Security Profiles
-
- Posts: 7
- Joined: 2019/08/05 13:14:11
Security Profiles
Guys, sorry if this has been asked before, but are you aware if you can apply the security profiles after you have installed the OS with the normal profile?
Nate
Re: Security Profiles
It uses openscap to do the security profiles, so yes, it's possible. No idea how...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
-
- Posts: 7
- Joined: 2019/08/05 13:14:11
Re: Security Profiles
and this is a security hardening profile based on scap data?
-
- Posts: 7
- Joined: 2019/08/05 13:14:11
Re: Security Profiles
does this actually apply the profile when selected on the installation screen or is it purely guidance?
Re: Security Profiles
i sort of asked, and maybe not here but on stackexchange... how to find the details of the security profiles listed during system installation... what actually gets changed when choosing one of those security profiles?
- never found an answer or was able to find anything digging into the installation iso,
- never figured out how to access them after installation,
- and more than once had a [rhel] system tank after applying the stig profile; things on the surface seem normal but when user goes to run software that has worked in the past things fail and could not be figured out resulting in rebuild of system.
my opinion - if the specific details are not going to be published on those security profiles then they need to be removed and banned!
they cannot be left as black box mystery settings, they end up doing more harm than good.
Quote: "does this actually apply the profile when selected on the installation screen or is it purely guidance?"
it modifies various things... password minimum length, password expiration days, many many other things. For a given security profile what is everything that it modifies? i have no idea
Quote: "and this is a security hardening profile based on scap data?"
yes... SCAP = secure content automation protocol which I thought was more of a method and specifications than data. I have not been able to find that data making up those security profiles. Those profiles may as well be a virus or trojan horse... changes a bunch of things but you don't know what. I suspect there should be some [scap] benchmark scan (i.e. xml or xccdf file) for any of those profiles that you would run afterwards to validate the profile was applied... such as U_Red_Hat_Enterprise_Linux_7_V2R4_STIG.zip
Re: Security Profiles
if you are a home user and see those security profiles and think...
oh cool security profile, apply automatically, equals good and better
the problem is you don't know what all gets modified and when many other things you normally take for granted don't work you're stuck not knowing how to undo whatever security settings were changed or applied preventing things from working.
- KernelOops
- Posts: 428
- Joined: 2013/12/18 15:04:03
- Location: xfs file system
Re: Security Profiles
the security profiles are quite easy to read and understand, they are openscap and you can find lots of documentation about it online. You may even proofread and study the changes made by the profiles, so you can pick and choose the right one, or even make your own custom profile.
Eventually, I took the most advanced profile and made my own ansible playbook based on it. It's what I've been using for production servers for many years and had great success in preventing compromises. Plus, the added bonus that I can pass all PCI certifications quite easily.
So yes, I highly recommend everyone serious about security to take a look at the profiles. After all, they don't do anything magical, they just enforce what is known as... common sense
--
R.I.P. CentOS
--
Re: Security Profiles
https://docs.centos.org/en-US/centos/in ... Spoke-x86/
Quote: "The CentOS Project does not provide any verification, certification, or software assurance with respect to security for CentOS Linux. The Security Profiles provided in the CentOS Linux installers are a conversion of the ones included in RHEL Source Code. If certified / verified software that has guaranteed assurance is what you are looking for, then you likely do not want to use CentOS Linux."
my question: https://unix.stackexchange.com/question ... hel-centos
- United States Government Configuration Baseline
- Standard System Security Profile for RHEL 7
- Criminal Justice Information Services (CJIS)
- C2S for RHEL 7 {Commercial Cloud Services}
- HIPAA
- Unclassified Information in non-federal Information System Organizations (NIST 800-171)
- DISA stig for RHEL 7
- OSPP v4.2
- PCI-DSS v3 control baseline for RHEL 7
- Red Hat Corporate profile for certified cloud providers (RHCCP)
please tell me the contents of any one of these, and how you found and accessed its scap file containing that information.
I want to know what baseline system settings are going to be modified.
Quote: "So yes, I highly recommend everyone serious about security to take a look at the profiles."
How
Re: Security Profiles
still want to know how to access the profiles so i can look at them... it was supposed to be common sense u said.
- KernelOops
- Posts: 428
- Joined: 2013/12/18 15:04:03
- Location: xfs file system
Re: Security Profiles
Ah, I see what you mean, if you want to inspect the XML profiles, you need to install the scap-security-guide package, for example:
Code:
dnf install openscap scap-workbench scap-security-guide
Use Fedora 31 and it will install the latest versions, you may then remotely scan any system you like with the provided profiles (installed size: 700+ MB!). You may look at the XML profile files under /usr/share/xml/scap/ssg/content/
Enjoy!
--
R.I.P. CentOS
--
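Added example (not code from this thread or from the OpenSCAP or scap-security-guide projects): a Python script that answers the "what does a profile change" question by listing, for each XCCDF profile, the rules it switches on and the tunable values it overrides. The embedded benchmark and all ids in it are constructed for illustration; the script assumes profiles explicitly select their rules, as XCCDF `select` elements do.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample (all ids and contents are made up): a tiny XCCDF benchmark
# with one profile, one tunable value and two rules.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <Profile id="xccdf_org.example_profile_demo">
    <select idref="xccdf_org.example_rule_pw_minlen" selected="true"/>
    <select idref="xccdf_org.example_rule_usb_off" selected="false"/>
    <refine-value idref="xccdf_org.example_value_pw_minlen" selector="strict"/>
  </Profile>
  <Value id="xccdf_org.example_value_pw_minlen"><value>8</value><value selector="strict">14</value></Value>
  <Rule id="xccdf_org.example_rule_pw_minlen">
    <title>Set minimum password length</title>
    <fix system="urn:xccdf:fix:script:sh">echo "minlen = 14" >> /etc/security/pwquality.conf</fix>
  </Rule>
  <Rule id="xccdf_org.example_rule_usb_off"><title>Disable USB storage driver</title></Rule>
</Benchmark>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the namespace so XCCDF 1.1 and 1.2 both match

def find_all(root, name):
    return [e for e in root.iter() if local(e) == name]

def describe_profiles(root):
    """Return {profile id: {"rules": [(id, title, has_fix)], "values": {id: value}}}."""
    rules = {r.get("id"): r for r in find_all(root, "Rule")}
    values = {v.get("id"): v for v in find_all(root, "Value")}
    report = {}
    for prof in find_all(root, "Profile"):
        picked, tuned = [], {}
        for item in prof:
            kind, ref = local(item), item.get("idref")
            if kind == "select" and item.get("selected") == "true" and ref in rules:
                title = next((c.text for c in rules[ref] if local(c) == "title"), ref)
                picked.append((ref, title, any(local(c) == "fix" for c in rules[ref])))
            elif kind == "refine-value" and ref in values:  # profile picks a preset
                tuned[ref] = next((c.text for c in values[ref] if local(c) == "value"
                                   and c.get("selector") == item.get("selector")), None)
            elif kind == "set-value":  # profile supplies a literal value
                tuned[ref] = item.text
        report[prof.get("id")] = {"rules": picked, "values": tuned}
    return report

if __name__ == "__main__":  # optional argument: path to an XCCDF or datastream file
    root = ET.parse(sys.argv[1]).getroot() if len(sys.argv) > 1 else ET.fromstring(SAMPLE)
    print(describe_profiles(root))
```

With no argument it parses the constructed sample; pass the path of a file from /usr/share/xml/scap/ssg/content/ to inspect an installed profile instead.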