Red Hat SummitChapter 10. Security hardening and compliance of bootable images
Image mode for RHEL provides security compliance features and supports workloads that require compliant configuration. However, the process of hardening systems and verifying compliance status is different than in package mode.
The key part of using Image mode for RHEL is creating a bootable container image. The deployed system mirrors the image. Therefore, the built image must contain all packages and configuration settings that are required by the security policy.
When a bootable image is run as a container, some of the hardening configuration is not in effect. To get a system that is fully configured in accordance with the security profile, you must boot the image in a bare metal or virtual machine instead of running as a container. Main differences of a container deployment include the following:
- Systemd services that are required by security profiles do not run on containers because systemd is not running in the container. Therefore, the container cannot comply with the related policy requirements.
-
Other services cannot run in containers, although they are configured correctly. This means that
oscapreports them as correctly configured, even if they are not running. - Configurations defined by the compliance profile are not enforcing. Requests from other packages or installation prescripts can change the compliance state. Always check the compliance of the installed product and alter your Containerfile to fit your requirements.
10.1. Building hardened bootable images
You can build hardened bootable images more easily by including the oscap-im tool in the Containerfile that you use to build your bootable container image.
Although oscap-im can consume any SCAP content, the SCAP source data streams shipped in scap-security-guide are specifically adjusted and tested to be compatible with bootable containers.
Prerequisites
-
The
container-toolsmeta-package is installed. - You know the ID of the profile within the baseline with which the system should comply. To find the ID, see the Viewing profiles for configuration compliance section.
Procedure
Create a
Containerfile:FROM registry.redhat.io/rhel9/rhel-bootc:latest # Install OpenSCAP scanner and security content to the image RUN dnf install -y openscap-utils scap-security-guide && dnf clean all # Add sudo user 'admin' with password 'admin123'. # The user can be used with profiles that prevent # ssh root logins. RUN useradd -G wheel -p "\$6\$Ga6Zn IlytrWpuCzO\$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0" admin # Run scan and hardening RUN oscap-im --profile <profileID> /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
FROM registry.redhat.io/rhel9/rhel-bootc:latest # Install OpenSCAP scanner and security content to the image RUN dnf install -y openscap-utils scap-security-guide && dnf clean all # Add sudo user 'admin' with password 'admin123'. # The user can be used with profiles that prevent # ssh root logins. RUN useradd -G wheel -p "\$6\$Ga6Zn IlytrWpuCzO\$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0" admin # Run scan and hardening RUN oscap-im --profile <profileID> /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xmlCopy to Clipboard Copied! This
Containerfileperforms the following tasks:-
Installs the
openscap-utilspackage that provides theoscap-imtool and thescap-security-guidepackage that provides the data streams with the Security Content Automation Protocol (SCAP) content. -
Adds a user with
sudoerprivileges for profiles that prevent SSH root logins. - Scans and remediates the image for compliance with the selected profile.
-
Installs the
Build the image by using the
Containerfilein the current directory:podman build -t quay.io/<namespace>/<image>:<tag> .
$ podman build -t quay.io/<namespace>/<image>:<tag> .Copy to Clipboard Copied!
Verification
List all images:
podman images
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE quay.io/<namespace>/<image> <tag> b28cd00741b3 About a minute ago 2.1 GBCopy to Clipboard Copied!
Next steps
You can deploy hardened bootable images by using any of the normal bootable image deployment methods. For more information, see Deploying the RHEL bootc images.
The deployment method, however, can affect the compliance state of the target system.
-
You can verify the compliance of a running system in Image Mode RHEL by using the
oscaptool with the same syntax and usage as in package mode RHEL. For more information, see Configuration compliance scanning.
10.2. Customizing hardened bootable images
You can apply a customized profile to a bootable image by using the oscap-im tool. You can customize a security profile by changing parameters in certain rules, for example, minimum password length, removing rules that you cover in a different way, and selecting additional rules, to implement internal policies. You cannot define new rules by customizing a profile.
Prerequisites
-
The
container-toolsmeta-package is installed. - You have a customization file for your profile. For more information, see Customizing a security profile with SCAP Workbench.
Procedure
Create a
Containerfile:FROM registry.redhat.io/rhel9/rhel-bootc:latest # Copy a tailoring file into the Containerfile COPY tailoring.xml /usr/share/ # Install OpenSCAP scanner and security content to the image RUN dnf install -y openscap-utils scap-security-guide && dnf clean all # Add sudo user 'admin' with password 'admin123'. # The user can be used with profiles that prevent # ssh root logins. RUN useradd -G wheel -p "\$6\$Ga6Zn IlytrWpuCzO\$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0" admin # Run scan and hardening including the tailoring file RUN oscap-im --tailoring-file /usr/share/tailoring.xml --profile stig_customized /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
FROM registry.redhat.io/rhel9/rhel-bootc:latest # Copy a tailoring file into the Containerfile COPY tailoring.xml /usr/share/ # Install OpenSCAP scanner and security content to the image RUN dnf install -y openscap-utils scap-security-guide && dnf clean all # Add sudo user 'admin' with password 'admin123'. # The user can be used with profiles that prevent # ssh root logins. RUN useradd -G wheel -p "\$6\$Ga6Zn IlytrWpuCzO\$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0" admin # Run scan and hardening including the tailoring file RUN oscap-im --tailoring-file /usr/share/tailoring.xml --profile stig_customized /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xmlCopy to Clipboard Copied!
This Containerfile performs the following tasks:
- Injects the tailoring file to your image.
-
Installs the
openscap-utilspackage that provides theoscap-imtool and thescap-security-guidepackage that provides the data streams with the Security Content Automation Protocol (SCAP) content. -
Adds a user with
sudoerprivileges for profiles that prevent SSH root logins. Scans and remediates the image for compliance with the selected profile.
Build the image by using the
Containerfilein the current directory:podman build -t quay.io/<namespace>/<image>:<tag> .
$ podman build -t quay.io/<namespace>/<image>:<tag> .Copy to Clipboard Copied!
Verification
List all images:
podman images
$ podman images REPOSITORY TAG IMAGE ID CREATED SIZE quay.io/<namespace>/<image> <tag> b28cd00741b3 About a minute ago 2.1 GBCopy to Clipboard Copied!
Next steps
You can deploy hardened bootable images by using any of the normal bootable image deployment methods. For more information, see Deploying the RHEL bootc images.
The deployment method, however, can affect the compliance state of the target system.
NoteSome customizations performed during the deployment, in blueprint for
bootc-image-builderor in Kickstart for Anaconda, can interfere with the configuration present in the container image. Do not use customizations that conflict with the security policy requirements.-
You can verify the compliance of a running system in Image Mode RHEL by using the
oscaptool with the same syntax and usage as in package mode RHEL. For more information, see Configuration compliance scanning.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}