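#version=DEVEL
# Kickstart for an encrypted, single-disk workstation install with a hardened
# post-install configuration. Placeholders to replace before use:
#   USERNAME        - the administrative user (also used for the home-dir permissions below)
#   ENCRYPTED_PASS  - a crypt(3) hash of that user's password (e.g. from `openssl passwd -6`),
#                     never a plaintext password
#   sda             - the target disk (see ignoredisk)

## Locale settings
keyboard --vckeymap=gb --xlayouts='gb'   # Keyboard layouts
lang en_GB.UTF-8                         # System language
timezone Europe/Berlin --utc             # System timezone

## Installer settings
text                  # Install in text mode
firstboot --enable    # Run the Setup Agent on first boot
reboot --eject

## Disk configuration
# Ignore all other disks - AMEND THIS ACCORDINGLY, sda IS USUALLY THE FIRST DISK
ignoredisk --only-use=sda
clearpart --all --initlabel   # Partition clearing information
# Auto configure the whole disk, use LVM and LUKS2. No --passphrase is given, so
# the installer asks for the disk passphrase interactively (nothing secret is
# stored in this file).
autopart --type=lvm --encrypted --luks-version=luks2

## User config
user --groups=wheel --name=USERNAME --password=ENCRYPTED_PASS --iscrypted --gecos="USERNAME"
rootpw --lock   # Lock the root account; administration goes through sudo (wheel)

## Packages to install
%packages
@^cinnamon-desktop-environment
@c-development
@container-management
@desktop-accessibility
@headless-management
@sound-and-video
@virtualization
aide
btop
dnf-automatic
%end

## Post install config
# Runs chrooted into the freshly installed system. Everything that may
# legitimately be absent (optional profile snippets) is guarded, because the
# script aborts on the first failing command.
%post --log=/root/ks-post.log --erroronfail
# Fail fast: without set -e only the status of the last command would decide
# whether --erroronfail triggers, and a failed hardening step would go unnoticed.
set -eu

# Install any security updates available now. The network is not reachable
# from %post on every setup, so a failure here is logged rather than fatal;
# dnf-automatic (enabled below) applies pending security updates after first boot.
yum -y update --security || printf 'warning: security update during post-install failed\n' >&2

# Set the default target for boot
systemctl set-default graphical.target

# Automatic security updates. Edit the two keys in the shipped automatic.conf
# instead of replacing the whole file, so the other sections keep their
# defaults; the grep makes a silent non-match fail the install instead.
sed -i -e 's/^apply_updates *=.*/apply_updates = True/' \
       -e 's/^upgrade_type *=.*/upgrade_type = security/' /etc/dnf/automatic.conf
grep -q '^apply_updates = True' /etc/dnf/automatic.conf
grep -q '^upgrade_type = security' /etc/dnf/automatic.conf
systemctl enable dnf-automatic.timer

# Disable kernel crash dump collection for better memory
systemctl disable kdump.service
systemctl mask kdump.service

# Disable sssd if no remote logins
systemctl disable sssd

# Password requirements
printf '%s\n' 'minlen = 10' 'minclass = 4' >> /etc/security/pwquality.conf

# Set a lockout timeout for failed login attempts
printf '%s\n' \
  'deny = 7' \
  'unlock_time = 1800' \
  'even_deny_root' \
  'root_unlock_time = 1800' \
  'audit' \
  'silent' >> /etc/security/faillock.conf

# Prevent chrony from acting as a remote server (NTP port and remote command port)
printf '%s\n' 'port 0' 'cmdport 0' >> /etc/chrony.conf

# Harden sudo. sudo ignores group/world-writable drop-ins, and a syntax error
# in one would lock every wheel user out, so set the mode and validate it.
printf '%s\n' 'Defaults use_pty' 'Defaults timestamp_timeout=30' > /etc/sudoers.d/custom
chmod 0440 /etc/sudoers.d/custom
visudo -cf /etc/sudoers.d/custom

# Enforce stronger ssh algorithms.
# NOTE(review): if sshd_config starts with an Include of the system crypto
# policy, sshd keeps the first value it reads and these appended lines may not
# take effect - confirm on the installed system with `sshd -T` (or change the
# crypto policy instead).
printf '%s\n' \
  'KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256' \
  'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256' \
  >> /etc/ssh/sshd_config

# Enforce a more secure umask. /etc/bashrc and /etc/profile select 002 for
# user-private-group accounts and 022 otherwise; cover both branches so the
# ordinary USERNAME account gets 027 as well (no-op where a branch is absent).
sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/bashrc /etc/profile
sed -i 's/UMASK 022/UMASK 027/g' /etc/login.defs
# ccache's profile snippets exist only when ccache is installed; the pattern
# replaces any "002" in those small files, as before.
for snippet in /etc/profile.d/ccache.sh /etc/profile.d/ccache.csh; do
  if [ -f "$snippet" ]; then
    sed -i 's/002/027/g' "$snippet"
  fi
done

# Prevent logins with empty passwords. Prefer authselect so the change
# survives a later `authselect apply-changes`; fall back to editing the
# generated files directly if the selected profile has no such feature.
if ! authselect enable-feature without-nullok; then
  sed -i 's/ nullok//g' /etc/authselect/system-auth /etc/authselect/password-auth
fi

# Set the default firewall policy; fail loudly if the shipped default differed
sed -i 's/DefaultZone=public/DefaultZone=drop/g' /etc/firewalld/firewalld.conf
grep -q '^DefaultZone=drop' /etc/firewalld/firewalld.conf

# Show system logs/output when booting the system up
sed -i 's/ rhgb quiet//g' /etc/default/grub
# NOTE(review): the grub.cfg location differs between BIOS and some UEFI
# layouts - confirm this path matches the target system.
grub2-mkconfig -o /boot/grub2/grub.cfg
dracut --regenerate-all --force

# Set permissions for user init files (dotfiles in the home directories):
# drop setuid/setgid, remove group write/exec, make them private to the owner.
find /home/USERNAME /root -maxdepth 1 -type f -name '.*' -exec chmod u-s,g-wxs,o= {} +

# Initialise the AIDE DB and activate it: with the stock aide.conf, --init
# writes aide.db.new.gz while --check reads aide.db.gz, so the new database
# has to be moved into place or the first check has no baseline.
aide --init
if [ -f /var/lib/aide/aide.db.new.gz ]; then
  mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
fi
%end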