Skip to content

Commit 273cad0

Browse files
Merge pull request #14759 from jgleissner/sle15-pubcloud-update
Update SLE15 public cloud profiles
2 parents 107a59a + 790f983 commit 273cad0

3 files changed

Lines changed: 149 additions & 6 deletions

File tree

Lines changed: 149 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,149 @@
1+
documentation_complete: true
2+
3+
metadata:
4+
version: V1
5+
SMEs:
6+
- jgleissner
7+
8+
reference:
9+
10+
title: 'Public Cloud Hardening for SUSE Linux Enterprise 15 CHOST'
11+
12+
description: |-
13+
This profile contains configuration checks to be used to harden
14+
SUSE Linux Enterprise 15 CHOST for use with public cloud providers.
15+
16+
17+
selections:
18+
- account_disable_post_pw_expiration
19+
- accounts_have_homedir_login_defs
20+
- accounts_maximum_age_login_defs
21+
- accounts_password_set_max_life_existing
22+
- accounts_password_set_min_life_existing
23+
- accounts_passwords_pam_faildelay_delay
24+
- accounts_passwords_pam_tally2
25+
- accounts_tmout
26+
- accounts_umask_etc_login_defs
27+
- aide_check_audit_tools
28+
- aide_periodic_checking_systemd_timer
29+
- aide_verify_acls
30+
- aide_verify_ext_attributes
31+
- auditd_audispd_encrypt_sent_records
32+
- auditd_data_disk_full_action
33+
- auditd_data_retention_space_left
34+
- audit_rules_dac_modification_chmod
35+
- audit_rules_dac_modification_chown
36+
- audit_rules_dac_modification_fchmod
37+
- audit_rules_dac_modification_fchmodat
38+
- audit_rules_dac_modification_fchown
39+
- audit_rules_dac_modification_fchownat
40+
- audit_rules_dac_modification_fremovexattr
41+
- audit_rules_dac_modification_fsetxattr
42+
- audit_rules_dac_modification_lchown
43+
- audit_rules_dac_modification_lremovexattr
44+
- audit_rules_dac_modification_lsetxattr
45+
- audit_rules_dac_modification_removexattr
46+
- audit_rules_dac_modification_setxattr
47+
- audit_rules_dac_modification_umount
48+
- audit_rules_dac_modification_umount2
49+
- audit_rules_enable_syscall_auditing
50+
- audit_rules_execution_chacl
51+
- audit_rules_execution_chcon
52+
- audit_rules_execution_chmod
53+
- audit_rules_execution_rm
54+
- audit_rules_execution_setfacl
55+
- audit_rules_kernel_module_loading_delete
56+
- audit_rules_kernel_module_loading_finit
57+
- audit_rules_kernel_module_loading_init
58+
- audit_rules_login_events_lastlog
59+
- audit_rules_login_events_tallylog
60+
- audit_rules_media_export
61+
- audit_rules_privileged_commands_chage
62+
- audit_rules_privileged_commands_chfn
63+
- audit_rules_privileged_commands_chsh
64+
- audit_rules_privileged_commands_crontab
65+
- audit_rules_privileged_commands_gpasswd
66+
- audit_rules_privileged_commands_insmod
67+
- audit_rules_privileged_commands_kmod
68+
- audit_rules_privileged_commands_modprobe
69+
- audit_rules_privileged_commands_newgrp
70+
- audit_rules_privileged_commands_pam_timestamp_check
71+
- audit_rules_privileged_commands_passmass
72+
- audit_rules_privileged_commands_passwd
73+
- audit_rules_privileged_commands_rmmod
74+
- audit_rules_privileged_commands_ssh_agent
75+
- audit_rules_privileged_commands_ssh_keysign
76+
- audit_rules_privileged_commands_su
77+
- audit_rules_privileged_commands_sudo
78+
- audit_rules_privileged_commands_sudoedit
79+
- audit_rules_privileged_commands_unix2_chkpwd
80+
- audit_rules_privileged_commands_unix_chkpwd
81+
- audit_rules_privileged_commands_usermod
82+
- audit_rules_session_events_btmp
83+
- audit_rules_session_events_utmp
84+
- audit_rules_session_events_wtmp
85+
- audit_rules_suid_privilege_function
86+
- audit_rules_sysadmin_actions
87+
- audit_rules_unsuccessful_file_modification_creat
88+
- audit_rules_unsuccessful_file_modification_ftruncate
89+
- audit_rules_unsuccessful_file_modification_open
90+
- audit_rules_unsuccessful_file_modification_openat
91+
- audit_rules_unsuccessful_file_modification_open_by_handle_at
92+
- audit_rules_unsuccessful_file_modification_rename
93+
- audit_rules_unsuccessful_file_modification_renameat
94+
- audit_rules_unsuccessful_file_modification_renameat2
95+
- audit_rules_unsuccessful_file_modification_truncate
96+
- audit_rules_unsuccessful_file_modification_unlink
97+
- audit_rules_unsuccessful_file_modification_unlinkat
98+
- audit_rules_usergroup_modification_group
99+
- audit_rules_usergroup_modification_gshadow
100+
- audit_rules_usergroup_modification_opasswd
101+
- audit_rules_usergroup_modification_passwd
102+
- audit_rules_usergroup_modification_shadow
103+
- banner_etc_issue
104+
- cracklib_accounts_password_pam_dcredit
105+
- cracklib_accounts_password_pam_difok
106+
- cracklib_accounts_password_pam_lcredit
107+
- cracklib_accounts_password_pam_minlen
108+
- cracklib_accounts_password_pam_ocredit
109+
- cracklib_accounts_password_pam_retry
110+
- cracklib_accounts_password_pam_ucredit
111+
- display_login_attempts
112+
- ensure_gpgcheck_globally_activated
113+
- file_groupownership_system_commands_dirs
114+
- file_permissions_home_directories
115+
- inactivity_timeout_value=15_minutes
116+
- kernel_module_usb-storage_disabled
117+
- package_aide_installed
118+
- package_audit-audispd-plugins_installed
119+
- package_audit_installed
120+
- set_password_hashing_algorithm_systemauth
121+
- sshd_disable_root_login
122+
- sshd_disable_user_known_hosts
123+
- sshd_disable_x11_forwarding
124+
- sshd_enable_warning_banner
125+
- sshd_idle_timeout_value=10_minutes
126+
- sshd_set_idle_timeout
127+
- sshd_set_keepalive_0
128+
- sshd_set_loglevel_verbose
129+
- sshd_use_approved_ciphers_ordered_stig
130+
- sshd_use_approved_macs_ordered_stig
131+
- var_account_disable_post_pw_expiration=35
132+
- var_accounts_fail_delay=4
133+
- var_accounts_max_concurrent_login_sessions=10
134+
- var_accounts_maximum_age_login_defs=60
135+
- var_accounts_minimum_age_login_defs=7
136+
- var_accounts_tmout=15_min
137+
- var_auditd_disk_full_action=syslog
138+
- var_password_pam_dcredit=1
139+
- var_password_pam_delay=4000000
140+
- var_password_pam_lcredit=1
141+
- var_password_pam_minlen=15
142+
- var_password_pam_ocredit=1
143+
- var_password_pam_ucredit=1
144+
- var_password_pam_unix_remember=5
145+
- var_removable_partition=dev_cdrom
146+
- var_sshd_set_keepalive=0
147+
- var_sssd_memcache_timeout=1_day
148+
- var_sudo_timestamp_timeout=always_prompt
149+
- var_time_service_set_maxpoll=18_hours

