Creating Separate Partition or Logical Volume for STIG

I am trying to kickstart a fully STIG’d VM
I put this in my kickstart file

%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig
%end

and part of the STIG requires these directories to be on different partitions or logical volumes. I am new to this and would like any help regarding how to accomplish this. I assume this means editing the partition table, but I am unsure of what to get rid of or what to add.

This is a fragment from our RHEL 8 partition table to meet CIS requirements. You may need to adjust some parameters. This corresponds to a 100GB vm.

# Partition clearing information
clearpart --all --initlabel --drives=sda
# Disk partitioning information (all --size values are in MiB; the
# sizes below add up to 102400 MiB = 100 GiB)
part /boot --fstype="xfs" --ondisk=sda --size=1024
# One LVM physical volume takes the rest of the disk
part pv.01 --fstype="lvmpv" --ondisk=sda --grow --size=1
volgroup rhel --pesize=4096 pv.01
logvol /  --fstype="xfs" --size=24576 --name=root --vgname=rhel
logvol /home  --fstype="xfs" --size=19456 --name=home --vgname=rhel --fsoptions="nodev"
logvol /var/log/audit  --fstype="xfs" --size=10240 --name=var_log_audit --vgname=rhel --fsoptions="nodev,noexec,nosuid"
logvol /var  --fstype="xfs" --size=22528 --name=var --vgname=rhel --fsoptions="nodev"
logvol /tmp  --fstype="xfs" --size=4096 --name=tmp --vgname=rhel --fsoptions="nodev,noexec,nosuid"
logvol /var/log  --fstype="xfs" --size=12288 --name=var_log --vgname=rhel --fsoptions="nodev,noexec,nosuid"
logvol swap  --fstype="swap" --size=8192 --name=swap --vgname=rhel
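One way to confirm after the install that the layout above actually took effect is to read the live mount table and check that each directory the fragment separates is its own filesystem with the fsoptions the fragment gives it. The script below is an added example, not code from this thread or from Foreman. It is POSIX sh, expects text in /proc/self/mounts format, and the REQUIRED_MOUNTS list and both sample inputs are constructed here to mirror the fragment: SAMPLE_BAD leaves /var/log/audit inside /var and mounts /tmp without noexec.

```shell
#!/bin/sh
# Added example: post-install check of a STIG/CIS-style partition layout.
# Input is text in /proc/self/mounts format:
#   <source> <mountpoint> <fstype> <options> 0 0
# On a real host run:  check_mounts "$(cat /proc/self/mounts)"

# Mount points and the fsoptions the posted kickstart fragment gives each one
# (constructed from the fragment; adjust to your own layout).
REQUIRED_MOUNTS='/home nodev
/var nodev
/var/log nodev,noexec,nosuid
/var/log/audit nodev,noexec,nosuid
/tmp nodev,noexec,nosuid'

# has_opt OPTS OPT: success when the comma-separated OPTS contains OPT exactly.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_opts MOUNTS_TEXT MOUNTPOINT: print the option field of the entry whose
# mount point matches exactly. A prefix match would let /var stand in for a
# missing /var/log/audit, which is exactly the gap we want to detect.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; found = 1 } END { exit !found }'
}

# check_mounts MOUNTS_TEXT: print one finding per line; exit 0 only when every
# required mount point exists as its own filesystem with every required option.
check_mounts() {
    mounts="$1"
    findings=0
    while read -r mp wanted; do
        [ -n "$mp" ] || continue
        if ! opts=$(mount_opts "$mounts" "$mp"); then
            echo "MISSING: $mp is not a separate filesystem"
            findings=$((findings + 1))
            continue
        fi
        # wanted is comma-separated; check each option individually
        for opt in $(printf '%s' "$wanted" | tr ',' ' '); do
            if ! has_opt "$opts" "$opt"; then
                echo "WEAK: $mp mounted without $opt (has: $opts)"
                findings=$((findings + 1))
            fi
        done
    done <<EOF
$REQUIRED_MOUNTS
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample: what /proc/self/mounts looks like when the fragment worked.
SAMPLE_GOOD='/dev/mapper/rhel-root / xfs rw,relatime 0 0
/dev/sda1 /boot xfs rw,relatime 0 0
/dev/mapper/rhel-home /home xfs rw,nodev,relatime 0 0
/dev/mapper/rhel-var /var xfs rw,nodev,relatime 0 0
/dev/mapper/rhel-var_log /var/log xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-var_log_audit /var/log/audit xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-tmp /tmp xfs rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed sample: /var/log/audit never got its own volume, /tmp lacks noexec.
SAMPLE_BAD='/dev/mapper/rhel-root / xfs rw,relatime 0 0
/dev/mapper/rhel-home /home xfs rw,nodev,relatime 0 0
/dev/mapper/rhel-var /var xfs rw,nodev,relatime 0 0
/dev/mapper/rhel-var_log /var/log xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-tmp /tmp xfs rw,nosuid,nodev,relatime 0 0'

check_mounts "$SAMPLE_GOOD" && echo "good sample: compliant"
check_mounts "$SAMPLE_BAD" || echo "bad sample: not compliant"
```

Run it as a post-install step (or from a Foreman finish template) against the real mount table; a non-zero exit with the printed findings tells you which logvol line did not take effect before the SCAP scan reports it.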

Thank you very much for this. If it isn’t a bother, may I ask how you install additional packages? It doesn’t seem to find the extra needed packages from the kickstart, so I just download them post-install with some yum commands, but I think that only works because the VM gets connected to the internet. They won’t have internet access in the future, so it must be through Foreman to get these packages.

EDIT:

Well, it seems I’m going to need to figure this out sooner than I thought haha.

In our finish template, we use %packages with a simple list. They must be available from Foreman.

%packages
bc
chrony
kexec-tools
openscap
openscap-scanner
scap-security-guide
mc
wget
yum-utils
vim
bind-utils
subscription-manager
open-vm-tools
%end

Do you use the [image] in your kickstart file?

It seems the finish template will download those packages after everything is done? But I think for this to work I need to have the package list in the kickstart file, not the kickstart finish. But when I add it to the kickstart file it doesn’t seem to find these packages, and when I try to add another repo like this

repo --name=a-base    --baseurl=http://my.domain.org/customrepo/path/here

Then my install for the OS doesn’t even work and I can’t continue.

I don’t know why I am having such trouble adding custom packages.

Also, if I try to add the RPMs to the package folder in my installation media, they never show up.