# Kickstart file automatically generated by anaconda.
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user
#
# Layout: kickstart directives first, then a %pre script that generates the
# %include fragments (/tmp/repo-include, /tmp/network-include,
# /tmp/part-include, /tmp/grub-include, /tmp/packages-include) from the
# hardware it detects, then %post scripts that harden the installed system.
#
# NOTE(review): this copy is collapsed onto a few very long lines and at least
# two here-documents inside %pre were lost during extraction (marked below
# where the "<>" residue survives). It is not runnable as-is; diff it against
# the original before reusing anything from it.
#version=DEVEL
#install
graphical
#text
%include /tmp/repo-include
# Language and keymap
keyboard --vckeymap=fr-latin9 --xlayouts='fr (latin9)'
lang fr_FR.UTF-8
timezone Europe/Paris --isUtc
# Skip EULA
eula --agreed
# Run the Setup Agent on first boot
firstboot --disabled
#unsupported_hardware
# Installation logging level
logging --level=debug
# Network: the active "network" line is generated by %pre into /tmp/network-include
# (static config taken from the ip= boot argument); the lines below are examples.
#network --onboot yes --device eth0 --bootproto static --ip 88.190.41.95 --netmask 255.255.255.0 --gateway 88.190.41.1 --noipv6 --nameserver 88.191.254.70,88.191.254.60 --hostname max.reslinger.net
#network --onboot no --device eth1 --bootproto dhcp --noipv6
%include /tmp/network-include
# Authentication and security
# NOTE(review): these are authconfig-style flags (--enableshadow, --passminlen ...).
# On RHEL 8 the kickstart "authselect" command hands its arguments to
# authselect(8); confirm it accepts them, otherwise the password-quality
# settings requested here are silently not applied.
authselect --enableshadow --passalgo=sha512 --passminlen=10 --passmaxrepeat=2 --passminclass=4 --enablereqlower --enablerequpper --enablereqdigit --enablereqother
#authselect select sssd with-ecryptfs
#authselect select sssd
# Not a valid crypt(3) hash, so no password can ever match: root has no usable
# password on the installed system (the %post below also runs "passwd -l root").
rootpw --iscrypted thereisnopasswordanditslocked
firewall --service=ssh
selinux --enforcing
# Single administrative account; it is also granted "NOPASSWD: ALL" sudo in %post.
user --groups=wheel --homedir=/home/adrien --name=adrien --uid=1000 --gid=1000 --password=$6$2/XYIHJ8zfgFPaJD$0eyYczGoQ5CnhT88I9brCiwr2fM23mY0Ai19XbON.NI1V/xQC1dnfw65PdYGoVrSmVerVvSFILYWhoLucwfia/ --iscrypted --gecos="Adrien Reslinger"
sshkey --username=adrien "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBolqsVpjBurjb0SYcUwKS07oPrpq3x4TCYQ97tZ4enj adrien@Jupiter"
# NOTE(review): the same key is installed for root. Together with
# "PermitRootLogin without-password" set in %post this keeps root reachable
# over SSH by key even though its password is locked; since adrien already has
# passwordless sudo, consider dropping this line and using PermitRootLogin no.
sshkey --username=root "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBolqsVpjBurjb0SYcUwKS07oPrpq3x4TCYQ97tZ4enj adrien@Jupiter"
# System services
services --enabled="chronyd"
services --enabled=sshd
services --enabled=rngd
# Remote access to the *installer*: kickstart "sshpw" sets the password of the
# installation environment's root, not of the installed system.
sshpw --username=root --iscrypted $6$h2g0.aIuG34zJ7U8$Nq0eFxAd7Vw1aabcJqONiS1yqkjpnk.4rAn8SkaTHRtSFljllmrtQOiiC9NKImNhvDGwltOMlhPsDuiQ1Ydol1
# Bootloader (generated in %pre)
%include /tmp/grub-include
# Partitioning (generated in %pre)
%include /tmp/part-include
%anaconda
# NOTE(review): minlen 8 / minquality 1 here is weaker than the
# --passminlen=10 / --passminclass=4 requested on the authselect line above;
# confirm which policy is intended.
pwpolicy root --minlen=8 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=8 --minquality=1 --notstrict --nochanges --notempty
pwpolicy luks --minlen=8 --minquality=1 --notstrict --nochanges --notempty
%end
# Reboot once the installation is finished
reboot
%include /tmp/packages-include
# role: Red Hat Enterprise Linux Server, Red Hat Enterprise Linux Workstation, Red Hat Enterprise Linux Compute Node
#syspurpose ---sla="Self-Support" -role="Red Hat Enterprise Linux Server" --usage=Production
#%addon com_redhat_kdump --enable --reserve-mb='auto' # or 128
%addon com_redhat_kdump --disable
%end
#%addon org_fedora_oscap
# content-type = scap-security-guide
# profile = pci-dss
#%end
#######################################################################
#######################################################################
# PRE
#######################################################################
#######################################################################
%pre
source /etc/os-release
# SSH key for the *installer* environment (lets the admin reach anaconda's
# sshd during the install; the installed system gets its keys via "sshkey").
mkdir -m 700 /root/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBolqsVpjBurjb0SYcUwKS07oPrpq3x4TCYQ97tZ4enj adrien@Jupiter" >> /root/.ssh/authorized_keys
if [ -z "${ARCH}" ]; then
  ARCH="`uname -m | sed 's|i.86|i386|'`"
fi
# Detect the platform (VMware, HP or Dell) from DMI.
# SERIAL/SERIALNB: whether a serial console is expected and on which ttyS unit.
# HDDCRYPT: whether the LVM PVs are created with LUKS (can be overridden from
# the kernel command line with "crypt" / "nocrypt" below).
#MACHINE="$(dmidecode -s system-manufacturer| cut -f 1 -d "," |cut -f 1 -d " ")"
#MACHINE="$(dmidecode -s system-manufacturer)"
MACHINE="$(cat /sys/class/dmi/id/sys_vendor)"
case "$MACHINE" in
  "Supermicro")
    SERIAL=true
    SERIALNB=1
    HDDCRYPT=true
    ;;
  "Red Hat"|QEMU|"OpenStack Foundation")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Microsoft Corporation")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Dell Inc.")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Xen")
    SERIAL=false
    HDDCRYPT=true
    ;;
  *)
    SERIAL=false
    HDDCRYPT=true
    ;;
esac
# Boot-argument overrides: "nouefi" forces a BIOS-style layout even on EFI firmware.
if [ $(grep -E -c '\snouefi($|\s)' /proc/cmdline) -eq 1 ]; then
  UEFI=false
else
  if [ -d /sys/firmware/efi ]; then
    UEFI=true
  else
    UEFI=false
  fi
fi
# "crypt" / "nocrypt" on the kernel command line override the per-platform default.
if [ $(grep -E -c '\scrypt($|\s)' /proc/cmdline) -eq 1 ]; then
  HDDCRYPT=true
fi
if [ $(grep -E -c '\snocrypt($|\s)' /proc/cmdline) -eq 1 ]; then
  HDDCRYPT=false
fi
#######################################################################
# Collect the installer's current network configuration
#######################################################################
# Interface, address, prefix, gateway, MAC and resolvers of the default route.
IF="$(ip route show | grep ^default | sed 's/.* dev \([^ ]*\) *.*/\1/' | sort -u)"
IP="$(ip addr show $IF | grep inet\ | awk '{print $2}' | cut -d/ -f1)"
PREFIX="$(ip addr show $IF | grep inet\ | awk '{print $2}' | cut -d/ -f2)"
#MASK="$(ipcalc -m $IP/$PREFIX | cut -d= -f2)"
# NOTE(review): relies on ifconfig being present in the installer image and on
# "$IP" as an unescaped regex (dots match any character) — confirm; the ipcalc
# variant above would avoid both.
MASK="$(ifconfig $IF | grep $IP | awk '{print $4}')"
GW="$(ip route show | grep ^default | sed 's/.* via \([^ ]*\) *.*/\1/' | sort -u)"
MAC="$(ip addr show $IF | grep ether\ | awk '{print $2}' | cut -d/ -f2 | tr [A-Z] [a-z])"
DNS="$(grep nameserver /etc/resolv.conf | grep -v 127.0.0.1 | awk '{printf $2","}' | sed 's/,$//')"
#if [ $(sed 's/ /\n/g' /proc/cmdline | grep -c ip=) -gt 1 ]; then
#  HOSTNAME="$(sed 's/ /\n/g' /proc/cmdline | grep ip= | cut -d: -f5)"
#else
#  HOSTNAME="$(curl --silent http://169.254.169.254/2009-04-04/meta-data/hostname | cut -f1 -d.)"
#fi
# Only when the kernel was booted with ip=<this address>:... do we pin a static
# configuration; the hostname is the 5th colon-separated field of that argument.
if [ $(grep -E -c '\sip='$IP /proc/cmdline) -eq 1 ]; then
  HOSTNAME="$(sed 's/ /\n/g' /proc/cmdline | grep ip= | cut -d: -f5)"
  echo network --onboot yes --device eth0 --bootproto static --ip $IP --netmask $MASK --gateway $GW --noipv6 --nameserver $DNS --hostname $HOSTNAME > /tmp/network-include
  #network --onboot no --device eth1 --bootproto dhcp --noipv6
  # curl --silent http://169.254.169.254/2009-04-04/meta-data/hostname | cut -f1 -d.
  # curl --silent http://169.254.169.254/2009-04-04/meta-data/local-ipv4
  # curl --silent http://169.254.169.254/2009-04-04/meta-data/public-ipv4
fi
# The %include must exist even when no static config was generated.
if [ ! -f /tmp/network-include ]; then
  touch /tmp/network-include
fi
#######################################################################
# Entropy boost
#######################################################################
#dd if=/dev/random of=/dev/urandom bs=1M count=2
#######################################################################
# Repository configuration (no spaces in repo names)
#######################################################################
# NOTE(review): ELrepo is fetched over plain http and none of the repo lines
# below carries a GPG key or gpgcheck option, so verification of packages
# pulled at install time depends entirely on anaconda's defaults — confirm.
# The REPO_* flags are only partially honoured (REPO_CRYPTSSH and REPO_EPEL
# are tested when building the package list; the others are not).
REPO_EPEL=true
REPO_ELREPO=true
REPO_CRYPTSSH=true
REPO_FORENSICS=true
REPO_RPMFUSION=true
echo "url --url=https://repo.almalinux.org/almalinux/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include
echo "repo --name=BaseOS --baseurl=https://repo.almalinux.org/almalinux/\$releasever/BaseOS/\$basearch/os/" >> /tmp/repo-include
echo "repo --name=AppStream --baseurl=https://repo.almalinux.org/almalinux/\$releasever/AppStream/\$basearch/os/" >> /tmp/repo-include
echo "repo --name=extras --baseurl=https://repo.almalinux.org/almalinux/\$releasever/extras/\$basearch/os/" >> /tmp/repo-include
echo "repo --name=PowerTools --baseurl=https://repo.almalinux.org/almalinux/\$releasever/PowerTools/\$basearch/os/" >> /tmp/repo-include
echo "repo --name=HighAvailability --baseurl=https://repo.almalinux.org/almalinux/\$releasever/HighAvailability/\$basearch/os/" >> /tmp/repo-include
echo "repo --name=epel --baseurl=https://dl.fedoraproject.org/pub/epel/8/Everything/\$basearch/" >> /tmp/repo-include
#echo "repo --name=RPMFusion-free --baseurl=https://download1.rpmfusion.org/free/el/" >> /tmp/repo-include
echo "repo --name=RPMFusion-free --baseurl=https://download1.rpmfusion.org/free/el/updates/8/\$basearch/" >> /tmp/repo-include
# x86_64 only
# https://copr-be.cloud.fedoraproject.org/results/gsauthof/dracut-sshd/pubkey.gpg
echo "repo --name=dracut-sshd --baseurl=https://download.copr.fedorainfracloud.org/results/gsauthof/dracut-sshd/epel-8-\$basearch/" >> /tmp/repo-include
echo "repo --name=ELrepo-8 --baseurl=http://elrepo.org/linux/elrepo/el8/\$basearch/" >> /tmp/repo-include
echo "repo --name=CERT-Forensics-Tools --baseurl=https://forensics.cert.org/centos/cert/8/\$basearch/" >> /tmp/repo-include
#######################################################################
# Boot and partitioning configuration
#######################################################################
# Wipe every partition on /dev/$1 and write a fresh label (gpt on EFI
# firmware, msdos otherwise). Currently only referenced from commented-out code.
clean_disk() {
  HDD="$1"
  for i in $(parted /dev/$HDD print | sed -n -e '/^Num/,$p' | sed -e '1d' -e '/^$/d' | awk '{print $1}'); do
    parted -s /dev/$HDD rm $i
  done
  if [ -d /sys/firmware/efi ]; then
    parted -s /dev/$HDD mklabel gpt
  else
    parted -s /dev/$HDD mklabel msdos
  fi
  partprobe /dev/$HDD
}
# Skipped entirely when "nopart" is on the kernel command line.
if [ $(grep -E -c '\snopart($|\s)' /proc/cmdline) -eq 0 ]; then
  # NOTE(review): the here-document that originally initialised
  # /tmp/part-include here was lost in extraction; only the "<>" residue
  # survives. Restore it from the original before use.
  cat > /tmp/part-include <> /tmp/part-include
  # Deactivate any VG / MD array the installer auto-assembled so the disks can be reused.
  if [ $(vgs | sed 1d | wc -l) -ne 0 ]; then
    for i in $(vgs | sed 1d | awk '{print $1}'); do vgchange -an $i; done
  fi
  for i in $(cat /proc/mdstat | grep ^md | awk '{print $1}'); do mdadm --stop /dev/$i; done
  # list-harddrives prints "<name> <size>" pairs: $1/$2 first disk, $3/$4 second, ...
  set $(list-harddrives)
  let numhd=$#/2
  HDD1=$1
  HDD1_SIZE=$2
  HDD2=$3
  HDD2_SIZE=$4
  HDD3=$5
  HDD3_SIZE=$6
  HDD4=$7
  HDD4_SIZE=$8
  # Sizes in MiB.
  UEFI_SIZE=128
  BOOT_SIZE=1024
  ROOT_SIZE=5120
  TMP_SIZE=1024
  VAR_SIZE=3072
  VARLOG_SIZE=3072
  VARLOGAUDIT_SIZE=512
  # SECURITY: the LUKS passphrase is hard-coded and becomes key slot 0 of every
  # PV. Nothing in this file replaces or removes it afterwards — the
  # clevis/luksRemoveKey lines in %post are commented out — and the last %post
  # copies /tmp (which includes this /tmp/part-include) to /root/tmp_install on
  # the installed system, so the passphrase is persisted on disk in clear text.
  if $HDDCRYPT; then
    HDDCRYPT_OPT="--encrypted --luks-version=luks2 --cipher=aes-xts-essiv:sha256 --passphrase=Ch4ngeM3"
  else
    HDDCRYPT_OPT=""
  fi
  MDINDEX=0
  DRIVES="$(for i in $(list-harddrives | cut -d\ -f1); do echo -n "$i "; done | sed 's/ $//')"
  DRIVES=($DRIVES)
  CLEARPART_TYPE="--all"
  # if [ "${CLEARPART_TYPE}" == "--all" ]; then
  #   for DRIVE in "${DRIVES[@]}"; do
  #     clean_disk "${DRIVE}"
  #   done
  #   CLEARPART_TYPE="--none"
  # fi
  echo -e "clearpart --drives="$(echo ${DRIVES[@]} | tr \ \,)" ${CLEARPART_TYPE}\n" >> /tmp/part-include
  # UEFI partitions: a RAID1 ESP across all disks when there are several,
  # otherwise a single ESP.
  # NOTE(review): "${DRIVE}" (singular) is never assigned in this copy — it only
  # appears in the commented-out loop above — so on a single-disk UEFI install
  # the generated --onpart value would be just "1". Confirm against the original.
  if $UEFI; then
    if [ "${CLEARPART_TYPE}" != "--linux" ]; then
      if [ "${#DRIVES[@]}" -gt 1 ]; then
        for i in `seq 1 ${#DRIVES[@]}`; do
          echo "part raid.$[${MDINDEX}+1]${i} --size=32 --maxsize=${UEFI_SIZE} --grow --ondisk=${DRIVES[$[${i}-1]]}" >> /tmp/part-include
        done
        echo -n "raid /boot/efi --fstype=efi --level=RAID1 --device=md${MDINDEX}" >> /tmp/part-include
        for i in `seq 1 ${#DRIVES[@]}`; do
          echo -n " raid.$[${MDINDEX}+1]${i}" >> /tmp/part-include
        done
        echo >> /tmp/part-include
        MDINDEX=$[${MDINDEX}+1]
      else
        echo "part /boot/efi --fstype=efi --onpart=${DRIVE}1" >> /tmp/part-include
      fi
    else
      if [ "${#DRIVES[@]}" -gt 1 ]; then
        # Existing Windows install and several disks: refuse to touch it.
        echo "On ne touche pas le disque Windows" >&2
        exit 1
      else
        echo "part /boot/efi --fstype=efi --onpart=${DRIVE}$(parted /dev/${DRIVE} print | grep EFI | awk '{print $1}') --noformat" >> /tmp/part-include
      fi
    fi
  else
    UEFI_SIZE=1
  fi
  # /boot partition (RAID1 across all disks when there are several)
  if [ "${#DRIVES[@]}" -gt 1 ]; then
    for i in `seq 1 ${#DRIVES[@]}`; do
      echo "part raid.$[${MDINDEX}+1]${i} --size=${BOOT_SIZE} --ondisk=${DRIVES[$[${i}-1]]}" >> /tmp/part-include
    done
    echo -n "raid /boot --fstype=ext4 --level=RAID1 --device=md${MDINDEX}" >> /tmp/part-include
    for i in `seq 1 ${#DRIVES[@]}`; do
      echo -n " raid.$[${MDINDEX}+1]${i}" >> /tmp/part-include
    done
    echo >> /tmp/part-include
    MDINDEX=$[${MDINDEX}+1]
  else
    echo "part /boot --fstype=ext4 --size=${BOOT_SIZE} --ondisk=${HDD1}" >> /tmp/part-include
  fi
  # System: one (optionally LUKS-encrypted) PV per disk, all in vg_sys.
  # Mirroring of the logical volumes is done later with lvconvert in %post.
  for i in `seq 1 ${#DRIVES[@]}`; do
    echo "part pv.0${i} --grow --size=1 --ondisk=${DRIVES[$i-1]} ${HDDCRYPT_OPT}" >> /tmp/part-include
  done
  echo -n "volgroup vg_sys --pesize=131072" >> /tmp/part-include
  for i in `seq 1 ${#DRIVES[@]}`; do
    echo -n " pv.0${i}" >> /tmp/part-include
  done
  echo >> /tmp/part-include
  # NOTE(review): lost in extraction at this point: the logvol here-document
  # for vg_sys, the "fi" closing the nopart test above, the here-document that
  # writes /tmp/grub-include, and (presumably) the %packages header written to
  # /tmp/packages-include. The single line that survives below is not the
  # original code.
  cat >> /tmp/part-include < /tmp/grub-include <> /tmp/packages-include
  # Base package list; platform-specific additions follow in the next section.
  cat >> /tmp/packages-include <<'EOF'
@^minimal-environment
NetworkManager-config-server
NetworkManager-dispatcher-routing-rules
@core
#@french-support
NetworkManager-team
NetworkManager-bluetooth
NetworkManager-wifi
NetworkManager-wwan
kexec-tools
wget
rsync
screen
pciutils
usbutils
dmidecode
bash-completion
chrony
clevis-dracut
nmap-ncat
#dracut-config-generic
#dracut-norescue
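xz
#deltarpm # Pas trouvé !!!
firewalld
postfix
smartmontools
#ntpdate # Pas trouvé !!!
rng-tools
#console-setup # Pas trouvé !!!
device-mapper-event
gpgme
ca-certificates
epel-release
fail2ban
fail2ban-mail
fail2ban-systemd
fail2ban-hostsdeny
pigz
pxz
tcp_wrappers
iscsi-initiator-utils
EOF
# Optional: sshd inside the initramfs (remote LUKS unlock); configured in %post.
if ${REPO_CRYPTSSH}; then
  cat >> /tmp/packages-include <<'EOF'
dracut-sshd
EOF
fi
# EFI boot stack, plus the architecture-specific shim.
if $UEFI; then
  cat >> /tmp/packages-include <<'EOF'
efivar
efibootmgr
grub2-efi
fwupdate
EOF
  case $ARCH in
    x86_64) echo shim-x64 >> /tmp/packages-include ;;
    i386)   echo shim-ia32 >> /tmp/packages-include ;;
    *)      echo shim >> /tmp/packages-include ;;
  esac
fi
# Platform-specific guest/management tools (MACHINE comes from DMI, see above).
case "$MACHINE" in
  "Supermicro"|"Dell Inc.")
    echo ipmitool >> /tmp/packages-include
    ;;
  "Red Hat"|QEMU)
    echo spice-vdagent >> /tmp/packages-include
    echo qemu-guest-agent >> /tmp/packages-include
    ;;
  "OpenStack Foundation")
    echo acpid >> /tmp/packages-include
    echo qemu-guest-agent >> /tmp/packages-include
    ;;
  "Xen")
    if ${REPO_EPEL}; then
      echo xe-guest-utilities-latest >> /tmp/packages-include
      #echo xe-guest-utilities-xenstore >> /tmp/packages-include
    fi
    ;;
  "VMware")
    echo open-vm-tools >> /tmp/packages-include
    ;;
  *)
    : # nothing extra for unknown platforms
    ;;
esac
echo "%end" >> /tmp/packages-include
%end
#######################################################################
#######################################################################
# POST
#######################################################################
#######################################################################
# Runs in the installer environment (no chroot); the target is /mnt/sysimage.
# Kickstart runs every %pre/%post section as its own script, so nothing set
# in %pre is visible here.
%post --nochroot
# list-harddrives prints "<name> <size>" pairs: $1/$2 first disk, $3/$4 second.
# "set --" keeps an empty result from turning into a bare "set" (which would
# dump the environment instead).
set -- $(list-harddrives)
HDD1_SIZE=$2
HDD2_SIZE=$4
# Mirror the logical volumes (RAID1) when there are two equally sized disks.
if [ "$(list-harddrives | wc -l)" -gt 1 ]; then
  if [ "${HDD1_SIZE}" = "${HDD2_SIZE}" ]; then
    # lvs -a -o name,copy_percent,devices vg_sys
    for LV in lv_tmp lv_var lv_log lv_logaudit lv_root; do
      lvconvert --yes --type raid1 -m 1 "vg_sys/${LV}"
    done
    # Wait for the initial sync of lv_root before the install proceeds.
    # The original test, `lvs -a | grep lv_root] | awk '{print $5}'`, could
    # never match (stray "]" in the pattern) and the unquoted empty result
    # made "[" fail, so the loop exited immediately and never waited.
    # Query the column by name instead; stop if lvs fails or prints nothing
    # (e.g. the LV does not exist) rather than spinning forever.
    while sync_pct="$(lvs --noheadings -o copy_percent vg_sys/lv_root 2>/dev/null | tr -d ' ')" \
        && [ -n "${sync_pct}" ] && [ "${sync_pct}" != "100.00" ]; do
      sleep 5
    done
  fi
fi
# Enable thin-pool auto-extension: a full metadata volume corrupts the filesystems.
# https://support.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0126706
# Recovery: https://www.redhat.com/archives/linux-lvm/2014-December/msg00015.html
sed -e 's/^\(\s*thin_pool_autoextend_threshold = \)[0-9]*/\180/' \
    -e 's/^\(\s*thin_pool_autoextend_percent = \)[0-9]*/\110/' \
    -i /mnt/sysimage/etc/lvm/lvm.conf
# Compression and autodefrag for every BTRFS filesystem. These only act on
# fstab lines / mounts that mention btrfs, so they are no-ops with the
# ext4/LVM layout generated above.
sed -e '/btrfs/ s|\(\s*/home\s*btrfs\s*\)|\1nodev,noexec,nosuid,|' -i /mnt/sysimage/etc/fstab
sed -e '/btrfs/ s|\(btrfs\s*\)|\1compress=lzo,autodefrag,|' -i /mnt/sysimage/etc/fstab
mount | grep btrfs | awk '{print $3}' | while read -r SF; do
  if [ "$(mount | grep on\ "$SF"\ | awk '{print $5}')" == "btrfs" ]; then
    btrfs filesystem defragment -r -clzo "$SF"/
  fi
done
%end
# Chrooted %post: runs inside the installed system.
%post
# Platform detection again: %pre variables do not carry over to %post.
# SERIAL/SERIALNB drive the serial-console and grub setup below; HDDCRYPT is
# set for symmetry with %pre but is not read in this section.
#MACHINE="$(dmidecode -s system-manufacturer| cut -f 1 -d "," |cut -f 1 -d " ")"
#MACHINE="$(dmidecode -s system-manufacturer)"
MACHINE="$(cat /sys/class/dmi/id/sys_vendor)"
case "$MACHINE" in
  "Supermicro")
    SERIAL=true
    SERIALNB=1
    HDDCRYPT=true
    ;;
  "Red Hat"|QEMU|"OpenStack Foundation")
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Dell Inc.") # untested
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "HP") # untested
    SERIAL=true
    SERIALNB=0
    HDDCRYPT=true
    ;;
  "Xen")
    SERIAL=false
    HDDCRYPT=true
    ;;
  *)
    SERIAL=false
    HDDCRYPT=true
    ;;
esac
# Clear then lock root's password. Per passwd(1) a locked password does not
# disable the account: root can still log in with the SSH key installed by
# "sshkey --username=root" at the top of this file.
passwd -d root
passwd -l root
#######################################################################
# Import the repository signing keys
#######################################################################
# Glob instead of parsing ls; the -f test also skips the literal pattern when
# the directory is empty. Every key shipped in the directory is trusted.
for keyfile in /etc/pki/rpm-gpg/*; do
  if [ -f "${keyfile}" ]; then
    rpm --import "${keyfile}"
  fi
done
#######################################################################
# Root access restriction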
####################################################################### touch /etc/securetty #chmod 0644 /etc/securetty # restorecond ? sed '2 iauth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so' -i /etc/pam.d/login ####################################################################### # Restriction d'accès des PID dans /proc ####################################################################### echo "proc /proc proc rw,nosuid,nodev,noexec,relatime,defaults,hidepid=2 0 0" >> /etc/fstab ####################################################################### # Restriction d'accès ssh pour root ####################################################################### # https://stribika.github.io/2015/01/04/secure-secure-shell.html sed 's/^\(#\|\)PermitRootLogin.*/PermitRootLogin without-password/' -i /etc/ssh/sshd_config sed '/^# Ciphers and keying/ aKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' -i /etc/ssh/sshd_config sed '/^KexAlgorithms/ aCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com' -i /etc/ssh/sshd_config sed '/^Ciphers/ aMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com' -i /etc/ssh/sshd_config echo "AllowUsers root adrien" >> /etc/ssh/sshd_config if [ -f /etc/ssh/moduli ]; then awk '$5 > 2000' /etc/ssh/moduli > /dev/shm/moduli if [ $(wc -l /dev/shm/moduli | cut -f1 -d\ ) -gt 0 ]; then cat /dev/shm/moduli > /etc/ssh/moduli fi #else # ssh-keygen -G /etc/ssh/moduli.all -b 4096 # ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all # mv /etc/ssh/moduli.safe /etc/ssh/moduli # rm -f /etc/ssh/moduli.all fi ####################################################################### # Restriction d'accès avec TCP Wrappers ####################################################################### echo "ALL:ALL EXCEPT 127.0.0.1:DENY" >> /etc/hosts.deny cat >> /etc/hosts.allow << 'EOF' sshd:ALL # Pour NFS 
#portmap:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0 #lockd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0 #mountd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0 #rquotad:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0 #statd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0 # Pour Saned #sane:172.16.0.0/255.255.255.0 # Pour ProFTPd #in.ftpd:ALL # Pour le tftp #in.tftpd:172.16.0.0/255.255.255.0 192.168.1.1 # Pour VMware #vmware-authd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0 # Pour SNMP #snmpd:172.16.0.0/255.255.255.0 172.16.2.0/255.255.255.0 172.16.255.0/255.255.255.0 EOF ####################################################################### # Configuration de postfix ####################################################################### cp -a /etc/postfix/main.cf{,.orig} sed -e '/^#mydomain = domain.tld$/ amydomain = reslinger.net' -e 's/^#\(myorigin = $mydomain\)$/\1/' -e '/#relayhost = \[an.ip.add.ress\]/ arelayhost = mail.reslinger.net' -i /etc/postfix/main.cf sed 's/^#root:.*/root:\t\tadrien/' -i /etc/aliases postalias /etc/aliases ####################################################################### # Configuration de logrotate ####################################################################### sed 's/^#*\(compress\)/\1/' -i /etc/logrotate.conf ####################################################################### # Configuration de sudo ####################################################################### echo "Defaults:backup !requiretty" > /etc/sudoers.d/backup echo "backup ALL=(ALL) NOPASSWD: /usr/bin/rsync" >> /etc/sudoers.d/backup echo "adrien ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/adrien chmod 440 /etc/sudoers.d/* ####################################################################### # Configuration de fail2ban 
#######################################################################
# NOTE(review): destemail points at an address on a third-party domain that
# appears nowhere else in this file (mail is otherwise routed to adrien via
# /etc/aliases and relayed through mail.reslinger.net); action_mw sends whois
# data about banned hosts there. Confirm this is the intended recipient.
touch /etc/fail2ban/paths-overrides.local
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# "bantime" is the number of seconds that a host is banned.
bantime = 604800 ; 1 week
#bantime = 172800 ; 48h
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 86400 ; 1 day
#findtime = 3600 ; 1h
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = mathieu.prevel@dedipresta.com
# Sender email address used solely for some actions
sender = root@localhost
# Select mail mta instead of sendmail
mta = mail
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mw)s
EOF
cat > /etc/fail2ban/jail.d/02-services.conf << 'EOF'
[sshd]
enabled = true
EOF
systemctl enable fail2ban
#######################################################################
# Serial console access
#######################################################################
# Allow root to log in on the serial port: ttyS<SERIALNB> is added to the
# (otherwise empty) /etc/securetty created earlier, making it the only tty
# where pam_securetty lets root in.
if $SERIAL; then
  # # Root login on the serial port
  # # /etc/securetty no longer ships with CentOS 8
  # sed -e "s/ttyS0/ttyS${SERIALNB}/" -i /etc/securetty
  if [ $(grep -c ttyS${SERIALNB} /etc/securetty) -eq 0 ]; then
    echo ttyS${SERIALNB} >> /etc/securetty
  fi
  # ##systemctl enable serial-getty@ttyUSB0.service
  # #cp /lib/systemd/system/serial-getty@.service \
  # #   /etc/systemd/system/serial-getty@ttyS1.service
  # #sed -i "s|^ExecStart=.*$|ExecStart=-/sbin/agetty 9600 %I $TERM|g" \
  # #   /etc/systemd/system/serial-getty@ttyS1.service
  # #chmod 644 /etc/systemd/system/serial-getty@ttyS1.service
  # #systemctl --system daemon-reload
  # #systemctl start serial-getty@ttyS1.service
  # #systemctl enable serial-getty@ttyS1.service
  # #systemctl status serial-getty@ttyS1.service
fi
chmod 0644 /etc/securetty
#######################################################################
# IPMI: load the modules at boot on every platform (not only the ones with a BMC)
#######################################################################
cat > /usr/lib/modules-load.d/ipmi.conf <<'EOF'
# auto load ipmi modules during boot
ipmi_msghandler
ipmi_devintf
ipmi_si
EOF
#######################################################################
# Custom grub configuration
#######################################################################
# Put the grub menu on the serial port as well as the VGA console.
if $SERIAL; then
  sed -e 's/^\(GRUB_TERMINAL=\).*/\1"serial console"/' -e '/^GRUB_TERMINAL=/ aGRUB_SERIAL_COMMAND="serial --speed=115200 --unit='${SERIALNB}' --word=8 --parity=no --stop=1"' -i /etc/default/grub
  # Add "console=ttyUSB0,115200 console=tty0" at the end of GRUB_CMDLINE_LINUX in /etc/default/grub for CentOS 7 ?
fi
# Remove the recovery entries from the menu
sed 's/^\(GRUB_DISABLE_RECOVERY=\).*/\1"true"/' -i /etc/default/grub
#######################################################################
# Regenerate the grub configuration / dracut settings
#######################################################################
# No rescue initramfs (flips the first "yes" on each line of the stock file).
sed 's/yes/no/' /usr/lib/dracut/dracut.conf.d/02-rescue.conf > /etc/dracut.conf.d/02-rescue.conf
# Modules needed for a root on thin-provisioned LVM and on RAID
echo 'add_drivers+=" dm-mod dm-snapshot dm-thin-pool dm-mirror dm-raid raid1 raid0 raid10 raid456 "' > /etc/dracut.conf.d/thin-provisionning.conf
# KVM drivers
echo 'force_drivers+=" virtio_net "' > /etc/dracut.conf.d/virtual.conf
echo 'add_drivers+=" virtio_net virtio_balloon virtio_input virtio_console virtio_scsi virtio_blk virtio-gpu "' >> /etc/dracut.conf.d/virtual.conf
# NVMe drivers
echo 'force_drivers+=" nvme "' > /etc/dracut.conf.d/nvme.conf
echo 'add_drivers+=" nvme "' >> /etc/dracut.conf.d/nvme.conf
# Helper that regenerates grub.cfg in the right place for EFI or BIOS boots.
cat > /usr/local/sbin/update-grub << 'EOF'
#!/bin/sh
. /etc/os-release
if [ -d /sys/firmware/efi -a -e /boot/efi/EFI/almalinux/grub.cfg ]; then
  CONFDIR=/boot/efi/EFI/almalinux
else
  CONFDIR=/boot/grub2
fi
grub2-mkconfig -o "${CONFDIR}"/grub.cfg
EOF
chmod +x /usr/local/sbin/update-grub
# NOTE(review): UEFI is only assigned in %pre. Each kickstart section runs as a
# separate script (this %post re-derives MACHINE/SERIAL for that reason but not
# UEFI), so $UEFI is empty here and this refresh most likely never runs —
# confirm, and re-detect from /sys/firmware/efi if the BIOS path is wanted.
if ! $UEFI; then /usr/local/sbin/update-grub; fi
#######################################################################
# Automatic LUKS unlock (clevis/tang) — disabled
#######################################################################
# SECURITY: because this block is commented out, the install-time passphrase
# "Ch4ngeM3" written by %pre stays as the only LUKS key on the installed
# system; it must be changed/removed on first boot.
#curl -sfg https://tang.dedilabs.io/adv -o adv.jws
#for i in $(blkid -t TYPE=crypto_LUKS -o device); do
#  clevis luks bind -f -k- -d $i tang '{"url":"https://tang.dedilabs.io","adv":"adv.jws"}' \
#    <<< "Ch4ngeM3"
#done
#cryptsetup luksRemoveKey /dev/nvme0n1p3 <<< "Ch4ngeM3"
#cryptsetup luksRemoveKey /dev/nvme1n1p3 <<< "Ch4ngeM3"
#######################################################################
# Rebuild the initramfs (with sshd inside it when dracut-sshd is installed)
#######################################################################
if [ -e "/usr/lib/dracut/modules.d/46sshd/sshd_config" ]; then
  # https://github.com/gsauthof/dracut-sshd
  # Host keys are generated now so the same keys are bundled into the initramfs
  # and used by the regular sshd (no passphrase: they are service keys).
  ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
  ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""
  ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
  # Early-boot sshd listens on 222 with the same algorithm set as the main sshd.
  sed '1 iPort 222\n\nKexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com\n' -i /usr/lib/dracut/modules.d/46sshd/sshd_config
  # Keep a copy of the previous initramfs for the newest installed kernel, then rebuild it.
  cp -a /boot/initramfs-$(ls -tr /lib/modules/ | tail -n 1).img{,.old}
  dracut --force /boot/initramfs-$(ls -tr /lib/modules/ | tail -n 1).img $(ls -tr /lib/modules/ | tail -n 1)
fi
%end
# SECURITY: this persists the installer's whole /tmp on the target, including
# /tmp/part-include, which %pre wrote with "--passphrase=Ch4ngeM3". Either
# drop this copy or strip the passphrase from it before it lands on disk.
%post --nochroot
cp -a /tmp /mnt/sysimage/root/tmp_install
%end