Dmitry Teselkin
dda5fab968
Drop CIS 5.4.1.4
CIS 5.4.1.4 should be configured in /etc/default/useradd.
cis-5-4-1-4.yml attempts to configure this item in
pillar that relates to /etc/login.defs and should be removed.
Related-Prod: PROD-23600
Change-Id: Iea93a54a44df919c07001fc02e3551276ef9583c
6 years ago
Martin Polreich
e4ea94f1bb
Merge "Remove systemd.source prefix from logs tag"
6 years ago
Michal Kobus
4b7ec79d3c
Remove systemd.source prefix from logs tag
To simplify filtering in Kibana change
systemd.source prefix to record field "source".
Change-Id: I7729ae6721a1050a938370a588d35313f91f971a
Related-bug: PROD-21827 (PROD:21827)
6 years ago
mcp-jenkins
23b0e658e5
Merge "CIS 5.4.4"
6 years ago
Dmitry Teselkin
579f6df95c
CIS 5.4.4
* 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
Change-Id: Idc219e7f6e8ab4b7e3d24a36f95f8aab4eff3160
Related-Prod: PROD-18386
6 years ago
Dmitry Teselkin
f1c123ca5f
Always include grub.sls
Change-Id: If1bbd97b5719c53193f6287c4a025e6ef0dafbb0
Related-Prod: PROD-18386
6 years ago
Dmitry Teselkin
bf79ba4369
CIS 5.4.1.x
* CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
* CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
* CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
* CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
Related-Prod: PROD-18386
Change-Id: I42697c31823c631acb1528ca917b39c069fb72bf
6 years ago
Dmitry Teselkin
47e41f45c8
Per-user password expiration parameter
The following parameters defined in /etc/login.defs can
be overridden per-user:
* PASS_MAX_DAYS
* PASS_MIN_DAYS
* PASS_WARN_DAYS
* INACTIVE
Related-Prod: PROD-18386
Change-Id: I5b182128f9dd8a043b48fb86e61febb2fd5c7e0a
6 years ago
Vasyl Saienko
83d7f9708b
Merge "Remove trailing-spaces from preferences_repo"
6 years ago
mcp-jenkins
6e38b02c50
Merge "CIS 5.4.4, 5.4.5"
6 years ago
azvyagintsev
41581866f4
Remove trailing-spaces from preferences_repo
* apt tool is sensitive to trailing spaces, and 2 files
aka:
cat -E mcp_saltstack
$
Package: libsodium18$
Pin: release o=SaltStack$
Pin-Priority: 50$
$
Package: *$
Pin: release o=SaltStack$
Pin-Priority: 1100$
$
# VS
cat -E mcp_saltstack
$
Package: libsodium18$
Pin: release o=SaltStack$
Pin-Priority: 50$
$
Package: *$
Pin: release o=SaltStack$
Pin-Priority: 1100$
$
Makes different logic for apt
Change-Id: Ia5fdbe319a65b0fa017c8c065905db1837f9f982
6 years ago
Dzmitry Stremkouski
73f29d733f
Fixing dpdk disabled case for pillars with ovs_dpdk_port
Prod-Related: EME-405
Change-Id: Id9a8ebefb227c4b0a99d8cdd955c39401720bbee
6 years ago
Vasyl Saienko
173e7eb859
Merge "Implement repo.pinning logic"
6 years ago
mcp-jenkins
5bcad94f82
Merge "Add option to disable automatic write of sysfs attributes"
6 years ago
azvyagintsev
4494a47bd5
Implement repo.pinning logic
* Ubuntu pinning params can now be used
multiple times. At the same time, the old `list`
format can now be iterated predictably
inside jinja
Related-Bug: PROD-21604 (PROD:21604)
Change-Id: If1c0f0f834a296b9a19d0af5fc7673c9229a7ac5
6 years ago
mcp-jenkins
f317e9e0dd
Merge "CIS 1.1.21 Disable Automounting"
6 years ago
mcp-jenkins
6285d18bac
Merge "Fix grub.cfg permissions (CIS 1.4.1)"
6 years ago
Martin Polreich
148e1b89ed
Add option to disable automatic write of sysfs attributes
Fixes: PROD-23149 (PROD:23149)
Change-Id: I14c68a0a519a63951571f966fae72fd01ec2e556
6 years ago
Martin Polreich
1b2923988d
Fix Python version for Travis CI tests
Change-Id: Ibbbb99511544ab3bb1532b71942fea15ae0f34a1
6 years ago
Dmitry Teselkin
def4bdd931
CIS 1.1.21 Disable Automounting
Related-Prod: PROD-22653
Change-Id: I5b389309f0cb2890cf9a9a777348efb5a9d7d735
6 years ago
Dmitry Teselkin
32b969eaa7
Fix grub.cfg permissions (CIS 1.4.1)
* CIS 1.4.1 Ensure permissions on bootloader config are configured
Related-Prod: PROD-22655
Change-Id: Ia282baae0be5c038d42b672758662aaed9aae6f5
6 years ago
mcp-jenkins
e28c250deb
Merge "CIS compliance (packages)"
6 years ago
Vasyl Saienko
e999baaf2b
Merge "CIS compliance (modprobe.d)"
6 years ago
mcp-jenkins
052d582b5f
Merge "Fix permissions on /etc/{at,cron}.allow"
6 years ago
Dmitry Teselkin
ee7b811a62
CIS compliance (modprobe.d)
* CIS 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
* CIS 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
* CIS 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
* CIS 1.1.1.4 Ensure mounting of hfs filesystems is disabled
* CIS 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
* CIS 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
