7.8. Deploying Systems That Are Compliant with a Security Profile Immediately after an Installation

You can use the OpenSCAP suite to deploy RHEL systems that are compliant with a security profile, such as OSPP or PCI-DSS, immediately after the installation process. Using this deployment method, you can apply specific rules that cannot be applied later using remediation scripts, for example, a rule for password strength and partitioning.

7.8.1. Deploying Baseline-Compliant RHEL Systems Using the Graphical Installation

Use this procedure to deploy a RHEL system that is aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).

Prerequisites

  • You have booted into the graphical installation program. Note that the OSCAP Anaconda Add-on does not support text-only installation.
  • You have accessed the Installation Summary window.

Procedure

  1. From the Installation Summary window, click Software Selection. The Software Selection window opens.
  2. From the Base Environment pane, select the Server environment. You can select only one base environment.
  3. Click Done to apply the setting and return to the Installation Summary window.
  4. Click Security Policy. The Security Policy window opens.
  5. To enable security policies on the system, toggle the Apply security policy switch to ON.
  6. Select Protection Profile for General Purpose Operating Systems from the profile pane.
  7. Click Select Profile to confirm the selection.
  8. Confirm the changes in the Changes that were done or need to be done pane that is displayed at the bottom of the window. Complete any remaining manual changes.
  9. Because OSPP has strict partitioning requirements that must be met, create separate partitions for /boot, /home, /var, /var/log, /var/tmp, and /var/log/audit.
  10. Complete the graphical installation process.

    Note

    The graphical installation program automatically creates a corresponding Kickstart file after a successful installation. You can use the /root/anaconda-ks.cfg file to automatically install OSPP-compliant systems.

Verification

  1. To check the current status of the system after installation is complete, reboot the system and start a new scan:
    ~]# oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Additional Resources

7.8.2. Deploying Baseline-Compliant RHEL Systems Using Kickstart

Use this procedure to deploy RHEL systems that are aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).

Prerequisites

  • The scap-security-guide package is installed on your system.

Procedure

  1. Open the /usr/share/scap-security-guide/kickstart/ssg-rhel7-ospp-ks.cfg Kickstart file in an editor of your choice.
  2. Update the partitioning scheme to fit your configuration requirements. For OSPP compliance, the separate partitions for /boot, /home, /var, /var/log, /var/tmp, and /var/log/audit must be preserved, although you can change the sizes of these partitions.

    Warning

    Because the OSCAP Anaconda Add-on does not support text-only installation, do not use the text option in your Kickstart file. For more information, see RHBZ#1674001.
  3. Start a Kickstart installation as described in Performing an automated installation using Kickstart.

Important

Passwords in the hash form cannot be checked for OSPP requirements.

Verification

  1. To check the current status of the system after installation is complete, reboot the system and start a new scan:
    ~]# oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

Additional Resources