From 6dcc73bc19c63a090c0aa76a8958e40190194a05 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Tue, 11 Dec 2018 14:56:26 +0100

Subject: [PATCH 1/6] Add RHEL8 kickstart files for OSPP and PCI-DSS profiles.

---

 rhel8/kickstart/ssg-rhel8-ospp-ks.cfg        | 179 +++++++++++++++++++

 rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg | 163 +++++++++++++++++

 2 files changed, 342 insertions(+)

 create mode 100644 rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

 create mode 100644 rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg

diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

new file mode 100644

index 0000000000..9077e09c9f

--- /dev/null

+++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

@@ -0,0 +1,179 @@

+# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 7 Server

+# Version: 0.0.2

+# Date: 2015-11-19

+#

+# Based on:

+# http://fedoraproject.org/wiki/Anaconda/Kickstart

+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html

+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg

+

+# Install a fresh new system (optional)

+install

+

+# Specify installation method to use for installation

+# To use a different one comment out the 'url' one below, update

+# the selected choice with proper options & un-comment it

+#

+# Install from an installation tree on a remote server via FTP or HTTP:

+# --url		the URL to install from

+#

+# Example:

+#

+# url --url=http://192.168.122.1/image

+#

+# Modify concrete URL in the above example appropriately to reflect the actual

+# environment machine is to be installed in

+#

+# Other possible / supported installation methods:

+# * install from the first CD-ROM/DVD drive on the system:

+#

+# cdrom

+#

+# * install from a directory of ISO images on a local drive:

+#

+# harddrive --partition=hdb2 --dir=/tmp/install-tree

+#

+# * install from provided NFS server:

+#

+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]

+#

+# Set language to use during installation and the default language to use on the installed system (required)

+lang en_US.UTF-8

+

+# Set system keyboard type / layout (required)

+keyboard us

+

+# Configure network information for target system and activate network devices in the installer environment (optional)

+# --onboot	enable device at a boot time

+# --device	device to be activated and / or configured with the network command

+# --bootproto	method to obtain networking configuration for device (default dhcp)

+# --noipv6	disable IPv6 on this device

+#

+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,

+#       "--bootproto=static" must be used. For example:

+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1

+#

+network --onboot yes --device eth0 --bootproto dhcp

+

+# Set the system's root password (required)

+# Plaintext password is: server

+# Refer to e.g.

+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw

+# to see how to create encrypted password form for different plaintext password

+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220

+

+# The selected profile will restrict root login

+# Add a user that can login and escalate privileges

+# Plaintext password is: admin123

+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted

+

+# Configure firewall settings for the system (optional)

+# --enabled	reject incoming connections that are not in response to outbound requests

+# --ssh		allow sshd service through the firewall

+firewall --enabled --ssh

+

+# Set up the authentication options for the system (required)

+# --enableshadow	enable shadowed passwords by default

+# --passalgo		hash / crypt algorithm for new passwords

+# See the manual page for authconfig for a complete list of possible options.

+authconfig --enableshadow --passalgo=sha512

+

+# State of SELinux on the installed system (optional)

+# Defaults to enforcing

+selinux --enforcing

+

+# Set the system time zone (required)

+timezone --utc America/New_York

+

+# Specify how the bootloader should be installed (required)

+# Plaintext password is: password

+# Refer to e.g.

+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw

+# to see how to create encrypted password form for different plaintext password

+#

+# PASSWORD TEMPORARILY DISABLED - see bz1651624

+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"

+#bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

+

+# Initialize (format) all disks (optional)

+zerombr

+

+# The following partition layout scheme assumes disk of size 20GB or larger

+# Modify size of partitions appropriately to reflect actual machine's hardware

+# 

+# Remove Linux partitions from the system prior to creating new ones (optional)

+# --linux	erase all Linux partitions

+# --initlabel	initialize the disk label to the default based on the underlying architecture

+clearpart --linux --initlabel

+

+# Create primary system partitions (required for installs)

+part /boot --fstype=xfs --size=512

+part pv.01 --grow --size=1

+

+# Create a Logical Volume Management (LVM) group (optional)

+volgroup VolGroup --pesize=4096 pv.01

+

+# Create particular logical volumes (optional)

+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=12288 --grow

+# CCE-26557-9: Ensure /home Located On Separate Partition

+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"

+# CCE-26435-8: Ensure /tmp Located On Separate Partition

+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"

+# CCE-26639-5: Ensure /var Located On Separate Partition

+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"

+# CCE-26215-4: Ensure /var/log Located On Separate Partition

+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"

+# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition

+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"

+logvol swap --name=swap --vgname=VolGroup --size=2016

+

+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)

+# content - security policies - on the installed system.This add-on has been enabled by default

+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 

+# functionality will automatically be installed. However, by default, no policies are enforced,

+# meaning that no checks are performed during or after installation unless specifically configured.

+#  

+#  Important

+#   Applying a security policy is not necessary on all systems. This screen should only be used

+#   when a specific policy is mandated by your organization rules or government regulations.

+#   Unlike most other commands, this add-on does not accept regular options, but uses key-value

+#   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.

+#   Values can be optionally enclosed in single quotes (') or double quotes (").

+#   

+#  The following keys are recognized by the add-on:

+#    content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.

+#      - If the content-type is scap-security-guide, the add-on will use content provided by the

+#        scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.

+#    content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.

+#    datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.

+#    xccdf-id - ID of the benchmark you want to use.

+#    xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.

+#    profile - ID of the profile to be applied. Use default to apply the default profile.

+#    fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.

+#    tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.

+#

+#  The following is an example %addon org_fedora_oscap section which uses content from the

+#  scap-security-guide on the installation media: 

+%addon org_fedora_oscap

+	content-type = scap-security-guide

+	profile = xccdf_org.ssgproject.content_profile_ospp

+%end

+

+# Packages selection (%packages section is required)

+%packages

+

+# Require @Base

+@Base

+

+# Install selected additional packages (required by profile)

+# CCE-27024-9: Install AIDE

+aide

+

+# Install libreswan package

+libreswan

+

+%end # End of %packages section

+

+# Reboot after the installation is complete (optional)

+# --eject	attempt to eject CD or DVD media before rebooting

+reboot --eject

\ No newline at end of file

diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg

new file mode 100644

index 0000000000..524c90d85e

--- /dev/null

+++ b/rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg

@@ -0,0 +1,163 @@

+# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 7 Server

+# Version: 0.0.2

+# Date: 2015-08-02

+#

+# Based on:

+# http://fedoraproject.org/wiki/Anaconda/Kickstart

+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html

+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg

+

+# Install a fresh new system (optional)

+install

+

+# Specify installation method to use for installation

+# To use a different one comment out the 'url' one below, update

+# the selected choice with proper options & un-comment it

+#

+# Install from an installation tree on a remote server via FTP or HTTP:

+# --url		the URL to install from

+#

+# Example:

+#

+# url --url=http://192.168.122.1/image

+#

+# Modify concrete URL in the above example appropriately to reflect the actual

+# environment machine is to be installed in

+#

+# Other possible / supported installation methods:

+# * install from the first CD-ROM/DVD drive on the system:

+#

+# cdrom

+#

+# * install from a directory of ISO images on a local drive:

+#

+# harddrive --partition=hdb2 --dir=/tmp/install-tree

+#

+# * install from provided NFS server:

+#

+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]

+#

+

+# Set language to use during installation and the default language to use on the installed system (required)

+lang en_US.UTF-8

+

+# Set system keyboard type / layout (required)

+keyboard us

+

+# Configure network information for target system and activate network devices in the installer environment (optional)

+# --onboot	enable device at a boot time

+# --device	device to be activated and / or configured with the network command

+# --bootproto	method to obtain networking configuration for device (default dhcp)

+# --noipv6	disable IPv6 on this device

+network --onboot yes --device eth0 --bootproto dhcp --noipv6

+

+# Set the system's root password (required)

+# Plaintext password is: server

+# Refer to e.g.

+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw

+# to see how to create encrypted password form for different plaintext password

+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220

+

+# Configure firewall settings for the system (optional)

+# --enabled	reject incoming connections that are not in response to outbound requests

+# --ssh		allow sshd service through the firewall

+firewall --enabled --ssh

+

+# Set up the authentication options for the system (required)

+# --enableshadow	enable shadowed passwords by default

+# --passalgo		hash / crypt algorithm for new passwords

+# See the manual page for authconfig for a complete list of possible options.

