# SCAP Security Guide PCI-DSS profile kickstart for Red Hat Enterprise Linux 9
#
# Based on:
# https://pykickstart.readthedocs.io/en/latest/
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
# For more information see the following documentation:
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/scanning-the-system-for-configuration-compliance-and-vulnerabilities_security-hardening#deploying-baseline-compliant-rhel-systems-using-kickstart_deploying-systems-that-are-compliant-with-a-security-profile-immediately-after-an-installation
#
# NOTE(review): this file is a template. Both credentials below (root password
# and GRUB password) are published sample hashes whose plaintext is stated in
# the comments next to them; regenerate them for the target environment before
# the file is used for a real installation.

# Specify installation method to use for installation
# To use a different one comment out the 'url' one below, update
# the selected choice with proper options & un-comment it
#
# NOTE(review): no installation source is active in this file as written (every
# example below is commented out); un-comment exactly one of them.
#
# Install from an installation tree on a remote server via FTP or HTTP:
# --url		the URL to install from
#
# Example:
#
# url --url=http://192.168.122.1/image
#
# Modify concrete URL in the above example appropriately to reflect the actual
# environment machine is to be installed in
#
# Other possible / supported installation methods:
# * install from the first CD-ROM/DVD drive on the system:
#
# cdrom
#
# * install from a directory of ISO images on a local drive:
#
# harddrive --partition=hdb2 --dir=/tmp/install-tree
#
# * install from provided NFS server:
#
# nfs --server=<NFS_SERVER> --dir=<EXPORTED_DIR> [--opts=<MOUNT_OPTS>]
#

# Set language to use during installation and the default language to use on the installed system (required)
lang en_US.UTF-8

# Set system keyboard type / layout (required)
keyboard --vckeymap us

# Configure network information for target system and activate network devices in the installer environment (optional)
# --onboot	enable device at a boot time
# --device	device to be activated and / or configured with the network command
# --bootproto	method to obtain networking configuration for device (default dhcp)
# --noipv6	disable IPv6 on this device
network --onboot yes --bootproto dhcp --noipv6

# Set the system's root password (required)
# Plaintext password is: server
# Refer to e.g.
# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
# to see how to create encrypted password form for different plaintext password
# --iscrypted	the value is a password hash (here a $6$ / SHA-512 crypt string), not plaintext
# NOTE(review): sample hash with a known plaintext -- replace before deployment.
rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220

# Configure firewall settings for the system (optional)
# --enabled	reject incoming connections that are not in response to outbound requests
# --ssh		allow sshd service through the firewall
# Only SSH is opened here; any other inbound service must be added explicitly.
firewall --enabled --ssh

# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing

# Set the system time zone (required)
timezone --utc America/New_York

# Specify how the bootloader should be installed (required)
# Plaintext password is: password
# Refer to e.g.
# grub2-mkpasswd-pbkdf2
# to see how to create encrypted password form for different plaintext password
# --append	extra kernel command-line arguments:
#		audit=1                   enable kernel auditing from early boot
#		audit_backlog_limit=8192  size of the audit event backlog queue
#		slub_debug=P              poison freed slab memory
#		page_poison=1             poison freed pages
#		vsyscall=none             disable the legacy vsyscall page
#		(these correspond to the profile's kernel command-line hardening
#		rules -- confirm against the current rule set for the profile)
# --password	GRUB password, given as a grub.pbkdf2.sha512 hash (see --iscrypted)
# NOTE(review): sample hash with a known plaintext -- replace before deployment.
bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.45912D32B964BA58B91EAF9847F3CCE6F4C962638922543AFFAEE4D29951757F4336C181E6FC9030E07B7D9874DAD696A1B18978D995B1D7F27AF9C38159FDF3.99F65F3896012A0A3D571A99D6E6C695F3C51BE5343A01C1B6907E1C3E1373CB7F250C2BC66C44BB876961E9071F40205006A05189E51C2C14770C70C723F3FD --iscrypted

# Initialize (format) all disks (optional)
# Destructive: every disk's partition table is cleared.
zerombr

# The following partition layout scheme assumes disk of size 20GB or larger
# Modify size of partitions appropriately to reflect actual machine's hardware
#
# Remove Linux partitions from the system prior to creating new ones (optional)
# --linux	erase all Linux partitions
# --initlabel	initialize the disk label to the default based on the underlying architecture
clearpart --linux --initlabel

# Create primary system partitions (required for installs)
part /boot --fstype=xfs --size=512
# Physical volume that takes all remaining space; the logical volumes below live on it.
part pv.01 --grow --size=1

# Create a Logical Volume Management (LVM) group (optional)
volgroup VolGroup pv.01

# Create particular logical volumes (optional)
# Sizes are in MiB. Root gets 11264 and --grow, so it absorbs any space left
# after the fixed-size volumes below are allocated.
logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow

# CCE-26557-9: Ensure /home Located On Separate Partition
# nodev: no device nodes may be created on this filesystem
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"

# CCE-26435-8: Ensure /tmp Located On Separate Partition
# nodev,noexec,nosuid: no device nodes, no executable files and no setuid/setgid
# binaries on the world-writable temporary directory
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"

# CCE-26639-5: Ensure /var Located On Separate Partition
logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"

# CCE-26215-4: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev"

# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
# Separate volume so audit records cannot be starved of space by other logs.
logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev"

# Swap volume (no filesystem type needed)
logvol swap --name=swap --vgname=VolGroup --size=2016

# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
# content - security policies - on the installed system. This add-on has been enabled by default
# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
# functionality will automatically be installed. However, by default, no policies are enforced,
# meaning that no checks are performed during or after installation unless specifically configured.
#
# Important
# Applying a security policy is not necessary on all systems. This section should only be used
# when a specific policy is mandated by your organization rules or government regulations.
# Unlike most other commands, this add-on does not accept regular options, but uses key-value
# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
# Values can be optionally enclosed in single quotes (') or double quotes (").
#
# For more details and configuration options see
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
#
# content-type	use the scap-security-guide content shipped with the installer
# profile	XCCDF profile id to apply; here the PCI-DSS profile
%addon com_redhat_oscap
    content-type = scap-security-guide
    profile = xccdf_org.ssgproject.content_profile_pci-dss
%end

# Packages selection (%packages section is required)
# NOTE(review): nothing is listed here, so the installer's default package set
# is installed -- confirm this matches the intended package baseline for the
# profile, and pin additional packages/groups here if needed.
%packages
%end

# Reboot after the installation is complete (optional)
# --eject	attempt to eject CD or DVD media before rebooting
reboot --eject