@ancorgs
Last active November 3, 2022 11:15
Nothing else needed

The current implementation is the result of acknowledging that the default DISA STIG policy:

  • Contains rules that should be taken into account during installation since they cannot be easily remediated afterwards (e.g. partitioning and encryption).
  • Contains rules that could make the system unusable for its original purpose if a full remediation is blindly applied.

The first problem is addressed in both interactive and automated installations by issuing warnings the user must accept in order to finish the installation process. Interactive installation also includes links to the section of the installer where the configuration can be fixed.

The second problem is addressed:

  • In interactive installation, by making scanning and remediation optional on first boot, so the user can tweak the SCAP definitions (e.g. with a tailoring file) or the system before running the scan or remediation manually.
  • In automated installation, by using the same traditional AutoYaST mechanisms that are always used to automate post-installation tasks. For example, using a <file> section to deploy the /etc/ssg-apply/override.conf configuration file that would then be used in the scan or remediation done during first boot.