cookbook 'os-hardening', '= 3.0.0'
os-hardening
3.0.0
Installs and configures operating system hardening
cookbook 'os-hardening', '= 3.0.0', :supermarket
knife supermarket install os-hardening
knife supermarket download os-hardening
os-hardening (Chef cookbook)
Description
This cookbook provides numerous security-related configurations, providing all-round base protection.
It configures:
- Configures package management, e.g. allows only signed packages
- Removes packages with known issues
- Configures the `pam` and `pam_limits` modules
- Shadow password suite configuration
- Configures system path permissions
- Disables core dumps via soft limits
- Restricts root logins to the system console
- Sets SUIDs
- Configures kernel parameters via sysctl
It will not:
- Update system packages
- Install security patches
Requirements
- Chef >= 12.5.1
- Cookbooks:
  - Sander van Zoest sysctl: https://github.com/svanzoest-cookbooks/sysctl
Attributes
- `['os-hardening']['desktop']['enable'] = false` - true if this is a desktop system, i.e. Xorg, KDE/GNOME/Unity/etc.
- `['os-hardening']['network']['forwarding'] = false` - true if this system requires packet forwarding (e.g. a router), false otherwise
- `['os-hardening']['network']['ipv6']['enable'] = false`
- `['os-hardening']['network']['arp']['restricted'] = true` - true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
- `['os-hardening']['env']['extra_user_paths'] = []` - add additional paths to the user's `PATH` variable (default is empty)
- `['os-hardening']['env']['umask'] = "027"`
- `['os-hardening']['env']['root_path'] = "/"` - where root is mounted
- `['os-hardening']['auth']['pw_max_age'] = 60` - maximum password age
- `['os-hardening']['auth']['pw_min_age'] = 7` - minimum password age (before allowing any other password change)
- `['os-hardening']['auth']['pw_warn_age'] = 7` - number of days before the maximum password age is reached at which to warn of the impending change
- `['os-hardening']['auth']['retries'] = 5` - the maximum number of authentication attempts before the account is locked for some time
- `['os-hardening']['auth']['lockout_time'] = 600` - time in seconds that needs to pass if the account was locked due to too many failed authentication attempts
- `['os-hardening']['auth']['timeout'] = 60` - authentication timeout in seconds; login will exit if this time passes
- `['os-hardening']['auth']['allow_homeless'] = false` - true to allow users without a home directory to log in
- `['os-hardening']['auth']['pam']['passwdqc']['enable'] = true` - true if you want to use strong password checking in PAM using passwdqc
- `['os-hardening']['auth']['pam']['passwdqc']['options'] = "min=disabled,disabled,16,12,8"` - set to any option line (as a string) that you want to pass to passwdqc
- `['os-hardening']['security']['users']['allow'] = []` - list of things that a user is allowed to do. May contain: `change_user`
- `['os-hardening']['security']['kernel']['enable_module_loading'] = true` - true if you want to be allowed to change kernel modules once the system is running (e.g. `modprobe`, `rmmod`)
- `['os-hardening']['security']['kernel']['disable_filesystems'] = ['cramfs', 'freevxfs', 'jffs2', 'hfs', 'hfsplus', 'squashfs', 'udf', 'vfat']` - list of kernel file system modules which are blacklisted for loading (e.g. because they are unused and can be disabled). Set this to `[]` to completely avoid this blacklisting
- `['os-hardening']['security']['kernel']['enable_sysrq'] = false`
- `['os-hardening']['security']['kernel']['enable_core_dump'] = false`
- `['os-hardening']['security']['suid_sgid']['enforce'] = true` - true if you want to reduce SUID/SGID bits. There is already a configured list of items which are searched for, but you can also add your own
- `['os-hardening']['security']['suid_sgid']['blacklist'] = []` - a list of paths which should have their SUID/SGID bits removed
- `['os-hardening']['security']['suid_sgid']['whitelist'] = []` - a list of paths which should not have their SUID/SGID bits altered
- `['os-hardening']['security']['suid_sgid']['remove_from_unknown'] = false` - true if you want to remove SUID/SGID bits from any file that is not explicitly configured in a `blacklist`. This will make every Chef run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`
- `['os-hardening']['security']['suid_sgid']['dry_run_on_unknown'] = false` - like `remove_from_unknown` above, only that SUID/SGID bits aren't removed. It will still search the filesystems for SUID/SGID bits, but will only print them in your log. This option is only recommended when you first configure `remove_from_unknown`, so that you can see the files that would be changed and make adjustments to your `whitelist` and `blacklist`
- `['os-hardening']['security']['packages']['clean'] = true` - removes packages with known issues
- `['os-hardening']['security']['packages']['list'] = ['xinetd','inetd','ypserv','telnet-server','rsh-server']` - list of packages to remove; by default the packages listed here are removed
- `['os-hardening']['security']['selinux_mode'] = 'unmanaged'` - set to `unmanaged` if you want to leave the SELinux configuration as it is. Set to `enforcing` to enforce, or `permissive` to make SELinux permissive
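As an added example (not code from the os-hardening cookbook), the Ruby below models how the `suid_sgid` attributes above combine to decide what happens to each SUID/SGID file found on a host: `enforce`, `blacklist`, `whitelist`, `remove_from_unknown` and `dry_run_on_unknown`. The file paths and lists are constructed sample data, and treating the whitelist as taking precedence over the blacklist for a path in both lists is an assumption, since the README does not state it.

```ruby
# Added example, not part of the os-hardening cookbook: a model of the
# suid_sgid attribute semantics from the README. The hash mirrors the shape
# of node['os-hardening']['security']['suid_sgid']; values are constructed.
SUID_SGID_ATTRS = {
  'enforce'             => true,
  'blacklist'           => ['/usr/local/bin/constructed-setuid-tool'],
  'whitelist'           => ['/usr/bin/sudo', '/usr/bin/passwd'],
  'remove_from_unknown' => true,
  'dry_run_on_unknown'  => false
}.freeze

# Constructed stand-in for the result of searching the mounted filesystems
# for files with SUID/SGID bits set (the cookbook does this on each run).
FOUND_SUID_SGID = [
  '/usr/bin/sudo',
  '/usr/bin/passwd',
  '/usr/local/bin/constructed-setuid-tool',
  '/opt/vendor/constructed-helper'
].freeze

# Maps each found path to :keep, :remove or :log_only.
#  - enforce = false: nothing is touched at all
#  - whitelist: never altered (assumed to win over blacklist; the README does
#    not say what happens when a path appears in both lists)
#  - blacklist: SUID/SGID bits removed
#  - unknown paths: dry_run_on_unknown only logs them, remove_from_unknown
#    removes them, otherwise they are left alone
def classify_suid_sgid(found_paths, attrs)
  return found_paths.each_with_object({}) { |p, h| h[p] = :keep } unless attrs['enforce']

  found_paths.each_with_object({}) do |path, plan|
    plan[path] =
      if attrs['whitelist'].include?(path)
        :keep
      elsif attrs['blacklist'].include?(path)
        :remove
      elsif attrs['dry_run_on_unknown']
        :log_only
      elsif attrs['remove_from_unknown']
        :remove
      else
        :keep
      end
  end
end

# Tuning helper: the unknown paths a dry run would report, i.e. the candidates
# to sort into whitelist or blacklist before turning on remove_from_unknown.
def dry_run_candidates(found_paths, attrs)
  classify_suid_sgid(found_paths, attrs.merge('dry_run_on_unknown' => true))
    .select { |_, decision| decision == :log_only }.keys
end
```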
Usage
Add the recipe to the `run_list`; it should be last:

```json
"recipe[os-hardening]"
```

Configure attributes (these live under the `os-hardening` key):

```json
"security" : {
  "kernel" : {
    "enable_module_loading" : true
  }
},
```
Local Testing
Please install chef-dk, VirtualBox or VMware Workstation and Vagrant.
Linting is checked with rubocop and foodcritic:

```bash
$ chef exec rake lint
```

Unit/spec tests are done with chefspec:

```bash
$ chef exec rake spec
```

Integration tests are done with test-kitchen and inspec:

```bash
$ chef exec rake kitchen
# or you can use kitchen directly
$ kitchen test
```
CI testing of forks
You can enable testing of your fork in Travis CI. By default you will get linting and spec tests.
Integration tests of this repository are conducted using DigitalOcean.
If you want to have integration tests for your fork, you will have to add the following environment variables in the settings of your fork:
- `DIGITALOCEAN_ACCESS_TOKEN` - access token for DigitalOcean
- `CI_SSH_KEY` - private part of some ssh key, available on DigitalOcean for your instances, in base64 encoded form (e.g. `cat id_rsa | base64 -w0 ; echo`)
- `DIGITALOCEAN_SSH_KEY_IDS` - ID in DigitalOcean of `CI_SSH_KEY`, see this for more information
Contributors + Kudos
- Dominik Richter arlimus
- Bernhard Weisshuhn bkw
- Christoph Hartmann chris-rock
- Edmund Haselwanter ehaselwanter
- Patrick Meier atomic111
This cookbook is mostly based on guides by:
- Arch Linux wiki, Sysctl hardening
- Ubuntu Security/Features
- NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5
- Deutsche Telekom, Group IT Security, Security Requirements (German)
Thanks to all of you!!
Contributing
See [contributor guideline](CONTRIBUTING.md).
License and Author
- Author:: Dominik Richter dominik.richter@googlemail.com
- Author:: Deutsche Telekom AG
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Change Log
v3.0.0 (2017-12-21)
Closed issues:
- os-10 from linux-baseline is missing #167
- Removal of core dump hardening configuration if core dumps are allowed #165
- Integration testing of this cookbook in the CI #142
- Selinux enforcing support for RHEL/Centos? #106
- If I "enable" core dumps with chef-os-hardening, am I really fully enabling core dumps? #105
Merged pull requests:
- Skip auditd tests #181 (artem-sidorenko)
- Make fedora tests pass #179 (shoekstra)
- Control ownership of /var/log #178 (shoekstra)
- RH family: adapt some settings, as RH has better defaults #177 (artem-sidorenko)
- Fix for fedora: lets use generic package resource #176 (artem-sidorenko)
- Kitchen: Using the same names for platforms for different drivers #175 (artem-sidorenko)
- Enable core dumps if they are enabled via attribute #174 (artem-sidorenko)
- Selinux enforcing support for RHEL/Centos #173 (AnMoeller)
- Kitchen: Update of testing boxes/images #172 (artem-sidorenko)
- Lets disable unused filesystems per default #169 (artem-sidorenko)
v2.1.1 (2017-08-21)
Closed issues:
- Cookbook fails on CentOS Linux release 7.2.1511 - kernel.exec-shield #166
Merged pull requests:
- Fix: do not touch exec-shield on RHEL 7 #168 (artem-sidorenko)
v2.1.0 (2017-06-12)
Closed issues:
- Testing of chef 13 in the CI #155
- auditd package is not installed #145
- Procps conditional failing #48
Merged pull requests:
- CI: update to ruby 2.4.1 and gem update #164 (artem-sidorenko)
- Proper testing if kernel modules are disabled #163 (artem-sidorenko)
- Proper permissions for shadow on debian family #162 (artem-sidorenko)
- Support auditd installation on different distros #161 (artem-sidorenko)
- Docs: fix the wrong kitchen URL and add inspec #160 (artem-sidorenko)
- Chef 13 and 12 CI testing and cleanup of EOL distros #159 (artem-sidorenko)
- Install auditd package #158 (artem-sidorenko)
v2.0.1 (2017-04-11)
Fixed bugs:
- ['os-hardening']['desktop']['enable'] is missing in 2.0.0 #153
Merged pull requests:
- Default value for ['os-hardening']['desktop']['enable'] #154 (artem-sidorenko)
v2.0.0 (2017-04-06)
Implemented enhancements:
- Remove dependenies to apt and yum cookbooks. #132 (artem-sidorenko)
- Using braket syntax to resolve deprecation message #131 (artem-sidorenko)
- remove old content #126 (chris-rock)
- Own attribute namespace for os-hardening #114 (joshmyers)
Closed issues:
- pam_passwdqc package install idempotence #134
- Openhub is not up to date #129
- login.defs.erb contains a non-ASCII character which causes a knife cookbook upload failure #122
- fixing the 4 rspec failure #121
- pam node attribute namespace error #118
- Use travis for integration testing #115
- attributes need to be localized to the node['chef-os-hardening'] namespace #113
Merged pull requests:
- Docs: removing obsolete sysctl hint #151 (artem-sidorenko)
- Moving the attributes with dependencies on other attributes to the recipes #150 (artem-sidorenko)
- Cleanup of sysctl dependency #149 (artem-sidorenko)
- Disable entropy testing #146 (artem-sidorenko)
- Execute integration tests in DigitalOcean #144 (artem-sidorenko)
- Update of Gemfile #141 (artem-sidorenko)
- Remove dependenies to apt and yum cookbooks. #140 (artem-sidorenko)
- Update of kitchen vagrant file #139 (artem-sidorenko)
- Fix the version in metadata.rb #138 (artem-sidorenko)
- Cleanup, update of links in readme #137 (artem-sidorenko)
- Use caching to improve spec performance #136 (ncs-alane)
- Add attribute to control login.defs PASS_WARN_AGE #135 (ncs-alane)
- Revert "Remove dependenies to apt and yum cookbooks." #133 (artem-sidorenko)
- Update test-kitchen settings #130 (shortdudey123)
- Opscode => Chef #128 (shortdudey123)
- Update Rubocop, Foodcritic, and Chefspec coverage #127 (shortdudey123)
- Fix links to opensource tools in README #125 (netflash)
- FIX for issue #122 non-ASCII character #124 (atomic111)
- Update rhel_system_auth.erb #120 (phillym)
- [pam-attr-namespace-fix] #119 (rljohnsn)
- Use new InSpec integration tests #117 (chris-rock)
- Fix issues highlighted in #114 #116 (chris-rock)
v1.4.1 (2016-05-29)
Implemented enhancements:
- Update changelog #103 (chris-rock)
- added inspec to gemfile and inspec verifier to kitchen.yml #101 (atomic111)
Closed issues:
- pam recipe failing with chef client > 12.8.1 #112
- pam_passwdqc installation fails on CentOS 7.1 #102
- tests fail in travis #94
- Fails when used in conjunction with openldap::auth recipe #91
- packages with known issues are not actually removed on debian/ubuntu #90
- Actually log martians? #89
- Archlinux doesn't have a limits.d directory by default #84
- Support Centos 7 #79
Merged pull requests:
- Pam options and fixes #111 (foonix)
- Enable martian logging for ipv4 #109 (foonix)
- Initial support for CentOS/RHEL 5 #108 (foonix)
- Enable pam_pwquality in rhel-family > 7 #104 (boldandbusted)
- Fix bug in execute[update-pam] resource in newer version of Chef. #100 (patcon)
- Expose list of packages to remove as an attribute #99 (mikemoate)
- Fix pam_passwdqc template #98 (chris-rock)
- Berkshelf 4 Upgrade and Ruby 1.9.3 drop #96 (chris-rock)
- Remove packages with known issues on debian/ubuntu #93 (mikemoate)
- Add SINGLE and PROMPT parameters. #92 (foonix)
- update common kitchen.yml platforms #87 (chris-rock)
- Allow sys uid min/max and sys gid min/max to be configured #86 (joshgarnett)
- fixes #84 #85 (chris-rock)
v1.3.1 (2015-07-04)
Closed issues:
- 1.3.0 release on supermarket is broken #83
v1.3.0 (2015-06-29)
Closed issues:
- possible incompatibility with Chef client release 12.4 #82
- ERROR: No resource or method named `File' for Chef::Recipe "sysctl"' #80
- update tutorial.md #67
- Installation doesnt work #66
Merged pull requests:
- Update sysctl.rb #81 (Rockstar04)
- feature: implement ipv6 router advertisement settings #78 (chris-rock)
- update common Gemfile for chef11+12 #77 (arlimus)
- common files: centos7 + rubocop #76 (arlimus)
- update common kitchen.yml platforms #75 (arlimus)
- update common readme badges #74 (arlimus)
- fix SUID/SGID bit cleaning API spelling (unkown -> unknown) #72 (dupuy)
- RHN config check should work #71 (rapenchukd)
- update tutorial #68 (chris-rock)
v1.2.0 (2015-01-08)
Fixed bugs:
- Chef::Exceptions::Exec: yum_package[xinetd] (os-hardening::yum line 50) #57
Closed issues:
- deactivate pw_max_age #58
- can't convert String into Integer for package 'pam-ccreds' #54
- Better error handling for cpu detection #42
- ChefSpec and Ohai/Fauxhai: cpu #41
Merged pull requests:
- updating common files #65 (arlimus)
- Idempotency #64 (rmoriz)
- Badges #63 (chris-rock)
- make uid_min and gid_min of login.defs configurable #62 (bkw)
- standalone installation needs ohai cookbook as dep #61 (aschmidt75)
- updating common files #59 (arlimus)
- fix chefspec depreciation warning about `should` #56 (bkw)
- improve cpu detection and implement intel fallback #55 (chris-rock)
- updating common files #53 (arlimus)
- chefspec test for limites #52 (chris-rock)
- Introduce Chef Spec #51 (chris-rock)
- improvement: switch to site location in berkshelf #50 (chris-rock)
- bugfix: fix failing conditional for procps #49 (arlimus)
- Drop procps service #47 (bkw)
v1.1.2 (2014-09-08)
Closed issues:
- sysctl dependency #44
Merged pull requests:
- Sysctl update to 0.6.0 #46 (arlimus)
- Lint #43 (chris-rock)
- add more documentation about test run #40 (chris-rock)
v1.1.1 (2014-07-28)
v1.1.0 (2014-07-28)
Implemented enhancements:
- Conservative package update #10
Closed issues:
- Tagged Release #34
- passwordless users not able to log in #32
- remove ntp #19
- Tests for suid bits #15
- forwarding isnt configured #9
- properly handle sysctl again #8
- enfore security updates #7
- enable_sysrq-check is faulty #6
- Validate suid-bit removal from /bin/screen #5
Merged pull requests:
- updated kitchen images to current batch (mysql-equivalent) #39 (arlimus)
- intend fix #38 (chris-rock)
- fix wrong class definition #37 (arlimus)
- fix wrong class definition #36 (chris-rock)
- add commont lint task. fix issues #35 (ehaselwanter)
- update with common run_all_linters task #33 (ehaselwanter)
- add Gemfile.lock to ignore list and remove it from tree #31 (ehaselwanter)
- streamline .rubocop config #30 (ehaselwanter)
- bugfix: make sysctl arp restrictions apply to all #29 (arlimus)
- Lint #28 (chris-rock)
- various rubocop style fixes #27 (ehaselwanter)
- fix FC019: Access node attributes in a consistent manner, use single quotes #26 (ehaselwanter)
- make kitchen run optional, ignore shred test repo #25 (ehaselwanter)
- changed the log_martians value to 0 in attributes/sysctl.rb #24 (atomic111)
- improvement: clarify SUID/SGID options in readme #23 (arlimus)
- be more forgiving and relax rubocop #22 (ehaselwanter)
- add linting, spec, guard infrastructure as well as config files #21 (ehaselwanter)
- remove ntp #20 (arlimus)
- new gem release for sharing just the integration folder #18 (ehaselwanter)
- Use shared test-repo #17 (ehaselwanter)
- improvement: move /usr/bin/screen to SGID whitelisting #14 (arlimus)
- Packages #12 (chris-rock)
- sysctl fixes #11 (arlimus)
- Contributing guide #4 (arlimus)
- Bugfix: broken link for debian wheezy vagrant box in .kitchen.yml and also broken link for NSA RedHat security guide in README.md #3 (atomic111)
- add license and improve styling #2 (chris-rock)
- Fix: markdown fix in TUTORIAL.md #1 (atomic111)
* This Change Log was automatically generated by github_changelog_generator
Collaborator Number Metric
3.0.0 passed this metric
Contributing File Metric
3.0.0 passed this metric
Foodcritic Metric
3.0.0 passed this metric
License Metric
3.0.0 passed this metric
No Binaries Metric
3.0.0 passed this metric
Testing File Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
3.0.0 passed this metric