-
Notifications
You must be signed in to change notification settings - Fork 1
/
kickstart-el7-netboot-basic-install.cfg
815 lines (653 loc) · 27.2 KB
/
kickstart-el7-netboot-basic-install.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
# Basic EL 7 Kickstart configuration
# Load form a webserver / GitHub after (network) boot
# Retrieves software directly from CentOS mirror
#
# Security recommendations according to CIS Benchmark for RHEL 7 (v 1.0.0)
# and/or CCE where applicable
# (partly implemented, skip Audit-configuration for non production systems)
#
# 201509 Joachim la Poutre'
################################################################################
# Command Section
################################################################################
# Perform the installation in a completely non-interactive command
# The recommended use is in conjunction with RUNKS=1 and ks=
cmdline
# (Required) We want to "install" as opposed to "upgrade" an existing system
#optional since Fedora 18 #
install
url --url http://mirror.centos.org/centos/7/os/x86_64/
# Use text mode install
text
# Reboot the machine after the installation is complete
# and attempt to eject the CD/DVD/Bootdisk
reboot
# X is not configured except for Desktops
skipx
# Skip EULA (include this for non-interactive install of subcription based EL)
eula --agreed
# System keyboard
keyboard us
# System language
lang en_US.UTF-8
# Setup agent should not start the first time the system boots:
firstboot --disable
# Include created here for the moment not working or required (CD boot)
%include /tmp/network
# (Required) Sets the root password so there is no prompt during installation
rootpw --iscrypted $6$rounds=1000000$Vk3DpNkIQEsP5dsy$4D6K/2L48u1CMJk.l8f8LftXbMP/NVvi2F5xEns7kShS1dhr0CROeecgjj8e1dvUptY0AajecNl/FZVQUkbmq0
# Enable the firewall
firewall --enabled --ssh --port=80:tcp
# shadow configuration:
authconfig --enableshadow --passalgo=sha512
# System timezone
timezone --utc Europe/Amsterdam
# CIS 1.4.1 Enable SELinux (default), 1.4.2 Enforcing, 1.4.3 Targeted Policy
selinux --enforcing
# CIS 1.5.3
# grub2 should be in grub.pbkdf2 format
bootloader --location=mbr --driveorder=sda --iscrypted --password grub.pbkdf2.sha512.10000.5FB84ED41DD9DB673C11AD32.88EC1A3EC9490565E4EE23D75D383FA5F0DB1FB1767E8062675F34D576A959684985B6D4A4B050EC5DDC1AD623E41F2596AC2F69CD9B328EC2F33E6E3B553B38
# Clear the Master Boot Record
zerombr
# Partition clearing information
# The --initlabel option has been deprecated. To initialize disks with invalid partition tables and clear their contents, use the zerombr command.
