gregelin · June 12, 2016 22:25
diff --git a/ssg-rhel6-stig-ks.cfg b/ssg-rhel6-stig-ks.cfg
 # SCAP Security Guide DoD STIG  profile kickstart for Red Hat Enterprise Linux 6 Server
 # Version: 0.0.1
 # Date: 2015-04-08
 # Url: http://people.redhat.com/swells/ssg-rhel6-stig-ks.cfg
 #
 # Based on:
 # http://fedoraproject.org/wiki/Anaconda/Kickstart
 # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html
 # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
 #
 # NOTE: This kickstart attempts to stay within the bounds of RHEL6's Common Criteria certification,
 # while applying DoD-specific controls (and ignoring those waived by DoD)
 #


 # Install a fresh new system (optional)
 install

 # Specify installation method to use for installation
 # To use a different one comment out the 'url' one below, update
 # the selected choice with proper options & un-comment it
 #
 # Install from an installation tree on a remote server via FTP or HTTP:
 # --url		the URL to install from
 #
 #url --url=http://192.168.122.1/image
 #
 # Other possible / supported installation methods:
 # * install from the first CD-ROM/DVD drive on the system:
 #
 # cdrom
 #
 # * install from a directory of ISO images on a local drive:
 #
 # harddrive --partition=hdb2 --dir=/tmp/install-tree
 #
 # * install from provided NFS server:
 #
 # nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
 #

 # Set language to use during installation and the default language to use on the installed system (required)
 lang en_US.UTF-8

 # Set system keyboard type / layout (required)
 keyboard us

 # Configure network information for target system and activate network devices in the installer environment (optional)
 # --onboot	enable device at a boot time
 # --device	device to be activated and / or configured with the network command
 # --bootproto	method to obtain networking configuration for device (default dhcp)
 # --noipv6	disable IPv6 on this device
 network --onboot yes --device eth0 --bootproto dhcp --noipv6

 # Set the system's root password (required)
 # Plaintext password is: server
 # Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
 # encrypted password form for different plaintext password
 rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0

 # Configure firewall settings for the system (optional)
 # --enabled	reject incoming connections that are not in response to outbound requests
 # --ssh		allow sshd service through the firewall
 firewall --enabled --ssh

 # Set up the authentication options for the system (required)
 # --enableshadow	enable shadowed passwords by default
 # --passalgo		hash / crypt algorithm for new passwords
 # See the manual page for authconfig for a complete list of possible options.
 authconfig --enableshadow --passalgo=sha512

 # State of SELinux on the installed system (optional)
 # Defaults to enforcing
 selinux --enforcing

 # Set the system time zone (required)
 timezone --utc America/New_York

 # Specify how the bootloader should be installed (required)
 # Plaintext password is: password
 # Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
 # encrypted password form for different plaintext password
 bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

 # Initialize (format) all disks (optional)
 zerombr

 # The following partition layout scheme assumes disk of size 20GB or larger
 # Modify size of partitions appropriately to reflect actual machine's hardware
 # 
 # Remove Linux partitions from the system prior to creating new ones (optional)
 # --linux	erase all Linux partitions
 # --initlabel	initialize the disk label to the default based on the underlying architecture
 clearpart --linux --initlabel

 # Create primary system partitions (required for installs)
 part /boot --fstype=ext4 --size=512
 part pv.01 --grow --size=1

 # Create a Logical Volume Management (LVM) group (optional)
 volgroup VolGroup --pesize=4096 pv.01

 # Create particular logical volumes (optional)
 logvol / --fstype=ext4 --name=LogVol06 --vgname=VolGroup --size=12288 --grow
 # CCE-26557-9: Ensure /home Located On Separate Partition
 logvol /home --fstype=ext4 --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
 # CCE-26435-8: Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=ext4 --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
 # CCE-26639-5: Ensure /var Located On Separate Partition
 logvol /var --fstype=ext4 --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
 # CCE-26215-4: Ensure /var/log Located On Separate Partition
 logvol /var/log --fstype=ext4 --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
 # CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
 logvol /var/log/audit --fstype=ext4 --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
 logvol swap --name=lv_swap --vgname=VolGroup --size=2016

