Chapter 7. Creating pre-hardened images with RHEL image builder OpenSCAP integration
With the RHEL image builder on-premise support for the OpenSCAP integration, you can create customized blueprints with specific security profiles, and use the blueprints to build your pre-hardened images. You can then use this pre-hardened image to deploy systems that need to be compliant with a specific profile. You can add a set of packages or add-on files to customize your blueprints. With that, you can build a pre-hardened customized RHEL image ready to deploy compliant systems.
During the image build process, an OSBuild oscap.remediation
stage runs the OpenSCAP tool in the chroot
environment, on the filesystem tree. The OpenSCAP tool runs the standard evaluation for the profile you choose and applies the remediations to the image. With this, you can build an image that can be configured according to the security profile requirements even before it boots for the first time.
Red Hat provides regularly updated versions of the security hardening profiles that you can choose when you build your systems so that you can meet your current deployment guidelines.
7.1. The OpenSCAP blueprint customization
With the OpenSCAP support for blueprint customization, you can generate blueprints from the`scap-security-guide` content for specific security profiles and then use the blueprints to build your own pre-hardened images.
Creating a customized blueprint with OpenSCAP involves the following high level steps:
- Modify the mount points and configure the file system layout according to your specific requirements.
- In the blueprint, Select the OpenSCAP profile. This configures the image to trigger the remediation during the image build in accordance with the selected profile. Also during the image build, OpenSCAP applies a pre-first-boot remediation.
To use the OpenSCAP
blueprint customization in your image blueprints, you need to provide the following information:
-
The data stream path to the
datastream
remediation instructions. The data stream files fromscap-security-guide
package are located in the/usr/share/xml/scap/ssg/content/
directory. -
The
profile_id
of the required security profile. The value of theprofile_id
field accepts both the long and short forms, for example, the following are acceptable:cis
orxccdf_org.ssgproject.content_profile_cis
. See SCAP Security Guide profiles supported in RHEL 9 for more details.
The following example is a snippet with the OpenSCAP
remediation stage:
[customizations.openscap] # If you want to use the data stream from the 'scap-security-guide' package # the 'datastream' key could be omitted. # datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml" profile_id = "xccdf_org.ssgproject.content_profile_cis"
You can find more details about the SCAP
source data stream from the scap-security-guide
package, including the list of security profiles it provides, by using the command:
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
For your convenience the OpenSCAP
tool can generate the hardening blueprint for any profile available in scap-security-guide
data streams.
For example, the command:
# oscap xccdf generate fix --profile=cis --fix-type=blueprint /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
generates a blueprint for CIS profile similar to:
# Blueprint for CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server # # Profile Description: # This profile defines a baseline that aligns to the "Level 2 - Server" # configuration from the Center for Internet Security® Red Hat Enterprise # Linux 9 Benchmark™, v3.0.0, released 2023-10-30. # This profile includes Center for Internet Security® # Red Hat Enterprise Linux 9 CIS Benchmarks™ content. # # Profile ID: xccdf_org.ssgproject.content_profile_cis # Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-9 # Benchmark Version: 0.1.74 # XCCDF Version: 1.2 name = "hardened_xccdf_org.ssgproject.content_profile_cis" description = "CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server" version = "0.1.74" [customizations.openscap] profile_id = "xccdf_org.ssgproject.content_profile_cis" # If your hardening data stream is not part of the 'scap-security-guide' package # provide the absolute path to it (from the root of the image filesystem). # datastream = "/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml" [[customizations.filesystem]] mountpoint = "/home" size = 1073741824 [[customizations.filesystem]] mountpoint = "/tmp" size = 1073741824 [[customizations.filesystem]] mountpoint = "/var" size = 3221225472 [[customizations.filesystem]] mountpoint = "/var/tmp" size = 1073741824 [[packages]] name = "aide" version = "*" [[packages]] name = "libselinux" version = "*" [[packages]] name = "audit" version = "*" [customizations.kernel] append = "audit_backlog_limit=8192 audit=1" [customizations.services] enabled = ["auditd","crond","firewalld","systemd-journald","rsyslog"] disabled = [] masked = ["nfs-server","rpcbind","autofs","bluetooth","nftables"]
Do not use this exact blueprint snippet for image hardening. It does not reflect a complete profile. As Red Hat constantly updates and refines security requirements for each profile in the scap-security-guide
package, it makes sense to always re-generate the initial template using the most up-to-date version of the data stream provided for your system.
