|
|
76240a |
From ee2da171d5a76202b2aef8231c5af6f97ef156ef Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
76240a |
Date: Thu, 12 Aug 2021 10:36:30 +0200
|
|
|
76240a |
Subject: [PATCH 1/2] add rhel7 kickstarts for cis
|
|
|
76240a |
|
|
|
76240a |
---
|
|
|
76240a |
products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg | 4 +-
|
|
|
76240a |
.../kickstart/ssg-rhel7-cis_server_l1-ks.cfg | 136 ++++++++++++++++
|
|
|
76240a |
.../ssg-rhel7-cis_workstation_l1-ks.cfg | 137 ++++++++++++++++
|
|
|
76240a |
.../ssg-rhel7-cis_workstation_l2-ks.cfg | 147 ++++++++++++++++++
|
|
|
76240a |
4 files changed, 422 insertions(+), 2 deletions(-)
|
|
|
76240a |
create mode 100644 products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg
|
|
|
76240a |
create mode 100644 products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg
|
|
|
76240a |
create mode 100644 products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg
|
|
|
76240a |
|
|
|
76240a |
diff --git a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
|
|
|
76240a |
index 6ead435b978..00edb9d536c 100644
|
|
|
76240a |
--- a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
|
|
|
76240a |
+++ b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
|
|
|
76240a |
@@ -1,6 +1,6 @@
|
|
|
76240a |
-# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 7 Server
|
|
|
76240a |
+# SCAP Security Guide CIS profile (Leve 2 - Server) kickstart for Red Hat Enterprise Linux 7 Server
|
|
|
76240a |
# Version: 0.0.1
|
|
|
76240a |
-# Date: 2020-03-30
|
|
|
76240a |
+# Date: 2021-08-12
|
|
|
76240a |
#
|
|
|
76240a |
# Based on:
|
|
|
76240a |
# https://pykickstart.readthedocs.io/en/latest/
|
|
|
76240a |
diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..333105c4f9e
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg
|
|
|
76240a |
@@ -0,0 +1,136 @@
|
|
|
76240a |
+# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 7 Server
|
|
|
76240a |
+# Version: 0.0.1
|
|
|
76240a |
+# Date: 2021-08-12
|
|
|
76240a |
+#
|
|
|
76240a |
+# Based on:
|
|
|
76240a |
+# https://pykickstart.readthedocs.io/en/latest/
|
|
|
76240a |
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
|
|
|
76240a |
+
|
|
|
76240a |
+# Install a fresh new system (optional)
|
|
|
76240a |
+install
|
|
|
76240a |
+
|
|
|
76240a |
+# Specify installation method to use for installation
|
|
|
76240a |
+# To use a different one comment out the 'url' one below, update
|
|
|
76240a |
+# the selected choice with proper options & un-comment it
|
|
|
76240a |
+#
|
|
|
76240a |
+# Install from an installation tree on a remote server via FTP or HTTP:
|
|
|
76240a |
+# --url the URL to install from
|
|
|
76240a |
+#
|
|
|
76240a |
+# Example:
|
|
|
76240a |
+#
|
|
|
76240a |
+# url --url=http://192.168.122.1/image
|
|
|
76240a |
+#
|
|
|
76240a |
+# Modify concrete URL in the above example appropriately to reflect the actual
|
|
|
76240a |
+# environment machine is to be installed in
|
|
|
76240a |
+#
|
|
|
76240a |
+# Other possible / supported installation methods:
|
|
|
76240a |
+# * install from the first CD-ROM/DVD drive on the system:
|
|
|
76240a |
+#
|
|
|
76240a |
+# cdrom
|
|
|
76240a |
+#
|
|
|
76240a |
+# * install from a directory of ISO images on a local drive:
|
|
|
76240a |
+#
|
|
|
76240a |
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
|
|
76240a |
+#
|
|
|
76240a |
+# * install from provided NFS server:
|
|
|
76240a |
+#
|
|
|
76240a |
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
|
|
76240a |
+#
|
|
|
76240a |
+
|
|
|
76240a |
+# Set language to use during installation and the default language to use on the installed system (required)
|
|
|
76240a |
+lang en_US.UTF-8
|
|
|
76240a |
+
|
|
|
76240a |
+# Set system keyboard type / layout (required)
|
|
|
76240a |
+keyboard us
|
|
|
76240a |
+
|
|
|
76240a |
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
|
|
76240a |
+# --onboot enable device at a boot time
|
|
|
76240a |
+# --device device to be activated and / or configured with the network command
|
|
|
76240a |
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
|
|
76240a |
+# --noipv6 disable IPv6 on this device
