# Virtual machine
# 2 hard disks. 1st 512Mb and 2nd 9Gb
# Indifferent CPU & RAM
# LVM on 2nd disk
# IPv6 disable. Ip by DHCP
# Spanish language and keyboard
# Follow me on Linkedin:
# https://goo.gl/dBfnuZ
# Installation logging level
logging --level=info
# Install OS instead of upgrade
install
# Installation source.  NOTE(review): a plain http:// mirror, so package
# integrity rests entirely on RPM GPG signature checking; an https:// or
# internal mirror is preferable.  The path pins one point release (7.5.1804).
url --url http://mirror.centos.org/centos/7.5.1804/os/x86_64/
# Keyboard layouts
keyboard 'es'
# Root password, pre-hashed.  NOTE(review): the "$1$" prefix marks an
# MD5-crypt hash, while `auth --passalgo=sha512` below selects SHA-512 for
# the rest of the system; regenerate this as a "$6$" (sha512-crypt) hash so
# root is not the weakest entry in /etc/shadow.  The hash is public (it is
# in a paste), so it has to be replaced before use in any case.
rootpw --iscrypted $1$p7H6id/d$U7Ix4o4Gu9X1kZY0my/3e/
# System authorization information
auth --enableshadow --passalgo=sha512
# System language
lang es_ES
# Use text mode install (the directive below is `text`, not `graphical`)
text
# Run the Setup Agent on first boot
firstboot --disable
# SELinux configuration
selinux --enforcing
# System timezone
timezone Europe/Madrid
# Network information.  NOTE(review): the device name ens160 looks
# hypervisor-specific; on a host without that interface the install stalls
# waiting for it.  IPv6 itself is switched off later through the kernel
# command line written in %post.
network --bootproto=dhcp --device=ens160 --onboot=on
# System bootloader configuration
bootloader --location=mbr
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all
# Disk partitioning information: /boot alone on the first disk, ext2 with
# no reserved blocks (-m 0); 511 fills the 512Mb disk.
part /boot --asprimary --fstype="ext2" --ondisk=sda --size=511 --label=boot --mkfsoptions="-m 0"
# LVM: one PV growing over the whole second disk, 8 MiB extents (pesize is
# given in KiB).  Separate volumes exist so mount options can be tightened
# per tree: nodev/nosuid wherever users can write, noexec on /tmp and the
# log trees.  /usr and /opt carry no restricting options; /tmp's options
# are inherited by /var/tmp through the bind mount added to fstab in %post.
part pv.01 --size=1 --grow --ondisk=sdb
volgroup vgsys --pesize=8192 pv.01
logvol / --fstype="xfs" --size=1024 --vgname=vgsys --name=root
logvol /usr --fstype="xfs" --size=2048 --vgname=vgsys --name=usr
logvol /tmp --fstype="xfs" --size=512 --vgname=vgsys --name=tmp --fsoptions="rw,nodev,noexec,nosuid,relatime"
logvol /var --fstype="xfs" --size=1024 --vgname=vgsys --name=var --fsoptions="rw,nodev,nosuid"
logvol /var/log --fstype="xfs" --size=256 --vgname=vgsys --name=varlog --fsoptions="rw,nodev,noexec,nosuid"
logvol /var/log/audit --fstype="xfs" --size=128 --vgname=vgsys --name=audit --fsoptions="rw,nodev,noexec,nosuid"
logvol /opt --fstype="xfs" --size=256 --vgname=vgsys --name=opt
logvol /home --fstype="xfs" --size=128 --vgname=vgsys --name=home --fsoptions="rw,nodev,nosuid"
logvol swap --fstype="swap" --size=512 --vgname=vgsys --name=swap
# Install core 7 & packages
%packages
@core
open-vm-tools
libselinux
yum-utils
# ntp instead of chrony (chrony is excluded below); %post writes
# /etc/ntp.conf and enables ntpd
ntp
wget
net-tools
# iptables-services instead of firewalld (excluded below); %post enables it
iptables
iptables-utils
iptables-services
# file-integrity baseline is initialised at the end of %post
aide
# Exclude unnecessary packages
-abrt*
-avahi*
-iwl*firmware
-aic94xx-firmware
-ivtv-*
-chrony
-openldap-clients
-alsa-*
-firewalld
-xorg-x11*
# NOTE(review): with postfix excluded no MTA remains, yet %post sets
# auditd's space_left_action = email; those notifications have nowhere to
# go unless a mailer is added back.
-postfix
-autofs
-prelink
%end
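%post
# Post-installation hardening, run by anaconda chrooted into the freshly
# installed system.  Console output goes to tty3 so progress is visible
# during the install; stderr stays with anaconda's own log.  There is
# deliberately no `set -e`: one failing step must not abort the whole
# installation, so the steps that matter report their own failures.
exec < /dev/tty3 > /dev/tty3
chvt 3

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly CONFIG_REPO=YOURREPO/CentOS/7   # replace with your own repository
# Optional integrity pins for the files pulled from CONFIG_REPO.  Empty
# means "no check"; fill in once the files are published, e.g.
# SYSCTL_SHA256="<sha256 of sysctl.conf>".
readonly SYSCTL_SHA256=""
readonly AUDIT_RULES_SHA256=""

#######################################
# Print a framed section banner on the console.
# Arguments: $1 - banner text
#######################################
banner() {
  local frame
  frame=$(printf '%*s' $(( ${#1} + 4 )) '' | tr ' ' '#')
  printf '\n%s\n# %s #\n%s\n' "$frame" "$1" "$frame"
}

#######################################
# Report a non-fatal problem on stderr (ends up in anaconda's log).
# Arguments: message words
#######################################
warn() {
  printf 'post: WARNING: %s\n' "$*" >&2
}

#######################################
# Append a line to a file unless that exact line is already there, so a
# re-run never duplicates crontab/modprobe entries.
# Arguments: $1 - file, $2 - line
#######################################
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

#######################################
# Set a sshd_config keyword, replacing any existing occurrence whether it
# was commented out or active.  The old `sed 's/#Key default/Key value/'`
# form silently did nothing when the shipped line differed from the
# expected commented default.  sshd uses the first value it reads for a
# keyword, so the line is inserted at the top and wins over anything left
# below it.
# NOTE(review): assumes no active "Match" block in the stock config (the
# CentOS 7 default ships only a commented example); deleting a keyword
# inside a Match block would change that block's scope.
# Arguments: $1 - keyword, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  sed -i "/^[[:space:]]*#\{0,1\}[[:space:]]*${key}[[:space:]]/Id" "$SSHD_CONFIG"
  sed -i "1i ${key} ${value}" "$SSHD_CONFIG"
}

#######################################
# Set a KEY VALUE entry in /etc/login.defs, replacing the current value
# whatever it is (the old patterns only matched one specific default) or
# appending the entry when it is missing.
# Arguments: $1 - key, $2 - value
#######################################
set_login_def() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]" /etc/login.defs; then
    sed -i "s/^${key}[[:space:]].*/${key} ${value}/" /etc/login.defs
  else
    printf '%s %s\n' "$key" "$value" >> /etc/login.defs
  fi
}

#######################################
# Set a "key = value" entry in /etc/audit/auditd.conf.  The match is
# anchored on "key =" because a bare prefix match such as ^max_log_file.*
# also rewrites max_log_file_action and so loses that setting.
# Arguments: $1 - key, $2 - value
#######################################
set_auditd_conf() {
  local key=$1 value=$2
  sed -i "s/^${key}[[:space:]]*=.*/${key} = ${value}/" /etc/audit/auditd.conf
}

#######################################
# Download a configuration file and install it over an existing one,
# keeping the old copy.  The original moved the live file aside *before*
# downloading, so a failed download left the system with no sysctl.conf /
# audit.rules at all; here the live file is only touched once the new one
# is complete (non-empty) and, when a pin is given, checksum-verified.
# Arguments: $1 - URL, $2 - destination, $3 - backup path for the old file,
#            $4 - mode for the new file, $5 - expected sha256 (optional)
# Returns:   0 when installed, 1 when the existing file was kept
#######################################
fetch_config() {
  local url=$1 dest=$2 backup=$3 mode=$4 sha256=${5:-}
  local tmp
  tmp=$(mktemp) || { warn "mktemp failed, keeping ${dest}"; return 1; }
  if ! wget -q -O "$tmp" -- "$url" || [[ ! -s "$tmp" ]]; then
    warn "download of ${url} failed, keeping existing ${dest}"
    rm -f -- "$tmp"
    return 1
  fi
  if [[ -n "$sha256" ]] \
    && ! printf '%s  %s\n' "$sha256" "$tmp" | sha256sum -c --status; then
    warn "sha256 mismatch for ${url}, keeping existing ${dest}"
    rm -f -- "$tmp"
    return 1
  fi
  [[ -e "$dest" ]] && mv -f -- "$dest" "$backup"
  install -m "$mode" -o root -g root -- "$tmp" "$dest"
  rm -f -- "$tmp"
}

#######################################
# Regenerate the sshd host keys.  The original ran ssh-keygen without -t
# for the ecdsa and ed25519 files, which produces RSA keys under those
# names (rsa is ssh-keygen's default type), and asked for -b 4096 on ecdsa
# where only 256/384/521 are valid.
# NOTE(review): CentOS 7's sshd-keygen service only creates keys that are
# missing, so these survive first boot — verify on the built image.
#######################################
regenerate_host_keys() {
  local t
  for t in rsa ecdsa ed25519; do
    rm -f -- "/etc/ssh/ssh_host_${t}_key" "/etc/ssh/ssh_host_${t}_key.pub"
  done
  ssh-keygen -q -t rsa -b 4096 -N '' -f /etc/ssh/ssh_host_rsa_key
  ssh-keygen -q -t ecdsa -b 521 -N '' -f /etc/ssh/ssh_host_ecdsa_key
  ssh-keygen -q -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
}

banner "Running Post Configuration"
tuned-adm profile throughput-performance
systemd-analyze set-log-level notice
systemctl enable iptables
systemctl enable ntpd
systemctl disable kdump.service
systemctl mask kdump.service

# Update OS (needs network inside the installer)
yum update -y || warn "yum update failed, installed packages may lack fixes"
yum install epel-release -y || warn "epel-release could not be installed"

# fstab hardening: /var/tmp bind-mounted on /tmp so it inherits
# nodev,noexec,nosuid; /dev/shm tightened; other users' processes hidden in
# /proc; the CD-ROM never auto-mounted and never executable.  The /dev/shm
# line uses fstype tmpfs — "none" is only meaningful for bind/move mounts.
cat >> /etc/fstab <<'EOF'
###################
# FSTAB Hardening #
###################
/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0
tmpfs /dev/shm tmpfs rw,nodev,noexec,nosuid 0 0
proc /proc proc defaults,hidepid=2 0 0
/dev/cdrom /mnt/cdrom iso9660 ro,noexec,nosuid,nodev,noauto 0 0
EOF

banner "CIS Hardening"
# Kernel modules that must never load.  `install X /bin/true|false` stops
# explicit loading too, where `blacklist` only prevents auto-loading.
append_once /etc/modprobe.d/disable-usb-storage.conf 'install usb-storage /bin/true'
append_once /etc/modprobe.d/blacklist-firewire.conf 'blacklist firewire-core'
append_once /etc/modprobe.d/blacklist.conf 'blacklist usb-storage'
append_once /etc/sysconfig/network 'NOZEROCONF=yes'
# Rarely used filesystems, written fresh each run
: > /etc/modprobe.d/CIS.conf
for fs in cramfs freevxfs jffs2 hfs hfsplus squashfs udf; do
  printf 'install %s /bin/false\n' "$fs" >> /etc/modprobe.d/CIS.conf
done

# Login banners (pre-auth, local and remote)
printf '%s\n' "Authorized uses only. All activity may be monitored and reported." > /etc/issue
printf '%s\n' "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net

# Password ageing policy
set_login_def PASS_MAX_DAYS 365
set_login_def PASS_MIN_DAYS 7
set_login_def PASS_MIN_LEN 8
set_login_def PASS_WARN_AGE 14

# Root may log in only on the first three virtual consoles
printf '%s\n' tty1 tty2 tty3 > /etc/securetty

### Shell timeout: idle interactive shells exit after one hour and the
### user cannot undo it (readonly).  profile.d snippets are sourced, not
### executed, so 0644 is enough.
printf 'TMOUT=3600\nreadonly TMOUT\nexport TMOUT\n' > /etc/profile.d/autologout.sh
chmod 644 /etc/profile.d/autologout.sh

### NTP: single upstream (YOURLOCALNTP is a placeholder to replace), and no
### remote queries/modifications against this daemon.
touch /var/log/ntpstats/ntpd.log
cat > /etc/ntp.conf <<'EOF'
server YOURLOCALNTP
driftfile /var/lib/ntp/drift
logfile /var/log/ntpstats/ntpd.log
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
EOF

banner "SSH Hardening"
set_sshd_option AllowTcpForwarding no
set_sshd_option ClientAliveCountMax 0
set_sshd_option Compression no
set_sshd_option LogLevel VERBOSE
set_sshd_option MaxAuthTries 2
set_sshd_option MaxSessions 2
set_sshd_option PermitRootLogin no
set_sshd_option TCPKeepAlive no
set_sshd_option UseDNS no
set_sshd_option X11Forwarding no
set_sshd_option AllowAgentForwarding no
set_sshd_option IgnoreRhosts yes
set_sshd_option PermitEmptyPasswords no
set_sshd_option PermitUserEnvironment no
# NOTE(review): the algorithm lists in the paste were mangled by the paste
# site's e-mail obfuscation ("[email protected]"); the names below are the
# standard OpenSSH identifiers with the same layout (three "@openssh.com"
# entries followed by the plain ones) as used by the usual CentOS 7 /
# OpenSSH 7.4 hardening lists — confirm them against your own policy with
# `sshd -T` before relying on them.
set_sshd_option MACs "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
set_sshd_option Ciphers "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
set_sshd_option KexAlgorithms "curve25519-sha256@openssh.com,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
set_sshd_option ClientAliveInterval 300
set_sshd_option LoginGraceTime 60
set_sshd_option Protocol 2
regenerate_host_keys
# Fail loudly now rather than discovering on first boot that sshd refuses
# to start with the rewritten configuration.
/usr/sbin/sshd -t || warn "sshd_config does not validate (sshd -t)"

for f in /etc/motd /etc/issue /etc/issue.net; do
  chown root:root "$f" && chmod 644 "$f"
done

# Per-host root key pairs, passphrase-less so unattended tooling can use
# them.  ssh-keygen does not create the parent directory, so it is created
# first (the original failed here on a fresh install).
# NOTE(review): anything that clones the image after install clones these
# private keys with it — regenerate on clone.
install -d -m 0700 -o root -g root /root/.ssh
rm -f -- /root/.ssh/id_*
ssh-keygen -q -t rsa -b 4096 -N '' -f /root/.ssh/id_rsa
ssh-keygen -q -t ed25519 -N '' -f /root/.ssh/id_ed25519
ssh-keygen -q -t ecdsa -b 521 -N '' -f /root/.ssh/id_ecdsa

chmod 644 /etc/hosts.deny /etc/hosts.allow
chown root:root "$SSHD_CONFIG" && chmod 600 "$SSHD_CONFIG"
# Account databases: world-readable passwd/group, unreadable shadow files
# (the original set /etc/shadow to 640 and then to 000; 000 is the final
# state and is the only one kept here).
for f in /etc/passwd /etc/group; do
  chown root:root "$f" && chmod 0644 "$f"
done
for f in /etc/shadow /etc/gshadow /etc/gshadow-; do
  chown root:root "$f" && chmod 000 "$f"
done
for f in /etc/passwd- /etc/group-; do
  chown root:root "$f" && chmod u-x,go-wx "$f"
done

### Sysctl Tunning
banner "Sysctl.conf Hardening"
fetch_config "${CONFIG_REPO}/sysctl.conf" /etc/sysctl.conf /etc/sysctl.old 0644 "$SYSCTL_SHA256"

### Audit Rules
banner "Audit Rules"
fetch_config "${CONFIG_REPO}/audit.rules" /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules.old 0640 "$AUDIT_RULES_SHA256"

### Audit configuration.  NOTE(review): space_left_action = email needs a
### working mailer and %packages excludes postfix — confirm delivery works
### or switch the action to syslog.
set_auditd_conf max_log_file 25
set_auditd_conf num_logs 4
set_auditd_conf space_left_action email
set_auditd_conf action_mail_acct root
set_auditd_conf admin_space_left_action halt
set_auditd_conf max_log_file_action keep_logs

### Disable Ctrl-Alt-Del Reboot Activation
systemctl mask ctrl-alt-del.target
### Disable accounts as soon as the password has expired
sed -i 's/^INACTIVE.*/INACTIVE=0/' /etc/default/useradd
### Remember in the command history to 5000
sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile

banner "GRUB Config"
sed -i 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=2/g' /etc/default/grub
# audit=1 makes the kernel audit from the start of boot; ipv6.disable=1
# switches IPv6 off on the kernel command line (see the header comment).
sed -i '/GRUB_CMDLINE_LINUX/s/"$/ audit=1 ipv6.disable=1"/' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
chown root:root /boot/grub2/grub.cfg && chmod og-rwx /boot/grub2/grub.cfg

### Fixing permissions
find /var/log -type f -exec chmod g-wx,o-rwx {} +
for f in /etc/crontab /etc/cron.hourly /etc/cron.daily /etc/cron.weekly \
  /etc/cron.monthly /etc/cron.d; do
  chown root:root "$f" && chmod og-rwx "$f"
done
# Empty *.allow files with no *.deny files: only root may use cron and at.
rm -f -- /etc/cron.deny /etc/at.deny
for f in /etc/cron.allow /etc/at.allow; do
  touch "$f" && chown root:root "$f" && chmod og-rwx "$f"
done

### AIDE
banner "AIDE"
# Drop the yum cache so it is not part of the baseline
rm -rf /var/cache/yum
/usr/sbin/aide --init
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
/usr/sbin/aide --check
# Daily check at 04:05 and a weekly --update on Sunday at 03:00.  The
# original weekly line had only four time fields and so was never a valid
# crontab entry.  Note that --update only writes aide.db.new.gz; it never
# replaces the baseline on its own.
append_once /etc/crontab "05 4 * * * root /usr/sbin/aide --check"
append_once /etc/crontab "00 3 * * 0 root /usr/sbin/aide --update"
chvt 1
%end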
# Reboot after installation, ejecting the install medium so the VM does not
# boot back into the installer
reboot --eject