[Open-scap] Anaconda Addon and Tail

Jan Lieskovsky jlieskov at redhat.com
Fri Mar 24 09:32:18 UTC 2017


Hello,

----- Original Message -----
> From: spammewoods at cox.net
> To: "Jan Lieskovsky" <jlieskov at redhat.com>
> Cc: open-scap-list at redhat.com
> Sent: Tuesday, March 21, 2017 8:09:59 PM
> Subject: Re: [Open-scap] Anaconda Addon and Tail
> 
> Hello Jan,
> 
> Thanks for the reply and the web link. I have decided to use the oscap
> command line tool instead of the built-in Anaconda addon. This seems to
> work with the two stage installation.
> 
> I am using the stig-rhel7-workstation-upstream profile and I have run into a
> few problems with the remediation.  Several of the Rules do not make any of
> the changes.   Here is a list of the Rules that don't work:
> Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
> Set Password to Maximum of Consecutive Repeating Characters from Same
> Character Class
> Set Interactive Session Timeout
> Enable GNOME3 Login Warning Banner
> Set the GNOME3 Login Warning Banner Text
> Configure Kernel Parameter for Accepting Source-Routed Packets for All
> Interfaces
> Ensure auditd Collects Information on the Use of Privileged Commands
> Disable GSSAPI Authentication
> Disable Kerberos Authentication
> Enable Use of StrictModes
> Enable Use of Privilege Separation
> Disable Compression Or Set Compression to delayed
> Verify Permissions on SSH Server Private *_key Key Files

Yes. This actually looks like the scan is already possible to perform (IOW it's
working correctly).

> 
> I am running this on RHEL 7.3 with the following open scap packages
> installed:
> openscap-scanner-1.2.10-3.el7_3.x86_64
> scap-security-guide-0.1.30-5.el7_3.noarch
> openscap-1.2.10-3.el7_3.x86_64
> 
> This is the command that I'm running:  oscap xccdf eval --remediate --profile
> xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream
> --tailoring-file /root/sysadmin/scap/ssg-rhel7-ds-tailoring.xml --report
> /root/oscap_rhel7_report_4.html
> /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
> 
> Is there something that I'm doing wrong or is there a problem with the XCCDF
> XML file ?

I can't see an obvious issue in the aforementioned command (though it actually looks
like you have modified the original / default workstation benchmark to contain / scan
against just selected rules - but this is OK!).

There are three possible reasons for the above behaviour:
* Either something changed on the system, and the remediation (corrective script)
  which was working before isn't working correctly now for some reason,
* The remediation isn't present / available at all,
* The remediation is both available and working correctly (according to the rule
  description / requirements), but the corresponding OVAL check (read: the scan mechanism)
  checks / expects something else.

I have filed an RFE for oscap to be able to tell during the scan, when online
remediation is requested, which of the rules are missing a remediation script:
* https://github.com/OpenSCAP/openscap/issues/712

So seeing output like the above, the user is able to tell which rules are missing remediations.

For these rules the remediations would still need to be implemented (the expected
AI from you is to file these issues [Missing remediation for ... rule] upstream).
They might be missing because so far no one has tried that combination of rules.

For the cases where a remediation is present but a re-scan after the fix still returns
"Fail", they (or the corresponding OVALs) need to be re-inspected to verify they work
properly (but again this is to be done after the upstream issue has been created).

Also be sure to check 0.1.31 behaviour:
* https://github.com/OpenSCAP/scap-security-guide/releases

I can't see any mention of those rules in the Remediation scripts section of the Release
Notes, thus it's possible it will behave the same way. But the sooner these issues are
reported upstream, the higher the chance they will be addressed in (some of) the upcoming
SSG releases.

>  
> ---- Jan Lieskovsky <jlieskov at redhat.com> wrote:
> > 
> > Hello,
> > 
> > ----- Original Message -----
> > > From: spammewoods at cox.net
> > > To: open-scap-list at redhat.com
> > > Sent: Friday, March 17, 2017 6:09:43 PM
> > > Subject: [Open-scap] Anaconda Addon and Tail
> > > 
> > > I am trying to create a kickstart file for a custom RHEL 7.3 DVD and I
> > > want
> > > to use the Anaconda oscap addon.    The addon works well with the default
> > > setting,  but I'm having an issue using it with a tailored file that I
> > > created through the openscap workbench.    I am getting the error
> > > messages
> > > "OpenSCAP Error: Unable to open file:
> > > /run/install/repo/scap/ssg-rhel7-ds.xml [scap_source.c264]"  and
> > > "Unrecognized document type for /run/install/repo/scap/ssg-rhel7-ds.xml
> > > [oscap_source.c307]"
> > 
> > I am guessing the issue is there, because OAA tries to open wrong /
> > non-existent file (it tries "/run/install/repo/scap/ssg-rhel7-ds.xml"
> > instead of "../../../../run/install/repo/scap/ssg-rhel7-ds.xml")
> > 
> > > 
> > > Here is the addon section from my kickstart file.
> > > 
> > > %addon org_fedora_oscap
> > >     content-type = scap-security-guide
> > >     profile = stig-rhel7-workstation-upstream
> > >     tailoring-path = ../../../../run/install/repo/scap/ssg-rhel7-ds.xml
> > > %end
> > > 
> > > Does anyone know what I'm doing wrong ?
> > 
> > AFAICT in the default installation, anaconda creates chroot and mounts
> > "/mnt/sysimage" as "/". If you want to use DS file outside of chroot,
> > simple
> > "reference to parent folder" won't work. You either first need to copy that
> > DS
> > file under the chroot tree. Something like here:
> >   http://www.smorgasbork.com/2012/01/04/building-a-custom-centos-7-kickstart-disc-part-4/
> > 
> > IOW have the %post section to have two stages (in first copy the DS file,
> > in the
> > latter use it).
> > 
> > Another option is to put that DS file on some remotely accessible HTTP
> > server, and tell OAA to fetch that DS file remotely (this might actually be
> > an easier option than modifying the %post section).
> > 
> > > 
> > 

HTH, Jan
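The two-stage %post that the earlier reply describes, written out as an added example (it is not from the thread, from the Anaconda OSCAP addon or from SSG). Stage 1 runs with --nochroot, so both the install media at /run/install/repo and the target root at /mnt/sysimage (the two paths named in the thread) are visible, and it copies the tailoring file under the target tree. Stage 2 runs chrooted into the target and invokes the same oscap command the user posted, now pointing at the staged copy. The directory /root/scap, the log file names and the kickstart section options are assumptions; the content DS and the oscap binary only exist in stage 2 if scap-security-guide and openscap-scanner are in %packages.

```kickstart
%packages
openscap-scanner
scap-security-guide
%end

# Stage 1 (outside the chroot): /run/install/repo is the install media,
# /mnt/sysimage is the future "/". Copy the tailoring next to the target root.
%post --nochroot --log=/mnt/sysimage/root/scap-stage.log
set -e
install -d -m 0700 /mnt/sysimage/root/scap
cp /run/install/repo/scap/ssg-rhel7-ds-tailoring.xml /mnt/sysimage/root/scap/
%end

# Stage 2 (inside the chroot): the DS is the one shipped by scap-security-guide,
# the tailoring is the copy staged above. No 'set -e' here: oscap exits 2 when
# any rule still fails after remediation, which must not abort the install.
%post --log=/root/scap-remediate.log
oscap xccdf eval --remediate \
    --profile xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream \
    --tailoring-file /root/scap/ssg-rhel7-ds-tailoring.xml \
    --report /root/oscap_rhel7_report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
%end
```

If the addon route is kept instead, the same staging applies: the addon cannot follow a `../../../../run/install/...` path out of the chroot, so whatever it is given must already be under /mnt/sysimage (or be fetched over HTTP, as the reply suggests).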

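Until oscap itself reports which rules lack a remediation (the RFE linked above), the same information can be read out of the XCCDF content. The script below is an added example, not code from the thread, OpenSCAP or SSG: it resolves the rules a profile selects, follows a tailoring profile's `extends` chain so that tailoring overrides the base profile, and lists the selected rules that carry no `<fix>` element (optionally only fixes of one system, e.g. `urn:xccdf:fix:script:sh`). The benchmark and tailoring documents, the `xccdf_example_*` rule ids and the `_customized` profile id are constructed samples; the real profile id is the one from the user's command. To use it on the real content, read `/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml` and the tailoring file from disk and pass their text; the Benchmark nested inside the data stream is found by `iter()`. Group-level selects and `refine-*` elements are not modelled, so treat the output as a first pass to confirm against the scan report.

```python
"""List the rules an XCCDF profile selects that carry no <fix> (remediation).

Added example, not code from the original thread, OpenSCAP or SSG. Assumes
XCCDF 1.2 (the namespace SSG data streams use); the benchmark and tailoring
below are constructed samples, and rule ids / titles are illustrative only.
"""
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"
PROFILE = "xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream"
TAILORED_PROFILE = PROFILE + "_customized"  # hypothetical id of the tailored profile

SAMPLE_BENCHMARK = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream">
    <select idref="xccdf_example_rule_sshd_use_strictmodes" selected="true"/>
    <select idref="xccdf_example_rule_sshd_use_priv_separation" selected="true"/>
    <select idref="xccdf_example_rule_sshd_disable_gssapi_auth" selected="true"/>
  </Profile>
  <Rule id="xccdf_example_rule_sshd_use_strictmodes" selected="false">
    <title>Enable Use of StrictModes</title>
    <fix system="urn:xccdf:fix:script:sh">echo 'StrictModes yes' &gt;&gt; /etc/ssh/sshd_config</fix>
  </Rule>
  <Rule id="xccdf_example_rule_sshd_use_priv_separation" selected="false">
    <title>Enable Use of Privilege Separation</title>
  </Rule>
  <Rule id="xccdf_example_rule_sshd_disable_gssapi_auth" selected="false">
    <title>Disable GSSAPI Authentication</title>
  </Rule>
  <Rule id="xccdf_example_rule_sshd_disable_kerb_auth" selected="false">
    <title>Disable Kerberos Authentication</title>
  </Rule>
</Benchmark>
"""

SAMPLE_TAILORING = """<?xml version="1.0"?>
<Tailoring xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring">
  <Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream_customized"
           extends="xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream">
    <select idref="xccdf_example_rule_sshd_disable_gssapi_auth" selected="false"/>
    <select idref="xccdf_example_rule_sshd_disable_kerb_auth" selected="true"/>
  </Profile>
</Tailoring>
"""


def _profiles(*roots):
    """Map profile id -> Profile element across the benchmark and any tailoring."""
    found = {}
    for root in roots:
        if root is not None:
            for prof in root.iter(XCCDF + "Profile"):
                found[prof.get("id")] = prof
    return found


def _profile_chain(profiles, profile_id):
    """Follow 'extends' from profile_id; returns [base, ..., profile_id]."""
    chain, seen, current = [], set(), profile_id
    while current is not None:
        if current in seen:
            raise ValueError("cyclic extends at " + current)
        if current not in profiles:
            raise KeyError("profile not found: " + current)
        seen.add(current)
        chain.append(profiles[current])
        current = profiles[current].get("extends")
    return chain[::-1]


def selected_rules(benchmark_root, profile_id, tailoring_root=None):
    """Return {rule id: Rule element} for the rules the (tailored) profile selects."""
    rules = {r.get("id"): r for r in benchmark_root.iter(XCCDF + "Rule")}
    # Simplification: start from each Rule's own 'selected' default (XCCDF
    # default is true); Group-level selects and refine-* elements are ignored.
    state = {rid: r.get("selected", "true") == "true" for rid, r in rules.items()}
    for prof in _profile_chain(_profiles(benchmark_root, tailoring_root), profile_id):
        for sel in prof.findall(XCCDF + "select"):  # later profiles override earlier
            rid = sel.get("idref")
            if rid in state:  # selects naming groups or unknown ids are skipped
                state[rid] = sel.get("selected") == "true"
    return {rid: rules[rid] for rid, on in state.items() if on}


def rules_missing_fix(benchmark_xml, profile_id, tailoring_xml=None, fix_system=None):
    """Sorted (id, title) of selected rules with no <fix> (optionally of one system)."""
    benchmark_root = ET.fromstring(benchmark_xml)  # a data-stream root works as well
    tailoring_root = ET.fromstring(tailoring_xml) if tailoring_xml else None
    missing = []
    for rid, rule in selected_rules(benchmark_root, profile_id, tailoring_root).items():
        fixes = rule.findall(XCCDF + "fix")
        if fix_system is not None:
            fixes = [f for f in fixes if f.get("system") == fix_system]
        if not fixes:
            missing.append((rid, rule.findtext(XCCDF + "title", default="")))
    return sorted(missing)


if __name__ == "__main__":
    for rid, title in rules_missing_fix(SAMPLE_BENCHMARK, TAILORED_PROFILE, SAMPLE_TAILORING):
        print("no remediation: %s (%s)" % (rid, title))
```

On the sample data the tailored profile deselects the GSSAPI rule and adds the Kerberos one, so the report names the privilege-separation and Kerberos rules. Each rule that comes out of this on real content is a candidate for the "[Missing remediation for ... rule]" upstream issue the reply asks for; rules that do have a fix but still fail after `--remediate` fall under the other two reasons listed above.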