10:49 a.m.
I'm a new to this project and have always done my SCAP lock downs with
kickstart scripts up until now. This looks to be something I switched to a
long time ago.
In the environment I work in, I need to make custom ISO installation disks
to send out to the field. I've been testing out the 'addon
xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and
then made a custom tailored XML following the guidelines keep a few things
on that were being removed. My problem is that now that I have my
'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my kickstart
image? I've tried copying it in the post -nochroot section of my kickstart
to /tmp/openscap_data and /root/openscap_data and neither of those
worked.
Can someone tell me or show me where in the guide it show where it's
supposed to go?
This is what my kickstart looks like:
-------------------------------------
%post --nochroot
cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml
/root/openscap_data/
%addon org_fedora_oscap
content-type = scap-security-guide
profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
tailoring-path=ssg-rhel7-ds-tailoring.xml
%end
-------------------------------------
Thanks for all the work...this is a great project.
6:37 a.m.
Hello,
On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston <mijohnst(a)gmail.com> wrote:
I'm a new to this project and have always done my SCAP lock downs
with
kickstart scripts up until now. This looks to be something I switched to a
long time ago.
In the environment I work in, I need to make custom ISO installation disks
to send out to the field. I've been testing out the 'addon
xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and
then made a custom tailored XML following the guidelines keep a few things
on that were being removed. My problem is that now that I have my
'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my kickstart image?
I've tried copying it in the post -nochroot section of my kickstart to
/tmp/openscap_data and /root/openscap_data and neither of those
worked.
From what I see in the source code, the tailoring file needs to be in
"/tmp/openscap_data".
During the post install phase, the addon copies the file to
"/root/openscap_data" and uses the tailoring from there.
Can someone tell me or show me where in the guide it show where it's
supposed to go?
This is what my kickstart looks like:
-------------------------------------
%post --nochroot
cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml
/root/openscap_data/
%addon org_fedora_oscap
content-type = scap-security-guide
profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
One thing to note is that the profile to use here should be the one created
in the tailoring file.
tailoring-path=ssg-rhel7-ds-tailoring.xml
%end
-------------------------------------
Thanks for all the work...this is a great project.
_______________________________________________
scap-security-guide mailing list --
scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to
scap-security-guide-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
--
Watson Sato
Security Technologies | Red Hat, Inc
7:05 a.m.
Thank you for the reply Watson! I discovered what your saying is exactly right. One
thing I would add is that it needs to be copied there in the %pre section of kickstart.
It took me a week to figure that out. Adding in the %post does not work...
I'm still having issues however. Now that it seems to find my tailored file it
doesn't seem to implementing some (or all) of my custom changes. For example, I need
to keep X11 installed, so I exclude setting to have those packages removed but those files
are getting removed anyway.
Is the tailored file the only thing that needs to be copied? Is the profile need to be
something other than 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa' that
should be copied too?
On Apr 5, 2019, 6:38 AM -0500, Watson Sato <wsato(a)redhat.com>, wrote:
Hello,
> On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston <mijohnst(a)gmail.com> wrote:
> > I'm a new to this project and have always done my SCAP lock downs with
kickstart scripts up until now. This looks to be something I switched to a long time
ago.
> >
> > In the environment I work in, I need to make custom ISO installation disks to
send out to the field. I've been testing out the 'addon
xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and then made a
custom tailored XML following the guidelines keep a few things on that were being
removed. My problem is that now that I have my 'ssg-rhel7-ds-tailoring.xml' file,
where do I put it in my kickstart image?
> > I've tried copying it in the post -nochroot section of my kickstart to
/tmp/openscap_data and /root/openscap_data and neither of those worked.
>
> From what I see in the source code, the tailoring file needs to be in
"/tmp/openscap_data".
> During the post install phase, the addon copies the file to
"/root/openscap_data" and uses the tailoring from there.
>
> >
> > Can someone tell me or show me where in the guide it show where it's
supposed to go?
> >
> > This is what my kickstart looks like:
> >
> > -------------------------------------
> > %post --nochroot
> > cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml /root/openscap_data/
> >
> >
> > %addon org_fedora_oscap
> > content-type = scap-security-guide
> > profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
>
> One thing to note is that the profile to use here should be the one created in the
tailoring file.
>
> > tailoring-path=ssg-rhel7-ds-tailoring.xml
> > %end
> > -------------------------------------
> >
> >
> > Thanks for all the work...this is a great project.
