xref: /openbmc/openbmc/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/config (revision d583833a9a54248703bfc1ec48e2c98515f06899)
# Q:  Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q:  Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"
# Q:  Should we disallow root login on tty's 1-6? [N]
AccountSecurity.rootttylogins="Y"
# Q:  What umask would you like to set for users on the system? [077]
AccountSecurity.umask="077"
# Q:  Do you want to set the default umask? [Y]
AccountSecurity.umaskyn="Y"
# Q:  Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q:  Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q:  Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="Y"
# Q:  Which accounts should be able to login at console? [root]
ConfigureMiscPAM.consolelogin_accounts="root"
# Q:  Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="Y"
# Q:  Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1_1="Y"
# Q:  Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"
# Q:  Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="Y"
# Q:  Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="Y"
# Q:  Do you need the advanced networking options?
Firewall.ip_advnetwork="Y"
# Q:  Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="Y"
# Q:  Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"
# Q:  Interfaces for DHCP queries: [ ]
Firewall.ip_s_dhcpiface=" "
# Q:  DNS servers: [0.0.0.0/0]
Firewall.ip_s_dns="10.184.9.1"
# Q:  ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
# Q:  ICMP services to audit: [ ]
Firewall.ip_s_icmpaudit=" "
# Q:  ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
# Q:  Internal interfaces: [ ]
Firewall.ip_s_internaliface=" "
# Q:  TCP service names or port numbers to allow on private interfaces: [ ]
Firewall.ip_s_internaltcp=" "
# Q:  UDP service names or port numbers to allow on private interfaces: [ ]
Firewall.ip_s_internaludp=" "
# Q:  Masqueraded networks: [ ]
Firewall.ip_s_ipmasq=" "
# Q:  Kernel modules to masquerade: [ftp raudio vdolive]
Firewall.ip_s_kernelmasq="ftp raudio vdolive"
# Q:  NTP servers to query: [ ]
Firewall.ip_s_ntpsrv=" "
# Q:  Force passive mode? [N]
Firewall.ip_s_passiveftp="N"
# Q:  Public interfaces: [eth+ ppp+ slip+]
Firewall.ip_s_publiciface="eth+ ppp+ slip+"
# Q:  TCP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_s_publictcp=" "
# Q:  UDP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_s_publicudp=" "
# Q:  Reject method: [DENY]
Firewall.ip_s_rejectmethod="DENY"
# Q:  Enable source address verification? [Y]
Firewall.ip_s_srcaddr="Y"
# Q:  TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q:  TCP services to block: [2049 2065:2090 6000:6020 7100]
Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
# Q:  Trusted interface names: [lo]
Firewall.ip_s_trustiface="lo"
# Q:  UDP services to audit: [31337]
Firewall.ip_s_udpaudit="31337"
# Q:  UDP services to block: [2049 6770]
Firewall.ip_s_udpblock="2049 6770"
# Q:  Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q:  Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q:  Do you have a remote logging host? [N]
Logging.remotelog="N"
# Q:  Would you like to disable acpid and/or apmd? [Y]
MiscellaneousDaemons.apmd="Y"
# Q:  Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q:  Would you like to disable printing? [N]
Printing.printing="Y"
# Q:  Would you like to disable printing? [N]
Printing.printing_cups="Y"
# Q:  Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="Y"
# Q:  Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="Y"
# Q:  Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q:  Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
# Q:  Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="Y"
# Q:  Do you want to stop sendmail from running in daemon mode? [Y]
Sendmail.sendmaildaemon="Y"
# Q:  Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="N"