Closed tkokev closed 5 years ago
The C2S profile is an "official" profile and was removed for non-official use; in addition, it is no longer being used or developed going forward in later versions.
Extending that - the government let us know they no longer follow the historical CIS-inspired baseline and have since moved to the NIST National Checklist for RHEL7 and RHEL 8, e.g. https://nvd.nist.gov/ncp/checklist/909
(in the content, that would be the ospp profile)
@redhatrises not sure what is meant by "official" but appreciate the update on the C2S profile.
I took a look at the link @shawndwells provided and see things are focused on Ansible, which is cool because we already use it on instances for other app-specific setup, just never on hardening-related tasks. So are the days gone where we could launch an instance with this simple two-liner in the userdata to come away with a hardened instance? Not quite sure how the newer approach maps to our previous process.
yum install scap-security-guide -y
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_C2S --results /root/scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
Or is it as simple as switching the above to
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --results /root/scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
?
@redhatrises not sure what is meant by "official" but appreciate the update on the C2S profile.
From AWS' webpage at https://aws.amazon.com/federal/us-intelligence-community/:
"C2S is the government program and contract vehicle that brings Amazon Web Services (AWS) “over the fence” and into the Intelligence Community (IC). This air-gapped AWS Region on the Top Secret fabric has been operating since 2014 and is exclusively available to the U.S. IC."
The C2S profile within ComplianceAsCode correlated to the security baseline the Government used for this environment. Because the Government now uses the NIST National Checklists for RHEL 8, there was no need for a specific C2S profile anymore.
I took a look at the link @shawndwells provided and see things are focused on Ansible, which is cool because we already use it on instances for other app-specific setup, just never on hardening-related tasks. So are the days gone where we could launch an instance with this simple two-liner in the userdata to come away with a hardened instance? Not quite sure how the newer approach maps to our previous process.
yum install scap-security-guide -y
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_C2S --results /root/scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
Or is it as simple as switching the above to
oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_ospp --results /root/scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
?
There are different rule selections between the profiles, but yes -- essentially you'd need to swap the --profile argument. To see a list of shipping profiles (looks like you're using downstream content in CentOS?), run oscap info on the datastream.
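A guard for the userdata step discussed above, as an added example that is not part of the thread or of the scap-security-guide project: it reads the oscap info listing, picks the first profile from a preference list that the datastream actually ships, and refuses to remediate when none is present. The function names and the sample oscap info text are constructed for illustration; the profile IDs and paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Guards the userdata remediation so a
# profile that was dropped from the datastream fails loudly before any change.

# Constructed, abridged sample of `oscap info` output (not captured from a real host).
SAMPLE_INFO='Document type: Source Data Stream
Checklists:
	Ref-Id: scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml
		Profiles:
			Title: Constructed sample profile A
				Id: xccdf_org.ssgproject.content_profile_ospp
			Title: Constructed sample profile B
				Id: xccdf_org.ssgproject.content_profile_pci-dss'

# Read `oscap info` text on stdin, print each SSG profile id once.
list_profiles() {
    grep -oE 'xccdf_org\.ssgproject\.content_profile_[A-Za-z0-9_.-]+' | sort -u
}

# pick_profile INFO_TEXT ID...: print the first requested id that the
# datastream really ships; return 1 when none of them is present.
pick_profile() {
    info=$1; shift
    available=$(printf '%s\n' "$info" | list_profiles)
    for want in "$@"; do
        # -x -F: whole-line literal match, so a prefix of a longer id never matches
        if printf '%s\n' "$available" | grep -qxF -- "$want"; then
            printf '%s\n' "$want"
            return 0
        fi
    done
    return 1
}

# harden DATASTREAM ID...: remediate with the first available profile.
harden() {
    ds=$1; shift
    info=$(oscap info "$ds") || return 1
    profile=$(pick_profile "$info" "$@") || {
        echo "no requested profile in $ds; it ships:" >&2
        printf '%s\n' "$info" | list_profiles >&2
        return 1
    }
    echo "remediating with $profile" >&2
    # oscap exits 2 when at least one rule result is fail or unknown.
    oscap xccdf eval --remediate --profile "$profile" \
        --results /root/scan-xccdf-results.xml "$ds"
}

# Userdata call (ids taken from the thread, in order of preference):
# harden /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml \
#     xccdf_org.ssgproject.content_profile_C2S xccdf_org.ssgproject.content_profile_ospp
```

Logging the chosen profile ID matters for later audits, because the thread notes that the rule selections differ between profiles.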
Description of problem:
While building a new AMI recently for our C2S environment, I noticed the xccdf_org.ssgproject.content_profile_C2S profile is no longer an option for ssg-centos7-ds.xml.
SCAP Security Guide Version:
scap-security-guide-0.1.40-13.el7.centos.noarch
Operating System Version:
Steps to Reproduce:
Is there an equivalent profile still available in some other form or was it discontinued for some reason?