This script collection is designed to work on Redhat / AlmaLinux / RockyLinux / CentOS and other EL8 / EL9 clones.
The script allows to configure an existing Enterprise Linux in order to be compliant with ANSSI BP-028 High, and configure various enhancements. The script is already included in the kickstart file.
To configure an existing setup, you can use the following
curl -sSfL https://raw.githubusercontent.com/netinvent/el_scripts/main/kickstart_source_script/el_configurator.sh | sh -
The kickstart file contains a python script which handles automagic partitioning and other small adjustemnts as pre script, and a machine setup script as post script, that will install additions and configure the system.
With the pre-script, kickstart will handle MBR, GPT and LVM style partitioning, while being able to autosize partitions.
The python script is to be executed as %pre --interpreter=/bin/python3
script and will create the following:
Automatic setup of machines with
- Dynamic partition schema depending on selected target:
hv
: Hypervisor layout with 30GB root partition and/var/lib/livirt/images
maximum partition sizehv-stateless
: The same as above but with a 30GB size partition with labelSTATEFULRW
for stateful storagestateless
: A 50% size root partition and 50% size partition with labelSTATEFULRW
for stateful storagegeneric
: A 100% size root partitionweb
: A secure web server (subset of ANSSI BP-028-High)anssi
: ANSSI BP-028-High compatible partition schema
Of course, you can adjust those values or create new partition schemas directly in the python script.
The kickstat post-script section also provides the following:
- Optional packages if physical machine
- pre-configured smartmontools daemon
- Optional IT8613 support
- Intel TCO Watchdog support
- Tuned config profiles npf-eco and npf-perf
- Optional setups on virtual machines
- Exclusion of firmware packages
- Qemu guest agent setup on KVM machines
- Enabling serial console on tty and grub interface
- Add resize_term() and resize_term2() functions which allows to deal with tty resizing in terminal
- Optional steps if DHCP internet is found
- Installation of non standard packages
- ANSSI-BP028-High SCAP Profile configuration with report
- Prometheus Node exporter installation
- Enable cockpit and allow non root users
- Cleanup of image after setup
Instead of relying on anaconda for partitioning, the script will handle partitioning via parted to allow usage of non mounted partitions for readonly-root setups with stateful partitions which should not be mounted via fstab.
The script can also optionally reserve 5% disk space at the end of physical disk, in order to have some reserved space left for SSD drives.
If the installation fails for some reason, the logs will be found in /tmp/prescript.log
Using LVM partitioning is incompatible with stateless partitioning since the latter requires partitions without mountpoints.
As of today, the python script only uses a single disk. Multi disk support can be added on request.
When anaconda install fails, you have to change the terminal (CTRL+ALT+F2) in order to check file /tmp/prescript.log
.
Using a serial console, you'll have to use ESC+TAB in order to change terminal.
When installing on an existing disk, the script is not capable to unload LVM partitions, hence it may zero the disk, but the kernel will still think the LVM partitions exist.
In that case, just reboot and reinstall, since the disk has been emptied, everything will work properly.
The machine setup script is the same as the post-script section of the kickstart script, but can be executed on an already running system.
It provides the same services as the kickstart script.
Setup KVM environment including X11 forwarding and bridging.
Download and instlal OPNSense firewall and passthrough PCI NICS according to their address.
Transform a RHEL 9 machine into readonly, especially if hypervisor exists
Setup and run prometheus, including blackbox_exporter, ipmi_exporter and snmp_exporter
Setup simplehelp service, compatible with readonly linux