From 0c4a93a08d4593b7f62e844e9edde2118f0eea4c Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 13 Jan 2025 16:50:23 +0200
Subject: [PATCH] create public cloud hardening profile for SLE Micro5
---
.../slmicro5/profiles/pcs-hardening.profile | 52 +++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 products/slmicro5/profiles/pcs-hardening.profile
diff --git a/products/slmicro5/profiles/pcs-hardening.profile b/products/slmicro5/profiles/pcs-hardening.profile
new file mode 100644
index 00000000000..455e80ace29
--- /dev/null
+++ b/products/slmicro5/profiles/pcs-hardening.profile
@@ -0,0 +1,52 @@
+documentation_complete: true
+
+metadata:
+ version: V1R1
+ SMEs:
+ - svet-se
+ - rumch-se
+ - teacup-on-rockingchair
+
+reference:
+
+title: 'Public Cloud Hardening for SUSE Linux Enterprise Micro (SLEM) 5'
+
+description: |-
+ This profile contains configuration checks to be used to harden
+ SUSE Linux Enterprise Micro (SLEM) 5 for use with public cloud providers.
+
+selections:
+ - stig_slmicro5:all
+ - '!permissions_local_var_log_audit'
+ - '!ssh_private_keys_have_passcode'
+ - '!set_password_hashing_algorithm_systemauth'
+ - '!grub2_password'
+ - '!grub2_uefi_password'
+ - '!service_firewalld_enabled'
+ - '!service_autofs_disabled'
+ - '!account_emergency_admin'
+ - '!account_temp_expire_date'
+ - '!sshd_set_idle_timeout'
+ - '!encrypt_partitions'
+ - '!file_permissions_local_var_log_messages'
+ - '!permissions_local_audit_binaries'
+ - '!auditd_audispd_configure_sufficiently_large_partition'
+ - '!sudo_require_authentication'
+ - '!sudo_remove_nopasswd'
+ - '!sudo_remove_no_authenticate'
+ - '!sssd_memcache_timeout'
+ - '!sssd_offline_cred_expiration'
+ - '!is_fips_mode_enabled'
+ - '!service_systemd-journal-upload_enabled'
+ - '!package_systemd-journal-remote_installed'
+ - '!security_patches_up_to_date'
+ - '!accounts_authorized_local_users'
+ - '!partition_for_var_log_audit'
+ - '!accounts_user_home_paths_only'
+ - '!mount_option_nosuid_remote_filesystems'
+ - '!mount_option_noexec_remote_filesystems'
+ - '!pam_disable_automatic_configuration'
+ - '!gnome_gdm_disable_unattended_automatic_login'
+ - '!sysctl_net_ipv4_conf_all_accept_redirects'
+ - '!sysctl_net_ipv4_ip_forward'
+ - '!selinux_user_login_roles'
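Review bot: The 33 `'!rule'` exclusions under `selections:` carry no rationale, and several of them switch off checks with direct security weight (`sudo_require_authentication`, `sudo_remove_nopasswd`, `sudo_remove_no_authenticate`, `service_firewalld_enabled`, `security_patches_up_to_date`, `sysctl_net_ipv4_ip_forward`, `sysctl_net_ipv4_conf_all_accept_redirects`, `is_fips_mode_enabled`, `encrypt_partitions`). Excluded rules are not evaluated, so a scan against this profile will not surface those settings at all; each exclusion, or each group of related ones, should get a comment of the form `# excluded: <reason>; covered instead by: <control, or "accepted risk">`. The `description:` should also state that the profile is `stig_slmicro5:all` minus the listed rules, so a reader does not take "hardening" to mean a superset of the STIG baseline. The bare `reference:` key is an empty value; give it the source document's URL or drop the key.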