Security Profiles

Posted: 2019/09/03 12:07:32
by DonTrustIm
Guys sorry if this has been asked before but are you aware if you can apply the security profiles after you have installed the OS with the normal profile?


Re: Security Profiles

Posted: 2019/09/03 13:17:13
by TrevorH
It uses openscap to do the security profiles, so yes, it's possible. No idea how...

Re: Security Profiles

Posted: 2019/09/05 05:50:40
by DonTrustIm
and this is a security hardening profile based on scap data?

Re: Security Profiles

Posted: 2019/10/01 13:58:32
by DonTrustIm
does this actually apply the profile when selected on the installation screen or is it purely guidance?

Re: Security Profiles

Posted: 2019/10/24 12:50:39
by ron7000
i sort of asked, and maybe not here but on stackexchange... how to find the details of the security profiles listed during system installation... what actually gets changed when choosing one of those security profiles?

- never found an answer or was able to find anything digging into the installation iso,

- never figured out how to access them after installation,

- and more than once had a [rhel] system tank after applying the stig profile; things on the surface seem normal but when user goes to run software that has worked in the past things fail and could not be figured out resulting in rebuild of system.

my opinion - if the specific details are not going to be published on those security profiles then they need to be removed and banned!

they cannot be left as black box mystery settings, they end up doing more harm than good.

> does this actually apply the profile when selected on the installation screen or is it purely guidance?

it modifies various things... password minimum length, password expiration days, many many other things. For a given security profile what is everything that it modifies? i have no idea

> and this is a security hardening profile based on scap data?

yes... SCAP = secure content automation protocol which I thought was more of a method and specifications than data. I have not been able to find that data making up those security profiles. Those profiles may as well be a virus or trojan horse... changes a bunch of things but you don't know what. I suspect there should be some [scap] benchmark scan (i.e. xml or xccdf file) for any of those profiles that you would run afterwards to validate the profile was applied... such as

Re: Security Profiles

Posted: 2019/10/24 12:59:27
by ron7000
if you are a home user and see those security profiles and think...

oh cool security profile, apply automatically, equals good and better

the problem is you don't know what all gets modified and when many other things you normally take for granted don't work you're stuck not knowing how to undo whatever security settings were changed or applied preventing things from working.

Re: Security Profiles

Posted: 2019/10/25 09:10:21
by KernelOops
the security profiles are quite easy to read and understand, they are openscap and you can find lots of documentation about it online. You may even proofread and study the changes made by the profiles, so you can pick and choose the right one, or even make your own custom profile.

Eventually, I took the most advanced profile and made my own ansible playbook based on it. It's what I've been using for production servers for many years and had great success in preventing compromises. Plus, the added bonus that I can pass all PCI certifications quite easily.

So yes, I highly recommend everyone serious about security to take a look at the profiles. After all, they don't do anything magical, they just enforce what is known as... common sense ;)

Re: Security Profiles

Posted: 2019/10/28 15:34:46
by ron7000
... Spoke-x86/
The CentOS Project does not provide any verification, certification, or software assurance with respect to security for CentOS Linux. The Security Profiles provided in the CentOS Linux installers are a conversion of the ones included in RHEL Source Code. If certified / verified software that has guaranteed assurance is what you are looking for, then you likely do not want to use CentOS Linux.
my question: ... hel-centos
  • United States Government Configuration Baseline
  • Standard System Security Profile for RHEL 7
  • Criminal Justice Information Services (CJIS)
  • C2S for RHEL 7 {Commercial Cloud Services}
  • Unclassified Information in non-federal Information System Organizations (NIST 800-171)
  • DISA stig for RHEL 7
  • OSPP v4.2
  • PCI-DSS v3 control baseline for RHEL 7
  • Red Hat Corporate profile for certified cloud providers (RHCCP)

please tell me the contents of any one of these, and how you found and accessed its scap file containing that information.

I want to know what baseline system settings are going to be modified.

> So yes, I highly recommend everyone serious about security to take a look at the profiles.

How ???

Re: Security Profiles

Posted: 2020/01/06 16:13:58
by ron7000
still want to know how to access the profiles so i can look at them... it was supposed to be common sense u said.

Re: Security Profiles

Posted: 2020/01/06 16:37:38
by KernelOops
Ah, I see what you mean, if you want to inspect the XML profiles, you need to install the scap-security-guide package, for example:

Code:

    dnf install openscap scap-workbench scap-security-guide
Use Fedora 31 and it will install the latest versions, you may then remotely scan any system you like with the provided profiles (installed size: 700+ MB!). You may look at the XML profile files under /usr/share/xml/scap/ssg/content/
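
Added example, not part of the thread: a short Python reader that answers "what does a given profile change?" by listing the rules an XCCDF profile selects and the values it tunes. The embedded XML and all `xccdf_example_*` ids are constructed for illustration; on a real system you would pass it one of the XML files under /usr/share/xml/scap/ssg/content/ and a profile id from that file.

```python
import sys
import xml.etree.ElementTree as ET

X = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

# Constructed sample benchmark (hypothetical ids), not taken from scap-security-guide.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_demo">
    <title>Demo profile</title>
    <select idref="xccdf_example_rule_password_minlen" selected="true"/>
    <select idref="xccdf_example_rule_disable_telnet" selected="true"/>
    <select idref="xccdf_example_rule_enable_fips" selected="false"/>
    <refine-value idref="xccdf_example_value_minlen" selector="strict"/>
  </Profile>
  <Value id="xccdf_example_value_minlen">
    <title>Minimum password length</title>
    <value>8</value>
    <value selector="strict">14</value>
  </Value>
  <Group id="xccdf_example_group_system">
    <Rule id="xccdf_example_rule_password_minlen"><title>Set minimum password length</title></Rule>
    <Rule id="xccdf_example_rule_disable_telnet"><title>Disable the telnet service</title></Rule>
    <Rule id="xccdf_example_rule_enable_fips"><title>Enable FIPS mode</title></Rule>
  </Group>
</Benchmark>"""

def profile_report(root, profile_id):
    """Return ({rule id: title}, {value id: chosen setting}) for one profile."""
    # Selections inherited through a profile's 'extends' attribute are not resolved here.
    profile = next(p for p in root.iter(X + "Profile") if p.get("id") == profile_id)
    titles = {r.get("id"): r.findtext(X + "title", "") for r in root.iter(X + "Rule")}
    rules = {s.get("idref"): titles.get(s.get("idref"), "")
             for s in profile.findall(X + "select") if s.get("selected") == "true"}
    values = {}
    for ref in profile.findall(X + "refine-value"):
        for val in root.iter(X + "Value"):
            if val.get("id") == ref.get("idref"):
                chosen = [v.text for v in val.findall(X + "value")
                          if v.get("selector") == ref.get("selector")]
                values[val.get("id")] = chosen[0] if chosen else None
    return rules, values

if __name__ == "__main__":
    # Usage: script.py <xccdf-or-datastream.xml> <profile id>; no arguments runs the sample.
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 2 else ET.fromstring(SAMPLE)
    pid = sys.argv[2] if len(sys.argv) > 2 else "xccdf_example_profile_demo"
    rules, values = profile_report(root, pid)
    for rid, title in rules.items():
        print(rid, "-", title)
    print("tuned values:", values)
```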