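# el6.ks - Minimal RHEL/CentOS 6 Anaconda Kickstart
# Copyright (C) 2013 Matous J. Fialka,
# Released under the terms of The MIT License
#
# <<>> TODO <<>>
#
# - Add OpenSSH daemon configuration according to the CCEs
# - Add NTP daemon configuration according to the CCEs
# - Add IPv4 firewall rules to /etc/sysconfig/iptables
# - Add IPv6 firewall rules to /etc/sysconfig/ip6tables
# - Add TCP wrapper rules to /etc/hosts.deny (ALL: ALL)
# - Add TCP wrapper rules to /etc/hosts.allow (SSH, FTP, SMTP, HTTP)
# - Add missing CCE identifiers everywhere
# - Add package excludes
#
# <<>> BEFORE USE <<>>
#
# - Replace the two "<PLACEHOLDER ...>" values below (rootpw, bootloader)
#   with real password hashes; see the notes next to those commands.
#
#
# <<>> INSTALLATION <<>>
#
install
#
# Uncomment for debugging purposes only
#
#interactive
#
# Do NOT run graphical installation
#
text
#
# Set mirror list
#
# Note: The installation tree is fetched over plain HTTP, so its integrity
#       depends on the mirror and on the network path; prefer a trusted
#       (local) mirror for unattended installations.
#
url --url "http://mirror.centos.org/centos/6/os/x86_64"
#
# Set verbosity level for logging to TTY3
#
logging --level debug
#
# Set language
#
lang "en_US.UTF-8"
#
# Set keyboard
#
keyboard us
#
# Set timezone
#
timezone --utc "Europe/Prague"
#
# Zero Master Boot Record (MBR)
#
zerombr
#
# Clear all partition tables
#
clearpart --all --initlabel
#
# Partitioning (rough and approximate) examples, sizes in megabytes
# (the unit used by --size / --maxsize below)
#
# RAM                256         1024          4096           8192
# HDD              10240        20480         81920         512000
# /                 2040         4080          5120           5120
# /boot              384          384           384            384
# swap               512         2048          6144          10240
# /home              510         1020          1024           1024
# /var        4626 (~45%)  8740 (~28%)  58882 (~72%)  482816 (~94%)
# /var/log          1020         2040          2048           2048
# /var/log/audit     128          128           128            128
# /tmp              1020         2040          8190          10240
#
#
# Create separate partition for /boot mountpoint
#
# Note: There is no special remark on /boot partition size in the OS manual,
#       but we assume that 384 is good enough for most systems.
#
part /boot --asprimary --label part1_bootfs --fstype ext2 --fsoptions nodev,noexec,nosuid,sync --size 384
#
# Create separate partition for system swap
#
# Note: There is a special remark on swap partition size in the OS manual
#       represented by the following formula (m = RAM size, s = swap size):
#
#           m <= 32768:
#               (m <= 2048:                 ; multiplication boundary
#                   (m <= 128:
#                       s = 256,            ; minimal size
#                       s = 2 * m),
#                   s = m + 2048),
#               s = 32768;                  ; maximal size
#
#       i.e. s = 256 for m <= 128, s = 2 * m up to m = 2048, s = m + 2048
#       up to m = 32768, and s = 32768 beyond that.
#
# NOTE(review): --recommended asks Anaconda to size swap itself; confirm on
#       this release how --size and --maxsize bound that result.
#
part swap --asprimary --label part2_swapfs --fstype swap --maxsize 32768 --size 256 --recommended
#
# Create physical volume pv0 on the remaining disk space
#
part pv.0 --asprimary --label part3_pv0 --size 1 --grow
#
# Create volume group vg0_system on pv0
#
volgroup vg0_system pv.0
#
# Create logical volume lv0_rootfs on vg0_system for / mountpoint
#
# Note: There is a special remark on / partition size in the OS manual
#       saying that 5 GiB should be good enough for full installation.
#
logvol / --vgname vg0_system --name lv0_rootfs --fstype ext4 --fsoptions noatime,acl,user_xattr,errors=remount-ro --percent 20 --maxsize 5120 --size 1 --grow
#
# Create logical volume lv1_homefs on vg0_system for /home mountpoint
#
logvol /home --vgname vg0_system --name lv1_homefs --fstype ext4 --fsoptions data=journal,nodev,nosuid,acl,user_xattr --percent 5 --maxsize 1024 --size 1 --grow
#
# Create logical volume lv2_varfs on vg0_system for /var mountpoint
#
# Note: /var takes whatever is left after the bounded volumes (no --maxsize).
#
logvol /var --vgname vg0_system --name lv2_varfs --fstype ext4 --fsoptions noatime,nodev,nosuid,noexec,acl,user_xattr --size 1 --grow
#
# Create logical volume lv3_logfs on vg0_system for /var/log mountpoint
#
logvol /var/log --vgname vg0_system --name lv3_logfs --fstype ext4 --fsoptions data=writeback,nodev,nosuid,noexec,acl,user_xattr --percent 10 --maxsize 2048 --size 1 --grow
#
# Create logical volume lv4_auditfs on vg0_system for /var/log/audit mountpoint
#
# Note: Fixed size (no --grow), matching the 128 MB column in the table above.
#
logvol /var/log/audit --vgname vg0_system --name lv4_auditfs --fstype ext4 --fsoptions data=journal,noatime,nodev,nosuid,noexec,acl,user_xattr --size 128
#
# Create logical volume lv5_tmpfs on vg0_system for /tmp (and /var/tmp) mountpoint
#
logvol /tmp --vgname vg0_system --name lv5_tmpfs --fstype ext4 --fsoptions data=writeback,nodev,nosuid,noexec,acl,user_xattr --percent 10 --maxsize 10240 --size 1 --grow
#
#
# Enable NSA Security Enhanced Linux (SELinux)
#
selinux --enforcing
#
# Enable shadow passwords hashed using SHA-512
#
authconfig --enableshadow --passalgo sha512
#
# Enable firewall and access using SSH protocol
#
firewall --enable --ssh
#
# Set password for superuser account
#
# Note: The hash is supplied pre-computed (--iscrypted) so that no plaintext
#       root password travels with this file over the network or is kept in
#       the kickstart copy Anaconda leaves on the installed system.
#       Generate it on a RHEL/CentOS 6 host with:  grub-crypt --sha-512
#
rootpw --iscrypted "<PLACEHOLDER: SHA-512 crypt hash of the root password>"
#
# Configure bootloader location, password and Linux command line
#
# Note: The bootloader password is likewise given as a hash (--iscrypted),
#       produced with grub-crypt --sha-512 on the target release.
#       "audit=1" enables kernel auditing from boot, so processes started
#       before auditd is running are covered as well.
#
bootloader --driveorder sda,hda --location mbr --timeout 1 --iscrypted --password "<PLACEHOLDER: SHA-512 crypt hash of the bootloader password>" --append "rhgb quiet audit=1"
#
# Disable running setup utility on first boot
#
firstboot --disable
#
# Enable and disable system services
#
# Note: The RHEL/CentOS 6 init script for OpenSSH is "sshd" (the %post
#       section below also runs "chkconfig sshd on"); the previous value
#       "ssh" does not name any init script on this release.
#
services --enable sshd
#
# <<>> PACKAGES <<>>
#
%packages --nobase --excludedocs
#
# Included packages
#
audit
coreutils
e2fsprogs
grub
iptables
iptables-ipv6
lvm2
ntp
openssh-server
policycoreutils
policycoreutils-python
selinux-policy-targeted
setools-console
yum
yum-plugin-fastestmirror
yum-plugin-protectbase
yum-plugin-remove-with-leaves
yum-plugin-show-leaves
yum-presto
#
# Excluded packages
#
%end
#
# <<>> POST <<>>
#
%post --interpreter "/bin/sh" --log "/root/post-install.log"
#
# Define useful aliases
#
# %with opens a tab-indented here-document (<<-, terminated by a line reading
# "%feed"), strips trailing "# ..." comments and blank lines from it with sed,
# and pipes what remains into the command written after the %feed line.
#
# NOTE(review): a non-interactive bash only expands aliases in POSIX mode
# (i.e. when invoked as sh) or with expand_aliases set, so the
# --interpreter "/bin/sh" above is load-bearing; do not change it to bash.
#
alias %with='sed '\''s/[ \t]*#.*$//; /^[ \t]*$/ d'\'' <<- %feed |'
# Here be dragons!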
# # Update installed system # yum -y clean all yum -y update yum -y clean packages # # Fix enabled or disabled services # %with # # Syntax: # # System service # Boolean "on" / "off" switch # # # Enabled services # auditd on iptables on ip6tables on network on sshd on # # Disabled services # # CCE 03668-1, 04129-3 mcstrans off # CCE END netfs off ntpd off postfix off restorecond off %feed while read service switch do chkconfig $service $switch unset service switch done # # Fix filesystem objects ownerships and modes # %with # # Syntax: # # One of "own", "mod", "attr", "acl", "con", "cat" # The "ch" command first argument # The "ch" command second and further arguments # own root:root /etc/passwd # CCE 03988-3 own root:root /etc/shadow # CCE 03883-6 own root:root /etc/group # CCE 03276-3 own root:root /etc/gshadow # CCE 03932-1 mod 0600 /etc/anacrontab mod 0700 /etc/cron.daily mod 0700 /etc/cron.hourly mod 0700 /etc/cron.monthly mod 0600 /etc/crontab mod 0700 /etc/cron.weekly mod 0644 /etc/passwd # CCE 04064-2 mod 0644 /etc/group # CCE 04210-1 mod 0400 /etc/shadow # CCE 03918-0 mod 0400 /etc/gshadow # CCE 03566-7 mod 0700 /root mod 0700 /var/log/audit mod 0600 /var/log/audit/* %feed while read subject value object do ch$subject $value $object unset subject value object done # # Fix or add /var/tmp mountpoint record to filesystem table # sed -i '/^\/\+tmp\/*[ \t]\+\/\+var\/\+tmp\/*[ \t]\+/d' /etc/fstab %with # # Syntax: any valid filesystem table (/etc/fstab) entry # /tmp /var/tmp none rw,nodev,nosuid,noexec,bind 0 0 # CCE 14584-7 %feed cat >> /etc/fstab # # Fix or add proper umask for init(1) program # sed -i '/^[ \t]*umask[ \t]\+[0-9]\+/d' /etc/sysconfig/init %with # # Syntax: things to be appended to /etc/sysconfig/init # umask 027 # CCE 04220-0 %feed cat >> /etc/sysconfig/init # # Fix system configuration in /etc/sysconfig/ # %with # # Syntax: