Blame SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch

c99e83
From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001
c99e83
From: Vojtech Polasek <vpolasek@redhat.com>
c99e83
Date: Mon, 25 May 2020 12:17:48 +0200
c99e83
Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8
c99e83
c99e83
---
c99e83
 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
c99e83
 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++
c99e83
 2 files changed, 250 insertions(+)
c99e83
 create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
c99e83
 create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
c99e83
c99e83
diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
c99e83
new file mode 100644
c99e83
index 0000000000..14c82c4231
c99e83
--- /dev/null
c99e83
+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg
c99e83
@@ -0,0 +1,125 @@
c99e83
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server
c99e83
+# Version: 0.0.1
c99e83
+# Date: 2020-05-25
c99e83
+#
c99e83
+# Based on:
c99e83
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
c99e83
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
c99e83
+
c99e83
+# Install a fresh new system (optional)
c99e83
+install
c99e83
+
c99e83
+# Specify installation method to use for installation
c99e83
+# To use a different one comment out the 'url' one below, update
c99e83
+# the selected choice with proper options & un-comment it
c99e83
+#
c99e83
+# Install from an installation tree on a remote server via FTP or HTTP:
c99e83
+# --url		the URL to install from
c99e83
+#
c99e83
+# Example:
c99e83
+#
c99e83
+# url --url=http://192.168.122.1/image
c99e83
+#
c99e83
+# Modify concrete URL in the above example appropriately to reflect the actual
c99e83
+# environment machine is to be installed in
c99e83
+#
c99e83
+# Other possible / supported installation methods:
c99e83
+# * install from the first CD-ROM/DVD drive on the system:
c99e83
+#
c99e83
+# cdrom
c99e83
+#
c99e83
+# * install from a directory of ISO images on a local drive:
c99e83
+#
c99e83
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
c99e83
+#
c99e83
+# * install from provided NFS server:
c99e83
+#
c99e83
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
c99e83
+#
c99e83
+
c99e83
+# Set language to use during installation and the default language to use on the installed system (required)
c99e83
+lang en_US.UTF-8
c99e83
+
c99e83
+# Set system keyboard type / layout (required)
c99e83
+keyboard us
c99e83
+
c99e83
+# Configure network information for target system and activate network devices in the installer environment (optional)
c99e83
+# --onboot	enable device at a boot time
c99e83
+# --device	device to be activated and / or configured with the network command
c99e83
+# --bootproto	method to obtain networking configuration for device (default dhcp)
c99e83
+# --noipv6	disable IPv6 on this device
c99e83
+#
c99e83
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
c99e83
+#       "--bootproto=static" must be used. For example:
c99e83
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
c99e83
+#
c99e83
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
c99e83
+
c99e83
+# Set the system's root password (required)
c99e83
+# Plaintext password is: server
c99e83
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
c99e83
+# encrypted password form for different plaintext password
c99e83
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
c99e83
+
c99e83
+# The selected profile will restrict root login
c99e83
+# Add a user that can login and escalate privileges
c99e83
+# Plaintext password is: admin123
c99e83
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
c99e83
+
c99e83
+# Configure firewall settings for the system (optional)
c99e83
+# --enabled	reject incoming connections that are not in response to outbound requests
c99e83
+# --ssh		allow sshd service through the firewall
c99e83
+firewall --enabled --ssh
c99e83
+
c99e83
+# Set up the authentication options for the system (required)
c99e83
+# --enableshadow	enable shadowed passwords by default
c99e83
+# --passalgo		hash / crypt algorithm for new passwords
c99e83
+# See the manual page for authconfig for a complete list of possible options.
c99e83
+authconfig --enableshadow --passalgo=sha512
c99e83
+
c99e83
+# State of SELinux on the installed system (optional)
c99e83
+# Defaults to enforcing
c99e83
+selinux --enforcing
c99e83
+
c99e83
+# Set the system time zone (required)
c99e83
+timezone --utc America/New_York
c99e83
+
c99e83
+# Specify how the bootloader should be installed (required)
c99e83
+# Plaintext password is: password
c99e83
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
c99e83
+# encrypted password form for different plaintext password
c99e83
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
c99e83
+
c99e83
+# Initialize (format) all disks (optional)
c99e83
+zerombr
c99e83
+
c99e83
+# The following partition layout scheme assumes disk of size 20GB or larger
c99e83
+# Modify size of partitions appropriately to reflect actual machine's hardware
c99e83
+#
c99e83
+# Remove Linux partitions from the system prior to creating new ones (optional)
c99e83
+# --linux	erase all Linux partitions
c99e83
+# --initlabel	initialize the disk label to the default based on the underlying architecture
c99e83
+clearpart --linux --initlabel
c99e83
+
c99e83
+# Create primary system partitions (required for installs)
c99e83
+autopart
c99e83
+
c99e83
+# Harden installation with HIPAA profile
c99e83
+# For more details and configuration options see command %addon org_fedora_oscap in
c99e83
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
c99e83
+%addon org_fedora_oscap
c99e83
+        content-type = scap-security-guide
c99e83
+        profile = xccdf_org.ssgproject.content_profile_hipaa
c99e83
+%end
