qemu-packer-centos
# SCAP Security Guide profile kickstart for Red Hat Enterprise Linux 7 Server
# Version: 0.0.2
# Date: 2015-08-02
#
# Based on:
# http://fedoraproject.org/wiki/Anaconda/Kickstart
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
#
# Used on this page as the unattended-install file for a CentOS 7 Packer/QEMU
# build: the packer template serves it to the installer over HTTP as
# nist-cent7.ks. It partitions the disk and installs a minimal system only; the
# org_fedora_oscap addon further down is commented out, so no SCAP/OSCAP
# remediation runs during the install despite the file's name. Hardening is
# left to the provisioners that run afterwards.
# Install a fresh new system (optional)
install
# Set language to use during installation and the default language to use on the installed system (required)
lang en_US.UTF-8
# Text-mode install, no X configuration, EULA pre-accepted for unattended use
text
skipx
eula --agreed
# Set system keyboard type / layout (required)
keyboard us
# Configure network information for target system and activate network devices in the installer environment (optional)
# --onboot enable device at a boot time
# --device device to be activated and / or configured with the network command
# --bootproto method to obtain networking configuration for device (default dhcp)
# --noipv6 disable IPv6 on this device
network --onboot yes --device eth0 --bootproto dhcp --noipv6
# Set the system's root password (required)
# Plaintext password is: server
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
# NOTE(review): the plaintext is disclosed here and is the same value the packer
# template on this page uses as ssh_pass, i.e. this is a build-time credential
# only. It must not survive into a published image: the last provisioning step
# should lock or rotate root (note that `passwd -d`, as used by the provisioner
# on this page, removes the password rather than locking the account).
rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
# Configure firewall settings for the system (optional)
# --enabled reject incoming connections that are not in response to outbound requests
# --ssh allow sshd service through the firewall
# NOTE(review): neither option documented above is used; --disable turns the host
# firewall off on the installed system, so any filtering has to come from the
# later hardening roles or the surrounding (cloud) network. This is presumably a
# deviation from the SCAP baseline this file is named after — confirm it is
# re-enabled by provisioning before the image is published.
firewall --disable
# Set up the authentication options for the system (required)
# --enableshadow enable shadowed passwords by default
# --passalgo hash / crypt algorithm for new passwords
# See the manual page for authconfig for a complete list of possible options.
authconfig --enableshadow --passalgo=sha512
# Boot-time service state: sshd on (the packer build connects over SSH), chronyd off.
# NOTE(review): with chronyd disabled this file configures no time source; confirm
# one is provided later (hypervisor or provisioning), since log and audit
# timestamps depend on it.
services --disabled="chronyd" --enabled="sshd"
