Where I work we have very few Red Hat servers, so there hasn't been a need, so far, to deploy a Red Hat Satellite server to assist with deploying servers. Since we use VMware ESXi for our virtual environment, what I have done instead is create a virtual machine template with some basic configuration. Once I deploy the virtual server, I use some custom shell scripts to finish the configuration. The post-install scripts for the new servers live on a NAS share. Because I am often changing the post-install scripts with new security changes and such, I have a basic updatesscripts.sh on the template that looks like this:
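#!/bin/bash
# Mounts NAS share to local share directory on the server template
# Stop here if the mount fails, so an empty or stale /share is never copied
mount -t cifs //ipaddress/scripts_share /share -o username=username || exit 1
sleep 2
# Copies the mounted share into the local scripts directory
# ("yes |" feeds "y" to cp in case it prompts before overwriting)
yes | cp -R /share/* /scripts
sleep 4
umount /share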
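Everything copied this way is later run as root on a new server, so it is worth checking the share's contents before the copy. The following is an added example, not part of the original scripts: it refuses to copy unless a checksum manifest matches a digest obtained outside the NAS, every listed file matches, and no unlisted file is present. The manifest name SHA256SUMS, the PIN argument and the function names are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the original post): verify the share before copying.
# Assumptions: a manifest named SHA256SUMS at the top of the share, and its own
# SHA-256 obtained from somewhere other than the NAS (passed as PIN).

# verify_share SRC PIN -> 0 only if the manifest matches PIN, every listed
# file matches its hash, and the share holds no file the manifest omits.
verify_share() {
    local src=$1 pin=$2 actual listed present
    [ -f "$src/SHA256SUMS" ] || { echo "no manifest in $src" >&2; return 1; }

    # 1) The manifest itself must match the out-of-band digest.
    actual=$(sha256sum "$src/SHA256SUMS" | cut -d' ' -f1)
    [ "$actual" = "$pin" ] || { echo "manifest digest mismatch" >&2; return 1; }

    # 2) Every listed file must exist and match its recorded hash.
    ( cd "$src" && sha256sum --quiet --strict -c SHA256SUMS ) || return 1

    # 3) Nothing unlisted may ride along (an extra script would be copied too).
    listed=$(sed -E 's/^[0-9a-f]{64} [ *]//; s|^\./||' "$src/SHA256SUMS" | sort)
    present=$(cd "$src" && find . -type f ! -name SHA256SUMS | sed 's|^\./||' | sort)
    [ "$listed" = "$present" ] || { echo "unlisted or missing files" >&2; return 1; }
}

# sync_scripts SRC DEST PIN -> copy SRC into DEST only after verification.
sync_scripts() {
    verify_share "$1" "$3" || { echo "refusing to copy from $1" >&2; return 1; }
    mkdir -p "$2" && cp -R "$1"/. "$2"/
}

# In updatesscripts.sh this would replace the cp line, for example:
#   sync_scripts /share /scripts "$PIN" || { umount /share; exit 1; }
```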
Then, when I am ready to start the server setup, I run this script that gives menu options:
#!/bin/bash
clear
selection=
until [ "$selection" = "0" ]; do
    echo ""
    echo "-------------------------"
    echo "* New Server Setup MENU *"
    echo "-------------------------"
    echo ""
    echo "1 - Change network IP"
    echo "2 - Change hostname"
    echo "3 - Register Red Hat server with Red Hat subscription"
    echo "4 - Update the server"
    echo "5 - Setup Red Hat 7 server"
    echo "6 - Install TrendMicro for domain1.local"
    echo "7 - Install TrendMicro for domain2.local"
    echo "8 - Create new user"
    echo "9 - Copy standardized bashrc"
    echo ""
    echo "0 - exit program"
    echo ""
    echo -n "Enter selection: "
    read selection
    echo ""
    case $selection in
        1 ) sh /scripts/RH7_CentOS7/networkchg_RH7_CentOS7.sh ;;
        2 ) sh /scripts/RH7_CentOS7/hostnamechg_RH7_CentOS7.sh ;;
        3 ) sh /scripts/RHEL_subscription.sh ;;
        4 ) sh /scripts/yumupdate.sh ;;
        5 ) sh /scripts/RH7_CentOS7/Setup_RH7.sh ;;
        6 ) sh /scripts/TM_Orlando.sh ;;
        7 ) sh /scripts/TM_Peak10.sh ;;
        8 ) sh /scripts/createuser_prompt-RH.sh ;;
        9 ) sh /scripts/cpbashrc.sh ;;
        0 ) exit ;;
        * ) echo "Please enter 1 - 9 or 0"
    esac
done
Here is what each of those scripts from the menu executes:
Menu 1
#!/bin/bash
clear
echo
echo "*** The current IP address is: ***"
echo "__________________________________"
ip addr
echo "__________________________________"
echo
echo "^^^ Would you like to change the network IP address? yes or no: ^^^"
read REPLY
if [ "$REPLY" == "yes" ]; then
    nmtui
    echo "*** Restarting the network service ***"
    echo
    systemctl restart network
    echo
else
    # Any answer other than "yes" leaves the network settings unchanged
    echo
    echo "*** No change ***"
    echo
fi
echo "*** This is the current IP address ***"
echo "______________________________________"
ip addr
echo "______________________________________"
echo
Menu 2
#!/bin/bash
# Change hostname
clear
echo
echo "*** Confirming the static hostname is set... ***"
echo
hostnamectl status
echo
echo "^^^ The current hostname is -> `hostname` <-. Would you like to change the machine hostname? yes or no: ^^^"
read HOSTCHANGE
if [ "$HOSTCHANGE" == "yes" ]; then
    echo
    echo "**** Changing the hostname. What would you like to change it to? ****"
    read HOSTNAME
    # Quoted so the answer is passed as a single argument
    hostnamectl set-hostname "$HOSTNAME"
    echo
    hostnamectl status
    sleep 3
else
    # Any answer other than "yes" leaves the hostname unchanged
    echo
    echo "*** No change ***"
    echo
fi
clear
Menu 3
#!/bin/bash
clear
subscription-manager register --username username --auto-attach
echo
subscription-manager attach --pool=longidstring
echo
echo "Currently assigned and consumed"
echo "_______________________________"
echo
subscription-manager list --consumed
echo "_______________________________"
clear
Menu 4
#!/bin/bash
clear
yum install -y wget vim rsync
yum -y update
echo
echo "^^^ Updates have been applied. Would you like to reboot? yes or no: ^^^"
read RESPONSE
if [ "$RESPONSE" == "yes" ]; then
    echo
    echo "**** Rebooting ****"
    sleep 3
    reboot
else
    # Any answer other than "yes" skips the reboot
    echo
fi
clear
Menu 5
This next script runs a hardening process for PCI compliance. Basically, it's a script that launches many scripts that harden the server based on the CIS Red Hat 7 Benchmark and OpenSCAP hardening, along with some standing installs and configurations.
#!/bin/bash
clear
echo "----------------------------------------------------"
echo "@@@ OS Hardening @@@"
sleep 4
echo
echo "----------------------------------------------------"
echo "*** CIS 1-1 - Sticky bit, disable mounting ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_1-1_fs.sh
echo
##read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 2-1 - Remove special services ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_2-2_removespecialservices.sh
echo
#read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 2-3 - Remove services ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_2-3_removeservices.sh
echo
#read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo
echo "*** CIS 3-1 - Modify Network Parameters ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_3-1_modifynetparam.sh
echo
#read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 3-3 - Disable IPv6 ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_3-3_modifyipv6.sh
echo
#read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 3-4 - Install TCP Wrappers ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_3-4_tcpwrappers.sh
echo
#read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 3-5 - Uncommon Network Protocols ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_3-5_uncommonnetwork.sh
echo
#read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 3-6 - Enable IPtables & add rules ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_3-6_confirmfirewall.sh
echo
#read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 4-1 - Configure Auditing ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_4-1_configsysacct.sh
echo
#read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 4-2 - Configure logs ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_4-2_configlogfiles.sh
echo
#read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 5-2 - Configure SSH ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_5-2_configssh.sh
echo
#read -p "Press [Enter] to continue"
#echo "----------------------------------------------------"
#echo "CIS 5-3 - Set lockout for failed password"
#echo
#sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_5-3_logout.sh
#echo
##read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 5-4 - Set password expiration, lock inactive user accounts ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_5-4_passwordexp.sh
echo
#read -p "Press [Enter] to continue"
echo "----------------------------------------------------"
echo "*** CIS 6-2 - Configure home directory, additional auditing ***"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/CIS_6-2_checkuserhome.sh
echo
echo "----------------------------------------------------"
echo "@@@ Additional hardening cont'd @@@"
echo
sh /scripts/RH7_CentOS7/PCI_scripts_RH7_CentOS7/RHEL7_PCI_harden.sh
echo
#echo "---->> Complete <<----"
echo -e "---->> \033[33;7mHardening Completed\033[0m <<----"
echo
sleep 4
clear
echo "----------------------------------------------------"
echo "@@@ Setting up SNMPv3 @@@"
sh /scripts/RH7_CentOS7/snmp_abc_RH7_CentOS7.sh
sleep 4
clear
echo "----------------------------------------------------"
echo "@@@ Installing Splunk @@@"
sh /scripts/splunk_inst.sh
sleep 4
clear
echo "----------------------------------------------------"
echo "@@@ Installing VMware Tools @@@"
sh /scripts/vmwaretools.sh
sleep 4
clear
echo "----------------------------------------------------"
echo "@@@ Configure Max Password Age for root @@@"
sh /scripts/rootmaxpass.sh
sleep 4
clear
echo -e "---->> \033[33;7mCompleted Setup\033[0m <<----"
sleep 4
clear
Menu 6 & 7
Basically, those are scripts for installing TrendMicro.
Menu 8
#!/bin/bash
clear
echo -n "Enter a username: "
read name
# Quote the name so it is passed as one argument, and stop if the
# account cannot be created (for example, an empty or invalid name)
useradd -m "$name" || exit 1
passwd "$name"
# Force a password change at first login
chage -d 0 "$name"
echo
echo "^^^ Would you like to add the new user to the sudoers? yes or no: ^^^"
read REPLY
if [ "$REPLY" == "yes" ]; then
    echo
    echo "** Adding user to the end of the file **"
    echo
    echo "$name ALL=(ALL) ALL" >> /etc/sudoers
    echo
    echo "** Here is the output confirmation **"
    sleep 5
    cat /etc/sudoers
    sleep 3
else
    # Any answer other than "yes" leaves sudoers unchanged
    echo
    echo "** Not adding user **"
    echo
fi
sleep 3
clear
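Appending straight to /etc/sudoers puts the new line into the live policy with no syntax check, and the typed username goes into the file as-is. The following added example, which is not part of the original scripts, shows one alternative: validate the name, write a drop-in under /etc/sudoers.d, and keep it only if visudo -cf accepts it. The function names and the SUDOERS_DIR and VISUDO overrides are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the original post): grant sudo through a validated
# drop-in file instead of appending to /etc/sudoers.
# SUDOERS_DIR and VISUDO are overridable only so the functions can be tried
# against a scratch directory; on a server the defaults apply.
SUDOERS_DIR=${SUDOERS_DIR:-/etc/sudoers.d}
VISUDO=${VISUDO:-visudo}

# valid_username NAME -> 0 if NAME is a conservative login name: starts with a
# lowercase letter or underscore, then lowercase letters, digits, "_" or "-",
# at most 32 characters. Spaces, "." and sudoers syntax are all rejected.
valid_username() {
    local LC_ALL=C
    case $1 in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or a character outside the set
        [a-z_]*) [ "${#1}" -le 32 ] ;;
        *) return 1 ;;
    esac
}

# grant_sudo NAME -> create SUDOERS_DIR/NAME, keeping it only if it parses.
grant_sudo() {
    local name=$1 tmp
    valid_username "$name" || { echo "invalid username" >&2; return 1; }
    # sudo skips files in sudoers.d whose names contain ".", so the
    # candidate file is never read as policy while it is being checked.
    tmp=$(mktemp "$SUDOERS_DIR/.new.XXXXXX") || return 1
    printf '%s ALL=(ALL) ALL\n' "$name" > "$tmp"
    chmod 0440 "$tmp"
    # Syntax-check the candidate; a file that fails never goes live.
    if ! "$VISUDO" -cf "$tmp" >/dev/null; then
        rm -f "$tmp"
        echo "sudoers syntax check failed" >&2
        return 1
    fi
    mv -f "$tmp" "$SUDOERS_DIR/$name"
}

# In the create-user script this would replace the ">> /etc/sudoers" line:
#   grant_sudo "$name" || echo "** sudo not granted **"
```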
Menu 9
I have a custom bashrc. If you are interested in seeing it, just post in the comments and I will update this post with the custom file.
#!/bin/bash
clear
echo
echo "** Configure custom bashrc **"
echo
echo "** Current bashrc **"
sleep 3
clear
cat "$HOME/.bashrc"
sleep 5
echo
echo "** Backing up current bashrc **"
sleep 3
cp "$HOME/.bashrc" "$HOME/.bashrc.bk"
echo
echo "** Copying custom bashrc **"
cp -f /scripts/bashrc "$HOME/.bashrc"
echo
echo "** New bashrc **"
sleep 3
clear
cat "$HOME/.bashrc"
sleep 5
clear