It may be over the top for your use case, but you might want to also look
at the FOSS SIMP project (shameless SSG-related

We target SSG compliance but it's eminently flexible and manages your
system state over time instead of just at one time.

You can spawn an AWS instance using our base 6.1 load from the Marketplace
to try it out.


On Thu, Mar 1, 2018 at 10:59 PM, Fen Labalme wrote:

> The goal is to create a hardened EC2 server on AWS from scratch. After
> provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed
> by the bash remediations from SSG using:
>   command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
>     --results-arf /tmp/results-arf.xml --report /tmp/report.html \
>     /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'
> But there are some remediations I don't want to run for an EC2 server such
> as and dracut-fips. Is there a way to
> prevent certain remediations from running?
> Thanks,
> =Fen
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.
> To unsubscribe send an email to scap-security-guide-leave@

Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
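
One way to skip selected remediations with the `oscap` command quoted above, as an added example that is not part of either message: generate an XCCDF 1.2 tailoring file whose profile extends the base profile and deselects the unwanted rules, then pass it with `--tailoring-file`. The profile and rule ids below are constructed placeholders (assumptions); take real ids from your own scan results.

```python
import re
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
ET.register_namespace("xccdf", XCCDF_NS)

# XCCDF 1.2 requires ids of the form xccdf_<namespace>_<type>_<name>.
ID_PATTERN = {
    "profile": re.compile(r"^xccdf_[^_]+_profile_.+$"),
    "rule": re.compile(r"^xccdf_[^_]+_rule_.+$"),
}

def _check(kind, value):
    if not ID_PATTERN[kind].match(value):
        raise ValueError(f"not a valid XCCDF 1.2 {kind} id: {value!r}")
    return value

def build_tailoring(datastream, base_profile, new_profile, skip_rules, timestamp):
    """Return tailoring XML: new_profile extends base_profile minus skip_rules."""
    q = lambda tag: f"{{{XCCDF_NS}}}{tag}"
    root = ET.Element(q("Tailoring"), {"id": "xccdf_org.example_tailoring_ec2"})
    ET.SubElement(root, q("benchmark"), {"href": datastream})
    version = ET.SubElement(root, q("version"), {"time": timestamp})
    version.text = "1"
    profile = ET.SubElement(root, q("Profile"), {
        "id": _check("profile", new_profile),
        "extends": _check("profile", base_profile),
    })
    ET.SubElement(profile, q("title")).text = "Base profile tailored for EC2"
    for rule in skip_rules:
        # selected="false" removes the rule from both the scan and --remediate.
        ET.SubElement(profile, q("select"),
                      {"idref": _check("rule", rule), "selected": "false"})
    return ET.tostring(root, encoding="unicode")

def oscap_argv(tailoring_path, new_profile, datastream):
    """Same invocation as the quoted task, pointed at the tailored profile."""
    return ["oscap", "xccdf", "eval",
            "--tailoring-file", tailoring_path, "--profile", new_profile,
            "--remediate", "--results-arf", "/tmp/results-arf.xml",
            "--report", "/tmp/report.html", datastream]

if __name__ == "__main__":
    DS = "/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"
    NEW = "xccdf_org.example_profile_ec2"  # hypothetical profile id
    xml = build_tailoring(
        DS, "xccdf_org.ssgproject.content_profile_PLACEHOLDER", NEW,
        ["xccdf_org.ssgproject.content_rule_PLACEHOLDER_1"],  # constructed id
        "2018-03-02T00:00:00")
    print(xml)
    print(" ".join(oscap_argv("/tmp/ec2-tailoring.xml", NEW, DS)))
```
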