Yep, that's where I started, just making sure I could get a hardened image at 
install.  But you can't (at least I didn't see a place on my RHEL7.3 box) 
make changes to the selection of profiles included with the install RPM.  I can 
bring up scap-workbench on a live box and make my changes there, and I was 
hoping to grab that customization and use it for the 'tailoring-path' option in 
the '%addon org_fedora_oscap' section.  Anaconda yowls after installing stuff 
that it can't find the file.  At the point where the error occurred it doesn't 
look like the floppy is mounted at all.  This is my first dive into using 
kickstarts/anaconda like this and I'm not sure it is possible out of the box.
I'm considering two workarounds -

1) Remaster the RHEL7.3 install ISO to include a new RPM with my customization 
tucked into the correct location
2) Stand up a webserver to supply a datastream or archive of the desired 
profile, with my tailoring, and reference that via https

I'm still sorting out in my head where the remediation happens during install - 
if I understand it correctly the indicated profile is scanned early enough to 
pull the info about partitioning and the like before much is done, and other 
bits happen after everything is installed.  But I don't know if that later 
hardening is before or after the %post section happens.

-Rob


________________________________
From: Albrecht, Thomas C [[email protected]]
Sent: Friday, February 10, 2017 2:50 PM
To: SCAP Security Guide
Subject: EXTERNAL: RE: Kickstart from floppy with SCAP and tailoring

Have you tried doing a manual install using the SCAP hardening in the install 
menu, and then stealing the code from the resulting anaconda.cfg that is 
generated in /root?

From: Robert Sanders [mailto:[email protected]]
Sent: Friday, February 10, 2017 2:48 PM
To: [email protected]
Subject: EXTERNAL: Kickstart from floppy with SCAP and tailoring

Hi all,
  Have a quick question - I'm looking at using a kickstart file to automate our 
OS install, but I also want to use the SCAP plugin to handle the initial 
lockdown of our images.  Looking at the 'tailoring-path' option to the anaconda 
plugin looks promising, but the docs indicate that the path for this option is 
relative to the archive being used.  Is there a way to specify the path so that 
it will use the path from the 'floppy' image I'm using (currently booting by adding 
"linux ks=hd:fd0:ks.cfg"), or do I need to stand everything up as an 
http/https/ftp server and reference the SCAP contents and my tailoring file 
that way?

-Rob
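
For the second workaround listed in the top reply (serving the content and the tailoring over https), an added sketch of the addon section; it is not taken from the thread or from the project's own files. The URL, archive name, file names and profile ID are placeholders, and the archive layout is constructed for illustration.

```kickstart
# Constructed layout of the archive served at content-url (placeholder names):
#   scap-content.zip
#     xccdf.xml        XCCDF benchmark, plus any check files it references
#     tailoring.xml    tailoring file saved from scap-workbench on a live box
#
# With content-type = archive, xccdf-path and tailoring-path are given
# relative to the root of the archive, which is why a path on the boot
# floppy is not found.
# profile is the ID of the customized profile defined in the tailoring
# file, not the ID of the stock profile it was derived from.

%addon org_fedora_oscap
    content-type = archive
    content-url = https://kickstart.example.com/scap/scap-content.zip
    xccdf-path = xccdf.xml
    tailoring-path = tailoring.xml
    profile = PLACEHOLDER_customized_profile_id
%end
```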








