Changeset 117

Timestamp:
12/06/07 11:07:01 (1 year ago)
Author:
jjarrett
Message:

Adding latest version of the kickstart file.

Files:

  • trunk/RHEL5.1/kickstart/clip.ks

    r89 r117  
    1 # Kickstart installation script for clip 
    2  
    3 ################### 
    4 # Command section # 
    5 ################### 
    6  
    7 auth --enableshadow --enablemd5 
     1## Version .02  Feburary 2007 ## 
     2   # 
     3#  Date Created  : 2007-02-06 # 
     4
     5#  CHANGELOG: 
     6#  - 2007-02-07:  Finished Mapping existing STIG scripts to DCID 6/3 
     7#                 Sections. [St. Laurent] 
     8#  - 2007-12-xx:     Initiated updates to reflect DCID PL4 Requirements 
     9#                 [Tresys] 
     10
     11
     12#  Profile Name: dcid-6-3-PL4-ks.1.0.txt 
     13#  Profile Label: dcid-6-3-PL4-ks.1.0.txt 
     14
     15#Details:  This KickStart file lists out DCID 6/3 Policy at the PL4 
     16#          Confidentiality level.  Security settings are applied and 
     17#          mapped to each specific PL4 section in DCID 6/3. 
     18
     19#          By setting these security features in a KickStart file 
     20#          allows for an auditor to have a high degree of assurance 
     21#          that a system is being setup meeting the security  
     22#          requirements the same (correct way) every time. 
     23
     24#          An MD5 should be set on this file to ensure the degree of 
     25#          resistance to unauthorized modification. 
     26
     27## Version .02  Feburary 2007 ## 
     28## Version .03  December 2007 ## 
     29 
     30#The "install" command tells the system to install a fresh system 
     31#rather than upgrade an existing system.  You must specify the type 
     32#of installation in the form of:  cdrom, harddrive, nfs, url (ftp 
     33#http installation).  The "install" command and the installation 
     34#method command must be on separate lines. Examples:  
     35# url --url http://192.168.1.1/ty/h-113gLb 
     36#     --url ftp://<username>:<password>@<server>/<dir>    
     37#           Passwd is in CLEAR with ftp!!!  Not to be used. 
     38# harddrive --partition=hda2--dir=/path/to/install-tree 
     39# nfs --server=nfsserver.example.com --dir=/path/to/install-tree 
    840install 
     41 
     42#Perform the kickstart install in Text Mode.  Kickstart files are 
     43#performed in graphical mode by default. 
    944text 
    10 skipx 
    11 rootpw password 
    12  
    13 #################### 
    14 # Packages section # 
    15 #################### 
     45 
     46 
     47#Configure network information for the system.  The "network"  
     48#option configures networking information for kickstart installations 
     49#via a network as well as for the installed system.  DHCP uses a DHCP 
     50#server to get the network configuration information. 
     51#network --bootproto dhcp 
     52 
     53#This is for a SS install 
     54#Also need to enable network statement if using URL 
     55#url --url http://192.168.1.1/ty/h-113gLb  
     56 
     57#Defaults to a CD based install - disable if using URL or someother media 
     58cdrom 
     59 
     60#The "lang" command sets the language to use during installation. 
     61lang en_US 
     62 
     63#The "langsupport" to install on the system.  The --default switch 
     64#must be used if more than one language is specified. 
     65langsupport --default en_US en_US 
     66 
     67#The "keyboard" command is required to set the system keyboard type. 
     68#The "mouse" command is required to configure the mouse for the 
     69keyboard us 
     70mouse none 
     71 
     72zerombr yes 
     73clearpart --all 
     74 
     75 
     76#PARTITION NOTES 
     77#The following options are required under 'Disk Partition Information'  
     78#section in ks.cfg file, for creating the Logical Volume Manager (LVM)  
     79#partitions using kickstart. 
     80  
     81   #Disk partitioning information 
     82   #part pv.<id>  
     83   #volgroup <name> <partition> 
     84   #logvol <mountpoint> --vgname=<volume_group_name> --size=<size> --name=<name> 
     85 
     86   #EXAMPLE using LVM 
     87   #part /boot --fstype ext3 --size=150 
     88   #part swap --size=1024 
     89   #part pv.01 --size=1 --grow 
     90   #volgroup vg_root pv.01 
     91   #logvol  /  --vgname=vg_root  --size=8192  --name=lv_root 
     92   #logvol  /var  --vgname=vg_root  --size=4096  --name=lv_var 
     93   #logvol  /tmp  --vgname=vg_root  --size=2048  --name=lv_tmp 
     94   #logvol  /spare  --vgname=vg_root  --size=1  --grow  --name=lv_spare 
     95 
     96partition /boot --fstype "ext3" --size=128  
     97partition pv.2 --size=0 --grow  
     98volgroup VolGroup00 --pesize=32768 pv.2 
     99logvol swap --fstype swap --name=swapVol --vgname=VolGroup00 --size=512 
     100logvol / --fstype ext3 --name=rootVol --vgname=VolGroup00 --size=5120 
     101logvol /var --fstype ext3 --name=varVol --vgname=VolGroup00 --size=5120 
     102logvol /home --fstype ext3 --name=homeVol --vgname=VolGroup00 --size=5120 
     103logvol /tmp --fstype ext3 --name=tmpVol --vgname=VolGroup00 --size=2048 
     104 
     105 
     106 
     107 
     108bootloader --location mbr --password Dodiis_Redhat4321 
     109timezone --utc America/New_York 
     110auth --enablemd5 --enableshadow 
     111rootpw 123)(*qweASD 
     112 
     113############################################# 
     114# Set selinux into enforcing when released, # 
     115# while testing use permissive              # 
     116############################################# 
     117#selinux --enforcing 
     118selinux --permissive 
     119firewall --enabled --port=22:tcp --port=161:tcp --port=1002:tcp 
     120reboot 
     121#xconfig --card "VESA driver (generic)" --videoram 8192 --hsync 31.5-37.9 --vsync 50-70 --resolution #1024x768 --depth 32 --startxonboot --defaultdesktop gnome 
     122 
     123 
     124 
     125#Install Packages.  This is site specific. 
