Re: [Open-scap] Anaconda Addon and Tail
Hello,

----- Original Message -----
> From: spammewo...@cox.net
> To: "Jan Lieskovsky"
> Cc: open-scap-list@redhat.com
> Sent: Tuesday, March 21, 2017 8:09:59 PM
> Subject: Re: [Open-scap] Anaconda Addon and Tail
>
> Hello Jan,
>
> Thanks for the reply and the web link. I have decided to use the oscap
> command line tool instead of the built-in Anaconda addon. This seems to
> work with the two-stage installation.
>
> I am using the stig-rhel7-workstation-upstream profile and I have run into a
> few problems with the remediation. Several of the Rules do not make any of
> the changes. Here is a list of the Rules that don't work:
> Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
> Set Password to Maximum of Consecutive Repeating Characters from Same Character Class
> Set Interactive Session Timeout
> Enable GNOME3 Login Warning Banner
> Set the GNOME3 Login Warning Banner Text
> Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
> Ensure auditd Collects Information on the Use of Privileged Commands
> Disable GSSAPI Authentication
> Disable Kerberos Authentication
> Enable Use of StrictModes
> Enable Use of Privilege Separation
> Disable Compression Or Set Compression to delayed
> Verify Permissions on SSH Server Private *_key Key Files

Yes. It actually looks like the scan itself is already possible to perform (IOW it's working correctly).

> I am running this on RHEL 7.3 with the following OpenSCAP packages
> installed:
> openscap-scanner-1.2.10-3.el7_3.x86_64
> scap-security-guide-0.1.30-5.el7_3.noarch
> openscap-1.2.10-3.el7_3.x86_64
>
> This is the command that I'm running:
> oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream --tailoring-file /root/sysadmin/scap/ssg-rhel7-ds-tailoring.xml --report /root/oscap_rhel7_report_4.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
>
> Is there something that I'm doing wrong or is there a problem with the XCCDF
> XML file?

I can't see an obvious issue in the aforementioned command (though it actually looks like you have modified the original / default workstation benchmark to contain / scan against just selected rules - but this is OK!). There are three possible reasons for the above behaviour:
* Either something changed on the system, and the remediation (corrective script) which was working before isn't, for some reason, working correctly now,
* the remediation isn't present / available at all, or
* the remediation is both available and working correctly (according to the rule description / requirements), but the corresponding OVAL check (read: the scan mechanism) checks / expects something else.

I have filed an RFE for oscap to be able to tell, during a scan where online remediation is requested, which of the rules are missing a remediation script:
* https://github.com/OpenSCAP/openscap/issues/712

With output like that, the user is able to tell which rules are missing remediations. For these rules the remediations would need to be implemented yet (the expected AI from you is to file these issues [Missing remediation for ... rule] upstream). They might be missing because so far no one has tried that combination of rules.

For the cases where the remediation is present, but the re-scan after the fix still returns "Fail", they (or the corresponding OVALs) need to be re-inspected for proper work (but again this is to be done after the upstream issue has been created).

Also be sure to check the 0.1.31 behaviour:
* https://github.com/OpenSCAP/scap-security-guide/releases

I can't see a mention of those rules in the Remediation scripts section of the Release Notes, thus it's possible it will behave the same way. But the sooner these issues are reported upstream, the higher the chance they will be addressed in (some of) the upcoming SSG releases.

>
> Jan Lieskovsky wrote:
> >
> > Hello,
> >
> > ----- Original Message -----
> > > From: spammewo...@cox.net
> > > To: open-scap-list@redhat.com
> > > Sent: Friday, March 17, 2017 6:09:43 PM
> > > Subject: [Open-scap] Anaconda Addon and Tail
> > >
> > > I am trying to create a kickstart file for a custom RHEL 7.3 DVD and I want
> > > to use the Anaconda oscap addon. The addon works well with the default
> > > setting, but I'm having an issue using it with a tailored file that I
> > > created through the openscap workbench. I am getting the error messages
> > > "OpenSCAP Error: Unable to open file:
> > > /run/install/repo/scap/ssg-rhel7-ds.xml [scap_source.c264]" and
> > > "Unrecognized document type for /run/install/repo/scap/ssg-rhel7-ds.xml
> > > {oscap_source.c307]"
>
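Jan's second possible reason (the remediation is not present at all) can be checked locally, ahead of the oscap RFE he links, by looking for selected rules whose XCCDF definition carries no fix element. The script below is an added example written for this thread; it is not part of oscap or scap-security-guide. It is a line-oriented heuristic that assumes the benchmark is pretty-printed with one tag per line (as the SSG datastreams are), and the profile and rule ids in the embedded sample benchmark are constructed placeholders except for the profile id taken from the command in the thread.

```shell
#!/bin/sh
# Added example (not oscap/SSG code): list the rules a profile selects that
# carry no <fix> element in an XCCDF benchmark, i.e. rules that
# "oscap xccdf eval --remediate" can only report on, never correct.
# Heuristic: assumes one XML tag per line, as in the pretty-printed SSG content.
selected_rules_without_fix() {
  xccdf="$1"; profile="$2"
  awk -v prof="$profile" '
    # Pass 1 (FNR == NR): remember which rules the requested profile selects.
    FNR == NR {
      if ($0 ~ /<Profile /) inprof = (index($0, "id=\"" prof "\"") > 0)
      if ($0 ~ /<\/Profile>/) inprof = 0
      if (inprof && $0 ~ /<select / && $0 ~ /selected="true"/) {
        match($0, /idref="[^"]+"/); sel[substr($0, RSTART + 7, RLENGTH - 8)] = 1
      }
      next
    }
    # Pass 2: for each <Rule>, note whether a <fix> element appears before </Rule>.
    /<Rule / { match($0, /id="[^"]+"/); rid = substr($0, RSTART + 4, RLENGTH - 5); hasfix = 0 }
    /<fix[ >]/ { hasfix = 1 }
    /<\/Rule>/ { if ((rid in sel) && !hasfix) print rid }
  ' "$xccdf" "$xccdf"
}

# Constructed sample benchmark (placeholder rule ids): one selected rule with a
# fix, one selected rule without, and one unselected rule without.
write_sample_benchmark() {
  cat > "$1" <<'EOF'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream">
    <select idref="xccdf_org.ssgproject.content_rule_example_with_fix" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_example_without_fix" selected="true"/>
    <select idref="xccdf_org.ssgproject.content_rule_example_unselected" selected="false"/>
  </Profile>
  <Group id="xccdf_example_group">
    <Rule id="xccdf_org.ssgproject.content_rule_example_with_fix" selected="false" severity="medium">
      <title>Rule with a remediation</title>
      <fix id="example_with_fix" system="urn:xccdf:fix:script:sh">echo fixed</fix>
    </Rule>
    <Rule id="xccdf_org.ssgproject.content_rule_example_without_fix" selected="false" severity="medium">
      <title>Rule whose remediation is still missing</title>
    </Rule>
    <Rule id="xccdf_org.ssgproject.content_rule_example_unselected" selected="false" severity="low">
      <title>Rule the profile does not select</title>
    </Rule>
  </Group>
</Benchmark>
EOF
}

# Stand-alone demonstration on the constructed sample:
#   sh this_script.sh --demo
# prints xccdf_org.ssgproject.content_rule_example_without_fix
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_sample_benchmark "$f"
  selected_rules_without_fix "$f" xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream
  rm -f "$f"
fi
```

Against a real system you would point the first function at /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml and the profile id from the oscap command. Two caveats: a tailoring file's profile usually extends a base profile and only lists its own overrides, so run the check against the base profile in the datastream and apply the tailoring's select / deselect changes by hand; and a rule that has a fix but still scans as "Fail" after remediation falls under Jan's third reason, which this check cannot distinguish.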
Re: [Open-scap] Anaconda Addon and Tail
Hello Jan,

Thanks for the reply and the web link. I have decided to use the oscap command line tool instead of the built-in Anaconda addon. This seems to work with the two-stage installation.

I am using the stig-rhel7-workstation-upstream profile and I have run into a few problems with the remediation. Several of the Rules do not make any of the changes. Here is a list of the Rules that don't work:
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
Set Password to Maximum of Consecutive Repeating Characters from Same Character Class
Set Interactive Session Timeout
Enable GNOME3 Login Warning Banner
Set the GNOME3 Login Warning Banner Text
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
Ensure auditd Collects Information on the Use of Privileged Commands
Disable GSSAPI Authentication
Disable Kerberos Authentication
Enable Use of StrictModes
Enable Use of Privilege Separation
Disable Compression Or Set Compression to delayed
Verify Permissions on SSH Server Private *_key Key Files

I am running this on RHEL 7.3 with the following OpenSCAP packages installed:
openscap-scanner-1.2.10-3.el7_3.x86_64
scap-security-guide-0.1.30-5.el7_3.noarch
openscap-1.2.10-3.el7_3.x86_64

This is the command that I'm running:
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream --tailoring-file /root/sysadmin/scap/ssg-rhel7-ds-tailoring.xml --report /root/oscap_rhel7_report_4.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Is there something that I'm doing wrong or is there a problem with the XCCDF XML file?

Jan Lieskovsky wrote:
>
> Hello,
>
> ----- Original Message -----
> > From: spammewo...@cox.net
> > To: open-scap-list@redhat.com
> > Sent: Friday, March 17, 2017 6:09:43 PM
> > Subject: [Open-scap] Anaconda Addon and Tail
> >
> > I am trying to create a kickstart file for a custom RHEL 7.3 DVD and I want
> > to use the Anaconda oscap addon. The addon works well with the default
> > setting, but I'm having an issue using it with a tailored file that I
> > created through the openscap workbench. I am getting the error messages
> > "OpenSCAP Error: Unable to open file:
> > /run/install/repo/scap/ssg-rhel7-ds.xml [scap_source.c264]" and
> > "Unrecognized document type for /run/install/repo/scap/ssg-rhel7-ds.xml
> > {oscap_source.c307]"
>
> I am guessing the issue is there because OAA tries to open a wrong /
> non-existent file (it tries "/run/install/repo/scap/ssg-rhel7-ds.xml"
> instead of "../../../../run/install/repo/scap/ssg-rhel7-ds.xml").
> >
> > Here is the addon section from my kickstart file.
> >
> > %addon org_fedora_oscap
> > content-type = scap-security-guide
> > profile = stig-rhel7-workstation-upstream
> > tailoring-path = ../../../../run/install/repo/scap/ssg-rhel7-ds.xml
> > %end
> >
> > Does anyone know what I'm doing wrong?
>
> AFAICT in the default installation, anaconda creates a chroot and mounts
> "/mnt/sysimage" as "/". If you want to use a DS file outside of the chroot, a
> simple "reference to the parent folder" won't work. You either first need to
> copy that DS file under the chroot tree. Something like here:
>
> http://www.smorgasbork.com/2012/01/04/building-a-custom-centos-7-kickstart-disc-part-4/
>
> IOW, have the %post section in two stages (in the first copy the DS file, in
> the latter use it).
>
> Another option is to put that DS file on some remotely accessible HTTP server,
> and tell OAA to fetch that DS file remotely (this might actually be an easier
> option than modifying the %post section).
>
> HTH,
> Jan

___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
Re: [Open-scap] Anaconda Addon and Tail
Hello,

----- Original Message -----
> From: spammewo...@cox.net
> To: open-scap-list@redhat.com
> Sent: Friday, March 17, 2017 6:09:43 PM
> Subject: [Open-scap] Anaconda Addon and Tail
>
> I am trying to create a kickstart file for a custom RHEL 7.3 DVD and I want
> to use the Anaconda oscap addon. The addon works well with the default
> setting, but I'm having an issue using it with a tailored file that I
> created through the openscap workbench. I am getting the error messages
> "OpenSCAP Error: Unable to open file:
> /run/install/repo/scap/ssg-rhel7-ds.xml [scap_source.c264]" and
> "Unrecognized document type for /run/install/repo/scap/ssg-rhel7-ds.xml
> {oscap_source.c307]"

I am guessing the issue is there because OAA tries to open a wrong / non-existent file (it tries "/run/install/repo/scap/ssg-rhel7-ds.xml" instead of "../../../../run/install/repo/scap/ssg-rhel7-ds.xml").

>
> Here is the addon section from my kickstart file.
>
> %addon org_fedora_oscap
> content-type = scap-security-guide
> profile = stig-rhel7-workstation-upstream
> tailoring-path = ../../../../run/install/repo/scap/ssg-rhel7-ds.xml
> %end
>
> Does anyone know what I'm doing wrong?

AFAICT in the default installation, anaconda creates a chroot and mounts "/mnt/sysimage" as "/". If you want to use a DS file outside of the chroot, a simple "reference to the parent folder" won't work. You either first need to copy that DS file under the chroot tree. Something like here:

http://www.smorgasbork.com/2012/01/04/building-a-custom-centos-7-kickstart-disc-part-4/

IOW, have the %post section in two stages (in the first copy the DS file, in the latter use it).

Another option is to put that DS file on some remotely accessible HTTP server, and tell OAA to fetch that DS file remotely (this might actually be an easier option than modifying the %post section).

HTH,
Jan
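The two-stage %post layout Jan suggests, as an added example that is not part of the thread, of the oscap Anaconda addon or of SSG: stage 1 runs in a "%post --nochroot" section while the install media is still reachable and copies the content under the target tree; stage 2 runs in a normal (chrooted) %post section and calls oscap with paths relative to the installed system, so no "../../../../" reference is needed. The media path /run/install/repo/scap, the anaconda target /mnt/sysimage and the in-chroot directory /root/sysadmin/scap are assumptions taken from paths mentioned in the thread; the file names match the datastream and tailoring file used elsewhere in it.

```shell
#!/bin/sh
# Added example (not addon/SSG code) of the two-stage %post approach.
# Assumed (hypothetical) layout: SCAP content on the install media under
# /run/install/repo/scap, anaconda installing into /mnt/sysimage.
REPO_SCAP=/run/install/repo/scap
SYSIMAGE=/mnt/sysimage

# Stage 1: body for a "%post --nochroot" section. Copies the datastream and the
# tailoring file beneath the target tree so that stage 2 can reach them once
# /mnt/sysimage has become "/". Returns 1 if the datastream is not on the media.
copy_scap_content() {
  src="$1"   # directory on the install media, e.g. $REPO_SCAP
  dst="$2"   # destination inside the target tree, e.g. $SYSIMAGE/root/sysadmin/scap
  [ -f "$src/ssg-rhel7-ds.xml" ] || { echo "missing datastream in $src" >&2; return 1; }
  mkdir -p "$dst"
  cp "$src/ssg-rhel7-ds.xml" "$src/ssg-rhel7-ds-tailoring.xml" "$dst/" || return 1
  # Content that drives remediation should be writable by root only.
  chmod 0600 "$dst"/*.xml
}

# Stage 2: body for a plain "%post" section (already chrooted), so every path
# below is relative to the installed system. Returns 0 on success, 1 if the
# content is missing, 2 if oscap is not installed in the target.
remediate_in_chroot() {
  profile="$1"; tailoring="$2"; ds="$3"; report="$4"
  [ -f "$tailoring" ] && [ -f "$ds" ] || { echo "SCAP content not found" >&2; return 1; }
  command -v oscap >/dev/null 2>&1 || { echo "oscap not installed" >&2; return 2; }
  oscap xccdf eval --remediate \
    --profile "$profile" \
    --tailoring-file "$tailoring" \
    --report "$report" \
    "$ds"
}

# Stand-alone demonstration of stage 1 on a throwaway tree (constructed input):
#   sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/repo/scap"
  echo '<Benchmark/>' > "$tmp/repo/scap/ssg-rhel7-ds.xml"
  echo '<Tailoring/>' > "$tmp/repo/scap/ssg-rhel7-ds-tailoring.xml"
  copy_scap_content "$tmp/repo/scap" "$tmp/sysimage/root/sysadmin/scap"
  ls -l "$tmp/sysimage/root/sysadmin/scap"
  rm -rf "$tmp"
fi
```

In the kickstart itself the first function body goes into "%post --nochroot" with "$REPO_SCAP" and "$SYSIMAGE/root/sysadmin/scap" as arguments, and the second into a following "%post" with "/root/sysadmin/scap/ssg-rhel7-ds-tailoring.xml" and "/root/sysadmin/scap/ssg-rhel7-ds.xml" as the chroot-relative paths; the profile id must then be the full xccdf_org.ssgproject.content_profile_... form the oscap CLI expects, not the short addon form.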
[Open-scap] Anaconda Addon and Tail
I am trying to create a kickstart file for a custom RHEL 7.3 DVD and I want to use the Anaconda oscap addon. The addon works well with the default setting, but I'm having an issue using it with a tailored file that I created through the openscap workbench. I am getting the error messages "OpenSCAP Error: Unable to open file: /run/install/repo/scap/ssg-rhel7-ds.xml [scap_source.c264]" and "Unrecognized document type for /run/install/repo/scap/ssg-rhel7-ds.xml {oscap_source.c307]"

Here is the addon section from my kickstart file.

%addon org_fedora_oscap
content-type = scap-security-guide
profile = stig-rhel7-workstation-upstream
tailoring-path = ../../../../run/install/repo/scap/ssg-rhel7-ds.xml
%end

Does anyone know what I'm doing wrong?