-
Notifications
You must be signed in to change notification settings - Fork 17
DVD embedded Kickstart for RHEL 6 utilizing SCAP Security Guide (SSG) as a hardening script.
License
RedHatGov/ssg-el6-kickstart
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
###############################################################################
# SCAP Security Guide RHEL 6 DVD CREATOR
#
# This script was written by Frank Caviggia, Red Hat Consulting
# Last update was 15 April 2017
# This script is NOT SUPPORTED by Red Hat Global Support Services.
#
# Author: Frank Caviggia (fcaviggia@gmail.com)
# Copyright: Red Hat, (c) 2018
# License: Apache License, Version 2.0
# Description: Kickstart Installation of RHEL 6 with SSG
###############################################################################
ABOUT
=====
Modifies a RHEL 6.4+ x86_64 Workstation or Server DVD with a kickstart
that will install a system that is configured and hardened for
Red Hat Enterprise Linux 6. (Latest Update RHEL 6.9)
The kickstart script involves the integration of the following projects
into a single installer:
- classification-banner.py (Python for displaying graphical classification banner)
https://github.com/RedHatGov/classification-banner
- SCAP Security Guide (SSG) Content - Benchmark and hardening scripts for the
system after installation
https://github.com/OpenSCAP/scap-security-guide
CONTENT
=======
createiso.sh - installation script to modify RHEL 6.4+ ISO image
/config - Kickstarts, Python, and RPMs needed to modify image.
isolinux/
grub.conf - Menu Configuration for Kickstart
isolinux.cfg - Menu Configuration for Kickstart
hardening/
ssg-rhel.cfg
Kickstart Configuration (Calls menu.py in %pre)
menu.py
Python Script that presents a graphical menu to modify the
kickstart. Contains the "Profiles" for configuring the
system partitioning and packages.
classification-banner.py
Graphical Classification Banner (for GNOME Desktops User/
Developer Workstation Profiles)
scap-security-guide-*.el6.noarch.rpm
Uses OpenSCAP and the SCAP Security Guide (SSG) to test and
remediate system.
ssg-suplemental.sh
Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME,
wheel group for root access, etc.)
rhevm-preinstall.sh
rhevm-postinstall.sh
Scripts to losen settings temporararily to allow registration
of the system with RHEV-M by allowing root login and allowing
exec in /tmp. Run rhevm-postinstall.sh after system is added
into RHEV-M. Copied to /root after kickstart install
iptables.sh
Configures firewall during kicckstart installation. Called in
menu.py script. Firewall is configured to reccomended ports
for each product or profile. Copied to /root after kickstart
install
ipa-pam-configuration.sh
Configures system for using IPA/IdM authentication by
overwriting the pam.d configurations. Copied to /root
after kickstart installation
HARDENING INFORMATION
=====================
Here is some additional information added by the supplemental hardening script
in addition to the SSG:
1. The kernel is cofigured in FIPS 140-2 mode on install
2. Shell timeout (bash/csh) is 15 minutes of inactivity, vlock will lock CLI
console
3. The 'wheel' group is required for privleged users (beyond root) to run
`su -` or `sudo -i` commands, sudo timeout is 5 minutes
4. The 'sshusers' group is required for SSH/SFTP access, other users are
limited to console access without this group
5. Runlevel 3 is configured by default to meet requirements, run the following
for an X Windows session:
$ startx
6. Additional Software such as McAfee EPo/HBSS may be required meet site
policy
7. Configure NTP (/etc/ntp.conf) and rsyslog logging to remote server
(/etc/rsyslog.conf)
8. Create users:
Local Console Access Only (Unprivileged)
# useradd -m -c "Local User" localuser
Remote Access (Unprivileged)
# useradd -m -c "Remote User" -G sshusers remoteuser
System Administrator (SA) (Privileged User)
# useradd -m -c "System Administrator" -G sshusers,wheel admin
(Optional) After adding SAs to the system, lock the root account:
# passwd -l root
EXAMPLE
=======
# ./createiso.sh rhel-server-6.6-x86_64-dvd.iso
Mounting RHEL DVD Image...
mount: /dev/loop0 is write-protected, mounting read-only
Done.
Copying RHEL DVD Image... Done.
Modifying RHEL DVD Image... Done.
Remastering RHEL DVD Image...
I: -input-charset not specified, using utf-8 (detected in locale settings)
Using RELEA000.HTM;1 for /RELEASE-NOTES-ja-JP.html (RELEASE-NOTES-ta-IN.html)
<..........................................>
Using POLIC003.RPM;1 for ./Packages/policycoreutils-python-2.0.83-19.39.el6.x86_64.rpm (policycoreutils-newrole-2.0.83-19.39.el6.x86_64.rpm)
Size of boot image is 4 sectors -> No emulation
0.27% done, estimate finish Tue Jan 21 22:04:41 2014
<...........................................>
99.86% done, estimate finish Tue Jan 21 22:06:46 2014
Total translation table size: 976326
Total rockridge attributes bytes: 430528
Total directory bytes: 661504
Path table size(bytes): 286
Max brk space used 3ee000
1882600 extents written (3676 MB)
Done.
Signing RHEL DVD Image...
Inserting md5sum into iso image...
md5 = ec4618f4ccc6ccac3cfed291ef341012
Inserting fragment md5sums into iso image...
fragmd5 = e115ca49531d6adfee6caadeaf6a895cdc4c3e8b9341f58f5e11e9113a79
frags = 20
Setting supported flag to 0
Done.
DVD Created. [ssg-rhel.iso]
About
DVD embedded Kickstart for RHEL 6 utilizing SCAP Security Guide (SSG) as a hardening script.
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published