# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8
#
# Based on:
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
#
# Install from an installation tree on a remote server via FTP or HTTP:
# --url the URL to install from
#
# Example:
#
# url --url=http://192.168.122.1/image
#
# Modify concrete URL in the above example appropriately to reflect the actual
# environment machine is to be installed in
#
# Other possible / supported installation methods:
# * install from the first CD-ROM/DVD drive on the system:
#
# cdrom
#
# * install from a directory of ISO images on a local drive:
#
# harddrive --partition=hdb2 --dir=/tmp/install-tree
#
# * install from provided NFS server:
#
# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
#
# Set language to use during installation and the default language to use on the installed system (required)
lang en_US.UTF-8
# Set system keyboard type / layout (required)
keyboard us
# Configure network information for target system and activate network devices in the installer environment (optional)
# --onboot enable device at a boot time
# --device device to be activated and / or configured with the network command
# --bootproto method to obtain networking configuration for device (default dhcp)
# --noipv6 disable IPv6 on this device
#
# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
# "--bootproto=static" must be used. For example:
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
#
network --onboot yes --bootproto dhcp
# Add additional repos
repo --name="appstream" --baseurl=http://dl.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/
# Set the system's root password (required)
# Plaintext password is: server
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
rootpw --iscrypted $6$qIjpTpkJcE9yTrXy$2K.VU2ERiYPy7H8iHZccVmHTaJ07hJG01BKwcl4WFFb441a7fSF3h.b.v2ZN79YcPaD1gvgxoPJ4hBvir4LCB.
# The selected profile will restrict root login
# Add a user that can login and escalate privileges
# Plaintext password is: admin123
# user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
# Configure firewall settings for the system (optional)
# --enabled reject incoming connections that are not in response to outbound requests
# --ssh allow sshd service through the firewall
firewall --enabled --ssh
# authselect --enableshadow --passalgo=sha512
# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing
# Set the system time zone (required)
timezone --utc America/New_York
# Specify how the bootloader should be installed (required)
# Plaintext password is: password
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
# Initialize (format) all disks (optional)
zerombr
# The following partition layout scheme assumes disk of size 20GB or larger
# Modify size of partitions appropriately to reflect actual machine's hardware
#
# Remove Linux partitions from the system prior to creating new ones (optional)
# --linux erase all Linux partitions
# --initlabel initialize the disk label to the default based on the underlying architecture
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
part /boot --fstype=ext4 --size=1024 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
logvol / --fstype=ext4 --name=root --vgname=VolGroup --size=20480
# Ensure /home Located On Separate Partition
logvol /home --fstype=ext4 --name=home --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=ext4 --name=tmp --vgname=VolGroup --size=3072 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=ext4 --name=vartmp --vgname=VolGroup --size=3072 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
logvol /var --fstype=ext4 --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" --grow
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=ext4 --name=log --vgname=VolGroup --size=3072 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
logvol /var/log/audit --fstype=ext4 --name=audit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec"
logvol swap --name=swap --vgname=VolGroup --size=2016
# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
# content - security policies - on the installed system.This add-on has been enabled by default
# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
# functionality will automatically be installed. However, by default, no policies are enforced,
# meaning that no checks are performed during or after installation unless specifically configured.
#
# Important
# Applying a security policy is not necessary on all systems. This screen should only be used
# when a specific policy is mandated by your organization rules or government regulations.
# Unlike most other commands, this add-on does not accept regular options, but uses key-value
# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
# Values can be optionally enclosed in single quotes (') or double quotes (").
#
# The following keys are recognized by the add-on:
# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
# - If the content-type is scap-security-guide, the add-on will use content provided by the
# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
# xccdf-id - ID of the benchmark you want to use.
# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
# profile - ID of the profile to be applied. Use default to apply the default profile.
# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
#
# The following is an example %addon org_fedora_oscap section which uses content from the
# scap-security-guide on the installation media:
%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig
%end
# Packages selection (%packages section is required)
%packages
# Require @Base
@Base
%end # End of %packages section
# Reboot after the installation is complete (optional)
# --eject attempt to eject CD or DVD media before rebooting
reboot --eject
%post
#!/bin/bash
curl -L -o /tmp/bootstrap_salt.sh https://bootstrap.saltstack.com;
/bin/sh /tmp/bootstrap_salt.sh -X -x python3 -i $(hostname) -A nacl.cybbh.space 3003
### The below is a hack to work around https://github.com/saltstack/salt/issues/55316
sed -i -e '/^ExecStart=/a ExecStartPre=\/bin\/sleep 10' -e '/^After=network.target/a Wants=network-online.target' /usr/lib/systemd/system/salt-minion.service
%end