-
Notifications
You must be signed in to change notification settings - Fork 71
/
Copy pathsecure-kickstart.cfg
595 lines (500 loc) · 19.1 KB
/
secure-kickstart.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
#
# From: Jim Perrin <[email protected]>
#
############## Secure Kickstart version 1.0 ##############
##########################################################
#
# Name: secure-kickstart.cfg
# Description: Kickstart file with many of the DISA STIG
# changes applied via %post functionality
# Distro: CentOS 5 or RHEL 5
#
#
#################### End User Notes ######################
#
# There are a number of considerations to be made when
# using this document. Partitioning space, system use,
# and other tasks that make servers different.
#
#
####################### Usage ############################
#
# 1. Set up partitioning, or leave commented to get the
# anaconda partitioner.
# 2. Review the package list. Add or remove as needed
# 3. This kickstart assumes a local mirror to install
# from. Change this to suit your needs.
install
cdrom
#url --url http://192.168.1.1./installmedia
lang en_US.UTF-8
keyboard us
network --noipv6 --onboot=yes --bootproto=dhcp
#text
########## !! CHANGE THIS !! ##########
#zerombr
#clearpart --all
#partition /boot --fstype "ext3" --size=128 --ondisk=sda
#partition pv.2 --size=0 --grow --ondisk=sda
#volgroup OS_VOL --pesize=32768 pv.2
#logvol swap --fstype swap --name=lvSwap --vgname=OS_VOL --size=2048
#logvol / --fstype ext3 --name=lvRoot --vgname=OS_VOL --size=10240
#logvol /var --fstype ext3 --name=lvVar --vgname=OS_VOL --size=10240
#logvol /home --fstype ext3 --name=lvHome --vgname=OS_VOL --size=10240
#logvol /tmp --fstype ext3 --name=lvTMP --vgname=OS_VOL --size=4096
#logvol /opt --fstype ext3 --name=lvopt --vgname=OS_VOL --size=10240
bootloader --location mbr --password Sekrit
authconfig --enableshadow --enablemd5
selinux --enforcing
rootpw ChangeMe
timezone --utc America/New_York
firewall --enabled --port=22:tcp # This will be further restricted later
reboot
########## UPDATE THE PACKAGE LIST #############
%packages --resolvedeps
# For bare systems, these are the groups you need initially.
@Base
@text-internet
@editors
# For something with a gui, uncomment these
#@gnome-desktop
#@system-tools
#@base-x
#@graphics
#@printing
#@sound-and-video
# Packages added for security
aide
audit
vlock
# Packages removed because we don't need/use them
-compiz
-emacs-leim
-emacspeak
-ethereal
-ethereal-gnome
-gnome-games
-isdn4k-utils
-nmap
-octave
-oprofile
-rcs
-tcpdump
-valgrind
-zsh
%pre
%post --nochroot
mkdir /mnt/sysimage/tmp/ks-tree-copy
if [ -d /oldtmp/ks-tree-shadow ]; then
cp -fa /oldtmp/ks-tree-shadow/* /mnt/sysimage/tmp/ks-tree-copy
elif [ -d /tmp/ks-tree-shadow ]; then
cp -fa /tmp/ks-tree-shadow/* /mnt/sysimage/tmp/ks-tree-copy
fi
cp /etc/resolv.conf /mnt/sysimage/etc/resolv.conf
%post
## Log errors by creating one big subshell
(
if [ -f /usr/share/rhn/RPM-GPG-KEY ]; then
rpm --import /usr/share/rhn/RPM-GPG-KEY
elif [ -f /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 ]; then
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
fi
############# Adding Security Enhancements ############################
################# User Login Security Changes #####################
# GEN000020 (G001)
# GEN000040 (G002)
# GEN000060 (G003)
# Require root password for single user mode
echo "Locking down GEN000020, GEN000040, GEN000060"
echo "Require the root pw when booting into single user mode" >> /etc/inittab
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
echo "GEN000020, GEN000040,GEN000060 Complete"
## Prevent entering interactive boot
perl -npe 's/PROMPT=yes/PROMPT=no/' -i /etc/sysconfig/init
echo "Interactive Boot disabled"
# LNX00580 (L222)
echo "Locking down LNX00580"
perl -npe 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /etc/inittab
echo "LNX00580 Complete"