+authconfig --enableshadow --passalgo=sha512

+

+# State of SELinux on the installed system (optional)

+# Defaults to enforcing

+selinux --enforcing

+

+# Set the system time zone (required)

+timezone --utc America/New_York

+

+# Specify how the bootloader should be installed (required)

+# Plaintext password is: password

+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create

+# encrypted password form for different plaintext password

+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

+

+# Initialize (format) all disks (optional)

+zerombr

+

+# The following partition layout scheme assumes disk of size 20GB or larger

+# Modify size of partitions appropriately to reflect actual machine's hardware

+# 

+# Remove Linux partitions from the system prior to creating new ones (optional)

+# --linux	erase all Linux partitions

+# --initlabel	initialize the disk label to the default based on the underlying architecture

+clearpart --linux --initlabel

+

+# Create primary system partitions (required for installs)

+part /boot --fstype=xfs --size=512

+part pv.01 --grow --size=1

+

+# Create a Logical Volume Management (LVM) group (optional)

+volgroup VolGroup --pesize=4096 pv.01

+

+# Create particular logical volumes (optional)

+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow

+# CCE-26557-9: Ensure /home Located On Separate Partition

+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"

+# CCE-26435-8: Ensure /tmp Located On Separate Partition

+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"

+# CCE-26639-5: Ensure /var Located On Separate Partition

+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"

+# CCE-26215-4: Ensure /var/log Located On Separate Partition

+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"

+# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition

+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"

+logvol swap --name=lv_swap --vgname=VolGroup --size=2016

+

+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)

+# content - security policies - on the installed system.This add-on has been enabled by default

+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 

+# functionality will automatically be installed. However, by default, no policies are enforced,

+# meaning that no checks are performed during or after installation unless specifically configured.

+#  

+#  Important

+#   Applying a security policy is not necessary on all systems. This screen should only be used

+#   when a specific policy is mandated by your organization rules or government regulations.

+#   Unlike most other commands, this add-on does not accept regular options, but uses key-value

+#   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.

+#   Values can be optionally enclosed in single quotes (') or double quotes (").

+#   

+#  The following keys are recognized by the add-on:

+#    content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.

+#      - If the content-type is scap-security-guide, the add-on will use content provided by the

+#        scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.

+#    content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.

+#    datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.

+#    xccdf-id - ID of the benchmark you want to use.

+#    xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.

+#    profile - ID of the profile to be applied. Use default to apply the default profile.

+#    fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.

+#    tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.

+#

+#  The following is an example %addon org_fedora_oscap section which uses content from the

+#  scap-security-guide on the installation media: 

+%addon org_fedora_oscap

+        content-type = scap-security-guide

+        profile = xccdf_org.ssgproject.content_profile_pci-dss

+%end

+

+# Packages selection (%packages section is required)

+%packages

+

+# Install selected additional packages (required by PCI-DSS profile)

+# CCE-27024-9: Install AIDE

+aide

+

+# Install libreswan package

+libreswan

+

+%end # End of %packages section

+

+# Reboot after the installation is complete (optional)

+# --eject	attempt to eject CD or DVD media before rebooting

+reboot --eject

From 46b3cb9b9231513fa59e9612d034a267ede7b618 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Tue, 11 Dec 2018 17:03:50 +0100

Subject: [PATCH 2/6] Fix references for RHEL8 and remove date/version from

 RHEL8 kickstart files.

---

 rhel8/kickstart/ssg-rhel8-ospp-ks.cfg                       | 4 +---

 ...sg-rhel8-pci-dss-oaa-ks.cfg => ssg-rhel8-pci-dss-ks.cfg} | 6 ++----

 2 files changed, 3 insertions(+), 7 deletions(-)

 rename rhel8/kickstart/{ssg-rhel8-pci-dss-oaa-ks.cfg => ssg-rhel8-pci-dss-ks.cfg} (98%)

diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

index 9077e09c9f..3cda22fd49 100644

--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

+++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

@@ -1,6 +1,4 @@

-# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 7 Server

-# Version: 0.0.2

-# Date: 2015-11-19

+# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 8 Server

 #

 # Based on:

 # http://fedoraproject.org/wiki/Anaconda/Kickstart

diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

similarity index 98%

rename from rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg

rename to rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

index 524c90d85e..8f333864fb 100644

--- a/rhel8/kickstart/ssg-rhel8-pci-dss-oaa-ks.cfg

+++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

@@ -1,6 +1,4 @@

-# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 7 Server

-# Version: 0.0.2

-# Date: 2015-08-02

+# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 8 Server

 #

 # Based on:

 # http://fedoraproject.org/wiki/Anaconda/Kickstart

@@ -15,7 +13,7 @@ install

 # the selected choice with proper options & un-comment it

 #

 # Install from an installation tree on a remote server via FTP or HTTP:

-# --url		the URL to install from

+# --url	        the URL to install from

 #

 # Example:

 #

From 16dea2bcffff16d85ae65d54df37f653c8a3d5cd Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Wed, 12 Dec 2018 09:48:56 +0100

Subject: [PATCH 3/6] Remove RHEL7 references from RHEL8 kickstart files.

