# workstation-ks.cfg # version 1.0.1 2012-03-15 # Copyright 2010,2011,2012 Red Hat Inc., Durham, North Carolina. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # Authors: # Steve Grubb # The purpose of this kickstart is to demonstrate usage of the USGCB # standard desktop baseline. Documentation for Kickstart can be found at: # http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/Installation_Guide-en-US/ch-kickstart2.html # (Required) We want to "install" as opposed to "upgrade" an existing system install # Reboot the machine after the installation is complete # and attempt to eject the CD/DVD/Bootdisk reboot --eject ## ## This next section needs site specific customizations. If installing by ## Network, you should update the URL line to point to the location where ## the image is stored.. If you are instead using the CDROM method, comment # out the URL line and uncomment the CDROM line. # Configure networking # Kickstart assumes dhcp over eth0 if not specified otherwise # These can be serialized on a per-machine basis, or # provided on the command line during system installation as described #network --bootproto=static --ip= --netmask= --gateway= --nameserver= #network --bootproto=dhcp network --bootproto=static --ip=192.168.122.99 --netmask=255.255.255.0 --gateway=192.168.122.1 --nameserver=192.168.122.1 # Install from a cdrom #cdrom # another option is to install via HTTP url --url=http://192.168.122.1/iso/ # Set the language lang en_US.UTF-8 # (Required) Set keyboard style keyboard us # Skip the RHN key setup, or enter the key here (will prompt without --skip) key --skip ## The following section needs customization or at a minimum change ## The root password after first boot. # Adding users and setting passwords: # There are 3 options for setting rootpw (or adding user accounts & passwords) # 1. Do not include the rootpw command and you will be prompted for the root # password during installation. This is the recommended method. # 2. Include a hashed root password inside the kickstart file. This method is # not recommended, and is particularly not recommended if the kickstart will # ever be traveling over a network. # 3. Include a clear text password. This is a generally terrible idea. # (Required) Sets the root password so there is no prompt during installation # Example: encrypted password is "password" rootpw --iscrypted $6$naSytywF$AyVeKPcxnSMJg2L5b5YWGu7YFmgGW30HJ1qmqvjBBOBIbjQuqicsTuJndm0sns3vFpXGDx0SJzofARe914chx0 # Enable the firewall firewall --enabled # Enable SELinux CCE-3999-0 (row 102) selinux --enforcing # (Required) Wrapper around the authconfig command CCE-14063-2 (row 80) authconfig --enableshadow --passalgo=sha512 # (Required) Set the timezone timezone --utc America/New_York ## This line needs site specific customizations. Or at a minimum change ## the password on first boot. # CCE-3818-2 (row 90) Add a grub bootloader password (password is: rhel5) # CCE-15026-8 (row 143) enable audit at boot bootloader --location=mbr --password=rhel5 --append="rhgb quiet audit=1" # Partitions (Required for "install") # This setup assumes a disk larger than 20GB, and should be modified with # appropriate size partitions based on the machine's hardware # Format the partitions/mbr first zerombr clearpart --all --initlabel # Create primary partitions part /boot --fstype "ext3" --size=512 --asprimary part swap --fstype swap --size=1024 part pv.01 --size=1 --grow # Create more logical partitions # CCE-14161-4, CCE-14777-2, CCE-14011-1, CCE-14171-3, CCE-14559-9 (Rows 2 - 6) volgroup vgroup1 pv.01 logvol / --fstype ext3 --name=root --vgname=vgroup1 --size=2560 --grow logvol /tmp --fstype ext3 --name=temp --vgname=vgroup1 --size=256 --fsoptions="nodev,noexec,nosuid" logvol /home --fstype ext3 --name=home --vgname=vgroup1 --size=1024 --fsoptions="nodev" logvol /var --fstype ext3 --name=var --vgname=vgroup1 --size=1024 --fsoptions="nodev" logvol /var/log --fstype ext3 --name=varlog --vgname=vgroup1 --size=512 --fsoptions="nodev,noexec,nosuid" logvol /var/log/audit --fstype ext3 --name=audit --vgname=vgroup1 --size=256 --fsoptions="nodev,noexec,nosuid" %packages # These Package Groups are installed by default @admin-tools @base @base-x @core @dialup @editors @gnome-desktop @graphical-internet @graphics @java @legacy-software-support @office @printing @sound-and-video @text-internet # Individual packages not installed by default emacs # CCE-14068-1 (row 223) postfix # CCE-3910-7 (row 99) vlock # CCE-4209-3 (row 13) aide ## Added to support Puppet ruby # Make sure we are using a desktop package set redhat-release-5Client # Individual packages to be removed from the groups -xinetd -telnet-server -telnet -krb5-workstation -rsh-server -rsh -tftp-server # CCE-14495-6 (row 222) -sendmail # CCE-4464-4 (row 219) -dhcp # CCE-14881-7 (row 240) -vsftpd # CCE-4514-6 (row 241) -httpd -gnome-user-share # CCE-14825-4 (row 178) -isdn4k-utils # CCE-17504-2 (row 255) -irda-utils # CCE-18200-6 (row 253) -talk ## If you have a 32 bit system, comment out the next line -*.i?86 # CCE-18031-5 (row 250) -ipsec-tools # CCE-17250-2 (row 251) -pam_ccreds # FIXME: need row openswan # CCE-17742-8 (row 134) -sysklogd rsyslog # Post-install commands # Some post-installation configuration can be done from the kickstart file # itself. These actions should not be relied upon for system # configuration/management. Anything in the %post section should be things # that would immediately be done after installation that are either out of # scope for the management software, or help prepare the system for the # management software. %post # Install redhat-release key for later use validating rpms # CCE-14440-2 (row 7) rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-auxiliary rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-former rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-rhx # Disable rhnsd daemon (CCE-3416-5 row 8) chkconfig rhnsd off # Disable yum-updatesd daemon (CCE-4218-4 row 10) chkconfig yum-updatesd off # Notes CCE-14914-6, CCE-14813-0, CCE-14931-0 (row 11, 12, and 14 are noops) # Fix up the partitions to be secure # CCE (rows 15 - 25) FSTAB=/etc/fstab # nodev, noexec, and nosuid on /boot TEST="`grep ' \/boot ' ${FSTAB} | grep -c 'noexec'`" if [ "$TEST" = "0" ]; then MNT_OPTS=$(grep " \/boot " ${FSTAB} | awk '{print $4}') sed -i "s/\( \/boot.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB} fi # nodev, noexec, and nosuid on /dev/shm # CCE-15007-8, CCE-14306-5, CCE-14703-3 (Rows 22 - 24) TEST="`grep ' \/dev\/shm ' ${FSTAB} | grep -c 'noexec'`" if [ "$TEST" = "0" ]; then MNT_OPTS=$(grep " \/dev\/shm " ${FSTAB} | awk '{print $4}') sed -i "s/\( \/dev\/shm.