diff --git a/products/openembedded/profiles/default.profile b/products/openembedded/profiles/default.profile
index 2cf76d87719..b29f4da6897 100644
--- a/products/openembedded/profiles/default.profile
+++ b/products/openembedded/profiles/default.profile
@@ -83,7 +83,7 @@ selections:
 - package_postfix_installed
 - sysctl_kernel_kptr_restrict
 - audit_privileged_commands_poweroff
- - accounts_umask_etc_profile
+ - accounts_umask_etc_bashrc
 - audit_rules_file_deletion_events_unlink
 - sudoers_no_root_target
 - auditd_write_logs
diff --git a/products/openembedded/profiles/expanded.profile b/products/openembedded/profiles/expanded.profile
new file mode 100644
index 00000000000..13db15a9530
--- /dev/null
+++ b/products/openembedded/profiles/expanded.profile
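Review bot: After this hunk the default profile checks umask only via `accounts_umask_etc_bashrc`, while the standard.profile hunk at `@@ -83,7 +83,7 @@` in the same commit makes the reverse swap so that profile checks only `accounts_umask_etc_profile`; nothing in either hunk records why the two profiles trade coverage rather than selecting both rules. Conventionally /etc/profile is read by login shells and /etc/bashrc by interactive non-login shells, so a umask check on only one of them leaves the other startup path unverified, and the new expanded.profile likewise picks only the etc_profile and login_defs variants. If full coverage is the intent, selecting both `- accounts_umask_etc_profile` and `- accounts_umask_etc_bashrc` in each profile is the safer set; if the swap is deliberate (for example one rule's remediation does not apply on OpenEmbedded), a `#` comment next to the selection stating that would keep the next reviewer from reverting it.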
@@ -0,0 +1,215 @@
+documentation_complete: true
+
+title: 'Sample expanded Security Profile for OpenEmbedded Distros'
+
+description: |-
+ This profile is a sample for use in documentation and example content.
+ The selected rules include standard profile plus more network rules and
+ password aging; they should still pass quickly on most systems.
+
+selections:
+ - file_owner_etc_passwd
+ - file_groupowner_etc_passwd
+ - service_crond_enabled
+ - file_groupowner_crontab
+ - file_owner_crontab
+ - file_permissions_crontab
+ - file_groupowner_cron_hourly
+ - file_owner_cron_hourly
+ - file_permissions_cron_hourly
+ - file_groupowner_cron_daily
+ - file_owner_cron_daily
+ - file_permissions_cron_daily
+ - file_groupowner_cron_weekly
+ - file_owner_cron_weekly
+ - file_permissions_cron_weekly
+ - file_groupowner_cron_monthly
+ - file_owner_cron_monthly
+ - file_permissions_cron_monthly
+ - file_groupowner_cron_d
+ - file_owner_cron_d
+ - file_permissions_cron_d
+ - file_groupowner_cron_allow
+ - file_owner_cron_allow
+ - file_cron_deny_not_exist
+ - file_groupowner_at_allow
+ - file_owner_at_allow
+ - file_at_deny_not_exist
+ - file_permissions_at_allow
+ - file_permissions_cron_allow
+ - file_groupowner_sshd_config
+ - file_owner_sshd_config
+ - file_permissions_sshd_config
+ - file_permissions_sshd_private_key
+ - file_permissions_sshd_pub_key
+ - sshd_set_loglevel_verbose
+ - sshd_set_loglevel_info
+ - sshd_max_auth_tries_value=4
+ - sshd_set_max_auth_tries
+ - sshd_disable_rhosts
+ - disable_host_auth
+ - sshd_disable_root_login
+ - sshd_disable_empty_passwords
+ - sshd_do_not_permit_user_env
+ - sshd_idle_timeout_value=15_minutes
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=0
+ - sshd_set_login_grace_time
+ - var_sshd_set_login_grace_time=60
+ - sshd_enable_warning_banner
+ - sshd_enable_pam
+ - sshd_set_maxstartups
+ - var_sshd_set_maxstartups=10:30:60
+ - sshd_set_max_sessions
+ - var_sshd_max_sessions=10
+ - accounts_password_pam_minclass
+ - accounts_password_pam_minlen
+ - accounts_password_pam_retry
+ - var_password_pam_minclass=4
+ - var_password_pam_minlen=14
+ - accounts_password_pam_pwhistory_remember_password_auth
+ - accounts_password_pam_pwhistory_remember_system_auth
+ - var_password_pam_remember_control_flag=required
+ - var_password_pam_remember=5
+ - set_password_hashing_algorithm_systemauth
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=365
+ - accounts_password_set_max_life_existing
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=7
+ - accounts_password_set_min_life_existing
+ - accounts_password_warn_age_login_defs
+ - var_accounts_password_warn_age_login_defs=7
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=30
+ - no_shelllogin_for_systemaccounts
+ - accounts_tmout
+ - var_accounts_tmout=15_min
+ - accounts_root_gid_zero
+ - accounts_umask_etc_profile
+ - accounts_umask_etc_login_defs
+ - use_pam_wheel_for_su
+ - sshd_allow_only_protocol2
+ - journald_forward_to_syslog
+ - journald_compress
+ - journald_storage
+ - service_auditd_enabled
+ - service_httpd_disabled
+ - service_vsftpd_disabled
+ - service_named_disabled
+ - service_nfs_disabled
+ - service_rpcbind_disabled
+ - service_slapd_disabled
+ - service_dhcpd_disabled
+ - service_cups_disabled
+ - service_ypserv_disabled
+ - service_rsyncd_disabled
+ - service_avahi-daemon_disabled
+ - service_snmpd_disabled
+ - service_squid_disabled
+ - service_smb_disabled
+ - service_dovecot_disabled
+ - banner_etc_motd
+ - motd_banner_text=cis_banners
+ - banner_etc_issue
+ - login_banner_text=cis_banners
+ - file_groupowner_etc_motd
+ - file_owner_etc_motd
+ - file_permissions_etc_motd
+ - file_groupowner_etc_issue
+ - file_owner_etc_issue
+ - file_permissions_etc_issue
+ - ensure_gpgcheck_globally_activated
+ - package_aide_installed
+ - aide_periodic_cron_checking
+ - grub2_password
+ - file_groupowner_grub2_cfg
+ - file_owner_grub2_cfg
+ - file_permissions_grub2_cfg
+ - require_singleuser_auth
+ - require_emergency_target_auth
+ - disable_users_coredumps
+ - configure_crypto_policy
+ - var_system_crypto_policy=default_policy
+ - dir_perms_world_writable_sticky_bits
+ - file_permissions_etc_passwd
+ - file_owner_etc_shadow
+ - file_groupowner_etc_shadow
+ - file_groupowner_etc_group
+ - file_owner_etc_group
+ - file_permissions_etc_group
+ - file_groupowner_etc_gshadow
+ - file_owner_etc_gshadow
+ - file_groupowner_backup_etc_passwd
+ - file_owner_backup_etc_passwd
+ - file_permissions_backup_etc_passwd
+ - file_groupowner_backup_etc_shadow
+ - file_owner_backup_etc_shadow
+ - file_permissions_backup_etc_shadow
+ - file_groupowner_backup_etc_group
+ - file_owner_backup_etc_group
+ - file_permissions_backup_etc_group
+ - file_groupowner_backup_etc_gshadow
+ - file_owner_backup_etc_gshadow
+ - file_permissions_unauthorized_world_writable
+ - file_permissions_ungroupowned
+ - accounts_root_path_dirs_no_write
+ - root_path_no_dot
+ - accounts_no_uid_except_zero
+ - file_ownership_home_directories
+ - file_groupownership_home_directories
+ - no_netrc_files
+ - no_rsh_trust_files
+ - account_unique_id
+ - group_unique_id
+ - group_unique_name
+ - kernel_module_sctp_disabled
+ - kernel_module_dccp_disabled
+ - wireless_disable_interfaces
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv6_conf_all_forwarding
+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+ - sysctl_net_ipv4_conf_all_send_redirects
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_secure_redirects
+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_default_secure_redirects
+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+ - sysctl_net_ipv4_conf_all_log_martians
+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+ - sysctl_net_ipv4_conf_default_log_martians
+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+ - sysctl_net_ipv4_conf_all_rp_filter
+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+ - sysctl_net_ipv4_conf_default_rp_filter
+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+ - sysctl_net_ipv4_tcp_syncookies
+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
+ - sysctl_net_ipv6_conf_all_accept_ra
+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+ - sysctl_net_ipv6_conf_default_accept_ra
+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ - package_iptables_installed
diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
index 2d3a785647e..37547a454e8 100644
--- a/products/openembedded/profiles/standard.profile
+++ b/products/openembedded/profiles/standard.profile
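Review bot: `sshd_set_loglevel_verbose` and `sshd_set_loglevel_info` are both selected in the new file, but sshd_config has a single LogLevel, so the two rules cannot both pass against the same configuration and the sample profile will always report one failure; keep only one of them, `- sshd_set_loglevel_verbose` being the stricter choice. The file also selects `configure_crypto_policy` and `var_system_crypto_policy=default_policy` while the standard.profile hunk at `@@ -125,8 +125,6 @@` in this same commit removes exactly those two lines, which contradicts the description's "standard profile plus more" and suggests the rule is not applicable to this product; if that is why it was dropped from standard, it should be dropped here too. The `var_sshd_set_keepalive=0` selection next to `sshd_set_idle_timeout` is also worth confirming against the rule's template, since recent OpenSSH releases treat a ClientAliveCountMax of 0 as disabling connection termination rather than enforcing the idle timeout.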
@@ -83,7 +83,7 @@ selections:
 - accounts_tmout
 - var_accounts_tmout=15_min
 - accounts_root_gid_zero
- - accounts_umask_etc_bashrc
+ - accounts_umask_etc_profile
 - use_pam_wheel_for_su
 - sshd_allow_only_protocol2
 - journald_forward_to_syslog
@@ -106,7 +106,7 @@ selections:
 - service_smb_disabled
 - service_dovecot_disabled
 - banner_etc_motd
- - login_banner_text=cis_banners
+ - motd_banner_text=cis_banners
 - banner_etc_issue
 - login_banner_text=cis_banners
 - file_groupowner_etc_motd
@@ -125,8 +125,6 @@ selections:
 - require_singleuser_auth
 - require_emergency_target_auth
 - disable_users_coredumps
- - configure_crypto_policy
- - var_system_crypto_policy=default_policy
 - dir_perms_world_writable_sticky_bits
 - file_permissions_etc_passwd
 - file_owner_etc_shadow
diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml
index add4425fffa..494b52c8ef0 100644
--- a/shared/applicability/package.yml
+++ b/shared/applicability/package.yml
@@ -86,6 +86,9 @@ args:
 {{% else %}}
 pkgname: shadow-utils
 {{% endif %}}
+ {{% if product in ["openembedded"] %}}
+ pkgname: shadow-base
+ {{% endif %}}
 {{% else %}}
 pkgname: login
 {{% endif %}}
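Review bot: In the package.yml hunk the new `{{% if product in ["openembedded"] %}}` block is appended after the inner `{{% endif %}}` rather than being a branch of the conditional, so for openembedded the template either emits a second `pkgname:` key right after `pkgname: shadow-utils` (a duplicate mapping key whose winner depends on the YAML loader) or is never reached at all if openembedded falls into the outer `{{% else %}}` that yields `pkgname: login`; the enclosing `{{% if %}}` condition starts outside the hunk, so which of the two happens cannot be seen here. Making it a branch removes the ambiguity: replace the three added lines with `{{% elif product in ["openembedded"] %}}` and `pkgname: shadow-base` placed ahead of the `{{% else %}}` whose condition openembedded actually satisfies, so exactly one pkgname is rendered.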