#version=DEVEL
#
# CentOS/RHEL 7 kickstart for the PXE host (hostname set below). Order of
# sections: install source, locale/network, credentials, storage, package
# selection, installer password policy, then a %post shell section that
# applies STIG lockdowns, rewrites /etc/fstab and replaces /etc/ssh/sshd_config.
#
# Handling note: this file embeds three credential hashes (root, admin_local,
# GRUB). They are hashes, not plaintext, but a kickstart served over PXE/HTTP
# is readable by anything on the install network, so treat the file as
# sensitive and rotate those passwords if it is ever exposed.
#
# System authorization information: shadow passwords, SHA-512 crypt for new hashes
auth --enableshadow --passalgo=sha512
# Use network installation (disabled; the cdrom line below is the active source)
# url --url="http://nas1.racinrandall.com/repo/centos/7/os/x86_64/"
# Use CD for Install
cdrom
# Text-mode install ("graphical" kept in the trailing comment as the alternative)
text #graphical
# Run the Setup Agent on first boot
firstboot --disable
# Only sda is visible to clearpart/part below; any other disk is left untouched
ignoredisk --only-use=sda
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# Network information: DHCP on the first device; %post later renames its
# ifcfg file to eth0 and disables predictable interface names
network --bootproto=dhcp --activate
network --hostname=pxe.racinrandall.com
# Root password: pre-hashed SHA-512 crypt ($6$); --iscrypted stores it as-is
rootpw --iscrypted $6$cNl2wLm1IXmotTnK$ww1.YGxFEZQPvWmAmeWVNMWrqoWpcXyIaaXjmhUl1ZaulEmZM/66uLiuR/663uVM7UupB.nKxNt4ZBS.Luv5F.
# System services (ntpd; the ntp package is selected in %packages)
services --enabled=ntpd
# System timezone
timezone America/Chicago --isUtc
# Local administrator: wheel member, home under /local_home (its own logical
# volume below, relabelled for SELinux in %post), fixed uid/gid 3333,
# pre-hashed SHA-512 crypt password
user --groups=wheel --homedir=/local_home/admin_local --name=admin_local --password=$6$freQpQPnR/YGSZ8h$.IX2iqdpsa2QdrS7LTH.ae6dYkyi95LTZUD/J85V/HSygwrgd2bkwAzc/ZM8hDD/W4WlCYhUTPDzvXpqs064Q1 --iscrypted --uid=3333 --gecos="Local Administrator" --gid=3333
# X Window System configuration information. Note that %post runs
# `systemctl set-default multi-user.target`, so the graphical target set
# here does not survive the build.
xconfig --startxonboot
# System bootloader configuration: GRUB in the MBR of sda, crashkernel
# reserved for kdump, and the GRUB menu protected by a PBKDF2-SHA512 password
# hash so boot entries cannot be edited without it
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda --iscrypted --password=grub.pbkdf2.sha512.10000.0D9076FAEA29B8039ABEEF6FDBEA312FE2F1D2E1BC25CC47BAEE8479348BA6FD55D283C9167BA7E804573035A2CEEE4B9847B6AC690E8A0B2972B75651EDB026.42F2D24D2C26334140FE8B50C6FB38C3CB6A431789B327F0A449CD764354EC6848715FE7E22BF31E65496D6319E82FEB995BA17717C9329335A4076901B18FDE
# Partition clearing information: destroys every partition on sda
clearpart --all --initlabel
# Disk partitioning information: /boot plus a single LVM PV. /tmp, /var,
# /var/log, /var/log/audit and /local_home get their own logical volumes so
# that %post can mount /tmp noexec and audit logs cannot fill the root fs.
part /boot --fstype="xfs" --ondisk=sda --size=500
part pv.144 --fstype="lvmpv" --ondisk=sda --size=50699
volgroup vg_rhel7 --pesize=4096 pv.144
logvol /export/home/oracle --fstype="xfs" --size=5120 --name=lv_export_home_oracle --vgname=vg_rhel7
logvol / --fstype="xfs" --size=10760 --name=lv_root --vgname=vg_rhel7
logvol /var/log --fstype="xfs" --size=2048 --name=lv_var_log --vgname=vg_rhel7
logvol /local_home --fstype="xfs" --size=2048 --name=lv_local_home --vgname=vg_rhel7
logvol /tmp --fstype="xfs" --size=5120 --name=lv_tmp --vgname=vg_rhel7
logvol /var --fstype="xfs" --size=15360 --name=lv_var --vgname=vg_rhel7
logvol swap --fstype="swap" --size=8192 --name=lv_swap --vgname=vg_rhel7
logvol /var/log/audit --fstype="xfs" --size=2048 --name=lv_var_log_audit --vgname=vg_rhel7
# Accept the EULA
eula --agreed
# Reboot into the installed system and eject the install media
reboot --eject
%packages
@base
@core
@fonts
@x11
kexec-tools
sssd
autofs
aide
ntp
screen
ksh
zsh
net-snmp
# Packages required for RAC
# NOTE(review): the RAC prerequisite package on CentOS/RHEL 7 is named
# compat-libcap1 (ending in the digit one). The name below ends in a lowercase
# L; an unknown package name makes the installer complain or stop — verify.
compat-libcapl
gcc
gcc-c++
libaio-devel
# Excluded: RHN/abrt/virtualization/support tooling not wanted on this host
-rhn*
-abrt*
-Red_Hat_Enterprise_Linux-Release_Notes_7*
-qemu-kvm
-anaconda-user-help
-libvirt*
-virt-what
-libgovirt
-redhat-support*
-redhat-indexhtml
%end
# kdump is disabled even though crashkernel=auto and kexec-tools are present
%addon com_redhat_kdump --disable
%end
%anaconda
# Installer UI password policy. minlen 6 / quality 50 / --notstrict is weak,
# but it only governs passwords typed into the installer; the root and
# admin_local hashes above are supplied pre-hashed and are not checked by it.
pwpolicy root --minlen=6 --minquality=50 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=50 --notstrict --nochanges --notempty
pwpolicy luks --minlen=6 --minquality=50 --notstrict --nochanges --notempty
%end
# %post runs as root inside the installed system's chroot (default, no
# --nochroot) with /bin/sh, which is bash on CentOS/RHEL 7.
%post
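# ---------------------------------------------------------------------------
# %post body. Runs as root inside the freshly installed system (chroot) with
# /bin/sh (bash on CentOS/RHEL 7); nothing here runs again after reboot.
# There is deliberately no `set -e`: each step is best-effort so that one
# failure does not lose the whole build. Steps that matter log to BUILD_LOG.
# ---------------------------------------------------------------------------

# BUILD_LOG was referenced by the original script but never set, so `tee -a`
# had no file to append to. The default below is a constructed path; set
# BUILD_LOG before this section to override it.
: "${BUILD_LOG:=/root/ks-post.log}"

#######################################
# Write a diagnostic line to BUILD_LOG and stderr.
# Arguments: message words
#######################################
post_log() {
  printf '%s\n' "$*" | tee -a "${BUILD_LOG}" >&2
}

# Remove the libvirt default NAT network. %packages excludes libvirt*, so
# virsh is normally absent; skip instead of failing on a missing command.
if command -v virsh >/dev/null 2>&1; then
  virsh net-destroy default
  virsh net-undefine default
fi

# SELinux contexts for the non-standard home root /local_home (its own LV):
# label the directory as a home root and admin_local's home like a normal
# user home, then relabel. `semanage` lives in policycoreutils-python, which
# %packages does not list explicitly — presumably pulled in by @base; verify
# if the labels are missing on the built host.
semanage fcontext -a -t home_root_t '/local_home'
semanage fcontext -a -t user_home_dir_t '/local_home/admin_local'
semanage fcontext -a -t user_home_t '/local_home/admin_local(/.*)?'
restorecon -RFvv /local_home | tee -a "${BUILD_LOG}"
setsebool -P use_nfs_home_dirs 1 | tee -a "${BUILD_LOG}"

# Disable predictable interface names so the NIC comes up as eth0. The kernel
# parameter is `biosdevname=0`; the original wrote `biosdevnames=0`, which
# neither the kernel nor udev recognises, so only net.ifnames=0 took effect.
sed -i 's/rhgb quiet/rhgb quiet net.ifnames=0 biosdevname=0/' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg

# Rename the DHCP device's ifcfg file to ifcfg-eth0 to match the new naming.
# Candidates are collected with a glob rather than by parsing `ls -l`;
# ifcfg-lo and *.old copies are never the NIC config.
NET_SCRIPTS=/etc/sysconfig/network-scripts
NEW_NET="${NET_SCRIPTS}/ifcfg-eth0"
candidates=()
for cfg in "${NET_SCRIPTS}"/ifcfg-*; do
  case "${cfg}" in
    *.old|*/ifcfg-lo) continue ;;
  esac
  [[ -f "${cfg}" ]] && candidates+=("${cfg}")
done
if (( ${#candidates[@]} == 1 )); then
  OLD_NET=${candidates[0]}
  OLD_NET_NAME=${OLD_NET##*/ifcfg-}
  mv -- "${OLD_NET}" "${NEW_NET}"
  # Rewrite every reference to the old device name (NAME=, DEVICE=). The name
  # is interpolated into a sed pattern, so escape '.', its only regex-special
  # character in practice (VLAN-style names such as eth0.100).
  OLD_NET_RE=${OLD_NET_NAME//./\\.}
  sed -i "s/${OLD_NET_RE}/eth0/g" "${NEW_NET}"
  # Drop the device UUID and the IPv6 knobs anaconda wrote for the old device.
  sed -i -e '/IPV6_AUTOCONF/d' -e '/IPV6_DEFROUTE/d' -e '/IPV6_PEERDNS/d' \
    -e '/IPV6_PEERROUTES/d' -e '/IPV6_FAILURE_FATAL/d' -e '/UUID=/d' "${NEW_NET}"
else
  post_log "network-scripts: expected exactly one ifcfg file to rename, found ${#candidates[@]}; leaving it alone"
fi

# ---------------------------------------------------------------------------
# STIG lockdowns (RHEL 6 STIG IDs, applied to a RHEL 7 build)
# ---------------------------------------------------------------------------

# rngd: feed /dev/random from /dev/urandom. This is the author's workaround
# for a slow entropy pool; it bypasses the kernel's entropy accounting, so it
# should go once a real source (hardware RNG / virtio-rng) is available.
# A systemd drop-in replaces the original in-place edit of the unit under
# /usr/lib, which the next rng-tools update would have overwritten. The
# shipped unit's line is `ExecStart=/sbin/rngd -f` (what the original sed
# matched); the empty ExecStart= resets it before the replacement.
mkdir -p /etc/systemd/system/rngd.service.d
cat > /etc/systemd/system/rngd.service.d/override.conf <<'EOF'
[Service]
ExecStart=
ExecStart=/sbin/rngd -f -r /dev/urandom -o /dev/random
EOF
# No systemd is running inside the install chroot, so these are effectively
# no-ops here; the override takes effect on first boot.
systemctl daemon-reload
systemctl restart rngd.service

# RHEL-06-000027: no direct root login on virtual consoles (vc/N)
sed -i '/vc\/[0-9]/d' /etc/securetty

# RHEL-06-000069 / RHEL-06-000070: single-user mode requires the root
# password, no interactive boot prompt. /etc/sysconfig/init is a RHEL 6
# (upstart) file; on RHEL 7 nothing in the boot path reads these keys —
# presumably kept so scanners that still check the file are satisfied.
printf '# STIG ID RHEL-06-000069\nSINGLE=/sbin/sulogin\n' >> /etc/sysconfig/init
printf '# STIG ID RHEL-06-000070\nPROMPT=no\n' >> /etc/sysconfig/init

# RHEL-06-000272: mandatory SMB signing. samba is not in %packages, so only
# touch smb.conf when it exists instead of letting sed fail on a missing file.
if [[ -f /etc/samba/smb.conf ]]; then
  sed -i '/^\[global\]/a client signing = mandatory' /etc/samba/smb.conf
fi

# RHEL-06-000308: no core dumps. The "End of file" marker is removed so the
# appended lines are not left after it.
sed -i '/End of file/d' /etc/security/limits.conf
printf '*\t\thard\tcore\t\t0\n' >> /etc/security/limits.conf
# RHEL-06-000319: at most 10 concurrent logins per account
printf '*\t\thard\tmaxlogins\t10\n' >> /etc/security/limits.conf

# RHEL-06-000334: disable accounts 35 days after password expiry
sed -i 's/INACTIVE=-1/INACTIVE=35/' /etc/default/useradd

# RHEL-06-000340: strip the default community (com2sec) and the v1/v2c group
# mappings from snmpd.conf so only SNMPv3 access remains configured.
# `service snmpd restart` cannot reach a running daemon in the chroot; the
# config is picked up on first boot.
sed -i '/com2sec /d' /etc/snmp/snmpd.conf
sed -i '/^group.* v1 /d' /etc/snmp/snmpd.conf
sed -i '/^group.* v2c /d' /etc/snmp/snmpd.conf
service snmpd restart

# RHEL-06-000509: forward audit records to syslog via the audispd plugin
sed -i 's/^active = no/active = yes/' /etc/audisp/plugins.d/syslog.conf

# RHEL-06-000135 (part): boot.log root-only, re-applied at every boot via
# rc.local (rc.local must be executable on RHEL 7 for rc-local.service to run it)
echo "chmod 0600 /var/log/boot.log" >> /etc/rc.d/rc.local
chmod u+x /etc/rc.d/rc.local
chown root:root /var/log/boot.log
chmod 0600 /var/log/boot.log

# RHEL-06-000290: boot to multi-user (overrides `xconfig --startxonboot`)
systemctl set-default multi-user.target
# RHEL-06-000286: Ctrl-Alt-Del does nothing
systemctl mask ctrl-alt-del.target
# RHEL-06-000278: restore package-default permissions on audit files
rpm --setperms audit

################################################################################
# Fstab cleanup: pin dump/fsck fields, mount /tmp noexec, reformat in columns
################################################################################
# One `date` call so date and time cannot straddle a second boundary.
CUR_DATE_TIME=$(date +"%Y%m%d_%H%M%S")
CUR_DATE=${CUR_DATE_TIME%_*}
CUR_TIME=${CUR_DATE_TIME#*_}
# NOTE(review): inside the install chroot `uname -n` reports the installer
# kernel's hostname, which may not match the `network --hostname` value.
CUR_HOST=$(uname -n)
FSTAB=/etc/fstab
# Scratch copy used for column formatting; mktemp avoids a predictable name
# in /tmp. Falls back to the original fixed path if mktemp is unavailable.
TEMP_FSTAB=$(mktemp /tmp/fstab.XXXXXX) || TEMP_FSTAB=/tmp/fstab

# Back up the previous /etc/fstab: first backup of the day gets a date
# suffix, later ones a date_time suffix.
if [[ -f "${FSTAB}.${CUR_DATE}" ]]; then
  FSTAB_BAK="${FSTAB}.${CUR_DATE_TIME}"
else
  FSTAB_BAK="${FSTAB}.${CUR_DATE}"
fi
cp -- "${FSTAB}" "${FSTAB_BAK}"

#######################################
# Rewrite one LVM entry in ${FSTAB} with fixed mount point, xfs, options,
# dump and fsck-pass fields. The original used `\` as the sed delimiter,
# which GNU sed rejects, so none of these rewrites were applied.
# Globals:   FSTAB (read/written)
# Arguments: $1 device, $2 mount point, $3 options, $4 dump, $5 pass
#######################################
set_fstab_entry() {
  local dev=$1 mnt=$2 opts=$3 dump=$4 pass=$5
  sed -i "s|^${dev}[[:space:]].*|${dev} ${mnt} xfs ${opts} ${dump} ${pass}|" "${FSTAB}"
}
set_fstab_entry /dev/mapper/vg_rhel7-lv_root          /              defaults        1 1
set_fstab_entry /dev/mapper/vg_rhel7-lv_local_home    /local_home    defaults        1 2
# /tmp is noexec for hardening; nodev,nosuid would be the usual companions
# but are not added here to keep the author's mount options.
set_fstab_entry /dev/mapper/vg_rhel7-lv_tmp           /tmp           defaults,noexec 1 2
set_fstab_entry /dev/mapper/vg_rhel7-lv_var           /var           defaults        1 2
set_fstab_entry /dev/mapper/vg_rhel7-lv_var_log       /var/log       defaults        1 2
set_fstab_entry /dev/mapper/vg_rhel7-lv_var_log_audit /var/log/audit defaults        1 2
# /boot is referenced by UUID, so only the part after the mount point is rewritten.
sed -i 's|/boot[[:space:]].*xfs[[:space:]].*defaults[[:space:]].*|/boot xfs defaults 1 2|' "${FSTAB}"

# Build the column layout from the non-comment, non-blank entries, then
# regenerate the file with a header. The scratch copy is fully written
# before ${FSTAB} is truncated.
{
  printf '%s\n' '#Device Mountpoint FStype Options FSdump FSCK' \
                '####### ########## ###### ####### ###### ####'
  grep -Ev '^#|^$' "${FSTAB}"
} > "${TEMP_FSTAB}"
{
  printf '#\n# /etc/fstab\n#\n'
  printf '# Hostname:\t%s\n' "${CUR_HOST}"
  printf '# Generated on:\t%s at %s\n' "${CUR_DATE}" "${CUR_TIME}"
  printf '#\n'
  column -t "${TEMP_FSTAB}"
} > "${FSTAB}"
rm -f -- "${TEMP_FSTAB}"

################################################################################
# sshd_config replacement
################################################################################
BACKUP_DIR=/root/sysconfig_backup
SSH_CONFIG=/etc/ssh/sshd_config
# Root-only backup directory for the original config
if [[ ! -d "${BACKUP_DIR}" ]]; then
  mkdir -m 0700 -- "${BACKUP_DIR}"
  chown root:root "${BACKUP_DIR}"
fi
SSH_BAK="${BACKUP_DIR}/etc.ssh.sshd_config.${CUR_DATE}"
[[ -f "${SSH_BAK}" ]] && SSH_BAK="${SSH_BAK}.${CUR_TIME}"
cp -- "${SSH_CONFIG}" "${SSH_BAK}"

# Write the whole file in one go (same bytes the original produced with ~80
# printf calls). Review notes on the content, left unchanged on purpose:
#  - the Ciphers line is the RHEL 6 STIG list and still includes CBC modes
#    (3des-cbc, aes*-cbc); CTR-only (or the RHEL 7 STIG list) is stronger.
#  - ClientAliveCountMax 0 with ClientAliveInterval 900 is the STIG idiom for
#    a 15-minute idle disconnect on the OpenSSH shipped with RHEL 7; newer
#    OpenSSH releases interpret 0 differently, so re-check after upgrades.
#  - PasswordAuthentication yes and X11Forwarding yes are the author's
#    site choices; key-only auth would be the tighter default.
printf '%s\n' \
  '################################################################################' \
  '#' \
  "# ${SSH_CONFIG}" \
  '# chown root:root' \
  '# chmod 600' \
  '#' \
  '# This sshd_config file is designed to be compliant with all STIG settings for' \
  '# RHEL 6. These are based on:' \
  $'#\tRed Hat Enterprise Linux 6 Security Technical Implementation Guide' \
  $'#\tVersion 1, Release 13, dated 18 Oct 2016' \
  '#' \
  '################################################################################' \
  '' \
  $'# RHEL-06-000227\tV-38607' \
  '# The SSH daemon must be configured to use only the SSHv2 protocol' \
  'Protocol 2' \
  ' ' \
  $'# RHEL-06-000230\tV-38608' \
  '# The SSH daemon must set a timeout interval on idle sessions' \
  'ClientAliveInterval 900' \
  '' \
  $'# RHEL-06-000231\tV-38610' \
  '# The SSH daemon must set a timeout count on idle sessions' \
  'ClientAliveCountMax 0' \
  '' \
  $'# RHEL-06-000234\tV-38611' \
  '# The SSH daemon must ignore .rhosts files' \
  'IgnoreRhosts yes' \
  '' \
  $'# RHEL-06-000236\tV-38612' \
  '# The SSH daemon must not allow host-based authentication' \
  'HostbasedAuthentication no' \
  '' \
  $'# RHEL-06-000237\tV-38613' \
  '# The system must not permit root logins using remote access programs such as ssh' \
  'PermitRootLogin no' \
  '' \
  $'# RHEL-06-000239\tV-38614' \
  '# The SSH daemon must not allow authentication using an empty password' \
  'PermitEmptyPasswords no' \
  '' \
  $'# RHEL-06-000240\tV-38615' \
  '# The SSH daemon must be configured with the Department of Defense (DoD) login banner' \
  'Banner /etc/issue' \
  '' \
  $'# RHEL-06-000241\tV-38616' \
  '# The SSH daemon must not permit user environment settings' \
  'PermitUserEnvironment no' \
  '' \
  $'# RHEL-06-000243\tV-38617' \
  '# The SSH daemon must be configured to use only FIPS 140-2 approved ciphers' \
  'Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc' \
  '' \
  $'# RHEL-06-000507\tV-38484' \
  '# The operating system, upon successful logon, must display to the user the date' \
  '# and time of the last logon or access via ssh' \
  'PrintLastLog yes' \
  '' \
  '################################################################################' \
  '# End of STIG settings, beginning of custom settings' \
  '################################################################################' \
  '' \
  'HostKey /etc/ssh/ssh_host_rsa_key' \
  'HostKey /etc/ssh/ssh_host_ecdsa_key' \
  'HostKey /etc/ssh/ssh_host_ed25519_key' \
  'AuthorizedKeysFile .ssh/authorized_keys' \
  'PasswordAuthentication yes' \
  'ChallengeResponseAuthentication no' \
  'GSSAPIAuthentication yes' \
  'GSSAPICleanupCredentials yes' \
  'UsePAM yes' \
  'AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES' \
  'AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT' \
  'AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE' \
  'AcceptEnv XMODIFIERS' \
  'X11Forwarding yes' \
  'Subsystem sftp /usr/libexec/openssh/sftp-server' \
  'UsePrivilegeSeparation sandbox' \
  '' \
  '################################################################################' \
  '# End of File' \
  '################################################################################' \
  > "${SSH_CONFIG}"
# Enforce the ownership/mode the file header documents.
chown root:root "${SSH_CONFIG}"
chmod 0600 "${SSH_CONFIG}"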
%end