
During the install of RHEL 7.x or CentOS one can choose (or not choose) to apply one of these security profiles; these are from 7.6:

  • United States Government Configuration Baseline
  • Standard System Security Profile for RHEL 7
  • Criminal Justice Information Services (CJIS)
  • C2S for RHEL 7 {Commercial Cloud Services}
  • HIPAA
  • Unclassified Information in non-federal Information System Organizations (NIST 800-171)
  • DISA STIG for RHEL 7
  • OSPP v4.2
  • PCI-DSS v3 control baseline for RHEL 7
  • Red Hat Corporate profile for certified cloud providers (RHCCP)

Choosing one changes a myriad of configuration files. Which ones? I wouldn't mind knowing, but

I want to know if it's possible to simply extract the /etc/ssh/sshd_config file that gets used for a given security profile from an already running RHEL or CentOS system that did not have that profile applied at system creation; I do not want to spend the time installing RHEL/CentOS on a new system disk (10 times) with a profile applied, then extracting and saving said file(s) to a USB stick for comparison and understanding.

Jeff Schaller
ron


(Disclaimer: I have zero practical experience with scap.)

On the negative side: as far as I can tell, it's not easily possible to do that, since it's not a matter of "this is the non-default config file I'll drop in". As far as I can tell, the definitions are provided by the scap-security-guide package, and the profiles are really a big bunch of rules like "no root login", "only these ssh algorithms allowed", etc. So instead of a complete file, we get a whole bunch of incremental changes.

On the positive side: if you look at the above-mentioned package, it'll install, in triplicate (bash, ansible, kickstart), the implementation of the rules into /usr/share/scap-security-guide, so you "only" need to look in there. (To give you an idea, the HIPAA role shell script is around 800k.)

On another positive side: looking at `man scap-security-guide`, you should be able to use `oscap` to just compare the existing system against the guidelines, which will give you, vaguely, a long list with either checkmarks or to-dos. Red Hat has a useful guide to using scap to generate these reports.

Ulrich Schwarz
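As an added illustration of the answer's "look in /usr/share/scap-security-guide" suggestion (example code, not from the answer or from scap-security-guide): a small POSIX shell script that reads a generated bash role script and pulls out only the fix blocks that touch /etc/ssh/sshd_config, which is the per-profile sshd "diff" the question is after. It assumes the `# BEGIN fix (...) for '<rule-id>'` / `# END fix for '<rule-id>'` markers that `oscap xccdf generate fix --fix-type bash` writes, the path `/usr/share/scap-security-guide/bash/ssg-rhel7-role-hipaa.sh` is an assumed example input, and the embedded sample script is constructed, not copied from any real profile.

```shell
#!/bin/sh
# Added example (not code from the answer or from scap-security-guide): list which fix
# blocks in a generated SSG bash role script touch /etc/ssh/sshd_config. Assumes the
# "# BEGIN fix (...) for '<rule-id>'" / "# END fix for '<rule-id>'" markers written by
# `oscap xccdf generate fix --fix-type bash`; a real input would be something like
# /usr/share/scap-security-guide/bash/ssg-rhel7-role-hipaa.sh (path is an assumption).

# stdin: remediation script. stdout: full id of every fix block referencing sshd_config.
sshd_rules_in_fix_script() {
    awk -v q="'" '
        index($0, "# BEGIN fix") == 1 { split($0, p, q); rule = p[2]; hit = 0; next }
        index($0, "# END fix") == 1   { if (hit) print rule; rule = ""; next }
        rule != "" && index($0, "/etc/ssh/sshd_config") > 0 { hit = 1 }
    '
}

# stdin: remediation script. stdout: the lines inside those blocks that edit sshd_config,
# prefixed with the short rule name: the per-profile "diff" the question is after.
sshd_edits_in_fix_script() {
    awk -v q="'" '
        index($0, "# BEGIN fix") == 1 { split($0, p, q); rule = p[2]; sub(/.*_rule_/, "", rule); next }
        index($0, "# END fix") == 1   { rule = ""; next }
        rule != "" && index($0, "/etc/ssh/sshd_config") > 0 { print rule ": " $0 }
    '
}

# Constructed stand-in for a generated role script (three rules, two of which edit
# sshd_config); the rule bodies are illustrative, not copied from any real profile.
sample_fix_script() {
    cat <<'EOF'
# BEGIN fix (1 / 3) for 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'
if grep -q '^PermitRootLogin' /etc/ssh/sshd_config; then
    sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
else
    echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
fi
# END fix for 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'
# BEGIN fix (2 / 3) for 'xccdf_org.ssgproject.content_rule_package_telnet_removed'
yum remove -y telnet
# END fix for 'xccdf_org.ssgproject.content_rule_package_telnet_removed'
# BEGIN fix (3 / 3) for 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout'
echo 'ClientAliveInterval 300' >> /etc/ssh/sshd_config
# END fix for 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout'
EOF
}

sample_fix_script | sshd_rules_in_fix_script
sample_fix_script | sshd_edits_in_fix_script
```

On a real system, replace `sample_fix_script` with `cat` of the role script for the profile you care about; the script only reads its input and never touches the live sshd_config.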
  • The `scap-workbench` graphical tool is an excellent additional resource for putting the `scap-security-guide` information to use: scanning systems against various baselines, generating remediation scripts and playbooks, etc. – 0xSheepdog Apr 24 '19 at 14:43