Re: [Open-scap] question on addon_fedora_oscap
Another option, and one we're using right now for generating a production installation ISO, is to apply the profile near the end of the %post section in our kickstart.

-Rob

--
ROBERT SANDERS
Sr. Secure Systems Engineer
FORCEPOINT
T +1.703.896.4762
F +1.703.318.5041
www.forcepoint.com
FORWARD WITHOUT FEAR

On 10/4/18, 10:44 AM, "open-scap-list-boun...@redhat.com on behalf of Shawn Wells" wrote:

On 10/4/18 3:05 AM, Jan Cerny wrote:
> Hi,
>
> Unfortunately, the "tailoring" feature is broken in Anaconda Addon.
>
> However, there is a workaround, suggested by Watson Yuuma Sato (adding him to this conversation).
> Let me copy-paste his idea:
>
> There is a tool that can combine the tailoring to the datastream or XCCDF file. So it is possible
> to embed the tailoring into content file and get it through "content-url" field.
>
> Quick howto commands and instructions below:
> Grab the combine-tailoring tool
> $ git clone https://github.com/mpreisler/combine-tailoring.git
> cd combine-tailoring
>
> Combine tailoring and content
> ./combine-tailoring.py --output ssg-rhel7-ds-combined.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml ssg-rhel7-ds-standard-tailoring.xml
>
> Serve the file ssg-rhel7-ds-combined.xml in your network, and
> in the kickstart:
> - change content-type to datastream or xccdf
> - add field content-url and point to your new combined content
> - change profile to the id of your customized profile, please note that it must be the full id.
>
> For example:
> %addon org_fedora_oscap
> content-type = datastream
> content-url = http://192.168.0.2/content/ssg-rhel7-ds-combined.xml
> profile = xccdf_org.ssgproject.content_profile_standard_customized
> %end
>
>
> Hopefully it helps.

Where can we find the BZ tracking fixing tailoring in Anaconda? Will this be included in the RHEL 7.6 release?

Also - where can we find the KBase article documenting the work around on the customer portal?
___
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list
Re: [Open-scap] question on addon_fedora_oscap
On 10/4/18 3:05 AM, Jan Cerny wrote:
> Hi,
>
> Unfortunately, the "tailoring" feature is broken in Anaconda Addon.
>
> However, there is a workaround, suggested by Watson Yuuma Sato (adding him to this conversation).
> Let me copy-paste his idea:
>
> There is a tool that can combine the tailoring to the datastream or XCCDF file. So it is possible
> to embed the tailoring into content file and get it through "content-url" field.
>
> Quick howto commands and instructions below:
> Grab the combine-tailoring tool
> $ git clone https://github.com/mpreisler/combine-tailoring.git
> cd combine-tailoring
>
> Combine tailoring and content
> ./combine-tailoring.py --output ssg-rhel7-ds-combined.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml ssg-rhel7-ds-standard-tailoring.xml
>
> Serve the file ssg-rhel7-ds-combined.xml in your network, and
> in the kickstart:
> - change content-type to datastream or xccdf
> - add field content-url and point to your new combined content
> - change profile to the id of your customized profile, please note that it must be the full id.
>
> For example:
> %addon org_fedora_oscap
> content-type = datastream
> content-url = http://192.168.0.2/content/ssg-rhel7-ds-combined.xml
> profile = xccdf_org.ssgproject.content_profile_standard_customized
> %end
>
> Hopefully it helps.

Where can we find the BZ tracking fixing tailoring in Anaconda? Will this be included in the RHEL 7.6 release?

Also - where can we find the KBase article documenting the work around on the customer portal?
Re: [Open-scap] question on addon_fedora_oscap
Hi,

Unfortunately, the "tailoring" feature is broken in Anaconda Addon.

However, there is a workaround, suggested by Watson Yuuma Sato (adding him to this conversation).
Let me copy-paste his idea:

There is a tool that can combine the tailoring to the datastream or XCCDF file. So it is possible
to embed the tailoring into content file and get it through "content-url" field.

Quick howto commands and instructions below:
Grab the combine-tailoring tool
$ git clone https://github.com/mpreisler/combine-tailoring.git
cd combine-tailoring

Combine tailoring and content
./combine-tailoring.py --output ssg-rhel7-ds-combined.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml ssg-rhel7-ds-standard-tailoring.xml

Serve the file ssg-rhel7-ds-combined.xml in your network, and
in the kickstart:
- change content-type to datastream or xccdf
- add field content-url and point to your new combined content
- change profile to the id of your customized profile, please note that it must be the full id.

For example:
%addon org_fedora_oscap
content-type = datastream
content-url = http://192.168.0.2/content/ssg-rhel7-ds-combined.xml
profile = xccdf_org.ssgproject.content_profile_standard_customized
%end

Hopefully it helps.

Regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "MARK D CTR USAF AFMC 412 RANS ROSS/JT4"
> To: open-scap-list@redhat.com
> Sent: Thursday, October 4, 2018 2:02:51 AM
> Subject: [Open-scap] question on addon_fedora_oscap
>
> Hi
> I hope this is the right place to ask this? I am not finding much help with
> the documents. My goal is to build virtual systems that are scapped and using
> the kickstart Anaconda Addon to automate the scapping process. Everything is
> working except for the "tailoring-path". I have created a tailoring.xml file
> and I don't understand how to fetch the tailoring.xml file
>
> From the DOCS
> tailoring-path - Path of the tailoring file that should be used, given as a
> relative path in the archive.
>
> So if the tailoring-path must be in an archive, does the content-type have to
> be "archive"? If so then what type of archive? tar? rpm?
> I am fetching everything over the network so what would be my best option?
> Can anyone direct me to an example of this?
> thanks
>
> %addon org_fedora_oscap
> content-type = datastream
> content-url = http://adaps-f1/scap/ssg-centos7-ds.xml
> datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
> xccdf-id = scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
> profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
> tailoring-path = http://adaps-f1/scap/ssg-centos7-ds-tailoring.xml
> %end
[Open-scap] question on addon_fedora_oscap
Hi
I hope this is the right place to ask this? I am not finding much help with
the documents. My goal is to build virtual systems that are scapped and using
the kickstart Anaconda Addon to automate the scapping process. Everything is
working except for the "tailoring-path". I have created a tailoring.xml file
and I don't understand how to fetch the tailoring.xml file

From the DOCS
tailoring-path - Path of the tailoring file that should be used, given as a
relative path in the archive.

So if the tailoring-path must be in an archive, does the content-type have to
be "archive"? If so then what type of archive? tar? rpm?
I am fetching everything over the network so what would be my best option?
Can anyone direct me to an example of this?
thanks

%addon org_fedora_oscap
content-type = datastream
content-url = http://adaps-f1/scap/ssg-centos7-ds.xml
datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml
xccdf-id = scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
profile = xccdf_org.ssgproject.content_profile_stig-rhel7-disa
tailoring-path = http://adaps-f1/scap/ssg-centos7-ds-tailoring.xml
%end