Remove unnecessary rules from RHCOS e8 profile

brett060102 · Feb 2, 2021 · 495afe3 · 495afe3
1 parent 4dd8e76
commit 495afe3
Showing 1 changed file with 2 additions and 61 deletions.
diff --git a/rhcos4/profiles/e8.profile b/rhcos4/profiles/e8.profile
@@ -19,37 +19,10 @@ description: |-
 
 selections:
 
-  ### Remove obsolete packages
-  #- package_talk_removed
-  #- package_talk-server_removed
-  #- package_xinetd_removed
-  #- service_xinetd_disabled
-  #- package_ypbind_removed
-  #- package_telnet_removed
-  #- service_telnet_disabled
-  #- package_telnet-server_removed
-  #- package_rsh_removed
-  #- package_rsh-server_removed
-  #- service_zebra_disabled
-  #- package_quagga_removed
-  #- service_avahi-daemon_disabled
-  #- package_squid_removed
-  #- service_squid_disabled
-
-  ### Software update
-  #- ensure_redhat_gpgkey_installed
-  #- ensure_gpgcheck_never_disabled
-  #- ensure_gpgcheck_local_packages
-  #- ensure_gpgcheck_globally_activated
-  #- security_patches_up_to_date
-  #- dnf-automatic_security_updates_only
-
   ### System security settings
   - sysctl_kernel_randomize_va_space
-#  - sysctl_kernel_exec_shield
   - sysctl_kernel_kptr_restrict
   - sysctl_kernel_dmesg_restrict
-  - sysctl_kernel_kexec_load_disabled
   - sysctl_kernel_yama_ptrace_scope
   - sysctl_kernel_unprivileged_bpf_disabled
   - sysctl_net_core_bpf_jit_harden
@@ -60,41 +33,13 @@ selections:
   - var_selinux_policy_name=targeted
   - selinux_policytype
 
-  ### Filesystem integrity
-  #- rpm_verify_hashes
-  #- rpm_verify_permissions
-  #- rpm_verify_ownership
-  #- file_permissions_unauthorized_sgid
-  #- file_permissions_unauthorized_suid
-  #- file_permissions_unauthorized_world_writable
-  #- dir_perms_world_writable_sticky_bits
-  #- file_permissions_library_dirs
-  #- file_ownership_binary_dirs
-  #- file_permissions_binary_dirs
-  #- file_ownership_library_dirs
-
   ### Passwords
   - no_empty_passwords
 
-  ### Partitioning
-  #- mount_option_dev_shm_nodev
-  #- mount_option_dev_shm_nosuid
-  #- mount_option_dev_shm_noexec
-
-  ### Network
-  #- package_firewalld_installed
-  #- service_firewalld_enabled
-  #- network_sniffer_disabled
-
   ### Admin privileges
   - accounts_no_uid_except_zero
-  #- sudo_remove_nopasswd
-  #- sudo_remove_no_authenticate
-  #- sudo_require_authentication
-
+
   ### Audit
-  #- package_rsyslog_installed
-  #- service_rsyslog_enabled
   - service_auditd_enabled
   - var_auditd_flush=incremental_async
   - auditd_data_retention_flush
@@ -137,10 +82,6 @@ selections:
   - sshd_enable_strictmodes
 
   # See also: https://www.cyber.gov.au/ism/guidelines-using-cryptography
-  - var_system_crypto_policy=future
+  - var_system_crypto_policy=default
   - configure_crypto_policy
   - configure_ssh_crypto_policy
-
-  ### Application whitelisting
-  #- package_fapolicyd_installed
-  #- service_fapolicyd_enabled