    16126%packages --resolvedeps 
    17127@base 
     
    19129aide 
    20130sysstat 
     131#################################### 
     132# Why are we removing setools? (JJ)# 
     133#################################### 
    21134-setools 
     135################################## 
     136# Why are we removing audit? (JJ)# 
     137################################## 
    22138#audit 
     139################################ 
     140# Why are we removing PAM? (JJ)# 
     141################################ 
    23142#pam 
    24143#pam-devel 
     
    29148#tk 
    30149#tk-devel 
    31  
    32 ############################ 
    33 # Pre/post install section # 
    34 ############################ 
    35 %post 
    36 #!/bin/sh 
    37  
    38 out_file="installer.sh" 
    39 out_file_path="/root" 
    40  
    41 # DO NOT MODIFY anything below here 
    42 SERVICES_REQ="atd auditd crond iptables network syslog" 
    43  
    44 # Deactivate all services first 
    45 active=`chkconfig --list | grep -i "3:on" | cut -d" " -f1` 
    46 echo "Removing services from runlevel 3: " 
    47 for service in $active 
    48 do 
    49     echo $service 
    50     `chkconfig --level 3 $service off` 
    51 done 
    52  
    53 # Now activate only the required services 
    54 echo "Adding required services to runlevel 3: " 
    55 for service in $SERVICES_REQ 
    56 do 
    57     echo $service 
    58     `chkconfig --level 3 $service on` 
    59 done 
    60  
    61 # Save an installer script to root's homedir 
    62  
    63 echo "Saving an install script to root's home directory." 
    64 cat >> $out_file_path/$out_file <<'EOF' 
    65 #!/bin/sh 
    66 VERSION="2.0" 
    67 RELEASE="1" 
    68 UNAME="/bin/uname" 
    69 WGET="/usr/bin/wget" 
    70 SHA1SUM="/usr/bin/sha1sum" 
    71 ID="/usr/bin/id" 
    72 RPM="/bin/rpm" 
    73 SETENFORCE="/usr/sbin/setenforce" 
    74  
    75 RPM_OPTS1="--force -Uvh" 
    76 RPM_OPTS2="-ivh" 
    77  
    78 ARCH=$($UNAME -i) 
    79 ARCH_64="x86_64" 
    80 ARCH_32="i386" 
    81  
    82 URL="http://oss.tresys.com/projects/clip/chrome/site/files/rhel5" 
    83 LSPP_URL="http://people.redhat.com/sgrubb/files/lspp" 
    84 LSPP_PAM_RPM="pam-0.99.6.2-3.22.el5.$ARCH.rpm" 
    85 CLIP_RPM="clip-$VERSION-$RELEASE.$ARCH.rpm" 
    86 REFPOL_RPM="selinux-policy-clip-$VERSION-$RELEASE.noarch.rpm" 
    87 CLIP_SHA1="$CLIP_RPM.sha1" 
    88 REFPOL_SHA1="$REFPOL_RPM.sha1" 
    89  
    90 USAGE="This script will use wget to download and install \n \ 
    91 $CLIP_RPM and\n \ 
    92 $REFPOL_RPM\n \ 
    93 from $URL and\n \ 
    94 $LSPP_PAM_RPM\n \ 
    95 from $LSPP_URL\n \ 
    96 Internet connectivity is required. \n \ 
    97 To install, invoke $0 with the -i option." 
    98  
    99 download() { 
    100         $WGET $URL/$CLIP_RPM &&    \ 
    101         $WGET $URL/$CLIP_SHA1 &&   \ 
    102         $WGET $URL/refpolicy/$REFPOL_RPM &&  \ 
    103         $WGET $URL/refpolicy/$REFPOL_SHA1 && \ 
    104         $WGET $LSPP_URL/$LSPP_PAM_RPM 
    105         if [ $? -ne 0 ]; then 
    106                 echo "RPM download failed. Terminating." 
    107                 exit 1 
     150##################################### 
     151# Remove tcpdump per STIG gen003865 # 
     152##################################### 
     153-tcpdump 
     154 
     155##################################### 
     156# Remove Packages per Red Hat's PL3 # 
     157# Kickstart file                    # 
     158##################################### 
     159-xdelta 
     160-nmap 
     161-emacspeak 
     162-byacc 
     163-gimp-help 
     164-splint 
     165-perl-Crypt-SSLeay 
     166-units 
     167-perl-XML-Grove 
     168-perl-XML-LibXML-Common 
     169-perl-XML-SAX 
     170-perl-XML-Twig 
     171-valgrind 
     172-valgrind-callgrind 
     173-gimp-gap 
     174-cdecl 
     175-perl-XML-Dumper 
     176-kernel-smp-devel 
     177-blas 
     178-lapack 
     179-java-1.4.2-gcj-compat 
     180-kernel-hugemem-devel 
     181-kernel-devel 
     182-perl-XML-Encoding 
     183-gnome-games 
     184-isdn4k-utils 
     185-vnc 
     186-vnc-server 
     187#e2fsprogs 
     188#kernel-smp 
     189-tog-pegasus 
     190-tog-pegasus-devel 
     191-ethereal 
     192-ethereal-gnome 
     193-xchat 
     194-vino 
     195-gaim 
     196-gnome-pilot 
     197#@ office 
     198#@ admin-tools 
     199#@ editors 
     200#@ system-tools 
     201#@ gnome-desktop 
     202#@ dialup 
     203#@ base-x 
     204#@ printing 
     205#@ server-cfg 
     206#@ graphical-internet 
     207#kernel 
     208-python-ldap 
     209-httpd-suexec 
     210-system-config-httpd 
     211-psgml 
     212-emacs-leim 
     213-gimp-data-extras 
     214-xcdroast 
     215-perl-XML-LibXML 
     216-gimp-print-plugin 
     217-xsane-gimp 
     218-gimp 
     219#lvm2 
     220-zsh 
     221#net-snmp-utils 
     222-rhythmbox 
     223-gcc-g77 
     224#grub 
     225-texinfo 
     226-octave 
     227-dia 
     228-perl-LDAP 
     229-oprofile 
     230-emacs 
     231#system-config-printer-gui 
     232-doxygen 
     233-planner 
     234-tux 
     235-indent 
     236-cdparanoia 
     237-gcc-java 
     238-gnomemeeting 
     239#openoffice.org-i18n 
     240#openoffice.org-libs 
     241#openoffice.org 
     242#firefox 
     243-evolution 
     244-xsane 
     245-ctags 
     246-cscope 
     247-sane-frontends 
     248-perl-XML-Parser 
     249-php-mysql 
     250-rcs 
     251-perl-XML-NamespaceSupport 
     252 
     253 
     254%pre 
     255 
     256# %post --nochroot 
     257# mkdir -p /mnt/sysimage/root/DoDIIS/errata 
     258# mkdir /tmp/dodiis-iso 
     259# mount /tmp/cdrom /tmp/dodiis-iso 
     260 
     261# cp -fa /tmp/dodiis-iso/RedHat/post/* /mnt/sysimage/root/DoDIIS 
     262# cp -fa /tmp/dodiis-iso/RedHat/errata/* /mnt/sysimage/root/DoDIIS/errata 
     263 
     264%post --log=/root/post-install.log 
     265# Log %post errors 
     266########################################################################## 
     267# The post section of this kickstart file takes care of the secure 
     268# configuraton of Red Hat according to DCID 6/3. 
