project-lakitu: add cos-alphabet-compliance service

This service executes the scripts for alphabet compliance.
The sections referred to in the scripts are from
https://www.cisecurity.org/benchmark/distribution_independent_linux/

BUG=b/182797622
TEST=presubmit
RELEASE_NOTE=None

Change-Id: If7ec9a1d8f3025d48868dc5ab31881d06b28ae41
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/14093
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/cos-alphabet-compliance-0.0.1-r1.ebuild b/project-lakitu/app-admin/cos-alphabet-compliance/cos-alphabet-compliance-0.0.1-r1.ebuild
new file mode 120000
index 0000000..0881f05
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/cos-alphabet-compliance-0.0.1-r1.ebuild
@@ -0,0 +1 @@
+cos-alphabet-compliance-0.0.1.ebuild
\ No newline at end of file
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/cos-alphabet-compliance-0.0.1.ebuild b/project-lakitu/app-admin/cos-alphabet-compliance/cos-alphabet-compliance-0.0.1.ebuild
new file mode 100644
index 0000000..f76479f
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/cos-alphabet-compliance-0.0.1.ebuild
@@ -0,0 +1,32 @@
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+EAPI=7
+
+inherit systemd
+
+DESCRIPTION="Alphabet compliance scripts"
+
+LICENSE="BSD-Google"
+SLOT="0"
+KEYWORDS="*"
+IUSE=""
+DEPEND=""
+RDEPEND="${DEPEND}
+	sys-apps/systemd
+	net-firewall/iptables
+	sys-auth/pambase
+	sys-libs/pam[audit]
+	sys-process/audit
+"
+
+S="${WORKDIR}"
+
+src_install() {
+	exeinto /usr/share/google/security
+	doexe "${FILESDIR}"/*.sh
+
+	systemd_dounit "${FILESDIR}"/cos-alphabet-compliance.service
+	systemd_enable_service multi-user.target cos-alphabet-compliance.service
+}
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/1117-disable-udf-mounting.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/1117-disable-udf-mounting.sh
new file mode 100644
index 0000000..5005429
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/1117-disable-udf-mounting.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section 1.1.1.7 Ensure mounting of udf filesystems is disabled ##
+echo "install udf /bin/true" > /etc/modprobe.d/udf.conf
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/1510-restrict-core-dumps.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/1510-restrict-core-dumps.sh
new file mode 100644
index 0000000..75e8f57
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/1510-restrict-core-dumps.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 1.5.1 Ensure core dumps are restricted ##
+echo "* hard core 0" >> /etc/security/limits.conf
+cat <<EOF >> /etc/systemd/coredump.conf
+Storage=none
+ProcessSizeMax=0
+EOF
+systemctl daemon-reload
+sysctl -w fs.suid_dumpable=0
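Review bot: Both appends (`>> /etc/security/limits.conf` and `>> /etc/systemd/coredump.conf`) add another copy on every run if /etc persists across runs, and the `Storage=none` / `ProcessSizeMax=0` lines only take effect if the end of coredump.conf happens to lie inside the `[Coredump]` section. Writing a drop-in under `/etc/systemd/coredump.conf.d/` that carries its own `[Coredump]` header, with `>` instead of `>>`, makes the result deterministic and repeatable. `systemctl daemon-reload` is probably unnecessary for this file, since systemd-coredump reads its configuration when it is invoked; worth confirming and dropping.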
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/3110-disable-ip-forwarding.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/3110-disable-ip-forwarding.sh
new file mode 100644
index 0000000..189704d
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/3110-disable-ip-forwarding.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section 3.1.1 Ensure IP forwarding is disabled ##
+sysctl -w net.ipv4.ip_forward=0
+sysctl -w net.ipv6.conf.all.forwarding=0
+sysctl -w net.ipv4.route.flush=1
+sysctl -w net.ipv6.route.flush=1
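Review bot: These values are applied with `sysctl -w` only, so they last until something else writes the same keys; nothing is recorded under /etc/sysctl.d, and the unit added in this commit is ordered only `Before=sshd.service`. If a container runtime or network service on the image enables forwarding when it starts, `net.ipv4.ip_forward` would silently return to 1 after this script has run. Consider also writing the values to a sysctl.d file, or ordering the unit after whatever else manages these keys, and add a comment saying which is intended. The same applies to 3230-disable-secure-redirects.sh, 3240-log-suspicious-packets.sh and 3290-diable-IPv6-router-ads.sh.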
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/3230-disable-secure-redirects.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/3230-disable-secure-redirects.sh
new file mode 100644
index 0000000..955e64c
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/3230-disable-secure-redirects.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 3.2.3 Ensure secure ICMP redirects are not accepted ##
+sysctl -w net.ipv4.conf.all.secure_redirects=0
+sysctl -w net.ipv4.conf.default.secure_redirects=0
+sysctl -w net.ipv4.route.flush=1
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/3240-log-suspicious-packets.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/3240-log-suspicious-packets.sh
new file mode 100644
index 0000000..979d32a
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/3240-log-suspicious-packets.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section 3.2.4 Ensure suspicious packets are logged ##
+sysctl -w net.ipv4.conf.all.log_martians=1
+sysctl -w net.ipv4.conf.default.log_martians=1
+sysctl -w net.ipv4.route.flush=1
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/3290-diable-IPv6-router-ads.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/3290-diable-IPv6-router-ads.sh
new file mode 100644
index 0000000..dc99403
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/3290-diable-IPv6-router-ads.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 3.2.9 Ensure IPv6 router advertisements are not accepted ##
+sysctl -w net.ipv6.conf.all.accept_ra=0
+sysctl -w net.ipv6.route.flush=1
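Review bot: Only `net.ipv6.conf.all.accept_ra` is set here, whereas the sibling scripts 3230 and 3240 set both the `all` and the `default` variant of their keys; interfaces created later take their value from `default`, so they may still accept router advertisements. Add `sysctl -w net.ipv6.conf.default.accept_ra=0` before the route flush. The file name also spells "diable" for "disable".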
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/3512-configure-IPv6-loopback.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/3512-configure-IPv6-loopback.sh
new file mode 100644
index 0000000..a53237d
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/3512-configure-IPv6-loopback.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section 3.5.1.2 Ensure IPv6 loopback traffic is configured ##
+ip6tables -A INPUT -s ::1 -j DROP
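Review bot: The rule is added with `-A`, so it lands at the end of INPUT behind any ACCEPT rule that already matches the packet, and the script adds no `-i lo -j ACCEPT` rule ahead of it. Depending on what the chain already holds, the DROP either never sees packets that claim a loopback source or also discards genuine traffic arriving on lo; the hunk does not show which. Add the loopback ACCEPT rules before the DROP, or a comment naming where they are configured. `-A` also appends a duplicate if the script runs again in the same boot, which a preceding `ip6tables -C INPUT -s ::1 -j DROP` check avoids. 3522-configure-loopback.sh has the same shape for 127.0.0.0/8.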
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/3522-configure-loopback.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/3522-configure-loopback.sh
new file mode 100644
index 0000000..f145421
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/3522-configure-loopback.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section 3.5.2.2 Ensure loopback traffic is configured ##
+iptables -A INPUT -s 127.0.0.0/8 -j DROP
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/4222-compress-large-log-files.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/4222-compress-large-log-files.sh
new file mode 100644
index 0000000..4f87ed5
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/4222-compress-large-log-files.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 4.2.2.2 Ensure journald is configured to compress large log files ##
+sed -i 's/^#Compress=yes/Compress=yes/' /etc/systemd/journald.conf
+systemctl force-reload systemd-journald
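Review bot: `sed -i` exits 0 when the pattern matches nothing, so if journald.conf does not contain the exact line `#Compress=yes` (for example it already says `Compress=no`) this script reports success and changes nothing. Follow the edit with a check such as `grep -q '^Compress=yes' /etc/systemd/journald.conf` and handle the no-match case explicitly. The sed-only edits in 5216, 5221, 5310 and 5440 can silently do nothing in the same way, for instance when the sshd_config keyword is present only as a commented-out default.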
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/4230-set-permissions-of-log-files.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/4230-set-permissions-of-log-files.sh
new file mode 100644
index 0000000..0e9ff33
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/4230-set-permissions-of-log-files.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 4.2.3 Ensure permissions on all logfiles are configured ##
+sudo find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o \
+  -type d -exec chmod g-w,o-rwx "{}" +
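Review bot: `sudo` is not needed here and adds a failure mode: the service file sets no `User=`, so setup.sh already runs as root, and the ebuild's RDEPEND does not list sudo. Because setup.sh sources the scripts under `set -e`, a missing or refusing `sudo` stops the run at this point and none of the later 5xxx scripts execute. Start the command with `find /var/log -type f ...` directly.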
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5214-configure-MAC-algorithms.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5214-configure-MAC-algorithms.sh
new file mode 100644
index 0000000..e25a201
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5214-configure-MAC-algorithms.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.2.14 Ensure only strong MAC algorithms are used ##
+echo "MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,\
+hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
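Review bot: sshd uses the first value it reads for each keyword, so a line appended with `>>` is ignored whenever sshd_config already sets `MACs` earlier in the file, and every further run appends another copy. The sshd_config file added at the package root in this same commit, holding three `MACs` lines, looks like the result of exactly that. Replace an existing line or insert the setting ahead of the first occurrence, guarded so it is written once, and confirm the effective value with `sshd -T`. The same append pattern is used in 5216, 5217, 5219, 5222 and 5223.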
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5216-configure-ssh-idle-timeout.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5216-configure-ssh-idle-timeout.sh
new file mode 100644
index 0000000..35a8b04
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5216-configure-ssh-idle-timeout.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.2.16 Ensure SSH Idle Timeout Interval is configured ##
+sed -i 's/^ClientAliveInterval .*$/ClientAliveInterval 300/' \
+  /etc/ssh/sshd_config
+echo "ClientAliveCountMax 0" >> /etc/ssh/sshd_config
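Review bot: `ClientAliveCountMax 0` may not produce an idle timeout on the OpenSSH version shipped in the image: newer releases document that a zero ClientAliveCountMax disables connection termination, in which case idle sessions would never be dropped. Check the image's sshd_config(5) and, if that wording is present, use a small positive count and state the resulting timeout in a comment.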
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5217-configure-ssh-LoginGraceTime.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5217-configure-ssh-LoginGraceTime.sh
new file mode 100644
index 0000000..6d155d3
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5217-configure-ssh-LoginGraceTime.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.2.17 Ensure SSH LoginGraceTime is set to one minute or less ##
+echo "LoginGraceTime 60" >> /etc/ssh/sshd_config
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5219-configure-ssh-banner.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5219-configure-ssh-banner.sh
new file mode 100644
index 0000000..16e8eca
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5219-configure-ssh-banner.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.2.19 Ensure SSH warning banner is configured ##
+echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
+touch /etc/issue.net
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5221-disable-ssh-AllowTcpForwarding.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5221-disable-ssh-AllowTcpForwarding.sh
new file mode 100644
index 0000000..9f24435
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5221-disable-ssh-AllowTcpForwarding.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.2.21 Ensure SSH AllowTcpForwarding is disabled ##
+sed -i 's/^AllowTcpForwarding .*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5222-configure-ssh-MaxStartups.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5222-configure-ssh-MaxStartups.sh
new file mode 100644
index 0000000..9073aea
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5222-configure-ssh-MaxStartups.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.2.22 Ensure SSH MaxStartups is configured ##
+echo "maxstartups 10:30:60" >> /etc/ssh/sshd_config
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5223-configure-ssh-MaxSessions.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5223-configure-ssh-MaxSessions.sh
new file mode 100644
index 0000000..fda69d4
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5223-configure-ssh-MaxSessions.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.2.23 Ensure SSH MaxSessions is set to 4 or less ##
+echo "MaxSessions 4" >> /etc/ssh/sshd_config
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5229-reload-sshconfig.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5229-reload-sshconfig.sh
new file mode 100644
index 0000000..6fa6b59
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5229-reload-sshconfig.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Reload sshd_config for changes in section 5.2.*
+systemctl force-reload sshd
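Review bot: The reload is issued without first validating the file that the preceding scripts edited with sed and `>>`. A malformed sshd_config would leave sshd unable to start or reload, which on a remote-only host means losing access; run `sshd -t` before `systemctl force-reload sshd` so the failure is reported here. The unit is ordered `Before=sshd.service`, so on a normal boot sshd is presumably not running yet when this line executes; a comment saying when the reload is expected to matter would help.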
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5310-configure-password-requirements.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5310-configure-password-requirements.sh
new file mode 100644
index 0000000..c4671cd
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5310-configure-password-requirements.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.3.1 Ensure password creation requirements are configured ##
+sed -i 's/^min.*$/min=disabled,disabled,disabled,disabled,14/' \
+  /etc/security/passwdqc.conf
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5330-configure-password-reuse.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5330-configure-password-reuse.sh
new file mode 100644
index 0000000..ea2f2b9
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5330-configure-password-reuse.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.3.3 Ensure password reuse is limited (Not Scored) ##
+sed -i '0,/password/s//password        required        pam_pwhistory.so remember=5\n&/' \
+  /etc/pam.d/system-auth
+sed -i 's/password.*pam_unix.so/& remember=5/' /etc/pam.d/system-auth
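Review bot: Neither sed expression is anchored or guarded, so the edit is not repeatable: every run inserts another `pam_pwhistory.so` line and adds another ` remember=5` after `pam_unix.so`. The first expression also matches the first occurrence of the word `password` anywhere in the file, including inside a comment, and would split that line in the middle. Anchor it to `^password` and skip the edit when `grep -q pam_pwhistory.so /etc/pam.d/system-auth` already succeeds. A broken system-auth affects every PAM login, so keeping a backup copy before writing is worth adding.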
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5340-set-password-hashing-algorithm.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5340-set-password-hashing-algorithm.sh
new file mode 100644
index 0000000..2f58c75
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5340-set-password-hashing-algorithm.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.3.4 Ensure password hashing algorithm is SHA-512 (Not Scored) ##
+sed -i '/password/s/md5/sha2/' /etc/pam.d/system-auth
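Review bot: `sha2` does not look like a valid pam_unix argument; the module's hashing options are named `sha256` and `sha512`, and the section title asks for SHA-512. Replacing `md5` with `sha2` would leave pam_unix with an unrecognised argument and the hash falling back to whatever default applies, so the control would not be met. Use `sed -i '/^password.*pam_unix\.so/s/md5/sha512/' /etc/pam.d/system-auth`, which also restricts the substitution to the pam_unix line.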
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5411-configure-password-expiration.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5411-configure-password-expiration.sh
new file mode 100644
index 0000000..b5ff27d
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5411-configure-password-expiration.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.4.1.1 Ensure password expiration is 365 days or less ##
+sed -i 's/^PASS_MAX_DAYS\t.*$/PASS_MAX_DAYS 365/' /etc/login.defs
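Review bot: Editing login.defs changes the default for accounts created afterwards only; existing accounts keep their current maximum age unless it is also set per user, e.g. with `chage --maxdays`. The pattern additionally requires a tab after `PASS_MAX_DAYS`, so a space-separated line is left untouched while sed still exits 0. Use `[[:space:]]\+` in the pattern and add a comment on how existing accounts are handled. 5412-configure-password-change-timeframe.sh has both issues for `PASS_MIN_DAYS`.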
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5412-configure-password-change-timeframe.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5412-configure-password-change-timeframe.sh
new file mode 100644
index 0000000..909302c
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5412-configure-password-change-timeframe.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.4.1.2 Ensure minimum days between password changes is 7 or more ##
+sed -i 's/^PASS_MIN_DAYS\t.*$/PASS_MIN_DAYS 7/' /etc/login.defs
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5414-configure-inactive-password-timeframe.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5414-configure-inactive-password-timeframe.sh
new file mode 100644
index 0000000..1a4c8b0
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5414-configure-inactive-password-timeframe.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.4.1.4 Ensure inactive password lock is 30 days or less ##
+useradd -D -f 30
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5420-configure-system-accounts.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5420-configure-system-accounts.sh
new file mode 100644
index 0000000..2bdedf2
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5420-configure-system-accounts.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.4.2 Ensure system accounts are secured ##
+usermod -s $(which nologin) chronos
+usermod -L chronos
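Review bot: `$(which nologin)` is unquoted and unchecked: if `which` finds nothing the substitution expands to no word at all, `usermod -s` then takes `chronos` as the shell and fails for lack of a login name, and `set -e` in setup.sh stops the remaining scripts. Resolve the path once with `command -v nologin`, fail with a message when it is empty, and pass it quoted, `usermod -s "${nologin_path}" chronos`. The section title covers system accounts in general while only `chronos` is handled here; a comment explaining why the others need no change would help.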
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5440-configure-default-user-umask.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5440-configure-default-user-umask.sh
new file mode 100644
index 0000000..c0fa426
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5440-configure-default-user-umask.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.4.4 Ensure default user umask is 027 or more restrictive ##
+sed -i 's/^umask .*$/umask 027/' /etc/profile
+echo "umask 027" >> /etc/profile.d/*
+echo "umask 027" >> /etc/bash/bashrc
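Review bot: `>> /etc/profile.d/*` redirects to a glob: bash rejects it as an ambiguous redirect when the directory holds more than one file, and creates a file literally named `*` when the directory is empty. Either way the umask is not applied through profile.d as intended, and under `set -e` in setup.sh the redirect error ends the run before 5450. Write one dedicated file instead, e.g. `echo "umask 027" > /etc/profile.d/<name>.sh`, which is also safe to repeat.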
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/5450-configure-default-shell-timeout.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/5450-configure-default-shell-timeout.sh
new file mode 100644
index 0000000..527bcab
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/5450-configure-default-shell-timeout.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+## Section: 5.4.5 Ensure default user shell timeout is 900 seconds or less ##
+echo "TMOUT=900" >> /etc/profile
+echo "TMOUT=900" >> /etc/bash/bashrc
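Review bot: `TMOUT=900` is written as an ordinary assignment, so any user can `unset TMOUT` or raise it and the timeout is advisory only; marking it `readonly` and exporting it closes that. Both lines are also appended with an unguarded `>>`, which adds a duplicate on every run if /etc persists. Write it once, e.g. `grep -q '^readonly TMOUT' /etc/profile || echo 'readonly TMOUT=900; export TMOUT' >> /etc/profile`, and check that a shell reading both /etc/profile and /etc/bash/bashrc does not hit the read-only assignment twice.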
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/cos-alphabet-compliance.service b/project-lakitu/app-admin/cos-alphabet-compliance/files/cos-alphabet-compliance.service
new file mode 100644
index 0000000..46b7a19
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/cos-alphabet-compliance.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Run alphabet compliance scripts
+ConditionKernelCommandLine=cos-alphabet-compliance
+Before=sshd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/share/google/security/setup.sh
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
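Review bot: `Before=sshd.service` only orders the two units; it does not make sshd depend on this one, so if setup.sh stops part-way (it runs under `set -e`) the unit fails and sshd still starts with whatever subset of the controls had been applied. If a partly hardened host accepting logins is not acceptable, add a requirement on the sshd side or an `OnFailure=` unit that makes the state visible. A short comment on the `ConditionKernelCommandLine=` gate, saying who is expected to set that token, would also help.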
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/files/setup.sh b/project-lakitu/app-admin/cos-alphabet-compliance/files/setup.sh
new file mode 100644
index 0000000..d15501f
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/files/setup.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# Copyright 2021 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Runs all alphabet compliance setup scripts.
+
+SECURITY_DIR=/usr/share/google/security
+
+set -e
+
+for script in $(ls -v "${SECURITY_DIR}"/[0-9][0-9][0-9][0-9]-*.sh) ; do
+  . ${script}
+done
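Review bot: The loop parses `ls` output and sources `${script}` unquoted, and because every script is sourced into one shell under `set -e`, the first failing command anywhere ends the whole run without saying which control failed. The glob already yields the four-digit prefixes in order, so `ls -v` is not needed. Running each script in its own `bash -e` and recording failures keeps later controls from being skipped and gives the unit a meaningful exit status. Whether to continue or stop after a failure is a policy choice worth stating in a comment.

```shell
# … unchanged: SECURITY_DIR assignment …
status=0
for script in "${SECURITY_DIR}"/[0-9][0-9][0-9][0-9]-*.sh; do
  [[ -e "${script}" ]] || continue
  if ! bash -e "${script}"; then
    echo "compliance script failed: ${script}" >&2
    status=1
  fi
done
exit "${status}"
```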
diff --git a/project-lakitu/app-admin/cos-alphabet-compliance/sshd_config b/project-lakitu/app-admin/cos-alphabet-compliance/sshd_config
new file mode 100644
index 0000000..c242377
--- /dev/null
+++ b/project-lakitu/app-admin/cos-alphabet-compliance/sshd_config
@@ -0,0 +1,3 @@
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,  hmac-sha2-256,hmac-sha2-512
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
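Review bot: This file does not appear to belong in the commit: it sits at the package root rather than under files/, src_install() in the ebuild does not install it, and its content is the `MACs` line from 5214-configure-MAC-algorithms.sh repeated three times. It reads like the output of local test runs of that script; if so, remove it from the change.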
diff --git a/project-lakitu/virtual/target-gcp/target-gcp-1.5-r1.ebuild b/project-lakitu/virtual/target-gcp/target-gcp-1.5-r2.ebuild
similarity index 100%
rename from project-lakitu/virtual/target-gcp/target-gcp-1.5-r1.ebuild
rename to project-lakitu/virtual/target-gcp/target-gcp-1.5-r2.ebuild
diff --git a/project-lakitu/virtual/target-gcp/target-gcp-1.5.ebuild b/project-lakitu/virtual/target-gcp/target-gcp-1.5.ebuild
index 0d22067..e0c3321 100644
--- a/project-lakitu/virtual/target-gcp/target-gcp-1.5.ebuild
+++ b/project-lakitu/virtual/target-gcp/target-gcp-1.5.ebuild
@@ -22,6 +22,7 @@
 
 RDEPEND="
 	stackdriver_alpha? ( app-admin/stackdriver )
+	app-admin/cos-alphabet-compliance
 	app-admin/google-guest-agent
 	app-admin/google-osconfig-agent
 	app-admin/oslogin
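Review bot: The dependency is added unconditionally, so every image built from this target ships scripts that rewrite PAM, sshd and firewall settings as root, with activation resting solely on the `cos-alphabet-compliance` kernel command-line token checked by the unit. The line above shows the USE-flag form (`stackdriver_alpha? ( ... )`); if only some images need the compliance profile, gate this entry the same way, or add a comment explaining why it is installed everywhere. The RDEPEND block continues outside the hunk.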