# State of SELinux on the installed system (optional)
# Defaults to enforcing
selinux --enforcing
# Set the system time zone (required); --utc keeps the hardware clock in UTC
timezone --utc America/New_York
# Specify how the bootloader should be installed (required)
# --password protects interactive editing of GRUB entries at boot
# Plaintext password is: password
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
# NOTE(review): as with rootpw, the plaintext is published in this file; treat it
# as a build-time value and rotate it if the image is distributed.
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0
# Initialize (format) all disks (optional)
zerombr
# The following partition layout scheme assumes disk of size 20GB or larger
# Modify size of partitions appropriately to reflect actual machine's hardware
# (the volumes below add up to just under the 20512M disk the packer template
# provides, so grow the disk before enlarging any of them)
#
# Remove Linux partitions from the system prior to creating new ones (optional)
# --linux erase all Linux partitions
# --initlabel initialize the disk label to the default based on the underlying architecture
# Only touch the first virtio disk; matches disk_interface=virtio in the packer template
ignoredisk --only-use=vda
clearpart --linux --initlabel
# Non-root automation account. No password is set here; the packer provisioners
# install an SSH public key into /home/centos/.ssh after the install.
user --name=centos --uid=2222 --gid=2000 --gecos=automated
# Create primary system partitions (required for installs)
part /boot --fstype=xfs --size=512
part pv.01 --grow --size=1
# Create a Logical Volume Management (LVM) group (optional)
volgroup VolGroup --pesize=4096 pv.01
# Create particular logical volumes (optional)
logvol / --fstype=xfs --name=rootfs --vgname=VolGroup --size=12288
# CCE-26557-9: Ensure /home Located On Separate Partition
# NOTE(review): /home and /var are mounted nodev only; confirm against the target
# profile whether nosuid is expected on /home as well.
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26435-8: Ensure /tmp Located On Separate Partition
# nodev,noexec,nosuid: nothing in /tmp can be executed or carry set-uid bits
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
# CCE-26639-5: Ensure /var Located On Separate Partition
# -n ftype=1 is passed explicitly to mkfs.xfs for /var — presumably for
# overlay/container storage under /var; verify before changing
logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --mkfsoptions="-n ftype=1" --fsoptions="nodev"
# CCE-26215-4: Ensure /var/log Located On Separate Partition
logvol /var/log --fstype=xfs --name=var_log --vgname=VolGroup --size=1024 --fsoptions="nodev"
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
logvol /var/log/audit --fstype=xfs --name=var_log_audit --vgname=VolGroup --size=512 --fsoptions="nodev"
logvol swap --name=lv_swap --vgname=VolGroup --size=2016
# SCAP addon left disabled: no profile is applied at install time (see header).
# Re-enable this stanza to have the installer apply the named profile itself.
#%addon org_fedora_oscap
# content-type = scap-security-guide
# profile = ospp-rhel7-server
#%end
# Packages selection (%packages section is required)
%packages
# Minimal environment plus the core group (the original comment referred to
# 'Server with GUI', which is not what is selected). The firmware packages below
# are excluded: wireless/HBA firmware has no use in a VM image.
@^minimal
@core
-aic94xx-firmware
-atmel-firmware
-b43-openfwwf
-bfa-firmware
-ipw2100-firmware
-ipw2200-firmware
-ivtv-firmware
-iwl100-firmware
-iwl1000-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6000g2a-firmware
-iwl6050-firmware
-libertas-usb8388-firmware
-ql2100-firmware
-ql2200-firmware
-ql23xx-firmware
-ql2400-firmware
-ql2500-firmware
-rt61pci-firmware
-rt73usb-firmware
-zd1211-firmware
# Explicitly requested: privilege escalation, logging and the SSH daemon the
# packer build (and the sshd service enabled above) rely on
sudo
rsyslog
openssh-server
# Install selected additional packages (the original comment attributed this to
# the PCI-DSS profile; the disabled addon above names ospp-rhel7-server)
# CCE-27024-9: Install AIDE
# NOTE(review): AIDE is only installed here — nothing on this page initialises its
# database or schedules checks, so that must happen in provisioning.
aide
%end # End of %packages section
# Post-install script. The log name suggests an OSCAP run, but only a package
# update happens here because the addon is commented out. yum needs network
# access from the installer, and the resulting image depends on the mirror
# state at build time.
%post --log /root/oscap.log
# Apply every update available at build time
yum update -y
%end # End of %post section
# Reboot after the installation is complete (optional)
# --eject attempt to eject CD or DVD media before rebooting
reboot --eject
{
"variables": {
"ssh_name": "root",
"ssh_pass": "server"
},
"builders": [{
"boot_command": [
"<esc>",
"<tab> linux text ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/nist-cent7.ks<enter>"
],
"type": "qemu",
"headless": false,
"disk_size": "20512M",
"accelerator": "kvm",
"format": "qcow2",
"qemuargs": [
[ "-m", "2048M" ],
[ "-M", "q35" ],
[ "-vga", "virtio"],
