wip system config

README.md

@@ -1,2 +1,62 @@
-# 42_Born2beroot-CentOS
+<!-- vim: et ts=4 sw=4:
+-->
+# Born2beroot - CentOS Stream 9
 
+## Installation
+
+Make the following [kickstart](kickstart-install/Born2beroot.cfg) configuration
+file available over HTTP:
+
+```bash
+python3 -m http.server --directory kickstart-install
+```
+
+When in the installation media boot menu, add the following option to boot
+parameters: `inst.ks=http://YOUR_HOST_ADDRESS/ks.cfg` and then boot. The
+installation should start and run fully automated now.
+
+See the [kickstart](kickstart-install/Born2beroot.cfg) file for more informations on the
+system setup.
+
+## Configuration
+
+### Firewall
+
+Disable and stop CentOS default firewall:
+
+```bash
+systemctl disable firewalld
+systemctl stop firewalld
+```
+
+Install _Extra Packages for Entreprise Linux 9_ extra packages repository which
+provides ufw and install it:
+
+```bash
+dnf install epel-release
+dnf install ufw
+```
+
+Enable the firewall and configure it:
+
+```bash
+ufw enable
+# SSH
+ufw allow in 4242/tcp
+```
+
+### Remote access
+
+Disable root SSH login and change listening port adding
+[sshd_confing.d/99-Born2beroot.conf](rootfs/etc/ssh/sshd_config.d/99-Born2beroot.conf)
+configuration file.
+
+### Mandatory Access Control
+
+Install the required tools provided by package `policycoreutils-pythoni-utils`
+
+Allow sshd to listen on the non-default TCP port 4242:
+
+```bash
+semanage port --add -t ssh_port_t -p tcp 4242
+```

rootfs/etc/ssh/sshd_config.d/99-Born2beroot.conf

@@ -0,0 +1,3 @@
+# vim: et ts=4 sw=4:
+Port                4242
+PermitRootLogin     no