forked from OpenSCAP/openscap
Add ability to specify post sections
If a line in kickstart remediation starts with `%post`, that line and all following lines until a line starting with `%end` are considered a block. Blocks are propagated to the output without any processing.
Showing 6 changed files with 181 additions and 33 deletions.
85 changes: 85 additions & 0 deletions
tests/API/XCCDF/unittests/test_remediation_kickstart_expected.cfg
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
############################################################################### | ||
# | ||
# Kickstart for Common hardening profile | ||
# | ||
# Profile Description: | ||
# This is a very cool profile | ||
# | ||
# Profile ID: xccdf_org.openscap.www_profile_common | ||
# Benchmark ID: xccdf_org.openscap.www_benchmark_test | ||
# Benchmark Version: 1.0 | ||
# XCCDF Version: 1.2 | ||
# | ||
# This file was generated by OpenSCAP 1.4.0 using: | ||
# $ oscap xccdf generate fix --profile xccdf_org.openscap.www_profile_common --fix-type kickstart TEST_DATA_STREAM_PATH | ||
# | ||
# This Kickstart is generated from an OpenSCAP profile without preliminary evaluation. | ||
# It attempts to fix every selected rule, even if the system is already compliant. | ||
# | ||
# How to apply this Kickstart: | ||
# Review the kickstart and customize the kickstart for your deployment. | ||
# Pay attention to items marked as "required for security compliance". | ||
# Install the operating system using this kickstart. | ||
# | ||
############################################################################### | ||
|
||
|
||
# Default values for automated installation | ||
lang en_US.UTF-8 | ||
keyboard --vckeymap us | ||
timezone --utc America/New_York | ||
|
||
# Root password is required for system rescue tasks | ||
rootpw changeme | ||
|
||
# Create partition layout scheme (required for security compliance) | ||
zerombr | ||
clearpart --all --initlabel | ||
reqpart --add-boot | ||
part pv.01 --grow --size=1 | ||
volgroup system pv.01 | ||
logvol / --name=root --vgname=system --size=2000 --grow | ||
logvol swap --name=swap --vgname=system --size=1000 | ||
logvol /var/tmp --name=vartmp --vgname=system --size=1024 | ||
|
||
# Configure boot loader options (required for security compliance) | ||
bootloader --append="quick audit=1" | ||
|
||
# Disable and enable systemd services (required for security compliance) | ||
services --disabled=telnet,httpd --enabled=auditd,rsyslog,sshd | ||
|
||
# Packages selection (required for security compliance) | ||
%packages | ||
openscap-scanner | ||
scap-security-guide | ||
rsyslog | ||
openssh-server | ||
podman | ||
-usbguard | ||
%end | ||
|
||
# Perform OpenSCAP hardening (required for security compliance) | ||
%post --erroronfail | ||
oscap xccdf eval --remediate --results-arf /root/oscap_arf.xml --report /root/oscap_report.html --profile 'xccdf_org.openscap.www_profile_common' /usr/share/xml/scap/ssg/content/test_remediation_kickstart.ds.xml | ||
[ $? -eq 0 -o $? -eq 2 ] || exit 1 | ||
%end | ||
|
||
# Additional %post section (required for security compliance) | ||
%post --nochroot | ||
mkdir -p /etc/ddfds | ||
%end | ||
|
||
# Additional %post section (required for security compliance) | ||
%post --nochroot | ||
mkdir -p /etc/abcd | ||
%end | ||
|
||
# Additional %post section (required for security compliance) | ||
%post | ||
rm -rf /etc/xyz | ||
# create a new path | ||
feel /etc/xyz | ||
%end | ||
|
||
# Reboot after the installation is complete | ||
reboot |
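
Review bot: The three pass-through blocks under "Additional %post section" keep exactly the header the remediation supplied, so none of them carries `--erroronfail`, unlike the generated `%post --erroronfail` hardening section above them. A failing command there (for example `feel /etc/xyz`, which is not a standard command) would not stop the installation, even though the emitted comment labels the section "required for security compliance". Since the commit message says blocks are propagated without any processing, consider either documenting that remediation authors must add `--erroronfail` themselves or emitting a warning when a block header lacks it. The two `%post --nochroot` blocks also write to `/etc/ddfds` and `/etc/abcd`, which under `--nochroot` are paths in the installer environment rather than the installed system; a fixture that targets the installed root would be a more representative example for content authors.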