Chapter 7. Creating pre-hardened images with RHEL image builder OpenSCAP integration

RHEL image builder on-premise supports the OpenSCAP integration. This integration enables the production of pre-hardened RHEL images. By setting up a blueprint, you can perform the following actions:

  • Customize it with a set of predefined security profiles
  • Add a set of packages or add-on files
  • Build a customized RHEL image ready to deploy on your chosen platform that is more suitable to your environment

Red Hat provides regularly updated versions of the security hardening profiles that you can choose when you build your systems so that you can meet your current deployment guidelines.

Warning

RHEL image builder does not include support for FIPS boot mode. Consequently, OpenSCAP profiles that require the FIPS mode to be enabled, such as DISA STIG, are not supported.

7.1. Differences between Kickstart and pre-hardened images

For the traditional image creation using a Kickstart file, you have to choose which packages you must install and ensure that the system is not affected by a vulnerability. With the RHEL image builder OpenSCAP integration, you can build security hardened images. During the image build process an OSBuild oscap remediation stage runs the OpenSCAP tool in the chroot, on the filesystem tree. The OpenSCAP tool runs the standard evaluation for the profile you choose and applies the remediations to the image. With this, you can build a more completely hardened image, if you compare it to running the remediation on a live system.

7.2. Installing OpenSCAP

Install the OpenSCAP tool to have access to SCAP tools to help you to create standard security checklists for your systems.

Procedure

  1. Install OpenSCAP on your system: 

    # *dnf install openscap-scanner*

  2. Install scap-security-guide package: 

    # *dnf install scap-security-guide*

    After the installation is completed you can start using the oscap command line tool. The SCAP content will be installed in the /usr/share/xml/scap/ssg/content/ directory.

7.3. The OpenSCAP blueprint customization

With the OpenSCAP support for blueprint customization, you can create blueprints and then use them to build your own pre-hardened images. To create a pre-hardened image you can customize the mount points and configure the file system layout according to the selected security profile. After you select the OpenSCAP profile, the OpenSCAP blueprint customization configures the image to trigger the remediation during the image build with the selected profile. During the image build, OpenSCAP applies a first-boot remediation.

To use the OpenSCAP blueprint customization in your image blueprints, you need to provide the following information:

  • The datastream path to the datastream remediation instructions. The datastream path is located in the /usr/share/xml/scap/ssg/content/ directory.

  • The profile_id of the required security profile. The value of the profile_id field accepts both the long and short forms, for example, the following are acceptable: cis or xccdf_org.ssgproject.content_profile_cis. See SCAP Security Guide profiles supported in RHEL 9 for more details.

    The following is a blueprint with OpenSCAP customization example: 

    [customizations]
datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"
profile_id = "xccdf_org.ssgproject.content_profile_cis"

    The most common SCAP file type is an SCAP source datastream. You can find more details about the SCAP source datastream from the scap-security-guide package, enter the command: 

    $ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

The oscap tool runs on the image tree to perform an offline scan of a file system that is mounted at an arbitrary path. You can use it for scanning of custom objects that are not supported by oscap-docker or oscap-vm, such as containers in formats other than Docker. oscap-chroot mimics the usage and options of the oscap tool.

RHEL image builder generates the necessary configurations for the osbuild stage based on your blueprint customization. Additionally, RHEL image builder adds two packages to the image:

  • openscap-scanner - the OpenSCAP tool.

  • scap-security-guide - package which contains the remediation instructions.

    Note

    The remediation stage uses the scap-security-guide package for the datastream because this package is installed on the image by default. If you want to use a different datastream, add the necessary package to the blueprint, and specify the path to the datastream in the oscap configuration.

Additional resources

7.4. Creating a pre-hardened image with RHEL image builder

With the OpenSCAP and RHEL image builder integration, you can create pre-hardened images that you can deploy in a VM.

Prerequisite

  • You are logged in as the root user or a user who is a member of the welder group.

Procedure

  1. Create a blueprint in the TOML format, with the following content: 

    name = "blueprint_name"
description = "blueprint_description"
version = "0.0.1"
modules = []
groups = []
distro = ""

[customizations]
[[customizations.user]]
name = "scap-security-guide"
description = "Admin account"
password = secure_password_hash
key = ssh-key
home = "/home/scap-security-guide"
group = ["wheel"]

[[customizations.filesystem]]
mountpoint = "/tmp"
size = "20 GiB"

[customizations.openscap]
datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml "
profile_id = "cis"

  2. Start the build of a OpenSCAP image: 

    # composer-cli compose start blueprint_name qcow2

    Where blueprint_name is the blueprint name.

    After the image build is ready, you can use your pre-hardened image on your deployments. See Creating a virtual machine.

Verification

After you deploy your pre-hardened image in a VM, you can perform a configuration compliance scan to verify that the image is aligned to the selected security profile.

Important

Performing a configuration compliance scanning does not guarantee the system is compliant. For more information, see Configuration compliance scanning.

  1. Connect to the image using SSH.

  2. Run the oscap scanner. 

    # scap-workbench

  3. On the SCAP Workbench:

    1. Select the version of the system you want to scan. Click Load content.
    2. Select the profile you want to scan and click Scan. OpenSCAP checks all the requirements for the system.
    3. Click Scan to scan your system with the selected profile.
    4. After the scan finishes, click Show Report.

Additional resources