On Fri, Apr 5, 2019 at 2:06 PM Mike Johnston <[email protected]> wrote:
> Thank you for the reply Watson! I discovered what you're saying is exactly
> right. One thing I would add is that it needs to be copied there in the
> %pre section of kickstart. It took me a week to figure that out. Adding in
> the %post does not work...
>
> I'm still having issues however. Now that it seems to find my tailored
> file it doesn't seem to be implementing some (or all) of my custom changes.
> For example, I need to keep X11 installed, so I exclude setting to have
> those packages removed but those files are getting removed anyway.
>
> Is the tailored file the only thing that needs to be copied? Does the
> profile need to be something other than
> 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa' that should be
> copied too?
>
The value for profile should be the ID you specified when creating the
tailoring. SCAP Workbench by default adds a "_customized" suffix.
In the customization file, it should be defined in the "xccdf:Profile"
element in the attribute "id".
If the default value suggested by SCAP Workbench was used, the profile ID
will be:
profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized
>
> On Apr 5, 2019, 6:38 AM -0500, Watson Sato <[email protected]>, wrote:
>
> Hello,
>
> On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston <[email protected]> wrote:
>
>> I'm new to this project and have always done my SCAP lock downs with
>> kickstart scripts up until now. This looks to be something I switched to a
>> long time ago.
>>
>> In the environment I work in, I need to make custom ISO installation
>> disks to send out to the field. I've been testing out the 'addon
>> xccdf_org.ssgproject.content_profile_stig-rhel7-disa' security profile and
>> then made a custom tailored XML following the guidelines to keep a few things
>> on that were being removed. My problem is that now that I have my
>> 'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my kickstart image?
>>
>> I've tried copying it in the post -nochroot section of my kickstart to
>> /tmp/openscap_data and /root/openscap_data and neither of those worked.
>>
>
> From what I see in the source code, the tailoring file needs to be in
> "/tmp/openscap_data".
> During the post install phase, the addon copies the file to
> "/root/openscap_data" and uses the tailoring from there.
>
>
>>
>> Can someone tell me or show me where in the guide it shows where it's
>> supposed to go?
>>
>> This is what my kickstart looks like:
>>
>> -------------------------------------
>> %post --nochroot
>> cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml /root/openscap_data/
>>
>
>>
>> %addon org_fedora_oscap
>> content-type = scap-security-guide
>> profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa
>>
>
> One thing to note is that the profile to use here should be the one
> created in the tailoring file.
>
>> tailoring-path=ssg-rhel7-ds-tailoring.xml
>> %end
>> -------------------------------------
>>
>>
>> Thanks for all the work...this is a great project.
>> _______________________________________________
>> scap-security-guide mailing list --
>> [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>>
>
>
> --
> Watson Sato
> Security Technologies | Red Hat, Inc
--
Watson Sato
Security Technologies | Red Hat, Inc
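
Added example, not part of the original thread and not the addon's own code: a small check that reads the "id" of each "xccdf:Profile" in a tailoring file and compares it with the profile= value used in the kickstart %addon section, which is the mismatch discussed above. The function names are hypothetical, and the embedded tailoring file is a constructed sample with an illustrative rule id.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# Constructed sample in the shape SCAP Workbench writes (rule id is illustrative).
SAMPLE_TAILORING = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_scap-workbench_tailoring_default">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2019-04-05T12:00:00">1</xccdf:version>
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized" extends="xccdf_org.ssgproject.content_profile_stig-rhel7-disa">
    <xccdf:title>DISA STIG for RHEL 7 [CUSTOMIZED]</xccdf:title>
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>
"""

def tailored_profiles(xml_text):
    """Return one dict per xccdf:Profile: its id, base profile, and rule overrides."""
    root = ET.fromstring(xml_text)
    if root.tag != XCCDF + "Tailoring":
        raise ValueError("not an XCCDF 1.2 tailoring file: %s" % root.tag)
    profiles = []
    for prof in root.iter(XCCDF + "Profile"):
        overrides = {s.get("idref"): s.get("selected") == "true" for s in prof.iter(XCCDF + "select")}
        profiles.append({"id": prof.get("id"), "extends": prof.get("extends"), "overrides": overrides})
    return profiles

def check_kickstart_profile(xml_text, ks_profile):
    """Return (ok, message) for the profile= value used in the %addon section."""
    profiles = tailored_profiles(xml_text)
    ids = [p["id"] for p in profiles]
    if ks_profile in ids:
        return True, "profile= matches a tailored profile"
    bases = [p for p in profiles if p["extends"] == ks_profile]
    if bases:
        # The kickstart names the untailored base profile, so the overrides are ignored.
        return False, "profile= names the base profile; use %s" % bases[0]["id"]
    return False, "profile= not found; tailoring defines: %s" % ", ".join(ids)

if __name__ == "__main__":
    for p in tailored_profiles(SAMPLE_TAILORING):
        print(p["id"], "extends", p["extends"])
        for rule, selected in p["overrides"].items():
            print("  ", "selected" if selected else "deselected", rule)
    print(check_kickstart_profile(SAMPLE_TAILORING, "xccdf_org.ssgproject.content_profile_stig-rhel7-disa"))
```

Running it against the real tailoring file before building the ISO also lists which rules the tailoring deselects, so a missing override shows up without a full install.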