secure-kickstart.cfg

#
# From: Jim Perrin <jperrin@gmail.com>
#
############## Secure Kickstart version 1.0 ##############
##########################################################
#
# Name: secure-kickstart.cfg
# Description: Kickstart file with many of the DISA STIG
#	       changes applied via %post functionality
# Distro: CentOS 5 or RHEL 5
# 
#
#################### End User Notes ######################
#
#   There are a number of considerations to be made when 
# using this document. Partitioning space, system use, 
# and other tasks that make servers different.
#
#
####################### Usage ############################
#
# 1. Set up partitioning, or leave commented to get the 
#    anaconda partitioner. 
# 2. Review the package list. Add or remove as needed
# 3. This kickstart assumes a local mirror to install
#     from. Change this to suit your needs.

install
cdrom
#url --url http://192.168.1.1./installmedia
lang en_US.UTF-8
keyboard us
network --noipv6 --onboot=yes --bootproto=dhcp 
#text
########## !! CHANGE THIS !! ##########
#zerombr
#clearpart --all
#partition /boot --fstype "ext3" --size=128 --ondisk=sda
#partition pv.2 --size=0 --grow --ondisk=sda
#volgroup OS_VOL --pesize=32768 pv.2
#logvol swap --fstype swap --name=lvSwap --vgname=OS_VOL --size=2048
#logvol / --fstype ext3 --name=lvRoot --vgname=OS_VOL --size=10240
#logvol /var --fstype ext3 --name=lvVar --vgname=OS_VOL --size=10240
#logvol /home --fstype ext3 --name=lvHome --vgname=OS_VOL --size=10240
#logvol /tmp --fstype ext3 --name=lvTMP --vgname=OS_VOL --size=4096
#logvol /opt --fstype ext3 --name=lvopt --vgname=OS_VOL --size=10240

bootloader --location mbr --password Sekrit
authconfig --enableshadow --enablemd5
selinux --enforcing
rootpw ChangeMe
timezone --utc America/New_York
firewall --enabled --port=22:tcp  # This will be further restricted later
reboot

########## UPDATE THE PACKAGE LIST #############
%packages --resolvedeps
# For bare systems, these are the groups you need initially.
@Base
@text-internet
@editors
# For something with a gui, uncomment these
#@gnome-desktop
#@system-tools
#@base-x
#@graphics
#@printing
#@sound-and-video

# Packages added for security
aide
audit
vlock
# Packages removed because we don't need/use them
-compiz
-emacs-leim
-emacspeak
-ethereal
-ethereal-gnome
-gnome-games
-isdn4k-utils
-nmap
-octave
-oprofile
-rcs
-tcpdump
-valgrind
-zsh

%pre

%post --nochroot
mkdir /mnt/sysimage/tmp/ks-tree-copy
if [ -d /oldtmp/ks-tree-shadow ]; then
    cp -fa /oldtmp/ks-tree-shadow/* /mnt/sysimage/tmp/ks-tree-copy
elif [ -d /tmp/ks-tree-shadow ]; then
    cp -fa /tmp/ks-tree-shadow/* /mnt/sysimage/tmp/ks-tree-copy
fi
cp /etc/resolv.conf /mnt/sysimage/etc/resolv.conf

%post

## Log errors by creating one big subshell
(

if [ -f /usr/share/rhn/RPM-GPG-KEY ]; then
  rpm --import /usr/share/rhn/RPM-GPG-KEY 
elif [ -f /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 ]; then
  rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
fi

############# Adding Security Enhancements ############################


################# User Login Security Changes #####################
# GEN000020 (G001)
# GEN000040 (G002)
# GEN000060 (G003)
# Require root password for single user mode
echo "Locking down GEN000020, GEN000040, GEN000060"
echo "Require the root pw when booting into single user mode" >> /etc/inittab
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
echo "GEN000020, GEN000040,GEN000060 Complete"


## Prevent entering interactive boot
perl -npe 's/PROMPT=yes/PROMPT=no/' -i /etc/sysconfig/init
echo "Interactive Boot disabled"

