openSUSE:Leap:15.5:Update
SLES15-SP5-SAP-Hardened-BYOS
config.sh
File config.sh of Package SLES15-SP5-SAP-Hardened-BYOS
#!/bin/bash
#================
# FILE          : config.sh
#----------------
# PROJECT       : SUSE Public Cloud recipes
# COPYRIGHT     : (c) 2023 SUSE LLC. All rights reserved
#               :
# CONTACT       : Public Cloud Team public-cloud-dev@susecloud.net
#               :
# BELONGS TO    : Operating System images
#               :
# DESCRIPTION   : OS configuration script
#               :
#               :
# STATUS        : Production
# GENERATED BY  : keg 1.1.0 on 2023-02-17 14:37:58
#----------------
#======================================
# Functions...
#--------------------------------------
test -f /.kconfig && . /.kconfig
test -f /.profile && . /.profile

#======================================
# Fail build on error
#--------------------------------------
set -e

#======================================
# Greeting...
#--------------------------------------
echo "Configure image: [$kiwi_iname]..."

#======================================
# Setup the build keys
#--------------------------------------
suseImportBuildKey

# keg: included from common-sysconfig
baseUpdateSysConfig /etc/sysconfig/keyboard COMPOSETABLE "clear latin1.add"
baseUpdateSysConfig /etc/sysconfig/language INSTALLED_LANGUAGES ""
baseUpdateSysConfig /etc/sysconfig/language RC_LANG "C.UTF-8"
baseUpdateSysConfig /etc/sysconfig/security POLKIT_DEFAULT_PRIVS "restrictive"
baseUpdateSysConfig /etc/sysconfig/windowmanager DEFAULT_WM ""
baseUpdateSysConfig /etc/sysconfig/windowmanager INSTALL_DESKTOP_EXTENSIONS "no"

# keg: included from common-files
cat >> "/etc/profile" <<EOF
# yast in Public Cloud images fix
NCURSES_NO_UTF8_ACS=1
export NCURSES_NO_UTF8_ACS
EOF
cat >> "/etc/sysconfig/console" <<EOF
CONSOLE_ENCODING="UTF-8"
CONSOLE_FONT="lat9w-16.psfu"
CONSOLE_SCREENMAP="trivial"
EOF
cat >> "/etc/zypp/locks" <<EOF
type: package
match_type: glob
case_sensitive: on
solvable_name: plymouth*
EOF

# keg: included from sles4sap-variant
cat >> "/etc/os-release" <<EOF
VARIANT_ID="sles-sap-hardened"
EOF

# keg: included from common-config
# Start generate /etc/motd
#
source /etc/os-release
OS_PRETTY_NAME="$PRETTY_NAME"
OS_VERSION_MAJOR="${VERSION_ID%.*}"
ARCH="`uname -m`"
for suma_prod in /etc/products.d/SUSE-Manager-Server.prod /etc/products.d/SUSE-Manager-Proxy.prod
do
  if [[ -f $suma_prod ]]; then
    SUMA_VERSION=`sed -n -r -e '/<version>/s/( *<version>)([^<]*)(.*)/\2/p' $suma_prod`
    break
  fi
done
# absolute path: the build runs this script inside the image root
test -f /etc/products.d/SLES_SAP.prod && OS_PRETTY_NAME="$OS_PRETTY_NAME for SAP Applications"

get_motd_includes() {
  if [ -d /etc/motd.d ]; then
    for inc in `ls /etc/motd.d` ; do
      echo "r /etc/motd.d/${inc}"
    done
  fi
}

test -f /etc/motd-caption && cap_replace="r /etc/motd-caption"
# sed program that expands the placeholders in the motd templates
motd_func="\
s/{OS_PRETTY_NAME}/$OS_PRETTY_NAME/g
s/{OS_VERSION_MAJOR}/$OS_VERSION_MAJOR/g
s/{ARCH}/$ARCH/g
s/{SUMA_VERSION}/$SUMA_VERSION/g
/{CAPTION}/{
$cap_replace
d
}
/{INCLUDES}/{
`get_motd_includes`
d
}"

for motd in /etc/motd* ; do
  test -f $motd || continue
  sed -i -e "$motd_func" $motd
done

test -d /etc/motd.d && rm -r /etc/motd.d
test -f /etc/motd-caption && rm /etc/motd-caption
#
# End generate /etc/motd

[ -x /sbin/set_polkit_default_privs ] && /sbin/set_polkit_default_privs

# Generation of the iscsi config file moved to %post of the package
# This implies that all instances have the same iscsi initiator name as the
# file is generated during image build. We do not want this (bsc#1202540)
rm -rf /etc/iscsi/initiatorname.iscsi

# Lock the root password in the image
sed -i -e 's/^root:[^:]*:/root:*:/' /etc/shadow

# Point /etc/products.d/baseproduct at the single non-extension product.
# Iterate over every product file (not only the first array element) and
# collect candidates in an array so the count below is meaningful.
prodfiles=(`grep -l '<codestream>' /etc/products.d/*prod`)
prodfile=()
for p in "${prodfiles[@]}" ; do
  grep -q '<flavor>extension</flavor>' $p || prodfile+=("$p")
done
if [[ ${#prodfile[*]} -ne 1 ]]; then
  echo "No base product package installed or base product ambiguous." >&2
  false
else
  ln -sf `basename "${prodfile[0]}"` /etc/products.d/baseproduct
fi

sed -i -e 's/# download.use_deltarpm = true/download.use_deltarpm = false/' \
  /etc/zypp/zypp.conf
sed -i -e 's/latest,latest-1,running/latest,running/' /etc/zypp/zypp.conf

# keg: included from hardened-config
# run sap image hardening script
HARDENING_RULES=" \
  xccdf_org.ssgproject.content_rule_aide_check_audit_tools \
  xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking \
  xccdf_org.ssgproject.content_rule_aide_verify_acls \
  xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes \
  xccdf_org.ssgproject.content_rule_sudo_add_use_pty \
  xccdf_org.ssgproject.content_rule_sudo_custom_logfile \
  xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated \
  xccdf_org.ssgproject.content_rule_banner_etc_issue \
  xccdf_org.ssgproject.content_rule_banner_etc_motd \
  xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue \
  xccdf_org.ssgproject.content_rule_file_owner_etc_issue \
  xccdf_org.ssgproject.content_rule_display_login_attempts \
  xccdf_org.ssgproject.content_rule_pam_disable_automatic_configuration \
  xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember \
  xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay \
  xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2 \
  xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_dcredit \
  xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_difok \
  xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_lcredit \
  xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_minlen \
  xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ocredit \
  xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_retry \
  xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ucredit \
  xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_commonauth \
  xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth \
  xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction \
  xccdf_org.ssgproject.content_rule_smartcard_configure_ca \
  xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking \
  xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration \
  xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs \
  xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs \
  xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing \
  xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing \
  xccdf_org.ssgproject.content_rule_no_direct_root_logins \
  xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs \
  xccdf_org.ssgproject.content_rule_accounts_tmout \
  xccdf_org.ssgproject.content_rule_file_permissions_home_directories \
  xccdf_org.ssgproject.content_rule_audit_rules_enable_syscall_auditing \
  xccdf_org.ssgproject.content_rule_audit_rules_immutable \
  xccdf_org.ssgproject.content_rule_audit_rules_mac_modification \
  xccdf_org.ssgproject.content_rule_audit_rules_media_export \
  xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification \
  xccdf_org.ssgproject.content_rule_audit_rules_session_events \
  xccdf_org.ssgproject.content_rule_audit_rules_session_events_btmp \
  xccdf_org.ssgproject.content_rule_audit_rules_session_events_utmp \
  xccdf_org.ssgproject.content_rule_audit_rules_session_events_wtmp \
  xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function \
  xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions \
  xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group \
  xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow \
  xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd \
  xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd \
  xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount \
  xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2 \
  xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl \
  xccdf_org.ssgproject.content_rule_audit_rules_execution_chmod \
  xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl \
  xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon \
  xccdf_org.ssgproject.content_rule_audit_rules_execution_rm \
  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename \
  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat \
  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink \
  xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat2 \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink \
  xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat \
  xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete \
  xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit \
  xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init \
  xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock \
  xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog \
  xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chfn \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_modprobe \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passmass \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix2_chkpwd \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd \
  xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod \
  xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex \
  xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime \
  xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday \
  xccdf_org.ssgproject.content_rule_audit_rules_time_stime \
  xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime \
  xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records \
  xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action \
  xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action \
  xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action \
  xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left \
  xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action \
  xccdf_org.ssgproject.content_rule_journald_compress \
  xccdf_org.ssgproject.content_rule_journald_storage \
  xccdf_org.ssgproject.content_rule_ensure_logrotate_activated \
  xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled \
  xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled \
  xccdf_org.ssgproject.content_rule_file_etc_security_opasswd \
  xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow \
  xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow \
  xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs \
  xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled \
  xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled \
  xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled \
  xccdf_org.ssgproject.content_rule_disable_users_coredumps \
  xccdf_org.ssgproject.content_rule_file_permissions_cron_d \
  xccdf_org.ssgproject.content_rule_file_permissions_cron_daily \
  xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly \
  xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly \
  xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly \
  xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user \
  xccdf_org.ssgproject.content_rule_file_permissions_sshd_config \
  xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0 \
  xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout \
  xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding \
  xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts \
  xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding \
  xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner \
  xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time \
  xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose \
  xccdf_org.ssgproject.content_rule_sshd_set_max_sessions \
  xccdf_org.ssgproject.content_rule_sshd_set_maxstartups \
  xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers_ordered_stig \
  xccdf_org.ssgproject.content_rule_sshd_use_approved_macs \
  xccdf_org.ssgproject.content_rule_sshd_use_approved_macs_ordered_stig \
"

# remediate selected rules.
for RULE in ${HARDENING_RULES}; do
  oscap xccdf eval --remediate --profile pcs-hardening --rule ${RULE} \
    /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml || {
    # abort the image build if a rule cannot be remediated
    echo "!!!FAILED: ${RULE}" >&2
    exit 1
  }
done

# keg: included from common-services
baseInsertService boot.device-mapper
baseInsertService haveged
baseInsertService sshd
baseRemoveService boot.efivars
baseRemoveService boot.lvm
baseRemoveService boot.md
baseRemoveService boot.multipath
baseRemoveService display-manager
baseRemoveService kbd

if [[ $kiwi_profiles = Azure ]]; then
  # keg: included from azure-cloud-netconfig
  baseUpdateSysConfig /etc/sysconfig/network/config NETCONFIG_MODULES_ORDER "cloud-netconfig dns-resolver dns-bind dns-dnsmasq nis ntp-runtime"
  # keg: included from azure-set-hostname
  baseUpdateSysConfig /etc/sysconfig/network/dhcp DHCLIENT_SET_HOSTNAME "no"
  # keg: included from azure-scripts
  # Implement password policy
  # Length: 6-72 characters long
  # Contain any combination of 3 of the following:
  # - a lowercase character
  # - an uppercase character
  # - a number
  # - a special character
  pwd_policy="minlen=6 dcredit=1 ucredit=1 lcredit=1 ocredit=1 minclass=3"
  sed -i -e "s/pam_cracklib.so/pam_cracklib.so $pwd_policy/" \
    /etc/pam.d/common-password-pc
  sed -i -e 's/#ClientAliveInterval 0/ClientAliveInterval 180/' \
    /etc/ssh/sshd_config
  # keg: included from azure-default-kernel-log-level
  # Keep the default kernel log level (bsc#1169201)
  sed -i -e 's/$klogConsoleLogLevel/#$klogConsoleLogLevel/' /etc/rsyslog.conf
  # keg: included from azure-dhclient-timeout
  dc=/etc/dhclient.conf
  if grep -qE '^timeout' $dc ; then
    sed -r -i 's/^timeout.*/timeout 300;/' $dc
  else
    echo 'timeout 300;' >> $dc
  fi
  # keg: included from azure-sshd-config
  sed -i -e "s/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/" \
    /etc/ssh/sshd_config
  # keg: included from azure-waagent
  # Disable agent auto-update
  sed -i -e 's/AutoUpdate.Enabled=y/AutoUpdate.Enabled=n/' \
    /etc/waagent.conf
  # Generate all supported SSH host key types
  sed -i -e 's/SshHostKeyPairType=rsa/SshHostKeyPairType=auto/' \
    /etc/waagent.conf
  # Leave the ephemeral disk handling to cloud-init
  sed -i -e 's/ResourceDisk.Format=y/ResourceDisk.Format=n/' \
    /etc/waagent.conf
  # keg: included from vm-services
  baseInsertService chronyd
  # keg: included from azure-cloud-netconfig
  systemctl enable cloud-netconfig.timer
  # keg: included from azure-services
  baseInsertService cloud-config
  baseInsertService cloud-final
  baseInsertService cloud-init
  baseInsertService cloud-init-local
  baseInsertService waagent
  # keg: included from azure-regionsrv-timer
  systemctl enable regionsrv-enabler-azure.timer
fi

if [[ $kiwi_profiles = EC2 ]]; then
  # keg: included from ec2-cloud-netconfig
  baseUpdateSysConfig /etc/sysconfig/network/config NETCONFIG_MODULES_ORDER "cloud-netconfig dns-resolver dns-bind dns-dnsmasq nis ntp-runtime"
  # keg: included from ec2-set-hostname
  baseUpdateSysConfig /etc/sysconfig/network/dhcp DHCLIENT_SET_HOSTNAME "no"
  # keg: included from grub-root-label-workaround-bsc#1197616
  cat >> "/etc/default/grub" <<EOF
GRUB_CMDLINE_LINUX="root=LABEL=ROOT"
SUSE_REMOVE_LINUX_ROOT_PARAM=true
EOF
  # keg: included from ec2-scripts
  # No Xen based instance types for ARM, no need for custom config
  if [ "`uname -m`" = "aarch64" ]; then
    rm -f /etc/dracut.conf.d/07-*.conf
  fi
  sed -i -e "s/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/" \
    /etc/ssh/sshd_config
  # Disable password based login via ssh
  sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/' \
    /etc/ssh/sshd_config
  # keg: included from vm-services
  baseInsertService chronyd
  # keg: included from ec2-services
  baseInsertService cloud-config
  baseInsertService cloud-final
  baseInsertService cloud-init
  baseInsertService cloud-init-local
  # keg: included from ec2-cloud-netconfig
  systemctl enable cloud-netconfig.timer
fi

if [[ $kiwi_profiles = GCE ]]; then
  # keg: included from gce-sysconfig-netconfig
  baseUpdateSysConfig /etc/sysconfig/network/config NETCONFIG_MODULES_ORDER "cloud-netconfig dns-resolver dns-bind dns-dnsmasq nis ntp-runtime"
  # keg: included from gce-set-hostname
  baseUpdateSysConfig /etc/sysconfig/network/dhcp DHCLIENT_SET_HOSTNAME "yes"
  # keg: included from gce-config
  cat >> "/etc/boto.cfg" <<EOF
[Boto]
ca_certificates_file = system
EOF
  cat >> "/etc/boto.cfg.template" <<EOF
[Boto]
ca_certificates_file = system
EOF
  cat >> "/etc/default/instance_configs.cfg.distro" <<EOF
[InstanceSetup]
set_boto_config = false
EOF
  # keg: included from gce-config
  sed -i -e "s/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/" \
    /etc/ssh/sshd_config
  # Disable password based login via ssh
  sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/' \
    /etc/ssh/sshd_config
  # keg: included from vm-services
  baseInsertService chronyd
  # keg: included from gce-services
  baseInsertService google-guest-agent
  baseInsertService google-osconfig-agent
  systemctl enable google-oslogin-cache.timer
  baseInsertService google-shutdown-scripts
  baseInsertService google-startup-scripts
  baseInsertService rootgrow
fi
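An added post-build check, not code from the SUSE config.sh or the keg recipes above: the sshd hardening in the EC2 and GCE profiles is done with sed patterns that match the commented packaged default, so a line that already differs is silently left alone. This example reads the effective value of an sshd_config keyword the way sshd does (first occurrence wins) and checks it against the hardened value; it assumes GNU sed and awk and constructs its own sample sshd_config files.

```shell
#!/bin/bash
# Added example (not part of config.sh). It verifies that the sshd edits the
# image script applies really took effect, instead of trusting the sed run.

# Print the effective value of one sshd_config keyword. sshd takes the FIRST
# occurrence, keywords are case-insensitive, and "key value" or "key=value"
# are both accepted. Prints nothing when the keyword is unset (compiled-in
# default in force). Match blocks are not modelled; on a live host prefer
# 'sshd -T' for the authoritative effective configuration.
sshd_effective() {
    local file=$1 key=$2
    awk -v key="$key" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t]+=?[ \t]*|[ \t]*=[ \t]*/)) next
            k = tolower(substr(line, 1, RSTART - 1))
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", v)
            if (k == tolower(key)) { print v; exit }
        }' "$file"
}

# Return 0 when the effective value is the hardened one, 1 otherwise.
check_sshd_setting() {
    local got
    got=$(sshd_effective "$1" "$2")
    [ "$got" = "$3" ]
}

# The two sshd edits config.sh applies for the EC2 and GCE profiles.
apply_page_sshd_edits() {
    sed -i -e 's/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' \
           -e 's/#PasswordAuthentication yes/PasswordAuthentication no/' "$1"
}

# Constructed sample in the shape the sed patterns expect.
make_default_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config: packaged default shape
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
#ClientAliveInterval 0
EOF
}

# Constructed sample where the line is already uncommented: the sed pattern
# does not match and password logins stay enabled after the "hardening".
make_mismatched_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config: pattern does not match
PasswordAuthentication yes
#ChallengeResponseAuthentication yes
EOF
}

good=$(mktemp) bad=$(mktemp)
make_default_config "$good";   apply_page_sshd_edits "$good"
make_mismatched_config "$bad"; apply_page_sshd_edits "$bad"
check_sshd_setting "$good" PasswordAuthentication no && echo "default shape: hardened"
check_sshd_setting "$bad" PasswordAuthentication no || echo "mismatched shape: NOT hardened"
rm -f "$good" "$bad"
```

Run the same check against the root of a built image (for example `sshd_effective /mnt/image/etc/ssh/sshd_config PasswordAuthentication`) to catch a silently unmatched pattern before the image ships.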