[rhos-list] Aqueduct and RHEL 6 etc

Saunders, Brian CIV NAWCWD, 452000D brian.saunders1 at navy.mil
Wed Feb 27 17:42:42 UTC 2013


I have started using Puppet in my labs. I would love to have the opportunity to contribute to updating the RHEL5 modules for RHEL6.

Brian Saunders
Systems Administrator
452000D
Desk: 760.939.1732
Mobile: 760.264.5750


-----Original Message-----
From: aqueduct-bounces at lists.fedorahosted.org [mailto:aqueduct-bounces at lists.fedorahosted.org] On Behalf Of Vincent Passaro
Sent: Friday, February 01, 2013 8:31
To: aqueduct at lists.fedorahosted.org
Subject: Re: Aqueduct and RHEL 6 etc

No worries :)  There is a lot of data on that page!

The RHEL 6 STIG is coming, the best part being that it's being written in the Open Source Community rather than coming out of the bunker of DISA!

R/

Vince

From: <King>, Christopher M <Christopher.M.King at boeing.com>
Reply-To: "aqueduct at lists.fedorahosted.org" <aqueduct at lists.fedorahosted.org>
Date: Wednesday, January 30, 2013 4:07 PM
To: "aqueduct at lists.fedorahosted.org" <aqueduct at lists.fedorahosted.org>
Subject: RE: Aqueduct and RHEL 6 etc



Hey thanks for the quick answers!  I don't know how I missed that RHEL5 wiki and I guess the RHEL6 was wishful thinking :)


From: aqueduct-bounces at lists.fedorahosted.org [mailto:aqueduct-bounces at lists.fedorahosted.org] On Behalf Of Vincent Passaro
Sent: Wednesday, January 30, 2013 4:03 PM
To: aqueduct at lists.fedorahosted.org
Subject: Re: Aqueduct and RHEL 6 etc


Chris,


Welcome to the list.  I have embedded my comments below:


From: <King>, Christopher M <Christopher.M.King at boeing.com>
Reply-To: "aqueduct at lists.fedorahosted.org" <aqueduct at lists.fedorahosted.org>
Date: Wednesday, January 30, 2013 3:52 PM
To: "aqueduct at lists.fedorahosted.org" <aqueduct at lists.fedorahosted.org>
Subject: Aqueduct and RHEL 6 etc


Hi,


I've been checking out the project.  I think it's great since I see a lot of people around the community writing their own scripts to do the same exact thing over and over again (even within my own company).  We are putting together a project hosted on RHEL 6.x.   These days the vast majority of our project costs are related to accreditors scrutinizing scan results and managing paperwork to document deviations so my group is trying to get smarter at scripting security hardening and we were thinking using aqueduct might be a good approach.  


I started playing around with aqueduct the other day and I have a couple of questions.   The short version is I'm trying to determine if aqueduct can be applied to RHEL6.  I know just enough Linux to be dangerous so bear with me:


1)      Is the RHEL5 STIG process under the "road map" that uses puppet still accurate?  


It worked fine for me in general but the reason I ask is I noticed more recent development on the trunk but the procedure says to grab puppet scripts from an "archive" path.


Puppet is not on the roadmap for either the RHEL 5 or RHEL 6 STIG.  If you are interested in contributing code for puppet, we can work that out!


2)      Is there a documented way to run through the bash scripts?  


I saw the aqueduct script at the root of the trunk.  Out of curiosity, I tried pulling down a copy of the entire trunk onto a CentOS load I had on a vm (I didn't have RHEL handy at home).  By messing around with the paths in the aqueduct.conf file and copying some files to /etc I actually got it to run through the STIG bash scripts by invoking the high level "aqueduct" script.  I think I had to hack around the fact that the only thing currently under /profiles/DISA folder was "firefox" and "rhel-5-beta" and I was actually trying to run the "rhel-5" bash scripts at the time.  I didn't see a walk through on the site so I don't know if I'm on the right path here.


Check the Wiki; we have how-to guides.


https://fedorahosted.org/aqueduct/wiki/Rhel5DraftStigGettingStarted


3)      Is there a preferred language for running the lockdown (e.g. puppet over bash)? 


Just wondering if one is considered more mature or less buggy since I see both being worked on.


Right now it's Bash.  If the community starts really adopting Puppet and wants to contribute code, we can look at shifting from Bash to Puppet (or have both).


4)      What's the state of the RHEL 6 STIG support?  I'm guessing a lot of the RHEL 5 work will port directly over to RHEL 6 when the STIG gets officially published but have you guys tried this yet?  Or is there already an established way to apply aqueduct to RHEL 6 that I missed?


As we know, the RHEL 6 STIG isn't final yet.  You can check out our sister project SCAP Security Guide https://fedorahosted.org/scap-security-guide/

We have some content right now for the impending RHEL 6 STIG, but no direct mapping has occurred.  Once DISA accepts the Draft version and releases it, development will begin.


I know the STIG still hasn't been officially released but my group had already committed to using RHEL6 over a year ago thinking it would be released by now (we are working with a pre-release draft copy).  But I was browsing around the source tree and I found a few RHEL 6 bash scripts in the works.  Again out of curiosity, I tried running the RHEL 5 STIG scripts against a CentOS 6 load just to see what would happen.  I also loaded the latest version of EPEL I could find (6.8 I think).  I noticed some of the scripts reference the RHEL version file (/etc/redhat-release) so I faked one to indicate RHEL6 since I was using CentOS 6.  I called the aqueduct script to invoke the RHEL 5 STIG bash scripts then I manually invoked all the RHEL 6 STIG bash scripts.  I spot checked a few STIG related settings that I happened to remember on my CentOS 6.3 vm and I was pleased to discover they had all been implemented the way I expected despite the OS mismatch (5 vs 6).  So that was kind of promising.


Outside of the OS differences the RHEL 5 STIG and the RHEL 6 STIG are going to be pretty different, so trying to jackhammer RHEL 5 scripts onto a RHEL 6 box isn't going to go very well.


Anyways, I'm looking forward to integrating aqueduct with our work in the future.


Thanks,

Chris
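Vince's warning above about running RHEL 5 scripts on a RHEL 6 box, and Chris's observation that the scripts consult /etc/redhat-release, point at a simple pre-flight guard. The script below is an added example written for this thread, not aqueduct's own code; the function names and the "rhel-N" profile naming are assumptions.

```shell
#!/bin/sh
# Hypothetical pre-flight guard for a hardening run (example added here; not
# part of aqueduct). It pulls the major version out of a redhat-release string
# and refuses to apply a profile built for a different major release, so a
# "rhel-5" profile is not applied to a RHEL 6 / CentOS 6 host by accident.

# Print the major version found in a redhat-release line ($1), e.g.
# "Red Hat Enterprise Linux Server release 6.3 (Santiago)" -> 6,
# "CentOS release 5.9 (Final)" -> 5. Returns 1 if nothing parses.
rhel_major_version() {
    major=$(printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p')
    [ -n "$major" ] || return 1
    printf '%s\n' "$major"
}

# Return 0 when profile $1 (assumed naming: rhel-5, rhel-6, ...) targets the
# same major release as the redhat-release line in $2, otherwise 1.
profile_matches_host() {
    profile=$1
    release_line=$2
    want=$(printf '%s\n' "$profile" | sed -n 's/^rhel-\([0-9][0-9]*\).*/\1/p')
    have=$(rhel_major_version "$release_line") || return 1
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Entry point for a real run: check the live host, then let the caller
# continue only if the profile fits. Usage: guard_or_exit rhel-6
guard_or_exit() {
    release_line=$(cat /etc/redhat-release 2>/dev/null) || {
        echo "cannot read /etc/redhat-release; refusing to continue" >&2
        exit 2
    }
    if ! profile_matches_host "$1" "$release_line"; then
        echo "profile $1 does not match host release: $release_line" >&2
        exit 1
    fi
}
```

The guard trusts whatever /etc/redhat-release says, so a hand-edited release file like the one Chris describes passes it; it protects against mistakes, not against someone deliberately running the wrong profile.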

