Blame SOURCES/scap-security-guide-0.1.53-cui_kickstart-PR_6035.patch

510a3d
From 8a6e3fcbe387e6b5476375448964dab198d94959 Mon Sep 17 00:00:00 2001
510a3d
From: Vojtech Polasek <vpolasek@redhat.com>
510a3d
Date: Wed, 2 Sep 2020 10:01:45 +0200
510a3d
Subject: [PATCH] add CUI kickstart for rhel8
510a3d
510a3d
---
510a3d
 rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 167 +++++++++++++++++++++++++++
510a3d
 1 file changed, 167 insertions(+)
510a3d
 create mode 100644 rhel8/kickstart/ssg-rhel8-cui-ks.cfg
510a3d
510a3d
diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
510a3d
new file mode 100644
510a3d
index 0000000000..0957fded96
510a3d
--- /dev/null
510a3d
+++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
510a3d
@@ -0,0 +1,167 @@
510a3d
+# SCAP Security Guide CUI profile kickstart for Red Hat Enterprise Linux 8
510a3d
+#
510a3d
+# Based on:
510a3d
+# http://fedoraproject.org/wiki/Anaconda/Kickstart
510a3d
+# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
510a3d
+
510a3d
+# Install a fresh new system (optional)
510a3d
+install
510a3d
+
510a3d
+# Specify installation method to use for installation
510a3d
+# To use a different one comment out the 'url' one below, update
510a3d
+# the selected choice with proper options & un-comment it
510a3d
+#
510a3d
+# Install from an installation tree on a remote server via FTP or HTTP:
510a3d
+# --url		the URL to install from
510a3d
+#
510a3d
+# Example:
510a3d
+#
510a3d
+# url --url=http://192.168.122.1/image
510a3d
+#
510a3d
+# Modify concrete URL in the above example appropriately to reflect the actual
510a3d
+# environment machine is to be installed in
510a3d
+#
510a3d
+# Other possible / supported installation methods:
510a3d
+# * install from the first CD-ROM/DVD drive on the system:
510a3d
+#
510a3d
+# cdrom
510a3d
+#
510a3d
+# * install from a directory of ISO images on a local drive:
510a3d
+#
510a3d
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
510a3d
+#
510a3d
+# * install from provided NFS server:
510a3d
+#
510a3d
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
510a3d
+#
510a3d
+# Set language to use during installation and the default language to use on the installed system (required)
510a3d
+lang en_US.UTF-8
510a3d
+
510a3d
+# Set system keyboard type / layout (required)
510a3d
+keyboard us
510a3d
+
510a3d
+# Configure network information for target system and activate network devices in the installer environment (optional)
510a3d
+# --onboot	enable device at a boot time
510a3d
+# --device	device to be activated and / or configured with the network command
510a3d
+# --bootproto	method to obtain networking configuration for device (default dhcp)
510a3d
+# --noipv6	disable IPv6 on this device
510a3d
+#
510a3d
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
510a3d
+#       "--bootproto=static" must be used. For example:
510a3d
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
510a3d
+#
510a3d
+network --onboot yes --bootproto dhcp
510a3d
+
510a3d
+# Set the system's root password (required)
510a3d
+# Plaintext password is: server
510a3d
+# Refer to e.g.
510a3d
+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
510a3d
+# to see how to create encrypted password form for different plaintext password
510a3d
+rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
510a3d
+
510a3d
+# The selected profile will restrict root login
510a3d
+# Add a user that can login and escalate privileges
510a3d
+# Plaintext password is: admin123
510a3d
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
510a3d
+
510a3d
+# Configure firewall settings for the system (optional)
510a3d
+# --enabled	reject incoming connections that are not in response to outbound requests
510a3d
+# --ssh		allow sshd service through the firewall
510a3d
+firewall --enabled --ssh
510a3d
+
510a3d
+# Set up the authentication options for the system (required)
510a3d
+# --enableshadow	enable shadowed passwords by default
510a3d
+# --passalgo		hash / crypt algorithm for new passwords
510a3d
+# See the manual page for authconfig for a complete list of possible options.
