├── .gitignore ├── config ├── hardening │ ├── dod_firefox_config.tar.gz │ ├── hardening-script-1.0-el6.noarch.rpm │ ├── scap-security-guide-0.1.21-3.el6.noarch.rpm │ ├── rhevm-postinstall.sh │ ├── rhevm-preinstall.sh │ ├── hardened-rhel.cfg │ ├── ipa-pam-configuration.sh │ ├── iptables.sh │ ├── classification-banner.py │ └── menu.py └── isolinux │ ├── grub.conf │ └── isolinux.cfg ├── createiso.sh ├── README └── LICENSE /.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore ISO 2 | *.iso 3 | -------------------------------------------------------------------------------- /config/hardening/dod_firefox_config.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fcaviggia/hardening-script-el6-kickstart/HEAD/config/hardening/dod_firefox_config.tar.gz -------------------------------------------------------------------------------- /config/hardening/hardening-script-1.0-el6.noarch.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fcaviggia/hardening-script-el6-kickstart/HEAD/config/hardening/hardening-script-1.0-el6.noarch.rpm -------------------------------------------------------------------------------- /config/hardening/scap-security-guide-0.1.21-3.el6.noarch.rpm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fcaviggia/hardening-script-el6-kickstart/HEAD/config/hardening/scap-security-guide-0.1.21-3.el6.noarch.rpm -------------------------------------------------------------------------------- /config/isolinux/grub.conf: -------------------------------------------------------------------------------- 1 | #debug --graphics 2 | default=0 3 | splashimage=@SPLASHPATH@ 4 | timeout 5 5 | hiddenmenu 6 | title @PRODUCT@ @VERSION@ 7 | kernel @KERNELPATH@ ks=cdrom:/hardening/hardened-rhel.cfg audit=1 8 | initrd @INITRDPATH@ 9 | title Install system with basic video driver 10 | kernel @KERNELPATH@ xdriver=vesa nomodeset askmethod ks=cdrom:/hardening/hardened-rhel.cfg audit=1 11 | initrd @INITRDPATH@ 12 | title rescue 13 | kernel @KERNELPATH@ rescue askmethod 14 | initrd @INITRDPATH@ 15 | -------------------------------------------------------------------------------- /config/hardening/rhevm-postinstall.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This script was written by Frank Caviggia, Red Hat Consulting 3 | # Last update was 11 March 2015 4 | # This script is NOT SUPPORTED by Red Hat Global Support Services. 5 | # Please contact Rick Tavares for more information. 6 | # 7 | # Script: rhevm-postinstall.sh 8 | # Description: Losens Hardening settings temporarily to allow registration with RHEVM 3.x 9 | # License: GPL (see COPYING) 10 | # Copyright: Red Hat Consulting, March 2015 11 | 12 | # Check for root user 13 | if [[ $EUID -ne 0 ]]; then 14 | tput setaf 1;echo -e "\033[1mPlease re-run this script as root!\033[0m";tput sgr0 15 | exit 1 16 | fi 17 | 18 | echo -e "\033[3m\033[1mRHEV Post-Install Script\033[0m\033[0m" 19 | 20 | # Disallow Root Login 21 | gpasswd -d root sshusers 22 | sed -i "/^PermitRootLogin/ c\PermitRootLogin no" /etc/ssh/sshd_config 23 | sed -e "/pam_succeed_if.so uid/s/^#//g" -i /etc/pam.d/password-auth 24 | 25 | # Restart SSHD Service 26 | service sshd restart 27 | 28 | # Remount /tmp Partition 29 | mount -o remount,defaults /tmp 30 | -------------------------------------------------------------------------------- /config/isolinux/isolinux.cfg: -------------------------------------------------------------------------------- 1 | default vesamenu.c32 2 | #prompt 1 3 | timeout 600 4 | 5 | display boot.msg 6 | 7 | menu background splash.jpg 8 | menu title Welcome to Red Hat Enterprise Linux 6 - Hardened DVD 9 | menu color border 0 #ffffffff #00000000 10 | menu color sel 7 #ffffffff #ff000000 11 | menu color title 0 #ffffffff #00000000 12 | menu color tabmsg 0 #ffffffff #00000000 13 | menu color unsel 0 #ffffffff #00000000 14 | menu color hotsel 0 #ff000000 #ffffffff 15 | menu color hotkey 7 #ffffffff #ff000000 16 | menu color scrollbar 0 #ffffffff #00000000 17 | 18 | label linux 19 | menu label ^Install system with hardened configurations 20 | menu default 21 | kernel vmlinuz 22 | append initrd=initrd.img ks=cdrom:/hardening/hardened-rhel.cfg audit=1 23 | label vesa 24 | menu label Install system with hardening and ^basic video driver 25 | kernel vmlinuz 26 | append initrd=initrd.img xdriver=vesa nomodeset ks=cdrom:/hardening/hardened-rhel.cfg audit=1 27 | label rescue 28 | menu label ^Rescue installed system 29 | kernel vmlinuz 30 | append initrd=initrd.img rescue 31 | label local 32 | menu label Boot from ^local drive 33 | localboot 0xffff 34 | label memtest86 35 | menu label ^Memory test 36 | kernel memtest 37 | append - 38 | 39 | -------------------------------------------------------------------------------- /config/hardening/rhevm-preinstall.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This script was written by Frank Caviggia, Red Hat Consulting 3 | # Last update was 11 March 2015 4 | # This script is NOT SUPPORTED by Red Hat Global Support Services. 5 | # Please contact Rick Tavares for more information. 6 | # 7 | # Script: rhevm-preinstall.sh 8 | # Description: Losens Hardening settings temporarily to allow registration with RHEVM 3.x 9 | # License: GPL (see COPYING) 10 | # Copyright: Red Hat Consulting, March 2015 11 | 12 | # Check for root user 13 | if [[ $EUID -ne 0 ]]; then 14 | tput setaf 1;echo -e "\033[1mPlease re-run this script as root!\033[0m";tput sgr0 15 | exit 1 16 | fi 17 | 18 | echo -e "\033[3m\033[1mRHEV Pre-Install Script\033[0m\033[0m" 19 | echo 20 | echo -e "\033[1mThis script losens hardening settings to allow RHEV-M to attach a system.\033[0m" 21 | echo 22 | echo -ne "\033[1mDo you want to continue?\033[0m [y/n]: " 23 | while read a; do 24 | case "$a" in 25 | y|Y) break;; 26 | n|N) exit 1;; 27 | *) echo -n "[y/n]: ";; 28 | esac 29 | done 30 | 31 | # Permit Root Login 32 | usermod -a -G sshusers root 33 | sed -i "/^PermitRootLogin/ c\PermitRootLogin yes" /etc/ssh/sshd_config 34 | sed -e "/pam_succeed_if.so uid/s/^/#/g" -i /etc/pam.d/password-auth 35 | 36 | # Restart SSHD Service 37 | service sshd restart 38 | 39 | # Remount /tmp Partition 40 | mount -o remount,exec /tmp 41 | 42 | # UMASK 0022 for root to allow VDSMD configuration 43 | if [ $(greq -c "umask 0022" /root/.bashrc) -eq 0 ]; then 44 | echo "umask 0022" >> /root/.bashrc 45 | fi 46 | -------------------------------------------------------------------------------- /createiso.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | ############################################################################### 3 | # HARDENED RHEL DVD CREATOR 4 | # 5 | # This script was written by Frank Caviggia, Red Hat Consulting 6 | # Last update was 20 March 2015 7 | # This script is NOT SUPPORTED by Red Hat Global Support Services. 8 | # Please contact Josh Waldman for more information. 9 | # 10 | # Author: Frank Caviggia (fcaviggi@redhat.com) 11 | # Copyright: Red Hat, (c) 2014 12 | # Version: 1.2 13 | # License: GPLv2 14 | # Description: Kickstart Installation of RHEL 6 with DISA STIG 15 | ############################################################################### 16 | 17 | # GLOBAL VARIABLES 18 | DIR=`pwd` 19 | 20 | # USAGE STATEMENT 21 | function usage() { 22 | cat << EOF 23 | usage: $0 rhel-server-6.5-x86_64-dvd.iso 24 | 25 | Hardened RHEL Kickstart RHEL 6.4+ 26 | 27 | Customizes a RHEL 6.4+ x86_64 Server or Workstation DVD to install 28 | with the following hardening: 29 | 30 | - DISA STIG/USGCB/NSA SNAC for Red Hat Enterprise Linux 31 | - DISA STIG for Firefox (User/Developer Workstation) 32 | - Classification Banner (Graphical Desktop) 33 | 34 | EOF 35 | } 36 | 37 | while getopts ":vhq" OPTION; do 38 | case $OPTION in 39 | h) 40 | usage 41 | exit 0 42 | ;; 43 | ?) 44 | echo "ERROR: Invalid Option Provided!" 45 | echo 46 | usage 47 | exit 1 48 | ;; 49 | esac 50 | done 51 | 52 | # Check for root user 53 | if [[ $EUID -ne 0 ]]; then 54 | if [ -z "$QUIET" ]; then 55 | echo 56 | tput setaf 1;echo -e "\033[1mPlease re-run this script as root!\033[0m";tput sgr0 57 | fi 58 | exit 1 59 | fi 60 | 61 | # Check for required packages 62 | rpm -q genisoimage &> /dev/null 63 | if [ $? -ne 0 ]; then 64 | yum install -y genisoimage 65 | fi 66 | 67 | rpm -q isomd5sum &> /dev/null 68 | if [ $? -ne 0 ]; then 69 | yum install -y isomd5sum 70 | fi 71 | 72 | # Determine if DVD is Bootable 73 | `file $1 | grep 9660 | grep -q bootable` 74 | if [[ $? -eq 0 ]]; then 75 | echo "Mounting RHEL DVD Image..." 76 | mkdir -p /rhel 77 | mkdir $DIR/rhel-dvd 78 | mount -o loop $1 /rhel 79 | echo "Done." 80 | # Tests DVD for RHEL 6.4+ 81 | if [[ $(grep "Red Hat" /rhel/.discinfo | awk '{ print $5 }' | awk -F '.' '{ print $1 }') -ne 6 ]]; then 82 | echo "ERROR: Image is not RHEL 6.4+" 83 | umount /rhel 84 | rm -rf /rhel 85 | exit 1 86 | fi 87 | if [[ $(grep "Red Hat" /rhel/.discinfo | awk '{ print $5 }' | awk -F '.' '{ print $2 }') -lt 4 ]]; then 88 | echo "ERROR: Image is not RHEL 6.4+" 89 | umount /rhel 90 | rm -rf /rhel 91 | exit 1 92 | fi 93 | echo -n "Copying RHEL DVD Image..." 94 | cp -a /rhel/* $DIR/rhel-dvd/ 95 | cp -a /rhel/.discinfo $DIR/rhel-dvd/ 96 | echo " Done." 97 | umount /rhel 98 | rm -rf /rhel 99 | else 100 | echo "ERROR: ISO image is not bootable." 101 | exit 1 102 | fi 103 | 104 | echo -n "Modifying RHEL DVD Image..." 105 | cp -a $DIR/config/* $DIR/rhel-dvd/ 106 | # RHEL 6.6 included the SCAP Security Guide (SSG) RPM 107 | if [[ $(grep "Red Hat" $DIR/rhel-dvd/.discinfo | awk '{ print $5 }' | awk -F '.' '{ print $2 }') -ge 6 ]]; then 108 | rm -f $DIR/rhel-dvd/hardening/scap-security-guide*rpm 109 | sed -i "s/xml-common/scap-security-guide\nxml-common/" $DIR/rhel-dvd/hardening/hardened-rhel.cfg 110 | fi 111 | echo " Done." 112 | 113 | echo "Remastering RHEL DVD Image..." 114 | cd $DIR/rhel-dvd 115 | chmod u+w isolinux/isolinux.bin 116 | find . -name TRANS.TBL -exec rm '{}' \; 117 | /usr/bin/mkisofs -J -T -o $DIR/hardened-rhel.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -R -m TRANS.TBL . 118 | cd $DIR 119 | rm -rf $DIR/rhel-dvd 120 | echo "Done." 121 | 122 | echo "Signing RHEL DVD Image..." 123 | /usr/bin/implantisomd5 $DIR/hardened-rhel.iso 124 | echo "Done." 125 | 126 | echo "DVD Created. [hardend-rhel.iso]" 127 | 128 | exit 0 129 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # HARDENED DVD CREATOR 3 | # 4 | # This script was written by Frank Caviggia, Red Hat Consulting 5 | # Last update was 5 August 2015 6 | # This script is NOT SUPPORTED by Red Hat Global Support Services. 7 | # Please contact Rick Tavares for more information. 8 | # 9 | # Author: Frank Caviggia (fcaviggi@redhat.com) 10 | # Copyright: Red Hat, (c) 2014 11 | # License: GPLv2 12 | # Description: Kickstart Installation of RHEL 6 with DISA STIG 13 | ############################################################################### 14 | 15 | 16 | ABOUT 17 | ===== 18 | 19 | Modifies a RHEL 6.4+ x86_64 Workstation or Server DVD with a kickstart 20 | that will install a system that is configured and hardened for 21 | Red Hat Enterprise Linux 6. 22 | 23 | The kickstart script involves the integration of the following projects 24 | into a single installer: 25 | 26 | - hardening-script-*.el6.noarch.rpm (Hardening scripts RPM) 27 | 28 | https://github.com/fcaviggia/hardening-script-el6 29 | 30 | - classification-banner.py (Python for displaying graphical classification banner) 31 | 32 | https://github.com/RedHatGov/classification-banner 33 | 34 | - SCAP Security Guide (SSG) Content - Benchmark for the system after installation 35 | 36 | https://github.com/OpenSCAP/scap-security-guide 37 | 38 | - DOD Firefox Plugin 39 | 40 | http://www.forge.mil/Resources-Firefox.html 41 | 42 | 43 | CONTENT 44 | ======= 45 | 46 | createiso.sh - installation script to modify RHEL 6.4+ ISO image 47 | /config - Kickstarts, Python, and RPMs needed to modify image. 48 | isolinux/ 49 | grub.conf - Menu Configuration for Kickstart 50 | isolinux.cfg - Menu Configuration for Kickstart 51 | stig-fix/ 52 | stig-fix.cfg 53 | 54 | Kickstart Configuration (Calls menu.py in %pre) 55 | 56 | menu.py 57 | 58 | Python Script that presents a graphical menu to modify the 59 | kickstart. Contains the "Profiles" for configuring the 60 | system partitioning and packages. 61 | 62 | classification-banner.py 63 | 64 | Graphical Classification Banner (for GNOME Desktops User/ 65 | Developer Workstation Profiles) 66 | 67 | dod_firefox_config.tar.gz 68 | 69 | DOD Firefox Plugin and DOD Root CA Certificates for NIPR (SPIR 70 | CAs would need to be added and repackaged via taring up the 71 | .mozzilla directory - placed in /etc/skel for all users. 72 | 73 | hardening-script-*-el6.noarch.rpm 74 | 75 | RPM Created from my fork of Tresys CLIP, Aqueduct, NSA SNAC, and USGCB here: 76 | 77 | https://github.com/fcaviggia/hardening-script-el6 78 | 79 | The hardening is run at the last part of the kickstart script to 80 | lockdown the system, this could theoretically be replaced by the 81 | SCAP Security Guide Scripts below at a later date. 82 | 83 | scap-security-guide-*.el6.noarch.rpm 84 | 85 | Currently I use ths SSG Scripts to take a benchmark to save in 86 | root after installation. Updated to the latest version. 