Hello Jan,

Thanks for the reply and the web link. I have decided to use the oscap
command line tool instead of the built-in Anaconda addon. This seems to work
with the two stage installation.

I am using the stig-rhel7-workstation-upstream profile and I have run into a
few problems with the remediation. Several of the Rules do not make any of the
changes. Here is a list of the Rules that don't work:

Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
Set Password to Maximum of Consecutive Repeating Characters from Same Character Class
Set Interactive Session Timeout
Enable GNOME3 Login Warning Banner
Set the GNOME3 Login Warning Banner Text
Configure Kernel Parameter for Accepting Source-Routed Packets for All Interfaces
Ensure auditd Collects Information on the Use of Privileged Commands
Disable GSSAPI Authentication
Disable Kerberos Authentication
Enable Use of StrictModes
Enable Use of Privilege Separation
Disable Compression Or Set Compression to delayed
Verify Permissions on SSH Server Private *_key Key Files

I am running this on RHEL 7.3 with the following OpenSCAP packages installed:
openscap-scanner-1.2.10-3.el7_3.x86_64
scap-security-guide-0.1.30-5.el7_3.noarch
openscap-1.2.10-3.el7_3.x86_64

This is the command that I'm running:

oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream --tailoring-file /root/sysadmin/scap/ssg-rhel7-ds-tailoring.xml --report /root/oscap_rhel7_report_4.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Is there something that I'm doing wrong or is there a problem with the XCCDF
XML file?
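One way to find out which rules the remediation pass actually left unfixed, rather than reading the HTML report rule by rule, is to run oscap with --results and then pull the rule-results that are still "fail" or "error" out of the XCCDF results file. The script below is an added example, not code from this thread or from the OpenSCAP project: run_remediation mirrors the poster's command with --results added (the paths are the poster's and are hypothetical elsewhere), sample_results is a constructed stand-in for the TestResult section oscap writes, with placeholder rule ids, and unremediated_rules is a small awk filter over that document.

```shell
#!/bin/sh
# Added example (not from the thread): after
#   oscap xccdf eval --remediate --results FILE ...
# list the rules whose remediation did not take, i.e. whose rule-result is
# still "fail" or "error" in the XCCDF results file. The results document in
# sample_results is constructed for offline use; its rule ids are placeholders.

# Run the remediation with --results so the per-rule outcome is kept.
# Same command as in the post with --results added; the file paths are the
# poster's and are an assumption on any other system.
run_remediation() {
    results_file=$1
    oscap xccdf eval --remediate \
        --profile xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream \
        --tailoring-file /root/sysadmin/scap/ssg-rhel7-ds-tailoring.xml \
        --results "$results_file" \
        --report /root/oscap_rhel7_report.html \
        /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
}

# Constructed sample of the TestResult element oscap writes. A rule that was
# remediated in place shows "fixed"; "fail" and "error" mean the fix did not apply.
sample_results() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult">
  <rule-result idref="xccdf_example_rule_sshd_strictmodes" time="2017-03-20T10:00:00">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_sshd_compression" time="2017-03-20T10:00:00">
    <result>error</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_ctrlaltdel" time="2017-03-20T10:00:00">
    <result>fixed</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_sshd_gssapi" time="2017-03-20T10:00:00">
    <result>pass</result>
  </rule-result>
</TestResult>
EOF
}

# Read an XCCDF results document on stdin and print one idref per line for
# every rule whose result is fail or error. Remembers the idref of the most
# recent <rule-result> and prints it when the following <result> is bad.
unremediated_rules() {
    awk '
        /<rule-result[ >]/ {
            if (match($0, /idref="[^"]*"/))
                id = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /<result>(fail|error)<\/result>/ { print id }
    '
}

# Number of rules left unremediated (stdin: results document).
unremediated_count() {
    unremediated_rules | wc -l | tr -d ' '
}

# With a results file as argument, report on it; otherwise demonstrate on the sample.
if [ "$#" -eq 1 ] && [ -r "$1" ]; then
    unremediated_rules < "$1"
else
    echo "Rules still failing in the constructed sample results:"
    sample_results | unremediated_rules
fi
```

On a real system the flow is run_remediation /root/oscap_results.xml followed by unremediated_rules < /root/oscap_results.xml; a rule that shows "error" rather than "fail" usually means the fix script itself did not run cleanly, which is worth checking before suspecting the data stream.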
 
---- Jan Lieskovsky <[email protected]> wrote: 
> 
> Hello,
> 
> ----- Original Message -----
> > From: [email protected]
> > To: [email protected]
> > Sent: Friday, March 17, 2017 6:09:43 PM
> > Subject: [Open-scap] Anaconda Addon and Tail
> > 
> > I am trying to create a kickstart file for a custom RHEL 7.3 DVD and I want
> > to use the Anaconda oscap addon.    The addon works well with the default
> > setting,  but I'm having an issue using it with a tailored file that I
> > created through the openscap workbench.    I am getting the error messages
> > "OpenSCAP Error: Unable to open file:
> > /run/install/repo/scap/ssg-rhel7-ds.xml [scap_source.c264]"  and
> > "Unrecognized document type for /run/install/repo/scap/ssg-rhel7-ds.xml
> > {oscap_source.c307]"
> 
> I am guessing the issue is there because OAA tries to open the wrong /
> non-existent file (it tries "/run/install/repo/scap/ssg-rhel7-ds.xml"
> instead of "../../../../run/install/repo/scap/ssg-rhel7-ds.xml").
> 
> > 
> > Here is the addon section from my kickstart file.
> > 
> > %addon org_fedora_oscap
> >     content-type = scap-security-guide
> >     profile = stig-rhel7-workstation-upstream
> >     tailoring-path = ../../../../run/install/repo/scap/ssg-rhel7-ds.xml
> > %end
> > 
> > Does anyone know what I'm doing wrong ?
> 
> AFAICT in the default installation, anaconda creates a chroot and mounts
> "/mnt/sysimage" as "/". If you want to use a DS file outside of the chroot, a simple
> "reference to parent folder" won't work. You first need to copy that DS
> file under the chroot tree. Something like here:
>
> http://www.smorgasbork.com/2012/01/04/building-a-custom-centos-7-kickstart-disc-part-4/
>
> IOW, have the %post section in two stages (in the first copy the DS file, in
> the latter use it).
>
> Another option is to put that DS file on some remotely accessible HTTP server,
> and tell OAA to fetch that DS file remotely (this might actually be the easier
> option than modifying the %post section).
> 
> > 
> > _______________________________________________
> > Open-scap-list mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/open-scap-list
> > 
> 
> HTH, Jan
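The two-stage %post Jan describes, written out as an added example kickstart fragment (not from this thread or from the linked page): the first stage runs with --nochroot, where the install media is at /run/install/repo and the target system is mounted at /mnt/sysimage, and copies the files across; the second stage runs chrooted into the installed system and invokes oscap there. The media path /run/install/repo/scap is Jan's; the tailoring file name and the /root/sysadmin/scap target directory are taken from the oscap command in the post and are assumptions for any other layout. It also assumes openscap-scanner and scap-security-guide are in %packages so that the packaged data stream is present in the chroot.

```kickstart
# Added example, not from the thread: two-stage %post that copies the
# tailoring file from the install media into the target system before
# running oscap inside it. Paths are assumptions based on the post.

# Stage 1: no chroot. The install media is at /run/install/repo and the
# installed system at /mnt/sysimage, so a plain copy bridges the two.
%post --nochroot --log=/mnt/sysimage/root/oscap-stage1.log
mkdir -p /mnt/sysimage/root/sysadmin/scap
cp /run/install/repo/scap/ssg-rhel7-ds-tailoring.xml /mnt/sysimage/root/sysadmin/scap/
%end

# Stage 2: chrooted into the installed system, so the file copied above is
# visible under /root/sysadmin/scap and the packaged data stream under
# /usr/share/xml/scap/ssg/content. --results keeps the per-rule outcome.
%post --log=/root/oscap-stage2.log
oscap xccdf eval --remediate \
  --profile xccdf_org.ssgproject.content_profile_stig-rhel7-workstation-upstream \
  --tailoring-file /root/sysadmin/scap/ssg-rhel7-ds-tailoring.xml \
  --results /root/oscap_rhel7_results.xml \
  --report /root/oscap_rhel7_report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
%end
```

The --log files are the first place to look when a %post stage fails silently: stage 1 writes its log into the target tree so it survives the reboot alongside the stage 2 log.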
