redhatgov / ssg-el7-kickstart Goto Github PK

In the FIPS 140-2 Kernel Mode, you set the boot partition by identifying it with "df /boot". This provides the device name for the boot device. However, since one of the best practices (at least according to the DISA STIG) is to use boot=UUID=xxxxxx to make it device independent.

Would it be better to use the UUID taken from blkid?

The banner message text in the ssg-supplemental.sh script is incorrect. This is the line which contains the error:

-This IS includes security measures (e.g., authentication and access controls) \nto protect USG interests -- not for your personal benefit or privacy.

There are no spaces around the double-dash. A common error is to put spaces there. The text is correct at this link, which should be publically accessible.
https://iase.disa.mil/Documents/unclass-consent_banner.zip

Hello,
I am trying to add new firewall rules into the final ISO image, but seems they are not taking into consideration. Even the SSH port is not opened and needs to be readeed, once the new server is deployed.
So far I have tried to add the firewall-cmd rules to the following files:
ssg-rhel.cfg
ssg-supplemental.sh
menu.py

None is taking into consideration the new FW entries.
Any suggestion on this one?
Thank you.

Hi all,
Here's one puzzling problem that kept me awake last night.
I'm a customizing somewhat 'menu.py' and rebuilding the ISO image on a frequent basis (about 15-20 times a day).
At some point, I noticed this behaviour:
Once booted, the install skipped right to the usual RedHat install screen (without stopping at menu.py) and complained about no disk selected.
After a lot of trial and error, I traced it back to this error:
"invalid literal for int() with base 10 python"
for this line in the code:
self.disk_total += int(self.disk_info[i][1])

I had been working on letting using 'Gb' instead of percentage for the sizes of the volumes (only for the user Workstation profile) while preserving the '%' behaviour. In order to do this, I had to avoid rounding errors and keep disk_total in MB's instead of Gb's. I got right of the 'float' a little to quickly.

The reason why I am opening an issue is this:

• I could not reproduce the error with either 'python' from FC25 or 'python' from EL7. I had to actually sabotage the install and drop to an interactive shell where I could run 'python' from the EL7.4 DVD.

Is there a way to make menu.py's invocating by 'python' from 'python' on the DVD image a little easier to debug?

Hi, i created and installed the rhel 7.4 iso using this lockdown scrtipt. The header and footer display:
<span font_family='libera TOP SECRET//SCI

Could you help me to correct this issue. Thanks.

After imaging a machine with the ssg-rhel-7.7.iso, I am unable to use the mouse and keyboard at the login screen. Is this because the script disabled them?

hello,

I get an unterminated s command error when i run your fips-kernel-mode.sh script

After applying the lock down, ldap user can not login. Received error: pam_unix(sshd:auth): authentication failure even thought the password entered correctly.
Any suggestion is appreciated.

When attempting to boot the ssg-rhel-7.1.iso created via the createiso.sh script I receive the error: Warning: /dev/root does not exist. After this, I'm dropped into the dracut emergency shell. For reference, I'm installing in a Virtualbox VM to test prior to deployment, and using the latest RHEL 7.1 Server image.

I would like to change the Licence of this project from GNU Public Licence version 2 (GPLv2) to Apache Public Licence 2.0 (APL2.0) to allow people to utilize this software without having to submit changes back to the project. I believe that this will allow for better use in the DOD/IC without the requirements to give back everything - however, it would still remain open source as a reference model.

Title says it all.
I've opened this BZ to track this:
https://bugzilla.redhat.com/show_bug.cgi?id=1494234

It seems it's a known problem but I believe it should be fixed in our repos.
https://access.redhat.com/solutions/2850911

How can I run this script for CentOS 7?

Hi,
I'm pretty new to pygtk.. I am currently writing some additions to menu.py to let the user specifiy 'Gb' instead of 'percentage' (of disk) for some profiles (most notably Workstation).
The backend code is working fine but I am unable to refresh the Button Labels from '%' to 'Gb' when switching profiles.
I'm specifically talking about this code:
self.label = gtk.Label("% VAR (/var) ")
which I changed to:
self.label = gtk.Label(self.partition_units+" VAR (/var) ")

when I switch profiles, the 'values' get a refresh but not the labels and I'm a little at a loss to iterate through the HBox'es to change the labels.

I would hate to convert -every- profile to 'Gb' instead of '%' and break your current code.
Any hints?