87 | 88 | rhevm-preinstall.sh 89 | rhevm-postinstall.sh 90 | 91 | Scripts to losen settings temporararily to allow registration 92 | of the system with RHEV-M by allowing root login and allowing 93 | exec in /tmp. Run rhevm-postinstall.sh after system is added 94 | into RHEV-M. Copied to /root after kickstart install. 95 | 96 | iptables.sh 97 | 98 | Configures firewall settings to reccomended ports for each 99 | product or profile. Copied to /root after kickstart 100 | install. 101 | 102 | ipa-pam-configuration.sh 103 | 104 | Configures system for using IPA/IdM authentication by 105 | overwriting the pam.d configurations. Copied to /root 106 | after kickstart installation/ 107 | 108 | 109 | EXAMPLE 110 | ======= 111 | 112 | # ./createiso.sh rhel-server-6.5-x86_64-dvd.iso 113 | Mounting RHEL DVD Image... 114 | mount: /dev/loop0 is write-protected, mounting read-only 115 | Done. 116 | Copying RHEL DVD Image... Done. 117 | Modifying RHEL DVD Image... Done. 118 | Remastering RHEL DVD Image... 119 | I: -input-charset not specified, using utf-8 (detected in locale settings) 120 | Using RELEA000.HTM;1 for /RELEASE-NOTES-ja-JP.html (RELEASE-NOTES-ta-IN.html) 121 | <..........................................> 122 | Using POLIC003.RPM;1 for ./Packages/policycoreutils-python-2.0.83-19.39.el6.x86_64.rpm (policycoreutils-newrole-2.0.83-19.39.el6.x86_64.rpm) 123 | Size of boot image is 4 sectors -> No emulation 124 | 0.27% done, estimate finish Tue Jan 21 22:04:41 2014 125 | <...........................................> 126 | 99.86% done, estimate finish Tue Jan 21 22:06:46 2014 127 | Total translation table size: 976326 128 | Total rockridge attributes bytes: 430528 129 | Total directory bytes: 661504 130 | Path table size(bytes): 286 131 | Max brk space used 3ee000 132 | 1882600 extents written (3676 MB) 133 | Done. 134 | Signing RHEL DVD Image... 135 | Inserting md5sum into iso image... 136 | md5 = ec4618f4ccc6ccac3cfed291ef341012 137 | Inserting fragment md5sums into iso image... 138 | fragmd5 = e115ca49531d6adfee6caadeaf6a895cdc4c3e8b9341f58f5e11e9113a79 139 | frags = 20 140 | Setting supported flag to 0 141 | Done. 142 | DVD Created. [hardened-rhel.iso] 143 | -------------------------------------------------------------------------------- /config/hardening/hardened-rhel.cfg: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # hardened rhel kickstart 3 | # 4 | # this script was written by frank caviggia, red hat consulting 5 | # last update was 19 March 2015 6 | # This script is NOT SUPPORTED by Red Hat Global Support Services. 7 | # Please contact Josh Waldman for more information. 8 | # 9 | # Author: Frank Caviggia (fcaviggi@redhat.com) 10 | # Copyright: Red Hat, (c) 2013 11 | # Version: 1.3 12 | # License: GPLv2 13 | # Description: Installation of Hardened RHEL 6 14 | ############################################################################### 15 | 16 | 17 | ############################################################################### 18 | # Kickstart Configuration 19 | ############################################################################### 20 | install 21 | cdrom 22 | lang en_US.UTF-8 23 | keyboard us 24 | firewall --service=ssh 25 | authconfig --enableshadow --passalgo=sha512 26 | selinux --enforcing 27 | firstboot --disable 28 | timezone --utc America/New_York 29 | 30 | # Include hardening with kickstart options 31 | %include /tmp/hardening 32 | %include /tmp/partitioning 33 | 34 | ############################################################################### 35 | # Package Selection 36 | ############################################################################### 37 | %packages 38 | # MINIMUM 39 | @core 40 | #dracut-fips 41 | fipscheck 42 | logwatch 43 | scrub 44 | aide 45 | vlock 46 | screen 47 | openswan 48 | ntp 49 | rsyslog 50 | gnupg2 51 | yum-plugin-security 52 | yum-utils 53 | tpm-tools 54 | trousers 55 | which 56 | unzip 57 | bzip2 58 | zip 59 | # SCAP CONTENT 60 | openscap 61 | openscap-utils 62 | xml-common 63 | # OPTIONAL 64 | openssh-clients 65 | cryptsetup-luks 66 | krb5-libs 67 | krb5-workstation 68 | pam_krb5 69 | virt-what 70 | dos2unix 71 | unix2dos 72 | xz 73 | # REMOVE PACKAGES 74 | -abrt* 75 | # ADDITIONAL PACKAGE SELECTION 76 | %include /tmp/hardening-packages 77 | %end 78 | 79 | ############################################################################### 80 | # Pre-Installation Scripts 81 | ############################################################################### 82 | %pre 83 | #!/bin/bash 84 | 85 | # Create Configurations 86 | /bin/touch /tmp/hardening 87 | /bin/touch /tmp/partitioning 88 | /bin/touch /tmp/hardening-packages 89 | /bin/touch /tmp/hardening-post 90 | /bin/touch /tmp/hardening-post-nochroot 91 | /bin/touch /tmp/classification-banner 92 | 93 | # Launch XWindows and menu.py to configure system 94 | /usr/bin/Xorg -br :0 & 95 | /usr/bin/metacity --display :0 --sm-disable & 96 | export DISPLAY=:0 97 | /usr/bin/python /mnt/stage2/hardening/menu.py 98 | unset DISPLAY 99 | killall metacity 100 | killall Xorg 101 | 102 | %end 103 | 104 | ############################################################################### 105 | # Post-Installation Scripts (nochroot) 106 | ############################################################################### 107 | %post --nochroot 108 | #!/bin/bash 109 | 110 | # Create Directory 111 | mkdir -p /mnt/sysimage/root/hardening 112 | 113 | # Firefox DISA STIG Configuration 114 | cp /mnt/source/hardening/* /mnt/sysimage/root/hardening/ 115 | 116 | # Classification Banner Configuration 117 | cp /tmp/classification-banner /mnt/sysimage/etc/classification-banner 118 | rm 119 | ############################################################################### 120 | # Custom Post-Installation Scripts (nochroot) 121 | ############################################################################### 122 | %include /tmp/hardening-post-nochroot 123 | 124 | %end 125 | 126 | ############################################################################### 127 | # Post-Installation Scripts 128 | ############################################################################### 129 | %post 130 | #!/bin/bash 131 | 132 | # Install Firefox DISA STIG Configuration 133 | -rf /root/.mozilla 134 | rm -rf /etc/skel/.mozilla 135 | /bin/tar xvzf /root/hardening/dod_firefox_config.tar.gz -C /root/ 136 | /bin/tar xvzf /root/hardening/dod_firefox_config.tar.gz -C /etc/skel/ 137 | 138 | # Create Repository for Local Patching 139 | cat << EOF > /etc/yum.repos.d/rhel-dvd.repo 140 | [rhel-dvd] 141 | name=Red Hat Enterprise Linux - DVD 142 | baseurl=file:///media/ 143 | enabled=0 144 | gpgcheck=1 145 | gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 146 | EOF 147 | 148 | # Add Classification Banner (Graphical) 149 | if [[ -d /etc/xdg/autostart/ ]]; then 150 | cat << EOF > /etc/xdg/autostart/classification-banner.desktop 151 | [Desktop Entry] 152 | Name=Classification Banner 153 | Exec=/usr/local/bin/classification-banner.py 154 | Comment=User Notification for Security Level of System. 155 | Type=Application 156 | Encoding=UTF-8 157 | Version=1.0 158 | MimeType=application/python; 159 | Categories=Utility; 160 | X-GNOME-Autostart-enabled=true 161 | StartupNotify=false 162 | Terminal=false 163 | EOF 164 | fi 165 | 166 | # Install Hardening Script 167 | /usr/bin/yum localinstall -y /root/hardening/*rpm 168 | 169 | # Remove nfs-utils to fix missing rpcbind package 170 | /usr/bin/yum erase -y nfs-utils 171 | 172 | # Copy shell scripts to root 173 | cp /root/hardening/*.sh /root/ 174 | chmod u+x /root/*.sh 175 | 176 | # Clean Up 177 | rm -rf /root/hardening 178 | 179 | # Clean Yum 180 | yum clean all &> /dev/null 181 | 182 | 183 | ############################################################################### 184 | # Custom Post-Installation Scripts - Hardening script now called in menu.py 185 | ############################################################################### 186 | %include /tmp/hardening-post 187 | 188 | # Use SCAP Security Guide to take a benchmark of the Installed System as a baseline 189 | /usr/bin/oscap xccdf eval --profile stig-rhel6-server-upstream --results /root/`hostname`-ssg-results.xml --report /root/`hostname`-ssg-results.html --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml 190 | 191 | %end 192 | -------------------------------------------------------------------------------- /config/hardening/ipa-pam-configuration.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This script was written by Frank Caviggia, Red Hat Consulting 3 | # Last update was 8 June 2015 4 | # This script is NOT SUPPORTED by Red Hat Global Support Services. 5 | # Please contact Rick Tavares for more information. 6 | # 7 | # Script: ipa-pam-configuration.sh (system-hardening) 8 | # Description: RHEL 6 Hardening Supplemental to SSG, configures PAM with sssd if system is registered with IdM. 9 | # License: GPL 10 | # Copyright: Red Hat Consulting, March 2015 11 | # Author: Frank Caviggia 12 | 13 | # Backup originial configuration 14 | if [ ! -e /etc/pam.d/system-auth-local.orig ]; then 15 | cp /etc/pam.d/system-auth-local /etc/pam.d/system-auth-local.orig 16 | fi 17 | if [ ! -e /etc/pam.d/password-auth-local.orig ]; then 18 | cp /etc/pam.d/password-auth-local /etc/pam.d/password-auth-local.orig 19 | fi 20 | if [ ! -e /etc/pam.d/gnome-screensaver.orig ]; then 21 | cp /etc/pam.d/gnome-screensaver /etc/pam.d/gnome-screensaver.orig 22 | fi 23 | 24 | # Deploy Configuruation 25 | cat < /etc/pam.d/system-auth-local 26 | #%PAM-1.0 27 | auth required pam_env.so 28 | auth required pam_lastlog.so inactive=35 29 | auth required pam_faillock.so preauth silent audit deny=3 even_deny_root root_unlock_time=900 unlock_time=604800 fail_interval=900 30 | auth sufficient pam_unix.so try_first_pass 31 | auth sufficient pam_sss.so try_first_pass 32 | auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root root_unlock_time=900 unlock_time=604800 fail_interval=900 33 | auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root root_unlock_time=900 unlock_time=604800 fail_interval=900 34 | auth requisite pam_succeed_if.so uid >= 500 quiet 35 | auth required pam_deny.so 36 | 37 | account required pam_faillock.so 38 | account required pam_unix.so 39 | account required pam_lastlog.so inactive=35 40 | account sufficient pam_localuser.so 41 | account sufficient pam_succeed_if.so uid < 500 quiet 42 | account [default=bad success=ok user_unknown=ignore] pam_sss.so 43 | account required pam_permit.so 44 | 45 | #password required pam_passwdqc.so min=disabled,disabled,16,12,8 random=42 46 | password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3 maxrepeat=3 47 | password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24 48 | password sufficient pam_sss.so use_authtok 49 | password required pam_deny.so 50 | 51 | session required pam_lastlog.so showfailed 52 | session optional pam_keyinit.so revoke 53 | session required pam_limits.so 54 | session optional pam_oddjob_mkhomedir.so umask=0077 55 | session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 56 | session required pam_unix.so 57 | session optional pam_sss.so 58 | EOF 59 | ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth 60 | 61 | 62 | cat < /etc/pam.d/password-auth-local 63 | #%PAM-1.0 64 | auth required pam_env.so 65 | auth required pam_lastlog.so inactive=35 66 | auth required pam_faillock.so preauth silent audit deny=3 even_deny_root root_unlock_time=900 unlock_time=604800 fail_interval=900 67 | auth sufficient pam_unix.so try_first_pass 68 | auth sufficient pam_sss.so try_first_pass 69 | auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root root_unlock_time=900 unlock_time=604800 fail_interval=900 70 | auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root root_unlock_time=900 unlock_time=604800 fail_interval=900 71 | auth requisite pam_succeed_if.so uid >= 500 quiet 72 | auth required pam_deny.so 73 | 74 | account required pam_faillock.so 75 | account required pam_unix.so 76 | account required pam_lastlog.so inactive=35 77 | account sufficient pam_localuser.so 78 | account sufficient pam_succeed_if.so uid < 500 quiet 79 | account [default=bad success=ok user_unknown=ignore] pam_sss.so 80 | account required pam_permit.so 81 | 82 | #password required pam_passwdqc.so min=disabled,disabled,16,12,8 random=42 83 | password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3 maxrepeat=3 84 | password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24 85 | password sufficient pam_sss.so use_authtok 86 | password required pam_deny.so 87 | 88 | session required pam_lastlog.so showfailed 89 | session optional pam_keyinit.so revoke 90 | session required pam_limits.so 91 | session optional pam_oddjob_mkhomedir.so umask=0077 92 | session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 93 | session required pam_unix.so 94 | session optional pam_sss.so 95 | EOF 96 | ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth 97 | 98 | cat < /etc/pam.d/gnome-screensaver 99 | %PAM-1.0 100 | auth [success=done ignore=ignore default=bad] pam_selinux_permit.so 101 | auth required pam_env.so 102 | auth required pam_lastlog.so 103 | auth required pam_faillock.so preauth silent audit deny=3 even_deny_root root_unlock_time=900 unlock_time=604800 fail_interval=900 104 | auth sufficient pam_unix.so try_first_pass 105 | auth sufficient pam_sss.so try_first_pass 106 | auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root root_unlock_time=900 unlock_time=604800 fail_interval=900 107 | auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root root_unlock_time=900 unlock_time=604800 fail_interval=900 108 | auth requisite pam_succeed_if.so uid >= 500 quiet 109 | auth required pam_deny.so 110 | auth optional pam_gnome_keyring.so 111 | 112 | account required pam_faillock.so 113 | account required pam_unix.so 114 | account required pam_lastlog.so 115 | account sufficient pam_localuser.so 116 | account sufficient pam_succeed_if.so uid < 500 quiet 117 | account [default=bad success=ok user_unknown=ignore] pam_sss.so 118 | account required pam_permit.so 119 | 120 | #password required pam_passwdqc.so min=disabled,disabled,16,12,8 random=42 121 | password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3 maxrepeat=3 122 | password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24 123 | password sufficient pam_sss.so use_authtok 124 | password required pam_deny.so 125 | 126 | session required pam_lastlog.so showfailed 127 | session optional pam_keyinit.so revoke 128 | session required pam_limits.so 129 | session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 130 | session required pam_unix.so 131 | session optional pam_sss.so 132 | EOF 133 | 134 | exit 0 135 | -------------------------------------------------------------------------------- /config/hardening/iptables.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # This script was written by Frank Caviggia, Red Hat Consulting 3 | # Last update was 2 June 2015 4 | # This script is NOT SUPPORTED by Red Hat Global Support Services. 5 | # Please contact Rick Tavares for more information. 6 | # 7 | # Script: iptables.sh (system-hardening) 8 | # Description: RHEL 6 Hardening Supplemental to SSG firewall configuration script 9 | # License: GPL 10 | # Copyright: Red Hat Consulting, March 2015 11 | # Author: Frank Caviggia 12 | 13 | # USAGE STATEMENT 14 | function usage() { 15 | cat << EOF 16 | usage: $0 [options] 17 | 18 | -h,--help Show this message 19 | 20 | --http Allows HTTP (80/tcp) 21 | --https Allows HTTPS (443/tcp) 22 | --dns Allows DNS (53/tcp/udp) 23 | --ntp Allows NTP (123/tcp/udp) 24 | --dhcp Allows DHCP (67,68/tcp/udp) 25 | --tftp Allows TFTP (69/tcp/udp) 26 | --rsyslog Allows RSYSLOG (514/tcp/udp) 27 | --kerberos Allows Kerberos (88,464/tcp/udp) 28 | --ldap Allows LDAP (389/tcp/udp) 29 | --ldaps Allows LDAPS (636/tcp/udp) 30 | 31 | --samba Allows Samba Services (137,138/udp;139,445/tcp) 32 | --mysql Allows MySQL (3306/tcp) 33 | --postgresql Allows PostgreSQL (5432/tcp) 34 | --kvm Allows KVM Hypervisor (RHEV-attached) 35 | --rhevm Allows RHEV-M Specific Ports 36 | --ipa Allows IPA/IdM Authentication Server 37 | 38 | Configures iptables firewall rules for RHEL. 39 | 40 | EOF 41 | } 42 | 43 | # Get options 44 | OPTS=`getopt -o h --long http,https,dns,ldap,ldaps,kvm,rhevm,nfsv4,iscsi,idm,ipa,krb5,kerberos,rsyslog,dhcp,bootp,tftp,ntp,smb,samba,cifs,mysql,mariadb,postgres,postgresql,help -- "$@"` 45 | if [ $? != 0 ]; then 46 | exit 1 47 | fi 48 | eval set -- "$OPTS" 49 | 50 | while true ; do 51 | case "$1" in 52 | --http) HTTP=1 ; shift ;; 53 | --https) HTTPS=1 ; shift ;; 54 | --dns) DNS=1 ; shift ;; 55 | --dhcp) DHCP=1 ; shift ;; 56 | --ldap) LDAP=1 ; shift ;; 57 | --ldaps) LDAPS=1 ; shift ;; 58 | --kerberos) KERBEROS=1 ; shift ;; 59 | --idm) KERBEROS=1 ; LDAP=1; LDAPS=1; DNS=1; NTP=1; HTTPS=1; shift ;; 60 | --ipa) KERBEROS=1 ; LDAP=1; LDAPS=1; DNS=1; NTP=1; HTTPS=1; shift ;; 61 | --krb5) KERBEROS=1 ; shift ;; 62 | --kvm) KVM=1 ; shift ;; 63 | --rhevm) HTTPS=1; RHEVM=1 ; shift ;; 64 | --iscsi) ISCSI=1 ; shift ;; 65 | --nfsv4) NFSV4=1 ; shift ;; 66 | --tftp) TFTP=1 ; shift ;; 67 | --dhcp) DHCP=1 ; shift ;; 68 | --bootp) DHCP=1 ; shift ;; 69 | --ntp) NTP=1 ; shift ;; 70 | --smb) SAMBA=1 ; shift ;; 71 | --samba) SAMBA=1 ; shift ;; 72 | --cifs) SAMBA=1 ; shift ;; 73 | --mysql) MARIADB=1 ; shift ;; 74 | --mariadb) MARIADB=1 ; shift ;; 75 | --postgres) POSTGRESQL=1 ; shift ;; 76 | --postgresql) POSTGRESQL=1 ; shift ;; 77 | --rsyslog) RSYSLOG=1 ; shift ;; 78 | --) shift ; break ;; 79 | *) usage ; exit 0 ;; 80 | esac 81 | done 82 | 83 | 84 | # Check for root user 85 | if [[ $EUID -ne 0 ]]; then 86 | tput setaf 1;echo -e "\033[1mPlease re-run this script as root!\033[0m";tput sgr0 87 | exit 1 88 | fi 89 | 90 | # Check if iptables package is installed 91 | if [ ! -e $(which iptables) ]; then 92 | echo "ERROR: The iptables package is not installed." 93 | exit 1 94 | fi 95 | 96 | # Backup originial configuration 97 | if [ ! -e /etc/sysconfig/iptables.orig ]; then 98 | cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig 99 | fi 100 | 101 | # Basic rule set - allows established/related pakets and SSH through firewall 102 | cat < /etc/sysconfig/iptables 103 | ################################################################################################################# 104 | # HARDENING SCRIPT IPTABLES Configuration 105 | ################################################################################################################# 106 | *filter 107 | :INPUT DROP [0:0] 108 | :FORWARD DROP [0:0] 109 | :OUTPUT ACCEPT [0:0] 110 | # Allow Traffic that is established or related 111 | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 112 | # Allow ICMP (Ping) 113 | -A INPUT -p icmp -j ACCEPT 114 | # Allow Traffic on LOCALHOST/127.0.0.1 115 | -A INPUT -i lo -j ACCEPT 116 | #### SSH/SCP/SFTP 117 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT 118 | EOF 119 | 120 | if [ ! -z $DNS ]; then 121 | cat <> /etc/sysconfig/iptables 122 | #### DNS Services (ISC BIND/IdM/IPA) 123 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT 124 | -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT 125 | EOF 126 | fi 127 | 128 | if [ ! -z $DHCP ]; then 129 | cat <> /etc/sysconfig/iptables 130 | #### DHCP Server 131 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 67 -j ACCEPT 132 | -A INPUT -m state --state NEW -m udp -p udp --dport 67 -j ACCEPT 133 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 68 -j ACCEPT 134 | -A INPUT -m state --state NEW -m udp -p udp --dport 68 -j ACCEPT 135 | EOF 136 | fi 137 | 138 | if [ ! -z $TFTP ]; then 139 | cat <> /etc/sysconfig/iptables 140 | #### TFTP Server 141 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 69 -j ACCEPT 142 | -A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT 143 | EOF 144 | fi 145 | 146 | if [ ! -z $HTTP ]; then 147 | cat <> /etc/sysconfig/iptables 148 | #### HTTPD - Recommend forwarding traffic to HTTPS 443 149 | #### Recommended Article: http://www.cyberciti.biz/tips/howto-apache-force-https-secure-connections.html 150 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT 151 | EOF 152 | fi 153 | 154 | if [ ! -z $KERBEROS ]; then 155 | cat <> /etc/sysconfig/iptables 156 | #### Kerberos Authentication (IdM/IPA) 157 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT 158 | -A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT 159 | #### Kerberos Authentication - kpasswd (IdM/IPA) 160 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT 161 | -A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT 162 | EOF 163 | fi 164 | 165 | if [ ! -z $NTP ]; then 166 | cat <> /etc/sysconfig/iptables 167 | #### NTP Server 168 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT 169 | -A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT 170 | EOF 171 | fi 172 | 173 | if [ ! -z $LDAP ]; then 174 | cat <> /etc/sysconfig/iptables 175 | #### LDAP (IdM/IPA) 176 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT 177 | -A INPUT -m state --state NEW -m udp -p udp --dport 389 -j ACCEPT 178 | EOF 179 | fi 180 | 181 | if [ ! -z $HTTPS ]; then 182 | cat <> /etc/sysconfig/iptables 183 | #### HTTPS 184 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT 185 | EOF 186 | fi 187 | 188 | if [ ! -z $RSYSLOG ]; then 189 | cat <> /etc/sysconfig/iptables 190 | #### RSYSLOG Server 191 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT 192 | -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT 193 | EOF 194 | fi 195 | 196 | if [ ! -z $LDAPS ]; then 197 | cat <> /etc/sysconfig/iptables 198 | #### LDAPS - LDAP via SSL (IdM/IPA) 199 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT 200 | -A INPUT -m state --state NEW -m udp -p udp --dport 636 -j ACCEPT 201 | EOF 202 | fi 203 | 204 | if [ ! -z $NFSV4 ]; then 205 | cat <> /etc/sysconfig/iptables 206 | #### NFSv4 Server 207 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT 208 | EOF 209 | fi 210 | 211 | if [ ! -z $ISCSI ]; then 212 | cat <> /etc/sysconfig/iptables 213 | #### iSCSI Server 214 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 3260 -j ACCEPT 215 | EOF 216 | fi 217 | 218 | if [ ! -z $POSTGRESQL ]; then 219 | cat <> /etc/sysconfig/iptables 220 | #### PostgreSQL Server 221 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT 222 | EOF 223 | fi 224 | 225 | if [ ! -z $MARIADB ]; then 226 | cat <> /etc/sysconfig/iptables 227 | #### MariaDB/MySQL Server 228 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT 229 | EOF 230 | fi 231 | 232 | if [ ! -z $SAMBA ]; then 233 | cat <> /etc/sysconfig/iptables 234 | #### Samba/CIFS Server 235 | -A INPUT -m udp -p udp --dport 137 -j ACCEPT 236 | -A INPUT -m udp -p udp --dport 138 -j ACCEPT 237 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT 238 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT 239 | EOF 240 | fi 241 | 242 | if [ ! -z $KVM ]; then 243 | cat <> /etc/sysconfig/iptables 244 | #### SPICE/VNC Client (KVM) 245 | -A INPUT -m state --state NEW -m tcp -p tcp --match multiport --dports 5634:6166 -j ACCEPT 246 | #### KVM Virtual Desktop and Server Manager (VDSM) Service 247 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 54321 -j ACCEPT 248 | #### KVM VM Migration 249 | -A INPUT -m state --state NEW -m tcp -p tcp --dport 16514 -j ACCEPT 250 | -A INPUT -m state --state NEW -m tcp -p tcp --match multiport --dports 49152:49216 -j ACCEPT 251 | EOF 252 | fi 253 | 254 | if [ ! -z $RHEVM ]; then 255 | cat <> /etc/sysconfig/iptables 256 | #### RHEVM (ActiveX Client) 257 | -A INPUT -m state --state NEW -m tcp -p tcp --match multiport --dports 8006:8009 -j ACCEPT 258 | #### RHEVM (ActiveX Client) 259 | -A INPUT -m state --state NEW -m tcp -p tcp --match multiport --dports 8006:8009 -j ACCEPT 260 | EOF 261 | fi 262 | 263 | cat <> /etc/sysconfig/iptables 264 | ################################################################################################################# 265 | # Block timestamp-request and timestamp-reply 266 | 267 | -A INPUT -p ICMP --icmp-type timestamp-request -j DROP 268 | -A INPUT -p ICMP --icmp-type timestamp-reply -j DROP 269 | -A INPUT -j REJECT --reject-with icmp-host-prohibited 270 | -A FORWARD -j REJECT --reject-with icmp-host-prohibited 271 | COMMIT 272 | EOF 273 | 274 | exit 0 275 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /config/hardening/classification-banner.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Classification Banner 3 | # 4 | # Last update was 16 September 2017 5 | # 6 | # Script: classification-banner.py 7 | # Description: Displays a Classification for an Xwindows session 8 | # Copyright: Frank Caviggia, 2017 9 | # Author: Frank Caviggia 10 | # Version: 1.6.5 11 | # License: GPLv2 12 | 13 | import sys,os,optparse,time 14 | from socket import gethostname 15 | 16 | # Check if DISPLAY variable is set 17 | try: 18 | os.environ["DISPLAY"] 19 | import pygtk,gtk 20 | except: 21 | print("Error: DISPLAY environment variable not set.") 22 | sys.exit(1) 23 | 24 | # Global Configuration File 25 | CONF_FILE = "/etc/classification-banner" 26 | 27 | # Returns Username 28 | def get_user(): 29 | try: 30 | user = os.getlogin() 31 | except: 32 | user = '' 33 | pass 34 | return user 35 | 36 | # Returns Hostname 37 | def get_host(): 38 | host = gethostname() 39 | host = host.split('.')[0] 40 | return host 41 | 42 | # Classification Banner Class 43 | class Classification_Banner: 44 | """Class to create and refresh the actual banner.""" 