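# workstation-ks.cfg
# version 1.4 2010-06-29
#
# The purpose of this kickstart is to demonstrate usage of the DoD
# standard desktop baseline.
#
# Documentation for Kickstart can be found at:
# http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/ch-kickstart2.html
#
# Security notes for anyone adapting this file:
#   * Do not put real password hashes in a kickstart that travels over the
#     network (see the rootpw discussion below).  The hashes in this file are
#     demonstration values and must be regenerated before use.
#   * The %post section is executed as root inside the freshly installed
#     system; keep it idempotent and keep everything it touches explicit.

# (Required) We want to "install" as opposed to "upgrade" an existing system
install

# Reboot the machine after the installation is complete
# and attempt to eject the CD/DVD/Bootdisk
reboot --eject

# Appear interactive and take screenshots of setup as it is being configured
#autostep --autoscreenshot

# Configure networking
# Kickstart assumes dhcp over eth0 if not specified otherwise
# These can be serialized on a per-machine basis, or
# provided on the command line during system installation as described
#network --bootproto=static --ip= --netmask= --gateway= --nameserver=

# Install from a cdrom
# another option is to install via FTP/HTTP.  Note that an unauthenticated
# network install source can be tampered with in transit; the GPG keys
# imported in %post only protect packages installed *after* first boot.
#url --url=ftp:///pub/rhel5/
#url --url=http://127.0.0.1/iso/
cdrom

# For use with LiveCD Creator
#repo --name=rhel5.5 --baseurl=file:///home/sgrubb/usgcb/repo/rhel5.5

# Set the language
lang en_US.UTF-8

# (Required) Set keyboard style
keyboard us

# Skip the RHN key setup, or enter the key here (will prompt without --skip)
key --skip

# Adding users and setting passwords:
# There are 3 options for setting rootpw (or adding user accounts & passwords)
# 1. Do not include the rootpw command and you will be prompted for the root
#    password during installation. This is the recommended method.
# 2. Include a hashed root password inside the kickstart file. This method is
#    not recommended, and is particularly not recommended if the kickstart will
#    ever be traveling over a network.
# 3. Include a clear text password. This is a generally terrible idea.
#
# (Required) Sets the root password so there is no prompt during installation
# Example: encrypted password is "password"
#rootpw --iscrypted $6$naSytywF$AyVeKPcxnSMJg2L5b5YWGu7YFmgGW30HJ1qmqvjBBOBIbjQuqicsTuJndm0sns3vFpXGDx0SJzofARe914chx0

# Default firewall rules: reject incoming connections (except ssh, by default)
firewall --enabled

# Enable SELinux
selinux --enforcing

# (Required) Wrapper around the authconfig command
authconfig --enableshadow --passalgo=sha512

# (Required) Set the timezone
timezone --utc America/New_York

# (Required) Boot loader.  audit=1 enables auditing of processes started
# before auditd is running.
# CCE-3818-2: protect the GRUB menu with a password.  This is the documented
# way to do it from kickstart (the old "password --md5" line that used to sit
# in %post is grub.conf syntax, not a shell command, and was never applied).
# The hash below is a published demonstration value; regenerate it with
# /sbin/grub-md5-crypt before deploying.
bootloader --location=mbr --append="video=vesafb:ywrap,mtrr vga=0x318 rhgb quiet audit=1" --md5pass=$1$zo4ui/$ToET.Pxb.ZO1X0TfGyTAF0

# Partitions (Required for "install")
# This setup assumes a disk larger than 20GB, and should be modified with
# appropriate size partitions based on the machine's hardware

# Format the partitions/mbr first
zerombr
clearpart --all --initlabel

# Create primary partitions
part /boot --fstype "ext3" --size=512 --asprimary
# swap has no filesystem type of its own; the documented form takes no --fstype
part swap --size=1024
part pv.01 --size=1 --grow

# Create more logical partitions
# Separate volumes so that /tmp, /home, /var and the logs can carry their own
# mount options and cannot fill the root filesystem.
# CCE (Rows 2 - 6)
volgroup vgroup1 pv.01
logvol / --fstype ext3 --name=root --vgname=vgroup1 --size=1024 --grow
logvol /tmp --fstype ext3 --name=temp --vgname=vgroup1 --size=2048
logvol /home --fstype ext3 --name=home --vgname=vgroup1 --size=6144
logvol /var --fstype ext3 --name=var --vgname=vgroup1 --size=5120
logvol /var/log --fstype ext3 --name=varlog --vgname=vgroup1 --size=1024
logvol /var/log/audit --fstype ext3 --name=audit --vgname=vgroup1 --size=512

%packages
# These Package Groups are installed by default
@admin-tools
@base
@base-x
@core
@dialup
@editors
@gnome-desktop
@graphical-internet
@graphics
@java
@legacy-software-support
@office
@printing
@sound-and-video
@text-internet

# Individual packages installed by default
#kexec-tools
fipscheck
#sgpio
emacs
#libsane-hpaio
#xorg-x11-server-Xnest
postfix
vlock
# TODO: Does aide get installed by default? (CCE-4209-3 row 13)
# These seem to not be downloaded
#chkconfig
#ntp
redhat-release-5Client
## Added to support Puppet
ruby

# Individual packages to be removed from the groups
# (clear-text and legacy remote-access services, superseded MTA)
-xinetd
-telnet-server
-telnet
-krb5-workstation
-rsh-server
-rsh
-tftp-server
-sendmail

# Post-install commands
# Some post-installation configuration can be done from the kickstart file
# itself.  These actions should not be relied upon for system
# configuration/management.  Anything in the %post section should be things
# that would immediately be done after installation that are either out of
# scope for the management software, or help prepare the system for the
# management software.
%post

# Install redhat-release keys for later use validating rpms
# CCE (row 7)
# Only import keys that actually shipped with this release; a missing file
# would otherwise make rpm --import fail noisily.
for KEY in /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-auxiliary \
           /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-former \
           /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release \
           /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-rhx; do
  if [ -f "$KEY" ]; then
    rpm --import "$KEY"
  fi
done

# Disable rhnsd daemon (CCE-3416-5 row 8)
/sbin/chkconfig --level 12345 rhnsd off

# Disable yum-updatesd daemon (CCE-4218-4 row 10)
/sbin/chkconfig --level 12345 yum-updatesd off

# Notes (row 11, 12, and 14 are noops)

# Enable auditd service (2.6.2.1)
/sbin/chkconfig --level 12345 auditd on

# Fix up the partitions to be secure
# CCE (rows 15 - 25)
FSTAB=/etc/fstab
SED=/bin/sed

# add_mount_opts MOUNTPOINT OPTS
#   Append the comma-separated OPTS to the options field (field 4) of the
#   non-comment fstab entry whose mount point (field 2) is MOUNTPOINT.
#   Skips the edit when the entry is missing (returns 1) or when its option
#   list already contains the first option of OPTS (returns 0), so the
#   function can be re-run safely.
add_mount_opts() {
  MP="$1"
  OPTS="$2"
  MARKER="${OPTS%%,*}"
  if ! awk -v mp="$MP" '$1 !~ /^#/ && $2 == mp { f = 1 } END { exit !f }' "$FSTAB"; then
    echo "add_mount_opts: no fstab entry for $MP, skipping" >&2
    return 1
  fi
  if awk -v mp="$MP" -v m="$MARKER" \
       '$1 !~ /^#/ && $2 == mp && index($4, m) { f = 1 } END { exit !f }' "$FSTAB"; then
    return 0
  fi
  # Match the first four whitespace-separated fields of the entry and append
  # to the fourth.  MP comes from the fixed list below, never from user input.
  ${SED} -i "s|^\([^#][^[:space:]]*[[:space:]]\+${MP}[[:space:]]\+[^[:space:]]\+[[:space:]]\+[^[:space:]]\+\)|\1,${OPTS}|" "$FSTAB"
}

# nodev, noexec, and nosuid on /boot
add_mount_opts /boot nodev,noexec,nosuid

# nodev on /home
add_mount_opts /home nodev

# nodev, noexec, and nosuid on /var/log/audit
add_mount_opts /var/log/audit nodev,noexec,nosuid

# nodev, noexec, and nosuid on /tmp
# (Rows 19 - 21)
add_mount_opts /tmp nodev,noexec,nosuid

# nodev, noexec, and nosuid on /dev/shm
# (Rows 22 - 24)
# (The previous version looked up /tmp's options here by copy-paste and so
# edited the wrong line.)
add_mount_opts /dev/shm nodev,noexec,nosuid

# Make /var/tmp use /tmp
# (Row 25)
# Only add the bind mount when no /var/tmp entry exists yet (the earlier test
# was inverted and only appended when one was already present).  fs_passno is
# 0 so fsck -A does not try to check the bind source as a block device.
if ! grep -q "^[^#][^[:space:]]*[[:space:]]\+/var/tmp[[:space:]]" "$FSTAB"; then
  printf '/tmp\t\t/var/tmp\t\tnone\tbind,nodev,noexec,nosuid\t0 0\n' >> "$FSTAB"
fi

# Disable mounting of uncommon filesystems by making modprobe run /bin/true
# instead of loading the module.  These live in their own file under
# /etc/modprobe.d so that updates to /etc/modprobe.conf cannot clobber them.
# cramfs (row 26), freevxfs (row 27), jffs2 (row 28), hfs (row 29),
# hfsplus (row 30), squashfs (row 31), udf (row 32)
MODPROBE_CONF=/etc/modprobe.d/usgcb-filesystems.conf
: > "$MODPROBE_CONF"
for FS in cramfs freevxfs jffs2 hfs hfsplus squashfs udf; do
  printf 'install %s /bin/true\n' "$FS" >> "$MODPROBE_CONF"
done

# Notes (row 33 - 51 are noops)

# TODO: is 027 really good?  I remember it breaks some updates
# CCE-4220-0 (Row 52)
printf 'umask 027\n' >> /etc/sysconfig/init

# Disable core dumps for all users.
# NOTE: this only takes effect on login paths that invoke pam_limits
# (gdm, sshd, crond via system-auth).
# CCE-4225-9 (Row 53)
printf '* hard core 0\n' >> /etc/security/limits.conf

# Notes (row 54 -57 are noops)

# Remove the virtual-console entries from securetty
# CCE-3485-0, CCE-4256-4 (Rows 58 & 59)
${SED} -i "/^vc/d" /etc/securetty

# Notes (row 60 is noop)

# Restrict su to members of the wheel group by uncommenting the pam_wheel
# line.  Matched by content rather than by line number so a vendor update to
# /etc/pam.d/su cannot make this uncomment the wrong line.
# (Row 61)
${SED} -i 's/^#[[:space:]]*\(auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid\)/\1/' /etc/pam.d/su

# Notes (rows 62 - 65 are noops)

# set_login_def KEY VALUE
#   Set KEY to VALUE in /etc/login.defs, replacing an existing active line
#   or appending one.  Anchored at line start so commented descriptions of
#   the same key are left alone.
set_login_def() {
  if grep -q "^$1[[:space:]]" /etc/login.defs; then
    ${SED} -i "s/^$1[[:space:]].*/$1\t$2/" /etc/login.defs
  else
    printf '%s\t%s\n' "$1" "$2" >> /etc/login.defs
  fi
}

# CCE-4180-6 (Row 66)
set_login_def PASS_MIN_DAYS 1
# CCE-4097-2 (Row 67)
set_login_def PASS_WARN_AGE 14
# CCE-4092-3 (Row 68)
set_login_def PASS_MAX_DAYS 60
# CCE-4154-1 (Row 69)
set_login_def PASS_MIN_LEN 12

# Notes (rows 70 - 72 are noops)

# Password complexity.  The following line covers CCE-3410-8, CCE-4154-1
# (rows 73 - 79)
${SED} -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 difok=3/" /etc/pam.d/system-auth

# CCE-3410-8 (row 80)
# FIXME

# Restrict userhelper (consolehelper) to members of "usergroup".
# CCE-4185-2 (row 82), CCE-3952-9 (row 81)
# Order matters: on Linux a chgrp on an executable clears the setuid bit even
# when root does it, so the group change must happen *before* chmod 4710 or
# userhelper is left without setuid.
if ! getent group usergroup >/dev/null; then
  groupadd usergroup
fi
chgrp usergroup /usr/sbin/userhelper
chmod 4710 /usr/sbin/userhelper

# (row 83)
# authconfig --passalgo=sha512 above should already have done this; these
# are belt-and-braces in case the defaults differ.
${SED} -i "/pam_unix.so/s/md5/sha512/" /etc/pam.d/system-auth
set_login_def ENCRYPT_METHOD SHA512

# Remember the last 24 password hashes so they cannot be reused
# (row 84)
${SED} -i "/pam_unix.so/s/shadow/shadow remember=24/" /etc/pam.d/system-auth

# Notes (rows 85 - 87 are noops)

# (row 88)
# The old "[0-9]{3}" pattern was a literal in sed's basic regex syntax, so
# UMASK was never actually changed.
set_login_def UMASK 077

# CCE-3870-3 (row 89)
printf 'umask 077\n' >> /etc/profile

# CCE-3844-8 (row 90)
${SED} -i "/umask/s/022/077/" /etc/bashrc

# CCE-4227-5 (row 91)
${SED} -i "/umask/s/022/077/" /etc/csh.cshrc

# Notes CCE-3923-0 (rows 92 - 94 are noops)

# CCE-3818-2 (row 95): GRUB password is set by --md5pass on the bootloader
# line at the top of this file.

# Notes CCE-4197-0, CCE-4144-2 (rows 96 - 97 are noops)

# Require the root password for single-user mode
# CCE-4241-6 (row 98)
printf '~:S:wait:/sbin/sulogin\n' >> /etc/inittab

# Disable interactive boot
# CCE-4245-7 (row 99)
${SED} -i "/PROMPT/s/yes/no/" /etc/sysconfig/init

# Setup correct auditing rules
# The audit package ships a STIG rule set in its documentation directory;
# take the first match so a second hit can never turn cp into a multi-file
# copy that fails.
AUDIT_RULES=$(rpm -ql audit | grep stig | head -n 1)
if [ -n "$AUDIT_RULES" ] && [ -f "$AUDIT_RULES" ]; then
  cp -- "$AUDIT_RULES" /etc/audit/audit.rules
else
  echo "warning: no stig audit rules found in the audit package" >&2
fi

# Update the time from an NTP server (should be customized to a local ntp server)
#/usr/sbin/ntpdate time-a.nist.gov

# Now do the live CD stuff
#%include live2.cfg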