[ "-smp", "cpus=2,maxcpus=16,cores=4" ]
],
"vm_name": "packer-build",
"ssh_pty" : "true",
"iso_checksum_type": "none",
"iso_url": "/home/kondor6c/mnt/virt/CentOS-7-x86_64-Minimal-1908/CentOS-7-x86_64-Minimal-1908.iso",
"iso_checksum": "9a2c47d97b9975452f7d582264e9fc16d108ed8252ac6816239a3b58cef5c53d",
"output_directory": "cent-qemu-shell",
"boot_wait": "1s",
"disk_interface": "virtio",
"net_device": "virtio-net",
"http_directory": "httpdir",
"ssh_username": "{{user `ssh_name`}}",
"ssh_password": "{{user `ssh_pass`}}",
"ssh_port": "22",
"ssh_wait_timeout": "750s",
"shutdown_command": "echo {{ user `ssh_pass` }} |sudo -S /sbin/shutdown -h -F now "
}],
"provisioners": [
{
"type": "file",
"source": "/home/kondor6c/.ssh/id_ed25519.pub",
"destination": "/tmp/authorized_keys"
},
{
"type": "shell",
"remote_path": "/usr/local/bin/hashicorp_packer_init.sh",
"inline": [
"mkdir /home/centos/.ssh",
"chmod 700 /home/centos/.ssh",
"mv /tmp/authorized_keys /home/centos/.ssh/authorized_keys",
"chown centos:centos /home/centos/.ssh -R",
"chmod 0600 /home/centos/.ssh/authorized_keys",
"yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm",
"yum -y install python2-pip cloud-init cloud-utils-growpart dracut-modules-growroot ansible tmux libselinux-python rsync curl lsof ",
"passwd -d root"
]
},
"post-processors": [ {
"type": "amazon-import",
"access_key": "{{ user `aws_access_key_id` }}",
"secret_key": "{{ user `aws_secret_access_key` }}",
"region": "{{ user `aws_default_region` }}",
"s3_bucket_name": "cloud-operations",
"license_type": "BYOL",
"ami_description": "generated from iso",
"ami_kms_key": "aws/ebs",
"ami_name": "centos7-iso-ansible",
"ami_users": "{{ user `acct_ids` }}",
"s3_encryption": "aws:kms"
"tags": { "Description": "packer amazon import " }
} ]
]
}
{
"variables": {
"ssh_name": "root",
"ssh_pass": "server"
},
"builders": [{
"boot_command": [
"<esc>",
"<tab> linux text ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/nist-cent7.ks<en ter>"
],
"type": "qemu",
"headless": true,
"disk_size": 20512,
"accelerator": "kvm",
"format": "qcow2",
"qemuargs": [
[ "-m", "2048M" ],
[ "-smp", "cpus=2,maxcpus=16,cores=4" ]
],
"vm_name": "packer-build",
"ssh_pty" : "true",
"iso_checksum_type": "none",
"iso_url": "CentOS-7-x86_64-Minimal-1908.iso",
"iso_checksum": "9a2c47d97b9975452f7d582264e9fc16d108ed8252ac6816239a3b58cef 5c53d",
"output_directory": "cent-qemu-shell",
"boot_wait": "1s",
"disk_interface": "virtio",
"net_device": "virtio-net",
"http_directory": "httpdir",
"ssh_username": "{{user `ssh_name`}}",
"ssh_password": "{{user `ssh_pass`}}",
"ssh_port": "22",
"ssh_wait_timeout": "750s",
"shutdown_command": "echo {{ user `ssh_pass` }} |sudo -S /sbin/shutdown -h - F now "
}],
"provisioners": [
{
"type": "file",
"source": "/home/kondor6c/.ssh/id_ed25519.pub",
"destination": "/tmp/authorized_keys"
},
{
"type": "shell",
"remote_path": "/usr/local/bin/hashicorp_packer_init.sh",
"inline": [
"rpm -ql centos-release |grep 'yum.repos.d/*repo' |xargs -I{} rm -f {}",
"mkdir /home/centos/.ssh",
"chmod 700 /home/centos/.ssh",
"mv /tmp/authorized_keys /home/centos/.ssh/authorized_keys",
"chown centos:centos /home/centos/.ssh -R",
"chmod 0600 /home/centos/.ssh/authorized_keys"
]
},
{
"type": "shell",
"remote_path": "/home/centos/ansible.sh",
"inline": [
"rpm -ql centos-release |grep 'yum.repos.d/*repo' |xargs -I{} rm -f {}",
"ls /etc/yum.repos.d/*repo",
"rm -f /etc/yum.repos.d/CentOS-*",
"ls /etc/yum.repos.d/*repo | xargs -I{} cat {}",
"yum install --nogpgcheck -y cloud-init ansible"
]
},
{
"type": "ansible-local",
"playbook_file": "ansible/playbooks/image_build.yml",
"group_vars": "ansible/group_vars/",
"extra_arguments": [
"--skip-tags futures,storage,runtime"
],
"host_vars": "ansible/host_vars/machine__local",
"role_paths": [
"ansible/roles/ansible_linux_common",
"ansible/roles/cloud-operations",
"ansible/roles/ansible_linux_hardening"
],
"clean_staging_directory": "true",
"staging_directory": "/root/ansible",
"inventory_file": "ansible/inventory/local.ini"
},
{
"type": "shell",
"remote_path": "/home/centos/reboot.sh",
"expect_disconnect": "true",
"inline": [
"echo 'tests the ability for the machine to come back online after grub, sysctl, audit changes'",
"shutdown -r -F now"
]
},
{
"type": "ansible-local",
"pause_before": "15s",
"playbook_file": "ansible/playbooks/container_users.yml",
"group_vars": "ansible/group_vars/",
"host_vars": "ansible/host_vars/machine__local",
"role_paths": [
"ansible/roles/ansible_linux_common",
"ansible/roles/linux_container_deploy"
],
"clean_staging_directory": "true",
"staging_directory": "/root/ansible",
"inventory_file": "ansible/inventory/local.ini"
},
{
"type": "shell",
"remote_path": "/home/centos/last-step.sh",
"inline": [
"restorecon -R /",
"passwd -d root"
]
}
],
"post-processors": [
{
"type": "shell-local",
"script": "./helper_convert_to_vmdk.sh"
},
{
"type": "artifice",
"files": "centos-kvm-shell.vmdk"
},
{
"type": "amazon-import",
"access_key": "{{ user `aws_access_key_id` }}",
"secret_key": "{{ user `aws_secret_access_key` }}",
"region": "{{ user `aws_default_region` }}",
"ami_users": "{{ user `aws_acct_ids` }}",
"s3_bucket_name": "bucket",
"license_type": "BYOL",
"ami_description": "generated from iso",
"ami_name": "centos7-iso-ansible",
"tags": { "Description": "packer amazon import " }
}
]
}