|
|
|
76240a |
+#
|
|
|
76240a |
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
|
|
76240a |
+# "--bootproto=static" must be used. For example:
|
|
|
76240a |
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
|
|
76240a |
+#
|
|
|
76240a |
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
|
|
76240a |
+
|
|
|
76240a |
+# Set the system's root password (required)
|
|
|
76240a |
+# Plaintext password is: server
|
|
|
76240a |
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
|
|
76240a |
+# encrypted password form for different plaintext password
|
|
|
76240a |
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
|
|
|
76240a |
+
|
|
|
76240a |
+# The selected profile will restrict root login
|
|
|
76240a |
+# Add a user that can login and escalate privileges
|
|
|
76240a |
+# Plaintext password is: admin123
|
|
|
76240a |
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
|
|
76240a |
+
|
|
|
76240a |
+# Configure firewall settings for the system (optional)
|
|
|
76240a |
+# --enabled reject incoming connections that are not in response to outbound requests
|
|
|
76240a |
+# --ssh allow sshd service through the firewall
|
|
|
76240a |
+firewall --enabled --ssh
|
|
|
76240a |
+
|
|
|
76240a |
+# Set up the authentication options for the system (required)
|
|
|
76240a |
+# --enableshadow enable shadowed passwords by default
|
|
|
76240a |
+# --passalgo hash / crypt algorithm for new passwords
|
|
|
76240a |
+# See the manual page for authconfig for a complete list of possible options.
|
|
|
76240a |
+authconfig --enableshadow --passalgo=sha512
|
|
|
76240a |
+
|
|
|
76240a |
+# State of SELinux on the installed system (optional)
|
|
|
76240a |
+# Defaults to enforcing
|
|
|
76240a |
+selinux --enforcing
|
|
|
76240a |
+
|
|
|
76240a |
+# Set the system time zone (required)
|
|
|
76240a |
+timezone --utc America/New_York
|
|
|
76240a |
+
|
|
|
76240a |
+# Specify how the bootloader should be installed (required)
|
|
|
76240a |
+# Plaintext password is: password
|
|
|
76240a |
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
|
|
76240a |
+# encrypted password form for different plaintext password
|
|
|
76240a |
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
|
|
76240a |
+
|
|
|
76240a |
+# Initialize (format) all disks (optional)
|
|
|
76240a |
+zerombr
|
|
|
76240a |
+
|
|
|
76240a |
+# The following partition layout scheme assumes disk of size 20GB or larger
|
|
|
76240a |
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
|
|
76240a |
+#
|
|
|
76240a |
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
|
|
76240a |
+# --linux erase all Linux partitions
|
|
|
76240a |
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
|
|
76240a |
+clearpart --linux --initlabel
|
|
|
76240a |
+
|
|
|
76240a |
+# Create primary system partitions (required for installs)
|
|
|
76240a |
+part /boot --fstype=xfs --size=512
|
|
|
76240a |
+part pv.01 --grow --size=1
|
|
|
76240a |
+
|
|
|
76240a |
+# Create a Logical Volume Management (LVM) group (optional)
|
|
|
76240a |
+volgroup VolGroup --pesize=4096 pv.01
|
|
|
76240a |
+
|
|
|
76240a |
+# Create particular logical volumes (optional)
|
|
|
76240a |
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
|
|
|
76240a |
+# Ensure /tmp Located On Separate Partition
|
|
|
76240a |
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
|
|
|
76240a |
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+# Harden installation with CIS profile
|
|
|
76240a |
+# For more details and configuration options see command %addon org_fedora_oscap in
|
|
|
76240a |
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
|
|
|
76240a |
+%addon org_fedora_oscap
|
|
|
76240a |
+ content-type = scap-security-guide
|
|
|
76240a |
+ profile = xccdf_org.ssgproject.content_profile_cis_server_l1
|
|
|
76240a |
+%end
|
|
|
76240a |
+
|
|
|
76240a |
+# Packages selection (%packages section is required)
|
|
|
76240a |
+%packages
|
|
|
76240a |
+
|
|
|
76240a |
+# Require @Base
|
|
|
76240a |
+@Base
|
|
|
76240a |
+
|
|
|
76240a |
+%end # End of %packages section
|
|
|
76240a |
+
|
|
|
76240a |
