# workstation-ks.cfg
# version 0.7 2010-08-25
# Copyright 2010 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Authors:
#   Steve Grubb
#
# The purpose of this kickstart is to demonstrate usage of the USGCB
# standard desktop baseline. Documentation for Kickstart can be found at:
# http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/ch-kickstart2.html
#
# Layout: installer directives first, then the %packages selection, then a
# %post shell section that applies the per-row USGCB settings.  "(row N)"
# and CCE ids in comments refer to the USGCB spreadsheet being tracked.

# (Required) We want to "install" as opposed to "upgrade" an existing system
install

# Reboot the machine after the installation is complete
# and attempt to eject the CD/DVD/Bootdisk
reboot --eject

# Configure networking
# Kickstart assumes dhcp over eth0 if not specified otherwise
# These can be serialized on a per-machine basis, or
# provided on the command line during system installation as described
# The addresses below are example lab values; set them per machine.
#network --bootproto=static --ip= --netmask= --gateway= --nameserver=
network --bootproto=static --ip=192.168.122.99 --netmask=255.255.255.0 --gateway=192.168.122.1 --nameserver=192.168.122.1

# Install from a cdrom
cdrom
# another option is to install via HTTP
#url --url=http://192.168.122.1/iso/
# For use with LiveCD Creator
#repo --name=rhel5.5 --baseurl=file:///home/sgrubb/usgcb/repo/rhel5.5

# Set the language
lang en_US.UTF-8

# (Required) Set keyboard style
keyboard us

# Skip the RHN key setup, or enter the key here (will prompt without --skip)
key --skip

# Adding users and setting passwords:
# There are 3 options for setting rootpw (or adding user accounts & passwords)
# 1. Do not include the rootpw command and you will be prompted for the root
#    password during installation. This is the recommended method.
# 2. Include a hashed root password inside the kickstart file. This method is
#    not recommended, and is particularly not recommended if the kickstart will
#    ever be traveling over a network.
# 3. Include a clear text password. This is a generally terrible idea.
# (Required) Sets the root password so there is no prompt during installation
# Example: encrypted password is "password"
# The hash below is a published example for a known password; generate a
# site-specific SHA-512 crypt hash (or drop rootpw and be prompted) before
# this file is used for anything but a demo.
rootpw --iscrypted $6$naSytywF$AyVeKPcxnSMJg2L5b5YWGu7YFmgGW30HJ1qmqvjBBOBIbjQuqicsTuJndm0sns3vFpXGDx0SJzofARe914chx0

# Default firewall rules: reject incoming connections (except ssh, by default)
firewall --enabled

# Enable SELinux
selinux --enforcing

# (Required) Wrapper around the authconfig command
authconfig --enableshadow --passalgo=sha512

# (Required) Set the timezone
timezone --utc America/New_York

# (Required) (row 146)
# audit=1 is presumably on the kernel command line so auditing is active
# from boot rather than only once auditd starts.
bootloader --location=mbr --append="rhgb quiet audit=1"

# Partitions (Required for "install")
# This setup assumes a disk larger than 20GB, and should be modified with
# appropriate size partitions based on the machine's hardware
# Format the partitions/mbr first
zerombr
clearpart --all --initlabel

# Create primary partitions
part /boot --fstype "ext3" --size=512 --asprimary
# NOTE(review): a swap partition takes no filesystem type; confirm anaconda
# ignores --fstype here rather than rejecting the directive.
part swap --fstype "ext3" --size=1024
part pv.01 --size=1 --grow

# Create more logical partitions
# CCE (Rows 2 - 6)
# Separate volumes for /tmp, /home, /var, /var/log and /var/log/audit so the
# %post section can give each its own mount options (nodev/noexec/nosuid).
volgroup vgroup1 pv.01
logvol / --fstype ext3 --name=root --vgname=vgroup1 --size=4096 --grow
logvol /tmp --fstype ext3 --name=temp --vgname=vgroup1 --size=256
logvol /home --fstype ext3 --name=home --vgname=vgroup1 --size=1024
logvol /var --fstype ext3 --name=var --vgname=vgroup1 --size=2048
logvol /var/log --fstype ext3 --name=varlog --vgname=vgroup1 --size=512
logvol /var/log/audit --fstype ext3 --name=audit --vgname=vgroup1 --size=256

%packages
# These Package Groups are installed by default
@admin-tools
@base
@base-x
@core
@dialup
@editors
@gnome-desktop
@graphical-internet
@graphics
@java
@legacy-software-support
@office
@printing
@sound-and-video
@text-internet

# Individual packages not installed by default
emacs
# (row 226)
postfix
# CCE-3910-7 (row 102)
vlock
# CCE-4209-3 (row 13)
aide
## Added to support Puppet
ruby
# Make sure we are using a desktop package set
redhat-release-5Client

# Individual packages to be removed from the groups
-xinetd
-telnet-server
-telnet
-krb5-workstation
-rsh-server
-rsh
-tftp-server
# (row 225)
-sendmail
# (row 222)
-dhcp
# (row 243)
-vsftpd
# (row 245)
-httpd

# Post-install commands
# Some post-installation configuration can be done from the kickstart file
# itself. These actions should not be relied upon for system
# configuration/management. Anything in the %post section should be things
# that would immediately be done after installation that are either out of
# scope for the management software, or help prepare the system for the
# management software.
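%post
# Post-installation hardening for the USGCB desktop baseline.  Runs inside
# the freshly installed system under anaconda's %post shell (bash on RHEL 5).
# "(row N)" and CCE ids refer to the USGCB spreadsheet this kickstart tracks.
# There is no "set -e", as in the original: one failed edit does not stop
# the remaining steps.

# Install redhat-release key for later use validating rpms
# CCE (row 7)
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-auxiliary
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-former
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-rhx

# Disable rhnsd daemon (CCE-3416-5 row 8)
chkconfig rhnsd off
# Disable yum-updatesd daemon (CCE-4218-4 row 10)
chkconfig yum-updatesd off
# Notes (row 11, 12, and 14 are noops)

# Files edited repeatedly below
FSTAB=/etc/fstab
BLACKLIST=/etc/modprobe.d/usgcb-blacklist
SYSCTL_CONF=/etc/sysctl.conf
AUDIT_RULES=/etc/audit/audit.rules
SSHD_CONFIG=/etc/ssh/sshd_config

#######################################
# harden_mount: append mount options to one fstab entry unless present.
# Globals:   FSTAB (read, rewritten in place)
# Arguments: $1 - mount point as written in fstab, e.g. /var/log
#            $2 - comma-separated options to add, e.g. nodev,noexec,nosuid
# The entry is matched as " $1 " (a space on each side) so that /var/log
# does not also hit the /var/log/audit entry; like the original this assumes
# anaconda separates fstab fields with spaces.  Mount points that have no
# fstab entry are silently skipped.
#######################################
harden_mount() {
  local mnt=$1 opts=$2
  local entry cur_opts
  entry=$(grep -- " ${mnt} " "${FSTAB}")
  [ -n "${entry}" ] || return 0
  case "${entry}" in
    *"${opts}"*) return 0 ;;   # already hardened
  esac
  cur_opts=$(printf '%s\n' "${entry}" | awk '{print $4}')
  # '|' as the s/// delimiter so the slashes in the mount point need no escaping
  sed -i "s|\( ${mnt} .*${cur_opts}\)|\1,${opts}|" "${FSTAB}"
}

# Fix up the partitions to be secure
# CCE (rows 15 - 25)
# nodev, noexec, and nosuid on /boot
harden_mount /boot nodev,noexec,nosuid
# nodev on /home
harden_mount /home nodev
# nodev, noexec, and nosuid on /var/log/audit and /var/log
harden_mount /var/log/audit nodev,noexec,nosuid
harden_mount /var/log nodev,noexec,nosuid
# nodev, noexec, and nosuid on /tmp (Rows 19 - 21)
harden_mount /tmp nodev,noexec,nosuid
# nodev, noexec, and nosuid on /dev/shm (Rows 22 - 24)
harden_mount /dev/shm nodev,noexec,nosuid

# FIXME: This causes boot problems - thinks file system is corrupted
# Make /var/tmp use /tmp
# (Row 25)
# NOTE(review): as written this only appends when fstab ALREADY has a
# /var/tmp entry, so on a fresh install it is a no-op.  If that is how the
# FIXME above was worked around, commenting the block out would say so more
# plainly; kept as-is so the boot problem is not reintroduced.
if grep -q -- " /var/tmp " "${FSTAB}"; then
  printf '/tmp\t\t/var/tmp\t\t\text3\tbind,nodev,noexec,nosuid\t1 2\n' >> "${FSTAB}"
fi

# Don't use modprobe.conf, put changes in 1 place
touch "${BLACKLIST}"

#######################################
# disable_module: keep a kernel module from loading (install -> /bin/true).
# Globals:   BLACKLIST (appended)
# Arguments: $1 - module name
#######################################
disable_module() {
  echo "install $1 /bin/true" >> "${BLACKLIST}"
}

# Disable mounting of uncommon filesystems: cramfs (row 26), freevxfs (27),
# jffs2 (28), hfs (29), hfsplus (30), squashfs (31), udf (32)
for fs in cramfs freevxfs jffs2 hfs hfsplus squashfs udf; do
  disable_module "${fs}"
done
# Notes (row 33 - 51 are noops)

# TODO: is 027 really good? I remember it breaks some updates
# CCE-4220-0 (Row 52)
echo "umask 027" >> /etc/sysconfig/init
# CCE-4225-9 (Row 53)
# Was "echo -n", which left limits.conf without a final newline so the next
# line appended to it would have been glued onto this one.
echo "* hard core 0" >> /etc/security/limits.conf
# Notes (row 54 -57 are noops)
# CCE-3485-0, CCE-4256-4 (Rows 58 & 59)
sed -i "/^vc/d" /etc/securetty
# Notes (row 60 is noop)
# (Row 61)
# NOTE(review): hard-wired to line 4 of the stock RHEL 5 /etc/pam.d/su;
# verify that line is the one meant before reusing on another release.
sed -i "4s/^#//" /etc/pam.d/su
# Notes (rows 62 - 65 are noops)

# Password ageing in login.defs.  Replace the whole numeric value: the
# original's "[0-9]" rewrote only the first digit, which happened to work for
# the stock single-digit defaults and needed a separate "[0-9]\{5\}" for the
# 99999 in PASS_MAX_DAYS.
# CCE-4180-6 (Row 66)
sed -i "/PASS_MIN_DAYS/s/[0-9][0-9]*/1/" /etc/login.defs
# CCE-4097-2 (Row 67)
sed -i "/PASS_WARN_AGE/s/[0-9][0-9]*/14/" /etc/login.defs
# CCE-4092-3 (Row 68)
sed -i "/PASS_MAX_DAYS/s/[0-9][0-9]*/60/" /etc/login.defs
# CCE-4154-1 (Row 69)
sed -i "/PASS_MIN_LEN/s/[0-9][0-9]*/12/" /etc/login.defs
# Notes (rows 70 - 72 are noops)

# The following line covers CCE-3410-8, CCE-4154-1
# (rows 73 - 79)
sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 difok=3/" /etc/pam.d/system-auth

# CCE-3410-8 (row 80) gdm, sshd, and login: pam_tally2 after system-auth
for svc in gdm sshd login; do
  sed -i "/^auth/s/system-auth/system-auth\nauth\trequired\tpam_tally2.so deny=5 onerr=fail/" "/etc/pam.d/${svc}"
  sed -i "/^account/s/system-auth/system-auth\naccount\trequired\tpam_tally2.so/" "/etc/pam.d/${svc}"
done

# CCE-4185-2 (row 82) and CCE-3952-9 (row 81)
# chgrp BEFORE chmod: Linux clears the setuid bit when a file's owner or group
# changes (root included since 2.2.13), so the original order, chmod 4710 then
# chgrp, left userhelper without its setuid bit.
groupadd usergroup
chgrp usergroup /usr/sbin/userhelper
chmod 4710 /usr/sbin/userhelper

# (row 83)
# TODO check if sha512 is default in login.defs and pam_unix.so
sed -i "/pam_unix.so/s/md5/sha512/" /etc/pam.d/system-auth
sed -i "/ENCRYPT_METHOD/s/MD5/SHA512/" /etc/login.defs
# (row 84)
sed -i "/pam_unix.so/s/shadow/shadow remember=24/" /etc/pam.d/system-auth
# Notes (rows 85 - 87 are noops)

# (row 88)
# Basic regex needs the braces escaped; the original "[0-9]{3}" matched a
# digit followed by the literal text "{3}" and so never changed UMASK.
sed -i "/UMASK/s/[0-9]\{3\}/077/" /etc/login.defs
# CCE-3870-3 (row 89)
echo "umask 077" >> /etc/profile
# CCE-3844-8 (row 90)
sed -i "/umask/s/022/077/" /etc/bashrc
# CCE-4227-5 (row 91)
sed -i "/umask/s/022/077/" /etc/csh.cshrc
# Notes CCE-3923-0 (rows 92 is a noop)

# FIXME: This edit seems to get overwritten by anaconda
# CCE-3818-2 (row 93)
# grub password is: rhel5 -- an example hash; generate a site-specific one
# with grub-md5-crypt before deploying.
sed -i "s/hiddenmenu/hiddenmenu\npassword --md5 \$1\$zo4ui\/\$ToET.Pxb.ZO1X0TfGyTAF0/" /etc/grub.conf
# Notes CCE-4197-0, CCE-4144-2 (rows 94 - 95 are noops)
# CCE-4241-6 (row 96)
echo "~:S:wait:/sbin/sulogin" >> /etc/inittab
# CCE-4245-7 (row 97)
sed -i "/PROMPT/s/yes/no/" /etc/sysconfig/init

#######################################
# gconf_mandatory: set a GConf key in the mandatory (user-unchangeable) source.
# Arguments: $1 - type (int/bool/string)  $2 - key  $3 - value
#######################################
gconf_mandatory() {
  gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type "$1" --set "$2" "$3"
}
# CCE-3315-9 (row 98)
gconf_mandatory int /apps/gnome-screensaver/idle_delay 15
# (row 99)
gconf_mandatory bool /apps/gnome-screensaver/idle_activation_enabled true
# (row 100)
gconf_mandatory bool /apps/gnome-screensaver/lock_enabled true
# (row 101)
gconf_mandatory string /apps/gnome-screensaver/mode blank-only

# Login banner shared by /etc/issue (row 103) and the gdm theme (row 104).
# "\n" is kept literal here: echo -e and the sed replacement both expand it.
BANNER='-- WARNING --\nThis system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personal may provide the evidence of such monitoring to law enforcement officials.'
# (row 103)
echo -e "${BANNER}" > /etc/issue
# (row 104)
# NOTE(review): "15s//" means "reuse the last regex", and none precedes it, so
# GNU sed reports "no previous regular expression" and this edit is skipped.
# The intended anchor is probably "15s/^/"; confirm against line 15 of
# RHEL.xml before changing it.
sed -i "15s//\n \n \n \n \n \n${BANNER}\n <\/text>\n <\/item>\n <\/box>\n <\/item>\n\n /" /usr/share/gdm/themes/RHEL/RHEL.xml

# CCE-3977-6, CCE-3999-0, and CCE-3624-4 (rows 105 - 107) are noops
# CCE-3668-1 (row 108)
chkconfig mcstrans off
# (row 109) is noop

#######################################
# set_sysctl: append one "key = value" line to sysctl.conf.
# Globals:   SYSCTL_CONF (appended)
# Arguments: $1 - sysctl key  $2 - value
#######################################
set_sysctl() {
  echo "$1 = $2" >> "${SYSCTL_CONF}"
}
printf '\n# Changes for USGCB content\n' >> "${SYSCTL_CONF}"
# CCE-3561-8 (row 110)
set_sysctl net.ipv4.ip_forward 0
# CCE-4155-8 (row 111)
set_sysctl net.ipv4.conf.all.send_redirects 0
# CCE-4151-7 (row 112)
set_sysctl net.ipv4.conf.default.send_redirects 0
# CCE-3472-8 (row 113)
set_sysctl net.ipv4.conf.all.secure_redirects 0
# CCE-4217-6 (row 114)
set_sysctl net.ipv4.conf.all.accept_redirects 0
# CCE-4236-6 (row 115)
set_sysctl net.ipv4.conf.all.accept_source_route 0
# CCE-3339-9 (row 116)
set_sysctl net.ipv4.conf.default.secure_redirects 0
# CCE-4186-3 (row 117)
set_sysctl net.ipv4.conf.default.accept_redirects 0
# CCE-4091-5 (row 118)
set_sysctl net.ipv4.conf.default.accept_source_route 0
# CCE-4133-5 (row 119)
set_sysctl net.ipv4.icmp_ignore_bogus_error_messages 1
# CCE-3644-2 (row 120)
set_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
# CCE-4320-8 (row 121)
set_sysctl net.ipv4.conf.all.log_martians 1
# CCE-4080-8 (row 122)
set_sysctl net.ipv4.conf.all.rp_filter 1
# CCE-4265-5 (row 123)
set_sysctl net.ipv4.tcp_syncookies 1
# CCE-3840-6 (row 124)
set_sysctl net.ipv4.conf.default.rp_filter 1
# CCE-4276-2 (rows 125 and 126) are noops
# CCE-4170-7 (row 127) TODO: need module list
# CCE-3562-6 (row 128)
disable_module ipv6
# CCE-4313-3 (row 129)
# The key is accept_redirects (plural); the original "accept_redirect" is not
# a sysctl.  NOTE(review): with the ipv6 module disabled above neither
# net.ipv6 key exists at boot, so sysctl -p will report them as unknown.
set_sysctl net.ipv6.conf.default.accept_redirects 0
# CCE-4269-7 (row 130)
set_sysctl net.ipv6.conf.default.accept_ra 0
# CCE-4167-3 (row 131)
chkconfig ip6tables on
# CCE-4189-7 (row 132)
chkconfig iptables on
# (row 133)
# FIXME: This causes an X11 hang on boot
#sed -i "/INPUT/s/ACCEPT/DROP/" /etc/sysconfig/iptables
# Rarely used network protocols: dccp (row 134), sctp (row 135), rds (row
# 136), tipc (row 137; the original spelled it "ticp", which is no module).
for mod in dccp sctp rds tipc; do
  disable_module "${mod}"
done
# (rows 138 and 141) are noops
# TODO: send logging to remote server (row 142)
# CCE-3382-9 CCE-4182-2 (row 143 - 144) is noop
# CCE-4292-9 (row 145)
chkconfig auditd on

# (rows 147 - 154, 156 - 158)
# Seed audit.rules from the stig rules shipped in the audit package, minus the
# immutable flag (re-added last, row 160) and the ping rules.
STIG_RULES=$(rpm -ql audit | grep stig)
if [ -n "${STIG_RULES}" ]; then
  # shellcheck disable=SC2086 -- may expand to several paths; -h drops the
  # filename prefix grep adds when given more than one file
  grep -h -E -v 'immutable|ping|-e 2' ${STIG_RULES} > "${AUDIT_RULES}"
fi
# (row 155)
# NOTE(review): awk's $1 cuts a path at its first blank, so a setuid/setgid
# file with whitespace in its name would get a wrong rule.
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{printf "-a always,exit -F path=%s -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\n", $1 }' >> "${AUDIT_RULES}"
printf '\n\n' >> "${AUDIT_RULES}"
# (row 159)
{
  echo "-w /sbin/insmod -p x -k modules"
  echo "-w /sbin/rmmod -p x -k modules"
  echo "-w /sbin/modprobe -p x -k modules"
  echo "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules"
  echo "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
  printf '\n\n'
} >> "${AUDIT_RULES}"
# (row 160) -- must stay the last rule: locks the configuration until reboot
echo "-e 2" >> "${AUDIT_RULES}"

# (rows 161 - 174) are noops
# CCE-4421-4 (row 175)
chkconfig readahead_early off
# CCE-4302-6 (row 176)
chkconfig readahead_later off
# CCE-4355-4 (row 177)
chkconfig bluetooth off
# CCE-4377-8 (row 178)
chkconfig hidd off
# (row 179)
echo "alias net-pf-31 off" >> "${BLACKLIST}"
echo "alias bluetooth off" >> "${BLACKLIST}"
# (row 180 - 182) are noops
# (row 183)
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
# (rows 184 - 205) are noops
# (row 206)
chkconfig atd off
# CCE-4325-7 (row 207) is a noop

# (row 208)
sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 0/" "${SSHD_CONFIG}"
# CCE-3845-5 (row 209)
sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 300/" "${SSHD_CONFIG}"
# (rows 210- 211) are noop
# CCE-4387-7 (row 212)
sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" "${SSHD_CONFIG}"
# CCE-3660-8 (row 213) is a noop
# CCE-4431-8 (row 214)
sed -i "s/#Banner \/some\/path/Banner \/etc\/issue/" "${SSHD_CONFIG}"
# (row 215) is noop
# (row 216)
echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> "${SSHD_CONFIG}"

# CCE-4074-1 (row 217)
# Single quotes: "$@" must land in the file literally so the arguments xinit
# hands the server still reach X.  In the original's double quotes it expanded
# to the %post script's (empty) argument list and was lost.
echo 'exec X :0 -nolisten tcp $@' > /etc/X11/xinit/xserverrc
# (row 218)
sed -i "s/\[greeter\]/\[greeter\]\nInfoMsgFile=\/etc\/issue\n/" /etc/gdm/custom.conf
# CCE-4365-3 (row 219)
chkconfig avahi-daemon off
# CCE-4425-5 (row 220)
chkconfig hplip off
# CCE-4336-4 (row 221) noop due to (row 222)
# CCE-4376-0 (row 223)
chkconfig ntpd on
# row 224: ntp.conf has some ntp servers in it
# Row 227 is a noop

# (row 228)
sed -i "s/#ssl start_tls/ssl start_tls/" /etc/ldap.conf
sed -i "s/#tls_checkpeer/tls_checkpeer/" /etc/ldap.conf
sed -i "s/#tls_cacertdir \/etc\/ssl\/certs/tls_cacertdir \/etc\/pki\/tls\/CA/" /etc/ldap.conf
# The original escaped the "/" between pattern and replacement here, which
# made sed fail with an unterminated s command, so tls_cacertfile was never set.
sed -i "s/#tls_cacertfile \/etc\/ssl\/ca.cert/tls_cacertfile \/etc\/pki\/tls\/CA\/cacert.pem/" /etc/ldap.conf
# CCE-3501-4 (row 229) noop since openldap not installed

# CCE-4396-8 (row 230)
chkconfig nfslock off
# CCE-3535-2 (row 231)
chkconfig rpcgssd off
# CCE-3568-3 (row 232)
chkconfig rpcidmapd off
# CCE-4533-6 (row 233) TODO: are we sure about this? samba?
chkconfig netfs off
# CCE-4550-0 (row 234)
chkconfig portmap off
# CCE-4473-5 (row 235)
chkconfig nfs off
# CCE-4491-7 (row 236)
chkconfig rpcsvcgssd off
# (rows 237 - 239) are noops
# CCE-3578-2 (row 240 & 241) noop
# CCE-3919-8 (row 242) noop since 243 has it uninstalled
# (rows 244) is a noop since httpd not installed
# (rows 246 - 247) are noops since dovecot is not installed
# (rows 248) is a noops since the server is not installed
# (row 249)
sed -i "s/\[global\]/\[global\]\nclient signing = mandatory/" /etc/samba/smb.conf
# row 250 is a noop due to needing to be done in fstab
# (rows 251 and 252) are noops due to squid not being installed
# (rows 253 and 254) are noops since net-snmp is not installed

# We turn this off since we already configured things
chkconfig firstboot off
#touch /.autorelabel

# Now do the live CD stuff
#%include live2.cfg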