Raphael, I never tried with a leading '//' on the tailoring-path - I did see one reference in the utils.py code to the join_paths() call. Without the '../../', my tailoring path wound up being preceded by some other path components that broke when executed in the chroot part of the kickstart. What I have here 'works' - in that it didn't raise an error...
-Rob
________________________________________
From: Raphael Sanchez Prudencio [rspruden...@redhat.com]
Sent: Thursday, February 16, 2017 9:48 AM
To: Robert Sanders; open-scap-list@redhat.com
Subject: EXTERNAL: Re: [Open-scap] Kickstart with SCAP tailoring

Hi Robert

On 02/16/2017 03:15 PM, Robert Sanders wrote:
> Updating with some extra testing - crossposted from the
> scap-security-guide list....
>
> The initial work I was doing was just using a floppy to provide both
> the kickstart and the tailoring file from scap-workbench. We've
> migrated to having a full bootable ISO remastered from the RHEL 7.3
> install media instead, with our tailoring file added as an extra RPM to
> be installed. I finally managed some syntax on the oscap addon that
> didn't raise an exception using this:
>
> %addon org_fedora_oscap
> content-type = scap-security-guide
> profile = ospp-rhel7-server
> tailoring-path = ../../usr/share/xml/scap/custom/tailoring.xml
> %end
>
> But after the system installs my modified banner is not present.
> Looking at the logs it appears that the tailoring path was completely
> ignored. I re-installed the system and dropped to one of the alternate
> windows to see exactly what oscap command was being executed and it was
> this:
>
> oscap xccdf eval --remediate
> --results=/root/openscap_data/eval_remediate_results.xml
> --profile=ospp-rhel7-server
> tailoring-file=/usr/share/xml/scap/custom/tailoring.xml
> /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Is this a typo or are you using --tailoring-file without double dashes?

> While it runs apparently without error messages - I've noticed several
> things:
> 1) my tailoring is never used - just the steps from the profile
> 2) it looks like some of the 'kickstart actions' are not being done -
> if I understand the USGCB profile, it has an action for installing the
> 'screen' package if needed, but this is not happening at kickstart.
> I just found a bug in the oscap anaconda addon
> (https://github.com/OpenSCAP/oscap-anaconda-addon/issues/16) that seems
> to confirm this, at least for RHEL 7.3 which we are using.
> 3) If I run the above command from a 'live' system (with or without
> the tailoring line) it still ignores the tailoring and a quick
> message is displayed - 'This content points out to the remote resources.
> Use `--fetch-remote-resources` option to download them.' If I provide
> an incorrect filename for the tailoring it does error without doing any
> other actions.
>
> So far the only way I've been able to have my tailoring file used is to
> use a command similar to what scap-workbench displays in the 'dry-run'
> option - and that command uses the datastream flavor of commands not the
> xccdf flavor.
>
> So it seems if I want to have tailoring done using the plugin I have to
> use the datastream content, which I can't because these systems will be
> totally isolated at configuration.
>
> None of this is a hard show-stopper, but it means that the oscap plugin
> is not usable as it stands. Right now I don't have time to delve deeper
> into the plugin (although I have pulled the source to try and understand
> it better).
>
> -Rob
>
> *From:* open-scap-list-boun...@redhat.com
> [open-scap-list-boun...@redhat.com] on behalf of Robert Sanders
> [rsand...@forcepoint.com]
> *Sent:* Friday, February 10, 2017 10:50 AM
> *To:* open-scap-list@redhat.com
> *Subject:* EXTERNAL: [Open-scap] Kickstart with SCAP tailoring
>
> Morning all,
> Have a quick question - I'm looking at using a kickstart file to
> automate our OS install, but I also want to use the SCAP plugin to
> handle the initial lockdown of our images. Looking at the
> 'tailoring-path' option to the anaconda plugin looks promising, but the
> docs indicate that the path for this option is relative to the archive
> being used.
> Is there a way to specify the path so that it will use the path
> from the 'floppy' image I'm using (currently booting by adding "linux
> ks=hd:fd0:ks.cfg"), or do I need to stand everything up as an
> http/https/ftp server and reference the SCAP contents and my tailoring
> file that way?
>
> -Rob
>
> _______________________________________________
> Open-scap-list mailing list
> Open-scap-list@redhat.com
> https://www.redhat.com/mailman/listinfo/open-scap-list

--
Raphael Sanchez Prudencio
Security Technologies | Red Hat, Inc.
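An added example, not code from the thread or from the oscap-anaconda-addon project: it parses the %addon org_fedora_oscap block quoted above, rebuilds the oscap command line Rob saw, and flags the form in which the tailoring file is passed without the leading dashes (Raphael's point). It assumes the addon joins tailoring-path onto /root/openscap_data, the directory that holds the results file in the quoted command; the two '../' then land at '/', which matches the path in the thread.

```python
import posixpath
import re

# Constructed sample kickstart fragment, mirroring the block in the thread.
SAMPLE_KS = """\
install
%addon org_fedora_oscap
content-type = scap-security-guide
profile = ospp-rhel7-server
tailoring-path = ../../usr/share/xml/scap/custom/tailoring.xml
%end
"""

# Assumption: tailoring-path is joined onto this directory (the one the
# results file in the thread lives in); two '../' from here reach '/'.
CONTENT_DIR = "/root/openscap_data"
# Paths taken from the oscap command quoted in the thread.
SSG_XCCDF = "/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml"
RESULTS = "/root/openscap_data/eval_remediate_results.xml"

def parse_oscap_addon(ks_text):
    """Return key/value pairs from the first %addon org_fedora_oscap block."""
    m = re.search(r"^%addon org_fedora_oscap[^\n]*\n(.*?)^%end", ks_text, re.M | re.S)
    if not m:
        raise ValueError("no %addon org_fedora_oscap block")
    opts = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts

def resolve_tailoring(tailoring_path):
    """Resolve the relative tailoring-path against CONTENT_DIR (assumption)."""
    return posixpath.normpath(posixpath.join(CONTENT_DIR, tailoring_path))

def build_oscap_cmd(opts, tailoring_dashes=True):
    """Build the command seen in the thread; tailoring_dashes=False reproduces
    the 'tailoring-file=' form, which is not an option to oscap at all."""
    cmd = ["oscap", "xccdf", "eval", "--remediate", "--results=" + RESULTS,
           "--profile=" + opts["profile"]]
    if "tailoring-path" in opts:
        prefix = "--tailoring-file=" if tailoring_dashes else "tailoring-file="
        cmd.append(prefix + resolve_tailoring(opts["tailoring-path"]))
    cmd.append(SSG_XCCDF)
    return cmd

def check_cmd(cmd):
    """Return findings that explain why the tailoring would be ignored."""
    findings = []
    positional = [a for a in cmd[3:] if not a.startswith("-")]
    for a in positional:
        if a.startswith("tailoring-file="):
            findings.append("tailoring-file lacks the leading '--': oscap sees a bare word, not the option")
    if len(positional) > 1:
        findings.append("more than one non-option argument: %r" % positional)
    return findings
```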