Re: Disabling specific bash remediations

2018-03-05 Thread Marek Haicman

Hi,
one option is to use remediation roles instead of --remediate, 
generating them from specific results or from the whole profile, and 
removing the offending remediations from the role (which is either a bash 
script or an Ansible role). It's a bit clunky, but it should work :)


Marek

On 03/02/2018 04:53 PM, Gabe Alford wrote:

Fen,

There is an RFE open in OpenSCAP for this very thing at 
https://github.com/OpenSCAP/openscap/issues/633


Outside of tailoring a profile, nothing super easy from the OpenSCAP 
side of the house.


Gabe

On Thu, Mar 1, 2018 at 8:59 PM, Fen Labalme wrote:


The goal is to create a hardened EC2 server on AWS from scratch.
After provisioning a new RHEL/7 instance on AWS, we run `yum -y
update` followed by the bash remediations from SSG using:

   command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
     --results-arf /tmp/results-arf.xml --report /tmp/report.html \
     /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'

But there are some remediations I don't want to run for an EC2
server such as install_smartcard_packages.sh and dracut-fips. Is
there a way to prevent certain remediations from running?

Thanks,
=Fen


___
scap-security-guide mailing list --
scap-security-guide@lists.fedorahosted.org

To unsubscribe send an email to
scap-security-guide-le...@lists.fedorahosted.org







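Marek's suggestion worked through as an added example (not code from the thread or from OpenSCAP): generate the bash fix script for the profile, then strip the remediations you do not want before running it. The `# BEGIN fix ... for '<rule-id>'` / `# END fix for ...` marker layout, the sample script and the rule ids are assumptions constructed for the demo; the smartcard rule id is inferred from the `install_smartcard_packages.sh` fix name and the dracut-fips id is a placeholder.

```shell
#!/bin/sh
# Constructed stand-in for the script that
#   oscap xccdf generate fix --fix-type bash --profile <profile-id> ssg-rhel7-ds.xml
# writes (add --result-id <id> to generate from a results ARF instead of the
# whole profile). The "# BEGIN fix ... for '<rule-id>'" / "# END fix for ..."
# markers are an assumption about the generated layout: confirm them on your
# own output before relying on this filter.
SAMPLE_FIX=$(cat <<'EOF'
#!/bin/bash
# BEGIN fix (1 / 3) for 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'
yum install -y pcsc-lite
# END fix for 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'
# BEGIN fix (2 / 3) for 'xccdf_org.ssgproject.content_rule_disable_prelink'
sed -i 's/^PRELINKING=yes/PRELINKING=no/' /etc/sysconfig/prelink
# END fix for 'xccdf_org.ssgproject.content_rule_disable_prelink'
# BEGIN fix (3 / 3) for 'xccdf_org.ssgproject.content_rule_PLACEHOLDER_dracut_fips'
yum install -y dracut-fips && dracut -f
# END fix for 'xccdf_org.ssgproject.content_rule_PLACEHOLDER_dracut_fips'
EOF
)

# drop_fixes <rule-id>...: read a generated fix script on stdin and write it
# to stdout with each named rule's BEGIN..END block replaced by a one-line
# comment, so the script itself records what was deliberately left out.
drop_fixes() {
    awk -v skip="$*" -v q="'" '
        BEGIN { n = split(skip, ids, " "); for (i = 1; i <= n; i++) drop[ids[i]] = 1 }
        /^# BEGIN fix / {
            split($0, p, q)              # p[2] is the quoted rule id
            if (p[2] in drop) { skipping = 1; print "# SKIPPED fix for " p[2] " (dropped by drop_fixes)" }
        }
        !skipping { print }
        /^# END fix / { skipping = 0 }
    '
}

# count_fixes: number of remediation blocks in a fix script read from stdin.
count_fixes() {
    grep -c '^# BEGIN fix ' || true
}

# Demo on the constructed sample: keep prelink and the dracut placeholder,
# drop the smartcard packages remediation.
printf '%s\n' "$SAMPLE_FIX" \
    | drop_fixes xccdf_org.ssgproject.content_rule_install_smartcard_packages
```

On a real host, pipe the output of `oscap xccdf generate fix` through `drop_fixes` into a file, review it, and run that file instead of passing `--remediate`.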


Re: Disabling specific bash remediations

2018-03-02 Thread Gabe Alford
Fen,

There is an RFE open in OpenSCAP for this very thing at
https://github.com/OpenSCAP/openscap/issues/633

Outside of tailoring a profile, nothing super easy from the OpenSCAP side
of the house.

Gabe

On Thu, Mar 1, 2018 at 8:59 PM, Fen Labalme wrote:

> The goal is to create a hardened EC2 server on AWS from scratch. After
> provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed
> by the bash remediations from SSG using:
>
>   command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
>     --results-arf /tmp/results-arf.xml --report /tmp/report.html \
>     /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'
>
> But there are some remediations I don't want to run for an EC2 server such
> as install_smartcard_packages.sh and dracut-fips. Is there a way to
> prevent certain remediations from running?
>
> Thanks,
> =Fen
>
>
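Gabe's tailoring route as an added example (not code from the thread or from SCAP Workbench): an XCCDF 1.2 tailoring file that extends the base profile and unselects the unwanted rules, so `oscap ... --remediate` never evaluates or fixes them. The base profile id, tailoring id, timestamp, title and the dracut-fips rule id are assumptions; the smartcard rule id is inferred from the `install_smartcard_packages.sh` fix name.

```shell
#!/bin/sh
# make_tailoring <profile-id> <rule-id>...: print an XCCDF 1.2 tailoring file
# that derives "<profile-id>_ec2" from <profile-id> with the listed rules
# unselected. oscap then evaluates and remediates only the rules left selected:
#   oscap xccdf eval --tailoring-file ec2-tailoring.xml \
#       --profile <profile-id>_ec2 --remediate \
#       --results-arf /tmp/results-arf.xml --report /tmp/report.html \
#       /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
# The tailoring id, timestamp and title are made up for this example.
make_tailoring() {
    base="$1"; shift
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                 id="xccdf_org.example_tailoring_ec2">
  <xccdf:benchmark href="/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml"/>
  <xccdf:version time="2018-03-05T00:00:00">1</xccdf:version>
  <xccdf:Profile id="${base}_ec2" extends="${base}">
    <xccdf:title>EC2 variant of ${base}</xccdf:title>
EOF
    for rule in "$@"; do
        # selected="false" overrides the parent profile's selection of the rule
        printf '    <xccdf:select idref="%s" selected="false"/>\n' "$rule"
    done
    cat <<'EOF'
  </xccdf:Profile>
</xccdf:Tailoring>
EOF
}

# count_unselected: number of rules switched off in a tailoring read from stdin.
count_unselected() {
    grep -c 'selected="false"' || true
}

# Demo: base profile is an assumption (the thread uses {{ scapprofile }});
# the dracut-fips rule id is a placeholder to be looked up in the data stream.
make_tailoring xccdf_org.ssgproject.content_profile_standard \
    xccdf_org.ssgproject.content_rule_install_smartcard_packages \
    xccdf_org.ssgproject.content_rule_PLACEHOLDER_dracut_fips
```

This is the same kind of file SCAP Workbench writes when you customize a profile, so either tool produces input for `--tailoring-file`.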


Re: Disabling specific bash remediations

2018-03-02 Thread Trevor Vaughan
It may be over the top for your use case, but you might want to also look
at the FOSS SIMP project https://simp-project.com (shameless SSG-related
plug).

We target SSG compliance but it's eminently flexible and manages your
system state over time instead of just at one time.

You can spawn an AWS instance using our base 6.1 load from the Marketplace
to try it out.

Trevor

On Thu, Mar 1, 2018 at 10:59 PM, Fen Labalme wrote:

> The goal is to create a hardened EC2 server on AWS from scratch. After
> provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed
> by the bash remediations from SSG using:
>
>   command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
>     --results-arf /tmp/results-arf.xml --report /tmp/report.html \
>     /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'
>
> But there are some remediations I don't want to run for an EC2 server such
> as install_smartcard_packages.sh and dracut-fips. Is there a way to
> prevent certain remediations from running?
>
> Thanks,
> =Fen
>
>


-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --


RE: Disabling specific bash remediations

2018-03-02 Thread Hayden,Robert
Look into SCAP Workbench to help build a custom security profile for your 
application.
https://www.open-scap.org/tools/scap-workbench/


Robert

From: Fen Labalme [mailto:fen.laba...@civicactions.com]
Sent: Thursday, March 1, 2018 10:00 PM
To: SCAP Security Guide 
Subject: Disabling specific bash remediations

The goal is to create a hardened EC2 server on AWS from scratch. After 
provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed by 
the bash remediations from SSG using:

  command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
    --results-arf /tmp/results-arf.xml --report /tmp/report.html \
    /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'

But there are some remediations I don't want to run for an EC2 server such as 
install_smartcard_packages.sh and dracut-fips. Is there a way to prevent 
certain remediations from running?

Thanks,
=Fen


