############################################################################### # Hardened CentOS 7 DVD CREATOR # # This script was written by Frank Caviggia # Last update was 13 May 2017 # # Author: Frank Caviggia (fcaviggia@gmail.com) # Copyright: Frank Caviggia, (c) 2018 # License: Apache License, Version 2.0 # Description: Hardened Installation of CentOS 7 ############################################################################### ABOUT ===== Modifies a CentOS 7.3+ (1611) (tested with CentOS-7-x86_64-DVD-1702-01.iso) x86_64 DVD with a kickstart that will install a system that is configured and hardened to meet government-level regulations. NOTE: ROOT ACCOUNT IS LOCKED WITH INSTALL USE 'admin' ACCOUNT WITH 'sudo' INSTEAD. The kickstart script involves the integration of the following projects into a single installer: - classification-banner.py (Python for displaying a graphical classification banner) https://github.com/RedHatGov/classification-banner - SCAP Security Guide (SSG) - Hardening Script for CentOS7 https://github.com/openscap/scap-security-guide CONTENT ======= createiso.sh - installation script to modify CentOS 7.2+ ISO image /config - Kickstarts, Python, and RPMs needed to modify image. EFI/BOOT/ grub.cfg - Menu Configuration for UEFI boot isolinux/ isolinux.cfg - Menu Configuration for Kickstart hardening/ hardened-centos.cfg Kickstart Configuration (Calls menu.py in %pre) menu.py Python Script that presents a graphical menu to modify the kickstart. Contains the "Profiles" for configuring the system partitioning and packages. classification-banner.py Graphical Classification Banner (for GNOME Desktops User/ Developer Workstation Profiles) supplemental.sh Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME, wheel group for root access, etc.) ovirt-engine-install.sh Script to install and configure Ovirt Manager. ovirt-kvm-preinstall.sh ovirt-kvm-postinstall.sh Scripts to install Ovirt-Attached KVM hypervisor. Script will loosen settings temporarily to allow registration of the system with Ovirt Manager by allowing root login and allowing exec in /tmp. Run rhevm-postinstall.sh after system is added into Ovirt Manager. Copied to /root after kickstart install iptables.sh (use with KVM and Ovirt hosts, uses iptables/ebtables) Configures iptables firewall during kickstart installation. Called in menu.py script. Firewall is configured to recommended ports for each product or profile. Copied to /root after kickstart install. FirewallD is default except for KVM systems. ipa-pam-configuration.sh Configures system for using IPA/IdM authentication by overwriting the pam.d configurations. Copied to /root after kickstart installation scap-security-guide-*.el7.noarch.rpm SCAP Security Guide for implimenting DISA STIG profile on CentOS and Firefox. usbguard-*.x86_64.rpm USB guard will control what USB devices are accessible by the system. HARDENING INFORMATION ===================== Here is some additional information added by the supplemental hardening script in addition to the SSG: 1. The kernel option for FIPS 140-2 mode is contained on the kickstart menu 2. Shell timeout (bash/csh) is 15 minutes of inactivity, vlock will lock CLI console (scripts are located under /etc/profile.d/autologout.{sh,csh}) 3. The 'wheel' group is required for privileged users (beyond root) to run `su -` or `sudo -i` commands, sudo timeout is 5 minutes 4. The 'sshusers' group is required for SSH/SFTP access, other users are limited to console access without this group 5. Additional software such as McAfee EPo/HBSS may be required meet site policy 6. Configure PTP or NTP for time synchronization (/etc/chrony.conf or /etc/ntp.conf) 7. Configure rsyslog to send logs to a centralized log monitoring. (/etc/rsyslog.conf) 8. Create users: NOTE: The root user is locked now - use 'admin' user account with sudo instead of root. Local Console Access Only (Unprivileged) # useradd -m -c "Local User" localuser Remote Access (Unprivileged) # useradd -m -c "Remote User" -G sshusers remoteuser System Administrator (SA) (Privileged User) # useradd -m -c "System Administrator" -G sshusers,wheel admin 9. Wireless is disabled in a number of ways with Network Manager including: a.) `nmcli radio all off` command in /etc/rc.local b.) Dconf configurations to disable the creation of wireless networks: /etc/dconf/db/gdm.d/99-gnome-hardening [org.gnome.nm-applet] disable-wifi-create=true /etc/dconf/db/gdm.d/locks/99-gnome-hardening /org/gnome/nm-applet/disable-wifi-create /usr/share/glib-2.0/schemas/99_custom_settings.gschema.override [org.gnome.nm-applet] disable-wifi-create=true Generally, wireless should not be used on a DoD/IC system. EXAMPLE ======= # # ./createiso.sh CentOS-7-x86_64-DVD-1601-01.iso Mounting CentOS DVD Image... mount: /dev/loop1 is write-protected, mounting read-only Done. Copying CentOS DVD Image... Done. Modifying CentOS DVD Image... Done. Remastering CentOS DVD Image... ... 0.23% done, estimate finish Wed Feb 10 07:34:24 2016 0.46% done, estimate finish Wed Feb 10 07:37:59 2016 0.70% done, estimate finish Wed Feb 10 07:36:47 2016 0.93% done, estimate finish Wed Feb 10 07:36:11 2016 1.16% done, estimate finish Wed Feb 10 07:35:50 2016 1.39% done, estimate finish Wed Feb 10 07:35:35 2016 1.62% done, estimate finish Wed Feb 10 07:35:25 2016 1.85% done, estimate finish Wed Feb 10 07:35:17 2016 2.09% done, estimate finish Wed Feb 10 07:35:11 2016 2.32% done, estimate finish Wed Feb 10 07:35:07 2016 2.55% done, estimate finish Wed Feb 10 07:35:03 2016 2.78% done, estimate finish Wed Feb 10 07:34:59 2016 3.01% done, estimate finish Wed Feb 10 07:34:57 2016 3.24% done, estimate finish Wed Feb 10 07:34:54 2016 3.48% done, estimate finish Wed Feb 10 07:34:52 2016 3.71% done, estimate finish Wed Feb 10 07:34:50 2016 3.94% done, estimate finish Wed Feb 10 07:34:49 2016 4.17% done, estimate finish Wed Feb 10 07:34:47 2016 4.40% done, estimate finish Wed Feb 10 07:34:46 2016 4.63% done, estimate finish Wed Feb 10 07:34:45 2016 4.87% done, estimate finish Wed Feb 10 07:34:44 2016 5.10% done, estimate finish Wed Feb 10 07:34:43 2016 5.33% done, estimate finish Wed Feb 10 07:34:42 2016 5.56% done, estimate finish Wed Feb 10 07:34:41 2016 ... 99.87% done, estimate finish Wed Feb 10 07:34:35 2016 Total translation table size: 2048 Total rockridge attributes bytes: 417876 Total directory bytes: 712704 Path table size(bytes): 158 Max brk space used 3af000 2157808 extents written (4214 MB) Done. Signing CentOS DVD Image... Inserting md5sum into iso image... md5 = e526291fc5ff0c83a7de64c183f27b78 Inserting fragment md5sums into iso image... fragmd5 = 631648db156318da3cf5aef0db4d65efa7a774fcceabc45e9ecd7476f22b frags = 20 Setting supported flag to 0 Done. DVD Created. [hardened-centos7-x86_64.iso]
stephenwb/hardened-centos7-kickstart
DVD embedded Kickstart for CentOS 7 utilizing SCAP Security Guide (SSG) as a hardening script.
PythonNOASSERTION