1 files changed, 106 insertions, 0 deletions
diff --git a/dynamic-layers/meta-perl/recipes-security/bastille/files/config b/dynamic-layers/meta-perl/recipes-security/bastille/files/config
new file mode 100755
index 0000000..9e5e206
--- /dev/null
+++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/config
@@ -0,0 +1,106 @@
+# Q:  Would you like to enforce password aging? [Y]
+AccountSecurity.passwdage="Y"
+# Q:  Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
+AccountSecurity.protectrhost="Y"
+# Q:  Should we disallow root login on tty's 1-6? [N]
+AccountSecurity.rootttylogins="Y"
+# Q:  What umask would you like to set for users on the system? [077]
+AccountSecurity.umask="077"
+# Q:  Do you want to set the default umask? [Y]
+AccountSecurity.umaskyn="Y"
+# Q:  Would you like to deactivate the Apache web server? [Y]
+Apache.apacheoff="Y"
+# Q:  Would you like to password protect single-user mode? [Y]
+BootSecurity.passsum="Y"
+# Q:  Should we restrict console access to a small group of user accounts? [N]
+ConfigureMiscPAM.consolelogin="Y"
+# Q:  Which accounts should be able to login at console? [root]
+ConfigureMiscPAM.consolelogin_accounts="root"
+# Q:  Would you like to put limits on system resource usage? [N]
+ConfigureMiscPAM.limitsconf="Y"
+# Q:  Would you like to set more restrictive permissions on the administration utilities? [N]
+FilePermissions.generalperms_1_1="Y"
+# Q:  Would you like to disable SUID status for mount/umount?
+FilePermissions.suidmount="Y"
+# Q:  Would you like to disable SUID status for ping? [Y]
+FilePermissions.suidping="Y"
+# Q:  Would you like to disable SUID status for traceroute? [Y]
+FilePermissions.suidtrace="Y"
+# Q:  Do you need the advanced networking options?
+Firewall.ip_advnetwork="Y"
+# Q:  Should Bastille run the firewall and enable it at boot time? [N]
+Firewall.ip_enable_firewall="Y"
+# Q:  Would you like to run the packet filtering script? [N]
+Firewall.ip_intro="Y"
+# Q:  Interfaces for DHCP queries: [ ]
+Firewall.ip_s_dhcpiface=" "
+# Q:  DNS servers: [0.0.0.0/0]
+Firewall.ip_s_dns="10.184.9.1"
+# Q:  ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
+Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
+# Q:  ICMP services to audit: [ ]
+Firewall.ip_s_icmpaudit=" "
+# Q:  ICMP types to disallow outbound: [destination-unreachable time-exceeded]
+Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
+# Q:  Internal interfaces: [ ]
+Firewall.ip_s_internaliface=" "
+# Q:  TCP service names or port numbers to allow on private interfaces: [ ]
+Firewall.ip_s_internaltcp=" "
+# Q:  UDP service names or port numbers to allow on private interfaces: [ ]
+Firewall.ip_s_internaludp=" "
+# Q:  Masqueraded networks: [ ]
+Firewall.ip_s_ipmasq=" "
+# Q:  Kernel modules to masquerade: [ftp raudio vdolive]
+Firewall.ip_s_kernelmasq="ftp raudio vdolive"
+# Q:  NTP servers to query: [ ]
+Firewall.ip_s_ntpsrv=" "
+# Q:  Force passive mode? [N]
+Firewall.ip_s_passiveftp="N"
+# Q:  Public interfaces: [eth+ ppp+ slip+]
+Firewall.ip_s_publiciface="eth+ ppp+ slip+"
+# Q:  TCP service names or port numbers to allow on public interfaces:[ ]
+Firewall.ip_s_publictcp=" "
+# Q:  UDP service names or port numbers to allow on public interfaces:[ ]
+Firewall.ip_s_publicudp=" "
+# Q:  Reject method: [DENY]
+Firewall.ip_s_rejectmethod="DENY"
+# Q:  Enable source address verification? [Y]
+Firewall.ip_s_srcaddr="Y"