> > _______________________________________________
> > scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org
> > To unsubscribe send an email to
scap-security-guide-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
--
Watson Sato
Security Technologies | Red Hat, Inc
_______________________________________________
scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
8:01 a.m.
On Fri, Apr 5, 2019 at 2:06 PM Mike Johnston <mijohnst(a)gmail.com> wrote:
Thank you for the reply Watson! I discovered what your saying is
exactly
right. One thing I would add is that it needs to be copied there in the
%pre section of kickstart. It took me a week to figure that out. Adding in
the %post does not work...
I'm still having issues however. Now that it seems to find my tailored
file it doesn't seem to implementing some (or all) of my custom changes.
For example, I need to keep X11 installed, so I exclude setting to have
those packages removed but those files are getting removed anyway.
Is the tailored file the only thing that needs to be copied? Is the
profile need to be something other than
'xccdf_org.ssgproject.content_profile_stig-rhel7-disa' that should be
copied too?
The value for profile should be the ID you specified when creating the
tailoring. SCAP Workbench by default adds "_customized" suffix.
In the customization file, it should be defined it in the "xccdf:Profile"
element in the attribute "id".
If the default value suggested by SCAP Workbench was used, the profile ID
will be:
profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized
On Apr 5, 2019, 6:38 AM -0500, Watson Sato <wsato(a)redhat.com>, wrote:
Hello,
On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston <mijohnst(a)gmail.com> wrote:
> I'm a new to this project and have always done my SCAP lock downs with
> kickstart scripts up until now. This looks to be something I switched to a
> long time ago.
>
> In the environment I work in, I need to make custom ISO installation
> disks to send out to the field. I've been testing out the 'addon
> xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and
> then made a custom tailored XML following the guidelines keep a few things
> on that were being removed. My problem is that now that I have my
> 'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my kickstart image?
>
I've tried copying it in the post -nochroot section of my kickstart to
> /tmp/openscap_data and /root/openscap_data and neither of those worked.
>
From what I see in the source code, the tailoring file needs to be in
"/tmp/openscap_data".
During the post install phase, the addon copies the file to
"/root/openscap_data" and uses the tailoring from there.
>
> Can someone tell me or show me where in the guide it show where it's
> supposed to go?
>
> This is what my kickstart looks like:
>
> -------------------------------------
> %post --nochroot
> cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml
> /root/openscap_data/
>
>
> %addon org_fedora_oscap
> content-type = scap-security-guide
> profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
>
One thing to note is that the profile to use here should be the one
created in the tailoring file.
tailoring-path=ssg-rhel7-ds-tailoring.xml
> %end
> -------------------------------------
>
>
> Thanks for all the work...this is a great project.
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
>
--
Watson Sato
Security Technologies | Red Hat, Inc
_______________________________________________
scap-security-guide mailing list --
scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to
scap-security-guide-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
_______________________________________________
scap-security-guide mailing list --
scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to
scap-security-guide-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
--
Watson Sato
Security Technologies | Red Hat, Inc
8:32 a.m.
Watson,
I'm a little confused about what profile and tailored are supposed to be.
For example, here is what I have in the %post of my kickstart:
%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
%end
I produced the ' ssg-rhel7-ds-tailoring-custom.xml' file using the
scap-workbench tool after making changes. When I first start the
customization off of the DISA profie, it defaults to the name
'xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized' like
you're saying, but how does the system I'm loading know about this
customized profile? The scap-workbench is on a system where I create the
image but how doe a new system I'm loading with my image know anything
about 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized'?
That's why I'm asking if something more than the tailored-custom.xml file
that needs to copied to the image. Does that make sense?
On Fri, Apr 5, 2019 at 8:03 AM Watson Sato <wsato(a)redhat.com> wrote:
On Fri, Apr 5, 2019 at 2:06 PM Mike Johnston <mijohnst(a)gmail.com> wrote:
> Thank you for the reply Watson! I discovered what your saying is exactly
> right. One thing I would add is that it needs to be copied there in the
> %pre section of kickstart. It took me a week to figure that out. Adding in
> the %post does not work...
>
> I'm still having issues however. Now that it seems to find my tailored
> file it doesn't seem to implementing some (or all) of my custom changes.
> For example, I need to keep X11 installed, so I exclude setting to have
> those packages removed but those files are getting removed anyway.
>
> Is the tailored file the only thing that needs to be copied? Is the
> profile need to be something other than
> 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa' that should be
> copied too?
>
The value for profile should be the ID you specified when creating the
tailoring. SCAP Workbench by default adds "_customized" suffix.
