/hardened-centos7-kickstart

DVD embedded Kickstart for CentOS 7 utilizing SCAP Security Guide (SSG) as a hardening script.

Primary LanguagePythonOtherNOASSERTION

###############################################################################
# Hardened CentOS 7 DVD CREATOR
#
# This script was written by Frank Caviggia
# Last update was 13 May 2017
#
# Author: Frank Caviggia (fcaviggia@gmail.com)
# Copyright: Frank Caviggia, (c) 2018
# License: Apache License, Version 2.0
# Description: Hardened Installation of CentOS 7
###############################################################################


ABOUT
=====

Modifies a CentOS 7.3+ (1611) (tested with CentOS-7-x86_64-DVD-1702-01.iso) 
x86_64 DVD with a kickstart that will install a system  that is configured and hardened
to meet government-level regulations.

NOTE: ROOT ACCOUNT IS LOCKED WITH INSTALL USE 'admin' ACCOUNT WITH 'sudo' INSTEAD.

The kickstart script involves the integration of the following projects 
into a single installer:

   - classification-banner.py (Python for displaying a graphical classification banner)
   
        https://github.com/RedHatGov/classification-banner
        
   - SCAP Security Guide (SSG) - Hardening Script for CentOS7
   
        https://github.com/openscap/scap-security-guide



CONTENT
=======

createiso.sh - installation script to modify CentOS 7.2+ ISO image

/config - Kickstarts, Python, and RPMs needed to modify image.

	EFI/BOOT/
	
		grub.cfg - Menu Configuration for UEFI boot
	
	isolinux/

		isolinux.cfg - Menu Configuration for Kickstart

	hardening/

		hardened-centos.cfg
		
			Kickstart Configuration (Calls menu.py in %pre)
		
		menu.py
		
			Python Script that presents a graphical menu to modify the
			kickstart. Contains the "Profiles" for configuring the 
			system partitioning and packages.

		classification-banner.py
		
			Graphical Classification Banner (for GNOME Desktops User/
			Developer Workstation Profiles)

		supplemental.sh

			Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME,
			wheel group for root access, etc.)

		ovirt-engine-install.sh
		
			Script to install and configure Ovirt Manager.
		
		ovirt-kvm-preinstall.sh
		ovirt-kvm-postinstall.sh

			Scripts to install Ovirt-Attached KVM hypervisor. Script 
			will loosen settings temporarily to allow registration
			of the system with Ovirt Manager by allowing root login and 
			allowing exec in /tmp. Run rhevm-postinstall.sh after system 
			is added into Ovirt Manager. Copied to /root after kickstart
			install

		iptables.sh (use with KVM and Ovirt hosts, uses iptables/ebtables)

			Configures iptables firewall during kickstart installation. 
			Called in menu.py script. Firewall is configured to recommended
			ports for each product or profile. Copied to /root after kickstart
			install. FirewallD is default except for KVM systems.

		ipa-pam-configuration.sh

			Configures system for using IPA/IdM authentication by
			overwriting the pam.d configurations. Copied to /root
			after kickstart installation
			
		scap-security-guide-*.el7.noarch.rpm
		
			SCAP Security Guide for implimenting DISA STIG profile on CentOS and Firefox.
		
		usbguard-*.x86_64.rpm
		
			USB guard will control what USB devices are accessible by the system.

HARDENING INFORMATION
=====================

Here is some additional information added by the supplemental hardening script
in addition to the SSG:

1. The kernel option for FIPS 140-2 mode is contained on the kickstart menu

2. Shell timeout (bash/csh) is 15 minutes of inactivity, vlock will lock CLI
   console (scripts are located under /etc/profile.d/autologout.{sh,csh})

3. The 'wheel' group is required for privileged users (beyond root) to run 
   `su -` or `sudo -i` commands, sudo timeout is 5 minutes

4. The 'sshusers' group is required for SSH/SFTP access, other users are 
   limited to console access without this group
   
5. Additional software such as McAfee EPo/HBSS may be required meet site 
   policy

6. Configure PTP or NTP for time synchronization (/etc/chrony.conf or /etc/ntp.conf)

7. Configure rsyslog to send logs to a centralized log monitoring. (/etc/rsyslog.conf)

8. Create users:

	NOTE: The root user is locked now - use 'admin' user account with sudo instead of root.

