Contribute Kickstart file to SSG repo #60
Comments
On 10/20/17 4:22 PM, Andrew wrote:
https://github.com/OpenSCAP/scap-security-guide/tree/master/rhel7/kickstart
The SSG repo has a spot for kickstart files. Should we contribute this
content to the SSG?
That'd be great!
@shawndwells I want to merge the KS content in this repo and the content in the SSG such as the below linked file. I think the strategy (to reduce redundancy) is to include in the kickstart only items that cannot be remediated with the anaconda addon. Do you agree? If so, what is the best way to determine that set of controls? Finally, I think it's important to comment with an identifier from the STIG content. What would be the best identifier for that purpose?
On 3/16/18 8:17 PM, Andrew wrote:
@shawndwells <https://github.com/shawndwells> I want to merge the KS
content in this repo and the content in the SSG such as the below linked
file. I think the strategy (to reduce redundancy) is to include in the
kickstart only items that cannot be remediated with the anaconda
addon. Do you agree?
Yes, definitely! By integrating into the upstream SSG project the
resultant kickstart file would ultimately ship in RHEL (as part of the
scap-security-guide packages).
If so, what is the best way to determine that set of controls? Finally,
I think it's important to comment with an identifier from the
STIG content. What would be the best identifier for that purpose?
https://github.com/OpenSCAP/scap-security-guide/blob/master/rhel7/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg
Kickstart files can use the integrated Anaconda SCAP plugin. When given
a profile ID the plugin will perform hardening (as much as can be
automated) during the installation process. Specific lines of code from
the PCI kickstart:
https://github.com/OpenSCAP/scap-security-guide/blob/master/rhel7/kickstart/ssg-rhel7-pci-dss-server-with-gui-oaa-ks.cfg#L116#L119
The first step would be changing line 118 to whatever profile you wish.
They're all listed in the /rhel7/profiles directory of SSG here:
https://github.com/OpenSCAP/scap-security-guide/tree/master/rhel7/profiles
Since you mention the STIG, it's likely you're after the
'stig-rhel7-disa' profile.
Once the profile is identified, kickstart a VM/machine with the
resulting kickstart file. The Anaconda SCAP plugin will automatically
have created a scan report and dropped it into /root (I forgot the name,
but it will be something like oscap-report.html). That report can be
used to identify what configuration checks cannot be automated (e.g.
setting a grub password) that you could then integrate into a kickstart.
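
One way to list the rules a scan still leaves unresolved, as an added example that is not part of the original thread or the SSG project. It assumes an XCCDF results XML file from the scan is available (the comment above names only an HTML report); the sample XML, rule ids and ident value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed XCCDF TestResult. The rule ids and the ident
# value are placeholders, not real SSG or STIG identifiers.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1">
  <TestResult id="constructed_testresult">
    <rule-result idref="example_rule_sshd_option" severity="medium">
      <result>fixed</result>
    </rule-result>
    <rule-result idref="example_rule_bootloader_password" severity="high">
      <result>fail</result>
      <ident system="urn:example:constructed">EXAMPLE-ID-0001</ident>
    </rule-result>
    <rule-result idref="example_rule_banner_text" severity="low">
      <result>notchecked</result>
    </rule-result>
    <rule-result idref="example_rule_audit_setting" severity="medium">
      <result>pass</result>
    </rule-result>
  </TestResult>
</Benchmark>"""

# XCCDF result values that still need manual work after automated remediation.
NEEDS_WORK = {"fail", "error", "unknown", "notchecked"}


def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files both parse."""
    return tag.rsplit("}", 1)[-1]


def unremediated_rules(xml_text):
    """Return (rule id, result, severity, idents) for rules left unresolved."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "rule-result":
            continue
        result = next((c.text or "" for c in elem if local(c.tag) == "result"), "")
        idents = [(c.text or "").strip() for c in elem if local(c.tag) == "ident"]
        if result.strip() in NEEDS_WORK:
            found.append((elem.get("idref"), result.strip(), elem.get("severity", ""), idents))
    return found


def kickstart_todo_comments(rules):
    """Render one comment line per rule, to head a hand-written %post fix."""
    return ["# TODO %s (%s) severity=%s idents=%s" % (rid, res, sev, ",".join(ids) or "none")
            for rid, res, sev, ids in rules]


if __name__ == "__main__":
    print("\n".join(kickstart_todo_comments(unremediated_rules(SAMPLE_RESULTS))))
```

Rules reported as `fixed` or `pass` are skipped, so the output is the candidate list for hand-written kickstart content.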
https://github.com/OpenSCAP/scap-security-guide/tree/master/rhel7/kickstart
The SSG repo has a spot for kickstart files. Should we contribute this content to the SSG?