install
url --url http://....
lang en_US.UTF-8
langsupport --default=en_CA.UTF-8 en_CA.UTF-8 en_US.UTF-8
keyboard us
network --device eth0 --bootproto dhcp
rootpw --iscrypted ....
firewall --disabled
selinux --enforcing
authconfig --enableshadow --enablemd5
timezone --utc America/Vancouver
bootloader --location=mbr
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --linux
part /boot --fstype ext3 --size=100 --asprimary
part pv.8 --size=100 --grow
volgroup VolGroup00 --pesize=32768 pv.8
logvol / --fstype ext3 --name=Root --vgname=VolGroup00 --size=512
logvol swap --fstype swap --name=swap --vgname=VolGroup00 --size=1024
logvol /tmp --fstype ext3 --name=Tmp --vgname=VolGroup00 --size=512
logvol /home --fstype ext3 --name=Home --vgname=VolGroup00 --size=1024
logvol /var/log --fstype ext3 --name=VarLog --vgname=VolGroup00 --size=1024
logvol /var --fstype ext3 --name=Var --vgname=VolGroup00 --size=3008
logvol /usr --fstype ext3 --name=Usr --vgname=VolGroup00 --size=2016

%packages
e2fsprogs
grub
lvm2
kernel
dtach
elinks
lslk
ntp
postfix
screen
SL_enable_slocate_cron
SL_inittab_change
sysstat
vim-common
vim-enhanced
which
yum-changelog
yum-conf
yum-installonlyn
yum-protectbase
yum-versionlock

-sendmail
-procmail
-syslinux
-freetype
-nfs-utils
-xorg-x11-libs
-isdn4k-utils
-mkbootdisk
-libjpeg
-wvdial
-bluez-utils
-rdist
-nc
-cups
-lrzsz
-NetworkManager
-setuptool
-libpng
-ipw2200-firmware
-ppp
-hesiod
-m4
-portmap
-autofs
-diskdumputils
-pax
-finger
-bluez-libs
-system-config-mouse
-yp-tools
-pam_krb5
-ipw2100-firmware
-fontconfig
-jpackage-utils
-mtools
-acpid
-system-config-network-tui
-redhat-lsb
-system-config-securitylevel-tui
-libtiff
-ypbind
-xorg-x11-Mesa-libGL
-irda-utils
-talk
-rp-pppoe
-bluez-bluefw
-mt-st
-apmd
-tcpdump
-rsh
-wireless-tools
-cups-libs
-pam_smb
-numactl
-bluez-hcidump
-krb5-workstation
-netconfig

%post
##############
# First Boot #
##############
# A file is created and rc.local set to run on boot.
# The file eats itself once it's done and removes the entry from rc.local

echo '/etc/sysconfig/firstboot' >> /etc/rc.d/rc.local

cat << EOF > /etc/sysconfig/firstboot
/etc/cron.daily/yum.cron
/usr/bin/yum update kernel* -y
/usr/bin/yum install SL_enable_serialconsole -y
/usr/bin/updatedb
sed -i /firstboot/d /etc/rc.d/rc.local
rm -f /etc/sysconfig/firstboot

# cfengine bootstrapping stuff here later
#
reboot                                             # reboot the system
to apply any kernel changes
EOF

chown root:root /etc/sysconfig/firstboot
chmod 700 /etc/sysconfig/firstboot


#################
# Configure Yum #
#################
# Use our local repositories rather than ftp.scientificlinux.org
sed -i /baseurl/c\baseurl=http://......../4x/\$basearch/errata/SL/RPMS
/etc/yum.repos.d/sl-errata.repo
sed -i /baseurl/c\baseurl=http://......../4x/\$basearch/SL/RPMS
/etc/yum.repos.d/sl.repo
sed -i /baseurl/c\baseurl=http://...../4x/\$basearch/errata/fastbug/RPMS
/etc/yum.repos.d/sl-fastbug.repo

###############################
# Send root's email somewhere #
###############################
sed -i /^#root:/c\root:\ root@..... /etc/aliases
newaliases

#######################
## HARDEN THE SYSTEM ##
#######################

# Start by setting the umask so that files that get created aren't
readable by everyone
umask 077

###############################
# Turn off un-needed services #
###############################
for SERVICE in netfs readahead readahead_early cpuspeed rawdevices
xinetd pcmcia iptables mdmonitor anacron atd kudzu;
do
    chkconfig --level 0123456 $SERVICE off
done

