control: added some actual ldv@'s settings

As noted in the comment, these include a few quite strong ones: - sshd(8) will only allow in "wheel" and "users" members by keys, no password access is allowed; - password change even by root is subject to quality checks; - su(8) is only useful to lower privileges and not gain those (so root access is available either through local console or via use of ssh keys). Don't use if frowned upon.

control: added some actual ldv@'s settings
1e39ab3a · Michael Shigorin · fd0fb5f1 · 1e39ab3a
Commit 1e39ab3a authored Jan 29, 2016 by Michael Shigorin
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 0 deletions

config.mk features.in/control/config.mk +15 -0

No files found.
--- a/features.in/control/config.mk
+++ b/features.in/control/config.mk
@@ -6,3 +6,18 @@ use/control:
 # some presets
 use/control/sudo-su: use/control
 	@$(call add,CONTROL,su:public sudo:public)
+
+# recommended by ldv@ ;-)
+# note that:
+# - sshd-allow-groups results in "AllowGroups wheel users"
+# - unprivileged su is used to drop privileges, not gain those
+use/control/server/ldv: use/control
+	@$(call add,CONTROL,mount:unprivileged)
+	@$(call add,CONTROL,passwdqc-enforce:everyone)
+	@$(call add,CONTROL,ping:netadmin)
+	@$(call add,CONTROL,ping6:restricted)
+	@$(call add,CONTROL,postqueue:mailadm)
+	@$(call add,CONTROL,sftp:disabled)
+	@$(call add,CONTROL,sshd-allow-groups:enabled)
+	@$(call add,CONTROL,sshd-password-auth:disabled)
+	@$(call add,CONTROL,su:restricted)