 # Packages selection (%packages section is required)
 #
 %packages
 ################################################
 ##
 ## Package listing
 ## ---------------
 ##
 ## The following list specifies the packages installed onto a bare minimum
 ## system. To allow an administrator to install the absolute minimum
 ## set of packages, the list is partitioned into common sets which are marked
 ## to belong to one of the following categories.
 ##
 ## Categories and their meaning:
 ##
 ##   Mandatory   You MUST install the set of packages if the given condition
 ##               applies.
 ##   Default     You MAY choose to not install the packages. However, these
 ##               packages provide functionality specified in the Security
 ##               Target that is outlined in the package set description.
 ##               If you intend to enable the respective functionality, you
 ##               MUST use these packages. Any other package from the
 ##               distribution that would provide similar functionality MUST NOT
 ##               be used as it is not ensured that those packages implement
 ##               all required functional aspects.
 ##               Note that you either MUST install all packages or none out of
 ##               the given set.
 ##   Optional    You MAY choose to not install the packages. Packages can be
 ##               selectively installed per package set (i.e. it is not
 ##               required to fully install all packages for one package set
 ##               or none at all).
 ##   Prohibited  These packages MUST NOT be installed. This is ensured by
 ##               listing the packages with a minus sign prepended. Therefore
 ##               you MUST NOT add comment signs to these sets.
 ##
 ################################################
 ## Package set: base packages
 ## Condition:   Mandatory in Base and MLS mode
 ##
 audit
 bridge-utils
 libnl
 policycoreutils
 python-rhsm
 python-simplejson
 PyXML
 prelink
 rdate
 rng-tools
 screen
 sudo
 virt-what

 ################################################
 ## Package set: This package set provides the functionality to allow the
 ##              system to send audit data to a central audit server
 ## Condition:   Default in Base and MLS mode
 ##
 audispd-plugins

 ################################################
 ## Package set: base packages providing MLS environment
 ## Condition:   Mandatory in MLS mode, Optional in Base mode
 ##
 checkpolicy
 policycoreutils-newrole
 policycoreutils-python
 selinux-policy-mls
 xinetd

 ################################################
 ## Package set: Disk encryption support utilities to use a dm-crypt partition
 ## Condition:   Default in Base and MLS mode
 cryptsetup-luks

 ################################################
 ## Package set: Labeled printing support
 ## Condition:   Default in MLS mode, Optional in Base mode
 cups
 foomatic
 ghostscript
 ghostscript-fonts

 ################################################
 ## Package set: CIPSO labeled networking support
 ## Condition:   Default in MLS mode, Optional in Base mode (labeled networking
 ##              functionality unusable in Base mode)
 netlabel_tools

 ################################################
 ## Package set: IPSec-based labeled networking support
 ## Condition:   Default in MLS mode, Optional in Base mode (labeled networking
 ##              functionality unusable in Base mode)
 iproute
 iputils
 openswan

 ################################################
 ## Package set: FIPS 140-2 mode support - this package MUST be installed
 ##              if the TOE shall be operated in FIPS 140-2 compliant mode
 ##              for all cryptographic modules - as FIPS 140-2 is no requirement
 ##              for the Common Criteria evaluation, this package set is
 ##              considered to be optional.
 ## Condition:   Optional in Base and MLS mode
 dracut-fips

 ################################################
 ## Package set: Prohibited packages in any configuration
 ## Condition:   Prohibited in Base and MLS mode
 -sendmail
 -krb5-workstation
 -abrt-addon-kerneloops
 -abrt-addon-python
 -abrt-addon-ccpp
 -abrt-plugin-rhtsupport
 -abrt-plugin-logger
 -abrt-plugin-sosreport
 -abrt-cli
 -abrt
 -subscription-manager