# LNX00580 (L222)
echo "Locking down LNX00580"
perl -npe 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /etc/inittab
echo "LNX00580 Complete"


# We'll get to the updated versions once we configure pam.

# GEN000700
# Change the password expiration time from undefined to 60 days
echo "Locking down GEN000700"
perl -npe 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 60/' -i /etc/login.defs
chage -M 60 root
echo "GEN000700 Complete"

# GEN000540
# Ensure that the user cannot change their password more than once a day.
echo "Locking down GEN000540"
perl -npe 's/PASS_MIN_DAYS\s+0/PASS_MIN_DAYS 1/g' -i /etc/login.defs
echo "GEN000540 Complete"

# GEN000480 (G015)
echo "Locking down GEN000480"
echo "Make the user waits four seconds if they fail after LOGIN_RETRIES" >> /etc/login.defs
echo "FAIL_DELAY 4" >> /etc/login.defs
echo "GEN000480 Complete"

# GEN000820
echo "Locking down GEN000820"
perl -npe 's/PASS_MIN_LEN\s+5/PASS_MIN_LEN  9/' -i /etc/login.defs
#STIG specifies using foloowing, but it's not a valid parameter
#echo "PASSLENGTH 9" >> /etc/login.defs
echo "GEN000820 Complete"

## As of RHEL/CentOS 5.3, authconfig supports SHA password encryption
## This cannot be set by default using auth earlier in the KS, so it must be done in %post
echo "Using SHA512 for the password algorithm"
authconfig --passalgo=sha512 --update
echo "Done"

###### PAM Modifications
# These modifications apply to GEN000460, GEN000600 and GEN000620
touch /var/log/tallylog

cat << 'EOF' > /etc/pam.d/system-auth-local
#%PAM-1.0
# Auth Section
auth required pam_tally2.so unlock_time=900 onerr=fail no_magic_root
auth required pam_faildelay.so delay=5000000
auth include system-auth-ac

# Accounts Section
account required pam_tally2.so
account include system-auth-ac

# Password Section
password required pam_pwhistory.so   use_authtok remember=5 retry=3
password requisite pam_passwdqc.so min=disabled,disabled,16,12,8
password include system-auth-ac

# Session Section
## By default we're only going to log what root does
## This gets really verbose if we log more.
## If you want to log everyone, remove disable=*
session required pam_tty_audit.so disable=* enable=root
session include system-auth-ac
EOF


# Create some basic shell rules for users. 

echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=600" >> /etc/profile.d/os-security.sh
echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
chmod +x /etc/profile.d/os-security.sh

# GEN002560
# Reset the umasks for all users to 077
echo "Locking down GEN002560"
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/bashrc
perl -npe 's/umask\s+0\d2/umask 077/g' -i /etc/csh.cshrc
echo "GEN002560 Complete"


## Require GUI consoles to lock if idle longer than 10 minutes. 
if [ -f /etc/gconf/gconf.xml.mandatory ]; then 
  gconftool-2 --direct \
	--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
	--type bool \
	--set /apps/gnome-screensaver/idle_activation_enabled true
  gconftool-2 --direct \
	--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
	--type bool --set /apps/gnome-screensaver/lock_enabled true
  gconftool-2 --direct \
	--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
	--type string \
	--set /apps/gnome-screensaver/mode blank-only
  gconftool-2 --direct \
	--config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
	--type int \
	--set /apps/gnome-screensaver/idle_delay 10
fi

## No one gets to run cron or at jobs unless we say so.
echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: '{print $1}' /etc/passwd | grep -v root > /etc/at.deny



# GEN000400 (G010)
echo "Locking down GEN000400"
# Set the /etc/issue file to something scary.  This one has no linefeeds, so it will wrap accordingly.
# Change this to your own banner for organizations outside the Scary Zone

cat << 'EOF' >/etc/issue
USE OF THIS COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM.  UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION.  EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION.  USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES.
EOF
echo "GEN000400 Completed"