        Local Console Access Only (Unprivileged)
          
               # useradd -m -c "Local User" localuser
               
        Remote Access (Unprivileged)
          
               # useradd -m -c "Remote User" -G sshusers remoteuser
               
        System Administrator (SA) (Privileged User)
               
               # useradd -m -c "System Administrator" -G sshusers,wheel admin
       	

9. Wireless  is disabled in a number of ways with Network Manager including:

	a.) `nmcli radio all off` command in /etc/rc.local
	b.) Dconf configurations to disable the creation of wireless networks:
	
		/etc/dconf/db/gdm.d/99-gnome-hardening
			[org.gnome.nm-applet]
			disable-wifi-create=true

		/etc/dconf/db/gdm.d/locks/99-gnome-hardening
			/org/gnome/nm-applet/disable-wifi-create
	
		/usr/share/glib-2.0/schemas/99_custom_settings.gschema.override
			[org.gnome.nm-applet]
			disable-wifi-create=true

   Generally, wireless should not be used on a DoD/IC system.

EXAMPLE
=======

# # ./createiso.sh CentOS-7-x86_64-DVD-1601-01.iso 
Mounting CentOS DVD Image...
mount: /dev/loop1 is write-protected, mounting read-only
Done.
Copying CentOS DVD Image... Done.
Modifying CentOS DVD Image... Done.
Remastering CentOS DVD Image...
...
  0.23% done, estimate finish Wed Feb 10 07:34:24 2016
  0.46% done, estimate finish Wed Feb 10 07:37:59 2016
  0.70% done, estimate finish Wed Feb 10 07:36:47 2016
  0.93% done, estimate finish Wed Feb 10 07:36:11 2016
  1.16% done, estimate finish Wed Feb 10 07:35:50 2016
  1.39% done, estimate finish Wed Feb 10 07:35:35 2016
  1.62% done, estimate finish Wed Feb 10 07:35:25 2016
  1.85% done, estimate finish Wed Feb 10 07:35:17 2016
  2.09% done, estimate finish Wed Feb 10 07:35:11 2016
  2.32% done, estimate finish Wed Feb 10 07:35:07 2016
  2.55% done, estimate finish Wed Feb 10 07:35:03 2016
  2.78% done, estimate finish Wed Feb 10 07:34:59 2016
  3.01% done, estimate finish Wed Feb 10 07:34:57 2016
  3.24% done, estimate finish Wed Feb 10 07:34:54 2016
  3.48% done, estimate finish Wed Feb 10 07:34:52 2016
  3.71% done, estimate finish Wed Feb 10 07:34:50 2016
  3.94% done, estimate finish Wed Feb 10 07:34:49 2016
  4.17% done, estimate finish Wed Feb 10 07:34:47 2016
  4.40% done, estimate finish Wed Feb 10 07:34:46 2016
  4.63% done, estimate finish Wed Feb 10 07:34:45 2016
  4.87% done, estimate finish Wed Feb 10 07:34:44 2016
  5.10% done, estimate finish Wed Feb 10 07:34:43 2016
  5.33% done, estimate finish Wed Feb 10 07:34:42 2016
  5.56% done, estimate finish Wed Feb 10 07:34:41 2016

...

 99.87% done, estimate finish Wed Feb 10 07:34:35 2016
Total translation table size: 2048
Total rockridge attributes bytes: 417876
Total directory bytes: 712704
Path table size(bytes): 158
Max brk space used 3af000
2157808 extents written (4214 MB)
Done.
Signing CentOS DVD Image...
Inserting md5sum into iso image...
md5 = e526291fc5ff0c83a7de64c183f27b78
Inserting fragment md5sums into iso image...
fragmd5 = 631648db156318da3cf5aef0db4d65efa7a774fcceabc45e9ecd7476f22b
frags = 20
Setting supported flag to 0
Done.
DVD Created. [hardened-centos7-x86_64.iso]