From bc5f156cd9bd470c1ae7681d25680d0d6ffbc21b Mon Sep 17 00:00:00 2001
From: Lukas Greve
Date: Wed, 10 Dec 2025 21:29:25 +0100
Subject: [PATCH] All non-virtual dishes / recipes are meant to be shipped with sane security defaults
---
dishes/desktop-hypervisor-amdcpu.cfg | 8 ++++----
dishes/desktop-hypervisor-intelcpu-intelgpu.cfg | 8 ++++----
dishes/desktop-hypervisor-intelcpu.cfg | 8 ++++----
dishes/desktop-hypervisor.cfg | 8 ++++----
dishes/desktop.cfg | 8 ++++----
dishes/live-desktop-hypervisor.cfg | 8 ++++----
dishes/live-desktop.cfg | 8 ++++----
dishes/live-server-hypervisor.cfg | 8 ++++----
dishes/live-server.cfg | 8 ++++----
recipes/desktop-hypervisor-amdcpu.cfg | 2 +-
recipes/desktop-hypervisor-intelcpu-intelgpu.cfg | 2 +-
recipes/desktop-hypervisor-intelcpu.cfg | 2 +-
recipes/desktop-hypervisor.cfg | 2 +-
recipes/desktop.cfg | 2 +-
recipes/live-desktop-hypervisor.cfg | 2 +-
recipes/live-desktop.cfg | 2 +-
recipes/live-server-hypervisor.cfg | 2 +-
recipes/live-server.cfg | 2 +-
18 files changed, 45 insertions(+), 45 deletions(-)
diff --git a/dishes/desktop-hypervisor-amdcpu.cfg b/dishes/desktop-hypervisor-amdcpu.cfg
index c9e0ac1..7aef326 100644
--- a/dishes/desktop-hypervisor-amdcpu.cfg
+++ b/dishes/desktop-hypervisor-amdcpu.cfg
@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
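Review bot: `firewall --enabled` in the first hunk of dishes/desktop-hypervisor-amdcpu.cfg names no services, so the inbound policy is whatever the installer and the default firewalld zone provide rather than something the repository states. As far as I know Anaconda keeps the ssh service open when the firewall is enabled unless it is removed, which is probably wanted on the server dishes and probably not on the desktop ones. The live dishes carry a "Generated by pykickstart" header, so this file is presumably flattened output too and the directive would be changed in `ingredients/core-security-on.cfg`, which is not part of this patch: for example `firewall --enabled --service=ssh` for servers and `firewall --enabled --remove-service=ssh` for desktops. The same line is added in the first hunk of the other eight dishes.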
@@ -16,10 +16,10 @@ network --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
-rootpw --plaintext 1234
+#Root password
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
diff --git a/dishes/desktop-hypervisor-intelcpu-intelgpu.cfg b/dishes/desktop-hypervisor-intelcpu-intelgpu.cfg
index be66ab0..2c098a8 100644
--- a/dishes/desktop-hypervisor-intelcpu-intelgpu.cfg
+++ b/dishes/desktop-hypervisor-intelcpu-intelgpu.cfg
@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -16,10 +16,10 @@ network --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
-rootpw --plaintext 1234
+#Root password
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
diff --git a/dishes/desktop-hypervisor-intelcpu.cfg b/dishes/desktop-hypervisor-intelcpu.cfg
index 6dd40dd..09df9f0 100644
--- a/dishes/desktop-hypervisor-intelcpu.cfg
+++ b/dishes/desktop-hypervisor-intelcpu.cfg
@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
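Review bot: With `rootpw --lock` in the second hunk of dishes/desktop-hypervisor-amdcpu.cfg (repeated in the other eight dishes) there is no root login, and nothing visible in the hunk creates an administrative account, so access after install depends on the `firstboot --reconfig` setup agent or on a `user` line outside the hunk. That is worth confirming for the two server dishes in particular, where a headless first boot could leave the machine without a usable login. The removed `rootpw --plaintext 1234` also stays in git history and in any image built from the older dishes, so those images should be rebuilt or retired.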
@@ -16,10 +16,10 @@ network --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
-rootpw --plaintext 1234
+#Root password
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
diff --git a/dishes/desktop-hypervisor.cfg b/dishes/desktop-hypervisor.cfg
index 9f0fcea..05a7901 100644
--- a/dishes/desktop-hypervisor.cfg
+++ b/dishes/desktop-hypervisor.cfg
@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -16,10 +16,10 @@ network --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
-rootpw --plaintext 1234
+#Root password
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
diff --git a/dishes/desktop.cfg b/dishes/desktop.cfg
index 31279a1..47f54b1 100644
--- a/dishes/desktop.cfg
+++ b/dishes/desktop.cfg
@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -16,10 +16,10 @@ network --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
-rootpw --plaintext 1234
+#Root password
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved"
 # System timezone
diff --git a/dishes/live-desktop-hypervisor.cfg b/dishes/live-desktop-hypervisor.cfg
index bd13b42..2c2d2b8 100644
--- a/dishes/live-desktop-hypervisor.cfg
+++ b/dishes/live-desktop-hypervisor.cfg
@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -14,10 +14,10 @@ network --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
-rootpw --plaintext 1234
+#Root password
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
diff --git a/dishes/live-desktop.cfg b/dishes/live-desktop.cfg
index a106d8e..b0b2d94 100644
--- a/dishes/live-desktop.cfg
+++ b/dishes/live-desktop.cfg
@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -14,10 +14,10 @@ network --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
-rootpw --plaintext 1234
+#Root password
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved"
 # System timezone
diff --git a/dishes/live-server-hypervisor.cfg b/dishes/live-server-hypervisor.cfg
index 686887e..d827973 100644
--- a/dishes/live-server-hypervisor.cfg
+++ b/dishes/live-server-hypervisor.cfg
@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -14,10 +14,10 @@ network --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
-rootpw --plaintext 1234
+#Root password
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone
diff --git a/dishes/live-server.cfg b/dishes/live-server.cfg
index 443d499..8d3290c 100644
--- a/dishes/live-server.cfg
+++ b/dishes/live-server.cfg
@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -14,10 +14,10 @@ network --bootproto=dhcp --device=link --hostname=phyllome-alpha --activate
 shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
-# Root password
-rootpw --plaintext 1234
+#Root password
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved"
 # System timezone
diff --git a/recipes/desktop-hypervisor-amdcpu.cfg b/recipes/desktop-hypervisor-amdcpu.cfg
index 0824be2..41b096c 100644
--- a/recipes/desktop-hypervisor-amdcpu.cfg
+++ b/recipes/desktop-hypervisor-amdcpu.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # Storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages
diff --git a/recipes/desktop-hypervisor-intelcpu-intelgpu.cfg b/recipes/desktop-hypervisor-intelcpu-intelgpu.cfg
index a2c1057..20c8a2a 100644
--- a/recipes/desktop-hypervisor-intelcpu-intelgpu.cfg
+++ b/recipes/desktop-hypervisor-intelcpu-intelgpu.cfg
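Review bot: The new include target `../ingredients/core-security-on.cfg` in recipes/desktop-hypervisor-amdcpu.cfg is not among the 18 files of this patch, so its content cannot be checked against the trailing comment "Lock root account, enable firewall and SELinux"; the dishes suggest it holds `rootpw --lock`, `firewall --enabled` and `selinux --enforcing`. The dishes appear to be checked-in flattened copies of the recipes, so a recipe and its dish can drift apart without anyone noticing. A CI step that re-flattens each recipe, diffs it against the committed dish, and fails when a non-virtual dish contains `rootpw --plaintext`, `firewall --disabled` or `selinux --disabled` would keep the intent of this commit enforced. The same one-line include change is made in the other eight recipes.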
@@ -12,7 +12,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages
diff --git a/recipes/desktop-hypervisor-intelcpu.cfg b/recipes/desktop-hypervisor-intelcpu.cfg
index 03c53f4..fcfc3ee 100644
--- a/recipes/desktop-hypervisor-intelcpu.cfg
+++ b/recipes/desktop-hypervisor-intelcpu.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages
diff --git a/recipes/desktop-hypervisor.cfg b/recipes/desktop-hypervisor.cfg
index a8f1195..a5c1307 100644
--- a/recipes/desktop-hypervisor.cfg
+++ b/recipes/desktop-hypervisor.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages
diff --git a/recipes/desktop.cfg b/recipes/desktop.cfg
index 7b74448..da84d69 100644
--- a/recipes/desktop.cfg
+++ b/recipes/desktop.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages
diff --git a/recipes/live-desktop-hypervisor.cfg b/recipes/live-desktop-hypervisor.cfg
index b7648bf..0acbeac 100644
--- a/recipes/live-desktop-hypervisor.cfg
+++ b/recipes/live-desktop-hypervisor.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages
diff --git a/recipes/live-desktop.cfg b/recipes/live-desktop.cfg
index 69a79b5..3aa3d6b 100644
--- a/recipes/live-desktop.cfg
+++ b/recipes/live-desktop.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages
diff --git a/recipes/live-server-hypervisor.cfg b/recipes/live-server-hypervisor.cfg
index 5c72c71..b3c047a 100644
--- a/recipes/live-server-hypervisor.cfg
+++ b/recipes/live-server-hypervisor.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages
diff --git a/recipes/live-server.cfg b/recipes/live-server.cfg
index bc3175a..d19ac32 100644
--- a/recipes/live-server.cfg
+++ b/recipes/live-server.cfg
@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages