How to install CentOS 8 via kickstart - nomorespice/centos8-howto GitHub Wiki
CentOS (Community Enterprise Operating System) is a Linux distribution that provides a free, community-supported computing platform functionally compatible with its upstream source, Red Hat Enterprise Linux (RHEL). This guide walks you through installing and securing a CentOS 8 Linux server according to the CIS benchmark version 1.0.0.
This document assumes that:
- you are installing the CentOS 8 x64 Operating System
- you are performing these tasks as root
- you are performing these tasks in order, as some tasks require others to be completed first
Be sure to modify the following to customize for your environment:
- Modify the HTTP install IP/URL address
- Add an encrypted root password
- Modify the initial username and encrypted password
- Modify the timezone
- Set the appropriate partition sizes for the disk mounts
- Add any required initial RPM packages
- Modify the domain resolution information
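%pre
# Interactive hostname prompt. %pre runs in the installer environment before
# anaconda parses the main body, so the answer is handed back through the
# "%include /tmp/networkhost.txt" line that follows the network directive.
iotty=$(tty)
exec < "$iotty" > "$iotty" 2> "$iotty"
# Accept only RFC 1123 host names (labels of letters, digits and hyphens,
# 1-63 chars, no leading/trailing hyphen, dot-separated). Anything else —
# spaces, an empty answer, a leading "--" — would produce a malformed
# "network --hostname=" directive and abort or misconfigure the install.
while :; do
  printf 'Enter hostname: '
  read -r NAME
  if printf '%s\n' "$NAME" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'; then
    break
  fi
  printf 'Invalid hostname "%s": use letters, digits and hyphens only.\n' "$NAME"
done
sleep 1
# Overwrite rather than append, so a re-run of %pre cannot leave two
# conflicting "network" lines in the included file.
printf 'network --hostname=%s\n' "$NAME" > /tmp/networkhost.txt
%end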
# --- Installer behaviour -------------------------------------------------
# Installation is the default action on CentOS 8 and pykickstart reports the
# "install" command as deprecated there; harmless, kept as written.
install
# Text-mode (non-graphical) installer.
text
# Installation tree on the local mirror. Plain HTTP gives no transport
# integrity; the RPMs themselves are still GPG-verified, but the mirror host
# and the network segment must be trusted.
url --url=http://192.168.1.10/centos8
lang en_US.UTF-8
keyboard --vckeymap=us --xlayouts='us'
# eth0 is the name guaranteed by net.ifnames=0/biosdevname=0 on the bootloader
# line below. The hostname directive comes from the file written by %pre.
network --device=eth0 --onboot=on --activate
%include /tmp/networkhost.txt
# SECRET is a placeholder for a crypt(3)-style hash (--iscrypted is set):
# a plaintext value here would simply leave root unable to log in.
rootpw --iscrypted SECRET
# Opens port 22 in firewalld for the installed system's first boot only: the
# post-install steps later move sshd to port 5224, disable firewalld and
# switch to the nftables ruleset in /script/fw.sh.
firewall --service=ssh
firstboot --disabled
# authconfig is deprecated on CentOS 8 (authselect replaces it; the first-boot
# script selects an authselect profile). Shadow passwords and sha512 hashing
# are the CentOS 8 defaults regardless.
authconfig --enableshadow --passalgo=sha512
# Administrative user (USERNAME/SECRET are placeholders; SECRET is a hash).
# Membership in wheel matters because sshd gets "PermitRootLogin no" later.
user --name=USERNAME --gecos="USER NAME" --uid=1010 --gid=1010 --groups=wheel --password="SECRET" --iscrypted
selinux --enforcing
# --nontp: no time sync during install; chrony is configured post-install.
timezone America/Denver --isUtc --nontp
# Only sda is touched; any other attached disk is ignored by the partitioner.
ignoredisk --only-use=sda
# audit=1 makes the kernel audit processes that start before auditd and
# audit_backlog_limit enlarges the audit queue (both CIS items);
# modprobe.blacklist=floppy keeps the floppy module out.
bootloader --location=mbr --boot-drive=sda --append="net.ifnames=0 biosdevname=0 modprobe.blacklist=floppy audit=1 audit_backlog_limit=8192"
# NOTE(review): --none preserves existing partitions, so the fixed-size "part"
# lines below can only be satisfied on an empty disk; confirm whether
# "--all --initlabel" (wipe the disk) is the intended behaviour.
clearpart --none --initlabel
# --- Partitioning (sizes in MiB) ------------------------------------------
# Separate filesystems with nodev/noexec/nosuid per the CIS benchmark;
# / takes the remaining space (--grow).
# NOTE(review): CIS also asks for nosuid and noexec on /tmp; only nodev is set
# here — confirm the weaker options for /tmp are intentional.
part swap --fstype="swap" --ondisk=sda --size=2000
part /boot --fstype="xfs" --ondisk=sda --size=500
part /tmp --fstype="xfs" --ondisk=sda --size=2000 --fsoptions="nodev"
part /home --fstype="xfs" --ondisk=sda --size=5000 --fsoptions="nodev"
part /var --fstype="xfs" --ondisk=sda --size=10000 --fsoptions="nodev"
part /var/tmp --fstype="xfs" --ondisk=sda --size=2000 --fsoptions="nodev,noexec,nosuid"
part /var/log --fstype="xfs" --ondisk=sda --size=5000 --fsoptions="nodev,noexec,nosuid"
part /var/log/audit --fstype="xfs" --ondisk=sda --size=5000 --fsoptions="nodev,noexec,nosuid"
part / --fstype="xfs" --ondisk=sda --grow --size=200
# Package repositories for the install (same local mirror, plain HTTP).
repo --name="BaseOS" --baseurl=http://192.168.1.10/mirror/centos_8_x86_64/BaseOS
repo --name="appstream" --baseurl=http://192.168.1.10/mirror/centos_8_x86_64/AppStream
%packages --ignoremissing
# NOTE(review): --ignoremissing makes the installer skip (not fail on) any
# package it cannot find, so a mirror problem silently yields a system without
# chrony, postfix or net-snmp; consider dropping the flag once the mirror is
# known to carry everything listed.
@core
# Intel wireless firmware is useless on a server/VM; excluded to keep the
# image small.
-iwl1000-firmware
-iwl100-firmware
-iwl105-firmware
-iwl135-firmware
-iwl2000-firmware
-iwl2030-firmware
-iwl3160-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6000g2a-firmware
-iwl6050-firmware
-iwl7260-firmware
# "at" and cron are both restricted to root post-install via at.allow/cron.allow.
at
bind-utils
# Time sync; pointed at the site NTP server post-install.
chrony
# gcc, make and zlib-devel exist only to build the OSSEC agent from source in
# the post-install steps; consider removing them once OSSEC is installed.
gcc
lsof
# mailx/postfix deliver auditd's EMAIL action and root's diverted mail.
mailx
make
mlocate
net-tools
# SNMPv3 read-only agent (configured post-install).
net-snmp
net-snmp-utils
# Provides semanage, which the first-boot script uses to label sshd's port.
policycoreutils-python-utils
postfix
qperf
setools
vim-enhanced
# Fetches the OSSEC tarball and the CIS rootcheck file post-install.
wget
zlib-devel
%end
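%post --log=/root/ks-post.log
## Network
# Runs inside the freshly installed system (chroot); output is kept in
# /root/ks-post.log for troubleshooting.
# NOTE(review): an empty file of this name masks a packaged file of the same
# name on some distributions, but CentOS 8 does not appear to ship one, so
# this touch is most likely a no-op — confirm what it was meant to do.
/bin/touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
# Drop any predictable-name ifcfg files: with net.ifnames=0 biosdevname=0 on
# the kernel command line the NIC comes up as eth0.
/bin/rm -f /etc/sysconfig/network-scripts/ifcfg-ens*
/bin/rm -f /etc/sysconfig/network-scripts/ifcfg-eno*
# Static resolver configuration ("DOMAIN NAME" and the nameserver are
# placeholders). resolv.conf(5): "domain" and "search" are mutually exclusive
# and the last one wins, so the original "domain" line was dead; only
# "search" is kept.
# NOTE(review): NetworkManager rewrites /etc/resolv.conf at boot unless told
# not to (dns=none in the [main] section of NetworkManager.conf) — confirm
# this file survives the first boot.
/bin/cat <<'EOT' >/etc/resolv.conf
options ndots:2
search DOMAIN NAME
nameserver 192.168.1.2
EOT
%end
# Reboot into the installed system as soon as %post finishes instead of
# waiting at the "installation complete" prompt.
reboot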
Be sure to add your own NTP server IP address/host name.
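# Point chrony at the site NTP server only (192.168.1.2 is a placeholder).
# Remove every upstream "pool"/"server" line by pattern instead of deleting
# lines 1-3 by number, so the edit works regardless of the stock file's exact
# layout and cannot eat an unrelated line.
/bin/sed -i -e '/^pool /d' -e '/^server /d' /etc/chrony.conf
/bin/sed -i '1i server 192.168.1.2 iburst' /etc/chrony.conf
/bin/systemctl enable chronyd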
Be sure to modify the following to customize for your environment:
- Modify syslocation
- Add a valid syscontact
- Add appropriate disk mounts to monitor
- Modify the SNMP username
- Modify the SHA hash and AES keys
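# Replace the stock snmpd.conf with a minimal SNMPv3, read-only configuration.
# Placeholders: SOME LOCATION, the syscontact address, USERNAME, SHA-HASH and
# AES-KEY. "disk PATH N" warns when fewer than N kB are free.
/bin/mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig
/bin/cat <<'EOT' >/etc/snmp/snmpd.conf
view all included .1 80
syslocation SOME LOCATION
syscontact [email protected]
disk / 10000
disk /boot 10000
disk /var 10000
disk /tmp 10000
disk /home 10000
disk /var/log 10000
disk /var/log/audit 10000
disk /var/tmp 10000
dontLogTCPWrappersConnects yes
# "priv" requires both authentication and encryption on every request.
# Without it rouser defaults to the "auth" level, so a client could talk to
# the agent unencrypted even though an AES privacy key is configured below.
rouser USERNAME priv
EOT
# snmpd consumes the createUser line on its first start and rewrites this
# file with localized keys, so it must be added while snmpd is still stopped
# (it is only enabled here, not started). Keep the file root-only: until
# that first start it holds the plaintext credentials.
/bin/echo -E 'createUser USERNAME SHA "SHA-HASH" AES AES-KEY' >> /var/lib/net-snmp/snmpd.conf
/bin/chmod 600 /var/lib/net-snmp/snmpd.conf
/bin/systemctl enable snmpd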
Be sure to modify the following to customize for your environment:
- Modify the relay host (if one exists)
- Add a valid email address to forward mail that is destined for the local root account
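## Postfix: relay outbound mail and divert root's mail to a real mailbox.
## Placeholders: RELAY.EXAMPLE.COM and the canonical address for root.
## postconf -e is used instead of sed/echo so each parameter is set exactly
## once even if this step is re-run (the echo form appended duplicates).
/usr/sbin/postconf -e 'relayhost = [RELAY.EXAMPLE.COM]'
/usr/sbin/postconf -e 'header_checks = regexp:/etc/postfix/header_checks'
# Refuse VRFY so the MTA cannot be used to enumerate local accounts.
/usr/sbin/postconf -e 'disable_vrfy_command = yes'
/usr/sbin/postconf -e 'smtp_tls_fingerprint_digest = sha256'
/usr/sbin/postconf -e 'recipient_canonical_maps = hash:/etc/postfix/recipient_canonical'
# Single-entry map: overwrite, do not append, so re-running cannot duplicate it.
/bin/echo -E "root [email protected]" > /etc/postfix/recipient_canonical
/sbin/postmap hash:/etc/postfix/recipient_canonical
/bin/systemctl enable postfix
## rsyslog: turn off rate limiting on the local log socket so bursts (e.g.
## from a flood of audit/sshd events) are not dropped. A single substitution
## inserts both parameters inside the existing module(load="imuxsock" ...)
## block instead of chaining three seds that depend on each other's output.
## NOTE(review): the stock CentOS 8 rsyslog.conf keeps SysSock.Use="off" and
## reads the journal through imjournal, so these SysSock settings (and the
## journald ForwardToSyslog=yes below) only matter if the socket is enabled;
## imjournal has its own Ratelimit.Interval/Ratelimit.Burst — confirm which
## path is intended.
/bin/sed -i 's/SysSock.Use="off")/SysSock.Use="off"\n       SysSock.RateLimit.Interval="0"\n       SysSock.RateLimit.Burst="0")/' /etc/rsyslog.conf
/bin/sed -i "/#### RULES ####/ i # Disable rate-limiting" /etc/rsyslog.conf
/bin/sed -i '/#### RULES ####/ i \$RepeatedMsgReduction off' /etc/rsyslog.conf
/bin/sed -i '/#### RULES ####/ i #' /etc/rsyslog.conf
## journald: forward to rsyslog, compress, and keep the journal on disk
## across reboots (CIS). Anchor on the key so the edit applies whether the
## line is still commented or already set to another value.
/bin/sed -i 's/^#\?ForwardToSyslog=.*/ForwardToSyslog=yes/' /etc/systemd/journald.conf
/bin/sed -i 's/^#\?Compress=.*/Compress=yes/' /etc/systemd/journald.conf
/bin/sed -i 's/^#\?Storage=.*/Storage=persistent/' /etc/systemd/journald.conf
## cron/at restricted to root (CIS): the allow files only take effect as the
## sole control once the deny files are gone, and they must be root-only.
/bin/rm -f /etc/cron.deny /etc/at.deny
/bin/echo "root" > /etc/cron.allow
/bin/echo "root" > /etc/at.allow
/bin/chown root:root /etc/cron.allow /etc/at.allow
/bin/chmod 600 /etc/cron.allow /etc/at.allow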
- Modify the sshd port and address family as required
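# sshd hardening. Every sed anchors on the exact line shipped in the stock
# CentOS 8 sshd_config; a line that does not match is left unchanged with no
# error, which is why the result is syntax-checked at the end. sshd is not
# restarted here: it comes up after the reboot, once the first-boot script
# has labelled port 5224 for SELinux.
/bin/sed -i "s/#AddressFamily any/AddressFamily inet6/" /etc/ssh/sshd_config
# Non-standard port; must match the semanage call and the nftables rules.
/bin/sed -i "s/#Port 22/Port 5224/" /etc/ssh/sshd_config
/bin/sed -i "s/PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
# CIS names /etc/issue.net for the sshd banner; both files get the same text.
/bin/sed -i "s/#Banner none/Banner \/etc\/issue/" /etc/ssh/sshd_config
/bin/sed -i "s/X11Forwarding yes/X11Forwarding no/" /etc/ssh/sshd_config
/bin/sed -i "s/#MaxAuthTries 6/MaxAuthTries 3/" /etc/ssh/sshd_config
# NOTE(review): on CentOS 8 sshd is launched with the system-wide crypto
# policy on its command line (CRYPTO_POLICY in /etc/sysconfig/sshd), and
# command-line options override sshd_config, so this Ciphers line is probably
# inert; FIPS mode (enabled at first boot) selects the FIPS policy anyway.
# Verify with "sshd -T | grep -i ciphers" after the first boot.
/bin/sed -i '/RekeyLimit/ a Ciphers aes256-ctr,aes192-ctr,aes128-ctr' /etc/ssh/sshd_config
/bin/sed -i "s/#LoginGraceTime 2m/LoginGraceTime 60/" /etc/ssh/sshd_config
/bin/sed -i "s/#AllowTcpForwarding yes/AllowTcpForwarding no/" /etc/ssh/sshd_config
/bin/sed -i "s/#MaxStartups 10:30:100/MaxStartups 10:30:60/" /etc/ssh/sshd_config
/bin/sed -i "s/#MaxSessions 10/MaxSessions 4/" /etc/ssh/sshd_config
# Idle-session timeout (CIS): probe every 300 s, disconnect after 3 misses.
/bin/sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 300/" /etc/ssh/sshd_config
/bin/sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 3/" /etc/ssh/sshd_config
# ed25519 host keys are not FIPS-approved — presumably disabled because of the
# FIPS switch at first boot; confirm.
/bin/sed -i 's/HostKey \/etc\/ssh\/ssh_host_ed25519_key/#HostKey \/etc\/ssh\/ssh_host_ed25519_key/' /etc/ssh/sshd_config
# Fail loudly now rather than discovering a broken sshd_config after reboot.
/usr/sbin/sshd -t || echo "sshd_config failed validation; fix it before rebooting" >&2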
Be sure to modify the OSSEC server IP address and install type.
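# OSSEC HIDS agent, built from the upstream source tarball (the reason gcc,
# make and zlib-devel were installed). OSSEC_VERSION drives both the download
# and the install path: the original page downloaded 3.6.0 but then ran
# /var/src/ossec-hids-3.3.0/install.sh, a path that was never created.
OSSEC_VERSION=3.6.0
OSSEC_SRC="/var/src/ossec-hids-${OSSEC_VERSION}"
/bin/mkdir -p /var/src
# TODO: compare the tarball against a checksum obtained out of band before
# running install.sh — nothing below verifies the download beyond TLS.
/bin/wget -q "https://github.com/ossec/ossec-hids/archive/${OSSEC_VERSION}.tar.gz" -O "${OSSEC_SRC}.tar.gz"
/bin/tar -xzf "${OSSEC_SRC}.tar.gz" -C /var/src
# Answers for the unattended install; the server IP must match the
# <server-ip> in ossec.conf below (both are placeholders).
/bin/cat <<'EOT' >"${OSSEC_SRC}/etc/preloaded-vars.conf"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_UPDATE="y"
USER_UPDATE_RULES="y"
USER_AGENT_SERVER_IP="192.168.1.10"
EOT
# install.sh expects to be run from inside the extracted tree.
(cd "$OSSEC_SRC" && ./install.sh)
/bin/touch /var/ossec/etc/shared/agent.conf
# Agent configuration written after the installer so it is not overwritten.
# NOTE(review): the agent presumably still needs to be registered with the
# manager (agent key) before it reports anything — not covered on this page.
/bin/cat <<\EOT >/var/ossec/etc/ossec.conf
<ossec_config>
<client>
<server-ip>192.168.1.10</server-ip>
</client>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore --> <ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/etc/alsa/pcm</ignore>
<ignore>/etc/asound.state</ignore>
<ignore>/etc/blkid/blkid.tab.old</ignore>
<ignore>/etc/blkid/blkid.tab</ignore>
<ignore>/etc/aliases.db</ignore>
<ignore>/etc/sysconfig/hwconf</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel8_linux_rcl.txt</system_audit>
</rootcheck>
<active-response>
<disabled>yes</disabled>
</active-response>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 5</command>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/nftables</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/cron</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/sudo.log</location>
</localfile>
</ossec_config>
EOT
/bin/chown ossec:ossec /var/ossec/etc/ossec.conf
/bin/chmod 640 /var/ossec/etc/ossec.conf
# CIS rootcheck policy for RHEL 8, referenced by <system_audit> above.
# TODO: this is an unverified download from a personal repository; review the
# file (or pin a checksum) before it is used as the compliance baseline.
/bin/wget -q https://raw.githubusercontent.com/nomorespice/ossec-extras/master/cis_rhel8_linux_rcl.txt -O /var/ossec/etc/shared/cis_rhel8_linux_rcl.txt
/bin/chown ossec:ossec /var/ossec/etc/shared/cis_rhel8_linux_rcl.txt
/bin/chmod 640 /var/ossec/etc/shared/cis_rhel8_linux_rcl.txt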
Be sure to add any inbound access rules that are required (e.g. ssh).
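# Replace firewalld with a hand-written nftables ruleset. The script is only
# written here; it is first executed by the first-boot script, so from the
# reboot until then the host has no packet filter at all. The ruleset drops
# ALL inbound traffic except loopback, established flows and IPv6 neighbour
# discovery — add the inbound services you need (the sshd rule is left
# commented out as an example) or remote access is lost at first boot.
/bin/systemctl stop firewalld
/bin/systemctl disable firewalld
# Unrelated to the firewall: ignore Ctrl-Alt-Del on the console.
/bin/systemctl mask ctrl-alt-del.target
mkdir -p /script
/bin/cat <<\EOT >/script/fw.sh
#!/bin/bash
# fw.sh
# Firewall Configuration Script
#
# Command Variables
NFT=/usr/sbin/nft
#
# File/Directory Variables
NFTCONF=/etc/sysconfig/nftables.conf
#
# Flush all firewall chains
$NFT flush ruleset
#
$NFT add table inet filter
$NFT add chain inet filter INPUT { type filter hook input priority 0\; policy drop \; }
$NFT add chain inet filter FORWARD { type filter hook forward priority 0\; policy drop \; }
$NFT add chain inet filter OUTPUT { type filter hook output priority 0\; policy drop \; }
#
$NFT add rule inet filter INPUT ct state related,established accept
$NFT add rule inet filter INPUT ct state invalid drop
$NFT add rule inet filter INPUT iif lo accept
$NFT add rule inet filter INPUT iif lo ip6 saddr ::1 accept
$NFT add rule inet filter INPUT meta l4proto ipv6-icmp ip6 saddr fe80::/10 accept
$NFT add rule inet filter INPUT ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit } ip6 hoplimit 255 accept
# Inbound services go here. Example for sshd on the port set in sshd_config
# (uncomment and adjust; restrict the source if the network allows it):
# $NFT add rule inet filter INPUT tcp dport 5224 ct state new accept
$NFT add rule inet filter INPUT fib daddr type { broadcast, multicast } drop
$NFT add rule inet filter INPUT ip6 daddr ff02::1 drop
$NFT add rule inet filter INPUT ip version 4 log prefix \"NFTABLE-IN \" level debug drop
$NFT add rule inet filter INPUT ip6 version 6 log prefix \"NF6TABLE-IN \" level debug drop
$NFT add rule inet filter INPUT counter drop
#
$NFT add rule inet filter OUTPUT oif lo accept
$NFT add rule inet filter OUTPUT oif lo ip6 saddr ::1 accept
$NFT add rule inet filter OUTPUT meta l4proto ipv6-icmp accept
$NFT add rule inet filter OUTPUT ct state invalid drop
$NFT add rule inet filter OUTPUT counter ct state new,related,established accept
#
#
# Save the ruleset where nftables.service reloads it from at boot
$NFT list ruleset > $NFTCONF
#
exit
EOT
/bin/chmod 700 /script/fw.sh
# nftables.service is what restores /etc/sysconfig/nftables.conf at boot;
# without enabling it the saved ruleset would silently never be reloaded
# after a reboot and the host would come up with no firewall.
/bin/systemctl enable nftables
# Dedicated log for the nftables drop rules (their prefixes are matched below).
/bin/touch /var/log/nftables
/bin/chmod 600 /var/log/nftables
/bin/sed -i "/messages/ i \/var\/log\/nftables" /etc/logrotate.d/syslog
/bin/cat <<'EOT' >/etc/rsyslog.d/10-nftables.conf
:msg, contains, "NFTABLE" -/var/log/nftables
& stop
:msg, contains, "NF6TABLE" -/var/log/nftables
& stop
EOT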
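# Custom tuned profile layered on virtual-guest; its [sysctl] section carries
# the CIS network-hardening values and is re-applied by tuned at every boot.
# IPv6 stays enabled (disable_ipv6=0) because sshd is bound to inet6 above.
mkdir -p /etc/tuned/system_vm
cat <<'EOT' >/etc/tuned/system_vm/tuned.conf
[main]
summary=Custom system profile
include=virtual-guest
[selinux]
avc_cache_threshold=8192
[sysctl]
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_local_port_range=16384 65535
net.ipv4.tcp_keepalive_time=300
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.default.disable_ipv6=0
net.ipv6.conf.lo.disable_ipv6=0
# No core dumps from set-uid programs (CIS "restrict core dumps"; pairs with
# the "* hard core 0" limit set later on this page).
fs.suid_dumpable=0
EOT
# tuned-adm talks to the daemon over D-Bus, so make sure it is running;
# this is a no-op if tuned is already enabled and active.
/bin/systemctl enable --now tuned
/sbin/tuned-adm profile system_vm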
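# Login banners for the console (/etc/issue) and sshd (Banner directive).
# Keep the originals, write the text once and copy it so the two files cannot
# drift apart. CIS also requires both to be root-owned and mode 644; a file
# created under the 027 umask set on this page would otherwise be 640.
/bin/mv /etc/issue /etc/issue.orig
/bin/mv /etc/issue.net /etc/issue.net.orig
/bin/cat <<'EOT' >/etc/issue
WARNING: To protect the system from fraud and abuse, activities
on this system are monitored and subject to audit. Use of this
system is expressed consent to monitor.
EOT
/bin/cp /etc/issue /etc/issue.net
/bin/chown root:root /etc/issue /etc/issue.net
/bin/chmod 644 /etc/issue /etc/issue.net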
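# Interactive-shell defaults for root and for new accounts (/etc/skel).
for rc in /root/.bashrc /etc/skel/.bashrc; do
  /bin/cat <<'EOT' >>"$rc"
alias vi='vim'
HISTTIMEFORMAT="%Y/%m/%d - %H:%M:%S "
EOT
done
# Default umask 027 for ordinary users (CIS). The separate "umask 022" branch
# for root and system accounts in these files is left as shipped.
/bin/sed -i 's/umask 002/umask 027/' /etc/bashrc
/bin/sed -i 's/umask 002/umask 027/' /etc/profile
# Shell inactivity timeout. The original set TMOUT=3600 (read-only) in the
# per-user rc files, which exceeds the 900 s CIS maximum, overrode the 900
# appended to /etc/profile and /etc/bashrc for every user (because ~/.bashrc
# is sourced after them), and lived in files the user can edit. Setting it
# once, read-only, in /etc/profile.d — sourced by both /etc/profile and
# /etc/bashrc — covers login and non-login shells and cannot be reassigned
# inside the session.
/bin/cat <<'EOT' >/etc/profile.d/tmout.sh
readonly TMOUT=900
export TMOUT
EOT
/bin/chmod 644 /etc/profile.d/tmout.sh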
# Disable filesystems and network protocols the CIS benchmark wants
# unavailable: mapping each module's "install" to /bin/true makes modprobe
# report success without loading it. One drop-in file per module, as before.
for kmod in cramfs squashfs udf dccp sctp rds tipc; do
  printf 'install %s /bin/true\n' "$kmod" > "/etc/modprobe.d/${kmod}.conf"
done
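# /dev/shm hardening (CIS). Only add the fstab entry if it is not there yet,
# so re-running this step cannot produce duplicate lines.
/bin/grep -q '^tmpfs[[:space:]]\+/dev/shm[[:space:]]' /etc/fstab || \
  /bin/echo -E "tmpfs /dev/shm t mpfs nodev,noexec,nosuid 0 0" >> /etc/fstab
# sudo settings go into a sudoers.d drop-in (pulled in by the stock
# "#includedir /etc/sudoers.d") rather than sed-editing /etc/sudoers, and are
# syntax-checked with visudo so a typo cannot break sudo system-wide.
/bin/cat <<'EOT' >/etc/sudoers.d/10-cis
Defaults use_pty
Defaults logfile="/var/log/sudo.log"
EOT
/bin/chmod 440 /etc/sudoers.d/10-cis
/usr/sbin/visudo -cf /etc/sudoers.d/10-cis
# Pre-create the log (read by OSSEC and watched by auditd later) root-only.
/bin/touch /var/log/sudo.log
/bin/chmod 600 /var/log/sudo.log
/bin/sed -i "/messages/ i \/var\/log\/sudo.log" /etc/logrotate.d/syslog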
Be sure to modify the encrypted password.
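# GRUB password (CIS). GRUB2_PASSWORD is a placeholder for the hash produced
# by grub2-mkpasswd-pbkdf2 — or run "grub2-setpassword", which writes this
# same file interactively. Both the user file and grub.cfg must be root-only.
/bin/cat <<'EOT' >/boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.PASSWORD
EOT
/bin/chmod 600 /boot/grub2/user.cfg
# BIOS/MBR layout, matching "bootloader --location=mbr" in the kickstart;
# on a UEFI host the files live under /boot/efi/EFI/centos/ instead.
/usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
/bin/chmod 600 /boot/grub2/grub.cfg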
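# Core dumps: hard limit 0 for every user (pairs with fs.suid_dumpable=0).
/bin/echo '* hard core 0' >> /etc/security/limits.conf
# An effectively empty securetty means pam_securetty (added to /etc/pam.d/login
# by the first-boot script) refuses root on EVERY tty, including the physical
# console; root is then reachable only via su/sudo from the wheel user or from
# single-user/rescue mode — make sure that is intended before relying on it.
/bin/echo > /etc/securetty
# Password ageing (CIS). Anchor on the key rather than the stock value so the
# edit applies whatever the current setting or whitespace is.
/bin/sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS\t90/' /etc/login.defs
/bin/sed -i 's/^PASS_MIN_DAYS[[:space:]].*/PASS_MIN_DAYS\t7/' /etc/login.defs
# pwquality: at least 14 characters with one digit, upper, lower and other
# (a negative credit is a required count). The stock file has these keys
# commented out with example values; match the key, not the example value.
/bin/sed -i 's/^# *minlen *=.*/minlen = 14/' /etc/security/pwquality.conf
/bin/sed -i 's/^# *dcredit *=.*/dcredit = -1/' /etc/security/pwquality.conf
/bin/sed -i 's/^# *ucredit *=.*/ucredit = -1/' /etc/security/pwquality.conf
/bin/sed -i 's/^# *lcredit *=.*/lcredit = -1/' /etc/security/pwquality.conf
/bin/sed -i 's/^# *ocredit *=.*/ocredit = -1/' /etc/security/pwquality.conf
# Lock new accounts 30 days after their password expires (useradd default).
/sbin/useradd -D -f 30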
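# auditd behaviour when the log partition fills: mail (to action_mail_acct,
# root by default — which postfix's recipient_canonical map forwards) when
# space runs low, halt when the admin threshold is hit, and never rotate
# away audit logs. Anchored on the key so the edit works whatever the
# current value is.
/bin/sed -i 's/^space_left_action = .*/space_left_action = EMAIL/' /etc/audit/auditd.conf
/bin/sed -i 's/^admin_space_left_action = .*/admin_space_left_action = HALT/' /etc/audit/auditd.conf
/bin/sed -i 's/^max_log_file_action = .*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
# CIS audit rule set. Loaded by augenrules at the next boot. The two
# setxattr rules were split across two lines on the original page, leaving a
# bare "-k perm_mod" line that auditctl rejects; they are single lines here.
cat <<'EOT' >/etc/audit/rules.d/audit.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1
## Ensure events that modify date and time information are collected
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
## Ensure events that modify user/group information are collected
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## Ensure events that modify the system's network environment are collected
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network-scripts/ -p wa -k system-locale
## Ensure events that modify the system's Mandatory Access Controls are collected
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
## Ensure login and logout events are collected
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
## Ensure session initiation information is collected
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
## Ensure discretionary access control permission modification events are collected
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
## Ensure unsuccessful unauthorized file access attempts are collected
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
## Ensure successful file system mounts are collected
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
## Ensure file deletion events by users are collected
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
## Ensure changes to system administration scope (sudoers) is collected
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
## Ensure system administrator actions (sudolog) are collected
-w /var/log/sudo.log -p wa -k actions
## Ensure kernel module loading and unloading is collected
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
## Ensure the audit configuration is immutable (CIS): once loaded, rules can
## only be changed by editing this file and rebooting (augenrules --load fails)
-e 2
EOT
/bin/chmod 600 /etc/audit/rules.d/audit.rules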
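# EPEL is installed but left disabled so it can be enabled per package with
# --enablerepo. epel-release is taken from the CentOS "extras" repository,
# which is GPG-checked, instead of downloading the RPM from a URL: dnf does
# not verify signatures of local/URL packages by default (localpkg_gpgcheck=0).
/usr/bin/dnf -y install epel-release
# Needs dnf-plugins-core; install it first if "config-manager" is missing.
/usr/bin/dnf config-manager --disable epel
# Pin BaseOS/AppStream to their baseurl lines instead of the mirrorlist. The
# original used relative file names, which only worked when run from inside
# /etc/yum.repos.d.
# NOTE(review): later CentOS 8 releases renamed these files (CentOS-Linux-*.repo);
# check which names the installed release uses before relying on this.
for repo in CentOS-Base CentOS-AppStream; do
  /bin/sed -i -e "s/^#baseurl/baseurl/" -e "s/^mirrorlist/#mirrorlist/" "/etc/yum.repos.d/${repo}.repo"
done
/usr/bin/dnf -y update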
Be sure to modify the IP addresses/host names.
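# First-boot script: run once from rc.local after the reboot below, then it
# removes itself from rc.local. Written as one quoted heredoc so nothing is
# expanded at generation time. Placeholders to change: the eth0 addresses and
# gateways — note the IPv4 address below is the same 192.168.1.10 used on this
# page for the install mirror and the OSSEC server, so it WILL collide unless
# edited.
/bin/cat <<'EOT' >/root/runonce.sh
#!/bin/bash
/bin/nmcli con del "Wired connection 1"
/bin/nmcli con add con-name eth0 ifname eth0 type ethernet ip4 192.168.1.10/24 gw4 192.168.1.1 ip6 fd00:0:0:0::63/64 gw6 fd00:0:0:0::1
nmcli con mod eth0 ipv6.addresses "fd00:0:0:0::63/64"
/bin/nmcli networking off
/bin/nmcli networking on
# Label the non-default sshd port. Until this is done SELinux (enforcing)
# denies sshd the bind to 5224 and it fails to start, so restart it afterwards
# to get remote access back without another reboot.
/sbin/semanage port -a -t ssh_port_t -p tcp 5224
/bin/systemctl restart sshd
/usr/sbin/restorecon /etc/init.d/ossec
/usr/sbin/restorecon -R /var/ossec
/script/fw.sh
/usr/bin/fips-mode-setup --enable
/usr/bin/authselect create-profile custom-profile -b sssd --symlink-meta
/usr/bin/authselect select custom/custom-profile --force with-sudo with-faillock without-nullok
# PAM changes belong in the custom profile's templates, not in /etc/pam.d/*:
# those files are generated by authselect (and "sed -i" would replace the
# symlinks with plain files), so direct edits are reverted by the next
# apply-changes and make "authselect check" fail.
# NOTE(review): the deny=4/unlock_time=1200 pattern matches the pam_faillock
# arguments in early CentOS 8 authselect templates; later releases moved
# them to /etc/security/faillock.conf — confirm against the installed release.
/bin/sed -i 's/deny=4 unlock_time=1200/deny=3 unlock_time=600/' /etc/authselect/custom/custom-profile/system-auth
/bin/sed -i 's/deny=4 unlock_time=1200/deny=3 unlock_time=600/' /etc/authselect/custom/custom-profile/password-auth
/bin/sed -i 's/use_authtok/use_authtok remember=5/' /etc/authselect/custom/custom-profile/system-auth
/bin/sed -i 's/use_authtok/use_authtok remember=5/' /etc/authselect/custom/custom-profile/password-auth
/usr/bin/authselect apply-changes
# su restricted to wheel (uncomments the pam_wheel "required" line).
/bin/sed -i 's/#auth\t\trequired/auth\t\trequired/' /etc/pam.d/su
/bin/sed -i '2i \ auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so' /etc/pam.d/login
/bin/sed -i '/runonce.sh/d' /etc/rc.local
/bin/sed -i '/runonce/d' /etc/rc.d/rc.local
# FIPS mode (kernel command line and crypto policy) only takes effect after
# a reboot; do it here so the host never runs in a half-configured state.
/sbin/reboot
EOT
/bin/chmod 700 /root/runonce.sh
/bin/echo -E "/root/runonce.sh" >> /etc/rc.local
# rc-local.service only runs when /etc/rc.d/rc.local is executable.
/bin/chmod 700 /etc/rc.d/rc.local
reboot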