+# Reboot after the installation is complete (optional)
|
|
|
76240a |
+# --eject attempt to eject CD or DVD media before rebooting
|
|
|
76240a |
+reboot --eject
|
|
|
76240a |
diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..7ca9fe8558b
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg
|
|
|
76240a |
@@ -0,0 +1,137 @@
|
|
|
76240a |
+# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 7 Server
|
|
|
76240a |
+# Version: 0.0.1
|
|
|
76240a |
+# Date: 2021-08-12
|
|
|
76240a |
+#
|
|
|
76240a |
+# Based on:
|
|
|
76240a |
+# https://pykickstart.readthedocs.io/en/latest/
|
|
|
76240a |
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
|
|
|
76240a |
+
|
|
|
76240a |
+# Install a fresh new system (optional)
|
|
|
76240a |
+install
|
|
|
76240a |
+
|
|
|
76240a |
+# Specify installation method to use for installation
|
|
|
76240a |
+# To use a different one comment out the 'url' one below, update
|
|
|
76240a |
+# the selected choice with proper options & un-comment it
|
|
|
76240a |
+#
|
|
|
76240a |
+# Install from an installation tree on a remote server via FTP or HTTP:
|
|
|
76240a |
+# --url the URL to install from
|
|
|
76240a |
+#
|
|
|
76240a |
+# Example:
|
|
|
76240a |
+#
|
|
|
76240a |
+# url --url=http://192.168.122.1/image
|
|
|
76240a |
+#
|
|
|
76240a |
+# Modify concrete URL in the above example appropriately to reflect the actual
|
|
|
76240a |
+# environment machine is to be installed in
|
|
|
76240a |
+#
|
|
|
76240a |
+# Other possible / supported installation methods:
|
|
|
76240a |
+# * install from the first CD-ROM/DVD drive on the system:
|
|
|
76240a |
+#
|
|
|
76240a |
+# cdrom
|
|
|
76240a |
+#
|
|
|
76240a |
+# * install from a directory of ISO images on a local drive:
|
|
|
76240a |
+#
|
|
|
76240a |
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
|
|
76240a |
+#
|
|
|
76240a |
+# * install from provided NFS server:
|
|
|
76240a |
+#
|
|
|
76240a |
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
|
|
76240a |
+#
|
|
|
76240a |
+
|
|
|
76240a |
+# Set language to use during installation and the default language to use on the installed system (required)
|
|
|
76240a |
+lang en_US.UTF-8
|
|
|
76240a |
+
|
|
|
76240a |
+# Set system keyboard type / layout (required)
|
|
|
76240a |
+keyboard us
|
|
|
76240a |
+
|
|
|
76240a |
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
|
|
76240a |
+# --onboot enable device at a boot time
|
|
|
76240a |
+# --device device to be activated and / or configured with the network command
|
|
|
76240a |
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
|
|
76240a |
+# --noipv6 disable IPv6 on this device
|
|
|
76240a |
+#
|
|
|
76240a |
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
|
|
76240a |
+# "--bootproto=static" must be used. For example:
|
|
|
76240a |
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
|
|
76240a |
+#
|
|
|
76240a |
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
|
|
76240a |
+
|
|
|
76240a |
+# Set the system's root password (required)
|
|
|
76240a |
+# Plaintext password is: server
|
|
|
76240a |
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
|
|
76240a |
+# encrypted password form for different plaintext password
|
|
|
76240a |
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
|
|
|
76240a |
+
|
|
|
76240a |
+# The selected profile will restrict root login
|
|
|
76240a |
+# Add a user that can login and escalate privileges
|
|
|
76240a |
+# Plaintext password is: admin123
|
|
|
76240a |
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
|
|
76240a |
+
|
|
|
76240a |
+# Configure firewall settings for the system (optional)
|
|
|
76240a |
+# --enabled reject incoming connections that are not in response to outbound requests
|
|
|
76240a |
+# --ssh allow sshd service through the firewall
|
|
|
76240a |
+firewall --enabled --ssh
|
|
|
76240a |
+
|
|
|
76240a |
+# Set up the authentication options for the system (required)
|
|
|
76240a |
+# --enableshadow enable shadowed passwords by default
|
|
|
76240a |
+# --passalgo hash / crypt algorithm for new passwords
|
|
|
76240a |
+# See the manual page for authconfig for a complete list of possible options.
