add hardening templating and several enhancements

2025-06-21 18:23:42 +02:00 · 2017-05-18 18:40:09 +02:00
parent 2ef500298b
commit 676b17c54f
386 changed files with 701 additions and 449 deletions
--- a/etc/conf.d/.gitignore
+++ b/etc/conf.d/.gitignore
@ -0,0 +1 @@
+*.cfg
--- a/etc/conf.d/1.1_install_updates.cfg
+++ b/etc/conf.d/1.1_install_updates.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/10.1.1_set_password_exp_days.cfg
+++ b/etc/conf.d/10.1.1_set_password_exp_days.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/10.1.2_set_password_min_days_change.cfg
+++ b/etc/conf.d/10.1.2_set_password_min_days_change.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
+++ b/etc/conf.d/10.1.3_set_password_exp_warning_days.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/10.2_disable_system_accounts.cfg
+++ b/etc/conf.d/10.2_disable_system_accounts.cfg
@ -1,4 +0,0 @@
-# Configuration for script of same name
-status=disabled
-# Put here your exceptions concerning admin accounts shells separated by spaces
-EXCEPTIONS=""
--- a/etc/conf.d/10.3_default_root_group.cfg
+++ b/etc/conf.d/10.3_default_root_group.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/10.4_default_umask.cfg
+++ b/etc/conf.d/10.4_default_umask.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/10.5_lock_inactive_user_account.cfg
+++ b/etc/conf.d/10.5_lock_inactive_user_account.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/11.1_warning_banners.cfg
+++ b/etc/conf.d/11.1_warning_banners.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
+++ b/etc/conf.d/11.2_remove_os_info_warning_banners.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/11.3_graphical_warning_banners.cfg
+++ b/etc/conf.d/11.3_graphical_warning_banners.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/12.10_find_suid_files.cfg
+++ b/etc/conf.d/12.10_find_suid_files.cfg
@ -1,5 +0,0 @@
-# Configuration for script of same name
-status=disabled
-
-# Put Here your valid suid binaries so that they do not appear during the audit
-EXCEPTIONS="/bin/mount /bin/ping /bin/ping6 /bin/su /bin/umount /usr/bin/chfn /usr/bin/chsh /usr/bin/fping /usr/bin/fping6 /usr/bin/gpasswd /usr/bin/mtr /usr/bin/newgrp /usr/bin/passwd /usr/bin/sudo /usr/bin/sudoedit /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/bin/at"
--- a/etc/conf.d/12.11_find_sgid_files.cfg
+++ b/etc/conf.d/12.11_find_sgid_files.cfg
@ -1,4 +0,0 @@
-# Configuration for script of same name
-status=disabled
-# Put here valid binaries with sgid enabled separated by spaces
-EXCEPTIONS="/sbin/unix_chkpwd /usr/bin/bsd-write /usr/bin/chage /usr/bin/crontab /usr/bin/expiry /usr/bin/mutt_dotlock /usr/bin/screen /usr/bin/ssh-agent /usr/bin/wall /usr/sbin/postdrop /usr/sbin/postqueue /usr/bin/at /usr/bin/dotlockfile /usr/bin/mail-lock /usr/bin/mail-touchlock /usr/bin/mail-unlock"
--- a/etc/conf.d/12.1_etc_passwd_permissions.cfg
+++ b/etc/conf.d/12.1_etc_passwd_permissions.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/12.2_etc_shadow_permissions.cfg
+++ b/etc/conf.d/12.2_etc_shadow_permissions.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/12.3_etc_group_permissions.cfg
+++ b/etc/conf.d/12.3_etc_group_permissions.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/12.4_etc_passwd_ownership.cfg
+++ b/etc/conf.d/12.4_etc_passwd_ownership.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/12.5_etc_shadow_ownership.cfg
+++ b/etc/conf.d/12.5_etc_shadow_ownership.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/12.6_etc_group_ownership.cfg
+++ b/etc/conf.d/12.6_etc_group_ownership.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/12.7_find_world_writable_file.cfg
+++ b/etc/conf.d/12.7_find_world_writable_file.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/12.8_find_unowned_files.cfg
+++ b/etc/conf.d/12.8_find_unowned_files.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/12.9_find_ungrouped_files.cfg
+++ b/etc/conf.d/12.9_find_ungrouped_files.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.10_find_user_rhosts_files.cfg
+++ b/etc/conf.d/13.10_find_user_rhosts_files.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg
+++ b/etc/conf.d/13.11_find_passwd_group_inconsistencies.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.12_users_valid_homedir.cfg
+++ b/etc/conf.d/13.12_users_valid_homedir.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.13_check_user_homedir_ownership.cfg
+++ b/etc/conf.d/13.13_check_user_homedir_ownership.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.14_check_duplicate_uid.cfg
+++ b/etc/conf.d/13.14_check_duplicate_uid.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.15_check_duplicate_gid.cfg
+++ b/etc/conf.d/13.15_check_duplicate_gid.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.16_check_duplicate_username.cfg
+++ b/etc/conf.d/13.16_check_duplicate_username.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.17_check_duplicate_groupname.cfg
+++ b/etc/conf.d/13.17_check_duplicate_groupname.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.18_find_user_netrc_files.cfg
+++ b/etc/conf.d/13.18_find_user_netrc_files.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.19_find_user_forward_files.cfg
+++ b/etc/conf.d/13.19_find_user_forward_files.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.1_remove_empty_password_field.cfg
+++ b/etc/conf.d/13.1_remove_empty_password_field.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.20_shadow_group_empty.cfg
+++ b/etc/conf.d/13.20_shadow_group_empty.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
+++ b/etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
+++ b/etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.4_remove_legacy_group_entries.cfg
+++ b/etc/conf.d/13.4_remove_legacy_group_entries.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.5_find_0_uid_non_root_account.cfg
+++ b/etc/conf.d/13.5_find_0_uid_non_root_account.cfg
@ -1,4 +0,0 @@
-# Configuration for script of same name
-status=disabled
-# Put here valid accounts with uid 0 separated by spaces
-EXCEPTIONS=""
--- a/etc/conf.d/13.6_sanitize_root_path.cfg
+++ b/etc/conf.d/13.6_sanitize_root_path.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.7_check_user_dir_perm.cfg
+++ b/etc/conf.d/13.7_check_user_dir_perm.cfg
@ -1,4 +0,0 @@
-# Configuration for script of same name
-status=disabled
-# Put here user home directories exceptions, separated by spaces
-EXCEPTIONS=""
--- a/etc/conf.d/13.8_check_user_dot_file_perm.cfg
+++ b/etc/conf.d/13.8_check_user_dot_file_perm.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/13.9_set_perm_on_user_netrc.cfg
+++ b/etc/conf.d/13.9_set_perm_on_user_netrc.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.10_home_nodev.cfg
+++ b/etc/conf.d/2.10_home_nodev.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.11_removable_device_nodev.cfg
+++ b/etc/conf.d/2.11_removable_device_nodev.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.12_removable_device_noexec.cfg
+++ b/etc/conf.d/2.12_removable_device_noexec.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.13_removable_device_nosuid.cfg
+++ b/etc/conf.d/2.13_removable_device_nosuid.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.14_run_shm_nodev.cfg
+++ b/etc/conf.d/2.14_run_shm_nodev.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.15_run_shm_nosuid.cfg
+++ b/etc/conf.d/2.15_run_shm_nosuid.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.16_run_shm_noexec.cfg
+++ b/etc/conf.d/2.16_run_shm_noexec.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg
+++ b/etc/conf.d/2.17_sticky_bit_world_writable_folder.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.18_disable_cramfs.cfg
+++ b/etc/conf.d/2.18_disable_cramfs.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.19_disable_freevxfs.cfg
+++ b/etc/conf.d/2.19_disable_freevxfs.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.1_tmp_partition.cfg
+++ b/etc/conf.d/2.1_tmp_partition.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.20_disable_jffs2.cfg
+++ b/etc/conf.d/2.20_disable_jffs2.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.21_disable_hfs.cfg
+++ b/etc/conf.d/2.21_disable_hfs.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.22_disable_hfsplus.cfg
+++ b/etc/conf.d/2.22_disable_hfsplus.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.23_disable_squashfs.cfg
+++ b/etc/conf.d/2.23_disable_squashfs.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.24_disable_udf.cfg
+++ b/etc/conf.d/2.24_disable_udf.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.25_disable_automounting.cfg
+++ b/etc/conf.d/2.25_disable_automounting.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.2_tmp_nodev.cfg
+++ b/etc/conf.d/2.2_tmp_nodev.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.3_tmp_nosuid.cfg
+++ b/etc/conf.d/2.3_tmp_nosuid.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.4_tmp_noexec.cfg