I am trying to add packages to the ssg-rhel.cfg and out of 9 Packages, 4 install. The ones after libnetfilter do not install. Here is my line after -

#Install USB Guard

#Install Suricata
yum localinstall -y /root/hardening/lz4*.rpm
yum localinstall -y /root/hardening/hiredis*.rpm
yum localinstall -y /root/hardening/libnet*.rpm
yum localinstall -y /root/hardening/libnetfilter*.rpm
yum localinstall -y /root/hardening/libprelude*.rpm
yum localinstall -y /root/hardening/libprelude-devel*.rpm
yum localinstall -y /root/hardening/libtool*.rpm
yum localinstall -y /root/hardening/libtool-ltdel*.rpm
yum localinstall -y /root/hardening/suricata*.rpm
systemctl enable suricata

I have all the required packages in the hardening directory and after 5+ tries still unable to get them to install.

Thanks in advance for the assistance.

Hi!

Currently an OpenSCAP scan rule fails when using the audit rules produced by ssg-supplemental.sh. I believe it's because of the way that the scap-security-guide checks the file:

https://github.com/OpenSCAP/scap-security-guide/blob/0f098e5ff5935e74fbb6a56ec03f4bdb5c90ccdd/shared/oval/audit_rules_privileged_commands.xml#L78

I've fixed this tested and fixed this locally and will open a PR now 🦄

Hi,

I just tried creating the new ssg-rhel-7.1.iso using the command:
"createiso.sh rhel-server-7.1-x86_64-dvd.iso"
The new iso is created without any issue but if I try to create a new VM by using ssg-rhel-7.1.iso, it crashes the VMWorkstation. Also, If I burn it to a DVD (wodim -eject -tao speed=0 dev=/dev/scd0 -v -data ssg-rhel-7.1.iso) and try to boot from this image, it does boot from this DVD.

Am I doing something wrong?

Appreciate this kickstart, experience issues related to usb keyboard and usb mouse. The USBguard rpm was not allowing them to be used or even powered on.

• Might have the kickstart script collect attached usb devices at startup and allow those specific USB keyboard and mouse devices

Also, another generic idea is to

• install the ansible package by default since RHEL is moving that way...

Thanks again,

I've used your content for creating a bootable RHEL 6 ISO and did the same for 7. After creating the ISO and booting, it goes to a text based installation menu. Things like partition sizes, FIPS, encryption, etc, cannot be modified or adjusted.

I've tried building the ISO using your script from a RHEL 6.9/7.3/7.4 machine with the same results (all minimal installs). None of your content was modified and was used as-is when executing the script to create the ISO. A quick poking around the menu.py file and it seems it's supposed to be GUI driven like your RHEL 6 content.

The destination system being built is a VM hosted within a vSphere 6.5 environment. Am I doing something incorrect when generating the ISO or is there maybe something missing from the source boxes I'm using to build it from that could be causing this?

https://github.com/OpenSCAP/scap-security-guide/tree/master/rhel7/kickstart

The SSG repo has a spot for kickstart files. Should we contribute this content to the SSG?

Hi, Is there any change for RHEL latest version released (7.7).

Hello,
I was wondering to change the percent-mounts to mb-mounts, but I am not that good in python. First of all I changed it in the redhat6-hardening meny.py and it worked. Now I treid the same with the redhat7-hardening menu.py. Under redhat6-hardening I added a new variable "

self.disk_mb = self.disk_total * 1024

". This new self.disk_mb should be the value:

First step: I changed the luks- configuration:

The server should be started up as far as possible without entering any data. In a data center this is sometimes necessary.

...
self.encrypt_disk = gtk.CheckButton('Encrypt Drives with LUKS')
self.encrypt_disk.set_active(False)
self.encrypt.pack_start(self.encrypt_disk, False, True, 0)
...

Second step: Example:

All partitions should be set from percent to an actual size. This has the advantage that the administrator can leave the defaults independent of the existing hard disk size. At a e.g. 500GB hard drive would be 10 percent for root way too much in my opinion.

root gets 2048MB

...
self.label = gtk.Label(" ROOT (/) ")
self.partitioning1.pack_start(self.label,False,True,0)
self.root_range = gtk.Adjustment(2048,1,self.disk_mb,1,100, 0)
...

Third Step:

There is a division of hard disk mountpoints. Here the standards are taken from a Linux operating system. Here I would separate the mountpoint /usr. With the optional mountpoints /opt or /var/www the question arises under Redhat, if /var/www is really necessary. The admin could set this up at any time on the console, if desired. Because if you also include repositories, under Redhat it can very easily happen that e.g. Apache (http24) does not have its files as usual under /var/www/html. These would then be under /opt/rh/httpd24/root/var/www/.

