Hi Robert

On 02/16/2017 03:15 PM, Robert Sanders wrote:
> Updating with some extra testing - crossposted from the
> scap-security-guide list....
>   The initial work I was doing was just using a floppy to provide both
> the kickstart and the tailoring file from scap-workbench.  We've
> migrated to having a full bootable ISO remastered from the RHEL 7.3
> install media instead, with our tailoring file added as an extra RPM to
> be installed.  I finally managed some syntax on the oscap addon that
> didn't raise an exception using this:
> %addon org_fedora_oscap
>   content-type = scap-security-guide
>   profile = ospp-rhel7-server
>   tailoring-path = ../../usr/share/xml/scap/custom/tailoring.xml
> %end
> But after the system installs my modified banner is not present.
>  Looking at the logs it appears that the tailoring path was completely
> ignored.  I re-installed the system and dropped to one of the alternate
> windows to see exactly what oscap command was being executed and it was
> this:
> oscap xccdf eval --remediate
> --results=/root/openscap_data/eval_remediate_results.xml
> --profile=ospp-rhel7-server
> tailoring-file=/usr/share/xml/scap/custom/tailoring.xml
> /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
Is this a typo or are you using --tailoring-file without double dashes?
> While it runs apparently without error messages - I've noticed several
> things:
>   1) my tailoring is never used - just the steps from the profile
>   2) it looks like some of the 'kickstart actions' are not being done -
> if I understand the USGCB profile, it has an action for installing the
> 'screen' package if needed, but this is not happening at kickstart.  I
> just found a bug in the oscap anaconda addon
> (https://github.com/OpenSCAP/oscap-anaconda-addon/issues/16)  that seems
> to confirm this, at least for RHEL 7.3 which we are using.
>   3) If I run the above command from a 'live' system (with or without
> the tailoring line) it still ignores the tailoring and a quick
> message is displayed - 'This content points out to the remote resources.
> Use `--fetch-remote-resources` option to download them.'  If I provide
> an incorrect filename for the tailoring it does error without doing any
> other actions.  
> So far the only way I've been able to have my tailoring file used is to
> use a command similar to what scap-workbench displays in the 'dry-run'
> option - and that command uses the datastream flavor of commands not the
> xccdf flavor.  
> So it seems if I want to have tailoring done using the plugin I have to
> use the datastream content, which I can't because these systems will be
> totally isolated at configuration.   
> None of this is a hard show-stopper, but it means that the oscap plugin
> is not usable as it stands.  Right now I don't have time to delve deeper
> into the plugin (although I have pulled the source to try and understand
> it better).  
> -Rob
>
> *From:* open-scap-list-boun...@redhat.com
> [open-scap-list-boun...@redhat.com] on behalf of Robert Sanders
> [rsand...@forcepoint.com]
> *Sent:* Friday, February 10, 2017 10:50 AM
> *To:* open-scap-list@redhat.com
> *Subject:* EXTERNAL: [Open-scap] Kickstart with SCAP tailoring
> Morning all,
>   Have a quick question - I'm looking at using a kickstart file to
> automate our OS install, but I also want to use the SCAP plugin to
> handle the initial lockdown of our images.  Looking at the
> 'tailoring-path' option to the anaconda plugin looks promising, but the
> docs indicate that the path for this option is relative to the archive
> being used.  Is there a way to specify the path so that it will use the path
> from the 'floppy' image I'm using (currently booting by adding "linux
> ks=hd:fd0:ks.cfg"), or do I need to stand everything up as an
> http/https/ftp server and reference the SCAP contents and my tailoring
> file that way?
> -Rob

Raphael Sanchez Prudencio
Security Technologies | Red Hat, Inc.
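The symptom in the thread (a `tailoring-file=...` token without the leading `--` that oscap neither rejects nor honours) can be caught before the kickstart is burned into an ISO. The following linter is an added example, not part of the mail or of OpenSCAP; it only inspects the `oscap xccdf eval` command line quoted above and assumes the last argument is the input content file.

```python
import shlex

# Command line observed on the installed system, copied from the mail above.
OBSERVED = (
    "oscap xccdf eval --remediate "
    "--results=/root/openscap_data/eval_remediate_results.xml "
    "--profile=ospp-rhel7-server "
    "tailoring-file=/usr/share/xml/scap/custom/tailoring.xml "
    "/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml"
)


def lint_oscap_eval(cmdline):
    """Return a list of problems found in an 'oscap xccdf eval' command line.

    Every argument except the final one (the XCCDF input) is expected to be
    an option.  A 'name=value' token without the leading '--' is exactly the
    symptom seen in the thread: oscap does not reject it, it simply is not an
    option, so the tailoring is never applied.
    """
    argv = shlex.split(cmdline)
    if argv[:3] != ["oscap", "xccdf", "eval"]:
        return ["not an 'oscap xccdf eval' command line"]
    args = argv[3:]
    if not args or args[-1].startswith("-"):
        return ["no input XCCDF file given as the last argument"]
    problems = []
    for tok in args[:-1]:
        if "=" in tok and not tok.startswith("-"):
            name = tok.split("=", 1)[0]
            problems.append(f"'{tok}' is not an option: did you mean '--{name}=...'?")
    if not any(tok.startswith("--tailoring-file") for tok in args[:-1]):
        problems.append("no --tailoring-file option: the profile will run untailored")
    return problems


def fix_missing_dashes(cmdline):
    """Return the command line with '--' prepended to bare 'name=value' tokens."""
    argv = shlex.split(cmdline)
    if len(argv) < 4:
        return cmdline
    fixed = list(argv[:3])
    for tok in argv[3:-1]:
        if "=" in tok and not tok.startswith("-"):
            tok = "--" + tok
        fixed.append(tok)
    fixed.append(argv[-1])
    return " ".join(shlex.quote(t) for t in fixed)


if __name__ == "__main__":
    for problem in lint_oscap_eval(OBSERVED):
        print("PROBLEM:", problem)
    print("corrected:", fix_missing_dashes(OBSERVED))
```

Run against the observed command it reports the bare `tailoring-file=` token and the absent `--tailoring-file`; the corrected line lints clean.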