+++ b/etc/conf.d/2.4_tmp_noexec.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.5_var_partition.cfg
+++ b/etc/conf.d/2.5_var_partition.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.6.1_var_tmp_partition.cfg
+++ b/etc/conf.d/2.6.1_var_tmp_partition.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.6.2_var_tmp_nodev.cfg
+++ b/etc/conf.d/2.6.2_var_tmp_nodev.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.6.3_var_tmp_nosuid.cfg
+++ b/etc/conf.d/2.6.3_var_tmp_nosuid.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.6.4_var_tmp_noexec.cfg
+++ b/etc/conf.d/2.6.4_var_tmp_noexec.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.7_var_log_partition.cfg
+++ b/etc/conf.d/2.7_var_log_partition.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.8_var_log_audit_partition.cfg
+++ b/etc/conf.d/2.8_var_log_audit_partition.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/2.9_home_partition.cfg
+++ b/etc/conf.d/2.9_home_partition.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/3.1_bootloader_ownership.cfg
+++ b/etc/conf.d/3.1_bootloader_ownership.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/3.2_bootloader_permissions.cfg
+++ b/etc/conf.d/3.2_bootloader_permissions.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/3.3_bootloader_password.cfg
+++ b/etc/conf.d/3.3_bootloader_password.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/3.4_root_password.cfg
+++ b/etc/conf.d/3.4_root_password.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/4.1_restrict_core_dumps.cfg
+++ b/etc/conf.d/4.1_restrict_core_dumps.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/4.2_enable_nx_support.cfg
+++ b/etc/conf.d/4.2_enable_nx_support.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/4.3_enable_randomized_vm_placement.cfg
+++ b/etc/conf.d/4.3_enable_randomized_vm_placement.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/4.4_disable_prelink.cfg
+++ b/etc/conf.d/4.4_disable_prelink.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/4.5_enable_apparmor.cfg
+++ b/etc/conf.d/4.5_enable_apparmor.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.1.1_disable_nis.cfg
+++ b/etc/conf.d/5.1.1_disable_nis.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.1.2_disable_rsh.cfg
+++ b/etc/conf.d/5.1.2_disable_rsh.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.1.3_disable_rsh_client.cfg
+++ b/etc/conf.d/5.1.3_disable_rsh_client.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.1.4_disable_talk.cfg
+++ b/etc/conf.d/5.1.4_disable_talk.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.1.5_disable_talk_client.cfg
+++ b/etc/conf.d/5.1.5_disable_talk_client.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.1.6_disable_telnet_server.cfg
+++ b/etc/conf.d/5.1.6_disable_telnet_server.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.1.7_disable_tftp_server.cfg
+++ b/etc/conf.d/5.1.7_disable_tftp_server.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.1.8_disable_inetd.cfg
+++ b/etc/conf.d/5.1.8_disable_inetd.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.2_disable_chargen.cfg
+++ b/etc/conf.d/5.2_disable_chargen.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.3_disable_daytime.cfg
+++ b/etc/conf.d/5.3_disable_daytime.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.4_disable_echo.cfg
+++ b/etc/conf.d/5.4_disable_echo.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.5_disable_discard.cfg
+++ b/etc/conf.d/5.5_disable_discard.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/5.6_disable_time.cfg
+++ b/etc/conf.d/5.6_disable_time.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/6.10_disable_http_server.cfg
+++ b/etc/conf.d/6.10_disable_http_server.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/6.11_disable_imap_pop.cfg
+++ b/etc/conf.d/6.11_disable_imap_pop.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/6.12_disable_samba.cfg
+++ b/etc/conf.d/6.12_disable_samba.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/6.13_disable_http_proxy.cfg
+++ b/etc/conf.d/6.13_disable_http_proxy.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/6.14_disable_snmp_server.cfg
+++ b/etc/conf.d/6.14_disable_snmp_server.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/6.15_mta_localhost.cfg
+++ b/etc/conf.d/6.15_mta_localhost.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/etc/conf.d/6.16_disable_rsync.cfg
+++ b/etc/conf.d/6.16_disable_rsync.cfg
@ -1,2 +0,0 @@
-# Configuration for script of same name
-status=disabled
--- a/Show More
+++ b/Show More