/hardening-script-el6-kickstart

Kickstart based on the hardening-script-el6 scripts, classification-banner.py, and DOD Firefox plugin.
  1. Python 77.0%
  2. Shell 23.0%
Switch branches/tags
Nothing to show
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching Xcode...

If nothing happens, download Xcode and try again.

Launching Visual Studio...

If nothing happens, download the GitHub extension for Visual Studio and try again.

@fcaviggia
fcaviggia Classification Color Code 
Update classification color codes.
Latest commit 72b5cf2 Sep 16, 2017
Permalink
Failed to load latest commit information.
config Classification Color Code Sep 17, 2017
.gitignore Create .gitignore Oct 13, 2014
LICENSE Initial commit Aug 20, 2014
README README Updates Aug 5, 2015
createiso.sh Package Check Fix Mar 23, 2015

README 

###############################################################################
# HARDENED DVD CREATOR
#
# This script was written by Frank Caviggia, Red Hat Consulting
# Last update was 5 August 2015
# This script is NOT SUPPORTED by Red Hat Global Support Services.
# Please contact Rick Tavares for more information.
#
# Author: Frank Caviggia (fcaviggi@redhat.com)
# Copyright: Red Hat, (c) 2014
# License: GPLv2
# Description: Kickstart Installation of RHEL 6 with DISA STIG 
###############################################################################


ABOUT
=====

Modifies a RHEL 6.4+ x86_64 Workstation or Server DVD with a kickstart
that will install a system that is configured and hardened for
Red Hat Enterprise Linux 6. 

The kickstart script involves the integration of the following projects 
into a single installer:

   - hardening-script-*.el6.noarch.rpm (Hardening scripts RPM)
   
        https://github.com/fcaviggia/hardening-script-el6

   - classification-banner.py (Python for displaying graphical classification banner)
   
        https://github.com/RedHatGov/classification-banner

   - SCAP Security Guide (SSG) Content - Benchmark for the system after installation
   
        https://github.com/OpenSCAP/scap-security-guide

   - DOD Firefox Plugin
   
        http://www.forge.mil/Resources-Firefox.html


CONTENT
=======

createiso.sh - installation script to modify RHEL 6.4+ ISO image
/config - Kickstarts, Python, and RPMs needed to modify image.
	isolinux/
		grub.conf - Menu Configuration for Kickstart
		isolinux.cfg - Menu Configuration for Kickstart
	stig-fix/
		stig-fix.cfg
		
			Kickstart Configuration (Calls menu.py in %pre)
		
		menu.py
		
			Python Script that presents a graphical menu to modify the
			kickstart. Contains the "Profiles" for configuring the 
			system partitioning and packages.

		classification-banner.py
		
			Graphical Classification Banner (for GNOME Desktops User/
			Developer Workstation Profiles)

		dod_firefox_config.tar.gz

			DOD Firefox Plugin and DOD Root CA Certificates for NIPR (SPIR
			CAs would need to be added and repackaged via taring up the
			.mozzilla directory - placed in /etc/skel for all users.

		hardening-script-*-el6.noarch.rpm

			RPM Created from my fork of Tresys CLIP, Aqueduct, NSA SNAC, and USGCB here:

				https://github.com/fcaviggia/hardening-script-el6

			The hardening is run at the last part of the kickstart script to
			lockdown the system, this could theoretically be replaced by the
			SCAP Security Guide Scripts below at a later date.

		scap-security-guide-*.el6.noarch.rpm

			Currently I use ths SSG Scripts to take a benchmark to save in
			root after installation. Updated to the latest version.

		rhevm-preinstall.sh
		rhevm-postinstall.sh

			Scripts to losen settings temporararily to allow registration
			of the system with RHEV-M by allowing root login and allowing
			exec in /tmp. Run rhevm-postinstall.sh after system is added
			into RHEV-M. Copied to /root after kickstart install.

		iptables.sh

			Configures firewall settings to reccomended ports for each 
			product or profile. Copied to /root after kickstart
			install.

		ipa-pam-configuration.sh

			Configures system for using IPA/IdM authentication by
			overwriting the pam.d configurations. Copied to /root
			after kickstart installation/


EXAMPLE
=======

# ./createiso.sh rhel-server-6.5-x86_64-dvd.iso 
Mounting RHEL DVD Image...
mount: /dev/loop0 is write-protected, mounting read-only
Done.
Copying RHEL DVD Image... Done.
Modifying RHEL DVD Image... Done.
Remastering RHEL DVD Image...
I: -input-charset not specified, using utf-8 (detected in locale settings)
Using RELEA000.HTM;1 for  /RELEASE-NOTES-ja-JP.html (RELEASE-NOTES-ta-IN.html)
	<..........................................>
Using POLIC003.RPM;1 for  ./Packages/policycoreutils-python-2.0.83-19.39.el6.x86_64.rpm (policycoreutils-newrole-2.0.83-19.39.el6.x86_64.rpm)
Size of boot image is 4 sectors -> No emulation
  0.27% done, estimate finish Tue Jan 21 22:04:41 2014
	<...........................................>
 99.86% done, estimate finish Tue Jan 21 22:06:46 2014
Total translation table size: 976326
Total rockridge attributes bytes: 430528
Total directory bytes: 661504
Path table size(bytes): 286
Max brk space used 3ee000
1882600 extents written (3676 MB)
Done.
Signing RHEL DVD Image...
Inserting md5sum into iso image...
md5 = ec4618f4ccc6ccac3cfed291ef341012
Inserting fragment md5sums into iso image...
fragmd5 = e115ca49531d6adfee6caadeaf6a895cdc4c3e8b9341f58f5e11e9113a79
frags = 20
Setting supported flag to 0
Done.
DVD Created. [hardened-rhel.iso]