Blame - meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch - mdmillerii/openbmc

blob: 061c5f00a2cc1fdba10faa846f301214b9e8a980 [file] [log] [blame]

Patrick Williams	520786c	2023-06-25 16:20:36 -0500	[diff] [blame]	1	From 7af2da3bbe1d5b4cba89c6dae9ea267717b865ea Mon Sep 17 00:00:00 2001
				2	From: Armin Kuster <akuster808@gmail.com>
				3	Date: Wed, 21 Jun 2023 07:46:38 -0400
				4	Subject: [PATCH] standard.profile: expand checks
				5
				6	Upstream-Status: Pending
				7	Signed-off-by: Armin Kuster <akuster808@gmail.com>
				8
				9	Upstream-status: Pending
				10	---
				11	.../openembedded/profiles/standard.profile \| 206 ++++++++++++++++++
				12	1 file changed, 206 insertions(+)
				13
				14	diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
				15	index 44339d716c..877d1a3971 100644
				16	--- a/products/openembedded/profiles/standard.profile
				17	+++ b/products/openembedded/profiles/standard.profile
				18	@@ -9,4 +9,210 @@ description: \|-
				19	selections:
				20	- file_owner_etc_passwd
				21	- file_groupowner_etc_passwd
				22	+ - service_crond_enabled
				23	+ - file_groupowner_crontab
				24	+ - file_owner_crontab
				25	+ - file_permissions_crontab
				26	+ - file_groupowner_cron_hourly
				27	+ - file_owner_cron_hourly
				28	+ - file_permissions_cron_hourly
				29	+ - file_groupowner_cron_daily
				30	+ - file_owner_cron_daily
				31	+ - file_permissions_cron_daily
				32	+ - file_groupowner_cron_weekly
				33	+ - file_owner_cron_weekly
				34	+ - file_permissions_cron_weekly
				35	+ - file_groupowner_cron_monthly
				36	+ - file_owner_cron_monthly
				37	+ - file_permissions_cron_monthly
				38	+ - file_groupowner_cron_d
				39	+ - file_owner_cron_d
				40	+ - file_permissions_cron_d
				41	+ - file_groupowner_cron_allow
				42	+ - file_owner_cron_allow
				43	+ - file_cron_deny_not_exist
				44	+ - file_groupowner_at_allow
				45	+ - file_owner_at_allow
				46	+ - file_at_deny_not_exist
				47	+ - file_permissions_at_allow
				48	+ - file_permissions_cron_allow
				49	+ - file_groupowner_sshd_config
				50	+ - file_owner_sshd_config
				51	+ - file_permissions_sshd_config
				52	+ - file_permissions_sshd_private_key
				53	+ - file_permissions_sshd_pub_key
				54	+ - sshd_set_loglevel_verbose
				55	+ - sshd_set_loglevel_info
				56	+ - sshd_max_auth_tries_value=4
				57	+ - sshd_set_max_auth_tries
				58	+ - sshd_disable_rhosts
				59	+ - disable_host_auth
				60	+ - sshd_disable_root_login
				61	+ - sshd_disable_empty_passwords
				62	+ - sshd_do_not_permit_user_env
				63	+ - sshd_idle_timeout_value=15_minutes
				64	+ - sshd_set_idle_timeout
				65	+ - sshd_set_keepalive
				66	+ - var_sshd_set_keepalive=0
				67	+ - sshd_set_login_grace_time
				68	+ - var_sshd_set_login_grace_time=60
				69	+ - sshd_enable_warning_banner
				70	+ - sshd_enable_pam
				71	+ - sshd_set_maxstartups
				72	+ - var_sshd_set_maxstartups=10:30:60
				73	+ - sshd_set_max_sessions
				74	+ - var_sshd_max_sessions=10
				75	+ - accounts_password_pam_minclass
				76	+ - accounts_password_pam_minlen
				77	+ - accounts_password_pam_retry
				78	+ - var_password_pam_minclass=4
				79	+ - var_password_pam_minlen=14
				80	+ - locking_out_password_attempts
				81	+ - accounts_password_pam_pwhistory_remember_password_auth
				82	+ - accounts_password_pam_pwhistory_remember_system_auth
				83	+ - var_password_pam_remember_control_flag=required
				84	+ - var_password_pam_remember=5
				85	+ - set_password_hashing_algorithm_systemauth
				86	+ - accounts_maximum_age_login_defs
				87	+ - var_accounts_maximum_age_login_defs=365
				88	+ - accounts_password_set_max_life_existing
				89	+ - accounts_minimum_age_login_defs
				90	+ - var_accounts_minimum_age_login_defs=7
				91	+ - accounts_password_set_min_life_existing
				92	+ - accounts_password_warn_age_login_defs
				93	+ - var_accounts_password_warn_age_login_defs=7
				94	+ - account_disable_post_pw_expiration
				95	+ - var_account_disable_post_pw_expiration=30
				96	+ - no_shelllogin_for_systemaccounts
				97	+ - accounts_tmout
				98	+ - var_accounts_tmout=15_min
				99	+ - accounts_root_gid_zero
				100	+ - accounts_umask_etc_bashrc
				101	+ - accounts_umask_etc_login_defs
				102	+ - use_pam_wheel_for_su
				103	+ - sshd_allow_only_protocol2
				104	+ - journald_forward_to_syslog
				105	+ - journald_compress
				106	+ - journald_storage
				107	+ - service_auditd_enabled
				108	+ - service_httpd_disabled
				109	+ - service_vsftpd_disabled
				110	+ - service_named_disabled
				111	+ - service_nfs_disabled
				112	+ - service_rpcbind_disabled
				113	+ - service_slapd_disabled
				114	+ - service_dhcpd_disabled
				115	+ - service_cups_disabled
				116	+ - service_ypserv_disabled
				117	+ - service_rsyncd_disabled
				118	+ - service_avahi-daemon_disabled
				119	+ - service_snmpd_disabled
				120	+ - service_squid_disabled
				121	+ - service_smb_disabled
				122	+ - service_dovecot_disabled
				123	+ - banner_etc_motd