 ################################################
 ## Package set: Convenience functions to provide administrators with
 ##              utilities that he may expect from other systems.
 ## Condition:   Optional in Base and MLS mode
 ##
 aide
 lsof
 openssh-clients
 man-pages
 man-pages-overrides
 mlocate
 parted
 pciutils
 postfix
 quota
 rsync
 scrub
 smartmontools
 stunnel
 tcpdump
 traceroute
 vim-enhanced
 wget

 ################################################
 ## Package set: Minimal development environment used to perform the
 ##              testing of the system.
 ## Condition:   Optional in Base and MLS mode
 ##
 audit-libs-devel
 autoconf
 automake
 bison
 cvs
 cyrus-sasl-devel.x86_64
 elinks
 expect
 flex
 gcc
 gcc-c++
 keyutils-libs
 keyutils-libs-devel
 kpartx
 libattr-devel
 libcap-devel
 libvirt-python
 libselinux-devel.x86_64
 libsepol-devel.x86_64
 make
 openscap
 openssl-devel.x86_64
 pam-devel.x86_64
 perl-devel
 perl-Digest-HMAC
 perl-Digest-SHA1
 python-devel
 python-virtinst
 readline-devel
 rpm-build
 setools-console
 strace
 swig
 tcl
 texinfo
 tk
 zlib-devel

 ################################################
 ## Package set: Base packages required for the x86_64 environment
 ## Condition:   Mandatory in Base and MLS mode
 ##
 dmidecode
 glibc.i686
 glibc-devel.i686
 glibc-devel.x86_64
 libgcc.i686
 libgcc.x86_64
 libattr.i686
 cracklib.i686
 audit-libs.i686
 openssl.i686
 openssl-devel.i686
 libgcrypt.i686

 ################################################
 ## Package set: Convenience functions to provide administrators with
 ##              utilities that he may expect from other systems.
 ## Condition:   Optional in Base and MLS mode
 ##
 acpid
 cpuspeed
 irqbalance
 usbutils

 ################################################
 ## Package set: Virtualization environment support packages to enable the
 ##              KVM support
 ## Condition:   Default
 ##
 #@virtualization
 #@virtualization-client
 #@virtualization-platform
 #@virtualization-tools
 #-virt-manager
 #-virt-viewer
 #ebtables

 ################################################
 ## Package set: Development packages
 ## Condition:   Optional
 ##
 libcap-devel.i686
 libselinux-devel.i686

 # Install git package so we can clone SCAP Security Guide repository below
 git

 # Install selected additional packages (required by USGCB profile)
 # CCE-27024-9: Install AIDE
 aide

 # Install openscap-utils so it's possible to perform remediation once the
 # installation is complete
 openscap-utils

 %end # End of %packages section

 %post --log /root/oscap.log

 SSG_GIT_CONTENT="/root/scap-security-guide"
 SSG_GIT_RHEL6="$SSG_GIT_CONTENT/RHEL/6"
 SSG_GIT_URI="https://github.com/OpenSCAP/scap-security-guide.git"
 SSG_SHARE_DIR="/usr/share/scap-security-guide"

 # Retrieve the most recent SCAP Security Guide repository content & build
 # the RHEL-6 benchmark.

 # NOTE: Pointing to upstream SCAP Security Guide repository. Downstream/stable editions
 #       (e.g. those to ship natively with Red Hat Enterprise Linux 6) will be updated to
 #       point to natively included scap-security-guide RPM package.

 git clone $SSG_GIT_URI $SSG_GIT_CONTENT
 cd $SSG_GIT_RHEL6
 make

 # Copy the remediation functions library to the system too
 mkdir -p $SSG_SHARE_DIR
 cp -a $SSG_GIT_RHEL6/input/fixes/bash/templates/functions $SSG_SHARE_DIR/functions

 # Perform post installation system remediation according to the USGCB profile via the oscap tool
 # To create a system compliant against different RHEL-6 SCAP Security Guide profile specify selected
 # profile name after the --profile oscap tool option

 oscap xccdf eval --remediate --profile stig-rhel6-server-upstream --report /root/oscap_stig_remediation_report.html \
 "$SSG_GIT_RHEL6/output/ssg-rhel6-xccdf.xml"