510a3d
+authconfig --enableshadow --passalgo=sha512
510a3d
+
510a3d
+# State of SELinux on the installed system (optional)
510a3d
+# Defaults to enforcing
510a3d
+selinux --enforcing
510a3d
+
510a3d
+# Set the system time zone (required)
510a3d
+timezone --utc America/New_York
510a3d
+
510a3d
+# Specify how the bootloader should be installed (required)
510a3d
+# Refer to e.g.
510a3d
+#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
510a3d
+# to see how to create encrypted password form for different plaintext password
510a3d
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none"
510a3d
+
510a3d
+# Initialize (format) all disks (optional)
510a3d
+zerombr
510a3d
+
510a3d
+# The following partition layout scheme assumes disk of size 20GB or larger
510a3d
+# Modify size of partitions appropriately to reflect actual machine's hardware
510a3d
+# 
510a3d
+# Remove Linux partitions from the system prior to creating new ones (optional)
510a3d
+# --linux	erase all Linux partitions
510a3d
+# --initlabel	initialize the disk label to the default based on the underlying architecture
510a3d
+clearpart --linux --initlabel
510a3d
+
510a3d
+# Create primary system partitions (required for installs)
510a3d
+part /boot --fstype=xfs --size=512
510a3d
+part pv.01 --grow --size=1
510a3d
+
510a3d
+# Create a Logical Volume Management (LVM) group (optional)
510a3d
+volgroup VolGroup --pesize=4096 pv.01
510a3d
+
510a3d
+# Create particular logical volumes (optional)
510a3d
+logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
510a3d
+# Ensure /home Located On Separate Partition
510a3d
+logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
510a3d
+# Ensure /tmp Located On Separate Partition
510a3d
+logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
510a3d
+# Ensure /var/tmp Located On Separate Partition
510a3d
+logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
510a3d
+# Ensure /var Located On Separate Partition
510a3d
+logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
510a3d
+# Ensure /var/log Located On Separate Partition
510a3d
+logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
510a3d
+# Ensure /var/log/audit Located On Separate Partition
510a3d
+logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
510a3d
+logvol swap --name=swap --vgname=VolGroup --size=2016
510a3d
+
510a3d
+# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
510a3d
+# content - security policies - on the installed system.This add-on has been enabled by default
510a3d
+# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
510a3d
+# functionality will automatically be installed. However, by default, no policies are enforced,
510a3d
+# meaning that no checks are performed during or after installation unless specifically configured.
510a3d
+#  
510a3d
+#  Important
510a3d
+#   Applying a security policy is not necessary on all systems. This screen should only be used
510a3d
+#   when a specific policy is mandated by your organization rules or government regulations.
510a3d
+#   Unlike most other commands, this add-on does not accept regular options, but uses key-value
510a3d
+#   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
510a3d
+#   Values can be optionally enclosed in single quotes (') or double quotes (").
510a3d
+#   
510a3d
+#  The following keys are recognized by the add-on:
510a3d
+#    content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
510a3d
+#      - If the content-type is scap-security-guide, the add-on will use content provided by the
510a3d
+#        scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
510a3d
+#    content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
510a3d
+#    datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
510a3d
+#    xccdf-id - ID of the benchmark you want to use.
510a3d
+#    xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
510a3d
+#    profile - ID of the profile to be applied. Use default to apply the default profile.
510a3d
+#    fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
510a3d
+#    tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
510a3d
+#
510a3d
+#  The following is an example %addon org_fedora_oscap section which uses content from the
510a3d
+#  scap-security-guide on the installation media: 
510a3d
+%addon org_fedora_oscap
510a3d
+	content-type = scap-security-guide
510a3d
+	profile = xccdf_org.ssgproject.content_profile_cui
510a3d
+%end
510a3d
+
510a3d
+# Packages selection (%packages section is required)
510a3d
+%packages
510a3d
+
510a3d
+# Require @Base
510a3d
+@Base
510a3d
+
510a3d
+%end # End of %packages section
510a3d
+
510a3d
+# Reboot after the installation is complete (optional)
510a3d
+# --eject	attempt to eject CD or DVD media before rebooting
510a3d
+reboot --eject