# We'll get to the updated versions once we configure pam.
# GEN000700
# Change the password expiration time from undefined to 60 days
echo "Locking down GEN000700"
perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 60/' -i /etc/login.defs
chage -M 60 root
echo "GEN000700 Complete"
# GEN000540
# Ensure that the user cannot change their password more than once a day.
echo "Locking down GEN000540"
perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
echo "GEN000540 Complete"
# GEN000480 (G015)
echo "Locking down GEN000480"
echo "Make the user waits four seconds if they fail after LOGIN_RETRIES" >> /etc/login.defs
echo "FAIL_DELAY 4" >> /etc/login.defs
echo "GEN000480 Complete"
# GEN000820
echo "Locking down GEN000820"
perl -npe 's/PASS_MIN_LEN\s+5/PASS_MIN_LEN 9/' -i /etc/login.defs
#STIG specifies using foloowing, but it's not a valid parameter
#echo "PASSLENGTH 9" >> /etc/login.defs
echo "GEN000820 Complete"
## As of RHEL/CentOS 5.3, authconfig supports SHA password encryption
## This cannot be set by default using auth earlier in the KS, so it must be done in %post
echo "Using SHA512 for the password algorithm"
authconfig --passalgo=sha512 --update
echo "Done"
###### PAM Modifications
# These modifications apply to GEN000460, GEN000600 and GEN000620
touch /var/log/tallylog
cat << 'EOF' > /etc/pam.d/system-auth-local
#%PAM-1.0
# Auth Section
auth required pam_tally2.so unlock_time=900 onerr=fail no_magic_root
auth required pam_faildelay.so delay=5000000
auth include system-auth-ac
# Accounts Section
account required pam_tally2.so
account include system-auth-ac
# Password Section
password required pam_pwhistory.so use_authtok remember=5 retry=3
password requisite pam_passwdqc.so min=disabled,disabled,16,12,8
password include system-auth-ac
# Session Section
## By default we're only going to log what root does
## This gets really verbose if we log more.
## If you want to log everyone, remove disable=*
session required pam_tty_audit.so disable=* enable=root
session include system-auth-ac
EOF
# Create some basic shell rules for users.
echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=600" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh
# GEN002560
# Reset the umasks for all users to 077
echo "Locking down GEN002560"
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
echo "GEN002560 Complete"
## Require GUI consoles to lock if idle longer than 10 minutes.
if [ -f /etc/gconf/gconf.xml.mandatory ]; then
gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool \
--set /apps/gnome-screensaver/idle_activation_enabled true
gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type bool --set /apps/gnome-screensaver/lock_enabled true
gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type string \
--set /apps/gnome-screensaver/mode blank-only
gconftool-2 --direct \
--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
--type int \
--set /apps/gnome-screensaver/idle_delay 10
fi
## No one gets to run cron or at jobs unless we say so.
echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny
# GEN000400 (G010)
echo "Locking down GEN000400"
# Set the /etc/issue file to something scary. This one has no linefeeds, so it will wrap accordingly.
# Change this to your own banner for organizations outside the Scary Zone
cat << 'EOF' >/etc/issue
USE OF THIS COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES.
EOF
echo "GEN000400 Completed"
# The banner above works great for shell logins, but won't work for gui logins.
if [ -f /etc/gdm/PreSession/Default ]; then
# GEN000420 (G011)
# This part creates the same login banner once your username and password has been entered. This has linefeeds in it.
# Text needs to be cleaned up a touch.
echo "Locking down GEN000420"
perl -npe 's/exit\s0/\n/' -i /etc/gdm/PreSession/Default
cat << 'EOF' >> /etc/gdm/PreSession/Default
/usr/bin/gdialog --yesno "Agree = 'OK' Disagree = 'Cancel'
USE OF THIS COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES.