*${MNT_OPTS}\)/\1,nodev,noexec,nosuid/" ${FSTAB} fi # Make /var/tmp use /tmp # CCE-14584-7 (Row 25) grep " \/var\/tmp " ${FSTAB} >/dev/null if [ $? -eq 1 ]; then echo -e "/tmp\t\t/var/tmp\t\t\text3\tdefaults,bind,nodev,noexec,nosuid\t0 0" >> ${FSTAB} fi # Don't use modprobe.conf, put changes in 1 place touch /etc/modprobe.d/usgcb-blacklist # Disable mounting of cramfs CCE-14089-7 (row 26) echo -e "install cramfs /bin/true" >> /etc/modprobe.d/usgcb-blacklist # Disable mounting of freevxfs CCE-14457-6 (row 27) echo -e "install freevxfs /bin/true" >> /etc/modprobe.d/usgcb-blacklist # Disable mounting of hfs CCE-15087-0 (row 28) echo -e "install hfs /bin/true" >> /etc/modprobe.d/usgcb-blacklist # Disable mounting of hfsplus CCE-14093-9 (row 29) echo -e "install hfsplus /bin/true" >> /etc/modprobe.d/usgcb-blacklist # Disable mounting of jffs2 CCE-14853-6 (row 30) echo -e "install jffs2 /bin/true" >> /etc/modprobe.d/usgcb-blacklist # Disable mounting of squashfs CCE-14118-4 (row 31) echo -e "install squashfs /bin/true" >> /etc/modprobe.d/usgcb-blacklist # Disable mounting of udf CCE-14871-8 (row 32) echo -e "install udf /bin/true" >> /etc/modprobe.d/usgcb-blacklist # Notes (row 33 - 51 are noops) # CCE-4220-0 (Row 52) echo -e "umask 027" >> /etc/sysconfig/init # CCE-4225-9 (Row 53) echo -e "* hard core 0" >> /etc/security/limits.conf # Notes CCE-4225-9, CCE-4146-7, CCE-4172-3 (row 54 -57 are noops) # CCE-3485-0, CCE-4256-4 (Rows 58 & 59) sed -i "/^vc/d" /etc/securetty # CCE-15047-4 (Row 60) sed -i "6s/^#//" /etc/pam.d/su # Notes CCE-14088-9 (row 61 is noop) # Notes CCE-3987-5, CCE-4238-2, CCE-14300-8, CCE-4009-7 (rows 62 - 65 are noops) # CCE-4180-6 (Row 66) sed -i "/PASS_MIN_DAYS/s/[0-9]/1/" /etc/login.defs # CCE-4097-2 (Row 67) sed -i "/PASS_WARN_AGE/s/[0-9]/14/" /etc/login.defs # CCE-4092-3 (Row 68) sed -i "/PASS_MAX_DAYS/s/[0-9]\{5\}/60/" /etc/login.defs # CCE-4154-1 (Row 69) sed -i "/PASS_MIN_LEN/s/[0-9]/12/" /etc/login.defs # Notes CCE-14675-3, CCE-4114-5, CCE-14071-5 (rows 70 - 72 are noops) # The following line covers # (rows 73 - 78) sed -i "/pam_cracklib.so/s/retry=3/retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=3/" /etc/pam.d/system-auth # CCE-3410-8 (row 79) system-auth sed -i "5i\auth\trequired\tpam_tally2.so deny=5 onerr=fail" /etc/pam.d/system-auth #sed -i "/^auth/s/sufficient/required/" /etc/pam.d/system-auth ##sed -i "/^auth/s/requisite/required/" /etc/pam.d/system-auth #sed -i "/^auth/d/requisite/" /etc/pam.d/system-auth #sed -i "/pam_deny/d" /etc/pam.d/system-auth # The old way #sed -i "/^auth/s/include/required\tpam_tally2.so deny=5 onerr=fail\nauth\tinclude\t/" /etc/pam.d/gdm #sed -i "/^auth/s/include/required\tpam_tally2.so deny=5 onerr=fail\nauth\tinclude\t/" /etc/pam.d/sshd #sed -i "/^auth/s/include/required\tpam_tally2.so deny=5 onerr=fail\nauth\tinclude\t/" /etc/pam.d/login # CCE-14063-2(row 80) is a noop since this is the defaults # CCE-14939-3 (row 81) sed -i "/pam_unix.so/s/shadow/shadow remember=24/" /etc/pam.d/system-auth # Notes CCE-3301-9, CCE-14957-5, CCE-4090-7 (rows 82 - 84 are noops) # CCE-14107-7 (row 85) sed -i "/UMASK/s/[0-9]\{3\}/077/" /etc/login.defs # CCE-14847-8 (row 86) echo "umask 077" >> /etc/profile # CCE-3844-8 (row 87) sed -i "/umask/s/022/077/" /etc/bashrc # CCE-4227-5 (row 88) sed -i "/umask/s/022/077/" /etc/csh.cshrc # Notes CCE-3923-0 (rows 89 is a noop) # Notes CCE-4197-0, CCE-4144-2 (rows 91 - 92 are noops) # CCE-4241-6 (row 93) echo "~:S:wait:/sbin/sulogin" >> /etc/inittab # CCE-4245-7 (row 94) sed -i "/PROMPT/s/yes/no/" /etc/sysconfig/init # CCE-3315-9 (row 95) gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type int \ --set /apps/gnome-screensaver/idle_delay 15 # CCE-14604-3 (row 96) gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true # CCE-14023-6 (row 97) gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type