From 745ec9b02bb45ca89d2705e79b36b17060508765 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 2 Feb 2021 14:03:09 +0100
Subject: [PATCH] Align ANSSI kickstarts with enhanced level
- Keep restricting IPv6
- Audit enabled during boot
- No requirement to enforce use of SELinux
---
 .../ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 6 +-----
 .../ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 17 ++---------------
 2 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
index 2e75873a28a..1d35bedb91c 100644
--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
@@ -78,10 +78,6 @@ firewall --enabled --ssh
 # See the manual page for authconfig for a complete list of possible options.
 authconfig --enableshadow --passalgo=sha512
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
 # Set the system time zone (required)
 timezone --utc America/New_York
@@ -89,7 +85,7 @@ timezone --utc America/New_York
 # Plaintext password is: password
 # Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
 # encrypted password form for different plaintext password
-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limig=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
 # Initialize (format) all disks (optional)
 zerombr
diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
index 4e249f61e25..728946ecb73 100644
--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
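Review bot: The new RHEL 7 bootloader line misspells the kernel parameter as `audit_backlog_limig=8192`, so the audit backlog limit is never applied on RHEL 7 even though the commit says audit is enabled during boot; the RHEL 8 counterpart in the same patch spells it `audit_backlog_limit`. An unrecognised kernel parameter is not an error at boot, so nothing will flag the typo later. The line should read `bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$...` (hash unchanged). Since this also drops `crashkernel=auto rhgb quiet`, a short comment above the line stating that those are intentionally left out would save the next reader from wondering whether it was accidental.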
+++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
@@ -6,9 +6,6 @@
 # https://pykickstart.readthedocs.io/en/latest/
 # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
-# Install a fresh new system (optional)
-install
-
 # Specify installation method to use for installation
 # To use a different one comment out the 'url' one below, update
 # the selected choice with proper options & un-comment it
@@ -52,7 +49,7 @@ keyboard us
 # "--bootproto=static" must be used. For example:
 # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
 #
-network --onboot yes --bootproto dhcp
+network --onboot yes --bootproto dhcp --noipv6
 # Set the system's root password (required)
 # Plaintext password is: server
@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
 # --ssh allow sshd service through the firewall
 firewall --enabled --ssh
-# Set up the authentication options for the system (required)
-# --enableshadow enable shadowed passwords by default
-# --passalgo hash / crypt algorithm for new passwords
-# See the manual page for authconfig for a complete list of possible options.
-authconfig --enableshadow --passalgo=sha512
-
-# State of SELinux on the installed system (optional)
-# Defaults to enforcing
-selinux --enforcing
-
 # Set the system time zone (required)
 timezone --utc America/New_York
@@ -89,7 +76,7 @@ timezone --utc America/New_York
 # Refer to e.g.
 # https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
 # to see how to create encrypted password form for different plaintext password
-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
 # Initialize (format) all disks (optional)
 zerombr
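Review bot: The new RHEL 8 `--append` drops `slub_debug=P page_poison=1 vsyscall=none` without any explanation: the commit description only lists IPv6, audit and SELinux, and the kickstart carries no comment about it. If the enhanced level genuinely does not mandate these kernel hardening options that should be stated, because to a reader this otherwise looks like an unintended hardening regression rather than an alignment. I would add a comment above the bootloader line along the lines of `# Enhanced level only requires auditing to be enabled at boot; further kernel hardening parameters are left to stricter profiles` (worded to match what the profile actually requires), and mention the removal in the commit message.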