cookbook 'stig', '= 0.6.0'
stig
(39) Versions
0.6.0
-
Follow10
Installs/Configures CIS STIG benchmarks
cookbook 'stig', '= 0.6.0', :supermarket
knife supermarket install stig
knife supermarket download stig
STIG Cookbook
Installs and configures the CIS CentOS Linux 6 benchmark.
These sets of recipes aim to harden the operating system in order to pass all scored CIS benchmarks and optionally all unscored CIS benchmarks.
More information about CIS benchmarks may be found at http://benchmarks.cisecurity.org
Requirements
Platforms
- CentOS 6.6
Cookbooks
- logrotate
- sysctl
Suggests
- auditd, ~> 0.1.8
[Changelog](CHANGELOG.md)
Attributes
node['stig']['grub']['hashedpassword']
= The hashed grub password to use. Ex: openssl passwd -1 ChangeMe (String (MD5 Hash))node['stig']['limits']
= A hash of items that go into /etc/security/limits.conf (Array of Hashes of Hashes)node['stig']['auditd']
= See: Auditd Configurationnode['stig']['mount_disable']['cramfs']
= Disable cramfs filesystem (Boolean)node['stig']['mount_disable']['freevxfs']
= Disable freevxfs filesystem (Boolean)node['stig']['mount_disable']['jffs2']
= Disable jffs2 filesystem (Boolean)node['stig']['mount_disable']['hfs']
= Disable hfs filesystem (Boolean)node['stig']['mount_disable']['hfsplus']
= Disable hfsplus filesystem (Boolean)node['stig']['mount_disable']['squashfs']
= Disable squashfs filesystem (Boolean)node['stig']['mount_disable']['udf']
= Disable udf filesystem (Boolean)node['stig']['mail_transfer_agent']['inet_interfaces']
= Configure Mail Transfer Agent for Local-Only Mode - If the system is intended to be a mail server, change from "localhost" (String)node['stig']['network']['zeroconf']
= Disable Avahi Server (true = disabled, false = enabled) (Boolean)node['stig']['network']['ip_forwarding']
= Disable IP Forwarding (true = enabled, false = disabled) (Boolean)node['stig']['network']['packet_redirects']
= Disable Send Packet Redirects (true = enabled, false = disabled) (Boolean)node['stig']['network']['icmp_redirect_accept']
= Disable ICMP Redirect Acceptance (true = enabled, false = disabled) (Boolean)node['stig']['network']['icmp_all_secure_redirect_accept']
= Disable Secure ICMP Redirect Acceptance (true = enabled, false = disabled) (
Boolean)node['stig']['network']['log_suspicious_packets']
= Log Suspicious Packets (true = enabled, false = disabled) (Boolean)node['stig']['network']['rfc_source_route_validation']
= Enable RFC-recommended Source Route Validation (true = enabled, false = disabled) (Boolean)node['stig']['network']['ipv6_redirect_accept']
= Disable IPv6 Redirect Acceptance (true = enabled, false = disabled) (Boolean)node['stig']['network']['hosts_allow']
= Create /etc/hosts.allow - An array of <net>/<mask> combinations or 'ALL' (Array of String)node['stig']['network']['hosts_deny']
= Create /etc/hosts.deny - An array of <net>/<mask> combinations or 'ALL' (Array of String)node['stig']['network']['disable_dcpp']
= Disable DCCP (true = disable, false = enable) (Boolean)node['stig']['network']['disable_sctp']
= Disable SCTP (true = disable, false = enable) (Boolean)node['stig']['network']['disable_rds']
= Disable RDS (true = disable, false = enable) (Boolean)node['stig']['network']['disable_tipc']
= Disable TIPC (true = disable, false = enable) (Boolean)node['stig']['network']['ipv6']
= Disable IPV6 ("no" = disable, "yes" = enable) (String)
( See https://supermarket.chef.io/cookbooks/sysctl )
- node['sysctl']['*']
= Sets configuration in sysctl config file. See default attributes.
