Chapter 8. Creating pre-hardened images with RHEL image builder OpenSCAP integration

RHEL image builder on-premise supports the OpenSCAP integration. This integration enables the production of pre-hardened RHEL images. By setting up a blueprint, you can perform the following actions:

  • Customize it with a set of predefined security profiles
  • Add a set of packages or add-on files
  • Build a customized RHEL image ready to deploy on your chosen platform that is more suitable to your environment

Red Hat provides regularly updated versions of the security hardening profiles that you can choose when you build your systems so that you can meet your current deployment guidelines.

8.1. Differences between Kickstart and pre-hardened images

With traditional image creation using a Kickstart file, you have to choose which packages to install and then ensure yourself that the resulting system is not affected by a vulnerability. With the RHEL image builder OpenSCAP integration, you can build security-hardened images instead. During the image build process, an OSBuild oscap.remediation stage runs the OpenSCAP tool in the chroot, on the filesystem tree. The OpenSCAP tool runs the standard evaluation for the profile you choose and applies the remediations to the image. As a result, the image is configured according to the security profile requirements before it boots for the first time.

8.2. Installing OpenSCAP

Install the OpenSCAP tool to get access to the SCAP tools that help you create standard security checklists for your systems.

Procedure

  1. Install OpenSCAP on your system:

    # yum install openscap-scanner
  2. Install scap-security-guide package:

    # yum install scap-security-guide

    After the installation completes, you can start using the oscap command-line tool. The SCAP content with the security profiles is installed in the /usr/share/xml/scap/ssg/content/ directory.

8.3. The OpenSCAP blueprint customization

With the OpenSCAP support for blueprint customization, you can generate blueprints from scap-security-guide content for specific security profiles and then use them to build your own pre-hardened images. To create a customized pre-hardened image you can modify the mount points and configure the file system layout according to your specific requirements. After you select the OpenSCAP profile, the OpenSCAP blueprint configures the image to trigger the remediation during the image build in accordance with the selected profile. During the image build, OpenSCAP applies a pre-first-boot remediation.

To use the OpenSCAP blueprint customization in your image blueprints, you need to provide the following information:

  • The datastream path to the data stream file that contains the remediation instructions. The data stream files from the scap-security-guide package are located in the /usr/share/xml/scap/ssg/content/ directory.
  • The profile_id of the required security profile. The value of the profile_id field accepts both the long and short forms, for example, the following are acceptable: cis or xccdf_org.ssgproject.content_profile_cis. See SCAP Security Guide profiles supported in RHEL 8 for more details.

    The following example is a blueprint with the OpenSCAP remediation stage:

    [customizations.openscap]
    # If you want to use the data stream from the 'scap-security-guide' package
    # the 'datastream' key could be omitted.
    # datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml"
    profile_id = "xccdf_org.ssgproject.content_profile_cis"

    You can find more details about the SCAP source data stream from the scap-security-guide package, including the list of security profiles it provides, by using the command:

    # oscap info /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

For your convenience, the OpenSCAP tool can generate the hardening blueprint for any profile available in the scap-security-guide data streams.

For example, the command:

# oscap xccdf generate fix --profile=cis --fix-type=blueprint /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml

generates a blueprint for the CIS profile similar to the following:

# Blueprint for CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
#
# Profile Description:
# This profile defines a baseline that aligns to the "Level 2 - Server"
# configuration from the Center for Internet Security® Red Hat Enterprise
# Linux 8 Benchmark™, v3.0.0, released 2023-10-30.
# This profile includes Center for Internet Security®
# Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
#
# Profile ID:  xccdf_org.ssgproject.content_profile_cis
# Benchmark ID:  xccdf_org.ssgproject.content_benchmark_RHEL-8
# Benchmark Version:  0.1.74
# XCCDF Version:  1.2

name = "hardened_xccdf_org.ssgproject.content_profile_cis"
description = "CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server"
version = "0.1.74"

[customizations.openscap]
profile_id = "xccdf_org.ssgproject.content_profile_cis"
# If your hardening data stream is not part of the 'scap-security-guide' package
# provide the absolute path to it (from the root of the image filesystem).
# datastream = "/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml"

[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824

[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824

[[customizations.filesystem]]
mountpoint = "/var"
size = 3221225472

[[customizations.filesystem]]
mountpoint = "/var/tmp"
size = 1073741824

[[packages]]
name = "aide"
version = "*"

[[packages]]
name = "libselinux"
version = "*"

[[packages]]
name = "audit"
version = "*"

[customizations.kernel]
append = "audit_backlog_limit=8192 audit=1"

[customizations.services]
enabled = ["auditd","crond","firewalld","systemd-journald","rsyslog"]
disabled = []
masked = ["nfs-server","rpcbind","autofs","bluetooth","nftables"]

Note

Do not use this exact blueprint snippet for image hardening. It does not reflect a complete profile. As Red Hat constantly updates and refines security requirements for each profile in the scap-security-guide package, it makes sense to always re-generate the initial template using the most up-to-date version of the data stream provided for your system.

Now you can customize the blueprint or use it as it is to build an image.

RHEL image builder generates the necessary configurations for the osbuild stage based on your blueprint customization. Additionally, RHEL image builder adds two packages to the image:

  • openscap-scanner - the OpenSCAP tool.
  • scap-security-guide - the package which contains the remediation and evaluation instructions.

    Note

    The remediation stage uses the scap-security-guide package for the datastream because this package is installed on the image by default. If you want to use a different datastream, add the necessary package to the blueprint, and specify the path to the datastream in the oscap configuration.

8.4. Creating a pre-hardened image with RHEL image builder

With the OpenSCAP and RHEL image builder integration, you can create pre-hardened images that you can deploy in a VM.

Prerequisite

  • You are logged in as the root user or a user who is a member of the welder group.

Procedure

  1. Create a hardening blueprint in the TOML format by using the OpenSCAP tool and scap-security-guide content, and modify it if necessary:

    # oscap xccdf generate fix --profile=cis --fix-type=blueprint /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml > cis.toml
  2. Push the blueprint to osbuild-composer by using the composer-cli tool:

    # composer-cli blueprints push cis.toml
  3. Start the build of the hardened image:

    # composer-cli compose start hardened_xccdf_org.ssgproject.content_profile_cis qcow2

    After the image build is ready, you can use your pre-hardened image on your deployments. See Creating a virtual machine.

Verification

After you deploy your pre-hardened image in a VM, you can perform a configuration compliance scan to verify that the image is aligned with the selected security profile.

Important

Performing a configuration compliance scan does not guarantee that the system is compliant. For more information, see Configuration compliance scanning.

  1. Connect to the virtual machine by using SSH.
  2. Run the oscap scanner.

    # oscap xccdf eval --profile=cis --report=/tmp/compliance-report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  3. Fetch compliance-report.html and inspect the results.

8.5. Adding customized tailoring options for a profile to the blueprint

With the OpenSCAP and RHEL image builder integration, you can add customized tailoring options for a profile to the blueprint customizations by using the following options:

  • selected for the list of rules that you want to add
  • unselected for the list of rules that you want to remove

With the default org.ssgproject.content rule namespace, you can omit the prefix for rules under this namespace. For example, org.ssgproject.content_grub2_password and grub2_password are functionally equivalent.

When you build an image from that blueprint, it creates a tailoring file with a new tailoring profile ID and saves it to the image as /usr/share/xml/osbuild-oscap-tailoring/tailoring.xml. The new profile ID will have _osbuild_tailoring appended as a suffix to the base profile. For example, if you use the CIS (cis) base profile, the profile ID will be xccdf_org.ssgproject.content_profile_cis_osbuild_tailoring.

Prerequisites

  • You are logged in as the root user or a user who is a member of the welder group.

Procedure

  1. Create a hardening blueprint in the TOML format by using the OpenSCAP tool and scap-security-guide content, and modify it if necessary:

    # oscap xccdf generate fix --profile=cis --fix-type=blueprint /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml > cis_tailored.toml
  2. Append the tailoring section with the customized rule set to the blueprint:

    # Blueprint for CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
    # ...
    [customizations.openscap.tailoring]
    selected = [ "xccdf_org.ssgproject.content_bind_crypto_policy" ]
    unselected = [ "grub2_password" ]
  3. Push the blueprint to osbuild-composer by using the composer-cli tool:

    # composer-cli blueprints push cis_tailored.toml
  4. Start the build of the hardened image:

    # composer-cli compose start hardened_xccdf_org.ssgproject.content_profile_cis qcow2

    After the image build is ready, use your pre-hardened image on your deployments to create a VM. For more information, see Creating a virtual machine.

    After you deploy your pre-hardened image in a VM, you can perform a configuration compliance scan to verify that the image is aligned with the selected security profile.

    Important

    Performing a configuration compliance scan does not guarantee that the system is compliant. For more information, see Configuration compliance scanning.

Verification

In the VM where you deployed your pre-hardened image, follow the steps:

  1. Connect to the virtual machine by using SSH.
  2. Run the oscap scanner.

    # oscap xccdf eval --profile=cis --report=/tmp/compliance-report.html /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
  3. Fetch compliance-report.html and inspect the results.
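To check the verification scan from sections 8.4 and 8.5 without reading the HTML report by hand, the following added Python script (not part of this documentation or of OpenSCAP) summarizes an XCCDF results file. It assumes you also pass --results=/tmp/results.xml to oscap xccdf eval, and it embeds a constructed sample results file that uses the _osbuild_tailoring profile ID described in section 8.5.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
# Suffix image builder appends to the profile ID when the blueprint has a tailoring section.
OSBUILD_TAILORING_SUFFIX = "_osbuild_tailoring"

# Constructed sample XCCDF results file, trimmed to what the summary needs; real `oscap xccdf eval --results` output has far more.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <TestResult id="xccdf_org.open-scap_testresult_cis">
    <profile idref="xccdf_org.ssgproject.content_profile_cis_osbuild_tailoring"/>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_var" severity="low">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def base_profile_id(profile_id):
    """Strip the image builder tailoring suffix to recover the base profile ID."""
    if profile_id.endswith(OSBUILD_TAILORING_SUFFIX):
        return profile_id[: -len(OSBUILD_TAILORING_SUFFIX)]
    return profile_id

def summarize_results(xml_text):
    """Count rule-result states and list failed rules with their severity."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element: not an XCCDF results file")
    profile = test_result.find("x:profile", XCCDF_NS)
    counts, failed = Counter(), []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        state = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[state] += 1
        if state == "fail":
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    return {"profile": profile.get("idref") if profile is not None else None,
            "counts": dict(counts), "failed": failed}

def is_hardened(summary):
    """A pre-hardened image should leave no rule in the 'fail' state."""
    return summary["counts"].get("fail", 0) == 0
```

Run it against the constructed sample, or call summarize_results(open("/tmp/results.xml").read()) on a file fetched from the VM; any rule listed under "failed" is one the remediation stage did not bring into line with the profile.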