 # Delete the retrieved GIT content
 rm -rf $SSG_GIT_CONTENT

 %end # End of %post section

 # Reboot after the installation is complete (optional)
 # --eject	attempt to eject CD or DVD media before rebooting
 reboot --eject
	# SCAP Security Guide DoD STIG profile kickstart for Red Hat Enterprise Linux 6 Server
	# Version: 0.0.1
	# Date: 2015-04-08
	# Url: http://people.redhat.com/swells/ssg-rhel6-stig-ks.cfg
	#
	# Based on:
	# http://fedoraproject.org/wiki/Anaconda/Kickstart
	# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html
	# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
	#
	# NOTE: This kickstart attempts to stay within the bounds of RHEL6's Common Criteria certification,
	# while applying DoD-specific controls (and ignoring those waived by DoD)
	#


	# Install a fresh new system (optional)
	install

	# Specify installation method to use for installation
	# To use a different one comment out the 'url' one below, update
	# the selected choice with proper options & un-comment it
	#
	# Install from an installation tree on a remote server via FTP or HTTP:
	# --url the URL to install from
	#
	#url --url=http://192.168.122.1/image
	#
	# Other possible / supported installation methods:
	# * install from the first CD-ROM/DVD drive on the system:
	#
	# cdrom
	#
	# * install from a directory of ISO images on a local drive:
	#
	# harddrive --partition=hdb2 --dir=/tmp/install-tree
	#
	# * install from provided NFS server:
	#
	# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
	#

	# Set language to use during installation and the default language to use on the installed system (required)
	lang en_US.UTF-8

	# Set system keyboard type / layout (required)
	keyboard us

	# Configure network information for target system and activate network devices in the installer environment (optional)
	# --onboot enable device at a boot time
	# --device device to be activated and / or configured with the network command
	# --bootproto method to obtain networking configuration for device (default dhcp)
	# --noipv6 disable IPv6 on this device
	network --onboot yes --device eth0 --bootproto dhcp --noipv6

	# Set the system's root password (required)
	# Plaintext password is: server
	# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
	# encrypted password form for different plaintext password
	rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0

	# Configure firewall settings for the system (optional)
	# --enabled reject incoming connections that are not in response to outbound requests
	# --ssh allow sshd service through the firewall
	firewall --enabled --ssh

	# Set up the authentication options for the system (required)
	# --enableshadow enable shadowed passwords by default
	# --passalgo hash / crypt algorithm for new passwords
	# See the manual page for authconfig for a complete list of possible options.
	authconfig --enableshadow --passalgo=sha512

	# State of SELinux on the installed system (optional)
	# Defaults to enforcing
	selinux --enforcing

	# Set the system time zone (required)
	timezone --utc America/New_York

	# Specify how the bootloader should be installed (required)
	# Plaintext password is: password
	# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
	# encrypted password form for different plaintext password
	bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

	# Initialize (format) all disks (optional)
	zerombr

	# The following partition layout scheme assumes disk of size 20GB or larger
	# Modify size of partitions appropriately to reflect actual machine's hardware
	#
	# Remove Linux partitions from the system prior to creating new ones (optional)
	# --linux erase all Linux partitions
	# --initlabel initialize the disk label to the default based on the underlying architecture
	clearpart --linux --initlabel

	# Create primary system partitions (required for installs)
	part /boot --fstype=ext4 --size=512
	part pv.01 --grow --size=1

	# Create a Logical Volume Management (LVM) group (optional)
	volgroup VolGroup --pesize=4096 pv.01

	# Create particular logical volumes (optional)
	logvol / --fstype=ext4 --name=LogVol06 --vgname=VolGroup --size=12288 --grow
	# CCE-26557-9: Ensure /home Located On Separate Partition
	logvol /home --fstype=ext4 --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
	# CCE-26435-8: Ensure /tmp Located On Separate Partition
	logvol /tmp --fstype=ext4 --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
	# CCE-26639-5: Ensure /var Located On Separate Partition
	logvol /var --fstype=ext4 --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
	# CCE-26215-4: Ensure /var/log Located On Separate Partition
	logvol /var/log --fstype=ext4 --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
	# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
	logvol /var/log/audit --fstype=ext4 --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
	logvol swap --name=lv_swap --vgname=VolGroup --size=2016