In the customization file, it should be defined it in the "xccdf:Profile"
element in the attribute "id".
If the default value suggested by SCAP Workbench was used, the profile ID
will be:
profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized
>
> On Apr 5, 2019, 6:38 AM -0500, Watson Sato <wsato(a)redhat.com>, wrote:
>
> Hello,
>
> On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston <mijohnst(a)gmail.com> wrote:
>
>> I'm a new to this project and have always done my SCAP lock downs with
>> kickstart scripts up until now. This looks to be something I switched to a
>> long time ago.
>>
>> In the environment I work in, I need to make custom ISO installation
>> disks to send out to the field. I've been testing out the 'addon
>> xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and
>> then made a custom tailored XML following the guidelines keep a few things
>> on that were being removed. My problem is that now that I have my
>> 'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my kickstart
image?
>>
> I've tried copying it in the post -nochroot section of my kickstart to
>> /tmp/openscap_data and /root/openscap_data and neither of those worked.
>>
>
> From what I see in the source code, the tailoring file needs to be in
> "/tmp/openscap_data".
> During the post install phase, the addon copies the file to
> "/root/openscap_data" and uses the tailoring from there.
>
>
>>
>> Can someone tell me or show me where in the guide it show where it's
>> supposed to go?
>>
>> This is what my kickstart looks like:
>>
>> -------------------------------------
>> %post --nochroot
>> cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml
>> /root/openscap_data/
>>
>
>>
>> %addon org_fedora_oscap
>> content-type = scap-security-guide
>> profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
>>
>
> One thing to note is that the profile to use here should be the one
> created in the tailoring file.
>
> tailoring-path=ssg-rhel7-ds-tailoring.xml
>> %end
>> -------------------------------------
>>
>>
>> Thanks for all the work...this is a great project.
>> _______________________________________________
>> scap-security-guide mailing list --
>> scap-security-guide(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> scap-security-guide-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
>>
>
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
>
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
>
--
Watson Sato
Security Technologies | Red Hat, Inc
_______________________________________________
scap-security-guide mailing list --
scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to
scap-security-guide-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
8:52 a.m.
Hi Mike,
if you open the tailoring file you have created, you'll see it's in the
format of small profile. This profile is extension (diff) of base
profile in this case it's extension of stig-rhel7-disa.
So the options you have in the kickstart say:
content-type = scap-security-guide
use ssg-rhel7-ds.xml from
scap-security guide
tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
combine
datastream with additional profile(s) defined within the
tailoring file
profile =
xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized
use the tailored
profile you just included
The reason tailored profile is not used automatically is that
technically, it's possible to have tailoring file with multiple
different altered profiles, so we just merge them into the datastream
and let user choose.
Hope it helps!
Marek
On 4/5/19 3:32 PM, Mike Johnston wrote:
Watson,
I'm a little confused about what profile and tailored are supposed to
be. For example, here is what I have in the %post of my kickstart:
%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
%end
I produced the ' ssg-rhel7-ds-tailoring-custom.xml' file using the
scap-workbench tool after making changes. When I first start the
customization off of the DISA profie, it defaults to the name
'xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized' like
you're saying, but how does the system I'm loading know about this
customized profile? The scap-workbench is on a system where I create
the image but how doe a new system I'm loading with my image know
anything about
'xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized'?
That's why I'm asking if something more than the tailored-custom.xml
file that needs to copied to the image. Does that make sense?
On Fri, Apr 5, 2019 at 8:03 AM Watson Sato <wsato(a)redhat.com
<mailto:wsato@redhat.com>> wrote:
On Fri, Apr 5, 2019 at 2:06 PM Mike Johnston <mijohnst(a)gmail.com
<mailto:mijohnst@gmail.com>> wrote:
Thank you for the reply Watson! I discovered what your saying
is exactly right. One thing I would add is that it needs to be
copied there in the %pre section of kickstart. It took me a
week to figure that out. Adding in the %post does not work...
I'm still having issues however. Now that it seems to find my
tailored file it doesn't seem to implementing some (or all) of
my custom changes. For example, I need to keep X11 installed,
so I exclude setting to have those packages removed but those
files are getting removed anyway.
Is the tailored file the only thing that needs to be copied? Is
the profile need to be something other than
'xccdf_org.ssgproject.content_profile_stig-rhel7-disa' that
should be copied too?
The value for profile should be the ID you specified when creating
the tailoring. SCAP Workbench by default adds "_customized" suffix.
