Align ANSSI kickstarts with enhanced level

- Keep restricting IPv6 - Audit enabled during boot - No requirement to enforce use of SELinux
brett060102 · Feb 8, 2021 · 745ec9b · 745ec9b
1 parent 3884ae5
commit 745ec9b
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 20 deletions.
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
@@ -78,18 +78,14 @@ firewall --enabled --ssh
 # See the manual page for authconfig for a complete list of possible options.
 authconfig --enableshadow --passalgo=sha512
 
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
 # Set the system time zone (required)
 timezone --utc America/New_York
 
 # Specify how the bootloader should be installed (required)
 # Plaintext password is: password
 # Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
 # encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limig=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
 
 # Initialize (format) all disks (optional)
 zerombr

diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -6,9 +6,6 @@
 # https://pykickstart.readthedocs.io/en/latest/
 # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
 
-# Install a fresh new system (optional)
-install
-
 # Specify installation method to use for installation
 # To use a different one comment out the 'url' one below, update
 # the selected choice with proper options & un-comment it
@@ -52,7 +49,7 @@ keyboard us
 #       "--bootproto=static" must be used. For example:
 # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
 #
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
 
 # Set the system's root password (required)
 # Plaintext password is: server
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
 # --ssh		allow sshd service through the firewall
 firewall --enabled --ssh
 
-# Set up the authentication options for the system (required)
-# --enableshadow	enable shadowed passwords by default
-# --passalgo		hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
 # Set the system time zone (required)
 timezone --utc America/New_York
 
@@ -89,7 +76,7 @@ timezone --utc America/New_York
 # Refer to e.g.
 #   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
 # to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
 
 # Initialize (format) all disks (optional)
 zerombr