Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

2.3. Creating a USGCB-compliant Installation Image

The scap-security-guide package in Red Hat Enterprise Linux 6 contains a specialized Kickstart file, which can be used to install a hardened system conforming to the United States Government Configuration Baseline (USGCB) standard. This is useful in cases where compliance with this standard is required by government regulations.
This Kickstart configuration can be used with the Server variant of Red Hat Enterprise Linux 6. If used, the system will be automatically configured by OpenSCAP to be USGCB profile compliant as part of the post-installation script. After the installation finishes, you can review a report placed in the /root/ directory on the installed system.

Note

The Kickstart file provided by scap-security-guide contains all required commands, making the installation completely automatic.
Also note that the Kickstart file requires access to the internet during the installation in order to download the latest benchmark.
For more information about compliance and vulnerability scanning using OpenSCAP, see the appropriate chapter of the Red Hat Enterprise Linux 6 Security Guide.
To obtain the Kickstart file, install the scap-security-guide package on an existing Red Hat Enterprise Linux 6 system. Once the package is installed, you can find the Kickstart file at /usr/share/scap-security-guide/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg.
After obtaining the file, copy it into your home directory and edit it using a plain text editor. Use Section 32.4, “Kickstart Options” and comments in the file for reference. Some of the comments mention Common Configuration Enumeration (CCE) identifier numbers; you can find information about these at the CCE Archive.
Notable parts of the Kickstart file which can be changed are:
  • Package repository location - the url command. To use a package repository on an HTTP or FTP server, replace the default IP address with an address of a server containing a package repository. Replace this command with one of nfs, cdrom, or harddrive to install from a NFS server, optical drive, or local hard drive, respectively.
  • System language, keyboard layout, and time zone - the lang, keyboard and timezone commands.
  • Root password - the rootpw command. By default, the root password configured in this Kickstart is "server". Make sure to generate a new checksum and change it.
  • Boot loader password - the bootloader --password= command. The default password is "password". Make sure to generate a new checksum and change it.
  • Network configuration - the network command. Automatic configuration using DHCP is enabled by default - adjust the settings if necessary.
  • Package selection - modify the %packages section of the file to install packages and groups you need.

    Important

    Packages git, aide and openscap-utils must always be installed. They are required for the Kickstart file and post installation OpenSCAP system evaluation to work.
  • Disk partitioning layout - the part, volgroup and logvol commands.
    The USGCB standard defines concrete requirements for a compliant system's disk layout, which means that the logical volumes defined in the default Kickstart file - /home, /tmp, /var, /var/log, and /var/log/audit - must always be created as separate partitions or logical volumes. Additionally, Red Hat Enterprise Linux requires you to create a /boot physical partition and volumes for / and swap. These are all defined in the default Kickstart; you can add additional separate logical volumes or partitions, and you can change the sizes of the default ones.

    Note

    By default, the /var/log/audit volume only takes up 512 MB of space. Due to the high number of calls being audited, it is highly recommended to increase its size to at least 1024 MB.
The rest of the Kickstart file can be used as-is. Once you finish modifying the file, proceed with Section 32.9.1, “Creating Kickstart Boot Media” to place it on an ISO image and use it to install a new system.