products/sle15/profiles/pcs-hardening-sap.profile

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -92,7 +92,6 @@ selections:
9292
- var_accounts_user_umask=027
9393
- var_pam_wheel_group_for_su=cis
9494
# CIS L1 Rules
95-
- install_smartcard_packages
9695
- package_aide_installed
9796
- package_audit-audispd-plugins_installed
9897
- package_audit_installed
@@ -125,7 +124,6 @@ selections:
125124
- sysctl_net_ipv4_ip_forward
126125
- package_nftables_removed
127126
- permissions_local_var_log
128-
- mount_option_dev_shm_noexec
129127
- sysctl_fs_suid_dumpable
130128
- sysctl_kernel_randomize_va_space
131129
- file_at_deny_not_exist

products/sle15/profiles/pcs-hardening.profile

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -81,12 +81,10 @@ selections:
8181
- cracklib_accounts_password_pam_ocredit
8282
- cracklib_accounts_password_pam_retry
8383
- cracklib_accounts_password_pam_ucredit
84-
- disable_ctrlaltdel_burstaction
8584
- disable_users_coredumps
8685
- display_login_attempts
8786
- ensure_gpgcheck_globally_activated
8887
#- ensure_logrotate_activated
89-
- file_etc_security_opasswd
9088
- file_groupowner_etc_issue
9189
- file_groupownership_system_commands_dirs
9290
- file_owner_etc_issue
@@ -110,8 +108,6 @@ selections:
110108
#- pam_disable_automatic_configuration
111109
- set_password_hashing_algorithm_commonauth
112110
- set_password_hashing_algorithm_systemauth
113-
- smartcard_configure_ca
114-
- smartcard_configure_cert_checking
115111
- sshd_disable_root_login
116112
- sshd_disable_tcp_forwarding
117113
- sshd_disable_user_known_hosts

0 commit comments

Comments
 (0)