# SCAP Security Guide DoD STIG profile kickstart for Red Hat Enterprise Linux 6 Server # Version: 0.0.2 # Date: 2015-12-08 # # Based on: # http://fedoraproject.org/wiki/Anaconda/Kickstart # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-kickstart2-options.html # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg # # NOTE: This kickstart attempts to stay within the bounds of RHEL6's Common Criteria certification, # while applying DoD-specific controls (and ignoring those waived by DoD) # # Install a fresh new system (optional) install # Specify installation method to use for installation # To use a different one comment out the 'url' one below, update # the selected choice with proper options & un-comment it # # Install from an installation tree on a remote server via FTP or HTTP: # --url the URL to install from # #url --url=http://192.168.122.1/image # # Other possible / supported installation methods: # * install from the first CD-ROM/DVD drive on the system: # # cdrom # # * install from a directory of ISO images on a local drive: # # harddrive --partition=hdb2 --dir=/tmp/install-tree # # * install from provided NFS server: # # nfs --server= --dir= [--opts=] # # Set language to use during installation and the default language to use on the installed system (required) lang en_US.UTF-8 # Set system keyboard type / layout (required) keyboard us # Configure network information for target system and activate network devices in the installer environment (optional) # --onboot enable device at a boot time # --device device to be activated and / or configured with the network command # --bootproto method to obtain networking configuration for device (default dhcp) # --noipv6 disable IPv6 on this device network --onboot yes --device eth0 --bootproto dhcp --noipv6 # Set the system's root password (required) # Plaintext password is: server # Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create # encrypted password form for different plaintext password rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 # Configure firewall settings for the system (optional) # --enabled reject incoming connections that are not in response to outbound requests # --ssh allow sshd service through the firewall firewall --enabled --ssh # Set up the authentication options for the system (required) # --enableshadow enable shadowed passwords by default # --passalgo hash / crypt algorithm for new passwords # See the manual page for authconfig for a complete list of possible options. authconfig --enableshadow --passalgo=sha512 # State of SELinux on the installed system (optional) # Defaults to enforcing selinux --enforcing # Set the system time zone (required) timezone --utc America/New_York # Specify how the bootloader should be installed (required) # Plaintext password is: password # Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create # encrypted password form for different plaintext password bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 # Initialize (format) all disks (optional) zerombr # The following partition layout scheme assumes disk of size 20GB or larger # Modify size of partitions appropriately to reflect actual machine's hardware # # Remove Linux partitions from the system prior to creating new ones (optional) # --linux erase all Linux partitions # --initlabel initialize the disk label to the default based on the underlying architecture clearpart --linux --initlabel # Create primary system partitions (required for installs) part /boot --fstype=ext4 --size=512 part pv.01 --grow --size=1 # Create a Logical Volume Management (LVM) group (optional) volgroup vg_sys --pesize=4096 pv.01 # Create particular logical volumes (optional) logvol / --fstype=ext4 --name=lv_root --vgname=vg_sys --size=12288 --grow # CCE-26557-9: Ensure /home Located On Separate Partition logvol /home --fstype=ext4 --name=lv_home --vgname=vg_sys --size=1024 --fsoptions="nodev" # CCE-26435-8: Ensure /tmp Located On Separate Partition logvol /tmp --fstype=ext4 --name=lv_tmp --vgname=vg_sys --size=1024 --fsoptions="nodev,noexec,nosuid" # CCE-26639-5: Ensure /var Located On Separate Partition logvol /var --fstype=ext4 --name=lv_var --vgname=vg_sys --size=2048 --fsoptions="nodev" # CCE-26215-4: Ensure /var/log Located On Separate Partition logvol /var/log --fstype=ext4 --name=lv_var_log --vgname=vg_sys --size=1024 --fsoptions="nodev" # CCE-26436-6: Ensure /var/log/audit Located On Separate Partition logvol /var/log/audit --fstype=ext4 --name=lv_var_log_audit --vgname=vg_sys --size=512 --fsoptions="nodev" logvol swap --name=lv_swap --vgname=vg_sys --size=2016 # Packages selection (%packages section is required) # %packages ################################################ ## ## Package listing ## --------------- ## ## The following list specifies the packages installed onto a bare minimum ## system. To allow an administrator to install the absolute minimum ## set of packages, the list is partitioned into common sets which are marked ## to belong to one of the following categories. ## ## Categories and their meaning: ## ## Mandatory You MUST install the set of packages if the given condition ## applies. ## Default You MAY choose to not install the packages. However, these ## packages provide functionality specified in the Security ## Target that is outlined in the package set description. ## If you intend to enable the respective functionality, you ## MUST use these packages. Any other package from the ## distribution that would provide similar functionality MUST NOT ## be used as it is not ensured that those packages implement ## all required functional aspects. ## Note that you either MUST install all packages or none out of ## the given set. ## Optional You MAY choose to not install the