-
Notifications
You must be signed in to change notification settings - Fork 15
/
Copy pathREADME
142 lines (105 loc) · 4.53 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
###############################################################################
# HARDENED DVD CREATOR
#
# This script was written by Frank Caviggia, Red Hat Consulting
# Last update was 5 August 2015
# This script is NOT SUPPORTED by Red Hat Global Support Services.
# Please contact Rick Tavares for more information.
#
# Author: Frank Caviggia ([email protected])
# Copyright: Red Hat, (c) 2014
# License: GPLv2
# Description: Kickstart Installation of RHEL 6 with DISA STIG
###############################################################################
ABOUT
=====
Modifies a RHEL 6.4+ x86_64 Workstation or Server DVD with a kickstart
that will install a system that is configured and hardened for
Red Hat Enterprise Linux 6.
The kickstart script involves the integration of the following projects
into a single installer:
- hardening-script-*.el6.noarch.rpm (Hardening scripts RPM)
https://github.com/fcaviggia/hardening-script-el6
- classification-banner.py (Python for displaying graphical classification banner)
https://github.com/RedHatGov/classification-banner
- SCAP Security Guide (SSG) Content - Benchmark for the system after installation
https://github.com/OpenSCAP/scap-security-guide
- DOD Firefox Plugin
http://www.forge.mil/Resources-Firefox.html
CONTENT
=======
createiso.sh - installation script to modify RHEL 6.4+ ISO image
/config - Kickstarts, Python, and RPMs needed to modify image.
isolinux/
grub.conf - Menu Configuration for Kickstart
isolinux.cfg - Menu Configuration for Kickstart
stig-fix/
stig-fix.cfg
Kickstart Configuration (Calls menu.py in %pre)
menu.py
Python Script that presents a graphical menu to modify the
kickstart. Contains the "Profiles" for configuring the
system partitioning and packages.
classification-banner.py
Graphical Classification Banner (for GNOME Desktops User/
Developer Workstation Profiles)
dod_firefox_config.tar.gz
DOD Firefox Plugin and DOD Root CA Certificates for NIPR (SPIR
CAs would need to be added and repackaged via taring up the
.mozzilla directory - placed in /etc/skel for all users.
hardening-script-*-el6.noarch.rpm
RPM Created from my fork of Tresys CLIP, Aqueduct, NSA SNAC, and USGCB here:
https://github.com/fcaviggia/hardening-script-el6
The hardening is run at the last part of the kickstart script to
lockdown the system, this could theoretically be replaced by the
SCAP Security Guide Scripts below at a later date.
scap-security-guide-*.el6.noarch.rpm
Currently I use ths SSG Scripts to take a benchmark to save in
root after installation. Updated to the latest version.
rhevm-preinstall.sh
rhevm-postinstall.sh
Scripts to losen settings temporararily to allow registration
of the system with RHEV-M by allowing root login and allowing
exec in /tmp. Run rhevm-postinstall.sh after system is added
into RHEV-M. Copied to /root after kickstart install.
iptables.sh
Configures firewall settings to reccomended ports for each
product or profile. Copied to /root after kickstart
install.
ipa-pam-configuration.sh
Configures system for using IPA/IdM authentication by
overwriting the pam.d configurations. Copied to /root
after kickstart installation/
EXAMPLE
=======
# ./createiso.sh rhel-server-6.5-x86_64-dvd.iso
Mounting RHEL DVD Image...
mount: /dev/loop0 is write-protected, mounting read-only
Done.
Copying RHEL DVD Image... Done.
Modifying RHEL DVD Image... Done.
Remastering RHEL DVD Image...
I: -input-charset not specified, using utf-8 (detected in locale settings)
Using RELEA000.HTM;1 for /RELEASE-NOTES-ja-JP.html (RELEASE-NOTES-ta-IN.html)
<..........................................>
Using POLIC003.RPM;1 for ./Packages/policycoreutils-python-2.0.83-19.39.el6.x86_64.rpm (policycoreutils-newrole-2.0.83-19.39.el6.x86_64.rpm)
Size of boot image is 4 sectors -> No emulation
0.27% done, estimate finish Tue Jan 21 22:04:41 2014
<...........................................>
99.86% done, estimate finish Tue Jan 21 22:06:46 2014
Total translation table size: 976326
Total rockridge attributes bytes: 430528
Total directory bytes: 661504
Path table size(bytes): 286
Max brk space used 3ee000
1882600 extents written (3676 MB)
Done.
Signing RHEL DVD Image...
Inserting md5sum into iso image...
md5 = ec4618f4ccc6ccac3cfed291ef341012
Inserting fragment md5sums into iso image...
fragmd5 = e115ca49531d6adfee6caadeaf6a895cdc4c3e8b9341f58f5e11e9113a79
frags = 20
Setting supported flag to 0
Done.
DVD Created. [hardened-rhel.iso]