clearpart --all
# Include generated partition layout
%include /tmp/partitions
################################################################################
# Packages
# see output from 'yum group info Core'' (and 'Base')
################################################################################
%packages # obsolete # --nobase
@core
# add some basic software
acl
authconfig
bash-completion
bc
bind-libs
bind-utils
bridge-utils
bzip2
chrony
cpio
crontabs
ed
ethtool
file
firewalld
gnupg2
krb5-workstation
logrotate
lsof
lvm2
man-db
man-pages
nc
net-tools
openldap-clients
openssh-clients
#VMWare# open-vm-tools
# or in post install?
pam_krb5
pam_ldap
perl
plymouth
prelink
rsync
samba-common
samba-winbind
sssd
strace
tcpdump
tcp_wrappers
telnet
tmux
traceroute
virt-what
wget
which
xfsdump
xz
yum-utils
zip
# remove from Core:
-aic94xx-firmware
-alsa-firmware
-bfa-firmware
-dracut-config-rescue
-ivtv-firmware
-iwl1000-firmware
-iwl100-firmware
-iwl105-firmware
-iwl135-firmware
-iwl2000-firmware
-iwl2030-firmware
-iwl3160-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6000g2a-firmware
-iwl6000g2b-firmware
-iwl6050-firmware
-iwl7260-firmware
-kernel-tools
-libertas-sd8686-firmware
-libertas-sd8787-firmware
-libertas-usb8388-firmware
-microcode_ctl
-NetworkManager
-NetworkManager-tui
-ql2100-firmware
-ql2200-firmware
-ql23xx-firmware
%end
################################################################################
# Pre section
################################################################################
%pre --log=/tmp/ks-pre.log
#!/bin/bash
#
# First read the cmdline:
# on installation edit the PXE boot line and add: hostname=<hostname>
#
set -- `cat /proc/cmdline`
for I in $*;
do
case "$I" in
*=*) eval $I
;;
esac;
done
################################################################################
# Configure the network
################################################################################
touch /tmp/routing
# just use DHCP + eth0 (no fancy routing for straight forward VM installation)
if [ "${hostname}" != "" ]; then
echo "network --device=eth0 --bootproto=dhcp --onboot=yes --noipv6" \
--hostname=${hostname} >/tmp/network
else
echo "network --device=eth0 --bootproto=dhcp --onboot=yes --noipv6" \
>/tmp/network
fi
################################################################################
# Configure the boot disk
# NB: VM should be provisioned with minimum size or bigger!
################################################################################
# get the first hard drive from 'list-harddrives'
# e.g. output for one disk:
# sda 61440.0
#
# minimum size of hard drive needed specified in GIGABYTES
MINSIZE=10
INSTDISK=""
# /sys/block/*/size is in 512 byte chunks: GBs = blocks / 2^21
# DEVI=/sys/block/${DEV}
# SIZE=`cat ${DEVI}/size`
# GB=$(($SIZE/2**21))
#list-harddrives >/tmp/list-harddrives.out
# make first drive >= ${MINSIZE} INSTDISK
# WARNING: if your disk is not big enough, Kickstart faile without providing
# very helpful information!!
list-harddrives | while read DEV MSIZE
do
echo "Disk device: ${DEV}"
GBDS=$((${MSIZE%.*}/1024))
echo "Disk size in GB: ${GBDS}"
#if [ `echo $((${GBDS}/${MINSIZE}))` -ge 1 ]; then
if [ ${GBDS} -ge ${MINSIZE} ]; then
echo ${DEV} > /tmp/installdisk
break 1
fi
done
INSTDISK=${DEV}
echo "variable disk: ${INSTDISK}"
INSTDISK=`cat /tmp/installdisk`
echo "Install disk: ${INSTDISK}"
#
# Generate partition and volume layout
# CIS Benchmark 1.1: skip this for non-production
#
if [ "${hostname}" == "" -o "${hostname}" == "localhost" ]; then
vgname=vg_system
else
vgname=vg_${hostname%%.*}
fi
# RAM in GB:
MemTotal=`awk '/MemTotal:/ {print ($2/(1024^2))}' /proc/meminfo`
echo "RAM in GB: ${MemTotal}"
# use recommended swapsize below 32Gb RAM, above make a new decision about disks & swap
# EL 6 "--recommended" should translate to:
# RAM Gb swap space Gb
# =< 2 2 times RAM
# 2 < RAM =< 8 equal to RAM
# 8 < RAM =< 64 0.5 times RAM
# > 64 ???
# (same in EL 7?)
# We tested for a disk >= 60 Gb, with 27.5 Gb file systems that leaves about 32 Gb for paging
# ==> Up to 64 Gb RAM --recommended should work:
if [ ${MemTotal%.*} -lt 65 ]; then
swapsize=recommended
# for large memory systems just use 32Gb and add swap devices if needed:
else
swapsize="size=32768"
