# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8
#
# Purpose: unattended RHEL 8 install that lays out the STIG-required separate
# partitions and mount options, sets the STIG kernel command line, and hands
# the installed system to the OpenSCAP add-on so the STIG profile is applied
# during installation.
#
# Based on:
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
# For more information see the following documentation:
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
#
# Specify installation method to use for installation
# NOTE: none of the method lines below is active in this file; un-comment and
# adapt exactly one of them before using this kickstart.
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
#
# Install from an installation tree on a remote server via FTP or HTTP:
# --url the URL to install from
#
# Example:
#
# url --url=http://192.168.122.1/image
#
# Modify concrete URL in the above example appropriately to reflect the actual
# environment machine is to be installed in
#
# Other possible / supported installation methods:
# * install from the first CD-ROM/DVD drive on the system:
#
# cdrom
#
# * install from a directory of ISO images on a local drive:
#
# harddrive --partition=hdb2 --dir=/tmp/install-tree
#
# * install from provided NFS server:
#
# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
#
# Set language to use during installation and the default language to use on the installed system (required)
lang en_US.UTF-8
# Set system keyboard type / layout (required)
keyboard --vckeymap us
# Configure network information for target system and activate network devices in the installer environment (optional)
# --onboot enable device at a boot time
# --device device to be activated and / or configured with the network command
# --bootproto method to obtain networking configuration for device (default dhcp)
# --noipv6 disable IPv6 on this device
network --onboot yes --bootproto dhcp
# Set the system's root password (required)
# Plaintext password is: server
# This is a published sample credential: the hash below MUST be replaced with
# one generated for a locally chosen password before this file is deployed.
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
# The selected profile will restrict root login
# Add a user that can login and escalate privileges
# Plaintext password is: admin123
# Same caveat as rootpw: sample credential, replace the hash before deploying.
# Membership of 'wheel' is what grants privilege escalation to this account.
user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
# Configure firewall settings for the system (optional)
# --enabled reject incoming connections that are not in response to outbound requests
# --ssh allow sshd service through the firewall
# Only sshd is opened here; any other inbound service has to be added explicitly.
firewall --enabled --ssh
# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing
# Set the system time zone (required)
timezone --utc America/New_York
# Specify how the bootloader should be installed (required)
# Kernel command line:
#   audit=1                   start auditing at kernel boot, before auditd runs
#   audit_backlog_limit=8192  enlarge the audit record backlog so early records are not dropped
#   slub_debug=P, page_poison=1  poison freed slab/page memory
#   vsyscall=none             disable the legacy fixed-address vsyscall page
# Plaintext password is: password
# Sample credential: regenerate the PBKDF2 hash with grub2-mkpasswd-pbkdf2 before deploying.
# Refer to e.g.
# grub2-mkpasswd-pbkdf2
# to see how to create encrypted password form for different plaintext password
bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted
# Initialize (format) all disks (optional)
# Destructive: every disk the installer sees is affected.
zerombr
# The following partition layout scheme assumes disk of size 20GB or larger
# NOTE: the fixed sizes below add up to roughly 30 GB (about 29.7 GB of logical
# volumes plus a 512 MB /boot), so a 20 GB disk will not fit them as written.
# Modify size of partitions appropriately to reflect actual machine's hardware
#
# Remove Linux partitions from the system prior to creating new ones (optional)
# --linux erase all Linux partitions
# --initlabel initialize the disk label to the default based on the underlying architecture
clearpart --linux --initlabel
# Create primary system partitions (required for installs)
# /boot is mounted nodev,nosuid,noexec; everything else lives in the LVM volume group.
part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
volgroup VolGroup pv.01
# Create particular logical volumes (optional)
# Root volume: fixed minimum, then takes whatever space remains (--grow).
logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
# Ensure /home Located On Separate Partition
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# Ensure /tmp Located On Separate Partition
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/tmp Located On Separate Partition
logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var Located On Separate Partition
logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
# Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
# Ensure /var/log/audit Located On Separate Partition
# Sized the same as the root minimum (10 GB); presumably intended for long
# audit retention — adjust to the expected audit volume and retention policy.
logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=10240 --fsoptions="nodev,nosuid,noexec"
# Swap logical volume (no mount options apply)
logvol swap --name=swap --vgname=VolGroup --size=2016
# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
# content - security policies - on the installed system. This add-on has been enabled by default
# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
# functionality will automatically be installed. However, by default, no policies are enforced,
# meaning that no checks are performed during or after installation unless specifically configured.
#
# Important
# Applying a security policy is not necessary on all systems. This screen should only be used
# when a specific policy is mandated by your organization rules or government regulations.
# Unlike most other commands, this add-on does not accept regular options, but uses key-value
# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
# Values can be optionally enclosed in single quotes (') or double quotes (").
#
# For more details and configuration options see
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
#
# Selects the STIG profile shipped with the scap-security-guide package.
%addon org_fedora_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_stig
%end
# Packages selection (%packages section is required)
# Left empty on purpose: no environment, group or package is pinned here, so the
# installer's default selection is used — presumably to be narrowed per site.
%packages
%end
# Reboot after the installation is complete (optional)
# --eject attempt to eject CD or DVD media before rebooting
reboot --eject