ssg-el6-kickstart's Introduction

###############################################################################
# SCAP Security Guide RHEL 6 DVD CREATOR
#
# This script was written by Frank Caviggia, Red Hat Consulting
# Last update was 15 April 2017
# This script is NOT SUPPORTED by Red Hat Global Support Services.
#
# Author: Frank Caviggia ([email protected])
# Copyright: Red Hat, (c) 2018
# License: Apache License, Version 2.0
# Description: Kickstart Installation of RHEL 6 with SSG
###############################################################################


ABOUT
=====

Modifies a RHEL 6.4+ x86_64 Workstation or Server DVD with a kickstart
that will install a system that is configured and hardened for
Red Hat Enterprise Linux 6. (Latest Update RHEL 6.9)

The kickstart script involves the integration of the following projects 
into a single installer:

   - classification-banner.py (Python for displaying graphical classification banner)
   
        https://github.com/RedHatGov/classification-banner

   - SCAP Security Guide (SSG) Content - Benchmark and hardening scripts for the 
     system after installation
   
        https://github.com/OpenSCAP/scap-security-guide


CONTENT
=======

createiso.sh - installation script to modify RHEL 6.4+ ISO image

/config - Kickstarts, Python, and RPMs needed to modify image.

	isolinux/

		grub.conf - Menu Configuration for Kickstart

		isolinux.cfg - Menu Configuration for Kickstart

	hardening/

		ssg-rhel.cfg
		
			Kickstart Configuration (Calls menu.py in %pre)
		
		menu.py
		
			Python Script that presents a graphical menu to modify the
			kickstart. Contains the "Profiles" for configuring the 
			system partitioning and packages.

		classification-banner.py
		
			Graphical Classification Banner (for the GNOME Desktop User/
			Developer Workstation profiles)

		scap-security-guide-*.el6.noarch.rpm

			Uses OpenSCAP and the SCAP Security Guide (SSG) to test and
			remediate the system.

		ssg-suplemental.sh

			Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME,
			wheel group for root access, etc.)

		rhevm-preinstall.sh
		rhevm-postinstall.sh

			Scripts to loosen settings temporarily to allow registration
			of the system with RHEV-M by allowing root login and allowing
			exec in /tmp. Run rhevm-postinstall.sh after the system has been
			added to RHEV-M. Copied to /root after kickstart install.

		iptables.sh

			Configures the firewall during kickstart installation. Called
			from the menu.py script. The firewall is configured with the
			recommended ports for each product or profile. Copied to /root
			after kickstart install.

		ipa-pam-configuration.sh

			Configures the system for IPA/IdM authentication by
			overwriting the pam.d configurations. Copied to /root
			after kickstart installation.

HARDENING INFORMATION
=====================

The supplemental hardening script applies the following lockdowns in addition
to the SSG content:

1. The kernel is configured in FIPS 140-2 mode on install

2. Shell timeout (bash/csh) is 15 minutes of inactivity, vlock will lock CLI
   console

3. The 'wheel' group is required for privileged users (beyond root) to run 
   `su -` or `sudo -i` commands; the sudo timeout is 5 minutes

4. The 'sshusers' group is required for SSH/SFTP access, other users are 
   limited to console access without this group
   
5. Runlevel 3 is configured by default to meet requirements, run the following
   for an X Windows session:
   
   	$ startx

6. Additional software such as McAfee ePO/HBSS may be required to meet site 
   policy

7. Configure NTP (/etc/ntp.conf) and rsyslog logging to remote server 
   (/etc/rsyslog.conf)

8. Create users:

        Local Console Access Only (Unprivileged)
          
               # useradd -m -c "Local User" localuser
               
        Remote Access (Unprivileged)
          
               # useradd -m -c "Remote User" -G sshusers remoteuser
               
        System Administrator (SA) (Privileged User)
               
               # useradd -m -c "System Administrator" -G sshusers,wheel admin
               
        (Optional) After adding SAs to the system, lock the root account:
          
               # passwd -l root

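A post-install audit of the lockdowns listed above, written as an added example rather than code from the ssg-el6-kickstart project. The paths and settings it checks (pam_wheel in /etc/pam.d/su, AllowGroups in sshd_config, the initdefault line, TMOUT=900 for 15 minutes) are assumptions about how those items are usually implemented on RHEL 6, not values read from the project's scripts.

```shell
#!/bin/sh
# Post-install audit for the supplemental lockdowns listed above: FIPS 140-2
# kernel mode, wheel-gated su, sshusers-gated SSH, default runlevel 3 and the
# 15-minute shell timeout. Added example, not part of ssg-el6-kickstart; the
# file locations and settings it looks for are assumptions about how those
# items are usually implemented on RHEL 6, not read from the project's scripts.

# Each check takes a root directory, so it can run against / on the installed
# system or against a mounted image, and returns 0 (pass) or 1 (fail).
check_fips()     { [ "$(cat "$1/proc/sys/crypto/fips_enabled" 2>/dev/null)" = 1 ]; }
check_runlevel() { grep -q '^id:3:initdefault:' "$1/etc/inittab" 2>/dev/null; }
check_tmout()    { grep -Eq '^[[:space:]]*(readonly[[:space:]]+)?TMOUT=900' "$1"/etc/profile.d/*.sh 2>/dev/null; }
check_wheel_su() {
    # an active (uncommented) pam_wheel line in pam.d/su is what gates 'su -'
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1/etc/pam.d/su" 2>/dev/null
}
check_sshusers() {
    # compare whole tokens so a group such as "sshusers2" is not accepted by mistake
    awk '$1 == "AllowGroups" { for (i = 2; i <= NF; i++) if ($i == "sshusers") ok = 1 }
         END { exit !ok }' "$1/etc/ssh/sshd_config" 2>/dev/null
}

# Runs every check, reports PASS/FAIL on stderr and echoes the failure count.
audit_failures() {
    root="${1:-/}"; failed=0
    for c in check_fips check_wheel_su check_sshusers check_runlevel check_tmout; do
        if "$c" "$root"; then echo "PASS $c" >&2; else echo "FAIL $c" >&2; failed=$((failed + 1)); fi
    done
    echo "$failed"
}

# Constructed sample tree (not a real system) so the audit can be exercised
# offline: "hardened" mirrors the README's items, "weak" leaves pam_wheel
# commented out, which is how a stock RHEL 6 ships before hardening.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/crypto" "$d/etc/pam.d" "$d/etc/ssh" "$d/etc/profile.d"
    echo 1 > "$d/proc/sys/crypto/fips_enabled"
    echo 'id:3:initdefault:' > "$d/etc/inittab"
    echo 'AllowGroups sshusers' > "$d/etc/ssh/sshd_config"
    echo 'readonly TMOUT=900' > "$d/etc/profile.d/tmout.sh"
    if [ "$1" = weak ]; then echo '#auth required pam_wheel.so use_uid' > "$d/etc/pam.d/su"
    else echo 'auth required pam_wheel.so use_uid' > "$d/etc/pam.d/su"; fi
    echo "$d"
}

# Usage: sh audit.sh [ROOT]   (prints the number of failed checks last)
audit_failures "${1:-/}"
```

Run it as root on the installed system, or point it at the mount point of an image; a non-zero count names the item that the supplemental script did not leave in place.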

EXAMPLE
=======

# ./createiso.sh rhel-server-6.6-x86_64-dvd.iso 
Mounting RHEL DVD Image...
mount: /dev/loop0 is write-protected, mounting read-only
Done.
Copying RHEL DVD Image... Done.
Modifying RHEL DVD Image... Done.
Remastering RHEL DVD Image...
I: -input-charset not specified, using utf-8 (detected in locale settings)
Using RELEA000.HTM;1 for  /RELEASE-NOTES-ja-JP.html (RELEASE-NOTES-ta-IN.html)
	<..........................................>
Using POLIC003.RPM;1 for  ./Packages/policycoreutils-python-2.0.83-19.39.el6.x86_64.rpm (policycoreutils-newrole-2.0.83-19.39.el6.x86_64.rpm)
Size of boot image is 4 sectors -> No emulation
  0.27% done, estimate finish Tue Jan 21 22:04:41 2014
	<...........................................>
 99.86% done, estimate finish Tue Jan 21 22:06:46 2014
Total translation table size: 976326
Total rockridge attributes bytes: 430528
Total directory bytes: 661504
Path table size(bytes): 286
Max brk space used 3ee000
1882600 extents written (3676 MB)
Done.
Signing RHEL DVD Image...
Inserting md5sum into iso image...
md5 = ec4618f4ccc6ccac3cfed291ef341012
Inserting fragment md5sums into iso image...
fragmd5 = e115ca49531d6adfee6caadeaf6a895cdc4c3e8b9341f58f5e11e9113a79
frags = 20
Setting supported flag to 0
Done.
DVD Created. [ssg-rhel.iso]


ssg-el6-kickstart's Issues

Licence Change (GPLv2 -> APL2.0)

I would like to change the Licence of this project from GNU Public Licence version 2 (GPLv2) to Apache Public Licence 2.0 (APL2.0) to allow people to utilize this software without having to submit changes back to the project. I believe that this will allow for better use in the DOD/IC without the requirements to give back everything - however, it would still remain open source as a reference model.

Typo in /etc/pam.d/gnome-screensaver

Hello,

I have been using the ssg-el6-kickstart for a hardened baseline build for a few years now with great results. I noticed one small issue with the latest release that is easily fixed:

When operating in runlevel 5 I was unable to log back in to the machine once it reached the lock screen. After unsuccessfully trying a few fixes I noticed a sequence in /var/log/secure that pointed the culprit out.

Aug 15 16:35:32 XXX gnome-screensaver-dialog: PAM (gnome-screensaver) illegal module type: %PAM-1.0
Aug 15 16:35:32 XXX gnome-screensaver-dialog: PAM (gnome-screensaver) no control flag supplied
Aug 15 16:35:32 XXX gnome-screensaver-dialog: PAM (gnome-screensaver) no module name supplied

The first line of /etc/pam.d/gnome-screensaver should be "#%PAM-1.0" instead of "%PAM-1.0". Looks to have the typo in ipa-pam-configuration.sh also.

Otherwise everything else is excellent. I hope this helps.
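
A small lint for pam.d files that catches the defect described in this report, added here as an example and not taken from the project or the reporter. A bare "%PAM-1.0" without the leading '#' is read as a rule line, which is exactly what the "illegal module type" messages in /var/log/secure above say; the sample files the script builds are constructed.

```shell
#!/bin/sh
# Lint for /etc/pam.d files that catches the malformed header from the issue
# above: a bare "%PAM-1.0" (no leading '#') is parsed as a rule line, which is
# what the "illegal module type / no control flag / no module name" entries in
# /var/log/secure report, and with gnome-screensaver that means a lockout.
# Added example, not part of ssg-el6-kickstart; the sample files are constructed.

# Prints "file:line: reason" for each problem, then the problem count.
lint_pam_file() {
    awk -v f="$1" '
        # blank lines and comments (a correct "#%PAM-1.0" header is a comment) are fine
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
        {
            type = $1; sub(/^-/, "", type)          # "-session" marks an optional module
            if (type !~ /^(auth|account|password|session)$/) {
                printf "%s:%d: illegal module type %s\n", f, NR, $1; bad++; next
            }
            # a rule needs at least: type  control-flag  module-name
            if (NF < 3) { printf "%s:%d: only %d field(s)\n", f, NR, NF; bad++ }
        }
        END { print bad + 0 }' "$1"
}

# Just the count, for scripting (0 means the file parsed cleanly).
pam_problem_count() { lint_pam_file "$1" | tail -n 1; }

# Constructed sample: $1 is the header line, the rest mirrors a typical RHEL 6
# gnome-screensaver stack that delegates to system-auth.
make_sample() {
    f=$(mktemp)
    printf '%s\n' "$1" 'auth     include   system-auth' 'account  include   system-auth' 'password include   system-auth' > "$f"
    echo "$f"
}

# Usage: sh pamlint.sh [PAM_DIR]   (defaults to /etc/pam.d)
for f in "${1:-/etc/pam.d}"/*; do [ -f "$f" ] && lint_pam_file "$f"; done
```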

Remote Desktop not working at all, Am I missing something in the config scripts?

For the life of me, I cannot seem to figure out how to make Remote Desktop / XRDP work. I have tried everything I can find, performed multiple re-installs, along with different workstation types. But nothing seems to change the fact that I cannot connect to the hardened workstation via remote desktop.

Note I have managed to get the hardening script to work with CentOS 6.8 without issue or error during the installation.

I've tested my procedure of setting up Remote Desktop / XRDP on an unhardened instance and it works without issue but to no avail it will not work with the hardened image.

Am I missing something within the hardening configuration scripts that is preventing the ability for me to remote desktop into the machine?

Any insight or assistance someone could lend would be greatly appreciated!
