kickstart using a secured image


Hi guys,

In Solaris, you can secure a server, create a flash archive and use it to jumpstart other servers.

Red Hat has kickstart. So, how can I secure a server and use its image to kickstart other servers in my environment?

Feedback truly appreciated.

Thanks

Arrey

Responses

Hi Arrey,

Depending on what you mean by 'securing a server', you should be able to do that using post-installation scripts in your Kickstart file. See How Do You Perform a Kickstart Installation? in the Installation Guide.

Hey Arrey - another good question.

Are you looking for something like the JET functionality?

I have never heard of a "disk image" deployment like FLAR integration with kickstart. Have you looked at Acronis, or something like clonezilla? I actually only use kickstart to distribute the bits, and bootstrap my host to Satellite once the installation has completed. So, I could also use a process like FLAR. But, I like the flexibility of having a kickstart file to control my build.

Could you provide a small build scenario that you would like to make work?

Thanks Robert and James for the reply. The problem is, I do not know how to script. When I used to work on Solaris, we simply used Jumpstart and a secured image. Here is what I mean:

We will build a server. Use some baseline security recommendations (DISA, NESSUS or CIS) to secure the server. Then we will use a native utility called "flarcreate" to create an archive image of this server. We will share this archive via NFS. In our jumpstart config, we will point to this NFS share. The install of the new server will use this archive. When it is done, we don't need to do any baseline security.

So I was wondering if RHEL has a native utility as such? Or do they have plans to implement something like this in later releases?
Please see link:

http://www.computurn.com/docs/os/solaris/install/flar.html

This does not exactly answer your question, or satisfy the requirements (since I don't really know of a way to kickstart systems using disk-images), but I believe the following is worth looking into for the security aspect.
They integrated openSCAP into Satellite a while back. SCAP is a framework, and you make it as powerful as you need or customize the profiles as needed (i.e. a dev box might not have the same requirements as a public-facing web server, etc...)
https://access.redhat.com/documentation/en-US/Red_Hat_Network_Satellite/5.5/html/User_Guide/sect-Red_Hat_Network_Satellite-User_Guide-OpenSCAP-OpenSCAP_in_RHN_Satellite.html
Which can utilize XCCDF from whichever standards-group you want. NIST - for example, publishes standards for RHEL 6 -
http://scap-securityguide.rhcloud.com/RHEL6/output/table-rhel6-nistrefs-common.html
http://nvd.nist.gov/

I believe there is a self-remediation option also, but I would feel more comfortable updating my build standard to satisfy the Security Requirements instead of having something clean it up after the fact.

The amount of scripting should be fairly minimal. Also - and this is pretty awesome, actually - the scap tools can generate a report which will provide the command to resolve the issue (for most issues).

So - I am sort of in the same boat as you and my approach has been

  • create a build standard
    ** determine the minimum package set to build from
    ** build using a filesystem/volume standard that is compliant
    ** enable/disable services as needed

  • post-build
    ** set remaining "tweaks"
    ** ensure system is using configuration management (I use Satellite)

  • Assessment and reporting
    ** regression test settings (this requires scripting)
    ** port-scan host
    ** review Satellite reports for current package and config file discrepancy
    ** run SCAP against host to determine score

So - I like this approach more than a FLAR approach as it allows me more flexibility and is easier to implement updates (without having to rebuild my FLAR, or build a different FLAR for different environments).

EDIT: I think this is a better link to the SCAP and Satellite docs
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html/User_Guide/chap-Maintaining_System_Security_Using_OpenSCAP.html
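
Added example, not part of the thread or any poster's own script: one way the "regression test settings (this requires scripting)" step in the list above could be written as a shell function, usable after a Kickstart build or from its post-installation section. The function names and the three settings checked are illustrative assumptions, not a DISA or CIS baseline.

```shell
#!/bin/bash
# Regression check for a kickstarted host: verify that hardening settings
# applied by the build are still in place. ROOT defaults to "/" but can point
# at a mounted image or a test tree. The settings checked are illustrative
# assumptions, not a DISA or CIS baseline.
# Usage: source this file, then run: run_baseline_checks /

# expect_line FILE REGEX LABEL: pass if an uncommented line matches REGEX.
expect_line() {
    if grep -Eq "^[[:space:]]*$2" "$1" 2>/dev/null; then
        echo "PASS  $3"
    else
        echo "FAIL  $3 ($1)"
        return 1
    fi
}

# expect_max FILE KEY LIMIT LABEL: pass if "KEY <number>" is set and <= LIMIT.
expect_max() {
    val=$(awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1" 2>/dev/null)
    case "$val" in
        ''|*[!0-9]*) echo "FAIL  $4 (not set in $1)"; return 1 ;;
    esac
    if [ "$val" -le "$3" ]; then
        echo "PASS  $4"
    else
        echo "FAIL  $4 (found $val, limit $3)"
        return 1
    fi
}

# run_baseline_checks ROOT: run every check, return the number of failures.
run_baseline_checks() {
    root=${1:-/}
    failures=0
    expect_line "$root/etc/ssh/sshd_config" 'PermitRootLogin[[:space:]]+no([[:space:]]|$)' \
        "sshd: root login disabled" || failures=$((failures + 1))
    expect_line "$root/etc/sysctl.conf" 'net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*0([[:space:]]|$)' \
        "sysctl: IP forwarding off" || failures=$((failures + 1))
    expect_max "$root/etc/login.defs" PASS_MAX_DAYS 90 \
        "login.defs: password max age <= 90 days" || failures=$((failures + 1))
    echo "$failures check(s) failed"
    return "$failures"
}
```

A non-zero return value is the number of settings that have drifted from the build standard, so the function can gate a build or feed a scheduled report.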