Here is a process I followed for v0.1.50, but it works for the latest release (v0.1.54) as well:
To tailor an SSG profile, use the scap-workbench utility to customize your environment. Follow the prompts on the screen. Begin by selecting the appropriate operating system (e.g., CentOS 8).
Red Hat Enterprise Linux 8 may include many different profiles. However, you may notice there are only two profiles for CentOS Linux, namely:
- PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8 (122)
- Standard System Security Profile for Red Hat Enterprise Linux 8 (57)
We will need to build the latest SCAP content baseline for the derivatives of Red Hat Enterprise Linux. The desired baselines will need to be manually added to the build process. I leveraged the DISA STIG baseline, so the changes are as follows:
```
git clone https://github.com/ComplianceAsCode/content.git ssg-content
# Enter the clone before checking out the release tag
cd ssg-content
git checkout v0.1.50
```
First, we'll add "stig" to the standard profile and then build the RHEL 8 derivatives.
```
sed -i $'s/standard_profiles =.*/standard_profiles = [\'standard\', \'pci-dss\', \'desktop\', \'server\', \'stig\']/' ssg/constants.py
./build_product --derivatives rhel8
```
Next, let's correct some points of failure:
```
sed -i.bak 's/\^\/boot\/efi\/EFI\/(redhat|fedora)\/grub.cfg\$/\^\/boot\/efi\/EFI\/(redhat|fedora|centos)\/grub.cfg\$/g' build/ssg-centos8-ds*.xml
sed -i 's/\/boot\/efi\/EFI\/redhat\//\/boot\/efi\/EFI\/centos\//g' build/ssg-centos8-ds*.xml
sed -i 's/gelocation/geolocation/g' build/ssg-centos8-ds*.xml
```
Let's verify that the derivative contains the desired SSG profile:
```
oscap info build/ssg-centos8-ds.xml
Profiles:
Title: PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_pci-dss
Title: Standard System Security Profile for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_standard
Title: [DRAFT] DISA STIG for Red Hat Enterprise Linux 8
Id: xccdf_org.ssgproject.content_profile_stig
```
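
A post-build sanity check for the steps above, added here as an example and not part of the original post: it confirms that the STIG profile id is in the datastream and that none of the strings the three `sed` passes were meant to replace are still present. The function name `check_datastream` is hypothetical; the strings and the file name come from the commands above.

```sh
#!/bin/sh
# Added example: verify a patched CentOS 8 datastream before scanning with it.
# check_datastream is a hypothetical helper, not part of the SSG tooling.
# Returns 0 if all checks pass, 1 if any check fails, 2 if the file is unreadable.

check_datastream() {
    ds=$1
    failures=0

    if [ ! -r "$ds" ]; then
        echo "FAIL: cannot read $ds"
        return 2
    fi

    # The build must have emitted the profile added to standard_profiles.
    if grep -qF 'xccdf_org.ssgproject.content_profile_stig' "$ds"; then
        echo "ok:   stig profile present"
    else
        echo "FAIL: stig profile missing"
        failures=$((failures + 1))
    fi

    # One fixed string per line: text each sed pass should have replaced.
    while IFS= read -r stale; do
        if grep -qF -- "$stale" "$ds"; then
            echo "FAIL: unpatched string still present: $stale"
            failures=$((failures + 1))
        else
            echo "ok:   no '$stale'"
        fi
    done <<'EOF'
(redhat|fedora)/grub.cfg
/boot/efi/EFI/redhat/
gelocation
EOF

    [ "$failures" -eq 0 ]
}

# Run the check when a datastream path is given, e.g. build/ssg-centos8-ds.xml
if [ "$#" -gt 0 ]; then
    check_datastream "$1"
fi
```

A non-zero exit status means the datastream should be rebuilt or re-patched before it is loaded into scap-workbench or passed to `oscap`.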