forked from ComplianceAsCode/content
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add kickstarts for each ANSSI hardening level
- Loading branch information
Showing
7 changed files
with
980 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,150 @@ | ||
# SCAP Security Guide ANSSI BP-028 (enhanced) profile kickstart for Red Hat Enterprise Linux 7 Server | ||
# Version: 0.0.1 | ||
# Date: 2021-01-28 | ||
# | ||
# Based on: | ||
# https://pykickstart.readthedocs.io/en/latest/ | ||
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html | ||
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg | ||
|
||
# Install a fresh new system (optional) | ||
install | ||
|
||
# Specify installation method to use for installation | ||
# To use a different one comment out the 'url' one below, update | ||
# the selected choice with proper options & un-comment it | ||
# | ||
# Install from an installation tree on a remote server via FTP or HTTP: | ||
# --url the URL to install from | ||
# | ||
# Example: | ||
# | ||
# url --url=http://192.168.122.1/image | ||
# | ||
# Modify concrete URL in the above example appropriately to reflect the actual | ||
# environment machine is to be installed in | ||
# | ||
# Other possible / supported installation methods: | ||
# * install from the first CD-ROM/DVD drive on the system: | ||
# | ||
# cdrom | ||
# | ||
# * install from a directory of ISO images on a local drive: | ||
# | ||
# harddrive --partition=hdb2 --dir=/tmp/install-tree | ||
# | ||
# * install from provided NFS server: | ||
# | ||
# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>] | ||
# | ||
|
||
# Set language to use during installation and the default language to use on the installed system (required) | ||
lang en_US.UTF-8 | ||
|
||
# Set system keyboard type / layout (required) | ||
keyboard us | ||
|
||
# Configure network information for target system and activate network devices in the installer environment (optional) | ||
# --onboot enable device at a boot time | ||
# --device device to be activated and / or configured with the network command | ||
# --bootproto method to obtain networking configuration for device (default dhcp) | ||
# --noipv6 disable IPv6 on this device | ||
# | ||
# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, | ||
# "--bootproto=static" must be used. For example: | ||
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 | ||
# | ||
network --onboot yes --device eth0 --bootproto dhcp --noipv6 | ||
|
||
# Set the system's root password (required) | ||
# Plaintext password is: server | ||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create | ||
# encrypted password form for different plaintext password | ||
rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 | ||
|
||
# The selected profile will restrict root login | ||
# Add a user that can login and escalate privileges | ||
# Plaintext password is: admin123 | ||
user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted | ||
|
||
# Configure firewall settings for the system (optional) | ||
# --enabled reject incoming connections that are not in response to outbound requests | ||
# --ssh allow sshd service through the firewall | ||
firewall --enabled --ssh | ||
|
||
# Set up the authentication options for the system (required) | ||
# --enableshadow enable shadowed passwords by default | ||
# --passalgo hash / crypt algorithm for new passwords | ||
# See the manual page for authconfig for a complete list of possible options. | ||
authconfig --enableshadow --passalgo=sha512 | ||
|
||
# State of SELinux on the installed system (optional) | ||
# Defaults to enforcing | ||
selinux --enforcing | ||
|
||
# Set the system time zone (required) | ||
timezone --utc America/New_York | ||
|
||
# Specify how the bootloader should be installed (required) | ||
# Plaintext password is: password | ||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create | ||
# encrypted password form for different plaintext password | ||
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 | ||
|
||
# Initialize (format) all disks (optional) | ||
zerombr | ||
|
||
# The following partition layout scheme assumes disk of size 20GB or larger | ||
# Modify size of partitions appropriately to reflect actual machine's hardware | ||
# | ||
# Remove Linux partitions from the system prior to creating new ones (optional) | ||
# --linux erase all Linux partitions | ||
# --initlabel initialize the disk label to the default based on the underlying architecture | ||
clearpart --linux --initlabel | ||
|
||
# Create primary system partitions (required for installs) | ||
part /boot --fstype=xfs --size=512 | ||
part pv.01 --grow --size=1 | ||
|
||
# Create a Logical Volume Management (LVM) group (optional) | ||
volgroup VolGroup --pesize=4096 pv.01 | ||
|
||
# Create particular logical volumes (optional) | ||
logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow | ||
# Ensure /usr Located On Separate Partition | ||
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" | ||
# Ensure /opt Located On Separate Partition | ||
logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" | ||
# Ensure /srv Located On Separate Partition | ||
logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" | ||
# Ensure /home Located On Separate Partition | ||
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" | ||
# Ensure /tmp Located On Separate Partition | ||
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" | ||
# Ensure /var/tmp Located On Separate Partition | ||
logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" | ||
# Ensure /var Located On Separate Partition | ||
logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev" | ||
# Ensure /var/log Located On Separate Partition | ||
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev" | ||
# Ensure /var/log/audit Located On Separate Partition | ||
logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev" | ||
logvol swap --name=lv_swap --vgname=VolGroup --size=2016 | ||
|
||
# Despite the ID referencing NT-28, the profile is aligned to BP-028 | ||
%addon org_fedora_oscap | ||
content-type = scap-security-guide | ||
profile = xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced | ||
%end | ||
|
||
# Packages selection (%packages section is required) | ||
%packages | ||
|
||
# Require @Base | ||
@Base | ||
|
||
%end # End of %packages section | ||
|
||
# Reboot after the installation is complete (optional) | ||
# --eject attempt to eject CD or DVD media before rebooting | ||
reboot --eject |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
