├── Authors ├── CentOS-6-x86_64-OpenNebula.cfg ├── LICENSE ├── README.md ├── basic-desktop.cfg ├── batata.cfg ├── centos-test.cfg ├── centos4-raid0.cfg ├── centos4-raid1.cfg ├── centos4-raid5.cfg ├── centos5-raid0.cfg ├── centos5-raid1.cfg ├── centos5-raid5.cfg ├── centos6-nocps-raid1.cfg ├── centos6-nocps-standard.cfg ├── centos6-raid0-ext4.cfg ├── centos6-raid0.cfg ├── centos6-raid1-ext4.cfg ├── centos6-raid1.cfg ├── centos6-raid5-ext4.cfg ├── centos6-raid5.cfg ├── centos7-minimal.cfg ├── everything.cfg ├── ks-centos5-64.cfg ├── ks-minimalC5-32.cfg ├── ks-minimalC5-64.cfg ├── ks-minimalC6.cfg ├── kvm-host.cfg ├── lan-cluster-node.cfg ├── near-everything.cfg ├── secure-kickstart.cfg └── workstation-ks.cfg /Authors: -------------------------------------------------------------------------------- 1 | People who have contributed to these kickstarts 2 | Last updated: 2010-04-08 3 | 4 | Karanbir Singh 5 | Jim Perrin 6 | Miguel Filho 7 | Phil Schaffner 8 | Manuel Wolfshant 9 | Akemi Yagi 10 | Baptiste AGASSE 11 | Stephen J Smoogen 12 | Fabian 13 | -------------------------------------------------------------------------------- /CentOS-6-x86_64-OpenNebula.cfg: -------------------------------------------------------------------------------- 1 | # Build a basic CentOS 6 Image for OpenNebula 2 | lang en_US.UTF-8 3 | keyboard us 4 | timezone UTC 5 | auth --useshadow --enablemd5 6 | selinux --permissive 7 | firewall --enabled --ssh 8 | bootloader --timeout=1 9 | network --bootproto=dhcp --device=eth0 --onboot=on 10 | services --enabled=network 11 | zerombr yes 12 | clearpart --all 13 | part / --grow --size 1 --fstype ext3 14 | rootpw --iscrypted $1$xNiXY22.$U1axaH.1SkO6zy8YAqX4S/ 15 | poweroff 16 | 17 | # Repositories 18 | repo --name=CentOS6-Base --baseurl=http://mirrors.karan.org/centos/6/os/x86_64/ 19 | repo --name=CentOS6-Updates --baseurl=http://mirrors.karan.org/centos/6/updates/x86_64/ 20 | repo --name=CentOS-ONE --baseurl=https://nazar.karan.org/results/opennebula/ 21 

#
# Add all the packages after the base packages
#
# --nobase: the @base group is not pulled in, so every package the image
# needs has to be named explicitly below.
# --instLangs=en --excludedocs: install English locale data only and skip
# package documentation, which keeps the image small.
%packages --nobase --instLangs=en --excludedocs
@core
# Firewall / SELinux management tools; the command section sets
# "selinux --permissive" and "firewall --enabled --ssh", so only the ssh
# port is open after install.
system-config-securitylevel-tui
system-config-firewall-base
audit
pciutils
bash
coreutils
kernel
grub
e2fsprogs
passwd
policycoreutils
chkconfig
rootfiles
yum
vim-minimal
acpid
# sshd is the only remote-access service in this image. Nothing in %post
# touches sshd_config, so root logs in with the rootpw hash given in the
# command section (e.g. PermitRootLogin is left at the package default).
openssh-clients
openssh-server
curl

# Allow for dhcp access ("network --bootproto=dhcp" in the command section)
dhclient
iputils

# Firmware packages we do not want: this image is built for OpenNebula, so
# presumably it runs as a VM with no physical NIC/HBA needing them, and
# dropping them keeps the image small.
-kernel-firmware
-xorg-x11-drv-ati-firmware
-iwl6000g2a-firmware
-aic94xx-firmware
-iwl6000-firmware
-iwl100-firmware
-ql2200-firmware
-libertas-usb8388-firmware
-ipw2100-firmware
-atmel-firmware
-iwl3945-firmware
-ql2500-firmware
-rt61pci-firmware
-ipw2200-firmware
-iwl6050-firmware
-iwl1000-firmware
-bfa-firmware
-iwl5150-firmware
-iwl5000-firmware
-ql2400-firmware
-rt73usb-firmware
-ql23xx-firmware
-iwl4965-firmware
-ql2100-firmware
-ivtv-firmware
-zd1211-firmware

# for opennebula: the guest contextualisation package, presumably served by
# the CentOS-ONE repo declared in the command section
opennebula-context

%end

#
# Add custom post scripts after the base post.
87 | # 88 | %post 89 | sed -i -e 's/^ACTIVE_CONSOLES=\/dev\/tty\[1-6\]/ACTIVE_CONSOLES=\/dev\/tty1/' /etc/sysconfig/init 90 | sed -i '/HWADDR/d' /etc/sysconfig/network-scripts/ifcfg-eth* 91 | 92 | # clear out the serial console stuff, sine that messes up VNC 93 | # sessions 94 | 95 | sed -i -e 's/^serial.*$//' /etc/grub.conf 96 | sed -i -e 's/console=ttyS0,115200//' /etc/grub.conf 97 | %end 98 | 99 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 
27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. 
The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 
97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 
128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. 
However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. 
Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. 
Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. 
For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 
279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | {description} 294 | Copyright (C) {year} {fullname} 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 
319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | {signature of Ty Coon}, 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | 341 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Community Kickstarts 2 | 3 | The aim of this repository is to provide functional sample kickstarts and 4 | snippets for the various types of deployments used in the community. 5 | 6 | Feel free to contribute kickstarts for CentOS 5, 6 or 7 (or other common ones) for 7 | bare-metal installs, Xen installs and KVM installs. 8 | 9 | 10 | ## Guidelines for Kickstarts 11 | 12 | * Kickstarts should provide comments explaining the actions in each section 13 | * Kickstarts should end in .cfg or .ks 14 | * Kickstarts should generally install from mirror.centos.org unless otherwise noted 15 | * If a hashed password is provided, include the plaintext version in a comment.
16 | Since these kickstarts are examples, use `password` or 17 | `centos` as the password wherever one is needed, so that no real credential ends up in the repository. 18 | * Kickstart names should provide a version and a brief description, for example 19 | `centos5-raid5.cfg` or `centos7-workstation.ks` 20 | 21 | 22 | ## Guidelines for snippets 23 | 24 | * Snippets should implement one complete, self-contained task, such as user 25 | interaction, or registering a system with 26 | [spacewalk](http://spacewalk.redhat.com/) or 27 | [foreman](http://theforeman.org/). 28 | * Snippets should provide comments documenting their usage within a kickstart, such as 29 | where the `%include` should be located 30 | * Snippets should be named after the version and function, and have a .snip 31 | extension. For example `centos7-katello-registration.snip` 32 | * Contributed snippets should NOT be a simple %packages list, unless there is a 33 | unique or notable reason. 34 | 35 | 36 | ## History 37 | 38 | This repository was originally forked from the 39 | [bluecain](https://nazar.karan.org/summary/bluecain.git) repository, which is a 40 | collection of Kickstart files used to test the CentOS deployment 41 | process. 42 | 43 | 44 | ## Licensing 45 | Licensing for this repository is GPLv2 unless otherwise specified in individual 46 | kickstarts or snippets. 47 | -------------------------------------------------------------------------------- /basic-desktop.cfg: -------------------------------------------------------------------------------- 1 | # 2 | # From: Phil Schaffner 3 | # 4 | # Kickstart file automatically generated by anaconda.
5 | 6 | install 7 | cdrom 8 | lang en_US.UTF-8 9 | keyboard us 10 | xconfig --startxonboot 11 | network --device eth0 --bootproto dhcp 12 | rootpw --iscrypted $1$1jBzy9QU$Dtyah.fFghDGGPQPlibt10 13 | firewall --enabled --port=22:tcp 14 | authconfig --enableshadow --enablemd5 15 | selinux --enforcing 16 | timezone America/New_York 17 | bootloader --location=mbr --driveorder=sda --append="rhgb quiet" 18 | # The following is the partition information you requested 19 | # Note that any partitions you deleted are not expressed 20 | # here so unless you clear all partitions first, this is 21 | # not guaranteed to work 22 | #clearpart --linux --drives=sda 23 | #part /boot --fstype ext3 --size=100 --ondisk=sda 24 | #part pv.6 --size=0 --grow --ondisk=sda 25 | #volgroup VolGroup00 --pesize=32768 pv.6 26 | #logvol / --fstype ext3 --name=LogVol00 --vgname=VolGroup00 --size=1024 27 | --grow 28 | #logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 29 | --size=1000 --grow --maxsize=1984 30 | 31 | %packages 32 | @office 33 | @development-libs 34 | @editors 35 | @text-internet 36 | @gnome-desktop 37 | @dialup 38 | @core 39 | @base 40 | @games 41 | @emacs 42 | @base-x 43 | @graphics 44 | @printing 45 | @kde-desktop 46 | @sound-and-video 47 | @development-tools 48 | @graphical-internet 49 | kdepim 50 | emacs 51 | device-mapper-multipath 52 | xorg-x11-server-Xnest 53 | xorg-x11-server-Xvfb 54 | kdegraphics 55 | libsane-hpaio 56 | kdemultimedia 57 | imake 58 | -sysreport 59 | -------------------------------------------------------------------------------- /batata.cfg: -------------------------------------------------------------------------------- 1 | # 2 | # From: Miguel Filho 3 | # 4 | # kickstart Xen dom0 32 bit 5 | bootloader --location=mbr 6 | zerombr 7 | cmdline 8 | firewall --disabled 9 | firstboot --disable 10 | keyboard br-abnt2 11 | lang en_US 12 | reboot 13 | url --url=http://mirrors.ic.unicamp.br/centos/5/os/i386 14 | network --bootproto=static --device=eth0 
--gateway=xxx --ip=xxx --nameserver=xxx --netmask=255.255.255.192 --onboot=on --hostname="xxxx" 15 | rootpw xuxuxu 16 | selinux --disabled 17 | skipx 18 | timezone --isUtc America/Sao_Paulo 19 | install 20 | 21 | clearpart --all 22 | part /boot --asprimary --fstype="ext3" --size=100 23 | # change here! 24 | part pv.01 --size=1 --grow --ondisk=hde 25 | part pv.02 --size=1 --grow --ondisk=hdg 26 | volgroup volumes pv.01 pv.02 27 | logvol / --fstype="ext3" --vgname=volumes --size=10240 --name=root --fsoptions="noatime,nodiratime" 28 | logvol /var --fstype="ext3" --vgname=volumes --size=6114 --name=var --fsoptions="noatime,nodiratime" 29 | logvol /tmp --fstype="ext3" --vgname=volumes --size=2048 --name=tmp --fsoptions="noatime,nodiratime" 30 | logvol swap --fstype swap --vgname=volumes --size=1024 --name=swap 31 | 32 | %packages --nobase 33 | -sysklogd 34 | -selinux-policy-targeted 35 | -selinux-policy 36 | -gtk2 37 | -ecryptfs-utils 38 | -trousers 39 | -avahi 40 | xorg-x11-xauth 41 | iptables 42 | audit 43 | autofs 44 | nfs-utils 45 | ntsysv 46 | rsyslog 47 | vixie-cron 48 | crontabs 49 | vim-enhanced 50 | psacct 51 | postfix 52 | screen 53 | man 54 | nc 55 | ntp 56 | amanda-client 57 | sudo 58 | rsync 59 | tcpdump 60 | nmap 61 | iptraf 62 | lynx 63 | wget 64 | curl 65 | strace 66 | dstat 67 | tcsh 68 | quota 69 | bind-utils 70 | tmpwatch 71 | krb5-workstation 72 | pam_krb5 73 | openldap-clients 74 | nss_ldap 75 | cyrus-sasl-gssapi 76 | xen 77 | kernel-xen 78 | 79 | %post 80 | chvt 3 81 | ( 82 | echo "[+] Ajustando repositorios" 83 | sed -i "/^#*mirrorlist=/d" /etc/yum.repos.d/CentOS-Base.repo 84 | sed -i "s/^#baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/mirrors.ic.unicamp.br/" /etc/yum.repos.d/CentOS-Base.repo 85 | sed -i "s/enabled=1/enabled=0/" /etc/yum/pluginconf.d/fastestmirror.conf 86 | 87 | echo "[+] Atualizando pacotes" 88 | yum clean all 89 | yum -y update 90 | yum clean packages 91 | 92 | echo "[+] Configurando autenticacao" 93 | authconfig 
--enableldap --enableldapauth 94 | --ldapserver="ldap://ldap1.xxx ldap://ldap2.xxx" \ 95 | --ldapbasedn="dc=xx,dc=xx,dc=br" --enablekrb5 --krb5realm=XX.XXXX.XX \ 96 | --krb5kdc="kerberos1.xxx kerberos2.xxx" \ 97 | --krb5adminserver=kerberos1.xxx --enableldaptls --update 98 | echo "TLS_REQCERT never" >> /etc/openldap/ldap.conf 99 | 100 | /usr/sbin/ntpdate -u xxx.xxx 101 | 102 | echo "[+] Inserindo chaves do Kerberos" 103 | echo -n "[-] Username: " 104 | read username 105 | echo -n "[-] Senha: " 106 | modes=$(stty -g) 107 | stty -echo 108 | read password 109 | stty $oldmodes 110 | 111 | /usr/kerberos/sbin/kadmin -w $password -p $username -q 'addprinc -randkey 112 | nfs/xxx' 113 | /usr/kerberos/sbin/kadmin -w $password -p $username -q 'addprinc -randkey 114 | ssh/xxx' 115 | /usr/kerberos/sbin/kadmin -w $password -p $username -q 'addprinc -randkey 116 | host/xxx' 117 | /usr/kerberos/sbin/kadmin -w $password -p $username -q 'ktadd -e 118 | des-cbc-crc:normal nfs/xxx' 119 | /usr/kerberos/sbin/kadmin -w $password -p $username -q 'ktadd ssh/xxx' 120 | /usr/kerberos/sbin/kadmin -w $password -p $username -q 'ktadd host/xxx' 121 | 122 | echo "[+] Configurando autofs no LDAP" 123 | cat > /etc/sysconfig/autofs < /etc/autofs_ldap_auth.conf < 135 | 141 | EOF 142 | 143 | echo "[+] Configurando NFSv4" 144 | sed -i "s/^#SECURE_NFS=\"yes\"/SECURE_NFS=\"yes\"/" /etc/sysconfig/nfs 145 | sed -i "s/^#RPCGSSDARGS=\"-vvv\"/RPCGSSDARGS=\"-vvv\"/" /etc/sysconfig/nfs 146 | 147 | echo "[+] Configurando amanda" 148 | cat > /var/lib/amanda/.amandahosts < /etc/xinetd.d/amanda < /etc/logrotate.conf < /etc/logrotate.d/psacct < /etc/sudoers < /etc/ssh/sshd_config < /root/.ssh/authorized_keys < /etc/hosts.allow < /etc/hosts.deny < /etc/sysconfig/network-scripts/ifcfg-br0 < /etc/sysconfig/network-scripts/ifcfg-eth0 <&1 | tee /root/ks-post.log 304 | 305 | chvt 1 306 | 307 | -------------------------------------------------------------------------------- /centos-test.cfg: 
--------------------------------------------------------------------------------
#
# From: Miguel Filho
#
# kickstart 32bit
# NOTE(review): the header says 32bit but the install URL below points at the
# x86_64 tree; one of the two is stale.
# I use this kickstart to bootstrap VMs for playing arround
bootloader --location=mbr
zerombr yes
cmdline
# Lab-VM settings: no host firewall and SELinux disabled (the policy packages
# are removed in %packages as well). Only acceptable on an isolated network.
firewall --disabled
firstboot --disable
keyboard br-abnt2
lang en_US
reboot
# Install tree fetched over plain HTTP; nothing in this file verifies it, so the
# mirror and the network path to it have to be trusted.
url --url=http://mirrors.ic.unicamp.br/centos/5/os/x86_64
network --bootproto=static --device=eth0 --gateway=10.0.0.1 --ip=10.0.0.2 --nameserver=143.106.7.31,143.106.2.5 --netmask=255.255.255.192 --onboot=on --hostname="centos-test"
# Root password stored in clear in this file (and wherever the file is served
# from). Prefer "rootpw --iscrypted <sha512-crypt hash>".
rootpw xuxuxu
selinux --disabled
skipx
# NOTE(review): --isUtc is the newer spelling; EL-5 documentation uses --utc.
# Confirm the EL-5 installer accepts this form.
timezone --isUtc America/Sao_Paulo
install

# One PV, one VG ("volumes"): / on an 8000 MB LV, 1024 MB swap; /var and /tmp
# LVs are left commented out.
clearpart --all
part /boot --asprimary --fstype="ext3" --size=100
part pv.01 --size=1 --grow
volgroup volumes pv.01
logvol / --fstype="ext3" --vgname=volumes --size=8000 --name=root --fsoptions="noatime,nodiratime"
#logvol /var --fstype="ext3" --vgname=volumes --size=6114 --name=var --fsoptions="noatime,nodiratime"
#logvol /tmp --fstype="ext3" --vgname=volumes --size=2048 --name=tmp --fsoptions="noatime,nodiratime"
logvol swap --fstype swap --vgname=volumes --size=1024 --name=swap

# Minimal package set: rsyslog instead of sysklogd, SELinux policy, TPM (trousers)
# and eCryptfs tooling explicitly excluded.
%packages --nobase
-sysklogd
-selinux-policy-targeted
-selinux-policy
-gtk2
-ecryptfs-utils
-trousers
-avahi
xorg-x11-xauth
iptables
audit
autofs
nfs-utils
ntsysv
rsyslog
vixie-cron
crontabs
vim-enhanced
psacct
postfix
screen
man
nc
ntp
amanda-client
sudo
rsync
tcpdump
nmap
iptraf
lynx
wget
curl
strace
dstat
tcsh
quota
bind-utils
tmpwatch
krb5-workstation
pam_krb5
openldap-clients
nss_ldap
cyrus-sasl-gssapi

%post
# Runs chrooted in the installed system. The whole body is wrapped in a
# subshell whose combined output is logged to /root/ks-post.log (see the
# "tee" at the end).
chvt 3
(
echo "[+] Ajustando repositorios"
# Pin yum to the local mirror and switch off the fastestmirror plugin.
sed -i "/^#*mirrorlist=/d" /etc/yum.repos.d/CentOS-Base.repo
sed -i "s/^#baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/mirrors.ic.unicamp.br/" /etc/yum.repos.d/CentOS-Base.repo
sed -i "s/enabled=1/enabled=0/" /etc/yum/pluginconf.d/fastestmirror.conf

echo "[+] Atualizando pacotes"
yum clean all
yum -y update
yum clean packages

# NOTE(review): permissions are left to the umask here; the usual hardening is
# chmod 700 /root/.ssh and chmod 600 on authorized_keys after writing it.
mkdir /root/.ssh
# NOTE(review): this rendering lost the heredoc body -- the public key lines,
# the closing EOF and everything up to the ") 2>&1" that closes the subshell
# (original lines 91-117). Presumably the source reads
# "cat > /root/.ssh/authorized_keys <<EOF ... EOF" and later
# ") 2>&1 | tee /root/ks-post.log"; restore it from the repository, not from here.
cat > /root/.ssh/authorized_keys <&1 | tee /root/ks-post.log

chvt 1

--------------------------------------------------------------------------------
/centos4-raid0.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID0 on EL-5
# NOTE(review): file is named centos4-*, but header and layout are those of
# centos5-raid0.cfg.
#
# Requires 2 disks to test
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.
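## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
## LVM 1
part raid.2 --size=10000 --ondisk sda --asprimary
part raid.3 --size=10000 --ondisk sdb --asprimary
## LVM 2
## (ids were raid.3/raid.4: raid.3 was defined twice and listed in both md1 and md2)
part raid.4 --size=10000 --ondisk sda --asprimary --grow
part raid.5 --size=10000 --ondisk sdb --asprimary --grow
##
## /boot stays RAID1: anaconda only accepts a bootable partition on RAID1 and
## GRUB legacy cannot read a striped filesystem. The PVs are the RAID0 under test.
raid /boot --fstype ext3 --level=RAID1 --device=md0 raid.0 raid.1
raid pv.1 --fstype "physical volume (LVM)" --level=RAID0 --device=md1 raid.2 raid.3
raid pv.2 --fstype "physical volume (LVM)" --level=RAID0 --device=md2 raid.4 raid.5
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext3 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext3 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid0.
##
--------------------------------------------------------------------------------
/centos4-raid1.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID1 on EL-5
# NOTE(review): file is named centos4-*, but header and layout are those of
# centos5-raid1.cfg.
#
# Requires 2 disks to test
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.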
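## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
## LVM 1
part raid.2 --size=10000 --ondisk sda --asprimary
part raid.3 --size=10000 --ondisk sdb --asprimary
## LVM 2
## (ids were raid.3/raid.4: raid.3 was defined twice and listed in both md1 and md2)
part raid.4 --size=10000 --ondisk sda --asprimary --grow
part raid.5 --size=10000 --ondisk sdb --asprimary --grow
##
raid /boot --fstype ext3 --level=RAID1 --device=md0 raid.0 raid.1
raid pv.1 --fstype "physical volume (LVM)" --level=RAID1 --device=md1 raid.2 raid.3
raid pv.2 --fstype "physical volume (LVM)" --level=RAID1 --device=md2 raid.4 raid.5
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext3 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext3 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid1.
##
--------------------------------------------------------------------------------
/centos4-raid5.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID5 on EL-5
# NOTE(review): file is named centos4-*, but header and layout are those of
# centos5-raid5.cfg.
#
# Requires 4 disks to test (looking for a spare)
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.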
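## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb,sdc,sdd
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
part raid.2 --size=500 --ondisk sdc --asprimary
part raid.3 --size=500 --ondisk sdd --asprimary
## LVM 1
part raid.4 --size=10000 --ondisk sda --asprimary
part raid.5 --size=10000 --ondisk sdb --asprimary
part raid.6 --size=10000 --ondisk sdc --asprimary
part raid.7 --size=10000 --ondisk sdd --asprimary
## LVM 2
part raid.8 --size=10000 --ondisk sda --asprimary --grow
part raid.9 --size=10000 --ondisk sdb --asprimary --grow
part raid.a --size=10000 --ondisk sdc --asprimary --grow
part raid.b --size=10000 --ondisk sdd --asprimary --grow
##
## --spares=1: three active members plus one hot spare per array.
raid /boot --fstype ext3 --level=RAID1 --device=md0 --spares=1 raid.0 raid.1 raid.2 raid.3
raid pv.1 --fstype "physical volume (LVM)" --level=RAID5 --device=md1 --spares=1 raid.4 raid.5 raid.6 raid.7
raid pv.2 --fstype "physical volume (LVM)" --level=RAID5 --device=md2 --spares=1 raid.8 raid.9 raid.a raid.b
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext3 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext3 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid5.
##

--------------------------------------------------------------------------------
/centos5-raid0.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID0 on EL-5
#
# Requires 2 disks to test
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.
## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
## LVM 1
part raid.2 --size=10000 --ondisk sda --asprimary
part raid.3 --size=10000 --ondisk sdb --asprimary
## LVM 2
## (ids were raid.3/raid.4: raid.3 was defined twice and listed in both md1 and md2)
part raid.4 --size=10000 --ondisk sda --asprimary --grow
part raid.5 --size=10000 --ondisk sdb --asprimary --grow
##
## /boot stays RAID1: anaconda only accepts a bootable partition on RAID1 and
## GRUB legacy cannot read a striped filesystem. The PVs are the RAID0 under test.
raid /boot --fstype ext3 --level=RAID1 --device=md0 raid.0 raid.1
raid pv.1 --fstype "physical volume (LVM)" --level=RAID0 --device=md1 raid.2 raid.3
raid pv.2 --fstype "physical volume (LVM)" --level=RAID0 --device=md2 raid.4 raid.5
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext3 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext3 --name=srv --vgname=vg01 --size=1024

## NOTE(review): --nobase followed by an explicit @Base is contradictory (the
## group wins); --resolvedeps is a legacy option -- confirm the EL-5 parser
## still accepts both.
%packages --resolvedeps --nobase
@Base

%post
##
## Put things here to test raid0.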
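##

--------------------------------------------------------------------------------
/centos5-raid1.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID1 on EL-5
#
# Requires 2 disks to test
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.
## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
## LVM 1
part raid.2 --size=10000 --ondisk sda --asprimary
part raid.3 --size=10000 --ondisk sdb --asprimary
## LVM 2
## (ids were raid.3/raid.4: raid.3 was defined twice and listed in both md1 and md2)
part raid.4 --size=10000 --ondisk sda --asprimary --grow
part raid.5 --size=10000 --ondisk sdb --asprimary --grow
##
raid /boot --fstype ext3 --level=RAID1 --device=md0 raid.0 raid.1
raid pv.1 --fstype "physical volume (LVM)" --level=RAID1 --device=md1 raid.2 raid.3
raid pv.2 --fstype "physical volume (LVM)" --level=RAID1 --device=md2 raid.4 raid.5
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext3 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext3 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid1.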
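##

--------------------------------------------------------------------------------
/centos5-raid5.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID5 on EL-5
#
# Requires 4 disks to test (looking for a spare)
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.
## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb,sdc,sdd
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
part raid.2 --size=500 --ondisk sdc --asprimary
part raid.3 --size=500 --ondisk sdd --asprimary
## LVM 1
part raid.4 --size=10000 --ondisk sda --asprimary
part raid.5 --size=10000 --ondisk sdb --asprimary
part raid.6 --size=10000 --ondisk sdc --asprimary
part raid.7 --size=10000 --ondisk sdd --asprimary
## LVM 2
part raid.8 --size=10000 --ondisk sda --asprimary --grow
part raid.9 --size=10000 --ondisk sdb --asprimary --grow
part raid.a --size=10000 --ondisk sdc --asprimary --grow
part raid.b --size=10000 --ondisk sdd --asprimary --grow
##
## --spares=1: three active members plus one hot spare per array.
raid /boot --fstype ext3 --level=RAID1 --device=md0 --spares=1 raid.0 raid.1 raid.2 raid.3
raid pv.1 --fstype "physical volume (LVM)" --level=RAID5 --device=md1 --spares=1 raid.4 raid.5 raid.6 raid.7
raid pv.2 --fstype "physical volume (LVM)" --level=RAID5 --device=md2 --spares=1 raid.8 raid.9 raid.a raid.b
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext3 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext3 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid5.
##

--------------------------------------------------------------------------------
/centos6-nocps-raid1.cfg:
--------------------------------------------------------------------------------
#
# WARNING: the disklayout used in this kickstart script gives an error on the Scientific Linux 6 alpha version. ("new lv is too large to fit in free space")
# The same disklayout works fine in Centos 5.5 though, so I'm submitting this script as a test case nevertheless
# (if you would like to test it with Centos 5.5, you can use this script, but remove the "%end" lines)
#
#
# Kickstart script generated by our commercial server provisioning software ( http://www.noc-ps.com )
#
# Settings used:
#
# Disk layout: Soft. RAID1 (2 disks sda sdb)
# Packages: NOC-PS default (installs local resolving nameserver + SSH)
# IP/Netmask/Gateway: 10.0.0.100 / 255.255.255.0 / 10.0.0.1
# Root password: centostest
# Regular user name: charlie
# Regular user password: centostest
#
# NOTE(review): the two passwords above are published test defaults and the
# hashes in this file are MD5-crypt ($1$); with sshd installed and the firewall
# off, rotate both accounts on first boot.
#
# If you change the network settings: please leave the nameserver at 127.0.0.1
# and specify installation source by IP instead of hostname.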
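#
# After installation BIND is used as local resolving nameserver, so no dependencies
# exists on other systems
#


#System language
lang en_US
#Language modules to install
#langsupport en_US
#System keyboard
keyboard us
#System mouse
#mouse none
#System timezone
timezone Europe/Amsterdam
#Root password (MD5-crypt hash of the published test default; regenerate as a
#sha512-crypt "$6$" hash when rotating)
rootpw --iscrypted "$1$tEc7zWwN$03s7xjno7IE6mndUQy1E71"

user --name "charlie" --iscrypted --password "$1$Z2lV1KN3$Nt0/U9cp74UJJjMNUpn9H/"
#Reboot after installation
reboot
#Use text mode install
text
#Install OS instead of upgrade
install
#Use Web installation
#(no url/cdrom line is active; the install source is presumably supplied by
# the provisioning system on the kernel command line)

#url --url http://131.225.110.41/linux/scientific/6rolling/x86_64/os/

#System bootloader configuration
bootloader --location=mbr
#Clear the Master Boot Record
#zerombr yes
zerombr
#Partition clearing information
clearpart --all --initlabel
#Disk partitioning information

# Disks for 250 MB boot partition

part raid.01 --size=250 --asprimary --ondisk=sda
part raid.02 --size=250 --asprimary --ondisk=sdb

# Disks for LVM partition

part raid.11 --size=1 --grow --ondisk=sda
part raid.12 --size=1 --grow --ondisk=sdb

# RAID settings

raid /boot --fstype ext2 --device md0 --level=RAID1 raid.01 raid.02
raid pv.01 --device md1 --level=RAID1 raid.11 raid.12

# LVM configuration
# NOTE(review): the SL6 "new lv is too large" error mentioned in the header is
# often ordering-related; listing the --grow volume after the fixed-size ones
# is the usual workaround -- unverified here.

volgroup vg pv.01
logvol / --vgname=vg --size=1 --grow --fstype ext3 --name=root
logvol /tmp --vgname=vg --size=1024 --fstype ext3 --name=tmp
logvol swap --vgname=vg --recommended --name=swap
#System authorization information
#SHA-512 for passwords set after install (was --enablemd5). The --iscrypted
#hashes above are MD5-crypt and keep working under this setting.
auth --useshadow --passalgo=sha512
#Network information
network --bootproto=static --ip=10.0.0.100 --netmask=255.255.255.0 --gateway=10.0.0.1 --nameserver=127.0.0.1 --device=eth0 --hostname=centos6test.noc-ps.com

#Firewall configuration
#NOTE(review): sshd is installed below and reachable without any host filter;
#"firewall --enabled --ssh" would still allow the local resolver (lo is not
#filtered). Left as generated, but not a safe default outside a lab.
firewall --disabled
#Do not configure the X Window System
skipx

#%packages --resolvedeps
%packages

openssh-server
caching-nameserver

%end
%pre
# intentionally empty

%end
%post
# Enable the local resolving nameserver installed above.
chkconfig named on

%end
--------------------------------------------------------------------------------
/centos6-nocps-standard.cfg:
--------------------------------------------------------------------------------
#
# Kickstart script generated by our commercial server provisioning software ( http://www.noc-ps.com )
# This script is known to work with the Scientific Linux 6 alpha.
#
# Settings used:
#
# Disk layout: default
# Packages: NOC-PS default (installs local resolving nameserver + SSH)
# IP/Netmask/Gateway: 10.0.0.100 / 255.255.255.0 / 10.0.0.1
# Root password: centostest
# Regular user name: charlie
# Regular user password: centostest
#
# NOTE(review): the two passwords above are published test defaults and the
# hashes in this file are MD5-crypt ($1$); with sshd installed and the firewall
# off, rotate both accounts on first boot.
#
# If you change the network settings: please leave the nameserver at 127.0.0.1
# and specify installation source by IP instead of hostname.
#
# After installation BIND is used as local resolving nameserver, so no dependencies
# exists on other systems
#

#System language
lang en_US
#Language modules to install
#langsupport en_US
#System keyboard
keyboard us
#System mouse
#mouse none
#System timezone
timezone Europe/Amsterdam
#Root password (MD5-crypt hash of the published test default; regenerate as a
#sha512-crypt "$6$" hash when rotating)
rootpw --iscrypted "$1$g0LgrMHV$qXwnCy387PxR/Nmcote2V/"

user --name "charlie" --iscrypted --password "$1$vzpx0Hn5$EH5Xfax2MVzxw26xyQmS0."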
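#Reboot after installation
reboot
#Use text mode install
text
#Install OS instead of upgrade
install
#Use Web installation
#(no url/cdrom line is active; the install source is presumably supplied by
# the provisioning system on the kernel command line)

#url --url http://131.225.110.41/linux/scientific/6rolling/x86_64/os/

#System bootloader configuration
bootloader --location=mbr
#Clear the Master Boot Record
#zerombr yes
zerombr
#Partition clearing information
clearpart --all --initlabel
#Disk partitioning information

part /boot --fstype ext2 --size 250
part pv.01 --size 1 --grow
volgroup vg pv.01
logvol / --vgname=vg --size=1 --grow --fstype ext4 --name=root
logvol /tmp --vgname=vg --size=1024 --fstype ext4 --name=tmp
logvol swap --vgname=vg --recommended --name=swap
#System authorization information
#SHA-512 for passwords set after install (was --enablemd5). The --iscrypted
#hashes above are MD5-crypt and keep working under this setting.
auth --useshadow --passalgo=sha512
#Network information
network --bootproto=static --ip=10.0.0.100 --netmask=255.255.255.0 --gateway=10.0.0.1 --nameserver=127.0.0.1 --device=eth0 --hostname=centos6test.noc-ps.com
#Firewall configuration
#NOTE(review): sshd is installed below and reachable without any host filter;
#"firewall --enabled --ssh" would still allow the local resolver (lo is not
#filtered). Left as generated, but not a safe default outside a lab.
firewall --disabled
#Do not configure the X Window System
skipx

#%packages --resolvedeps
%packages

openssh-server
caching-nameserver

%end
%pre
# intentionally empty

%end
%post
# Enable the local resolving nameserver installed above.
chkconfig named on

%end
--------------------------------------------------------------------------------
/centos6-raid0-ext4.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID0 on EL-5
# NOTE(review): file is named centos6-*-ext4, but the header says EL-5; the
# layout is centos5-raid0.cfg with ext4 instead of ext3.
#
# Requires 2 disks to test
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.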
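## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
## LVM 1
part raid.2 --size=10000 --ondisk sda --asprimary
part raid.3 --size=10000 --ondisk sdb --asprimary
## LVM 2
## (ids were raid.3/raid.4: raid.3 was defined twice and listed in both md1 and md2)
part raid.4 --size=10000 --ondisk sda --asprimary --grow
part raid.5 --size=10000 --ondisk sdb --asprimary --grow
##
## /boot stays RAID1: anaconda only accepts a bootable partition on RAID1 and
## GRUB legacy cannot read a striped filesystem. The PVs are the RAID0 under test.
raid /boot --fstype ext4 --level=RAID1 --device=md0 raid.0 raid.1
raid pv.1 --fstype "physical volume (LVM)" --level=RAID0 --device=md1 raid.2 raid.3
raid pv.2 --fstype "physical volume (LVM)" --level=RAID0 --device=md2 raid.4 raid.5
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext4 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext4 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid0.
##
--------------------------------------------------------------------------------
/centos6-raid0.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID0 on EL-5
# NOTE(review): file is named centos6-*, but header and layout are those of
# centos5-raid0.cfg.
#
# Requires 2 disks to test
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.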
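## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
## LVM 1
part raid.2 --size=10000 --ondisk sda --asprimary
part raid.3 --size=10000 --ondisk sdb --asprimary
## LVM 2
## (ids were raid.3/raid.4: raid.3 was defined twice and listed in both md1 and md2)
part raid.4 --size=10000 --ondisk sda --asprimary --grow
part raid.5 --size=10000 --ondisk sdb --asprimary --grow
##
## /boot stays RAID1: anaconda only accepts a bootable partition on RAID1 and
## GRUB legacy cannot read a striped filesystem. The PVs are the RAID0 under test.
raid /boot --fstype ext3 --level=RAID1 --device=md0 raid.0 raid.1
raid pv.1 --fstype "physical volume (LVM)" --level=RAID0 --device=md1 raid.2 raid.3
raid pv.2 --fstype "physical volume (LVM)" --level=RAID0 --device=md2 raid.4 raid.5
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext3 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext3 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid0.
##
--------------------------------------------------------------------------------
/centos6-raid1-ext4.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID1 on EL-5
# NOTE(review): file is named centos6-*-ext4, but the header says EL-5; the
# layout is centos5-raid1.cfg with ext4 instead of ext3.
#
# Requires 2 disks to test
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.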
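## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
## LVM 1
part raid.2 --size=10000 --ondisk sda --asprimary
part raid.3 --size=10000 --ondisk sdb --asprimary
## LVM 2
## (ids were raid.3/raid.4: raid.3 was defined twice and listed in both md1 and md2)
part raid.4 --size=10000 --ondisk sda --asprimary --grow
part raid.5 --size=10000 --ondisk sdb --asprimary --grow
##
raid /boot --fstype ext4 --level=RAID1 --device=md0 raid.0 raid.1
raid pv.1 --fstype "physical volume (LVM)" --level=RAID1 --device=md1 raid.2 raid.3
raid pv.2 --fstype "physical volume (LVM)" --level=RAID1 --device=md2 raid.4 raid.5
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext4 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext4 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid1.
##
--------------------------------------------------------------------------------
/centos6-raid1.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID1 on EL-5
# NOTE(review): file is named centos6-*, but header and layout are those of
# centos5-raid1.cfg.
#
# Requires 2 disks to test
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.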
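## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
## LVM 1
part raid.2 --size=10000 --ondisk sda --asprimary
part raid.3 --size=10000 --ondisk sdb --asprimary
## LVM 2
## (ids were raid.3/raid.4: raid.3 was defined twice and listed in both md1 and md2)
part raid.4 --size=10000 --ondisk sda --asprimary --grow
part raid.5 --size=10000 --ondisk sdb --asprimary --grow
##
raid /boot --fstype ext3 --level=RAID1 --device=md0 raid.0 raid.1
raid pv.1 --fstype "physical volume (LVM)" --level=RAID1 --device=md1 raid.2 raid.3
raid pv.2 --fstype "physical volume (LVM)" --level=RAID1 --device=md2 raid.4 raid.5
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext3 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext3 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid1.
##
--------------------------------------------------------------------------------
/centos6-raid5-ext4.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID5 on EL-5
# NOTE(review): file is named centos6-*-ext4, but the header says EL-5; the
# layout is centos5-raid5.cfg with ext4 instead of ext3.
#
# Requires 4 disks to test (looking for a spare)
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.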
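## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb,sdc,sdd
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
part raid.2 --size=500 --ondisk sdc --asprimary
part raid.3 --size=500 --ondisk sdd --asprimary
## LVM 1
part raid.4 --size=10000 --ondisk sda --asprimary
part raid.5 --size=10000 --ondisk sdb --asprimary
part raid.6 --size=10000 --ondisk sdc --asprimary
part raid.7 --size=10000 --ondisk sdd --asprimary
## LVM 2
part raid.8 --size=10000 --ondisk sda --asprimary --grow
part raid.9 --size=10000 --ondisk sdb --asprimary --grow
part raid.a --size=10000 --ondisk sdc --asprimary --grow
part raid.b --size=10000 --ondisk sdd --asprimary --grow
##
## --spares=1: three active members plus one hot spare per array.
raid /boot --fstype ext4 --level=RAID1 --device=md0 --spares=1 raid.0 raid.1 raid.2 raid.3
raid pv.1 --fstype "physical volume (LVM)" --level=RAID5 --device=md1 --spares=1 raid.4 raid.5 raid.6 raid.7
raid pv.2 --fstype "physical volume (LVM)" --level=RAID5 --device=md2 --spares=1 raid.8 raid.9 raid.a raid.b
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext4 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext4 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid5.
##

--------------------------------------------------------------------------------
/centos6-raid5.cfg:
--------------------------------------------------------------------------------
#
# General Kickstart to test software RAID5 on EL-5
# NOTE(review): file is named centos6-*, but header and layout are those of
# centos5-raid5.cfg.
#
# Requires 4 disks to test (looking for a spare)
#
# Throwaway test harness: host firewall off and root password in plaintext.
# Neither belongs on a host reachable by others.
#

install
# key --skip ## not needed for CentOS
lang en_US.UTF-8
cmdline
# Test-only; real hosts want "firewall --enabled --ssh".
firewall --disabled
timezone --utc UTC
# Root password stored in clear in this file; real hosts should use
# "rootpw --iscrypted <sha512-crypt hash>".
rootpw Xuxu.p3t4lZ

## Ok if the drives are NOT sda/sdb you will need to change.
## there is possibly a way to do this in %pre but man thats magic.
## GRUB is written to the /boot partition; nothing in this file writes MBR boot
## code, so the box only boots if something else chain-loads it. Use
## --location=mbr for an unattended test box.
bootloader --location=partition --driveorder=sda,sdb,sdc,sdd
zerombr yes
clearpart --all
## /boot
part raid.0 --size=500 --ondisk sda --asprimary
part raid.1 --size=500 --ondisk sdb --asprimary
part raid.2 --size=500 --ondisk sdc --asprimary
part raid.3 --size=500 --ondisk sdd --asprimary
## LVM 1
part raid.4 --size=10000 --ondisk sda --asprimary
part raid.5 --size=10000 --ondisk sdb --asprimary
part raid.6 --size=10000 --ondisk sdc --asprimary
part raid.7 --size=10000 --ondisk sdd --asprimary
## LVM 2
part raid.8 --size=10000 --ondisk sda --asprimary --grow
part raid.9 --size=10000 --ondisk sdb --asprimary --grow
part raid.a --size=10000 --ondisk sdc --asprimary --grow
part raid.b --size=10000 --ondisk sdd --asprimary --grow
##
## --spares=1: three active members plus one hot spare per array.
raid /boot --fstype ext3 --level=RAID1 --device=md0 --spares=1 raid.0 raid.1 raid.2 raid.3
raid pv.1 --fstype "physical volume (LVM)" --level=RAID5 --device=md1 --spares=1 raid.4 raid.5 raid.6 raid.7
raid pv.2 --fstype "physical volume (LVM)" --level=RAID5 --device=md2 --spares=1 raid.8 raid.9 raid.a raid.b
##
volgroup vg00 --pesize=32768 pv.1
volgroup vg01 --pesize=32768 pv.2
logvol / --fstype ext3 --name=root --vgname=vg00 --size=8192
logvol swap --fstype swap --name=swap0 --vgname=vg00 --size=1024
logvol swap --fstype swap --name=swap1 --vgname=vg01 --size=1024
## LV named "srv" (was "root", a second LV called root, in vg01)
logvol /srv --fstype ext3 --name=srv --vgname=vg01 --size=1024

%packages
@Base

%post
##
## Put things here to test raid5.
##

--------------------------------------------------------------------------------
/centos7-minimal.cfg:
--------------------------------------------------------------------------------
# Author: Tomasz Filipiec
# Desc.: Simple kickstart file for automated installation
# OS: CentOS 7 Minimal (core)
# Version: 1.0

# Turning on text-mode installation (little quicker than GUI)
text

# Setting up authentication and keyboard
auth --enableshadow --passalgo=sha512
keyboard --vckeymap=us --xlayouts='us'

# Installation files source (CentOS-7.0-1406-x86_64-Minimal.iso)
cdrom

# Using only primary disk, ignoring others
ignoredisk --only-use=sda

# Setting up language to English
# (glibc locale spelling with an underscore; the original "en-US" relied on
#  the installer normalising the dash, and every other file here uses en_US)
lang en_US.UTF-8

# Setting up network interface to DHCP
network --bootproto=dhcp --ipv6=auto --hostname=centos-ks.local --activate

# Root password (remember that plaintext only for information purposes)
# The value sits in clear in this file while SSH is opened below; replace it
# with "rootpw --iscrypted <sha512-crypt hash>" before using this outside a lab.
rootpw --plaintext centos

# Setting up firewall and enabling SSH for remote management
firewall --enabled --service=ssh

# Setting timezone
timezone Europe/Warsaw --isUtc

# Setting up Security-Enhanced Linux into enforcing
selinux --enforcing

# Setting up MBR
bootloader --location=mbr --boot-drive=sda

# Setting up Logical Volume Manager and autopartitioning
clearpart --all --drives=sda --initlabel
autopart --type=lvm

# Eject cdrom and reboot
reboot --eject

# Installing only packages for minimal install
%packages
@Core
chrony
%end
--------------------------------------------------------------------------------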
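/everything.cfg:
--------------------------------------------------------------------------------
#
# From: Phil Schaffner
#
# "Kitchen sink" CentOS 5 install: every package group plus a long list of
# extras. Not a hardened profile: it pulls in network servers (dns, ftp, mail,
# news, smb, web, sql, xen, kvm) that will start with their default configs.
install
cdrom
lang en_US.UTF-8
keyboard us
xconfig --startxonboot
network --device eth0 --bootproto dhcp
# Placeholder hash; no usable root account until a real --iscrypted hash is put here.
rootpw --iscrypted xxxxxxxxxxxxxxxxxxxxxxxxx
# Only tcp/22 is opened; the server groups below stay unreachable until the
# firewall is opened per service.
firewall --enabled --port=22:tcp
# --enablemd5 selects md5crypt shadow hashes (CentOS 5 era; sha512 has to be
# switched on in %post, as secure-kickstart.cfg does).
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone America/New_York
bootloader --location=mbr --driveorder=hda --append="rhgb quiet"
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
# (left commented out so anaconda prompts for partitioning; the two logvol
# lines used to wrap onto a second, uncommented line, which anaconda would
# read as a command of its own)
#clearpart --linux --drives=hda
#part /boot --fstype ext3 --size=100 --ondisk=hda
#part pv.6 --size=0 --grow --ondisk=hda
#volgroup VolGroup00 --pesize=32768 pv.6
#logvol / --fstype ext3 --name=LogVol00 --vgname=VolGroup00 --size=1024 --grow
#logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=512 --grow --maxsize=1024

%packages
@admin-tools
@authoring-and-publishing
@base
@cluster-storage
@clustering
@core
@dns-server
@development-libs
@development-tools
@dialup
@editors
@emacs
@engineering-and-scientific
@ftp-server
@gnome-desktop
@gnome-software-development
@games
@graphical-internet
@graphics
@java
@java-development
@kde-desktop
@kde-software-development
@kvm
@legacy-network-server
@legacy-software-development
@legacy-software-support
@mail-server
@mysql
@network-server
@news-server
@office
@openfabrics-enterprise-distribution
@sql-server
@printing
@ruby
@server-cfg
@sound-and-video
@system-tools
@text-internet
@xen
@web-server
@smb-server
@x-software-development
@base-x
keyutils
kexec-tools
iscsi-initiator-utils
trousers
bridge-utils
fipscheck
device-mapper-multipath
kmod-gnbd-xen
kmod-gfs-xen
perl-XML-SAX
perl-Convert-ASN1
perl-XML-NamespaceSupport
python-imaging
pexpect
imake
java-1.6.0-openjdk
emacs
kdegraphics
libsane-hpaio
kdeadmin
vnc-server
kdepim
kdemultimedia
createrepo
audit
mesa-libGLU-devel
xorg-x11-server-Xnest
xorg-x11-server-Xvfb

--------------------------------------------------------------------------------
/ks-centos5-64.cfg:
--------------------------------------------------------------------------------
#
# From: Manuel Wolfshant
#
# Internal KDE workstation build. Firewall and SELinux are both switched off
# below, and %post pulls root's authorized_keys, yum repos and login scripts
# from an NFS share: this profile only makes sense on a trusted LAN.
# System keyboard
keyboard us
# System language
lang en_US.UTF-8
# Root password
# md5crypt ($1$) hash, and the same hash is reused by ks-minimalC5-32.cfg and
# ks-minimalC5-64.cfg, so it is effectively public. Replace it before use.
rootpw --iscrypted $1$.A66cJ18$2YhwhpQs.fRNno/PAzqc7/
firewall --disabled
firstboot --disable
authconfig --enableshadow --enablemd5
# SELinux configuration (fully disabled, not just permissive)
selinux --disabled
# Install OS instead of upgrade
install
# Use network installation (internal mirror, plain http)
url --url http://internal/mrepo/centos5-x86_64/disc1
# Network configuration
network --device eth0 --bootproto dhcp
# System timezone
timezone --utc Europe/Bucharest
# X Window System configuration information
xconfig --defaultdesktop=KDE --depth=24 --resolution=1280x1024 --startxonboot
# System bootloader configuration
bootloader --location=mbr --driveorder=sda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all --initlabel
part /boot --fstype ext3 --size=100
part pv.6 --size=0 --grow
volgroup VolGroup00 --pesize=32768 pv.6
logvol / --fstype ext3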
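--name=LogVol00 --vgname=VolGroup00 --size=1024 --grow
logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=880 --grow --maxsize=1760
repo --name=updates --baseurl=http://internal.nobugconsulting.ro/mrepo/centos5-x86_64/RPMS.updates/
reboot

%packages
@core
@ admin-tools
@ editors
@ base-x
@ printing
@ kde-desktop
@ sound-and-video
@ development-tools
@ graphical-internet
kernel-devel
-bluez-utils
-cdrecord
-cdparanoia
kernel
-mkisofs
-dvd+rw-tools
-kdeaddons
-evolution-webcal
# NOTE(review): evolution is excluded here and added again further down,
# pidgin is excluded and then installed in %post, and -pcsc-lite appears twice.
# Which entry wins is left to pykickstart; tidy the list rather than rely on it.
-evolution
-pidgin
-ppp
-pcsc-lite
-pam_ccreds
-pam_krb5
-pam_passwdqc
-pam_pkcs11
-pam_smb
-Deployment_Guide-en-US
-firstboot
-gcc-gfortran
-ypbind
-yp-tools
-coolkey
-ccid
-ifd-egate
-pcsc-lite
evolution
kdesdk
xchat
firefox
thunderbird
compat-libstdc++-33
libXp
libXaw
libXmu
mc
-crash
-system-config-rootpassword
-NetworkManager


%post
# Everything below trusts the NFS server at 192.168.50.40: it supplies root's
# ssh keys, the yum repo definitions, third-party release RPMs and (via /apps)
# scripts that every login shell will source. Whoever controls that export
# controls these machines.
echo 'NFS mount'
mkdir -p /mnt/{cdrom,floppy}
/etc/init.d/portmap start
/etc/init.d/nfslock start
# If this mount fails every cp/rpm below fails too and the install still
# finishes (with no root keys and no extra repos); watch the %post log.
mount 192.168.50.40:/arhive/linux /mnt/cdrom -o soft,timeo=40
echo 'copying .ssh'
mkdir -p /root/.ssh
cp /mnt/cdrom/ks-stuff/authorized_keys /root/.ssh
# mkdir/cp inherit the umask (0755/0644); tighten to what sshd expects for root's keys.
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
echo "This is a proprietary computer system. This system is for the use of
authorized users only. Individuals using this computer system without
authority, or beyond the limits of their authority or for inappropriate or
unlawful purposes are subject to having all of their activities on this
system monitored and recorded. In the course of monitoring
individuals improperly using this system, or in the course of system
maintenance, the activities of authorized users may also be monitored.

Anyone using this system expressly consents to such monitoring. If
monitoring reveals unauthorized, inappropriate or possible unlawful
activity, system personnel will provide information derived from such
monitoring to NoBug management or outside legal authorities, as
appropriate. Misuse of this system may result in disciplinary action,
including termination.

NoBug Consulting" > /etc/motd
# Was "sed -ie ...": GNU sed reads -ie as -i with backup suffix "e", which
# left a stray /etc/login.defse behind. Also match the tab-separated form of
# login.defs (the original patterns only matched a single space).
sed -i -e "s/PASS_MAX_DAYS[[:space:]]\{1,\}99999/PASS_MAX_DAYS 90/;s/PASS_WARN_AGE[[:space:]]\{1,\}7/PASS_WARN_AGE 14/" /etc/login.defs
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
sed -i "/HOSTNAME/d" /etc/sysconfig/network
sed -i -e "s/NETWORKING_IPV6=yes/NETWORKING_IPV6=no/" /etc/sysconfig/network
echo 'copying yum.conf'
cp /mnt/cdrom/distributions/centos/5/CentOS-Base.repo /mnt/cdrom/distributions/centos/5/nobug.repo /etc/yum.repos.d
echo "installing 3rd party repositories"
# No GPG keys are imported before this, so rpm cannot verify these packages
# beyond what the NFS export is trusted for.
rpm -i /mnt/cdrom/adobe/adobe-repo.rpm /mnt/cdrom/distributions/centos/5/rpmforge-release-*.el5.rf.x86_64.rpm /mnt/cdrom/distributions/centos/5/epel-release-5-3.noarch.rpm

#echo 'yum update'
#yum -y update
# /etc/profile.d/*.sh is sourced by every interactive login; these symlinks
# point into the read-only "apps" NFS export, so that server supplies code
# that runs in every user's shell. The links dangle until /apps is mounted.
/bin/mkdir /apps
ln -s /apps/vera.sh /etc/profile.d
ln -s /apps/vcs.sh /etc/profile.d
ln -s /apps/specman.sh /etc/profile.d
ln -s /apps/ncsim.sh /etc/profile.d
ln -s /apps/questasim.sh /etc/profile.d
echo "apps:/apps /apps nfs defaults,ro,users,exec,noauto 0 0" >> /etc/fstab

cp -f /mnt/cdrom/distributions/centos/5/rpmforge.repo /etc/yum.repos.d
echo "installing java and adobe"
yum -y install java-1.5.0-sun.i586 java-1.5.0-sun-fonts.i586 java-1.5.0-sun-plugin.i586 nedit --enablerepo=nobugcustom flash-plugin AdobeReader_enu openoffice\*

#yum -y install libXp.i386

ln -s /usr/lib/jvm/java-1.5.0-sun-1.5.0.15/jre/plugin/i386/ns7/libjavaplugin_oji.so /usr/lib/mozilla/plugins/

yum -y install pidgin --enablerepo=nobugcustom --disablerepo=updates
#pac pac

umount /mnt/cdrom
%end

--------------------------------------------------------------------------------
/ks-minimalC5-32.cfg:
--------------------------------------------------------------------------------
#
# From: Manuel Wolfshant
#
# XXX: Edited to work for a 32bit install
# Minimal CentOS 5 i386 build (no @base, no docs). Firewall off and SELinux
# permissive; the root hash is the one shared with ks-centos5-64.cfg.
install
text
reboot
url --url http://mirror.centos.org/centos/5/os/i386/
lang en_US.UTF-8
keyboard us
skipx
network --device eth0 --bootproto dhcp
rootpw --iscrypted $1$.A66cJ18$2YhwhpQs.fRNno/PAzqc7/
firewall --disabled
selinux --permissive
authconfig --enableshadow --enablemd5
timezone --utc GMT
bootloader --location=mbr
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all --initlabel
part /boot --fstype ext3 --size=250
part pv.2 --size=0 --grow
volgroup VolGroup00 --pesize=32768 pv.2
logvol / --fstype ext3 --name=LogVol00 --vgname=VolGroup00 --size=1024 --grow
logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=256 --grow --maxsize=512
repo --name=updates --baseurl=http://mirror.centos.org/centos/5/updates/i386/

%packages --nobase --excludedocs
coreutils
yum
rpm
e2fsprogs
lvm2
grub
sysstat
ntp
openssh-server
openssh-clients
xorg-x11-xauth
-dhcpv6-client
-iptables-ipv6
-system-config-securitylevel-tui
-wireless-tools
-rhpl


%post

--------------------------------------------------------------------------------
/ks-minimalC5-64.cfg:
--------------------------------------------------------------------------------
#
# From: Manuel Wolfshant
#
# x86_64 twin of ks-minimalC5-32.cfg; only the mirror paths differ.
install
text
reboot
url --url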
http://mirror.centos.org/centos/5/os/x86_64/
lang en_US.UTF-8
keyboard us
skipx
network --device eth0 --bootproto dhcp
# Same md5crypt hash as ks-centos5-64.cfg and ks-minimalC5-32.cfg; public, replace it.
rootpw --iscrypted $1$.A66cJ18$2YhwhpQs.fRNno/PAzqc7/
# No host firewall at all; only openssh-server is installed, but nothing filters it.
firewall --disabled
selinux --permissive
# md5crypt shadow hashes (CentOS 5 era default)
authconfig --enableshadow --enablemd5
timezone --utc GMT
bootloader --location=mbr
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all --initlabel
part /boot --fstype ext3 --size=250
part pv.2 --size=0 --grow
volgroup VolGroup00 --pesize=32768 pv.2
logvol / --fstype ext3 --name=LogVol00 --vgname=VolGroup00 --size=1024 --grow
logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=256 --grow --maxsize=512
# Updates repo over plain http; packages are still GPG-checked by yum later, but
# the installer itself fetches unauthenticated.
repo --name=updates --baseurl=http://mirror.centos.org/centos/5/updates/x86_64/

# --nobase: only the packages listed here (plus dependencies) are installed.
%packages --nobase --excludedocs
coreutils
yum
rpm
e2fsprogs
lvm2
grub
sysstat
ntp
openssh-server
openssh-clients
xorg-x11-xauth
-dhcpv6-client
-iptables-ipv6
-system-config-securitylevel-tui
-wireless-tools
-rhpl


%post

--------------------------------------------------------------------------------
/ks-minimalC6.cfg:
--------------------------------------------------------------------------------
#pay attention to the comments inline !!
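

# Minimal CentOS 6 network install: no @base, a handful of packages, SELinux
# permissive, firewall on. Meant as a template: the root password and the
# mirror URL below must be changed.
install
text
reboot
#uncomment the #cdrom line and comment the url one for installs from DVD
#cdrom
#use a mirror close to you or even better, the local one provided by your organization
#replace x86_64 with i386 for 32bit installs
url --url http://mirror.centos.org/centos/6/os/x86_64
lang en_US.UTF-8
keyboard us
skipx
network --device eth0 --bootproto dhcp
#do not forget to change the password !
#(plaintext here; use "rootpw --iscrypted <hash>" so the file can be shared)
rootpw test1234
# NOTE(review): no --service=ssh / --ssh here, unlike centos7-minimal.cfg and
# CentOS-6-x86_64-OpenNebula.cfg; confirm port 22 is reachable if this box is
# administered remotely (openssh-server is installed below).
firewall --enabled
selinux --permissive
# CentOS 6 anaconda supports --passalgo; the previous --enablemd5 explicitly
# downgraded /etc/shadow to md5crypt hashes.
authconfig --enableshadow --passalgo=sha512
timezone UTC
bootloader --location=mbr
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all --initlabel
part /boot --fstype ext3 --size=250
part pv.2 --size=5000 --grow
volgroup VolGroup00 --pesize=32768 pv.2
logvol / --fstype ext4 --name=LogVol00 --vgname=VolGroup00 --size=1024 --grow
logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=256 --grow --maxsize=512

%packages --nobase
#use the next line instead of the previous one if you do not care about the doc files
#%packages --nobase --excludedocs
coreutils
yum
rpm
e2fsprogs
lvm2
grub
openssh-server
openssh-clients
dhclient
yum-presto
-atmel-firmware
-b43-openfwwf
-cronie
-cronie-anacron
-crontabs
-cyrus-sasl
-info
-postfix
# note: no sudo on the resulting box; all admin work is as root
-sudo
-sysstat
-xorg-x11-drv-ati-firmware
-yum-utils
-ipw2100-firmware
-ipw2200-firmware
-ivtv-firmware
-iwl1000-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6050-firmware
-libertas-usb8388-firmware
-rt61pci-firmware
-rt73usb-firmware
-mysql-libs
-zd1211-firmware
%end
%post
%end
--------------------------------------------------------------------------------
/kvm-host.cfg:
--------------------------------------------------------------------------------
#
# From: Akemi Yagi
#
# CentOS 5 KVM host with a full desktop. Partitioning is commented out, so
# anaconda prompts for it; SELinux enforcing, firewall open on tcp/22 only.
install
cdrom
lang en_US.UTF-8
keyboard us
xconfig --startxonboot
network --device eth0 --bootproto dhcp
# md5crypt hash, published with this repo; replace it.
rootpw --iscrypted $1$Qa6zqNPv$en7vH5sfohUqx50s83Y3y4
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone --utc America/Los_Angeles
bootloader --location=mbr --driveorder=sda --append="rhgb quiet"
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#clearpart --linux
#part /boot --fstype ext3 --onpart sda8
#part swap --onpart sda7
#part / --fstype ext3 --onpart sda9

%packages
@admin-tools
@base
@core
@development-libs
@development-tools
@editors
@gnome-desktop
@graphical-internet
@graphics
@japanese-support
@java
@kde-desktop
@kvm
@printing
@sound-and-video
@system-tools
@text-internet
@base-x
kexec-tools
iscsi-initiator-utils
bridge-utils
fipscheck
device-mapper-multipath
sgpio
python-dmidecode
imake
emacs
libsane-hpaio
audit
xorg-x11-utils
xorg-x11-server-Xnest
xorg-x11-server-Xvfb
--------------------------------------------------------------------------------
/lan-cluster-node.cfg:
--------------------------------------------------------------------------------
##############################################################################
# #
# Kickstart file for LAN cluster node.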
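#
# Submitted by baptiste.agasse@lyra-network.com Baptiste AGASSE #
# #
##############################################################################
#
# Xen cluster node (CentOS 5): six NICs become two bonds (bond0 = cluster
# management, bond1 = admin/VM "public" side) plus two iSCSI links; %post
# rewrites the ifcfg files for bonding and VLAN bridges and enables xend live
# migration. Firewall and iptables are off and SELinux is permissive, so the
# cluster networks must be isolated by other means.

#
# Install type
###############################################################################

install
cdrom
text
firstboot --disabled
reboot

#
# Locale, timezone and keymap
###############################################################################

lang fr_FR.UTF-8
keyboard fr-latin9
timezone --utc Europe/Paris


#
# Network configuration
###############################################################################

### Bond1
# Admin and VMs network interface available on "public" cluster network (bonding)
# Both slaves get the same address here; %post comments IPADDR/NETMASK out of
# the slave files and moves the address to ifcfg-bond1.
network --device eth0 --onboot yes --bootproto static --ip 192.168.2.99 --netmask 255.255.255.240 --gateway 192.168.2.106 --nameserver 192.168.1.10 --hostname sirislanxen1.exemple.com
network --device eth5 --onboot yes --bootproto static --ip 192.168.2.99 --netmask 255.255.255.240 --gateway 192.168.2.106 --nameserver 192.168.1.10 --hostname sirislanxen1.exemple.com
### End Bond1


### ISCSI
# SAN interfaces (jumbo frames; MTU is re-applied in %post)
network --device eth1 --onboot yes --bootproto static --ip 10.1.1.51 --mtu 9000 --netmask 255.255.255.0 --hostname node1.exemple.com
network --device eth2 --onboot yes --bootproto static --ip 10.1.1.52 --mtu 9000 --netmask 255.255.255.0 --hostname node1.exemple.com
### End ISCSI


### Bond0
# Cluster management interfaces (bonding); same slave/bond handling as bond1
network --device eth3 --onboot yes --bootproto static --ip 10.1.0.2 --netmask 255.255.255.0 --hostname node1.exemple.com
network --device eth4 --onboot yes --bootproto static --ip 10.1.0.2 --netmask 255.255.255.0 --hostname node1.exemple.com
### End bond0


#
# Firewall, SELinux, services and security configuration
###############################################################################

# default root password : 'foo11bar'
# (hash and password are both published with this repo; regenerate before use)
rootpw --iscrypted $1$L.LWW5FI$kGSjEOyma9dWQA0NV/9aK1


# No packet filtering at all (iptables/ip6tables services are disabled below
# as well); xend's relocation port and vnc-server are exposed to whatever
# can reach the cluster networks.
firewall --disabled
services --disabled cups,iptables,ip6tables,kudzu,netfs,xendomains,avahi-daemon,acpid
services --enabled multipathd
authconfig --enableshadow --enablemd5
selinux --permissive

#
# Disk and partition configuration
###############################################################################

bootloader --location=mbr --driveorder=sda
clearpart --all
part /boot --fstype ext3 --size=100
part pv.5 --size=100 --grow
volgroup VolGroupXen1 --pesize=32768 pv.5
logvol / --fstype ext3 --name=LogVolRoot --vgname=VolGroupXen1 --size=6000
logvol /var --fstype ext3 --name=LogVolVar --vgname=VolGroupXen1 --size=2048
logvol swap --fstype swap --name=LogVolSwap --vgname=VolGroupXen1 --size=2048
logvol /tmp --fstype ext3 --name=LogVolTmp --vgname=VolGroupXen1 --size=2048


#
# Common packages for all cluster nodes
###############################################################################

%packages

@editors
@text-internet
@virtualization
@core
@base
@network-server
@clustering
@french-support
iscsi-initiator-utils
bridge-utils
device-mapper-multipath
vnc-server
OpenIPMI
OpenIPMI-tools
#yum-allowdowngrade
#yum-priorities
yum-security
ntp
luci
-cadaver
-gnome-applet-vm
-words
-coolkey
-nano
-autofs
-pcmciautils
-mtools
-NetworkManager
-nfs-utils
-mkbootdisk
-irda-utils
-amtu
-ypbind
-smartmontools
-ccid
-anacron
-bluez-utils
-talk
-system-config-cluster
-ipvsadm
-piranha
-firstboot-tui
-firstboot


#
# Post install script
###############################################################################

%post
#
# Bonding configuration
#

### Modprobe
# Modify the modprobe.conf file
# active-backup (mode=1) bonds; eth4 and eth0 are the preferred slaves
echo "alias bnx2i off" >> /etc/modprobe.conf
echo "alias bond0 bonding" >> /etc/modprobe.conf
echo "alias bond1 bonding" >> /etc/modprobe.conf
echo "options bond0 miimon=80 mode=1 primary=eth4" >> /etc/modprobe.conf
echo "options bond1 miimon=80 mode=1 primary=eth0" >> /etc/modprobe.conf
### End Modprobe

### Bond0
# Create network interface config file for bond0
echo -e DEVICE=bond0\\nIPADDR=10.1.0.2\\nNETMASK=255.255.255.0\\nONBOOT=yes\\nBOOTPROTO=static\\nUSERCTL=no > /etc/sysconfig/network-scripts/ifcfg-bond0
### End Bond0

### Bond1
# Create network interface config file for bond1
echo -e DEVICE=bond1\\nIPADDR=192.168.2.99\\nNETMASK=255.255.255.240\\nONBOOT=yes\\nBOOTPROTO=static\\nUSERCTL=no > /etc/sysconfig/network-scripts/ifcfg-bond1
### End Bond1

### MTU
# Add MTU configuration for ISCSI
echo "MTU=9000" >> /etc/sysconfig/network-scripts/ifcfg-eth1
echo "MTU=9000" >> /etc/sysconfig/network-scripts/ifcfg-eth2
### End MTU

### Bond0 IFACEs
# Modify slaves network interfaces config files for bond0 (eth3, eth4):
# comment out the per-NIC addressing anaconda wrote, then enslave.
sed -i -e '/^IPADDR=*/ s/^/#/' -e '/^NETMASK=*/ s/^/#/' -e '/^NETWORK=*/ s/^/#/' -e '/^DHCPCLASS=*/ s/^/#/' /etc/sysconfig/network-scripts/ifcfg-eth3
echo -e SLAVE=yes\\nMASTER=bond0 >> /etc/sysconfig/network-scripts/ifcfg-eth3
sed -i -e '/^IPADDR=*/ s/^/#/' -e '/^NETMASK=*/ s/^/#/' -e '/^NETWORK=*/ s/^/#/' -e '/^DHCPCLASS=*/ s/^/#/' /etc/sysconfig/network-scripts/ifcfg-eth4
echo -e SLAVE=yes\\nMASTER=bond0 >> /etc/sysconfig/network-scripts/ifcfg-eth4
### End Bond0 IFACEs

### Bond1 IFACEs
# Modify slaves network interfaces config files for bond1 (eth0, eth5)
sed -i -e '/^IPADDR=*/ s/^/#/' -e '/^NETMASK=*/ s/^/#/' -e '/^NETWORK=*/ s/^/#/' -e '/^DHCPCLASS=*/ s/^/#/' /etc/sysconfig/network-scripts/ifcfg-eth0
echo -e SLAVE=yes\\nMASTER=bond1 >> /etc/sysconfig/network-scripts/ifcfg-eth0
sed -i -e '/^IPADDR=*/ s/^/#/' -e '/^NETMASK=*/ s/^/#/' -e '/^NETWORK=*/ s/^/#/' -e '/^DHCPCLASS=*/ s/^/#/' /etc/sysconfig/network-scripts/ifcfg-eth5
echo -e SLAVE=yes\\nMASTER=bond1 >> /etc/sysconfig/network-scripts/ifcfg-eth5
### End Bond1 IFACEs

#
# VLAN configuration for VMs
#
# Each VLAN sub-interface of bond1 is bridged to a vlanbrN that the guests
# attach to. The ifcfg file names were previously ifcfg-bond0.N while
# DEVICE= said bond1.N; DEVICE is what the network scripts act on, so the
# file names now match it (ifcfg-<DEVICE> is what ifup/ifdown look for).

### VLAN 12
echo -e DEVICE=bond1.12\\nBRIDGE=vlanbr0\\nONBOOT=yes\\nBOOTPROTO=static\\nVLAN=yes > /etc/sysconfig/network-scripts/ifcfg-bond1.12
echo -e DEVICE=vlanbr0\\nTYPE=bridge\\nONBOOT=yes\\nBOOTPROTO=static\\nSTP=off\\nDELAY=0 > /etc/sysconfig/network-scripts/ifcfg-vlanbr0
### End VLAN 12

### VLAN 10
echo -e DEVICE=bond1.10\\nBRIDGE=vlanbr1\\nONBOOT=yes\\nBOOTPROTO=static\\nVLAN=yes > /etc/sysconfig/network-scripts/ifcfg-bond1.10
echo -e DEVICE=vlanbr1\\nTYPE=bridge\\nONBOOT=yes\\nBOOTPROTO=static\\nSTP=off\\nDELAY=0 > /etc/sysconfig/network-scripts/ifcfg-vlanbr1
### End VLAN 10

### VLAN 17
echo -e DEVICE=bond1.17\\nBRIDGE=vlanbr2\\nONBOOT=yes\\nBOOTPROTO=static\\nVLAN=yes > /etc/sysconfig/network-scripts/ifcfg-bond1.17
echo -e DEVICE=vlanbr2\\nTYPE=bridge\\nONBOOT=yes\\nBOOTPROTO=static\\nSTP=off\\nDELAY=0 > /etc/sysconfig/network-scripts/ifcfg-vlanbr2
### End VLAN 17

### VLAN 11
echo -e DEVICE=bond1.11\\nBRIDGE=vlanbr3\\nONBOOT=yes\\nBOOTPROTO=static\\nVLAN=yes > /etc/sysconfig/network-scripts/ifcfg-bond1.11
echo -e DEVICE=vlanbr3\\nTYPE=bridge\\nONBOOT=yes\\nBOOTPROTO=static\\nSTP=off\\nDELAY=0 > /etc/sysconfig/network-scripts/ifcfg-vlanbr3
### End VLAN 11


#
# Xen configuration
#

# Modify xen config file to set right params for network and min memory amount for xen
# (xend's own bridge script is replaced by /bin/true; bridging is done by the
# vlanbrN interfaces above)
sed -i -e '/(network-script network-bridge)/a (network-script /bin/true)' -e '/(dom0-min-mem 256)/a (dom0-min-mem 1024)' -e '/(network-script network-bridge)/ s/^/#/' -e '/(dom0-min-mem 256)/ s/^/#/' /etc/xen/xend-config.sxp

# Configure xen migration
# The relocation server listens on 10.1.0.2:8002 (cluster management net).
# NOTE(review): the empty regex "//" below reuses the previous pattern, so the
# new line lands under the commented-out hosts-allow entry; and
# xend-relocation-hosts-allow '' means *no* source restriction: any host that
# can reach port 8002 may push domains to / pull them from this node, with no
# authentication. Restrict it to the cluster nodes (hostnames/addresses from
# the /etc/hosts entries below) unless the management network is fully isolated.
sed -i -e '/#(xend-relocation-server no)/a (xend-relocation-server yes)' -e '/#(xend-relocation-port 8002)/a (xend-relocation-port 8002)' /etc/xen/xend-config.sxp
sed -i -e "/#(xend-relocation-address '')/a (xend-relocation-address '10.1.0.2')" -e '/^(xend-relocation-hosts-allow*/ s/^/#/' -e "//a (xend-relocation-hosts-allow '')" /etc/xen/xend-config.sxp

### Hosts configuration
# replace anaconda's 127.0.0.1 line (which carries the node's own hostname)
# with a plain localhost entry, then add the cluster peers
sed -i -e '/^127.0.0.1/a 127.0.0.1\tlocalhost.localdomain localhost ' -e '/^127.0.0.1/D' /etc/hosts
echo 10.1.0.2 node1.exemple.com node1 >> /etc/hosts
echo 10.1.0.4 node2.exemple.com node2 >> /etc/hosts
echo 10.1.0.6 node3.exemple.com node3 >> /etc/hosts
echo 10.1.0.8 node4.exemple.com node4 >> /etc/hosts
### End Host configuration

#
# EOF
#####

--------------------------------------------------------------------------------
/near-everything.cfg:
--------------------------------------------------------------------------------
#
# From: Akemi Yagi
#
# Like everything.cfg but installed over NFS and without the cluster/xen/games
# groups. Server and placeholder path below must be filled in.
install
nfs --server=xxx.xxx.xxx.xxx --dir=/xx/yy/x86_64
lang en_US.UTF-8
keyboard us
xconfig --startxonboot
network --device eth0 --bootproto dhcp
# md5crypt hash, published with this repo; replace it.
rootpw --iscrypted $1$i5igsWCm$HDinvvd/qCs5J4./e987T.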
# Only tcp/22 is opened; the dns/ftp/mail/news/smb/web/sql server groups
# below will be installed but not reachable until the firewall is widened.
firewall --enabled --port=22:tcp
# md5crypt shadow hashes (CentOS 5 era default)
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone America/Los_Angeles
bootloader --location=mbr --driveorder=sda --append="rhgb quiet"
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
# (kept commented out, so anaconda prompts for partitioning)
#clearpart --linux --drives=sda
#part /boot --fstype ext3 --size=100 --ondisk=sda
#part pv.2 --size=0 --grow --ondisk=sda
#volgroup VolGroup00 --pesize=32768 pv.2
#logvol / --fstype ext3 --name=LogVol00 --vgname=VolGroup00 --size=1024 --grow
#logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=1008 --grow --maxsize=2016

%packages
@admin-tools
@authoring-and-publishing
@base
@core
@dns-server
@development-libs
@development-tools
@dialup
@editors
@engineering-and-scientific
@ftp-server
@gnome-desktop
@gnome-software-development
@graphical-internet
@graphics
@java
@java-development
@kde-desktop
@kde-software-development
@legacy-network-server
@legacy-software-development
@legacy-software-support
@mail-server
@mysql
@network-server
@news-server
@office
@openfabrics-enterprise-distribution
@sql-server
@printing
@ruby
@server-cfg
@sound-and-video
@system-tools
@text-internet
@web-server
@smb-server
@x-software-development
@base-x
kexec-tools
fipscheck
device-mapper-multipath
sgpio
perl-Convert-ASN1
python-dmidecode
imake
emacs
libsane-hpaio
# tftp-server, vnc-server and dnsmasq are network listeners once enabled
tftp-server
vnc-server
dnsmasq
audit
mesa-libGLU-devel
xorg-x11-utils
xorg-x11-server-Xnest
xorg-x11-server-Xvfb

-------------------------------------------------------------------------------- /secure-kickstart.cfg: -------------------------------------------------------------------------------- 1 | # 2 | # From: Jim Perrin 3 | # 4 | ############## Secure Kickstart version 1.0 ############## 5 | ########################################################## 6 | # 7 | # Name: secure-kickstart.cfg 8 | # Description: Kickstart file with many of the DISA STIG 9 | # changes applied via %post functionality 10 | # Distro: CentOS 5 or RHEL 5 11 | # 12 | # 13 | #################### End User Notes ###################### 14 | # 15 | # There are a number of considerations to be made when 16 | # using this document. Partitioning space, system use, 17 | # and other tasks that make servers different. 18 | # 19 | # 20 | ####################### Usage ############################ 21 | # 22 | # 1. Set up partitioning, or leave commented to get the 23 | # anaconda partitioner. 24 | # 2. Review the package list. Add or remove as needed 25 | # 3. This kickstart assumes a local mirror to install 26 | # from. Change this to suit your needs. 27 | 28 | install 29 | cdrom 30 | #url --url http://192.168.1.1./installmedia 31 | lang en_US.UTF-8 32 | keyboard us 33 | network --noipv6 --onboot=yes --bootproto=dhcp 34 | #text 35 | ########## !! CHANGE THIS !! 
########## 36 | #zerombr 37 | #clearpart --all 38 | #partition /boot --fstype "ext3" --size=128 --ondisk=sda 39 | #partition pv.2 --size=0 --grow --ondisk=sda 40 | #volgroup OS_VOL --pesize=32768 pv.2 41 | #logvol swap --fstype swap --name=lvSwap --vgname=OS_VOL --size=2048 42 | #logvol / --fstype ext3 --name=lvRoot --vgname=OS_VOL --size=10240 43 | #logvol /var --fstype ext3 --name=lvVar --vgname=OS_VOL --size=10240 44 | #logvol /home --fstype ext3 --name=lvHome --vgname=OS_VOL --size=10240 45 | #logvol /tmp --fstype ext3 --name=lvTMP --vgname=OS_VOL --size=4096 46 | #logvol /opt --fstype ext3 --name=lvopt --vgname=OS_VOL --size=10240 47 | 48 | bootloader --location mbr --password Sekrit 49 | authconfig --enableshadow --enablemd5 50 | selinux --enforcing 51 | rootpw ChangeMe 52 | timezone --utc America/New_York 53 | firewall --enabled --port=22:tcp # This will be further restricted later 54 | reboot 55 | 56 | ########## UPDATE THE PACKAGE LIST ############# 57 | %packages --resolvedeps 58 | # For bare systems, these are the groups you need initially. 
59 | @Base 60 | @text-internet 61 | @editors 62 | # For something with a gui, uncomment these 63 | #@gnome-desktop 64 | #@system-tools 65 | #@base-x 66 | #@graphics 67 | #@printing 68 | #@sound-and-video 69 | 70 | # Packages added for security 71 | aide 72 | audit 73 | vlock 74 | # Packages removed because we don't need/use them 75 | -compiz 76 | -emacs-leim 77 | -emacspeak 78 | -ethereal 79 | -ethereal-gnome 80 | -gnome-games 81 | -isdn4k-utils 82 | -nmap 83 | -octave 84 | -oprofile 85 | -rcs 86 | -tcpdump 87 | -valgrind 88 | -zsh 89 | 90 | %pre 91 | 92 | %post --nochroot 93 | mkdir /mnt/sysimage/tmp/ks-tree-copy 94 | if [ -d /oldtmp/ks-tree-shadow ]; then 95 | cp -fa /oldtmp/ks-tree-shadow/* /mnt/sysimage/tmp/ks-tree-copy 96 | elif [ -d /tmp/ks-tree-shadow ]; then 97 | cp -fa /tmp/ks-tree-shadow/* /mnt/sysimage/tmp/ks-tree-copy 98 | fi 99 | cp /etc/resolv.conf /mnt/sysimage/etc/resolv.conf 100 | 101 | %post 102 | 103 | ## Log errors by creating one big subshell 104 | ( 105 | 106 | if [ -f /usr/share/rhn/RPM-GPG-KEY ]; then 107 | rpm --import /usr/share/rhn/RPM-GPG-KEY 108 | elif [ -f /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 ]; then 109 | rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 110 | fi 111 | 112 | ############# Adding Security Enhancements ############################ 113 | 114 | 115 | ################# User Login Security Changes ##################### 116 | # GEN000020 (G001) 117 | # GEN000040 (G002) 118 | # GEN000060 (G003) 119 | # Require root password for single user mode 120 | echo "Locking down GEN000020, GEN000040, GEN000060" 121 | echo "Require the root pw when booting into single user mode" >> /etc/inittab 122 | echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab 123 | echo "GEN000020, GEN000040,GEN000060 Complete" 124 | 125 | 126 | ## Prevent entering interactive boot 127 | perl -npe 's/PROMPT=yes/PROMPT=no/' -i /etc/sysconfig/init 128 | echo "Interactive Boot disabled" 129 | 130 | # LNX00580 (L222) 131 | echo "Locking down LNX00580" 132 | perl -npe 
's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /etc/inittab 133 | echo "LNX00580 Complete" 134 | 135 | 136 | # We'll get to the updated versions once we configure pam. 137 | 138 | # GEN000700 139 | # Change the password expiration time from undefined to 60 days 140 | echo "Locking down GEN000700" 141 | perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 60/' -i /etc/login.defs 142 | chage -M 60 root 143 | echo "GEN000700 Complete" 144 | 145 | # GEN000540 146 | # Ensure that the user cannot change their password more than once a day. 147 | echo "Locking down GEN000540" 148 | perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs 149 | echo "GEN000540 Complete" 150 | 151 | # GEN000480 (G015) 152 | echo "Locking down GEN000480" 153 | echo "Make the user waits four seconds if they fail after LOGIN_RETRIES" >> /etc/login.defs 154 | echo "FAIL_DELAY 4" >> /etc/login.defs 155 | echo "GEN000480 Complete" 156 | 157 | # GEN000820 158 | echo "Locking down GEN000820" 159 | perl -npe 's/PASS_MIN_LEN\s+5/PASS_MIN_LEN 9/' -i /etc/login.defs 160 | #STIG specifies using foloowing, but it's not a valid parameter 161 | #echo "PASSLENGTH 9" >> /etc/login.defs 162 | echo "GEN000820 Complete" 163 | 164 | ## As of RHEL/CentOS 5.3, authconfig supports SHA password encryption 165 | ## This cannot be set by default using auth earlier in the KS, so it must be done in %post 166 | echo "Using SHA512 for the password algorithm" 167 | authconfig --passalgo=sha512 --update 168 | echo "Done" 169 | 170 | ###### PAM Modifications 171 | # These modifications apply to GEN000460, GEN000600 and GEN000620 172 | touch /var/log/tallylog 173 | 174 | cat << 'EOF' > /etc/pam.d/system-auth-local 175 | #%PAM-1.0 176 | # Auth Section 177 | auth required pam_tally2.so unlock_time=900 onerr=fail no_magic_root 178 | auth required pam_faildelay.so delay=5000000 179 | auth include system-auth-ac 180 | 181 | # Accounts Section 182 | account required pam_tally2.so 183 | account 
include system-auth-ac 184 | 185 | # Password Section 186 | password required pam_pwhistory.so use_authtok remember=5 retry=3 187 | password requisite pam_passwdqc.so min=disabled,disabled,16,12,8 188 | password include system-auth-ac 189 | 190 | # Session Section 191 | ## By default we're only going to log what root does 192 | ## This gets really verbose if we log more. 193 | ## If you want to log everyone, remove disable=* 194 | session required pam_tty_audit.so disable=* enable=root 195 | session include system-auth-ac 196 | EOF 197 | 198 | 199 | # Create some basic shell rules for users. 200 | 201 | echo "Idle users will be removed after 15 minutes" 202 | echo "readonly TMOUT=600" >> /etc/profile.d/os-security.sh 203 | echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh 204 | chmod +x /etc/profile.d/os-security.sh 205 | 206 | # GEN002560 207 | # Reset the umasks for all users to 077 208 | echo "Locking down GEN002560" 209 | perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc 210 | perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc 211 | echo "GEN002560 Complete" 212 | 213 | 214 | ## Require GUI consoles to lock if idle longer than 10 minutes. 215 | if [ -f /etc/gconf/gconf.xml.mandatory ]; then 216 | gconftool-2 --direct \ 217 | --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ 218 | --type bool \ 219 | --set /apps/gnome-screensaver/idle_activation_enabled true 220 | gconftool-2 --direct \ 221 | --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ 222 | --type bool --set /apps/gnome-screensaver/lock_enabled true 223 | gconftool-2 --direct \ 224 | --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ 225 | --type string \ 226 | --set /apps/gnome-screensaver/mode blank-only 227 | gconftool-2 --direct \ 228 | --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ 229 | --type int \ 230 | --set /apps/gnome-screensaver/idle_delay 10 231 | fi 232 | 233 | ## No one gets to run cron or at jobs unless we say so. 
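echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
# Deny every account except root. The comparison is an exact match on the
# user name, so an account whose name merely contains "root" is still denied.
awk -F: '$1 != "root" {print $1}' /etc/passwd > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '$1 != "root" {print $1}' /etc/passwd > /etc/at.deny



# GEN000400 (G010)
echo "Locking down GEN000400"
# Set the /etc/issue file to something scary. This one has no linefeeds, so it will wrap accordingly.
# Change this to your own banner for organizations outside the Scary Zone

cat << 'EOF' >/etc/issue
USE OF THIS COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES.
EOF
echo "GEN000400 Completed"


# The banner above works great for shell logins, but won't work for gui logins.
if [ -f /etc/gdm/PreSession/Default ]; then
    # GEN000420 (G011)
    # This part creates the same login banner once your username and password has been entered. This has linefeeds in it.
    # Text needs to be cleaned up a touch.
    echo "Locking down GEN000420"
    # Drop the script's trailing "exit 0" so the dialog below runs before it.
    perl -npe 's/exit\s0/\n/' -i /etc/gdm/PreSession/Default

    cat << 'EOF' >> /etc/gdm/PreSession/Default
/usr/bin/gdialog --yesno "Agree = 'OK' Disagree = 'Cancel'

USE OF THIS COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM. UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION. EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION. USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES.

Agree = 'OK' Disagree = 'Cancel'"
if ( test 1 -eq $? ); then
/usr/bin/gdialog --infobox "Logging out in 10 Seconds" 1 20 &
sleep 10
exit 1
fi

exit 0
EOF
    echo "GEN000420 Completed"
fi

################## File and Directory Security #########################

# Restrict mount points with noexec, nosuid, and nodev where applicable

# GEN002420
echo "Locking down GEN002420"
FSTAB=/etc/fstab
SED=/bin/sed

# add_mount_opts MOUNTPOINT OPTS
#   Append the comma-separated mount options OPTS to the fstab entry whose
#   mount point is exactly MOUNTPOINT, unless that entry already carries the
#   first option in OPTS. A mount point with no entry of its own (e.g. /sys,
#   or /home on a single-partition install) is left untouched.
#   The trailing [[:blank:]] in the sed pattern is what keeps /var from also
#   editing /var/tmp and /usr from editing /usr/local.
add_mount_opts() {
    local mnt="$1" new_opts="$2"
    local probe="${new_opts%%,*}"
    local mnt_re entry cur_opts
    # Escape the slashes once; the same pattern serves grep and sed.
    mnt_re=$(printf '%s' "${mnt}" | ${SED} 's#/#\\/#g')
    entry=$(grep "[[:blank:]]${mnt_re}[[:blank:]]" "${FSTAB}")
    [ -n "${entry}" ] || return 0
    if [ "$(printf '%s\n' "${entry}" | grep -c "${probe}")" -eq 0 ]; then
        cur_opts=$(printf '%s\n' "${entry}" | awk '{print $4}')
        ${SED} -i "s/\([[:blank:]]${mnt_re}[[:blank:]].*${cur_opts}\)/\1,${new_opts}/" "${FSTAB}"
    fi
}

# nosuid on /home, /sys and /boot
add_mount_opts /home nosuid
add_mount_opts /sys nosuid
add_mount_opts /boot nosuid

# nodev on /usr, /home and /usr/local
add_mount_opts /usr nodev
add_mount_opts /home nodev
add_mount_opts /usr/local nodev

# nodev and noexec on /tmp and /var/tmp
# (the /var/tmp case used to read its current options from the /tmp entry
# and used an unescaped slash in the sed expression; both are fixed by the helper)
add_mount_opts /tmp nodev,noexec
add_mount_opts /var/tmp nodev,noexec

# nodev on /var
add_mount_opts /var nodev

echo "GEN002420 Complete"



# By default /root has permissions of 750.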
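# Change this to 700
# GEN000920 (G023)
echo "Locking down GEN000920"
# Correct the permissions on /root to a DISA allowed 700
chmod 700 /root
echo "GEN000920 Complete"


# GEN002680 (G094)
# reset permissions on audit logs
echo "Locking down GEN002680"
chmod 700 /var/log/audit
chmod 600 /var/log/audit/*
echo "GEN002680 Complete"


# GEN003080
echo "Locking down GEN003080"
chmod 600 /etc/crontab
chmod 700 /usr/share/logwatch/scripts/logwatch.pl
echo "GEN003080 Complete"

# GEN003520 ( RHEL5 default anyway )
echo "Locking down GEN003520"
chmod 700 /var/crash
chown -R root.root /var/crash
echo "GEN003520 Complete"

# GEN006520
echo "Locking down GEN006520"
chmod 740 /etc/rc.d/init.d/iptables
chmod 740 /sbin/iptables
chmod 740 /usr/share/logwatch/scripts/services/iptables
echo "GEN006520 Complete"

# GEN001560
echo "Locking down GEN001560"
chmod -R 700 /etc/skel
echo "GEN001560 Complete"

# GEN005400 (G656)
# Reset the permissions to a DISA-blessed rw-r-----
echo "Locking down GEN005400"
chmod 640 /etc/syslog.conf
echo "GEN005400 Complete"

# LNX00440 (L046)
# Set mode to DISA-blessed rw-r-----
echo "Locking down LNX00440"
chmod 640 /etc/security/access.conf
echo "LNX00440 Complete"


# GEN001260
# rc.sysinit recreates utmp/wtmp on every boot; fix the mode it uses.
echo "Locking down GEN001260"
perl -npe 's%chmod 0664 /var/run/utmp /var/log/wtmp%chmod 0644 /var/run/utmp /var/log/wtmp%g' -i /etc/rc.d/rc.sysinit
echo "GEN001260 Complete"

# LNX00520 (L208)
echo "Locking down LNX00520"
chmod 600 /etc/sysctl.conf
echo "LNX00520 Complete"

# Add some enhancements to sysctl
# (icmp_echo_ignore_broadcasts is listed once; it was previously duplicated)
cat << 'EOF' >> /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 1
EOF

########## Turn off the unneeded stuff #############
# IAVA0410 (G592) and GEN003700
# Turn off unneeded services
# You may want to leave sendmail enabled but the STIG says otherwise
# I mark this as mitigated by the firewall, and not accepting outside
# connections. The NSA RHEL5 guide has a full service list
# with recommendations
echo "Locking down IAVA0410 and GEN003700"
/sbin/chkconfig bluetooth off
/sbin/chkconfig irda off
/sbin/chkconfig lm_sensors off
/sbin/chkconfig portmap off
/sbin/chkconfig rawdevices off
/sbin/chkconfig rpcgssd off
/sbin/chkconfig rpcidmapd off
/sbin/chkconfig rpcsvcgssd off
/sbin/chkconfig sendmail off
/sbin/chkconfig xinetd off
/sbin/chkconfig kudzu off
echo "IAVA0410 and GEN003700 Complete"

######### Remove useless users ##############
# This isn't strictly needed as they have a default shell of nologin
# but we're removing them anyway to be safe.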
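echo "Locking down LNX0034 and GEN004840"
/usr/sbin/userdel shutdown
/usr/sbin/userdel halt
/usr/sbin/userdel games
/usr/sbin/userdel operator
/usr/sbin/userdel ftp
/usr/sbin/userdel news
/usr/sbin/userdel gopher
echo "LNX0034 and GEN004840 Complete"



############# SSH restrictions ###############
#
# Uncomment this if you have physical access to the machine.
# This will lock root out from ssh.
# GEN001120 (G500)

# We need to restrict ssh root logins;
#echo "Locking down GEN001120"
#perl -npe 's/#PermitRootLogin yes/PermitRootLogin no/' -i /etc/ssh/sshd_config
#echo "GEN001120 Complete"

#GEN005540
echo "Locking down GEN005540"
perl -npe 's/^#Banner \/some\/path/Banner \/etc\/issue/g' -i /etc/ssh/sshd_config
echo "GEN005540 Complete"

perl -npe 's/^#ServerKeyBits 768/ServerKeyBits 2048/g' -i /etc/ssh/sshd_config
perl -npe 's/^#MaxAuthTries 6/MaxAuthTries 3/g' -i /etc/ssh/sshd_config


################ Configure a better default firewall ###############
# The anti-spoof rules must sit in INPUT *before* the jump to
# RH-Firewall-1-INPUT: that chain ends in an unconditional DROP and never
# returns, so anything appended to INPUT after the jump is dead. Each LOG
# is now followed by a DROP so the "IP DROP SPOOF" prefix is accurate.
cat << 'EOF' > /etc/sysconfig/iptables
#Drop anything we aren't explicitly allowing. All outbound traffic is okay
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Log and drop anything on eth0 claiming it's from a local or non-routable network
# If you're using one of these local networks, remove it from the list below
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
-A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. Restrict this to known ips if possible.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
EOF

###### Check to see if we have network access for updates ##########
# For RHEL systems, change the profile name and key
# Documentation for activation keys can be found at
# http://kbase.redhat.com/faq/docs/DOC-2475
# bash-only connectivity probe: the redirection fails (non-zero status)
# when the TCP connection cannot be opened.
2>/dev/null >/dev/tcp/google.com/80
if [ $? -eq 0 ]; then
    if [ -f /usr/share/rhn/RPM-GPG-KEY ]; then
        rhnreg_ks --profilename=secure-rhel --activationkey=xxxxxxxxxxx
    fi
    cat << 'EOF' >> /etc/yum.conf
exclude = *.i?86
EOF
    # Quoted so the shell never expands the glob against the working directory.
    yum -y remove '*.i?86'
    yum -y update
else
    echo "There's no network. No updates performed"
fi

############### Beef up the default ruleset for AIDE #################
# Setup AIDE off this baseline
echo "Setting up baseline AIDE configuration ...."
echo "NOTE!!! PLEASE REVIEW THIS, AND EDIT FOR YOUR SPECIFIC CONFIGURATION!"

# Write /etc/aide.conf
echo "Appending default setuid/setgid and 666 f/d to default /etc/aide.conf"
cat << 'EOF' >> /etc/aide.conf

# World-Writable files and directories
# Note: There are no ww files in the base install

# World-Writable Directories in base install

/tmp PERMS
/tmp/.pk11ipc1 PERMS
/tmp/.font-unix PERMS
/tmp/.ICE-unix PERMS
/tmp/.X11-unix PERMS
/var/tmp PERMS

# set-UID and set-GID files in base install

/sbin/netreport PERMS
/usr/libexec/utempter/utempter PERMS
/usr/sbin/lockdev PERMS
/usr/sbin/sendmail.sendmail PERMS
/usr/lib/vte/gnome-pty-helper PERMS
/usr/bin/locate PERMS
/usr/bin/write PERMS
/usr/bin/wall PERMS
/usr/bin/ssh-agent PERMS
/usr/bin/lockfile PERMS
/usr/bin/screen PERMS
EOF

echo "done adding to /etc/aide.conf"
echo ""
# The baseline is built after the update run above so the DB reflects the
# packages that are actually installed.
echo "Building a initial AIDE DB..."
/usr/sbin/aide -i
echo "Initial AIDE DB complete"
echo ""
echo "Copping initial AIDE DB to initial baseline AIDE DB..."
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
echo "done copping initital AIDE DB"
echo ""
echo ""
echo "Please review your AIDE configuration, default DB locations,"
echo "cron jobs, etc. to fit your needs"
echo ""
echo "GEN02440 and GEN2380 Complete"



) > /root/kickstart-log.txt 2>&1
--------------------------------------------------------------------------------
/workstation-ks.cfg:
--------------------------------------------------------------------------------
# workstation-ks.cfg
# version 1.0.0 2011-09-30
# Copyright 2010,2011 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Authors:
# Steve Grubb

# The purpose of this kickstart is to demonstrate usage of the USGCB
# standard desktop baseline. Documentation for Kickstart can be found at:
# http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/ch-kickstart2.html

# (Required) We want to "install" as opposed to "upgrade" an existing system
install

# Reboot the machine after the installation is complete
# and attempt to eject the CD/DVD/Bootdisk
reboot --eject

##
## This next section needs site specific customizations. If installing by
## Network, you should update the URL line to point to the location where
## the image is stored..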
## If you are instead using the CDROM method, comment
# out the URL line and uncomment the CDROM line.
# Configure networking
# Kickstart assumes dhcp over eth0 if not specified otherwise
# These can be serialized on a per-machine basis, or
# provided on the command line during system installation as described
#network --bootproto=static --ip= --netmask= --gateway= --nameserver=
#network --bootproto=dhcp
# NOTE(review): the static address below is a lab value (libvirt default
# subnet); it has to be replaced per site or the install will not reach the
# mirror named in the url line.
network --bootproto=static --ip=192.168.122.99 --netmask=255.255.255.0 --gateway=192.168.122.1 --nameserver=192.168.122.1

# Install from a cdrom
#cdrom
# another option is to install via HTTP
url --url=http://192.168.122.1/iso/

# Set the language
lang en_US.UTF-8

# (Required) Set keyboard style
keyboard us

# Skip the RHN key setup, or enter the key here (will prompt without --skip)
key --skip

## The following section needs customization or at a minimum change
## The root password after first boot.
# Adding users and setting passwords:
# There are 3 options for setting rootpw (or adding user accounts & passwords)
# 1. Do not include the rootpw command and you will be prompted for the root
# password during installation. This is the recommended method.
# 2. Include a hashed root password inside the kickstart file. This method is
# not recommended, and is particularly not recommended if the kickstart will
# ever be traveling over a network.
# 3. Include a clear text password. This is a generally terrible idea.

# (Required) Sets the root password so there is no prompt during installation
# Example: encrypted password is "password"
# NOTE(review): this hash is the published example for "password"; any host
# built from this file unchanged has a known root credential until the
# password is rotated on first boot.
rootpw --iscrypted $6$naSytywF$AyVeKPcxnSMJg2L5b5YWGu7YFmgGW30HJ1qmqvjBBOBIbjQuqicsTuJndm0sns3vFpXGDx0SJzofARe914chx0

# Enable the firewall
firewall --enabled

# Enable SELinux CCE-3999-0 (row 102)
selinux --enforcing

# (Required) Wrapper around the authconfig command CCE-14063-2 (row 80)
authconfig --enableshadow --passalgo=sha512

# (Required) Set the timezone
timezone --utc America/New_York

## This line needs site specific customizations. Or at a minimum change
## the password on first boot.
# CCE-3818-2 (row 90) Add a grub bootloader password (password is: rhel5)
# CCE-15026-8 (row 143) enable audit at boot
# NOTE(review): --password stores the GRUB password in clear text in this
# file; kickstart also accepts --md5pass=<hash> for the same directive.
bootloader --location=mbr --password=rhel5 --append="rhgb quiet audit=1"

# Partitions (Required for "install")
# This setup assumes a disk larger than 20GB, and should be modified with
# appropriate size partitions based on the machine's hardware

# Format the partitions/mbr first
zerombr
clearpart --all --initlabel

# Create primary partitions
part /boot --fstype "ext3" --size=512 --asprimary
part swap --fstype swap --size=1024
part pv.01 --size=1 --grow

# Create more logical partitions
# CCE-14161-4, CCE-14777-2, CCE-14011-1, CCE-14171-3, CCE-14559-9 (Rows 2 - 6)
# /var/tmp has no volume of its own; %post bind-mounts it onto /tmp (row 25).
volgroup vgroup1 pv.01
logvol / --fstype ext3 --name=root --vgname=vgroup1 --size=2560 --grow
logvol /tmp --fstype ext3 --name=temp --vgname=vgroup1 --size=256 --fsoptions="nodev,noexec,nosuid"
logvol /home --fstype ext3 --name=home --vgname=vgroup1 --size=1024 --fsoptions="nodev"
logvol /var --fstype ext3 --name=var --vgname=vgroup1 --size=1024 --fsoptions="nodev"
logvol /var/log --fstype ext3 --name=varlog --vgname=vgroup1 --size=512 --fsoptions="nodev,noexec,nosuid"
logvol /var/log/audit --fstype ext3 --name=audit --vgname=vgroup1 --size=256 --fsoptions="nodev,noexec,nosuid"

%packages
# These Package Groups are installed by default
@admin-tools
@base
@base-x
@core
@dialup
@editors
@gnome-desktop
@graphical-internet
@graphics
@java
@legacy-software-support
@office
@printing
@sound-and-video
@text-internet

# Individual packages not installed by default
emacs
# CCE-14068-1 (row 223)
postfix
# CCE-3910-7 (row 99)
vlock
# CCE-4209-3 (row 13)
aide
## Added to support Puppet
ruby
# Make sure we are using a desktop package set
redhat-release-5Client

# Individual packages to be removed from the groups
-xinetd
-telnet-server
-telnet
-krb5-workstation
-rsh-server
-rsh
-tftp-server
# CCE-14495-6 (row 222)
-sendmail
# CCE-4464-4 (row 219)
-dhcp
# CCE-14881-7 (row 240)
-vsftpd
# CCE-4514-6 (row 241)
-httpd
-gnome-user-share
# CCE-14825-4 (row 178)
-isdn4k-utils
# CCE-17504-2 (row 255)
-irda-utils
# CCE-18200-6 (row 253)
-talk
## If you have a 32 bit system, comment out the next line
-*.i?86
# CCE-18031-5 (row 250)
-ipsec-tools
# CCE-17250-2 (row 251)
-pam_ccreds
# FIXME: need row
openswan
# CCE-17742-8 (row 134)
-sysklogd
rsyslog


# Post-install commands

# Some post-installation configuration can be done from the kickstart file
# itself. These actions should not be relied upon for system
# configuration/management.
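# Anything in the %post section should be things
# that would immediately be done after installation that are either out of
# scope for the management software, or help prepare the system for the
# management software.

%post
# Install redhat-release key for later use validating rpms
# CCE-14440-2 (row 7)
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-auxiliary
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-former
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-rhx

# Disable rhnsd daemon (CCE-3416-5 row 8)
chkconfig rhnsd off

# Disable yum-updatesd daemon (CCE-4218-4 row 10)
chkconfig yum-updatesd off

# Notes CCE-14914-6, CCE-14813-0, CCE-14931-0 (row 11, 12, and 14 are noops)

# Fix up the partitions to be secure
# CCE (rows 15 - 25)
FSTAB=/etc/fstab
# nodev, noexec, and nosuid on /boot
# The fstab written by anaconda separates fields with spaces, hence ' \/boot '.
TEST="$(grep ' \/boot ' ${FSTAB} | grep -c 'noexec')"
if [ "$TEST" = "0" ]; then
    MNT_OPTS=$(grep " \/boot " ${FSTAB} | awk '{print $4}')
    sed -i "s/\( \/boot.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB}
fi
# nodev, noexec, and nosuid on /dev/shm
# CCE-15007-8, CCE-14306-5, CCE-14703-3 (Rows 22 - 24)
TEST="$(grep ' \/dev\/shm ' ${FSTAB} | grep -c 'noexec')"
if [ "$TEST" = "0" ]; then
    MNT_OPTS=$(grep " \/dev\/shm " ${FSTAB} | awk '{print $4}')
    sed -i "s/\( \/dev\/shm.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB}
fi
# Make /var/tmp use /tmp
# CCE-14584-7 (Row 25)
if ! grep -q " \/var\/tmp " ${FSTAB}; then
    echo -e "/tmp\t\t/var/tmp\t\t\text3\tdefaults,bind,nodev,noexec,nosuid\t0 0" >> ${FSTAB}
fi

# Don't use modprobe.conf, put changes in 1 place
touch /etc/modprobe.d/usgcb-blacklist

# Disable mounting of cramfs CCE-14089-7 (row 26)
echo -e "install cramfs /bin/true" >> /etc/modprobe.d/usgcb-blacklist
# Disable mounting of freevxfs CCE-14457-6 (row 27)
echo -e "install freevxfs /bin/true" >> /etc/modprobe.d/usgcb-blacklist
# Disable mounting of hfs CCE-15087-0 (row 28)
echo -e "install hfs /bin/true" >> /etc/modprobe.d/usgcb-blacklist
# Disable mounting of hfsplus CCE-14093-9 (row 29)
echo -e "install hfsplus /bin/true" >> /etc/modprobe.d/usgcb-blacklist
# Disable mounting of jffs2 CCE-14853-6 (row 30)
echo -e "install jffs2 /bin/true" >> /etc/modprobe.d/usgcb-blacklist
# Disable mounting of squashfs CCE-14118-4 (row 31)
echo -e "install squashfs /bin/true" >> /etc/modprobe.d/usgcb-blacklist
# Disable mounting of udf CCE-14871-8 (row 32)
echo -e "install udf /bin/true" >> /etc/modprobe.d/usgcb-blacklist

# Notes (row 33 - 51 are noops)

# CCE-4220-0 (Row 52)
echo -e "umask 027" >> /etc/sysconfig/init

# CCE-4225-9 (Row 53)
# Written with a trailing newline; the old 'echo -n' left the file without one,
# so the next append would have been glued onto this line.
echo "* hard core 0" >> /etc/security/limits.conf

# Notes CCE-4225-9, CCE-4146-7, CCE-4172-3 (row 54 -57 are noops)

# CCE-3485-0, CCE-4256-4 (Rows 58 & 59)
sed -i "/^vc/d" /etc/securetty

# CCE-15047-4 (Row 60)
# Uncomment the pam_wheel "required" line by content rather than by line
# number, so a reordered /etc/pam.d/su does not uncomment the wrong line.
sed -i "/^#auth[[:blank:]]*required[[:blank:]]*pam_wheel\.so use_uid/s/^#//" /etc/pam.d/su

# Notes CCE-14088-9 (row 61 is noop)

# Notes CCE-3987-5, CCE-4238-2, CCE-14300-8, CCE-4009-7 (rows 62 - 65 are noops)

# The login.defs edits are anchored at start of line so only the setting
# itself is touched, never the commentary that mentions the same key.
# CCE-4180-6 (Row 66)
sed -i "/^PASS_MIN_DAYS/s/[0-9]/1/" /etc/login.defs

# CCE-4097-2 (Row 67)
sed -i "/^PASS_WARN_AGE/s/[0-9]/14/" /etc/login.defs

# CCE-4092-3 (Row 68)
sed -i "/^PASS_MAX_DAYS/s/[0-9]\{5\}/60/" /etc/login.defs

# CCE-4154-1 (Row 69)
sed -i "/^PASS_MIN_LEN/s/[0-9]/12/" /etc/login.defs

# Notes CCE-14675-3, CCE-4114-5, CCE-14071-5 (rows 70 - 72 are noops)

# The following line covers
# (rows 73 - 78)
sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3/" /etc/pam.d/system-auth

# CCE-3410-8 (row 79) system-auth
# NOTE(review): inserting at a fixed line number depends on the exact layout
# authconfig produced; confirm line 5 is still the first "auth" entry.
sed -i "5i\auth\trequired\tpam_tally2.so deny=5 onerr=fail" /etc/pam.d/system-auth
#sed -i "/^auth/s/sufficient/required/" /etc/pam.d/system-auth
##sed -i "/^auth/s/requisite/required/" /etc/pam.d/system-auth
#sed -i "/^auth/d/requisite/" /etc/pam.d/system-auth
#sed -i "/pam_deny/d" /etc/pam.d/system-auth

# The old way
#sed -i "/^auth/s/include/required\tpam_tally2.so deny=5 onerr=fail\nauth\tinclude\t/" /etc/pam.d/gdm
#sed -i "/^auth/s/include/required\tpam_tally2.so deny=5 onerr=fail\nauth\tinclude\t/" /etc/pam.d/sshd
#sed -i "/^auth/s/include/required\tpam_tally2.so deny=5 onerr=fail\nauth\tinclude\t/" /etc/pam.d/login


# CCE-14063-2(row 80) is a noop since this is the defaults

# CCE-14939-3 (row 81)
sed -i "/pam_unix.so/s/shadow/shadow remember=24/" /etc/pam.d/system-auth

# Notes CCE-3301-9, CCE-14957-5, CCE-4090-7 (rows 82 - 84 are noops)

# CCE-14107-7 (row 85)
sed -i "/^UMASK/s/[0-9]\{3\}/077/" /etc/login.defs

# CCE-14847-8 (row 86)
echo "umask 077" >> /etc/profile

# CCE-3844-8 (row 87)
# /etc/bashrc carries both "umask 002" (ordinary users) and "umask 022";
# the rule is meant for every user, so both branches are rewritten.
sed -i "/umask/s/0[02]2/077/" /etc/bashrc

# CCE-4227-5 (row 88)
sed -i "/umask/s/0[02]2/077/" /etc/csh.cshrc

# Notes CCE-3923-0 (rows 89 is a noop)

# Notes CCE-4197-0, CCE-4144-2 (rows 91 - 92 are noops)

# CCE-4241-6 (row 93)
echo "~:S:wait:/sbin/sulogin" >> /etc/inittab

# CCE-4245-7 (row 94)
sed -i "/PROMPT/s/yes/no/" /etc/sysconfig/init

# CCE-3315-9 (row 95)
gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type int \
    --set /apps/gnome-screensaver/idle_delay 15

# CCE-14604-3 (row 96)
gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/gnome-screensaver/idle_activation_enabled true

# CCE-14023-6 (row 97)
gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type bool \
    --set /apps/gnome-screensaver/lock_enabled true

# CCE-14735-5 (row 98)
gconftool-2 --direct \
    --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type string \
    --set /apps/gnome-screensaver/mode blank-only

# CCE-4060-0 (row 100)
echo -e "\n-- WARNING --\nThis system is for the use of authorized users only. Individuals\nusing this computer system without authority or in excess of their\nauthority are subject to having all their activities on this system\nmonitored and recorded by system personnel. Anyone using this\nsystem expressly consents to such monitoring and is advised that\nif such monitoring reveals possible evidence of criminal activity\nsystem personal may provide the evidence of such monitoring to law\nenforcement officials.\n" > /etc/issue

# CCE-4188-9 (row 101)
# NOTE(review): "15s//.../" has an empty search pattern with no earlier regex
# to reuse, so GNU sed reports "no previous regular expression" and the theme
# file is left unchanged; confirm against the installed RHEL.xml and give the
# substitution an explicit pattern for what line 15 should contain.
sed -i "15s//\n \n \n \n \n \n-- WARNING --\nThis system is for the use of authorized users only. Individuals\nusing this computer system without authority or in excess of their\nauthority are subject to having all their activities on this system\nmonitored and recorded by system personnel. Anyone using this\nsystem expressly consents to such monitoring and is advised that\nif such monitoring reveals possible evidence of criminal activity\nsystem personal may provide the evidence of such monitoring to law\nenforcement officials.\n <\/text>\n <\/item>\n <\/box>\n <\/item>\n\n /" /usr/share/gdm/themes/RHEL/RHEL.xml


# CCE-3977-6, CCE-3999-0, and CCE-3624-4 (rows 102 - 104) are noops

# CCE-3668-1 (row 105)
chkconfig mcstrans off

# CCE-14991-4 (row 106) is noop

# CCE-3561-8 (row 107)
echo -e "\n# Changes for USGCB content" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf

# CCE-4155-8 (row 108)
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf

# CCE-4151-7 (row 109)
echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf

# CCE-3472-8 (row 110)
echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf

# CCE-4217-6 (row 111)
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf

# CCE-4236-6 (row 112)
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf

# CCE-3339-9 (row 113)
echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf

# CCE-4186-3 (row 114)
echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf

# CCE-4091-5 (row 115)
echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf

# CCE-4133-5 (row 116)
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf

# CCE-3644-2 (row 117)
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf

# CCE-4320-8 (row 118)
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf

# CCE-4080-8 (row 119)
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf

# CCE-4265-5 (row 120)
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf

# CCE-3840-6 (row 121)
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf

# CCE-15013-6, CCE-4276-2 (rows 122 and 123) are noops

# CCE-18455-6 (row 124)
echo -e "options ipv6 disable=1" >> /etc/modprobe.d/usgcb-blacklist

# CCE-4313-3 (row 125)
# The sysctl key is accept_redirects (plural); the singular spelling was
# silently rejected by sysctl and the setting never applied.
echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.conf

# CCE-4269-7 (row 126)
echo "net.ipv6.conf.default.accept_ra=0" >> /etc/sysctl.conf

# CCE-4167-3 (row 127)
# This is being set to off because IPv6 is disabled
chkconfig ip6tables off

# CCE-4189-7 (row 128)
chkconfig iptables on

# CCE-14264-6 (row 129)
sed -i "/^:INPUT/s/ACCEPT/DROP/" /etc/sysconfig/iptables

# CCE-14268-7 (row 130)
echo -e "install dccp /bin/true" >> /etc/modprobe.d/usgcb-blacklist

# CCE-14235-5 (row 131)
echo -e "install sctp /bin/true" >> /etc/modprobe.d/usgcb-blacklist

# CCE-14027-7 (row 132)
echo -e "install rds /bin/true" >> /etc/modprobe.d/usgcb-blacklist

# CCE-14911-2 (row 133)
echo -e "install tipc /bin/true" >> /etc/modprobe.d/usgcb-blacklist

# CCE-17698-2 (row 135)
# chkconfig takes the run levels as "--level LEVELS NAME on"; the previous
# "rsyslog --levels 345 on" form is rejected and left the service untouched.
chkconfig rsyslog on
chkconfig --level 345 rsyslog on

# (rows 136 - 138) are noops

# send logging to remote server CCE-17248-6 (row 139)
mkdir -m 0700 /etc/pki/rsyslog
##
## The following lines need site specific customizations
##
#echo "" >> /etc/rsyslog.conf
#echo '# make gtls driver the default' >> /etc/rsyslog.conf
#echo '$DefaultNetstreamDriver gtls' >> /etc/rsyslog.conf
#echo "" >> /etc/rsyslog.conf
#echo '# certificate files' >> /etc/rsyslog.conf
#echo '$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem' >> /etc/rsyslog.conf
#echo '$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/machine-cert.pem' >> /etc/rsyslog.conf
#echo '$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/machine-key.pem' >> /etc/rsyslog.conf
#echo "" >> /etc/rsyslog.conf
#echo '$ActionSendStreamDriverAuthMode x509/name' >> /etc/rsyslog.conf
#echo '$ActionSendStreamDriverPermittedPeer central.example.net' >> /etc/rsyslog.conf
#echo '$ActionSendStreamDriverMode 1 # run driver in TLS-only mode' >> /etc/rsyslog.conf
#echo '*.* @@central.example.net:10000 # forward everything to remote server port 10000' >> /etc/rsyslog.conf

# CCE-17639-6 (row 140) is a noop

# CCE-4182-2 (row 141) is noop

# CCE-4292-9 (row 142)
chkconfig auditd on

# (rows 144 - 151, 153 - 155)
# Seed audit.rules from the stig.rules sample shipped with the audit package,
# dropping the immutable flag, the ping rule and "-e 2" so we can keep
# appending below; "-e 2" is re-added as the very last line.
FILE=$(rpm -ql audit | grep stig)
if [ x"$FILE" != "x" ] ; then
    egrep -v 'immutable|ping|-e 2' $FILE > /etc/audit/audit.rules
fi

sed -i -e 's/^#\(-a always,exit -F arch=b.. -S clock_settime\)/\1 -F a0=0/g' /etc/audit/audit.rules

# CCE-14296-8 (row 152)
# -xdev keeps the search on the root filesystem; the separate /home, /tmp,
# /var and /boot volumes are not scanned.
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{printf "-a always,exit -F path=%s -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\n", $1 }' >> /etc/audit/audit.rules
echo -e "\n" >> /etc/audit/audit.rules

# CCE-14688-6 (row 156)
echo -e "-w /sbin/insmod -p x -k modules" >> /etc/audit/audit.rules
echo -e "-w /sbin/rmmod -p x -k modules" >> /etc/audit/audit.rules
echo -e "-w /sbin/modprobe -p x -k modules" >> /etc/audit/audit.rules
echo -e "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules" >> /etc/audit/audit.rules
echo -e "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" >> /etc/audit/audit.rules
echo -e "\n" >> /etc/audit/audit.rules

# CCE-14692-8 (row 157)
# Make the rule set immutable; must stay the last line of audit.rules.
echo -e "-e 2" >> /etc/audit/audit.rules

# (rows 158 - 171) are noops

# CCE-4421-4 (row 172)
chkconfig readahead_early off

# CCE-4302-6 (row 173)
chkconfig readahead_later off

# CCE-4355-4 (row 174)
chkconfig bluetooth off

# CCE-4377-8 (row 175)
chkconfig hidd off

# CCE-14948-4 (row 176)
echo "alias net-pf-31 off" >> /etc/modprobe.d/usgcb-blacklist
echo "alias bluetooth off" >> /etc/modprobe.d/usgcb-blacklist

# CCE-4286-1, CCE-14825-4, CCE-3425-6 (row 177 - 179) are noops

# CCE-14054-1 (row 180)
echo "NOZEROCONF=yes" >> /etc/sysconfig/network

# CCE-4324-0 row 181 is a noop

# CCE-4304-2 (row 182)
chmod 0600 /etc/anacrontab

# CCE-4388-5 (row 183)
chmod 0600 /etc/crontab

# CCE-4250-7 (row 184) is a noop

# CCE-4450-3 (row 185)
chmod 0700 /etc/cron.daily

# CCE-4106-1 (row 186)
chmod 0700 /etc/cron.hourly

# CCE-4251-5 (row 187)
chmod 0700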
/etc/cron.monthly 543 | 544 | # CCE-4203-6 (row 188) 545 | chmod 0700 /etc/cron.weekly 546 | 547 | # (rows 189 - 202) are noops 548 | 549 | # CCE-14466-7 (row 203) 550 | chkconfig atd off 551 | 552 | # CCE-4325-7 (row 204) is a noop 553 | 554 | # CCE-14061-6 (row 205) 555 | sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 0/" /etc/ssh/sshd_config 556 | 557 | # CCE-3845-5 (row 206) 558 | sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 900/" /etc/ssh/sshd_config 559 | 560 | # CCE-4475-0, CCE-4370-3 (rows 207- 208) are noop 561 | 562 | # CCE-4387-7 (row 209) 563 | sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config 564 | 565 | # CCE-3660-8 (row 210) is a noop 566 | 567 | # CCE-4431-8 (row 211) 568 | sed -i "s/#Banner \/some\/path/Banner \/etc\/issue/" /etc/ssh/sshd_config 569 | 570 | # CCE-14716-5 (row 212) is noop 571 | 572 | # CCE-14491-5 (row 213) 573 | echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config 574 | 575 | # CCE-4074-1 (row 214) 576 | echo "exec X :0 -nolisten tcp \$@" > /etc/X11/xinit/xserverrc 577 | 578 | # CCE-3717-6 (row 215) 579 | sed -i "s/\[greeter\]/\[greeter\]\nInfoMsgFile=\/etc\/issue\n/" /etc/gdm/custom.conf 580 | 581 | # CCE-4365-3 (row 216) 582 | chkconfig avahi-daemon off 583 | 584 | # CCE-4425-5 (row 217) 585 | chkconfig hplip off 586 | 587 | # CCE-4336-4 (row 218) noop due to (row 219) 588 | 589 | # CCE-4376-0 (row 220) 590 | chkconfig ntpd on 591 | 592 | # CCE-4385-1 (row 221) ntp.conf has some ntp servers in it 593 | 594 | # CCE-15018-5 (row 224) is a noop 595 | 596 | # CCE-14894-0 (row 225) 597 | sed -i "s/#ssl start_tls/ssl start_tls/" /etc/ldap.conf 598 | sed -i "s/#tls_checkpeer/tls_checkpeer/" /etc/ldap.conf 599 | sed -i "s/#tls_cacertdir \/etc\/ssl\/certs/tls_cacertdir \/etc\/pki\/tls\/CA/" /etc/ldap.conf 600 | #sed -i "s/#tls_cacertfile \/etc\/ssl\/ca.cert\/tls_cacertfile \/etc\/pki\/tls\/CA\/cacert.pem/" /etc/ldap.conf 601 | sed -i "s/#tls_cacertfile 
\/etc\/ssl\/ca.cert/tls_cacertfile \/etc\/pki\/tls\/CA\/cacert.pem/" /etc/ldap.conf 602 | 603 | # CCE-3501-4 (row 226) noop since openldap not installed 604 | 605 | # CCE-4396-8 (row 227) 606 | chkconfig nfslock off 607 | 608 | # CCE-3535-2 (row 228) 609 | chkconfig rpcgssd off 610 | 611 | # CCE-3568-3 (row 229) 612 | chkconfig rpcidmapd off 613 | 614 | # CCE-4533-6 (row 230) 615 | chkconfig netfs off 616 | 617 | # CCE-4550-0 (row 231) 618 | chkconfig portmap off 619 | 620 | # CCE-4473-5 (row 232) 621 | chkconfig nfs off 622 | 623 | # CCE-4491-7 (row 233) 624 | chkconfig rpcsvcgssd off 625 | 626 | # CCE-4368-7, CCE-4024-6, CCE-3578-2 (rows 234 - 236) are noops 627 | 628 | # CCE-3578-2 (row 237 & 238) noop 629 | 630 | # CCE-3919-8 (row 239) noop since 243 has it uninstalled 631 | 632 | # CCE-4338-0 (rows 240) is a noop since httpd not installed 633 | 634 | # CCE-3847-1, CCE-4239-0 (rows 242 - 243) are noops since dovecot is not installed 635 | 636 | # CCE-4551-8 (rows 244) is a noop since the server is not installed 637 | 638 | # CCE-14075-6 (row 245) 639 | sed -i "s/\[global\]/\[global\]\nclient signing = mandatory/" /etc/samba/smb.conf 640 | 641 | # CCE-15029-1 (row 246) is a noop due to needing to be done in fstab 642 | 643 | # CCE-4556-7, CCE-4076-6 (rows 247, 248) noops due to squid not being installed 644 | 645 | # CCE-3765-5, CCE-14081-4 (rows 249, 250) noops since net-snmp is not installed 646 | 647 | # CCE-18200-6 (row 252) is noop since talk-server is not installed 648 | 649 | # CCE-17504-2 (row 253) is noop since irda-utils is not installed 650 | 651 | # We turn this off since we already configured things 652 | chkconfig firstboot off 653 | 654 | # turn off selinux troubleshooter since root is needed 655 | chkconfig setroubleshoot off 656 | 657 | # CCE-3649-1 (row 254) 658 | sed -i "/631/d" /etc/sysconfig/iptables 659 | 660 | # CCE-18037-2 (row 255) 661 | sed -i "/5353/d" /etc/sysconfig/iptables 662 | 663 | # CCE-4072-5 (row 256) 664 | chkconfig autofs 
off 665 | 666 | # CCE-17816-0 (row 257) 667 | chkconfig rawdevices off 668 | 669 | # CCE-18412-7 (row 259) 670 | useradd -D -f 30 671 | 672 | # CCE-XXXXX-X (row XXX) disable gnome thumbnailers. Skipped for now. 673 | #gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /desktop/gnome/thumbnailers/disable_all true 674 | 675 | # Workaround esound creating the directory in conflict with CCE-14794-2 676 | mkdir -m 1777 /tmp/.esd 677 | 678 | --------------------------------------------------------------------------------