45 | 46 | def __init__(self, message="UNCLASSIFIED", fgcolor="#000000", 47 | bgcolor="#00CC00", face="liberation-sans", size="small", 48 | weight="bold", x=0, y=0, esc=True, opacity=0.75, sys_info=False): 49 | 50 | """Set up and display the main window 51 | 52 | Keyword arguments: 53 | message -- The classification level to display 54 | fgcolor -- Foreground color of the text to display 55 | bgcolor -- Background color of the banner the text is against 56 | face -- Font face to use for the displayed text 57 | size -- Size of font to use for text 58 | weight -- Bold or normal 59 | hres -- Horizontal Screen Resolution (int) [ requires vres ] 60 | vres -- Vertical Screen Resolution (int) [ requires hres ] 61 | opacity -- Opacity of window (float) [0 .. 1, default 0.75] 62 | """ 63 | self.hres = x 64 | self.vres = y 65 | 66 | # Dynamic Resolution Scaling 67 | self.monitor = gtk.gdk.Screen() 68 | self.monitor.connect("size-changed", self.resize) 69 | 70 | # Newer versions of pygtk have this method 71 | try: 72 | self.monitor.connect("monitors-changed", self.resize) 73 | except: 74 | pass 75 | 76 | # Create Main Window 77 | self.window = gtk.Window() 78 | self.window.set_position(gtk.WIN_POS_CENTER) 79 | self.window.connect("hide", self.restore) 80 | self.window.connect("key-press-event", self.keypress) 81 | self.window.modify_bg(gtk.STATE_NORMAL, gtk.gdk.color_parse(bgcolor)) 82 | self.window.set_property('skip-taskbar-hint', True) 83 | self.window.set_property('skip-pager-hint', True) 84 | self.window.set_property('destroy-with-parent', True) 85 | self.window.stick() 86 | self.window.set_decorated(False) 87 | self.window.set_keep_above(True) 88 | self.window.set_app_paintable(True) 89 | 90 | try: 91 | self.window.set_opacity(opacity) 92 | except: 93 | pass 94 | 95 | # Set the default window size 96 | self.window.set_default_size(int(self.hres), 5) 97 | 98 | # Create Main Horizontal Box to Populate 99 | self.hbox = gtk.HBox() 100 | 101 | # Create the Center Vertical Box 102 | self.vbox_center = gtk.VBox() 103 | self.center_label = gtk.Label( 104 | "%s" % 105 | (face, weight, fgcolor, size, message)) 106 | self.center_label.set_use_markup(True) 107 | self.center_label.set_justify(gtk.JUSTIFY_CENTER) 108 | self.vbox_center.pack_start(self.center_label, True, True, 0) 109 | 110 | # Create the Right-Justified Vertical Box to Populate for hostname 111 | self.vbox_right = gtk.VBox() 112 | self.host_label = gtk.Label( 113 | "%s" % 114 | (face, weight, fgcolor, size, get_host())) 115 | self.host_label.set_use_markup(True) 116 | self.host_label.set_justify(gtk.JUSTIFY_RIGHT) 117 | self.host_label.set_width_chars(20) 118 | 119 | # Create the Left-Justified Vertical Box to Populate for user 120 | self.vbox_left = gtk.VBox() 121 | self.user_label = gtk.Label( 122 | "%s" % 123 | (face, weight, fgcolor, size, get_user())) 124 | self.user_label.set_use_markup(True) 125 | self.user_label.set_justify(gtk.JUSTIFY_LEFT) 126 | self.user_label.set_width_chars(20) 127 | 128 | # Create the Right-Justified Vertical Box to Populate for ESC message 129 | self.vbox_esc_right = gtk.VBox() 130 | self.esc_label = gtk.Label( 131 | " (ESC to hide temporarily) " % 132 | (fgcolor)) 133 | self.esc_label.set_use_markup(True) 134 | self.esc_label.set_justify(gtk.JUSTIFY_RIGHT) 135 | self.esc_label.set_width_chars(20) 136 | 137 | # Empty Label for formatting purposes 138 | self.vbox_empty = gtk.VBox() 139 | self.empty_label = gtk.Label( 140 | " ") 141 | self.empty_label.set_use_markup(True) 142 | self.empty_label.set_width_chars(20) 143 | 144 | if not esc: 145 | if not sys_info: 146 | self.hbox.pack_start(self.vbox_center, True, True, 0) 147 | else: 148 | self.vbox_right.pack_start(self.host_label, True, True, 0) 149 | self.vbox_left.pack_start(self.user_label, True, True, 0) 150 | self.hbox.pack_start(self.vbox_right, False, True, 20) 151 | self.hbox.pack_start(self.vbox_center, True, True, 0) 152 | self.hbox.pack_start(self.vbox_left, False, True, 20) 153 | 154 | else: 155 | if esc and not sys_info: 156 | self.empty_label.set_justify(gtk.JUSTIFY_LEFT) 157 | self.vbox_empty.pack_start(self.empty_label, True, True, 0) 158 | self.vbox_esc_right.pack_start(self.esc_label, True, True, 0) 159 | self.hbox.pack_start(self.vbox_esc_right, False, True, 0) 160 | self.hbox.pack_start(self.vbox_center, True, True, 0) 161 | self.hbox.pack_start(self.vbox_empty, False, True, 0) 162 | 163 | if sys_info: 164 | self.vbox_right.pack_start(self.host_label, True, True, 0) 165 | self.vbox_left.pack_start(self.user_label, True, True, 0) 166 | self.hbox.pack_start(self.vbox_right, False, True, 20) 167 | self.hbox.pack_start(self.vbox_center, True, True, 0) 168 | self.hbox.pack_start(self.vbox_left, False, True, 20) 169 | 170 | self.window.add(self.hbox) 171 | self.window.show_all() 172 | self.width, self.height = self.window.get_size() 173 | 174 | # Restore Minimized Window 175 | def restore(self, widget, data=None): 176 | self.window.deiconify() 177 | self.window.present() 178 | 179 | return True 180 | 181 | # Destroy Classification Banner Window on Resize (Display Banner Will Relaunch) 182 | def resize(self, widget, data=None): 183 | self.window.destroy() 184 | 185 | return True 186 | 187 | # Press ESC to hide window for 15 seconds 188 | def keypress(self, widget, event=None): 189 | if event.keyval == 65307: 190 | if not gtk.events_pending(): 191 | self.window.iconify() 192 | self.window.hide() 193 | time.sleep(15) 194 | self.window.show() 195 | self.window.deiconify() 196 | self.window.present() 197 | 198 | return True 199 | 200 | 201 | class Display_Banner: 202 | 203 | """Display Classification Banner Message""" 204 | def __init__(self): 205 | # Dynamic Resolution Scaling 206 | self.monitor = gtk.gdk.Screen() 207 | self.monitor.connect("size-changed", self.resize) 208 | 209 | # Newer versions of pygtk have this method 210 | try: 211 | self.monitor.connect("monitors-changed", self.resize) 212 | except: 213 | pass 214 | 215 | # Launch Banner 216 | self.config, self.args = self.configure() 217 | self.execute(self.config) 218 | 219 | # Read Global configuration 220 | def configure(self): 221 | config = {} 222 | try: 223 | execfile(CONF_FILE, config) 224 | except: 225 | pass 226 | 227 | defaults = {} 228 | defaults["message"] = config.get("message", "UNCLASSIFIED") 229 | defaults["fgcolor"] = config.get("fgcolor", "#FFFFFF") 230 | defaults["bgcolor"] = config.get("bgcolor", "#007A33") 231 | defaults["face"] = config.get("face", "liberation-sans") 232 | defaults["size"] = config.get("size", "small") 233 | defaults["weight"] = config.get("weight", "bold") 234 | defaults["show_top"] = config.get("show_top", True) 235 | defaults["show_bottom"] = config.get("show_bottom", True) 236 | defaults["hres"] = config.get("hres", 0) 237 | defaults["vres"] = config.get("vres", 0) 238 | defaults["sys_info"] = config.get("sys_info", False) 239 | defaults["opacity"] = config.get("opacity", 0.75) 240 | defaults["esc"] = config.get("esc", True) 241 | defaults["spanning"] = config.get("spanning", False) 242 | 243 | # Use the global config to set defaults for command line options 244 | parser = optparse.OptionParser() 245 | parser.add_option("-m", "--message", default=defaults["message"], 246 | help="Set the Classification message") 247 | parser.add_option("-f", "--fgcolor", default=defaults["fgcolor"], 248 | help="Set the Foreground (text) color") 249 | parser.add_option("-b", "--bgcolor", default=defaults["bgcolor"], 250 | help="Set the Background color") 251 | parser.add_option("-x", "--hres", default=defaults["hres"], type="int", 252 | help="Set the Horizontal Screen Resolution") 253 | parser.add_option("-y", "--vres", default=defaults["vres"], type="int", 254 | help="Set the Vertical Screen Resolution") 255 | parser.add_option("-o", "--opacity", default=defaults["opacity"], 256 | type="float", dest="opacity", 257 | help="Set the window opacity for composted window managers") 258 | parser.add_option("--face", default=defaults["face"], help="Font face") 259 | parser.add_option("--size", default=defaults["size"], help="Font size") 260 | parser.add_option("--weight", default=defaults["weight"], 261 | help="Set the Font weight") 262 | parser.add_option("--disable-esc-msg", default=defaults["esc"], 263 | dest="esc", action="store_false", 264 | help="Disable the 'ESC to hide' message") 265 | parser.add_option("--hide-top", default=defaults["show_top"], 266 | dest="show_top", action="store_false", 267 | help="Disable the top banner") 268 | parser.add_option("--hide-bottom", default=defaults["show_bottom"], 269 | dest="show_bottom", action="store_false", 270 | help="Disable the bottom banner") 271 | parser.add_option("--system-info", default=defaults["sys_info"], 272 | dest="sys_info", action="store_true", 273 | help="Show user and hostname in the top banner") 274 | parser.add_option("--enable-spanning", default=defaults["spanning"], 275 | dest="spanning", action="store_true", 276 | help="Enable banner(s) to span across screens as a single banner") 277 | 278 | options, args = parser.parse_args() 279 | return options, args 280 | 281 | # Launch the Classification Banner Window(s) 282 | def execute(self, options): 283 | self.num_monitor = 0 284 | 285 | if options.hres == 0 or options.vres == 0: 286 | # Try Xrandr to determine primary monitor resolution 287 | try: 288 | self.screen = os.popen("xrandr | grep ' current ' | awk '{ print $8$9$10+0 }'").readlines()[0] 289 | self.x = self.screen.split('x')[0] 290 | self.y = self.screen.split('x')[1].split('+')[0] 291 | 292 | except: 293 | try: 294 | self.screen = os.popen("xrandr | grep ' connected ' | awk '{ print $3 }'").readlines()[0] 295 | self.x = self.screen.split('x')[0] 296 | self.y = self.screen.split('x')[1].split('+')[0] 297 | 298 | except: 299 | self.screen = os.popen("xrandr | grep '^\*0' | awk '{ print $2$3$4 }'").readlines()[0] 300 | self.x = self.screen.split('x')[0] 301 | self.y = self.screen.split('x')[1].split('+')[0] 302 | 303 | else: 304 | # Fail back to GTK method 305 | self.display = gtk.gdk.display_get_default() 306 | self.screen = self.display.get_default_screen() 307 | self.x = self.screen.get_width() 308 | self.y = self.screen.get_height() 309 | else: 310 | # Resoultion Set Staticly 311 | self.x = options.hres 312 | self.y = options.vres 313 | 314 | if not options.spanning and self.num_monitor > 1: 315 | for monitor in range(self.num_monitor): 316 | mon_geo = self.screen.get_monitor_geometry(monitor) 317 | self.x_location, self.y_location, self.x, self.y = mon_geo 318 | self.banners(options) 319 | else: 320 | self.x_location = 0 321 | self.y_location = 0 322 | self.banners(options) 323 | 324 | def banners(self, options): 325 | if options.show_top: 326 | top = Classification_Banner( 327 | options.message, 328 | options.fgcolor, 329 | options.bgcolor, 330 | options.face, 331 | options.size, 332 | options.weight, 333 | self.x, 334 | self.y, 335 | options.esc, 336 | options.opacity, 337 | options.sys_info) 338 | top.window.move(self.x_location, self.y_location) 339 | 340 | if options.show_bottom: 341 | bottom = Classification_Banner( 342 | options.message, 343 | options.fgcolor, 344 | options.bgcolor, 345 | options.face, 346 | options.size, 347 | options.weight, 348 | self.x, 349 | self.y, 350 | options.esc, 351 | options.opacity) 352 | bottom.window.move(self.x_location, int(bottom.vres)) 353 | 354 | # Relaunch the Classification Banner on Screen Resize 355 | def resize(self, widget, data=None): 356 | self.config, self.args = self.configure() 357 | self.execute(self.config) 358 | return True 359 | 360 | 361 | # Main Program Loop 362 | if __name__ == "__main__": 363 | run = Display_Banner() 364 | gtk.main() 365 | -------------------------------------------------------------------------------- /config/hardening/menu.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | # Graphical Kickstart Script 3 | # 4 | # This script was written by Frank Caviggia, Red Hat Consulting 5 | # Last update was 19 March 2015 6 | # This script is NOT SUPPORTED by Red Hat Global Support Services. 7 | # Please contact Rick Tavares for more information. 8 | # 9 | # Author: Frank Caviggia (fcaviggi@redhat.com) 10 | # Copyright: Red Hat, (C) 2014 11 | # License: GPLv2 12 | 13 | import os,sys,re,crypt,random 14 | try: 15 | os.environ['DISPLAY'] 16 | import pygtk,gtk 17 | except: 18 | print "Error: DISPLAY environment varible not set." 19 | sys.exit(1) 20 | 21 | # Class containing verification items 22 | class Verification: 23 | # Name/Comment Check 24 | def check_name(self,name): 25 | pattern = re.compile(r"^[ a-zA-Z']+$",re.VERBOSE) 26 | if re.match(pattern,name): 27 | return True 28 | else: 29 | return False 30 | 31 | # Check for vaild Unix username 32 | def check_username(self,username): 33 | pattern = re.compile(r"^\w{5,255}$",re.VERBOSE) 34 | if re.match(pattern,username): 35 | return True 36 | else: 37 | return False 38 | 39 | # Check for vaild Unix UID 40 | def check_uid(self,uid): 41 | pattern = re.compile(r"^\d{1,10}$",re.VERBOSE) 42 | if re.match(pattern,uid): 43 | return True 44 | else: 45 | return False 46 | 47 | # Check for vaild IP address 48 | def check_ip(self,ip): 49 | pattern = re.compile(r"\b(([01]?