###############################################################################
# Hardened CentOS 7 DVD CREATOR
#
# This script was written by Frank Caviggia
# Last update was 08 JAN 2019
#
# Author: Frank Caviggia ([email protected])
# Copyright: Frank Caviggia, (c) 2018
# License: Apache License, Version 2.0
# Description: Hardened Installation of CentOS 7
###############################################################################

ABOUT
=====
Modifies a CentOS 7.3+ (1611) (tested with CentOS-7-x86_64-DVD-1810.iso) x86_64 DVD
with a kickstart that will install a system that is configured and hardened to
meet government-level regulations.

NOTE: ROOT ACCOUNT IS LOCKED WITH INSTALL. USE 'admin' ACCOUNT WITH 'sudo' INSTEAD.

The kickstart script involves the integration of the following projects into a
single installer:

- classification-banner.py (Python for displaying a graphical classification banner)
  https://github.com/RedHatGov/classification-banner
- SCAP Security Guide (SSG) - Hardening Script for CentOS7
  https://github.com/openscap/scap-security-guide

CONTENT
=======
createiso.sh - installation script to modify CentOS 7.2+ ISO image
/config - Kickstarts, Python, and RPMs needed to modify image.
    EFI/BOOT/
        grub.cfg - Menu Configuration for UEFI boot
    isolinux/
        isolinux.cfg - Menu Configuration for Kickstart
    hardening/
        hardened-centos.cfg
            Kickstart Configuration (Calls menu.py in %pre)
        menu.py
            Python Script that presents a graphical menu to modify the kickstart.
            Contains the "Profiles" for configuring the system partitioning and
            packages.
        classification-banner.py
            Graphical Classification Banner (for GNOME Desktops User/Developer
            Workstation Profiles)
        supplemental.sh
            Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME, wheel group
            for root access, etc.)
        ovirt-engine-install.sh
            Script to install and configure Ovirt Manager.
        ovirt-kvm-preinstall.sh
        ovirt-kvm-postinstall.sh
            Scripts to install Ovirt-Attached KVM hypervisor. Script will loosen
            settings temporarily to allow registration of the system with Ovirt
            Manager by allowing root login and allowing exec in /tmp. Run
            rhevm-postinstall.sh after system is added into Ovirt Manager.
            Copied to /root after kickstart install.
        iptables.sh (use with KVM and Ovirt hosts, uses iptables/ebtables)
            Configures iptables firewall during kickstart installation. Called in
            menu.py script. Firewall is configured to recommended ports for each
            product or profile. Copied to /root after kickstart install. FirewallD
            is default except for KVM systems.
        ipa-pam-configuration.sh
            Configures system for using IPA/IdM authentication by overwriting the
            pam.d configurations. Copied to /root after kickstart installation.
        scap-security-guide-*.el7.noarch.rpm
            SCAP Security Guide for implementing DISA STIG profile on CentOS and
            Firefox.
        usbguard-*.x86_64.rpm
            USB guard will control what USB devices are accessible by the system.

HARDENING INFORMATION
=====================
Here is some additional information added by the supplemental hardening script in
addition to the SSG:

1. The kernel option for FIPS 140-2 mode is contained on the kickstart menu
2. Shell timeout (bash/csh) is 15 minutes of inactivity, vlock will lock CLI console
   (scripts are located under /etc/profile.d/autologout.{sh,csh})
3. The 'wheel' group is required for privileged users (beyond root) to run `su -` or
   `sudo -i` commands, sudo timeout is 5 minutes
4. The 'sshusers' group is required for SSH/SFTP access, other users are limited to
   console access without this group
5. Additional software such as McAfee ePO/HBSS may be required to meet site policy
6. Configure PTP or NTP for time synchronization (/etc/chrony.conf or /etc/ntp.conf)
7. Configure rsyslog to send logs to centralized log monitoring (/etc/rsyslog.conf)
8. Create users:
   NOTE: The root user is locked now - use 'admin' user account with sudo instead of root.

   Local Console Access Only (Unprivileged)
   # useradd -m -c "Local User" localuser

   Remote Access (Unprivileged)
   # useradd -m -c "Remote User" -G sshusers remoteuser

   System Administrator (SA) (Privileged User)
   # useradd -m -c "System Administrator" -G sshusers,wheel admin

9. Wireless is disabled in a number of ways with Network Manager including:
   a.) `nmcli radio all off` command in /etc/rc.local
   b.) Dconf configurations to disable the creation of wireless networks:

       /etc/dconf/db/gdm.d/99-gnome-hardening
       [org.gnome.nm-applet]
       disable-wifi-create=true

       /etc/dconf/db/gdm.d/locks/99-gnome-hardening
       /org/gnome/nm-applet/disable-wifi-create

       /usr/share/glib-2.0/schemas/99_custom_settings.gschema.override
       [org.gnome.nm-applet]
       disable-wifi-create=true

   Generally, wireless should not be used on a DoD/IC system.

EXAMPLE
=======
#
# ./createiso.sh CentOS-7-x86_64-DVD-1601-01.iso
Mounting CentOS DVD Image...
mount: /dev/loop1 is write-protected, mounting read-only
Done.
Copying CentOS DVD Image...
Done.
Modifying CentOS DVD Image...
Done.
Remastering CentOS DVD Image...
...
  0.23% done, estimate finish Wed Feb 10 07:34:24 2016
  0.46% done, estimate finish Wed Feb 10 07:37:59 2016
  0.70% done, estimate finish Wed Feb 10 07:36:47 2016
  0.93% done, estimate finish Wed Feb 10 07:36:11 2016
  1.16% done, estimate finish Wed Feb 10 07:35:50 2016
  1.39% done, estimate finish Wed Feb 10 07:35:35 2016
  1.62% done, estimate finish Wed Feb 10 07:35:25 2016
  1.85% done, estimate finish Wed Feb 10 07:35:17 2016
  2.09% done, estimate finish Wed Feb 10 07:35:11 2016
  2.32% done, estimate finish Wed Feb 10 07:35:07 2016
  2.55% done, estimate finish Wed Feb 10 07:35:03 2016
  2.78% done, estimate finish Wed Feb 10 07:34:59 2016
  3.01% done, estimate finish Wed Feb 10 07:34:57 2016
  3.24% done, estimate finish Wed Feb 10 07:34:54 2016
  3.48% done, estimate finish Wed Feb 10 07:34:52 2016
  3.71% done, estimate finish Wed Feb 10 07:34:50 2016
  3.94% done, estimate finish Wed Feb 10 07:34:49 2016
  4.17% done, estimate finish Wed Feb 10 07:34:47 2016
  4.40% done, estimate finish Wed Feb 10 07:34:46 2016
  4.63% done, estimate finish Wed Feb 10 07:34:45 2016
  4.87% done, estimate finish Wed Feb 10 07:34:44 2016
  5.10% done, estimate finish Wed Feb 10 07:34:43 2016
  5.33% done, estimate finish Wed Feb 10 07:34:42 2016
  5.56% done, estimate finish Wed Feb 10 07:34:41 2016
...
 99.87% done, estimate finish Wed Feb 10 07:34:35 2016
Total translation table size: 2048
Total rockridge attributes bytes: 417876
Total directory bytes: 712704
Path table size(bytes): 158
Max brk space used 3af000
2157808 extents written (4214 MB)
Done.
Signing CentOS DVD Image...
Inserting md5sum into iso image...
md5 = e526291fc5ff0c83a7de64c183f27b78
Inserting fragment md5sums into iso image...
fragmd5 = 631648db156318da3cf5aef0db4d65efa7a774fcceabc45e9ecd7476f22b
frags = 20
Setting supported flag to 0
Done.
DVD Created. [hardened-centos7-x86_64.iso]
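A post-install audit of the items listed under HARDENING INFORMATION, added here as an example and not one of the project's own scripts. It assumes the kickstart enforces each item through the standard mechanism (sshd `AllowGroups sshusers`, `pam_wheel.so` in /etc/pam.d/su, `TMOUT=900` in /etc/profile.d/autologout.sh, `Defaults timestamp_timeout=5` in /etc/sudoers, `fips=1` on the kernel command line); the ROOT argument lets it run against a mounted image tree or the constructed fixture instead of the live system.

```shell
#!/bin/sh
# Added example: audit the settings the supplemental hardening script is said to
# apply. The enforcement details (AllowGroups, pam_wheel, TMOUT, timestamp_timeout,
# fips=1) are assumptions about how the kickstart implements each item.

# check_setting LABEL FILE REGEX: print PASS/FAIL, return 1 on failure
check_setting() {
    if [ -r "$2" ] && grep -Eq "$3" "$2"; then
        echo "PASS  $1"
        return 0
    fi
    echo "FAIL  $1 ($2)"
    return 1
}

# audit_hardening ROOT: run every check below ROOT ("" = live system);
# the return value is the number of failed checks
audit_hardening() {
    root=${1:-}
    fails=0
    check_setting "SSH/SFTP limited to sshusers group" "$root/etc/ssh/sshd_config" \
        '^[[:space:]]*AllowGroups([[:space:]]+[^[:space:]]+)*[[:space:]]+sshusers([[:space:]]|$)' \
        || fails=$((fails + 1))
    check_setting "su - restricted to wheel group" "$root/etc/pam.d/su" \
        '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' \
        || fails=$((fails + 1))
    check_setting "15-minute idle shell timeout" "$root/etc/profile.d/autologout.sh" \
        '^[[:space:]]*(readonly[[:space:]]+)?TMOUT=900([[:space:]]|$)' \
        || fails=$((fails + 1))
    check_setting "sudo timeout 5 minutes" "$root/etc/sudoers" \
        '^[[:space:]]*Defaults.*timestamp_timeout=5([[:space:]]|,|$)' \
        || fails=$((fails + 1))
    check_setting "FIPS 140-2 kernel mode" "$root/proc/cmdline" \
        '(^|[[:space:]])fips=1([[:space:]]|$)' \
        || fails=$((fails + 1))
    return "$fails"
}

# make_fixture: constructed root tree with every setting present, so the audit
# can be exercised offline; prints the directory path
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/etc/pam.d" "$d/etc/profile.d" "$d/proc"
    printf 'AllowGroups wheel sshusers\n' > "$d/etc/ssh/sshd_config"
    printf 'auth required pam_wheel.so use_uid\n' > "$d/etc/pam.d/su"
    printf 'TMOUT=900\nreadonly TMOUT\n' > "$d/etc/profile.d/autologout.sh"
    printf 'Defaults timestamp_timeout=5\n' > "$d/etc/sudoers"
    printf 'BOOT_IMAGE=/vmlinuz ro fips=1 quiet\n' > "$d/proc/cmdline"
    echo "$d"
}
```

Run `audit_hardening ""` on the installed system, or `audit_hardening /mnt/image` against a mounted root tree; a non-zero exit status is the count of items that did not verify.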