	# Packages selection (%packages section is required)
	#
	%packages
	################################################
	##
	## Package listing
	## ---------------
	##
	## The following list specifies the packages installed onto a bare minimum
	## system. To allow an administrator to install the absolute minimum
	## set of packages, the list is partitioned into common sets which are marked
	## to belong to one of the following categories.
	##
	## Categories and their meaning:
	##
	## Mandatory You MUST install the set of packages if the given condition
	## applies.
	## Default You MAY choose to not install the packages. However, these
	## packages provide functionality specified in the Security
	## Target that is outlined in the package set description.
	## If you intend to enable the respective functionality, you
	## MUST use these packages. Any other package from the
	## distribution that would provide similar functionality MUST NOT
	## be used as it is not ensured that those packages implement
	## all required functional aspects.
	## Note that you either MUST install all packages or none out of
	## the given set.
	## Optional You MAY choose to not install the packages. Packages can be
	## selectively installed per package set (i.e. it is not
	## required to fully install all packages for one package set
	## or none at all).
	## Prohibited These packages MUST NOT be installed. This is ensured by
	## listing the packages with a minus sign prepended. Therefore
	## you MUST NOT add comment signs to these sets.
	##
	################################################
	## Package set: base packages
	## Condition: Mandatory in Base and MLS mode
	##
	audit
	bridge-utils
	libnl
	policycoreutils
	python-rhsm
	python-simplejson
	PyXML
	prelink
	rdate
	rng-tools
	screen
	sudo
	virt-what

	################################################
	## Package set: This package set provides the functionality to allow the
	## system to send audit data to a central audit server
	## Condition: Default in Base and MLS mode
	##
	audispd-plugins

	################################################
	## Package set: base packages providing MLS environment
	## Condition: Mandatory in MLS mode, Optional in Base mode
	##
	checkpolicy
	policycoreutils-newrole
	policycoreutils-python
	selinux-policy-mls
	xinetd

	################################################
	## Package set: Disk encryption support utilities to use a dm-crypt partition
	## Condition: Default in Base and MLS mode
	cryptsetup-luks

	################################################
	## Package set: Labeled printing support
	## Condition: Default in MLS mode, Optional in Base mode
	cups
	foomatic
	ghostscript
	ghostscript-fonts

	################################################
	## Package set: CIPSO labeled networking support
	## Condition: Default in MLS mode, Optional in Base mode (labeled networking
	## functionality unusable in Base mode)
	netlabel_tools

	################################################
	## Package set: IPSec-based labeled networking support
	## Condition: Default in MLS mode, Optional in Base mode (labeled networking
	## functionality unusable in Base mode)
	iproute
	iputils
	openswan

	################################################
	## Package set: FIPS 140-2 mode support - this package MUST be installed
	## if the TOE shall be operated in FIPS 140-2 compliant mode
	## for all cryptographic modules - as FIPS 140-2 is no requirement
	## for the Common Criteria evaluation, this package set is
	## considered to be optional.
	## Condition: Optional in Base and MLS mode
	dracut-fips

	################################################
	## Package set: Prohibited packages in any configuration
	## Condition: Prohibited in Base and MLS mode
	-sendmail
	-krb5-workstation
	-abrt-addon-kerneloops
	-abrt-addon-python
	-abrt-addon-ccpp
	-abrt-plugin-rhtsupport
	-abrt-plugin-logger
	-abrt-plugin-sosreport
	-abrt-cli
	-abrt
	-subscription-manager

	################################################
	## Package set: Convenience functions to provide administrators with
	## utilities that he may expect from other systems.
	## Condition: Optional in Base and MLS mode
	##
	aide
	lsof
	openssh-clients
	man-pages
	man-pages-overrides
	mlocate
	parted
	pciutils
	postfix
	quota
	rsync
	scrub
	smartmontools
	stunnel
	tcpdump
	traceroute
	vim-enhanced
	wget