# The banner above works great for shell logins, but won't work for gui logins. 
if [ -f /etc/gdm/PreSession/Default ]; then
# GEN000420 (G011)
# This part creates the same login banner once your username and password has been entered.  This has linefeeds in it.
# Text needs to be cleaned up a touch.
echo "Locking down GEN000420"
perl -npe 's/exit\s0/\n/' -i /etc/gdm/PreSession/Default

cat << 'EOF' >> /etc/gdm/PreSession/Default
/usr/bin/gdialog --yesno "Agree = 'OK'   Disagree = 'Cancel'

USE OF THIS COMPUTER SYSTEM, AUTHORIZED OR UNAUTHORIZED, CONSTITUTES CONSENT TO MONITORING OF THIS SYSTEM.  UNAUTHORIZED USE MAY SUBJECT YOU TO CRIMINAL PROSECUTION.  EVIDENCE OF UNAUTHORIZED USE COLLECTED DURING MONITORING MAY BE USED FOR ADMINISTRATIVE, CRIMINAL, OR OTHER ADVERSE ACTION.  USE OF THIS SYSTEM CONSTITUTES CONSENT TO MONITORING FOR THESE PURPOSES.

Agree = 'OK'   Disagree = 'Cancel'"
if ( test 1 -eq $? ); then
        /usr/bin/gdialog --infobox "Logging out in 10 Seconds" 1 20 &
        sleep 10
        exit 1
fi

exit 0
EOF
echo "GEN000420 Completed"
fi

################## File and Directory Security #########################

# Restrict mount points with noexec, nosuid, and nodev where applicable

# GEN002420
echo "Locking down GEN002420"
FSTAB=/etc/fstab
SED=/bin/sed

#nosuid on /home
if [ $(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | grep -c "nosuid") -eq 0 ]; then
        MNT_OPTS=$(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | awk '{print $4}')
        ${SED} -i "s/\([[:blank:]]\/home.*${MNT_OPTS}\)/\1,nosuid/" ${FSTAB}
fi

# nosuid on /sys
if [ $(grep "[[:blank:]]\/sys[[:blank:]]" ${FSTAB} | grep -c "nosuid") -eq 0 ]; then
        MNT_OPTS=$(grep "[[:blank:]]\/sys[[:blank:]]" ${FSTAB} | awk '{print $4}')
        ${SED} -i "s/\([[:blank:]]\/sys.*${MNT_OPTS}\)/\1,nosuid/" ${FSTAB}
fi

## nosuid on /boot
if [ $(grep "[[:blank:]]\/boot[[:blank:]]" ${FSTAB} | grep -c "nosuid") -eq 0 ]; then
        MNT_OPTS=$(grep "[[:blank:]]\/boot[[:blank:]]" ${FSTAB} | awk '{print $4}')
        ${SED} -i "s/\([[:blank:]]\/boot.*${MNT_OPTS}\)/\1,nosuid/" ${FSTAB}
fi

# nodev on /usr
if [ $(grep "[[:blank:]]\/usr[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
        MNT_OPTS=$(grep "[[:blank:]]\/usr[[:blank:]]" ${FSTAB} | awk '{print $4}')
       ${SED} -i "s/\([[:blank:]]\/usr.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB}
fi

#nodev on /home
if [ $(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
        MNT_OPTS=$(grep "[[:blank:]]\/home[[:blank:]]" ${FSTAB} | awk '{print $4}')
        ${SED} -i "s/\([[:blank:]]\/home.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB}
fi

# nodev on /usr/local
if [ $(grep "[[:blank:]]\/usr/local[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
        MNT_OPTS=$(grep "[[:blank:]]\/usr/local[[:blank:]]" ${FSTAB} | awk '{print $4}')
        ${SED} -i "s/\([[:blank:]]\/usr\/local.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB}
fi

# nodev and noexec on /tmp
if [ $(grep "[[:blank:]]\/tmp[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
        MNT_OPTS=$(grep "[[:blank:]]\/tmp[[:blank:]]" ${FSTAB} | awk '{print $4}')
        ${SED} -i "s/\([[:blank:]]\/tmp.*${MNT_OPTS}\)/\1,nodev,noexec/" ${FSTAB}
fi
# nodev and noexec on /var/tmp
if [ $(grep "[[:blank:]]\/var/tmp[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
        MNT_OPTS=$(grep "[[:blank:]]\/tmp[[:blank:]]" ${FSTAB} | awk '{print $4}')
        ${SED} -i "s/\([[:blank:]]\/var/tmp.*${MNT_OPTS}\)/\1,nodev,noexec/" ${FSTAB}
fi