# or set swapzize=grow for bigger disks?
fi
# KISS: just /boot, / and swap:
echo "part /boot --fstype ext4 --size=512 --asprimary --ondisk ${INSTDISK}
part pv.3 --size=100 --grow
volgroup ${vgname} pv.3
logvol swap --fstype swap --name=lv_swap --vgname=${vgname} --${swapsize}
logvol / --fstype xfs --name=lv_root --vgname=${vgname} --size=100 --grow --maxsize=7168" >/tmp/partitions
%end
################################################################################
# Post sections follow here
#
# Feel free to re-implement everything using your configuration management
################################################################################
%post --log=/root/ks-post.log
# Get the hostname
echo "${HOSTNAME}" >> /tmp/hostname.txt
# Disables services (if xinetd is installed):
# Disable chargen-dgram: chkconfig chargen-dgram off
sed -i 's/disable.*no/disable = yes/' /etc/xinetd.d/chargen-dgram
# Disable chargen-stream: chkconfig chargen-stream off
sed -i 's/disable.*no/disable = yes/' /etc/xinetd.d/chargen-stream
# Disable daytime-dgram: chkconfig daytime-dgram off
sed -i 's/disable.*no/disable = yes/' /etc/xinetd.d/daytime-dgram
# Disable daytime-stream: chkconfig daytime-stream off
sed -i 's/disable.*no/disable = yes/' /etc/xinetd.d/daytime-stream
# Disable echo-dgram: chkconfig echo-dgram off
sed -i 's/disable.*no/disable = yes/' /etc/xinetd.d/echo-dgram
# Disable echo-stream: chkconfig echo-stream off
sed -i 's/disable.*no/disable = yes/' /etc/xinetd.d/echo-stream
# Disable tcpmux-server: chkconfig tcpmux-server off
sed -i 's/disable.*no/disable = yes/' /etc/xinetd.d/tcpmux-server
# Disable syslog, since we use rsyslog
# no longer in Core or Base: chkconfig syslog off
# CIS 1.4.4 Remove/disable SETroubleshoot, GUI should not be installed
# CIS 1.4.5 Disable SELinux Context Translation System Daemon
systemctl disable mcstransd.service
#
# System bootloader configuration
# CIS 1.5.1 Set the owner/group on /boot/grub2/grub.cfg
chown -L root:root /boot/grub2/grub.cfg
# CIS 1.5.1 Set restrictive permissions on the grub.conf file
chmod og-rwx /boot/grub2/grub.cfg
# CIS 6.1.2 Enable the Cron Daemon
systemctl enable crond.service
# Add includedir statement to the sudoers file, already in there also on EL 7
#echo "#includedir /etc/sudoers.d" >>/etc/sudoers
#
# Fix up the partitions to be secure
# CIS 1.1
#
FSTAB=/etc/fstab
# follow recommendations for /tmp and /shm for /boot:
# nodev, noexec, and nosuid on /boot
TEST="`grep ' \/boot ' ${FSTAB} | grep -c 'noexec'`"
if [ "$TEST" = "0" ]; then
MNT_OPTS=$(grep " \/boot " ${FSTAB} | awk '{print $4}')
sed -i "s/\( \/boot.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB}
fi
#
# nodev, noexec, and nosuid on /dev/shm
# CIS 1.1.14-16
#
TEST="`grep ' \/dev\/shm ' ${FSTAB} | grep -c 'noexec'`"
if [ "$TEST" = "0" ]; then
MNT_OPTS=$(grep " \/dev\/shm " ${FSTAB} | awk '{print $4}')
sed -i "s/\( \/dev\/shm.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB}
fi
# CIS 1.1.6
# Make /var/tmp use /tmp: makes no sense in EL 7 (behaves like SunOS)
# CIS 1.1.18 Disable mounting of cramfs
echo -e "install cramfs /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 1.1.19 Disable mounting of freevxfs
echo -e "install freevxfs /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 1.1.20 Disable mounting of jffs2
echo -e "install jffs2 /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 1.1.21 Disable mounting of hfs
echo -e "install hfs /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 1.1.22 Disable mounting of hfsplus
echo -e "install hfsplus /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 1.1.23 Disable mounting of squashfs
echo -e "install squashfs /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 1.1.24 Disable mounting of udf
echo -e "install udf /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 3.1 Set the daemon umask for legacy (SysV init) functions