In the customization file, it should be defined it in the
"xccdf:Profile" element in the attribute "id".
If the default value suggested by SCAP Workbench was used, the
profile ID will be:
profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized
On Apr 5, 2019, 6:38 AM -0500, Watson Sato <wsato(a)redhat.com
<mailto:wsato@redhat.com>>, wrote:
> Hello,
>
> On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston
> <mijohnst(a)gmail.com <mailto:mijohnst@gmail.com>> wrote:
>
> I'm a new to this project and have always done my SCAP
> lock downs with kickstart scripts up until now. This
> looks to be something I switched to a long time ago.
>
> In the environment I work in, I need to make custom ISO
> installation disks to send out to the field. I've been
> testing out the 'addon
> xccdf_org.ssgproject.content_profile_stig-rhel7-disa'
> security profile and then made a custom tailored XML
> following the guidelines keep a few things on that were
> being removed. My problem is that now that I have my
> 'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my
> kickstart image?
>
> I've tried copying it in the post -nochroot section of
> my kickstart to /tmp/openscap_data and
> /root/openscap_data and neither of those worked.
>
>
> From what I see in the source code, the tailoring file needs
> to be in "/tmp/openscap_data".
> During the post install phase, the addon copies the file to
> "/root/openscap_data" and uses the tailoring from there.
>
>
> Can someone tell me or show me where in the guide it show
> where it's supposed to go?
>
> This is what my kickstart looks like:
>
> -------------------------------------
> %post --nochroot
> cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml
> /root/openscap_data/
>
>
>
> %addon org_fedora_oscap
> content-type = scap-security-guide
>
> profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
>
> One thing to note is that the profile to use here should be
> the one created in the tailoring file.
>
> tailoring-path=ssg-rhel7-ds-tailoring.xml
> %end
> -------------------------------------
>
>
> Thanks for all the work...this is a great project.
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> <mailto:scap-security-guide@lists.fedorahosted.org>
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> <mailto:scap-security-guide-leave@lists.fedorahosted.org>
> Fedora Code of Conduct:
> https://getfedora.org/code-of-conduct.html
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
>
>
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
> _______________________________________________
> scap-security-guide mailing list --
> scap-security-guide(a)lists.fedorahosted.org
> <mailto:scap-security-guide@lists.fedorahosted.org>
> To unsubscribe send an email to
> scap-security-guide-leave(a)lists.fedorahosted.org
> <mailto:scap-security-guide-leave@lists.fedorahosted.org>
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
_______________________________________________
scap-security-guide mailing list --
scap-security-guide(a)lists.fedorahosted.org
<mailto:scap-security-guide@lists.fedorahosted.org>
To unsubscribe send an email to
scap-security-guide-leave(a)lists.fedorahosted.org
<mailto:scap-security-guide-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
--
Watson Sato
Security Technologies | Red Hat, Inc
_______________________________________________
scap-security-guide mailing list --
scap-security-guide(a)lists.fedorahosted.org
<mailto:scap-security-guide@lists.fedorahosted.org>
To unsubscribe send an email to
scap-security-guide-leave(a)lists.fedorahosted.org
<mailto:scap-security-guide-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
_______________________________________________
scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
7:21 a.m.
On 4/5/19 7:37 AM, Watson Sato wrote:
Hello,
On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston <mijohnst(a)gmail.com
<mailto:mijohnst@gmail.com>> wrote:
I'm a new to this project and have always done my SCAP lock downs
with kickstart scripts up until now. This looks to be something I
switched to a long time ago.
In the environment I work in, I need to make custom ISO
installation disks to send out to the field. I've been testing out
the 'addon xccdf_org.ssgproject.content_profile_stig-rhel7-disa'
security profile and then made a custom tailored XML following the
guidelines keep a few things on that were being removed. My
problem is that now that I have my 'ssg-rhel7-ds-tailoring.xml'
file, where do I put it in my kickstart image?
I've tried copying it in the post -nochroot section of my
kickstart to /tmp/openscap_data and /root/openscap_data and
neither of those worked.
From what I see in the source code, the tailoring file needs to be in
"/tmp/openscap_data".
During the post install phase, the addon copies the file to
"/root/openscap_data" and uses the tailoring from there.
Where should that be documented?
1871
days inactive
1879
days old
scap-security-guide@lists.fedorahosted.org
6 comments
4 participants
participants (4)
-
Marek Haicman -
Mike Johnston -
Shawn Wells -
Watson Sato