bool \ --set /apps/gnome-screensaver/lock_enabled true # CCE-14735-5 (row 98) gconftool-2 --direct \ --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ --type string \ --set /apps/gnome-screensaver/mode blank-only # CCE-4060-0 (row 100) echo -e "\n-- WARNING --\nThis system is for the use of authorized users only. Individuals\nusing this computer system without authority or in excess of their\nauthority are subject to having all their activities on this system\nmonitored and recorded by system personnel. Anyone using this\nsystem expressly consents to such monitoring and is advised that\nif such monitoring reveals possible evidence of criminal activity\nsystem personal may provide the evidence of such monitoring to law\nenforcement officials.\n" > /etc/issue # CCE-4188-9 (row 101) sed -i "15s//\n \n \n \n \n \n-- WARNING --\nThis system is for the use of authorized users only. Individuals\nusing this computer system without authority or in excess of their\nauthority are subject to having all their activities on this system\nmonitored and recorded by system personnel. Anyone using this\nsystem expressly consents to such monitoring and is advised that\nif such monitoring reveals possible evidence of criminal activity\nsystem personal may provide the evidence of such monitoring to law\nenforcement officials.\n <\/text>\n <\/item>\n <\/box>\n <\/item>\n\n /" /usr/share/gdm/themes/RHEL/RHEL.xml # CCE-3977-6, CCE-3999-0, and CCE-3624-4 (rows 102 - 104) are noops # CCE-3668-1 (row 105) chkconfig mcstrans off # CCE-14991-4 (row 106) is noop # CCE-3561-8 (row 107) echo -e "\n# Changes for USGCB content" >> /etc/sysctl.conf echo "net.ipv4.ip_forward = 0" >> /etc/sysctl.conf # CCE-4155-8 (row 108) echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf # CCE-4151-7 (row 109) echo "net.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.conf # CCE-3472-8 (row 110) echo "net.ipv4.conf.all.secure_redirects = 0" >> /etc/sysctl.conf # CCE-4217-6 (row 111) echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf # CCE-4236-6 (row 112) echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf # CCE-3339-9 (row 113) echo "net.ipv4.conf.default.secure_redirects = 0" >> /etc/sysctl.conf # CCE-4186-3 (row 114) echo "net.ipv4.conf.default.accept_redirects = 0" >> /etc/sysctl.conf # CCE-4091-5 (row 115) echo "net.ipv4.conf.default.accept_source_route = 0" >> /etc/sysctl.conf # CCE-4133-5 (row 116) echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf # CCE-3644-2 (row 117) echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf # CCE-4320-8 (row 118) echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf # CCE-4080-8 (row 119) echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf # CCE-4265-5 (row 120) echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf # CCE-3840-6 (row 121) echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf # CCE-15013-6, CCE-4276-2 (rows 122 and 123) are noops # CCE-18455-6 (row 124) echo -e "options ipv6 disable=1" >> /etc/modprobe.d/usgcb-blacklist # CCE-4313-3 (row 125) echo "net.ipv6.conf.default.accept_redirect=0" >> /etc/sysctl.conf # CCE-4269-7 (row 126) echo "net.ipv6.conf.default.accept_ra=0" >> /etc/sysctl.conf # CCE-4167-3 (row 127) # This is being set to off because IPv6 is disabled chkconfig ip6tables off # CCE-4189-7 (row 128) chkconfig iptables on # CCE-14264-6 (row 129) sed -i "/^:INPUT/s/ACCEPT/DROP/" /etc/sysconfig/iptables # CCE-14268-7 (row 130) echo -e "install