sed -i 's/umask 022/umask 027/' /etc/init.d/functions
# CIS 3.2 default target is "Multi user". NB: this enables some services
# that should be disabled following the benchmark!
systemctl set-default multi-user.target
# Disable Virtual Consoles
sed -i "/^vc/d" /etc/securetty
# CIS 8.1 Set Banner in /etc/issue
echo "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quid igitur, inquit,
eos responsuros putas? Sed erat aequius Triarium aliquid de dissensione nostra
iudicare. Itaque ab his ordiamur. Duo Reges: constructio interrete. Recte,
inquit, intellegis. Stuprata per vim Lucretia a regis filio testata civis se
ipsa interemit.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" > /etc/issue
# CIS 8.2 Remove OS information from login
# /etc/issue done in 8.1, telnetd should not be installed, change anyway
echo "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quid igitur, inquit,
eos responsuros putas? Sed erat aequius Triarium aliquid de dissensione nostra
iudicare. Itaque ab his ordiamur. Duo Reges: constructio interrete. Recte,
inquit, intellegis. Stuprata per vim Lucretia a regis filio testata civis se
ipsa interemit.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" > /etc/issue.net
## CIS 8.3 Gnome Bannner --> N/A
# CIS 4.1.1: Disable IP forwarding
echo -e "\n# Changes for EL 7 content" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf
echo "net.ipv4.route.flush = 1" >> /etc/sysctl.conf
# CIS 4.1.2 Disable Send Redirects & Default Send Redirects
echo "net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf
# CIS 4.2.1 Disable Accept All Source Route
echo "net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf
# CIS 4.2.2 Disable ICMP redirect acceptance
echo "net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf
# CIS 4.2.3 Disable secure ICMP redirect acceptance
echo "net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf
# CIS 4.2.4 Log All martian network packets
echo "net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1 " >> /etc/sysctl.conf
# CIS 4.2.5 Ignore ICMP Broadcasts
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
# CIS 4.2.6 Ignore ICMP Bogus Error Responses
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf
# CIS 4.2.7 Enable Reverse Path Filtering
echo "net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
# CIS 4.2.8 Enable tcp Syncookies to protect agains SYN flood attacks
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
# CIS 4.4.1.1 Disable aceptance of router advertisements
echo "net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0" >> /etc/sysctl.conf
# CIS 4.4.1.2 Disable ipv6 accept redirects
echo "net.ipv6.conf.all.accept_redirect = 0
net.ipv6.conf.default.accept_redirect = 0" >> /etc/sysctl.conf
# CIS 4.4.2 Disable ipv6 <-- just disable configuring IPv6 stack in grub.cfg
# instead if you are really only using IPv4 (makes life easier with apache)
# CIS 1.6.1 Disable core dumps
echo "
# Disable dumps on termination du to segment violation or unexpected error
* hard core 0" >> /etc/security/limits.conf
echo "
# Disallow core dumping by setuid and setgid programs
fs.suid_dumpable = 0" >> /etc/sysctl.conf
# CIS 1.6.2 Configure ExecShield
echo "# Enable Execshield
kernel.exec-shield = 1" >> /etc/sysctl.conf
# CIS 1.6.3 Enable Randomized Virtual Memory Region Placement
echo "
# 0 Disable ASLR. This setting is applied if the kernel is booted with the norandmaps boot parameter.
# 1 Randomize the positions of the stack, virtual dynamic shared object (VDSO) page, and shared memory regions.
# The base address of the data segment is located immediately after the end of the executable code segment.
# 2 Randomize the positions of the stack, VDSO page, shared memory regions, and the data segment. This is the default setting.
kernel.randomize_va_space = 2" >> /etc/sysctl.conf
# Configure firewalld
# ...
# Don't use modprobe.conf, put changes in 1 place
touch /etc/modprobe.d/CIS-blacklist.conf
# CIS 4.6.1 Blacklist dccp
echo -e "install dccp /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 4.6.2 Blacklist sctp
echo -e "install sctp /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 4.6.3 Blacklist rds
echo -e "install rds /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 4.6.4 Blacklist tipc
echo -e "install tipc /bin/true" >> /etc/modprobe.d/CIS-blacklist.conf
# CIS 4.7 Enable iptables
systemctl enable iptables.service firewalld.service
# CIS 4.8 This is being set to off because IPv6 is disabled
systemctl disable ip6tables.service
# CIS 5.1.2 Activate rsyslog
systemctl enable rsyslog.service
# CIS 5.1.3 configure & 5.1.4 set permissions on rsyslog.conf
# CIS 5.1.5 send logging to remote server <-- if you have a syslog server
# CIS 5.2.2 Enable auditd daemon <-- only for production systems
# CIS 5.2.3 Make sure that daemons which start before the auditd daemon get audited too
# Eventually:
# CIS 4.4.2 only disable assigning IPv6 addresses (recommended)
# just SELinux in our case:
sed -i '/vmlinuz/ s/$/ selinux=1 enforcing=1/' /boot/grub2/grub.cfg
# Make the same change to the defaults
sed -i '/GRUB_CMDLINE_LINUX/ s/$/ selinux=1 enforcing=1/' /etc/default/grub
#
# Configure audit and auditing rules <-- not for non-production, see CIS
#
# CIS 5.3 Configure logrotate ==> default
# Disable readahead collection
systemctl disable systemd-readahead-collect.service systemd-readahead-done.service systemd-readahead-drop.service systemd-readahead-replay.service systemd-readahead-done.timer
