[SATLUG] Customized Firstboot or equivalent...

Sean I siffland at nerdshack.com
Wed Mar 25 21:12:07 CDT 2009

On Tue, Mar 24, 2009 at 10:48 AM, John Pappas <j at jvpappas.net> wrote:
> Hey all,
> I had an interesting question come up the other day, specifically, how does
> one get a custom script to run automatically immediately following a
> kickstarted install.  The POST section of the ks file only acts on the
> pre-firstboot environment, so a script that depends on a full-boot
> environment fails.  Since the `firstboot` system is not modular nor directly
> customizable (AFAIK), what is the "easiest" way to inject a custom script to
> run immediately after the firstboot?
> My inital thoughts that I sent up (You Gov't contract IT guys will recognize
> the onus for this particular need):
> So far, injecting the command into to the firstboot script would work, but
> you can't just `echo add_command >> /etc/init.d/firstboot` as the script
> ends in an exit statement.  You could `sed` through it and add the line
> right after the `esac` before the `exit`.  The other idea that I have right
> now is add a custom service, that is EXACTLY like first boot.  Modify the
> firstboot script and associated files, have your POST section of the ks file
> copy those doctored files from a customized CD/DVD that includes them, and
> run a `chkconfig --add  firstboot_STIG; chkconfig --level 35  firstboot_STIG
> on` and then at the end of your `firstboot_STIG` wrapper just run a
> `chkconfig --level 35  firstboot_STIG off;chkconfig --del  firstboot_STIG`
> to remove the service.  The other option is to leave it just like the
> firstboot and use something like an `/etc/sysconfig/reSTIG` file to que
> `firstboot_STIG` to run again.
> Any ideas would be apprciated...
> Thanks!
> jp
> --

I would just add the custom init script, you could even have the
kickstart post cat or EOF the commands into the script then add it to
the proper run level.

These are obviously government systems since you get to play with fun
and exciting stigs ( i know my quarterly run of the SRR is coming up
on all 150 of my Linux systems (automated cos i am lazy).  If all your
systems are the same you should consider using a bare metal recovery
tool.  We use storix, that way we don't have to run the stigs on all
our boxes we create the first one and stig it, then clone it with
storix and i can pop out a new cloned server in about 20 minutes.

For everyone who does not know what STIGS are or have to run Security
Readiness Reviews, consider yourself lucky...


More information about the SATLUG mailing list