I'm new to this project and have always done my SCAP lock downs with kickstart scripts up until now. This looks to be something I switched to a long time ago.
In the environment I work in, I need to make custom ISO installation disks to send out to the field. I've been testing out the 'addon xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and then made a custom tailored XML following the guidelines to keep a few things on that were being removed. My problem is that now that I have my 'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my kickstart image? I've tried copying it in the %post --nochroot section of my kickstart to /tmp/openscap_data and /root/openscap_data and neither of those worked.
Can someone tell me or show me where in the guide it shows where it's supposed to go?
This is what my kickstart looks like:
-------------------------------------
%post --nochroot
cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml /root/openscap_data/

%addon org_fedora_oscap
content-type = scap-security-guide
profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
tailoring-path=ssg-rhel7-ds-tailoring.xml
%end
-------------------------------------
Thanks for all the work...this is a great project.
Hello,
On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston mijohnst@gmail.com wrote:
> I'm new to this project and have always done my SCAP lock downs with kickstart scripts up until now. This looks to be something I switched to a long time ago.
>
> In the environment I work in, I need to make custom ISO installation disks to send out to the field. I've been testing out the 'addon xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and then made a custom tailored XML following the guidelines to keep a few things on that were being removed. My problem is that now that I have my 'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my kickstart image?
>
> I've tried copying it in the %post --nochroot section of my kickstart to /tmp/openscap_data and /root/openscap_data and neither of those worked.

From what I see in the source code, the tailoring file needs to be in "/tmp/openscap_data". During the post install phase, the addon copies the file to "/root/openscap_data" and uses the tailoring from there.

> Can someone tell me or show me where in the guide it shows where it's supposed to go?
>
> This is what my kickstart looks like:
>
> %post --nochroot
> cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml /root/openscap_data/
>
> %addon org_fedora_oscap
> content-type = scap-security-guide
> profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa

One thing to note is that the profile to use here should be the one created in the tailoring file.

> tailoring-path=ssg-rhel7-ds-tailoring.xml
> %end
>
> Thanks for all the work...this is a great project.
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
Thank you for the reply Watson! I discovered what you're saying is exactly right. One thing I would add is that it needs to be copied there in the %pre section of kickstart. It took me a week to figure that out. Adding in the %post does not work...
I'm still having issues however. Now that it seems to find my tailored file it doesn't seem to be implementing some (or all) of my custom changes. For example, I need to keep X11 installed, so I exclude the setting to have those packages removed but those files are getting removed anyway.
Is the tailored file the only thing that needs to be copied? Does the profile need to be something other than 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa' that should be copied too?
On Fri, Apr 5, 2019 at 2:06 PM Mike Johnston mijohnst@gmail.com wrote:
> Thank you for the reply Watson! I discovered what you're saying is exactly right. One thing I would add is that it needs to be copied there in the %pre section of kickstart. It took me a week to figure that out. Adding in the %post does not work...
>
> I'm still having issues however. Now that it seems to find my tailored file it doesn't seem to be implementing some (or all) of my custom changes. For example, I need to keep X11 installed, so I exclude the setting to have those packages removed but those files are getting removed anyway.
>
> Is the tailored file the only thing that needs to be copied? Does the profile need to be something other than 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa' that should be copied too?

The value for profile should be the ID you specified when creating the tailoring. SCAP Workbench by default adds the "_customized" suffix. In the customization file, it should be defined in the "xccdf:Profile" element in the attribute "id".

If the default value suggested by SCAP Workbench was used, the profile ID will be:
profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized
Watson,
I'm a little confused about what profile and tailored are supposed to be. For example, here is what I have in the %post of my kickstart:

%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
%end

I produced the 'ssg-rhel7-ds-tailoring-custom.xml' file using the scap-workbench tool after making changes. When I first start the customization off of the DISA profile, it defaults to the name 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized' like you're saying, but how does the system I'm loading know about this customized profile? The scap-workbench is on a system where I create the image but how does a new system I'm loading with my image know anything about 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized'? That's why I'm asking if there is something more than the tailored-custom.xml file that needs to be copied to the image. Does that make sense?
Hi Mike,

if you open the tailoring file you have created, you'll see it's in the format of a small profile. This profile is an extension (diff) of the base profile; in this case it's an extension of stig-rhel7-disa.

So the options you have in the kickstart say:

content-type = scap-security-guide
    use ssg-rhel7-ds.xml from scap-security-guide

tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
    combine datastream with additional profile(s) defined within the tailoring file

profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized
    use the tailored profile you just included

The reason the tailored profile is not used automatically is that, technically, it's possible to have a tailoring file with multiple different altered profiles, so we just merge them into the datastream and let the user choose.

Hope it helps!
Marek
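A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of the original messages or of the addon's own code: it reads the profile IDs a tailoring file defines and verifies that the kickstart's profile= option names one of them rather than the base profile. The sample tailoring XML, its placeholder rule ID and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
BASE_ID = "xccdf_org.ssgproject.content_profile_stig-rhel7-disa"

# Constructed sample in the shape of a SCAP Workbench tailoring file.
# The tailoring id and the rule ID are placeholders, not real identifiers.
SAMPLE_TAILORING = f"""<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_example_tailoring_default">
  <xccdf:Profile id="{BASE_ID}_customized" extends="{BASE_ID}">
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_PLACEHOLDER_x11_removed"
                  selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

# Constructed kickstart fragment using the option names from the thread.
KS_TEMPLATE = """%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = {profile}
    tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
%end
"""


def tailored_profiles(tailoring_xml):
    """Map each profile ID defined in the tailoring file to its base and overrides."""
    root = ET.fromstring(tailoring_xml)
    profiles = {}
    for prof in root.iter(XCCDF + "Profile"):
        deselected = [s.get("idref") for s in prof.iter(XCCDF + "select")
                      if s.get("selected") == "false"]
        profiles[prof.get("id")] = {"extends": prof.get("extends"),
                                    "deselected": deselected}
    return profiles


def addon_options(kickstart_text):
    """Return the key/value options of the %addon org_fedora_oscap section."""
    m = re.search(r"^%addon\s+org_fedora_oscap\s*\n(.*?)^%end",
                  kickstart_text, re.S | re.M)
    if not m:
        raise ValueError("no %addon org_fedora_oscap section found")
    opts = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def check(kickstart_text, tailoring_xml):
    """Return a list of problems; an empty list means profile= names a tailored profile."""
    opts = addon_options(kickstart_text)
    profiles = tailored_profiles(tailoring_xml)
    problems = []
    if "tailoring-path" not in opts:
        problems.append("no tailoring-path option, so the tailoring file is not used")
    chosen = opts.get("profile")
    if chosen not in profiles:
        tailored = [pid for pid, p in profiles.items() if p["extends"] == chosen]
        if tailored:
            problems.append(f"profile={chosen} is the base profile; the customizations "
                            f"are in {', '.join(tailored)}")
        else:
            problems.append(f"profile={chosen} is not defined in the tailoring file")
    return problems


if __name__ == "__main__":
    for profile in (BASE_ID, BASE_ID + "_customized"):
        print(profile, check(KS_TEMPLATE.format(profile=profile), SAMPLE_TAILORING) or "OK")
```
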
On 4/5/19 7:37 AM, Watson Sato wrote:
> Hello,
>
> On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston <mijohnst@gmail.com> wrote:
>> I'm new to this project and have always done my SCAP lock downs with kickstart scripts up until now. This looks to be something I switched to a long time ago. In the environment I work in, I need to make custom ISO installation disks to send out to the field. I've been testing out the 'addon xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and then made a custom tailored XML following the guidelines to keep a few things on that were being removed. My problem is that now that I have my 'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my kickstart image? I've tried copying it in the %post --nochroot section of my kickstart to /tmp/openscap_data and /root/openscap_data and neither of those worked.
>
> From what I see in the source code, the tailoring file needs to be in "/tmp/openscap_data". During the post install phase, the addon copies the file to "/root/openscap_data" and uses the tailoring from there.

Where should that be documented?