# Disable bluetooth daemon
# static service, can't be disabled
# Disable hidd daemon
# see bluetooth
# Blacklist some Modules
# Don't use modprobe.conf, put changes in 1 place
# does net-pf-31 still exist?
touch /etc/modprobe.d/el7-blacklist.conf
echo "alias net-pf-31 off" >> /etc/modprobe.d/rhel7-blacklist.conf
echo "alias bluetooth off" >> /etc/modprobe.d/rhel7-blacklist.conf
# Disable ZEROCONF Networking Setup
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
# CIS 6.1.3 Set restrictive permissions on the anacrontab file
chmod 0600 /etc/anacrontab
# CIS 6.1.4 Set restrictive permissions on the crontab file
chmod 0600 /etc/crontab
# CIS 6.1.5 Set restrictive permissions on the cron.hourly file
chmod 0700 /etc/cron.hourly
# CIS 6.1.6 Set restrictive permissions on the cron.daily file
chmod 0700 /etc/cron.daily
# CIS 6.1.7 Set restrictive permissions on the cron.weekly file
chmod 0700 /etc/cron.weekly
# CIS 6.1.8 Set restrictive permissions on the cron.monthly file
chmod 0700 /etc/cron.monthly
# CIS 6.1.9 Set restrictive permissions on the cron.d directory
chmod og-rwx /etc/cron.d
# CIS 6.1.9 Set Correct User/group ownership on cron.d directory
chown root:root /etc/cron.d
# CIS 6.2.1 Set Correct user/group ownership on sshd_config file
# Protocol 2 <== default
# CIS 6.2.2 Set the LogLevel to INFO
# Default "INFO" (or change to VERBOSE)
#sed -i "s/#LogLevel INFO/LogLevel VERBOSE/" /etc/ssh/sshd_config
# CIS 6.2.3 Set Correct user/group ownership and permissions on sshd_config file
chown root:root /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config
# CIS 6.2.4 Disable X11Forwarding
sed -i "s/^X11Forwarding yes/X11Forwarding no/" /etc/ssh/sshd_config
# CIS 6.2.5 Set MaxAuthTries to 4 <-- Not Followed, keep it 6 or higher
#sed -i "s/#MaxAuthTries 6/MaxAuthTries 4/" /etc/ssh/sshd_config
# CIS 6.2.6 Set IgnoreRhosts to yes --> Default
#sed -i "s/#IgnoreRhosts yes/IgnoreRhosts yes/" /etc/ssh/sshd_config
# CIS 6.2.7 Disable HostbasesAuthentication --> Default
#sed -i "s/#HostbasedAuthentication no/HostbasedAuthentication no/" /etc/ssh/sshd_config
# CIS 6.2.8 Disable Root login via ssh <-- To Do
#sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
# CIS 6.2.9 Disable Empty Passwords --> Default
#sed -i "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/" /etc/ssh/sshd_config
# CIS 6.2.10 Disable UserEnvironment --> Default
#sed -i "s/#PermitUserEnvironment no/PermitUserEnvironment no/" /etc/ssh/sshd_config
# CIS 6.2.11 Restrict available ciphers in ssh
echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
# CIS 6.2.12 Set Client Alive Interval in sshd --> Not Followed!
#sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 300/" /etc/ssh/sshd_config
# CIS 6.2.12 Set Client Alive Count Max --> Not Followed!
#sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 0/" /etc/ssh/sshd_config
# CIS 6.2.13 Limit Access via SSH (AllowUsers/Groups DenyUsers/Groups) --> Not followed
# CIS 6.2.14 Point ssh banner to /etc/issue
sed -i "s/.*Banner.*/Banner \/etc\/issue/" /etc/ssh/sshd_config
# CIS 6.3.1 password hashing SHA-512 --> Default in EL 6+, add some nuber of rounds
# Default in EL 7
#sed -i "/pam_unix.so/s/sha512/sha512 rounds=1000000/" /etc/pam.d/system-auth-ac
# Set minimum number of rounds for sha
echo "SHA_CRYPT_MIN_ROUNDS=1000000" >> /etc/login.defs
# CIS 6.3.2 The following line covers the configuration of pam_cracklib --> Already followed via AD, root password procedure, implement anyway
#sed -i "s/retry=3 type=$/retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3 type=/" /etc/pam.d/system-auth-ac
sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3/" /etc/pam.d/system-auth-ac
# password also:
sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3/" /etc/pam.d/password-auth-ac
# CIS 6.3.3 Set Lockout for Failed Password Attempts --> not followed, already configured in AD
# CIS 6.3.4 Limit Password Reuse --> not followed, already configured in AD
# CIS 6.4 Disable Root login via ssh --> To configure in the production version of kickstart:
#sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
# Use SSSD for login:
#sed -i "s/#UsePAM no/UsePAM yes/" /etc/ssh/sshd_config # <-- already inserted below in EL
# Do not use 'kinit' (Kerberos) directly, let SSSD do it:
sed -i -e 's/^[#]KerberosAuthentication.*/KerberosAuthentication no/' /etc/ssh/sshd_config
# append EL specific option for keys
# sed -i -e '/^UsePAM.*/a\AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n' /etc/ssh/sshd_config
# CIS 6.5 restrict su to members of the wheel group --> Default in EL 6+
# CIS 7.1.1 Set Password Expiration Days --> not followed
# CIS 7.2 Disable System Accounts, (most) system accounts already have nologin in EL 6+
# CIS 7.3 Set default group for root account, --> this is default
# usermod -g 0 root
# CIS 7.4 Set Systemwide umask for Bourne-compatible shells
# Set Umask on login.defs (CCE 1410-7)
sed -i "/UMASK/s/[0-9]\{3\}/077/" /etc/login.defs
#sed -i "/umask/s/022/077/" /etc/csh.cshrc # tcsh not installed!
