Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
8.8. Deploying Systems That Are Compliant with a Security Profile Immediately after an Installation
You can use the OpenSCAP suite to deploy RHEL systems that are compliant with a security profile, such as OSPP or PCI-DSS, immediately after the installation process. Using this deployment method, you can apply specific rules that cannot be applied later using remediation scripts, for example, a rule for password strength and partitioning.
8.8.1. Deploying Baseline-Compliant RHEL Systems Using the Graphical Installation
Use this procedure to deploy a RHEL system that is aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).
Prerequisites
- You have booted into the
graphicalinstallation program. Note that the OSCAP Anaconda Add-on does not support text-only installation. - You have accessed the
Installation Summarywindow.
Procedure
- From the
Installation Summarywindow, clickSoftware Selection. TheSoftware Selectionwindow opens. - From the
Base Environmentpane, select theServerenvironment. You can select only one base environment. - Click
Doneto apply the setting and return to theInstallation Summarywindow. - Click
Security Policy. TheSecurity Policywindow opens. - To enable security policies on the system, toggle the
Apply security policyswitch toON. - Select
Protection Profile for General Purpose Operating Systemsfrom the profile pane. - Click
Select Profileto confirm the selection. - Confirm the changes in the
Changes that were done or need to be donepane that is displayed at the bottom of the window. Complete any remaining manual changes. - Because OSPP has strict partitioning requirements that must be met, create separate partitions for
/boot,/home,/var,/var/log,/var/tmp, and/var/log/audit. - Complete the graphical installation process.
Note
The graphical installation program automatically creates a corresponding Kickstart file after a successful installation. You can use the/root/anaconda-ks.cfgfile to automatically install OSPP-compliant systems.
Verification
- To check the current status of the system after installation is complete, reboot the system and start a new scan:
~]#oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Additional Resources
- For more details on partitioning, see Configuring manual partitioning.
8.8.2. Deploying Baseline-Compliant RHEL Systems Using Kickstart
Use this procedure to deploy RHEL systems that are aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).
Prerequisites
- The scap-security-guide package is installed on your system.
Procedure
- Open the
/usr/share/scap-security-guide/kickstart/ssg-rhel7-ospp-ks.cfgKickstart file in an editor of your choice. - Update the partitioning scheme to fit your configuration requirements. For OSPP compliance, the separate partitions for
/boot,/home,/var,/var/log,/var/tmp, and/var/log/auditmust be preserved, although you can change the sizes of these partitions.Warning
Because theOSCAP Anaconda Add-ondoes not support text-only installation, do not use thetextoption in your Kickstart file. For more information, see RHBZ#1674001. - Start a Kickstart installation as described in Performing an automated installation using Kickstart.
Important
Passwords in the hash form cannot be checked for OSPP requirements.
Verification
- To check the current status of the system after installation is complete, reboot the system and start a new scan:
~]#oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Additional Resources
- For more details, see the OSCAP Anaconda Add-on project page.
