This project forked from fcaviggia/hardened-centos7-kickstart
DVD embedded Kickstart for CentOS 7 utilizing SCAP Security Guide (SSG) as a hardening script.
License: GNU General Public License v2.0
############################################################################### # Hardened CentOS 7 DVD CREATOR # # This script was written by Frank Caviggia # Last update was 19 Dec 2016 # # Author: Frank Caviggia ([email protected]) # Copyright: Frank Caviggia, (c) 2016 # License: GPLv2 # Description: Hardened Installation of CentOS 7 ############################################################################### ABOUT ===== Modifies a CentOS 7.3+ (tested with CentOS-7-x86_64-DVD-1611.iso) x86_64 DVD with a kickstart that will install a system that is configured and hardened to meet government-level regulations. NOTE: ROOT ACCOUNT IS LOCKED WITH INSTALL USE 'admin' ACCOUNT WITH 'sudo' INSTEAD. The kickstart script involves the integration of the following projects into a single installer: - classification-banner.py (Python for displaying a graphical classification banner) https://github.com/RedHatGov/classification-banner - SCAP Security Guide (SSG) - Hardening Script for CentOS7 https://github.com/openscap/scap-security-guide CONTENT ======= createiso.sh - installation script to modify CentOS 7.2+ ISO image /config - Kickstarts, Python, and RPMs needed to modify image. isolinux/ isolinux.cfg - Menu Configuration for Kickstart hardening/ hardened-centos.cfg Kickstart Configuration (Calls menu.py in %pre) menu.py Python Script that presents a graphical menu to modify the kickstart. Contains the "Profiles" for configuring the system partitioning and packages. classification-banner.py Graphical Classification Banner (for GNOME Desktops User/ Developer Workstation Profiles) supplemental.sh Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME, wheel group for root access, etc.) ovirt-engine-install.sh Script to install and configure Ovirt Manager. ovirt-kvm-preinstall.sh ovirt-kvm-postinstall.sh Scripts to install Ovirt-Attached KVM hypervisor. Script will loosen settings temporarily to allow registration of the system with Ovirt Manager by allowing root login and allowing exec in /tmp. Run rhevm-postinstall.sh after system is added into Ovirt Manager. Copied to /root after kickstart install iptables.sh (use with KVM and Ovirt hosts, uses iptables/ebtables) Configures iptables firewall during kickstart installation. Called in menu.py script. Firewall is configured to recommended ports for each product or profile. Copied to /root after kickstart install. FirewallD is default except for KVM systems. ipa-pam-configuration.sh Configures system for using IPA/IdM authentication by overwriting the pam.d configurations. Copied to /root after kickstart installation scap-security-guide-*.el7.noarch.rpm SCAP Security Guide for implimenting DISA STIG profile on CentOS and Firefox. usbguard-*.x86_64.rpm USB guard will control what USB devices are accessible by the system. HARDENING INFORMATION ===================== Here is some additional information added by the supplemental hardening script in addition to the SSG: 1. The kernel option for FIPS 140-2 mode is contained on the kickstart menu 2. Shell timeout (bash/csh) is 15 minutes of inactivity, vlock will lock CLI console 3. The 'wheel' group is required for privileged users (beyond root) to run `su -` or `sudo -i` commands, sudo timeout is 5 minutes 4. The 'sshusers' group is required for SSH/SFTP access, other users are limited to console access without this group 5. Additional software such as McAfee EPo/HBSS may be required meet site policy 6. Configure NTP (/etc/chrony.conf) and rsyslog logging to remote server (/etc/rsyslog.conf) 8. Create users: NOTE: The root user is locked now - use 'admin' user account with sudo instead of root. Local Console Access Only (Unprivileged) # useradd -m -c "Local User" localuser Remote Access (Unprivileged) # useradd -m -c "Remote User" -G sshusers remoteuser System Administrator (SA) (Privileged User) # useradd -m -c "System Administrator" -G sshusers,wheel admin 9. Wireless is disabled in a number of ways with Network Manager including: a.) `nmcli radio all off` command in /etc/rc.local b.) Dconf configurations to disable the creation of wireless networks: /etc/dconf/db/gdm.d/99-gnome-hardening [org.gnome.nm-applet] disable-wifi-create=true /etc/dconf/db/gdm.d/locks/99-gnome-hardening /org/gnome/nm-applet/disable-wifi-create /usr/share/glib-2.0/schemas/99_custom_settings.gschema.override [org.gnome.nm-applet] disable-wifi-create=true Generally, wireless should not be used on a DoD/IC system. EXAMPLE ======= # # ./createiso.sh CentOS-7-x86_64-DVD-1601-01.iso Mounting CentOS DVD Image... mount: /dev/loop1 is write-protected, mounting read-only Done. Copying CentOS DVD Image... Done. Modifying CentOS DVD Image... Done. Remastering CentOS DVD Image... ... 0.23% done, estimate finish Wed Feb 10 07:34:24 2016 0.46% done, estimate finish Wed Feb 10 07:37:59 2016 0.70% done, estimate finish Wed Feb 10 07:36:47 2016 0.93% done, estimate finish Wed Feb 10 07:36:11 2016 1.16% done, estimate finish Wed Feb 10 07:35:50 2016 1.39% done, estimate finish Wed Feb 10 07:35:35 2016 1.62% done, estimate finish Wed Feb 10 07:35:25 2016 1.85% done, estimate finish Wed Feb 10 07:35:17 2016 2.09% done, estimate finish Wed Feb 10 07:35:11 2016 2.32% done, estimate finish Wed Feb 10 07:35:07 2016 2.55% done, estimate finish Wed Feb 10 07:35:03 2016 2.78% done, estimate finish Wed Feb 10 07:34:59 2016 3.01% done, estimate finish Wed Feb 10 07:34:57 2016 3.24% done, estimate finish Wed Feb 10 07:34:54 2016 3.48% done, estimate finish Wed Feb 10 07:34:52 2016 3.71% done, estimate finish Wed Feb 10 07:34:50 2016 3.94% done, estimate finish Wed Feb 10 07:34:49 2016 4.17% done, estimate finish Wed Feb 10 07:34:47 2016 4.40% done, estimate finish Wed Feb 10 07:34:46 2016 4.63% done, estimate finish Wed Feb 10 07:34:45 2016 4.87% done, estimate finish Wed Feb 10 07:34:44 2016 5.10% done, estimate finish Wed Feb 10 07:34:43 2016 5.33% done, estimate finish Wed Feb 10 07:34:42 2016 5.56% done, estimate finish Wed Feb 10 07:34:41 2016 ... 99.87% done, estimate finish Wed Feb 10 07:34:35 2016 Total translation table size: 2048 Total rockridge attributes bytes: 417876 Total directory bytes: 712704 Path table size(bytes): 158 Max brk space used 3af000 2157808 extents written (4214 MB) Done. Signing CentOS DVD Image... Inserting md5sum into iso image... md5 = e526291fc5ff0c83a7de64c183f27b78 Inserting fragment md5sums into iso image... fragmd5 = 631648db156318da3cf5aef0db4d65efa7a774fcceabc45e9ecd7476f22b frags = 20 Setting supported flag to 0 Done. DVD Created. [hardened-centos7-x86_64.iso]
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