|
|
|
76240a |
+authconfig --enableshadow --passalgo=sha512
|
|
|
76240a |
+
|
|
|
76240a |
+# State of SELinux on the installed system (optional)
|
|
|
76240a |
+# Defaults to enforcing
|
|
|
76240a |
+selinux --enforcing
|
|
|
76240a |
+
|
|
|
76240a |
+# Set the system time zone (required)
|
|
|
76240a |
+timezone --utc America/New_York
|
|
|
76240a |
+
|
|
|
76240a |
+# Specify how the bootloader should be installed (required)
|
|
|
76240a |
+# Plaintext password is: password
|
|
|
76240a |
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
|
|
76240a |
+# encrypted password form for different plaintext password
|
|
|
76240a |
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
|
|
76240a |
+
|
|
|
76240a |
+# Initialize (format) all disks (optional)
|
|
|
76240a |
+zerombr
|
|
|
76240a |
+
|
|
|
76240a |
+# The following partition layout scheme assumes disk of size 20GB or larger
|
|
|
76240a |
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
|
|
76240a |
+#
|
|
|
76240a |
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
|
|
76240a |
+# --linux erase all Linux partitions
|
|
|
76240a |
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
|
|
76240a |
+clearpart --linux --initlabel
|
|
|
76240a |
+
|
|
|
76240a |
+# Create primary system partitions (required for installs)
|
|
|
76240a |
+part /boot --fstype=xfs --size=512
|
|
|
76240a |
+part pv.01 --grow --size=1
|
|
|
76240a |
+
|
|
|
76240a |
+# Create a Logical Volume Management (LVM) group (optional)
|
|
|
76240a |
+volgroup VolGroup --pesize=4096 pv.01
|
|
|
76240a |
+
|
|
|
76240a |
+# Create particular logical volumes (optional)
|
|
|
76240a |
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
|
|
|
76240a |
+# Ensure /tmp Located On Separate Partition
|
|
|
76240a |
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
|
|
|
76240a |
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+# Harden installation with CIS profile
|
|
|
76240a |
+# For more details and configuration options see command %addon org_fedora_oscap in
|
|
|
76240a |
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
|
|
|
76240a |
+%addon org_fedora_oscap
|
|
|
76240a |
+ content-type = scap-security-guide
|
|
|
76240a |
+ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1
|
|
|
76240a |
+%end
|
|
|
76240a |
+
|
|
|
76240a |
+# Packages selection (%packages section is required)
|
|
|
76240a |
+%packages
|
|
|
76240a |
+
|
|
|
76240a |
+# Require @Base
|
|
|
76240a |
+@Base
|
|
|
76240a |
+
|
|
|
76240a |
+%end # End of %packages section
|
|
|
76240a |
+
|
|
|
76240a |
+# Reboot after the installation is complete (optional)
|
|
|
76240a |
+# --eject attempt to eject CD or DVD media before rebooting
|
|
|
76240a |
+reboot --eject
|
|
|
76240a |
diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..b9bff5f390e
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg
|
|
|
76240a |
@@ -0,0 +1,147 @@
|
|
|
76240a |
+# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for Red Hat Enterprise Linux 7 Server
|
|
|
76240a |
+# Version: 0.0.1
|
|
|
76240a |
+# Date: 2021-08-12
|
|
|
76240a |
+#
|
|
|
76240a |
+# Based on:
|
|
|
76240a |
+# https://pykickstart.readthedocs.io/en/latest/
|
|
|
76240a |
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
|
|
|
76240a |
+
|
|
|
76240a |
+# Install a fresh new system (optional)
|
|
|
76240a |
+install
|
|
|
76240a |
+
|
|
|
76240a |
+# Specify installation method to use for installation
