Blame SOURCES/remove-ANSSI-high-ks.patch

d10e36
From 8e43a6a6432a8cbeb5742771ddbd0856669a7878 Mon Sep 17 00:00:00 2001
d10e36
From: Watson Sato <wsato@redhat.com>
d10e36
Date: Wed, 17 Feb 2021 15:36:59 +0100
d10e36
Subject: [PATCH] Remove kickstart for profile not shipped
d10e36
d10e36
RHEL-8 ANSSI high is not shipped at the momment
d10e36
---
d10e36
 .../ssg-rhel8-anssi_bp28_high-ks.cfg          | 167 ------------------
d10e36
 1 file changed, 167 deletions(-)
d10e36
 delete mode 100644 rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
d10e36
d10e36
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
d10e36
deleted file mode 100644
d10e36
index b5c09253a..000000000
d10e36
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
d10e36
+++ /dev/null
d10e36
@@ -1,167 +0,0 @@
d10e36
-# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8
d10e36
-# Version: 0.0.1
d10e36
-# Date: 2020-12-10
d10e36
-#
d10e36
-# Based on:
d10e36
-# https://pykickstart.readthedocs.io/en/latest/
d10e36
-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
d10e36
-
d10e36
-# Specify installation method to use for installation
d10e36
-# To use a different one comment out the 'url' one below, update
d10e36
-# the selected choice with proper options & un-comment it
d10e36
-#
d10e36
-# Install from an installation tree on a remote server via FTP or HTTP:
d10e36
-# --url		the URL to install from
d10e36
-#
d10e36
-# Example:
d10e36
-#
d10e36
-# url --url=http://192.168.122.1/image
d10e36
-#
d10e36
-# Modify concrete URL in the above example appropriately to reflect the actual
d10e36
-# environment machine is to be installed in
d10e36
-#
d10e36
-# Other possible / supported installation methods:
d10e36
-# * install from the first CD-ROM/DVD drive on the system:
d10e36
-#
d10e36
-# cdrom
d10e36
-#
d10e36
-# * install from a directory of ISO images on a local drive:
d10e36
-#
d10e36
-# harddrive --partition=hdb2 --dir=/tmp/install-tree
d10e36
-#
d10e36
-# * install from provided NFS server:
d10e36
-#
d10e36
-# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
d10e36
-#
d10e36
-# Set language to use during installation and the default language to use on the installed system (required)
d10e36
-lang en_US.UTF-8
d10e36
-
d10e36
-# Set system keyboard type / layout (required)
d10e36
-keyboard us
d10e36
-
d10e36
-# Configure network information for target system and activate network devices in the installer environment (optional)
d10e36
-# --onboot	enable device at a boot time
d10e36
-# --device	device to be activated and / or configured with the network command
d10e36
-# --bootproto	method to obtain networking configuration for device (default dhcp)
d10e36
-# --noipv6	disable IPv6 on this device
d10e36
-#
d10e36
-# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
d10e36
-#       "--bootproto=static" must be used. For example:
d10e36
-# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
d10e36
-#
d10e36
-network --onboot yes --bootproto dhcp --noipv6
d10e36
-
d10e36
-# Set the system's root password (required)
d10e36
-# Plaintext password is: server
d10e36
-# Refer to e.g.
d10e36
-#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
d10e36
-# to see how to create encrypted password form for different plaintext password
d10e36
-rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
d10e36
-
d10e36
-# The selected profile will restrict root login
d10e36
-# Add a user that can login and escalate privileges
d10e36
-# Plaintext password is: admin123
d10e36
-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
d10e36
-
d10e36
-# Configure firewall settings for the system (optional)
d10e36
-# --enabled	reject incoming connections that are not in response to outbound requests
d10e36
-# --ssh		allow sshd service through the firewall
d10e36
-firewall --enabled --ssh
d10e36
-
d10e36
-# State of SELinux on the installed system (optional)
d10e36
-# Defaults to enforcing
d10e36
-selinux --enforcing
d10e36
-
d10e36
-# Set the system time zone (required)
d10e36
-timezone --utc America/New_York
d10e36
-
d10e36
-# Specify how the bootloader should be installed (required)
d10e36
-# Plaintext password is: password
d10e36
-# Refer to e.g.