##############
# Enable NTP #
##############
chkconfig --level 3 ntpd on

###########################################
# Configure and Enable Process Accounting #
###########################################
# Create the process accounting log file and set it's permissions
touch /var/log/pacct
chmod 600 /var/log/pacct

# The psacct utilities (sa, lastcomm, etc) expect the log file to be at
/var/account/pacct.
# I want all my logs in /var/log/ so I need to change the init script
and create a symlink
# to the default location
sed -i s/ACCTFILE=\/var\/account\/pacct/ACCTFILE=\/var\/log\/pacct/
/etc/rc.d/init.d/psacct
ln -sf /var/log/pacct /var/account/pacct

# Turn on process accounting
chkconfig --level 3 psacct on

# Setup log rotation for process accounting - these logs can take up a
fair bit of space
cat << EOF > /etc/logrotate.d/pacct
# default to rotation schedule set in /etc/logrotate.conf
/var/log/pacct {
    postrotate
    /usr/sbin/accton /var/log/pacct
    endscript
}
EOF

################################
# Set Tighter File Permissions #
################################
# add 'nodev' option to appropriate partitions in /etc/fstab
cp -p /etc/fstab /etc/fstab.tmp
awk '($3 ~ /^ext[23]$/ && $2 != "/") \
    { $4 = $4 ",nodev" }; \
    { print }' /etc/fstab.tmp > /etc/fstab
chown root:root /etc/fstab
chmod 0644 /etc/fstab
rm -f /etc/fstab.tmp

# Set a very restrictive system umask
echo 'umask 077' >> /etc/profile
echo 'umask 077' >> /etc/.bash_profile
echo 'umask 077' >> /etc/csh.login

# Remove rwx from other for the following files
for PROGRAM in /bin/setserial /sbin/badblocks /sbin/ctrlaltdel
/sbin/chkconfig /sbin/debugfs /sbin/depmod /sbin/dump /sbin/dumpe2fs
/sbin/fdisk /sbin/fsck /sbin/fsck.ext2 /sbin/halt /sbin/hdparm
/sbin/hwclock /sbin/ifconfig /sbin/ifdown /sbin/ifup /sbin/init
/sbin/insmod /sbin/killall5 /sbin/mingetty /sbin/mke2fs /sbin/mkfs
/sbin/mkfs.ext2 /sbin/mkfs.msdos /sbin/mkinitrd /sbin/mkswap
/sbin/modinfo /sbin/modprobe /sbin/quotaon /sbin/restore /sbin/runlevel
/sbin/swapon /sbin/tune2fs /usr/bin/eject /usr/bin/minicom /usr/sbin/atd
/usr/sbin/atrun /usr/sbin/crond /usr/sbin/edquota /usr/sbin/groupadd
/usr/sbin/groupdel /usr/sbin/usernetctl /usr/sbin/groupmod
/usr/sbin/grpck /usr/sbin/grpconv /usr/sbin/grpunconv /sbin/klogd
/usr/sbin/logrotate /usr/sbin/newusers /usr/sbin/vipw /usr/sbin/ntpdate
/usr/sbin/ntpq /usr/sbin/ntptime /usr/sbin/ntptrace /usr/sbin/ntsysv
/usr/sbin/pwck /usr/sbin/pwconv /usr/sbin/pwunconv /usr/sbin/rdev
/usr/sbin/rpc.rquotad /usr/sbin/rpcinfo /sbin/syslogd /usr/sbin/tcpd
/usr/sbin/tmpwatch /usr/sbin/tunelp /usr/sbin/useradd /usr/sbin/userdel
/usr/sbin/usermod /usr/sbin/visudo;
do
    chmod 750 $PROGRAM
done

