2.3. Creating a USGCB-compliant Installation Image
The scap-security-guide package in Red Hat Enterprise Linux 6 contains a specialized Kickstart file, which can be used to install a hardened system conforming to the United States Government Configuration Baseline (USGCB) standard. This is useful in cases where compliance with this standard is required by government regulations.
This Kickstart configuration can be used with the Server variant of Red Hat Enterprise Linux 6. If used, the system will be automatically configured by OpenSCAP to be USGCB profile compliant as part of the post-installation script. After the installation finishes, you can review a report placed in the /root/ directory on the installed system.
Note
The Kickstart file provided by scap-security-guide contains all required commands, making the installation completely automatic.
Also note that the Kickstart file requires access to the internet during the installation in order to download the latest benchmark.
For more information about compliance and vulnerability scanning using OpenSCAP, see the appropriate chapter of the Red Hat Enterprise Linux 6 Security Guide.
To obtain the Kickstart file, install the scap-security-guide package on an existing Red Hat Enterprise Linux 6 system. Once the package is installed, you can find the Kickstart file at /usr/share/scap-security-guide/kickstart/ssg-rhel6-usgcb-server-with-gui-ks.cfg.
After obtaining the file, copy it into your home directory and edit it using a plain text editor. Use Section 32.4, “Kickstart Options” and comments in the file for reference. Some of the comments mention Common Configuration Enumeration (CCE) identifier numbers; you can find information about these at the CCE Archive.
Notable parts of the Kickstart file which can be changed are:
- Package repository location - the url command. To use a package repository on an HTTP or FTP server, replace the default IP address with the address of a server containing a package repository. Replace this command with one of nfs, cdrom, or harddrive to install from an NFS server, optical drive, or local hard drive, respectively.
- System language, keyboard layout, and time zone - the lang, keyboard and timezone commands.
- Root password - the rootpw command. By default, the root password configured in this Kickstart is "server". Make sure to change it and generate a new checksum (password hash) for the new value.
- Boot loader password - the bootloader --password= command. The default password is "password". Make sure to change it and generate a new checksum for the new value.
- Network configuration - the network command. Automatic configuration using DHCP is enabled by default - adjust the settings if necessary.
- Package selection - modify the %packages section of the file to install the packages and groups you need.
  Important
  Packages git, aide and openscap-utils must always be installed. They are required for the Kickstart file and the post-installation OpenSCAP system evaluation to work.
- Disk partitioning layout - the part, volgroup and logvol commands. The USGCB standard defines concrete requirements for a compliant system's disk layout, which means that the logical volumes defined in the default Kickstart file - /home, /tmp, /var, /var/log, and /var/log/audit - must always be created as separate partitions or logical volumes. Additionally, Red Hat Enterprise Linux requires you to create a /boot physical partition and volumes for / and swap. These are all defined in the default Kickstart; you can add additional separate logical volumes or partitions, and you can change the sizes of the default ones.
  Note
  By default, the /var/log/audit volume only takes up 512 MB of space. Due to the high number of calls being audited, it is highly recommended to increase its size to at least 1024 MB.
The rest of the Kickstart file can be used as-is. Once you finish modifying the file, proceed with Section 32.9.1, “Creating Kickstart Boot Media” to place it on an ISO image and use it to install a new system.
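Before building boot media from the edited file, it is worth checking it mechanically against the points listed above. The following POSIX shell script is an added example; it is not part of the Red Hat guide or of the scap-security-guide package. It embeds a constructed Kickstart in the shape described above (the repository URL and both password hashes are placeholders, not values from the shipped file) and checks that each required mount point has its own part or logvol line, that /var/log/audit is at least 1024 MB, that git, aide and openscap-utils appear in %packages, and that rootpw uses --iscrypted and bootloader carries --password=.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide or the scap-security-guide package:
# a sanity check for an edited USGCB Kickstart file, run before building boot media.
# It verifies the points called out in the text: separate part/logvol entries for
# /boot, /, swap, /home, /tmp, /var, /var/log and /var/log/audit; /var/log/audit of
# at least 1024 MB; git, aide and openscap-utils in %packages; a hashed root
# password (rootpw --iscrypted) and a bootloader password (bootloader --password=).

# Print one "FAIL: ..." line per problem; return 0 only if nothing was found.
check_usgcb_ks() {
    ks="$1"
    fails=0
    # Every required mount point must be its own part or logvol line.
    for mp in /boot / swap /home /tmp /var /var/log /var/log/audit; do
        if ! awk -v mp="$mp" '($1=="part" || $1=="logvol") && $2==mp {found=1}
                             END {exit (found ? 0 : 1)}' "$ks"; then
            echo "FAIL: no separate part/logvol for $mp"
            fails=$((fails + 1))
        fi
    done
    # The --size= value (in MB) of the /var/log/audit volume.
    audit_size=$(awk '($1=="part" || $1=="logvol") && $2=="/var/log/audit" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^--size=/) { sub(/^--size=/, "", $i); print $i }
        }' "$ks")
    if [ -n "$audit_size" ] && [ "$audit_size" -lt 1024 ]; then
        echo "FAIL: /var/log/audit is ${audit_size} MB, at least 1024 MB is recommended"
        fails=$((fails + 1))
    fi
    # The three packages the post-installation evaluation depends on.
    for pkg in git aide openscap-utils; do
        if ! awk -v pkg="$pkg" '/^%packages/ {inpkg=1; next}
                               /^%end/ {inpkg=0}
                               inpkg && $1==pkg {found=1}
                               END {exit (found ? 0 : 1)}' "$ks"; then
            echo "FAIL: package $pkg missing from %packages"
            fails=$((fails + 1))
        fi
    done
    # Both passwords must be present and the root password must be a hash.
    grep -q '^rootpw[[:space:]].*--iscrypted' "$ks" || {
        echo "FAIL: rootpw is not --iscrypted"; fails=$((fails + 1)); }
    grep -q '^bootloader[[:space:]].*--password=' "$ks" || {
        echo "FAIL: bootloader has no --password="; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# Constructed sample Kickstart in the shape the text describes. The repository
# URL and the two hashes are placeholders, not values from the shipped file.
GOOD_KS=$(mktemp)
BAD_KS=$(mktemp)
trap 'rm -f "$GOOD_KS" "$BAD_KS"' EXIT
cat > "$GOOD_KS" <<'EOF'
install
url --url=http://repo.example.com/rhel6/Server
lang en_US.UTF-8
keyboard us
timezone --utc America/New_York
rootpw --iscrypted $6$REPLACE_ME_SALT$REPLACE_ME_SHA512_HASH
bootloader --location=mbr --password=$1$REPLACE_ME$REPLACE_ME_GRUB_HASH
network --bootproto=dhcp --device=eth0 --onboot=on
zerombr
clearpart --all --initlabel
part /boot --fstype=ext4 --size=500
part pv.01 --grow --size=1
volgroup VolGroup pv.01
logvol / --vgname=VolGroup --size=8192 --name=lv_root
logvol swap --vgname=VolGroup --size=2048 --name=lv_swap
logvol /home --vgname=VolGroup --size=2048 --name=lv_home
logvol /tmp --vgname=VolGroup --size=1024 --name=lv_tmp
logvol /var --vgname=VolGroup --size=4096 --name=lv_var
logvol /var/log --vgname=VolGroup --size=2048 --name=lv_log
logvol /var/log/audit --vgname=VolGroup --size=1024 --name=lv_audit
%packages
@base
git
aide
openscap-utils
%end
EOF
# A broken variant: audit volume left at the 512 MB default and aide dropped.
sed -e '/^logvol \/var\/log\/audit /s/--size=1024/--size=512/' -e '/^aide$/d' \
    "$GOOD_KS" > "$BAD_KS"

for f in "$GOOD_KS" "$BAD_KS"; do
    if check_usgcb_ks "$f"; then echo "$f: OK"; else echo "$f: fix the problems above"; fi
done
```

To check your own edited file, call check_usgcb_ks with its path. The script reads only the Kickstart text, so it can confirm that rootpw is hashed but not whether that hash still corresponds to the default password "server"; replacing the two default passwords remains a manual step.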