     269
     270#Levels of Concern: 
     271#Confidentiality PL4 
     272#[ PL4 ] 
     273########################################################################## 
     274 
     275 
     276#The Red Hat provided GPG key Red Hat uses to sign all of our RPM packages 
     277rpm --import /usr/share/rhn/RPM-GPG-KEY 
     278 
     279
     280# DCID 6/3 PL4 
     281
     282# 4.B.4 Protection Level 4 
     283# 4.B.4.a(1)  
     284
     285# KickStart Actions: None - PROCEDURAL REQUIREMENT 
     286 
     287   # 
     288   # 4.B.4.a(1)(a) 
     289   # KickStart Actions: None - PROCEDURAL REQUIREMENT 
     290 
     291   # 
     292   # 4.B.4.a(1)(b) 
     293   # KickStart Actions: None - PROCEDURAL REQUIREMENT 
     294 
     295
     296# 4.B.4.a(2)  
     297# KickStart Actions: All ext3 file systmes have been mounted with the ACL 
     298#                    setting to allow for a finer granualrity of DAC. 
     299#                    (See:  getfacl and setfacl man pages). 
     300#                    Create ACL and other security features during 
     301#                    the mounting of each file system (/etc/fstab). 
     302 
     303
     304# GEN002420 
     305echo "Locking down GEN002420" 
     306 
     307        FSTAB=/etc/fstab 
     308        SED=/bin/sed 
     309        #nosuid and acl on /home 
     310        if [ $(grep " \/home " ${FSTAB} | grep -c "nosuid") -eq 0 ]; then 
     311                MNT_OPTS=$(grep " \/home " ${FSTAB} | awk '{print $4}') 
     312                ${SED} -i "s/\( \/home.*${MNT_OPTS}\)/\1,nosuid,acl/" ${FSTAB} 
    108313        fi 
    109 
    110  
    111 check() { 
    112         $SHA1SUM $CLIP_SHA1 && \ 
    113         $SHA1SUM $REFPOL_SHA1 && \ 
    114         $RPM --checksig $LSPP_PAM_RPM 
    115         if [ $? -ne 0 ]; then 
    116                 echo "Download verification failed. Terminating." 
    117                 exit 1 
     314 
     315        #nosuid and acl on /sys 
     316        if [ $(grep " \/sys " ${FSTAB} | grep -c "nosuid") -eq 0 ]; then 
     317                MNT_OPTS=$(grep " \/sys " ${FSTAB} | awk '{print $4}') 
     318                ${SED} -i "s/\( \/sys.*${MNT_OPTS}\)/\1,nosuid,acl/" ${FSTAB} 
    118319        fi 
    119 
    120  
    121 inst() { 
    122         $SETENFORCE 0 
    123         for i in $LSPP_PAM_RPM $CLIP_RPM; do 
    124                 echo "Installing $i" 
    125                 $RPM $RPM_OPTS1 $i 
    126                 if [ $? -ne 0 ]; then 
    127                         echo "Installation of $i failed. Terminating." 
    128                         exit 1 
     320 
     321        #nosuid and acl on /boot 
     322        if [ $(grep " \/boot " ${FSTAB} | grep -c "nosuid") -eq 0 ]; then 
     323                MNT_OPTS=$(grep " \/boot " ${FSTAB} | awk '{print $4}') 
     324                ${SED} -i "s/\( \/boot.*${MNT_OPTS}\)/\1,nosuid,acl/" ${FSTAB} 
     325        fi 
     326 
     327        #nodev and acl on /usr 
     328        if [ $(grep " \/usr " ${FSTAB} | grep -c "nodev") -eq 0 ]; then 
     329                MNT_OPTS=$(grep " \/usr " ${FSTAB} | awk '{print $4}') 
     330                ${SED} -i "s/\( \/usr.*${MNT_OPTS}\)/\1,nodev,acl/" ${FSTAB} 
     331        fi 
     332 
     333        #nodev and acl on /home 
     334        if [ $(grep " \/home " ${FSTAB} | grep -c "nodev") -eq 0 ]; then 
     335                MNT_OPTS=$(grep " \/home " ${FSTAB} | awk '{print $4}') 
     336                ${SED} -i "s/\( \/home.*${MNT_OPTS}\)/\1,nodev,acl/" ${FSTAB} 
     337        fi 
     338 
     339        #nodev and acl on /usr/local 
     340        if [ $(grep " \/usr\/local " ${FSTAB} | grep -c "nodev") -eq 0 ]; then 
     341                MNT_OPTS=$(grep " \/usr\/local " ${FSTAB} | awk '{print $4}') 
     342                ${SED} -i "s/\( \/usr\/local.*${MNT_OPTS}\)/\1,nodev,acl/" ${FSTAB} 
     343        fi 
     344echo "GEN002420 Complete" 
     345
     346 
     347
     348# 4.B.4a(3)   
     349# KickStart Actions: None - CLIP policy specific 
     350
     351
     352# 4.B.4a(4)   
     353# KickStart Actions:  
     354
     355
     356#   4.B.4a(4)(a)  
     357#   KickStart Actions:  
     358
     359#   4.B.4a(4)(b)  
     360#   KickStart Actions:  
     361
     362#   4.B.4a(4)(c)  
     363#   KickStart Actions:  
     364
     365#   4.B.4a(4)(d)  
     366#   KickStart Actions:  
     367
     368#   4.B.4a(4)(e)  
     369#   KickStart Actions:  
     370
     371#         4.B.4a(4)(e)1.  
     372#         KickStart Actions:  
     373
     374#         4.B.4a(4)(e)2.  
