From 4e80f64c3db5a7ff05882ca7ef2435721deb3eeb Mon Sep 17 00:00:00 2001
From: pynezz
Date: Sat, 31 Jan 2026 22:52:27 +0100
Subject: [PATCH] Make git repo

---
 Makefile | 272 +++++++++++++++++++++++++++++
 README.md | 219 +++++++++++++++++++++++
 gen-kickstarts.sh | 356 ++++++++++++++++++++++++++++++++++++++
 kickstarts/kiosk.ks | 72 ++++++++
 kickstarts/minimal.ks | 56 ++++++
 kickstarts/security.ks | 84 +++++++++
 kickstarts/workstation.ks | 102 +++++++++++
 7 files changed, 1161 insertions(+)
 create mode 100644 Makefile
 create mode 100644 README.md
 create mode 100755 gen-kickstarts.sh
 create mode 100644 kickstarts/kiosk.ks
 create mode 100644 kickstarts/minimal.ks
 create mode 100644 kickstarts/security.ks
 create mode 100644 kickstarts/workstation.ks

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..ef2926b
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,272 @@ +# Fedora 42 Custom Live ISO Builder +# Requires: lorax, lorax-lmc-novirt, anaconda (for kickstart validation) +# Must run with sudo for livemedia-creator + +SHELL := /bin/bash +.ONESHELL: +.SHELLFLAGS := -eu -o pipefail -c + +# ============================================================================ +# Configuration +# ============================================================================ + +FEDORA_VERSION := 42 +ARCH := x86_64 +VARIANT ?= minimal + +BUILD_DIR := $(CURDIR)/build +CACHE_DIR := $(CURDIR)/cache +OUTPUT_DIR := $(CURDIR)/output +KICKSTART_DIR := $(CURDIR)/kickstarts +OVERLAY_DIR := $(CURDIR)/overlays +SCRIPTS_DIR := $(CURDIR)/scripts +TMP_DIR := /var/tmp/lorax-build + +ISO_LABEL := FEDORA-CUSTOM +ISO_NAME := fedora-$(FEDORA_VERSION)-custom-$(VARIANT)-$(ARCH) +ISO_FILE := $(OUTPUT_DIR)/$(ISO_NAME).iso + +LORAX_OPTS := --nomacboot --noverifyssl + +KICKSTART ?= $(KICKSTART_DIR)/$(VARIANT).ks + +# ============================================================================ +# Colors +# ============================================================================ + +CLR_RED := \033[0;31m +CLR_GREEN := \033[0;32m +CLR_YELLOW := \033[0;33m +CLR_BLUE := \033[0;34m +CLR_RESET := \033[0m + +# ============================================================================ +# Default target +# ============================================================================ + +.PHONY: all +all: help + +# ============================================================================ +# Help +# ============================================================================ + +.PHONY: help +help: + @printf "Fedora $(FEDORA_VERSION) Custom Live ISO Builder\n" + @printf "==============================================\n\n" + @printf "Usage: sudo make [VARIANT=]\n\n" + @printf "Build targets:\n" + @printf " iso Build the live ISO (requires sudo)\n" + @printf " iso-novirt Build without KVM (slower, works in containers)\n\n" + @printf "Variants (VARIANT=):\n" 
+ @printf " minimal Bare minimum bootable system (~400MB)\n" + @printf " kiosk Single-app kiosk/PoS system\n" + @printf " workstation Lightweight workstation with Sway\n" + @printf " security Security/forensics toolkit\n\n" + @printf "Setup targets:\n" + @printf " deps Install build dependencies\n" + @printf " init-kickstarts Generate kickstart templates\n\n" + @printf "Utility targets:\n" + @printf " validate Validate kickstart syntax\n" + @printf " test-qemu Boot ISO in QEMU\n" + @printf " checksum Generate SHA256/MD5 checksums\n" + @printf " clean Remove build artifacts\n" + @printf " distclean Remove everything including output\n\n" + @printf "Examples:\n" + @printf " make init-kickstarts\n" + @printf " sudo make iso VARIANT=minimal\n" + @printf " sudo make iso VARIANT=kiosk\n" + @printf " sudo make iso KICKSTART=./custom.ks\n" + +# ============================================================================ +# Dependencies +# ============================================================================ + +.PHONY: deps +deps: + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Installing build dependencies...\n" + @if ! 
command -v dnf &>/dev/null; then \ + printf "$(CLR_RED)[ERROR]$(CLR_RESET) Requires Fedora/RHEL with dnf\n"; \ + exit 1; \ + fi + dnf install -y \ + lorax \ + lorax-lmc-novirt \ + anaconda \ + pykickstart \ + qemu-kvm \ + libvirt \ + virt-install \ + syslinux \ + isomd5sum \ + squashfs-tools \ + xorriso \ + grub2-tools-extra + @printf "$(CLR_GREEN)[OK]$(CLR_RESET) Dependencies installed\n" + +# ============================================================================ +# Directory setup +# ============================================================================ + +.PHONY: dirs +dirs: + @mkdir -p $(BUILD_DIR) $(CACHE_DIR) $(OUTPUT_DIR) $(KICKSTART_DIR) $(OVERLAY_DIR) $(SCRIPTS_DIR) $(TMP_DIR) + +# ============================================================================ +# Kickstart generation (via external script) +# ============================================================================ + +.PHONY: init-kickstarts +init-kickstarts: dirs + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Generating kickstart templates...\n" + @chmod +x $(SCRIPTS_DIR)/gen-kickstarts.sh + @$(SCRIPTS_DIR)/gen-kickstarts.sh $(KICKSTART_DIR) + @printf "$(CLR_GREEN)[OK]$(CLR_RESET) Kickstarts created in $(KICKSTART_DIR)/\n" + +# ============================================================================ +# Validation +# ============================================================================ + +.PHONY: validate +validate: $(KICKSTART) + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Validating: $(KICKSTART)\n" + @ksvalidator $(KICKSTART) + @printf "$(CLR_GREEN)[OK]$(CLR_RESET) Kickstart is valid\n" + +# ============================================================================ +# Root check +# ============================================================================ + +.PHONY: check-root +check-root: + @if [ "$$(id -u)" -ne 0 ]; then \ + printf "$(CLR_RED)[ERROR]$(CLR_RESET) Must run as root (use sudo)\n"; \ + exit 1; \ + fi + +# 
============================================================================ +# ISO Build +# ============================================================================ + +.PHONY: iso +iso: dirs validate check-root + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Building: $(ISO_NAME)\n" + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Kickstart: $(KICKSTART)\n" + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) This may take 10-30 minutes...\n" + @rm -rf $(BUILD_DIR)/result + livemedia-creator \ + --ks $(KICKSTART) \ + --no-virt \ + --resultdir $(BUILD_DIR)/result \ + --project "Fedora Custom" \ + --releasever $(FEDORA_VERSION) \ + --volid $(ISO_LABEL) \ + --iso-only \ + --iso-name $(ISO_NAME).iso \ + --tmp $(TMP_DIR) \ + --logfile $(BUILD_DIR)/livemedia.log \ + $(LORAX_OPTS) + @mv $(BUILD_DIR)/result/$(ISO_NAME).iso $(ISO_FILE) 2>/dev/null || \ + mv $(BUILD_DIR)/result/images/$(ISO_NAME).iso $(ISO_FILE) 2>/dev/null || \ + find $(BUILD_DIR) -name "*.iso" -exec mv {} $(ISO_FILE) \; + @printf "$(CLR_GREEN)[OK]$(CLR_RESET) ISO created: $(ISO_FILE)\n" + @$(MAKE) -s checksum + +.PHONY: iso-novirt +iso-novirt: iso + +# ============================================================================ +# Testing +# ============================================================================ + +.PHONY: test-qemu +test-qemu: $(ISO_FILE) + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Booting ISO in QEMU...\n" + qemu-system-x86_64 \ + -enable-kvm \ + -m 2048 \ + -cpu host \ + -smp 2 \ + -cdrom $(ISO_FILE) \ + -boot d \ + -vga virtio \ + -display gtk + +.PHONY: test-qemu-serial +test-qemu-serial: $(ISO_FILE) + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Booting ISO (serial console)...\n" + qemu-system-x86_64 \ + -enable-kvm \ + -m 2048 \ + -cpu host \ + -smp 2 \ + -cdrom $(ISO_FILE) \ + -boot d \ + -nographic \ + -serial mon:stdio + +# ============================================================================ +# Checksums +# ============================================================================ + +.PHONY: 
checksum +checksum: $(ISO_FILE) + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Generating checksums...\n" + @cd $(OUTPUT_DIR) && sha256sum $(notdir $(ISO_FILE)) > $(notdir $(ISO_FILE)).sha256 + @cd $(OUTPUT_DIR) && md5sum $(notdir $(ISO_FILE)) > $(notdir $(ISO_FILE)).md5 + @printf "$(CLR_GREEN)[OK]$(CLR_RESET) Checksums:\n" + @cat $(ISO_FILE).sha256 + +.PHONY: implant-md5 +implant-md5: $(ISO_FILE) + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Implanting MD5 into ISO...\n" + implantisomd5 $(ISO_FILE) + @printf "$(CLR_GREEN)[OK]$(CLR_RESET) Verify with: checkisomd5 $(ISO_FILE)\n" + +# ============================================================================ +# Cleanup +# ============================================================================ + +.PHONY: clean +clean: + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Cleaning build artifacts...\n" + rm -rf $(BUILD_DIR) + rm -rf $(TMP_DIR) + @printf "$(CLR_GREEN)[OK]$(CLR_RESET) Clean complete\n" + +.PHONY: distclean +distclean: clean + @printf "$(CLR_BLUE)[INFO]$(CLR_RESET) Removing all generated files...\n" + rm -rf $(OUTPUT_DIR) + rm -rf $(CACHE_DIR) + @printf "$(CLR_GREEN)[OK]$(CLR_RESET) Distclean complete\n" + +# ============================================================================ +# Info +# ============================================================================ + +.PHONY: info +info: + @printf "Configuration:\n" + @printf " FEDORA_VERSION: $(FEDORA_VERSION)\n" + @printf " ARCH: $(ARCH)\n" + @printf " VARIANT: $(VARIANT)\n" + @printf " KICKSTART: $(KICKSTART)\n" + @printf " ISO_FILE: $(ISO_FILE)\n" + @printf " BUILD_DIR: $(BUILD_DIR)\n" + @printf " TMP_DIR: $(TMP_DIR)\n" + +.PHONY: list-isos +list-isos: + @printf "Built ISOs:\n" + @ls -lh $(OUTPUT_DIR)/*.iso 2>/dev/null || printf " (none)\n" + +# ============================================================================ +# Kickstart prerequisite +# ============================================================================ + +$(KICKSTART): + @printf 
"$(CLR_RED)[ERROR]$(CLR_RESET) Kickstart not found: $(KICKSTART)\n" + @printf "$(CLR_YELLOW)[HINT]$(CLR_RESET) Run: make init-kickstarts\n" + @exit 1 diff --git a/README.md b/README.md new file mode 100644 index 0000000..bfe54dd --- /dev/null +++ b/README.md 
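Review bot: `LORAX_OPTS := --nomacboot --noverifyssl` switches off TLS certificate verification for every repository fetch the build performs, so the HTTPS mirrorlist URLs in the kickstarts no longer protect `make iso` against an on-path attacker substituting packages; unless RPM signature checking is enforced elsewhere in the build (nothing in this Makefile does), whatever is served ends up inside the ISO. Drop the flag (`LORAX_OPTS := --nomacboot`) and, if an internal mirror with a private CA is the reason it exists, make it an explicit and documented opt-in such as `LORAX_OPTS += $(if $(INSECURE_TLS),--noverifyssl)`. Separately, `init-kickstarts` invokes `$(SCRIPTS_DIR)/gen-kickstarts.sh`, i.e. `scripts/gen-kickstarts.sh`, but this commit adds the script at the repository root, so the `chmod +x` fails before anything is generated; either move the script or reference `$(CURDIR)/gen-kickstarts.sh`. `iso-novirt` is also only an alias of `iso`, which already passes `--no-virt`, so the KVM/no-KVM distinction in the help text does not exist.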
@@ -0,0 +1,219 @@ +# Fedora 42 Custom Live ISO Builder + +A Makefile-based toolchain for building custom Fedora 42 live ISOs optimized for specific use cases like Point-of-Sale systems, kiosks, security workstations, and minimal servers. + +## Quick Start + +```bash +# Install dependencies (requires Fedora) +sudo make deps + +# Generate kickstart templates +make init-kickstarts + +# Build minimal ISO +sudo make iso VARIANT=minimal + +# Test in QEMU +make test-qemu +``` + +## Available Variants + +| Variant | Description | Approx Size | +| ------------- | ---------------------------------------- | ----------- | +| `minimal` | Bare minimum bootable system with SSH | ~400MB | +| `kiosk` | Single-app kiosk/PoS with Cage + Firefox | ~800MB | +| `workstation` | Lightweight GUI with Sway | ~1.2GB | +| `security` | Security/forensics toolkit | ~1.5GB | + +## Requirements + +- Fedora 42 (or compatible) host system +- Root privileges for ISO creation +- ~10GB free disk space +- KVM support recommended (or use `iso-novirt`) + +## Usage + +### Build Commands + +```bash +# Build with default (minimal) variant +sudo make iso + +# Build specific variant +sudo make iso VARIANT=kiosk +sudo make iso VARIANT=workstation +sudo make iso VARIANT=security + +# Use custom kickstart +sudo make iso KICKSTART=/path/to/custom.ks + +# Build without KVM (slower, works in containers) +sudo make iso-novirt VARIANT=minimal +``` + +### Utility Commands + +```bash +# Validate kickstart syntax +make validate KICKSTART=kickstarts/minimal.ks + +# Test ISO in QEMU +make test-qemu + +# Generate checksums +make checksum + +# Show configuration +make info + +# Clean build artifacts +make clean +sudo make distclean # Also removes output/ +``` + +## Customization + +### Modifying Kickstarts + +The kickstart files in `kickstarts/` control the entire OS configuration: + +1. **Packages**: Add/remove packages in the `%packages` section +2. **Services**: Enable/disable systemd units in `%post` +3. 
**Users**: Configure users and authentication +4. **Partitioning**: Customize disk layout + +### Adding Custom Files + +1. Place files in `overlays//` +2. Copy them in the `%post` section of your kickstart + +Example: + +```bash +%post +# Copy custom configs +cp -r /run/install/repo/overlays/* / +%end +``` + +### Creating New Variants + +1. Create `kickstarts/myvariant.ks` +2. Build with `sudo make iso VARIANT=myvariant` + +## Directory Structure + +``` +. +├── Makefile # Build system +├── README.md +├── kickstarts/ # Kickstart definitions +│ ├── minimal.ks +│ ├── kiosk.ks +│ ├── workstation.ks +│ └── security.ks +├── overlays/ # Files to include in ISO +├── build/ # Temporary build files +├── cache/ # Downloaded packages (preserved) +└── output/ # Final ISO files + └── fedora-42-custom-*.iso +``` + +## PoS/Kiosk Specific Notes + +For Point-of-Sale or kiosk deployments: + +### Security Hardening + +```kickstart +%post +# Disable USB storage +echo "blacklist usb-storage" > /etc/modprobe.d/blacklist-usb.conf + +# Disable Ctrl+Alt+Del reboot +systemctl mask ctrl-alt-del.target + +# Read-only root filesystem (advanced) +# Add 'ro' to kernel cmdline and use overlayfs +%end +``` + +### Auto-start Application + +The `kiosk` variant uses Cage (minimal Wayland compositor) to run Firefox in kiosk mode. Modify `/home/kiosk/.bash_profile` to launch your application: + +```bash +# For a custom app +exec cage -- /usr/local/bin/my-pos-app + +# For a web app +exec cage -- firefox --kiosk https://pos.example.com + +# For Electron apps +exec cage -- /opt/myapp/myapp --kiosk +``` + +### Network Configuration + +For static IP (common in PoS): + +```kickstart +network --bootproto=static --ip=192.168.1.100 --netmask=255.255.255.0 \ + --gateway=192.168.1.1 --nameserver=192.168.1.1 --device=link +``` + +## Troubleshooting + +### Build fails with "No space left on device" + +The build uses `/var/tmp/lorax-build` by default. 
Either: + +- Free space on that partition +- Change `TMP_DIR` in Makefile to a larger partition + +### "Cannot find a valid baseurl" + +Network issues or mirror problems. Try: + +```bash +# Use a specific mirror +sudo make iso LORAX_REPO=https://mirror.example.com/fedora/42/Everything/x86_64/os/ +``` + +### SELinux denials + +If building in a container or restricted environment: + +```bash +# Temporarily set permissive (not recommended for production) +sudo setenforce 0 +sudo make iso +sudo setenforce 1 +``` + +### ISO won't boot + +1. Verify checksum: `make checksum` +2. Check implanted MD5: `checkisomd5 output/*.iso` +3. Review build log: `less build/livemedia.log` + +## Advanced: Building in Containers + +For reproducible builds in CI/CD: + +```bash +podman run --rm -it --privileged \ + -v $(pwd):/build:Z \ + -v /dev:/dev \ + registry.fedoraproject.org/fedora:42 \ + bash -c "cd /build && make deps && make iso-novirt" +``` + +Note: Container builds require `--privileged` for loop devices and must use `iso-novirt`. + +## License + +MIT - Do whatever you want with this. diff --git a/gen-kickstarts.sh b/gen-kickstarts.sh new file mode 100755 index 0000000..60bab45 --- /dev/null +++ b/gen-kickstarts.sh 
@@ -0,0 +1,356 @@ +#!/bin/bash +# Generate kickstart templates for Fedora 42 custom ISOs +set -euo pipefail + +KICKSTART_DIR="${1:-kickstarts}" +mkdir -p "$KICKSTART_DIR" + +echo "[INFO] Generating kickstart templates in $KICKSTART_DIR" + +# ============================================================================= +# Minimal +# ============================================================================= +cat >"$KICKSTART_DIR/minimal.ks" <<'EOF' +# Fedora 42 Minimal Live ISO +# Ultra-minimal bootable system + +url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64 + +lang en_US.UTF-8 +keyboard us +timezone UTC --utc + +rootpw --plaintext changeme + +network --bootproto=dhcp --device=link --activate --onboot=yes + +bootloader --location=mbr --timeout=5 + +clearpart --all --initlabel +autopart --type=plain --nohome + +%packages --excludedocs +@core +kernel +systemd +dnf +bash +coreutils +util-linux +NetworkManager +openssh-server +openssh-clients +vim-minimal +less +-plymouth +-plymouth-* +-firewalld +-sssd* +-abrt* +%end + +%post --erroronfail +systemctl disable dnf-makecache.timer +systemctl disable dnf-makecache.service +systemctl enable sshd +systemctl enable NetworkManager + +mkdir -p /etc/systemd/journald.conf.d +cat > /etc/systemd/journald.conf.d/size.conf << JEOF +[Journal] +SystemMaxUse=50M +RuntimeMaxUse=20M +JEOF + +dnf clean all +rm -rf /var/cache/dnf/* +%end + +reboot +EOF + +echo "[OK] Created $KICKSTART_DIR/minimal.ks" + +# ============================================================================= +# Kiosk / PoS +# ============================================================================= +cat >"$KICKSTART_DIR/kiosk.ks" <<'EOF' +# Fedora 42 Kiosk/PoS Live ISO +# Single-application kiosk system with Wayland + +url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64 + +lang en_US.UTF-8 +keyboard us +timezone UTC --utc + +rootpw --plaintext changeme +user --name=kiosk 
--groups=wheel --plaintext --password=kiosk + +network --bootproto=dhcp --device=link --activate --onboot=yes + +bootloader --location=mbr --timeout=1 --append="quiet splash" + +clearpart --all --initlabel +autopart --type=plain --nohome + +%packages --excludedocs +@core +kernel +systemd +NetworkManager +cage +weston +firefox +dejavu-sans-fonts +dejavu-sans-mono-fonts +pipewire +pipewire-pulseaudio +plymouth +plymouth-system-theme +-abrt* +-sssd* +%end + +%post --erroronfail +# Autologin on tty1 +mkdir -p /etc/systemd/system/getty@tty1.service.d +cat > /etc/systemd/system/getty@tty1.service.d/autologin.conf << AEOF +[Service] +ExecStart= +ExecStart=-/sbin/agetty --autologin kiosk --noclear %I \$TERM +AEOF + +# Kiosk startup - launches Cage with Firefox +cat > /home/kiosk/.bash_profile << 'BEOF' +if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then + exec cage -- firefox --kiosk https://localhost +fi +BEOF +chown kiosk:kiosk /home/kiosk/.bash_profile + +# Lock kiosk user password +passwd -l kiosk + +# Limit virtual consoles +mkdir -p /etc/systemd/logind.conf.d +cat > /etc/systemd/logind.conf.d/kiosk.conf << LEOF +[Login] +NAutoVTs=1 +ReserveVT=0 +LEOF + +systemctl enable NetworkManager +systemctl set-default multi-user.target + +dnf clean all +%end + +reboot +EOF + +echo "[OK] Created $KICKSTART_DIR/kiosk.ks" + +# ============================================================================= +# Workstation (Sway) +# ============================================================================= +cat >"$KICKSTART_DIR/workstation.ks" <<'EOF' +# Fedora 42 Lightweight Workstation Live ISO +# Minimal GUI with Sway (Wayland) + +url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64 + +lang en_US.UTF-8 +keyboard us +timezone UTC --utc + +rootpw --plaintext changeme +user --name=user --groups=wheel --plaintext --password=user + +network --bootproto=dhcp --device=link --activate --onboot=yes + +bootloader --location=mbr --timeout=5 + 
+clearpart --all --initlabel +autopart --type=plain + +%packages --excludedocs +@core +kernel +systemd +NetworkManager +sway +swaylock +swayidle +swaybg +waybar +foot +wofi +vim +htop +git +curl +wget +dejavu-sans-fonts +dejavu-sans-mono-fonts +google-noto-emoji-fonts +pipewire +pipewire-pulseaudio +wireplumber +thunar +firefox +-plymouth* +-abrt* +-sssd* +%end + +%post --erroronfail +systemctl enable NetworkManager + +mkdir -p /home/user/.config/sway +cat > /home/user/.config/sway/config << 'SEOF' +set $mod Mod4 +set $term foot +set $menu wofi --show drun + +bindsym $mod+Return exec $term +bindsym $mod+d exec $menu +bindsym $mod+Shift+q kill +bindsym $mod+Shift+e exit + +floating_modifier $mod normal +bindsym $mod+Shift+c reload + +bindsym $mod+Left focus left +bindsym $mod+Down focus down +bindsym $mod+Up focus up +bindsym $mod+Right focus right + +bindsym $mod+Shift+Left move left +bindsym $mod+Shift+Down move down +bindsym $mod+Shift+Up move up +bindsym $mod+Shift+Right move right + +bindsym $mod+1 workspace 1 +bindsym $mod+2 workspace 2 +bindsym $mod+3 workspace 3 +bindsym $mod+Shift+1 move container to workspace 1 +bindsym $mod+Shift+2 move container to workspace 2 +bindsym $mod+Shift+3 move container to workspace 3 + +bar { + position top + status_command waybar +} + +include /etc/sway/config.d/* +SEOF +chown -R user:user /home/user/.config + +cat >> /home/user/.bash_profile << 'BEOF' +if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then + exec sway +fi +BEOF + +dnf clean all +%end + +reboot +EOF + +echo "[OK] Created $KICKSTART_DIR/workstation.ks" + +# ============================================================================= +# Security toolkit +# ============================================================================= +cat >"$KICKSTART_DIR/security.ks" <<'EOF' +# Fedora 42 Security/Forensics Toolkit Live ISO + +url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64 + +lang en_US.UTF-8 +keyboard us +timezone 
UTC --utc + +rootpw --plaintext changeme +user --name=analyst --groups=wheel --plaintext --password=analyst + +network --bootproto=dhcp --device=link --activate --onboot=yes + +bootloader --location=mbr --timeout=5 + +clearpart --all --initlabel +autopart --type=plain + +%packages --excludedocs +@core +kernel +systemd +NetworkManager +nmap +tcpdump +wireshark-cli +openssl +gnupg2 +aide +rkhunter +lynis +sleuthkit +testdisk +foremost +vim +tmux +htop +strace +ltrace +gdb +curl +wget +netcat +socat +bind-utils +whois +traceroute +mtr +python3 +python3-pip +bash-completion +podman +buildah +cryptsetup +-plymouth* +-abrt* +%end + +%post --erroronfail +systemctl enable NetworkManager + +# Security hardening +echo "* hard core 0" >> /etc/security/limits.conf + +cat > /etc/sysctl.d/99-security.conf << SEOF +kernel.core_pattern=|/bin/false +kernel.dmesg_restrict=1 +kernel.randomize_va_space=2 +net.ipv4.conf.all.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 +net.ipv4.icmp_echo_ignore_broadcasts=1 +net.ipv4.conf.all.accept_source_route=0 +net.ipv4.conf.default.accept_source_route=0 +net.ipv6.conf.all.accept_source_route=0 +net.ipv6.conf.default.accept_source_route=0 +SEOF + +mkdir -p /home/analyst/workspace/{captures,evidence,reports} +chown -R analyst:analyst /home/analyst/workspace + +dnf clean all +%end + +reboot +EOF + +echo "[OK] Created $KICKSTART_DIR/security.ks" + +echo "[INFO] All kickstart templates generated" diff --git a/kickstarts/kiosk.ks b/kickstarts/kiosk.ks new file mode 100644 index 0000000..3bd0b7d --- /dev/null +++ b/kickstarts/kiosk.ks 
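Review bot: Every generated template bakes in publicly known credentials — `rootpw --plaintext changeme` in all four, plus `user --name=kiosk --groups=wheel --plaintext --password=kiosk`, `--password=user` and `--password=analyst` — and since Fedora's default sudoers grants `wheel` full sudo, anyone who reads this repository and reaches a console or SSH prompt on one of these images is root; the `minimal` template compounds it by enabling `sshd` while excluding `firewalld`. Treat the generator's values as placeholders that must not ship: emit `rootpw --lock` and `--iscrypted` hashes taken from the environment, or fail early when nothing is provided, e.g. `: "${KS_ROOTPW_HASH:?set KS_ROOTPW_HASH to the output of openssl passwd -6}"`. The `cat >"$KICKSTART_DIR/…"` redirections also silently overwrite kickstarts a user has already hardened, so a later `make init-kickstarts` quietly reintroduces the weak defaults; guard each write with `[ -e "$KICKSTART_DIR/minimal.ks" ] || cat >"$KICKSTART_DIR/minimal.ks" <<'EOF'` or put `set -o noclobber` at the top of the script.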
@@ -0,0 +1,72 @@
+# Fedora 42 Kiosk/PoS Live ISO
+# Single-application kiosk system with Wayland
+
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
+
+lang en_US.UTF-8
+keyboard us
+timezone UTC --utc
+
+rootpw --plaintext changeme
+user --name=kiosk --groups=wheel --plaintext --password=kiosk
+
+network --bootproto=dhcp --device=link --activate --onboot=yes
+
+bootloader --location=mbr --timeout=1 --append="quiet splash"
+
+clearpart --all --initlabel
+autopart --type=plain --nohome
+
+%packages --excludedocs
+@core
+kernel
+systemd
+NetworkManager
+cage
+weston
+firefox
+dejavu-sans-fonts
+dejavu-sans-mono-fonts
+pipewire
+pipewire-pulseaudio
+plymouth
+plymouth-system-theme
+-abrt*
+-sssd*
+%end
+
+%post --erroronfail
+# Autologin on tty1
+mkdir -p /etc/systemd/system/getty@tty1.service.d
+cat > /etc/systemd/system/getty@tty1.service.d/autologin.conf << AEOF
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin kiosk --noclear %I \$TERM
+AEOF
+
+# Kiosk startup - launches Cage with Firefox
+cat > /home/kiosk/.bash_profile << 'BEOF'
+if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
+ exec cage -- firefox --kiosk https://localhost
+fi
+BEOF
+chown kiosk:kiosk /home/kiosk/.bash_profile
+
+# Lock kiosk user password
+passwd -l kiosk
+
+# Limit virtual consoles
+mkdir -p /etc/systemd/logind.conf.d
+cat > /etc/systemd/logind.conf.d/kiosk.conf << LEOF
+[Login]
+NAutoVTs=1
+ReserveVT=0
+LEOF
+
+systemctl enable NetworkManager
+systemctl set-default multi-user.target
+
+dnf clean all
+%end
+
+reboot
diff --git a/kickstarts/minimal.ks b/kickstarts/minimal.ks
new file mode 100644
index 0000000..b0d18d3
--- /dev/null
+++ b/kickstarts/minimal.ks
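Review bot: For a PoS/kiosk image the boot path is left wide open: `bootloader --location=mbr --timeout=1 --append="quiet splash"` sets no GRUB password and `autopart --type=plain --nohome` leaves the disk unencrypted, so anyone at the terminal can interrupt boot, append `init=/bin/bash` or boot other media, and read or modify the system; the hardening the README recommends for exactly this variant (USB-storage blacklist, masking `ctrl-alt-del.target`) is also not applied in `%post`. Add `--iscrypted --password=<grub2-mkpasswd-pbkdf2 hash>` to the `bootloader` line, use `autopart --type=plain --nohome --encrypted --passphrase=…` (or a TPM-bound LUKS setup) where the hardware allows, and replace `rootpw --plaintext changeme` with `rootpw --lock` or a hash. The autologin account is additionally placed in `wheel` (`user --name=kiosk --groups=wheel …`); the later `passwd -l kiosk` should defeat password-based sudo, but the membership still grants far more than a kiosk needs, so drop `--groups=wheel`.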
@@ -0,0 +1,56 @@
+# Fedora 42 Minimal Live ISO
+# Ultra-minimal bootable system
+
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
+
+lang en_US.UTF-8
+keyboard us
+timezone UTC --utc
+
+rootpw --plaintext changeme
+
+network --bootproto=dhcp --device=link --activate --onboot=yes
+
+bootloader --location=mbr --timeout=5
+
+clearpart --all --initlabel
+autopart --type=plain --nohome
+
+%packages --excludedocs
+@core
+kernel
+systemd
+dnf
+bash
+coreutils
+util-linux
+NetworkManager
+openssh-server
+openssh-clients
+vim-minimal
+less
+-plymouth
+-plymouth-*
+-firewalld
+-sssd*
+-abrt*
+%end
+
+%post --erroronfail
+systemctl disable dnf-makecache.timer
+systemctl disable dnf-makecache.service
+systemctl enable sshd
+systemctl enable NetworkManager
+
+mkdir -p /etc/systemd/journald.conf.d
+cat > /etc/systemd/journald.conf.d/size.conf << JEOF
+[Journal]
+SystemMaxUse=50M
+RuntimeMaxUse=20M
+JEOF
+
+dnf clean all
+rm -rf /var/cache/dnf/*
+%end
+
+reboot
diff --git a/kickstarts/security.ks b/kickstarts/security.ks
new file mode 100644
index 0000000..8e43731
--- /dev/null
+++ b/kickstarts/security.ks
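Review bot: This variant ships a remotely reachable root account with a published password: `rootpw --plaintext changeme` is the only account, `%post` runs `systemctl enable sshd`, `-firewalld` removes the host firewall, and `network … --activate --onboot=yes` brings the interface up at boot, so whether a password root login is accepted depends solely on the image's `PermitRootLogin` default, which nothing here pins. Replace the password with `rootpw --lock` (or `--iscrypted <hash>` from `openssl passwd -6`), provision access with `sshkey --username=root "ssh-ed25519 …"`, and add a drop-in in `%post`: `mkdir -p /etc/ssh/sshd_config.d && printf 'PermitRootLogin prohibit-password\nPasswordAuthentication no\n' > /etc/ssh/sshd_config.d/50-hardening.conf`. If the firewall really must go for the size target, record why in a comment beside `-firewalld`; otherwise keep it and leave only the `ssh` service open.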
@@ -0,0 +1,84 @@
+# Fedora 42 Security/Forensics Toolkit Live ISO
+
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
+
+lang en_US.UTF-8
+keyboard us
+timezone UTC --utc
+
+rootpw --plaintext changeme
+user --name=analyst --groups=wheel --plaintext --password=analyst
+
+network --bootproto=dhcp --device=link --activate --onboot=yes
+
+bootloader --location=mbr --timeout=5
+
+clearpart --all --initlabel
+autopart --type=plain
+
+%packages --excludedocs
+@core
+kernel
+systemd
+NetworkManager
+nmap
+tcpdump
+wireshark-cli
+openssl
+gnupg2
+aide
+rkhunter
+lynis
+sleuthkit
+testdisk
+foremost
+vim
+tmux
+htop
+strace
+ltrace
+gdb
+curl
+wget
+netcat
+socat
+bind-utils
+whois
+traceroute
+mtr
+python3
+python3-pip
+bash-completion
+podman
+buildah
+cryptsetup
+-plymouth*
+-abrt*
+%end
+
+%post --erroronfail
+systemctl enable NetworkManager
+
+# Security hardening
+echo "* hard core 0" >> /etc/security/limits.conf
+
+cat > /etc/sysctl.d/99-security.conf << SEOF
+kernel.core_pattern=|/bin/false
+kernel.dmesg_restrict=1
+kernel.randomize_va_space=2
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.default.accept_source_route=0
+SEOF
+
+mkdir -p /home/analyst/workspace/{captures,evidence,reports}
+chown -R analyst:analyst /home/analyst/workspace
+
+dnf clean all
+%end
+
+reboot
diff --git a/kickstarts/workstation.ks b/kickstarts/workstation.ks
new file mode 100644
index 0000000..59e6afe
--- /dev/null
+++ b/kickstarts/workstation.ks
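Review bot: A forensics/IR image should not attach itself to whatever network it is plugged into, yet `network --bootproto=dhcp --device=link --activate --onboot=yes` together with `systemctl enable NetworkManager` brings every link up with DHCP on each boot, which risks beaconing into a compromised network, altering DHCP/switch state that may itself be evidence, and exposing an `analyst` account whose password is `analyst` and which sits in `wheel`. Use `--onboot=no` (keeping `--activate` only for the build) so the analyst raises the link deliberately, and replace `--plaintext --password=analyst` and `rootpw --plaintext changeme` with `--iscrypted` hashes or `--lock`. The sysctl drop-in is fine but at least `kernel.randomize_va_space=2` is already the kernel default; a comment naming which settings are deliberate would help, and adding `audit` (auditd) to `%packages` so actions taken on the box are logged would matter more for chain of custody.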
@@ -0,0 +1,102 @@
+# Fedora 42 Lightweight Workstation Live ISO
+# Minimal GUI with Sway (Wayland)
+
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-42&arch=x86_64
+
+lang en_US.UTF-8
+keyboard us
+timezone UTC --utc
+
+rootpw --plaintext changeme
+user --name=user --groups=wheel --plaintext --password=user
+
+network --bootproto=dhcp --device=link --activate --onboot=yes
+
+bootloader --location=mbr --timeout=5
+
+clearpart --all --initlabel
+autopart --type=plain
+
+%packages --excludedocs
+@core
+kernel
+systemd
+NetworkManager
+sway
+swaylock
+swayidle
+swaybg
+waybar
+foot
+wofi
+vim
+htop
+git
+curl
+wget
+dejavu-sans-fonts
+dejavu-sans-mono-fonts
+google-noto-emoji-fonts
+pipewire
+pipewire-pulseaudio
+wireplumber
+thunar
+firefox
+-plymouth*
+-abrt*
+-sssd*
+%end
+
+%post --erroronfail
+systemctl enable NetworkManager
+
+mkdir -p /home/user/.config/sway
+cat > /home/user/.config/sway/config << 'SEOF'
+set $mod Mod4
+set $term foot
+set $menu wofi --show drun
+
+bindsym $mod+Return exec $term
+bindsym $mod+d exec $menu
+bindsym $mod+Shift+q kill
+bindsym $mod+Shift+e exit
+
+floating_modifier $mod normal
+bindsym $mod+Shift+c reload
+
+bindsym $mod+Left focus left
+bindsym $mod+Down focus down
+bindsym $mod+Up focus up
+bindsym $mod+Right focus right
+
+bindsym $mod+Shift+Left move left
+bindsym $mod+Shift+Down move down
+bindsym $mod+Shift+Up move up
+bindsym $mod+Shift+Right move right
+
+bindsym $mod+1 workspace 1
+bindsym $mod+2 workspace 2
+bindsym $mod+3 workspace 3
+bindsym $mod+Shift+1 move container to workspace 1
+bindsym $mod+Shift+2 move container to workspace 2
+bindsym $mod+Shift+3 move container to workspace 3
+
+bar {
+ position top
+ status_command waybar
+}
+
+include /etc/sway/config.d/*
+SEOF
+chown -R user:user /home/user/.config
+
+cat >> /home/user/.bash_profile << 'BEOF'
+if [ -z "$DISPLAY" ] && [ "$(tty)" = "/dev/tty1" ]; then
+ exec sway
+fi
+BEOF
+
+dnf clean all
+%end
+
+reboot
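Review bot: `swaylock` and `swayidle` are pulled into `%packages` but the generated `/home/user/.config/sway/config` never starts either, so an unattended session stays unlocked indefinitely; add `exec swayidle -w timeout 300 'swaylock -f -c 000000' before-sleep 'swaylock -f -c 000000'` and `bindsym $mod+l exec swaylock -f -c 000000` to the config. The `bar { status_command waybar }` block is also not what it looks like: `status_command` expects an i3bar-protocol status generator, not a standalone bar, so this launches waybar as a child of sway's own bar and you end up with an empty swaybar next to waybar (or both bars); replace the whole `bar { … }` block with `exec waybar`. `cat >> /home/user/.bash_profile` runs as root after the `chown -R user:user /home/user/.config`, so if the file does not come from `/etc/skel` it is created root-owned and the user cannot edit it; widen the chown to `/home/user` or add `chown user:user /home/user/.bash_profile`. As in the other variants, `user --name=user --groups=wheel --plaintext --password=user` and `rootpw --plaintext changeme` give a sudo-capable account with a guessable password; use `--iscrypted` hashes or `--lock`.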