
@noconnor29
Last active January 7, 2024 17:47
#!/bin/bash
# stop logging services
/usr/bin/systemctl stop rsyslog
# auditd refuses a manual stop via systemctl, so use the service wrapper (service NAME ACTION)
/usr/sbin/service auditd stop
# Uncomment next line to remove old kernels
# /bin/package-cleanup --oldkernels --count=1
#clean yum cache
/usr/bin/yum clean all
#force logrotate to shrink logspace and remove old logs as well as truncate logs
/usr/sbin/logrotate -f /etc/logrotate.conf
/bin/rm -f /var/log/*-???????? /var/log/*.gz
/bin/rm -f /var/log/dmesg.old
/bin/rm -rf /var/log/anaconda
/bin/cat /dev/null > /var/log/audit/audit.log
/bin/cat /dev/null > /var/log/wtmp
/bin/cat /dev/null > /var/log/lastlog
/bin/cat /dev/null > /var/log/grubby
#remove udev hardware rules
/bin/rm -f /etc/udev/rules.d/70*
#remove uuid from ifcfg scripts
/bin/cat > /etc/sysconfig/network-scripts/ifcfg-ens192 <<EOM
DEVICE=ens192
ONBOOT=yes
EOM
#remove SSH host keys
/bin/rm -f /etc/ssh/*key*
#remove root users shell history
/bin/rm -f ~root/.bash_history
unset HISTFILE
#remove root users SSH history
/bin/rm -rf ~root/.ssh/known_hosts

About

This document provides a process for installing Red Hat Enterprise Linux (RHEL) version 8. With modifications, it should be transferable to later major versions.

Technologies used:

  • Ansible - declarative configuration management software
  • Logical Volume Manager (LVM) - a Linux volume manager which abstracts the filesystem from physical/virtual disks to allow online volume resizing.
  • VMware vCenter - hypervisor platform

Live version available: here

Overview

  1. Install RHEL VM in vCenter
  2. Configure VM to CIS Server Level 1
  3. Convert VM into template
  4. Deploy template, expand disk via LVM

1. Install RHEL

The initial VM install can be configured with:

  1. a minimum size disk to keep the template small, or
  2. a reasonable guess so you have to do less tweaking in LVM for each deployment.

During VMware VM resource configuration set a disk size in accordance with option 1) or 2) above. Otherwise configure as normal. Take the following actions during installation.

Root Password

Leave the root account unconfigured (i.e. disabled, no password). This can be changed later from a sudo account if needed and does not prevent sudoers from becoming root.

User Creation

Create a user account with administrator/sudo privileges. This account will be used for the Ansible configuration later.

Connect to Red Hat (Subscription)

Not sure if this is necessary for our VMware host licensing model. If it's like a Developer Subscription, set up the subscription to get updates but then remove before creating a template.

Installation Destination
  • The only disk is selected by default. Select "Custom" and click "Done"
    • "LVM" should be selected by default. If so, click the link "Click here to create them automatically."
    • This creates the default partitions / (root), /boot, /boot/efi, and swap.
  • Remove enough space from the root volume (/) to create the three additional partitions required by CIS.
  • Click "+" in the lower left to create the partitions below. The capacity and filesystem of these partitions is your choice.
    • Mount Point: /home
    • Mount Point: /var
    • Mount Point: /var/tmp
    Note: These new partitions are all part of the same volume group ("rhel" by default), so they can be resized later by adding new virtual disk(s).
  • Click "Done" in upper left.
  • Click "Accept" in lower right
Network & Host Name:
  • Select "Network and Host Name"
  • Enable the NIC
  • Set a Host Name (can be overridden with template later)
  • Perform any other NIC configurations (disable IPv6, etc)
  • Click "Done" in upper left
Security Policy

There is an option to pre-configure the system to CIS Server Level 1. It is not configurable, so it may not meet your needs. If you want to use it, select "Security Profile" > "CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server"

Software Selection
  • Select "Server"
    • "Server with GUI" has a package (xorg, the window manager/GUI) which CIS seems not to support.
  • Check box for "Guest Agents"
  • Check boxes for other desired software
Install
  • Select "Begin Installation". Reboot system once complete.
  • Install perl: sudo dnf install perl
    • needed to ensure NIC is active when using vCenter's perl-based customization
  • Apply updates: sudo dnf upgrade

2. Configure VM to CIS Server Level 1

Use Ansible to configure the OS to meet the CIS benchmarks. Ansible is a declarative configuration management system, so a playbook can be run against assets continuously to maintain configuration.

Playbook Source: ansible-lockdown: RHEL8-CIS

Process:

  1. Ensure Ansible is installed. No further configuration required.
    • Linux: sudo [dnf|apt] install ansible
  2. Unzip RHEL-CIS-POC onto a machine
  3. Change directory into RHEL-CIS-POC
  4. Edit defaults/main.yml to configure which settings are applied and what their values should be.
    • Descriptions of the settings are available in the CIS benchmark and in the repo
  5. Ensure the IP of the VM is present in RHEL-CIS-POC/hosts
  6. Run ansible-playbook to configure (each continuation backslash must be the last character on its line):
ansible-playbook --ask-pass --ask-become-pass \
  --ssh-common-args='-o StrictHostKeyChecking=accept-new' \
  --inventory hosts site.yml --limit IP_ADDR --tags level1-server \
  --user ADMIN_USER

3. Convert VM into template

Before converting to a template several steps must be completed:

  1. Detach the VM from your Red Hat subscription:
    • sudo subscription-manager unregister
    • sudo subscription-manager clean
  2. As root or with sudo, run clean.sh, a script originally from Red Hat. Alternatively, run each command manually.

I got errors that "/usr/bin/service doesn't exist", "unable to read consumer identity", "not registered to an entitlement server" (fine, we already unregistered). These all seem to be normal.
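As an added verification step, not part of the gist or of the Red Hat script, the shell function below confirms that the artifacts clean.sh removes or truncates (host keys, udev NIC rules, rotated logs, root's shell and SSH history, the ifcfg UUID) are actually gone before the VM is converted. The function name and its optional ROOT argument (to audit a mounted image instead of the live system) are assumptions; the paths mirror the script above.

```shell
#!/bin/bash
# Added verification check: confirm that the artifacts clean.sh removes or truncates are really gone.
# Usage: check_template_clean [ROOT]
#   ROOT defaults to the live system; pass a mounted image path to audit a template offline.
# Exit status 0 = clean, 1 = one or more findings (each finding is printed on stdout).
check_template_clean() {
    root="${1:-}"
    findings=0

    # Files that must be absent: SSH host keys, udev NIC rules, rotated logs, root's histories
    for path in "$root"/etc/ssh/*key* \
                "$root"/etc/udev/rules.d/70* \
                "$root"/var/log/*.gz \
                "$root"/root/.bash_history \
                "$root"/root/.ssh/known_hosts; do
        if [ -e "$path" ]; then
            echo "NOT CLEAN: leftover file $path"
            findings=$((findings + 1))
        fi
    done

    # Logs that may exist but must have been truncated to zero bytes
    for path in "$root"/var/log/audit/audit.log "$root"/var/log/wtmp "$root"/var/log/lastlog; do
        if [ -s "$path" ]; then
            echo "NOT CLEAN: non-empty log $path"
            findings=$((findings + 1))
        fi
    done

    # The rewritten ifcfg file must not still carry a UUID, or every clone would share it
    ifcfg="$root"/etc/sysconfig/network-scripts/ifcfg-ens192
    if [ -f "$ifcfg" ] && grep -q '^UUID=' "$ifcfg"; then
        echo "NOT CLEAN: UUID still present in $ifcfg"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

Run it as root right after clean.sh; a non-zero exit means the template still carries per-instance state and should not be converted yet.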

4. Deploy Template and Expand Disk via LVM

Now that a template has been created, deploy through VMware.

The template is configured with multiple partitions (specified by CIS) on a single disk with LVM. Use the following procedure for deployments which require customization of the existing partitions.

LVM Terms:

  • Physical Volume (PV) - a physical or virtual block storage device
  • Logical Volume (LV) - a logical storage device backed by one or more physical volumes, allocated from a volume group (VG).

In the commands below, lvresize should always be used with the --resizefs flag. Without --resizefs the logical volume will be resized but the filesystem will not automatically expand to fill the space.

Once deployed, do the following:

  • In vCenter, select the running VM > Edit Settings > Add New Device > Hard Disk
  • Execute the following via SSH or the local console:
# Elevate privileges to root
sudo -i

# Check that the new disk is available
lsblk

# Check for existing physical volumes (PVs) - should only see one.
pvdisplay

# Show logical volumes - should be /home, /root, /var, /var/tmp, /swap
lvs

# Make new disk available to LVM (i.e. create a PV)
pvcreate /path/to/new/disk
# likely: pvcreate /dev/sdb

# Add the new PV to the existing volume group ("rhel" by default).
# lvresize can only allocate free extents that belong to the LV's volume group,
# so without this step the resize below fails for lack of free space.
vgextend rhel /path/to/new/disk
# likely: vgextend rhel /dev/sdb

# Confirm the new device is visible to LVM and the volume group now shows free space
lvmdiskscan -l
vgs

# Resize the logical volume AND filesystem at the same time:
lvresize --size +xG --resizefs /path/to/logical/volume

# Review the new size of logical volumes
lvs

# To see the newly available space
df -H

Resizing Examples:

# To increase /home by 10GiB:
lvresize --size +10G --resizefs /dev/rhel/home

# To increase /root by 25GiB:
lvresize --size +25G --resizefs /dev/rhel/root

# To increase /var by 75% of available free space
lvresize --extents +75%FREE --resizefs /dev/rhel/var

Deployment complete.

Appendix

Ansible

ansible-playbook explained

Full details available with: man ansible-playbook

ansible-playbook --ask-pass --ask-become-pass \
  --ssh-common-args='-o StrictHostKeyChecking=accept-new' \
  --inventory hosts site.yml --limit IP_ADDR --tags level1-server \
  --user ADMIN_USER

Where:

Long Form          Short Form  Description
--ask-pass         -k          prompt for the connection (SSH) password
--ask-become-pass  -K          prompt for the sudo password
--ssh-common-args  (none)      extra options passed to ssh; here, accept a new host key instead of erroring on it
--inventory        -i          path to the inventory (hosts) file
--limit            -l          limit the run to the specified server(s) if there are multiple in the inventory file
--tags             -t          run only tasks with a specific tag; used by the CIS config scripts to set the hardening level
--user             -u          user account on the target server
--verbose          -v          enable verbose logging; more v = more verbose, e.g. -vvvv