/usr gets 4096MB

...
self.label = gtk.Label("MB USR /usr ")
self.partitioning3.pack_start(self.label,False,True,0)
self.usr_range = gtk.Adjustment(4096,1,self.disk_mb,1,100, 0)
self.usr_partition = gtk.SpinButton(adjustment=self.usr_range,climb_rate=1,digits=0)
self.usr_partition.connect('value-changed',self.lvm_check)
self.partitioning3.pack_start(self.usr_partition,False,True,0)
...

Now the question:
Does anyone already have such a working version? I would be very happy to get this version of the menu.py file.

Hi, will there be a solution for Redhat8?

Issues after a clean install of Redhat 7.6 Workstation using the DISA STIG security profile:

1. Boot fails:
   dracut: FATAL: FIPS integrity test failed
   dracut: Refusing to continue
   System halted.
   Workaround:
   From the grub edit menu remove fips=1 then CTRL-X to boot
   Edit /etc/default/grub - remove fips=1
   grub2-mkconfig -o /boot/grub2/grub.cfg
   Have not found a real fix for this yet

2. /usr/bin/X missing - X Server excluded by the security profile even if GUI is requested
   Reference:
   https://bugzilla.redhat.com/show_bug.cgi?id=1648162
   https://access.redhat.com/solutions/3755211
   Fix:
   CTRL-ALT-F2 to virtual console and install the missing packages:
   yum groupinstall "X Window System" -y

3. /etc/dconf/db/gdm.d: warning: Failed to read keyfile '/etc/dconf/db/gdm.d/00-security-settings':
   Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1659537
   Fix:
   Change newlines in the banner string to \n
   Edit /etc/dconf/db/gdm.d/00-security-settings and replace the newlines with \n
   Run: dconf update

4. Keyboard and mouse stop working after GUI starts
   Fix::
   Caused when I installed the package xorg-x11-server-Xorg which failed
   to also install the X11 drivers
   The correct fix for item 2 above is:
   yum groupinstall "X Window System" -y

I get this error when I have four disks present but only checking the box to install to one of them. 2 x 960gb, 2 x 3.84tb
Or perhaps any issues with greater than 3TB Drives? My plan was to install to one 960GB and post-install setup two LVM mirrors.

I get errors immediately when starting the install after the custom config menu.

An unknown error has occurred
anaconda 21.48.22.158-1 exception report
Traceback...
File "/usr/lib/python2.7/site-packages/blivet/init.py" line 1141 in newVG

Removing the two 3.84TB Drives from the system allows the install to work as expected.

Is there any support for RHEL 9 and higher?

Hi,
Applying the SSG hardening scripts over an Red Hat 7.3 image left me with an error at the booting sequence:

• dracut-pre-trigger: modprobe: ERROR: could not insert 'camellia_aensi_avx2': No such device
• dracut-pre-trigger: modprobe: ERROR: could not insert 'serpent_avx2': No such device
• dracut-pre-trigger: modprobe: FATAL: Module sha1 not found.

Any recommandations to fix these ones?
Regards,
Constantin

I don't think that this line is well formed:

https://github.com/RedHatGov/ssg-el7-kickstart/blob/master/config/hardening/ssg-supplemental.sh#L335

In menu.py, when using disk encryption, the passphrase fails to passthrough as expected. As far as I can tell from the documentation, --passphrase doesn't accept the crypt()'d value of the root password. So, for this to work, I have to memorize the salt and the salted sha512 value of my password. Solid security. Not easy to use.

Could be that I'm doing it wrong too. If so, please let me know what I'm doing wrong (I would love to be able to store the password in the kickstart not in plaintext).

The first try with RHEL 7.8 didn't work for me.
I updated the following RPMs in the config directory for RHEL 7.8 and had success. It's possible I was doing something wrong the first try, but just in case others have issues.
From RHEL 7.8 DVD:
libqb-1.0.1-9.el7.x86_64.rpm
openscap-python-1.2.17-9.el7.x86_64.rpm
openscap-utils-1.2.17-9.el7.x86_64.rpm
usbguard-0.7.4-3.el7.x86_64.rpm
openscap-1.2.17-9.el7.x86_64.rpm
openscap-scanner-1.2.17-9.el7.x86_64.rpm
scap-security-guide-0.1.46-11.el7.noarch.rpm

anyone been able to fork this to run on CentOS7?