meta-security/recipes-security/bastille/files/config - mdmillerii/openbmc - Gitiles

 # Q:  Would you like to enforce password aging? [Y]
 AccountSecurity.passwdage="Y"
 # Q:  Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
 AccountSecurity.protectrhost="Y"
 # Q:  Should we disallow root login on tty's 1-6? [N]
 AccountSecurity.rootttylogins="Y"
 # Q:  What umask would you like to set for users on the system? [077]
 AccountSecurity.umask="077"
 # Q:  Do you want to set the default umask? [Y]
 AccountSecurity.umaskyn="Y"
 # Q:  Would you like to deactivate the Apache web server? [Y]
 Apache.apacheoff="Y"
 # Q:  Would you like to password protect single-user mode? [Y]
 BootSecurity.passsum="Y"
 # Q:  Should we restrict console access to a small group of user accounts? [N]
 ConfigureMiscPAM.consolelogin="Y"
 # Q:  Which accounts should be able to login at console? [root]
 ConfigureMiscPAM.consolelogin_accounts="root"
 # Q:  Would you like to put limits on system resource usage? [N]
 ConfigureMiscPAM.limitsconf="Y"
 # Q:  Would you like to set more restrictive permissions on the administration utilities? [N]
 FilePermissions.generalperms_1_1="Y"
 # Q:  Would you like to disable SUID status for mount/umount?
 FilePermissions.suidmount="Y"
 # Q:  Would you like to disable SUID status for ping? [Y]
 FilePermissions.suidping="Y"
 # Q:  Would you like to disable SUID status for traceroute? [Y]
 FilePermissions.suidtrace="Y"
 # Q:  Do you need the advanced networking options?
 Firewall.ip_advnetwork="Y"
 # Q:  Should Bastille run the firewall and enable it at boot time? [N]
 Firewall.ip_enable_firewall="Y"
 # Q:  Would you like to run the packet filtering script? [N]
 Firewall.ip_intro="Y"
 # Q:  Interfaces for DHCP queries: [ ]
 Firewall.ip_s_dhcpiface=" "
 # Q:  DNS servers: [0.0.0.0/0]
 Firewall.ip_s_dns="10.184.9.1"
 # Q:  ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
 Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
 # Q:  ICMP services to audit: [ ]
 Firewall.ip_s_icmpaudit=" "
 # Q:  ICMP types to disallow outbound: [destination-unreachable time-exceeded]
 Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
 # Q:  Internal interfaces: [ ]
 Firewall.ip_s_internaliface=" "
 # Q:  TCP service names or port numbers to allow on private interfaces: [ ]
 Firewall.ip_s_internaltcp=" "
 # Q:  UDP service names or port numbers to allow on private interfaces: [ ]
 Firewall.ip_s_internaludp=" "
 # Q:  Masqueraded networks: [ ]
 Firewall.ip_s_ipmasq=" "
 # Q:  Kernel modules to masquerade: [ftp raudio vdolive]
 Firewall.ip_s_kernelmasq="ftp raudio vdolive"
 # Q:  NTP servers to query: [ ]
 Firewall.ip_s_ntpsrv=" "
 # Q:  Force passive mode? [N]
 Firewall.ip_s_passiveftp="N"
 # Q:  Public interfaces: [eth+ ppp+ slip+]
 Firewall.ip_s_publiciface="eth+ ppp+ slip+"
 # Q:  TCP service names or port numbers to allow on public interfaces:[ ]
 Firewall.ip_s_publictcp=" "
 # Q:  UDP service names or port numbers to allow on public interfaces:[ ]
 Firewall.ip_s_publicudp=" "
 # Q:  Reject method: [DENY]
 Firewall.ip_s_rejectmethod="DENY"
 # Q:  Enable source address verification? [Y]
 Firewall.ip_s_srcaddr="Y"
 # Q:  TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
 Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
 # Q:  TCP services to block: [2049 2065:2090 6000:6020 7100]
 Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
 # Q:  Trusted interface names: [lo]
 Firewall.ip_s_trustiface="lo"
 # Q:  UDP services to audit: [31337]
 Firewall.ip_s_udpaudit="31337"
 # Q:  UDP services to block: [2049 6770]
 Firewall.ip_s_udpblock="2049 6770"
 # Q:  Would you like to add additional logging? [Y]
 Logging.morelogging="Y"
 # Q:  Would you like to set up process accounting? [N]
 Logging.pacct="N"
 # Q:  Do you have a remote logging host? [N]
 Logging.remotelog="N"
 # Q:  Would you like to disable acpid and/or apmd? [Y]
 MiscellaneousDaemons.apmd="Y"
 # Q:  Would you like to deactivate NFS and Samba? [Y]
 MiscellaneousDaemons.remotefs="Y"
 # Q:  Would you like to disable printing? [N]
 Printing.printing="Y"
 # Q:  Would you like to disable printing? [N]
 Printing.printing_cups="Y"
 # Q:  Would you like to display "Authorized Use" messages at log-in time? [Y]
 SecureInetd.banners="Y"
 # Q:  Should Bastille ensure inetd's FTP service does not run on this system? [y]
 SecureInetd.deactivate_ftp="Y"
 # Q:  Should Bastille ensure the telnet service does not run on this system? [y]
 SecureInetd.deactivate_telnet="Y"