c99e83
+
c99e83
+# Packages selection (%packages section is required)
c99e83
+%packages
c99e83
+
c99e83
+# Require @Base
c99e83
+@Base
c99e83
+
c99e83
+%end # End of %packages section
c99e83
+
c99e83
+# Reboot after the installation is complete (optional)
c99e83
+# --eject	attempt to eject CD or DVD media before rebooting
c99e83
+reboot --eject
c99e83
diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
c99e83
new file mode 100644
c99e83
index 0000000000..861db36f18
c99e83
--- /dev/null
c99e83
+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg
c99e83
@@ -0,0 +1,125 @@
c99e83
+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server
c99e83
+# Version: 0.0.1
c99e83
+# Date: 2020-05-25
c99e83
+#
c99e83
+# Based on:
c99e83
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
c99e83
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
c99e83
+
c99e83
+# Install a fresh new system (optional)
c99e83
+install
c99e83
+
c99e83
+# Specify installation method to use for installation
c99e83
+# To use a different one comment out the 'url' one below, update
c99e83
+# the selected choice with proper options & un-comment it
c99e83
+#
c99e83
+# Install from an installation tree on a remote server via FTP or HTTP:
c99e83
+# --url		the URL to install from
c99e83
+#
c99e83
+# Example:
c99e83
+#
c99e83
+# url --url=http://192.168.122.1/image
c99e83
+#
c99e83
+# Modify concrete URL in the above example appropriately to reflect the actual
c99e83
+# environment machine is to be installed in
c99e83
+#
c99e83
+# Other possible / supported installation methods:
c99e83
+# * install from the first CD-ROM/DVD drive on the system:
c99e83
+#
c99e83
+# cdrom
c99e83
+#
c99e83
+# * install from a directory of ISO images on a local drive:
c99e83
+#
c99e83
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
c99e83
+#
c99e83
+# * install from provided NFS server:
c99e83
+#
c99e83
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
c99e83
+#
c99e83
+
c99e83
+# Set language to use during installation and the default language to use on the installed system (required)
c99e83
+lang en_US.UTF-8
c99e83
+
c99e83
+# Set system keyboard type / layout (required)
c99e83
+keyboard us
c99e83
+
c99e83
+# Configure network information for target system and activate network devices in the installer environment (optional)
c99e83
+# --onboot	enable device at a boot time
c99e83
+# --device	device to be activated and / or configured with the network command
c99e83
+# --bootproto	method to obtain networking configuration for device (default dhcp)
c99e83
+# --noipv6	disable IPv6 on this device
c99e83
+#
c99e83
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
c99e83
+#       "--bootproto=static" must be used. For example:
c99e83
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
c99e83
+#
c99e83
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
c99e83
+
c99e83
+# Set the system's root password (required)
c99e83
+# Plaintext password is: server
c99e83
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
c99e83
+# encrypted password form for different plaintext password
c99e83
+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
c99e83
+
c99e83
+# The selected profile will restrict root login
c99e83
+# Add a user that can login and escalate privileges
c99e83
+# Plaintext password is: admin123
c99e83
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
c99e83
+
c99e83
+# Configure firewall settings for the system (optional)
c99e83
+# --enabled	reject incoming connections that are not in response to outbound requests
c99e83
+# --ssh		allow sshd service through the firewall
c99e83
+firewall --enabled --ssh
c99e83
+
c99e83
+# Set up the authentication options for the system (required)
c99e83
+# sssd profile sets sha512 to hash passwords
c99e83
+# passwords are shadowed by default
c99e83
+# See the manual page for authselect-profile for a complete list of possible options.
c99e83
+authselect select sssd
c99e83
+
c99e83
+# State of SELinux on the installed system (optional)
c99e83
+# Defaults to enforcing
c99e83
+selinux --enforcing
c99e83
+
c99e83
+# Set the system time zone (required)
c99e83
+timezone --utc America/New_York
c99e83
+
c99e83
+# Specify how the bootloader should be installed (required)
c99e83
+# Plaintext password is: password
c99e83
+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
c99e83
+# encrypted password form for different plaintext password
c99e83
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
c99e83
+
c99e83
+# Initialize (format) all disks (optional)
c99e83
+zerombr
c99e83
+
c99e83
+# The following partition layout scheme assumes disk of size 20GB or larger
c99e83
+# Modify size of partitions appropriately to reflect actual machine's hardware
c99e83
+# 
c99e83
+# Remove Linux partitions from the system prior to creating new ones (optional)
c99e83
+# --linux	erase all Linux partitions
c99e83
+# --initlabel	initialize the disk label to the default based on the underlying architecture
c99e83
+clearpart --linux --initlabel
c99e83
+
c99e83
+# Create primary system partitions (required for installs)
c99e83
+autopart
c99e83
+
c99e83
+# Harden installation with HIPAA profile
c99e83
+# For more details and configuration options see
c99e83
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
c99e83
+%addon org_fedora_oscap
c99e83
+        content-type = scap-security-guide
c99e83
+        profile = xccdf_org.ssgproject.content_profile_hipaa
c99e83
+%end
c99e83
+
c99e83
+# Packages selection (%packages section is required)
c99e83
+%packages
c99e83
+
c99e83
+# Require @Base
c99e83
+@Base
c99e83
+
c99e83
+%end # End of %packages section
c99e83
+
c99e83
+# Reboot after the installation is complete (optional)
c99e83
+# --eject	attempt to eject CD or DVD media before rebooting
c99e83
+reboot --eject