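# SCAP Security Guide STIG profile kickstart for Red Hat Enterprise Linux 8
#
# Ansible remediation tags that can be applied post installation to remediate
# the remaining STIG items:
# - CCE-85902-5
# - CCE-85897-7
# - CCE-80788-3
# - CCE-86534-5
# - CCE-80789-1
#
# NOTE(review): this file embeds password hashes and a subscription activation
# key. Serve it only from a location with restricted read access, and keep the
# real values out of public repositories.

# Use graphical install (optional)
graphical

# Packages to be installed on the system. The Minimal Install, Headless
# Management and Security Tools selections generate this list; entries
# prefixed with "-" are explicitly excluded.
%packages
@^minimal-environment
@headless-management
@security-tools
aide
audit
fapolicyd
firewalld
mailx
opensc
openscap
openscap-scanner
openssh-server
openssl-pkcs11
policycoreutils
postfix
rng-tools
rsyslog
rsyslog-gnutls
tmux
usbguard
-abrt
-abrt-addon-ccpp
-abrt-addon-kerneloops
-abrt-cli
-abrt-plugin-sosreport
-iprutils
-krb5-server
-krb5-workstation
-libreport-plugin-logger
-libreport-plugin-rhtsupport
-python3-abrt-addon
-rsh-server
-sendmail
-telnet-server
-tftp-server
-tuned
-vsftpd
-xorg-x11-server-Xorg
-xorg-x11-server-Xwayland
-xorg-x11-server-common
-xorg-x11-server-utils
%end

# Keyboard layouts
keyboard --xlayouts='us'

# System language
lang en_US.UTF-8

# Network information
# NOTE(review): the "#####" in the hostname is a redaction, not a usable value;
# replace it with the real domain before using this file.
network --bootproto=static --device=eth0 --gateway=10.0.0.1 --ip=10.0.0.15 --nameserver=10.0.0.10,10.0.0.11 --netmask=255.255.255.0 --noipv6 --activate --ipv4-dns-search=corp.ritcsusa.com
network --hostname=ansible.corp.#####.com

# Configure firewall settings for the system (optional)
# --ssh allows the sshd service through the firewall;
# --service=cockpit additionally opens the Cockpit web console.
firewall --enabled --ssh --service=cockpit

# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing

# Run the Setup Agent on first boot
firstboot --enable

# Only use disk with the identifier "sda" during the installation process.
ignoredisk --only-use=sda

# Partition clearing information
clearpart --none --initlabel

# Disk partitioning information
# /tmp, /var, /var/tmp, /var/log, /var/log/audit and /home each get their own
# logical volume, separate from /.
part /boot --fstype="xfs" --ondisk=sda --size=1024 --label=ansible
part /boot/efi --fstype="efi" --ondisk=sda --size=600 --fsoptions="umask=0077,shortname=winnt" --label=ansible
part pv.1 --fstype="lvmpv" --ondisk=sda --size=254374
volgroup rhel_ansible --pesize=4096 pv.1
logvol /var/tmp --fstype="xfs" --size=10240 --label="ansible" --name=var_tmp --vgname=rhel_ansible
logvol /tmp --fstype="xfs" --size=10240 --label="ansible" --name=tmp --vgname=rhel_ansible
logvol /var --fstype="xfs" --size=108064 --label="ansible" --name=var --vgname=rhel_ansible
logvol /var/log --fstype="xfs" --size=10240 --label="ansible" --name=var_log --vgname=rhel_ansible
logvol / --fstype="xfs" --grow --maxsize=71680 --size=1024 --label="ansible" --name=root --vgname=rhel_ansible
logvol /home --fstype="xfs" --size=25600 --label="ansible" --name=home --vgname=rhel_ansible
logvol swap --fstype="swap" --size=8065 --name=swap --vgname=rhel_ansible
logvol /var/log/audit --fstype="xfs" --size=10240 --label="ansible" --name=var_log_audit --vgname=rhel_ansible

# System timezone
timezone America/New_York --isUtc

# Root password and admin user (SHA-512 crypt hashes)
# NOTE(review): the plain-text password behind the root hash was printed in a
# comment in the published copy of this file, so that hash must be treated as
# compromised. Generate fresh hashes (for example with `openssl passwd -6`) and
# never record the plain text next to them. Rotate the admin hash as well if it
# was derived from the same value.
rootpw --iscrypted $6$wuXazJVyKNFLUvKX$8gipM8xeUE23FDsdOYtUNBSM.mrESOSFtM7CqsV3iaX4pRWm3uwKNECNCRXab2ypXDqeXEEJjFI9HDgIsHSyn/
user --groups=wheel --name=admin --password=$6$8ZLnYyHlz5zyhpU/$Ygy6QaicjospbXD499.UJUnfKzavw0IaZQ5U5l07MxZM9gXuvYqq0mBvAsIFnQo9R4lD0eVOlQg1awoV.ARF.0 --iscrypted --gecos="admin"

# Set grub2 password (CCE-80829-5)
# NOTE(review): the published copy documented the same plain-text password for
# GRUB as for root. Regenerate this PBKDF2 hash with `grub2-mkpasswd-pbkdf2`
# from a different secret, so that one disclosure does not unlock both the
# bootloader and the root account.
bootloader --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=grub.pbkdf2.sha512.10000.B55C0F753F88EFC0E8C37681FBCF10FEDD818698EEA97528780C79E2BCA572B18A68B60CE7BD2E60CE9581D72E8A753122E5643F7C8661E4C0A50BF42E0DE7E1.CE02145FFE349026C00F55E8F0A87CC08D6707DF9F192E952BE67BA0836DFA9625F579FEE37F2F82E1BCB26C9A6D376456E98029E40F13AF884E1D20ACB09C07 --iscrypted

# Registers the system with Red Hat Subscription Manager (optional)
# This information is used to associate this system with your organization.
# To find the organization number and activation key, go to:
# https://console.redhat.com/insights/connector/activation-keys
# Requires a Red Hat account and subscription to Insights (free with Developer subscription)
# NOTE(review): the "#" runs below are redactions; substitute the real
# organization ID and activation key at deployment time.
rhsm --organization=####### --activation-key=######## --connect-to-insights

# Disables kdump (CCE-80878-2)
%addon com_redhat_kdump --disable --reserve-mb='auto'
%end

# Applies the latest DISA STIG using a remote source repository
# Current SCAP profiles can be obtained from https://github.com/ComplianceAsCode/content/releases
# Example below is hosted on GitHub and the system needs to be able to reach the internet to download the profile
# TO LATER BE REPLACED WITH LOCAL REPO
#
# NOTE(review): the datastream decides which hardening rules and remediations
# run as root during installation, and it is fetched here from the mutable
# "main" branch of a personal repository with no integrity check. Until the
# local repo exists, pin the content by adding a checksum line inside the addon
# section, in the form:
#     fingerprint = <SHA-256 of ssg-rhel8-ds.xml - placeholder>
# and compare the file against the upstream ComplianceAsCode release it was
# taken from.
%addon org_fedora_oscap
    content-type = datastream
    content-url = https://raw.githubusercontent.com/rathbunr/kickstart/main/ssg-rhel8-ds.xml
    datastream-id = scap_org.open-scap_datastream_from_xccdf_ssg-rhel8-xccdf.xml
    xccdf-id = scap_org.open-scap_cref_ssg-rhel8-xccdf.xml
    content-path = /tmp/openscap_data/ssg-rhel8-ds.xml
    profile = xccdf_org.ssgproject.content_profile_stig
%end

# Reboot after installation (required to apply DISA STIG settings properly)
reboot --eject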