-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathks.cfg
executable file
·247 lines (205 loc) · 7.53 KB
/
ks.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
cdrom
# Use graphical install
text
# Run the Setup Agent on first boot
firstboot --disable
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8
# Network information
network --bootproto=dhcp --device=eth0 --ipv6=auto --activate
network --hostname=snipe-it
# Root password
rootpw --iscrypted $6$dnsLCX0eC1A7IAmD$8TVED7AnMjJi6KJ03wq10YjvpYmTsUp.Y.6Hxt.6VVyNQlGOAYANLdlnNlgXOHRq5804W81fOx7iI7K7rQYTh0
# System services
services --disabled="chronyd"
# System timezone
timezone Etc/UTC --isUtc --nontp
# Create admin user
user --groups=wheel --name=snipeit --password=$6$kwQCTNf1kkHqWEQg$2kV7yaWRcjGUBsDW817khy5ycTShDSa8SbSMqJkqSxZno4t.yXy6PRajpyqfgOsmSK46Iw1WG4AaUPSwiQzx01 --iscrypted --gecos="Snipe-IT"
# System bootloader configuration
zerombr
# Partition clearing and creation
clearpart --all --initlabel
autopart --type=lvm
%packages
@^minimal
@core
kexec-tools
httpd
httpd-tools
git
python
perl
mariadb-server
unzip
policycoreutils-python
expect
mod_ssl
%end
%packages --nobase
epel-release
ius-release
libmcrypt
php72u-gd
php72u-bcmath
php72u-common
php72u-xml
php72u-json
php72u-mbstring
php72u-embedded
php72u-process
mod_php72u
php72u-ldap
php72u-cli
php72u-pdo
php72u-mysqlnd
libargon2
oniguruma
fail2ban
fail2ban-firewalld
fail2ban-sendmail
fail2ban-server
systemd-python
mod_ssl
-alsa-firmware
-alsa-lib
-alsa-tools-firmware
-ivtv-firmware
-iwl2030-firmware
-iwl6050-firmware
-iwl3160-firmware
-iwl5000-firmware
-iwl6000g2b-firmware
-iwl6000g2a-firmware
-iwl105-firmware
-iwl1000-firmware
-iwl135-firmware
-iwl7260-firmware
-iwl4965-firmware
-iwl6000-firmware
-iwl100-firmware
-iwl3945-firmware
-iwl2000-firmware
-iwl7265-firmware
-iwl5150-firmware
-aic94xx-firmware
%end
%addon com_redhat_kdump --enable --reserve-mb='auto'
%end
%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end
reboot
%post --log=/root/ks-post.log
# Harden SSH
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 900/g' /etc/ssh/sshd_config
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 0/g' /etc/ssh/sshd_config
sed -i 's/#MaxAuthTries 6/MaxAuthTries 4/g' /etc/ssh/sshd_config
sed -i 's/X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/#LogLevel INFO/LogLevel INFO/g' /etc/ssh/sshd_config
sed -i 's/#IgnoreRhosts yes/IgnoreRhosts yes/g' /etc/ssh/sshd_config
sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' /etc/ssh/sshd_config
echo "" >> /etc/ssh/sshd_config
echo "# Restrict access to Snipe-IT user" >> /etc/ssh/sshd_config
echo "AllowUsers snipeit" >> /etc/ssh/sshd_config
echo "" >> /etc/ssh/sshd_config
echo "# Permit supported Ciphers, MAC and Algorithms" >> /etc/ssh/sshd_config
echo "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
echo "" >> /etc/ssh/sshd_config
echo "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com" >> /etc/ssh/sshd_config
echo "" >> /etc/ssh/sshd_config
echo "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256" >> /etc/ssh/sshd_config
# Enforce password policy
sed -i 's/PASS_MAX_DAYS 99999/PASS_MAX_DAYS 90/g' /etc/login.defs
sed -i 's/PASS_MIN_LEN 5/PASS_MIN_LEN 9/g' /etc/login.defs
sed -i 's/PASS_WARN_AGE 7/PASS_WARN_AGE 14/g' /etc/login.defs
echo "FAILLOG_ENAB yes" >> /etc/login.defs
sed -i 's/# minlen = 9/minlen = 9/g' /etc/security/pwquality.conf
sed -i 's/# minclass = 0/minclass = 9/g' /etc/security/pwquality.conf
sed -i 's/# dcredit = 1/dcredit = 1/g' /etc/security/pwquality.conf
sed -i 's/# ucredit = 1/ucredit = 1/g' /etc/security/pwquality.conf
