###############################################################################
# Hardened CentOS 7 DVD CREATOR
#
# This script was written by Frank Caviggia
# Last update was 08 JAN 2019
#
# Author: Frank Caviggia ([email protected])
# Copyright: Frank Caviggia, (c) 2018
# License: Apache License, Version 2.0
# Description: Hardened Installation of CentOS 7
###############################################################################
ABOUT
=====
Modifies a CentOS 7.3+ (1611) (tested with CentOS-7-x86_64-DVD-1810.iso)
x86_64 DVD with a kickstart that will install a system that is configured and hardened
to meet government-level regulations.
NOTE: ROOT ACCOUNT IS LOCKED WITH INSTALL USE 'admin' ACCOUNT WITH 'sudo' INSTEAD.
The kickstart script involves the integration of the following projects
into a single installer:
- classification-banner.py (Python for displaying a graphical classification banner)
https://github.com/RedHatGov/classification-banner
- SCAP Security Guide (SSG) - Hardening Script for CentOS7
https://github.com/openscap/scap-security-guide
CONTENT
=======
createiso.sh - build script that remasters a CentOS 7.3+ ISO image (see ABOUT)
/config - Kickstarts, Python, and RPMs needed to modify image.
EFI/BOOT/
grub.cfg - Menu Configuration for UEFI boot
isolinux/
isolinux.cfg - Menu Configuration for Kickstart
hardening/
hardened-centos.cfg
Kickstart Configuration (Calls menu.py in %pre)
menu.py
Python Script that presents a graphical menu to modify the
kickstart. Contains the "Profiles" for configuring the
system partitioning and packages.
classification-banner.py
Graphical Classification Banner (for GNOME Desktops User/
Developer Workstation Profiles)
supplemental.sh
Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME,
wheel group for root access, etc.)
ovirt-engine-install.sh
Script to install and configure oVirt Manager.
ovirt-kvm-preinstall.sh
ovirt-kvm-postinstall.sh
Scripts to install an oVirt-attached KVM hypervisor. The preinstall
script temporarily loosens two lockdowns so the host can register
with oVirt Manager: it permits root login and allows exec on /tmp.
Run ovirt-kvm-postinstall.sh after the host has been added to oVirt
Manager to re-apply them. Both scripts are copied to /root after the
kickstart install.
iptables.sh (use with KVM and Ovirt hosts, uses iptables/ebtables)
Configures iptables firewall during kickstart installation.
Called in menu.py script. Firewall is configured to recommended
ports for each product or profile. Copied to /root after kickstart
install. FirewallD is default except for KVM systems.
ipa-pam-configuration.sh
Configures system for using IPA/IdM authentication by
overwriting the pam.d configurations. Copied to /root
after kickstart installation
scap-security-guide-*.el7.noarch.rpm
SCAP Security Guide for implementing the DISA STIG profile on CentOS and Firefox.
usbguard-*.x86_64.rpm
USBGuard controls which USB devices the system will accept.
HARDENING INFORMATION
=====================
Additional lockdowns applied by the supplemental hardening script on top of
the SSG profile, plus post-install tasks that are left to the site:
1. FIPS 140-2 kernel mode is selectable from the kickstart menu (menu.py)
2. Shell timeout (bash/csh) is 15 minutes of inactivity, after which vlock locks
the console (scripts are located under /etc/profile.d/autologout.{sh,csh})
3. The 'wheel' group is required for privileged users (beyond root) to run
`su -` or `sudo -i` commands, sudo timeout is 5 minutes
4. The 'sshusers' group is required for SSH/SFTP access, other users are
limited to console access without this group
5. Additional software such as McAfee ePO/HBSS may be required to meet site
policy
6. Configure PTP or NTP for time synchronization (/etc/chrony.conf or /etc/ntp.conf)
7. Configure rsyslog to forward logs to a central log monitoring server (/etc/rsyslog.conf)
8. Create users:
NOTE: The root user is locked now - use 'admin' user account with sudo instead of root.
Local Console Access Only (Unprivileged)
# useradd -m -c "Local User" localuser
Remote Access (Unprivileged)
# useradd -m -c "Remote User" -G sshusers remoteuser
System Administrator (SA) (Privileged User)
# useradd -m -c "System Administrator" -G sshusers,wheel admin
9. Wireless is disabled in a number of ways with Network Manager including:
a.) `nmcli radio all off` command in /etc/rc.local
b.) Dconf configurations to disable the creation of wireless networks:
/etc/dconf/db/gdm.d/99-gnome-hardening
[org.gnome.nm-applet]
disable-wifi-create=true
/etc/dconf/db/gdm.d/locks/99-gnome-hardening
/org/gnome/nm-applet/disable-wifi-create
/usr/share/glib-2.0/schemas/99_custom_settings.gschema.override
[org.gnome.nm-applet]
disable-wifi-create=true
Generally, wireless should not be used on a DoD/IC system.
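A post-install audit for items 1 through 8 above, as an added example (it is not part of the kickstart project or its supplemental script). Each check reads the file it is handed, so the functions can be exercised against constructed fixtures; audit_system() points them at the live paths the README names and must run as root or via sudo. Assumed, not taken from the page: autologout.sh sets TMOUT in seconds, the sudo timeout is carried as "Defaults timestamp_timeout=5" in /etc/sudoers, and sshd_config restricts logins with an AllowGroups line naming sshusers.

```shell
#!/bin/bash
# Added example, not part of the kickstart project. Every check takes the file
# it should read as an argument; audit_system() supplies the live system paths.

# Item 1: the kernel exposes FIPS mode in /proc/sys/crypto/fips_enabled (1 = on).
fips_enabled() {
    local f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Item 2: autologout.sh is assumed to set TMOUT in seconds ("TMOUT=900" or
# "export TMOUT=900"); 15 minutes is 900. Prints the last value found.
tmout_seconds() {
    local f="$1" line val=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"    # strip leading whitespace
        line="${line#export }"
        case "$line" in
            TMOUT=*) val="${line#TMOUT=}"; val="${val%%[^0-9]*}" ;;
        esac
    done < "$f"
    printf '%s\n' "$val"
}

# Item 3: the 5-minute sudo timeout is assumed to be set in sudoers as
# "Defaults timestamp_timeout=5". Comment lines are ignored. Prints the value.
sudo_timeout_minutes() {
    local f="$1" line val=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"
        case "$line" in
            '#'*) ;;
            *timestamp_timeout=*) val="${line#*timestamp_timeout=}"; val="${val%%[^0-9]*}" ;;
        esac
    done < "$f"
    printf '%s\n' "$val"
}

# Item 4: sshd admits only members of sshusers if sshd_config carries an
# "AllowGroups" line naming it. Keywords are case-insensitive in sshd_config.
sshd_allows_group() {
    local f="$1" group="$2" line key rest g
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"
        case "$line" in ''|'#'*) continue ;; esac
        key="${line%%[[:space:]]*}"
        rest="${line#"$key"}"
        [ "$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')" = allowgroups ] || continue
        for g in $rest; do [ "$g" = "$group" ] && return 0; done
    done < "$f"
    return 1
}

# Item 8 (root is locked): in /etc/shadow a locked account's hash field starts
# with "!" or "*". Returns 0 locked, 1 usable, 2 user not present.
account_locked() {
    local f="$1" user="$2" line hash
    while IFS= read -r line || [ -n "$line" ]; do
        [ "${line%%:*}" = "$user" ] || continue
        hash="${line#*:}"; hash="${hash%%:*}"
        case "$hash" in '!'*|'*'*) return 0 ;; esac
        return 1
    done < "$f"
    return 2
}

# Items 3/4/8: group membership from /etc/group ("name:x:gid:member,member").
user_in_group() {
    local f="$1" user="$2" group="$3" line members
    while IFS= read -r line || [ -n "$line" ]; do
        [ "${line%%:*}" = "$group" ] || continue
        members="${line##*:}"
        case ",$members," in *",$user,"*) return 0 ;; esac
        return 1
    done < "$f"
    return 1
}

# Print one PASS/FAIL line per check; "$@" is the check command.
report() { local label="$1"; shift; if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi; }

audit_system() {
    report "FIPS 140-2 kernel mode"          fips_enabled
    report "shell TMOUT is 900 s"            test "$(tmout_seconds /etc/profile.d/autologout.sh)" = 900
    report "sudo timestamp_timeout is 5"     test "$(sudo_timeout_minutes /etc/sudoers)" = 5
    report "sshd AllowGroups names sshusers" sshd_allows_group /etc/ssh/sshd_config sshusers
    report "root account locked"             account_locked /etc/shadow root
    report "admin in wheel"                  user_in_group /etc/group admin wheel
    report "admin in sshusers"               user_in_group /etc/group admin sshusers
}
```

Source the file and run `audit_system` after the first boot; a FAIL on the sshd or sudoers line usually means the setting lives in a drop-in (sshd_config.d, sudoers.d) rather than the main file, so pass that path instead.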
EXAMPLE
=======
# # ./createiso.sh CentOS-7-x86_64-DVD-1601-01.iso
Mounting CentOS DVD Image...
mount: /dev/loop1 is write-protected, mounting read-only
Done.
Copying CentOS DVD Image... Done.
Modifying CentOS DVD Image... Done.
Remastering CentOS DVD Image...
...
0.23% done, estimate finish Wed Feb 10 07:34:24 2016
0.46% done, estimate finish Wed Feb 10 07:37:59 2016
0.70% done, estimate finish Wed Feb 10 07:36:47 2016
0.93% done, estimate finish Wed Feb 10 07:36:11 2016
1.16% done, estimate finish Wed Feb 10 07:35:50 2016
1.39% done, estimate finish Wed Feb 10 07:35:35 2016
1.62% done, estimate finish Wed Feb 10 07:35:25 2016
1.85% done, estimate finish Wed Feb 10 07:35:17 2016
2.09% done, estimate finish Wed Feb 10 07:35:11 2016
2.32% done, estimate finish Wed Feb 10 07:35:07 2016
2.55% done, estimate finish Wed Feb 10 07:35:03 2016
2.78% done, estimate finish Wed Feb 10 07:34:59 2016
3.01% done, estimate finish Wed Feb 10 07:34:57 2016
3.24% done, estimate finish Wed Feb 10 07:34:54 2016
3.48% done, estimate finish Wed Feb 10 07:34:52 2016
3.71% done, estimate finish Wed Feb 10 07:34:50 2016
3.94% done, estimate finish Wed Feb 10 07:34:49 2016
4.17% done, estimate finish Wed Feb 10 07:34:47 2016
4.40% done, estimate finish Wed Feb 10 07:34:46 2016
4.63% done, estimate finish Wed Feb 10 07:34:45 2016
4.87% done, estimate finish Wed Feb 10 07:34:44 2016
5.10% done, estimate finish Wed Feb 10 07:34:43 2016
5.33% done, estimate finish Wed Feb 10 07:34:42 2016
5.56% done, estimate finish Wed Feb 10 07:34:41 2016
...
99.87% done, estimate finish Wed Feb 10 07:34:35 2016
Total translation table size: 2048
Total rockridge attributes bytes: 417876
Total directory bytes: 712704
Path table size(bytes): 158
Max brk space used 3af000
2157808 extents written (4214 MB)
Done.
Signing CentOS DVD Image...
Inserting md5sum into iso image...
md5 = e526291fc5ff0c83a7de64c183f27b78
Inserting fragment md5sums into iso image...
fragmd5 = 631648db156318da3cf5aef0db4d65efa7a774fcceabc45e9ecd7476f22b
frags = 20
Setting supported flag to 0
Done.
DVD Created. [hardened-centos7-x86_64.iso]
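The "Signing CentOS DVD Image..." step above implants an md5 into the output ISO; that is the installer's media check (checkisomd5) against a corrupt burn, not a signature, and it says nothing about whether the input ISO was genuine. The following is an added example, not part of createiso.sh, of the checks a practitioner would wrap around the build: verify the upstream ISO against the published checksum list before remastering, and run the media check on the result. Assumed, not taken from the page: the list has sha256sum's "<hex>  <filename>" layout (CentOS mirrors publish it as sha256sum.txt with a clearsigned sha256sum.txt.asc), and gpg, sha256sum or shasum, and checkisomd5 (isomd5sum package) are installed, with the CentOS signing key already imported and its fingerprint checked out of band.

```shell
#!/bin/bash
# Added example, not part of createiso.sh: gate the remaster on a verified
# upstream ISO, then media-check the output. See the assumptions above.

# SHA-256 of a file, using coreutils sha256sum or BSD/perl shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Look a file name up in a sha256sum-style list; prints the hash, or fails.
# Blank and comment lines are skipped; a leading "*" (binary-mode marker) on
# the name is tolerated.
expected_sha256() {
    local list="$1" name="$2" line hash fname
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        hash="${line%% *}"
        fname="${line##* }"; fname="${fname#\*}"
        if [ "$fname" = "$name" ]; then
            printf '%s\n' "$hash"
            return 0
        fi
    done < "$list"
    return 1
}

# 0: hash matches; 1: mismatch (do not build from it); 2: ISO not in the list.
verify_iso() {
    local iso="$1" list="$2" want have
    want="$(expected_sha256 "$list" "$(basename "$iso")")" || return 2
    have="$(sha256_of "$iso")"
    [ "$want" = "$have" ]
}

# Full pipeline: signed list -> hash check -> remaster -> media check.
# $2 is the clearsigned list (sha256sum.txt.asc); the verified plaintext is
# written next to it without the .asc suffix.
build_hardened_iso() {
    local iso="$1" signed_list="$2" list="${2%.asc}"
    # Trust comes from the signature, so a bad or unknown signature stops here.
    gpg --verify "$signed_list" || return 1
    gpg --decrypt --output "$list" "$signed_list" >/dev/null 2>&1 || return 1
    verify_iso "$iso" "$list" || { echo "upstream ISO does not match $list" >&2; return 1; }
    ./createiso.sh "$iso" || return 1
    # The implanted md5 only detects a damaged copy of the output.
    checkisomd5 hardened-centos7-x86_64.iso
}
```

Usage: `build_hardened_iso CentOS-7-x86_64-DVD-1810.iso sha256sum.txt.asc` from the repository directory. A return of 2 from verify_iso means the file name is not in the list at all (a renamed download, or a list for a different release), which deserves the same stop as a mismatch.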