###############################################################################
# SCAP Security Guide RHEL 6 DVD CREATOR
#
# This script was written by Frank Caviggia, Red Hat Consulting
# Last update was 15 April 2017
# This script is NOT SUPPORTED by Red Hat Global Support Services.
#
# Author: Frank Caviggia ([email protected])
# Copyright: Red Hat, (c) 2018
# License: Apache License, Version 2.0
# Description: Kickstart Installation of RHEL 6 with SSG
###############################################################################
ABOUT
=====
Modifies a RHEL 6.4+ x86_64 Workstation or Server DVD with a kickstart
that will install a system that is configured and hardened for
Red Hat Enterprise Linux 6. (Latest Update RHEL 6.9)
The kickstart script involves the integration of the following projects
into a single installer:
- classification-banner.py (Python for displaying graphical classification banner)
https://github.com/RedHatGov/classification-banner
- SCAP Security Guide (SSG) Content - Benchmark and hardening scripts for the
system after installation
https://github.com/OpenSCAP/scap-security-guide
CONTENT
=======
createiso.sh - installation script to modify RHEL 6.4+ ISO image
/config - Kickstarts, Python, and RPMs needed to modify image.
    isolinux/
        grub.conf - Menu Configuration for Kickstart
        isolinux.cfg - Menu Configuration for Kickstart
    hardening/
        ssg-rhel.cfg
            Kickstart Configuration (Calls menu.py in %pre)
        menu.py
            Python Script that presents a graphical menu to modify the
            kickstart. Contains the "Profiles" for configuring the
            system partitioning and packages.
        classification-banner.py
            Graphical Classification Banner (for GNOME Desktops User/
            Developer Workstation Profiles)
        scap-security-guide-*.el6.noarch.rpm
            Uses OpenSCAP and the SCAP Security Guide (SSG) to test and
            remediate the system.
        ssg-suplemental.sh
            Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME,
            wheel group for root access, etc.)
        rhevm-preinstall.sh
        rhevm-postinstall.sh
            Scripts to loosen settings temporarily to allow registration
            of the system with RHEV-M by allowing root login and allowing
            exec in /tmp. Run rhevm-postinstall.sh after the system is added
            to RHEV-M. Copied to /root after kickstart install.
        iptables.sh
            Configures the firewall during kickstart installation. Called by
            the menu.py script. The firewall is configured to the recommended
            ports for each product or profile. Copied to /root after kickstart
            install.
        ipa-pam-configuration.sh
            Configures the system for IPA/IdM authentication by
            overwriting the pam.d configurations. Copied to /root
            after kickstart installation.
HARDENING INFORMATION
=====================
Here is some additional information about what the supplemental hardening
script applies on top of the SSG:
1. The kernel is configured in FIPS 140-2 mode on install
2. Shell timeout (bash/csh) is 15 minutes of inactivity; vlock will lock the CLI
   console
3. The 'wheel' group is required for privileged users (beyond root) to run
   `su -` or `sudo -i` commands; the sudo timeout is 5 minutes
4. The 'sshusers' group is required for SSH/SFTP access; users without this
   group are limited to console access
5. Runlevel 3 is configured by default to meet requirements; run the following
   for an X Windows session:
   $ startx
6. Additional software such as McAfee ePO/HBSS may be required to meet site
   policy
7. Configure NTP (/etc/ntp.conf) and rsyslog logging to a remote server
   (/etc/rsyslog.conf)
8. Create users:
   Local Console Access Only (Unprivileged)
   # useradd -m -c "Local User" localuser
   Remote Access (Unprivileged)
   # useradd -m -c "Remote User" -G sshusers remoteuser
   System Administrator (SA) (Privileged User)
   # useradd -m -c "System Administrator" -G sshusers,wheel admin
   (Optional) After adding SAs to the system, lock the root account:
   # passwd -l root
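As an added audit example (not part of this project), the POSIX shell script below checks an installed system, or a mounted image, for the controls listed above and reports which are missing. The file locations and settings it greps for (TMOUT in /etc/profile.d, pam_wheel in /etc/pam.d/su, timestamp_timeout in /etc/sudoers, AllowGroups in sshd_config, id:3 in /etc/inittab) are assumptions about how ssg-suplemental.sh applies them, not taken from its source.

```shell
# check_hardening ROOT: greps a RHEL 6 filesystem tree rooted at ROOT for the
# controls listed above and returns the number that are missing (0 = all
# present). Passing "" audits the live system; passing a mount point audits
# an installed image. Config file locations and settings are assumptions.
check_hardening() {
    root="$1"; fails=0
    _check() {  # _check DESCRIPTION REGEX FILE...   (-s: missing file = FAIL)
        desc="$1"; pat="$2"; shift 2
        if grep -Eqs -- "$pat" "$@"; then
            printf 'PASS  %s\n' "$desc"
        else
            printf 'FAIL  %s\n' "$desc"; fails=$((fails + 1))
        fi
    }
    _check 'kernel running in FIPS 140-2 mode' '^1$' \
        "$root/proc/sys/crypto/fips_enabled"
    _check 'shell timeout 15 min (TMOUT=900)' \
        '^[[:space:]]*(export[[:space:]]+)?TMOUT=900([[:space:]]|$)' \
        "$root"/etc/profile.d/*.sh "$root/etc/profile"
    _check 'wheel group required for su' \
        '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' \
        "$root/etc/pam.d/su"
    _check 'sudo timeout 5 min' 'timestamp_timeout=5([^0-9]|$)' \
        "$root/etc/sudoers"
    _check 'SSH restricted to sshusers group' \
        '^[[:space:]]*AllowGroups([[:space:]]+[^[:space:]]+)*[[:space:]]+sshusers([[:space:]]|$)' \
        "$root/etc/ssh/sshd_config"
    _check 'default runlevel 3' '^id:3:initdefault:' "$root/etc/inittab"
    return "$fails"
}

# make_sample_tree DIR: constructed sample config files (not copied from a
# real host) so the audit can be exercised offline.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/proc/sys/crypto" "$d/etc/profile.d" "$d/etc/pam.d" "$d/etc/ssh"
    echo 1 > "$d/proc/sys/crypto/fips_enabled"
    echo 'export TMOUT=900' > "$d/etc/profile.d/autologout.sh"
    printf 'auth\tsufficient\tpam_rootok.so\nauth\trequired\tpam_wheel.so use_uid\n' \
        > "$d/etc/pam.d/su"
    printf 'Defaults timestamp_timeout=5\n%%wheel ALL=(ALL) ALL\n' > "$d/etc/sudoers"
    printf 'PermitRootLogin no\nAllowGroups sshusers\n' > "$d/etc/ssh/sshd_config"
    echo 'id:3:initdefault:' > "$d/etc/inittab"
}

# Demo against the constructed tree; use check_hardening "" on a real host.
tmp=$(mktemp -d) && make_sample_tree "$tmp"
check_hardening "$tmp"; echo "missing controls: $?"
rm -rf "$tmp"
```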
EXAMPLE
=======
# ./createiso.sh rhel-server-6.6-x86_64-dvd.iso
Mounting RHEL DVD Image...
mount: /dev/loop0 is write-protected, mounting read-only
Done.
Copying RHEL DVD Image... Done.
Modifying RHEL DVD Image... Done.
Remastering RHEL DVD Image...
I: -input-charset not specified, using utf-8 (detected in locale settings)
Using RELEA000.HTM;1 for /RELEASE-NOTES-ja-JP.html (RELEASE-NOTES-ta-IN.html)
<..........................................>
Using POLIC003.RPM;1 for ./Packages/policycoreutils-python-2.0.83-19.39.el6.x86_64.rpm (policycoreutils-newrole-2.0.83-19.39.el6.x86_64.rpm)
Size of boot image is 4 sectors -> No emulation
0.27% done, estimate finish Tue Jan 21 22:04:41 2014
<...........................................>
99.86% done, estimate finish Tue Jan 21 22:06:46 2014
Total translation table size: 976326
Total rockridge attributes bytes: 430528
Total directory bytes: 661504
Path table size(bytes): 286
Max brk space used 3ee000
1882600 extents written (3676 MB)
Done.
Signing RHEL DVD Image...
Inserting md5sum into iso image...
md5 = ec4618f4ccc6ccac3cfed291ef341012
Inserting fragment md5sums into iso image...
fragmd5 = e115ca49531d6adfee6caadeaf6a895cdc4c3e8b9341f58f5e11e9113a79
frags = 20
Setting supported flag to 0
Done.
DVD Created. [ssg-rhel.iso]