* CIS 1.1.1.7 Ensure mounting of udf filesystems is disabled
* CIS 1.1.1.8 Ensure mounting of FAT filesystems is disabled
* CIS 3.5.1 Ensure DCCP is disabled
* CIS 3.5.2 Ensure SCTP is disabled
* CIS 3.5.3 Ensure RDS is disabled
* CIS 3.5.4 Ensure TIPC is disabled
Related-Prod: PROD-20756
Related-Prod: PROD-20757
Related-Prod: PROD-20758
Related-Prod: PROD-20759
Change-Id: Ia8bf992498ef739a4a40fb108fcb449900caf6e3
6 years ago
mcp-jenkins
e626808738
Merge "CIS compliance (/dev/shm mount options)"
6 years ago
Dmitry Teselkin
48e66a3a5c
Fix permissions on /etc/{at,cron}.allow
Permissions 640 root:root don't allow a regular user to read
/etc/{at,cron}.allow files, which changes the behavior of the at / crontab
commands:
* the crontab command can't read /etc/cron.allow and allows any user to modify
their crontab files.
* the at command can't read /etc/at.allow and denies every user.
at / crontab files have SGID bits set, so setting correct group
on /etc/{at,cron}.allow fixes the issue.
Change-Id: I4a3fc8d8e823498d6715e26307424e3065cbd6ca
6 years ago
Dmitry Teselkin
ba028c3e95
CIS 5.4.4, 5.4.5
* CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
* CIS 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored)
Related-Prod: PROD-20765
Change-Id: I5ff5e5bc76e1d87432caec70f2b35eec288e9213
6 years ago
Dmitry Teselkin
4326d345c7
CIS compliance (packages)
* CIS 1.5.4 Ensure prelink is disabled
* CIS 2.3.1 Ensure NIS Client is not installed
* CIS 2.3.2 Ensure rsh client is not installed
* CIS 2.3.3 Ensure talk client is not installed
* CIS 2.3.4 Ensure telnet client is not installed
Change-Id: I0eb11d39deaa28f238a2e618bf95cc248189197c
6 years ago
mcp-jenkins
5f2c6ce218
Merge "Configure /etc/login.defs"
6 years ago
Dmitry Teselkin
ca10ffa318
CIS compliance (/dev/shm mount options)
* CIS 1.1.14 Ensure nodev option set on /dev/shm partition (Scored)
* CIS 1.1.15 Ensure nosuid option set on /dev/shm partition (Scored)
* CIS 1.1.16 Ensure noexec option set on /dev/shm partition (Scored)
Related-Prod: PROD-22652
Change-Id: I35f371ce36bae6104e0176f63bd43a8fc4e5bad3
6 years ago
Vasyl Saienko
3ded6e4807
Merge "Set user shell even if user is system"
6 years ago
Dmitry Teselkin
a0d31d18f8
Configure /etc/login.defs
Related-Prod: PROD-21969
Change-Id: I1c30189ee85605a5c68861d98f00bf5ac5e772c2
6 years ago
Dmitry Teselkin
483746480a
Set user shell even if user is system
linux/system/user.sls ignores 'shell' option if a
user is system. This is quite strange behavior, and it
breaks CIS:
* 5.4.2 Ensure system accounts are non-login
Change-Id: I32dd44ac4fcc1425ea47eb4cf60acf41f6ce0887
Related-Prod: PROD-20764
6 years ago
Dmitry Teselkin
11ef3737d2
CIS 6.1.2-6.1.9
CIS items copied from cisbench:
* CIS 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
* CIS 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
* CIS 6.1.4 Ensure permissions on /etc/group are configured (Scored)
* CIS 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
* CIS 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
* CIS 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
* CIS 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
* CIS 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
Change-Id: I195d08a98c2401a9b0fa8f146ee4b365f933fa1f
6 years ago
Dmitry Teselkin
0f084a01ce
Manage /etc/{at,cron}.{allow,deny} files
Related-Prod: PROD-22546
Related-Prod: PROD-22664
Change-Id: I66a35ef3d2436541ef70f02e2631fa8d4d86e5e9
6 years ago
azvyagintsev
75a4eb54a6
Disable cis-3-3-3 rule
Change-Id: I956da1f26e500eae693827ed5dce0f7e65e291bc
Closes-Bug: PROD-22520 (PROD:22520)
6 years ago
Dmitry Teselkin
ad85db09b0
Remove non-existent CIS items
Change-Id: I91bfb8e2a06fc0499addd376db9e38483a6756d0
6 years ago
Dmitry Teselkin
af730f9602
CIS compliance (sysctl, limits)
* CIS 1.5.1 Ensure core dumps are restricted
* CIS 1.5.3 Ensure address space layout randomization (ASLR) is enabled
* CIS 3.1.2 Ensure packet redirect sending is disabled
* CIS 3.2.1 Ensure source routed packets are not accepted
* CIS 3.2.2 Ensure ICMP redirects are not accepted
* CIS 3.2.3 Ensure secure ICMP redirects are not accepted
* CIS 3.2.4 Ensure suspicious packets are logged
* CIS 3.2.5 Ensure broadcast ICMP requests are ignored
* CIS 3.2.6 Ensure bogus ICMP responses are ignored
* CIS 3.2.7 Ensure Reverse Path Filtering is enabled
* CIS 3.2.8 Ensure TCP SYN Cookies is enabled
All sysctls are valid for Ubuntu 14.04, Ubuntu 16.04.
