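#!/bin/bash
# this is beta until I test it, but I have high confidence it will work
#
# I ran these commands manually after making a RHEL 8.4 build from the RHEL 8.4 iso
# selecting the server role, and the security profile mentioned in the discussion.
# These commands were run AFTER BUILD and it brought the system to 99.6% compliance.
# NOTE, you MUST have the proper partitions established with the proper directives.
#
### the things here are what was needed to take the basic DISA STIG security
### profile load to 99.6% in this example.
### READ the warnings/and other expectation-management things at top.
#
# Notes on this revision of the script:
#  - backups are taken BEFORE the first edit of a file (previously sshd_config
#    was backed up after it had already been changed)
#  - every "uncomment it with sed" edit goes through a helper that sets the value
#    whether the line is commented, present with another value, or absent (a bare
#    sed substitution silently does nothing when its pattern is not in the file)
#  - every ">>" append is idempotent, so re-running the script does not
#    duplicate lines
#  - /etc/sudoers is validated with visudo and rolled back on a syntax error

# Date stamp used for every backup copy made below (file.YYYYMMDD).
mydate=$(date '+%Y%m%d')

#######################################
# Make a one-time backup of a file as FILE.$mydate, if the file exists.
# Globals:   mydate (read)
# Arguments: $1 - path to back up
#######################################
backup_once() {
  local file=$1
  [[ -f "$file" && ! -e "$file.$mydate" ]] && cp -p -- "$file" "$file.$mydate"
  return 0
}

#######################################
# Append a line to a file unless that exact line is already present.
# Arguments: $1 - the line, $2 - the file (created if missing)
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Set "KEY = VALUE" (or a bare KEY flag when no value is given) in a key/value
# config file (faillock.conf, pwquality.conf, auditd.conf, sysctl files).
# Every existing KEY line, commented or not, is removed and the desired line
# appended, so the result is the same whether the default was commented out,
# already set to something else, or missing entirely.
# Arguments: $1 - file, $2 - key, [$3 - value]
#######################################
set_conf_kv() {
  local file=$1 key=$2 line=$2
  (( $# >= 3 )) && line="$key = $3"
  # "." inside sysctl keys acts as a regex wildcard here; acceptable for these files.
  [[ -f "$file" ]] && sed -i -E "/^[[:space:]]*#?[[:space:]]*${key}([[:space:]]*=|[[:space:]]*$)/d" "$file"
  printf '%s\n' "$line" >> "$file"
}

#######################################
# Set an sshd_config directive. sshd honours the FIRST occurrence of a
# directive, so every existing copy (commented or not) is dropped and the
# directive is inserted at the top of the file; that also keeps it out of any
# Match block at the end of the file, where a plain append would land.
# Arguments: $1 - directive name, $2 - value
#######################################
set_sshd_opt() {
  local name=$1 value=$2 cfg=/etc/ssh/sshd_config
  # sshd directive names are case-insensitive, hence the I flag on the address.
  sed -i -E "/^[[:space:]]*#?[[:space:]]*${name}([[:space:]]|=|$)/Id" "$cfg"
  sed -i "1i ${name} ${value}" "$cfg"
}

#######################################
# Blacklist a kernel module and neuter its loading via an "install" override.
# Arguments: $1 - module name (lowercase, as the kernel names it)
#######################################
disable_module() {
  local mod=$1
  append_once "install ${mod} /bin/true" /etc/modprobe.d/blacklist.conf
  append_once "blacklist ${mod}" /etc/modprobe.d/blacklist.conf
}

#==# xccdf_mil.disa.stig_rule_SV-230233r743919_rule RHEL-08-010130
# Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash.
# Edit/modify the following line in the "/etc/pam.d/password-auth" file and set "rounds" to a value no lower than "5000":
# password sufficient pam_unix.so sha512 rounds=5000
# There is no possibility I'm going to sed the files to achieve this.
# This is going to be one file that I download at the end

#--# xccdf_mil.disa.stig_rule_SV-230235r743925_rule RHEL-08-010150
# sudo grub2-setpassword
# resultant example is in this kickstart file earlier

# this is only because I had an httpd server, I'll fix the packages later
# (the earlier "systemctl is-enabled" had no unit name, so it always failed and
#  httpd was never actually disabled)
systemctl is-enabled -q httpd && systemctl disable httpd

#--# xccdf_mil.disa.stig_rule_SV-230287r743951_rule RHEL-08-010490
#--# medium
chmod 0600 /etc/ssh/ssh_host*key

# xccdf_mil.disa.stig_rule_SV-230257r627750_rule RHEL-08-010300
# RHEL 8 system commands must have mode 0755 or less permissive
# files are 755, however, the suid or sgid bits seem sane.
# seems to be full of false positives, will revisit though
# I am going to put in a case with Red Hat, this is the only remaining item in my example to resolve.

# All sshd_config edits below share one backup, taken before the first edit.
backup_once /etc/ssh/sshd_config

#--# xccdf_mil.disa.stig_rule_SV-230288r627750_rule RHEL-08-010500
# The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
# StrictModes yes
set_sshd_opt StrictModes yes
# the system will reboot, so there's no need to restart sshd.

#--# xccdf_mil.disa.stig_rule_SV-230291r743957_rule RHEL-08-010521
# Configure the SSH daemon to not allow Kerberos authentication.
# Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
# KerberosAuthentication no
set_sshd_opt KerberosAuthentication no
# the system will reboot, so there's no need to restart sshd.

#--#
# xccdf_mil.disa.stig_rule_SV-230311r627750_rule RHEL-08-010671
# RHEL 8 must disable the kernel.core_pattern.
append_once 'kernel.core_pattern = |/bin/false' /etc/sysctl.d/rhel-08-010671.conf
# the system will reboot, no need to run "sysctl -p /etc/sysctl.conf"

#--# xccdf_mil.disa.stig_rule_SV-230330r646870_rule RHEL-08-010830
# RHEL 8 must not allow users to override SSH environment variables.
# add this to /etc/ssh/sshd_config
# PermitUserEnvironment no
set_sshd_opt PermitUserEnvironment no
# the system will reboot, so there's no need to restart sshd.

#--# xccdf_mil.disa.stig_rule_SV-230333r743966_rule RHEL-08-020011
# RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
# Configure the operating system to lock an account when three unsuccessful logon attempts occur.
# Add/Modify the "/etc/security/faillock.conf" file to match the following line:
# deny = 3
# so /etc/security/faillock.conf is new in rhel8, not in previous rhel editions
# (the earlier backup line had ")" where "}" belonged - a bash syntax error
#  that aborted the script at this point)
backup_once /etc/security/faillock.conf
set_conf_kv /etc/security/faillock.conf deny 3

#--# xccdf_mil.disa.stig_rule_SV-230335r743969_rule -08-020013
# RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
# Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes.
# Add/Modify the "/etc/security/faillock.conf" file to match the following line:
# fail_interval = 900
set_conf_kv /etc/security/faillock.conf fail_interval 900

#--# xccdf_mil.disa.stig_rule_SV-230337r743972_rule RHEL-08-020015
# RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
# Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes.
# Add/Modify the "/etc/security/faillock.conf" file to match the following line:
# unlock_time = 0
set_conf_kv /etc/security/faillock.conf unlock_time 0

#--# xccdf_mil.disa.stig_rule_SV-230341r743978_rule RHEL-08-020019
# RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
# Configure the operating system to prevent informative messages from being presented at logon attempts.
# Add/Modify the "/etc/security/faillock.conf" file to match the following line:
# silent
set_conf_kv /etc/security/faillock.conf silent

#--# xccdf_mil.disa.stig_rule_SV-230343r743981_rule RHEL-08-020021
# RHEL 8 must log user name information when unsuccessful logon attempts occur.
# Configure the operating system to log user name information when unsuccessful logon attempts occur.
# Add/Modify the "/etc/security/faillock.conf" file to match the following line:
# audit
set_conf_kv /etc/security/faillock.conf audit

#--# xccdf_mil.disa.stig_rule_SV-230345r743984_rule RHEL-08-020023
# RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
# Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes.
# Add/Modify the "/etc/security/faillock.conf" file to match the following line:
# even_deny_root
set_conf_kv /etc/security/faillock.conf even_deny_root

#--# xccdf_mil.disa.stig_rule_SV-230349r627750_rule RHEL-08-020041
# never seen this in a previous edition of RHEL, interesting.
# RHEL 8 must ensure session control is automatically started at shell initialization.
# Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following line to the end of the "/etc/bashrc" configuration file:
# I wonder if they resolve other people's default shells.
# [ -n "$PS1" -a -z "$TMUX" ] && exec tmux
# This setting will take effect at next logon.
append_once '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux' /etc/bashrc

#--# xccdf_mil.disa.stig_rule_SV-230356r627750_rule RHEL-08-020100
# RHEL 8 must ensure a password complexity module is enabled.
# Configure the operating system to use "pwquality" to enforce password complexity rules.
# Add the following line to both "/etc/pam.d/password-auth" and "/etc/pam.d/system-auth" (or modify the line to have the required value):
# password required pam_pwquality.so retry=3
# I will put this in a master /etc/pam.d/ files called for later in the kickstart

#--# xccdf_mil.disa.stig_rule_SV-230364r627750_rule RHEL-08-020180
# RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
# Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
# sudo chage -m 1 [user]
# requires manual review. If you have a maintenance account you routinely use, you may want to consider some alternative so you don't get totally locked out... really. This is a real Thing when you use Amazon AWS

#--# xccdf_mil.disa.stig_rule_SV-230367r627750_rule RHEL-08-020210
# RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
# manual review, you have to check your own system
# sudo chage -M 60 [user]
# requires manual review. If you have a maintenance account you routinely use, you may want to consider some alternative so you don't get totally locked out... really. This is a real Thing when you use Amazon AWS

#--# xccdf_mil.disa.stig_rule_SV-230368r627750_rule RHEL-08-020220
# RHEL 8 passwords must be prohibited from reuse for a minimum of five generations.
# Configure the operating system to prohibit password reuse for a minimum of five generations.
# Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value):
# password required pam_pwhistory.so use_authtok remember=5 retry=3

#--# xccdf_mil.disa.stig_rule_SV-230377r627750_rule RHEL-08-020300
# RHEL 8 must prevent the use of dictionary words for passwords.
# Configure RHEL 8 to prevent the use of dictionary words for passwords.
# Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter:
# dictcheck=1
backup_once /etc/security/pwquality.conf
set_conf_kv /etc/security/pwquality.conf dictcheck 1

#--# xccdf_mil.disa.stig_rule_SV-230382r627750_rule RHEL-08-020350
# RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
# Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following:
# PrintLastLog yes
# restart sshd
set_sshd_opt PrintLastLog yes

### IMPORTANT WORD ABOUT AUDIT RULES
# there are a lot of audit rules for this form of hardening. It is best to take a known good worked-out list than attempt to put them in one at a time with command-line. I usually don't like saying "I'm speaking from experience", but here, I really am.
# I'll take down one master file and put it into place
#
# audit rules
#
### all of these things call for audit rules. I'm not about to use sed or whatever, I will make one good audit.rules file and push it.
# xccdf_mil.disa.stig_rule_SV-230386r627750_rule RHEL-08-030000
# xccdf_mil.disa.stig_rule_SV-230402r627750_rule RHEL-08-030121
# xccdf_mil.disa.stig_rule_SV-230403r627750_rule RHEL-08-030122
# xccdf_mil.disa.stig_rule_SV-230404r627750_rule RHEL-08-030130
# xccdf_mil.disa.stig_rule_SV-230405r627750_rule RHEL-08-030140
# xccdf_mil.disa.stig_rule_SV-230406r627750_rule RHEL-08-030150
# xccdf_mil.disa.stig_rule_SV-230407r627750_rule RHEL-08-030160
# xccdf_mil.disa.stig_rule_SV-230408r627750_rule RHEL-08-030170
# xccdf_mil.disa.stig_rule_SV-230409r627750_rule RHEL-08-030171
# xccdf_mil.disa.stig_rule_SV-230410r627750_rule RHEL-08-030172
# xccdf_mil.disa.stig_rule_SV-230412r627750_rule RHEL-08-030190
# xccdf_mil.disa.stig_rule_SV-230413r627750_rule RHEL-08-030200
# xccdf_mil.disa.stig_rule_SV-230414r627750_rule RHEL-08-030210
# xccdf_mil.disa.stig_rule_SV-230415r627750_rule RHEL-08-030220
# xccdf_mil.disa.stig_rule_SV-230416r627750_rule RHEL-08-030230
# xccdf_mil.disa.stig_rule_SV-230417r627750_rule RHEL-08-030240
# xccdf_mil.disa.stig_rule_SV-230418r627750_rule RHEL-08-030250
# xccdf_mil.disa.stig_rule_SV-230419r627750_rule RHEL-08-030260
# xccdf_mil.disa.stig_rule_SV-230420r627750_rule RHEL-08-030270
# xccdf_mil.disa.stig_rule_SV-230421r627750_rule RHEL-08-030280
# xccdf_mil.disa.stig_rule_SV-230422r627750_rule RHEL-08-030290
# xccdf_mil.disa.stig_rule_SV-230423r627750_rule RHEL-08-030300
# xccdf_mil.disa.stig_rule_SV-230424r627750_rule RHEL-08-030301
# xccdf_mil.disa.stig_rule_SV-230425r627750_rule RHEL-08-030302
# xccdf_mil.disa.stig_rule_SV-230426r627750_rule RHEL-08-030310
# xccdf_mil.disa.stig_rule_SV-230427r627750_rule RHEL-08-030311
# xccdf_mil.disa.stig_rule_SV-230428r627750_rule RHEL-08-030312
# xccdf_mil.disa.stig_rule_SV-230429r627750_rule RHEL-08-030313
# xccdf_mil.disa.stig_rule_SV-230430r627750_rule RHEL-08-030314
# xccdf_mil.disa.stig_rule_SV-230431r627750_rule RHEL-08-030315
# xccdf_mil.disa.stig_rule_SV-230432r627750_rule RHEL-08-030316
# xccdf_mil.disa.stig_rule_SV-230433r627750_rule RHEL-08-030317
# xccdf_mil.disa.stig_rule_SV-230434r744002_rule RHEL-08-030320
# xccdf_mil.disa.stig_rule_SV-230435r627750_rule RHEL-08-030330
# xccdf_mil.disa.stig_rule_SV-230436r627750_rule RHEL-08-030340
# xccdf_mil.disa.stig_rule_SV-230437r627750_rule RHEL-08-030350
# xccdf_mil.disa.stig_rule_SV-230438r627750_rule RHEL-08-030360
# xccdf_mil.disa.stig_rule_SV-230439r627750_rule RHEL-08-030361
# xccdf_mil.disa.stig_rule_SV-230440r627750_rule RHEL-08-030362
# xccdf_mil.disa.stig_rule_SV-230441r627750_rule RHEL-08-030363
# xccdf_mil.disa.stig_rule_SV-230442r627750_rule RHEL-08-030364
# xccdf_mil.disa.stig_rule_SV-230443r627750_rule RHEL-08-030365
# xccdf_mil.disa.stig_rule_SV-230444r627750_rule RHEL-08-030370
# xccdf_mil.disa.stig_rule_SV-230445r627750_rule RHEL-08-030380
# xccdf_mil.disa.stig_rule_SV-230446r627750_rule RHEL-08-030390
# xccdf_mil.disa.stig_rule_SV-230447r627750_rule RHEL-08-030400
# xccdf_mil.disa.stig_rule_SV-230448r627750_rule RHEL-08-030410
# xccdf_mil.disa.stig_rule_SV-230449r627750_rule RHEL-08-030420
# xccdf_mil.disa.stig_rule_SV-230450r627750_rule RHEL-08-030430
# xccdf_mil.disa.stig_rule_SV-230451r627750_rule RHEL-08-030440
# xccdf_mil.disa.stig_rule_SV-230452r627750_rule RHEL-08-030450
# xccdf_mil.disa.stig_rule_SV-230453r627750_rule RHEL-08-030460
# xccdf_mil.disa.stig_rule_SV-230454r627750_rule RHEL-08-030470
# xccdf_mil.disa.stig_rule_SV-230455r627750_rule RHEL-08-030480
# xccdf_mil.disa.stig_rule_SV-230456r627750_rule RHEL-08-030490
# xccdf_mil.disa.stig_rule_SV-230457r627750_rule RHEL-08-030500
# xccdf_mil.disa.stig_rule_SV-230458r627750_rule RHEL-08-030510
# xccdf_mil.disa.stig_rule_SV-230459r627750_rule RHEL-08-030520
# xccdf_mil.disa.stig_rule_SV-230460r627750_rule RHEL-08-030530
# xccdf_mil.disa.stig_rule_SV-230461r627750_rule RHEL-08-030540
# xccdf_mil.disa.stig_rule_SV-230462r627750_rule RHEL-08-030550
# xccdf_mil.disa.stig_rule_SV-230463r627750_rule RHEL-08-030560
# xccdf_mil.disa.stig_rule_SV-230464r627750_rule RHEL-08-030570
# xccdf_mil.disa.stig_rule_SV-230465r627750_rule RHEL-08-030580
# xccdf_mil.disa.stig_rule_SV-230467r627750_rule RHEL-08-030600

#--# xccdf_mil.disa.stig_rule_SV-230483r744014_rule RHEL-08-030730
# RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
# Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file.
# space_left = 25%
# Note: Option names and values in the auditd.conf file are case insensitive
#
# the service looks for "%" - so I added it.
# (set regardless of the current value; the earlier sed only matched "space_left = 75")
backup_once /etc/audit/auditd.conf
set_conf_kv /etc/audit/auditd.conf space_left 25%
# without this next line, auditd fails, highly recommend sending audit files etc off-server to a proper log ingest clustered server that someone sane actually maintains.
#
# the service did NOT complain of the lack of "%", so I didn't add it.
set_conf_kv /etc/audit/auditd.conf admin_space_left 24

# Module names below are passed in lowercase: the kernel modules are atm, can,
# sctp, tipc, and modprobe compares the name literally (underscore/dash aside),
# so the uppercase spelling used in the earlier revision of this script may not
# have matched anything. NOTE(review): confirm against "modinfo <name>" on your build.

#--# xccdf_mil.disa.stig_rule_SV-230494r627750_rule RHEL-08-040021
# RHEL 8 must disable the asynchronous transfer mode (ATM) protocol
# Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
# install atm /bin/true
# blacklist atm
disable_module atm
# Reboot the system for the settings to take effect, however in a kickstart, the next thing done IS a reboot.

#--# xccdf_mil.disa.stig_rule_SV-230495r627750_rule RHEL-08-040022
# RHEL 8 must disable the controller area network (CAN) protocol.
# add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
# install can /bin/true
# blacklist can
disable_module can

#--# xccdf_mil.disa.stig_rule_SV-230496r744017_rule RHEL-08-040023
# RHEL 8 must disable the stream control transmission protocol (SCTP).
# Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
# install sctp /bin/true
# blacklist sctp
disable_module sctp

#--# xccdf_mil.disa.stig_rule_SV-230497r627750_rule RHEL-08-040024
# RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
# Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
# install tipc /bin/true
# blacklist tipc
disable_module tipc

#--# xccdf_mil.disa.stig_rule_SV-230498r627750_rule RHEL-08-040025
# Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
# install cramfs /bin/true
# blacklist cramfs
disable_module cramfs

#--# xccdf_mil.disa.stig_rule_SV-230499r627750_rule RHEL-08-040026
# RHEL 8 must disable IEEE 1394 (FireWire) Support.
# Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf":
# install firewire-core /bin/true
# blacklist firewire-core
disable_module firewire-core
# Reboot the system for the settings to take effect, however in a kickstart, the next thing done IS a reboot.

#--# xccdf_mil.disa.stig_rule_SV-230503r627750_rule RHEL-08-040080
# RHEL 8 must be configured to disable USB mass storage.
# note, if you have DTAs, they may need this disabled, contact your security office.
printf '%s\n' 'install usb-storage /bin/true' > /etc/modprobe.d/usb-storage.conf
append_once 'blacklist usb-storage' /etc/modprobe.d/blacklist.conf

#--# xccdf_mil.disa.stig_rule_SV-230540r627750_rule RHEL-08-040260
# RHEL 8 must not be performing packet forwarding unless the system is a router.
# If "0" is not the system's default value then add or update the following lines in the appropriate file under "/etc/sysctl.d":
# (the earlier revision appended each of these twice)
set_conf_kv /etc/sysctl.conf net.ipv4.ip_forward 0
set_conf_kv /etc/sysctl.conf net.ipv6.conf.all.forwarding 0
## note, some of these may break your functions if you use docker/podman/kubernetes

#--# xccdf_mil.disa.stig_rule_SV-230546r627750_rule RHEL-08-040282
# RHEL 8 must restrict usage of ptrace to descendant processes
# Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file in the "/etc/sysctl.d" directory:
#echo 'kernel.yama.ptrace_scope = 1' >> /etc/sysctl.conf
# the disa stig profile puts the wrong value in the below file. This following command fixes it. I have filed a bugzilla report that is not visible to the public.
# NOTE(review): /lib/sysctl.d is package-owned, so a package update can put the
# old value back; a drop-in under /etc/sysctl.d is the durable place for this.
# Keep the two in agreement if you add one - the STIG check flags conflicting values.
set_conf_kv /lib/sysctl.d/10-default-yama-scope.conf kernel.yama.ptrace_scope 1
# this is a kickstart, the next thing is a reboot.

#--# xccdf_mil.disa.stig_rule_SV-230556r627750_rule RHEL-08-040341
# The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
# put this in /etc/ssh/sshd_config if it is not already there (it is not by default)
set_sshd_opt X11UseLocalhost yes

#--# xccdf_mil.disa.stig_rule_SV-237642r646896_rule RHEL-08-010383
# RHEL 8 must use the invoking user's password for privilege escalation for "sudo".
# Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
cp /etc/sudoers{,.original}
append_once 'Defaults !targetpw' /etc/sudoers
append_once 'Defaults !rootpw' /etc/sudoers
append_once 'Defaults !runaspw' /etc/sudoers

#--# xccdf_mil.disa.stig_rule_SV-237643r646899_rule RHEL-08-010384
# RHEL 8 must require re-authentication when using the "sudo" command.
# When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command.
append_once 'Defaults timestamp_timeout=0' /etc/sudoers

# A syntax error in /etc/sudoers disables sudo for everyone, so validate the
# edited file and fall back to the untouched copy if it does not parse.
if ! visudo -cf /etc/sudoers >/dev/null; then
  printf '/etc/sudoers failed validation; restoring /etc/sudoers.original\n' >&2
  cp /etc/sudoers{.original,}
fi

#--# This below are the resolutions to the two files system-auth and password-auth in /etc/pam.d
# There are numerous edits within these two files that are completed in the cat << EOF > /actual/location/file below
# IMPORTANT NOTE: the files system-auth and password-auth that you find are symbolic links leading
# to /etc/authselect/ where the actual files reside.
# So the backup files I create are there with a time-date stamp trailing the file
# NOTE(review): authselect owns the files under /etc/authselect; "authselect apply-changes"
# or a later "authselect select" regenerates them and would discard these edits.
# The durable route is a custom authselect profile - confirm on your build.
# Make a backup first
# this will make a backup copy of /etc/authselect/password-auth
# to a file named password-auth.YYYYMMDD with the date variable I created earlier
## you will find this defined variable earlier as this: mydate=$(date '+%Y%m%d')
backup_once /etc/authselect/password-auth
backup_once /etc/authselect/system-auth

## this will overwrite password-auth
## (quoted delimiter: nothing in a PAM stack should be shell-expanded)
#####
cat <<'EOF' > /etc/authselect/password-auth
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        required      pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0
auth        [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5 rounds=5000
password    sufficient    pam_sss.so use_authtok
password    required      pam_pwhistory.so use_authtok remember=5 retry=3
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
EOF
# this is the end of the overwrite of /etc/authselect/password-auth file
#####

####
#--# This is the beginning of the overwrite of /etc/authselect/system-auth
# The edits below are from the STIG
# this made a backup copy of /etc/authselect/system-auth above in the kickstart
# to a file named system-auth.YYYYMMDD with the date variable I created earlier
# The pam_unix password line carries rounds=5000 here as well, mirroring
# password-auth; the STIG has a parallel hashing rule for system-auth and the
# earlier revision left it out of this file only.
cat <<'EOF' > /etc/authselect/system-auth
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_fprintd.so
auth        [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        required      pam_faillock.so preauth silent deny=3 fail_interval=900 even_deny_root unlock_time=0
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 fail_interval=900 even_deny_root unlock_time=0
auth        [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5 rounds=5000
password    sufficient    pam_sss.so use_authtok
password    required      pam_pwhistory.so use_authtok remember=5 retry=3
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
EOF

## This avoids annoying errors later due to the Red Hat provided signing-keys not being ingested
rpm --import /etc/pki/rpm-gpg/*

## yes, I could put the entire audit.rules.master.v3 here and do my typical "cat << EOF > /etc/audit/audit.rules", however, I'll make it a separate script, or you can use this if you stage it at a http visible location:
# stage on your web server you have direct control over. Make sure the permissions and SELinux context are correct. Test the wget prior to committing this to your kickstart!
# Compare the downloaded file against a checksum you recorded from the master
# copy before it goes into /etc/audit - a plain http fetch gives no integrity guarantee.
# NOTE: the wget below saves to /var/tmp/audit.rules while the cat reads
# /var/tmp/audit.rules.master.v3 - use one name for both.
# wget http://ip_address_2_your_websever/pub/files/common/audit.rules.master.v3 -O /var/tmp/audit.rules
#
# I do this to avert mangling SELinux rules.
# cp /etc/audit/audit.rules{,.$mydate}
#
# cat /var/tmp/audit.rules.master.v3 > /etc/audit/audit.rules

# this is the end of the kickstart
####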