Merge pull request #11652 from VCTLabs/openembedded-fixes
Openembedded fixes
marcusburghardt authored Mar 6, 2024
2 parents 9d10937 + 9ba2d33 commit b22848d
Showing 4 changed files with 221 additions and 5 deletions.
2 changes: 1 addition & 1 deletion products/openembedded/profiles/default.profile
Expand Up @@ -83,7 +83,7 @@ selections:
- package_postfix_installed
- sysctl_kernel_kptr_restrict
- audit_privileged_commands_poweroff
- accounts_umask_etc_profile
- accounts_umask_etc_bashrc
- audit_rules_file_deletion_events_unlink
- sudoers_no_root_target
- auditd_write_logs
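Review bot: This hunk and the matching hunk in standard.profile exchange the same pair of rules, `accounts_umask_etc_profile` and `accounts_umask_etc_bashrc`, and as rendered they appear to do so in opposite directions (this profile ending on the bashrc rule, standard on the profile rule). If the two profiles are meant to enforce the umask in different files that deserves a sentence in the PR description; if not, one of the two hunks is inverted. The choice is not cosmetic: `/etc/bashrc` is only sourced by interactive bash shells, whereas `/etc/profile` applies to every login shell, so the bashrc rule gives narrower coverage. A one-line comment above the selection, e.g. `# OE images use /etc/bashrc for umask; /etc/profile is not shipped`, would make the intent reviewable.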
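--- a/products/openembedded/profiles/expanded.profile
+++ b/products/openembedded/profiles/expanded.profile
@@ -0,0 +1,215 @@
+documentation_complete: true
+
+title: 'Sample expanded Security Profile for OpenEmbedded Distros'
+
+description: |-
+This profile is a sample for use in documentation and example content.
+The selected rules include standard profile plus more network rules and
+password aging; they should still pass quickly on most systems.
+
+selections:
+- file_owner_etc_passwd
+- file_groupowner_etc_passwd
+- service_crond_enabled
+- file_groupowner_crontab
+- file_owner_crontab
+- file_permissions_crontab
+- file_groupowner_cron_hourly
+- file_owner_cron_hourly
+- file_permissions_cron_hourly
+- file_groupowner_cron_daily
+- file_owner_cron_daily
+- file_permissions_cron_daily
+- file_groupowner_cron_weekly
+- file_owner_cron_weekly
+- file_permissions_cron_weekly
+- file_groupowner_cron_monthly
+- file_owner_cron_monthly
+- file_permissions_cron_monthly
+- file_groupowner_cron_d
+- file_owner_cron_d
+- file_permissions_cron_d
+- file_groupowner_cron_allow
+- file_owner_cron_allow
+- file_cron_deny_not_exist
+- file_groupowner_at_allow
+- file_owner_at_allow
+- file_at_deny_not_exist
+- file_permissions_at_allow
+- file_permissions_cron_allow
+- file_groupowner_sshd_config
+- file_owner_sshd_config
+- file_permissions_sshd_config
+- file_permissions_sshd_private_key
+- file_permissions_sshd_pub_key
+- sshd_set_loglevel_verbose
+- sshd_set_loglevel_info
+- sshd_max_auth_tries_value=4
+- sshd_set_max_auth_tries
+- sshd_disable_rhosts
+- disable_host_auth
+- sshd_disable_root_login
+- sshd_disable_empty_passwords
+- sshd_do_not_permit_user_env
+- sshd_idle_timeout_value=15_minutes
+- sshd_set_idle_timeout
+- sshd_set_keepalive
+- var_sshd_set_keepalive=0
+- sshd_set_login_grace_time
+- var_sshd_set_login_grace_time=60
+- sshd_enable_warning_banner
+- sshd_enable_pam
+- sshd_set_maxstartups
+- var_sshd_set_maxstartups=10:30:60
+- sshd_set_max_sessions
+- var_sshd_max_sessions=10
+- accounts_password_pam_minclass
+- accounts_password_pam_minlen
+- accounts_password_pam_retry
+- var_password_pam_minclass=4
+- var_password_pam_minlen=14
+- accounts_password_pam_pwhistory_remember_password_auth
+- accounts_password_pam_pwhistory_remember_system_auth
+- var_password_pam_remember_control_flag=required
+- var_password_pam_remember=5
+- set_password_hashing_algorithm_systemauth
+- accounts_maximum_age_login_defs
+- var_accounts_maximum_age_login_defs=365
+- accounts_password_set_max_life_existing
+- accounts_minimum_age_login_defs
+- var_accounts_minimum_age_login_defs=7
+- accounts_password_set_min_life_existing
+- accounts_password_warn_age_login_defs
+- var_accounts_password_warn_age_login_defs=7
+- account_disable_post_pw_expiration
+- var_account_disable_post_pw_expiration=30
+- no_shelllogin_for_systemaccounts
+- accounts_tmout
+- var_accounts_tmout=15_min
+- accounts_root_gid_zero
+- accounts_umask_etc_profile
+- accounts_umask_etc_login_defs
+- use_pam_wheel_for_su
+- sshd_allow_only_protocol2
+- journald_forward_to_syslog
+- journald_compress
+- journald_storage
+- service_auditd_enabled
+- service_httpd_disabled
+- service_vsftpd_disabled
+- service_named_disabled
+- service_nfs_disabled
+- service_rpcbind_disabled
+- service_slapd_disabled
+- service_dhcpd_disabled
+- service_cups_disabled
+- service_ypserv_disabled
+- service_rsyncd_disabled
+- service_avahi-daemon_disabled
+- service_snmpd_disabled
+- service_squid_disabled
+- service_smb_disabled
+- service_dovecot_disabled
+- banner_etc_motd
+- motd_banner_text=cis_banners
+- banner_etc_issue
+- login_banner_text=cis_banners
+- file_groupowner_etc_motd
+- file_owner_etc_motd
+- file_permissions_etc_motd
+- file_groupowner_etc_issue
+- file_owner_etc_issue
+- file_permissions_etc_issue
+- ensure_gpgcheck_globally_activated
+- package_aide_installed
+- aide_periodic_cron_checking
+- grub2_password
+- file_groupowner_grub2_cfg
+- file_owner_grub2_cfg
+- file_permissions_grub2_cfg
+- require_singleuser_auth
+- require_emergency_target_auth
+- disable_users_coredumps
+- configure_crypto_policy
+- var_system_crypto_policy=default_policy
+- dir_perms_world_writable_sticky_bits
+- file_permissions_etc_passwd
+- file_owner_etc_shadow
+- file_groupowner_etc_shadow
+- file_groupowner_etc_group
+- file_owner_etc_group
+- file_permissions_etc_group
+- file_groupowner_etc_gshadow
+- file_owner_etc_gshadow
+- file_groupowner_backup_etc_passwd
+- file_owner_backup_etc_passwd
+- file_permissions_backup_etc_passwd
+- file_groupowner_backup_etc_shadow
+- file_owner_backup_etc_shadow
+- file_permissions_backup_etc_shadow
+- file_groupowner_backup_etc_group
+- file_owner_backup_etc_group
+- file_permissions_backup_etc_group
+- file_groupowner_backup_etc_gshadow
+- file_owner_backup_etc_gshadow
+- file_permissions_unauthorized_world_writable
+- file_permissions_ungroupowned
+- accounts_root_path_dirs_no_write
+- root_path_no_dot
+- accounts_no_uid_except_zero
+- file_ownership_home_directories
+- file_groupownership_home_directories
+- no_netrc_files
+- no_rsh_trust_files
+- account_unique_id
+- group_unique_id
+- group_unique_name
+- kernel_module_sctp_disabled
+- kernel_module_dccp_disabled
+- wireless_disable_interfaces
+- sysctl_net_ipv4_ip_forward
+- sysctl_net_ipv6_conf_all_forwarding
+- sysctl_net_ipv6_conf_all_forwarding_value=disabled
+- sysctl_net_ipv4_conf_all_send_redirects
+- sysctl_net_ipv4_conf_default_send_redirects
+- sysctl_net_ipv4_conf_all_accept_source_route
+- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_default_accept_source_route
+- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_all_accept_source_route
+- sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+- sysctl_net_ipv6_conf_default_accept_source_route
+- sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+- sysctl_net_ipv4_conf_all_accept_redirects
+- sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+- sysctl_net_ipv4_conf_default_accept_redirects
+- sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+- sysctl_net_ipv6_conf_all_accept_redirects
+- sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+- sysctl_net_ipv6_conf_default_accept_redirects
+- sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+- sysctl_net_ipv4_conf_all_secure_redirects
+- sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+- sysctl_net_ipv4_conf_default_secure_redirects
+- sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+- sysctl_net_ipv4_conf_all_log_martians
+- sysctl_net_ipv4_conf_all_log_martians_value=enabled
+- sysctl_net_ipv4_conf_default_log_martians
+- sysctl_net_ipv4_conf_default_log_martians_value=enabled
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+- sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+- sysctl_net_ipv4_conf_all_rp_filter
+- sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+- sysctl_net_ipv4_conf_default_rp_filter
+- sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+- sysctl_net_ipv4_tcp_syncookies
+- sysctl_net_ipv4_tcp_syncookies_value=enabled
+- sysctl_net_ipv6_conf_all_accept_ra
+- sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+- sysctl_net_ipv6_conf_default_accept_ra
+- sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+- package_firewalld_installed
+- service_firewalld_enabled
+- package_iptables_installed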
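Review bot: `sshd_set_loglevel_verbose` and `sshd_set_loglevel_info` are both selected on adjacent lines under `selections:`; as far as I know each rule pins `LogLevel` to one value (VERBOSE vs INFO), so a host cannot satisfy both and one of them will always fail, which contradicts the description's "should still pass quickly on most systems" — keep only `- sshd_set_loglevel_verbose`, the stricter of the two. `var_sshd_set_keepalive=0` next to `sshd_idle_timeout_value=15_minutes` also deserves a comment: on OpenSSH 8.2 and later a `ClientAliveCountMax` of 0 disables connection termination entirely, so the idle timeout this profile is trying to enforce would never fire; `- var_sshd_set_keepalive=1` gives the intended behaviour. The profile further selects `configure_crypto_policy` and `var_system_crypto_policy=default_policy`, which this same commit removes from standard.profile; if that removal is because OpenEmbedded does not ship crypto-policies, the rule should be dropped here as well rather than leaving the "standard plus" profile inconsistent with standard. A short `# NOTE:` comment above the sshd block recording the OpenSSH version assumption would help the next maintainer.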
6 changes: 2 additions & 4 deletions products/openembedded/profiles/standard.profile
Expand Up @@ -83,7 +83,7 @@ selections:
- accounts_tmout
- var_accounts_tmout=15_min
- accounts_root_gid_zero
- accounts_umask_etc_bashrc
- accounts_umask_etc_profile
- use_pam_wheel_for_su
- sshd_allow_only_protocol2
- journald_forward_to_syslog
Expand All @@ -106,7 +106,7 @@ selections:
- service_smb_disabled
- service_dovecot_disabled
- banner_etc_motd
- login_banner_text=cis_banners
- motd_banner_text=cis_banners
- banner_etc_issue
- login_banner_text=cis_banners
- file_groupowner_etc_motd
Expand All @@ -125,8 +125,6 @@ selections:
- require_singleuser_auth
- require_emergency_target_auth
- disable_users_coredumps
- configure_crypto_policy
- var_system_crypto_policy=default_policy
- dir_perms_world_writable_sticky_bits
- file_permissions_etc_passwd
- file_owner_etc_shadow
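Review bot: The last hunk appears to drop `configure_crypto_policy` and `var_system_crypto_policy=default_policy` from the standard profile without a stated reason, while the new expanded.profile added in this same PR — described as "standard profile plus" — still selects both, so the two profiles now disagree. If the rule is removed because OpenEmbedded has no crypto-policies package, say so in the PR description (e.g. `crypto-policies is not available on OE; drop configure_crypto_policy`) and remove it from expanded.profile too; if it was removed for another reason the intent is not reviewable from the diff. The `login_banner_text=cis_banners` → `motd_banner_text=cis_banners` change under `banner_etc_motd` looks correct, since the login variable was otherwise set twice and the motd banner variable not at all.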
3 changes: 3 additions & 0 deletions shared/applicability/package.yml
Expand Up @@ -86,6 +86,9 @@ args:
{{% else %}}
pkgname: shadow-utils
{{% endif %}}
{{% if product in ["openembedded"] %}}
pkgname: shadow-base
{{% endif %}}
{{% else %}}
pkgname: login
{{% endif %}}
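Review bot: The new `{{% if product in ["openembedded"] %}} pkgname: shadow-base {{% endif %}}` is appended directly after an `{{% else %}}`/`{{% endif %}}` that already emits `pkgname: shadow-utils`, so for openembedded the template appears to render `pkgname:` twice in the same mapping and relies on the later key silently winning (the enclosing conditional starts above this hunk, so whether openembedded even reaches this branch is not visible here). Duplicate keys are rejected by strict YAML loaders and the override is easy to miss when the next product is added; making it an `{{% elif product in ["openembedded"] %}}` branch of the existing chain, before the `{{% else %}}` that sets `shadow-utils`, keeps exactly one `pkgname` per product. This matters because the template drives the applicability check for the shadow rules: a wrong package name does not fail loudly, it marks every dependent rule notapplicable and the profile quietly stops checking them.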