     375#         KickStart Actions:  
     376
     377# 4.B.4.a(5)  
     378# KickStart Actions: None - PROCEDURAL REQUIREMENT 
     379   # 
     380   # 
     381   # 4.B.4.a(5)(a) 
     382   # KickStart Actions: None - PROCEDURAL REQUIREMENT 
     383   # 
     384   # 
     385   # 4.B.4.a(5)(b) 
     386   # KickStart Actions: None - PROCEDURAL REQUIREMENT 
     387   # 
     388   # 
     389   # 4.B.4.a(5)(c) 
     390   # KickStart Actions: None - PROCEDURAL REQUIREMENT 
     391 
     392   # 
     393   # 4.B.4.a(5)(d) 
     394   # KickStart Actions: None - PROCEDURAL REQUIREMENT 
     395   # 
     396   # 
     397   #(FOUO) 
     398   #4.B.4.a(5)(e) 
     399   #KickStart Actions: None - PROCEDURAL REQUIREMENT 
     400
     401
     402# 4.B.4.a(6)  
     403# KickStart Actions: None 
     404   # 
     405   # 4.B.4.a(6)(a) 
     406   # KickStart Actions: None 
     407   # 
     408   # 
     409   # 4.B.4.a(6)(b) 
     410   # KickStart Actions: Reset the permissions of /etc/syslog.conf to 640 and set 
     411   #                   /var/{run,log}/{wtmp,utmp} files to 664. 
     412   # 
     413   # GEN005400 
     414   # Reset the permissions to a DISA-blessed rw-r----- 
     415   echo "Locking down GEN005400" 
     416   chmod 640 /etc/syslog.conf 
     417   echo "GEN005400 Complete" 
     418   # 
     419   # GEN001260 
     420   echo "Locking down GEN001260" 
     421   perl -npe 's%chmod 0664 /var/run/utmp /var/log/wtmp%chmod 0644 /var/run/utmp /var/log/wtmp%g' -i /etc/rc.d/rc.sysinit 
     422   echo "GEN001260 Complete" 
     423   # 
     424   # 4.B.4.a(6)(c) 
     425   # KickStart Actions: Log rotation to 90 days (12 weeks) and turn compression on. 
     426   #                    This will have to up'd if system does not retain backups 
     427   #                    for 5 years  (e.g., tape backup). 
     428   # 
     429   for logconf in `ls -1 /etc/logrotate.conf` 
     430   do 
     431      perl -npe 's/rotate\s+4/rotate 12/' -i $logconf 
     432      perl -npe 's/\#compress/compress/' -i $logconf 
     433   done  
     434   # 
     435   # GEN002860 (G674) 
     436   # Rotate the audit-logs on a daily basis--keep them all 
     437   cat <<EOF > /etc/logrotate.d/audit 
     438      /var/log/audit/audit.log  
     439      { 
     440         daily 
     441         notifempty 
     442         missingok 
     443         postrotate 
     444         /sbin/service auditd restart 2> /dev/null > /dev/null || true 
     445      endscript 
     446      } 
     447EOF 
     448   echo "GEN002860 Complete" 
     449   # 
     450   # 4.B.4.a(6)(d) 
     451   # KickStart Actions: Turn on the Audit Daemon and set permissions 
     452   # 
     453   # GEN002660  
     454   # Turn on the Audit Daemon 
     455   echo "Locking down GEN002660" 
     456   chkconfig auditd on 
     457   echo "GEN002660 Complete" 
     458   # 
     459   # GEN002680 (G094) 
     460   # Reset permissions on audit logs 
     461   echo "Locking down GEN002680" 
     462   chmod 700 /var/log/audit 
     463   chmod 600 /var/log/audit/* 
     464   echo "GEN002680 Complete" 
     465      # 
     466      # 
     467      # 4.B.4.a(6)(d)(1) 
     468      # KickStart Actions: None, This is met with the /var/log/wtmp and  
     469      #                    /var/log/utmp files. Permissions have been set  
     470      #                    correctly above. 
     471      #                    See Section 4.B.4.a(6)(d)(2) 
     472      # 
     473      # 4.B.4.a(6)(d)(2) 
     474      # KickStart Actions: This will require refinement.   
     475      #                    Commented rules do not insert w/o an error. 
     476      # 
     477      cat <<EOF > /etc/audit.rules 
     478    
     479         ## Remove any existing rules 
     480         -D 
     481         ## Increase buffer size to handle the increased number of messages. 
     482         ## Feel free to increase this if the machine panic's 
     483         -b 8192 
     484         ## Set failure mode to panic 
     485         # -f 2 
     486         # 
     487         # GEN002720 
     488         ## Audits for failed attempts to access files and programs. 
     489         echo "Locking down GEN002720" 
     490    
     491         -a exit,always -S mknod -F success=0 
     492         -a exit,possible -S open -F success=0 
     493         -a exit,possible -S pipe -F success=0 
     494         -a exit,possible -S mkdir -F success=0 
     495         -a exit,possible -S creat -F success=0 
     496         #LEAK 
     497         # MOD 
     498         -a exit,possible -S truncate -F success=0 
     499         -a exit,possible -S truncate64 -F success=0 
     500         -a exit,possible -S ftruncate -F success=0 
     501         -a exit,possible -S ftruncate64 -F success=0 
     502          #        
     503          echo "GEN002720 Complete" 
     504         # 
     505         # GEN002740 
     506         ## Audit for files and programs deleted by user 
     507         echo "Locking down GEN002740" 
     508         -a exit,possible -S unlink -F success!=0 
     509         -a exit,possible -S rmdir -F success!=0 
     510         -a exit,possible -w /bin/rm -F success=0 -F success!=0 
     511         -a exit,possible -S rename -F success!=0 
     512          #        
     513          echo "GEN002740 Complete" 
     514         # 
     515         # GEN002760 
     516         echo "Locking down GEN002760" 
     517         ## Audit all administrative actions 
     518         #  AUD_it 
     519         #  Backup_export 
     520         #  Dev_change 
     521         #  Dev_configure 
     522         #  Dev_create 
     523         -a exit,possible -S chown -F success!=0 
     524         -a exit,possible -S chown32 -F success!=0 
     525         -a exit,possible -S fchown -F success!=0 
     526         -a exit,possible -S fchown32 -F success!=0 
     527         -a exit,possible -S lchown -F success!=0 
     528         -a exit,possible -S lchown32 -F success!=0 
     529         -a exit,always -S chroot -F success!=0 
     530         -a exit,always -S mount -F success=0 -F success!=0 
     531         -a exit,always -S umount -F success=0 -F success!=0 
     532         -a exit,always -S umount2 -F success=0 -F success!=0 
     533         -a exit,always -w /usr/sbin/pwck -F success=0 -F success!=0 
     534         -a exit,always -S adjtimex -F success!=0 
     535         -a exit,always -S settimeofday -F success!=0 
     536         -a exit,always -S kill -F success=0 -F success!=0 
     537         # 
