How to install RHEL 7 via kickstart - nomorespice/rhel7-howto GitHub Wiki
Red Hat Enterprise Linux 7 provides core operating system functions and capabilities for application infrastructure. This guide will walk you through the process of installing and securing a Red Hat Enterprise Linux 7 server according to the CIS benchmark version 3.1.1.
This document assumes that:
- you are installing the RHEL 7 x64 Operating System
- you are performing these tasks as root
- you are performing these tasks in order, as some tasks require others to be completed first
Be sure to modify the following to customize for your environment:
- Modify the HTTP install IP/URL address
- Add an encrypted root password
- Modify the initial username and encrypted password
- Modify the timezone
- Set the appropriate partition sizes for the disk mounts
- Add any required initial RPM packages
- Modify the IPv4 and IPv6 addresses for the network interface
- Modify the domain resolution information
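%pre
# Prompt for the hostname on the install console and hand it to the command
# section through `%include /tmp/networkhost.txt`. The console device is
# reattached to stdin/stdout/stderr first so that `read` has a terminal to
# talk to. The operator at the console is trusted: the value is written into
# a kickstart `network` line verbatim.
iotty=$(tty)
exec < "$iotty" > "$iotty" 2> "$iotty"
printf '%s' "Enter hostname: "
# -r keeps a backslash in the input literal instead of escaping the next char.
read -r NAME
sleep 1
printf 'network --hostname=%s\n' "$NAME" >> /tmp/networkhost.txt
%end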
# --- Kickstart command section ---
# Text-mode network install from an internal HTTP mirror (placeholder address).
install
text
url --url http://192.168.1.10/rhel_7_x86_64
lang en_US.UTF-8
keyboard --vckeymap=us --xlayouts='us'
# One interface, IPv4 only during the install; the static IPv4/IPv6 ifcfg is
# written in %post. The hostname line is produced by the %pre prompt.
network --device=eth0 --onboot=on --noipv6 --activate
%include /tmp/networkhost.txt
# SECRET is a placeholder for a crypt(3)-style hash (authconfig below selects
# sha512); never put a plaintext password here.
rootpw --iscrypted SECRET
# firewalld only serves the install; %post masks it in favour of
# iptables-services and /script/fw.sh.
firewall --service=ssh
firstboot --disabled
authconfig --enableshadow --passalgo=sha512
# Administrative account; USERNAME/SECRET are placeholders. Membership of wheel
# matters because su is restricted to that group in %post.
user --name=USERNAME --gecos="USER NAME" --uid=1010 --gid=1010 --groups=wheel --password="SECRET" --iscrypted
selinux --enforcing
# --nontp: time sync is configured through chrony in %post instead.
timezone America/Denver --isUtc --nontp
ignoredisk --only-use=sda
# audit=1 makes the kernel audit processes started before auditd (CIS 4.1.3);
# net.ifnames=0/biosdevname=0 keep the interface named eth0 as assumed above.
bootloader --location=mbr --boot-drive=sda --append="net.ifnames=0 biosdevname=0 modprobe.blacklist=floppy audit=1"
# --none leaves existing partitions in place, so the layout below assumes an
# empty sda.
clearpart --none --initlabel
# Separate partitions with nodev/noexec/nosuid where CIS 1.1.x asks for them;
# sizes are in MB and are meant to be adjusted per host. / takes the rest.
part swap --fstype="swap" --ondisk=sda --size=2000
part /boot --fstype="xfs" --ondisk=sda --size=500
part /tmp --fstype="xfs" --ondisk=sda --size=2000 --fsoptions="nodev,noexec,nosuid"
part /home --fstype="xfs" --ondisk=sda --size=5000 --fsoptions="nodev"
part /var --fstype="xfs" --ondisk=sda --size=10000 --fsoptions="nodev"
part /var/tmp --fstype="xfs" --ondisk=sda --size=5000 --fsoptions="nodev,noexec,nosuid"
part /var/log --fstype="xfs" --ondisk=sda --size=5000 --fsoptions="nodev,noexec,nosuid"
part /var/log/audit --fstype="xfs" --ondisk=sda --size=5000 --fsoptions="nodev,noexec,nosuid"
part / --fstype="xfs" --ondisk=sda --grow --size=200
# Same mirror as the install source, used for %packages.
repo --name="Red Hat Enterprise Linux 7.7" --baseurl=http://192.168.1.10/rhel_7_x86_64 --cost=100
%packages
# Base system: @core plus the compat and development groups. Entries with a
# leading '-' are excluded: hardware firmware not needed on a VM, the rescue
# initramfs and NetworkManager (the ifcfg written in %post uses
# NM_CONTROLLED=no). NOTE(review): @development with gcc/make leaves a
# compiler on a hardened host — confirm it is actually required.
@compat-libraries
@core
-aic94xx-firmware
-alsa-firmware
-bfa-firmware
-dracut-config-rescue
-ivtv-firmware
-iwl1000-firmware
-iwl100-firmware
-iwl105-firmware
-iwl135-firmware
-iwl2000-firmware
-iwl2030-firmware
-iwl3160-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6000g2a-firmware
-iwl6000g2b-firmware
-iwl6050-firmware
-iwl7260-firmware
-iwl7265-firmware
-libertas-sd8686-firmware
-libertas-sd8787-firmware
-libertas-usb8388-firmware
-microcode_ctl
-NetworkManager
-NetworkManager-tui
-ql2100-firmware
-ql2200-firmware
-ql23xx-firmware
@development
# Packages that %post configures: chrony (time), iptables-services (fw.sh),
# net-snmp (snmpd), postfix (mail), policycoreutils-python (semanage for the
# ssh port), open-vm-tools (VMware guest; matches the virtual-guest tuned
# profile).
at
bind-utils
chrony
gcc
iptables-services
lsof
mailx
make
mlocate
net-tools
net-snmp
net-snmp-utils
open-vm-tools
policycoreutils-python
postfix
qperf
vim
vim-enhanced
wget
yum-utils
zlib-devel
%end
%post --log=/root/ks-post.log
## Network
# The kernel line renames the interface to eth0, so any ifcfg files anaconda
# wrote for predictable names (ens*/eno*) are removed and one static eth0
# config is written instead. Addresses are placeholders. NM_CONTROLLED=no goes
# with NetworkManager being excluded from %packages. IPv6 is enabled here even
# though the install itself ran with --noipv6; ipv6 autoconf/RA are off and a
# static address and gateway are used.
/bin/rm -f /etc/sysconfig/network-scripts/ifcfg-ens*
/bin/rm -f /etc/sysconfig/network-scripts/ifcfg-eno*
/bin/cat << EOT >/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO=static
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6_DEFROUTE=no
IPV6_PEERDNS=no
IPV6_PEERROUTES=no
IPV6_FAILURE_FATAL=no
IPV6ADDR=fd00:0:0:0::63/64
IPV6_DEFAULTGW=fd00:0:0:0::1
IPADDR=192.168.2.10
NETMASK=255.255.255.0
GATEWAY=192.168.2.1
EOT
%end
# Static resolver config; "DOMAIN NAME" and the nameserver are placeholders.
# NOTE(review): as laid out here this heredoc follows the `%end` of the %post
# above, i.e. it sits in the kickstart command section, where shell is not
# executed — confirm it belongs inside a %post block.
/bin/cat << EOT >/etc/resolv.conf
domain DOMAIN NAME
options ndots:2
search DOMAIN NAME
nameserver 192.168.1.2
EOT
# Kickstart command: reboot when the installation finishes.
reboot
Be sure to add your own NTP server IP addresses/host names (NTPSERVER1-3)
# Replace the pool.ntp.org servers in the stock chrony.conf with the site's
# NTP servers (placeholders NTPSERVER1-3). Each insert goes above line 1, so
# the file ends up with NTPSERVER3 first and NTPSERVER1 third.
# NOTE(review): `1,6d` deletes by line number (the two comment lines and four
# `server ... iburst` lines at the top of the RHEL 7 default file); confirm
# against the shipped file, since any other layout would delete the wrong lines.
/bin/sed -i '1,6d' /etc/chrony.conf
/bin/sed -i '1s/^/server NTPSERVER1 iburst \n/' /etc/chrony.conf
/bin/sed -i '1s/^/server NTPSERVER2 iburst \n/' /etc/chrony.conf
/bin/sed -i '1s/^/server NTPSERVER3 iburst \n/' /etc/chrony.conf
# CIS 2.2.1.3: run chronyd as the unprivileged chrony user.
/bin/sed -i 's/OPTIONS=\"\"/OPTIONS=\"-u chrony\"/' /etc/sysconfig/chronyd
/bin/systemctl enable chronyd
Be sure to modify the following to customize for your environment:
- Modify syslocation
- Add a valid syscontact
- Add appropriate disk mounts to monitor
- Modify the SNMP username
- Modify the SHA hash and AES keys
# SNMPv3 read-only agent. The stock config is kept as snmpd.conf.orig.
# `disk PATH MIN` monitors free space (kB) on each of the separate partitions
# created by the kickstart. syslocation/syscontact/USERNAME are placeholders.
# NOTE(review): `rouser USERNAME` with no level accepts auth-only (unencrypted)
# requests; `rouser USERNAME priv` would require the AES privacy configured
# below — confirm which level the manager uses.
/bin/mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig
/bin/cat << EOT >/etc/snmp/snmpd.conf
view all included .1 80
syslocation SOME LOCATION
syscontact [email protected]
disk / 10000
disk /boot 10000
disk /var 10000
disk /tmp 10000
disk /home 10000
disk /var/log 10000
disk /var/log/audit 10000
disk /var/tmp 10000
dontLogTCPWrappersConnects yes
rouser USERNAME
EOT
# The SNMPv3 user goes into the persistent config, which snmpd rewrites with a
# usmUser entry on first start. Per snmpd.conf(5) the SHA and AES arguments are
# passphrases (at least 8 characters), not precomputed hashes; the file must
# stay readable by root only.
/bin/echo -E 'createUser USERNAME SHA "SHA-HASH" AES AES-KEY' >> /var/lib/net-snmp/snmpd.conf
/bin/systemctl enable snmpd
Be sure to modify the following to customize for your environment:
- Modify the relay host (if one exists)
- Add a valid email address to forward mail that is destined for the local root account
- Modify the State, City and Organization for the self signed certificate
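# Postfix: local delivery plus a relay for outbound mail, with TLS on both
# sides. A copy of the stock main.cf is kept for reference.
cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
# The relay line is inserted after the commented `relayhost = [an.ip.add.ress]`
# example in the stock file; relay.example.com is a placeholder.
sed -i '/an.ip.add.ress/ a relayhost = [relay.example.com]' /etc/postfix/main.cf
sed -i 's/#header_checks/header_checks/' /etc/postfix/main.cf
# Every setting must land in main.cf: Postfix reads no "mail.cf", so the
# previous appends to that name were silently ignored and none of the TLS or
# VRFY settings took effect. The key/cert/CA paths are created in the next
# step.
# NOTE(review): smtpd_tls_loglevel 3 is a debugging level; Postfix documents
# level 1 for production use — confirm.
cat <<\EOT >>/etc/postfix/main.cf
disable_vrfy_command = yes
smtpd_tls_security_level = may
smtpd_enforce_tls = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
EOT
# Forward mail for the local root account to a real mailbox (placeholder
# address); postmap builds the hash table named in recipient_canonical_maps.
echo -E 'root [email protected]' > /etc/postfix/recipient_canonical
/sbin/postmap /etc/postfix/recipient_canonical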
# Self-signed 4096-bit RSA certificate for smtpd (placeholder subject fields,
# 2000 days validity), written unencrypted (-nodes) so postfix can load it.
# NOTE(review): $HOSTNAME is expanded by the %post shell of the installer and
# may not equal the hostname entered in %pre — confirm, or put the intended
# FQDN here.
/bin/openssl req -new -newkey rsa:4096 -days 2000 -nodes -x509 -subj "/C=CN/ST=STATE/L=CITY/O=ORG/CN=$HOSTNAME" -keyout /etc/postfix/postfix.key -out /etc/postfix/postfix.cert
# Two public root certificates (PEM bodies elided on this page) are bundled
# with the server's own certificate into cacert.pem, the smtp_tls_CAfile used
# to verify the relay. NOTE(review): these look like retired legacy roots;
# confirm the relay still chains to one of them, otherwise point
# smtp_tls_CAfile at the system CA bundle instead.
/bin/cat <<\EOT >/etc/postfix/Equifax_Secure_CA.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOT
/bin/cat <<\EOT >/etc/postfix/Thawte_Premium_Server_CA.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOT
/bin/cp /etc/postfix/postfix.cert /etc/postfix/cacert.pem
/bin/cat /etc/postfix/Equifax_Secure_CA.pem >> /etc/postfix/cacert.pem
/bin/echo >> /etc/postfix/cacert.pem
/bin/cat /etc/postfix/Thawte_Premium_Server_CA.pem >> /etc/postfix/cacert.pem
# rsyslog: each sed inserts one line immediately before the `#### RULES ####`
# marker, so running them in sequence yields the lines in this order.
# Rate limiting and repeated-message suppression are turned off so that
# bursts (e.g. the firewall LOG rules) are not dropped from the log.
/bin/sed -i "/#### RULES ####/ i # Disable rate-limiting" /etc/rsyslog.conf
/bin/sed -i '/#### RULES ####/ i \$SystemLogRateLimitInterval 0' /etc/rsyslog.conf
/bin/sed -i '/#### RULES ####/ i \$SystemLogRateLimitBurst 0' /etc/rsyslog.conf
/bin/sed -i '/#### RULES ####/ i \$RepeatedMsgReduction off' /etc/rsyslog.conf
/bin/sed -i '/#### RULES ####/ i #' /etc/rsyslog.conf
# CIS 4.2.1.3: log files created by rsyslog are not world-readable.
/bin/sed -i "/#### RULES ####/ i # Default file permissions" /etc/rsyslog.conf
/bin/sed -i '/#### RULES ####/ i \$FileCreateMode 0640' /etc/rsyslog.conf
/bin/sed -i '/#### RULES ####/ i #' /etc/rsyslog.conf
# journald (CIS 4.2.2.x): forward to rsyslog, compress, and keep the journal
# across reboots. The patterns uncomment the stock defaults.
/bin/sed -i 's/\#ForwardToSyslog=yes/ForwardToSyslog=yes/' /etc/systemd/journald.conf
/bin/sed -i 's/\#Compress=yes/Compress=yes/' /etc/systemd/journald.conf
/bin/sed -i 's/\#Storage=auto/Storage=persistent/' /etc/systemd/journald.conf
Modify the sshd port and address family and allowed users as required
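# sshd hardening (CIS 5.2.x). Each sed targets the commented default in the
# stock RHEL 7 sshd_config, so an edit is a no-op if that line was already
# changed. AddressFamily inet6 makes sshd listen on IPv6 only, which is why
# the IPv4 firewall script carries no active inbound ssh rule.
/bin/sed -i "s/#AddressFamily any/AddressFamily inet6/" /etc/ssh/sshd_config
# Non-default port: the SELinux port label for 5224 is added on first boot by
# /root/runonce.sh, and the ip6tables inbound rule must allow this same port.
/bin/sed -i "s/#Port 22/Port 5224/" /etc/ssh/sshd_config
/bin/sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
/bin/sed -i "s/#Banner none/Banner \/etc\/issue/" /etc/ssh/sshd_config
/bin/sed -i "s/X11Forwarding yes/X11Forwarding no/" /etc/ssh/sshd_config
/bin/sed -i "s/#MaxAuthTries 6/MaxAuthTries 3/" /etc/ssh/sshd_config
/bin/sed -i '/RekeyLimit/ a Ciphers aes256-ctr,aes192-ctr,aes128-ctr' /etc/ssh/sshd_config
/bin/sed -i "s/#LoginGraceTime 2m/LoginGraceTime 60/" /etc/ssh/sshd_config
# Idle timeout (CIS 5.2.16): keepalive probes are only sent when
# ClientAliveInterval is non-zero, so setting ClientAliveCountMax alone (the
# stock interval is 0) never disconnects an idle session. Probe every 300 s
# and drop the session after 3 unanswered probes.
/bin/sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 300/" /etc/ssh/sshd_config
/bin/sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 3/" /etc/ssh/sshd_config
# MAC and key-exchange allow-lists (CIS 5.2.12/5.2.13). The entries must be the
# full algorithm names (*-etm@openssh.com, curve25519-sha256@libssh.org); any
# malformed token makes sshd refuse to start.
/bin/echo "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
/bin/echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1" >> /etc/ssh/sshd_config
# Only the administrative account created by the kickstart `user` command may
# log in over ssh (USERNAME is that placeholder).
/bin/echo "AllowUsers USERNAME" >> /etc/ssh/sshd_config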
Be sure to modify the OSSEC server IP address and install type
# OSSEC HIDS agent built from the upstream 3.3.0 source tarball, unattended:
# preloaded-vars.conf answers the installer's prompts (agent mode, /var/ossec,
# placeholder server IP).
# NOTE(review): the tarball is fetched over HTTPS but not checked against a
# published checksum or signature before install.sh runs as root. Pinning the
# expected digest, e.g. `echo "<EXPECTED_SHA256>  /var/src/ossec-hids-3.3.0.tar.gz" | sha256sum -c`
# before the tar step, would close that gap.
/bin/mkdir /var/src
/bin/wget -q https://github.com/ossec/ossec-hids/archive/3.3.0.tar.gz -O /var/src/ossec-hids-3.3.0.tar.gz
/bin/tar -zxvf /var/src/ossec-hids-3.3.0.tar.gz -C /var/src
# USER_ENABLE_ACTIVE_RESPONSE only steers the installer; the ossec.conf written
# next sets active-response to disabled.
/bin/cat <<\EOT >/var/src/ossec-hids-3.3.0/etc/preloaded-vars.conf
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_UPDATE="y"
USER_UPDATE_RULES="y"
USER_AGENT_SERVER_IP="192.168.1.10"
EOT
/var/src/ossec-hids-3.3.0/install.sh
/bin/cat <<\EOT >/var/ossec/etc/ossec.conf
<ossec_config>
<client>
<server-ip>192.168.1.10</server-ip>
</client>
<syscheck>
<!-- Frequency that syscheck is executed - default to every 22 hours -->
<frequency>79200</frequency>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin</directories>
<!-- Files/directories to ignore --> <ignore>/etc/mtab</ignore>
<ignore>/etc/mnttab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/etc/alsa/pcm</ignore>
<ignore>/etc/asound.state</ignore>
<ignore>/etc/blkid/blkid.tab.old</ignore>
<ignore>/etc/blkid/blkid.tab</ignore>
<ignore>/etc/aliases.db</ignore>
<ignore>/etc/sysconfig/hwconf</ignore>
</syscheck>
<rootcheck>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
</rootcheck>
<active-response>
<disabled>yes</disabled>
</active-response>
<!-- Files to monitor (localfiles) -->
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>last -n 5</command>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/iptables</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/cron</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/audit/audit.log</location>
</localfile>
</ossec_config>
EOT
/bin/chown ossec:ossec /var/ossec/etc/ossec.conf
/bin/chmod 640 /var/ossec/etc/ossec.conf
/bin/wget -q https://raw.githubusercontent.com/nomorespice/ossec-extras/master/cis_rhel7_linux_rcl.txt -O /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/bin/chown ossec:ossec /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/bin/chmod 640 /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
# Console Ctrl-Alt-Del no longer reboots the host; rsyncd is masked (CIS 2.2.20).
/bin/systemctl mask ctrl-alt-del.target
/bin/systemctl mask rsyncd
# NOTE(review): touch only updates the timestamp of an existing file. If the
# intent is an empty /etc/securetty (pam_securetty then denies root on every
# console), the file needs to be truncated, e.g. `: > /etc/securetty`.
/usr/bin/touch /etc/securetty
Be sure to add any inbound access rules that are required.
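# Packet filtering uses iptables-services rather than firewalld (CIS 3.5.x):
# the rule sets built by fw.sh are saved to /etc/sysconfig/iptables and
# /etc/sysconfig/ip6tables, which these units load at boot.
/bin/systemctl enable iptables
/bin/systemctl enable ip6tables
/bin/systemctl mask firewalld
# fw.sh is executed once on first boot by /root/runonce.sh, after the SELinux
# port label for ssh exists. The heredoc delimiter is quoted so the $VARS
# below are written literally into the script.
/bin/mkdir -p /script
/bin/cat <<\EOT >/script/fw.sh
#!/bin/bash
# fw.sh
# Firewall Configuration Script
#
# Both stacks: default DROP on every chain, loopback and established traffic
# allowed, everything else logged (prefix routed by rsyslog to
# /var/log/iptables) and dropped. Outbound NEW connections are allowed, i.e.
# there is no egress filtering.
#
#IPv4
#
# Command Variables
IPTABLES=/sbin/iptables
SAVE=/sbin/iptables-save
#
# File/Directory Variables
IPCONF=/etc/sysconfig/iptables
#
# Flush all firewall chains
$IPTABLES -F
$IPTABLES -t nat -F
#
# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#
# Set the default policies to DROP
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP
#
# Use connection state to bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# Inbound
# sshd is configured with AddressFamily inet6 and Port 5224, so no IPv4 ssh
# rule is active; the example below uses the same port as sshd_config.
#$IPTABLES -A INPUT -s 192.168.2.10/32 -p tcp --dport 5224 -m state --state NEW -j ACCEPT
#
# DROP broadcast/multicast packets
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
#
# DROP invalid packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP
#
# LOG and DROP all other packets
$IPTABLES -A INPUT -p all -j LOG --log-prefix "IPTABLE-IN " --log-level debug
$IPTABLES -A INPUT -p all -j DROP
#
# Have these rules take effect when iptables is started
$SAVE > $IPCONF
#
#IPv6
#
# Command Variables
IP6TABLES=/sbin/ip6tables
SAVE=/sbin/ip6tables-save
#
# File/Directory Variables
IPCONF=/etc/sysconfig/ip6tables
#
# Flush all firewall chains
$IP6TABLES -F
$IP6TABLES -X
#
# Set the default policies to DROP
$IP6TABLES --policy INPUT DROP
$IP6TABLES --policy OUTPUT DROP
$IP6TABLES --policy FORWARD DROP
#
# Allow loopback interface
$IP6TABLES -A INPUT -i lo -s ::1/128 -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -d ::1/128 -j ACCEPT
#
# Allow ICMPv6 Traffic (site ULA range and link-local only)
$IP6TABLES -A INPUT -s fd00:0:0:0::/60 -p icmpv6 -j ACCEPT
$IP6TABLES -A INPUT -s fe80::/10 -p icmpv6 -j ACCEPT
$IP6TABLES -A OUTPUT -p icmpv6 -j ACCEPT
#
# Use connection state to bypass rule checking
$IP6TABLES -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IP6TABLES -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Inbound
# The port must match `Port 5224` in /etc/ssh/sshd_config (not the default
# 22); otherwise the catch-all DROP below rejects every new ssh connection.
# Source address is a placeholder for the management host.
$IP6TABLES -A INPUT -s fd00:0:0:1::10/128 -p tcp --dport 5224 -m state --state NEW -j ACCEPT
#
# Deny link-local all nodes multicast group
$IP6TABLES -A INPUT -d ff02::1 -j DROP
#
# LOG and DROP all other packets
$IP6TABLES -A INPUT -p all -j LOG --log-prefix "IP6TABLE-IN " --log-level debug
$IP6TABLES -A INPUT -p all -j DROP
#
# Have these rules take effect when iptables is started
$SAVE > $IPCONF
#
exit
EOT
/bin/chmod 700 /script/fw.sh
# Dedicated log file for the LOG targets above, rotated together with syslog.
# The rsyslog rules match the "IPTABLE"/"IP6TABLE" prefixes and `stop` so the
# entries do not also land in /var/log/messages.
/bin/touch /var/log/iptables
/bin/chmod 600 /var/log/iptables
/bin/sed -i "/messages/ i \/var\/log\/iptables" /etc/logrotate.d/syslog
/bin/cat << EOT >/etc/rsyslog.d/10-iptables.conf
:msg, contains, "IPTABLE" -/var/log/iptables
& stop
:msg, contains, "IP6TABLE" -/var/log/iptables
& stop
EOT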
# Custom tuned profile that inherits virtual-guest and carries the CIS network
# and kernel sysctls (3.1.x-3.3.x: no forwarding, redirects or source routing,
# log martians, rp_filter, syncookies; 1.5.x: ASLR on, no suid core dumps).
# IPv6 stays enabled (disable_ipv6=0) because sshd listens on IPv6 only; RA and
# redirects are rejected instead. The [selinux] section raises the AVC cache.
mkdir /etc/tuned/system_vm
cat << EOT >/etc/tuned/system_vm/tuned.conf
[main]
summary=Custom system profile
include=virtual-guest
[selinux]
avc_cache_threshold=8192
[sysctl]
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_local_port_range=16384 65535
net.ipv4.tcp_keepalive_time=300
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.disable_ipv6=0
net.ipv6.conf.default.disable_ipv6=0
net.ipv6.conf.lo.disable_ipv6=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
kernel.randomize_va_space=2
fs.suid_dumpable=0
EOT
# Activate the profile so the sysctls are applied now and on every boot.
/sbin/tuned-adm profile system_vm
# Login warning banners (CIS 1.7.1.x) for local consoles (/etc/issue, also used
# as the sshd Banner) and network logins (/etc/issue.net). The stock files,
# which leak OS/kernel details via escape sequences, are kept as *.orig.
/bin/mv /etc/issue /etc/issue.orig
/bin/cat << EOT >/etc/issue
WARNING: To protect the system from fraud and abuse, activities
on this system are monitored and subject to audit. Use of this
system is expressed consent to monitor.
EOT
/bin/mv /etc/issue.net /etc/issue.net.orig
/bin/cat << EOT >/etc/issue.net
WARNING: To protect the system from fraud and abuse, activities
on this system are monitored and subject to audit. Use of this
system is expressed consent to monitor.
EOT
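# Shell defaults for root and for new accounts (/etc/skel): vim alias and
# timestamped history. The idle timeout is set once, system-wide, below.
for rc in /root/.bashrc /etc/skel/.bashrc; do
  /bin/echo -E "alias vi='vim'" >> "$rc"
  /bin/echo -E "HISTTIMEFORMAT=\"%Y/%m/%d - %H:%M:%S \"" >> "$rc"
done
# CIS 5.4.4: default umask 027 for interactive shells.
/bin/sed -i 's/umask 002/umask 027/' /etc/bashrc
/bin/sed -i 's/umask 002/umask 027/' /etc/profile
# CIS 5.4.5: 15-minute idle timeout, read-only so users cannot unset it.
# A login shell sources /etc/profile and then, via ~/.bashrc, /etc/bashrc, so
# an unconditional `readonly TMOUT=900` in both files prints
# "TMOUT: readonly variable" on every login; the guard skips the second
# assignment. The per-user TMOUT=3600 previously appended to the .bashrc
# files conflicted with this value and produced the same error, so it is no
# longer written.
for rc in /etc/bashrc /etc/profile; do
  /bin/echo '[ -n "${TMOUT:-}" ] || { readonly TMOUT=900 ; export TMOUT ; }' >> "$rc"
done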
# sudo (CIS 5.2.2/5.2.3): run commands in a pty and log every invocation to
# /var/log/sudo.log; the log file is also watched by the audit rules written
# later and rotated with syslog. Both lines are inserted after the
# "Defaults specification" comment in the stock sudoers.
/bin/sed -i "/Defaults specification/ a Defaults use_pty" /etc/sudoers
/bin/sed -i "/Defaults specification/ a Defaults logfile\=\"\/var\/log\/sudo.log\"" /etc/sudoers
/bin/touch /var/log/sudo.log
# No SSSD on this host: stop nsswitch from consulting it for sudoers rules.
/bin/sed -i 's/sudoers: files sss/sudoers: files/' /etc/nsswitch.conf
/bin/sed -i "/messages/ i \/var\/log\/sudo.log" /etc/logrotate.d/syslog
# Disable unused filesystems (CIS 1.1.1.x), uncommon network protocols
# (CIS 3.4.x) and USB mass storage (CIS 1.1.23): `install X /bin/true` makes
# modprobe run /bin/true instead of loading the module.
/bin/cat << EOT >/etc/modprobe.d/CIS.conf
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install vfat /bin/true
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install usb-storage /bin/true
EOT
# CIS 1.1.16-1.1.18: nodev,noexec,nosuid on /dev/shm.
/bin/echo -E "tmpfs /dev/shm tmpfs nodev,noexec,nosuid 0 0" >> /etc/fstab
Be sure to modify the encrypted password.
# Boot loader password (CIS 1.4.2). PASSWORD is a placeholder for the
# grub.pbkdf2.sha512 hash produced by grub2-mkpasswd-pbkdf2; user.cfg is the
# file the RHEL 7 grub configuration reads it from, so it is kept root-only
# and grub.cfg is regenerated to pick it up.
/bin/cat << EOT >/boot/grub2/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.PASSWORD
EOT
/bin/chmod 600 /boot/grub2/user.cfg
/usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
# Core dumps off (CIS 1.5.1): hard limit 0 for every user and no storage or
# processing by systemd-coredump.
/bin/echo '* hard core 0' >> /etc/security/limits.conf
/bin/echo "Storage=none" >> /etc/systemd/coredump.conf
/bin/echo "ProcessSizeMax=0" >> /etc/systemd/coredump.conf
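# PAM (CIS 5.3.2/5.3.3): lock an account for 10 minutes after 3 failed
# logins via pam_faillock, and remember the last 5 passwords. The same edits
# go into system-auth and password-auth.
# authconfig writes these files with the fields column-aligned (several spaces
# between `auth`, `sufficient` and `pam_unix.so`), so the patterns match any
# run of whitespace; a single-space pattern does not match the generated
# files and the faillock lines would never be inserted. GNU `sed -i` also
# replaces the system-auth -> system-auth-ac symlink with a regular file,
# which keeps a later authconfig run from overwriting these edits.
for pamf in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  /bin/sed -i '/^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix.so nullok try_first_pass/ i auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600' "$pamf"
  /bin/sed -i '/^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix.so nullok try_first_pass/ a auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600' "$pamf"
  /bin/sed -i '/^account[[:space:]]\+required[[:space:]]\+pam_unix.so/ i account required pam_faillock.so' "$pamf"
  /bin/sed -i 's/use_authtok/use_authtok remember=5/' "$pamf"
done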
# CIS 5.6: only members of wheel may su (uncomment pam_wheel and name the group).
/bin/sed -i 's/#auth\t\trequired/auth\t\trequired/' /etc/pam.d/su
# NOTE(review): the leading `\p` in this pattern is a stray escape; the
# intended pattern is `pam_wheel.so use_uid`.
/bin/sed -i 's/\pam_wheel.so use_uid/pam_wheel.so use_uid group=wheel/' /etc/pam.d/su
# CIS 5.4.1.1/5.4.1.2 password ageing: 90 days maximum, 7 days minimum
# (login.defs separates the fields with a tab).
/bin/sed -i 's/PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs
/bin/sed -i 's/PASS_MIN_DAYS\t0/PASS_MIN_DAYS\t7/' /etc/login.defs
# CIS 5.3.1 pwquality: at least 14 characters with one digit, one upper, one
# lower and one special character (a negative credit is a minimum count).
/bin/sed -i "s/# minlen = 9/minlen = 14/" /etc/security/pwquality.conf
/bin/sed -i "s/# dcredit = 1/dcredit = -1/" /etc/security/pwquality.conf
/bin/sed -i "s/# ucredit = 1/ucredit = -1/" /etc/security/pwquality.conf
/bin/sed -i "s/# lcredit = 1/lcredit = -1/" /etc/security/pwquality.conf
/bin/sed -i "s/# ocredit = 1/ocredit = -1/" /etc/security/pwquality.conf
# CIS 5.4.1.4: new accounts are locked 30 days after their password expires.
/sbin/useradd -D -f 30
# auditd (CIS 4.1.1.x): mail when space runs low, halt when the admin
# threshold is hit, and never delete old logs.
/bin/sed -i "s/space_left_action = SYSLOG/space_left_action = EMAIL/" /etc/audit/auditd.conf
/bin/sed -i 's/admin_space_left_action = SUSPEND/admin_space_left_action = HALT/' /etc/audit/auditd.conf
/bin/sed -i 's/max_log_file_action = ROTATE/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
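# Audit rules (CIS 4.1.4-4.1.17). One rule per line: augenrules feeds each
# line to auditctl, so a `-k perm_mod` key wrapped onto its own line is
# rejected as a rule with no watch or syscall; the setxattr/removexattr rules
# are therefore kept on single lines. The heredoc delimiter is quoted so no
# shell expansion touches the rules.
/bin/cat <<\EOT >/etc/audit/rules.d/audit.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1
## Ensure events that modify date and time information are collected
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
## Ensure events that modify user/group information are collected
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## Ensure events that modify the system's network environment are collected
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network-scripts/ -p wa -k system-locale
## Ensure events that modify the system's Mandatory Access Controls are collected
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
## Ensure login and logout events are collected
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
## Ensure session initiation information is collected
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
## Ensure discretionary access control permission modification events are collected
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
## Ensure unsuccessful unauthorized file access attempts are collected
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
## Ensure successful file system mounts are collected
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
## Ensure file deletion events by users are collected
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
## Ensure changes to system administration scope (sudoers) is collected
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
## Ensure system administrator actions (sudolog) are collected
-w /var/log/sudo.log -p wa -k actions
## Ensure kernel module loading and unloading is collected
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
EOT
# Rules are readable by root only.
/bin/chmod 600 /etc/audit/rules.d/audit.rules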
Be sure to modify the Red Hat subscription username and password.
# EPEL is installed for ad-hoc use but left disabled, so `yum update` below
# pulls from Red Hat channels only.
/bin/yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
/bin/yum-config-manager --disable epel
# USER / PASSWORD are placeholders. NOTE(review): the credential is stored in
# the kickstart file (anaconda normally keeps a copy of it under /root on the
# installed system) and passed on the command line; an activation key, or a
# credential read from a file that is removed afterwards, avoids leaving the
# account password on disk.
/sbin/subscription-manager register --username=USER --password='PASSWORD'
/sbin/subscription-manager subscribe --auto
/sbin/subscription-manager repos --enable rhel-7-server-optional-rpms
/bin/yum -y update
# First-boot hook: label the non-default ssh port for SELinux (sshd is already
# set to Port 5224 in enforcing mode, so binding may be denied until this
# runs), apply the firewall rules, then remove itself from rc.local.
/bin/cat << EOT >/root/runonce.sh
#!/bin/bash
/sbin/semanage port -a -t ssh_port_t -p tcp 5224
/script/fw.sh
/bin/sed -i '/runonce.sh/d' /etc/rc.local
EOT
/bin/chmod 700 /root/runonce.sh
/bin/echo -E "/root/runonce.sh" >> /etc/rc.local
# rc-local.service only runs the script when rc.local is executable.
/bin/chmod 700 /etc/rc.d/rc.local
# NOTE(review): the kickstart `reboot` command belongs in the command section
# (there is one after the first %post); a bare `reboot` inside %post would act
# on the installer environment — confirm whether this line is intended.
reboot