# Kickstart file automatically generated by anaconda. install url --url=ftp://kickstart.example.com/install/CentOS/x86_64/5.3/ lang en_US.UTF-8 # Use text mode install text keyboard us network --device eth0 --bootproto static --ip 192.168.101.161 --netmask 255.255.255.0 --gateway 192.168.101.1 --nameserver 192.168.101.14 --hostname guineapig.example.com reboot rootpw --iscrypted afdafsf0saf87 firewall --enabled --port=22:tcp authconfig --enableshadow --enablemd5 selinux --enforcing timezone --utc America/Chicago bootloader --location=mbr --driveorder=sda # The following is the partition information you requested # Note that any partitions you deleted are not expressed # here so unless you clear all partitions first, this is # not guaranteed to work clearpart --all --initlabel part / --fstype ext3 --size 7683 part swap --fstype swap --size 509 %packages --nobase --ignoremissing @editors @core bind-utils.x86_64 bind-libs.x86_64 telnet.x86_64 mailx.x86_64 vixie-cron.x86_64 audit.x86_64 man.x86_64 wget.x86_64 sendmail.x86_64 sudo.x86_64 openldap-clients.x86_64 nss_ldap.x86_64 ntp.x86_64 %post ### System Configuration Files Section ### yum update -y # Update default hasing algorith for userPasswords authconfig --passalgo=sha512 --update # /etc/nsswitch.conf cat << EOF1 > /etc/nsswitch.conf # # /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Legal entries are: # # nisplus or nis+ Use NIS+ (NIS version 3) # nis or yp Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far # # To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd: db files nisplus nis #shadow: db files nisplus nis #group: db files nisplus nis passwd: files ldap shadow: files ldap group: files ldap #hosts: db files nisplus nis dns hosts: files dns # Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files rpc: files services: files netgroup: nisplus publickey: nisplus automount: files nisplus aliases: files nisplus nss_base_passwd ou=people,dc=example,dc=com?one nss_base_shadow ou=people,dc=example,dc=com?one nss_base_group ou=people,dc=example,dc=com?one EOF1 # /etc/resolv.conf cat << EOF2 > /etc/resolv.conf # Created by Dan Burkland 8/17/2009 domain example.com search example.com nameserver 192.168.101.14 EOF2 # /etc/ssh/sshd_config cat << EOF3 > /etc/ssh/sshd_config #$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. Port 22 #Protocol 2,1 Protocol 2 #AddressFamily any ListenAddress 192.168.101.161 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: LoginGraceTime 1m PermitRootLogin no #StrictModes yes MaxAuthTries 4 #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no UsePAM yes # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no # no default banner path Banner /etc/issue # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server EOF3 # /etc/pam.d/system-auth cat << EOF4 > /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_ldap.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so auth required pam_tally2.so deny=3 onerr=fail unlock_time=60 account sufficient pam_ldap.so account required pam_unix.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so account required pam_tally2.so per_user password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_ldap.so password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session optional pam_ldap.so session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so EOF4 # /etc/hosts cat << EOF5 > /etc/hosts 127.0.0.1 localhost localhost.localdomain guineapig.example.com guineapig EOF5 # /etc/issue cat << EOF6 > /etc/issue WARNING This System is for the use of authorized users only. Individuals using this computer without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials. EOF6 # /etc/crontab modifications for NTP & Auditd log rotation cat << EOF7 >> /etc/crontab 00 23 * * * root ntpdate north-america.pool.ntp.org 00 0 * * * root /etc/init.d/auditd rotate EOF7 # /etc/ldap.conf cat << EOF8 > /etc/ldap.conf # /etc/ldap.conf - Created by: Dan Burkland 8/17/2009 uri ldaps://ldap.example.com base dc=example,dc=com timelimit 30 TLS_CACERT /etc/pki/tls/certs/cacert.pem ssl on nss_initgroups_ignoreusers root,haldaemon,dbus,ldap EOF8 # /etc/pki/tls/certs/cacert.pem cat << EOF9 > /etc/pki/tls/certs/cacert.pem Certificate contents go here EOF9 rm -f /etc/openldap/ldap.conf ln -s /etc/ldap.conf /etc/openldap/ldap.conf # Create /usr/bin/yum-check and make it executable cat << EOF10 > /usr/bin/yum-check #!/bin/sh # # Name: yum-check # Author: Michael Heiming - 2005-03-11 # Function: Run from cron to check for yum updates # and mail results # Version: 0.7 (initial) # 2005-03-12 0.8 randomize startup (cron only) # Config: /etc/sysconfig/yum # Pull in sysconfig settings . /etc/sysconfig/yum-check maila=${MAILTO:=root} yumdat="/tmp/yum-check-update.$$" yumb="/usr/bin/yum" # wait a random interval if there is not a controlling terminal, # for load management if ! [ -t ] then num=$RANDOM let "num %= ${RANGE:=1}" sleep $num fi rm -f ${yumdat%%[0-9]*}* $yumb check-update >& $yumdat yumstatus="$?" case $yumstatus in 100) cat $yumdat |\ mail -s "Alert ${HOSTNAME} updates available!" $maila exit 0 ;; 0) # Only send mail if debug is turned on if [ ${CHECKWRK} = "yes" ];then cat $yumdat |\ mail -s "Yum check succeeded ${HOSTNAME} zero patches available." $maila fi exit 0 ;; *) # Unexpected yum return status (echo "Undefined, yum return status: ${yumstatus}" && \ [ -e "${yumdat}" ] && cat "${yumdat}" )|\ mail -s "Alert ${HOSTNAME} problems running yum." $maila esac [ -e "${yumdat}" ] && rm ${yumdat} EOF10 chmod +x /usr/bin/yum-check # Create yum-check cronjob and make script executable cat << EOF11 > /etc/cron.daily/yum.cron #!