# SCAP Security Guide SCAP Test Suite node # This kickstart is known to apply for: # - Red Hat Enterprise Linux 8 - when using additional repository AppStream # - Red Hat Enterprise Linux 9 - when using additional repository AppStream # - Red Hat Enterprise Linux 10 - when using additional repository AppStream # - Fedora # # Based on: # https://pykickstart.readthedocs.io/en/latest/ # https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg # To enable custom repositories for the machine after installation use: #repo --name=myrepo --baseurl=http://... &&YUM_EXTRA_REPO&& # Set language to use during installation and the default language to use on the installed system (required) lang en_US.UTF-8 # Set system keyboard type / layout (required) keyboard us # Configure network information for target system and activate network devices in the installer environment (optional) # --onboot enable device at a boot time # --device device to be activated and / or configured with the network command # --bootproto method to obtain networking configuration for device (default dhcp) # --noipv6 disable IPv6 on this device network --onboot yes --device eth0 --bootproto dhcp --noipv6 # Set the system's root password (required) # Plaintext password is: server # Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create # encrypted password form for different plaintext password rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 # The selected profile will restrict root login # Add a user that can login and escalate privileges # Plaintext password is: admin123 user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted # Configure firewall settings for the system (optional) # --enabled reject incoming connections that are not in response to outbound requests # --ssh allow sshd service through the firewall firewall --enabled --ssh # State of SELinux on the installed system (optional) # Defaults to enforcing selinux --enforcing # Set the system time zone (required) timezone --utc America/New_York # Specify how the bootloader should be installed (required) # Refer to e.g. # https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw # to see how to create encrypted password form for different plaintext password bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" # Initialize (format) all disks (optional) zerombr # The following partition layout scheme assumes disk of size 20GB or larger # Modify size of partitions appropriately to reflect actual machine's hardware # # Remove Linux partitions from the system prior to creating new ones (optional) # --linux erase all Linux partitions # --initlabel initialize the disk label to the default based on the underlying architecture clearpart --linux --initlabel # Create primary system partitions (required for installs) part biosboot --fstype biosboot --size=1 part /boot --fstype=xfs --size=1152 --fsoptions="nosuid,noexec" part pv.01 --grow --size=1 # Create a Logical Volume Management (LVM) group (optional) volgroup VolGroup --pesize=4096 pv.01 # Create particular logical volumes (optional) logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=2936 --grow # Ensure /usr Located On Separate Partition logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5384 --fsoptions="nodev" # Ensure /opt Located On Separate Partition logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" # Ensure /srv Located On Separate Partition logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid" # Ensure /home Located On Separate Partition logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=768 --fsoptions="nodev" # Ensure /tmp Located On Separate Partition logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" # Ensure /var/tmp Located On Separate Partition logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" # Ensure /var Located On Separate Partition logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" # Ensure /var/log Located On Separate Partition logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" # Ensure /var/log/audit Located On Separate Partition logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" logvol swap --name=swap --vgname=VolGroup --size=2016 # Packages selection (%packages section is required) %packages qemu-guest-agent openscap-scanner openssh-clients openssh-server tar %end # End of %packages section %post --log /root/post-install.log --interpreter /bin/bash # initialize guest agent for Automatus systemctl enable qemu-guest-agent.service mkdir -p /root/.ssh printf "%s\n" "&&HOST_PUBLIC_KEY&&" >> /root/.ssh/authorized_keys chmod og-rw /root/.ssh /root/.ssh/authorized_keys systemctl enable sshd # This is needed to add entries about password change into /etc/shadow # so the remediation of the rule accounts_password_set_max_life_existing # won't request a password change in our automated tests. echo "admin123" | passwd --stdin admin echo "server" | passwd --stdin root # create yum/dnf repository from URL if replaced by install_vm.py if ! [[ '&&YUM_REPO_URL&&' =~ YUM_REPO_URL ]]; then cat > /etc/yum.repos.d/inst-ks.repo <> /etc/yum.repos.d/inst-ks.repo <