	################################################
	## Package set: Minimal development environment used to perform the
	## testing of the system.
	## Condition: Optional in Base and MLS mode
	##
	audit-libs-devel
	autoconf
	automake
	bison
	cvs
	cyrus-sasl-devel.x86_64
	elinks
	expect
	flex
	gcc
	gcc-c++
	keyutils-libs
	keyutils-libs-devel
	kpartx
	libattr-devel
	libcap-devel
	libvirt-python
	libselinux-devel.x86_64
	libsepol-devel.x86_64
	make
	openscap
	openssl-devel.x86_64
	pam-devel.x86_64
	perl-devel
	perl-Digest-HMAC
	perl-Digest-SHA1
	python-devel
	python-virtinst
	readline-devel
	rpm-build
	setools-console
	strace
	swig
	tcl
	texinfo
	tk
	zlib-devel

	################################################
	## Package set: Base packages required for the x86_64 environment
	## Condition: Mandatory in Base and MLS mode
	##
	dmidecode
	glibc.i686
	glibc-devel.i686
	glibc-devel.x86_64
	libgcc.i686
	libgcc.x86_64
	libattr.i686
	cracklib.i686
	audit-libs.i686
	openssl.i686
	openssl-devel.i686
	libgcrypt.i686

	################################################
	## Package set: Convenience functions to provide administrators with
	## utilities that he may expect from other systems.
	## Condition: Optional in Base and MLS mode
	##
	acpid
	cpuspeed
	irqbalance
	usbutils

	################################################
	## Package set: Virtualization environment support packages to enable the
	## KVM support
	## Condition: Default
	##
	#@virtualization
	#@virtualization-client
	#@virtualization-platform
	#@virtualization-tools
	#-virt-manager
	#-virt-viewer
	#ebtables

	################################################
	## Package set: Development packages
	## Condition: Optional
	##
	libcap-devel.i686
	libselinux-devel.i686

	# Install git package so we can clone SCAP Security Guide repository below
	git

	# Install selected additional packages (required by USGCB profile)
	# CCE-27024-9: Install AIDE
	aide

	# Install openscap-utils so it's possible to perform remediation once the
	# installation is complete
	openscap-utils

	%end # End of %packages section

	%post --log /root/oscap.log

	SSG_GIT_CONTENT="/root/scap-security-guide"
	SSG_GIT_RHEL6="$SSG_GIT_CONTENT/RHEL/6"
	SSG_GIT_URI="https://github.com/OpenSCAP/scap-security-guide.git"
	SSG_SHARE_DIR="/usr/share/scap-security-guide"

	# Retrieve the most recent SCAP Security Guide repository content & build
	# the RHEL-6 benchmark.

	# NOTE: Pointing to upstream SCAP Security Guide repository. Downstream/stable editions
	# (e.g. those to ship natively with Red Hat Enterprise Linux 6) will be updated to
	# point to natively included scap-security-guide RPM package.

	git clone $SSG_GIT_URI $SSG_GIT_CONTENT
	cd $SSG_GIT_RHEL6
	make

	# Copy the remediation functions library to the system too
	mkdir -p $SSG_SHARE_DIR
	cp -a $SSG_GIT_RHEL6/input/fixes/bash/templates/functions $SSG_SHARE_DIR/functions

	# Perform post installation system remediation according to the USGCB profile via the oscap tool
	# To create a system compliant against different RHEL-6 SCAP Security Guide profile specify selected
	# profile name after the --profile oscap tool option

	oscap xccdf eval --remediate --profile stig-rhel6-server-upstream --report /root/oscap_stig_remediation_report.html \
	"$SSG_GIT_RHEL6/output/ssg-rhel6-xccdf.xml"

	# Delete the retrieved GIT content
	rm -rf $SSG_GIT_CONTENT

	%end # End of %post section

	# Reboot after the installation is complete (optional)
	# --eject attempt to eject CD or DVD media before rebooting
	reboot --eject