From 2a5e10395f17b4a7ffaf725a492d0b032678cb00 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 18 Jul 2023 11:01:34 +0200 Subject: [PATCH 1/4] Create rhel9 kickstart file for CCN Basic --- .../kickstart/ssg-rhel9-ccn_basic-ks.cfg | 127 ++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg new file mode 100644 index 00000000000..01c91f96875 --- /dev/null +++ b/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg @@ -0,0 +1,127 @@ +# SCAP Security Guide CCN profile (Basic) kickstart for Red Hat Enterprise Linux 9 Server +# Version: 0.0.1 +# Date: 2023-07-18 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/performing_an_advanced_rhel_9_installation/starting-kickstart-installations_installing-rhel-as-an-experienced-user + +# Specify installation method to use for installation. To use a different one comment out +# the 'url' one below, update the selected choice with proper options & un-comment it. +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in. +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] + + +# Set language to use during installation and default language on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the +# installer environment (optional): +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see +# how to create encrypted password form for different plaintext password. +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile may restrict root login. +# Add a user that can login and escalate privileges. +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing. +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password. +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger. +# Modify size of partitions appropriately to reflect actual machine's hardware. +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Ensure /dev/shm is a separate partition +part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# Harden installation with CCN profile (Advanced) +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ccn_basic +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject From 60aa82035ff2d1e16f24de5a44421141d64b6140 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 18 Jul 2023 11:02:21 +0200 Subject: [PATCH 2/4] Create rhel9 kickstart file for CCN Intermediate --- .../ssg-rhel9-ccn_intermediate-ks.cfg | 127 ++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg new file mode 100644 index 00000000000..97d533b94a4 --- /dev/null +++ b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg @@ -0,0 +1,127 @@ +# SCAP Security Guide CCN profile (Intermediate) kickstart for Red Hat Enterprise Linux 9 Server +# Version: 0.0.1 +# Date: 2023-07-18 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/performing_an_advanced_rhel_9_installation/starting-kickstart-installations_installing-rhel-as-an-experienced-user + +# Specify installation method to use for installation. To use a different one comment out +# the 'url' one below, update the selected choice with proper options & un-comment it. +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in. +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] + + +# Set language to use during installation and default language on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the +# installer environment (optional): +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see +# how to create encrypted password form for different plaintext password. +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile may restrict root login. +# Add a user that can login and escalate privileges. +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing. +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password. +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger. +# Modify size of partitions appropriately to reflect actual machine's hardware. +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Ensure /dev/shm is a separate partition +part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# Harden installation with CCN profile (Advanced) +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ccn_intermediate +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject From 31f07efad39f7ddd3fe3988af6b5e449fe037171 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Tue, 18 Jul 2023 11:02:47 +0200 Subject: [PATCH 3/4] Create rhel9 kickstart file for CCN Advanced --- .../kickstart/ssg-rhel9-ccn_advanced-ks.cfg | 127 ++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 products/rhel9/kickstart/ssg-rhel9-ccn_advanced-ks.cfg diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_advanced-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_advanced-ks.cfg new file mode 100644 index 00000000000..bfbdf1dea9e --- /dev/null +++ b/products/rhel9/kickstart/ssg-rhel9-ccn_advanced-ks.cfg @@ -0,0 +1,127 @@ +# SCAP Security Guide CCN profile (Advanced) kickstart for Red Hat Enterprise Linux 9 Server +# Version: 0.0.1 +# Date: 2023-07-18 +# +# Based on: +# https://pykickstart.readthedocs.io/en/latest/ +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/performing_an_advanced_rhel_9_installation/starting-kickstart-installations_installing-rhel-as-an-experienced-user + +# Specify installation method to use for installation. To use a different one comment out +# the 'url' one below, update the selected choice with proper options & un-comment it. +# +# Install from an installation tree on a remote server via FTP or HTTP: +# --url the URL to install from +# +# Example: +# url --url=http://192.168.122.1/image +# +# Modify concrete URL in the above example appropriately to reflect the actual +# environment machine is to be installed in. +# +# Other