Change-Id: I48f34c55d97a78c253d4810db46b2a04ff5c0c1a
6 years ago
Aleksey Zvyagintsev
cf1b5b322a
Revert "CIS compliance (modprobe.d)"
This reverts commit d87f461319.
Change-Id: If175b29f2e130ecf5041e7b0be20f15485089ffa
6 years ago
Dmitry Teselkin
d87f461319
CIS compliance (modprobe.d)
* CIS 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
* CIS 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
* CIS 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
* CIS 1.1.1.4 Ensure mounting of hfs filesystems is disabled
* CIS 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled
* CIS 1.1.1.6 Ensure mounting of squashfs filesystems is disabled
* CIS 1.1.1.7 Ensure mounting of udf filesystems is disabled
* CIS 1.1.1.8 Ensure mounting of FAT filesystems is disabled
* CIS 3.5.1 Ensure DCCP is disabled
* CIS 3.5.2 Ensure SCTP is disabled
* CIS 3.5.3 Ensure RDS is disabled
* CIS 3.5.4 Ensure TIPC is disabled
Related-Prod: PROD-20756
Related-Prod: PROD-20757
Related-Prod: PROD-20758
Related-Prod: PROD-20759
Change-Id: I719984829978caf0401e78daaabf1adfb0d1cfdf
6 years ago
Dmitry Teselkin
809834c85e
Extend modprobe files functionality
Support full set of options defined in
man modprobe.d
Change-Id: I3d30b6bc261ef308ae6afd963f13fda1e4b22c0d
6 years ago
Dennis Dmitriev
4bf87625a6
Fix pillar tests
* Update run_tests.sh to the latest revision
* drop odd .kitchen.vagrant.yml
Related-Bug: PROD-20730 (PROD:20730)
Change-Id: I367800a60ad17020700a76670d1216dfdfcfe692
7 years ago
azvyagintsev
42b64a1f29
Misc fixes
* Add\fix __virtual__ for modules
* Remove unneeded multiline for repo.sls
Change-Id: I1f8d321b68dfe6a44264b4ddcd6cd0c576938da1
6 years ago
Vasyl Saienko
081647356f
Merge "CIS 3.3.3 Ensure IPv6 is disabled"
6 years ago
azvyagintsev
b7c2ef4b57
Fix linux_enforce_hostname for test env
* Add TODO-proper fix for state - native salt fun.
But due to bug [1] in saltstack - we can't enable
the proper solution now
[1] 74599bbdfc
Related-PROD: PROD-20730
Change-Id: I11b6d81ae0f9a7864518f638e8fc423e4e087285
6 years ago
Dmitry Teselkin
cc7263a275
CIS 3.3.3 Ensure IPv6 is disabled
Related-Prod: PROD-20755
Change-Id: I44cc3bdb4a0436ff17f790a828d03697b89d3520
6 years ago
azvyagintsev
7903ba97da
Refactor pillar repo key fetch
Change-Id: I511996de9d8abc69d6775b45482f8196c7159a1a
6 years ago
OlgaGusarenko
2828f5fcd4
README update
Change-Id: I70a28cac5c07fb3093b6038a0c448d16847a42e3
6 years ago
Martin Polreich
b08a9144f7
Merge branch 'master' of github.com:salt-formulas/salt-formula-linux
Change-Id: I5468d69c362cbd2e71a064bd2bc89f843fbefe7e
6 years ago