sed -i 's/umask[ ]*002/umask 077/' /etc/profile
sed -i 's/umask[ ]*002/umask 077/' /etc/bashrc
sed -i 's/umask[ ]*022/umask 027/' /etc/profile
sed -i 's/umask[ ]*022/umask 027/' /etc/bashrc
echo "umask 077" >> /root/.bashrc
chmod 0700 /root
# CIS 7.5 Lock inactive user accounts after 35 days --> not followed
#useradd -D -f 35
# Keep EL 7 defaults (same or more restrictive)
# CIS 9.1.2 Set restrictive permissions on the passwd file
#chmod 644 /etc/passwd
# CIS 9.1.6 Set Correct user/group ownership on passwd file
#chown root:root /etc/passwd
# CIS 9.1.3 Set restrictive permissions on the shadow file
#chmod 400 /etc/shadow
# CIS 9.1.7 Set Correct user/group ownership on shadow file
#chown root:root /etc/shadow
# CIS 9.1.4 Set restrictive permissions on the gshadow file
#chmod 400 /etc/gshadow
# CIS 9.1.8 Set Correct user/group ownership on gshadow file
#chown root:root /etc/gshadow
# CIS 9.1.5 Set restrictive permissions on the group file
#chmod 644 /etc/group
# CIS 9.1.9 Set Correct user/group ownership on group file
#chown root:root /etc/group
# CIS 6.2.1 Set restrictive permissions on the motd, issue and issue.net files
#chown root:root /etc/motd
#chown root:root /etc/issue
#chown root:root /etc/issue.net
#chmod 644 /etc/motd
#chmod 644 /etc/issue
#chmod 644 /etc/issue.net
# Disable the ATD daemon
systemctl disable atd.service
# Disable listening on tcp for the Xserver
if [ -f /etc/X11/xinit/xserverrc ]; then
echo "exec X :0 -nolisten tcp \$@" > /etc/X11/xinit/xserverrc
fi
# Point Gnome greeter to /etc/issue <-- no GDM installed
# CIS 3.3: Disable the avahi-daemon
systemctl disable avahi-daemon.service avahi-daemon.socket
# CIS 3.4 Disable cups (and HPLIP?), careful multi-user.target wants this!
systemctl disable cups.path cups-browsed.service cups.service cups.socket
# Disable hplip
#chkconfig hplip off # does not exist as a service in EL 7
# CIS 3.5 Disable DHCPD
systemctl disable dhcpd.service dhcpd6.service
# CIS 3.6 Enable ntp
timedatectl set-ntp yes
systemctl enable chronyd.service
# change to your own NTP servers if needed
sed -i -e '/^server.*/,/^$/c\server 0.europe.pool.ntp.org iburst\nserver 1.europe.pool.ntp.org iburst\nserver 2.europe.pool.ntp.org\n' /etc/chrony.conf
# CIS 3.7 do not install openldap-server but openldap-client is needed with AD
# Configure tls for OpenLDAP Client
# put SSSD configurations here
# Fix SELinux context on first login:
echo "# Fix SELinux context on first login:
if [ ! -f .context ]; then
/sbin/restorecon -R \`pwd\`
/bin/touch .context
fi" >> /etc/skel/.bashrc
# CIS 3.8 disable NFS and RPC (unless Tibco). NB: CIS has wrong commands!
# Disable nfslock
systemctl disable nfs-lock.service
systemctl disable nfslock.service
# Disable rpcgssd
systemctl disable rpcgssd.service
# Disable rpcbind
systemctl disable rpcbind.service
systemctl disable rpcbind.socket
#systemctl disable rpcbind.target <-- static!
# Disable rpcidmapd
systemctl disable rpcidmapd.service
# Disable rpcsvcgssd
systemctl disable rpcsvcgssd.service
# Disable netfs
systemctl disable remote-fs.target
# Disable portmapper
# see rpcbind: # systemctl disable rpcbind.service
# Disable NFS
systemctl disable nfs-secure.service nfs-server.service nfs.service nfslock.service nfs.target
# We turn this off since we already configured things
# obsolete? # chkconfig firstboot off # <-- see firstboot above
# Disable autofs
systemctl disable autofs.service
# CIS 3.9 3.16: bind, vsftpd, .. should not be installed unless needed
# CIS 3.16: postfix listening on localhost is the default in EL 6+
# If you prefer Emacs, remove these:
echo "set -o vi" >> /etc/profile
echo "set -o vi" >> /etc/bashrc
################################################################################
# Post install configurations:
################################################################################
# Specific sudo configurations should go in /etc/sudoers.d/<username>
# (sudo) history configuration ( should always work for EL
# most likely bash is compiled with “-DSYS_BASHRC=”/etc/bashrc” )
cat >> /etc/profile.d/history.sh << EOF
# Note:
# This will save your bash history no matter how many logon sessions are active.
shopt -s histappend
PROMPT_COMMAND='history -a'
# Define default history file and max history file size
if [ "\`/usr/bin/whoami\`" = "root" ]
then
export HISTFILE=\${HOME}/.hist.sa.\`logname\`
else
export HISTFILE=\${HOME}/.hist.\`logname\`
fi
HISTSIZE=5120
readonly HISTFILE HISTSIZE
EOF
# needs to be readable for everybody!
chmod 644 /etc/profile.d/history.sh
echo -e "#search my.domain.com
nameserver 8.8.8.8
nameserver 8.8.4.4" > /etc/resolv.conf
# Vagrant:
useradd -m -d /home/vagrant -s /bin/bash -p '$6$rounds=1000000$KKaL8Z6CY+YxSbNh$CfE6VGt92n6ESZOhYPRO7hMwBhoFpYCPwc7qqjPPEdJzp8kpkPCUA46zLDyuLgcnMaF32mFuaiukmCC3jSmQk/' -c "Vagrant Administrator" vagrant
mkdir /home/vagrant/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" > /home/vagrant/.ssh/authorized_keys
chmod 700 /u01/app/wlsofm/.ssh
chmod 600 /u01/app/wlsofm/.ssh/authorized_keys
################################################################################
# End post install configurations
################################################################################
###passwd -e root # <-- if you want to type in a complicated password ;-)
touch /.autorelabel
%end
%post --nochroot
cp /tmp/* /mnt/sysimage/tmp/
%end
# Reboot machine after installation
reboot