Hardening Script


#1

Previous versions of ManageIQ/CloudForms included a “security hardening” option in the appliance_console. However, after installing the latest version, Gaprindashvili-5, it seems to have been removed.

Is something comparable available elsewhere or accomplished by some other means?

Thanks!


#2

Can you elaborate please? What was the script name? Was it only accessible from appliance_console? What was the exact option name?

There is nothing in the history of appliance_console mentioning either hardening or security.


#3

CF 4.6 menu item 14:

Advanced Setting

1) Configure Network
2) Set Timezone
3) Set Date and Time
4) Restore Database From Backup
5) Configure Database
6) Configure Database Replication
7) translation missing: en.advanced_settings.db_maintenance
8) Logfile Configuration
9) Configure Application Database Failover Monitor
10) Extend Temporary Storage
11) Configure External Authentication (httpd)
12) Update External Authentication Options
13) Generate Custom Encryption Key
14) Harden Appliance Using SCAP Configuration
15) Stop EVM Server Processes
16) Start EVM Server Processes
17) Restart Appliance
18) Shut Down Appliance
19) Summary Information
20) Quit

Choose the advanced setting:

#4

Does this mean the Harden Appliance using SCAP Configuration has only ever been available for CF, not ManageIQ?


#5

Fine used to have it: http://manageiq.org/docs/reference/fine/doc-Installing_on_Red_Hat_Virtualization/miq/index.html#advanced-configuration-settings


#6

Thank you, that certainly clears things up. Do you happen to know what the rationale was for removing this?


#7

> Does this mean the Harden Appliance using SCAP Configuration has only ever been available for CF, not ManageIQ?

The SCAP hardening menu item is CloudForms only and has never been in ManageIQ. While the core code for SCAP hardening is in the appliance console repo [1], the way SCAP works is it’s driven by configuration files, and those files are only available as an RPM on RHEL systems. As ManageIQ is not on RHEL we don’t have those configuration files.

[1] https://github.com/ManageIQ/manageiq-appliance_console/blob/cd6f786faff7f5d1996aa12394031819c59c1e18/lib/manageiq/appliance_console/scap.rb

> Fine used to have it: http://manageiq.org/docs/reference/fine/doc-Installing_on_Red_Hat_Virtualization/miq/index.html#advanced-configuration-settings

If it’s in the documentation, it’s a bug. The reason it appears in the documentation is because the docs for both ManageIQ and CloudForms are equivalent and from the same source, just parts hidden or added by conditional logic. It’s likely a conditional was missed.


#8

As CF is open source, you can always peek into the code.

cfme-gemset has linux_admin and cfme has scap-rules.yml in productization/appliance_console/config

Explore the rest yourself :)