dccp /bin/true" >> /etc/modprobe.d/usgcb-blacklist # CCE-14235-5 (row 131) echo -e "install sctp /bin/true" >> /etc/modprobe.d/usgcb-blacklist #i CCE-14027-7 (row 132) echo -e "install rds /bin/true" >> /etc/modprobe.d/usgcb-blacklist # CCE-14911-2 (row 133) echo -e "install tipc /bin/true" >> /etc/modprobe.d/usgcb-blacklist # CCE-17698-2 (row 135) chkconfig rsyslog on chkconfig rsyslog --levels 345 on # (rows 136 - 138) are noops # send logging to remote server CCE-17248-6 (row 139) mkdir -m 0700 /etc/pki/rsyslog ## ## The following lines need site specific customizations ## #echo "" >> /etc/rsyslog.conf #echo '# make gtls driver the default' >> /etc/rsyslog.conf #echo '$DefaultNetstreamDriver gtls' >> /etc/rsyslog.conf #echo "" >> /etc/rsyslog.conf #echo '# certificate files' >> /etc/rsyslog.conf #echo '$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem' >> /etc/rsyslog.conf #echo '$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/machine-cert.pem' >> /etc/rsyslog.conf #echo '$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/machine-key.pem' >> /etc/rsyslog.conf #echo "" >> /etc/rsyslog.conf #echo '$ActionSendStreamDriverAuthMode x509/name' >> /etc/rsyslog.conf #echo '$ActionSendStreamDriverPermittedPeer central.example.net' >> /etc/rsyslog.conf #echo '$ActionSendStreamDriverMode 1 # run driver in TLS-only mode' >> /etc/rsyslog.conf #echo '*.* @@central.example.net:10000 # forward everything to remote server port 10000' >> /etc/rsyslog.conf # CCE-17639-6 (row 140) is a noop # CCE-4182-2 (row 141) is noop # CCE-4292-9 (row 142) chkconfig auditd on # (rows 144 - 151, 153 - 155) FILE=`rpm -ql audit | grep stig` if [ x"$FILE" != "x" ] ; then cat $FILE | egrep -v 'immutable|ping|-e 2' > /etc/audit/audit.rules fi sed -i -e 's/^#\(-a always,exit -F arch=b.. -S clock_settime\)/\1 -F a0=0/g' /etc/audit/audit.rules # CCE-14296-8 (row 152) find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{printf "-a always,exit -F path=%s -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\n", $1 }' >> /etc/audit/audit.rules echo -e "\n" >> /etc/audit/audit.rules # CCE-14688-6 (row 156) echo -e "-w /sbin/insmod -p x -k modules" >> /etc/audit/audit.rules echo -e "-w /sbin/rmmod -p x -k modules" >> /etc/audit/audit.rules echo -e "-w /sbin/modprobe -p x -k modules" >> /etc/audit/audit.rules echo -e "-a always,exit -F arch=b32 -S init_module -S delete_module -k modules" >> /etc/audit/audit.rules echo -e "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" >> /etc/audit/audit.rules echo -e "\n" >> /etc/audit/audit.rules # CCE-14692-8 (row 157) echo -e "-e 2" >> /etc/audit/audit.rules # (rows 158 - 171) are noops # CCE-4421-4 (row 172) chkconfig readahead_early off # CCE-4302-6 (row 173) chkconfig readahead_later off # CCE-4355-4 (row 174) chkconfig bluetooth off # CCE-4377-8 (row 175) chkconfig hidd off # CCE-14948-4 (row 176) echo "alias net-pf-31 off" >> /etc/modprobe.d/usgcb-blacklist echo "alias bluetooth off" >> /etc/modprobe.d/usgcb-blacklist # CCE-4286-1, CCE-14825-4, CCE-3425-6 (row 177 - 179) are noops # CCE-14054-1 (row 180) echo "NOZEROCONF=yes" >> /etc/sysconfig/network # CCE-4324-0 row 181 is a noop # CCE-4304-2 (row 182) chmod 0600 /etc/anacrontab # CCE-4388-5 (row 183) chmod 0600 /etc/crontab # CCE-4250-7 (row 184) is a noop # CCE-4450-3 (row 185) chmod 0700 /etc/cron.daily # CCE-4106-1 (row 186) chmod 0700 /etc/cron.hourly # CCE-4251-5 (row 187) chmod 0700 /etc/cron.monthly # CCE-4203-6 (row 188) chmod 0700 /etc/cron.weekly # (rows 189 - 202) are noops # CCE-14466-7 (row 203) chkconfig atd off # CCE-4325-7 (row 204) is a noop # CCE-14061-6 (row 205) sed -i "s/#ClientAliveCountMax 3/ClientAliveCountMax 0/" /etc/ssh/sshd_config # CCE-3845-5 (row 206) sed -i "s/#ClientAliveInterval 0/ClientAliveInterval 900/" /etc/ssh/sshd_config # CCE-4475-0, CCE-4370-3 (rows 207- 208) are noop # CCE-4387-7 (row 209) sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config # CCE-3660-8 (row 210) is a noop # CCE-4431-8 (row 211) sed -i "s/#Banner \/some\/path/Banner \/etc\/issue/" /etc/ssh/sshd_config # CCE-14716-5 (row 212) is noop # CCE-14491-5 (row 213) echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config # CCE-4074-1 (row 214) echo "exec X :0 -nolisten tcp \$@" > /etc/X11/xinit/xserverrc # CCE-3717-6 (row 215) sed -i "s/\[greeter\]/\[greeter\]\nInfoMsgFile=\/etc\/issue\n/" /etc/gdm/custom.conf # CCE-4365-3 (row 216) chkconfig avahi-daemon off # CCE-4425-5 (row 217) chkconfig hplip off # CCE-4336-4 (row 218) noop due to (row 219) # CCE-4376-0 (row 220) chkconfig ntpd on # CCE-4385-1 (row 221) ntp.conf has some ntp servers in it # CCE-15018-5 (row 224) is a noop # CCE-14894-0 (row 225) sed -i "s/#ssl start_tls/ssl start_tls/" /etc/ldap.conf sed -i "s/#tls_checkpeer/tls_checkpeer/" /etc/ldap.conf sed -i "s/#tls_cacertdir \/etc\/ssl\/certs/tls_cacertdir \/etc\/pki\/tls\/CA/" /etc/ldap.conf #sed -i "s/#tls_cacertfile \/etc\/ssl\/ca.cert\/tls_cacertfile \/etc\/pki\/tls\/CA\/cacert.pem/" /etc/ldap.conf sed -i "s/#tls_cacertfile \/etc\/ssl\/ca.cert/tls_cacertfile \/etc\/pki\/tls\/CA\/cacert.pem/" /etc/ldap.conf # CCE-3501-4 (row 226) noop since openldap not installed # CCE-4396-8 (row 227) chkconfig nfslock off # CCE-3535-2 (row 228) chkconfig rpcgssd off # CCE-3568-3 (row 229) chkconfig rpcidmapd off # CCE-4533-6 (row 230) chkconfig netfs off # CCE-4550-0 (row 231) chkconfig portmap off # CCE-4473-5 (row 232) chkconfig nfs off # CCE-4491-7 (row 233) chkconfig rpcsvcgssd off # CCE-4368-7, CCE-4024-6, CCE-3578-2 (rows 234 - 236) are noops # CCE-3578-2 (row 237 & 238) noop # CCE-3919-8 (row 239) noop since 243 has it uninstalled # CCE-4338-0 (rows 240) is a noop since httpd not installed # CCE-3847-1, CCE-4239-0 (rows 242 - 243) are noops since dovecot is not installed # CCE-4551-8 (rows 244) is a noop since the server is not installed # CCE-14075-6 (row 245) sed -i "s/\[global\]/\[global\]\nclient signing = mandatory/" /etc/samba/smb.conf # CCE-15029-1 (row 246) is a noop due to needing to be done in fstab # CCE-4556-7, CCE-4076-6 (rows 247, 248) noops due to squid not being installed # CCE-3765-5, CCE-14081-4 (rows 249, 250) noops since net-snmp is not installed # CCE-18200-6 (row 252) is noop since talk-server is not installed # CCE-17504-2 (row 253) is noop since irda-utils is not installed # We turn this off since we already configured things chkconfig firstboot off # turn off selinux troubleshooter since root is needed chkconfig setroubleshoot off # CCE-3649-1 (row 254) sed -i "/631/d" /etc/sysconfig/iptables # CCE-18037-2 (row 255) sed -i "/5353/d" /etc/sysconfig/iptables # CCE-4072-5 (row 256) chkconfig autofs off # CCE-17816-0 (row 257) chkconfig rawdevices off # CCE-18412-7 (row 259) useradd -D -f 30 # CCE-XXXXX-X (row XXX) disable gnome thumbnailers. Skipped for now. #gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /desktop/gnome/thumbnailers/disable_all true # Workaround esound creating the directory in conflict with CCE-14794-2 mkdir -m 1777 /tmp/.esd