#version=DEVEL
# Kickstart for a CentOS/RHEL 7 "pxe" host (text install from CD, DHCP,
# LVM layout, RHEL 6 STIG-style lockdowns applied in %post).
# SECURITY NOTE: this file was published in a public gist, so the root,
# admin_local and GRUB password hashes below must be treated as compromised
# (they can be cracked offline at leisure). Regenerate all three before use:
# a fresh SHA-512 crypt hash for rootpw/user, grub2-mkpasswd-pbkdf2 for the
# bootloader entry.
# System authorization information
auth --enableshadow --passalgo=sha512
# Use network installation
# If this is re-enabled, the repo is fetched over plain HTTP; make sure
# package signatures are still verified (or serve it over HTTPS).
# url --url="http://nas1.racinrandall.com/repo/centos/7/os/x86_64/"
# Use CD for Install
cdrom
# Text-mode install (the trailing "#graphical" is a comment, not an option;
# swap the command for `graphical` if the GUI installer is wanted)
text #graphical
# Run the Setup Agent on first boot
firstboot --disable
# Only sda is touched; together with `clearpart --all --initlabel` below this
# wipes sda unconditionally.
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# Network information
network --bootproto=dhcp --activate
network --hostname=pxe.racinrandall.com
# Root password (pre-hashed; see the note at the top -- regenerate it)
rootpw --iscrypted $6$cNl2wLm1IXmotTnK$ww1.YGxFEZQPvWmAmeWVNMWrqoWpcXyIaaXjmhUl1ZaulEmZM/66uLiuR/663uVM7UupB.nKxNt4ZBS.Luv5F.
# System services
# ntpd is enabled here (the ntp package is in %packages); RHEL 7's default
# time daemon is chronyd from @core -- confirm only one of the two ends up
# enabled after install.
services --enabled=ntpd
# System timezone
timezone America/Chicago --isUtc
# Local break-glass admin: member of wheel (sudo with password), fixed
# uid/gid 3333 so the id is stable across hosts; home lives under /local_home,
# which gets its own LV and SELinux labels in %post. Pre-hashed -- regenerate.
user --groups=wheel --homedir=/local_home/admin_local --name=admin_local --password=$6$freQpQPnR/YGSZ8h$.IX2iqdpsa2QdrS7LTH.ae6dYkyi95LTZUD/J85V/HSygwrgd2bkwAzc/ZM8hDD/W4WlCYhUTPDzvXpqs064Q1 --iscrypted --uid=3333 --gecos="Local Administrator" --gid=3333
# X Window System configuration information
# NOTE: %post later runs `systemctl set-default multi-user.target`, which
# overrides --startxonboot; the box boots to a text console.
xconfig --startxonboot
# System bootloader configuration
# GRUB password protects editing/booting entries from the console (pre-hashed,
# regenerate). crashkernel=auto reserves memory for kdump, but kdump is
# disabled in the %addon section below.
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda --iscrypted --password=grub.pbkdf2.sha512.10000.0D9076FAEA29B8039ABEEF6FDBEA312FE2F1D2E1BC25CC47BAEE8479348BA6FD55D283C9167BA7E804573035A2CEEE4B9847B6AC690E8A0B2972B75651EDB026.42F2D24D2C26334140FE8B50C6FB38C3CB6A431789B327F0A449CD764354EC6848715FE7E22BF31E65496D6319E82FEB995BA17717C9329335A4076901B18FDE
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
# Separate LVs for /var, /var/log, /var/log/audit and /tmp so log or temp
# growth cannot fill /; /tmp is remounted noexec by the %post fstab rewrite.
# There is no separate /home or /var/tmp; user homes live on /local_home
# (and, per use_nfs_home_dirs in %post, NFS).
part /boot --fstype="xfs" --ondisk=sda --size=500
part pv.144 --fstype="lvmpv" --ondisk=sda --size=50699
volgroup vg_rhel7 --pesize=4096 pv.144
logvol /export/home/oracle --fstype="xfs" --size=5120 --name=lv_export_home_oracle --vgname=vg_rhel7
logvol / --fstype="xfs" --size=10760 --name=lv_root --vgname=vg_rhel7
logvol /var/log --fstype="xfs" --size=2048 --name=lv_var_log --vgname=vg_rhel7
logvol /local_home --fstype="xfs" --size=2048 --name=lv_local_home --vgname=vg_rhel7
logvol /tmp --fstype="xfs" --size=5120 --name=lv_tmp --vgname=vg_rhel7
logvol /var --fstype="xfs" --size=15360 --name=lv_var --vgname=vg_rhel7
logvol swap --fstype="swap" --size=8192 --name=lv_swap --vgname=vg_rhel7
logvol /var/log/audit --fstype="xfs" --size=2048 --name=lv_var_log_audit --vgname=vg_rhel7
# Accept the EULA
eula --agreed
# Unattended: reboot (and eject the media) when the install finishes.
reboot --eject
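%packages
@base
@core
# X and fonts are installed although %post sets the default target to
# multi-user; presumably for X forwarding over ssh (X11Forwarding yes).
@fonts
@x11
kexec-tools
sssd
autofs
# aide is installed but nothing in this kickstart initialises its database
# (`aide --init`); the baseline must be created after %post, on first boot,
# so it captures the hardened state.
aide
ntp
screen
ksh
zsh
net-snmp
# Packages required for RAC
# The original listed "compat-libcapl" (letter l); the package is
# compat-libcap1 (digit 1). An unknown package name makes anaconda stop and
# prompt, which breaks an unattended install.
compat-libcap1
gcc
gcc-c++
libaio-devel
# NOTE: %post calls semanage, which lives in policycoreutils-python; it is not
# listed here -- confirm @base pulls it in, or add it explicitly.
-rhn*
-abrt*
-Red_Hat_Enterprise_Linux-Release_Notes_7*
-qemu-kvm
-anaconda-user-help
# libvirt is excluded, so the `virsh` calls in %post have nothing to act on.
-libvirt*
-virt-what
-libgovirt
-redhat-support*
-redhat-indexhtml
%end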
# kdump is disabled, yet the bootloader line still passes crashkernel=auto
# (memory reserved for a crash kernel that never runs) and kexec-tools is in
# %packages. Either enable kdump here or drop crashkernel=auto.
%addon com_redhat_kdump --disable
%end
# Installer password-quality policy. These rules only apply to passwords typed
# into the installer UI; rootpw and the user above are supplied pre-hashed
# with --iscrypted, so they are never evaluated here. minlen=6 with
# --notstrict (weak passwords allowed after a warning) is far below the
# password controls the RHEL 6 STIG IDs in %post aim for -- tighten if the
# interactive installer is ever used.
%anaconda
pwpolicy root --minlen=6 --minquality=50 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=50 --notstrict --nochanges --notempty
pwpolicy luks --minlen=6 --minquality=50 --notstrict --nochanges --notempty
%end
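%post --log=/root/ks-post.log
# %post runs chrooted into the installed system under /bin/sh (bash on
# RHEL 7). --log keeps the output of everything below in the installed
# system's /root; the original had no log at all. Deliberately no `set -e`:
# most steps are best-effort hardening and a missing file must not abort the
# rest of the script (the sshd_config rewrite at the end in particular).

# Log file for the semanage/restorecon output. BUILD_LOG was referenced but
# never assigned in the original, so `tee -a` had no file and the output was
# lost. Honour a value from the environment, else default under /root.
BUILD_LOG=${BUILD_LOG:-/root/ks-post-build.log}

# --- libvirt default network -------------------------------------------------
# libvirt is excluded from %packages (-libvirt*) and no libvirtd runs inside
# the installer chroot anyway, so unconditional virsh calls can only print
# errors. Guard them; on a host that does have libvirt, also remove the
# autostart link so the network stays down after the first boot.
if command -v virsh >/dev/null 2>&1; then
  virsh net-destroy default 2>/dev/null
  virsh net-undefine default 2>/dev/null
  rm -f /etc/libvirt/qemu/networks/autostart/default.xml
fi

# --- SELinux contexts for /local_home ---------------------------------------
# /local_home is a custom home root (see `user --homedir` and lv_local_home).
# semanage comes from policycoreutils-python, which %packages does not name
# explicitly -- confirm it is installed, otherwise these are "command not
# found" and the labels are never set.
semanage fcontext -a -t home_root_t '/local_home'
semanage fcontext -a -t user_home_dir_t '/local_home/admin_local'
semanage fcontext -a -t user_home_t '/local_home/admin_local(/.*)?'
restorecon -RFvv /local_home 2>&1 | tee -a "${BUILD_LOG}"
# Home directories may be NFS-mounted (autofs/sssd are installed); allow it.
setsebool -P use_nfs_home_dirs 1 2>&1 | tee -a "${BUILD_LOG}"

# --- Kernel cmdline: classic ethN interface names ---------------------------
# The parameter that turns off Dell's biosdevname helper is `biosdevname=0`
# (singular). The original wrote `biosdevnames=0`, which nothing reads, so on
# hardware with biosdevname installed the NIC would still come up as em1/p1p1
# and the ifcfg rename below would not match the running interface.
# Idempotent: only appended when not already present.
if ! grep -q 'net.ifnames=0' /etc/default/grub; then
  sed -i 's/rhgb quiet/rhgb quiet net.ifnames=0 biosdevname=0/' /etc/default/grub
fi
grub2-mkconfig -o /boot/grub2/grub.cfg

# --- Rename the installer's ifcfg file to eth0 ------------------------------
# The original parsed `ls -l` to find the file; with more than one NIC that
# hands several paths to a single `mv` and breaks. Glob instead, skip the
# loopback and any *.old backups, and rename only the first match.
net_scripts=/etc/sysconfig/network-scripts
new_ifcfg=${net_scripts}/ifcfg-eth0
old_ifcfg=""
for cfg in "${net_scripts}"/ifcfg-*; do
  case "${cfg##*/}" in
    ifcfg-lo|*.old) continue ;;
  esac
  [[ -f "${cfg}" ]] || continue
  if [[ -z "${old_ifcfg}" ]]; then
    old_ifcfg=${cfg}
  else
    printf 'NOTE: extra interface config left untouched: %s\n' "${cfg}" | tee -a "${BUILD_LOG}"
  fi
done
if [[ -n "${old_ifcfg}" ]]; then
  if [[ "${old_ifcfg}" != "${new_ifcfg}" ]]; then
    mv -- "${old_ifcfg}" "${new_ifcfg}"
  fi
  # Point NAME= and DEVICE= at eth0 (anchored; the original globally replaced
  # the old interface name wherever it appeared in the file).
  sed -i -e 's/^NAME=.*/NAME=eth0/' -e 's/^DEVICE=.*/DEVICE=eth0/' "${new_ifcfg}"
  # Drop the IPv6 knobs anaconda adds and the UUID, which belonged to the
  # connection profile that was just renamed.
  sed -i -e '/^IPV6_AUTOCONF=/d' -e '/^IPV6_DEFROUTE=/d' -e '/^IPV6_PEERDNS=/d' \
         -e '/^IPV6_PEERROUTES=/d' -e '/^IPV6_FAILURE_FATAL=/d' -e '/^UUID=/d' \
         "${new_ifcfg}"
else
  printf 'WARNING: no ifcfg-* file found to rename to eth0\n' | tee -a "${BUILD_LOG}"
fi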
# Reboot
# init 6
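# --- STIG lockdowns ----------------------------------------------------------
# NOTE(review): the IDs below are RHEL 6 STIG IDs applied to a RHEL/CentOS 7
# (systemd) install. Where a RHEL 6 fix is known to be inert on 7 it is
# marked; re-validate the whole set against the RHEL 7 STIG.

# rngd: no STIG ID is cited for this one and it is not a hardening step.
# `-r /dev/urandom -o /dev/random` feeds the kernel's own urandom output back
# into /dev/random: it stops /dev/random from blocking but adds no entropy.
# Keep it only if the host is genuinely entropy-starved, and prefer a real
# source (the hardware RNG rngd picks up by default, or virtio-rng on guests).
# The override lives in a drop-in so an rng-tools update does not revert it
# (the original edited the vendor unit under /usr/lib in place). No
# daemon-reload/restart: systemctl cannot reach a running systemd inside the
# installer chroot, and the install ends with a reboot anyway.
mkdir -p /etc/systemd/system/rngd.service.d
cat > /etc/systemd/system/rngd.service.d/urandom.conf <<'EOF'
[Service]
ExecStart=
ExecStart=/sbin/rngd -f -r /dev/urandom -o /dev/random
EOF

# RHEL-06-000027: no root logins from virtual consoles.
sed -i '/vc\/[0-9]/d' /etc/securetty

# RHEL-06-000069 / RHEL-06-000070: SINGLE= and PROMPT= in /etc/sysconfig/init
# are read by RHEL 6's rc.sysinit; systemd on RHEL 7 does not consult them,
# so these two settings are believed to be inert here (rescue.service and
# emergency.service on 7 already run sulogin). Kept for parity; replace an
# existing line rather than stacking duplicates.
if grep -q '^SINGLE=' /etc/sysconfig/init; then
  sed -i 's|^SINGLE=.*|SINGLE=/sbin/sulogin|' /etc/sysconfig/init
else
  printf '# STIG ID RHEL-06-000069\nSINGLE=/sbin/sulogin\n' >> /etc/sysconfig/init
fi
if grep -q '^PROMPT=' /etc/sysconfig/init; then
  sed -i 's/^PROMPT=.*/PROMPT=no/' /etc/sysconfig/init
else
  printf '# STIG ID RHEL-06-000070\nPROMPT=no\n' >> /etc/sysconfig/init
fi

# RHEL-06-000272: require SMB client signing. samba is not in %packages, so
# guard on the file; an unguarded `sed -i` on a missing file only prints an
# error and hides whether the control was applied.
if [[ -f /etc/samba/smb.conf ]]; then
  sed -i '/^\[global\]/a client signing = mandatory' /etc/samba/smb.conf
fi

# RHEL-06-000308 / RHEL-06-000319: no core dumps, at most 10 concurrent
# logins per user. The "# End of file" marker is removed as in the original;
# the entries are only appended once.
sed -i '/End of file/d' /etc/security/limits.conf
grep -q '^\*[[:space:]]*hard[[:space:]]*core' /etc/security/limits.conf \
  || printf '*\t\thard\tcore\t\t0\n' >> /etc/security/limits.conf
grep -q '^\*[[:space:]]*hard[[:space:]]*maxlogins' /etc/security/limits.conf \
  || printf '*\t\thard\tmaxlogins\t10\n' >> /etc/security/limits.conf

# RHEL-06-000334: disable accounts 35 days after the password expires.
sed -i 's/^INACTIVE=-1/INACTIVE=35/' /etc/default/useradd

# RHEL-06-000340: strip the shipped SNMP v1/v2c community mapping and groups
# from net-snmp's default config so the "public" community is not reachable.
# No `service snmpd restart`: it cannot work in the installer chroot, and the
# daemon (if ever enabled) reads the file at boot.
if [[ -f /etc/snmp/snmpd.conf ]]; then
  sed -i -e '/^com2sec /d' -e '/^group .* v1 /d' -e '/^group .* v2c /d' /etc/snmp/snmpd.conf
fi

# RHEL-06-000509: forward audit events to syslog. Note that this duplicates
# every audit record into /var/log/messages, and /var/log is a 2 GiB LV.
sed -i 's/^active = no/active = yes/' /etc/audisp/plugins.d/syslog.conf

# RHEL-06-000135 (partial): boot.log is recreated at boot, so the permission
# fix is also queued in rc.local; rc-local.service only runs when
# /etc/rc.d/rc.local is executable, hence the chmod u+x. The file usually
# does not exist yet inside the installer chroot, so the direct fix is guarded.
grep -qF 'chmod 0600 /var/log/boot.log' /etc/rc.d/rc.local \
  || echo "chmod 0600 /var/log/boot.log" >> /etc/rc.d/rc.local
chmod u+x /etc/rc.d/rc.local
if [[ -e /var/log/boot.log ]]; then
  chown root:root /var/log/boot.log
  chmod 0600 /var/log/boot.log
fi

# RHEL-06-000290: boot to a text console (overrides `xconfig --startxonboot`).
systemctl set-default multi-user.target
# RHEL-06-000286: Ctrl-Alt-Del must not reboot the host.
systemctl mask ctrl-alt-del.target
# RHEL-06-000278: restore packaged permissions on the audit tool files
# (ownership would additionally need `rpm --setugids audit`).
rpm --setperms audit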
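################################################################################
# Fstab cleanup: back up, set the dump/pass fields, mount /tmp noexec, and
# re-emit /etc/fstab as a column-aligned table with a header.
#
# BUG FIXED: the six LVM `sed` edits in the original used `\` as the s///
# delimiter (`s\/dev\/mapper\/...`). GNU sed does not accept a backslash as
# the delimiter and rejects each expression, so none of those edits ever
# applied: the volumes kept anaconda's "0 0" fields and /tmp was never
# mounted noexec. They are rewritten below with `|` as the delimiter.
################################################################################
CUR_DATE=$(date +"%Y%m%d")
CUR_TIME=$(date +"%H%M%S")
CUR_DATE_TIME=$(date +"%Y%m%d_%H%M%S")
CUR_HOST=$(uname -n)
FSTAB=/etc/fstab

# Back up the anaconda-written fstab next to itself: one dated copy per day,
# a timestamped one if today's copy already exists.
if [[ -f "${FSTAB}.${CUR_DATE}" ]]; then
  FSTAB_BAK="${FSTAB}.${CUR_DATE_TIME}"
else
  FSTAB_BAK="${FSTAB}.${CUR_DATE}"
fi
cp -- "${FSTAB}" "${FSTAB_BAK}"

# set_fstab_entry DEVICE MOUNTPOINT OPTIONS DUMP PASS
# Rewrites the whole fstab line whose first field is DEVICE. The arguments
# contain '/', hence '|' as the s/// delimiter; they are fixed strings from
# this script, not user input. Note fsck.xfs is a no-op, so the PASS field
# on these XFS volumes is cosmetic.
set_fstab_entry() {
  local dev=$1 mnt=$2 opts=$3 dump=$4 pass=$5
  sed -i "s|^${dev}[[:space:]].*|${dev} ${mnt} xfs ${opts} ${dump} ${pass}|" "${FSTAB}"
}

set_fstab_entry /dev/mapper/vg_rhel7-lv_root          /              defaults        1 1
set_fstab_entry /dev/mapper/vg_rhel7-lv_local_home    /local_home    defaults        1 2
# noexec on /tmp is the hardening this block is for. Caveat: the Oracle
# installer (this host gets the RAC prerequisites) expects an executable temp
# dir -- point TMP/TMPDIR elsewhere when running it. nosuid,nodev are the
# usual companions of noexec but were not in the original and are not added.
set_fstab_entry /dev/mapper/vg_rhel7-lv_tmp           /tmp           defaults,noexec 1 2
set_fstab_entry /dev/mapper/vg_rhel7-lv_var           /var           defaults        1 2
set_fstab_entry /dev/mapper/vg_rhel7-lv_var_log       /var/log       defaults        1 2
set_fstab_entry /dev/mapper/vg_rhel7-lv_var_log_audit /var/log/audit defaults        1 2
# /boot is referenced by UUID in anaconda's fstab, so only the fields after
# the device are rewritten and the UUID= first field is kept.
sed -i 's|/boot[[:space:]].*xfs[[:space:]].*defaults[[:space:]].*|/boot xfs defaults 1 2|' "${FSTAB}"

# Build the new file in temp files (mktemp instead of the original's fixed
# /tmp/fstab), then copy it over /etc/fstab in place so the file's mode and
# SELinux label are preserved. Only replace fstab when the new content has at
# least one real entry, so a failure here cannot leave an empty fstab behind.
TEMP_FSTAB=$(mktemp /tmp/fstab.XXXXXX)
NEW_FSTAB=$(mktemp /tmp/fstab.XXXXXX)
if [[ -n "${TEMP_FSTAB}" && -n "${NEW_FSTAB}" ]]; then
  {
    printf '#Device Mountpoint FStype Options FSdump FSCK\n'
    printf '####### ########## ###### ####### ###### ####\n'
    grep -Ev '^#|^$' "${FSTAB}"
  } > "${TEMP_FSTAB}"
  {
    printf '#\n'
    printf '# /etc/fstab\n'
    printf '#\n'
    printf '# Hostname:\t%s\n' "${CUR_HOST}"
    printf '# Generated on:\t%s at %s\n' "${CUR_DATE}" "${CUR_TIME}"
    printf '#\n'
    if command -v column >/dev/null 2>&1; then
      column -t "${TEMP_FSTAB}"
    else
      cat "${TEMP_FSTAB}"
    fi
  } > "${NEW_FSTAB}"
  if grep -qv '^#' "${NEW_FSTAB}"; then
    cat "${NEW_FSTAB}" > "${FSTAB}"
  else
    printf 'WARNING: generated fstab is empty; leaving %s untouched\n' "${FSTAB}" >&2
  fi
fi
rm -f -- "${TEMP_FSTAB}" "${NEW_FSTAB}"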
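# --- sshd_config -------------------------------------------------------------
# Replaces /etc/ssh/sshd_config wholesale with a STIG-oriented file after
# backing the original up under a root-only directory. CUR_DATE/CUR_TIME come
# from the fstab section above.
BACKUP_DIR=/root/sysconfig_backup
SSH_CONFIG=/etc/ssh/sshd_config

# Root-only directory for the pre-hardening copies.
if [[ ! -d "${BACKUP_DIR}" ]]; then
  mkdir -m 700 -- "${BACKUP_DIR}"
  chown root:root "${BACKUP_DIR}"
fi

# One dated backup per day; timestamped if today's already exists.
if [[ -f "${BACKUP_DIR}/etc.ssh.sshd_config.${CUR_DATE}" ]]; then
  cp -- "${SSH_CONFIG}" "${BACKUP_DIR}/etc.ssh.sshd_config.${CUR_DATE}.${CUR_TIME}"
else
  cp -- "${SSH_CONFIG}" "${BACKUP_DIR}/etc.ssh.sshd_config.${CUR_DATE}"
fi

# The whole file is written from one quoted here-doc (the original used ~80
# separate printf appends). Nothing in it is expanded.
cat > "${SSH_CONFIG}" <<'EOF'
################################################################################
#
# /etc/ssh/sshd_config
# chown root:root
# chmod 600
#
# This sshd_config file is designed to be compliant with all STIG settings for
# RHEL 6. These are based on:
#       Red Hat Enterprise Linux 6 Security Technical Implementation Guide
#       Version 1, Release 13, dated 18 Oct 2016
#
################################################################################

# RHEL-06-000227      V-38607
# The SSH daemon must be configured to use only the SSHv2 protocol
Protocol 2

# RHEL-06-000230      V-38608
# The SSH daemon must set a timeout interval on idle sessions
ClientAliveInterval 900

# RHEL-06-000231      V-38610
# The SSH daemon must set a timeout count on idle sessions
# NOTE: on the OpenSSH 7.x shipped with RHEL 7 a count of 0 disconnects at the
# first missed keepalive. OpenSSH 8.2 and later treat 0 as "never disconnect";
# use 1 if this file is ever reused on a newer sshd.
ClientAliveCountMax 0

# RHEL-06-000234      V-38611
# The SSH daemon must ignore .rhosts files
IgnoreRhosts yes

# RHEL-06-000236      V-38612
# The SSH daemon must not allow host-based authentication
HostbasedAuthentication no

# RHEL-06-000237      V-38613
# The system must not permit root logins using remote access programs such as ssh
PermitRootLogin no

# RHEL-06-000239      V-38614
# The SSH daemon must not allow authentication using an empty password
PermitEmptyPasswords no

# RHEL-06-000240      V-38615
# The SSH daemon must be configured with the Department of Defense (DoD) login banner
# NOTE: nothing in this kickstart writes the banner text into /etc/issue; the
# stock file must be replaced for this control to mean anything.
Banner /etc/issue

# RHEL-06-000241      V-38616
# The SSH daemon must not permit user environment settings
PermitUserEnvironment no

# RHEL-06-000243      V-38617
# The SSH daemon must be configured to use only FIPS 140-2 approved ciphers
# CTR modes only. The CBC modes and 3des-cbc that the RHEL 6 check also
# tolerates are dropped (CBC plaintext-recovery weaknesses, 64-bit block
# 3DES); a subset of the permitted list still satisfies V-38617.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

# RHEL-06-000507      V-38484
# The operating system, upon successful logon, must display to the user the date
# and time of the last logon or access via ssh
PrintLastLog yes

################################################################################
# End of STIG settings, beginning of custom settings
################################################################################

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# X11 forwarding lets a compromised server reach the connecting user's X
# display; set to no unless the graphical tooling on this host needs it.
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePrivilegeSeparation sandbox

################################################################################
# End of File
################################################################################
EOF

# The header above promises root:root 0600; the original never enforced it.
chown root:root "${SSH_CONFIG}"
chmod 0600 "${SSH_CONFIG}"
# Not validated with `sshd -t` here: host keys are generated by sshd-keygen at
# first boot, and sshd -t refuses to run without them.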
%end