When I was still doing IT Operations work, I dreamt of a day when a system could be secured, and secured reliably, during the installation process. Sure, I had scripts and other tools at my disposal, but the problem with them was that there was no consensus that the actions I was taking to secure the server were actually correct. Additionally, what happened if the checks and remediation steps that I was performing changed? How long, if ever, would it take me to change my scripts?
With the advent of SCAP and the associated tools, achieving compliance during installation has never been easier. Long gone are the worries that I used to have, and I can now be sure that the systems I am installing are secure from the first time that they touch the network.
In this post, we are going to look at the RHEL 7.2 installer and how it integrates SCAP content from the SCAP Security Guide project to make installation based compliance a reality.
The Installer
Starting with version 7.2 of Red Hat Enterprise Linux, there is a new installer option called – you guessed it – “Security”. The new option is on the second install screen, right after the options to set the language and keyboard layout.
By default, no security policy is selected. To set a security profile, simply click on the security icon. A new screen will appear that allows the selection of a security profile that will be applied during installation. RHEL 7.2 ships with several profiles including:
- Default – contains no rules, but sets the server up for applying a profile in the future.
- Standard System Security Profile – a base profile with a “sane” set of defaults for typical deployments.
- Draft PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7 – draft PCI-DSS version 3 profile.
- Red Hat Corporate Profile for Certified Cloud Providers (RH CCP) – the draft rules for use by Red Hat Certified Cloud Providers.
- Common Profile for General-Purpose Systems – a set of rules common to both server and desktop deployments.
- Pre-release Draft STIG for Red Hat Enterprise Linux 7 Server – the draft consensus content for RHEL 7 Server, which will be the basis for the official DoD STIG.
For this post, I will be using the Draft STIG content and I will be performing a minimal (default) installation of RHEL 7.2. If a different profile is needed, the Security screen can also fetch content from another location over HTTP, HTTPS or FTP. To fetch new content, just click on the “Change Content” button and specify the URL to the content. Note: in order to fetch content, networking has to be activated. The network can be activated using the “Network & Hostname” section on the installer screen.
To select a profile, ensure that the “Apply security policy” is set to “ON”, click the profile name and then click the “Select profile” button. Once the profile is set (a green check mark will be present) click “Done” in the upper left corner of the screen to return to the main installation screen.
At this point, the installation can be started once all of the other required configuration steps are taken care of. I am not going to get into those here, but typically, the installation destination will be the only other installation item that will need attention.
Validating the Security Profile
Once the installation is complete, you will notice some of the configuration changes as soon as the system boots to the login prompt: a warning banner is now displayed.
So far, so good. The configuration of the rest of the system can be verified using the OpenSCAP tools that are included in the installation. To list all of the available profiles, run:
oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The profile that we want to use is called “xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream”
To scan the system, run the following command. Notice where the profile from the previous command is specified.
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream --results arf.xml --report report.html /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
The scan should only take a few seconds. During the scan, the output of the different tests will be displayed on the console.
After the evaluation is complete, there will be two files present: an arf.xml file that contains all of the results in a reusable format called Reusable DataStream, and a human-readable report.html file.
Opening the report.html file in Firefox reveals that the installer corrected all but three configuration items. That is not bad at all since it means a lot less work fixing configuration issues.
Two of the failures concern partitioning, which is relatively easy to fix during installation. The other failure has to do with the audit daemon logging privileged commands. Investigating the XML for this rule reveals that there is no automated fix content included yet for this particular check. Maybe this rule will change in the future.
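The scan and result review described above can be scripted so that the failing rules are listed directly rather than read out of report.html. The following is an added example, not code from the original post or from the SCAP Security Guide project: it wraps the same oscap evaluation the post runs (same datastream path and profile id), extracts every rule with a “fail” outcome from the results XML with awk, and tallies the outcomes. The results file it parses at the end is a constructed sample in the shape of an XCCDF TestResult; the rule ids in it are sample values written in SSG’s naming scheme, and the make_fix_script call uses the --fix-type flag of current openscap releases, which is assumed rather than taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from the SCAP Security
# Guide project. Wraps the oscap evaluation from the post and pulls failing
# rule ids out of the results file. DS and PROFILE are the values the post uses.
DS=/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
PROFILE=xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream

# Run the same evaluation as the post. oscap exits 0 when every rule passed
# and 2 when at least one rule failed; both mean the scan itself worked.
run_scan() {
  oscap xccdf eval --profile "$PROFILE" \
    --results "${1:-arf.xml}" --report "${2:-report.html}" "$DS"
  rc=$?
  [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || return "$rc"
}

# Print the id of every rule whose outcome was "fail". The awk remembers the
# idref of the most recent <rule-result> and prints it when the matching
# <result> element reports fail. Works on plain XCCDF results and on ARF.
failed_rules() {
  awk '
    /<rule-result[^>]*idref="/ {
      match($0, /idref="[^"]+"/)
      id = substr($0, RSTART + 7, RLENGTH - 8)
    }
    /<result>fail<\/result>/ { if (id != "") print id; id = "" }
  ' "$1"
}

# Count outcomes (pass, fail, notapplicable, ...) for a quick sanity check
# against the totals shown in report.html.
result_summary() {
  awk '
    match($0, /<result>[a-z]+<\/result>/) {
      n[substr($0, RSTART + 8, RLENGTH - 17)]++
    }
    END { for (s in n) print s, n[s] }
  ' "$1" | sort
}

# Turn the failures recorded in a results file into a bash remediation script.
# --fix-type is the flag in current openscap (assumed); the second argument is
# the TestResult id inside the results file. Not exercised below.
make_fix_script() {
  oscap xccdf generate fix --fix-type bash --result-id "$2" --output "$3" "$1"
}

# Constructed sample results file (not output of a real scan): three rules,
# two failing, with ids written in the SCAP Security Guide naming scheme.
write_sample_results() {
  cat > "$1" <<'EOF'
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_sample">
  <profile idref="xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream"/>
  <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" severity="medium">
    <result>pass</result>
  </rule-result>
</TestResult>
EOF
}

SAMPLE=$(mktemp)
write_sample_results "$SAMPLE"
echo "Failed rules:"
failed_rules "$SAMPLE"
echo "Summary:"
result_summary "$SAMPLE"
# On a real RHEL 7.2 host the flow would be:
#   run_scan arf.xml report.html && failed_rules arf.xml
```

On a freshly installed host, running `run_scan` followed by `failed_rules arf.xml` gives the short list of rule ids still open after the installer's own remediation; comparing that list between builds is an easy way to notice when a profile change has introduced a new failure.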
Where do the various security profile scripts live on the installation media? I assume the security profiles are in the form of a kickstart-friendly format or a bash script? I’d like to use the STIG security profile as a starting point for a more comprehensive security implementation.
Rob, the security profiles reside in the scap-security-guide package on the install media. The scan and remediation can be a part of a Kickstart file by using the Anaconda add-on for OpenSCAP. Information on using the add-on can be found at https://www.open-scap.org/tools/oscap-anaconda-addon/doc/
Thanks for the info! That helps a lot!