150 changes: 150 additions & 0 deletions
150
rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,150 @@ | ||
# SCAP Security Guide ANSSI BP-028 (intermediary) profile kickstart for Red Hat Enterprise Linux 7 Server | ||
# Version: 0.0.1 | ||
# Date: 2021-01-28 | ||
# | ||
# Based on: | ||
# https://pykickstart.readthedocs.io/en/latest/ | ||
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html | ||
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg | ||
|
||
# Install a fresh new system (optional) | ||
install | ||
|
||
# Specify installation method to use for installation | ||
# To use a different one comment out the 'url' one below, update | ||
# the selected choice with proper options & un-comment it | ||
# | ||
# Install from an installation tree on a remote server via FTP or HTTP: | ||
# --url the URL to install from | ||
# | ||
# Example: | ||
# | ||
# url --url=http://192.168.122.1/image | ||
# | ||
# Modify concrete URL in the above example appropriately to reflect the actual | ||
# environment machine is to be installed in | ||
# | ||
# Other possible / supported installation methods: | ||
# * install from the first CD-ROM/DVD drive on the system: | ||
# | ||
# cdrom | ||
# | ||
# * install from a directory of ISO images on a local drive: | ||
# | ||
# harddrive --partition=hdb2 --dir=/tmp/install-tree | ||
# | ||
# * install from provided NFS server: | ||
# | ||
# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>] | ||
# | ||
|
||
# Set language to use during installation and the default language to use on the installed system (required) | ||
lang en_US.UTF-8 | ||
|
||
# Set system keyboard type / layout (required) | ||
keyboard us | ||
|
||
# Configure network information for target system and activate network devices in the installer environment (optional) | ||
# --onboot enable device at a boot time | ||
# --device device to be activated and / or configured with the network command | ||
# --bootproto method to obtain networking configuration for device (default dhcp) | ||
# --noipv6 disable IPv6 on this device | ||
# | ||
# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, | ||
# "--bootproto=static" must be used. For example: | ||
# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 | ||
# | ||
network --onboot yes --device eth0 --bootproto dhcp --noipv6 | ||
|
||
# Set the system's root password (required) | ||
# Plaintext password is: server | ||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create | ||
# encrypted password form for different plaintext password | ||
rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 | ||
|
||
# The selected profile will restrict root login | ||
# Add a user that can login and escalate privileges | ||
# Plaintext password is: admin123 | ||
user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted | ||
|
||
# Configure firewall settings for the system (optional) | ||
# --enabled reject incoming connections that are not in response to outbound requests | ||
# --ssh allow sshd service through the firewall | ||
firewall --enabled --ssh | ||
|
||
# Set up the authentication options for the system (required) | ||
# --enableshadow enable shadowed passwords by default | ||
# --passalgo hash / crypt algorithm for new passwords | ||
# See the manual page for authconfig for a complete list of possible options. | ||
authconfig --enableshadow --passalgo=sha512 | ||
|
||
# State of SELinux on the installed system (optional) | ||
# Defaults to enforcing | ||
selinux --enforcing | ||
|
||
# Set the system time zone (required) | ||
timezone --utc America/New_York | ||
|
||
# Specify how the bootloader should be installed (required) | ||
# Plaintext password is: password | ||
# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create | ||
# encrypted password form for different plaintext password | ||
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 | ||
|
||
# Initialize (format) all disks (optional) | ||
zerombr | ||
|
||
# The following partition layout scheme assumes disk of size 20GB or larger | ||
# Modify size of partitions appropriately to reflect actual machine's hardware | ||
# | ||
# Remove Linux partitions from the system prior to creating new ones (optional) | ||
# --linux erase all Linux partitions | ||
# --initlabel initialize the disk label to the default based on the underlying architecture | ||
clearpart --linux --initlabel | ||
|
||
# Create primary system partitions (required for installs) | ||
part /boot --fstype=xfs --size=512 | ||
part pv.01 --grow --size=1 | ||
|
||
# Create a Logical Volume Management (LVM) group (optional) | ||
volgroup VolGroup --pesize=4096 pv.01 | ||
|
||
# Create particular logical volumes (optional) | ||
logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow | ||
# Ensure /usr Located On Separate Partition | ||
logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" | ||
# Ensure /opt Located On Separate Partition | ||
logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" | ||
# Ensure /srv Located On Separate Partition | ||
logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" | ||
# Ensure /home Located On Separate Partition | ||
logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" | ||
# Ensure /tmp Located On Separate Partition | ||
logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" | ||
# Ensure /var/tmp Located On Separate Partition | ||
logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" | ||
# Ensure /var Located On Separate Partition | ||
logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev" | ||
# Ensure /var/log Located On Separate Partition | ||
logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev" | ||
# Ensure /var/log/audit Located On Separate Partition | ||
logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev" | ||
logvol swap --name=lv_swap --vgname=VolGroup --size=2016 | ||
|
||
# Despite the ID referencing NT-28, the profile is aligned to BP-028 | ||
%addon org_fedora_oscap | ||
content-type = scap-security-guide | ||
profile = xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary | ||
%end | ||
|
||
# Packages selection (%packages section is required) | ||
%packages | ||
|
||
# Require @Base | ||
@Base | ||
|
||
%end # End of %packages section | ||
|
||
# Reboot after the installation is complete (optional) | ||
# --eject attempt to eject CD or DVD media before rebooting | ||
reboot --eject |
Oops, something went wrong.