hardened-centos7-kickstart's People

Contributors

cwjenkins, fcaviggia, jashines, openface, stephenwb

hardened-centos7-kickstart's Issues

Feature Discussion: Automated install by running menu.py on media creation.

Unless I am missing something, I feel that the media.py is only helpful for attended installations because you need to manually enter parameters on boot. I think it would be better if there were also an option to run menu.py before installation and include a config file that would allow for an automated installation. Thoughts?

UDF module can't be loaded

I am uploading this to Azure, and need the udf module to load. When I insmod it, it works fine, but when I try to modprobe it, it doesn't work. Am I fighting against something in the security hardening that prevents modules from being loaded?

CentOS 7.6 Fails to boot on fresh install.

Install type was workstation, hard drive not encrypted, all other settings set to default. GUI will start, but then seems to crash; working on getting logs to post.

Update:
While this isn't a root fix, it's a workaround. I edited the startup config, set the runlevel to 3, then ran the command 'yum groupinstall "GNOME Desktop" -y' and rebooted, and it seems to be working now. Will dig into it a little bit more later when I get some time, but figured I would let you know now.

Firewalld systemd

Hello

I would like to know how firewalld is configured in a chroot environment without using firewall-offline-cmd.
I have checked in your code that it is possible using firewall-cmd directly.

Thanks.

Development Update

Well thanks to COVID-19 - I'm allowed to work from home on development that would benefit things on alternating weeks - I'm going to take the time to update scripts to Python3 and work on the development for RHEL/CentOS 8. I might take a slightly different take in doing the kickstarts and scripts to be distributed via satellite and/or embed on a DVD (DVD-DL) for installation. Look for an update early next year.

use of grub2-mkconfig -o /boot/grub2/grub.cfg results in no "fips=1" directives (need to update /etc/default/grub)

/etc/default/grub needs the additional configs so that grub2-mkconfig -o /boot/grub2/grub.cfg will actually emit "fips=1" directives. I had to redo the grub.cfg file due to blacklisting nouveau, and that ended up dropping fips.

See https://access.redhat.com/discussions/3487481 for some specifics, but in particular:
echo 'GRUB_CMDLINE_LINUX_DEFAULT="fips=1"' >> /etc/default/grub

Thanks Frank
RJ
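Appending a whole new GRUB_CMDLINE_LINUX_DEFAULT line, as above, duplicates or shadows any line already in /etc/default/grub. The added example below (written for this page, not code from the issue or the project) instead inserts fips=1 into an existing GRUB_CMDLINE_LINUX value idempotently and offers a check for it; the sample file contents and the function names are constructed.

```shell
#!/bin/sh
# Added example (not from the issue or the project): idempotently add a kernel
# argument to GRUB_CMDLINE_LINUX in an /etc/default/grub-style file. The file
# path is a parameter so the function can be exercised on a copy first.
# After the real file changes, grub2-mkconfig -o /boot/grub2/grub.cfg must still
# be run for the argument to reach grub.cfg.

# ensure_kernel_arg FILE ARG -> adds ARG to GRUB_CMDLINE_LINUX if not present.
ensure_kernel_arg() {
    file="$1"; arg="$2"
    if grep -q "^GRUB_CMDLINE_LINUX=" "$file"; then
        # already there: nothing to do, which keeps repeated runs harmless
        if grep "^GRUB_CMDLINE_LINUX=" "$file" | grep -qw -- "$arg"; then
            return 0
        fi
        # append inside the existing double-quoted value
        sed -i "s/^\(GRUB_CMDLINE_LINUX=\"[^\"]*\)\"/\1 $arg\"/" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$arg" >> "$file"
    fi
}

# kernel_arg_in_file FILE ARG -> 0 when GRUB_CMDLINE_LINUX contains ARG.
kernel_arg_in_file() {
    grep "^GRUB_CMDLINE_LINUX=" "$1" | grep -qw -- "$2"
}

# Constructed sample of a CentOS 7 /etc/default/grub (not a real file);
# prints the path of the temporary copy it wrote.
demo_grub_file() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=vg1/lv_root rhgb quiet"
EOF
    printf '%s' "$f"
}
```

On RHEL/CentOS 7 with a separate /boot partition (as this kickstart creates), Red Hat's FIPS documentation also calls for a boot=UUID=<uuid of /boot> argument next to fips=1, so check that as well before relying on the mode.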

Tried script with C8 and failed under virtualbox

I just wanted to customize a C8 image with a few of our packages, but alas using this technique I can only produce an image that fails to install.

To create the image I patched the createiso.sh, see attached. All goes well until I try to use the ISO to install under VirtualBox. It seems to work under libvirt.

I hope it's helpful.

c8.patch.zip

Error when setting Installation Source

Hello,

I am receiving an error when trying to set an installation source. I used the CentOS-7 1708 ISO version for the hardened ISO. The pre-installation scripts execute fine, and after I set the root password, it starts executing the rest. It comes up with a text menu that has the set Language, Time, Network, and Kdump options. It is also asking for Installation source, for which I am using a DVD in a USB CD-ROM drive. It errors out when selecting this option, saying "Error setting up software source", which prevents me from continuing the installation. I think this might be an anaconda problem, but I'm not sure.

Big disk and install issue

Hello,
I am trying to install the hardened OS generated from Centos 7.4 on a new physical server with 15Tb (in a single RAID disk/volume).
And I get this error (see ) whatever partition percentage I use; setting all to 1% gives me the same.
[picture]

The same generated ISO works fine in smaller VMs.

Does anyone have an idea how to fix this ?

I looked at the menu.py, but I don't see any issue:
f.write('clearpart --all --drives='+str(self.data["INSTALL_DRIVES"])+'\n')
if self.encrypt_disk.get_active():
    # the quotes around the cipher name must be escaped inside the single-quoted literal
    f.write('part pv.01 --grow --size=200 --encrypted --cipher=\'aes-xts-plain64\' --passphrase='+self.quoted_password+'\n')
else:
    f.write('part pv.01 --grow --size=200\n')
f.write('part /boot --fstype=xfs --size=1024\n')
f.write('volgroup vg1 --pesize=4096 pv.01\n')
if os.path.isdir('/sys/firmware/efi'):
    f.write('part /boot/efi --fstype=efi --size=200\n')
f.write('logvol / --fstype=xfs --name=lv_root --vgname=vg1 --percent='+str(self.root_partition.get_value_as_int())+'\n')
f.write('logvol /home --fstype=xfs --name=lv_home --vgname=vg1 --percent='+str(self.home_partition.get_value_as_int())+'\n')
f.write('logvol /tmp --fstype=xfs --name=lv_tmp --vgname=vg1 --percent='+str(self.tmp_partition.get_value_as_int())+'\n')

Unable to access OS after a period of time

We are using an ISO with the hardened CentOS7 on several VMs in our JWICS lab. They were installed with the Workstation configuration to enable access to GNOME. There are no issues when the VMs are actively being used. However, we've experienced odd behavior after not using a VM for a few days. The VM appears to be frozen, no mouse or keyboard actions work. Then, after restarting the guest, the OS boots but to a black screen and not the GNOME login screen. There appears to be an image covering the login screen. We thought the user could have been locked out, but when booting into troubleshooting, the user is not locked out (via grep'ing /etc/shadow). We changed the root and admin passwords, but were still unable to get to the GNOME login. This has happened on several occasions on different VMs. We even had a snapshot and a template, but when either restoring the snapshot or creating a new VM from the template, the same behavior was seen. Is there some sort of lock-out mechanism at play in this hardened OS? Stopping and re-starting the VM does nothing. The only option has been to reinstall. Any guidance will be very much appreciated. We're looking to deploy a system of record with this OS and need to have confidence that it will operate properly. I haven't seen any documentation that could possibly explain our issue.

UEFI boot?

I did try to use it to create a Hyper-V generation 2 VM (which will only boot EFI); any special options to make it work? Not a huge deal, more of a question. The supplied ISO didn't boot in EFI mode, only in legacy mode.

Thomas

USB keyboard/mouse do not work after install

I've attempted to use the hardened CentOS 7 ISO on two different machines and keep running into an issue where the keyboard and mouse are non-responsive after install. They do work fine during the installation. I've attempted removing usbguard from the hardening config but that wasn't the issue. I was wondering if you've experienced this issue or what part of the config or SCAP guide may be causing this? I perused the CFG files but beyond usbguard nothing stood out.

CentOS 6+

This is not really an issue but why is there no hardened-centos7-kickstart?

-f 1

Love this project! I performed this install on a test VM and then ran Nessus against it, and a few items were found.

STIG 030010
shut down the system if it fails to audit log
grep "f 1" /etc/audit/rules.d/audit.rules || echo '-f 1' >> /etc/audit/rules.d/audit.rules

STIG 010270
remember=5 not in /etc/pam.d/system-auth-ac

STIG 040510
firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow 0 -p tcp -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

STIG 020100
this is a finding, but usb storage is disabled in another way
echo blacklist usb-storage >> /etc/modprobe.d/blacklist.conf

STIG 040680
postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'

STIG 040160
sed -i "s|TMOUT=900|TMOUT=600|g" /etc/profile.d/autologout.sh

That is all I've found so far. There was some smartcard stuff and some other random things that I don't think can be addressed in this project. Overall I'm impressed and I plan to utilize this project on future builds.

Issues with RPMs while installing

I'm experiencing the issue shown below on both bare metal and in VirtualBox. If I type 'yes' to continue it will keep prompting with the next RPM to install. Happens with both DHCP and static IP, and I am able to ping external IP addresses when this is happening.

[image]

dracut script timeout

After booting I receive timeouts: "dracut initqueue hook script timeouts". Tried multiple ways to create a bootable USB image (dd, rufus, etc.). Tried multiple devices to boot from. All end up with the same timeout error, even on a VM.

Any ideas how to fix this?

Licence Change (GPLv2 -> APL2.0)

I would like to change the Licence of this project from GNU Public Licence version 2 (GPLv2) to Apache Public Licence 2.0 (APL2.0) to allow people to utilize this software without having to submit changes back to the project. I believe that this will allow for better use in the DOD/IC without the requirements to give back everything - however, it would still remain open source as a reference model.

Adding DVD as disabled repo

Hi Frank,

This is more of a question than an issue, but thought I'd ask anyway.

https://github.com/fcaviggia/hardened-centos7-kickstart/blob/master/config/hardening/hardened-centos.cfg#L150

Here I see that you've added the CentOS-DVD as a yum repo, but not enabled. (enabled=0) Later, there are calls to yum install. Without specifying --enablerepo=centos-dvd, wouldn't this cause yum to fetch packages from whichever repos are enabled? Unless I'm misunderstanding something, the CentOS-DVD repo should be added with enabled=1. ???

I'm currently working on making this package work in an offline environment, so it's important that no remote fetches happen.

Thanks for any clarification on the intent here.

Grub Config

Line 176 of hardened-centos.cfg is

chmod 600 /boot/grub2/grub2.cfg

it should be

chmod 600 /boot/grub2/grub.cfg
