redhatgov / ssg-el6-kickstart
DVD embedded Kickstart for RHEL 6 utilizing SCAP Security Guide (SSG) as a hardening script.
License: Other
###############################################################################
# SCAP Security Guide RHEL 6 DVD CREATOR
#
# This script was written by Frank Caviggia, Red Hat Consulting
# Last update was 15 April 2017
# This script is NOT SUPPORTED by Red Hat Global Support Services.
#
# Author: Frank Caviggia ([email protected])
# Copyright: Red Hat, (c) 2018
# License: Apache License, Version 2.0
# Description: Kickstart Installation of RHEL 6 with SSG
###############################################################################

ABOUT
=====
Modifies a RHEL 6.4+ x86_64 Workstation or Server DVD with a kickstart that
will install a system that is configured and hardened for Red Hat Enterprise
Linux 6. (Latest Update RHEL 6.9)

The kickstart script involves the integration of the following projects into
a single installer:

- classification-banner.py (Python for displaying graphical classification banner)
  https://github.com/RedHatGov/classification-banner
- SCAP Security Guide (SSG) Content - Benchmark and hardening scripts for the
  system after installation
  https://github.com/OpenSCAP/scap-security-guide

CONTENT
=======
createiso.sh - installation script to modify RHEL 6.4+ ISO image
/config      - Kickstarts, Python, and RPMs needed to modify image.
  isolinux/
    grub.conf                - Menu Configuration for Kickstart
    isolinux.cfg             - Menu Configuration for Kickstart
  hardening/
    ssg-rhel.cfg             - Kickstart Configuration (Calls menu.py in %pre)
    menu.py                  - Python Script that presents a graphical menu to
                               modify the kickstart. Contains the "Profiles"
                               for configuring the system partitioning and
                               packages.
    classification-banner.py - Graphical Classification Banner (for GNOME
                               Desktops User/Developer Workstation Profiles)
    scap-security-guide-*.el6.noarch.rpm
                             - Uses OpenSCAP and the SCAP Security Guide (SSG)
                               to test and remediate system.
    ssg-suplemental.sh       - Additional system lockdowns (FIPS 140-2 Kernel
                               Mode, GNOME, wheel group for root access, etc.)
    rhevm-preinstall.sh
    rhevm-postinstall.sh     - Scripts to loosen settings temporarily to allow
                               registration of the system with RHEV-M by
                               allowing root login and allowing exec in /tmp.
                               Run rhevm-postinstall.sh after system is added
                               into RHEV-M. Copied to /root after kickstart
                               install.
    iptables.sh              - Configures firewall during kickstart
                               installation. Called in menu.py script.
                               Firewall is configured to recommended ports for
                               each product or profile. Copied to /root after
                               kickstart install.
    ipa-pam-configuration.sh - Configures system for using IPA/IdM
                               authentication by overwriting the pam.d
                               configurations. Copied to /root after kickstart
                               installation.

HARDENING INFORMATION
=====================
Here is some additional information added by the supplemental hardening
script in addition to the SSG:

1. The kernel is configured in FIPS 140-2 mode on install
2. Shell timeout (bash/csh) is 15 minutes of inactivity, vlock will lock the
   CLI console
3. The 'wheel' group is required for privileged users (beyond root) to run
   `su -` or `sudo -i` commands, sudo timeout is 5 minutes
4. The 'sshusers' group is required for SSH/SFTP access, other users are
   limited to console access without this group
5. Runlevel 3 is configured by default to meet requirements, run the
   following for an X Windows session:
     $ startx
6. Additional Software such as McAfee ePO/HBSS may be required to meet site
   policy
7. Configure NTP (/etc/ntp.conf) and rsyslog logging to remote server
   (/etc/rsyslog.conf)
8. Create users:
     Local Console Access Only (Unprivileged)
     # useradd -m -c "Local User" localuser
     Remote Access (Unprivileged)
     # useradd -m -c "Remote User" -G sshusers remoteuser
     System Administrator (SA) (Privileged User)
     # useradd -m -c "System Administrator" -G sshusers,wheel admin

   (Optional) After adding SAs to the system, lock the root account:
     # passwd -l root

EXAMPLE
=======
# ./createiso.sh rhel-server-6.6-x86_64-dvd.iso
Mounting RHEL DVD Image...
mount: /dev/loop0 is write-protected, mounting read-only
Done.
Copying RHEL DVD Image...
Done.
Modifying RHEL DVD Image...
Done.
Remastering RHEL DVD Image...
I: -input-charset not specified, using utf-8 (detected in locale settings)
Using RELEA000.HTM;1 for  /RELEASE-NOTES-ja-JP.html (RELEASE-NOTES-ta-IN.html)
<..........................................>
Using POLIC003.RPM;1 for  ./Packages/policycoreutils-python-2.0.83-19.39.el6.x86_64.rpm (policycoreutils-newrole-2.0.83-19.39.el6.x86_64.rpm)
Size of boot image is 4 sectors -> No emulation
  0.27% done, estimate finish Tue Jan 21 22:04:41 2014
<...........................................>
 99.86% done, estimate finish Tue Jan 21 22:06:46 2014
Total translation table size: 976326
Total rockridge attributes bytes: 430528
Total directory bytes: 661504
Path table size(bytes): 286
Max brk space used 3ee000
1882600 extents written (3676 MB)
Done.
Signing RHEL DVD Image...
Inserting md5sum into iso image...
md5 = ec4618f4ccc6ccac3cfed291ef341012
Inserting fragment md5sums into iso image...
fragmd5 = e115ca49531d6adfee6caadeaf6a895cdc4c3e8b9341f58f5e11e9113a79
frags = 20
Setting supported flag to 0
Done.
DVD Created. [ssg-rhel.iso]
I would like to change the Licence of this project from GNU Public Licence version 2 (GPLv2) to Apache Public Licence 2.0 (APL2.0) to allow people to utilize this software without having to submit changes back to the project. I believe that this will allow for better use in the DOD/IC without the requirements to give back everything - however, it would still remain open source as a reference model.
Hello,
I have been using the ssg-el6-kickstart for a hardened baseline build for a few years now with great results. I noticed one small issue with the latest release that is easily fixed:
When operating in runlevel 5 I was unable to log back in to the machine once it reached the lock screen. After unsuccessfully trying a few fixes I noticed a sequence in /var/log/secure that pointed the culprit out.
Aug 15 16:35:32 XXX gnome-screensaver-dialog: PAM (gnome-screensaver) illegal module type: %PAM-1.0
Aug 15 16:35:32 XXX gnome-screensaver-dialog: PAM (gnome-screensaver) no control flag supplied
Aug 15 16:35:32 XXX gnome-screensaver-dialog: PAM (gnome-screensaver) no module name supplied
The first line of /etc/pam.d/gnome-screensaver should be "#%PAM-1.0" instead of "%PAM-1.0". Looks to have the typo in ipa-pam-configuration.sh also.
Otherwise everything else is excellent. I hope this helps.
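A small checker for the header typo described in this issue, added here as an illustration (it is not part of the project): it parses a pam.d file body the way libpam does, flags a bare `%PAM-1.0` first line with the same three complaints that appeared in /var/log/secure, and comments the header out. The sample file body is constructed to match the shape of the stock RHEL 6 gnome-screensaver file.

```python
import re

# Module types and simple control flags accepted by Linux-PAM; the bracketed
# "[value=action ...]" control form is matched separately below.
PAM_TYPES = {"auth", "account", "password", "session"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# type, control (bracketed or single word), optional module path and arguments
RULE_RE = re.compile(r"^(-?\S+)\s+(\[[^\]]*\]|\S+)(?:\s+(\S+)(.*))?$")


def check_pam_config(text):
    """Return [(line_no, message), ...] for rules libpam would reject (messages mirror the issue's log)."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments (incl. '#%PAM-1.0') are skipped by PAM
        m = RULE_RE.match(line)
        first = line.split()[0]
        if first.lstrip("-") not in PAM_TYPES:  # a leading '-' only silences missing modules
            problems.append((line_no, "illegal module type: " + first))
        if m is None:  # only one field on the line, e.g. a bare '%PAM-1.0' header
            problems.append((line_no, "no control flag supplied"))
            problems.append((line_no, "no module name supplied"))
            continue
        control, module = m.group(2), m.group(3)
        if not (control in PAM_CONTROLS or control.startswith("[")):
            problems.append((line_no, "unknown control flag: " + control))
        if module is None:
            problems.append((line_no, "no module name supplied"))
    return problems


def fix_pam_header(text):
    """Comment out a bare '%PAM-1.0' first line; nothing else is touched."""
    lines = text.splitlines(True)
    if lines and lines[0].strip() == "%PAM-1.0":
        lines[0] = "#" + lines[0].lstrip()
    return "".join(lines)


# Constructed sample in the shape of the stock RHEL 6 file, carrying the typo.
BROKEN_GNOME_SCREENSAVER = """%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
"""
```

Running `check_pam_config` over the sample reports all three libpam complaints on line 1, and the output of `fix_pam_header` checks clean.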
For the life of me, I cannot seem to figure out how to make Remote Desktop / XRDP work. I have tried everything I can find, performed multiple re-installs, along with different workstation types. But nothing seems to change the fact that I cannot connect to the hardened workstation via remote desktop.
Note I have managed to get the hardening script to work with CentOS 6.8 without issue or error during the installation.
I've tested my procedure of setting up Remote Desktop / XRDP on an unhardened instance and it works without issue but to no avail it will not work with the hardened image.
Am I missing something within the hardening configuration scripts that is preventing the ability for me to remote desktop into the machine?
Any insight or assistance someone could lend would be greatly appreciated!