     538         #Proc_privilege 
     539         -a exit,always -w /bin/chgrp -F success=0 -F success!=0 
     540         -a exit,always -w /usr/bin/newgrp -F success=0 -F success!=0 
     541         -a exit,always -w /usr/sbin/groupadd -F success=0 -F success!=0 
     542         -a exit,always -w /usr/sbin/groupmod -F success=0 -F success!=0 
     543         -a exit,always -w /usr/sbin/groupdel -F success=0 -F success!=0 
     544         # Restore imports 
     545         # 
     546         # TCBCK_delete 
     547         -a exit,possible -w /usr/sbin/useradd -F success=0 -F success!=0 
     548         -a exit,possible -w /usr/sbin/userdel -F success=0 -F success!=0 
     549         -a exit,possible -w /usr/sbin/usermod -F success=0 -F success!=0 
     550         -a exit,possible -w /usr/bin/chage -F success=0 -F success!=0 
     551         -a exit,possible -S reboot -F success!=0 
     552         # User_setenv 
     553         #        
     554         echo "GEN002760 Complete" 
     555    
     556         ##  
     557         ## 4.B.4.a(6)(d)(1)  
     558         # 
     559         # GEN002780 
     560         echo "Locking down GEN002780" 
     561         ## Audit all security actions 
     562         -w /bin/login -p x 
     563         -a exit,possible -w /bin/logout -F success!=0 
     564         -a exit,possible -S init_module -F success!=0 
     565         -a exit,possible -S delete_module -F success!=0 
     566         -a exit,possible -w /bin/su -F success!=0 
     567          #        
     568          echo "GEN002780 Complete" 
     569         # 
     570         # GEN002800 
     571         echo "Locking down GEN002800" 
     572         ## Audit use of privileged commands 
     573         -a exit,possible -w /usr/bin/setfacl -F success=0 -F success!=0 
     574         -a exit,possible -w /usr/bin/chacl -F success=0 -F success!=0 
     575         -a exit,possible -S chmod -F success=0 -F success!=0 
     576         -a exit,possible -S fchmod -F success=0 -F success!=0 
     577         -a exit,possible -S link -F success=0 -F success!=0 
     578         -a exit,possible -S symlink -F success=0 -F success!=0 
     579         #  Proc_realgid 
     580         #  Proc_setuserids 
     581         #        
     582         echo "GEN002800 Complete" 
     583         # 
     584         ## ??????????? 
     585         ## Audit application and session initiation 
     586         ##  Proc_Delete 
     587         #        
     588         # ???????????? 
     589EOF 
     590      # 
     591      # 4.B.4.a(6)(d)(3) 
     592      # KickStart Actions: All authentication attemps will be monitored 
     593      #                    in /var/log/messages. 
     594      # 
     595      # GEN003660 
     596      echo "Locking down GEN003660" 
     597      echo "auth.notice           /var/log/messages" >> /etc/syslog.conf 
     598      echo "GEN003660 Complete" 
     599
     600
     601# 4.B.4.a(7)  
     602# KickStart Actions: None - PROCEDURAL REQUIREMENT 
     603
     604
     605# 4.B.4.a(8)  
     606# KickStart Actions:  None - PROCEDURAL REQUIREMENT 
     607 
     608   # 
     609   # 4.B.4.a(8)(a) 
     610   # KickStart Actions:  None - PROCEDURAL REQUIREMENT 
     611 
     612   # 
     613   # 4.B.4.a(8)(b)  
     614   # KickStart Actions:  None - PROCEDURAL REQUIREMENT 
     615 
     616 
     617
     618# 4.B.4.a(9)  
     619# KickStart Actions:  None - PROCEDURAL REQUIREMENT 
     620 
     621 
     622 
     623   # 4.B.4.a(9)(a)  
     624   # KickStart Actions:   
     625 
     626   # 4.B.4.a(9)(b) 
     627   # KickStart Actions:  POLICY 
     628 
     629   # 4.B.4.a(9)(c)  
     630   # KickStart Actions:   
     631 
     632   # 4.B.4.a(9)(d)  
     633   # KickStart Actions:   
     634 
     635 
     636
     637
     638# 4.B.4.a(10)   
     639# KickStart Actions:  None - PROCEDURAL REQUIREMENT 
     640
     641   # 4.B.4.a(10)(a)  
     642   # KickStart Actions:   
     643 
     644   # 4.B.4.a(10)(b)  
     645   # KickStart Actions:   
     646 
     647 
     648 
     649
     650# 4.B.4.a(11)  
     651# KickStart Actions:  None 
     652 
     653 
     654   # 
     655   # 4.B.4.a(11)(a) 
     656   # KickStart Actions:  None 
     657 
     658   # 
     659   # 4.B.4.a(11)(b) 
     660   # KickStart Actions:  None 
     661 
     662   # 
     663   # 4.B.4.a(11)(c) 
     664   # KickStart Actions: The following item have been set to meet this policy.  
     665   # Note: 
     666   # Investigating using PAM for preventing 10 recent passwords- doesn't appear 
     667   # to be easily done using pam_passwdqc 
     668    
     669   # Passwd strength 
     670   cat <<EOF > /etc/pam.d/system-auth 
     671      # %PAM-1.0 
     672      # This file is auto-generated. 
     673      # User changes will be destroyed the next time authconfig is run. 
     674      auth        required      /lib/security/$ISA/pam_env.so 
     675      auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok 
     676      auth        required      /lib/security/$ISA/pam_deny.so 
     677      auth             required      /lib/security/pam_tally.so onerr=fail no_magic_root 
     678    
     679      account     required      /lib/security/$ISA/pam_unix.so 
     680      account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet 
     681      account     required      /lib/security/$ISA/pam_permit.so 
     682      account     required      /lib/security/pam_tally.so deny=3 reset no_magic_root 
     683    
     684      password    required      /lib/security/$ISA/pam_passwdqc.so enforce=users ask_oldauthok=update  
     685      password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=10 
     686      password    required      /lib/security/$ISA/pam_deny.so 
     687    
     688      session     required      /lib/security/$ISA/pam_limits.so 
     689      session     required      /lib/security/$ISA/pam_unix.so 
     690EOF 
     691 
     692   # Password Strength Settings /etc/login.defs 
     693   # GEN000 
     694   echo "Locking down GEN000580" 
     695   perl -npe 's/PASS_MIN_LEN\s+5/PASS_MIN_LEN  9/' -i /etc/login.defs 
     696   #STIG specifies using following, but it's not a valid parameter 
     697   #echo "PASSLENGTH 9" >> /etc/login.defs 
     698   echo "GEN000580 Complete" 
     699   # 
     700   # 4.B.4.a(11)(d) 
     701   # KickStart Actions:  None - PROCEDURAL REQUIREMENT 
     702   # 
     703   # 4.B.4.a(11)(e) 
     704   # KickStart Actions: Change the password expiration time from undefined to 60 days. 
