SCAP Security Guide DoD STIG profile kickstart for Red Hat Enterprise Linux 6 Server
# SCAP Security Guide DoD STIG profile kickstart for Red Hat Enterprise Linux 6 Server
# Version: 0.0.1
# Date: 2015-04-08
# Url: http://people.redhat.com/swells/ssg-rhel6-stig-ks.cfg
#
# Based on:
# http://fedoraproject.org/wiki/Anaconda/Kickstart
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
#
# NOTE: This kickstart attempts to stay within the bounds of RHEL6's Common Criteria certification,
# while applying DoD-specific controls (and ignoring those waived by DoD)
#
# Install a fresh new system (optional)
install
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
#
# Install from an installation tree on a remote server via FTP or HTTP:
# --url the URL to install from
#
# NOTE: a plain http:// or ftp:// tree is fetched in cleartext, so anyone on
# the path can serve a modified tree. On an untrusted network use local media
# or an https:// source you control.
#url --url=http://192.168.122.1/image
#
# Other possible / supported installation methods:
# * install from the first CD-ROM/DVD drive on the system:
#
# cdrom
#
# * install from a directory of ISO images on a local drive:
#
# harddrive --partition=hdb2 --dir=/tmp/install-tree
#
# * install from provided NFS server:
#
# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
#
# Set language to use during installation and the default language to use on the installed system (required)
lang en_US.UTF-8
# Set system keyboard type / layout (required)
keyboard us
# Configure network information for target system and activate network devices in the installer environment (optional)
# --onboot enable device at a boot time
# --device device to be activated and / or configured with the network command
# --bootproto method to obtain networking configuration for device (default dhcp)
# --noipv6 disable IPv6 on this device
# NOTE: no --hostname is given, so the name comes from DHCP or falls back to the
# installer default. The %post section below clones from github.com over HTTPS,
# so this interface must have working DNS and outbound HTTPS during the install.
network --onboot yes --device eth0 --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
# SECURITY: this hash, its plaintext (printed just above) and its salt
# ("rhel6usgcb", reused for the bootloader hash further down) are all published
# with this file. Every host built from the unmodified kickstart shares a root
# password that anyone who has read it knows. Generate a fresh SHA-512 crypt
# hash with a random salt (see the link above), keep the plaintext out of the
# file, and rotate the password on first login - nothing in the kickstart
# itself expires or locks this account.
rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
# Configure firewall settings for the system (optional)
# --enabled reject incoming connections that are not in response to outbound requests
# --ssh allow sshd service through the firewall
# NOTE: --ssh opens tcp/22 to every source address. If the host should not
# accept SSH from everywhere, restrict the source in /etc/sysconfig/iptables
# after the install.
firewall --enabled --ssh
# Set up the authentication options for the system (required)
# --enableshadow enable shadowed passwords by default
# --passalgo hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
# sha512 here matches the $6$ form of the rootpw hash above, so the root
# password and any password set later use the same algorithm.
authconfig --enableshadow --passalgo=sha512
# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing
# Set the system time zone (required)
timezone --utc America/New_York
# Specify how the bootloader should be installed (required)
# Plaintext password is: password
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password (same method as for rootpw)
# SECURITY: the GRUB password only guards interactive edits of the boot entries
# (e.g. appending init=/bin/sh at the console); a published value like this
# one guards nothing. Replace it with a fresh hash before use.
# NOTE(review): the RHEL6 Installation Guide linked in the header documents
# --md5pass= for an already-hashed value and --password= for plaintext. Confirm
# on a test build (inspect /boot/grub/grub.conf) that this kickstart version
# treats the $6$ string below as a hash and not as the literal password.
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
# Initialize (format) all disks (optional)
# WARNING: destructive and unattended. zerombr re-initialises any disk whose
# partition table the installer cannot read, and clearpart --linux below (with
# no --drives= restriction) removes every Linux partition on every disk the
# installer can see, including attached USB or SAN devices.
zerombr
# The following partition layout scheme assumes disk of size 20GB or larger
# Modify size of partitions appropriately to reflect actual machine's hardware
#
# Remove Linux partitions from the system prior to creating new ones (optional)
# --linux erase all Linux partitions
# --initlabel initialize the disk label to the default based on the underlying architecture
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
# /boot is a plain ext4 partition outside LVM; the kernels and initramfs images
# it holds are protected only by filesystem permissions and the GRUB password above.
part /boot --fstype=ext4 --size=512
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
# Sizes are in MB; / takes whatever is left after the fixed-size volumes.
logvol / --fstype=ext4 --name=LogVol06 --vgname=VolGroup --size=12288 --grow
# CCE-26557-9: Ensure /home Located On Separate Partition
logvol /home --fstype=ext4 --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26435-8: Ensure /tmp Located On Separate Partition
# noexec on /tmp breaks anything that unpacks and runs from /tmp (some vendor
# installers and RPM scriptlets do). /var/tmp gets no volume of its own here,
# so it inherits /var's options (nodev only).
logvol /tmp --fstype=ext4 --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
# CCE-26639-5: Ensure /var Located On Separate Partition
logvol /var --fstype=ext4 --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
# CCE-26215-4: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=ext4 --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
# 512 MB fills quickly with a STIG audit ruleset; size it for the expected
# retention, because a full audit volume is what the auditd space_left/
# admin_space_left actions react to.
logvol /var/log/audit --fstype=ext4 --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
# Swap logical volume. It is not encrypted, so memory contents paged out here
# can be read from the disk offline; if data-at-rest protection is required,
# consider --encrypted (cryptsetup-luks is in the package list below).
logvol swap --name=lv_swap --vgname=VolGroup --size=2016
# Packages selection (%packages section is required)
#
%packages
################################################
##
## Package listing
## ---------------
##
## The following list specifies the packages installed onto a bare minimum
## system. To allow an administrator to install the absolute minimum
## set of packages, the list is partitioned into common sets which are marked
## to belong to one of the following categories.
##
## Categories and their meaning:
##
## Mandatory You MUST install the set of packages if the given condition
## applies.
## Default You MAY choose to not install the packages. However, these
## packages provide functionality specified in the Security
## Target that is outlined in the package set description.
## If you intend to enable the respective functionality, you
## MUST use these packages. Any other package from the
## distribution that would provide similar functionality MUST NOT
## be used as it is not ensured that those packages implement
## all required functional aspects.
## Note that you either MUST install all packages or none out of
## the given set.
## Optional You MAY choose to not install the packages. Packages can be
## selectively installed per package set (i.e. it is not
## required to fully install all packages for one package set
## or none at all).
## Prohibited These packages MUST NOT be installed. This is ensured by
## listing the packages with a minus sign prepended. Therefore
## you MUST NOT add comment signs to these sets.
##
################################################
## Package set: base packages
## Condition: Mandatory in Base and MLS mode
##
audit
bridge-utils
libnl
policycoreutils
python-rhsm
python-simplejson
PyXML
prelink
rdate
rng-tools
screen
sudo
virt-what
################################################
## Package set: This package set provides the functionality to allow the
## system to send audit data to a central audit server
## Condition: Default in Base and MLS mode
##
audispd-plugins
################################################
## Package set: base packages providing MLS environment
## Condition: Mandatory in MLS mode, Optional in Base mode
##
checkpolicy
policycoreutils-newrole
policycoreutils-python
selinux-policy-mls
xinetd
################################################
## Package set: Disk encryption support utilities to use a dm-crypt partition
## Condition: Default in Base and MLS mode
cryptsetup-luks
################################################
## Package set: Labeled printing support
## Condition: Default in MLS mode, Optional in Base mode
cups
foomatic
ghostscript
ghostscript-fonts
################################################
## Package set: CIPSO labeled networking support
## Condition: Default in MLS mode, Optional in Base mode (labeled networking
## functionality unusable in Base mode)
netlabel_tools
################################################
## Package set: IPSec-based labeled networking support
## Condition: Default in MLS mode, Optional in Base mode (labeled networking
## functionality unusable in Base mode)
iproute
iputils
openswan
################################################
## Package set: FIPS 140-2 mode support - this package MUST be installed
## if the TOE shall be operated in FIPS 140-2 compliant mode
## for all cryptographic modules - as FIPS 140-2 is no requirement
## for the Common Criteria evaluation, this package set is
## considered to be optional.
## NOTE: installing dracut-fips does not by itself enable FIPS mode. The
## kernel also needs fips=1 on its command line (not present in the
## bootloader --append above), and the remaining steps in Red Hat's FIPS
## guidance for RHEL 6 must be followed after the install.
## Condition: Optional in Base and MLS mode
dracut-fips
################################################
## Package set: Prohibited packages in any configuration
## Condition: Prohibited in Base and MLS mode
-sendmail
-krb5-workstation
-abrt-addon-kerneloops
-abrt-addon-python
-abrt-addon-ccpp
-abrt-plugin-rhtsupport
-abrt-plugin-logger
-abrt-plugin-sosreport
-abrt-cli
-abrt
-subscription-manager
################################################
## Package set: Convenience functions to provide administrators with
## utilities they may expect from other systems.
## Condition: Optional in Base and MLS mode
##
aide
lsof
openssh-clients
man-pages
man-pages-overrides
mlocate
parted
pciutils
postfix
quota
rsync
scrub
smartmontools
stunnel
tcpdump
traceroute
vim-enhanced
wget
################################################
## Package set: Minimal development environment used to perform the
## testing of the system.
## Condition: Optional in Base and MLS mode
##
audit-libs-devel
autoconf
automake
bison
cvs
cyrus-sasl-devel.x86_64
elinks
expect
flex
gcc
gcc-c++
keyutils-libs
keyutils-libs-devel
kpartx
libattr-devel
libcap-devel
libvirt-python
libselinux-devel.x86_64
libsepol-devel.x86_64
make
openscap
openssl-devel.x86_64
pam-devel.x86_64
perl-devel
perl-Digest-HMAC
perl-Digest-SHA1
python-devel
python-virtinst
readline-devel
rpm-build
setools-console
strace
swig
tcl
texinfo
tk
zlib-devel
################################################
## Package set: Base packages required for the x86_64 environment
## Condition: Mandatory in Base and MLS mode
##
dmidecode
glibc.i686
glibc-devel.i686
glibc-devel.x86_64
libgcc.i686
libgcc.x86_64
libattr.i686
cracklib.i686
audit-libs.i686
openssl.i686
openssl-devel.i686
libgcrypt.i686
################################################
## Package set: Convenience functions to provide administrators with
## utilities they may expect from other systems.
## Condition: Optional in Base and MLS mode
##
acpid
cpuspeed
irqbalance
usbutils
################################################
## Package set: Virtualization environment support packages to enable the
## KVM support
## Condition: Default
##
#@virtualization
#@virtualization-client
#@virtualization-platform
#@virtualization-tools
#-virt-manager
#-virt-viewer
#ebtables
################################################
## Package set: Development packages
## Condition: Optional
##
libcap-devel.i686
libselinux-devel.i686
# Install git package so we can clone SCAP Security Guide repository below
git
# Install selected additional packages (required by USGCB profile)
# CCE-27024-9: Install AIDE (aide is also listed in the convenience set above;
# the duplicate entry is harmless)
aide
# Install openscap-utils so it's possible to perform remediation once the
# installation is complete
openscap-utils
%end # End of %packages section
%post --log /root/oscap.log
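SSG_GIT_CONTENT="/root/scap-security-guide"
SSG_GIT_RHEL6="$SSG_GIT_CONTENT/RHEL/6"
SSG_GIT_URI="https://github.com/OpenSCAP/scap-security-guide.git"
# Optional tag or commit to check out after cloning. Leave empty to build the
# tip of the upstream default branch (the original behaviour); set it to a
# reviewed release tag or commit hash to make the build reproducible.
SSG_GIT_REF=""
SSG_SHARE_DIR="/usr/share/scap-security-guide"
# Retrieve the most recent SCAP Security Guide repository content & build
# the RHEL-6 benchmark.
# NOTE: Pointing to upstream SCAP Security Guide repository. Downstream/stable editions
# (e.g. those to ship natively with Red Hat Enterprise Linux 6) will be updated to
# point to natively included scap-security-guide RPM package.
# SECURITY NOTE: whatever is cloned here is built with 'make' and then applied
# to the freshly installed system as root by 'oscap --remediate'. With
# SSG_GIT_REF empty that is the upstream branch head at install time, so the
# only integrity check is the TLS connection to github.com. Pin SSG_GIT_REF
# (or switch to the distribution's scap-security-guide RPM) before using this
# outside a lab.
# Every step up to the remediation is fatal: without the '|| exit 1' guards a
# failed clone left 'cd' in the chroot's working directory and 'make', 'cp'
# and 'oscap' running against paths that did not exist. Note that the
# installer itself only treats a %post failure as an error when %post is
# given --erroronfail; otherwise check /root/oscap.log after the install.
git clone "$SSG_GIT_URI" "$SSG_GIT_CONTENT" || exit 1
if [ -n "$SSG_GIT_REF" ]; then
    # Subshell so the checkout does not change this script's working directory.
    (cd "$SSG_GIT_CONTENT" && git checkout "$SSG_GIT_REF") || exit 1
fi
cd "$SSG_GIT_RHEL6" || exit 1
make || exit 1
# Copy the remediation functions library to the system too
mkdir -p "$SSG_SHARE_DIR" || exit 1
cp -a "$SSG_GIT_RHEL6/input/fixes/bash/templates/functions" "$SSG_SHARE_DIR/functions" || exit 1
# Perform post installation system remediation according to the selected profile
# (stig-rhel6-server-upstream here) via the oscap tool.
# To create a system compliant against different RHEL-6 SCAP Security Guide profile specify selected
# profile name after the --profile oscap tool option
# The exit status is intentionally not checked: oscap returns non-zero when any
# rule is still failing after remediation, which is expected on a first pass.
# Read /root/oscap_stig_remediation_report.html (and the %post log) instead.
oscap xccdf eval --remediate --profile stig-rhel6-server-upstream --report /root/oscap_stig_remediation_report.html \
    "$SSG_GIT_RHEL6/output/ssg-rhel6-xccdf.xml"
# Delete the retrieved GIT content. Leave the tree first so rm does not run
# from inside it; ':?' refuses to run if the variable is somehow empty.
cd / || exit 1
rm -rf -- "${SSG_GIT_CONTENT:?}"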
%end # End of %post section
# Reboot after the installation is complete (optional)
# --eject attempt to eject CD or DVD media before rebooting
reboot --eject