#!/bin/bash
#================
# FILE : config.sh
#----------------
# PROJECT : SUSE Public Cloud recipes
# COPYRIGHT : (c) 2023 SUSE LLC. All rights reserved
# :
# CONTACT : Public Cloud Team public-cloud-dev@susecloud.net
# :
# BELONGS TO : Operating System images
# :
# DESCRIPTION : OS configuration script
# :
# :
# STATUS : Production
# GENERATED BY : keg 1.1.0 on 2023-02-17 14:37:58
#----------------
#======================================
# Functions...
#--------------------------------------
# Load the kiwi build environment when the files exist (both are optional;
# /.kconfig presumably provides the kiwi_* variables and the base*/suse*
# helper functions used throughout this script -- verify against the kiwi
# version in use).
[[ -f /.kconfig ]] && source /.kconfig
[[ -f /.profile ]] && source /.profile
# Fail build on error: any unchecked non-zero status aborts the image build.
set -e
# Greeting...
printf 'Configure image: [%s]...\n' "$kiwi_iname"
#======================================
# Setup the build keys
#--------------------------------------
# Import the build signing key, then apply the common sysconfig defaults:
# one "file|KEY|value" record per line, values passed verbatim (an empty
# trailing field is handed over as an empty argument, spaces are kept).
suseImportBuildKey
# keg: included from common-sysconfig
while IFS='|' read -r cfg key val; do
  baseUpdateSysConfig "$cfg" "$key" "$val"
done <<'EOF'
/etc/sysconfig/keyboard|COMPOSETABLE|clear latin1.add
/etc/sysconfig/language|INSTALLED_LANGUAGES|
/etc/sysconfig/language|RC_LANG|C.UTF-8
/etc/sysconfig/security|POLKIT_DEFAULT_PRIVS|restrictive
/etc/sysconfig/windowmanager|DEFAULT_WM|
/etc/sysconfig/windowmanager|INSTALL_DESKTOP_EXTENSIONS|no
EOF
# keg: included from common-files
# Append fixed snippets to system files; none of them contain shell
# expansions, so they are written as literal lines.
# yast workaround for Public Cloud images: force plain ASCII line drawing.
printf '%s\n' \
  '# yast in Public Cloud images fix' \
  'NCURSES_NO_UTF8_ACS=1' \
  'export NCURSES_NO_UTF8_ACS' >> /etc/profile
# Console encoding/font defaults.
printf '%s\n' \
  'CONSOLE_ENCODING="UTF-8"' \
  'CONSOLE_FONT="lat9w-16.psfu"' \
  'CONSOLE_SCREENMAP="trivial"' >> /etc/sysconfig/console
# zypper package lock keeping plymouth* out of the image.
printf '%s\n' \
  'type: package' \
  'match_type: glob' \
  'case_sensitive: on' \
  'solvable_name: plymouth*' >> /etc/zypp/locks
# keg: included from sles4sap-variant
printf '%s\n' 'VARIANT_ID="sles-sap-hardened"' >> /etc/os-release
# keg: included from common-config
# Start generate /etc/motd
#
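# Collect the values substituted into the /etc/motd templates further down.
source /etc/os-release
OS_PRETTY_NAME="$PRETTY_NAME"
# Strip the last ".<minor>" from VERSION_ID (e.g. a value "15.5" yields "15").
OS_VERSION_MAJOR="${VERSION_ID%.*}"
ARCH="$(uname -m)"
# Take the SUSE Manager version from the first SUMA product file present;
# SUMA_VERSION stays unset (and expands to nothing in the sed program) when
# neither exists.
for suma_prod in /etc/products.d/SUSE-Manager-Server.prod /etc/products.d/SUSE-Manager-Proxy.prod; do
  if [[ -f "$suma_prod" ]]; then
    SUMA_VERSION=$(sed -n -r -e '/<version>/s/( *<version>)([^<]*)(.*)/\2/p' "$suma_prod")
    break
  fi
done
# Absolute path: the previous test used "etc/products.d/SLES_SAP.prod",
# which is resolved relative to the current working directory and so only
# matched when that directory happened to be /.
[[ -f /etc/products.d/SLES_SAP.prod ]] && OS_PRETTY_NAME="$OS_PRETTY_NAME for SAP Applications"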
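#######################################
# Emit sed 'r' commands for every entry of an motd include directory.
# Arguments: $1 - directory to scan (optional; defaults to /etc/motd.d, the
#                 path that was hard-coded before, so existing callers are
#                 unchanged)
# Outputs:   one "r <path>" line per directory entry, in glob order;
#            nothing when the directory is missing or empty
# Returns:   0
#######################################
get_motd_includes()
{
  local dir=${1:-/etc/motd.d}
  local inc
  [[ -d "$dir" ]] || return 0
  # Glob instead of parsing `ls`: an unmatched pattern expands to itself, so
  # skip that case explicitly rather than depending on nullglob.
  for inc in "$dir"/*; do
    [[ -e "$inc" ]] || continue
    printf 'r %s\n' "$inc"
  done
  return 0
}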
# Build the sed program that instantiates the motd templates: plain
# placeholder substitutions first, then two line-level replacements that
# splice in the caption file and the motd.d includes ('r' queues the file
# contents, 'd' drops the placeholder line itself). The substituted values
# are embedded verbatim in the program, so they must not contain '/'.
[[ -f /etc/motd-caption ]] && cap_replace="r /etc/motd-caption"
motd_func="\
s/{OS_PRETTY_NAME}/$OS_PRETTY_NAME/g
s/{OS_VERSION_MAJOR}/$OS_VERSION_MAJOR/g
s/{ARCH}/$ARCH/g
s/{SUMA_VERSION}/$SUMA_VERSION/g
/{CAPTION}/{
$cap_replace
d
}
/{INCLUDES}/{
$(get_motd_includes)
d
}"
# Apply it to every regular /etc/motd* file (the directory and the caption
# file also match the glob and are skipped here).
for motd in /etc/motd*; do
  [[ -f "$motd" ]] || continue
  sed -i -e "$motd_func" "$motd"
done
# The fragments are now inlined; remove the sources.
[[ -d /etc/motd.d ]] && rm -r /etc/motd.d
[[ -f /etc/motd-caption ]] && rm /etc/motd-caption
#
# End generate /etc/motd
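# Apply the polkit privilege defaults chosen above (POLKIT_DEFAULT_PRIVS)
# when the helper is installed.
[[ -x /sbin/set_polkit_default_privs ]] && /sbin/set_polkit_default_privs
# Generation of the iscsi config file moved to %post of the package
# This implies that all instances have the same iscsi initiator name as the
# file is generated during image build. We do not want this (bsc#1202540)
rm -f -- /etc/iscsi/initiatorname.iscsi
# Lock the root password: replace the hash field with '*' so no password
# can ever match it.
sed -i -e 's/^root:[^:]*:/root:*:/' /etc/shadow
# Point /etc/products.d/baseproduct at the single non-extension product that
# carries a <codestream> element. The earlier version iterated only the
# first grep hit (unquoted "$prodfiles") and collected the result in a
# string whose "array length" is always 0 or 1, so the ambiguity check could
# never fire and a base product listed second was missed; real arrays make
# the check meaningful.
mapfile -t prodfiles < <(grep -l '<codestream>' /etc/products.d/*prod)
prodfile=()
for p in "${prodfiles[@]}"; do
  grep -q '<flavor>extension</flavor>' "$p" || prodfile+=("$p")
done
if (( ${#prodfile[@]} != 1 )); then
  echo "No base product package installed or base product ambiguous." >&2
  exit 1
else
  ln -sf "$(basename "${prodfile[0]}")" /etc/products.d/baseproduct
fi
# zypper tuning: no delta rpms, and keep only the latest and the running
# kernel in the multiversion purge policy.
sed -i -e 's/# download.use_deltarpm = true/download.use_deltarpm = false/' \
  /etc/zypp/zypp.conf
sed -i -e 's/latest,latest-1,running/latest,running/' /etc/zypp/zypp.conf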
# keg: included from hardened-config
# run sap image hardening script
# XCCDF rule ids from the SCAP Security Guide datastream
# (/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml) that the loop below
# remediates one at a time. The value is a whitespace-separated list that is
# expanded unquoted on purpose, so every id must stay free of spaces; a
# comment cannot be placed inside the string without breaking it.
HARDENING_RULES=" \
xccdf_org.ssgproject.content_rule_aide_check_audit_tools \
xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking \
xccdf_org.ssgproject.content_rule_aide_verify_acls \
xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes \
xccdf_org.ssgproject.content_rule_sudo_add_use_pty \
xccdf_org.ssgproject.content_rule_sudo_custom_logfile \
xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated \
xccdf_org.ssgproject.content_rule_banner_etc_issue \
xccdf_org.ssgproject.content_rule_banner_etc_motd \
xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue \
xccdf_org.ssgproject.content_rule_file_owner_etc_issue \
xccdf_org.ssgproject.content_rule_display_login_attempts \
xccdf_org.ssgproject.content_rule_pam_disable_automatic_configuration \
xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember \
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faildelay_delay \
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_tally2 \
xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_dcredit \
xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_difok \
xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_lcredit \
xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_minlen \
xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ocredit \
xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_retry \
xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_ucredit \
xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_commonauth \
xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth \
xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction \
xccdf_org.ssgproject.content_rule_smartcard_configure_ca \
xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking \
xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration \
xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs \
xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs \
xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing \
xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing \
xccdf_org.ssgproject.content_rule_no_direct_root_logins \
xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs \
xccdf_org.ssgproject.content_rule_accounts_tmout \
xccdf_org.ssgproject.content_rule_file_permissions_home_directories \
xccdf_org.ssgproject.content_rule_audit_rules_enable_syscall_auditing \
xccdf_org.ssgproject.content_rule_audit_rules_immutable \
xccdf_org.ssgproject.content_rule_audit_rules_mac_modification \
xccdf_org.ssgproject.content_rule_audit_rules_media_export \
xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification \
xccdf_org.ssgproject.content_rule_audit_rules_session_events \
xccdf_org.ssgproject.content_rule_audit_rules_session_events_btmp \
xccdf_org.ssgproject.content_rule_audit_rules_session_events_utmp \
xccdf_org.ssgproject.content_rule_audit_rules_session_events_wtmp \
xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function \
xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions \
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group \
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow \
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd \
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd \
xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount \
xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2 \
xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl \
xccdf_org.ssgproject.content_rule_audit_rules_execution_chmod \
xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl \
xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon \
xccdf_org.ssgproject.content_rule_audit_rules_execution_rm \
xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename \
xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat \
xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink \
xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat2 \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink \
xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat \
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete \
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit \
xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init \
xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock \
xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog \
xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chfn \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_insmod \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_modprobe \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passmass \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_rmmod \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix2_chkpwd \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd \
xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod \
xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex \
xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime \
xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday \
xccdf_org.ssgproject.content_rule_audit_rules_time_stime \
xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime \
xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records \
xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action \
xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action \
xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action \
xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left \
xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action \
xccdf_org.ssgproject.content_rule_journald_compress \
xccdf_org.ssgproject.content_rule_journald_storage \
xccdf_org.ssgproject.content_rule_ensure_logrotate_activated \
xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled \
xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled \
xccdf_org.ssgproject.content_rule_file_etc_security_opasswd \
xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow \
xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow \
xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs \
xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled \
xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled \
xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled \
xccdf_org.ssgproject.content_rule_disable_users_coredumps \
xccdf_org.ssgproject.content_rule_file_permissions_cron_d \
xccdf_org.ssgproject.content_rule_file_permissions_cron_daily \
xccdf_org.ssgproject.content_rule_file_permissions_cron_hourly \
xccdf_org.ssgproject.content_rule_file_permissions_cron_monthly \
xccdf_org.ssgproject.content_rule_file_permissions_cron_weekly \
xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user \
xccdf_org.ssgproject.content_rule_file_permissions_sshd_config \
xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0 \
xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout \
xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding \
xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts \
xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding \
xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner \
xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time \
xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose \
xccdf_org.ssgproject.content_rule_sshd_set_max_sessions \
xccdf_org.ssgproject.content_rule_sshd_set_maxstartups \
xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers_ordered_stig \
xccdf_org.ssgproject.content_rule_sshd_use_approved_macs \
xccdf_org.ssgproject.content_rule_sshd_use_approved_macs_ordered_stig \
"
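# remediate selected rules.
# Each rule is evaluated and remediated on its own so the failing rule id is
# named in the build log; a non-zero oscap status aborts the build with an
# explicit exit instead of relying on a /bin/fail helper, matching the
# base-product check earlier in this file.
# shellcheck disable=SC2086 -- HARDENING_RULES is a whitespace-separated list
for RULE in ${HARDENING_RULES}; do
  oscap xccdf eval --remediate --profile pcs-hardening --rule "${RULE}" \
    /usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml || {
    echo "!!!FAILED: ${RULE}" >&2
    exit 1
  }
done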
# keg: included from common-services
# Services enabled in every profile, then the boot-time/desktop units that
# have no place in a cloud image (order matches the original call sequence).
for svc in boot.device-mapper haveged sshd; do
  baseInsertService "$svc"
done
for svc in boot.efivars boot.lvm boot.md boot.multipath display-manager kbd; do
  baseRemoveService "$svc"
done
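if [[ $kiwi_profiles = Azure ]]; then
  # keg: included from azure-cloud-netconfig
  baseUpdateSysConfig /etc/sysconfig/network/config NETCONFIG_MODULES_ORDER "cloud-netconfig dns-resolver dns-bind dns-dnsmasq nis ntp-runtime"
  # keg: included from azure-set-hostname
  baseUpdateSysConfig /etc/sysconfig/network/dhcp DHCLIENT_SET_HOSTNAME "no"
  # keg: included from azure-scripts
  # Implement password policy
  # Length: 6-72 characters long
  # Contain any combination of 3 of the following:
  # - a lowercase character
  # - an uppercase character
  # - a number
  # - a special character
  pwd_policy="minlen=6 dcredit=1 ucredit=1 lcredit=1 ocredit=1 minclass=3"
  # Appended to the pam_cracklib line; the module name is matched literally,
  # so nothing changes if the file references a different module.
  sed -i -e "s/pam_cracklib.so/pam_cracklib.so $pwd_policy/" \
    /etc/pam.d/common-password-pc
  sed -i -e 's/#ClientAliveInterval 0/ClientAliveInterval 180/' \
    /etc/ssh/sshd_config
  # keg: included from azure-default-kernel-log-level
  # Keep the default kernel log level (bsc#1169201)
  # Single quotes keep the shell away from '$'; GNU sed treats a '$' that is
  # not at the end of the pattern as a literal character.
  sed -i -e 's/$klogConsoleLogLevel/#$klogConsoleLogLevel/' /etc/rsyslog.conf
  # keg: included from azure-dhclient-timeout
  dc=/etc/dhclient.conf
  if grep -qE '^timeout' "$dc"; then
    sed -r -i 's/^timeout.*/timeout 300;/' "$dc"
  else
    # A missing file also lands here (grep reports it on stderr); the append
    # creates it.
    echo 'timeout 300;' >> "$dc"
  fi
  # keg: included from azure-sshd-config
  sed -i -e "s/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/" \
    /etc/ssh/sshd_config
  # The sshd edits above only rewrite the stock commented-out defaults, so a
  # differently laid out sshd_config would leave them as silent no-ops.
  # Verify that the intended directives are really present and fail the
  # build otherwise (sshd_config.d drop-ins are not inspected here).
  for opt in 'ClientAliveInterval 180' 'ChallengeResponseAuthentication no'; do
    grep -qx -- "$opt" /etc/ssh/sshd_config || {
      printf 'ERROR: "%s" missing from /etc/ssh/sshd_config after edit\n' "$opt" >&2
      exit 1
    }
  done
  # keg: included from azure-waagent
  # Disable agent auto-update
  sed -i -e 's/AutoUpdate.Enabled=y/AutoUpdate.Enabled=n/' \
    /etc/waagent.conf
  # Generate all supported SSH host key types
  sed -i -e 's/SshHostKeyPairType=rsa/SshHostKeyPairType=auto/' \
    /etc/waagent.conf
  # Leave the ephemeral disk handling to cloud-init
  sed -i -e 's/ResourceDisk.Format=y/ResourceDisk.Format=n/' \
    /etc/waagent.conf
  # keg: included from vm-services
  baseInsertService chronyd
  # keg: included from azure-cloud-netconfig
  systemctl enable cloud-netconfig.timer
  # keg: included from azure-services
  baseInsertService cloud-config
  baseInsertService cloud-final
  baseInsertService cloud-init
  baseInsertService cloud-init-local
  baseInsertService waagent
  # keg: included from azure-regionsrv-timer
  systemctl enable regionsrv-enabler-azure.timer
fi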
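if [[ $kiwi_profiles = EC2 ]]; then
  # keg: included from ec2-cloud-netconfig
  baseUpdateSysConfig /etc/sysconfig/network/config NETCONFIG_MODULES_ORDER "cloud-netconfig dns-resolver dns-bind dns-dnsmasq nis ntp-runtime"
  # keg: included from ec2-set-hostname
  baseUpdateSysConfig /etc/sysconfig/network/dhcp DHCLIENT_SET_HOSTNAME "no"
  # keg: included from grub-root-label-workaround-bsc#1197616
  # Literal append (no expansions); the heredoc body must stay at column 0.
  cat >> /etc/default/grub <<'EOF'
GRUB_CMDLINE_LINUX="root=LABEL=ROOT"
SUSE_REMOVE_LINUX_ROOT_PARAM=true
EOF
  # keg: included from ec2-scripts
  # No Xen based instance types for ARM, no need for custom config
  if [[ "$(uname -m)" = "aarch64" ]]; then
    # rm -f tolerates an unmatched glob (the literal pattern is passed on).
    rm -f /etc/dracut.conf.d/07-*.conf
  fi
  sed -i -e "s/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/" \
    /etc/ssh/sshd_config
  # Disable password based login via ssh
  sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/' \
    /etc/ssh/sshd_config
  # The two sed edits above only rewrite the stock commented-out defaults; if
  # the shipped sshd_config differs they are silent no-ops and the image
  # would keep password logins enabled. Verify the directives are present
  # and fail the build otherwise (sshd_config.d drop-ins are not inspected).
  for opt in 'ChallengeResponseAuthentication no' 'PasswordAuthentication no'; do
    grep -qx -- "$opt" /etc/ssh/sshd_config || {
      printf 'ERROR: "%s" missing from /etc/ssh/sshd_config after edit\n' "$opt" >&2
      exit 1
    }
  done
  # keg: included from vm-services
  baseInsertService chronyd
  # keg: included from ec2-services
  baseInsertService cloud-config
  baseInsertService cloud-final
  baseInsertService cloud-init
  baseInsertService cloud-init-local
  # keg: included from ec2-cloud-netconfig
  systemctl enable cloud-netconfig.timer
fi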
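if [[ $kiwi_profiles = GCE ]]; then
  # keg: included from gce-sysconfig-netconfig
  baseUpdateSysConfig /etc/sysconfig/network/config NETCONFIG_MODULES_ORDER "cloud-netconfig dns-resolver dns-bind dns-dnsmasq nis ntp-runtime"
  # keg: included from gce-set-hostname
  baseUpdateSysConfig /etc/sysconfig/network/dhcp DHCLIENT_SET_HOSTNAME "yes"
  # keg: included from gce-config
  # Literal appends (no expansions); heredoc bodies must stay at column 0.
  cat >> /etc/boto.cfg <<'EOF'
[Boto]
ca_certificates_file = system
EOF
  cat >> /etc/boto.cfg.template <<'EOF'
[Boto]
ca_certificates_file = system
EOF
  cat >> /etc/default/instance_configs.cfg.distro <<'EOF'
[InstanceSetup]
set_boto_config = false
EOF
  # keg: included from gce-config
  sed -i -e "s/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/" \
    /etc/ssh/sshd_config
  # Disable password based login via ssh
  sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/' \
    /etc/ssh/sshd_config
  # The two sed edits above only rewrite the stock commented-out defaults; if
  # the shipped sshd_config differs they are silent no-ops and the image
  # would keep password logins enabled. Verify the directives are present
  # and fail the build otherwise (sshd_config.d drop-ins are not inspected).
  for opt in 'ChallengeResponseAuthentication no' 'PasswordAuthentication no'; do
    grep -qx -- "$opt" /etc/ssh/sshd_config || {
      printf 'ERROR: "%s" missing from /etc/ssh/sshd_config after edit\n' "$opt" >&2
      exit 1
    }
  done
  # keg: included from vm-services
  baseInsertService chronyd
  # keg: included from gce-services
  baseInsertService google-guest-agent
  baseInsertService google-osconfig-agent
  systemctl enable google-oslogin-cache.timer
  baseInsertService google-shutdown-scripts
  baseInsertService google-startup-scripts
  baseInsertService rootgrow
fi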