Hi Mike,
If you open the tailoring file you have created, you'll see it's in the format of a small profile. This profile is an extension (diff) of a base profile; in this case it's an extension of stig-rhel7-disa.

So the options you have in the kickstart say:
> content-type = scap-security-guide
use ssg-rhel7-ds.xml from scap-security-guide

> tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
combine datastream with additional profile(s) defined within the tailoring file

> profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized
use the tailored profile you just included

The reason the tailored profile is not used automatically is that, technically, it's possible to have a tailoring file with multiple different altered profiles, so we just merge them into the datastream and let the user choose.

Hope it helps!
Marek
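
A way to check, before building the ISO, that the profile named in the kickstart is one the tailoring file actually defines (added example, not part of the original thread or the addon's own code). It assumes an XCCDF 1.2 tailoring file; the function names and the rule ID in the sample are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # assumed: XCCDF 1.2 tailoring

def tailored_profiles(tailoring_xml):
    """Map each Profile id in the tailoring file to its base and overrides."""
    root = ET.fromstring(tailoring_xml)
    return {p.get("id"): {
        "extends": p.get("extends"),
        "overrides": {s.get("idref"): s.get("selected") == "true"
                      for s in p.iter(XCCDF + "select")},
    } for p in root.iter(XCCDF + "Profile")}

def addon_options(kickstart):
    """Return the options of the %addon org_fedora_oscap section as a dict."""
    m = re.search(r"^%addon org_fedora_oscap\s*\n(.*?)^%end", kickstart, re.S | re.M)
    if not m:
        return {}
    pairs = (l.split("=", 1) for l in m.group(1).splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def check(kickstart, tailoring_xml):
    """List mismatches between the addon's profile and the tailoring file."""
    opts, profiles = addon_options(kickstart), tailored_profiles(tailoring_xml)
    chosen, problems = opts.get("profile"), []
    if "tailoring-path" in opts and chosen not in profiles:
        hint = [pid for pid, p in profiles.items() if p["extends"] == chosen]
        problems.append(f"profile {chosen!r} is not defined in the tailoring file"
                        + (f"; tailored profile(s) extending it: {hint}" if hint else ""))
    return problems

# Constructed sample inputs; the rule id is a made-up placeholder.
TAILORING = """<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring">
  <xccdf:Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized"
                 extends="xccdf_org.ssgproject.content_profile_stig-rhel7-disa">
    <xccdf:select idref="xccdf_org.ssgproject.content_rule_EXAMPLE_x11_removed" selected="false"/>
  </xccdf:Profile>
</xccdf:Tailoring>"""

KICKSTART = """%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
    tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
%end
"""

if __name__ == "__main__":
    for problem in check(KICKSTART, TAILORING):
        print(problem)
```

The `overrides` map also shows which rules the tailored profile turns off, which helps confirm that an exclusion made in SCAP Workbench was saved into the file.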

On 4/5/19 3:32 PM, Mike Johnston wrote:
Watson,

I'm a little confused about what profile and tailored are supposed to be.  For example, here is what I have in the %post of my kickstart:

%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
    tailoring-path = ssg-rhel7-ds-tailoring-custom.xml
%end

I produced the 'ssg-rhel7-ds-tailoring-custom.xml' file using the scap-workbench tool after making changes.  When I first start the customization off of the DISA profile, it defaults to the name 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized' like you're saying, but how does the system I'm loading know about this customized profile?  The scap-workbench is on a system where I create the image, but how does a new system I'm loading with my image know anything about 'xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized'? That's why I'm asking if there is something more than the tailored-custom.xml file that needs to be copied to the image.  Does that make sense?


On Fri, Apr 5, 2019 at 8:03 AM Watson Sato <[email protected]> wrote:



    On Fri, Apr 5, 2019 at 2:06 PM Mike Johnston <[email protected]> wrote:

        Thank you for the reply Watson!  I discovered what you're saying
        is exactly right.  One thing I would add is that it needs to be
        copied there in the %pre section of kickstart.  It took me a
        week to figure that out. Adding it in the %post does not work...

        I'm still having issues however.  Now that it seems to find my
        tailored file, it doesn't seem to be implementing some (or all) of
        my custom changes.  For example, I need to keep X11 installed,
        so I exclude the setting to have those packages removed, but those
        files are getting removed anyway.

        Is the tailored file the only thing that needs to be copied?  Does
        the profile need to be something other than
        'xccdf_org.ssgproject.content_profile_stig-rhel7-disa' that
        should be copied too?


    The value for profile should be the ID you specified when creating
    the tailoring. SCAP Workbench by default adds the "_customized" suffix.
    In the customization file, it should be defined in the
    "xccdf:Profile" element in the attribute "id".

    If the default value suggested by SCAP Workbench was used, the
    profile ID will be:
    profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa_customized



        On Apr 5, 2019, 6:38 AM -0500, Watson Sato <[email protected]>, wrote:
        Hello,

        On Thu, Mar 28, 2019 at 4:50 PM Mike Johnston <[email protected]> wrote:

            I'm new to this project and have always done my SCAP
            lock downs with kickstart scripts up until now.  This
            looks to be something I switched to a long time ago.

            In the environment I work in, I need to make custom ISO
            installation disks to send out to the field. I've been
            testing out the 'addon
            xccdf_org.ssgproject.content_profile_stig-rhel7-disa'
            security profile and then made a custom tailored XML
            following the guidelines to keep a few things on that were
            being removed.  My problem is that now that I have my
            'ssg-rhel7-ds-tailoring.xml' file, where do I put it in my
            kickstart image?

            I've tried copying it in the post -nochroot section of
            my kickstart to /tmp/openscap_data and
            /root/openscap_data and neither of those worked.


        From what I see in the source code, the tailoring file needs
        to be in "/tmp/openscap_data".
        During the post install phase, the addon copies the file to
        "/root/openscap_data" and uses the tailoring from there.


            Can someone tell me or show me where in the guide it shows
            where it's supposed to go?

            This is what my kickstart looks like:

            -------------------------------------
            %post --nochroot
            cp /run/install/repo/hardening/ssg-rhel7-ds-tailoring.xml /root/openscap_data/



            %addon org_fedora_oscap
                content-type = scap-security-guide
                profile=xccdf_org.ssgproject.content_profile_stig-rhel7-disa

        One thing to note is that the profile to use here should be
        the one created in the tailoring file.

                tailoring-path=ssg-rhel7-ds-tailoring.xml
            %end
            -------------------------------------


            Thanks for all the work...this is a great project.
            _______________________________________________
            scap-security-guide mailing list --
            [email protected]
            <mailto:[email protected]>
            To unsubscribe send an email to
            [email protected]
            <mailto:[email protected]>
            Fedora Code of Conduct:
            https://getfedora.org/code-of-conduct.html
            List Guidelines:
            https://fedoraproject.org/wiki/Mailing_list_guidelines
            List Archives:
            
https://lists.fedorahosted.org/archives/list/[email protected]



        --
        Watson Sato
        Security Technologies | Red Hat, Inc



-- Watson Sato
    Security Technologies | Red Hat, Inc