Hi Klaus,
The changes I made included adding a question into the post part of the
kickstart script and renaming/restructuring so some of the files aren't
specific to LSPP. I also made the files vendor neutral. This involved
patching some files and moving some things around so it's hard to generate
just one patch file. Attached are the patch files for the individual files
that I modified and below you'll see notes on the things I renamed.
I've applied these patches to your latest 0.18 ks sources and they seem
to work with the rc1 kit. Let me know if you have any questions or don't agree
with some of the changes. If IBM doesn't want to go vendor-neutral as far
as my changes go then maybe we can make it easier to include the vendor name
without a lot of changes.
The ftp location is still vendor-specific, but it probably will need to
be.
BTW, this is not in the attached patches but I took the --tries=1 argument
out of the wget line in the common-post.cfg file. It seems a recent addition
but here it causes wget to not be able to get the certification rpm. I had to
escape from the script and manually wget it. Why was it added?
-- ljk
Changed the name of the spec file to remove company and protection profile
specifics. Likewise, renamed files and directories. For example:
mv lspp-eal4-config-ibm-0.18/bin/lspp-eal4-config.in eal4-config-0.16/bin/eal4-config.in
Updated the script to take the profile as an argument.
mv lspp-eal4-config-ibm-0.18/doc/RHEL-LSPP-EAL4-IBM-Configuration-Guide.man eal4-config-0.16/doc/RHEL-EAL4-Configuration-Guide.man
(this will probably need to go back to being vendor-specific but shouldn't
be protection profile specific)
mv lspp-eal4-config-ibm-0.18/lspp eal4-config-0.16/eal4
And within that directory:
mv lspp-perms.conf eal4-perms.conf
mv lspp-root-only.conf eal4-root-only.conf
Updated kickstart/src/common-head.cfg with different tmp filenames. Perhaps
not necessary. (Would like to make default timezone configurable.)
Updated kickstart/src/common-pre.cfg to adjust prompts and file names.
Updated kickstart/src/common-post.cfg to adjust prompts and ask for the
protection profile.
Updated Makefile to refer to new files/directories.
--- lspp-eal4-config-ibm-0.18/kickstart/src/common-head.cfg 2007-01-23
08:11:05.000000000 -0500
+++ eal4-config-0.16/kickstart/src/common-head.cfg 2007-01-19
18:32:20.000000000 -0500
@@ -1,4 +1,4 @@
-# Kickstart file for LSPP evaluated configuration
+# Kickstart file for EAL4 evaluated configuration
# Refer to the kickstart documentation for details:
#
@@ -8,7 +8,7 @@
keyboard us
## current ks fails when using langsupport or mouse keywords
#langsupport --default=en_US.UTF-8 en_US.UTF-8
-timezone --utc America/Chicago
+timezone --utc America/New_York
firewall --enabled --port=22:tcp --port=80:tcp --port=21:tcp --port=25:tcp
#nodmraid # bugfix
#nokill # FIXME
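Review bot: the `timezone --utc America/Chicago` to `America/New_York` change swaps one hard-coded zone for another and is not part of the vendor-neutral rename; since the cover note already says the default timezone should be configurable, either generate this line from common-pre.cfg alongside the network and disk fragments or drop this hunk so the rename patch carries no behavioural change.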
@@ -31,7 +31,7 @@ key --skip
@@ia64@@ bootloader --location=partition ## FIXME, does this work?
# dynamically generated config from pre script
-%include /tmp/lspp-instsrc.cfg
-%include /tmp/lspp-network.cfg
-%include /tmp/lspp-disks.cfg
+%include /tmp/eal4-instsrc.cfg
+%include /tmp/eal4-network.cfg
+%include /tmp/eal4-disks.cfg
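Review bot: the three `%include /tmp/eal4-*.cfg` paths must match, character for character, the files written by gen_network, gen_instsrc and gen_partitioning in common-pre.cfg; both sides are renamed in this series, but a leftover `/tmp/lspp-` name in either file would point the %include at a file that is never written, so a `grep -r lspp- kickstart/src` before committing is worth doing.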
--- lspp-eal4-config-ibm-0.18/kickstart/src/common-post.cfg 2007-01-23
08:11:05.000000000 -0500
+++ eal4-config-0.16/kickstart/src/common-post.cfg 2007-02-01
17:08:20.389726192 -0500
@@ -118,12 +118,23 @@ STTY_SAVE=$(stty -g)
stty sane
reset || clear
-echo "*** Common Criteria LSPP configuration kickstart ***"
+echo "*** Common Criteria EAL4 configuration kickstart ***"
echo
+while true
+do
+ PROFILE="$(ask "Protection profile (capp or lspp)" "capp")"
+ if [ "$PROFILE" == "lspp" ] || [ "$PROFILE" == "capp" ]
+ then
+ break
+ else
+ confirm "Profile must be "capp" or "lspp" - try again?" "y" ||
die "Installation aborted."
+ fi
+done
+
/etc/init.d/network start
-RPMTMP=/root/lspp-rpms
+RPMTMP=/root/eal4-rpms
mkdir -p $RPMTMP
cd $RPMTMP
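Review bot: the message at `confirm "Profile must be "capp" or "lspp" - try again?" "y"` has unescaped inner double quotes, so the shell concatenates the pieces into one argument with the quotes stripped ("Profile must be capp or lspp - try again?"); write it as `confirm "Profile must be \"capp\" or \"lspp\" - try again?" "y"` or use single quotes. The loop itself is the right shape: PROFILE is checked against an exact allow-list before it is later turned into a command-line flag with `eal4-config -a --"$PROFILE"`.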
@@ -140,27 +151,35 @@ do
fi
done
-echo "Switching SELinux to MLS mode..."
-lokkit -q -n --selinuxtype=mls
-setenforce 0
-load_policy -b 2>&1 | grep -v no.longer.in.policy
-
-echo "Fixing file labels..."
-# FIXME: fixfiles ignores allegedly R/O filesystems due to bad /etc/mtab ?
-cat /proc/mounts > /etc/mtab
-fixfiles -f restore
-
-# FIXME: should not need /.autorelabel after fixfiles
-#echo "Will relabel file system on next boot."
-#echo "If booting fails, add 'enforcing=0' to the kernel command line."
-#touch /.autorelabel
+if [ "$PROFILE" == "lspp" ]
+then
+ echo "Switching SELinux to MLS mode..."
+ lokkit -q -n --selinuxtype=mls
+ setenforce 0
+ load_policy -b 2>&1 | grep -v no.longer.in.policy
+
+ echo "Fixing file labels..."
+ # FIXME: fixfiles ignores allegedly R/O filesystems due to bad
/etc/mtab ?
+ cat /proc/mounts > /etc/mtab
+ fixfiles -f restore
+
+# echo "Will relabel file system on next boot."
+# echo "If booting fails, add 'enforcing=0' to the kernel command line."
+# touch /.autorelabel
+else
+ echo "Using default SELinux configuration."
+fi
echo
echo "Please enter the password for the root account."
while ! passwd root; do :; done
-## FIXME: mcstransd doesn't work (hangs when requesting translation?)
-#/etc/init.d/mcstrans start
+if [ "$PROFILE" == "lspp" ]
+then
+ ## FIXME: mcstransd doesn't work (hangs when requesting translation?)
+ #/etc/init.d/mcstrans start
+ echo "FIXME: what's up with mcstrans?"
+fi
while true
do
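Review bot: the `else` branch at `echo "Using default SELinux configuration."` makes no SELinux settings at all for the capp profile, so the policy type and mode on the installed system are whatever the installer left; if CAPP expects a particular policy, set it here explicitly the way the lspp branch calls `lokkit -q -n --selinuxtype=mls` rather than relying on the default. Separately, `echo "FIXME: what's up with mcstrans?"` is now user-visible output during an install; keep it as a comment like the two lines above it, or make it a proper log line.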
@@ -174,9 +193,12 @@ do
then
while ! passwd "$Uid"; do :; done
chage -m 1 -M 60 -W 7 "$Uid"
- ## FIXME: label translation isn't working in postinstall
- #semanage login -a -s staff_u -r SystemLow-SystemHigh "$Uid"
- semanage login -a -s staff_u -r s0-s15:c0.c1023 "$Uid"
+ if [ "$PROFILE" == "lspp" ]
+ then
+ ## FIXME: label translation isn't working in postinstall
+ #semanage login -a -s staff_u -r SystemLow-SystemHigh
"$Uid"
+ semanage login -a -s staff_u -r s0-s15:c0.c1023 "$Uid"
+ fi
else
echo "Warning: adding user unsuccessful, please try again."
fi
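Review bot: for the capp profile the administrative users are now created with no `semanage login` mapping, so they fall back to the policy's default login mapping; confirm that this is intended for CAPP and record it in a comment, since this is the only place the user-to-SELinux-user binding is made. (The lone `"$Uid"` line is mail wrapping of the commented-out semanage line, not a separate change.)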
@@ -184,7 +206,7 @@ do
confirm "Add more administrative users" "n" || break
done
-lspp-eal4-config -a
+eal4-config -a --"$PROFILE"
# restore file descriptors and TTY
stty $STTY_SAVE
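Review bot: `eal4-config -a --"$PROFILE"` builds an option name from data; it is safe only because the prompt loop earlier in this file restricts PROFILE to exactly `capp` or `lspp`, which are also the long options eal4-config.in accepts. If the prompt values and the option names ever diverge the call falls through to `Usage; exit 1` inside %post; a `case "$PROFILE"` that maps to the explicit `--capp`/`--lspp` flags would make that coupling visible.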
--- lspp-eal4-config-ibm-0.18/Makefile 2007-01-23 08:11:05.000000000 -0500
+++ eal4-config-0.16/Makefile 2007-01-03 14:07:08.000000000 -0500
@@ -1,20 +1,20 @@
-PACKAGE=lspp-eal4-config-ibm
+PACKAGE=eal4-config
DESTDIR=
PREFIX=/usr
BINDIR=$(PREFIX)/sbin
-SCRIPT=lspp-eal4-config
+SCRIPT=eal4-config
-SHAREDIR=$(PREFIX)/share/lspp
-KSDIR=$(PREFIX)/share/lspp/kickstart
+SHAREDIR=$(PREFIX)/share/eal4
+KSDIR=$(PREFIX)/share/eal4/kickstart
VERSION=0.0
RELEASE=0
DOCDIR=$(PREFIX)/share/doc/$(PACKAGE)-$(VERSION)
-ECG=RHEL-LSPP-EAL4-IBM-Configuration-Guide
+ECG=RHEL-EAL4-Configuration-Guide
MANSECT=8
MANDIR=$(PREFIX)/share/man/man$(MANSECT)
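Review bot: `VERSION=0.0` stays in the Makefile while the spec bumps Version to 0.19 and the patched tree is named eal4-config-0.16; the spec overrides VERSION on `make install`, so the default only bites manual installs (giving a DOCDIR of eal4-config-0.0), but the three numbers should agree. Keeping `ECG=` as the single place the guide name is defined is good given the cover note says it may need to become vendor-specific again.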
@@ -30,7 +30,7 @@ install: all
install -d $(DESTDIR)$(MANDIR) $(DESTDIR)$(KSDIR)
perl -pe s!--BASE--!$(SHAREDIR)! < bin/$(SCRIPT).in >
$(DESTDIR)$(BINDIR)/$(SCRIPT)
chmod 555 $(DESTDIR)$(BINDIR)/$(SCRIPT)
- install `ls -d lspp/* | grep -v CVS` $(DESTDIR)$(SHAREDIR)
+ install `ls -d eal4/* | grep -v CVS` $(DESTDIR)$(SHAREDIR)
install kickstart/ks-* $(DESTDIR)$(KSDIR)
-install `ls -d doc/* | grep -v CVS` $(DESTDIR)$(DOCDIR)
-gzip < doc/$(ECG).man > $(DESTDIR)$(MANDIR)/$(ECG).$(MANSECT).gz
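Review bot: the trailing `-install` and `-gzip` lines are unchanged context, the leading `-` being make's ignore-errors prefix (the `@@ -30,7 +30,7 @@` counts confirm no removals there), not diff deletions. With lspp/ renamed to eal4/, `ls -d eal4/* | grep -v CVS` still installs every file in that directory unconditionally, so anything profile-specific added to eal4/ later will ship for both profiles; worth a comment if that is intended.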
--- lspp-eal4-config-ibm.spec 2007-01-23 08:11:05.000000000 -0500
+++ eal4-config.spec 2007-01-03 13:54:47.000000000 -0500
@@ -1,6 +1,6 @@
-Summary: IBM LSPP/EAL4+ Certified Config
-Name: lspp-eal4-config-ibm
-Version: 0.18
+Summary: Common Criteria EAL4+ Certified Config
+Name: eal4-config
+Version: 0.19
Release: 1
License: GPL
Group: Productivity/Security
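Review bot: with `Name: eal4-config` and `Version: 0.19`, the plain `%setup` further down expects the tarball to unpack into eal4-config-0.19, yet every other file in this series lives under eal4-config-0.16 and the cover note says the patches were applied to the 0.18 sources; settle on one version number and make the directory name and the Makefile VERSION match it.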
@@ -11,7 +11,8 @@ Requires: kernel >= 2.6
%description
This package contains utilities and documentation for putting a machine
-in configuration for the Labeled Security Protection Profile.
+in configuration for the Controlled Access Protection Profile or
+the Labeled Security Protection Profile.
%prep
%setup
@@ -20,29 +21,32 @@ in configuration for the Labeled Securit
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
make DESTDIR=${RPM_BUILD_ROOT} VERSION=%{version} RELEASE=%{release} install
-rm -f ${RPM_BUILD_ROOT}/%{_datadir}/doc/lspp-eal4-config-ibm-%{version}/*.man
+rm -f ${RPM_BUILD_ROOT}/%{_datadir}/doc/eal4-config-%{version}/*.man
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
-%attr(0750,root,root) %{_sbindir}/lspp-eal4-config
-%attr(0755,root,root) %dir %{_datadir}/lspp
-%attr(0755,root,root) %dir %{_datadir}/lspp/kickstart
-%attr(0644,root,root) %{_datadir}/lspp/kickstart/*
-%attr(0644,root,root) %{_datadir}/lspp/*.pam
-%attr(0644,root,root) %{_datadir}/lspp/*.xinetd
-%attr(0644,root,root) %{_datadir}/lspp/*.defs
-%attr(0644,root,root) %{_datadir}/lspp/*.conf
-%attr(0644,root,root) %{_datadir}/lspp/*.te
-%attr(0644,root,root) %{_datadir}/lspp/mime.*
-%attr(0644,root,root) %{_datadir}/lspp/sshd_config
-%attr(0755,root,root) %dir %{_datadir}/doc/lspp-eal4-config-ibm-%{version}
-%attr(0644,root,root) %{_datadir}/doc/lspp-eal4-config-ibm-%{version}/*
+%attr(0750,root,root) %{_sbindir}/eal4-config
+%attr(0755,root,root) %dir %{_datadir}/eal4
+%attr(0755,root,root) %dir %{_datadir}/eal4/kickstart
+%attr(0644,root,root) %{_datadir}/eal4/kickstart/*
+%attr(0644,root,root) %{_datadir}/eal4/*.pam
+%attr(0644,root,root) %{_datadir}/eal4/*.xinetd
+%attr(0644,root,root) %{_datadir}/eal4/*.defs
+%attr(0644,root,root) %{_datadir}/eal4/*.conf
+%attr(0644,root,root) %{_datadir}/eal4/*.te
+%attr(0644,root,root) %{_datadir}/eal4/mime.*
+%attr(0644,root,root) %{_datadir}/eal4/sshd_config
+%attr(0755,root,root) %dir %{_datadir}/doc/eal4-config-%{version}
+%attr(0644,root,root) %{_datadir}/doc/eal4-config-%{version}/*
%attr(0644,root,root) %{_mandir}/man8/*
%changelog
+* Wed Jan 3 2007 Linda Knippers <[EMAIL PROTECTED]>
+- Modified to remove protection profile and company specifics
+
* Tue Sep 26 2006 Klaus Weidner <[EMAIL PROTECTED]> 2.0-1
- Import the config RPM used for the HP RHEL4 CAPP/EAL3 evaluation:
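Review bot: the new `%changelog` entry at `* Wed Jan 3 2007 Linda Knippers` carries no version-release suffix, unlike the existing `2.0-1` entry; append `0.19-1` (or whatever Version/Release settles on) so the changelog matches the header. The `[EMAIL PROTECTED]` strings are list-archive redaction, not part of the patch.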
--- lspp-eal4-config-ibm-0.18/kickstart/src/common-pre.cfg 2007-01-23
08:11:05.000000000 -0500
+++ eal4-config-0.16/kickstart/src/common-pre.cfg 2007-01-18
12:06:40.000000000 -0500
@@ -78,7 +78,7 @@ gen_instsrc () {
}
gen_partitioning () {
- echo "# Automatically generated by LSPP configuration kickstart
+ echo "# Automatically generated by EAL4 configuration kickstart
#
# Refer to the instructions for the 'part' command for more information:
#
@@ -133,7 +133,7 @@ STTY_SAVE=$(stty -g </dev/tty)
stty sane </dev/tty
reset </dev/tty >/dev/tty || clear >/dev/tty
-echo_user "*** Common Criteria LSPP configuration kickstart ***"
+echo_user "*** Common Criteria EAL4 configuration kickstart ***"
echo_user
DISK_LIST="$(list-harddrives)"
@@ -146,7 +146,7 @@ then
# use current network settings as defaults
NAME=$(hostname)
expr $NAME : localhost >/dev/null && {
- NAME="rhel5lspp.example.com"
+ NAME="rhel5.example.com"
}
IP=$(ifconfig $IFACE | sed -n 's/.*inet addr:\([^ ]*\).*/\1/p')
MASK=$(ifconfig $IFACE | sed -n 's/.*Mask:\([^ ]*\).*/\1/p')
@@ -155,7 +155,7 @@ then
else
# pick up defaults from command line args
IFACE=$(cmdline_val "ksdevice" "eth0")
- NAME=$(cmdline_val "hostname" "rhel5lspp.example.com")
+ NAME=$(cmdline_val "hostname" "rhel5.example.com")
IP=$(cmdline_val ip)
MASK=$(cmdline_val "netmask" "255.255.255.0")
GATE=$(cmdline_val "gateway")
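Review bot: the default hostname `rhel5.example.com` is now spelled out twice in this file (the interactive fallback in the previous hunk and the `cmdline_val "hostname"` default here); define it once in a variable so the next rename does not have to touch both.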
@@ -212,16 +212,16 @@ then
DNS=$(ask "Nameserver list (comma separated)" "$DNS")
- gen_network > /tmp/lspp-network.cfg
- gen_instsrc > /tmp/lspp-instsrc.cfg
+ gen_network > /tmp/eal4-network.cfg
+ gen_instsrc > /tmp/eal4-instsrc.cfg
if ! expr "$DISK" : "manual" >/dev/null
then
- gen_partitioning > /tmp/lspp-disks.cfg
+ gen_partitioning > /tmp/eal4-disks.cfg
fi
confirm "Manually edit partitioning instructions" "n" && {
- vi /tmp/lspp-disks.cfg </dev/tty >/dev/tty 2>&1
+ vi /tmp/eal4-disks.cfg </dev/tty >/dev/tty 2>&1
DISK="manually configured partitions"
}
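Review bot: the `/tmp/eal4-network.cfg`, `/tmp/eal4-instsrc.cfg` and `/tmp/eal4-disks.cfg` names are repeated here, in the noninteractive branch of the next hunk, and as `%include` lines in common-head.cfg; a single prefix variable in common-pre.cfg plus a comment in common-head.cfg stating the coupling would make this rename a one-line change and rule out a partial rename.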
@@ -235,9 +235,9 @@ then
done
else
# noninteractive
- gen_network > /tmp/lspp-network.cfg
- gen_instsrc > /tmp/lspp-instsrc.cfg
- gen_partitioning > /tmp/lspp-disks.cfg
+ gen_network > /tmp/eal4-network.cfg
+ gen_instsrc > /tmp/eal4-instsrc.cfg
+ gen_partitioning > /tmp/eal4-disks.cfg
fi
# restore file descriptors and TTY
clear >/dev/tty
--- lspp-eal4-config-ibm-0.18.orig/bin/eal4-config.in 2007-02-01
17:20:40.660187976 -0500
+++ eal4-config-0.16/bin/eal4-config.in 2007-01-08 14:15:09.000000000 -0500
@@ -1,10 +1,11 @@
#!/bin/bash
#
# System hardening script for converting a RHEL5 system to the
-# LSPP/EAL4+ evaluated configuration.
+# CAPP/EAL4+ or LSPP/EAL4+ evaluated configuration.
#
# Copyright (C) 2004,2005,2006 Red Hat, Inc.
# Changes Copyright (C) 2006 IBM Corporation
+# Changes (c) Copyright Hewlett-Packard Development Company, L.P., 2007
#
# Licenced under the terms of the GNU Public License. See the
# file COPYING distributed with this one for a description of
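Review bot: the `---` header names `lspp-eal4-config-ibm-0.18.orig/bin/eal4-config.in`, so the file was already renamed before the diff was taken; this patch will not apply to a pristine 0.18 tree unless the `mv` from the cover notes is done first. Diffing the two complete trees with `diff -ruN` (or shipping the mv commands as a script) would make the series apply in one step.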
@@ -51,7 +52,7 @@ AliasSU() {
cp /etc/profile /etc/profile.new
echo >> /etc/profile.new '
-# su alias, added for LSPP/EAL4+ configuration
+# su alias, added for EAL4+ configuration
alias su="echo \"Always use '\''/bin/su -'\'' (see '"$_ECG_FULL"')\"; echo
>/dev/null"
# The evaluated configuration recommends the rnano editor, you MAY change this
@@ -761,6 +762,14 @@ Main() {
_VERBOSE=
shift
;;
+ -c|--capp)
+ _PROFILE=capp
+ shift
+ ;;
+ -l|--lspp)
+ _PROFILE=lspp
+ shift
+ ;;
*) Usage
exit 1
;;
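Review bot: `-c|--capp` and `-l|--lspp` both simply assign `_PROFILE`, so `-c -l` silently takes whichever came last; either Die when `_PROFILE` is already set to a different value, or state in the usage text that the last flag wins.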
@@ -792,8 +801,21 @@ Please read the documentation before pro
Die "root filesystem must be ext3 with ACL support on. See $_ECG."
}
}
+ [ "$_PROFILE" == "" ] && {
+ if ShallI "Configure for the CAPP protection profile?"; then
+ _PROFILE=capp
+ else
+ if ShallI "Configure for the LSPP protection profile?"; then
+ _PROFILE=lspp
+ else
+ Die "Must specify either CAPP or LSPP. See $_ECG."
+ fi
+ fi
+ }
- ConfigureLsppPolicy
+ [ $_PROFILE == "lspp" ] && {
+ ConfigureLsppPolicy
+ }
HardenServiceLinks
HardenPamConfig
HardenPermissions
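Review bot: `[ $_PROFILE == "lspp" ]` leaves `$_PROFILE` unquoted while the test just above quotes it; it is guaranteed non-empty at that point, but quote it for consistency. More importantly, when the script runs automated (`-a`, "take all default answers") without `-c` or `-l`, the profile is chosen by ShallI's default answer to "Configure for the CAPP protection profile?", which this hunk leaves implicit; Die-ing in automated mode when no profile flag was given would avoid configuring the wrong profile unattended.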
@@ -804,8 +826,10 @@ Please read the documentation before pro
ConfigureFTP
ConfigureAudit
ConfigurePostfix
- ConfigureCups
- ConfigurePolyinstantiation
+ [ $_PROFILE == "lspp" ] && {
+ ConfigureCups
+ ConfigurePolyinstantiation
+ }
DisableUsbfs
SetRunLevel 3
Reboot
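Review bot: ConfigureCups and ConfigurePolyinstantiation now run only for lspp; skipping polyinstantiation on a non-MLS system is clearly right, but whether CUPS should be left unconfigured on a CAPP system (rather than, say, disabled by HardenServiceLinks) is not obvious from the hunk and deserves a one-line comment stating the intent.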
@@ -1054,13 +1078,13 @@ UpdateFSTAB() {
readonly _ECG=ECG
readonly _ECG_FULL="Evaluated Configuration Guide"
-readonly _LOGFILE=/var/log/lspp-config.log
+readonly _LOGFILE=/var/log/eal4-config.log
# the following variable gets set by "make install"
readonly _BASE=--BASE--
-readonly _PERMSFILE=$_BASE/lspp-perms.conf
-readonly _ROOT_ONLY_FILE=$_BASE/lspp-root-only.conf
+readonly _PERMSFILE=$_BASE/eal4-perms.conf
+readonly _ROOT_ONLY_FILE=$_BASE/eal4-root-only.conf
readonly _MODULES_CONF=/etc/modules.conf
readonly _SERVICEBASE=/etc/rc.d/init.d
@@ -1107,6 +1131,7 @@ _INTERACTIVE=yes
_PRINT_ONLY=
_VERBOSE=
_TICKPID=
+_PROFILE=
: --Usage
# Print summary of supported options
@@ -1117,6 +1142,8 @@ Options:
-i|--interactive Prompt for permission before changes (default)
-a|--automated No prompts, take all default answers
-q|--quiet Be less verbose
+ -c|--capp Configure for CAPP
+ -l|--lspp Configure for LSPP
(see $_LOGFILE for detailed msgs)
Example:
$0 -a
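Review bot: the usage text lists `-c|--capp` and `-l|--lspp` but does not say what happens when neither is given (an interactive prompt, or the default answer in automated mode), and the Example still shows only `$0 -a`; add `$0 -a --capp` as a second example, since that is the form the kickstart %post invokes.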
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp