"OpenShift 4.x HOL Tutorial Collection"
Verified on RHEL 8.4
Prerequisite for this article: RHEL8 - configure a YUM repo based on the installation ISO file
$ yum install -y openscap-utils scap-security-guide wget jq
$ yum install -y podman buildah
$ yum install -y wget
$ wget -O - https://www.redhat.com/security/data/oval/v2/RHEL8/rhel-8.oval.xml.bz2 | bzip2 --decompress > rhel-8.oval.xml
$ TAG_NEW=latest
$ TAG_OLD=8.0-126
$ podman pull registry.access.redhat.com/ubi8:${TAG_NEW}
$ podman pull registry.access.redhat.com/ubi8:${TAG_OLD}
$ podman images ubi8
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.access.redhat.com/ubi8 latest 272209ff0ae5 9 days ago 234 MB
registry.access.redhat.com/ubi8 8.0-126 7ae69d957d8b 2 years ago 216 MB
$ ID=$(podman image inspect ubi8:${TAG_NEW} | jq -r .[0].Id)
$ oscap-podman ${ID} oval eval --report /tmp/oval-report-ubi8:${TAG_NEW}.html rhel-8.oval.xml
Definition oval:com.redhat.rhsa:def:20212238: false
Definition oval:com.redhat.rhsa:def:20212235: false
Definition oval:com.redhat.rhsa:def:20212233: false
Definition oval:com.redhat.rhsa:def:20212170: false
W: oscap: Requested offline mode is not supported by uname probe.
Definition oval:com.redhat.rhsa:def:20212169: false
Definition oval:com.redhat.rhsa:def:20212168: false
Definition oval:com.redhat.rhsa:def:20212165: false
Definition oval:com.redhat.rhsa:def:20212037: false
Definition oval:com.redhat.rhsa:def:20212036: false
Definition oval:com.redhat.rhsa:def:20212034: false
Definition oval:com.redhat.rhsa:def:20211989: false
...
$ ID=$(podman image inspect ubi8:${TAG_OLD} | jq -r .[0].Id)
$ oscap-podman ${ID} oval eval --report /tmp/oval-report-ubi8:${TAG_OLD}.html rhel-8.oval.xml
Definition oval:com.redhat.rhsa:def:20212238: false
Definition oval:com.redhat.rhsa:def:20212235: false
Definition oval:com.redhat.rhsa:def:20212233: false
Definition oval:com.redhat.rhsa:def:20212170: true
W: oscap: Requested offline mode is not supported by uname probe.
Definition oval:com.redhat.rhsa:def:20212169: false
Definition oval:com.redhat.rhsa:def:20212168: false
Definition oval:com.redhat.rhsa:def:20212165: false
Definition oval:com.redhat.rhsa:def:20212037: false
Definition oval:com.redhat.rhsa:def:20212036: false
Definition oval:com.redhat.rhsa:def:20212034: false
Definition oval:com.redhat.rhsa:def:20211989: false
...
$ ll /tmp/oval-report-ubi8*
-rw-r--r--. 1 root root 557791 Jun 12 10:24 /tmp/oval-report-ubi8:latest.html
-rw-r--r--. 1 root root 557646 Jun 12 11:52 /tmp/oval-report-ubi8:8.0-126.html
$ ID=$(podman image inspect ubi8:${TAG_OLD} | jq -r .[0].Id)
$ oscap-podman ${ID} xccdf eval --report /tmp/rhel-ubi8:8.0-126-pci-dss.html --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL8.xml' points out to the remote 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL8.xml' file which is referenced from datastream
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL8.xml file which is referenced from XCCDF content

Title   Verify File Hashes with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Ident   CCE-80857-6
Result  pass

Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Ident   CCE-80858-4
Result  fail

Title   Install AIDE
Rule    xccdf_org.ssgproject.content_rule_package_aide_installed
Ident   CCE-80844-4
Result  notapplicable
$ buildah from registry.access.redhat.com/ubi8:8.0-126
ubi8-working-container
$ buildah containers
CONTAINER ID BUILDER IMAGE ID IMAGE NAME CONTAINER NAME
5cb411f02b99 * 7ae69d957d8b registry.access.redhat.com/ub... ubi8-working-container
$ buildah mount ubi8-working-container
/var/lib/containers/storage/overlay/d0ba6f84fe8e3a06bc26b88baa928f2adac1cb6b7a032600f6f9f6daccce4be5/merged
$ ll
total 0
lrwxrwxrwx.  1 root root   7 Aug 12  2018 bin -> usr/bin
dr-xr-xr-x.  2 root root   6 Aug 12  2018 boot
drwxr-xr-x.  2 root root   6 Jun 11  2019 dev
drwxr-xr-x.  1 root root  25 Jun 11  2019 etc
drwxr-xr-x.  2 root root   6 Aug 12  2018 home
lrwxrwxrwx.  1 root root   7 Aug 12  2018 lib -> usr/lib
lrwxrwxrwx.  1 root root   9 Aug 12  2018 lib64 -> usr/lib64
drwx------.  2 root root   6 Jun 11  2019 lost+found
drwxr-xr-x.  2 root root   6 Aug 12  2018 media
drwxr-xr-x.  2 root root   6 Aug 12  2018 mnt
drwxr-xr-x.  2 root root   6 Aug 12  2018 opt
drwxr-xr-x.  2 root root   6 Jun 11  2019 proc
dr-xr-x---.  1 root root  23 Jun 11  2019 root
drwxr-xr-x.  1 root root  21 Jun 11  2019 run
lrwxrwxrwx.  1 root root   8 Aug 12  2018 sbin -> usr/sbin
drwxr-xr-x.  2 root root   6 Aug 12  2018 srv
drwxr-xr-x.  2 root root   6 Jun 11  2019 sys
drwxrwxrwt.  1 root root   6 Jun 11  2019 tmp
drwxr-xr-x. 12 root root 144 Jun 11  2019 usr
drwxr-xr-x.  1 root root  17 Jun 11  2019 var
$ sed --follow-symlinks -i 's/\<nullok\>//g' etc/pam.d/system-auth
$ sed --follow-symlinks -i 's/\<nullok\>//g' etc/pam.d/password-auth
$ buildah commit ubi8-working-container ubi8-my
Getting image source signatures
Copying blob 4144b1ae544b skipped: already exists
Copying blob 77ba31c86fd4 skipped: already exists
Copying blob 0cad3bd8dd71 done
Copying config d6ba863211 done
Writing manifest to image destination
Storing signatures
d6ba86321137604485e693f25cf8d47b2edc865fcb845b602a454bedd350eca8
$ podman images ubi8-my
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/ubi8-my latest d6ba86321137 41 seconds ago 216 MB
$ ID=$(podman image inspect ubi8-my:latest | jq -r .[0].Id)
$ oscap-podman ${ID} xccdf eval --report /tmp/rhel-ubi8-my:latest-pci-dss.html --profile pci-dss /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
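The OVAL and XCCDF runs above print one line per definition or rule, which is enough to compare two image scans without opening the HTML reports. The helper below is an added example, not part of the original article: it extracts the OVAL definitions that evaluate to true (advisories the image is affected by), diffs two scans, and lists failing XCCDF rules. The sample scan outputs are constructed from the lines shown on this page; the temp-file names are local to the script.

```shell
#!/bin/sh
# Added example: parse plain-text oscap-podman output. The sample scans below are
# constructed from the page's lines (only 20212170 was true for ubi8:8.0-126).

# OVAL: IDs of definitions that evaluated to "true", sorted; "W: oscap:" warnings skipped.
affected_defs() {
    awk '$1 == "Definition" && $3 == "true" { sub(/:$/, "", $2); print $2 }' | sort -u
}

# OVAL: definitions true in scan $1 but not in scan $2, i.e. advisories that
# no longer apply after moving from the first image to the second.
fixed_between() {
    a=$(mktemp); b=$(mktemp)
    affected_defs < "$1" > "$a"; affected_defs < "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# XCCDF: "<rule id> <ident>" for every rule block whose Result is "fail".
failed_rules() {
    awk '$1 == "Rule"  { rule = $2 }
         $1 == "Ident" { ident = $2 }
         $1 == "Result" && $2 == "fail" { print rule, ident }'
}

OLD_OVAL=$(mktemp); NEW_OVAL=$(mktemp); PCI_OUT=$(mktemp)
trap 'rm -f "$OLD_OVAL" "$NEW_OVAL" "$PCI_OUT"' EXIT
cat > "$OLD_OVAL" <<'EOF'
Definition oval:com.redhat.rhsa:def:20212238: false
Definition oval:com.redhat.rhsa:def:20212170: true
W: oscap: Requested offline mode is not supported by uname probe.
Definition oval:com.redhat.rhsa:def:20212169: false
EOF
cat > "$NEW_OVAL" <<'EOF'
Definition oval:com.redhat.rhsa:def:20212238: false
Definition oval:com.redhat.rhsa:def:20212170: false
Definition oval:com.redhat.rhsa:def:20212169: false
EOF
cat > "$PCI_OUT" <<'EOF'
Title   Verify File Hashes with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Ident   CCE-80857-6
Result  pass

Title   Verify and Correct File Permissions with RPM
Rule    xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Ident   CCE-80858-4
Result  fail
EOF

echo "Advisories fixed between 8.0-126 and latest:"; fixed_between "$OLD_OVAL" "$NEW_OVAL"
echo "PCI-DSS rules failing in 8.0-126:"; failed_rules < "$PCI_OUT"
```

On a real host, feed it the stdout of the two oscap-podman commands (for example redirected with `| tee /tmp/scan-old.txt`) instead of the constructed files.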
https://www.youtube.com/watch?v=nQmIcK1vvYc