Chapter 7. Creating pre-hardened images with RHEL image builder OpenSCAP integration
RHEL image builder on-premise supports the OpenSCAP integration. This integration enables the production of pre-hardened RHEL images. By setting up a blueprint, you can perform the following actions:
- Customize it with a set of predefined security profiles
- Add a set of packages or add-on files
- Build a customized RHEL image, tailored to your environment, that is ready to deploy on your chosen platform
Red Hat provides regularly updated versions of the security hardening profiles that you can choose when you build your systems so that you can meet your current deployment guidelines.
RHEL image builder does not include support for FIPS boot mode. Consequently, OpenSCAP profiles that require the FIPS mode to be enabled, such as DISA STIG, are not supported.
7.1. Differences between Kickstart and pre-hardened images
For the traditional image creation using a Kickstart file, you have to choose which packages you must install and ensure that the system is not affected by a vulnerability. With the RHEL image builder OpenSCAP integration, you can build security hardened images. During the image build process, an OSBuild oscap remediation stage runs the OpenSCAP tool in the chroot, on the filesystem tree. The OpenSCAP tool runs the standard evaluation for the profile you choose and applies the remediations to the image. This lets you build a more completely hardened image than you get by running the remediation on a live system.
7.2. Installing OpenSCAP
Install the OpenSCAP tool to have access to the SCAP tools that help you create standard security checklists for your systems.
Procedure
- Install OpenSCAP on your system:
# dnf install openscap-scanner
- Install the scap-security-guide package:
# dnf install scap-security-guide
After the installation is completed, you can start using the oscap command line tool. The SCAP content is installed in the /usr/share/xml/scap/ssg/content/ directory.
7.3. The OpenSCAP blueprint customization
With the OpenSCAP support for blueprint customization, you can create blueprints and then use them to build your own pre-hardened images. To create a pre-hardened image you can customize the mount points and configure the file system layout according to the selected security profile. After you select the OpenSCAP profile, the OpenSCAP blueprint customization configures the image to trigger the remediation during the image build with the selected profile. During the image build, OpenSCAP applies a first-boot remediation.
To use the OpenSCAP blueprint customization in your image blueprints, you need to provide the following information:
- The datastream path to the datastream remediation instructions. The datastream path is located in the /usr/share/xml/scap/ssg/content/ directory.
- The profile_id of the required security profile. The value of the profile_id field accepts both the long and short forms, for example, the following are acceptable: cis or xccdf_org.ssgproject.content_profile_cis. See SCAP Security Guide profiles supported in RHEL 9 for more details.
The following is an example of a blueprint with the OpenSCAP customization:
[customizations.openscap]
datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"
profile_id = "xccdf_org.ssgproject.content_profile_cis"
The most common SCAP file type is a SCAP source datastream. To find more details about the SCAP source datastream shipped in the scap-security-guide package, enter the command:
$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
The oscap-chroot tool runs on the image tree to perform an offline scan of a file system that is mounted at an arbitrary path. You can use it for scanning custom objects that are not supported by oscap-docker or oscap-vm, such as containers in formats other than Docker. oscap-chroot mimics the usage and options of the oscap tool.
RHEL image builder generates the necessary configurations for the osbuild stage based on your blueprint customization. Additionally, RHEL image builder adds two packages to the image:
- openscap-scanner - the OpenSCAP tool.
- scap-security-guide - the package which contains the remediation instructions.
Note
The remediation stage uses the scap-security-guide package for the datastream because this package is installed on the image by default. If you want to use a different datastream, add the necessary package to the blueprint, and specify the path to the datastream in the oscap configuration.
7.4. Creating a pre-hardened image with RHEL image builder
With the OpenSCAP and RHEL image builder integration, you can create pre-hardened images that you can deploy in a VM.
Prerequisite
- You are logged in as the root user or a user who is a member of the weldr group.
Procedure
Create a blueprint in the TOML format, with the following content:
name = "blueprint_name"
description = "blueprint_description"
version = "0.0.1"
modules = []
groups = []
distro = ""
[customizations]
[[customizations.user]]
name = "scap-security-guide"
description = "Admin account"
password = "secure_password_hash"   # placeholder: replace with a password hash
key = "ssh-key"                     # placeholder: replace with the SSH public key
home = "/home/scap-security-guide"
group = ["wheel"]
[[customizations.filesystem]]
mountpoint = "/tmp"
size = "20 GiB"
[customizations.openscap]
datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"
profile_id = "cis"
Start the build of an OpenSCAP image:
# composer-cli compose start blueprint_name qcow2
Where blueprint_name is the blueprint name.
After the image build is ready, you can use your pre-hardened image on your deployments. See Creating a virtual machine.
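As an added example that is not part of this documentation, the following POSIX shell script pre-checks the [customizations.openscap] table of a blueprint before you push it and start the compose: it requires both keys, rejects a datastream path with stray whitespace (a trailing space inside the quotes is an easy mistake that composer-cli does not catch), expands a short profile_id such as cis to its long XCCDF form, and, when oscap and the datastream are present on the build host, confirms with oscap info that the profile exists in that datastream. The helper names are hypothetical.

```shell
#!/bin/sh
# Added pre-flight check for a blueprint's [customizations.openscap] table.
# Helper names are hypothetical; this is not part of RHEL image builder.

# Print the value of KEY ($2) from the [customizations.openscap] table of FILE ($1).
blueprint_openscap_value() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_tbl = ($0 ~ /^[[:space:]]*\[customizations\.openscap\][[:space:]]*$/); next }
        in_tbl && match($0, "^[[:space:]]*" key "[[:space:]]*=[[:space:]]*\"") {
            val = substr($0, RLENGTH + 1)
            sub(/"[[:space:]]*(#.*)?$/, "", val)   # drop closing quote and any comment
            print val; exit
        }' "$1"
}

# Expand the short profile form (for example cis) to the long XCCDF id used in the datastream.
normalize_profile_id() {
    case "$1" in
        xccdf_org.ssgproject.content_profile_*) printf '%s\n' "$1" ;;
        *) printf 'xccdf_org.ssgproject.content_profile_%s\n' "$1" ;;
    esac
}

# Validate the blueprint ($1); on success print "<datastream> <long profile id>".
check_blueprint() {
    ds=$(blueprint_openscap_value "$1" datastream)
    pid=$(blueprint_openscap_value "$1" profile_id)
    if [ -z "$ds" ] || [ -z "$pid" ]; then
        echo "error: datastream and profile_id are required in [customizations.openscap]" >&2
        return 1
    fi
    case "$ds" in
        *' '*) echo "error: datastream path contains whitespace: '$ds'" >&2; return 1 ;;
        /*) ;;
        *) echo "error: datastream must be an absolute path: '$ds'" >&2; return 1 ;;
    esac
    long=$(normalize_profile_id "$pid")
    # Only when oscap and the datastream exist on this host: confirm the profile is in it.
    if command -v oscap >/dev/null 2>&1 && [ -r "$ds" ]; then
        oscap info "$ds" | grep -Fq "$long" || { echo "error: $long not found in $ds" >&2; return 1; }
    fi
    printf '%s %s\n' "$ds" "$long"
}

# Usage: run the check, then push the blueprint and start the qcow2 compose, for example:
# check_blueprint blueprint.toml && composer-cli blueprints push blueprint.toml \
#     && composer-cli compose start blueprint_name qcow2
```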
Verification
After you deploy your pre-hardened image in a VM, you can perform a configuration compliance scan to verify that the image is aligned to the selected security profile.
Performing a configuration compliance scan does not guarantee the system is compliant. For more information, see Configuration compliance scanning.
- Connect to the image using SSH.
- Run the oscap scanner:
# scap-workbench
- On the SCAP Workbench:
- Select the version of the system you want to scan. Click Load content.
- Select the profile you want to scan and click Scan. OpenSCAP checks all the requirements for the system.
- Click Scan to scan your system with the selected profile.
- After the scan finishes, click Show Report.