8.8. Deploying Systems That Are Compliant with a Security Profile Immediately after an Installation
You can use the OpenSCAP suite to deploy RHEL systems that are compliant with a security profile, such as OSPP or PCI-DSS, immediately after the installation process. Using this deployment method, you can apply specific rules that cannot be applied later using remediation scripts, for example, rules for password strength and partitioning.
8.8.1. Deploying Baseline-Compliant RHEL Systems Using the Graphical Installation
Use this procedure to deploy a RHEL system that is aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).
Prerequisites
- You have booted into the graphical installation program. Note that the OSCAP Anaconda Add-on does not support text-only installation.
- You have accessed the Installation Summary window.
Procedure
- From the Installation Summary window, click Software Selection. The Software Selection window opens.
- From the Base Environment pane, select the Server environment. You can select only one base environment.
- Click Done to apply the setting and return to the Installation Summary window.
- Click Security Policy. The Security Policy window opens.
- To enable security policies on the system, toggle the Apply security policy switch to ON.
- Select Protection Profile for General Purpose Operating Systems from the profile pane.
- Click Select Profile to confirm the selection.
- Confirm the changes in the Changes that were done or need to be done pane that is displayed at the bottom of the window. Complete any remaining manual changes.
- Because OSPP has strict partitioning requirements that must be met, create separate partitions for /boot, /home, /var, /var/log, /var/tmp, and /var/log/audit.
- Complete the graphical installation process.
Note
The graphical installation program automatically creates a corresponding Kickstart file after a successful installation. You can use the /root/anaconda-ks.cfg file to automatically install OSPP-compliant systems.
Verification
- To check the current status of the system after installation is complete, reboot the system and start a new scan:
~]# oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Additional Resources
- For more details on partitioning, see Configuring manual partitioning.
8.8.2. Deploying Baseline-Compliant RHEL Systems Using Kickstart
Use this procedure to deploy RHEL systems that are aligned with a specific baseline. This example uses Protection Profile for General Purpose Operating System (OSPP).
Prerequisites
- The scap-security-guide package is installed on your system.
Procedure
- Open the /usr/share/scap-security-guide/kickstart/ssg-rhel7-ospp-ks.cfg Kickstart file in an editor of your choice.
- Update the partitioning scheme to fit your configuration requirements. For OSPP compliance, the separate partitions for /boot, /home, /var, /var/log, /var/tmp, and /var/log/audit must be preserved, although you can change the sizes of these partitions.
Warning
Because the OSCAP Anaconda Add-on does not support text-only installation, do not use the text option in your Kickstart file. For more information, see RHBZ#1674001.
- Start a Kickstart installation as described in Performing an automated installation using Kickstart.
Important
Passwords in the hash form cannot be checked for OSPP requirements.
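The constraints in this procedure (the six separate mount points, no text option, and hashed passwords that escape the OSPP check) can be checked in an edited Kickstart file before the installation starts. The following script is an added example, not part of the Red Hat documentation or the scap-security-guide package; the function names and the sample Kickstart content are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-install lint for an OSPP Kickstart file (not Red Hat tooling).
REQUIRED_MOUNTS="/boot /home /var /var/log /var/tmp /var/log/audit"

# Constructed sample: /var/tmp is missing, 'text' is set, root password is hashed.
sample_ks() {
cat <<'EOF'
text
rootpw --iscrypted PLACEHOLDER_HASH
part /boot --fstype=xfs --size=512
part pv.01 --grow --size=1
volgroup VolGroup pv.01
logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024
logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048
logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024
logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512
%post
text inside a script body must not be flagged
%end
EOF
}

# Keep only Kickstart commands: drop comments and %pre/%post/%packages/%addon bodies.
ks_commands() {
    awk '/^%end/ {s=0; next}
         /^%(include|ksappend)/ {next}
         /^%/ {s=1; next}
         !s && $1 !~ /^#/' "$1"
}

# Succeeds when any command line satisfies the awk condition in $1.
ks_has() { printf '%s\n' "$cmds" | awk -v mp="$2" "$1"' {f=1} END {exit !f}'; }
# Print one finding per line; return 0 only if nothing blocks an OSPP install.
check_ospp_ks() {
    cmds=$(ks_commands "$1"); rc=0
    for mp in $REQUIRED_MOUNTS; do
        # part/partition/logvol take the mount point as their first argument
        ks_has '($1=="part" || $1=="partition" || $1=="logvol") && $2==mp' "$mp" ||
            { echo "MISSING separate partition: $mp"; rc=1; }
    done
    ks_has '$1=="text"' && { echo "UNSUPPORTED: text mode, add-on cannot run"; rc=1; }
    ks_has '($1=="rootpw" || $1=="user") && /--iscrypted/' &&
        echo "NOTE: hashed password cannot be checked for OSPP requirements"
    return $rc
}
tmp=$(mktemp); sample_ks > "$tmp"
check_ospp_ks "$tmp" || echo "Fix the findings above before starting the installation."
rm -f "$tmp"
```

A hashed password is reported as a note rather than a failure, because the page states only that it cannot be checked, not that it is forbidden.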
Verification
- To check the current status of the system after installation is complete, reboot the system and start a new scan:
~]# oscap xccdf eval --profile ospp --report eval_postinstall_report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
Additional Resources
- For more details, see the OSCAP Anaconda Add-on project page.