packages. Packages can be ## selectively installed per package set (i.e. it is not ## required to fully install all packages for one package set ## or none at all). ## Prohibited These packages MUST NOT be installed. This is ensured by ## listing the packages with a minus sign prepended. Therefore ## you MUST NOT add comment signs to these sets. ## ################################################ ## Package set: base packages ## Condition: Mandatory in Base and MLS mode ## audit bridge-utils libnl policycoreutils python-rhsm python-simplejson PyXML prelink rdate rng-tools screen sudo virt-what ################################################ ## Package set: This package set provides the functionality to allow the ## system to send audit data to a central audit server ## Condition: Default in Base and MLS mode ## audispd-plugins ################################################ ## Package set: base packages providing MLS environment ## Condition: Mandatory in MLS mode, Optional in Base mode ## checkpolicy policycoreutils-newrole policycoreutils-python #selinux-policy-mls #xinetd ################################################ ## Package set: Disk encryption support utilities to use a dm-crypt partition ## Condition: Default in Base and MLS mode cryptsetup-luks ################################################ ## Package set: Labeled printing support ## Condition: Default in MLS mode, Optional in Base mode cups foomatic ghostscript ghostscript-fonts ################################################ ## Package set: CIPSO labeled networking support ## Condition: Default in MLS mode, Optional in Base mode (labeled networking ## functionality unusable in Base mode) netlabel_tools ################################################ ## Package set: IPSec-based labeled networking support ## Condition: Default in MLS mode, Optional in Base mode (labeled networking ## functionality unusable in Base mode) iproute iputils openswan ################################################ ## Package set: FIPS 140-2 mode support - this package MUST be installed ## if the TOE shall be operated in FIPS 140-2 compliant mode ## for all cryptographic modules - as FIPS 140-2 is no requirement ## for the Common Criteria evaluation, this package set is ## considered to be optional. ## Condition: Optional in Base and MLS mode dracut-fips ################################################ ## Package set: Prohibited packages in any configuration ## Condition: Prohibited in Base and MLS mode -sendmail -krb5-workstation -abrt-addon-kerneloops -abrt-addon-python -abrt-addon-ccpp -abrt-plugin-rhtsupport -abrt-plugin-logger -abrt-plugin-sosreport -abrt-cli -abrt -subscription-manager ################################################ ## Package set: Convenience functions to provide administrators with ## utilities that he may expect from other systems. ## Condition: Optional in Base and MLS mode ## aide lsof openssh-clients man-pages man-pages-overrides mlocate parted pciutils postfix quota rsync scrub smartmontools stunnel tcpdump traceroute vim-enhanced wget ################################################ ## Package set: Minimal development environment used to perform the ## testing of the system. ## Condition: Optional in Base and MLS mode ## audit-libs-devel autoconf automake bison cvs cyrus-sasl-devel.x86_64 elinks expect flex gcc gcc-c++ keyutils-libs keyutils-libs-devel kpartx libattr-devel libcap-devel libvirt-python libselinux-devel.x86_64 libsepol-devel.x86_64 make openscap openssl-devel.x86_64 pam-devel.x86_64 perl-devel perl-Digest-HMAC perl-Digest-SHA1 python-devel python-virtinst readline-devel rpm-build setools-console strace swig tcl texinfo tk zlib-devel ################################################ ## Package set: Base packages required for the x86_64 environment ## Condition: Mandatory in Base and MLS mode ## dmidecode glibc.i686 glibc-devel.i686 glibc-devel.x86_64 libgcc.i686 libgcc.x86_64 libattr.i686 cracklib.i686 audit-libs.i686 openssl.i686 openssl-devel.i686 libgcrypt.i686 ################################################ ## Package set: Convenience functions to provide administrators with ## utilities that he may expect from other systems. ## Condition: Optional in Base and MLS mode ## acpid cpuspeed irqbalance usbutils ################################################ ## Package set: Virtualization environment support packages to enable the ## KVM support ## Condition: Default ## #@virtualization #@virtualization-client #@virtualization-platform #@virtualization-tools #-virt-manager #-virt-viewer #ebtables ################################################ ## Package set: Development packages ## Condition: Optional ## libcap-devel.i686 libselinux-devel.i686 # Install selected additional packages (required by DoD STIG profile for Red Hat Enterprise Linux 6 Server) # CCE-27024-9: Install AIDE aide # Install openscap-utils so it's possible to perform remediation once the # installation is complete openscap-utils # Install the scap-security-guide package scap-security-guide %end # End of %packages section %post --log /root/oscap.log # Perform post installation system remediation according to the DoD STIG profile # for Red Hat Enterprise Linux 6 Server via the oscap tool # To create a system compliant against different RHEL-6 SCAP Security Guide profile specify selected # profile name after the --profile oscap tool option oscap xccdf eval --remediate --profile stig-rhel6-server-upstream \ --results /root/oscap_stig_remediation_result.xml \ --report /root/oscap_stig_remediation_report.html \ /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml %end # End of %post section # Reboot after the installation is complete (optional) # --eject attempt to eject CD or DVD media before rebooting reboot --eject