				124	+ - login_banner_text=cis_banners
				125	+ - banner_etc_issue
				126	+ - login_banner_text=cis_banners
				127	+ - file_groupowner_etc_motd
				128	+ - file_owner_etc_motd
				129	+ - file_permissions_etc_motd
				130	+ - file_groupowner_etc_issue
				131	+ - file_owner_etc_issue
				132	+ - file_permissions_etc_issue
				133	+ - ensure_gpgcheck_globally_activated
				134	+ - package_aide_installed
				135	+ - aide_periodic_cron_checking
				136	+ - grub2_password
				137	+ - file_groupowner_grub2_cfg
				138	+ - file_owner_grub2_cfg
				139	+ - file_permissions_grub2_cfg
				140	+ - require_singleuser_auth
				141	+ - require_emergency_target_auth
				142	+ - disable_users_coredumps
				143	+ - coredump_disable_backtraces
				144	+ - coredump_disable_storage
				145	+ - configure_crypto_policy
				146	+ - var_system_crypto_policy=default_policy
				147	+ - dir_perms_world_writable_sticky_bits
				148	- file_permissions_etc_passwd
				149	+ - file_owner_etc_shadow
				150	+ - file_groupowner_etc_shadow
				151	+ - file_groupowner_etc_group
				152	+ - file_owner_etc_group
				153	+ - file_permissions_etc_group
				154	+ - file_groupowner_etc_gshadow
				155	+ - file_owner_etc_gshadow
				156	+ - file_groupowner_backup_etc_passwd
				157	+ - file_owner_backup_etc_passwd
				158	+ - file_permissions_backup_etc_passwd
				159	+ - file_groupowner_backup_etc_shadow
				160	+ - file_owner_backup_etc_shadow
				161	+ - file_permissions_backup_etc_shadow
				162	+ - file_groupowner_backup_etc_group
				163	+ - file_owner_backup_etc_group
				164	+ - file_permissions_backup_etc_group
				165	+ - file_groupowner_backup_etc_gshadow
				166	+ - file_owner_backup_etc_gshadow
				167	+ - file_permissions_backup_etc_gshadow
				168	+ - file_permissions_unauthorized_world_writable
				169	+ - file_permissions_ungroupowned
				170	+ - accounts_root_path_dirs_no_write
				171	+ - root_path_no_dot
				172	+ - accounts_no_uid_except_zero
				173	+ - file_ownership_home_directories
				174	+ - file_groupownership_home_directories
				175	+ - no_netrc_files
				176	+ - no_rsh_trust_files
				177	+ - account_unique_id
				178	+ - group_unique_id
				179	+ - group_unique_name
				180	+ - kernel_module_sctp_disabled
				181	+ - kernel_module_dccp_disabled
				182	+ - wireless_disable_interfaces
				183	+ - sysctl_net_ipv4_ip_forward
				184	+ - sysctl_net_ipv6_conf_all_forwarding
				185	+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
				186	+ - sysctl_net_ipv4_conf_all_send_redirects
				187	+ - sysctl_net_ipv4_conf_default_send_redirects
				188	+ - sysctl_net_ipv4_conf_all_accept_source_route
				189	+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
				190	+ - sysctl_net_ipv4_conf_default_accept_source_route
				191	+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
				192	+ - sysctl_net_ipv6_conf_all_accept_source_route
				193	+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
				194	+ - sysctl_net_ipv6_conf_default_accept_source_route
				195	+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
				196	+ - sysctl_net_ipv4_conf_all_accept_redirects
				197	+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
				198	+ - sysctl_net_ipv4_conf_default_accept_redirects
				199	+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
				200	+ - sysctl_net_ipv6_conf_all_accept_redirects
				201	+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
				202	+ - sysctl_net_ipv6_conf_default_accept_redirects
				203	+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
				204	+ - sysctl_net_ipv4_conf_all_secure_redirects
				205	+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
				206	+ - sysctl_net_ipv4_conf_default_secure_redirects
				207	+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
				208	+ - sysctl_net_ipv4_conf_all_log_martians
				209	+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
				210	+ - sysctl_net_ipv4_conf_default_log_martians
				211	+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
				212	+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
				213	+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
				214	+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
				215	+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
				216	+ - sysctl_net_ipv4_conf_all_rp_filter
				217	+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
				218	+ - sysctl_net_ipv4_conf_default_rp_filter
				219	+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
				220	+ - sysctl_net_ipv4_tcp_syncookies
				221	+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
				222	+ - sysctl_net_ipv6_conf_all_accept_ra
				223	+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
				224	+ - sysctl_net_ipv6_conf_default_accept_ra
				225	+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
				226	+ - package_firewalld_installed
				227	+ - service_firewalld_enabled
				228	+ - package_iptables_installed
				229	--
				230	2.34.1
				231