\d?\d|2[0-4]\d|25[0-5])\.){3}([01]?\d?\d|2[0-4]\d|25[0-3])\b",re.VERBOSE) 50 | if re.match(pattern,ip) and ip != "0.0.0.0": 51 | return True 52 | else: 53 | return False 54 | 55 | # Check for vaild system hostanme 56 | def check_hostname(self,hostname): 57 | pattern = re.compile(r"^[a-zA-Z0-9\-\.]{1,100}$",re.VERBOSE) 58 | if re.match(pattern,hostname): 59 | return True 60 | else: 61 | return False 62 | 63 | 64 | # Display Menu 65 | class Display_Menu: 66 | def __init__(self): 67 | 68 | # Initalize Additional Configuration Files 69 | f = open('/tmp/hardening-post','w') 70 | f.write('') 71 | f.close() 72 | f = open('/tmp/hardening-packages','w') 73 | f.write('') 74 | f.close() 75 | 76 | # Data Storage 77 | self.data = {} 78 | 79 | # Verification Functions 80 | self.verify = Verification() 81 | 82 | # Create Main Window 83 | self.window = gtk.Window() 84 | self.window.set_title("Red Hat Enterprise Linux - Hardened Installation") 85 | self.window.set_position(gtk.WIN_POS_CENTER) 86 | self.window.connect("delete_event",gtk.main_quit) 87 | self.display = gtk.gdk.display_get_default() 88 | self.screen = self.display.get_default_screen() 89 | self.hres = self.screen.get_width() 90 | self.vres = self.screen.get_height() 91 | self.window.connect("key-release-event",self.event_key) 92 | 93 | # Create Main Vertical Box to Populate 94 | self.vbox = gtk.VBox() 95 | 96 | if self.hres == 640: 97 | self.window.resize(640,480) 98 | elif self.hres > 640: 99 | self.window.resize(800,600) 100 | # RedHat Logo 101 | self.logo = gtk.Image() 102 | self.logo.set_from_file("/usr/share/anaconda/pixmaps/anaconda_header.png") 103 | self.logo.set_alignment(0,0) 104 | self.logo.set_padding(0,0) 105 | self.vbox.add(self.logo) 106 | 107 | # Creates Header 108 | self.header = gtk.HBox() 109 | self.label = gtk.Label(" Red Hat Enterprise Linux - Hardened Installation ") 110 | self.label.set_use_markup(True) 111 | self.header.add(self.label) 112 | self.vbox.add(self.header) 113 | 114 | # Creates Information Message 115 | self.label = gtk.Label('This DVD installs Red Hat Enterprise Linux 6 with configurations required by multiple government regulations.') 116 | self.vbox.add(self.label) 117 | self.label = gtk.Label('RHEL 6 (Hardened DVD Installer v.1.4.1)') 118 | self.vbox.add(self.label) 119 | 120 | # Blank Label 121 | self.label = gtk.Label("") 122 | self.vbox.add(self.label) 123 | 124 | # System Configuration 125 | self.system = gtk.HBox() 126 | self.label = gtk.Label(" Hostame: ") 127 | self.system.pack_start(self.label,False,True, 0) 128 | self.hostname = gtk.Entry(100) 129 | self.hostname.set_size_request(225,-1) 130 | self.system.pack_start(self.hostname,False,True,0) 131 | try: 132 | if os.environ['HOSTNAME'] != '': 133 | self.hostname.set_text(os.environ['HOSTNAME']) 134 | else: 135 | self.hostname.set_text('localhost.localdomain') 136 | except: 137 | self.hostname.set_text('localhost.localdomain') 138 | self.label = gtk.Label(" System Profile: ") 139 | self.system.pack_start(self.label,False,True, 0) 140 | self.system_profile = gtk.combo_box_new_text() 141 | self.system_profile.append_text("Minimal Installation") 142 | self.system_profile.append_text("User Workstation") 143 | self.system_profile.append_text("Developer Workstation") 144 | self.system_profile.append_text("RHN Satellite 5.x Server") 145 | self.system_profile.append_text("RHN Satellite 6.x Server") 146 | self.system_profile.append_text("Proprietary Database Server") 147 | self.system_profile.append_text("RHEV-Attached KVM Server") 148 | #self.system_profile.append_text("Standalone KVM Server") 149 | #self.system_profile.append_text("Apache Web Server") 150 | #self.system_profile.append_text("Tomcat Web Server") 151 | #self.system_profile.append_text("PostgreSQL Database Server") 152 | #self.system_profile.append_text("MySQL Database Server") 153 | self.system_profile.set_active(0) 154 | self.system_profile.connect('changed',self.configure_system_profile) 155 | self.system.pack_start(self.system_profile,False,True,0) 156 | self.vbox.add(self.system) 157 | 158 | 159 | self.classification = gtk.HBox() 160 | self.label = gtk.Label(" System Classification: ") 161 | self.classification.pack_start(self.label,False,True, 0) 162 | self.system_classification = gtk.combo_box_new_text() 163 | self.system_classification.append_text("UNCLASSIFIED") 164 | self.system_classification.append_text("UNCLASSIFIED//FOUO") 165 | self.system_classification.append_text("CONFIDENTIAL") 166 | self.system_classification.append_text("SECRET") 167 | self.system_classification.append_text("TOP SECRET") 168 | self.system_classification.append_text("TOP SECRET//SCI") 169 | self.system_classification.append_text("TOP SECRET//SCI//NOFORN") 170 | self.system_classification.set_active(0) 171 | self.classification.pack_start(self.system_classification,False,True,0) 172 | self.vbox.add(self.classification) 173 | 174 | # Blank Label 175 | self.label = gtk.Label("") 176 | self.vbox.add(self.label) 177 | 178 | # System Information 179 | self.cpu_cores = 0 180 | self.cpu_model = '' 181 | self.cpu_arch = '' 182 | self.system_memory = {} 183 | with open('/proc/cpuinfo') as f: 184 | for line in f: 185 | if line.strip(): 186 | if line.rstrip('\n').startswith('model name'): 187 | self.cpu_model = line.rstrip('\n').split(':')[1] 188 | self.cpu_cores += 1 189 | elif line.rstrip('\n').startswith('flags') or line.rstrip('\n').startswith('Features'): 190 | if 'lm' in line.rstrip('\n').split(): 191 | self.cpu_arch = '64-bit' 192 | else: 193 | self.cpu_arch = '32-bit' 194 | f.close() 195 | 196 | with open('/proc/meminfo') as f: 197 | for line in f: 198 | self.system_memory[line.split(':')[0]] = line.split(':')[1].strip() 199 | f.close() 200 | 201 | self.cpu_information = gtk.HBox() 202 | self.label = gtk.Label(" CPU Model: ") 203 | self.cpu_information.pack_start(self.label,False,True, 0) 204 | self.label = gtk.Label(" %s "%(self.cpu_model)) 205 | self.cpu_information.pack_start(self.label,False,True, 0) 206 | self.label = gtk.Label(" CPU Threads: ") 207 | self.cpu_information.pack_start(self.label,False,True, 0) 208 | self.label = gtk.Label(" %d "%(self.cpu_cores)) 209 | self.cpu_information.pack_start(self.label,False,True, 0) 210 | self.label = gtk.Label(" Architecure: ") 211 | self.cpu_information.pack_start(self.label,False,True, 0) 212 | self.label = gtk.Label(" %s "%(self.cpu_arch)) 213 | self.cpu_information.pack_start(self.label,False,True, 0) 214 | self.vbox.add(self.cpu_information) 215 | 216 | self.memory_information = gtk.HBox() 217 | self.label = gtk.Label(" Total System Memory: ") 218 | self.memory_information.pack_start(self.label,False,True, 0) 219 | self.label = gtk.Label(" %s "%(self.system_memory['MemTotal'])) 220 | self.memory_information.pack_start(self.label,False,True, 0) 221 | self.label = gtk.Label(" Free Memory: ") 222 | self.memory_information.pack_start(self.label,False,True, 0) 223 | self.label = gtk.Label(" %s "%(self.system_memory['MemFree'])) 224 | self.memory_information.pack_start(self.label,False,True, 0) 225 | self.vbox.add(self.memory_information) 226 | 227 | # Disk Partitioning Section 228 | self.label = gtk.Label("\nDisk Partitioning") 229 | self.label.set_use_markup(True) 230 | self.vbox.add(self.label) 231 | 232 | # Blank Label 233 | self.label = gtk.Label("") 234 | self.vbox.add(self.label) 235 | 236 | # List Disks 237 | self.disk_list = gtk.HBox() 238 | 239 | self.disk_info = [] 240 | self.disk_total = 0 241 | self.output = os.popen('list-harddrives') 242 | for self.line in self.output: 243 | self.line = self.line.strip() 244 | if not ('fd0' in self.line or 'sr0' in self.line): 245 | self.disk_info.append(self.line.split(' ')) 246 | 247 | self.label = gtk.Label(" Available Disks: ") 248 | self.disk_list.pack_start(self.label, False, True, 0) 249 | 250 | if len(self.disk_info) == 0: 251 | self.label = gtk.Label("No Drives Available.") 252 | self.disk_list.pack_start(self.label,False,True,0) 253 | else: 254 | for i in range(len(self.disk_info)): 255 | if len(self.disk_info) > 5: 256 | exec("self.disk%d = gtk.CheckButton(self.disk_info[%d][0])"%(i,i)) 257 | else: 258 | exec("self.disk%s = gtk.CheckButton(self.disk_info[%d][0] +' ('+ str(int(float(self.disk_info[%d][1]))/1024) +'Gb)')"%(i,i,i)) 259 | exec("self.disk%d.set_active(True)"%(i)) 260 | exec("self.disk_list.pack_start(self.disk%d, False, True, 0)"%(i)) 261 | self.disk_total += int(float(self.disk_info[i][1])/1024) 262 | 263 | self.vbox.add(self.disk_list) 264 | 265 | # Disk Encryption (Ability to disable LUKS for self encrypting drives) 266 | self.encrypt = gtk.HBox() 267 | 268 | self.label = gtk.Label(" ") 269 | self.encrypt.pack_start(self.label, False, True, 0) 270 | 271 | 272 | self.encrypt_disk = gtk.CheckButton('Encrypt Drives with LUKS') 273 | self.encrypt_disk.set_active(True) 274 | self.encrypt.pack_start(self.encrypt_disk, False, True, 0) 275 | 276 | self.vbox.add(self.encrypt) 277 | 278 | 279 | # Minimal Installation Warning 280 | if self.disk_total < 8: 281 | self.MessageBox(self.window,"Recommended minimum of 8Gb disk space for a Minimal Install!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 282 | 283 | # Blank Label 284 | self.label = gtk.Label("") 285 | self.vbox.add(self.label) 286 | 287 | # Partitioning 288 | self.label = gtk.Label('Required LVM Partitioning Percentage') 289 | self.vbox.add(self.label) 290 | self.partitioning1 = gtk.HBox() 291 | self.label = gtk.Label(" ROOT (/) ") 292 | self.partitioning1.pack_start(self.label,False,True,0) 293 | self.root_range = gtk.Adjustment(30,1,95,1,0, 0) 294 | self.root_partition = gtk.SpinButton(adjustment=self.root_range,climb_rate=1,digits=0) 295 | self.root_partition.connect('value-changed',self.lvm_check) 296 | self.partitioning1.pack_start(self.root_partition,False,True,0) 297 | self.label = gtk.Label("% HOME (/home) ") 298 | self.partitioning1.pack_start(self.label,False,True,0) 299 | self.home_range = gtk.Adjustment(25,1,95,1,0, 0) 300 | self.home_partition = gtk.SpinButton(adjustment=self.home_range,climb_rate=1,digits=0) 301 | self.home_partition.connect('value-changed',self.lvm_check) 302 | self.partitioning1.pack_start(self.home_partition,False,True,0) 303 | self.label = gtk.Label("% TMP (/tmp) ") 304 | self.partitioning1.pack_start(self.label,False,True,0) 305 | self.tmp_range = gtk.Adjustment(10,1,60,1,0, 0) 306 | self.tmp_partition = gtk.SpinButton(adjustment=self.tmp_range,climb_rate=1,digits=0) 307 | self.tmp_partition.connect('value-changed',self.lvm_check) 308 | self.partitioning1.pack_start(self.tmp_partition,False,True,0) 309 | self.label = gtk.Label("% VAR (/var) ") 310 | self.partitioning1.pack_start(self.label,False,True,0) 311 | self.var_range = gtk.Adjustment(10,1,95,1,0, 0) 312 | self.var_partition = gtk.SpinButton(adjustment=self.var_range,climb_rate=1,digits=0) 313 | self.var_partition.connect('value-changed',self.lvm_check) 314 | self.partitioning1.pack_start(self.var_partition,False,True,0) 315 | self.label = gtk.Label("%") 316 | self.partitioning1.pack_start(self.label,False,True,0) 317 | 318 | self.vbox.add(self.partitioning1) 319 | self.partitioning2 = gtk.HBox() 320 | self.label = gtk.Label(" LOG (/var/log) ") 321 | self.partitioning2.pack_start(self.label,False,True,0) 322 | self.log_range = gtk.Adjustment(10,1,75,1,0, 0) 323 | self.log_partition = gtk.SpinButton(adjustment=self.log_range,climb_rate=1,digits=0) 324 | self.log_partition.connect('value-changed',self.lvm_check) 325 | self.partitioning2.pack_start(self.log_partition,False,True,0) 326 | self.label = gtk.Label("% AUDIT (/var/log/audit) ") 327 | self.partitioning2.pack_start(self.label,False,True,0) 328 | self.audit_range = gtk.Adjustment(10,1,75,1,0, 0) 329 | self.audit_partition = gtk.SpinButton(adjustment=self.audit_range,climb_rate=1,digits=0) 330 | self.audit_partition.connect('value-changed',self.lvm_check) 331 | self.partitioning2.pack_start(self.audit_partition,False,True,0) 332 | self.label = gtk.Label("% SWAP ") 333 | self.partitioning2.pack_start(self.label,False,True,0) 334 | self.swap_range = gtk.Adjustment(5,1,25,1,0, 0) 335 | self.swap_partition = gtk.SpinButton(adjustment=self.swap_range,climb_rate=1,digits=0) 336 | self.swap_partition.connect('value-changed',self.lvm_check) 337 | self.partitioning2.pack_start(self.swap_partition,False,True,0) 338 | self.label = gtk.Label("%") 339 | self.partitioning2.pack_start(self.label,False,True,0) 340 | self.vbox.add(self.partitioning2) 341 | # Blank Label 342 | self.label = gtk.Label("") 343 | self.vbox.add(self.label) 344 | self.label = gtk.Label('Optional LVM Partitioning Percentage') 345 | self.vbox.add(self.label) 346 | self.partitioning3 = gtk.HBox() 347 | self.label = gtk.Label(" WWW (/var/www) ") 348 | self.partitioning3.pack_start(self.label,False,True,0) 349 | self.www_range = gtk.Adjustment(0,0,90,1,0, 0) 350 | self.www_partition = gtk.SpinButton(adjustment=self.www_range,climb_rate=1,digits=0) 351 | self.www_partition.connect('value-changed',self.lvm_check) 352 | self.partitioning3.pack_start(self.www_partition,False,True,0) 353 | self.label = gtk.Label("% OPT (/opt) ") 354 | self.partitioning3.pack_start(self.label,False,True,0) 355 | self.opt_range = gtk.Adjustment(0,0,90,1,0, 0) 356 | self.opt_partition = gtk.SpinButton(adjustment=self.opt_range,climb_rate=1,digits=0) 357 | self.opt_partition.connect('value-changed',self.lvm_check) 358 | self.partitioning3.pack_start(self.opt_partition,False,True,0) 359 | self.label = gtk.Label("%") 360 | self.partitioning3.pack_start(self.label,False,True,0) 361 | self.vbox.add(self.partitioning3) 362 | 363 | # Blank Label 364 | self.label = gtk.Label("") 365 | self.vbox.add(self.label) 366 | 367 | self.partition_message = gtk.HBox() 368 | self.label = gtk.Label(' Note: LVM Partitions should add up to 100% or less before proceeding. Currently Used: ') 369 | self.label.set_use_markup(True) 370 | self.partition_message.pack_start(self.label,False,True,0) 371 | self.partition_used = gtk.Label('100%') 372 | self.partition_message.pack_start(self.partition_used,False,True,0) 373 | self.vbox.add(self.partition_message) 374 | 375 | # Button Bar at the Bottom of the Window 376 | self.label = gtk.Label("") 377 | self.vbox.add(self.label) 378 | self.button_bar = gtk.HBox() 379 | 380 | # Apply Configurations 381 | self.button1 = gtk.Button(None,gtk.STOCK_OK) 382 | self.button1.connect("clicked",self.apply_configuration) 383 | self.button_bar.pack_end(self.button1,False,True,0) 384 | 385 | # Help 386 | self.button2 = gtk.Button(None,gtk.STOCK_HELP) 387 | self.button2.connect("clicked",self.show_help_main) 388 | self.button_bar.pack_end(self.button2,False,True,0) 389 | 390 | self.vbox.add(self.button_bar) 391 | self.window.add(self.vbox) 392 | self.window.show_all() 393 | 394 | ## STOCK CONFIGURATIONS (Minimal Install) 395 | # Post Configuration (nochroot) 396 | f = open('/tmp/hardening-post-nochroot','w') 397 | f.write('') 398 | f.close() 399 | # Post Configuration 400 | f = open('/tmp/hardening-post','w') 401 | # Run Hardening Script 402 | f.write('/sbin/system-hardening -q &> /dev/null\n') 403 | f.close() 404 | # Package Selection 405 | f = open('/tmp/hardening-packages','w') 406 | f.write('') 407 | f.close() 408 | 409 | 410 | 411 | # Key Press Event 412 | def event_key(self,args,event): 413 | if event.keyval == gtk.keysyms.F12: 414 | self.apply_configuration(args) 415 | elif event.keyval == gtk.keysyms.F1: 416 | self.show_help_main(args) 417 | 418 | # Shows Help for Main Install 419 | def show_help_main(self,args): 420 | self.help_text = ("Install Help\n\n- All LVM partitions need to take less than or equal to 100% of the LVM Volume Group.\n\n- Pressing OK prompts for a password to encrypt Disk (LUKS), GRUB, and Root password.\n\n- The sshusers group controls remote access, wheel group is for root users, and isso group is for limited root with auditing permissions.\n\n- To access root remotely via ssh you need to create a user and add them to the wheel and sshusers groups.\n\n- Minimum password length is 14 characters, using a strong password is recommended.\n") 421 | self.MessageBox(self.window,self.help_text,gtk.MESSAGE_INFO) 422 | 423 | 424 | # System Profile Configuration 425 | def configure_system_profile(self,args): 426 | # Zero out partitioning 427 | self.opt_partition.set_value(0) 428 | self.www_partition.set_value(0) 429 | self.swap_partition.set_value(0) 430 | self.tmp_partition.set_value(0) 431 | self.var_partition.set_value(0) 432 | self.log_partition.set_value(0) 433 | self.audit_partition.set_value(0) 434 | self.home_partition.set_value(0) 435 | self.root_partition.set_value(0) 436 | 437 | ################################################################################################################ 438 | # Minimal (Defualts to Kickstart) 439 | ################################################################################################################ 440 | if int(self.system_profile.get_active()) == 0: 441 | # Partitioning 442 | if self.disk_total < 8: 443 | self.MessageBox(self.window,"Recommended minimum of 8Gb disk space for a Minimal Install!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 444 | self.opt_partition.set_value(0) 445 | self.www_partition.set_value(0) 446 | self.swap_partition.set_value(5) 447 | self.tmp_partition.set_value(10) 448 | self.var_partition.set_value(10) 449 | self.log_partition.set_value(10) 450 | self.audit_partition.set_value(10) 451 | self.home_partition.set_value(25) 452 | self.root_partition.set_value(30) 453 | # Post Configuration (nochroot) 454 | f = open('/tmp/hardening-post-nochroot','w') 455 | f.write('') 456 | f.close() 457 | # Post Configuration 458 | f = open('/tmp/hardening-post','w') 459 | # Run Hardening Script 460 | f.write('/sbin/system-hardening -q &> /dev/null\n') 461 | f.close() 462 | # Package Selection 463 | f = open('/tmp/hardening-packages','w') 464 | f.write('') 465 | f.close() 466 | 467 | ################################################################################################################ 468 | # User Workstation 469 | ################################################################################################################ 470 | if int(self.system_profile.get_active()) == 1: 471 | # Partitioning 472 | if self.disk_total < 12: 473 | self.MessageBox(self.window,"Recommended minimum of 12Gb disk space for a User Workstation!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 474 | self.opt_partition.set_value(0) 475 | self.www_partition.set_value(0) 476 | self.swap_partition.set_value(5) 477 | self.tmp_partition.set_value(10) 478 | self.var_partition.set_value(10) 479 | self.log_partition.set_value(10) 480 | self.audit_partition.set_value(10) 481 | self.home_partition.set_value(25) 482 | self.root_partition.set_value(30) 483 | # Post Configuration (nochroot) 484 | f = open('/tmp/hardening-post-nochroot','w') 485 | f.write('cp /mnt/source/hardening/classification-banner.py /mnt/sysimage/usr/local/bin/\n') 486 | f.write('chmod a+rx /mnt/sysimage/usr/local/bin/classification-banner.py\n') 487 | f.close() 488 | # Post Configuration 489 | f = open('/tmp/hardening-post','w') 490 | # Run Hardening Script 491 | f.write('/sbin/system-hardening -q &> /dev/null\n') 492 | f.close() 493 | # Package Selection 494 | f = open('/tmp/hardening-packages','w') 495 | f.write('@additional-devel\n') 496 | f.write('@basic-desktop\n') 497 | f.write('@desktop-platform\n') 498 | f.write('@directory-client\n') 499 | f.write('@general-desktop\n') 500 | f.write('@graphical-admin-tools\n') 501 | f.write('@input-methods\n') 502 | f.write('@internet-browser\n') 503 | f.write('@java-platform\n') 504 | f.write('@legacy-x\n') 505 | f.write('@x11\n') 506 | f.write('pcsc*\n') 507 | f.write('coolkey\n') 508 | f.write('liberation-*\n') 509 | f.write('dejavu-*\n') 510 | f.write('icedtea-web\n') 511 | f.write('krb5-auth-dialog\n') 512 | f.write('seahorse-plugins\n') 513 | f.write('vim-X11\n') 514 | f.write('system-config-lvm\n') 515 | f.write('audit-viewer\n') 516 | f.write('openmotif\n') 517 | f.write('libXmu\n') 518 | f.write('libXp\n') 519 | f.write('openmotif22\n') 520 | f.write('-samba-winbind\n') 521 | f.write('-certmonger\n') 522 | f.write('-gnome-applets\n') 523 | f.write('-vino\n') 524 | f.write('-ypbind\n') 525 | f.write('-cheese\n') 526 | f.write('-gnome-backgrounds\n') 527 | f.write('-compiz-gnome\n') 528 | f.write('-gnome-bluetooth\n') 529 | f.write('-gnome-user-share\n') 530 | f.write('-sound-juicer\n') 531 | f.write('-rhythmbox\n') 532 | f.write('-brasero\n') 533 | f.write('-brasero-nautilus\n') 534 | f.write('-brasero-libs\n') 535 | f.write('-NetworkManager\n') 536 | f.write('-NetworkManager-gnome\n') 537 | f.write('-evolution-data-server\n') 538 | f.write('-NetworkManager-glib\n') 539 | f.write('-m17n-contrib-bengali\n') 540 | f.write('-m17n-contrib-punjabi\n') 541 | f.write('-ibus-sayura\n') 542 | f.write('-m17n-contrib-assamese\n') 543 | f.write('-m17n-contrib-oriya\n') 544 | f.write('-m17n-contrib-kannada\n') 545 | f.write('-m17n-contrib-telugu\n') 546 | f.write('-m17n-contrib-hindi\n') 547 | f.write('-m17n-contrib-maithili\n') 548 | f.write('-m17n-db-sinhala\n') 549 | f.write('-m17n-contrib-marathi\n') 550 | f.write('-m17n-db-thai\n') 551 | f.write('-ibus-pinyin\n') 552 | f.write('-m17n-contrib-urdu\n') 553 | f.write('-m17n-contrib-tamil\n') 554 | f.write('-ibus-chewing\n') 555 | f.write('-ibus-hangul\n') 556 | f.write('-ibus-anthy\n') 557 | f.write('-m17n-contrib-malayalam\n') 558 | f.write('-m17n-contrib-gujarati\n') 559 | f.close() 560 | 561 | 562 | ################################################################################################################ 563 | # Developer Workstation 564 | ################################################################################################################ 565 | if int(self.system_profile.get_active()) == 2: 566 | # Partitioning 567 | if self.disk_total < 16: 568 | self.MessageBox(self.window,"Recommended minimum 16Gb disk space for a Developer Workstation!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 569 | self.opt_partition.set_value(0) 570 | self.www_partition.set_value(0) 571 | self.swap_partition.set_value(5) 572 | self.tmp_partition.set_value(10) 573 | self.var_partition.set_value(10) 574 | self.log_partition.set_value(10) 575 | self.audit_partition.set_value(10) 576 | self.home_partition.set_value(25) 577 | self.root_partition.set_value(30) 578 | # Post Configuration (nochroot) 579 | f = open('/tmp/hardening-post-nochroot','w') 580 | f.write('cp /mnt/source/hardening/classification-banner.py /mnt/sysimage/usr/local/bin/\n') 581 | f.write('chmod a+rx /mnt/sysimage/usr/local/bin/classification-banner.py\n') 582 | f.close() 583 | # Post Configuration 584 | f = open('/tmp/hardening-post','w') 585 | # Run Hardening Script 586 | f.write('/sbin/system-hardening -q &> /dev/null \n') 587 | f.close() 588 | # Package Selection 589 | f = open('/tmp/hardening-packages','w') 590 | f.write('@additional-devel\n') 591 | f.write('@basic-desktop\n') 592 | f.write('@desktop-platform\n') 593 | f.write('@desktop-platform-devel\n') 594 | f.write('@development\n') 595 | f.write('@directory-client\n') 596 | f.write('@eclipse\n') 597 | f.write('@general-desktop\n') 598 | f.write('@graphical-admin-tools\n') 599 | f.write('@input-methods\n') 600 | f.write('@internet-browser\n') 601 | f.write('@java-platform\n') 602 | f.write('@legacy-x\n') 603 | f.write('@server-platform-devel\n') 604 | f.write('@x11\n') 605 | f.write('pcsc*\n') 606 | f.write('coolkey\n') 607 | f.write('liberation-*\n') 608 | f.write('dejavu-*\n') 609 | f.write('icedtea-web\n') 610 | f.write('libXinerama-devel\n') 611 | f.write('openmotif-devel\n') 612 | f.write('libXmu-devel\n') 613 | f.write('xorg-x11-proto-devel\n') 614 | f.write('startup-notification-devel\n') 615 | f.write('libgnomeui-devel\n') 616 | f.write('libbonobo-devel\n') 617 | f.write('junit\n') 618 | f.write('libXau-devel\n') 619 | f.write('libgcrypt-devel\n') 620 | f.write('popt-devel\n') 621 | f.write('gnome-python2-desktop\n') 622 | f.write('libdrm-devel\n') 623 | f.write('libXrandr-devel\n') 624 | f.write('libxslt-devel\n') 625 | f.write('libglade2-devel\n') 626 | f.write('gnutls-devel\n') 627 | f.write('desktop-file-utils\n') 628 | f.write('ant\n') 629 | f.write('rpmdevtools\n') 630 | f.write('gcc-java\n') 631 | f.write('jpackage-utils\n') 632 | f.write('rpmlint\n') 633 | f.write('krb5-auth-dialog\n') 634 | f.write('seahorse-plugins\n') 635 | f.write('vim-X11\n') 636 | f.write('system-config-lvm\n') 637 | f.write('audit-viewer\n') 638 | f.write('openmotif\n') 639 | f.write('libXmu\n') 640 | f.write('libXp\n') 641 | f.write('openmotif22\n') 642 | f.write('-samba-winbind\n') 643 | f.write('-certmonger\n') 644 | f.write('-gnome-applets\n') 645 | f.write('-vino\n') 646 | f.write('-ypbind\n') 647 | f.write('-cheese\n') 648 | f.write('-gnome-backgrounds\n') 649 | f.write('-compiz-gnome\n') 650 | f.write('-gnome-bluetooth\n') 651 | f.write('-gnome-user-share\n') 652 | f.write('-sound-juicer\n') 653 | f.write('-rhythmbox\n') 654 | f.write('-brasero\n') 655 | f.write('-brasero-nautilus\n') 656 | f.write('-brasero-libs\n') 657 | f.write('-NetworkManager\n') 658 | f.write('-NetworkManager-gnome\n') 659 | f.write('-evolution-data-server\n') 660 | f.write('-evolution-data-server-devel\n') 661 | f.write('-NetworkManager-glib\n') 662 | f.write('-m17n-contrib-bengali\n') 663 | f.write('-m17n-contrib-punjabi\n') 664 | f.write('-ibus-sayura\n') 665 | f.write('-m17n-contrib-assamese\n') 666 | f.write('-m17n-contrib-oriya\n') 667 | f.write('-m17n-contrib-kannada\n') 668 | f.write('-m17n-contrib-telugu\n') 669 | f.write('-m17n-contrib-hindi\n') 670 | f.write('-m17n-contrib-maithili\n') 671 | f.write('-m17n-db-sinhala\n') 672 | f.write('-m17n-contrib-marathi\n') 673 | f.write('-m17n-db-thai\n') 674 | f.write('-ibus-pinyin\n') 675 | f.write('-m17n-contrib-urdu\n') 676 | f.write('-m17n-contrib-tamil\n') 677 | f.write('-ibus-chewing\n') 678 | f.write('-ibus-hangul\n') 679 | f.write('-ibus-anthy\n') 680 | f.write('-m17n-contrib-malayalam\n') 681 | f.write('-m17n-contrib-gujarati\n') 682 | f.close() 683 | 684 | 685 | ################################################################################################################ 686 | # RHN Satellite 5.x Install 687 | ################################################################################################################ 688 | if int(self.system_profile.get_active()) == 3: 689 | # Partitioning 690 | if self.disk_total < 120: 691 | self.MessageBox(self.window,"Recommended minimum of 120Gb disk space for a RHN Satelite Server!