d10e36
-#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
d10e36
-# to see how to create encrypted password form for different plaintext password
d10e36
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
d10e36
-
d10e36
-# Initialize (format) all disks (optional)
d10e36
-zerombr
d10e36
-
d10e36
-# The following partition layout scheme assumes disk of size 20GB or larger
d10e36
-# Modify size of partitions appropriately to reflect actual machine's hardware
d10e36
-# 
d10e36
-# Remove Linux partitions from the system prior to creating new ones (optional)
d10e36
-# --linux	erase all Linux partitions
d10e36
-# --initlabel	initialize the disk label to the default based on the underlying architecture
d10e36
-clearpart --linux --initlabel
d10e36
-
d10e36
-# Create primary system partitions (required for installs)
d10e36
-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
d10e36
-part pv.01 --grow --size=1
d10e36
-
d10e36
-# Create a Logical Volume Management (LVM) group (optional)
d10e36
-volgroup VolGroup --pesize=4096 pv.01
d10e36
-
d10e36
-# Create particular logical volumes (optional)
d10e36
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
d10e36
-# Ensure /usr Located On Separate Partition
d10e36
-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
d10e36
-# Ensure /opt Located On Separate Partition
d10e36
-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
d10e36
-# Ensure /srv Located On Separate Partition
d10e36
-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
d10e36
-# Ensure /home Located On Separate Partition
d10e36
-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
d10e36
-# Ensure /tmp Located On Separate Partition
d10e36
-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
d10e36
-# Ensure /var/tmp Located On Separate Partition
d10e36
-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
d10e36
-# Ensure /var Located On Separate Partition
d10e36
-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
d10e36
-# Ensure /var/log Located On Separate Partition
d10e36
-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
d10e36
-# Ensure /var/log/audit Located On Separate Partition
d10e36
-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
d10e36
-logvol swap --name=swap --vgname=VolGroup --size=2016
d10e36
-
d10e36
-# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
d10e36
-# content - security policies - on the installed system.This add-on has been enabled by default
d10e36
-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
d10e36
-# functionality will automatically be installed. However, by default, no policies are enforced,
d10e36
-# meaning that no checks are performed during or after installation unless specifically configured.
d10e36
-#  
d10e36
-#  Important
d10e36
-#   Applying a security policy is not necessary on all systems. This screen should only be used
d10e36
-#   when a specific policy is mandated by your organization rules or government regulations.
d10e36
-#   Unlike most other commands, this add-on does not accept regular options, but uses key-value
d10e36
-#   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
d10e36
-#   Values can be optionally enclosed in single quotes (') or double quotes (").
d10e36
-#   
d10e36
-#  The following keys are recognized by the add-on:
d10e36
-#    content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
d10e36
-#      - If the content-type is scap-security-guide, the add-on will use content provided by the
d10e36
-#        scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
d10e36
-#    content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
d10e36
-#    datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
d10e36
-#    xccdf-id - ID of the benchmark you want to use.
d10e36
-#    xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
d10e36
-#    profile - ID of the profile to be applied. Use default to apply the default profile.
d10e36
-#    fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
d10e36
-#    tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
d10e36
-#
d10e36
-#  The following is an example %addon org_fedora_oscap section which uses content from the
d10e36
-#  scap-security-guide on the installation media: 
d10e36
-%addon org_fedora_oscap
d10e36
-	content-type = scap-security-guide
d10e36
-	profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
d10e36
-%end
d10e36
-
d10e36
-# Packages selection (%packages section is required)
d10e36
-%packages
d10e36
-
d10e36
-# Require @Base
d10e36
-@Base
d10e36
-
d10e36
-%end # End of %packages section
d10e36
-
d10e36
-# Reboot after the installation is complete (optional)
d10e36
-# --eject	attempt to eject CD or DVD media before rebooting
d10e36
-reboot --eject
d10e36
-- 
d10e36
2.26.2
d10e36