From 7af2da3bbe1d5b4cba89c6dae9ea267717b865ea Mon Sep 17 00:00:00 2001
From: Armin Kuster <akuster808@gmail.com>
Date: Wed, 21 Jun 2023 07:46:38 -0400
Subject: [PATCH] standard.profile: expand checks

Signed-off-by: Armin Kuster <akuster808@gmail.com>

Upstream-Status: Pending
---
 .../openembedded/profiles/standard.profile    | 206 ++++++++++++++++++
 1 file changed, 206 insertions(+)

diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
index 44339d716c..877d1a3971 100644
--- a/products/openembedded/profiles/standard.profile
+++ b/products/openembedded/profiles/standard.profile
@@ -9,4 +9,210 @@ description: |-
 selections:
     - file_owner_etc_passwd
     - file_groupowner_etc_passwd
+    - service_crond_enabled
+    - file_groupowner_crontab
+    - file_owner_crontab
+    - file_permissions_crontab
+    - file_groupowner_cron_hourly
+    - file_owner_cron_hourly
+    - file_permissions_cron_hourly
+    - file_groupowner_cron_daily
+    - file_owner_cron_daily
+    - file_permissions_cron_daily
+    - file_groupowner_cron_weekly
+    - file_owner_cron_weekly
+    - file_permissions_cron_weekly
+    - file_groupowner_cron_monthly
+    - file_owner_cron_monthly
+    - file_permissions_cron_monthly
+    - file_groupowner_cron_d
+    - file_owner_cron_d
+    - file_permissions_cron_d
+    - file_groupowner_cron_allow
+    - file_owner_cron_allow
+    - file_cron_deny_not_exist
+    - file_groupowner_at_allow
+    - file_owner_at_allow
+    - file_at_deny_not_exist
+    - file_permissions_at_allow
+    - file_permissions_cron_allow
+    - file_groupowner_sshd_config
+    - file_owner_sshd_config
+    - file_permissions_sshd_config
+    - file_permissions_sshd_private_key
+    - file_permissions_sshd_pub_key
+    - sshd_set_loglevel_verbose
+    - sshd_set_loglevel_info
+    - sshd_max_auth_tries_value=4
+    - sshd_set_max_auth_tries
+    - sshd_disable_rhosts
+    - disable_host_auth
+    - sshd_disable_root_login
+    - sshd_disable_empty_passwords
+    - sshd_do_not_permit_user_env
+    - sshd_idle_timeout_value=15_minutes
+    - sshd_set_idle_timeout
+    - sshd_set_keepalive
+    - var_sshd_set_keepalive=0
+    - sshd_set_login_grace_time
+    - var_sshd_set_login_grace_time=60
+    - sshd_enable_warning_banner
+    - sshd_enable_pam
+    - sshd_set_maxstartups
+    - var_sshd_set_maxstartups=10:30:60
+    - sshd_set_max_sessions
+    - var_sshd_max_sessions=10
+    - accounts_password_pam_minclass
+    - accounts_password_pam_minlen
+    - accounts_password_pam_retry
+    - var_password_pam_minclass=4
+    - var_password_pam_minlen=14
+    - locking_out_password_attempts
+    - accounts_password_pam_pwhistory_remember_password_auth
+    - accounts_password_pam_pwhistory_remember_system_auth
+    - var_password_pam_remember_control_flag=required
+    - var_password_pam_remember=5
+    - set_password_hashing_algorithm_systemauth
+    - accounts_maximum_age_login_defs
+    - var_accounts_maximum_age_login_defs=365
+    - accounts_password_set_max_life_existing
+    - accounts_minimum_age_login_defs
+    - var_accounts_minimum_age_login_defs=7
+    - accounts_password_set_min_life_existing
+    - accounts_password_warn_age_login_defs
+    - var_accounts_password_warn_age_login_defs=7
+    - account_disable_post_pw_expiration
+    - var_account_disable_post_pw_expiration=30
+    - no_shelllogin_for_systemaccounts
+    - accounts_tmout
+    - var_accounts_tmout=15_min
+    - accounts_root_gid_zero
+    - accounts_umask_etc_bashrc
+    - accounts_umask_etc_login_defs
+    - use_pam_wheel_for_su
+    - sshd_allow_only_protocol2
+    - journald_forward_to_syslog
+    - journald_compress
+    - journald_storage
+    - service_auditd_enabled
+    - service_httpd_disabled
+    - service_vsftpd_disabled
+    - service_named_disabled
+    - service_nfs_disabled
+    - service_rpcbind_disabled
+    - service_slapd_disabled
+    - service_dhcpd_disabled
+    - service_cups_disabled
+    - service_ypserv_disabled
+    - service_rsyncd_disabled
+    - service_avahi-daemon_disabled
+    - service_snmpd_disabled
+    - service_squid_disabled
+    - service_smb_disabled
+    - service_dovecot_disabled
+    - banner_etc_motd
+    - login_banner_text=cis_banners
+    - banner_etc_issue
+    - login_banner_text=cis_banners
+    - file_groupowner_etc_motd
+    - file_owner_etc_motd
+    - file_permissions_etc_motd
+    - file_groupowner_etc_issue
+    - file_owner_etc_issue
+    - file_permissions_etc_issue
+    - ensure_gpgcheck_globally_activated
+    - package_aide_installed
+    - aide_periodic_cron_checking
+    - grub2_password
+    - file_groupowner_grub2_cfg
+    - file_owner_grub2_cfg
+    - file_permissions_grub2_cfg
+    - require_singleuser_auth
+    - require_emergency_target_auth
+    - disable_users_coredumps
+    - coredump_disable_backtraces
+    - coredump_disable_storage
+    - configure_crypto_policy
+    - var_system_crypto_policy=default_policy
+    - dir_perms_world_writable_sticky_bits
     - file_permissions_etc_passwd
+    - file_owner_etc_shadow
+    - file_groupowner_etc_shadow
+    - file_groupowner_etc_group
+    - file_owner_etc_group
+    - file_permissions_etc_group
+    - file_groupowner_etc_gshadow
+    - file_owner_etc_gshadow
+    - file_groupowner_backup_etc_passwd
+    - file_owner_backup_etc_passwd
+    - file_permissions_backup_etc_passwd
+    - file_groupowner_backup_etc_shadow
+    - file_owner_backup_etc_shadow
+    - file_permissions_backup_etc_shadow
+    - file_groupowner_backup_etc_group
+    - file_owner_backup_etc_group
+    - file_permissions_backup_etc_group
+    - file_groupowner_backup_etc_gshadow
+    - file_owner_backup_etc_gshadow
+    - file_permissions_backup_etc_gshadow
+    - file_permissions_unauthorized_world_writable
+    - file_permissions_ungroupowned
+    - accounts_root_path_dirs_no_write
+    - root_path_no_dot
+    - accounts_no_uid_except_zero
+    - file_ownership_home_directories
+    - file_groupownership_home_directories
+    - no_netrc_files
+    - no_rsh_trust_files
+    - account_unique_id
+    - group_unique_id
+    - group_unique_name
+    - kernel_module_sctp_disabled
+    - kernel_module_dccp_disabled
+    - wireless_disable_interfaces
+    - sysctl_net_ipv4_ip_forward
+    - sysctl_net_ipv6_conf_all_forwarding
+    - sysctl_net_ipv6_conf_all_forwarding_value=disabled
+    - sysctl_net_ipv4_conf_all_send_redirects
+    - sysctl_net_ipv4_conf_default_send_redirects
+    - sysctl_net_ipv4_conf_all_accept_source_route
+    - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
+    - sysctl_net_ipv4_conf_default_accept_source_route
+    - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
+    - sysctl_net_ipv6_conf_all_accept_source_route
+    - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
+    - sysctl_net_ipv6_conf_default_accept_source_route
+    - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
+    - sysctl_net_ipv4_conf_all_accept_redirects
+    - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
+    - sysctl_net_ipv4_conf_default_accept_redirects
+    - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
+    - sysctl_net_ipv6_conf_all_accept_redirects
+    - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
+    - sysctl_net_ipv6_conf_default_accept_redirects
+    - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
+    - sysctl_net_ipv4_conf_all_secure_redirects
+    - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
+    - sysctl_net_ipv4_conf_default_secure_redirects
+    - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
+    - sysctl_net_ipv4_conf_all_log_martians
+    - sysctl_net_ipv4_conf_all_log_martians_value=enabled
+    - sysctl_net_ipv4_conf_default_log_martians
+    - sysctl_net_ipv4_conf_default_log_martians_value=enabled
+    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
+    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
+    - sysctl_net_ipv4_conf_all_rp_filter
+    - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
+    - sysctl_net_ipv4_conf_default_rp_filter
+    - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
+    - sysctl_net_ipv4_tcp_syncookies
+    - sysctl_net_ipv4_tcp_syncookies_value=enabled
+    - sysctl_net_ipv6_conf_all_accept_ra
+    - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
+    - sysctl_net_ipv6_conf_default_accept_ra
+    - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
+    - package_firewalld_installed
+    - service_firewalld_enabled
+    - package_iptables_installed
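Review bot: The hunk selects both `sshd_set_loglevel_verbose` and `sshd_set_loglevel_info`, but sshd_config carries a single `LogLevel`, so one of the two rules will fail on every scan regardless of how the host is configured; keep only one (VERBOSE is the stricter choice) by dropping `    - sshd_set_loglevel_info`. `login_banner_text=cis_banners` is selected twice, once after `banner_etc_motd` and again after `banner_etc_issue`; the second entry is redundant and should go. `var_sshd_set_keepalive=0` also deserves a second look: on OpenSSH 8.2 and later a `ClientAliveCountMax` of 0 disables the liveness-based disconnect entirely, so paired with the 15-minute idle timeout the control becomes a no-op, whereas `    - var_sshd_set_keepalive=1` gives the intended behaviour. Several other selections (`configure_crypto_policy`, `ensure_gpgcheck_globally_activated`, `set_password_hashing_algorithm_systemauth`) appear to target RHEL-style artifacts such as update-crypto-policies, yum.conf and /etc/pam.d/system-auth that an OpenEmbedded image may not have, so it is worth confirming they evaluate as intended rather than failing or reporting notapplicable. The commit message does not say which benchmark the 206 new selections were taken from (the `cis_banners` value suggests CIS); naming it would let reviewers check coverage against the source document.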
-- 
2.34.1