Now you can customize the blueprint or use it as it is to build an image.
RHEL image builder generates the necessary configurations for the osbuild
stage based on your blueprint customization. Additionally, RHEL image builder adds two packages to the image:
-
openscap-scanner
- theOpenSCAP
tool. scap-security-guide
- the package which contains the remediation and evaluation instructions.NoteThe remediation stage uses the
scap-security-guide
package for the datastream because this package is installed on the image by default. If you want to use a different datastream, add the necessary package to the blueprint, and specify the path to the datastream in theoscap
configuration.
Additional resources
7.2. Creating a pre-hardened image with RHEL image builder
With the OpenSCAP and RHEL image builder integration, you can create images that are pre-hardened in compliance with a specific profile, and you can deploy them in a VM, or a bare-metal environment, for example.
Prerequisite
-
You are logged in as the root user or a user who is a member of the
weldr
group. -
The
openscap
andscap-security-guide
packages are installed.
Procedure
Create a hardening blueprint in the TOML format, using
OpenSCAP
tool andscap-security-guide
content, and modify it if necessary:# oscap xccdf generate fix --profile=<profileID> --fix-type=<blueprint_name>.toml /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > cis.toml
Replace
<profileID>
with the profile ID with which the system should comply, for example,cis
.Push the blueprint to
osbuild-composer
by using thecomposer-cli
tool:# composer-cli blueprints push <blueprint_name>.toml
Start the build of hardened image:
# composer-cli compose start <blueprint_name> <image_type>
Replace
<image_type>
with any image type, for example,qcow2
.After the image build is ready, you can use your pre-hardened image on your deployments. See Creating a virtual machine.
Verification
After you deploy your pre-hardened image you can perform a configuration compliance scan to verify that the image is aligned with the selected security profile.
Performing a configuration compliance scanning does not guarantee the system is compliant. For more information, see Configuration compliance scanning.
Additional resources
7.3. Customizing a pre-hardened image with RHEL image builder
You can customize a security profile by changing parameters in certain rules, for example, minimum password length, removing rules that you cover in a different way, and selecting additional rules, to implement internal policies. You cannot define new rules by customizing a profile.
When you build an image from that blueprint, it creates a tailoring file with a new tailoring profile ID and saves it to the image as /usr/share/xml/osbuild-oscap-tailoring/tailoring.xml
. The new profile ID adds the _osbuild_tailoring
suffix to the base ID. For example, if you tailor the CIS (cis
) base profile, the profile ID is xccdf_org.ssgproject.content_profile_cis_osbuild_tailoring
.
Prerequisites
-
You are logged in as the root user or a user who is a member of the
weldr
group. -
The
openscap
andscap-security-guide
packages are installed.
Procedure
Create a hardening blueprint in the TOML format from a selected profile:
# oscap xccdf generate fix --profile=<profileID> --fix-type=blueprint /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > <profileID>-tailored.toml
Append the tailoring file to the blueprint. The tailoring customization affects only the default state of the selected or unselected rules in the profile in which the customization is based on. It selects or unselects a rule in the profile, but does not change the state of other rules.
# Blueprint for CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server # ... [customizations.openscap.tailoring] selected = [ "xccdf_org.ssgproject.content_bind_crypto_policy" ] unselected = [ "grub2_password" ]
Push the blueprint to
osbuild-composer
by using thecomposer-cli
tool:# composer-cli blueprints push <blueprintProfileID>-tailored.toml
Start the build of hardened image:
# composer-cli compose start <blueprintProfileID> <image_type>
Replace
<image_type>
with any image type, for example,qcow2
.After the image build is ready, use your pre-hardened image on your deployments.
Verification
After you deploy your pre-hardened image, you can perform a configuration compliance scan to verify that the image is aligned with the selected security profile.
Performing a configuration compliance scanning does not guarantee the system is compliant. For more information, see Configuration compliance scanning.
Additional resources