     705   #                    Users cannot change passwords more than once a day. 
     706   # 
     707   # Change the password expiration time from undefined to 60 days 
     708   # GEN000700 
     709   echo "Locking down GEN000700" 
     710   perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 60/' -i /etc/login.defs 
     711   chage -M 60 root 
     712   echo "GEN000700 Complete" 
     713   # 
     714   # Ensure that the user cannot change their password more than once a day. 
     715   # GEN000540 
     716   echo "Locking down GEN000540" 
     717   perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs 
     718   echo "GEN000540 Complete" 
     719   # 
     720   # 4.B.4.a(11)(f) 
     721   # KickStart Actions: opasswd file creation in /etc/security/opasswd  
     722   #                    for non-replication.  
     723 
     724   touch /etc/security/opasswd 
     725   chmod 600 /etc/security/opasswd 
     726 
     727   # 
     728   # 4.B.4.a(11)(g) 
     729   #                    Protection of authenticators to perserve confidentiality and  
     730   #                    integrity.  Red Hat encrypts authenticators using the MD5 
     731   #                    Message Digest. 
     732   # KickStart Actions: Additional I&A Security.  
     733 
     734 
     735
     736# 4.B.4.a(12)  
     737# KickStart Actions:  See 4.B.4.a(9)(c); specifically passwdqc 
     738 
     739
     740# 4.B.4.a(13)  
     741# KickStart Actions: By default ssh uses Triple DES.  This script will edit 
     742#                    the /etc/ssh/ssh_config file to use stronger encryption. 
     743#                    AES with 256-bit key Cycpher Block Chaining   
     744
     745  perl -npe 's/\#\s+Cipher\s+3des/Ciphers aes256-cbc/' -i /etc/ssh/ssh_config  
     746 
     747 
     748
     749# 4.B.4.a(14)  
     750# KickStart Actions: None 
     751 
     752   # 4.B.4.a(14)(a)  
     753   # KickStart Actions:   
     754 
     755 
     756   # 4.B.4.a(14)(b)  
     757   # KickStart Actions:   
     758 
     759 
     760
     761# 4.B.4.a(15)  
     762# KickStart Actions:   
     763 
     764   #     4.B.4.a(15)(1)  
     765   #     KickStart Actions:   
     766 
     767   #     4.B.4.a(15)(b)  
     768   #     KickStart Actions:  None - PROCEDURAL REQUIREMENT 
     769 
     770   #     4.B.4.a(15)(c)  
     771   #     KickStart Actions:   
     772 
     773   #     4.B.4.a(15)(d)   
     774   #     KickStart Actions:   
     775 
     776   #     4.B.4.a(15)(e)  
     777   #     KickStart Actions:   
     778 
     779
     780
     781# 4.B.4.a(16)   
     782# KickStart Actions:  None - PROCEDURAL REQUIREMENT 
     783
     784# 4.B.4.a(17)  
     785# KickStart Actions: Restrict Root Logins and Least Privilege Enhancements. 
     786
     787
     788# Further restricting root logins 
     789# GEN000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  
     790#investigating by using PAM for preventing 10 recent passwords- doesn't appear 
     791# to be easily done using pam_passwdqc 
     792# Further restricting root logins 
     793echo "Locking down GEN00xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" 
     794cat << EOF > /etc/pam.d/su 
     795# %PAM-1.0 
     796  auth       sufficient   /lib/security/$ISA/pam_rootok.so 
     797  # Uncomment the following line to implicitly trust users in the "wheel" group. 
     798  # auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid 
     799  # Uncomment the following line to require a user to be in the "wheel" group. 
     800  auth       required     /lib/security/$ISA/pam_wheel.so use_uid 
     801  auth       required     /lib/security/$ISA/pam_stack.so service=system-auth 
     802  account    required     /lib/security/$ISA/pam_stack.so service=system-auth 
     803  password   required     /lib/security/$ISA/pam_stack.so service=system-auth 
     804  # pam_selinux.so close must be first session rule 
     805  session    required     /lib/security/$ISA/pam_selinux.so close 
     806  session    required     /lib/security/$ISA/pam_stack.so service=system-auth 
     807  # pam_selinux.so open and pam_xauth must be last two session rules 
     808  session    required     /lib/security/$ISA/pam_selinux.so open multiple 
     809  session    optional     /lib/security/$ISA/pam_xauth.so 
     810EOF 
     811echo "GEN00xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Complete" 
     812  # 
     813  # You have to enter a Superuser PW when booting into single user mode 
     814  # GEN000020  
     815  # GEN000040  
     816  echo "Locking down GEN000020, GEN000040" 
     817  echo "Require the root pw when booting into single user mode" >> /etc/inittab 
     818  echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab 
     819  echo "GEN000020, GEN000040 Complete" 
     820
     821# 4.B.4.a(18)  
     822# KickStart Actions: None 
     823
     824# 4.B.4.a(19)  
     825# KickStart Actions: Centralized Time 
     826 
     827 
     828# GEN000240: CAT I: The SA will ensure the outside network time-server is an authoritative  
     829# U.S. DOD source for both the NIPRNet and the SIPRNet. 
     830  echo "Locking down GEN000240" 
     831# Recovery and Audit need correct time stamps this was put here. 
     832# Could go in multiple places 
     833# Pick a US-based clock server.  Should be set to a approved USNO NTP Network Time Server 
     834# See http://tycho.usno.navy.mil/ntp.html 
     835  perl -npe 's/^server.*/server clock\.ismc\.ic\.gov/g' -i /etc/ntp.conf 
     836  echo "GEN000240 Complete" 
     837
     838# 4.B.4.a(20)  
     839# KickStart Actions: None 
     840
     841# 4.B.4.a(21)  
     842# KickStart Actions: None 
     843   # 
     844   # 4.B.4.a(21)(a) 
     845   # KickStart Actions: Interactive Shell setting here. 
     846   # Gnome screen-saver line command tool -->  needs to be tested. 
