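###############################################################################
#
# Kickstart for DISA STIG for Red Hat Enterprise Linux 9
#
# Profile Description:
# This profile contains configuration checks that align to the
# DISA STIG for Red Hat Enterprise Linux 9 V1R3.
# In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
# configuration baseline as applicable to the operating system tier of
# Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as:
# - Red Hat Enterprise Linux Server
# - Red Hat Enterprise Linux Workstation and Desktop
# - Red Hat Enterprise Linux for HPC
# - Red Hat Storage
# - Red Hat Containers with a Red Hat Enterprise Linux 9 image
#
# Profile ID: xccdf_org.ssgproject.content_profile_stig
# Benchmark ID: xccdf_org.ssgproject.content_benchmark_RHEL-9
# Benchmark Version: 0.1.74
# XCCDF Version: 1.2
#
# This file was generated by OpenSCAP 1.4.0 using:
# $ oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_stig --fix-type kickstart /home/jcerny/work/git/scap-security-guide/build/ssg-rhel9-ds.xml
#
# This Kickstart is generated from an OpenSCAP profile without preliminary evaluation.
# It attempts to fix every selected rule, even if the system is already compliant.
#
# How to apply this Kickstart:
# Review the kickstart and customize it for your deployment.
# Pay attention to items marked as "required for security compliance".
# Install the operating system using this kickstart.
#
###############################################################################

# Default values for automated installation
lang en_US.UTF-8
keyboard --vckeymap us
timezone --utc America/New_York

# Root password is required for system rescue tasks.
# "changeme" is a placeholder written in plaintext into this file: replace it
# before deployment (a hashed value via --iscrypted, or --lock plus a separate
# administrative account), and do not leave the kickstart where it is world-readable.
rootpw changeme

# Create partition layout scheme (required for security compliance).
# Each path below gets its own logical volume so the profile's separate-file-system
# checks are satisfied; adjust sizes to the host, keep the split.
zerombr
clearpart --all --initlabel
reqpart --add-boot
part pv.01 --grow --size=1
volgroup system pv.01
logvol / --name=root --vgname=system --size=2000 --grow
logvol swap --name=swap --vgname=system --size=1000
logvol /home --name=home --vgname=system --size=1024
logvol /tmp --name=tmp --vgname=system --size=1024
logvol /var --name=var --vgname=system --size=3072
logvol /var/log --name=varlog --vgname=system --size=1024
logvol /var/log/audit --name=varlogaudit --vgname=system --size=10240
logvol /var/tmp --name=vartmp --vgname=system --size=1024

# Configure boot loader options (required for security compliance).
# Kernel parameters the profile expects: KPTI, no vsyscall page, page/slab
# poisoning, auditing enabled from boot with an enlarged backlog.
bootloader --append="pti=on vsyscall=none page_poison=1 slub_debug=P audit=1 audit_backlog_limit=8192"

# Disable and enable systemd services (required for security compliance)
services --disabled=debug-shell,autofs,kdump --enabled=pcscd,rsyslog,systemd-journald,firewalld,fapolicyd,chronyd,sshd,usbguard,auditd

# Packages selection (required for security compliance).
# Leading "-" excludes a package the profile requires to be absent.
%packages
openscap-scanner
scap-security-guide
aide
crypto-policies
sudo
gnutls-utils
nss-tools
rng-tools
subscription-manager
tmux
opensc
pcsc-lite
openssl-pkcs11
rsyslog-gnutls
rsyslog
firewalld
libreswan
policycoreutils-python-utils
policycoreutils
fapolicyd
s-nail
chrony
openssh-clients
openssh-server
usbguard
audispd-plugins
audit
-gssproxy
-iprutils
-tuned
-vsftpd
-sendmail
-nfs-utils
-ypserv
-rsh-server
-telnet-server
-tftp-server
-quagga
%end

# Perform OpenSCAP hardening (required for security compliance).
# --erroronfail aborts the installation when this script exits non-zero, so the
# final test below decides whether the install is allowed to complete.
%post --erroronfail
oscap xccdf eval --remediate \
  --results-arf /root/oscap_arf.xml \
  --report /root/oscap_report.html \
  --profile 'xccdf_org.ssgproject.content_profile_stig' \
  /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
rv=$?
# oscap exits 0 when every rule passes and 2 when at least one rule still fails
# after remediation; both leave a bootable system plus /root/oscap_report.html to
# review. Any other status (1 = evaluation error) fails the install. Capturing
# the status once avoids the deprecated "-o" form of test(1).
[ "$rv" -eq 0 ] || [ "$rv" -eq 2 ]
%end

# Reboot after the installation is complete
reboot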