SUSE:SLE-15-SP6:Update
SLES15-SP6-SAP-Hardened-BYOS
File images.sh of Package SLES15-SP6-SAP-Hardened-BYOS
#!/bin/bash
#================
# FILE          : image.sh
#----------------
# PROJECT       : SUSE Public Cloud recipes
# COPYRIGHT     : (c) 2024 SUSE LLC. All rights reserved
#               :
# CONTACT       : Public Cloud Team public-cloud-dev@susecloud.net
#               :
# BELONGS TO    : Operating System images
#               :
# DESCRIPTION   : OS configuration script
#----------------
#======================================
# Functions...
#--------------------------------------
test -f /.kconfig && . /.kconfig
test -f /.profile && . /.profile

#======================================
# Fail build on error
#--------------------------------------
set -e

#======================================
# Greeting...
#--------------------------------------
echo "Setup image: [$kiwi_iname]..."

# keg: included from hardened-config
# NOTE for disabled rules:
#
# rules that need running systemd do not work in chroot, disable
# them until there is an upstream solution.
#
# rule pam_disable_automatic_configuration uses a bash input redirection
# type that requires /proc, which is not available in kiwi's create step.
#
# file_permissions_backup_etc_shadow remediation is pointless, useradd
# creates a new backup with standard permissions
#
# permissions_local_var_log requires files in /var/log to be not world
# readable, which is hard to enforce.
#
# xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions
# requires all files in user home trees to restrict access. Not enforceable.
#
# disable any potential sysctl rules, they do not work properly in chroot.
#
# disable the following rules proactively, as they were recently added
# to the profile upstream and will break once the package is updated
#
# accounts_users_home_files_permissions
# mount_option_dev_shm_noexec
# permissions_local_var_log
rules_to_disable="\
xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
xccdf_org.ssgproject.content_rule_service_firewalld_enabled
xccdf_org.ssgproject.content_rule_pam_disable_automatic_configuration
xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
xccdf_org.ssgproject.content_rule_permissions_local_var_log
xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer
xccdf_org.ssgproject.content_rule_.*sysctl"
ssg_file="/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml"
# flip every matching <select> from selected="true" to selected="false"
# in the datastream; note that sed matches $rule as a regular expression
for rule in $rules_to_disable ; do
    echo "disable hardening rule $rule"
    sed -i -e "/$rule/ s/selected=\"true\"/selected=\"false\"/" $ssg_file
done

# run pam_disable_automatic_configuration remediation directly, to
# mitigate disabling of the rule: replace each /etc/pam.d/common-* symlink
# with a copy of its target so pam-config no longer rewrites it
find /etc/pam.d/ -type l -iname "common-*" -print0 | \
while IFS= read -r -d '' link; do
    target=$(readlink -f "$link")
    cp -p --remove-destination "$target" "$link"
done

# run sap image hardening script
ssg_file="/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml"
echo "run oscap --profile pcs-hardening-sap"
oscap xccdf eval --remediate --profile pcs-hardening-sap $ssg_file || {
    echo "!!!FAILED: --profile pcs-hardening-sap"
    /bin/false
}

RULES_FROM_CIS=" \
banner_etc_issue_net \
account_disable_post_pw_expiration \
accounts_set_post_pw_existing \
file_permissions_home_directories \
rsyslog_files_permissions \
journald_forward_to_syslog \
rsyslog_remote_loghost \
package_nftables_removed \
file_at_deny_not_exist \
file_cron_deny_not_exist \
package_rpcbind_removed \
package_net-snmp_removed \
sshd_set_keepalive \
disable_host_auth \
sshd_disable_empty_passwords \
sshd_disable_rhosts \
sshd_do_not_permit_user_env \
sshd_set_max_auth_tries \
sshd_use_strong_kex \
accounts_umask_etc_login_defs"

# NOTE: the following were disabled because they try to read from /proc/sys
# and potentially call sysctl, which does not work or make sense in chroot.
#
# sysctl_fs_suid_dumpable
# sysctl_kernel_randomize_va_space
# sysctl_net_ipv6_conf_all_accept_ra
# sysctl_net_ipv6_conf_all_accept_source_route
# sysctl_net_ipv6_conf_all_forwarding
# sysctl_net_ipv6_conf_default_accept_ra
# sysctl_net_ipv6_conf_default_accept_source_route
# sysctl_net_ipv4_conf_all_log_martians
# sysctl_net_ipv4_conf_all_rp_filter
# sysctl_net_ipv4_conf_all_secure_redirects
# sysctl_net_ipv4_conf_default_log_martians
# sysctl_net_ipv4_conf_default_rp_filter
# sysctl_net_ipv4_conf_default_secure_redirects
# sysctl_net_ipv4_icmp_ignore_bogus_error_responses
# sysctl_net_ipv4_tcp_syncookies
# sysctl_net_ipv4_conf_all_send_redirects
# sysctl_net_ipv4_conf_default_send_redirects
# sysctl_net_ipv4_ip_forward
#
# NOTE: Disabled permissions_local_var_log, some log files will be created world-readable
#
# NOTE: Disabled mount_option_dev_shm_noexec because we cannot alter /etc/fstab in build
#
# NOTE: Disabled accounts_users_home_files_permissions, not really enforceable
for RULE in ${RULES_FROM_CIS}; do
    RULE_ARGS="$RULE_ARGS --rule xccdf_org.ssgproject.content_rule_$RULE"
done

# remediate selected rules
oscap xccdf eval --remediate $RULE_ARGS $ssg_file
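The build script above disables rules by running sed over the datastream and does not notice when a rule name matches nothing. The following is an added example (not part of the SUSE images.sh script) that performs the same selected="true" to selected="false" edit but reports unmatched rule names and counts what is still selected; it operates on a small constructed datastream-like XML file rather than the real ssg-sle15-ds.xml.

```shell
#!/bin/bash
# Added example, not from the SUSE build script: disable XCCDF rules in a
# SCAP datastream the way images.sh does, but verify that each rule matched.
set -e

# Constructed sample of the <select> lines found in a profile (not the real
# ssg-sle15-ds.xml). Written to the path given as $1.
make_sample_ds() {
    cat > "$1" <<'EOF'
<Profile id="xccdf_org.ssgproject.content_profile_pcs-hardening-sap">
  <select idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" selected="true"/>
  <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" selected="true"/>
  <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/>
</Profile>
EOF
}

# disable_rules DATASTREAM RULE... : flip selected="true" to "false" on every
# line matching RULE (a regex, as in the build script). Prints the rules that
# matched no selected line, so a typo or renamed rule cannot pass silently.
disable_rules() {
    local ds="$1"; shift
    local rule unmatched=""
    for rule in "$@"; do
        if grep -q "$rule.*selected=\"true\"" "$ds"; then
            sed -i -e "/$rule/ s/selected=\"true\"/selected=\"false\"/" "$ds"
        else
            unmatched="$unmatched $rule"
        fi
    done
    echo "${unmatched# }"
}

# count_selected DATASTREAM : number of rules still selected="true".
count_selected() {
    grep -c 'selected="true"' "$1" || true
}
```

Run disable_rules with the same rule list as images.sh against the real datastream and treat a non-empty output as a build error.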