     847   # gconftool-2 --direct \ 
     848   #   --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ 
     849   #   --type int \ 
     850   #   --set /apps/gnome-screensaver/idle_delay 15 
     851   # 
     852   # 4.B.4.a(21)(b) 
     853   # KickStart Actions: None 
     854   # 
     855   # 4.B.4.a(21)(c) 
     856   # KickStart Actions: None 
     857
     858# 4.B.4.a(22)  
     859# KickStart Actions: None 
     860
     861# 4.B.4.a(23)  
     862# KickStart Actions: None 
     863 
     864   # 
     865   # 4.B.4.a(23)(a) 
     866   # KickStart Actions: See Section 4.B.4.a(23)(b) 
     867   # 
     868   # 4.B.4.a(23)(b) 
     869   # KickStart Actions: Banner Settings 
     870
     871# GEN000400: CAT II-The SA will ensure a logon-warning banner is 
     872# displayed on all devices and sessions at the initial logon. 
     873  echo "Locking down GEN000400, GEN000420" 
     874# Set the /etc/issue file to the DoD login banner.  This one has no linefeeds,  
     875# so it will wrap accordingly. 
     876cat <<EOF >/etc/issue 
     877THIS IS A DEPARTMENT OF DEFENSE COMPUTER SYSTEM.  THIS COMPUTER SYSTEM, INCLUDING ALL RELATED EQUIPMENT, NETWORKS, AND NETWORK DEVICES (SPECIFICALLY INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR AUTHORIZED US GOVERNMENT USE.  DOD COMPUTER SYSTEMS MAY BE MONITORED FOR ALL LAWFUL PURPOSES, INCLUDING TO ENSURE THEIR USE IS AUTHORIZED, FOR MANAGEMENT OF THE SYSTEM, TO FACILITATE 
     878PROTECTION AGAINST UNAUTHORIZED ACCESS, AND TO VERIFY SECURITY PROCEDURES, SURVIVABILITY, AND OPERATIONAL SECURITY.  MONITORING INCLUDES ACTIVE ATTACKS BY AUTHORIZED DOD ENTITIES TO TEST OR VERIFY THE SECURITY OF THIS SYSTEM.  DURING MONITORING, INFORMATION MAY BE EXAMINED, RECORDED, COPIED, AND USED FOR AUTHORIZED PURPOSES.  ALL INFORMATION, INCLUDING PERSONAL INFORMATION, PLACED ON OR SENT OVER THIS SYSTEM, MAY BE MONITORED. 
     879 
     880USE OF THIS DOD COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM.  UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION.  EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION.  USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES. 
     881EOF 
     882
     883echo "GEN000400 Completed" 
     884 
     885# This part creates the same login banner once your username and password has  
     886# been entered.  This has linefeeds in it. 
     887# GEN000420: CAT II) (Previously – G011) The IAO will ensure the Legal Notice Logon 
     888# Warning Banner includes the five points outlined in the CJCSM 6510.01.  
     889 
     890cat <<EOF >/etc/X11/gdm/PreSession/Default 
     891 
     892# !/bin/sh 
     893
     894# Note that any setup should come before the sessreg command as 
     895# that must be 'exec'ed for the pid to be correct (sessreg uses the parent 
     896# pid) 
     897
     898# Note that output goes into the .xsession-errors file for easy debugging 
     899
     900 
     901PATH="/usr/bin/X11:/usr/X11R6/bin:/opt/X11R6/bin:$PATH:/bin:/usr/bin" 
     902 
     903/usr/bin/gdialog --yesno "THIS IS A DEPARTMENT OF DEFENSE COMPUTER SYSTEM.  THIS COMPUTER  
     904SYSTEM, INCLUDING ALL RELATED EQUIPMENT, NETWORKS, AND NETWORK DEVICES (SPECIFICALLY  
     905INCLUDING INTERNET ACCESS), ARE PROVIDED ONLY FOR AUTHORIZED US GOVERNMENT USE.  DOD  
     906COMPUTER SYSTEMS MAY BE MONITORED FOR ALL LAWFUL PURPOSES, INCLUDING TO ENSURE THEIR  
     907USE IS AUTHORIZED, FOR MANAGEMENT OF THE SYSTEM, TO FACILITATE PROTECTION AGAINST  
     908UNAUTHORIZED ACCESS, AND TO VERIFY SECURITY PROCEDURES, SURVIVABILITY, AND OPERATIONAL  
     909SECURITY.  MONITORING INCLUDES ACTIVE ATTACKS BY AUTHORIZED DOD ENTITIES TO TEST OR  
     910VERIFY THE SECURITY OF THIS SYSTEM.  DURING MONITORING, INFORMATION MAY BE EXAMINED,  
     911RECORDED, COPIED, AND USED FOR AUTHORIZED PURPOSES.  ALL INFORMATION, INCLUDING PERSONAL  
     912INFORMATION, PLACED ON OR SENT OVER THIS SYSTEM, MAY BE MONITORED. 
     913 
     914USE OF THIS DOD COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO  
     915MONITORING OF THIS SYSTEM.  UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION.   
     916EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE,  
     917CRIMINAL, OR OTHER ADVERSE ACTION.  USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING  
     918FOR THESE PURPOSES." 
     919if ( test 1 -eq \$? ); then 
     920        gdialog --infobox "Logging out in 10 Seconds" 1 20 & 
     921        sleep 10 
     922        exit 1 
     923fi 
     924 
     925gdmwhich () { 
     926        COMMAND="$1" 
     927        OUTPUT= 
     928        IFS=: 
     929        for dir in $PATH 
     930        do 
     931                if test -x "$dir/$COMMAND" ; then 
     932                        if test "x$OUTPUT" = "x" ; then 
     933                                OUTPUT="$dir/$COMMAND" 
     934                        fi 
    129935                fi 
    130936        done 
    131          
    132         echo "Installing $REFPOL_RPM" 
    133         $RPM $RPM_OPTS2 $REFPOL_RPM 
    134         if [ $? -ne 0 ]; then 
    135                 echo "Installation of $REFPOL_RPM failed.  Terminating." 
