Chapter 7. Creating pre-hardened images with image builder OpenSCAP integration
Image builder on-premise supports OpenSCAP integration to produce pre-hardened RHEL images. With image builder on-premise integrated with OpenSCAP, you can produce pre-hardened RHEL images. You can set up a blueprint, choose from a set of predefined security profiles, add a set of packages or add-on files, and build a customized RHEL image ready to deploy on your chosen platform that is more suitable to your environment.
Red Hat provides regularly updated versions of the security hardening profiles that you can choose when you build your systems so that you can meet your current deployment guidelines.
Image builder does not include support for FIPS boot mode. As a result, OpenSCAP profiles that require FIPS mode to be enabled, such as DISA STIG, are not currently supported.
7.1. Differences between Kickstart and pre-hardened images
For the traditional image creation using a Kickstart file, you have to choose which packages you must install and ensure that the system is not affected by a vulnerability. With image builder OpenSCAP integration, you can build security hardened images. During the image build process an OSBuild oscap remediation stage runs the OpenSCAP tool in the chroot, on the filesystem tree. The OpenSCAP tool runs the standard evaluation for the profile you choose and applies the remediations to the image. With this, you can build a more completely hardened image, if you compare it to running the remediation on a live system.
7.2. Installing OpenSCAP
Install the OpenSCAP tool to have access to SCAP tools to help you to create standard security checklists for your systems.
Procedure
Install OpenSCAP on your system:
# *dnf install openscap-scanner*
Install
scap-security-guidepackage:# *dnf install scap-security-guide*
After the installation is completed you can start using the
oscapcommand line tool. The SCAP content will be installed in the/usr/share/xml/scap/ssg/content/directory.
7.3. The OpenSCAP blueprint customization
With the OpenSCAP support of blueprint customization, you can create blueprints and then use them to build your own pre-hardened images. To create a pre-hardened image you can customize the mount points and configure the file system layout according to the selected security profile. During the image build, OpenSCAP applies a first-boot remediation.
After you select the OpenSCAP profile, the OpenSCAP blueprint customization configures the image to trigger the remediation during the image build with the selected profile.
To use the OpenSCAP blueprint customization in your image blueprints, enter the following information:
-
The datastream path to the
datastreamremediation instructions. The datastream path is located in the /usr/share/xml/scap/ssg/content/ directory. The
profile_idof the required security profile. Theprofile_idfield accepts both the long and short forms, for example:cisorxccdf_org.ssgproject.content_profile_cis. See SCAP Security Guide profiles supported in RHEL 9 for more details.The following is a blueprint with OpenSCAP customization example:
[customizations] [customizations.openscap] datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml" profile_id = "xccdf_org.ssgproject.content_profile_cis"
The most common SCAP file type is an SCAP source datastream. To show details about the SCAP source datastream from the
scap-security-guidepackage, enter the command:$ oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
The
oscaptool runs on the image tree to perform an offline scan of a file system that is mounted at an arbitrary path. You can use it for scanning of custom objects that are not supported byoscap-dockeroroscap-vm, such as containers in formats other than Docker.oscap-chrootmimics the usage and options of theoscaptool.Image builder generate the necessary configurations for the
osbuildstage based on your blueprint customizations. Additionally, image builder adds two packages to the image:-
openscap-scanner- theOpenSCAPtool. scap-security-guide- package which contains the remediation instructions.NoteThe remediation stage uses the
scap-security-guidepackage for the datastream because this package is installed on the image by default. If you want to use a different datastream, add the necessary package to the blueprint, and specify the path to the datastream in theoscapconfiguration.
Additional resources
7.4. Creating a pre-hardened image with image builder
With the OpenSCAP and image builder integration, you can create pre-hardened images.
Procedure
Create a blueprint in the TOML format, with the following content:
name = "blueprint_name" description = "blueprint_description" version = "0.0.1" modules = [] groups = [] distro = "" [customizations] [[customizations.user]] name = "scap-security-guide" description = "Admin account" password = secure_password_hash key = ssh-key home = "/home/scap-security-guide" group = ["wheel"] [[customizations.filesystem]] mountpoint = "/tmp" size = 13107200 [customizations.openscap] datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml " profile_id = "cis"
Start the build of a OpenSCAP image:
# composer-cli compose start blueprint_name qcow2Where blueprint_name is the blueprint name.
After the image build is ready, you can use your pre-hardened image on your deployments. See Creating a virtual machine.
Verification
After you deploy your pre-hardened image in a VM, you can perform a configuration compliance scan to verify that the image is aligned to the selected security profile.
Performing a configuration compliance scanning does not guarantee the system is compliant. For more information, see Configuration compliance scanning.
- Connect to the image using SSH.
Run the
oscapscanner.# scap-workbench- Select the version of the system you want to scan. Click Load content.
- Select the profile you want to scan and click Scan. OpenSCAP checks all the requirements for the system.
- After the scan finishes, click Show Report.