Free Software STIG Script for RHEL/CentOS 6

This is a STIG* script that I wrote a while back because I got tired of having to spend three and a half hours per box locking it down. Traditionally, I've taken NIST's** SNAC*** guides and used that information to lock down a box.

Well, at the time, not only was there no STIG script, but there was no document for how to lock down RHEL 6. Apparently NIST hadn't gotten to writing a document for version 6 yet. There was, however, a document for RHEL 5. So, I took what was available and adapted it to RHEL 6.

I understand that there is now a lockdown script available (finally!) for RHEL/CentOS version 6. However, I also hear that you've got to have US Government affiliation to get access to it. So, here's one for the masses. I've gotten a lot of help from folks over the Internet over the years. In turn, hopefully this'll be useful for folks.

This script was originally developed on CentOS 6 and has proved to work very well on RHEL 6, as you might expect. I actually use this script mostly on RHEL 6 because people that I do work for tend to purchase the Red Hat branded version. As you might guess, I also use it for my own servers.

The script consists of two parts. The first part is the KickStart part, which sets up your partitioning and password hash algorithm, installs the basic OS, and so on according to NIST guidance. The second part is a regular ol' BASH script that does things like modify file permissions, umasks, /etc/fstab, sysctl settings, all that stuff.
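To make the second part concrete, here is a small, idempotent POSIX sh helper added as an illustration of the kind of edits a post-installation lockdown script makes. It is not the author's script and is not taken from this site. Every function works relative to a root prefix (`ROOT`, an assumption of this example; it defaults to `/`), so the same functions can be rehearsed against a staging copy of /etc before they touch a live box. The particular mount options, sysctl keys and file modes are representative hardening values, not a complete baseline.

```shell
#!/bin/sh
# Added example of an idempotent post-install lockdown helper (not the
# author's script). All edits go under ${ROOT}, default "/", so the script
# can be dry-run against a staging tree such as a copy of /etc.
set -u
ROOT="${ROOT:-/}"

# Make sure the fstab entry for mount point $1 carries every option in the
# comma-separated list $2 (e.g. nodev,nosuid,noexec). Options already present
# are kept, missing ones are appended; other lines are left untouched.
fstab_add_opts() {
    mnt="$1" want="$2" file="${ROOT%/}/etc/fstab"
    awk -v mnt="$mnt" -v want="$want" '
        $2 == mnt {
            n = split(want, w, ",")
            for (i = 1; i <= n; i++)
                if (index("," $4 ",", "," w[i] ",") == 0) $4 = $4 "," w[i]
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Set "key = value" in sysctl.conf, dropping any earlier line for the same
# key so the file never carries two conflicting settings.
sysctl_set() {
    key="$1" val="$2" file="${ROOT%/}/etc/sysctl.conf"
    [ -f "$file" ] || : > "$file"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
    grep -v "^[[:space:]]*$esc[[:space:]]*=" "$file" > "$file.tmp" || true
    printf '%s = %s\n' "$key" "$val" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Read back the effective value of a key from sysctl.conf (last line wins).
sysctl_get() {
    awk -F '=' -v k="$1" '
        { gsub(/[[:space:]]/, "", $1) }
        $1 == k { v = $2 }
        END { gsub(/^[[:space:]]+/, "", v); print v }
    ' "${ROOT%/}/etc/sysctl.conf"
}

# Set the default UMASK in login.defs to $1, replacing the first existing
# UMASK line, dropping duplicates, or appending one if none exists.
login_defs_umask() {
    file="${ROOT%/}/etc/login.defs"
    awk -v u="$1" '
        /^UMASK[[:space:]]/ { if (!done) { print "UMASK", u; done = 1 }; next }
        { print }
        END { if (!done) print "UMASK", u }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Force the mode of a sensitive file; safe to repeat.
lock_file_mode() { chmod "$2" "${ROOT%/}$1"; }

# A representative baseline (example values, not a full STIG checklist).
apply_baseline() {
    fstab_add_opts /tmp nodev,nosuid,noexec
    fstab_add_opts /home nodev
    sysctl_set net.ipv4.ip_forward 0
    sysctl_set net.ipv4.conf.all.accept_source_route 0
    sysctl_set net.ipv4.conf.all.accept_redirects 0
    sysctl_set net.ipv4.icmp_echo_ignore_broadcasts 1
    sysctl_set kernel.randomize_va_space 2
    login_defs_umask 077
    lock_file_mode /etc/shadow 0000
    lock_file_mode /etc/passwd 0644
}

# Only touch the system when explicitly asked, e.g.:  ROOT=/ sh lockdown.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_baseline
fi
```

Running it twice against the same tree produces no further change, which is the property you want from a lockdown script that may be re-run after every update; the `ROOT` prefix also lets you diff a staging copy of /etc against the original before committing to a live host.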

You can use the KickStart file from a floppy or USB drive, or you can do it my preferred way, by hosting your installation repository and the KickStart file on a local HTTP (Web) server. Just pop your boot CD or DVD into the box, and specify the location of the KickStart file at the boot prompt. Doing it this way, I can have a box up and ready to go in 15 minutes...and I can do a bunch of them in parallel. It is also possible to do this through PXE boot, but that requires DHCP, and on most server VLANs that I've encountered, they don't allow DHCP because servers shouldn't be on DHCP. :-)

OK, there is one case in which I could see servers on DHCP, and that's if you set up DHCP leases. But if you're going to go through all that trouble, you might as well just assign static addresses anyway.

Anyway, here are the two parts of the STIG script.

Part 1 - KickStart Script
Part 2 - Post-Installation Lockdown Script

PLEASE read the script before you run it! You will need to modify the partitioning sizes for your servers. Trust me. So, please read the script before you run it!

Have fun. :-)

* "STIG" = Security Technical Implementation Guide
** "NIST" = the United States National Institute of Standards and Technology (formerly NBS, the National Bureau of Standards)
*** "SNAC" = Systems and Network Attack Center

Please feel free to email me at microman at (the domain name for this Web site).