Agree = 'OK' Disagree = 'Cancel'"
if ( test 1 -eq $? ); then
/usr/bin/gdialog --infobox "Logging out in 10 Seconds" 1 20 &
sleep 10
exit 1
fi
exit 0
EOF
echo "GEN000420 Completed"
fi
################## File and Directory Security #########################
# Restrict mount points with noexec, nosuid, and nodev where applicable
# GEN002420
echo "Locking down GEN002420"
FSTAB=/etc/fstab
SED=/bin/sed
#nosuid on /home
if [ $(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | grep -c "nosuid") -eq 0 ]; then
MNT_OPTS=$(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | awk '{print $4}')
${SED} -i "s/\([[:blank:]]\/home.*${MNT_OPTS}\)/\1,nosuid/" ${FSTAB}
fi
# nosuid on /sys
if [ $(grep "[[:blank:]]\/sys[[:blank:]]" ${FSTAB} | grep -c "nosuid") -eq 0 ]; then
MNT_OPTS=$(grep "[[:blank:]]\/sys[[:blank:]]" ${FSTAB} | awk '{print $4}')
${SED} -i "s/\([[:blank:]]\/sys.*${MNT_OPTS}\)/\1,nosuid/" ${FSTAB}
fi
## nosuid on /boot
if [ $(grep "[[:blank:]]\/boot[[:blank:]]" ${FSTAB} | grep -c "nosuid") -eq 0 ]; then
MNT_OPTS=$(grep "[[:blank:]]\/boot[[:blank:]]" ${FSTAB} | awk '{print $4}')
${SED} -i "s/\([[:blank:]]\/boot.*${MNT_OPTS}\)/\1,nosuid/" ${FSTAB}
fi
# nodev on /usr
if [ $(grep "[[:blank:]]\/usr[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
MNT_OPTS=$(grep "[[:blank:]]\/usr[[:blank:]]" ${FSTAB} | awk '{print $4}')
${SED} -i "s/\([[:blank:]]\/usr.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB}
fi
#nodev on /home
if [ $(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
MNT_OPTS=$(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | awk '{print $4}')
${SED} -i "s/\([[:blank:]]\/home.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB}
fi
# nodev on /usr/local
if [ $(grep "[[:blank:]]\/usr/local[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
MNT_OPTS=$(grep "[[:blank:]]\/usr/local[[:blank:]]" ${FSTAB} | awk '{print $4}')
${SED} -i "s/\([[:blank:]]\/usr\/local.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB}
fi
# nodev and noexec on /tmp
if [ $(grep "[[:blank:]]\/tmp[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
MNT_OPTS=$(grep "[[:blank:]]\/tmp[[:blank:]]" ${FSTAB} | awk '{print $4}')
${SED} -i "s/\([[:blank:]]\/tmp.*${MNT_OPTS}\)/\1,nodev,noexec/" ${FSTAB}
fi
# nodev and noexec on /var/tmp
if [ $(grep "[[:blank:]]\/var/tmp[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
MNT_OPTS=$(grep "[[:blank:]]\/tmp[[:blank:]]" ${FSTAB} | awk '{print $4}')
${SED} -i "s/\([[:blank:]]\/var/tmp.*${MNT_OPTS}\)/\1,nodev,noexec/" ${FSTAB}
fi
# nodev on /var
if [ $(grep "[[:blank:]]\/var[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
MNT_OPTS=$(grep "[[:blank:]]\/var[[:blank:]]" ${FSTAB} | awk '{print $4}')
${SED} -i "s/\([[:blank:]]\/var.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB}
fi
echo "GEN002420 Complete"
# By default /root has permissions of 750. Change this to 700
# GEN000920 (G023)
echo "Locking down GEN000920"
# Correct the permissions on /root to a DISA allowed 700
chmod 700 /root
echo "GEN000920 Complete"
# GEN002680 (G094)
# reset permissions on audit logs
echo "Locking down GEN002680"
chmod 700 /var/log/audit
chmod 600 /var/log/audit/*
echo "GEN002680 Complete"
# GEN003080
echo "Locking down GEN003080"
chmod 600 /etc/crontab
chmod 700 /usr/share/logwatch/scripts/logwatch.pl
echo "GEN003080 Complete"
# GEN003520 ( RHEL5 default anyway )
echo "Locking down GEN003520"
chmod 700 /var/crash
chown -R root.root /var/crash
echo "GEN003520 Complete"
# GEN006520
echo "Locking down GEN006520"
chmod 740 /etc/rc.d/init.d/iptables
chmod 740 /sbin/iptables
chmod 740 /usr/share/logwatch/scripts/services/iptables
echo "GEN006520 Complete"
# GEN001560
echo "Locking down GEN001560"
chmod -R 700 /etc/skel
echo "GEN001560 Complete"
# GEN005400 (G656)
# Reset the permissions to a DISA-blessed rw-r-----
echo "Locking down GEN005400"
chmod 640 /etc/syslog.conf
echo "GEN005400 Complete"
# LNX00440 (L046)
# Set mode to DISA-blessed rw-r------
echo "Locking down LNX00440"
chmod 640 /etc/security/access.conf
echo "LNX00440 Complete"
# GEN001260
echo "Locking down GEN001260"
perl -npe 's%chmod 0664 /var/run/utmp /var/log/wtmp%chmod 0644 /var/run/utmp /var/log/wtmp%g' -i /etc/rc.d/rc.sysinit
echo "GEN001260"
# LNX00520 (L208)
echo "Locking down LNX00520"
chmod 600 /etc/sysctl.conf
echo "LNX00520 Complete"
# Add some enhancements to sysctl
cat << 'EOF' >> /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 1
EOF
########## Turn off the uneeded stuff #############
# IAVA0410 (G592) and GEN003700
# Turn off unneeded services
# You may want to leave sendmail enabled but the STIG says otherwise
# I mark this as mitigated by the firewall, and not accepting outside
# connections. The NSA RHEL5 guide has a full service list
# with recommendations
echo "Locking down IAVA0410 and GEN003700"
/sbin/chkconfig bluetooth off
/sbin/chkconfig irda off
/sbin/chkconfig lm_sensors off
/sbin/chkconfig portmap off
/sbin/chkconfig rawdevices off
/sbin/chkconfig rpcgssd off
/sbin/chkconfig rpcidmapd off
/sbin/chkconfig rpcsvcgssd off
/sbin/chkconfig sendmail off
/sbin/chkconfig xinetd off
/sbin/chkconfig kudzu off
echo "IAVA0410 and GEN003700 Complete"