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 692 | self.opt_partition.set_value(0) 693 | self.www_partition.set_value(3) 694 | self.swap_partition.set_value(1) 695 | self.tmp_partition.set_value(2) 696 | self.var_partition.set_value(80) 697 | self.log_partition.set_value(3) 698 | self.audit_partition.set_value(3) 699 | self.home_partition.set_value(3) 700 | self.root_partition.set_value(5) 701 | # Post Configuration (nochroot) 702 | f = open('/tmp/hardening-post-nochroot','w') 703 | f.write('') 704 | f.close() 705 | # Post Configuration 706 | f = open('/tmp/hardening-post','w') 707 | # Run Hardening Script 708 | f.write('/sbin/system-hardening -q &> /dev/null\n') 709 | # RHN Satellite requires umask of 022 for installation only for root 710 | f.write('sed -i \':a;N;$!ba;s/077/022/2\' /etc/profile\n') 711 | f.close() 712 | # Package Selection 713 | f = open('/tmp/hardening-packages','w') 714 | f.write('') 715 | f.close() 716 | 717 | 718 | ################################################################################################################ 719 | # Proprietary Database 720 | ################################################################################################################ 721 | if int(self.system_profile.get_active()) == 4: 722 | # Partitioning 723 | if self.disk_total < 60: 724 | self.MessageBox(self.window,"Recommended minimum of 60Gb disk space for a Proprietary Database Server!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 725 | self.www_partition.set_value(0) 726 | self.home_partition.set_value(5) 727 | self.swap_partition.set_value(5) 728 | self.var_partition.set_value(7) 729 | self.log_partition.set_value(10) 730 | self.audit_partition.set_value(10) 731 | self.tmp_partition.set_value(15) 732 | self.opt_partition.set_value(30) 733 | self.root_partition.set_value(18) 734 | # Post Configuration (nochroot) 735 | f = open('/tmp/hardening-post-nochroot','w') 736 | f.write('cp /mnt/source/hardening/classification-banner.py /mnt/sysimage/usr/local/bin/\n') 737 | f.write('chmod a+rx /mnt/sysimage/usr/local/bin/classification-banner.py\n') 738 | f.close() 739 | # Post Configuration 740 | f = open('/tmp/hardening-post','w') 741 | # Run Hardening Script 742 | f.write('/sbin/system-hardening -q &> /dev/null \n') 743 | f.close() 744 | # Package Selection 745 | f = open('/tmp/hardening-packages','w') 746 | f.write('xorg-x11-server-Xorg\n') 747 | f.write('xorg-x11-xinit\n') 748 | f.write('xterm\n') 749 | f.write('twm\n') 750 | f.write('liberation-*\n') 751 | f.write('dejavu-*\n') 752 | f.write('openmotif\n') 753 | f.write('libXmu\n') 754 | f.write('libXp\n') 755 | f.write('openmotif22\n') 756 | f.write('kernel-devel\n') 757 | f.write('kernel-headers\n') 758 | f.write('gcc\n') 759 | f.write('gcc-c++\n') 760 | f.write('libgcc\n') 761 | f.write('autoconf\n') 762 | f.write('make\n') 763 | f.write('libstdc++\n') 764 | f.write('compat-libstdc++\n') 765 | f.write('libaio\n') 766 | f.write('libaio-devel\n') 767 | f.write('unixODBC\n') 768 | f.write('unixODBC-devel\n') 769 | f.write('sysstat\n') 770 | f.write('ksh\n') 771 | f.close() 772 | 773 | ################################################################################################################ 774 | # RHN Satellite 5.x Install 775 | ################################################################################################################ 776 | if int(self.system_profile.get_active()) == 3: 777 | # Partitioning 778 | if self.disk_total < 120: 779 | self.MessageBox(self.window,"Recommended minimum of 120Gb disk space for a RHN Satelite Server!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 780 | self.opt_partition.set_value(0) 781 | self.www_partition.set_value(3) 782 | self.swap_partition.set_value(1) 783 | self.tmp_partition.set_value(2) 784 | self.var_partition.set_value(80) 785 | self.log_partition.set_value(3) 786 | self.audit_partition.set_value(3) 787 | self.home_partition.set_value(3) 788 | self.root_partition.set_value(5) 789 | # Post Configuration (nochroot) 790 | f = open('/tmp/hardening-post-nochroot','w') 791 | f.write('') 792 | f.close() 793 | # Post Configuration 794 | f = open('/tmp/hardening-post','w') 795 | # Run Hardening Script 796 | f.write('/sbin/system-hardening -q &> /dev/null\n') 797 | # RHN Satellite requires umask of 022 for installation only for root 798 | f.write('sed -i \':a;N;$!ba;s/077/022/2\' /etc/profile\n') 799 | f.close() 800 | # Package Selection 801 | f = open('/tmp/hardening-packages','w') 802 | f.write('') 803 | f.close() 804 | 805 | ################################################################################################################ 806 | # RHN Satellite 6.x Install 807 | ################################################################################################################ 808 | if int(self.system_profile.get_active()) == 4: 809 | # Partitioning 810 | if self.disk_total < 120: 811 | self.MessageBox(self.window,"Recommended minimum of 120Gb disk space for a RHN Satelite Server!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 812 | self.opt_partition.set_value(70) 813 | self.www_partition.set_value(3) 814 | self.swap_partition.set_value(1) 815 | self.tmp_partition.set_value(2) 816 | self.var_partition.set_value(10) 817 | self.log_partition.set_value(3) 818 | self.audit_partition.set_value(3) 819 | self.home_partition.set_value(3) 820 | self.root_partition.set_value(5) 821 | # Post Configuration (nochroot) 822 | f = open('/tmp/hardening-post-nochroot','w') 823 | f.write('') 824 | f.close() 825 | # Post Configuration 826 | f = open('/tmp/hardening-post','w') 827 | # Run Hardening Script 828 | f.write('/sbin/system-hardening -q &> /dev/null\n') 829 | # RHN Satellite requires umask of 022 for installation only for root 830 | f.write('sed -i \':a;N;$!ba;s/077/022/2\' /etc/profile\n') 831 | f.close() 832 | # Package Selection 833 | f = open('/tmp/hardening-packages','w') 834 | f.write('libyaml\n') 835 | f.write('tomcat6\n') 836 | f.write('java-1.6.0-openjdk\n') 837 | f.close() 838 | 839 | 840 | ################################################################################################################ 841 | # Proprietary Database 842 | ################################################################################################################ 843 | if int(self.system_profile.get_active()) == 5: 844 | # Partitioning 845 | if self.disk_total < 60: 846 | self.MessageBox(self.window,"Recommended minimum of 60Gb disk space for a Proprietary Database Server!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 847 | self.www_partition.set_value(0) 848 | self.home_partition.set_value(5) 849 | self.swap_partition.set_value(5) 850 | self.var_partition.set_value(7) 851 | self.log_partition.set_value(10) 852 | self.audit_partition.set_value(10) 853 | self.tmp_partition.set_value(15) 854 | self.opt_partition.set_value(30) 855 | self.root_partition.set_value(18) 856 | # Post Configuration (nochroot) 857 | f = open('/tmp/hardening-post-nochroot','w') 858 | f.write('cp /mnt/source/hardening/classification-banner.py /mnt/sysimage/usr/local/bin/\n') 859 | f.write('chmod a+rx /mnt/sysimage/usr/local/bin/classification-banner.py\n') 860 | f.close() 861 | # Post Configuration 862 | f = open('/tmp/hardening-post','w') 863 | # Run Hardening Script 864 | f.write('/sbin/system-hardening -q &> /dev/null\n') 865 | f.close() 866 | # Package Selection 867 | f = open('/tmp/hardening-packages','w') 868 | f.write('xorg-x11-server-Xorg\n') 869 | f.write('xorg-x11-xinit\n') 870 | f.write('xterm\n') 871 | f.write('twm\n') 872 | f.write('liberation-*\n') 873 | f.write('dejavu-*\n') 874 | f.write('openmotif\n') 875 | f.write('libXmu\n') 876 | f.write('libXp\n') 877 | f.write('openmotif22\n') 878 | f.write('kernel-devel\n') 879 | f.write('kernel-headers\n') 880 | f.write('gcc\n') 881 | f.write('gcc-c++\n') 882 | f.write('libgcc\n') 883 | f.write('autoconf\n') 884 | f.write('make\n') 885 | f.write('libstdc++\n') 886 | f.write('compat-libstdc++\n') 887 | f.write('libaio\n') 888 | f.write('libaio-devel\n') 889 | f.write('unixODBC\n') 890 | f.write('unixODBC-devel\n') 891 | f.write('sysstat\n') 892 | f.write('ksh\n') 893 | f.close() 894 | 895 | 896 | 897 | ################################################################################################################ 898 | # RHEV-Attached KVM Server (HARDENING SCRIPT NOT RUN UNTIL AFTER CONNECTION TO RHEVM SERVER) 899 | ################################################################################################################ 900 | if int(self.system_profile.get_active()) == 6: 901 | # WARNING - HARDENDING SCRIPT NOT RUN! 902 | self.MessageBox(self.window,"THIS PROFILE WILL NOT RUN THE HARDENING SCRIPT!\n\nPlease run the system hardening script after system has been attached to the RHEV-M server using the following command:\n\n # hardening",gtk.MESSAGE_WARNING) 903 | # Partitioning 904 | if self.disk_total < 60: 905 | self.MessageBox(self.window,"Recommended minimum of 60Gb disk space for a RHEV-Attached KVM Server Install!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 906 | self.opt_partition.set_value(0) 907 | self.www_partition.set_value(0) 908 | self.swap_partition.set_value(5) 909 | self.tmp_partition.set_value(10) 910 | self.var_partition.set_value(10) 911 | self.log_partition.set_value(10) 912 | self.audit_partition.set_value(10) 913 | self.home_partition.set_value(25) 914 | self.root_partition.set_value(30) 915 | # Post Configuration (nochroot) 916 | f = open('/tmp/hardening-post-nochroot','w') 917 | f.write('') 918 | f.close() 919 | # Post Configuration 920 | f = open('/tmp/hardening-post','w') 921 | # Allow 'root' to login via SSH - Required by RHEV-M 922 | f.write('sed -i "/^PermitRootLogin/ c\PermitRootLogin yes" /etc/ssh/sshd_config') 923 | f.close() 924 | # Package Selection 925 | f = open('/tmp/hardening-packages','w') 926 | f.write('') 927 | f.close() 928 | 929 | 930 | ################################################################################################################ 931 | # Standalone KVM Installation 932 | ################################################################################################################ 933 | if int(self.system_profile.get_active()) == 7: 934 | # Partitioning 935 | if self.disk_total < 60: 936 | self.MessageBox(self.window,"Recommended minimum 60Gb disk space for a RHEL/KVM Server!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 937 | self.opt_partition.set_value(0) 938 | self.www_partition.set_value(0) 939 | self.swap_partition.set_value(2) 940 | self.tmp_partition.set_value(3) 941 | self.var_partition.set_value(65) 942 | self.log_partition.set_value(5) 943 | self.audit_partition.set_value(5) 944 | self.home_partition.set_value(5) 945 | self.root_partition.set_value(15) 946 | # Post Configuration (nochroot) 947 | f = open('/tmp/hardening-post-nochroot','w') 948 | f.write('') 949 | f.close() 950 | # Post Configuration 951 | f = open('/tmp/hardening-post','w') 952 | # Run Hardening Script 953 | f.write('/sbin/system-hardening -q &> /dev/null\n') 954 | f.close() 955 | # Package Selection 956 | f = open('/tmp/hardening-packages','w') 957 | f.write('@storage-client-iscsi\n') 958 | f.write('@virtualization\n') 959 | f.write('@virtualization-client\n') 960 | f.write('@virtualization-platform\n') 961 | f.write('@virtualization-tools\n') 962 | f.write('perl-Sys-Virt\n') 963 | f.write('qemu-kvm-tools\n') 964 | f.write('fence-virtd-libvirt\n') 965 | f.write('virt-v2v\n') 966 | f.write('libguestfs-tools\n') 967 | f.close() 968 | 969 | 970 | ################################################################################################################ 971 | # Apache HTTP (Web Server) 972 | ################################################################################################################ 973 | if int(self.system_profile.get_active()) == 8: 974 | # Partitioning 975 | if self.disk_total < 10: 976 | self.MessageBox(self.window,"Recommended minimum of 10Gb disk space for a Web Server!