osbuild-composer can now build security-hardened images using the OpenSCAP tool. This feature is available for RHEL 8.7 and above and for RHEL 9.1 and above.
The OpenSCAP tool lets users scan a system for non-compliances and remediate them according to pre-defined security standards. The limitation of doing this on a deployed system is that it is not always trivial to fix every finding after the first boot of the image (rules that depend on the partition layout, for example, are hard to remediate on a running system).
To address this, an osbuild stage runs the OpenSCAP tool on the filesystem tree while the image is being built. The tool runs the standard evaluation for the given profile and applies the remediations to the tree. This produces a more completely hardened image than running the remediation on a live system.
osbuild-composer exposes two fields for the user to customize in the image blueprint:
- the path to the datastream instructions (most likely in the content directory shipped by the scap-security-guide package)
- the `profile_id` for the desired security standard; the `profile_id` field accepts both the long and short forms of the profile name
See the table below for the supported profiles.
osbuild-composer then generates the necessary configuration for the osbuild stage based on the user customizations. Additionally, two packages are added to the image, including scap-security-guide (the package that contains the datastream and remediation instructions).
:warning: Note: the remediation stage assumes that scap-security-guide will be used for the datastream. This package is installed on the image by default. If another datastream is desired, add the necessary package to the blueprint and specify the path to that datastream in the oscap config.
The supported profiles are distro specific, see below (^ marks that version and above):

| Profile | Fedora | RHEL 8.7^ | CS9/RHEL 9.1^ |
|---|---|---|---|
| CIS Level 2 - Server | | x | x |
| CIS Level 1 - Server | | x | x |
| CIS Level 1 - Workstation | | x | x |
| CIS Level 2 - Workstation | | x | x |
| DISA STIG with GUI | | x | x |