The goal is to create a hardened EC2 server on AWS from scratch. After provisioning a new RHEL/7 instance on AWS, we run `yum -y update` followed by the bash remediations from SSG using:
command: 'oscap xccdf eval --profile {{ scapprofile }} --remediate \
  --results-arf /tmp/results-arf.xml --report /tmp/report.html \
  /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml'
But there are some remediations I don't want to run for an EC2 server such as install_smartcard_packages.sh and dracut-fips. Is there a way to prevent certain remediations from running?
Thanks, =Fen
Look into SCAP Workbench to help build a custom security profile for your application. https://www.open-scap.org/tools/scap-workbench/
Robert
From: Fen Labalme [mailto:fen.labalme@civicactions.com]
Sent: Thursday, March 1, 2018 10:00 PM
To: SCAP Security Guide scap-security-guide@lists.fedorahosted.org
Subject: Disabling specific bash remediations
It may be over the top for your use case, but you might want to also look at the FOSS SIMP project https://simp-project.com (shameless SSG-related plug).
We target SSG compliance but it's eminently flexible and manages your system state over time instead of just at one time.
You can spawn an AWS instance using our base 6.1 load from the Marketplace to try it out.
Trevor
On Thu, Mar 1, 2018 at 10:59 PM, Fen Labalme fen.labalme@civicactions.com wrote:
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Fen,
There is an RFE open in OpenSCAP for this very thing at https://github.com/OpenSCAP/openscap/issues/633
Outside of tailoring a profile, nothing super easy from the OpenSCAP side of the house.
Gabe
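Robert's SCAP Workbench suggestion and Gabe's "tailoring a profile" both come down to the same artifact: an XCCDF tailoring file that extends an SSG profile and deselects the rules you do not want checked or remediated. The script below is an added example (not from the thread or from SSG) that writes such a file and feeds it to oscap; the base profile id and the two rule ids are assumptions derived from the script names in the question, so confirm them with `oscap info` on the datastream first.

```shell
#!/bin/bash
# Added example (not from the thread): an XCCDF 1.2 tailoring file that extends an
# SSG profile and deselects the rules whose remediations should not run on EC2,
# plus the oscap invocation that uses it. Base profile id and the two rule ids are
# assumptions derived from the script names in the question; confirm them with
# `oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml`.
set -eu

DS=/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
BASE_PROFILE=xccdf_org.ssgproject.content_profile_standard   # assumed base profile
EC2_PROFILE=xccdf_org.example_profile_ec2                    # id of the tailored profile

# Rules to leave unselected on an EC2 instance (neither checked nor remediated).
EXCLUDED_RULES="xccdf_org.ssgproject.content_rule_install_smartcard_packages
xccdf_org.ssgproject.content_rule_enable_dracut_fips"

# write_tailoring OUTFILE: emit a tailoring document that deselects $EXCLUDED_RULES.
write_tailoring() {
    local out=$1 rule
    {
        printf '<?xml version="1.0" encoding="UTF-8"?>\n'
        printf '<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"'
        printf ' id="xccdf_org.example_tailoring_ec2">\n'
        printf '  <xccdf:benchmark href="%s"/>\n' "$DS"
        printf '  <xccdf:version time="%s">1</xccdf:version>\n' "$(date -u +%Y-%m-%dT%H:%M:%S)"
        printf '  <xccdf:Profile id="%s" extends="%s">\n' "$EC2_PROFILE" "$BASE_PROFILE"
        printf '    <xccdf:title>EC2 hardening: no smartcard packages, no dracut-fips</xccdf:title>\n'
        for rule in $EXCLUDED_RULES; do
            printf '    <xccdf:select idref="%s" selected="false"/>\n' "$rule"
        done
        printf '  </xccdf:Profile>\n'
        printf '</xccdf:Tailoring>\n'
    } > "$out"
}

# count_deselected FILE: how many rules the tailoring switches off (sanity check).
count_deselected() {
    grep -c 'selected="false"' "$1"
}

# Only invoke oscap where it is installed; it exits 2 when any rule still fails.
if command -v oscap >/dev/null 2>&1; then
    write_tailoring /tmp/ec2-tailoring.xml
    oscap xccdf eval --tailoring-file /tmp/ec2-tailoring.xml --profile "$EC2_PROFILE" \
        --remediate --results-arf /tmp/results-arf.xml --report /tmp/report.html "$DS" \
        || echo "oscap exited with status $? (2 = some rules failed after remediation)"
fi
```

A deselected rule is skipped by both the check and the remediation, so the report will not list it at all; keep the tailoring file under version control next to the Ansible task that calls oscap.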
On Thu, Mar 1, 2018 at 8:59 PM, Fen Labalme fen.labalme@civicactions.com wrote:
Hi, one option is to use remediation roles instead of --remediate, generating them from specific results or a whole profile, and removing the offending remediations from the role (which is either a bash script or an Ansible role). It's a bit clunky, but it should work :)
Marek
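Marek's route, with the manual editing step scripted, as an added example that is not from the thread or from OpenSCAP itself: generate the bash remediation role with `oscap xccdf generate fix`, then cut out the fix blocks of the rules that should not run on EC2. It assumes the per-rule "# BEGIN fix (n / m) for '<rule id>'" / "# END fix for '<rule id>'" markers that recent OpenSCAP releases write into generated roles, and the rule ids are assumed from the script names in the question; the sample role it filters is constructed inline so the filter can be tried without oscap.

```shell
#!/bin/bash
# Added example (not from the thread): Marek's route with the editing step
# scripted. Generate the bash remediation role with `oscap xccdf generate fix`,
# then drop the fix blocks of rules that should not run on EC2. Assumes the
# "# BEGIN fix (n / m) for '<rule id>'" / "# END fix for '<rule id>'" markers
# recent OpenSCAP releases emit; rule ids assumed from the question (check with `oscap info`).
set -eu

DS=/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
PROFILE=xccdf_org.ssgproject.content_profile_standard          # assumed profile
SKIP="xccdf_org.ssgproject.content_rule_install_smartcard_packages xccdf_org.ssgproject.content_rule_enable_dracut_fips"

# strip_fixes IN OUT: copy IN to OUT without the fix blocks of the rule ids in $SKIP.
strip_fixes() {
    awk -v ids="$SKIP" -v q="'" '
        BEGIN { n = split(ids, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        index($0, "# BEGIN fix ") == 1 {            # header names the rule in quotes
            id = $0; sub(".* for " q, "", id); sub(q ".*", "", id)
            if (id in skip) skipping = 1
        }
        !skipping { print }                          # keep lines of wanted fixes
        index($0, "# END fix for " q) == 1 { skipping = 0 }
    ' "$1" > "$2"
}

# count_fixes FILE: number of fix blocks left in a generated role.
count_fixes() {
    grep -c '^# BEGIN fix ' "$1"
}

# Constructed stand-in for `oscap xccdf generate fix --fix-type bash` output.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# BEGIN fix (1 / 3) for 'xccdf_org.ssgproject.content_rule_package_aide_installed'
yum install -y aide
# END fix for 'xccdf_org.ssgproject.content_rule_package_aide_installed'
# BEGIN fix (2 / 3) for 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'
yum install -y esc pam_pkcs11
# END fix for 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'
# BEGIN fix (3 / 3) for 'xccdf_org.ssgproject.content_rule_enable_dracut_fips'
yum install -y dracut-fips
# END fix for 'xccdf_org.ssgproject.content_rule_enable_dracut_fips'
EOF
strip_fixes "$SAMPLE" "$SAMPLE.ec2"     # leaves only the aide block

if command -v oscap >/dev/null 2>&1; then   # real host: generate, filter, then review and run
    oscap xccdf generate fix --fix-type bash --profile "$PROFILE" --output /tmp/remediate-all.sh "$DS"
    strip_fixes /tmp/remediate-all.sh /tmp/remediate-ec2.sh
fi
```

Diff the filtered role against the generated one before running it, so the only difference is the blocks you meant to drop; a stale marker format would otherwise pass everything through unchanged.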
On 03/02/2018 04:53 PM, Gabe Alford wrote: