Hello everyone,
I have the following question: How can I deploy CIS Security Profiles with Foreman during a Kickstart PXE Boot? Does anyone have a tip for me? I couldn’t find anything in the documentation.
Thank you for your help.
Friendly greetings.
You first need to get the foreman_openscap plugin installed and configured. Once you have the policy up and working, you can configure Foreman to deploy the CIS benchmark and scan the system as one of the first actions right after the machine is provisioned (by leveraging Ansible or Puppet). It does not happen during the kickstart, though. If you need to do it during provisioning, I think the best course of action is to use image-based provisioning with images that are already hardened. If you try to perform any compliance hardening during provisioning, you'll execute those things in a chrooted environment running a different (Anaconda's) kernel, so the results may be different after the final reboot.
There is also the Anaconda plugin which integrates OpenSCAP. This would not scan, but enforce some policy during installation, like partitioning. (OSCAP Anaconda Addon | OpenSCAP portal)
But there is no integration yet for this, so a user would need to add it manually to the kickstart file.
Actually, this may be quite an easy tweak in our default Kickstart template. Would there be interest in such functionality?
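As an added example (it is not from the original thread, nor from Foreman's default templates), this is what the manual kickstart addition mentioned above looks like, wrapped in a Foreman ERB conditional so it can be switched on per host. The host parameter names `oscap_anaconda` and `oscap_profile` are assumed names, not Foreman defaults, and the `%addon` name must match the installer release: `org_fedora_oscap` on EL8-era installers, `com_redhat_oscap` on EL9.

```erb
<%# Added example, not Foreman's own template code. -%>
<%# 'oscap_anaconda' and 'oscap_profile' are assumed host parameter names. -%>
<%# The addon name below is for EL8; EL9 installers use com_redhat_oscap. -%>
<% if host_param_true?('oscap_anaconda') -%>
%addon org_fedora_oscap
    content-type = scap-security-guide
    profile = <%= host_param('oscap_profile') || 'xccdf_org.ssgproject.content_profile_cis' %>
%end
<% end -%>
```

`content-type = scap-security-guide` tells the addon to use the SCAP Security Guide datastream shipped in the install tree, and `profile` is the XCCDF profile id as shown by `oscap info` on that datastream. Note that the addon checks the partitioning the kickstart defines against the profile's mount-point requirements rather than laying it out for you, so the `part`/`logvol` lines still have to provide the separate mount points the profile demands; see the addon documentation linked above for the exact behaviour of the release you install.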
In Germany we now have a new security requirement called KRITIS which applies to everything responsible for critical infrastructure. It is not a fixed standard like STIG or similar, but using one of those to harden your systems, including OpenSCAP for documentation and reporting of security compliance, will solve many requirements. This is something where I could already position Foreman at some customers or at least create some interest.
We are currently looking internally at how to position ourselves here with open source against closed source, and, as it feels, also against a closed communication and mindset, for KRITIS but also ISO 27001 and other similar requirements.
So yes, I have and also see some interest. But let's also ask the original poster whether this is what he was looking for. So @elias.steiner, what's your opinion on this? Can you give us some insights into your requirements?
I think so. When you install AlmaLinux manually you have the possibility to add the CIS profiles, so the right LVMs, mount options and other settings are correct from the beginning.
For us it's important to start with a conformant OS (with the right partitions and settings) because it's a lot more work to do this after the installation.