/bin/sh # Pull in sysconfig settings . /etc/sysconfig/yum-check if [ -f /var/lock/subsys/yum ]; then if [ ${CHECKONLY} = "yes" ];then /usr/bin/yum-check fi else /usr/bin/yum -R 10 -e 0 -d 0 -y update yum /usr/bin/yum -R 120 -e 0 -d 0 -y update fi EOF11 chmod +x /etc/cron.daily/yum.cron # Create yum-check configuration file cat << EOF12 > /etc/sysconfig/yum-check # yes sets yum to check for updates and mail only if patches are available # no does enable autoupdate if /var/lock/subsys/yum is available CHECKONLY="yes" # defaults to root, leave empty if .forward/alias in place for root MAILTO="dan@example.com" # Set to yes for debugging only! You'll get a mail for each run! CHECKWRK="no" # Seconds to randomize startup, if running from cron to balance load RANGE="3600" EOF12 # Change logrotate to rotate daily instead of weekly cat << EOF13 > /etc/logrotate.conf # see "man logrotate" for details # rotate log files weekly daily # keep 4 days worth of backlogs rotate 4 # create new (empty) log files after rotating old ones create # uncomment this if you want your log files compressed #compress # RPM packages drop log rotation information into this directory include /etc/logrotate.d # no packages own wtmp -- we'll rotate them here /var/log/wtmp { monthly minsize 1M create 0664 root utmp rotate 1 } # system-specific logs may be also be configured here. EOF13 # IPtables rule configuration cat << EOF14 > /etc/sysconfig/iptables *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT COMMIT EOF14 # Disable USB mass storage module cat << EOF15 > /etc/modprobe.d/blacklist-usbstorage blacklist usb-storage EOF15 # Restrict access to the "/root" folder chmod 700 /root # Set default umask to 077 sed -i 's/022/077/' /etc/bashrc sed -i 's/022/077/' /etc/csh.cshrc # Log out idle users after 15 minutes cat << EOF16 > /etc/profile.d/autologout readonly TMOUT=900 readonly HISTFILE EOF16 # Make the os-security.sh executable chmod +x /etc/profile.d/autologout # Enable security-related sysctls cat << EOF17 > /etc/sysctl.conf # Kernel sysctl configuration file for Red Hat Linux # # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and # sysctl.conf(5) for more details. # Controls IP packet forwarding net.ipv4.ip_forward = 0 # Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename # Useful for debugging multi-threaded applications kernel.core_uses_pid = 1 Controls the maximum size of a message, in bytes kernel.msgmnb = 65536 # Controls the default maxmimum size of a mesage queue kernel.msgmax = 65536 # Controls the maximum shared segment size, in bytes kernel.shmmax = 68719476736 # Controls the maximum number of shared memory segments, in pages kernel.shmall = 4294967296 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.tcp_max_syn_backlog = 1280 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.tcp_timestamps = 0 EOF17 # /etc/sudoers cat << EOF18 > /etc/sudoers ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhap using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem ## Command Aliases ## These are groups of related commands... ## Networking Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig ## Updating the locate database Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # # Disable "ssh hostname sudo ", because it will show the password in clear. # You have to run "ssh -t hostname sudo ". # Defaults requiretty Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \ LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \ LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \ LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \ _XKB_CHARSET XAUTHORITY" ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL example ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now EOF18 # /etc/nscd.conf cat << EOF19 > /etc/nscd.conf server-user nscd debug-level 0 reload-count unlimited paranoia no enable-cache passwd yes positive-time-to-live passwd 3600 negative-time-to-live passwd 20 suggested-size passwd 211 check-files passwd yes persistent passwd yes shared passwd yes max-db-size passwd 33554432 enable-cache group yes positive-time-to-live group 3600 negative-time-to-live group 60 suggested-size group 211 check-files group yes persistent group yes shared group yes max-db-size group 33554432 enable-cache hosts no EOF19 # Permantely prevent IPv6 module from being loaded cat << EOF20 > /etc/modprobe.d/disableipv6 install ipv6 /bin/true EOF20 # Disable another IPv6 related setting cat << EOF21 >> /etc/sysconfig/network NETWORKING_IPV6=no EOF21 # Set secure permissions on /etc/sudoers file chmod 440 /etc/sudoers # Set secure permissions on /bin/su chmod 700 /bin/su # Enable/Disable necessary services chkconfig sendmail on chkconfig auditd on chkconfig nscd on chkconfig ip6tables off chkconfig multipathd off chkconfig netconsole off chkconfig netfs off chkconfig netplugd off chkconfig rdisc off