From ee2da171d5a76202b2aef8231c5af6f97ef156ef Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 12 Aug 2021 10:36:30 +0200 Subject: [PATCH 1/2] add rhel7 kickstarts for cis --- products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg | 4 +- .../kickstart/ssg-rhel7-cis_server_l1-ks.cfg | 136 ++++++++++++++++ .../ssg-rhel7-cis_workstation_l1-ks.cfg | 137 ++++++++++++++++ .../ssg-rhel7-cis_workstation_l2-ks.cfg | 147 ++++++++++++++++++ 4 files changed, 422 insertions(+), 2 deletions(-) create mode 100644 products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg create mode 100644 products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg create mode 100644 products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg diff --git a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg index 6ead435b978..00edb9d536c 100644 --- a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg +++ b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg @@ -1,6 +1,6 @@ -# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 7 Server +# SCAP Security Guide CIS profile (Leve 2 - Server) kickstart for Red Hat Enterprise Linux 7 Server # Version: 0.0.1 -# Date: 2020-03-30 +# Date: 2021-08-12 # # Based on: # https://pykickstart.readthedocs.io/en/latest/ diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg new file mode 100644 index 00000000000..333105c4f9e --- /dev/null +++ b/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg @@ -0,0 +1,136 @@ +# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 7 Server +# Version: 0.0.1 +# Date: 2021-08-12 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +logvol swap --name=lv_swap --vgname=VolGroup --size=2016 + + +# Harden installation with CIS profile +# For more details and configuration options see command %addon org_fedora_oscap in +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis_server_l1 +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg new file mode 100644 index 00000000000..7ca9fe8558b --- /dev/null +++ b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg @@ -0,0 +1,137 @@ +# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 7 Server +# Version: 0.0.1 +# Date: 2021-08-12 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +logvol swap --name=lv_swap --vgname=VolGroup --size=2016 + + + +# Harden installation with CIS profile +# For more details and configuration options see command %addon org_fedora_oscap in +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1 +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg new file mode 100644 index 00000000000..b9bff5f390e --- /dev/null +++ b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg @@ -0,0 +1,147 @@ +# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for Red Hat Enterprise Linux 7 Server +# Version: 0.0.1 +# Date: 2021-08-12 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html + +# Install a fresh new system (optional) +install + +# Specify installation method to use for installation +# To use a different one comment out the 'url' one below, update +# the selected choice with proper options & un-comment it +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] +# + +# Set language to use during installation and the default language to use on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard us + +# Configure network information for target system and activate network devices in the installer environment (optional) +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +# +# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, +# "--bootproto=static" must be used. For example: +# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 +# +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile will restrict root login +# Add a user that can login and escalate privileges +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# Set up the authentication options for the system (required) +# --enableshadow enable shadowed passwords by default +# --passalgo hash / crypt algorithm for new passwords +# See the manual page for authconfig for a complete list of possible options. +authconfig --enableshadow --passalgo=sha512 + +# State of SELinux on the installed system (optional) +# Defaults to enforcing +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create +# encrypted password form for different plaintext password +bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger +# Modify size of partitions appropriately to reflect actual machine's hardware +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup --pesize=4096 pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 +logvol swap --name=lv_swap --vgname=VolGroup --size=2016 + + + +# Harden installation with CIS profile +# For more details and configuration options see command %addon org_fedora_oscap in +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands +%addon org_fedora_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2 +%end + +# Packages selection (%packages section is required) +%packages + +# Require @Base +@Base + +%end # End of %packages section + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject From 92e84a2c1b302291aa8ffbc08ae3e4ffabd5dfe7 Mon Sep 17 00:00:00 2001 From: Gabriel Becker Date: Wed, 18 Aug 2021 14:24:34 +0200 Subject: [PATCH 2/2] Fix typo in the CIS kickstart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jan Černý --- products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg index 00edb9d536c..7062e2974ad 100644 --- a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg +++ b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg @@ -1,4 +1,4 @@ -# SCAP Security Guide CIS profile (Leve 2 - Server) kickstart for Red Hat Enterprise Linux 7 Server +# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 7 Server # Version: 0.0.1 # Date: 2021-08-12 #