+# Q:  TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
+Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
+# Q:  TCP services to block: [2049 2065:2090 6000:6020 7100]
+Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
+# Q:  Trusted interface names: [lo]
+Firewall.ip_s_trustiface="lo"
+# Q:  UDP services to audit: [31337]
+Firewall.ip_s_udpaudit="31337"
+# Q:  UDP services to block: [2049 6770]
+Firewall.ip_s_udpblock="2049 6770"
+# Q:  Would you like to add additional logging? [Y]
+Logging.morelogging="Y"
+# Q:  Would you like to set up process accounting? [N]
+Logging.pacct="N"
+# Q:  Do you have a remote logging host? [N]
+Logging.remotelog="N"
+# Q:  Would you like to disable acpid and/or apmd? [Y]
+MiscellaneousDaemons.apmd="Y"
+# Q:  Would you like to deactivate NFS and Samba? [Y]
+MiscellaneousDaemons.remotefs="Y"
+# Q:  Would you like to disable printing? [N]
+Printing.printing="Y"
+# Q:  Would you like to disable printing? [N]
+Printing.printing_cups="Y"
+# Q:  Would you like to display "Authorized Use" messages at log-in time? [Y]
+SecureInetd.banners="Y"
+# Q:  Should Bastille ensure inetd's FTP service does not run on this system? [y]
+SecureInetd.deactivate_ftp="Y"
+# Q:  Should Bastille ensure the telnet service does not run on this system? [y]
+SecureInetd.deactivate_telnet="Y"
+# Q:  Who is responsible for granting authorization to use this machine?
+SecureInetd.owner="its owner"
+# Q:  Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
+SecureInetd.tcpd_default_deny="Y"
+# Q:  Do you want to stop sendmail from running in daemon mode? [Y]
+Sendmail.sendmaildaemon="Y"
+# Q:  Would you like to install TMPDIR/TMP scripts? [N]
+TMPDIR.tmpdir="N"

diff --git a/dynamic-layers/meta-perl/recipes-security/bastille/files/config b/dynamic-layers/meta-perl/recipes-security/bastille/files/config new file mode 100755 index 0000000..9e5e206 --- /dev/null +++ b/dynamic-layers/meta-perl/recipes-security/bastille/files/config
@@ -0,0 +1,106 @@
	1	# Q: Would you like to enforce password aging? [Y]
	2	AccountSecurity.passwdage="Y"
	3	# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
	4	AccountSecurity.protectrhost="Y"
	5	# Q: Should we disallow root login on tty's 1-6? [N]
	6	AccountSecurity.rootttylogins="Y"
	7	# Q: What umask would you like to set for users on the system? [077]
	8	AccountSecurity.umask="077"
	9	# Q: Do you want to set the default umask? [Y]
	10	AccountSecurity.umaskyn="Y"
	11	# Q: Would you like to deactivate the Apache web server? [Y]
	12	Apache.apacheoff="Y"
	13	# Q: Would you like to password protect single-user mode? [Y]
	14	BootSecurity.passsum="Y"
	15	# Q: Should we restrict console access to a small group of user accounts? [N]
	16	ConfigureMiscPAM.consolelogin="Y"
	17	# Q: Which accounts should be able to login at console? [root]
	18	ConfigureMiscPAM.consolelogin_accounts="root"
	19	# Q: Would you like to put limits on system resource usage? [N]
	20	ConfigureMiscPAM.limitsconf="Y"
	21	# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
	22	FilePermissions.generalperms_1_1="Y"
	23	# Q: Would you like to disable SUID status for mount/umount?
	24	FilePermissions.suidmount="Y"
	25	# Q: Would you like to disable SUID status for ping? [Y]
	26	FilePermissions.suidping="Y"
	27	# Q: Would you like to disable SUID status for traceroute? [Y]
	28	FilePermissions.suidtrace="Y"
	29	# Q: Do you need the advanced networking options?
