8.3. Customizing a pre-hardened image with RHEL image builder
You can customize a security profile to implement internal policies by changing parameters in certain rules (for example, the minimum password length), removing rules that you cover differently, and selecting additional rules. You cannot define new rules by customizing a profile.
When you build an image from that blueprint, the build creates a tailoring file with a new tailoring profile ID and saves it in the image as /usr/share/xml/oscap-tailoring/tailoring.xml. The new profile ID is the base profile ID with _tailoring appended as a suffix. For example, if you use the CIS (cis) base profile, the profile ID is xccdf_org.ssgproject.content_profile_cis_tailoring.
Prerequisites
- You are logged in as the root user or a user who is a member of the weldr group.
- The openscap and scap-security-guide packages are installed.
Procedure
1. Create a hardening blueprint in the TOML format from a selected profile. For example:

   # oscap xccdf generate fix --profile=<profileID> --fix-type=blueprint /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml > <profileID>tailored.toml

2. Append the tailoring section with the customized rule set to the blueprint. Note that the tailoring customization only changes the default selected or unselected state of the rules you list, in the profile on which the customization is based; rules you do not list keep their state.

   # Blueprint for CIS Red Hat Enterprise Linux 10.0 Benchmark for Level 2 - Server
   # ...
   [customizations.openscap.tailoring]
   selected = [ "xccdf_org.ssgproject.content_bind_crypto_policy" ]
   unselected = [ "grub2_password" ]

3. Start the build of a hardened image:

   # image-builder build <image_type> --blueprint <blueprintProfileID>

   Replace <image_type> with any image type, for example, qcow2.

4. After the image build is ready, use your pre-hardened image on your deployments.
Verification
After you deploy your pre-hardened image, you can perform a configuration compliance scan to verify that the image is aligned with the selected security profile.
Performing a configuration compliance scan does not guarantee that the system is compliant. For more information, see Configuration compliance scanning.