All non-virtual dishes / recipes are meant to be shipped with sane security defaults

dishes/desktop-hypervisor-amdcpu.cfg

@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -17,9 +17,9 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 #Root password
-rootpw --plaintext 1234
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone

dishes/desktop-hypervisor-intelcpu-intelgpu.cfg

@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -17,9 +17,9 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 #Root password
-rootpw --plaintext 1234
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone

dishes/desktop-hypervisor-intelcpu.cfg

@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -17,9 +17,9 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 #Root password
-rootpw --plaintext 1234
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone

dishes/desktop-hypervisor.cfg

@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -17,9 +17,9 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 #Root password
-rootpw --plaintext 1234
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone

dishes/desktop.cfg

@@ -3,7 +3,7 @@
 # Use text mode install
 text
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -17,9 +17,9 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 #Root password
-rootpw --plaintext 1234
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved"
 # System timezone

dishes/live-desktop-hypervisor.cfg

@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -15,9 +15,9 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 #Root password
-rootpw --plaintext 1234
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone

dishes/live-desktop.cfg

@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -15,9 +15,9 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 #Root password
-rootpw --plaintext 1234
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved"
 # System timezone

dishes/live-server-hypervisor.cfg

@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -15,9 +15,9 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 #Root password
-rootpw --plaintext 1234
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved,libvirtd"
 # System timezone

dishes/live-server.cfg

@@ -1,7 +1,7 @@
 # Generated by pykickstart v3.62
 #version=DEVEL
 # Firewall configuration
-firewall --disabled
+firewall --enabled
 # Run the Setup Agent on first boot
 firstboot --reconfig
 # Keyboard layouts
@@ -15,9 +15,9 @@ shutdown
 repo --name="fedora" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64
 repo --name="updates" --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f43&arch=x86_64
 #Root password
-rootpw --plaintext 1234
+rootpw --lock
 # SELinux configuration
-selinux --disabled
+selinux --enforcing
 # System services
 services --enabled="NetworkManager,systemd-resolved"
 # System timezone

recipes/desktop-hypervisor-amdcpu.cfg

@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # Storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 

recipes/desktop-hypervisor-intelcpu-intelgpu.cfg

@@ -12,7 +12,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 

recipes/desktop-hypervisor-intelcpu.cfg

@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 

recipes/desktop-hypervisor.cfg

@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 

recipes/desktop.cfg

@@ -11,7 +11,7 @@
 %include ../ingredients/core-storage.cfg # ext4-based storage configuration
 %include ../ingredients/core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 

recipes/live-desktop-hypervisor.cfg

@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 

recipes/live-desktop.cfg

@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 

recipes/live-server-hypervisor.cfg

@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages 

recipes/live-server.cfg

@@ -11,7 +11,7 @@
 %include ../ingredients/live-core-storage.cfg # For live systems only
 %include ../ingredients/live-core-bootloader-grub.cfg # Set bootloader to GRUB
 %include ../ingredients/core-locale.cfg # System locale set to Swiss French as keyboard layout and English as language
-%include ../ingredients/core-security-off.cfg # Lock root account, disable firewall and SELinux
+%include ../ingredients/core-security-on.cfg # Lock root account, enable firewall and SELinux
 %include ../ingredients/core-services.cfg # Required systemd services
 %include ../ingredients/core-network.cfg # Network configuration
 %include ../ingredients/core-packages-mandatory.cfg # Mandatory packages