	30	Firewall.ip_advnetwork="Y"
	31	# Q: Should Bastille run the firewall and enable it at boot time? [N]
	32	Firewall.ip_enable_firewall="Y"
	33	# Q: Would you like to run the packet filtering script? [N]
	34	Firewall.ip_intro="Y"
	35	# Q: Interfaces for DHCP queries: [ ]
	36	Firewall.ip_s_dhcpiface=" "
	37	# Q: DNS servers: [0.0.0.0/0]
	38	Firewall.ip_s_dns="10.184.9.1"
	39	# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
	40	Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
	41	# Q: ICMP services to audit: [ ]
	42	Firewall.ip_s_icmpaudit=" "
	43	# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
	44	Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
	45	# Q: Internal interfaces: [ ]
	46	Firewall.ip_s_internaliface=" "
	47	# Q: TCP service names or port numbers to allow on private interfaces: [ ]
	48	Firewall.ip_s_internaltcp=" "
	49	# Q: UDP service names or port numbers to allow on private interfaces: [ ]
	50	Firewall.ip_s_internaludp=" "
	51	# Q: Masqueraded networks: [ ]
	52	Firewall.ip_s_ipmasq=" "
	53	# Q: Kernel modules to masquerade: [ftp raudio vdolive]
	54	Firewall.ip_s_kernelmasq="ftp raudio vdolive"
	55	# Q: NTP servers to query: [ ]
	56	Firewall.ip_s_ntpsrv=" "
	57	# Q: Force passive mode? [N]
	58	Firewall.ip_s_passiveftp="N"
	59	# Q: Public interfaces: [eth+ ppp+ slip+]
	60	Firewall.ip_s_publiciface="eth+ ppp+ slip+"
	61	# Q: TCP service names or port numbers to allow on public interfaces:[ ]
	62	Firewall.ip_s_publictcp=" "
	63	# Q: UDP service names or port numbers to allow on public interfaces:[ ]
	64	Firewall.ip_s_publicudp=" "
	65	# Q: Reject method: [DENY]
	66	Firewall.ip_s_rejectmethod="DENY"
	67	# Q: Enable source address verification? [Y]
	68	Firewall.ip_s_srcaddr="Y"
	69	# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
	70	Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
	71	# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
	72	Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
	73	# Q: Trusted interface names: [lo]
	74	Firewall.ip_s_trustiface="lo"
	75	# Q: UDP services to audit: [31337]
	76	Firewall.ip_s_udpaudit="31337"
	77	# Q: UDP services to block: [2049 6770]
	78	Firewall.ip_s_udpblock="2049 6770"
	79	# Q: Would you like to add additional logging? [Y]
	80	Logging.morelogging="Y"
	81	# Q: Would you like to set up process accounting? [N]
	82	Logging.pacct="N"
	83	# Q: Do you have a remote logging host? [N]
	84	Logging.remotelog="N"
	85	# Q: Would you like to disable acpid and/or apmd? [Y]
	86	MiscellaneousDaemons.apmd="Y"
	87	# Q: Would you like to deactivate NFS and Samba? [Y]
	88	MiscellaneousDaemons.remotefs="Y"
	89	# Q: Would you like to disable printing? [N]
	90	Printing.printing="Y"
	91	# Q: Would you like to disable printing? [N]
	92	Printing.printing_cups="Y"
	93	# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
	94	SecureInetd.banners="Y"
	95	# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
	96	SecureInetd.deactivate_ftp="Y"
	97	# Q: Should Bastille ensure the telnet service does not run on this system? [y]
	98	SecureInetd.deactivate_telnet="Y"
	99	# Q: Who is responsible for granting authorization to use this machine?
	100	SecureInetd.owner="its owner"
	101	# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
	102	SecureInetd.tcpd_default_deny="Y"
	103	# Q: Do you want to stop sendmail from running in daemon mode? [Y]
	104	Sendmail.sendmaildaemon="Y"
	105	# Q: Would you like to install TMPDIR/TMP scripts? [N]
	106	TMPDIR.tmpdir="N"