|
|
|
76240a |
+# To use a different one comment out the 'url' one below, update
|
|
|
76240a |
+# the selected choice with proper options & un-comment it
|
|
|
76240a |
+#
|
|
|
76240a |
+# Install from an installation tree on a remote server via FTP or HTTP:
|
|
|
76240a |
+# --url the URL to install from
|
|
|
76240a |
+#
|
|
|
76240a |
+# Example:
|
|
|
76240a |
+#
|
|
|
76240a |
+# url --url=http://192.168.122.1/image
|
|
|
76240a |
+#
|
|
|
76240a |
+# Modify concrete URL in the above example appropriately to reflect the actual
|
|
|
76240a |
+# environment machine is to be installed in
|
|
|
76240a |
+#
|
|
|
76240a |
+# Other possible / supported installation methods:
|
|
|
76240a |
+# * install from the first CD-ROM/DVD drive on the system:
|
|
|
76240a |
+#
|
|
|
76240a |
+# cdrom
|
|
|
76240a |
+#
|
|
|
76240a |
+# * install from a directory of ISO images on a local drive:
|
|
|
76240a |
+#
|
|
|
76240a |
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
|
|
|
76240a |
+#
|
|
|
76240a |
+# * install from provided NFS server:
|
|
|
76240a |
+#
|
|
|
76240a |
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
|
|
|
76240a |
+#
|
|
|
76240a |
+
|
|
|
76240a |
+# Set language to use during installation and the default language to use on the installed system (required)
|
|
|
76240a |
+lang en_US.UTF-8
|
|
|
76240a |
+
|
|
|
76240a |
+# Set system keyboard type / layout (required)
|
|
|
76240a |
+keyboard us
|
|
|
76240a |
+
|
|
|
76240a |
+# Configure network information for target system and activate network devices in the installer environment (optional)
|
|
|
76240a |
+# --onboot enable device at a boot time
|
|
|
76240a |
+# --device device to be activated and / or configured with the network command
|
|
|
76240a |
+# --bootproto method to obtain networking configuration for device (default dhcp)
|
|
|
76240a |
+# --noipv6 disable IPv6 on this device
|
|
|
76240a |
+#
|
|
|
76240a |
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
|
|
|
76240a |
+# "--bootproto=static" must be used. For example:
|
|
|
76240a |
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
|
|
|
76240a |
+#
|
|
|
76240a |
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
|
|
|
76240a |
+
|
|
|
76240a |
+# Set the system's root password (required)
|
|
|
76240a |
+# Plaintext password is: server
|
|
|
76240a |
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
|
|
76240a |
+# encrypted password form for different plaintext password
|
|
|
76240a |
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
|
|
|
76240a |
+
|
|
|
76240a |
+# The selected profile will restrict root login
|
|
|
76240a |
+# Add a user that can login and escalate privileges
|
|
|
76240a |
+# Plaintext password is: admin123
|
|
|
76240a |
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
|
|
|
76240a |
+
|
|
|
76240a |
+# Configure firewall settings for the system (optional)
|
|
|
76240a |
+# --enabled reject incoming connections that are not in response to outbound requests
|
|
|
76240a |
+# --ssh allow sshd service through the firewall
|
|
|
76240a |
+firewall --enabled --ssh
|
|
|
76240a |
+
|
|
|
76240a |
+# Set up the authentication options for the system (required)
|
|
|
76240a |
+# --enableshadow enable shadowed passwords by default
|
|
|
76240a |
+# --passalgo hash / crypt algorithm for new passwords
|
|
|
76240a |
+# See the manual page for authconfig for a complete list of possible options.