# Ensure that all log file perms are set correctly
cd /var/log
chmod o-rwx boot.log* cron* dmesg ksysms* httpd/* maillog* messages*
news/* pgsql rpmpkgs* samba/* sa/* scrollkeeper.log secure* spooler*
squid/* vbox/* wtmp
chmod o-rx boot.log* cron* maillog* messages* pgsql secure* spooler*
squid/* sa/*
chmod g-w boot.log* cron* dmesg ksysms* httpd/* maillog* messages* pgsql
rpmpkgs* samba/* sa/* scrollkeeper.log secure* spooler*
chmod g-rx boot.log* cron* maillog* messages* pgsql secure* spooler*
chmod o-w gdm/ httpd/ news/ samba/ squid/ sa/ vbox/
chmod o-rx httpd/ samba/ squid/ sa/
chmod g-w gdm/ httpd/ news/ samba/ squid/ sa/ vbox/
chmod g-rx httpd/ samba/ sa/
chmod u-x kernel syslog loginlog
chown -R root:root .
chgrp utmp wtmp
[ -e news ] && chown -R news:news news
[ -e pgsql ] && chown postgres:postgres pgsql
chown -R squid:squid squid
cd -

# Set some misc permissions
chmod 2750 /sbin/netreport
chmod 4750 /usr/bin/gpasswd
chmod 4710 /usr/sbin/userhelper
chmod 550 /usr/sbin/quotastats
chmod 550 /usr/sbin/repquota
chmod 400 /etc/crontab
chmod 700 /var/spool/cron
chmod -R go-rwx /etc/cron.allow /etc/cron.deny /etc/cron.d
/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly

##################
# SUID Lock Down #
##################
for PROGRAM in /bin/mount /bin/umount /bin/ping /usr/bin/at
/usr/sbin/traceroute /bin/traceroute6;
do
    chmod 755 $PROGRAM
done

chmod 750 /usr/sbin/usernetctl

#################################
# Lock Down Individual Services #
#################################
# Deny anyone the ability to use the //at// and //batch// commands
touch /etc/at.allow
chmod go-rwx /etc/at.allow /etc/at.deny

# Deny anyone, but root, the ability to use cron
echo root > /etc/cron.allow

# Lock down the ssh client and server
cat << EOF >> /etc/ssh/sshd_config
Protocol 2
PermitRootLogin no
Banner /etc/issue.net
EOF

echo '      Protocol 2' >> /etc/ssh/ssh_config

####################################
# Enforce a Strong Password Policy #
####################################
# This policy enforces a minimum password length of 8 characters,
# cannot be based upon a dictionary word, and should have
# uppercase, lowercase, digits and symbols.

sed -i s/PASS_MIN_LEN.*/PASS_MIN_LEN\ 8/ /etc/login.defs
sed -i s/pam_cracklib.so\ retry=3/pam_cracklib.so\ retry=3\ minlen=12\
dcredit=1\ ucredit=1\ lcredit=1\ ocredit=1\ difok=0/ /etc/pam.d/system-auth

#########################
# Kernel Network Tuning #
#########################
# !!Note: This will probably be handled by shorewall if I decide
# to put shorewall on all boxes!!
cat << EOF > /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
chown root:root /etc/sysctl.conf
chmod 0600 /etc/sysctl.conf

##################
# Misc Lock Down #
##################
# Configure TCPwrappers
cat << EOF >> /etc/hosts.allow
ALL : localhost : ALLOW
in.fingerd :  ALL :  DENY
sshd :  ALL :  ALLOW
EOF

echo 'ALL :  ALL :  spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s
"Port Denial noted %d-%h" root) & :  DENY' >> /etc/hosts.deny

# set some system limits so that a given user can't DOS the system
cat << EOF >> /etc/security/limits.conf
# prevent core dumps
*       hard    core    0

#limit user processes per user to 150
*       soft    nproc   100
*       hard    nproc   150
EOF

# Turn off the magic sysrequest key feature
echo '#Disable the magic sysrequest key feature' >> /etc/sysctl.conf
echo 'kernel.sysrq = 0' >> /etc/sysctl.conf

# Set a legal warning in /etc/issue* so that anyone logging in will be
informed of the consequences of their actions.
ln -sf /etc/issue /etc/issue.net
cat << EOF > /etc/issue
***************************************************************************
                                 NOTICE


This computer system is the private property of .............
It is for authorized use only.  Users (authorized or
unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception,
monitoring, recording, copying, auditing, inspection, and
disclosure at the discretion of such personnel or officials.
Unauthorized or improper use of this system may result in
civil and criminal penalties and administrative or disciplinary
action, as appropriate. By continuing to use this system you
indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree
to the conditions stated in this warning.

****************************************************************************