###############################################################################
# SCAP Security Guide RHEL 8 DVD CREATOR
#
# This script was written by Frank Caviggia, Red Hat Consulting
# Last update was 6 August 2017
# This script is NOT SUPPORTED by Red Hat Global Support Services.
#
# Author: Frank Caviggia (fcaviggia@gmail.com)
# Copyright: Red Hat, (c) 2015
# License: Apache License, Version 2.0
# Description: Kickstart Installation of RHEL 8 with SCAP Security Guide (SSG)
###############################################################################
ABOUT
=====
Modifies a RHEL 8.4+ x86_64 Workstation or Server DVD with a kickstart
that will install a system that is configured and hardened for
Red Hat Enterprise Linux 8.
NOTE: ROOT ACCOUNT IS LOCKED WITH INSTALL USE 'admin' ACCOUNT WITH 'sudo' INSTEAD.
The kickstart script involves the integration of the following projects
into a single installer:
- classification-banner.py (Python for displaying a graphical classification banner)
https://github.com/RedHatGov/classification-banner
- SCAP Security Guide (SSG) Content - Benchmark and hardening scripts for the
system after installation
https://github.com/OpenSCAP/scap-security-guide
CONTENT
=======
createiso.sh - installation script to modify RHEL 8.4+ ISO image
/config - Kickstarts, Python, and RPMs needed to modify image.
EFI/BOOT/
grub.cfg - Menu Configuration for UEFI boot
isolinux/
isolinux.cfg - Menu Configuration for Kickstart
hardening/
ssg-rhel.cfg
Kickstart Configuration (Calls menu.py in %pre)
menu.py
Python Script that presents a graphical menu to modify the
kickstart. Contains the "Profiles" for configuring the
system partitioning and packages.
classification-banner.py
Graphical Classification Banner (for GNOME Desktops User/
Developer Workstation Profiles)
openscap*.rpm
scap-security-guide-*.el8.noarch.rpm
Uses OpenSCAP and the SCAP Security Guide (SSG) to test and
remediate system.
ssg-suplemental.sh
Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME,
wheel group for root access, etc.)
rhevm-preinstall.sh
rhevm-postinstall.sh
Scripts to loosen settings temporarily to allow registration
of the system with RHEV-M by allowing root login and allowing
exec in /tmp. Run rhevm-postinstall.sh after system is added
into RHEV-M. Copied to /root after kickstart install
iptables.sh (use with KVM host - which prefers iptables/ebtables)
Configures iptables firewall during kickstart installation.
Called in menu.py script. Firewall is configured to recommended
ports for each product or profile. Copied to /root after kickstart
install. FirewallD is default except for KVM systems.
ipa-pam-configuration.sh
Configures system for using IPA/IdM authentication by
overwriting the pam.d configurations. Copied to /root
after kickstart installation
usbguard-*.x86_64.rpm
USB guard will control what USB devices are accessible by the system.
HARDENING INFORMATION
=====================
Here is some additional information added by the supplemental hardening script
in addition to the SSG:
1. The kernel option for FIPS 140-2 mode is contained on the kickstart menu
2. Shell timeout (bash/csh) is 15 minutes of inactivity, vlock will lock CLI
console
3. The 'wheel' group is required for privileged users (beyond root) to run
`su -` or `sudo -i` commands, sudo timeout is 5 minutes
4. The 'sshusers' group is required for SSH/SFTP access, other users are
limited to console access without this group
5. Additional Software such as McAfee EPo/HBSS may be required meet site
policy
6. Configure PTP or NTP for time synchronization (/etc/chrony.conf or /etc/ntp.conf)
7. Configure rsyslog to send logs to a centralized log monitoring. (/etc/rsyslog.conf)
8. Create users:
NOTE: The root user is locked now - use 'admin' user account with sudo instead of root.
Local Console Access Only (Unprivileged)
# useradd -m -c "Local User" localuser
Remote Access (Unprivileged)
# useradd -m -c "Remote User" -G sshusers remoteuser
System Administrator (SA) (Privileged User)
# useradd -m -c "System Administrator" -G sshusers,wheel admin
9. Wireless is disabled in a number of ways with Network Manager including:
a.) `nmcli radio all off` command in /etc/rc.local
b.) Dconf configurations to disable the creation of wireless networks:
/etc/dconf/db/gdm.d/99-gnome-hardening
[org.gnome.nm-applet]
disable-wifi-create=true
/etc/dconf/db/gdm.d/locks/99-gnome-hardening
/org/gnome/nm-applet/disable-wifi-create
/usr/share/glib-2.0/schemas/99_custom_settings.gschema.override
[org.gnome.nm-applet]
disable-wifi-create=true
Generally, wireless should not be used on a DoD/IC system.
EXAMPLE
=======
# ./createiso.sh rhel-8.4-x86_64-dvd.iso
Mounting RHEL DVD Image...
mount: /rhel: WARNING: device write-protected, mounted read-only.
Done.
Copying RHEL DVD Image... Done.
Modifying RHEL DVD Image... Done.
Remastering RHEL DVD Image...
I: -input-charset not specified, using utf-8 (detected in locale settings)
Using RPM_G000.;1 for /RPM-GPG-KEY-redhat-release (RPM-GPG-KEY-redhat-beta)
Using ZZIPL000.RPM;1 for ./AppStream/Packages/zziplib-utils-0.13.68-8.el8.x86_64.rpm (zziplib-0.13.68-8.el8.x86_64.rpm)
[OUTPUT TRUNCATED]
Total translation table size: 1999620
Total rockridge attributes bytes: 904193
Total directory bytes: 1343488
Path table size(bytes): 204
Max brk space used 7e9000
4995428 extents written (9756 MB)
Done.
Signing RHEL DVD Image...
Inserting md5sum into iso image...
md5 = d751d2627c174667ce81e69c34f89c74
Inserting fragment md5sums into iso image...
fragmd5 = 73e2e1dcdd1188893e1479d1ecc5b17c65b516613712f47414b31b12edc5
frags = 20
Setting supported flag to 0
Done.
DVD Created. [ssg-rhel-8.4.0.iso]
eldorplus/ssg-el8-kickstart
Modifies a RHEL 8.4+ x86_64 Workstation or Server DVD with a kickstart that will install a system that is configured and hardened for Red Hat Enterprise Linux 8.
PythonNOASSERTION