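# Stage a CentOS network installer on this host: fetch the installer kernel and
# initrd from the mirror, write a kickstart that partitions per the CIS CentOS
# Linux 7 Benchmark, add a GRUB entry that boots into the installer, wipe root's
# home, and reboot.
#
# Required environment:
#   MIRROR_URL   - base URL of the CentOS mirror (trailing '/' optional)
#   FULL_VERSION - release directory under the mirror (e.g. 7.x.yyyy)
# Side effects: installs wget, writes /boot/centos/{vmlinuz,initrd.img,kickstart.ks},
# appends to /etc/grub.d/40_custom, overwrites /etc/default/grub, deletes
# ~/.ssh and everything under /root, then reboots.

# Fail before any download or write if the inputs are missing.
: "${MIRROR_URL:?MIRROR_URL must be set}"
: "${FULL_VERSION:?FULL_VERSION must be set}"

# Strip any trailing '/' so every URL below joins with exactly one separator;
# the original mixed "${MIRROR_URL}/x" and "${MIRROR_URL}x", which only worked
# for one spelling of MIRROR_URL.
mirror=${MIRROR_URL%/}

# Install wget
yum -y install wget || { printf 'yum install wget failed\n' >&2; exit 1; }
# Kept for any later stage that may reference it.
version=${FULL_VERSION}

# Detect primary root drive; the kickstart is read from its first partition.
drive=
if [ -e /dev/xvda ]; then
  drive=xvda
elif [ -e /dev/vda ]; then
  drive=vda
elif [ -e /dev/sda ]; then
  drive=sda
fi
# Without a drive the GRUB entry would point at "hd:1:..." and never boot.
if [ -z "$drive" ]; then
  printf 'no supported root drive found (xvda, vda, sda)\n' >&2
  exit 1
fi

mkdir -p /boot/centos
cd /boot/centos || exit 1
# NOTE(review): the installer kernel and initrd are written to /boot without an
# integrity check; if the mirror publishes checksums, verify them here before
# a GRUB entry is created for them.
wget "${mirror}/${FULL_VERSION}/os/x86_64/isolinux/vmlinuz" || exit 1
wget "${mirror}/${FULL_VERSION}/os/x86_64/isolinux/initrd.img" || exit 1

# This kickstart file has been created to install the Core Centos7 OS and partition as per CIS CentOS Linux 7 Benchmark (v2.2.0 - 12-27-2017).
# The delimiter is unquoted on purpose: ${mirror} and ${FULL_VERSION} are
# expanded now, at staging time, so the kickstart contains literal URLs.
cat > /boot/centos/kickstart.ks << EOKSCONFIG
# Installation settings
text
install
firstboot --disable
eula --agreed
unsupported_hardware
skipx
lang en_GB.UTF-8
keyboard uk
auth --enableshadow --passalgo=sha512
timezone UTC --isUtc
# Repo settings
repo --name="base" --baseurl=${mirror}/${FULL_VERSION}/os/x86_64/
# Including the updates repo ensures we install the latest packages at install time
# The install tree itself comes from the major-release pointer (7/), not the
# pinned FULL_VERSION directory.
url --url="${mirror}/7/os/x86_64/"
repo --name="os" --baseurl=${mirror}/${FULL_VERSION}/os/x86_64/ --cost=100
repo --name="updates" --baseurl=${mirror}/${FULL_VERSION}/updates/x86_64/ --cost=100
repo --name="extras" --baseurl=${mirror}/${FULL_VERSION}/extras/x86_64/ --cost=100
# System settings
# "nothing" is not a valid crypt hash, so no password matches: root password
# login is effectively disabled and access relies on cloud-init/SSH keys.
rootpw --iscrypted nothing
network --onboot yes --device eth0 --bootproto dhcp --ipv6=auto --activate
firewall --enabled --ssh
selinux --enforcing
services --enabled=sshd
# bootloader configuration
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --timeout=0
# Initialize (format) all disks
zerombr
clearpart --linux --initlabel
# Create primary system partitions
part /boot --fstype=xfs --size=512
part pv.00 --grow --size=1
# Create a volume group
volgroup vg00 --pesize=4096 pv.00
# Create LVM partitions as per CIS guide
logvol / --fstype="xfs" --size=2048 --name=root --vgname=vg00
logvol /tmp --fstype="xfs" --size=2048 --name=tmp --vgname=vg00 --fsoptions=nodev,noexec,nosuid
logvol /var --fstype="xfs" --size=1024 --name=var --vgname=vg00
logvol /var/tmp --fstype="xfs" --size=1024 --name=vartmp --vgname=vg00 --fsoptions=nodev,noexec,nosuid
logvol /var/log --fstype="xfs" --size=3072 --name=log --vgname=vg00
logvol /var/log/audit --fstype="xfs" --size=3072 --name=audit --vgname=vg00
logvol /home --fstype="xfs" --size=2048 --name=home --vgname=vg00 --fsoptions=nodev
# Application LV
logvol /opt --fstype="xfs" --size=4096 --name=opt --vgname=vg00
# Base Service configuration (sshd is already enabled under "System settings")
# Packages selection
%packages --excludedocs
# Core only
@core
# Cloud-init is required at boot-time
cloud-init
%end
# Basic cleanup
%post
# Cleanup SSH keys so the image does not ship host keys; sshd regenerates them
rm -f /etc/ssh/*key*
rm -rf ~/.ssh/
# Let SELinux relabel FS on next boot
touch /.autorelabel
%end
reboot --eject
EOKSCONFIG

# GRUB entry that boots the staged installer; ks= reads the kickstart from the
# first partition of the detected drive.
cat >> /etc/grub.d/40_custom << EOGRUB
menuentry 'centosinstall' {
set root='hd0,msdos1'
linux /boot/centos/vmlinuz ip=dhcp ksdevice=eth0 ks=hd:${drive}1:/boot/centos/kickstart.ks method=${mirror}/${FULL_VERSION}/os/x86_64/ lang=en_GB.UTF-8 keymap=uk
initrd /boot/centos/initrd.img
}
EOGRUB

# Quoted delimiter: this block is written verbatim, nothing is expanded.
cat > /etc/default/grub << 'EOGRUBDEFAULT'
GRUB_DEFAULT=saved
GRUB_HIDDEN_TIMEOUT=
GRUB_TIMEOUT=2
GRUB_RECORDFAIL_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet nosplash vga=771 nomodeset"
GRUB_DISABLE_LINUX_UUID=true
EOGRUBDEFAULT

# Only reboot into the installer if the bootloader was actually updated.
grub2-set-default 'centosinstall' || exit 1
grub2-mkconfig -o /boot/grub2/grub.cfg || exit 1

# Remove this host's root credentials/files before handing over to the
# installer, which wipes the disk anyway.
rm -rf -- ~/.ssh/*
rm -rf -- /root/*
reboot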