Updating with some extra testing - crossposted from the scap-security-guide 
list....

  The initial work I was doing was just using a floppy to provide both the 
kickstart and the tailoring file from scap-workbench.  We've migrated to having 
a full bootable ISO remastered from the RHEL 7.3 install media instead, with 
our tailoring file added as an extra RPM to be installed.  I finally managed 
some syntax on the oscap addon that didn't raise an exception using this:

%addon org_fedora_oscap
  content-type = scap-security-guide
  profile = ospp-rhel7-server
  tailoring-path = ../../usr/share/xml/scap/custom/tailoring.xml
%end

But after the system installs my modified banner is not present.  Looking at 
the logs it appears that the tailoring path was completely ignored.  I 
re-installed the system and dropped to one of the alternate windows to see 
exactly what oscap command was being executed and it was this:

oscap xccdf eval --remediate 
--results=/root/openscap_data/eval_remediate_results.xml 
--profile=ospp-rhel7-server 
tailoring-file=/usr/share/xml/scap/custom/tailoring.xml 
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

While it runs apparently without error messages - I've noticed several things:
  1) my tailoring is never used - just the steps from the profile
  2) it looks like some of the 'kickstart actions' are not being done - if I 
understand the USGCB profile, it has an action for installing the 'screen' 
package if needed, but this is not happening at kickstart.  I just found a bug 
in the oscap anaconda addon 
(https://github.com/OpenSCAP/oscap-anaconda-addon/issues/16) that seems to 
confirm this, at least for RHEL 7.3 which we are using.
  3) If I run the above command from a 'live' system (with or without the 
tailoring line) it still ignores the tailoring and a quick message is 
displayed - 'This content points out to the remote resources. Use 
`--fetch-remote-resources` option to download them.'  If I provide an incorrect 
filename for the tailoring it does error without doing any other actions.

So far the only way I've been able to have my tailoring file used is to use a 
command similar to what scap-workbench displays in the 'dry-run' option - and 
that command uses the datastream flavor of commands not the xccdf flavor.

So it seems if I want to have tailoring done using the plugin I have to use the 
datastream content, which I can't because these systems will be totally 
isolated at configuration.

None of this is a hard show-stopper, but it means that the oscap plugin is not 
usable as it stands.  Right now I don't have time to delve deeper into the 
plugin (although I have pulled the source to try and understand it better).

-Rob

From: open-scap-list-boun...@redhat.com [open-scap-list-boun...@redhat.com] 
on behalf of Robert Sanders [rsand...@forcepoint.com]
Sent: Friday, February 10, 2017 10:50 AM
To: open-scap-list@redhat.com
Subject: EXTERNAL: [Open-scap] Kickstart with SCAP tailoring

Morning all,
  Have a quick question - I'm looking at using a kickstart file to automate our 
OS install, but I also want to use the SCAP plugin to handle the initial 
lockdown of our images.  Looking at the 'tailoring-path' option to the anaconda 
plugin looks promising, but the docs indicate that the path for this option is 
relative to the archive being used.  Is there a way to specify the path so that 
it will the path from the 'floppy' image I'm using (currently booting by adding 
"linux ks=hd:fd0:ks.cfg"), or do I need to stand everything up as an 
http/https/ftp server and reference the SCAP contents and my tailoring file 
that way?

-Rob
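A post-install check for the failure described in this thread, added here as an example (not code from the thread, the oscap-anaconda-addon or OpenSCAP): it flags an option token that lost its leading '--' on the generated oscap command line, and reads the XCCDF 1.2 result document to report which profile ran and whether a tailoring file was recorded. The <profile> and <tailoring-file> child elements of TestResult, and the sample command line and result documents, are assumptions constructed for the example.

```python
"""Check whether an oscap run really applied a tailoring file (added example,
not code from this thread, the oscap-anaconda-addon or OpenSCAP). Assumes
XCCDF 1.2 results, where TestResult carries <profile idref=...> and, when a
tailoring was used, a <tailoring-file href=...> element (names assumed)."""
import re
import shlex
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OPTION_LIKE = re.compile(r"^[a-z][a-z0-9-]*=")


def unprefixed_options(cmdline):
    """Tokens shaped like 'name=value' that lack the leading '--'; the shell
    hands these to oscap as positional arguments, not options, which matches
    the thread's observation that the tailoring was silently ignored."""
    return [tok for tok in shlex.split(cmdline) if OPTION_LIKE.match(tok)]


def tailoring_status(results_xml):
    """Return (profile idref, tailoring href or None) from a results document."""
    root = ET.fromstring(results_xml)
    result = root.find(".//{%s}TestResult" % XCCDF_NS)
    if result is None:
        raise ValueError("no TestResult element in results document")
    profile = result.find("{%s}profile" % XCCDF_NS)
    tailoring = result.find("{%s}tailoring-file" % XCCDF_NS)
    return (profile.get("idref") if profile is not None else None,
            tailoring.get("href") if tailoring is not None else None)


# The command line quoted in the thread, reproduced as a constructed string.
OBSERVED_CMD = ("oscap xccdf eval --remediate "
                "--results=/root/openscap_data/eval_remediate_results.xml "
                "--profile=ospp-rhel7-server "
                "tailoring-file=/usr/share/xml/scap/custom/tailoring.xml "
                "/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml")

# Constructed minimal results: the stock profile ran, no tailoring recorded.
UNTAILORED_RESULTS = """<Benchmark xmlns="%s">
  <TestResult id="xccdf_org.open-scap_testresult_ospp-rhel7-server">
    <profile idref="ospp-rhel7-server"/>
  </TestResult>
</Benchmark>""" % XCCDF_NS

# Constructed results for a run in which the tailoring was applied.
TAILORED_RESULTS = UNTAILORED_RESULTS.replace(
    '<profile idref="ospp-rhel7-server"/>',
    '<tailoring-file href="/usr/share/xml/scap/custom/tailoring.xml" '
    'id="xccdf_example_tailoring_default" version="1" time="2017-02-10T10:50:00"/>'
    '\n    <profile idref="ospp-rhel7-server_customized"/>')
```

Run unprefixed_options() on the command the addon actually executes and tailoring_status() on the results file it writes; a stock profile id with no tailoring href means the tailoring never took effect, whatever the kickstart said.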