possible / supported installation methods: +# * install from the first CD-ROM/DVD drive on the system: +# +# cdrom +# * install from a directory of ISO images on a local drive: +# +# harddrive --partition=hdb2 --dir=/tmp/install-tree +# * install from provided NFS server: +# +# nfs --server= --dir= [--opts=] + + +# Set language to use during installation and default language on the installed system (required) +lang en_US.UTF-8 + +# Set system keyboard type / layout (required) +keyboard --vckeymap us + +# Configure network information for target system and activate network devices in the +# installer environment (optional): +# --onboot enable device at a boot time +# --device device to be activated and / or configured with the network command +# --bootproto method to obtain networking configuration for device (default dhcp) +# --noipv6 disable IPv6 on this device +network --onboot yes --device eth0 --bootproto dhcp --noipv6 + +# Set the system's root password (required) +# Plaintext password is: server +# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see +# how to create encrypted password form for different plaintext password. +rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +# The selected profile may restrict root login. +# Add a user that can login and escalate privileges. +# Plaintext password is: admin123 +user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted + +# Configure firewall settings for the system (optional) +# --enabled reject incoming connections that are not in response to outbound requests +# --ssh allow sshd service through the firewall +firewall --enabled --ssh + +# State of SELinux on the installed system (optional) +# Defaults to enforcing. +selinux --enforcing + +# Set the system time zone (required) +timezone --utc America/New_York + +# Specify how the bootloader should be installed (required) +# Plaintext password is: password +# Refer to e.g. grub2-mkpasswd-pbkdf2 to see how to create +# encrypted password form for different plaintext password. +bootloader --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted + +# Initialize (format) all disks (optional) +zerombr + +# The following partition layout scheme assumes disk of size 20GB or larger. +# Modify size of partitions appropriately to reflect actual machine's hardware. +# +# Remove Linux partitions from the system prior to creating new ones (optional) +# --linux erase all Linux partitions +# --initlabel initialize the disk label to the default based on the underlying architecture +clearpart --linux --initlabel + +# Create primary system partitions (required for installs) +part /boot --fstype=xfs --size=512 +part pv.01 --grow --size=1 + +# Ensure /dev/shm is a separate partition +part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 + +# Create a Logical Volume Management (LVM) group (optional) +volgroup VolGroup pv.01 + +# Create particular logical volumes (optional) +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow +# Ensure /home Located On Separate Partition +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +# Ensure /tmp Located On Separate Partition +logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +# Ensure /var/tmp Located On Separate Partition +logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +# Ensure /var Located On Separate Partition +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 +# Ensure /var/log Located On Separate Partition +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 +# Ensure /var/log/audit Located On Separate Partition +logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 +logvol swap --name=swap --vgname=VolGroup --size=2016 + +# Harden installation with CCN profile (Advanced) +# For more details and configuration options see +# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program +%addon com_redhat_oscap + content-type = scap-security-guide + profile = xccdf_org.ssgproject.content_profile_ccn_advanced +%end + +# Packages selection (%packages section is required) +%packages +%end + +# Reboot after the installation is complete (optional) +# --eject attempt to eject CD or DVD media before rebooting +reboot --eject From 0e4ebd7b05819bc5d6cf02b45089c8a62e647aac Mon Sep 17 00:00:00 2001 From: Marcus Burghardt <2074099+marcusburghardt@users.noreply.github.com> Date: Tue, 18 Jul 2023 11:30:26 +0200 Subject: [PATCH 4/4] Apply suggestions from code review Updated profile level in comments of respective kickstart files Co-authored-by: vojtapolasek --- products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg | 2 +- products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg index 01c91f96875..7d2f806bbd2 100644 --- a/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg @@ -110,7 +110,7 @@ logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 logvol swap --name=swap --vgname=VolGroup --size=2016 -# Harden installation with CCN profile (Advanced) +# Harden installation with CCN profile (Basic) # For more details and configuration options see # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program %addon com_redhat_oscap diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg index 97d533b94a4..897189173cd 100644 --- a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg @@ -110,7 +110,7 @@ logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 logvol swap --name=swap --vgname=VolGroup --size=2016 -# Harden installation with CCN profile (Advanced) +# Harden installation with CCN profile (Intermediate) # For more details and configuration options see # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program %addon com_redhat_oscap