sed -i 's/# lcredit = 1/lcredit = 1/g' /etc/security/pwquality.conf
sed -i 's/# ocredit = 1/ocredit = 1/g' /etc/security/pwquality.conf
# Configure SSH and HTTPS only
/usr/bin/firewall-offline-cmd --set-default-zone=drop
/usr/bin/firewall-offline-cmd --zone=drop --add-service=ssh
/usr/bin/firewall-offline-cmd --zone=drop --add-service=https
# Enable Services
/bin/systemctl enable mariadb
/bin/systemctl enable httpd
/bin/systemctl enable fail2ban
/bin/systemctl enable rc-local
# Enable SELinux Boolean
/sbin/setsebool -P httpd_can_sendmail on
/sbin/setsebool -P httpd_can_connect_ldap on
/sbin/setsebool -P httpd_can_network_connect on
# Disable uncommon protocols
echo "install dccp /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install sctp /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install rds /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install tipc /bin/false" >> /etc/modprobe.d/CIS.conf
# Disable unused filesystems
echo "install cramfs /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install freevxfs /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install jffs2 /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install hfs /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install hfsplus /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install squashfs /bin/false" >> /etc/modprobe.d/CIS.conf
echo "install udf /bin/false" >> /etc/modprobe.d/CIS.conf
# Disconnect idle sessions
echo "export TMOUT=900" >> /etc/profile
# Hide apache version
echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
# Fix composer cache files
mkdir -pv /usr/share/httpd/.composer
chgrp apache /usr/share/httpd/.composer
chmod g+w /usr/share/httpd/.composer
%end
%post --nochroot
# redirect the output to the log file
exec >/mnt/sysimage/root/ks-post-anaconda-chroot.log 2>&1
# show the output on the 7th console
tail -f /mnt/sysimage/root/ks-post-anaconda-chroot.log >/dev/tty7 &
# changing to VT 7 that we can see what's going on
/usr/bin/chvt 7
export SRCDIR="/run/install/repo"
export DSTDIR="/mnt/sysimage"
cp -v -r $SRCDIR/postinstall/. $DSTDIR/root/
find $DSTDIR/root/ -name "TRANS.TBL" -delete
# copy scripts to the destintion of the server
mv -v $DSTDIR/etc/issue $DSTDIR/etc/issue-backup
mv -v $DSTDIR/etc/issue.net $DSTDIR/etc/issue.net-backup
mv -v $DSTDIR/etc/rc.d/rc.local $DSTDIR/etc/rc.d/rc.local-backup
cp -v $SRCDIR/postinstall/pre_issue $DSTDIR/etc/issue
cp -v $SRCDIR/postinstall/pre_issue $DSTDIR/etc/issue.net
cp -v $SRCDIR/postinstall/snipeit_mail_setup.sh $DSTDIR/usr/local/bin/snipeit_mail.setup.sh
cp -v $SRCDIR/postinstall/mariadb_pass_change.sh $DSTDIR/usr/local/bin/mariadb_pass_change.sh
cp -v $SRCDIR/postinstall/snipeit.sh $DSTDIR/etc/profile.d/snipeit.sh
cp -v $SRCDIR/postinstall/issue $DSTDIR/root/issue
cp -vf $SRCDIR/postinstall/snipe_alias.sh $DSTDIR/home/snipeit/.bashrc
cp -v $SRCDIR/postinstall/snipe_upgrade.sh $DSTDIR/etc/cron.weekly/snipe_upgrade.sh
cp -v $SRCDIR/postinstall/rc.local $DSTDIR/etc/rc.d/rc.local
cp -v $SRCDIR/postinstall/jail.local $DSTDIR/etc/fail2ban/jail.local
cp -v $SRCDIR/postinstall/fail2ban.local $DSTDIR/etc/fail2ban/fail2ban.local
cp -v $SRCDIR/postinstall/audit.rules $DSTDIR/etc/audit/rules.d/audit.rules
mkdir -v $DSTDIR/var/www/html/snipeit
rsync -rauv $SRCDIR/snipeit/ $DSTDIR/var/www/html/snipeit/
# Make scripts executable
chmod +x $DSTDIR/etc/profile.d/snipeit.sh
chmod +x $DSTDIR/etc/rc.d/rc.local
chmod +x $DSTDIR/usr/local/bin/snipeit_mail.setup.sh
chmod +x $DSTDIR/usr/local/bin/mariadb_pass_change.sh
chmod +x $DSTDIR/etc/cron.weekly/snipe_upgrade.sh
echo "Rebooting..."
%end
reboot