#!/bin/bash
#================
# FILE : image.sh
#----------------
# PROJECT : SUSE Public Cloud recipes
# COPYRIGHT : (c) 2025 SUSE LLC. All rights reserved
# :
# CONTACT : Public Cloud Team public-cloud-dev@susecloud.net
# :
# BELONGS TO : Operating System images
# :
# DESCRIPTION : OS configuration script
#----------------
#======================================
# Functions...
#--------------------------------------
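# kiwi's build environment files are sourced before strict mode is enabled,
# so an absent or partly failing file does not abort the build.
# $kiwi_iname is presumably defined by /.kconfig -- confirm against kiwi.
test -f /.kconfig && . /.kconfig
test -f /.profile && . /.profile
#======================================
# Fail build on error
#--------------------------------------
# -e aborts on the first failing command. pipefail makes a pipeline report
# the failure of any stage, so a failing producer in a "cmd | while ..."
# loop is not masked by the loop's own (successful) exit status.
set -e
set -o pipefail
#======================================
# Greeting...
#--------------------------------------
echo "Setup image: [$kiwi_iname]..."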
# keg: included from hardened-config
# NOTE for disabled rules:
#
# rules that need running systemd do not work in chroot, disable
# them until there is an upstream solution.
#
# rule pam_disable_automatic_configuration uses a bash input redirection
# type that requires /proc, which is not available in kiwi's create step.
#
# file_permissions_backup_etc_shadow remediation is pointless, useradd
# creates new backup with standard permissions
#
# permissions_local_var_log requires files in /var/log to be not world
# readable, which is hard to enforce.
#
# xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions
# requires all files in user home trees to restrict access. Not enforceable.
#
# disable any potential sysctl rules, they do not work properly in chroot.
#
# disable the following rules proactively, as they were recently added
# to profile upstream and will break once package is updated
#
# accounts_users_home_files_permissions
# mount_option_dev_shm_noexec
# permissions_local_var_log
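rules_to_disable="\
xccdf_org.ssgproject.content_rule_ensure_logrotate_activated
xccdf_org.ssgproject.content_rule_service_firewalld_enabled
xccdf_org.ssgproject.content_rule_pam_disable_automatic_configuration
xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions
xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
xccdf_org.ssgproject.content_rule_permissions_local_var_log
xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer
xccdf_org.ssgproject.content_rule_.*sysctl"
ssg_file="/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml"
# Each entry is applied as an unanchored sed regex to the datastream: '.'
# matches any character, and an id that is a prefix of a longer rule id
# deselects that longer rule as well (the trailing ".*sysctl" entry relies
# on exactly this to catch every sysctl_* rule). Entries listed
# pro-actively may not exist in the installed datastream yet, so a
# non-matching entry is reported but is not fatal.
#
# NOTE(review): service_firewalld_enabled and
# aide_periodic_checking_systemd_timer are presumably skipped only because
# a chroot has no running systemd; confirm that another build step enables
# firewalld and the AIDE timer, otherwise the booted image ships without them.
if [ ! -f "$ssg_file" ]; then
    echo "!!!FAILED: SCAP datastream $ssg_file not found" >&2
    exit 1
fi
for rule in $rules_to_disable ; do
    echo "disable hardening rule $rule"
    if ! grep -q -- "$rule" "$ssg_file"; then
        echo "WARNING: rule pattern $rule not present in $ssg_file, nothing to disable" >&2
        continue
    fi
    sed -i -e "/$rule/ s/selected=\"true\"/selected=\"false\"/" "$ssg_file"
done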
# temp fix for missing filepath in limit password reuse rule (bsc#1241615)
# The OVAL object for accounts_password_pam_pwhistory_remember ships with an
# empty <ind:filepath/>, so the check has no file to read. Starting at the
# line carrying that object id, lines are accumulated (label n / N) until
# the closing </ind:textfilecontent54_object> is in the pattern space; the
# empty element is then replaced by the real path and "b" ends the cycle.
# This is a no-op once the upstream content carries a filepath.
# NOTE(review): edits the datastream in place and assumes the object id
# occurs only once -- confirm if the content is ever regenerated.
sed -i -e \
'/textfilecontent54_object id="oval:ssg-object_accounts_password_pam_pwhistory_remember/{ :n N;
/<\/ind:textfilecontent54_object>/ { /<ind:filepath\/>/ {
s;<ind:filepath/>;<ind:filepath>/etc/pam.d/common-password</ind:filepath>; } ;b
}; bn
}' $ssg_file
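# run pam_disable_automatic_configuration remediation directly, to
# mitigate disabling of the rule
# Every /etc/pam.d/common-* symlink is replaced by a copy of its fully
# resolved target (presumably the pam-config generated common-*-pc files --
# confirm), so the PAM stacks become static files. -p keeps mode and
# timestamps; --remove-destination replaces the link itself rather than
# writing through it. A dangling link is reported by name up front instead
# of surfacing as a cryptic cp error; the exit propagates through the
# pipeline under set -e.
find /etc/pam.d/ -type l -iname "common-*" -print0 | \
while IFS= read -r -d '' link; do
    target=$(readlink -f -- "$link")
    if [ ! -f "$target" ]; then
        echo "!!!FAILED: $link points to missing target $target" >&2
        exit 1
    fi
    cp -p --remove-destination -- "$target" "$link"
done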
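# create empty /etc/security/opasswd file, otherwise mitigation for
# xccdf_org.ssgproject.content_rule_file_etc_security_opasswd will fail
# touch keeps the content of an already existing file; 0600 is what the
# rule enforces. Ownership root:root is implied by the build running as
# root -- confirm if that ever changes.
touch /etc/security/opasswd
chmod 600 /etc/security/opasswd
# run sap image hardening script
# ssg_file is (re)set here so this section stays self-contained when the
# recipe snippets are assembled in a different order.
ssg_file="/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml"
echo "run oscap --profile pcs-hardening-sap"
# Any non-zero status from oscap (an evaluation error or, per oscap's
# exit-code contract, a rule that still fails after remediation) must fail
# the build. Exit explicitly instead of relying on set -e picking up the
# status of /bin/false at the end of the || list.
oscap xccdf eval --remediate --profile pcs-hardening-sap "$ssg_file" || {
    echo "!!!FAILED: --profile pcs-hardening-sap" >&2
    exit 1
}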
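RULES_FROM_CIS=" \
banner_etc_issue_net \
account_disable_post_pw_expiration \
accounts_set_post_pw_existing \
file_permissions_home_directories \
rsyslog_files_permissions \
journald_forward_to_syslog \
rsyslog_remote_loghost \
package_nftables_removed \
file_at_deny_not_exist \
file_cron_deny_not_exist \
package_rpcbind_removed \
package_net-snmp_removed \
sshd_set_keepalive \
disable_host_auth \
sshd_disable_empty_passwords \
sshd_disable_rhosts \
sshd_do_not_permit_user_env \
sshd_set_max_auth_tries \
sshd_use_strong_kex \
accounts_umask_etc_login_defs"
# NOTE: the following were disabled because they try to read from /proc/sys
# and potentially call sysctl which does not work or make sense in chroot.
#
# sysctl_fs_suid_dumpable
# sysctl_kernel_randomize_va_space
# sysctl_net_ipv6_conf_all_accept_ra
# sysctl_net_ipv6_conf_all_accept_source_route
# sysctl_net_ipv6_conf_all_forwarding
# sysctl_net_ipv6_conf_default_accept_ra
# sysctl_net_ipv6_conf_default_accept_source_route
# sysctl_net_ipv4_conf_all_log_martians
# sysctl_net_ipv4_conf_all_rp_filter
# sysctl_net_ipv4_conf_all_secure_redirects
# sysctl_net_ipv4_conf_default_log_martians
# sysctl_net_ipv4_conf_default_rp_filter
# sysctl_net_ipv4_conf_default_secure_redirects
# sysctl_net_ipv4_icmp_ignore_bogus_error_responses
# sysctl_net_ipv4_tcp_syncookies
# sysctl_net_ipv4_conf_all_send_redirects
# sysctl_net_ipv4_conf_default_send_redirects
# sysctl_net_ipv4_ip_forward
#
# NOTE(review): nothing in this script writes those sysctl values; confirm
# a sysctl.d drop-in in the image description provides them, otherwise the
# booted image runs without these kernel hardening settings.
#
# NOTE: Disabled permissions_local_var_log, some log files will be created world-readable
#
# NOTE: Disabled mount_option_dev_shm_noexec because we cannot alter /etc/fstab in build
#
# NOTE: Disabled accounts_users_home_files_permissions, not really enforceable
#
# Build one --rule argument per short id. RULE_ARGS is reset first so a
# value inherited from the sourced .kconfig/.profile environment cannot leak
# in; it stays a whitespace separated string because the ids contain no
# whitespace and it is expanded unquoted on purpose below.
RULE_ARGS=""
for RULE in ${RULES_FROM_CIS}; do
    RULE_ARGS="$RULE_ARGS --rule xccdf_org.ssgproject.content_rule_$RULE"
done
# remediate selected rules; report and abort on failure exactly like the
# profile run above, so a failing CIS rule does not pass silently by
# depending on set -e alone.
echo "run oscap --remediate for CIS rule subset"
# shellcheck disable=SC2086  # intentional word splitting of RULE_ARGS
oscap xccdf eval --remediate $RULE_ARGS "$ssg_file" || {
    echo "!!!FAILED: --rule remediation of CIS subset" >&2
    exit 1
}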