Very interested in this topic, as I have to build a new locked-down gateway for use by a partner organisation via DMZ gateway network connections to our internal central gateway.
So I need to take every precaution and demonstrate it's secure following the hardening guide, but I also need to show compliance reporting and be able to routinely assess and report easily.
Many distros now support the openSCAP tools, which are very useful for compliance reporting against various security profiles.
You can read more about its capabilities here.
https://www.open-scap.org/
https://www.open-scap.org/security-policies/choosing-policy/
The workbench tool is excellent for running a scan against a security profile and producing reports which include remedial scripting. This can be applied to an unhardened OS or to one which is built with a security profile enabled, which should equate to less remedial work later.
For context, running on AlmaLinux 9.0 with the latest release, Ignition 8.1.21.
For the openSCAP profile I used Australian Cyber Security Centre (ACSC) Essential Eight, but other NIST profiles are available for other regions.
The openSCAP tools require GUI support, so the full ISO Linux image is needed at the initial build, or all the relevant GUI packages must be added later to a minimal build.
So I wanted to explore if it's possible to install Ignition on a pre-hardened AlmaLinux 9.0 OS instance and then resolve any remaining vulnerabilities leveraging the openSCAP workbench tools.
The hope being that it might be less work to harden everything post Ignition install, working from a pre-hardened OS base.
Turns out not to be straightforward; here are two results:
Scenario 1: Pre-hardened Linux build with openSCAP profile enabled, then install Ignition, then audit again and remediate
Result: Ignition installer fails with error:
xhost: unable to open display ""
runtime/bin/./java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
This occurs for interactive mode and also for the command-line options of unattended installs.
Most likely I need to relax some locked-down packages/permissions to allow the installer to run and then remediate afterwards.
Have raised a tech support case with IA to identify dependencies (WIP).
Scenario 2: Unhardened Linux with Ignition installed, then run openSCAP workbench to assess vulnerabilities
The assessment report identifies 44 non-compliances out of a total of 97 criteria, so it's a huge job to remedy that to meet an openSCAP profile.
My concern is whether Ignition will stay working if I remediate all 44 issues to satisfy the openSCAP profile.
Has anyone else had success with openSCAP tools with Ignition environments?
Perhaps there might be other paths to achieve this?
Any feedback and suggestions will be greatly appreciated.
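As an added example (not part of the post above and not Inductive Automation's or the openSCAP project's own code), the script below shows the command-line route to the same workflow: the `oscap` scanner from the `openscap-scanner` package evaluates a profile, a small summary function counts pass/fail results from the XCCDF results file in the same "N non-compliant out of M" shape the workbench reports, and `oscap xccdf generate fix` produces a bash remediation script for the failed rules only, so each change can be reviewed before it is applied to a host running Ignition. The datastream path `/usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml` and the profile id `xccdf_org.ssgproject.content_profile_e8` are assumptions taken from the scap-security-guide package layout; check them with `oscap info` on your build. The embedded results file is constructed sample data so the summary functions run without a scan.

```bash
#!/usr/bin/env bash
# Added example: headless openSCAP scan, compliance summary and remediation
# script generation. The datastream path and profile id are assumptions
# (scap-security-guide layout for AlmaLinux 9); verify with: oscap info "$DS"
set -u

DS="${DS:-/usr/share/xml/scap/ssg/content/ssg-almalinux9-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_e8}"
RESULTS="${RESULTS:-/tmp/oscap-results.xml}"
REPORT="${REPORT:-/tmp/oscap-report.html}"

# Evaluate the profile. oscap exits 2 when at least one rule fails, which is
# the expected outcome on an unremediated host, so only other codes are errors.
run_scan() {
    sudo oscap xccdf eval --profile "$PROFILE" \
        --results "$RESULTS" --report "$REPORT" "$DS"
    local rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || return "$rc"
    return 0
}

# Count rule results of one kind (pass, fail, notapplicable, ...) in an XCCDF
# results file; every <rule-result> carries exactly one <result> child.
count_result() {
    local file="$1" kind="$2"
    grep -o "<result>${kind}</result>" "$file" | wc -l | tr -d ' '
}

# One-line summary: failed rules out of rules that were actually evaluated
# (notapplicable and similar outcomes are not counted as criteria).
summarize() {
    local file="$1"
    local fail pass total
    fail=$(count_result "$file" fail)
    pass=$(count_result "$file" pass)
    total=$((fail + pass))
    echo "$fail non-compliant out of $total evaluated rules ($pass pass)"
}

# Generate a bash remediation script for the failed rules of a previous scan.
# The TestResult id is read from the results file so only failures are fixed.
generate_fix() {
    local file="$1" out="$2"
    local result_id
    result_id=$(grep -o '<TestResult id="[^"]*"' "$file" | head -n1 \
        | sed 's/.*id="\([^"]*\)"/\1/')
    oscap xccdf generate fix --fix-type bash --result-id "$result_id" \
        --output "$out" "$file"
}

# Constructed sample results file (illustrative rule ids, not a real scan),
# so summarize/count_result can be exercised offline.
SAMPLE="${TMPDIR:-/tmp}/oscap-sample-results.xml"
cat > "$SAMPLE" <<'EOF'
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_e8">
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_audit_installed"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_not_applicable"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
EOF

# "./script.sh scan" runs a real scan and writes /tmp/oscap-remediate.sh;
# with no argument it only summarizes the constructed sample.
if [ "${1:-}" = "scan" ]; then
    run_scan && summarize "$RESULTS" && generate_fix "$RESULTS" /tmp/oscap-remediate.sh
else
    summarize "$SAMPLE"
fi
```

A practical way to use this against the "will Ignition keep working" question is to run the scan, generate the fix script, then apply it one rule at a time (each rule's section is delimited in the generated script) with a gateway health check between applications, rather than running the whole remediation script in one go.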