# nodev on /var
if [ $(grep "[[:blank:]]\/var[[:blank:]]" ${FSTAB} | grep -c "nodev") -eq 0 ]; then
       MNT_OPTS=$(grep "[[:blank:]]\/var[[:blank:]]" ${FSTAB} | awk '{print $4}')
        ${SED} -i "s/\([[:blank:]]\/var.*${MNT_OPTS}\)/\1,nodev/" ${FSTAB}
fi

echo "GEN002420 Complete"



# By default  /root has permissions of 750. Change this to 700
# GEN000920 (G023)
echo "Locking down GEN000920"
# Correct the permissions on /root to a DISA allowed 700
chmod 700 /root
echo "GEN000920 Complete"


# GEN002680 (G094)
# reset permissions on audit logs
echo "Locking down GEN002680"
chmod 700 /var/log/audit
chmod 600 /var/log/audit/*
echo "GEN002680 Complete"


# GEN003080
echo "Locking down GEN003080"
chmod 600 /etc/crontab
chmod 700 /usr/share/logwatch/scripts/logwatch.pl
echo "GEN003080 Complete"

# GEN003520 ( RHEL5 default anyway )
echo "Locking down GEN003520"
chmod 700 /var/crash
chown -R root.root /var/crash
echo "GEN003520 Complete"

# GEN006520
echo "Locking down GEN006520"
chmod 740 /etc/rc.d/init.d/iptables
chmod 740 /sbin/iptables
chmod 740 /usr/share/logwatch/scripts/services/iptables
echo "GEN006520 Complete"

# GEN001560
echo "Locking down GEN001560"
chmod -R 700 /etc/skel
echo "GEN001560 Complete"

# GEN005400 (G656)
# Reset the permissions to a DISA-blessed rw-r-----
echo "Locking down GEN005400"
chmod 640 /etc/syslog.conf
echo "GEN005400 Complete"

# LNX00440 (L046)
# Set mode to DISA-blessed rw-r------
echo "Locking down LNX00440"
chmod 640 /etc/security/access.conf
echo "LNX00440 Complete"


# GEN001260
echo "Locking down GEN001260"
perl -npe 's%chmod 0664 /var/run/utmp /var/log/wtmp%chmod 0644 /var/run/utmp /var/log/wtmp%g' -i /etc/rc.d/rc.sysinit
echo "GEN001260"

# LNX00520 (L208)
echo "Locking down LNX00520"
chmod 600 /etc/sysctl.conf
echo "LNX00520 Complete"

# Add some enhancements to sysctl
cat << 'EOF' >> /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 1
EOF

########## Turn off the uneeded stuff #############
# IAVA0410 (G592) and GEN003700
# Turn off unneeded services
# You may want to leave sendmail enabled but the STIG says otherwise
# I mark this as mitigated by the firewall, and not accepting outside
# connections. The NSA RHEL5 guide has a full service list 
# with recommendations
echo "Locking down IAVA0410 and GEN003700"
/sbin/chkconfig bluetooth off
/sbin/chkconfig irda off
/sbin/chkconfig lm_sensors off
/sbin/chkconfig portmap off
/sbin/chkconfig rawdevices off
/sbin/chkconfig rpcgssd off
/sbin/chkconfig rpcidmapd off
/sbin/chkconfig rpcsvcgssd off
/sbin/chkconfig sendmail off
/sbin/chkconfig xinetd off
/sbin/chkconfig kudzu off
echo "IAVA0410 and GEN003700 Complete"

######### Remove useless users ##############
# This isn't strictly needed as they have a default shell of nologin
# but we're removing them anyway to be safe.

