fcaviggia / hardened-centos7-kickstart

DVD embedded Kickstart for CentOS 7 utilizing SCAP Security Guide (SSG) as a hardening script.

###############################################################################

Hardened CentOS 7 DVD CREATOR

This script was written by Frank Caviggia
Last update was 08 JAN 2019

Author: Frank Caviggia (fcaviggia@gmail.com)
Copyright: Frank Caviggia, (c) 2018
License: Apache License, Version 2.0

Description: Hardened Installation of CentOS 7

###############################################################################

ABOUT

Modifies a CentOS 7.3+ (1611) x86_64 DVD (tested with CentOS-7-x86_64-DVD-1810.iso) by embedding a kickstart that installs a system configured and hardened to meet government-level regulations.

NOTE: THE ROOT ACCOUNT IS LOCKED BY THE INSTALL. USE THE 'admin' ACCOUNT WITH 'sudo' INSTEAD.

The kickstart integrates the following components into a single installer:

CONTENT

createiso.sh - build script that remasters a CentOS 7.3+ ISO image with the kickstart embedded

/config - Kickstarts, Python, and RPMs needed to modify the image.

EFI/BOOT/

    grub.cfg - Menu Configuration for UEFI boot

isolinux/

    isolinux.cfg - Menu Configuration for BIOS (isolinux) boot of the Kickstart

hardening/

    hardened-centos.cfg

        Kickstart Configuration (Calls menu.py in %pre)

    menu.py

        Python Script that presents a graphical menu to modify the
        kickstart. Contains the "Profiles" for configuring the 
        system partitioning and packages.

    classification-banner.py

        Graphical Classification Banner (for GNOME Desktops User/
        Developer Workstation Profiles)

    supplemental.sh

        Additional system lockdowns (FIPS 140-2 Kernel Mode, GNOME,
        wheel group for root access, etc.)

    ovirt-engine-install.sh

        Script to install and configure Ovirt Manager.

    ovirt-kvm-preinstall.sh
    ovirt-kvm-postinstall.sh

        Scripts to install an Ovirt-attached KVM hypervisor. The pre-install
        script temporarily loosens settings so the system can be registered
        with Ovirt Manager: it allows root login and allows exec in /tmp.
        Run ovirt-kvm-postinstall.sh after the system has been added to
        Ovirt Manager. Both scripts are copied to /root after the kickstart
        install.

    iptables.sh (use with KVM and Ovirt hosts, uses iptables/ebtables)

        Configures the iptables firewall during the kickstart installation.
        Called from menu.py. The firewall is configured with the recommended
        ports for each product or profile. Copied to /root after the kickstart
        install. FirewallD is the default except on KVM systems.

    ipa-pam-configuration.sh

        Configures the system for IPA/IdM authentication by
        overwriting the pam.d configuration. Copied to /root
        after the kickstart install.

    scap-security-guide-*.el7.noarch.rpm

        SCAP Security Guide for implementing the DISA STIG profile on CentOS and Firefox.

    usbguard-*.x86_64.rpm

        USBGuard controls which USB devices the system is allowed to use.

HARDENING INFORMATION

The supplemental hardening script (supplemental.sh) applies the following lockdowns in addition to the SSG content:

  1. The kernel option for FIPS 140-2 mode is selectable from the kickstart menu

  2. Shell timeout (bash/csh) is 15 minutes of inactivity; vlock locks the CLI console (scripts are located under /etc/profile.d/autologout.{sh,csh})

  3. Membership in the 'wheel' group is required for privileged users other than root to run su - or sudo -i; the sudo credential timeout is 5 minutes

  4. Membership in the 'sshusers' group is required for SSH/SFTP access; users outside this group are limited to console access

  5. Additional software such as McAfee ePO/HBSS may be required to meet site policy

  6. Configure PTP or NTP for time synchronization (/etc/chrony.conf or /etc/ntp.conf)

  7. Configure rsyslog to forward logs to a centralized log server (/etc/rsyslog.conf)

  8. Create users:

    NOTE: The root user is locked now - use 'admin' user account with sudo instead of root.

    Local Console Access Only (Unprivileged)
    
           # useradd -m -c "Local User" localuser
    
    Remote Access (Unprivileged)
    
           # useradd -m -c "Remote User" -G sshusers remoteuser
    
    System Administrator (SA) (Privileged User)
    
           # useradd -m -c "System Administrator" -G sshusers,wheel admin

  9. Wireless is disabled in a number of ways with NetworkManager, including:

    a.) nmcli radio all off command in /etc/rc.local

    b.) dconf configuration to disable the creation of wireless networks:

    /etc/dconf/db/gdm.d/99-gnome-hardening
        [org.gnome.nm-applet]
        disable-wifi-create=true
    
    /etc/dconf/db/gdm.d/locks/99-gnome-hardening
        /org/gnome/nm-applet/disable-wifi-create
    
    /usr/share/glib-2.0/schemas/99_custom_settings.gschema.override
        [org.gnome.nm-applet]
        disable-wifi-create=true

    Generally, wireless should not be used on a DoD/IC system.
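The lockdowns in items 2, 3, 4 and 9 and the account classes in item 8 can be verified after installation with a small audit script. The script below (hardening-audit.sh, a hypothetical name) is an added example written for this page; it is not part of hardened-centos7-kickstart. It reads every file relative to a ROOT directory, so it runs against the live system or against a constructed test tree. It assumes enforcement mechanisms the list above does not spell out: that sshd restricts logins with an AllowGroups sshusers line, that /etc/sudoers carries a %wheel rule and timestamp_timeout=5, and that /etc/pam.d/su requires pam_wheel.so. The dconf and rc.local paths are the ones from item 9.

```shell
#!/bin/bash
# hardening-audit.sh: post-install audit of the supplemental lockdowns listed
# above. Added example for this page; not part of hardened-centos7-kickstart.
# Every check reads files under $ROOT (default: the live system) so the same
# functions can be run against a constructed directory tree.
#
# Assumed enforcement mechanisms (not stated in the list above):
#   - sshd restricts logins with "AllowGroups sshusers"
#   - /etc/sudoers grants "%wheel" and sets "timestamp_timeout=5"
#   - /etc/pam.d/su requires pam_wheel.so for "su -"

ROOT="${ROOT:-}"

# True if FILE (under $ROOT) has a non-comment line matching the ERE PATTERN.
cfg_has() {
    local file="$ROOT$1" pattern="$2"
    [ -r "$file" ] && grep -Ev '^[[:space:]]*#' "$file" | grep -Eq -- "$pattern"
}

# Item 2: 15 minute (900 s) read-only TMOUT in /etc/profile.d/autologout.sh
check_autologout() {
    cfg_has /etc/profile.d/autologout.sh '^[[:space:]]*((export|readonly)[[:space:]]+)?TMOUT=900([[:space:]]|$)' &&
    cfg_has /etc/profile.d/autologout.sh '^[[:space:]]*readonly[[:space:]]+TMOUT'
}

# Item 3: wheel gates su and sudo; the sudo credential cache expires after 5 minutes
check_wheel() {
    cfg_has /etc/pam.d/su '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so' &&
    cfg_has /etc/sudoers '^%wheel[[:space:]]' &&
    cfg_has /etc/sudoers 'timestamp_timeout=5([^0-9]|$)'
}

# Item 4: the sshusers group exists and sshd only admits its members
check_sshusers() {
    cfg_has /etc/group '^sshusers:' &&
    cfg_has /etc/ssh/sshd_config '^AllowGroups([[:space:]]+[^[:space:]]+)*[[:space:]]+sshusers([[:space:]]|$)'
}

# Item 9: radios switched off at boot and wifi creation locked in dconf
check_wireless() {
    cfg_has /etc/rc.local 'nmcli[[:space:]]+radio[[:space:]]+all[[:space:]]+off' &&
    cfg_has /etc/dconf/db/gdm.d/99-gnome-hardening '^disable-wifi-create=true' &&
    cfg_has /etc/dconf/db/gdm.d/locks/99-gnome-hardening '^/org/gnome/nm-applet/disable-wifi-create'
}

# Item 8: classify every local account (UID >= 1000) by its sshusers and wheel
# membership in /etc/group. Prints "user console|remote privileged|unprivileged".
access_report() {
    local ssh_members wheel_members
    ssh_members=$(awk -F: '$1 == "sshusers" { print $4 }' "$ROOT/etc/group")
    wheel_members=$(awk -F: '$1 == "wheel" { print $4 }' "$ROOT/etc/group")
    awk -F: -v ssh=",$ssh_members," -v wheel=",$wheel_members," '
        $3 >= 1000 && $1 != "nfsnobody" {
            access = index(ssh, "," $1 ",") ? "remote" : "console"
            priv   = index(wheel, "," $1 ",") ? "privileged" : "unprivileged"
            print $1, access, priv
        }' "$ROOT/etc/passwd"
}

# Run every check; the exit status is non-zero if any of them fails.
run_audit() {
    local rc=0 name
    for name in autologout wheel sshusers wireless; do
        if "check_$name"; then echo "PASS $name"; else echo "FAIL $name"; rc=1; fi
    done
    return "$rc"
}

case "${1:-}" in
    audit)  run_audit ;;
    report) access_report ;;
esac
```

Run `ROOT=/ ./hardening-audit.sh audit` as a user that can read /etc/sudoers and /etc/ssh/sshd_config (both are root-only), and `./hardening-audit.sh report` to list which local accounts fall into the console-only, remote and privileged classes from item 8. Comment lines are ignored, so a check only passes when the setting is actually active, not merely present in a commented default.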

EXAMPLE

./createiso.sh CentOS-7-x86_64-DVD-1601-01.iso

Mounting CentOS DVD Image...
mount: /dev/loop1 is write-protected, mounting read-only
Done.
Copying CentOS DVD Image...
Done.
Modifying CentOS DVD Image...
Done.
Remastering CentOS DVD Image...
...
 0.23% done, estimate finish Wed Feb 10 07:34:24 2016
 0.46% done, estimate finish Wed Feb 10 07:37:59 2016
 0.70% done, estimate finish Wed Feb 10 07:36:47 2016
 0.93% done, estimate finish Wed Feb 10 07:36:11 2016
 1.16% done, estimate finish Wed Feb 10 07:35:50 2016
 1.39% done, estimate finish Wed Feb 10 07:35:35 2016
 1.62% done, estimate finish Wed Feb 10 07:35:25 2016
 1.85% done, estimate finish Wed Feb 10 07:35:17 2016
 2.09% done, estimate finish Wed Feb 10 07:35:11 2016
 2.32% done, estimate finish Wed Feb 10 07:35:07 2016
 2.55% done, estimate finish Wed Feb 10 07:35:03 2016
 2.78% done, estimate finish Wed Feb 10 07:34:59 2016
 3.01% done, estimate finish Wed Feb 10 07:34:57 2016
 3.24% done, estimate finish Wed Feb 10 07:34:54 2016
 3.48% done, estimate finish Wed Feb 10 07:34:52 2016
 3.71% done, estimate finish Wed Feb 10 07:34:50 2016
 3.94% done, estimate finish Wed Feb 10 07:34:49 2016
 4.17% done, estimate finish Wed Feb 10 07:34:47 2016
 4.40% done, estimate finish Wed Feb 10 07:34:46 2016
 4.63% done, estimate finish Wed Feb 10 07:34:45 2016
 4.87% done, estimate finish Wed Feb 10 07:34:44 2016
 5.10% done, estimate finish Wed Feb 10 07:34:43 2016
 5.33% done, estimate finish Wed Feb 10 07:34:42 2016
 5.56% done, estimate finish Wed Feb 10 07:34:41 2016

...

99.87% done, estimate finish Wed Feb 10 07:34:35 2016
Total translation table size: 2048
Total rockridge attributes bytes: 417876
Total directory bytes: 712704
Path table size(bytes): 158
Max brk space used 3af000
2157808 extents written (4214 MB)
Done.
Signing CentOS DVD Image...
Inserting md5sum into iso image...
md5 = e526291fc5ff0c83a7de64c183f27b78
Inserting fragment md5sums into iso image...
fragmd5 = 631648db156318da3cf5aef0db4d65efa7a774fcceabc45e9ecd7476f22b
frags = 20
Setting supported flag to 0
Done.
DVD Created. [hardened-centos7-x86_64.iso]