Remove variant "Server" as it doesn't exist in RHEL8 anymore.

---

 rhel8/kickstart/ssg-rhel8-ospp-ks.cfg    | 3 +--

 rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 3 +--

 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

index 3cda22fd49..8f701fe7aa 100644

--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

+++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

@@ -1,8 +1,7 @@

-# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 8 Server

+# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 8

 #

 # Based on:

 # http://fedoraproject.org/wiki/Anaconda/Kickstart

-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html

 # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg

 # Install a fresh new system (optional)

diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

index 8f333864fb..a01025d122 100644

--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

+++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

@@ -1,8 +1,7 @@

-# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 8 Server

+# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 8

 #

 # Based on:

 # http://fedoraproject.org/wiki/Anaconda/Kickstart

-# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html

 # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg

 # Install a fresh new system (optional)

From 3d244c082c8068462da75a4d25c039b105577a1c Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Wed, 12 Dec 2018 13:34:12 +0100

Subject: [PATCH 4/6] Remove USGCB reference from RHEL8 OSPP profile kickstart.

---

 rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

index 8f701fe7aa..920de1c7d9 100644

--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

+++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

@@ -1,4 +1,4 @@

-# SCAP Security Guide OSPP/USGCB profile kickstart for Red Hat Enterprise Linux 8

+# SCAP Security Guide OSPP profile kickstart for Red Hat Enterprise Linux 8

 #

 # Based on:

 # http://fedoraproject.org/wiki/Anaconda/Kickstart

From 0a86d0f204e9d49115a40585f4a1a72689f02b7a Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Thu, 13 Dec 2018 17:29:14 +0100

Subject: [PATCH 5/6] Remove device "eth0" option from RHEL8 kickstart files.

---

 rhel8/kickstart/ssg-rhel8-ospp-ks.cfg    | 2 +-

 rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 2 +-

 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

index 920de1c7d9..352035db56 100644

--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

+++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

@@ -50,7 +50,7 @@ keyboard us

 #       "--bootproto=static" must be used. For example:

 # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1

 #

-network --onboot yes --device eth0 --bootproto dhcp

+network --onboot yes --bootproto dhcp

 # Set the system's root password (required)

 # Plaintext password is: server

diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

index a01025d122..c8d634266a 100644

--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

+++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

@@ -46,7 +46,7 @@ keyboard us

 # --device	device to be activated and / or configured with the network command

 # --bootproto	method to obtain networking configuration for device (default dhcp)

 # --noipv6	disable IPv6 on this device

-network --onboot yes --device eth0 --bootproto dhcp --noipv6

+network --onboot yes --bootproto dhcp --noipv6

 # Set the system's root password (required)

 # Plaintext password is: server

From a929f93bc25a6f749083437eb4622db2c13963bf Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Fri, 14 Dec 2018 16:04:01 +0100

Subject: [PATCH 6/6] Disable default password for MBR encryption from RHEL8

 kickstart files.

There is a bug preventing that to work properly and it should be

reverted when it gets fixed.

---

 rhel8/kickstart/ssg-rhel8-ospp-ks.cfg    |  4 ----

 rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 11 ++++++++---

 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

index 352035db56..5c6210a097 100644

--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

+++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg

@@ -83,14 +83,10 @@ selinux --enforcing

 timezone --utc America/New_York

 # Specify how the bootloader should be installed (required)

-# Plaintext password is: password

 # Refer to e.g.

 #   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw

 # to see how to create encrypted password form for different plaintext password

-#

-# PASSWORD TEMPORARILY DISABLED - see bz1651624

 bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"

-#bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

 # Initialize (format) all disks (optional)

 zerombr

diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

index c8d634266a..a00476c8f4 100644

--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

+++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg

@@ -75,9 +75,14 @@ timezone --utc America/New_York

 # Specify how the bootloader should be installed (required)

 # Plaintext password is: password

-# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create

-# encrypted password form for different plaintext password

-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

+# Refer to e.g.

+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw

+# to see how to create encrypted password form for different plaintext password

+#

+# PASSWORD TEMPORARILY DISABLED

+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"

+#bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0

+

 # Initialize (format) all disks (optional)

 zerombr