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 977 | self.opt_partition.set_value(0) 978 | self.www_partition.set_value(0) 979 | self.swap_partition.set_value(5) 980 | self.tmp_partition.set_value(10) 981 | self.var_partition.set_value(10) 982 | self.log_partition.set_value(10) 983 | self.audit_partition.set_value(10) 984 | self.home_partition.set_value(25) 985 | self.root_partition.set_value(30) 986 | # Post Configuration (nochroot) 987 | f = open('/tmp/hardening-post-nochroot','w') 988 | f.write('') 989 | f.close() 990 | # Post Configuration 991 | f = open('/tmp/hardening-post','w') 992 | # Run Hardening Script 993 | f.write('/sbin/system-hardening -q &> /dev/null\n') 994 | f.close() 995 | # Package Selection 996 | f = open('/tmp/hardening-packages','w') 997 | f.write('httpd\n') 998 | f.close() 999 | 1000 | 1001 | ################################################################################################################ 1002 | # Apache Tomcat 1003 | ################################################################################################################ 1004 | if int(self.system_profile.get_active()) == 9: 1005 | # Partitioning 1006 | if self.disk_total < 10: 1007 | self.MessageBox(self.window,"Recommended minimum of 10Gb disk space for an Apache Tomcat Web Server!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 1008 | self.opt_partition.set_value(0) 1009 | self.www_partition.set_value(0) 1010 | self.swap_partition.set_value(5) 1011 | self.tmp_partition.set_value(10) 1012 | self.var_partition.set_value(10) 1013 | self.log_partition.set_value(10) 1014 | self.audit_partition.set_value(10) 1015 | self.home_partition.set_value(25) 1016 | self.root_partition.set_value(30) 1017 | # Post Configuration (nochroot) 1018 | f = open('/tmp/hardening-post-nochroot','w') 1019 | f.write('') 1020 | f.close() 1021 | # Post Configuration 1022 | f = open('/tmp/hardening-post','w') 1023 | # Run Hardening Script 1024 | f.write('/sbin/system-hardening -q &> /dev/null\n') 1025 | f.close() 1026 | # Package Selection 1027 | f = open('/tmp/hardening-packages','w') 1028 | f.write('tomcat6\n') 1029 | f.close() 1030 | 1031 | 1032 | ################################################################################################################ 1033 | # PostgreSQL Database 1034 | ################################################################################################################ 1035 | if int(self.system_profile.get_active()) == 10: 1036 | # Partitioning 1037 | if self.disk_total < 16: 1038 | self.MessageBox(self.window,"Recommended minimum of 16Gb disk space for a PostgreSQL Database Server!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 1039 | self.opt_partition.set_value(0) 1040 | self.www_partition.set_value(0) 1041 | self.swap_partition.set_value(5) 1042 | self.tmp_partition.set_value(10) 1043 | self.var_partition.set_value(10) 1044 | self.log_partition.set_value(10) 1045 | self.audit_partition.set_value(10) 1046 | self.home_partition.set_value(25) 1047 | self.root_partition.set_value(30) 1048 | # Post Configuration (nochroot) 1049 | f = open('/tmp/hardening-post-nochroot','w') 1050 | f.write('') 1051 | f.close() 1052 | # Post Configuration 1053 | f = open('/tmp/hardening-post','w') 1054 | # Run Hardening Script 1055 | f.write('/sbin/system-hardening -q &> /dev/null\n') 1056 | f.close() 1057 | # Package Selection 1058 | f = open('/tmp/hardening-packages','w') 1059 | f.write('postgresql\n') 1060 | f.close() 1061 | 1062 | 1063 | ################################################################################################################ 1064 | # MySQL Database 1065 | ################################################################################################################ 1066 | if int(self.system_profile.get_active()) == 11: 1067 | # Partitioning 1068 | if self.disk_total < 16: 1069 | self.MessageBox(self.window,"Recommended minimum of 16Gb disk space for a MariaDB Database Server!\n\n You have "+str(self.disk_total)+"Gb available.",gtk.MESSAGE_WARNING) 1070 | self.opt_partition.set_value(0) 1071 | self.www_partition.set_value(0) 1072 | self.swap_partition.set_value(5) 1073 | self.tmp_partition.set_value(10) 1074 | self.var_partition.set_value(10) 1075 | self.log_partition.set_value(10) 1076 | self.audit_partition.set_value(10) 1077 | self.home_partition.set_value(25) 1078 | self.root_partition.set_value(30) 1079 | # Post Configuration (nochroot) 1080 | f = open('/tmp/hardening-post-nochroot','w') 1081 | f.write('') 1082 | f.close() 1083 | # Post Configuration 1084 | f = open('/tmp/hardening-post','w') 1085 | # Run Hardening Script 1086 | f.write('/sbin/system-hardening -q &> /dev/null\n') 1087 | f.close() 1088 | # Package Selection 1089 | f = open('/tmp/hardening-packages','w') 1090 | f.write('mysql-server\n') 1091 | f.close() 1092 | 1093 | # Check LVM Partitioning 1094 | def lvm_check(self,args): 1095 | self.lvm = self.root_partition.get_value_as_int()+self.home_partition.get_value_as_int()+self.tmp_partition.get_value_as_int()+self.var_partition.get_value_as_int()+self.log_partition.get_value_as_int()+self.audit_partition.get_value_as_int()+self.swap_partition.get_value_as_int()+self.www_partition.get_value_as_int()+self.opt_partition.get_value_as_int() 1096 | self.partition_used.set_label(str(self.lvm)+'%') 1097 | if int(self.lvm) > 100: 1098 | self.MessageBox(self.window,"Verify that LVM configuration is not over 100%!",gtk.MESSAGE_ERROR) 1099 | return False 1100 | else: 1101 | return True 1102 | 1103 | 1104 | # Display Message Box (e.g. Help Screen, Warning Screen, etc.) 1105 | def MessageBox(self,parent,text,type=gtk.MESSAGE_INFO): 1106 | message = gtk.MessageDialog(parent,0,type,gtk.BUTTONS_OK) 1107 | message.set_markup(text) 1108 | response = message.run() 1109 | if response == gtk.RESPONSE_OK: 1110 | message.destroy() 1111 | 1112 | 1113 | # Get Password 1114 | def get_password(self,parent): 1115 | dialog = gtk.Dialog("Configure System Password",parent,gtk.DIALOG_MODAL|gtk.DIALOG_DESTROY_WITH_PARENT,(gtk.STOCK_CANCEL,gtk.RESPONSE_REJECT,gtk.STOCK_OK,gtk.RESPONSE_ACCEPT)) 1116 | self.pass1 = gtk.HBox() 1117 | self.label1 = gtk.Label(" Passsword: ") 1118 | self.pass1.pack_start(self.label1,False,True,0) 1119 | self.password1 = gtk.Entry() 1120 | self.password1.set_visibility(False) 1121 | self.pass1.pack_start(self.password1,False,True,0) 1122 | dialog.vbox.add(self.pass1) 1123 | self.pass2 = gtk.HBox() 1124 | self.label2 = gtk.Label(" Verify Password: ") 1125 | self.pass2.pack_start(self.label2,False,True,0) 1126 | self.password2 = gtk.Entry() 1127 | self.password2.set_visibility(False) 1128 | self.pass2.pack_start(self.password2,False,True,0) 1129 | dialog.vbox.add(self.pass2) 1130 | dialog.show_all() 1131 | response = dialog.run() 1132 | if response == gtk.RESPONSE_ACCEPT: 1133 | self.a = self.password1.get_text() 1134 | self.b = self.password2.get_text() 1135 | dialog.destroy() 1136 | else: 1137 | self.a = '' 1138 | self.b = '' 1139 | dialog.destroy() 1140 | 1141 | # Appply Configurations to Kickstart File 1142 | def apply_configuration(self,args): 1143 | 1144 | # Set system password 1145 | while True: 1146 | self.get_password(self.window) 1147 | if self.a == self.b: 1148 | if len(self.a) == 0: 1149 | return 1150 | elif len(self.a) >= 14: 1151 | self.passwd = self.a 1152 | break 1153 | else: 1154 | self.MessageBox(self.window,"Password too short! 14 Characters Required.",gtk.MESSAGE_ERROR) 1155 | else: 1156 | self.MessageBox(self.window,"Passwords Don't Match!",gtk.MESSAGE_ERROR) 1157 | 1158 | self.error = 0 1159 | 1160 | if self.verify.check_hostname(self.hostname.get_text()) == False: 1161 | self.MessageBox(self.window,"Invalid Hostname!",gtk.MESSAGE_ERROR) 1162 | self.error = 1 1163 | 1164 | # Check Install Disks 1165 | self.install_disks = "" 1166 | self.ignore_disks = "" 1167 | for i in range(len(self.disk_info)): 1168 | if eval("self.disk%d.get_active()"%(i)) == True: 1169 | self.install_disks += self.disk_info[i][0]+"," 1170 | else: 1171 | self.ignore_disks += self.disk_info[i][0]+"," 1172 | self.data["INSTALL_DRIVES"] = self.install_disks[:-1] 1173 | self.data["IGNORE_DRIVES"] = self.ignore_disks[:-1] 1174 | if self.install_disks == "": 1175 | self.MessageBox(self.window,"Please select at least one install disk!",gtk.MESSAGE_ERROR) 1176 | self.error = 1 1177 | 1178 | # Check LVM Partitioning 1179 | if self.lvm_check(args) == False: 1180 | self.error = 1 1181 | 1182 | # Write Kickstart File 1183 | if self.error == 0: 1184 | 1185 | # Generate Salt 1186 | self.salt = '' 1187 | self.alphabet = '.abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ' 1188 | for self.i in range(16): 1189 | self.index = random.randrange(len(self.alphabet)) 1190 | self.salt = self.salt+self.alphabet[self.index] 1191 | 1192 | # Encrypt Password 1193 | self.salt = '$6$'+self.salt 1194 | self.password = crypt.crypt(self.passwd,self.salt) 1195 | 1196 | # Write Classification Banner Settings 1197 | f = open('/tmp/classification-banner','w') 1198 | f.write('message = "'+str(self.system_classification.get_active_text())+'"\n') 1199 | if int(self.system_classification.get_active()) == 0 or int(self.system_classification.get_active()) == 1: 1200 | f.write('fgcolor = "#FFFFFF"\n') 1201 | f.write('bgcolor = "#007A33"\n') 1202 | elif int(self.system_classification.get_active()) == 2: 1203 | f.write('fgcolor = "#FFFFFF"\n') 1204 | f.write('bgcolor = "#0033A0"\n') 1205 | elif int(self.system_classification.get_active()) == 3: 1206 | f.write('fgcolor = "#FFFFFF"\n') 1207 | f.write('bgcolor = "#C8102E"\n') 1208 | elif int(self.system_classification.get_active()) == 4: 1209 | f.write('fgcolor = "#FFFFFF"\n') 1210 | f.write('bgcolor = "#FF671F"\n') 1211 | elif int(self.system_classification.get_active()) == 5: 1212 | f.write('fgcolor = "#FFFFF"\n') 1213 | f.write('bgcolor = "#F7EA48"\n') 1214 | elif int(self.system_classification.get_active()) == 6: 1215 | f.write('fgcolor = "#000000"\n') 1216 | f.write('bgcolor = "#F7EA48"\n') 1217 | else: 1218 | f.write('fgcolor = "#FFFFFF"\n') 1219 | f.write('bgcolor = "#007A33"\n') 1220 | f.close() 1221 | 1222 | # Write Kickstart Configuration (Hostname/Passwords) 1223 | f = open('/tmp/hardening','w') 1224 | f.write('network --device eth0 --bootproto dhcp --noipv6 --hostname '+self.hostname.get_text()+'\n') 1225 | f.write('rootpw --iscrypted '+str(self.password)+'\n') 1226 | f.write('bootloader --location=mbr --driveorder='+str(self.data["INSTALL_DRIVES"])+' --append="crashkernel=auto rhgb quiet audit=1" --password='+str(self.a)+'\n') 1227 | f.close() 1228 | # Write Kickstart Configuration (Hostname/Passwords) 1229 | f = open('/tmp/partitioning','w') 1230 | if self.data["IGNORE_DRIVES"] != "": 1231 | f.write('ignoredisk --drives='+str(self.data["IGNORE_DRIVES"])+'\n') 1232 | f.write('zerombr\n') 1233 | f.write('clearpart --all --drives='+str(self.data["INSTALL_DRIVES"])+'\n') 1234 | if self.encrypt_disk.get_active() == True: 1235 | f.write('part pv.01 --grow --size=200 --encrypted --cipher=\'aes-xts-plain64\' --passphrase='+str(self.passwd)+'\n') 1236 | else: 1237 | f.write('part pv.01 --grow --size=200\n') 1238 | f.write('part /boot --fstype=ext4 --size=1024\n') 1239 | f.write('volgroup vg1 --pesize=4096 pv.01\n') 1240 | f.write('logvol / --fstype=ext4 --name=lv_root --vgname=vg1 --size=2048 --grow --percent='+str(self.root_partition.get_value_as_int())+'\n') 1241 | f.write('logvol /home --fstype=ext4 --name=lv_home --vgname=vg1 --size=1024 --grow --percent='+str(self.home_partition.get_value_as_int())+'\n') 1242 | f.write('logvol /tmp --fstype=ext4 --name=lv_tmp --vgname=vg1 --size=512 --grow --percent='+str(self.tmp_partition.get_value_as_int())+'\n') 1243 | f.write('logvol /var --fstype=ext4 --name=lv_var --vgname=vg1 --size=512 --grow --percent='+str(self.var_partition.get_value_as_int())+'\n') 1244 | f.write('logvol /var/log --fstype=ext4 --name=lv_log --vgname=vg1 --size=512 --grow --percent='+str(self.log_partition.get_value_as_int())+'\n') 1245 | f.write('logvol /var/log/audit --fstype=ext4 --name=lv_audit --vgname=vg1 --size=512 --grow --percent='+str(self.audit_partition.get_value_as_int())+'\n') 1246 | f.write('logvol swap --fstype=swap --name=lv_swap --vgname=vg1 --size=256 --maxsize=4096 --grow --percent='+str(self.swap_partition.get_value_as_int())+'\n') 1247 | if self.opt_partition.get_value_as_int() >= 1: 1248 | f.write('logvol /opt --fstype=ext4 --name=lv_opt --vgname=vg1 --size=512 --grow --percent='+str(self.opt_partition.get_value_as_int())+'\n') 1249 | if self.www_partition.get_value_as_int() >= 1: 1250 | f.write('logvol /var/www --fstype=ext4 --name=lv_www --vgname=vg1 --size=512 --grow --percent='+str(self.www_partition.get_value_as_int())+'\n') 1251 | f.close() 1252 | gtk.main_quit() 1253 | 1254 | 1255 | # Executes Window Display 1256 | if __name__ == "__main__": 1257 | window = Display_Menu() 1258 | gtk.main() 1259 | --------------------------------------------------------------------------------