 # Q:  Who is responsible for granting authorization to use this machine?
 SecureInetd.owner="its owner"
 # Q:  Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
 SecureInetd.tcpd_default_deny="Y"
 # Q:  Do you want to stop sendmail from running in daemon mode? [Y]
 Sendmail.sendmaildaemon="Y"
 # Q:  Would you like to install TMPDIR/TMP scripts? [N]
 TMPDIR.tmpdir="N"
	# Q: Would you like to enforce password aging? [Y]
	AccountSecurity.passwdage="Y"
	# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
	AccountSecurity.protectrhost="Y"
	# Q: Should we disallow root login on tty's 1-6? [N]
	AccountSecurity.rootttylogins="Y"
	# Q: What umask would you like to set for users on the system? [077]
	AccountSecurity.umask="077"
	# Q: Do you want to set the default umask? [Y]
	AccountSecurity.umaskyn="Y"
	# Q: Would you like to deactivate the Apache web server? [Y]
	Apache.apacheoff="Y"
	# Q: Would you like to password protect single-user mode? [Y]
	BootSecurity.passsum="Y"
	# Q: Should we restrict console access to a small group of user accounts? [N]
	ConfigureMiscPAM.consolelogin="Y"
	# Q: Which accounts should be able to login at console? [root]
	ConfigureMiscPAM.consolelogin_accounts="root"
	# Q: Would you like to put limits on system resource usage? [N]
	ConfigureMiscPAM.limitsconf="Y"
	# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
	FilePermissions.generalperms_1_1="Y"
	# Q: Would you like to disable SUID status for mount/umount?
	FilePermissions.suidmount="Y"
	# Q: Would you like to disable SUID status for ping? [Y]
	FilePermissions.suidping="Y"
	# Q: Would you like to disable SUID status for traceroute? [Y]
	FilePermissions.suidtrace="Y"
	# Q: Do you need the advanced networking options?
	Firewall.ip_advnetwork="Y"
	# Q: Should Bastille run the firewall and enable it at boot time? [N]
	Firewall.ip_enable_firewall="Y"
	# Q: Would you like to run the packet filtering script? [N]
	Firewall.ip_intro="Y"
	# Q: Interfaces for DHCP queries: [ ]
	Firewall.ip_s_dhcpiface=" "
	# Q: DNS servers: [0.0.0.0/0]
	Firewall.ip_s_dns="10.184.9.1"
	# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
	Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
	# Q: ICMP services to audit: [ ]
	Firewall.ip_s_icmpaudit=" "
	# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
	Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
	# Q: Internal interfaces: [ ]
	Firewall.ip_s_internaliface=" "
	# Q: TCP service names or port numbers to allow on private interfaces: [ ]
	Firewall.ip_s_internaltcp=" "
	# Q: UDP service names or port numbers to allow on private interfaces: [ ]
	Firewall.ip_s_internaludp=" "
	# Q: Masqueraded networks: [ ]
	Firewall.ip_s_ipmasq=" "
	# Q: Kernel modules to masquerade: [ftp raudio vdolive]
	Firewall.ip_s_kernelmasq="ftp raudio vdolive"
	# Q: NTP servers to query: [ ]
	Firewall.ip_s_ntpsrv=" "
	# Q: Force passive mode? [N]
	Firewall.ip_s_passiveftp="N"
	# Q: Public interfaces: [eth+ ppp+ slip+]
	Firewall.ip_s_publiciface="eth+ ppp+ slip+"
	# Q: TCP service names or port numbers to allow on public interfaces:[ ]
	Firewall.ip_s_publictcp=" "
	# Q: UDP service names or port numbers to allow on public interfaces:[ ]
	Firewall.ip_s_publicudp=" "
	# Q: Reject method: [DENY]
	Firewall.ip_s_rejectmethod="DENY"
	# Q: Enable source address verification? [Y]
	Firewall.ip_s_srcaddr="Y"
	# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
	Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
	# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
	Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
	# Q: Trusted interface names: [lo]
	Firewall.ip_s_trustiface="lo"
	# Q: UDP services to audit: [31337]
	Firewall.ip_s_udpaudit="31337"
	# Q: UDP services to block: [2049 6770]
	Firewall.ip_s_udpblock="2049 6770"
	# Q: Would you like to add additional logging? [Y]
	Logging.morelogging="Y"
	# Q: Would you like to set up process accounting? [N]
	Logging.pacct="N"
	# Q: Do you have a remote logging host? [N]
	Logging.remotelog="N"
	# Q: Would you like to disable acpid and/or apmd? [Y]
	MiscellaneousDaemons.apmd="Y"
	# Q: Would you like to deactivate NFS and Samba? [Y]
	MiscellaneousDaemons.remotefs="Y"
	# Q: Would you like to disable printing? [N]
	Printing.printing="Y"
	# Q: Would you like to disable printing? [N]
	Printing.printing_cups="Y"
	# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
	SecureInetd.banners="Y"
	# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
	SecureInetd.deactivate_ftp="Y"
	# Q: Should Bastille ensure the telnet service does not run on this system? [y]
	SecureInetd.deactivate_telnet="Y"
	# Q: Who is responsible for granting authorization to use this machine?
	SecureInetd.owner="its owner"
	# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
	SecureInetd.tcpd_default_deny="Y"
	# Q: Do you want to stop sendmail from running in daemon mode? [Y]
	Sendmail.sendmaildaemon="Y"
	# Q: Would you like to install TMPDIR/TMP scripts? [N]
	TMPDIR.tmpdir="N"