7.3. OpenSCAP 蓝图自定义
通过对蓝图自定义的 OpenSCAP 支持,您可以为特定安全配置集生成来自 scap-security-guide 内容的蓝图,然后使用它们构建自己的预先强化的镜像。要创建自定义预先强化的镜像,您可以修改挂载点并根据具体要求配置文件系统布局。选择 OpenSCAP 配置集后,OpenSCAP 蓝图配置镜像,以根据所选配置集在镜像构建过程中触发补救。在镜像构建过程中,OpenSCAP 应用预启动修复。
要在镜像蓝图中使用 OpenSCAP 蓝图,您需要提供以下信息:
-
数据流路径到
datastream修复指令。scap-security-guide软件包中的数据流文件位于/usr/share/xml/scap/ssg/content/目录中。1 所需的安全配置集的
profile_id。profile_id字段的值接受长和短形式,例如以下是可接受的形式:cis或xccdf_org.ssgproject.content_profile_cis。如需了解更多详细信息,请参阅 RHEL 9 支持的 SCAP 安全指南配置集。以下示例是带有
OpenSCAP补救阶段的蓝图:[customizations.openscap] # If you want to use the data stream from the 'scap-security-guide' package # the 'datastream' key could be omitted. # datastream = "/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml" profile_id = "xccdf_org.ssgproject.content_profile_cis"
您可以使用以下命令,从
scap-security-guide软件包中查找SCAP源数据流的更多详细信息,包括它提供的安全配置集列表:# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
为方便起见,OpenSCAP 工具可以为 scap-security-guide 数据流中的任何配置集生成强化蓝图。
例如,命令
# oscap xccdf generate fix --profile=cis --fix-type=blueprint /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml将为 CIS 配置文件生成蓝图,类似于
# Blueprint for CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server # # Profile Description: # This profile defines a baseline that aligns to the "Level 2 - Server" # configuration from the Center for Internet Security® Red Hat Enterprise # Linux 9 Benchmark™, v3.0.0, released 2023-10-30. # This profile includes Center for Internet Security® # Red Hat Enterprise Linux 9 CIS Benchmarks™ content. # # Profile ID: xccdf_org.ssgproject.content_profile_cis # Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-9 # Benchmark Version: 0.1.74 # XCCDF Version: 1.2 name = "hardened_xccdf_org.ssgproject.content_profile_cis" description = "CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server" version = "0.1.74" [customizations.openscap] profile_id = "xccdf_org.ssgproject.content_profile_cis" # If your hardening data stream is not part of the 'scap-security-guide' package # provide the absolute path to it (from the root of the image filesystem). # datastream = "/usr/share/xml/scap/ssg/content/ssg-xxxxx-ds.xml" [[customizations.filesystem]] mountpoint = "/home" size = 1073741824 [[customizations.filesystem]] mountpoint = "/tmp" size = 1073741824 [[customizations.filesystem]] mountpoint = "/var" size = 3221225472 [[customizations.filesystem]] mountpoint = "/var/tmp" size = 1073741824 [[packages]] name = "aide" version = "*" [[packages]] name = "libselinux" version = "*" [[packages]] name = "audit" version = "*" [customizations.kernel] append = "audit_backlog_limit=8192 audit=1" [customizations.services] enabled = ["auditd","crond","firewalld","systemd-journald","rsyslog"] disabled = [] masked = ["nfs-server","rpcbind","autofs","bluetooth","nftables"]
不要将此精确的蓝图片断用于镜像强化。它没有反映完整的配置集。当红帽不断更新并优化 scap-security-guide 软件包中每个配置集的安全要求时,始终使用为您的系统提供的最最新的数据流版本来重新生成初始模板。
现在,您可以自定义蓝图,或者在构建镜像时使用它。
RHEL 镜像构建器根据您的蓝图自定义为 osbuild 阶段生成所需的配置。另外,RHEL 镜像构建器向镜像中添加两个软件包:
-
openscap-scanner-OpenSCAP工具。 scap-security-guide- 包含修复和评估指令的软件包。注意补救阶段将
scap-security-guide软件包用于 datastream,因为这个软件包默认安装在镜像中。如果要使用不同的数据流,将必要的软件包添加到蓝图中,并在oscap配置中指定到 datastream 的路径。
其他资源