|
|
|
76240a |
+authconfig --enableshadow --passalgo=sha512
|
|
|
76240a |
+
|
|
|
76240a |
+# State of SELinux on the installed system (optional)
|
|
|
76240a |
+# Defaults to enforcing
|
|
|
76240a |
+selinux --enforcing
|
|
|
76240a |
+
|
|
|
76240a |
+# Set the system time zone (required)
|
|
|
76240a |
+timezone --utc America/New_York
|
|
|
76240a |
+
|
|
|
76240a |
+# Specify how the bootloader should be installed (required)
|
|
|
76240a |
+# Plaintext password is: password
|
|
|
76240a |
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
|
|
|
76240a |
+# encrypted password form for different plaintext password
|
|
|
76240a |
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
|
|
|
76240a |
+
|
|
|
76240a |
+# Initialize (format) all disks (optional)
|
|
|
76240a |
+zerombr
|
|
|
76240a |
+
|
|
|
76240a |
+# The following partition layout scheme assumes disk of size 20GB or larger
|
|
|
76240a |
+# Modify size of partitions appropriately to reflect actual machine's hardware
|
|
|
76240a |
+#
|
|
|
76240a |
+# Remove Linux partitions from the system prior to creating new ones (optional)
|
|
|
76240a |
+# --linux erase all Linux partitions
|
|
|
76240a |
+# --initlabel initialize the disk label to the default based on the underlying architecture
|
|
|
76240a |
+clearpart --linux --initlabel
|
|
|
76240a |
+
|
|
|
76240a |
+# Create primary system partitions (required for installs)
|
|
|
76240a |
+part /boot --fstype=xfs --size=512
|
|
|
76240a |
+part pv.01 --grow --size=1
|
|
|
76240a |
+
|
|
|
76240a |
+# Create a Logical Volume Management (LVM) group (optional)
|
|
|
76240a |
+volgroup VolGroup --pesize=4096 pv.01
|
|
|
76240a |
+
|
|
|
76240a |
+# Create particular logical volumes (optional)
|
|
|
76240a |
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
|
|
|
76240a |
+# Ensure /home Located On Separate Partition
|
|
|
76240a |
+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
|
|
|
76240a |
+# Ensure /tmp Located On Separate Partition
|
|
|
76240a |
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
|
|
|
76240a |
+# Ensure /var/tmp Located On Separate Partition
|
|
|
76240a |
+logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
|
|
|
76240a |
+# Ensure /var Located On Separate Partition
|
|
|
76240a |
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048
|
|
|
76240a |
+# Ensure /var/log Located On Separate Partition
|
|
|
76240a |
+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
|
|
|
76240a |
+# Ensure /var/log/audit Located On Separate Partition
|
|
|
76240a |
+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512
|
|
|
76240a |
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+
|
|
|
76240a |
+# Harden installation with CIS profile
|
|
|
76240a |
+# For more details and configuration options see command %addon org_fedora_oscap in
|
|
|
76240a |
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands
|
|
|
76240a |
+%addon org_fedora_oscap
|
|
|
76240a |
+ content-type = scap-security-guide
|
|
|
76240a |
+ profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2
|
|
|
76240a |
+%end
|
|
|
76240a |
+
|
|
|
76240a |
+# Packages selection (%packages section is required)
|
|
|
76240a |
+%packages
|
|
|
76240a |
+
|
|
|
76240a |
+# Require @Base
|
|
|
76240a |
+@Base
|
|
|
76240a |
+
|
|
|
76240a |
+%end # End of %packages section
|
|
|
76240a |
+
|
|
|
76240a |
+# Reboot after the installation is complete (optional)
|
|
|
76240a |
+# --eject attempt to eject CD or DVD media before rebooting
|
|
|
76240a |
+reboot --eject
|
|
|
76240a |
|
|
|
76240a |
From 92e84a2c1b302291aa8ffbc08ae3e4ffabd5dfe7 Mon Sep 17 00:00:00 2001
|
|
|
76240a |
From: Gabriel Becker <ggasparb@redhat.com>
|
|
|
76240a |
Date: Wed, 18 Aug 2021 14:24:34 +0200
|
|
|
76240a |
Subject: [PATCH 2/2] Fix typo in the CIS kickstart
|
|
|
76240a |
MIME-Version: 1.0
|
|
|
76240a |
Content-Type: text/plain; charset=UTF-8
|
|
|
76240a |
Content-Transfer-Encoding: 8bit
|
|
|
76240a |
|
|
|
76240a |
Co-authored-by: Jan Černý <jcerny@redhat.com>
|
|
|
76240a |
---
|
|
|
76240a |
products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg | 2 +-
|
|
|
76240a |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
76240a |
|
|
|
76240a |
diff --git a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
|
|
|
76240a |
index 00edb9d536c..7062e2974ad 100644
|
|
|
76240a |
--- a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
|
|
|
76240a |
+++ b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg
|
|
|
76240a |
@@ -1,4 +1,4 @@
|
|
|
76240a |
-# SCAP Security Guide CIS profile (Leve 2 - Server) kickstart for Red Hat Enterprise Linux 7 Server
|
|
|
76240a |
+# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 7 Server
|
|
|
76240a |
# Version: 0.0.1
|
|
|
76240a |
# Date: 2021-08-12
|
|
|
76240a |
#
|