Chapter 8. Creating pre-hardened images with RHEL image builder OpenSCAP integration

RHEL image builder on-premise supports the OpenSCAP integration. This integration enables the production of pre-hardened RHEL images.

By setting up a blueprint, you can perform the following actions:

  • Customize it with a set of predefined security profiles
  • Add a set of packages or add-on files
  • Build a customized RHEL image, suited to your environment, that is ready to deploy on your chosen platform

Red Hat provides regularly updated versions of the security hardening profiles that you can choose when you build your systems so that you can meet your current deployment guidelines.

8.1. The OpenSCAP blueprint customization

With the OpenSCAP support for blueprint customization, you can generate blueprints from the scap-security-guide content for specific security profiles and then use the blueprints to build your own pre-hardened images.

Creating a customized blueprint with OpenSCAP involves the following high-level steps:

  • Modify the mount points and configure the file system layout according to your specific requirements.
  • In the blueprint, select the OpenSCAP profile. This configures the image to trigger the remediation during the image build in accordance with the selected profile. Also, during the image build, OpenSCAP applies a pre-first-boot remediation.

To use the OpenSCAP blueprint customization in your image blueprints, you need to provide the following information:

  • The datastream path to the data stream file that holds the remediation instructions. The data stream files from the scap-security-guide package are located in the /usr/share/xml/scap/ssg/content/ directory.
  • The profile_id of the required security profile. The value of the profile_id field accepts both the long and short forms, for example, the following are acceptable: cis or xccdf_org.ssgproject.content_profile_cis. See SCAP Security Guide profiles supported in RHEL 10 for more details.

The following example is a snippet with the OpenSCAP remediation stage:

[customizations.openscap]
# If you want to use the data stream from the 'scap-security-guide' package
# the 'datastream' key could be omitted.
# datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml"
profile_id = "xccdf_org.ssgproject.content_profile_cis"

You can find more details about the SCAP source data stream from the scap-security-guide package, including the list of security profiles it provides, by using the command:

# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

For your convenience, the OpenSCAP tool can generate the hardening blueprint for any profile available in scap-security-guide data streams.

For example, the command:

# oscap xccdf generate fix --profile=cis --fix-type=blueprint /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml

generates a blueprint for the CIS profile similar to the following example:

# Blueprint for CIS Red Hat Enterprise Linux 10.0 Benchmark for Level 2 - Server

# Profile Description:
# This profile defines a baseline that aligns to the "Level 2 - Server"
# configuration from the Center for Internet Security® Red Hat Enterprise
# Linux 10 Benchmark™, v3.0.0, released 2023-10-30.
# This profile includes Center for Internet Security®
# Red Hat Enterprise Linux 10.0 CIS Benchmarks™ content.
#
# Profile ID:  xccdf_org.ssgproject.content_profile_cis
# Benchmark ID:  xccdf_org.ssgproject.content_benchmark_RHEL-10.0
# Benchmark Version:  0.1.74
# XCCDF Version:  1.2

name = "hardened_xccdf_org.ssgproject.content_profile_cis"
description = "CIS Red Hat Enterprise Linux 10.0 Benchmark for Level 2 - Server"
version = "0.1.74"

[customizations.openscap]
profile_id = "xccdf_org.ssgproject.content_profile_cis"
# If your hardening data stream is not part of the 'scap-security-guide' package
# provide the absolute path to it (from the root of the image filesystem).
# datastream = "/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml"

[[customizations.filesystem]]
mountpoint = "/home"
size = 1073741824

[[customizations.filesystem]]
mountpoint = "/tmp"
size = 1073741824

[[customizations.filesystem]]
mountpoint = "/var"
size = 3221225472

[[customizations.filesystem]]
mountpoint = "/var/tmp"
size = 1073741824

[[packages]]
name = "aide"
version = "*"

[[packages]]
name = "libselinux"
version = "*"

[[packages]]
name = "audit"
version = "*"

[customizations.kernel]
append = "audit_backlog_limit=8192 audit=1"

[customizations.services]
enabled = ["auditd","crond","firewalld","systemd-journald","rsyslog"]
disabled = []
masked = ["nfs-server","rpcbind","autofs","bluetooth","nftables"]

Note

Do not use this exact blueprint snippet for image hardening. It does not reflect a complete profile. Because Red Hat constantly updates and refines the security requirements for each profile in the scap-security-guide package, always re-generate the initial template from the most up-to-date version of the data stream provided for your system.

Now you can customize the blueprint or use it as it is to build an image.

RHEL image builder generates the necessary configuration for the remediation stage based on your blueprint customization. Additionally, RHEL image builder adds two packages to the image:

  • openscap-scanner is the OpenSCAP tool.
  • scap-security-guide is the package that contains the remediation and evaluation instructions.

    Note

    The remediation stage uses the scap-security-guide package for the datastream because this package is installed on the image by default. If you want to use a different datastream, add the necessary package to the blueprint and specify the path to the datastream in the oscap configuration.
