Last active
August 7, 2024 11:35
-
-
Save ares/ffdb060ac44a809db14f9a75e81a4408 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### PARTITION TABLE START | |
| # Create partition layout scheme (required for security compliance) | |
| zerombr | |
| clearpart --all --initlabel | |
| reqpart --add-boot | |
| part pv.01 --grow --size=1 | |
| volgroup system pv.01 | |
| logvol / --name=root --vgname=system --size=2000 --grow | |
| logvol swap --name=swap --vgname=system --size=1000 | |
| logvol /home --name=home --vgname=system --size=1024 | |
| logvol /tmp --name=tmp --vgname=system --size=1024 | |
| logvol /var --name=var --vgname=system --size=3072 | |
| logvol /var/log --name=varlog --vgname=system --size=1024 | |
| logvol /var/log/audit --name=varlogaudit --vgname=system --size=10240 | |
| logvol /var/tmp --name=vartmp --vgname=system --size=1024 | |
| ### PARTITION TABLE END | |
| ### BOOTLOADER START (we need to parse append section from this and merge it with our defaults) | |
| # Configure boot loader options (required for security compliance) | |
| bootloader --append="audit=1 audit_backlog_limit=8192" | |
| ### BOOTLOADER END | |
| ### SERVICES START (our default list is different and is not customizable) | |
| ### services --disabled gpm,sendmail,cups,pcmcia,isdn,rawdevices,hpoj,bluetooth,openibd,avahi-daemon,avahi-dnsconfd,hidd,hplip,pcscd | |
| # Disable and enable systemd services (required for security compliance) | |
| services --disabled=nftables,bluetooth,autofs,avahi-daemon,rpcbind,nfs-server,cups --enabled=systemd-journald,firewalld,crond,auditd | |
| ### SERVICES END | |
| ### PACKAGES START (will need to ve appedended to our part | |
| # Packages selection (required for security compliance) | |
| %packages | |
| openscap-scanner | |
| scap-security-guide | |
| aide | |
| sudo | |
| libpwquality | |
| systemd-journal-remote | |
| firewalld | |
| nftables | |
| libselinux | |
| audit-libs | |
| audit | |
| -gdm | |
| -mcstrans | |
| -setroubleshoot | |
| -dhcp-server | |
| -dnsmasq | |
| -bind | |
| -ftp | |
| -vsftpd | |
| -httpd | |
| -nginx | |
| -cyrus-imapd | |
| -dovecot | |
| -openldap-clients | |
| -rsync-daemon | |
| -xinetd | |
| -ypbind | |
| -ypserv | |
| -telnet-server | |
| -telnet | |
| -tftp-server | |
| -tftp | |
| -squid | |
| -samba | |
| -net-snmp | |
| -xorg-x11-server-common | |
| %end | |
| ### PACKAGES END | |
| ### POST START (need to be inserted somewhere in our %post) | |
| # Perform OpenSCAP hardening (required for security compliance) | |
| %post --erroronfail | |
| oscap xccdf eval --remediate --results-arf /root/oscap_arf.xml --report /root/oscap_report.html --profile 'xccdf_org.ssgproject.content_profile_cis' /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml | |
| [ $? -eq 0 -o $? -eq 2 ] || exit 1 | |
| %end | |
| ### POST END |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment