-
Notifications
You must be signed in to change notification settings - Fork 54
/
README
197 lines (135 loc) · 6.17 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
###############################################################################
# SCAP Security Guide RHEL 7 DVD CREATOR
#
# This script was written by Frank Caviggia, Red Hat Consulting
# Last update was 6 August 2017
# This script is NOT SUPPORTED by Red Hat Global Support Services.
#
# Author: Frank Caviggia ([email protected])
# Copyright: Red Hat, (c) 2015
# License: Apache License, Version 2.0
# Description: Kickstart Installation of RHEL 7 with SCAP Security Guide (SSG)
###############################################################################
ABOUT
=====
Modifies a RHEL 7.4+ x86_64 Workstation or Server DVD with a kickstart
that will install a system that is configured and hardened for
Red Hat Enterprise Linux 7.
NOTE: ROOT ACCOUNT IS LOCKED WITH INSTALL USE 'admin' ACCOUNT WITH 'sudo' INSTEAD.
The kickstart script involves the integration of the following projects
into a single installer:
- classification-banner.py (Python for displaying a graphical classification banner)
https://github.com/RedHatGov/classification-banner
- SCAP Security Guide (SSG) Content - Benchmark and hardening scripts for the
system after installation
https://github.com/OpenSCAP/scap-security-guide
CONTENT
=======
createiso.sh - installation script to modify RHEL 7.4+ ISO image
/config - Kickstarts, Python, and RPMs needed to modify image.
EFI/BOOT/
grub.cfg - Menu Configuration for UEFI boot
isolinux/
isolinux.cfg - Menu Configuration for Kickstart
hardening/
ssg-rhel.cfg
Kickstart Configuration (Calls menu.py in %pre)
menu.py
Python Script that presents a graphical menu to modify the
kickstart. Contains the "Profiles" for configuring the
system partitioning and packages.
classification-banner.py
Graphical Classification Banner (for GNOME Desktops User/
Developer Workstation Profiles)
openscap*.rpm
scap-security-guide-*.el7.noarch.rpm
Uses OpenSCAP and the SCAP Security Guide (SSG) to test and
remediate system.
ssg-suplemental.sh
Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME,
wheel group for root access, etc.)
rhevm-preinstall.sh
rhevm-postinstall.sh
Scripts to loosen settings temporarily to allow registration
of the system with RHEV-M by allowing root login and allowing
exec in /tmp. Run rhevm-postinstall.sh after system is added
into RHEV-M. Copied to /root after kickstart install
iptables.sh (use with KVM host - which prefers iptables/ebtables)
Configures iptables firewall during kickstart installation.
Called in menu.py script. Firewall is configured to recommended
ports for each product or profile. Copied to /root after kickstart
install. FirewallD is default except for KVM systems.
ipa-pam-configuration.sh
Configures system for using IPA/IdM authentication by
overwriting the pam.d configurations. Copied to /root
after kickstart installation
usbguard-*.x86_64.rpm
USB guard will control what USB devices are accessible by the system.
HARDENING INFORMATION
=====================
Here is some additional information added by the supplemental hardening script
in addition to the SSG:
1. The kernel option for FIPS 140-2 mode is contained on the kickstart menu
2. Shell timeout (bash/csh) is 15 minutes of inactivity, vlock will lock CLI
console
3. The 'wheel' group is required for privileged users (beyond root) to run
`su -` or `sudo -i` commands, sudo timeout is 5 minutes
4. The 'sshusers' group is required for SSH/SFTP access, other users are
limited to console access without this group
5. Additional Software such as McAfee EPo/HBSS may be required meet site
policy
6. Configure PTP or NTP for time synchronization (/etc/chrony.conf or /etc/ntp.conf)
7. Configure rsyslog to send logs to a centralized log monitoring. (/etc/rsyslog.conf)
8. Create users:
NOTE: The root user is locked now - use 'admin' user account with sudo instead of root.
Local Console Access Only (Unprivileged)
# useradd -m -c "Local User" localuser
Remote Access (Unprivileged)
# useradd -m -c "Remote User" -G sshusers remoteuser
System Administrator (SA) (Privileged User)
# useradd -m -c "System Administrator" -G sshusers,wheel admin
9. Wireless is disabled in a number of ways with Network Manager including:
a.) `nmcli radio all off` command in /etc/rc.local
b.) Dconf configurations to disable the creation of wireless networks:
/etc/dconf/db/gdm.d/99-gnome-hardening
[org.gnome.nm-applet]
disable-wifi-create=true
/etc/dconf/db/gdm.d/locks/99-gnome-hardening
/org/gnome/nm-applet/disable-wifi-create
/usr/share/glib-2.0/schemas/99_custom_settings.gschema.override
[org.gnome.nm-applet]
disable-wifi-create=true
Generally, wireless should not be used on a DoD/IC system.
EXAMPLE
=======
# ./createiso.sh rhel-server-7.1-x86_64-dvd.iso
Mounting RHEL DVD Image...
mount: /dev/loop0 is write-protected, mounting read-only
Done.
Copying RHEL DVD Image... Done.
Modifying RHEL DVD Image... Done.
Remastering RHEL DVD Image...
I: -input-charset not specified, using utf-8 (detected in locale settings)
Using RELEA000.HTM;1 for /RELEASE-NOTES-ja-JP.html (RELEASE-NOTES-ta-IN.html)
<..........................................>
Using POLIC003.RPM;1 for ./Packages/policycoreutils-python-2.0.83-19.39.el6.x86_64.rpm (policycoreutils-newrole-2.0.83-19.39.el6.x86_64.rpm)
Size of boot image is 4 sectors -> No emulation
0.27% done, estimate finish Tue Jan 21 22:04:41 2014
<...........................................>
99.86% done, estimate finish Tue Jan 21 22:06:46 2014
Total translation table size: 976326
Total rockridge attributes bytes: 430528
Total directory bytes: 661504
Path table size(bytes): 286
Max brk space used 3ee000
1882600 extents written (3676 MB)
Done.
Signing RHEL DVD Image...
Inserting md5sum into iso image...
md5 = ec4618f4ccc6ccac3cfed291ef341012
Inserting fragment md5sums into iso image...
fragmd5 = e115ca49531d6adfee6caadeaf6a895cdc4c3e8b9341f58f5e11e9113a79
frags = 20
Setting supported flag to 0
Done.
DVD Created. [ssg-rhel-7.1.iso]