
Chapter 9. Security hardening and compliance of bootable images


Image mode for RHEL provides security-compliance features and supports workloads that require compliant configuration. However, the process of hardening systems and verifying compliance status differs from the process in package mode.

The key part of using Image mode for RHEL is creating a bootable container image. The deployed system mirrors the image. Therefore, the built image must contain all packages and configuration settings that are required by the security policy.

Important

When a bootable image is run as a container, some of the hardening configuration is not in effect. To get a system that is fully configured in accordance with the security profile, you must boot the image on bare metal or in a virtual machine instead of running it as a container. The main differences of a container deployment include the following:

  • Systemd services that are required by security profiles do not run in containers because systemd is not running in the container. Therefore, the container cannot comply with the related policy requirements.
  • Other services cannot run in containers, although they are configured correctly. This means that oscap reports them as correctly configured, even if they are not running.
  • Configurations defined by the compliance profile are not enforced. Requests from other packages or installation prescripts can change the compliance state. Always check the compliance of the installed product and alter your Containerfile to fit your requirements.

9.1. Building hardened bootable images

To establish a highly secure foundation for your Red Hat Enterprise Linux deployments, you can build hardened bootable images. You can also embed security configurations directly into the base image to ensure compliance with strict organizational standards.

You can build hardened bootable images by including the oscap-im tool in the Containerfile that is used to build your bootable container image. Although the oscap-im tool can consume any SCAP content, the SCAP source data streams in scap-security-guide are specifically adjusted and tested to be compatible with bootable containers.

Prerequisites

Procedure

  1. Create a Containerfile:

    FROM registry.redhat.io/rhel10/rhel-bootc:latest
    
    # Install OpenSCAP scanner and security content to the image
    RUN dnf install -y openscap-utils scap-security-guide && dnf clean all
    
    # Run scan and hardening
    RUN oscap-im --profile <profile_ID> /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
    
    # Because certain profiles prevent ssh root logins, add a separate sudo user with a password
    # Alternatively, you can add users with Kickstart, cloud-init, or other methods
    RUN useradd -G wheel -p "<password_hash>" <admin_user>

    Replace <admin_user> with the user name and <password_hash> with the hash of the selected password.

    This Containerfile performs the following tasks:

    • Installs the openscap-utils package that provides the oscap-im tool and the scap-security-guide package that provides the data streams with the Security Content Automation Protocol (SCAP) content.
    • Adds a user with sudoer privileges for profiles that prevent SSH root logins.
    • Scans and remediates the image for compliance with the selected profile.
  2. Build the image by using the Containerfile in the current directory:

    $ podman build -t quay.io/<namespace>/<image>:<tag> .

Verification

  • List all images:

    $ podman images
    REPOSITORY                                  TAG      IMAGE ID       CREATED              SIZE
    quay.io/<namespace>/<image>                 <tag>   b28cd00741b3   About a minute ago   2.1 GB

Next steps

  • You can deploy hardened bootable images by using any of the normal bootable image deployment methods. For more information, see Deploying the RHEL bootc images.

    The deployment method, however, can affect the compliance state of the target system.

  • You can verify the compliance of a running system in Image Mode RHEL by using the oscap tool with the same syntax and usage as in package mode RHEL. For more information, see Configuration compliance scanning.

9.2. Customizing hardened bootable images

You can apply a customized profile to a bootable image by using the oscap-im tool. To implement internal policies, you can customize a security profile by changing parameters in certain rules (for example, minimum password length), removing rules that you cover in a different way, and selecting additional rules. You cannot define new rules by customizing a profile.

Prerequisites

Procedure

  1. Create a Containerfile:

    FROM registry.redhat.io/rhel10/rhel-bootc:latest
    
    # Copy a tailoring file into the image
    COPY tailoring.xml /usr/share/
    
    # Install OpenSCAP scanner and security content to the image
    RUN dnf install -y openscap-utils scap-security-guide && dnf clean all
    
    
    # Add sudo user 'admin' with password 'admin123'.
    # The user can be used with profiles that prevent
    # ssh root logins.
    RUN useradd -G wheel -p "\$6\$Ga6ZnIlytrWpuCzO\$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0" admin
    
    # Run scan and hardening including the tailoring file
    RUN oscap-im --tailoring-file /usr/share/tailoring.xml --profile stig_customized /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

    This Containerfile performs the following tasks:

    • Injects the tailoring file to your image.
    • Installs the openscap-utils package that provides the oscap-im tool and the scap-security-guide package that provides the data streams with the Security Content Automation Protocol (SCAP) content.
    • Adds a user with sudoer privileges for profiles that prevent SSH root logins.
    • Scans and remediates the image for compliance with the selected profile.
  2. Build the image by using the Containerfile in the current directory:

    $ podman build -t quay.io/<namespace>/<image>:<tag> .

Verification

  • List all images:

    $ podman images
    REPOSITORY                                  TAG      IMAGE ID       CREATED              SIZE
    quay.io/<namespace>/<image>                 <tag>   b28cd00741b3   About a minute ago   2.1 GB

Next steps

  • You can deploy hardened bootable images by using any of the normal bootable image deployment methods. For more information, see Deploying the RHEL bootc images.

    The deployment method, however, can affect the compliance state of the target system.

    Note

    Some customizations performed during the deployment, in blueprint for bootc-image-builder or in Kickstart for Anaconda, can interfere with the configuration present in the container image. Do not use customizations that conflict with the security policy requirements.

  • You can verify the compliance of a running system in Image Mode RHEL by using the oscap tool with the same syntax and usage as in package mode RHEL. For more information, see Configuration compliance scanning.
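
The following Python check is an added example, not part of the Red Hat documentation or of the oscap-im tool: it lints a Containerfile like those in sections 9.1 and 9.2 for ordering mistakes that undermine the hardening step. The function names, the finding texts, and the sample input are constructed for illustration; treating a package install after oscap-im as a finding is an assumption drawn from the statement that requests from other packages can change the compliance state.

```python
import re

REQUIRED_PKGS = {"openscap-utils", "scap-security-guide"}

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    lines = [l.strip() for l in re.sub(r"\\\n", " ", text).splitlines()]
    return [l for l in lines if l and not l.startswith("#")]

def lint_containerfile(text):
    """Return findings for a Containerfile that hardens a bootc image."""
    findings, installed, copied, hardened, has_admin = [], set(), [], False, False
    for line in logical_lines(text):
        instr, _, rest = line.partition(" ")
        if instr.upper() == "COPY":
            copied.append(rest.split()[-1])  # last word is the destination
        if instr.upper() != "RUN":
            continue
        for cmd in re.split(r"&&|;", rest):
            w = cmd.split() or [""]
            if w[0] in ("dnf", "yum") and "install" in w:
                if hardened:  # later installs can change the scanned state
                    findings.append("package install after oscap-im: " + cmd.strip())
                installed.update(x for x in w[2:] if not x.startswith("-"))
            elif w[0] == "oscap-im":
                hardened = True
                missing = sorted(REQUIRED_PKGS - installed)
                if missing:
                    findings.append("oscap-im runs before installing: " + ", ".join(missing))
                if "--tailoring-file" in w[:-1]:
                    path = w[w.index("--tailoring-file") + 1]
                    if not any(path == d or (d.endswith("/") and path.startswith(d)) for d in copied):
                        findings.append("tailoring file not copied into image: " + path)
            elif w[0] == "useradd" and "-G" in w[:-1]:
                has_admin |= "wheel" in w[w.index("-G") + 1].split(",")
    if not hardened:
        findings.append("no oscap-im hardening step")
    if not has_admin:
        findings.append("no wheel user in image; add one here or at deployment")
    return findings

# Constructed sample: the 9.2 Containerfile with a package added after hardening
SAMPLE = """\
FROM registry.redhat.io/rhel10/rhel-bootc:latest
COPY tailoring.xml /usr/share/
RUN dnf install -y openscap-utils scap-security-guide && dnf clean all
RUN oscap-im --tailoring-file /usr/share/tailoring.xml --profile stig_customized \\
    /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
RUN dnf install -y httpd
"""
```

An empty result from `lint_containerfile` only means the build steps are ordered sensibly; the compliance state itself still has to be verified with oscap on the booted system.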