    136                 exit 1 
     937        unset IFS 
     938        echo "$OUTPUT" 
     939
     940 
     941XSETROOT=\`gdmwhich xsetroot\` 
     942if [ "x$XSETROOT" != "x" ] ; then 
     943        # Try to snarf the BackgroundColor from the config file 
     944        BACKCOLOR=`grep '^BackgroundColor' /etc/X11/gdm/gdm.conf | sed 's/^.*=\(.*\)$/\1/'` 
     945        if [ "x$BACKCOLOR" = "x" ]; then 
     946                BACKCOLOR="#76848F" 
    137947        fi 
    138 
    139  
    140  
    141  
    142 while [ ! -z $1 ] 
    143 do 
    144         case "$1" in 
    145                 -i) INSTALL="TRUE";; 
    146                 *) break:: 
    147         esac 
    148         shift 
    149 done 
    150  
    151 if [ x$INSTALL = "xTRUE" ]; then 
    152         #some sanity checks: 
    153         if [ -z $UID ]; then 
    154                 UID=$($ID -u) 
    155         fi 
    156                  
    157         if [ $UID -ne 0 ]; then 
    158                 echo "Must be root to install." 
    159                 exit 1 
    160         fi 
    161         if [ x$ARCH != x$ARCH_32 ] && [ x$ARCH != x$ARCH_64 ]; then 
    162                 echo "Couldn't determine machine arcitecture from $UNAME -i. Terminating." 
    163                 exit 1   
    164         fi 
    165         download 
    166         check 
    167         inst 
    168         echo "$CLIP_RPM and $REFPOL_RPM successfully downloaded and installed." 
    169         exit 0 
    170 else 
    171         echo -e $USAGE 
    172         exit 0 
     948        "$XSETROOT" -cursor_name left_ptr -solid "$BACKCOLOR" 
    173949fi 
     950 
     951SESSREG=\`gdmwhich sessreg\` 
     952if [ "x$SESSREG" != "x" ] ; then 
     953        # some output for easy debugging 
     954        echo "$0: Registering your session with wtmp and utmp" 
     955        echo "$0: running: $SESSREG -a -w /var/log/wtmp -u /var/run/utmp -x \"$X_SERVERS\" -h \"$REMOTE_HOST\" -l \"$DISPLAY\" \"$USER\"" 
     956 
     957        exec "$SESSREG" -a -w /var/log/wtmp -u /var/run/utmp -x "$X_SERVERS" -h "$REMOTE_HOST" -l "$DISPLAY" "$USER" 
     958        # this is not reached 
     959fi 
     960#Some output for easy debugging 
     961echo "$0: could not find the sessreg utility, cannot update wtmp and utmp" 
     962exit 0 
    174963EOF 
    175 chmod +x $out_file_path/$out_file 
     964echo "GEN000420 Completed" 
     965
     966#/etc/ssh/sshd_config banner settings 
     967
     968#GEN005540 
     969echo "Locking down GEN005540" 
     970perl -npe 's/^#Banner \/some\/path/Banner \/etc\/issue/g' -i /etc/ssh/sshd_config 
     971echo "GEN005540 Complete" 
     972
     973#  
     974# 4.B.4.a(24)  
     975# KickStart Actions: None 
     976   #  
     977   # 4.B.4.a(24)(a) 
     978   # KickStart Actions: None 
     979   #  
     980   # 4.B.4.a(24)(b) 
     981   # KickStart Actions: Set an inactive shell timeout - likely going away in March STIG 
     982   #  
     983   # GEN000500: CAT II – The SA will configure systems to log out interactive processes  
     984   # (i.e., terminal sessions, ssh sessions, etc.,) after 15 minutes of inactivity 
     985   # or ensure a password protected screen lock mechanism is used and is set to lock the screen 
     986   # after 15 minutes of inactivity. 
     987   echo "Locking down GEN000500" 
     988   echo "TMOUT=900" >> /etc/profile 
     989   echo "GEN000500 Complete" 
     990   #  
     991   # 4.B.4.a(24)(c) 
     992   # KickStart Actions: None 
     993   # GEN000460: – The SA will ensure, after three consecutive failed logon attempts for an account,  
     994   # the account is locked for 15 minutes or until the SA unlocks the account. 
     995   echo "Locking down GEN00460" 
     996   echo "LOGIN_RETRIES 3" >> /etc/login.defs 
     997   echo "GEN000460 Complete" 
     998   # 
     999   # GEN000480: CAT II) (Previously – G015) The SA will ensure the logon delay between logon prompts  
     1000   # after a failed logon is set to at least four seconds. 
     1001   echo "Locking down GEN000480" 
     1002   echo "Make the user waits four seconds if they fail after LOGIN_RETRIES" >> /etc/login.defs 
     1003   echo "FAIL_DELAY 4" >> /etc/login.defs 
     1004   echo "GEN000480 Complete" 
     1005   #  
     1006   # 4.B.4.a(24)(d) 
     1007   # KickStart Actions: None 
     1008#  
     1009# 4.B.4.a(25)  
     1010# KickStart Actions: None 
     1011   #  
     1012   # 4.B.4.a(25)(a) 
     1013   # KickStart Actions: None 
     1014   #  
     1015   # 4.B.4.a(25)(b) 
     1016   # KickStart Actions: None 
     1017   #  
     1018   # 4.B.4.a(25)(c) 
     1019   # KickStart Actions: None 
     1020   #  
     1021   # 4.B.4.a(25)(d) 
     1022   # KickStart Actions: None - Will need to down load an encryption package like "secret agent" 
     1023 
     1024#  
     1025# 4.B.4.a(26)  
     1026# KickStart Actions: None 
     1027   #  
     1028   # 4.B.4.a(26)(a) 
     1029   # KickStart Actions: None 
     1030      #  
     1031      # 4.B.4.a(26)(a)(1) 
     1032      # KickStart Actions: None 
     1033      #  
     1034      # 4.B.4.a(26)(a)(2) 
     1035      # KickStart Actions: None 
     1036      #  
     1037      # 4.B.4.a(26)(a)(3) 
     1038      # KickStart Actions: 
     1039      echo 'Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc' >> /etc/ssh/ssh_config 
     1040      #  
     1041      # 4.B.4.a(26)(a)(4) 
     1042      # KickStart Actions: None 
     1043   #  
     1044   # 4.B.4.a(26)(b) 
     1045   # KickStart Actions: None 
     1046 
     1047 
     1048 
     1049#  
     1050# 4.B.4.a(27)   
     1051# KickStart Actions:  
     1052 
     1053 
     1054 
     1055 
     1056
     1057# DCID 6/3 PL4 
     1058# 4.B.4 Protection Level 4 
     1059# 4.B.4.b --  Requirements for system assurance at PL4 
     1060
     1061# KickStart Actions: None 
     1062
     1063# 4.B.4.b(1)  
     1064# KickStart Actions:  
     1065
     1066# 4.B.4.b(2)  
     1067# KickStart Actions: None 
     1068   # 
     1069