-
Notifications
You must be signed in to change notification settings - Fork 17
DVD embedded Kickstart for RHEL 6 utilizing SCAP Security Guide (SSG) as a hardening script.
License
RedHatGov/ssg-el6-kickstart
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
############################################################################### # SCAP Security Guide RHEL 6 DVD CREATOR # # This script was written by Frank Caviggia, Red Hat Consulting # Last update was 15 April 2017 # This script is NOT SUPPORTED by Red Hat Global Support Services. # # Author: Frank Caviggia (fcaviggia@gmail.com) # Copyright: Red Hat, (c) 2018 # License: Apache License, Version 2.0 # Description: Kickstart Installation of RHEL 6 with SSG ############################################################################### ABOUT ===== Modifies a RHEL 6.4+ x86_64 Workstation or Server DVD with a kickstart that will install a system that is configured and hardened for Red Hat Enterprise Linux 6. (Latest Update RHEL 6.9) The kickstart script involves the integration of the following projects into a single installer: - classification-banner.py (Python for displaying graphical classification banner) https://github.com/RedHatGov/classification-banner - SCAP Security Guide (SSG) Content - Benchmark and hardening scripts for the system after installation https://github.com/OpenSCAP/scap-security-guide CONTENT ======= createiso.sh - installation script to modify RHEL 6.4+ ISO image /config - Kickstarts, Python, and RPMs needed to modify image. isolinux/ grub.conf - Menu Configuration for Kickstart isolinux.cfg - Menu Configuration for Kickstart hardening/ ssg-rhel.cfg Kickstart Configuration (Calls menu.py in %pre) menu.py Python Script that presents a graphical menu to modify the kickstart. Contains the "Profiles" for configuring the system partitioning and packages. classification-banner.py Graphical Classification Banner (for GNOME Desktops User/ Developer Workstation Profiles) scap-security-guide-*.el6.noarch.rpm Uses OpenSCAP and the SCAP Security Guide (SSG) to test and remediate system. ssg-suplemental.sh Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME, wheel group for root access, etc.) rhevm-preinstall.sh rhevm-postinstall.sh Scripts to losen settings temporararily to allow registration of the system with RHEV-M by allowing root login and allowing exec in /tmp. Run rhevm-postinstall.sh after system is added into RHEV-M. Copied to /root after kickstart install iptables.sh Configures firewall during kicckstart installation. Called in menu.py script. Firewall is configured to reccomended ports for each product or profile. Copied to /root after kickstart install ipa-pam-configuration.sh Configures system for using IPA/IdM authentication by overwriting the pam.d configurations. Copied to /root after kickstart installation HARDENING INFORMATION ===================== Here is some additional information added by the supplemental hardening script in addition to the SSG: 1. The kernel is cofigured in FIPS 140-2 mode on install 2. Shell timeout (bash/csh) is 15 minutes of inactivity, vlock will lock CLI console 3. The 'wheel' group is required for privleged users (beyond root) to run `su -` or `sudo -i` commands, sudo timeout is 5 minutes 4. The 'sshusers' group is required for SSH/SFTP access, other users are limited to console access without this group 5. Runlevel 3 is configured by default to meet requirements, run the following for an X Windows session: $ startx 6. Additional Software such as McAfee EPo/HBSS may be required meet site policy 7. Configure NTP (/etc/ntp.conf) and rsyslog logging to remote server (/etc/rsyslog.conf) 8. Create users: Local Console Access Only (Unprivileged) # useradd -m -c "Local User" localuser Remote Access (Unprivileged) # useradd -m -c "Remote User" -G sshusers remoteuser System Administrator (SA) (Privileged User) # useradd -m -c "System Administrator" -G sshusers,wheel admin (Optional) After adding SAs to the system, lock the root account: # passwd -l root EXAMPLE ======= # ./createiso.sh rhel-server-6.6-x86_64-dvd.iso Mounting RHEL DVD Image... mount: /dev/loop0 is write-protected, mounting read-only Done. Copying RHEL DVD Image... Done. Modifying RHEL DVD Image... Done. Remastering RHEL DVD Image... I: -input-charset not specified, using utf-8 (detected in locale settings) Using RELEA000.HTM;1 for /RELEASE-NOTES-ja-JP.html (RELEASE-NOTES-ta-IN.html) <..........................................> Using POLIC003.RPM;1 for ./Packages/policycoreutils-python-2.0.83-19.39.el6.x86_64.rpm (policycoreutils-newrole-2.0.83-19.39.el6.x86_64.rpm) Size of boot image is 4 sectors -> No emulation 0.27% done, estimate finish Tue Jan 21 22:04:41 2014 <...........................................> 99.86% done, estimate finish Tue Jan 21 22:06:46 2014 Total translation table size: 976326 Total rockridge attributes bytes: 430528 Total directory bytes: 661504 Path table size(bytes): 286 Max brk space used 3ee000 1882600 extents written (3676 MB) Done. Signing RHEL DVD Image... Inserting md5sum into iso image... md5 = ec4618f4ccc6ccac3cfed291ef341012 Inserting fragment md5sums into iso image... fragmd5 = e115ca49531d6adfee6caadeaf6a895cdc4c3e8b9341f58f5e11e9113a79 frags = 20 Setting supported flag to 0 Done. DVD Created. [ssg-rhel.iso]
About
DVD embedded Kickstart for RHEL 6 utilizing SCAP Security Guide (SSG) as a hardening script.
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published