echo "Locking down LNX0034 and GEN004840"
/usr/sbin/userdel shutdown
/usr/sbin/userdel halt
/usr/sbin/userdel games
/usr/sbin/userdel operator
/usr/sbin/userdel ftp
/usr/sbin/userdel news
/usr/sbin/userdel gopher
echo "LNX0034 and GEN004840 Complete"



############# SSH restrictions ###############
#
# Uncomment this if you have physical access to the machine.
# This will lock root out from ssh.
# GEN001120 (G500)

# We need to restrict ssh root logins; 
#echo "Locking down GEN001120"
#perl -npe 's/#PermitRootLogin yes/PermitRootLogin no/' -i /etc/ssh/sshd_config
#echo "GEN001120 Complete"

#GEN005540
echo "Locking down GEN005540"
perl -npe 's/^#Banner \/some\/path/Banner \/etc\/issue/g' -i /etc/ssh/sshd_config
echo "GEN005540 Complete"

perl -npe 's/^#ServerKeyBits 768/ServerKeyBits 2048/g' -i /etc/ssh/sshd_config
perl -npe 's/^#MaxAuthTries 6/MaxAuthTries 3/g' -i /etc/ssh/sshd_config


################ Configure a better default firewall ###############
cat << 'EOF' > /etc/sysconfig/iptables
#Drop anything we aren't explicitly allowing. All outbound traffic is okay
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log anything on eth0 claiming it's from a local or non-routable network
# If you're using one of these local networks, remove it from the list below
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
-A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "
# Accept any established connections
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ssh traffic. Restrict this to known ips if possible.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#Log and drop everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
EOF

###### Check to see if we have network access for updates ##########
# For RHEL systems, change the profile name and key
# Documentation for activation keys can be found at 
# http://kbase.redhat.com/faq/docs/DOC-2475
2>/dev/null >/dev/tcp/google.com/80
if [ $? -eq 0 ]; then
  if [ -f /usr/share/rhn/RPM-GPG-KEY ]; then
    rhnreg_ks --profilename=secure-rhel --activationkey=xxxxxxxxxxx
  fi
  cat << 'EOF' >> /etc/yum.conf
exclude = *.i?86
EOF
  yum -y remove *.i?86
  yum -y update
else
echo "There's no network. No updates performed"
fi

############### Beef up the default ruleset for AIDE #################
# Setup AIDE off this baseline
echo "Setting up baseline AIDE configuration ...."
echo "NOTE!!! PLEASE REVIEW THIS, AND EDIT FOR YOUR SPECIFIC CONFIGURATION!"

# Write /etc/aide.conf
echo "Appending default setuid/setgid and 666 f/d to default /etc/aide.conf"
cat << 'EOF' >> /etc/aide.conf

# World-Writable files and directories
# Note: There are no ww files in the base install

# World-Writable Directories in base install

/tmp                            PERMS
/tmp/.pk11ipc1                  PERMS
/tmp/.font-unix                 PERMS
/tmp/.ICE-unix                  PERMS
/tmp/.X11-unix                  PERMS
/var/tmp                        PERMS

# set-UID and set-GID files in base install

/sbin/netreport                 PERMS
/usr/libexec/utempter/utempter  PERMS
/usr/sbin/lockdev               PERMS
/usr/sbin/sendmail.sendmail     PERMS
/usr/lib/vte/gnome-pty-helper   PERMS
/usr/bin/locate                 PERMS
/usr/bin/write                  PERMS
/usr/bin/wall                   PERMS
/usr/bin/ssh-agent              PERMS
/usr/bin/lockfile               PERMS
/usr/bin/screen                 PERMS
EOF

echo "done adding to /etc/aide.conf" 
echo ""
echo "Building a initial AIDE DB..."
/usr/sbin/aide -i
echo "Initial AIDE DB complete"
echo ""
echo "Copping initial AIDE DB to initial baseline AIDE DB..."
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
echo "done copping initital AIDE DB"
echo ""
echo ""
echo "Please review your AIDE configuration, default DB locations,"
echo "cron jobs, etc. to fit your needs"
echo ""
echo "GEN02440 and GEN2380 Complete"



) > /root/kickstart-log.txt 2>&1