CentOS Locked Down Kickstart

From ChekMate Security Group

Introduction

What is CentOS Locked Down Kickstart?

As described by RedHat:

"Many system administrators would prefer to use an automated installation method to install Red Hat Enterprise Linux on their machines. To answer this need, Red Hat created the kickstart installation method. Using kickstart, a system administrator can create a single file containing the answers to all the questions that would normally be asked during a typical installation.
Kickstart files can be kept on a single server system and read by individual computers during the installation. This installation method can support the use of a single kickstart file to install Red Hat Enterprise Linux on multiple machines, making it ideal for network and system administrators.
Kickstart provides a way for users to automate a Red Hat Enterprise Linux installation."

I have built a Kickstart script to automate the build of CentOS 4 and harden the server: removing packages that are not needed or necessary, and so on.

This process has saved a large number of hours in our work environments and also ensures a higher level of consistency in how each server has been hardened.

While my opinion is that "a manual process for hardening servers is just not effective or efficient", it is extremely important to understand what is happening during the process and why. Failure to do so will leave your environment in a questionable state: it will be difficult to manage, and items will not work as expected due to the nature of the security controls applied.

As such NO WARRANTIES or ASSUMPTION OF RISKS are given to anyone using these scripts or documentation. USE AT YOUR OWN RISK.

Dependencies

These scripts have been built within a network infrastructure that includes a local YUM repository (using YAM), a centralized syslog server, a centralized NTP server, a mail gateway server and an SNMP server. You will need to modify the script to meet your environment's requirements.

Maintainer

Shannon McNaught (smcnaught)

Recent News

  • 15:10, 22 November 2005 (MST) - There is an issue with the SNMP configuration: the Kickstart script adds your secret to the file, but the default configuration still contains the public secret. (smcnaught)

Download

Individual scripts can be located within the Installation documentation.

Installation

With this build of KickStart we use a local repository that we have created with YAM.

Install and Configure YAM

Install createrepo, which generates new-style Yum repositories with XML metadata:

wget http://dag.wieers.com/packages/createrepo/createrepo-0.4.2-1.2.el4.rf.noarch.rpm
rpm -ivh createrepo-0.4.2-1.2.el4.rf.noarch.rpm

Install YAM

wget http://dag.wieers.com/packages/yam/yam-0.7.3-1.2.el4.rf.noarch.rpm
rpm -ivh yam-0.7.3-1.2.el4.rf.noarch.rpm
emacs /etc/yam.conf
yum install lftp

Now run Yam with no actions to see if the ISO files are mounted and all your configuration options have been used:

yam -vv

Then run Yam to update the OS packages and updates:

yam -uvv

Then run Yam to update the other repositories:

yam -xvv

Then generate the Yam repositories by doing:

yam -gvv

Run all the above in one command

yam -uxgv

Configure local Web server for Yam

If you have apache, this package should already have done a good job by installing the default Yam configuration file as:

/etc/httpd/conf.d/yam.conf

Now, you probably want to change the default to prevent people from accessing your Yam website, because you have another domain name, or simply because you don't want the generic /yam/ alias.

The config file provided is just a default that helps to set up your initial environment and it is there to be adapted. It uses by default the hostname 'yam' and if you define 'yam' as a name on your local network, it may work without change.

For browsing and for remote network installations via HTTP, the web server can be accessed at:

http://localhost/yam/

or

http://yam/

If you want to enable HTTP authentication to prevent people accessing your Yam repository, look at

/etc/httpd/conf.d/yam.conf

And adapt to your needs. More information about HTTP authentication and Apache can be found at:

http://httpd.apache.org/docs-2.0/howto/auth.html

Of course, to make it work you need to start Apache by doing eg:

service httpd start

Configure yum.conf to point to local repositories

Update /etc/yum.conf as displayed in yum.conf

Modify /etc/yum.repos.d/CentOS-Base.repo to have "enabled=0" for each repository.
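The two steps above can be scripted and verified. The following is an added example, not part of the original page or of YAM: it writes a repo file pointing yum at the local YAM mirror (with GPG checking left on), sets enabled=0 in every stanza of CentOS-Base.repo, and then checks that no public mirror is still enabled. The mirror URL http://yam/yam/centos4-i386, the RPMS.os and RPMS.updates directory names, and the GPG key path are assumed values; adjust them to your YAM layout.

```shell
#!/bin/sh
# Added example (not from the page or the YAM project): point yum at the
# local YAM mirror, disable every stanza of CentOS-Base.repo, verify.
# Assumed values: mirror served at http://yam/yam/centos4-i386 with YAM's
# RPMS.os and RPMS.updates directories; CentOS 4 key at the path below.

YUM_REPOS_DIR="${YUM_REPOS_DIR:-/etc/yum.repos.d}"
YAM_URL="${YAM_URL:-http://yam/yam/centos4-i386}"
GPG_KEY="${GPG_KEY:-file:///usr/share/doc/centos-release-4/RPM-GPG-KEY-centos4}"

# Write the local-mirror repo file. gpgcheck stays on: an internal mirror
# helps availability, it does not vouch for package integrity.
write_local_repo() {
    cat > "$YUM_REPOS_DIR/yam-local.repo" <<EOF
[yam-os]
name=CentOS 4 - local YAM mirror (os)
baseurl=$YAM_URL/RPMS.os
enabled=1
gpgcheck=1
gpgkey=$GPG_KEY

[yam-updates]
name=CentOS 4 - local YAM mirror (updates)
baseurl=$YAM_URL/RPMS.updates
enabled=1
gpgcheck=1
gpgkey=$GPG_KEY
EOF
}

# Set enabled=0 in every stanza of CentOS-Base.repo. A stanza with no
# enabled= line counts as enabled, so one is added where it is missing.
disable_public_repos() {
    f="$YUM_REPOS_DIR/CentOS-Base.repo"
    [ -f "$f" ] || return 0
    awk '
        /^\[/             { if (insec && !seen) print "enabled=0"; insec = 1; seen = 0; print; next }
        /^enabled[ \t]*=/ { print "enabled=0"; seen = 1; next }
                          { print }
        END               { if (insec && !seen) print "enabled=0" }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Return 0 only when every stanza in CentOS-Base.repo is explicitly disabled.
public_repos_disabled() {
    f="$YUM_REPOS_DIR/CentOS-Base.repo"
    [ -f "$f" ] || return 0
    sections=$(grep -c '^\[' "$f" || true)
    off=$(grep -c '^enabled=0' "$f" || true)
    [ "$sections" -eq "$off" ] && ! grep -q '^enabled *= *1' "$f"
}

# Scratch directory holding a constructed CentOS-Base.repo (not the real
# file) so the functions can be tried without touching /etc.
make_sample_repos_dir() {
    d=$(mktemp -d)
    cat > "$d/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-4 - Base
baseurl=http://mirror.centos.org/centos/4/os/i386/
gpgcheck=1
enabled=1

[updates]
name=CentOS-4 - Updates
baseurl=http://mirror.centos.org/centos/4/updates/i386/
gpgcheck=1

[extras]
name=CentOS-4 - Extras
baseurl=http://mirror.centos.org/centos/4/extras/i386/
enabled=1
gpgcheck=1
EOF
    echo "$d"
}

# "apply" as the first argument edits the real /etc/yum.repos.d; otherwise
# a dry run is performed on the scratch copy.
if [ "${1:-}" = "apply" ]; then
    write_local_repo && disable_public_repos && public_repos_disabled \
        && echo "yum now uses the local YAM mirror only"
else
    YUM_REPOS_DIR=$(make_sample_repos_dir)
    write_local_repo && disable_public_repos && public_repos_disabled \
        && echo "dry run ok, see $YUM_REPOS_DIR"
fi
```

Run it with no arguments first to see the result on the scratch copy, then with `apply` as root. The explicit-disable check matters because a stanza that merely lacks an enabled= line is still consulted by yum, which would silently pull packages from the public mirrors instead of the one you control.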

Configure YAM Repository to Support Kickstart Installations

On the YAM-SERVER:

  • mkdir /var/www/yam/centos4-i386/CentOS/
  • mkdir /var/www/yam/centos4-i386/CentOS/base/
  • cd /var/www/yam/centos4-i386/CentOS/base/

The comps file contains the general package groups:

The hdlist files contain dependencies, package information, etc.:

The stg2 files are the cramfs images (which contain anaconda) for the installer:

Link to the YAM repository:

  • ln -s /var/www/yam/centos4-i386/RPMS.os /var/www/yam/centos4-i386/CentOS/RPMS


Add the GPG Keys for the repositories:

Add Kickstart Files to /var/www/yam/

Add additional support files to /var/www/yam/

Using KickStart

Insert DISK 1 of CentOS 4.2 into the new computer.

Boot up the computer. Ensure that the BIOS will load the CDROM on Boot.

At the Linux LILO Prompt, enter:

linux ks=http://YOUR-YAM-SERVER/yam/ks.cfg

This will instruct Linux to load the kickstart configuration and build the environment for you.

The kickstart will ask you about your network configuration after it has completed the package installation.

Additional parameters may be required. For example, I need to add "acpi=off" on some environments.
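The page does not reproduce its ks.cfg, so the following is an added example rather than the project's own file: a small generator that emits a site-specific ks.cfg installing from the YAM server and, in %post, forwards logs to the central syslog server, uses the site NTP server, and replaces the stock "public" SNMP community on the existing com2sec line instead of adding a second one (the issue noted under Recent News). A check function refuses to publish a file that still carries placeholders or a plaintext root password. All hostnames, the community string and the password hashes are assumed values; verify each directive against the RHEL 4 kickstart reference listed under References.

```shell
#!/bin/sh
# Added example, not the project's ks.cfg: generate and sanity-check a
# site-specific kickstart file. Hostnames and secrets below are placeholders.

YAM_SERVER="${YAM_SERVER:-yam.example.com}"
SYSLOG_SERVER="${SYSLOG_SERVER:-syslog.example.com}"
NTP_SERVER="${NTP_SERVER:-ntp.example.com}"
SNMP_COMMUNITY="${SNMP_COMMUNITY:-CHANGE-ME}"
# Pre-hashed passwords, e.g. from "openssl passwd -1" (placeholders here)
ROOT_PW_CRYPTED="${ROOT_PW_CRYPTED:-PLACEHOLDER-root-hash}"
GRUB_PW_CRYPTED="${GRUB_PW_CRYPTED:-PLACEHOLDER-grub-hash}"

# Emit the kickstart file on stdout.
write_ks() {
    cat <<EOF
install
url --url http://$YAM_SERVER/yam/centos4-i386
lang en_US.UTF-8
langsupport --default=en_US.UTF-8 en_US.UTF-8
keyboard us
network --device eth0 --bootproto dhcp
rootpw --iscrypted $ROOT_PW_CRYPTED
firewall --enabled --ssh
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone --utc America/Edmonton
bootloader --location=mbr --md5pass=$GRUB_PW_CRYPTED
clearpart --all --initlabel
part /boot --fstype ext3 --size=100
part swap --size=1024
part / --fstype ext3 --size=1024 --grow
reboot

%packages
@ core
ntp
net-snmp

%post
# keep local logs and also forward them to the central syslog server
echo "*.info;mail.none;authpriv.none;cron.none    @$SYSLOG_SERVER" >> /etc/syslog.conf
# use the site NTP server in place of the stock public servers
sed -i 's/^server /#server /' /etc/ntp.conf
echo "server $NTP_SERVER" >> /etc/ntp.conf
# swap the default community for ours on the existing com2sec line
sed -i 's/^\(com2sec.*[[:space:]]\)public[[:space:]]*\$/\1$SNMP_COMMUNITY/' /etc/snmp/snmpd.conf
EOF
}

# Refuse to publish a file that still carries placeholders, a root password
# that is not pre-hashed, an install source other than the YAM server, or
# SELinux left off.
check_ks() {
    f="$1"
    ! grep -q -e PLACEHOLDER -e CHANGE-ME "$f" || { echo "placeholders left in $f" >&2; return 1; }
    grep -q '^rootpw --iscrypted ' "$f" || { echo "rootpw must be --iscrypted" >&2; return 1; }
    grep -q "^url --url http://$YAM_SERVER/" "$f" || { echo "install source is not $YAM_SERVER" >&2; return 1; }
    grep -q '^selinux --enforcing' "$f" || { echo "selinux is not enforcing" >&2; return 1; }
}

# usage: export the site values, then: sh make-ks.sh /var/www/yam/ks.cfg
if [ $# -gt 0 ]; then
    write_ks > "$1" && check_ks "$1" && echo "wrote $1"
fi
```

The generated file contains the hashed root and GRUB passwords and the SNMP community, and anaconda fetches it over plain HTTP from the same web server that serves the repository; keep that in mind when deciding who may reach http://YOUR-YAM-SERVER/yam/ on your network.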

Online Usage Manual

For details on the individual commands that the Hardening Script automates, please refer to the "Hardening Linux" documentation.

1 Hardware Specifications
2 Recommended Partition Table
3 Base Linux Installation
4 Software that must be uninstalled after installation
4.1 Descriptions of programs that must be uninstalled after installation of the server
4.2 Additional Packages to remove
5 Remove unnecessary documentation files
6 Installed RPMs
7 Linux General System Security
7.1 BIOS
7.2 Choose a right password
7.3 The root account
7.4 Set login time out for the root account
7.5 The /etc/exports file
7.6 The single-user login mode of Linux
7.7 The LILO and /etc/lilo.conf file
7.8 Disabling Ctrl-Alt-Delete keyboard shutdown command
7.9 The /etc/services file
7.10 The /etc/securetty file
7.11 Special accounts
7.12 Control mounting a file system
7.13 Mounting the /boot directory of Linux as read-only
7.14 Conceal binary RPM
7.15 Shell logging
7.16 Physical hard copies of all-important logs
7.17 Tighten scripts under /etc/rc.d/init.d/
7.18 The /etc/rc.local file
7.19 Bits from root-owned programs
7.20 Finding all files with the SUID/SGID bit enabled
7.21 Don't let internal machines tell the server what their MAC address is
7.22 Unusual or hidden files
7.23 Finding Group and World Writable files and directories
7.24 Unowned Files
7.25 Finding .rhosts files
8 Linux Pluggable Authentication Modules
8.1 The password length
8.2 Disabling console program access
8.3 Disabling all console access
8.4 The Login access control table
8.5 Tighten console permissions for privileged users
8.6 Putting limits on resource
8.7 Controlling access time to services
8.8 Blocking; su to root, by one and sundry

Change Log

None at the moment.

Screenshots

None

References

  • RedHat Online Manual RHEL 4: Kickstart Installations
http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/sysadmin-guide/ch-kickstart2.html
  • YAM home page:
http://dag.wieers.com/packages/yam

License

Kickstart script for hardening CentOS 4.2 OS

Copyright (c) 2005 Shannon McNaught

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

Most of this code has been designed, written and is maintained by Shannon McNaught. See online wiki for specific developer credit. Any questions or comments regarding this code should be directed to: smcnaught@axia.com

NO WARRANTIES:

TO THE EXTENT PERMITTED BY APPLICABLE LAW, NEITHER SHANNON MCNAUGHT, NOR ANY PERSON, EITHER EXPRESSLY OR IMPLICITLY, WARRANTS ANY ASPECT OF THIS SOFTWARE OR PROGRAM, INCLUDING ANY OUTPUT OR RESULTS OF THIS SOFTWARE OR PROGRAM. UNLESS AGREED TO IN WRITING, THIS SOFTWARE AND PROGRAM IS BEING PROVIDED "AS IS", WITHOUT ANY WARRANTY OF ANY TYPE OR NATURE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTY THAT THIS SOFTWARE OR PROGRAM IS FREE FROM DEFECTS.

ASSUMPTION OF RISK:

THE RISK OF ANY AND ALL LOSS, DAMAGE, OR UNSATISFACTORY PERFORMANCE OF THIS SOFTWARE OR PROGRAM RESTS WITH YOU AS THE USER. TO THE EXTENT PERMITTED BY LAW, NEITHER SHANNON MCNAUGHT, NOR ANY PERSON EITHER EXPRESSLY OR IMPLICITLY, MAKES ANY REPRESENTATION OR WARRANTY REGARDING THE APPROPRIATENESS OF THE USE, OUTPUT, OR RESULTS OF THE USE OF THIS SOFTWARE OR PROGRAM IN TERMS OF ITS CORRECTNESS, ACCURACY, RELIABILITY, BEING CURRENT OR OTHERWISE. NOR DO THEY HAVE ANY OBLIGATION TO CORRECT ERRORS, MAKE CHANGES, SUPPORT THIS SOFTWARE OR PROGRAM, DISTRIBUTE UPDATES, OR PROVIDE NOTIFICATION OF ANY ERROR OR DEFECT, KNOWN OR UNKNOWN. IF YOU RELY UPON THIS SOFTWARE OR PROGRAM, YOU DO SO AT YOUR OWN RISK, AND YOU ASSUME THE RESPONSIBILITY FOR THE RESULTS. SHOULD THIS SOFTWARE OR PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL LOSSES, INCLUDING, BUT NOT LIMITED TO, ANY NECESSARY SERVICING, REPAIR OR CORRECTION OF ANY PROPERTY INVOLVED.

DISCLAIMER:

IN NO EVENT, UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING, SHALL SHANNON MCNAUGHT, OR ANY PERSON BE LIABLE FOR ANY LOSS, EXPENSE OR DAMAGE, OF ANY TYPE OR NATURE ARISING OUT OF THE USE OF, OR INABILITY TO USE THIS SOFTWARE OR PROGRAM, INCLUDING, BUT NOT LIMITED TO, CLAIMS, SUITS OR CAUSES OF ACTION INVOLVING ALLEGED INFRINGEMENT OF COPYRIGHTS, PATENTS, TRADEMARKS, TRADE SECRETS, OR UNFAIR COMPETITION.