######### Remove useless users ##############
# This isn't strictly needed as they have a default shell of nologin
# but we're removing them anyway to be safe.
echo "Locking down LNX0034 and GEN004840"
/usr/sbin/userdel shutdown
/usr/sbin/userdel halt
/usr/sbin/userdel games
/usr/sbin/userdel operator
/usr/sbin/userdel ftp
/usr/sbin/userdel news
/usr/sbin/userdel gopher
echo "LNX0034 and GEN004840 Complete"
############# SSH restrictions ###############
#
# Uncomment this if you have physical access to the machine.
# This will lock root out from ssh.
# GEN001120 (G500)
# We need to restrict ssh root logins;
#echo "Locking down GEN001120"
#perl -npe 's/#PermitRootLogin yes/PermitRootLogin no/' -i /etc/ssh/sshd_config
#echo "GEN001120 Complete"
#GEN005540
echo "Locking down GEN005540"
perl -npe 's/^#Banner \/some\/path/Banner \/etc\/issue/g' -i /etc/ssh/sshd_config
echo "GEN005540 Complete"
perl -npe 's/^#ServerKeyBits 768/ServerKeyBits 2048/g' -i /etc/ssh/sshd_config
perl -npe 's/^#MaxAuthTries 6/MaxAuthTries 3/g' -i /etc/ssh/sshd_config
################ Configure a better default firewall ###############
cat << 'EOF' > /etc/sysconfig/iptables
#Drop anything we aren't explicitly allowing. All outbound traffic is okay
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log anything on eth0 claiming it's from a local or non-routable network
# If you're using one of these local networks, remove it from the list below
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. Restrict this to known ips if possible.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
EOF
###### Check to see if we have network access for updates ##########
# For RHEL systems, change the profile name and key
# Documentation for activation keys can be found at
# http://kbase.redhat.com/faq/docs/DOC-2475
2>/dev/null >/dev/tcp/google.com/80
if [ $? -eq 0 ]; then
if [ -f /usr/share/rhn/RPM-GPG-KEY ]; then
rhnreg_ks --profilename=secure-rhel --activationkey=xxxxxxxxxxx
fi
cat << 'EOF' >> /etc/yum.conf
exclude = *.i?86
EOF
yum -y remove *.i?86
yum -y update
else
echo "There's no network. No updates performed"
fi
############### Beef up the default ruleset for AIDE #################
# Setup AIDE off this baseline
echo "Setting up baseline AIDE configuration ...."
echo "NOTE!!! PLEASE REVIEW THIS, AND EDIT FOR YOUR SPECIFIC CONFIGURATION!"
# Write /etc/aide.conf
echo "Appending default setuid/setgid and 666 f/d to default /etc/aide.conf"
cat << 'EOF' >> /etc/aide.conf
# World-Writable files and directories
# Note: There are no ww files in the base install
# World-Writable Directories in base install
/tmp PERMS
/tmp/.pk11ipc1 PERMS
/tmp/.font-unix PERMS
/tmp/.ICE-unix PERMS
/tmp/.X11-unix PERMS
/var/tmp PERMS
# set-UID and set-GID files in base install
/sbin/netreport PERMS
/usr/libexec/utempter/utempter PERMS
/usr/sbin/lockdev PERMS
/usr/sbin/sendmail.sendmail PERMS
/usr/lib/vte/gnome-pty-helper PERMS
/usr/bin/locate PERMS
/usr/bin/write PERMS
/usr/bin/wall PERMS
/usr/bin/ssh-agent PERMS
/usr/bin/lockfile PERMS
/usr/bin/screen PERMS
EOF
echo "done adding to /etc/aide.conf"
echo ""
echo "Building a initial AIDE DB..."
/usr/sbin/aide -i
echo "Initial AIDE DB complete"
echo ""
echo "Copping initial AIDE DB to initial baseline AIDE DB..."
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
echo "done copping initital AIDE DB"
echo ""
echo ""
echo "Please review your AIDE configuration, default DB locations,"
echo "cron jobs, etc. to fit your needs"
echo ""
echo "GEN02440 and GEN2380 Complete"
) > /root/kickstart-log.txt 2>&1