Diffstat (limited to 'meta-security/recipes-security/bastille/files/config')
-rwxr-xr-x | meta-security/recipes-security/bastille/files/config | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/meta-security/recipes-security/bastille/files/config b/meta-security/recipes-security/bastille/files/config
new file mode 100755
index 0000000000..9e5e206584
--- /dev/null
+++ b/meta-security/recipes-security/bastille/files/config
@@ -0,0 +1,106 @@
+# Q: Would you like to enforce password aging? [Y]
+AccountSecurity.passwdage="Y"
+# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
+AccountSecurity.protectrhost="Y"
+# Q: Should we disallow root login on tty's 1-6? [N]
+AccountSecurity.rootttylogins="Y"
+# Q: What umask would you like to set for users on the system? [077]
+AccountSecurity.umask="077"
+# Q: Do you want to set the default umask? [Y]
+AccountSecurity.umaskyn="Y"
+# Q: Would you like to deactivate the Apache web server? [Y]
+Apache.apacheoff="Y"
+# Q: Would you like to password protect single-user mode? [Y]
+BootSecurity.passsum="Y"
+# Q: Should we restrict console access to a small group of user accounts? [N]
+ConfigureMiscPAM.consolelogin="Y"
+# Q: Which accounts should be able to login at console? [root]
+ConfigureMiscPAM.consolelogin_accounts="root"
+# Q: Would you like to put limits on system resource usage? [N]
+ConfigureMiscPAM.limitsconf="Y"
+# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
+FilePermissions.generalperms_1_1="Y"
+# Q: Would you like to disable SUID status for mount/umount?
+FilePermissions.suidmount="Y"
+# Q: Would you like to disable SUID status for ping? [Y]
+FilePermissions.suidping="Y"
+# Q: Would you like to disable SUID status for traceroute? [Y]
+FilePermissions.suidtrace="Y"
+# Q: Do you need the advanced networking options?
+Firewall.ip_advnetwork="Y"
+# Q: Should Bastille run the firewall and enable it at boot time? [N]
+Firewall.ip_enable_firewall="Y"
+# Q: Would you like to run the packet filtering script? [N]
+Firewall.ip_intro="Y"
+# Q: Interfaces for DHCP queries: [ ]
+Firewall.ip_s_dhcpiface=" "
+# Q: DNS servers: [0.0.0.0/0]
+Firewall.ip_s_dns="10.184.9.1"
+# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
+Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
+# Q: ICMP services to audit: [ ]
+Firewall.ip_s_icmpaudit=" "
+# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
+Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
+# Q: Internal interfaces: [ ]
+Firewall.ip_s_internaliface=" "
+# Q: TCP service names or port numbers to allow on private interfaces: [ ]
+Firewall.ip_s_internaltcp=" "
+# Q: UDP service names or port numbers to allow on private interfaces: [ ]
+Firewall.ip_s_internaludp=" "
+# Q: Masqueraded networks: [ ]
+Firewall.ip_s_ipmasq=" "
+# Q: Kernel modules to masquerade: [ftp raudio vdolive]
+Firewall.ip_s_kernelmasq="ftp raudio vdolive"
+# Q: NTP servers to query: [ ]
+Firewall.ip_s_ntpsrv=" "
+# Q: Force passive mode? [N]
+Firewall.ip_s_passiveftp="N"
+# Q: Public interfaces: [eth+ ppp+ slip+]
+Firewall.ip_s_publiciface="eth+ ppp+ slip+"
+# Q: TCP service names or port numbers to allow on public interfaces:[ ]
+Firewall.ip_s_publictcp=" "
+# Q: UDP service names or port numbers to allow on public interfaces:[ ]
+Firewall.ip_s_publicudp=" "
+# Q: Reject method: [DENY]
+Firewall.ip_s_rejectmethod="DENY"
+# Q: Enable source address verification? [Y]
+Firewall.ip_s_srcaddr="Y"
+# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
+Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
+# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
+Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
+# Q: Trusted interface names: [lo]
+Firewall.ip_s_trustiface="lo"
+# Q: UDP services to audit: [31337]
+Firewall.ip_s_udpaudit="31337"
+# Q: UDP services to block: [2049 6770]
+Firewall.ip_s_udpblock="2049 6770"
+# Q: Would you like to add additional logging? [Y]
+Logging.morelogging="Y"
+# Q: Would you like to set up process accounting? [N]
+Logging.pacct="N"
+# Q: Do you have a remote logging host? [N]
+Logging.remotelog="N"
+# Q: Would you like to disable acpid and/or apmd? [Y]
+MiscellaneousDaemons.apmd="Y"
+# Q: Would you like to deactivate NFS and Samba? [Y]
+MiscellaneousDaemons.remotefs="Y"
+# Q: Would you like to disable printing? [N]
+Printing.printing="Y"
+# Q: Would you like to disable printing? [N]
+Printing.printing_cups="Y"
+# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
+SecureInetd.banners="Y"
+# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
+SecureInetd.deactivate_ftp="Y"
+# Q: Should Bastille ensure the telnet service does not run on this system? [y]
+SecureInetd.deactivate_telnet="Y"
+# Q: Who is responsible for granting authorization to use this machine?
+SecureInetd.owner="its owner"
+# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
+SecureInetd.tcpd_default_deny="Y"
+# Q: Do you want to stop sendmail from running in daemon mode? [Y]
+Sendmail.sendmaildaemon="Y"
+# Q: Would you like to install TMPDIR/TMP scripts? [N]
+TMPDIR.tmpdir="N" |
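Review bot: `Firewall.ip_s_dns="10.184.9.1"` bakes a site-specific resolver into a default config shipped by the layer, while the prompt text on the line above records the shipped default as `0.0.0.0/0`; every image built from this recipe will restrict outbound DNS to that one address and lose name resolution on any other network. It is the only host-specific value in the file, so it looks like an artefact of the environment in which the answers were recorded; either restore `Firewall.ip_s_dns="0.0.0.0/0"` or have the recipe substitute the value at build time. Two interactions also deserve a header comment in the file: `AccountSecurity.rootttylogins="Y"` blocks root on tty1-6 while `ConfigureMiscPAM.consolelogin_accounts="root"` permits only root at the console, which appears to leave no account able to log in locally, and with `Firewall.ip_s_publictcp=" "` empty and the firewall enabled no inbound TCP, ssh included, is admitted on the public interfaces. The second `# Q: Would you like to disable printing? [N]` comment (above `Printing.printing_cups`) duplicates the first and should name CUPS, and `SecureInetd.owner="its owner"` is the placeholder answer rather than a responsible party.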