-
node['stig']['logging']['rsyslog_rules']
= Configure /etc/rsyslog.conf - Include rules for logging in array with space separating rule with log location (Array of String) -
node['stig']['logging']['rsyslog_rules_rhel']
= Configure /etc/rsyslog.conf for RHEL - Include rules for logging in array with space separating rule with log location (Array of String) node['stig']['logging']['rsyslog_rules_debian']
= Configure /etc/rsyslog.conf for Debian - Include rules for logging in array with space separating rule with log location (Array of String)node['stig']['selinux']['enabled']
= By default, SELinux is enabled. However, there may be reasons to shut it off (Boolean)node['stig']['selinux']['status']
= Possible values: enforcing, permissive (String)node['stig']['selinux']['type']
= Possible values: targeted, mls (String)node['stig']['sshd_config']['log_level']
= SSHd log level (String)node['stig']['sshd_config']['max_auth_tries']
= SSHd Max auth tries (Integer)node['stig']['sshd_config']['ignore_rhosts']
= SSHd Ignore rhosts (Boolean)node['stig']['sshd_config']['host_based_auth']
= Set SSH HostbasedAuthentication to No (Boolean)node['stig']['sshd_config']['permit_root_login']
= Allow SSH root login (Boolean)node['stig']['sshd_config']['permit_empty_passwords']
= Allow SSH to permit empty passwords (Boolean)node['stig']['sshd_config']['allow_users_set_env_opts']
= Allow Users to Set Environment Options (Boolean)node['stig']['sshd_config']['banner_path']
= Set SSH login banner path (String)node['stig']['sshd_config']['deny_users']
= List of users to deny SSH login to (Array of String)node['stig']['system_auth']['pass_reuse_limit']
= Limit password reuse - Represents the amount of passwords the user is forced to not reuse (Integer)node['stig']['login_defs']['pass_max_days']
= Password expiration in days (Integer)node['stig']['login_defs']['pass_min_days']
= Minimum wait time, in days, before changing password (Integer)node['stig']['login_defs']['pass_warn_age']
= Number of days before password expires where system begins warning user (Integer)node['stig']['login_banner']['motd']
= Login banner (String)node['stig']['login_banner']['issue']
= Login banner (String)node['stig']['login_banner']['issue_net']
= Login banner (String)node["stig"]["mail_transfer_agent"]["inet_interfaces"]
= The address the the mail transfer agent should listen on (String)
Usage
Simply include the default recipe (stig::default) on an instance that needs to be hardened. May also want to include the auditd recipe (stig::auditd) to set a custom auditd configuration file
Authors
- Author:: Ivan Suftin (isuftin@usgs.gov)
- Author:: David Blodgett (dblodgett@usgs.gov)
License
Unless otherwise noted below, this software is in the public domain because it contains
materials that originally came from the United States Geological Survey, an agency of the
United States Department of Interior. For more information, see the official USGS
copyright policy at: http://www.usgs.gov/visual-id/credit_usgs.html#copyright
More information in license file
Dependent cookbooks
logrotate >= 0.0.0 |
sysctl >= 0.0.0 |
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
Changelog
0.6.0
-- [steve@bigsteve.us] - fix some rubocop violations
-- [steve@bigsteve.us] - switch to using chef inspec
-- [steve@bigsteve.us] - remove Centos 6.6 and 6.8
-- [steve@bigsteve.us] - bump version to 0.6.0
-- [steve@bigsteve.us] - remove kitchen version pin.0.5.5
-- [arothian@github] - Update aide to setup crontab for ubuntu0.5.4
-- [isuftin@usgs.gov] - Fix an issue with auth-config being improperly written to for pass reuse limit0.5.3
-- [isuftin@usgs.gov] - Switch sysctl write flags0.5.2
-- [isuftin@usgs.gov] - Ignore errors on unknown sysctl keys0.5.1
-- [isuftin@usgs.gov] - Included third-party sysctl cookbook as a hard-coupled dependency by calling it in proc_hard recipe0.5.0
-- [isuftin@usgs.gov] - Switched sysctl.conf template writing out and brought in the third-party sysctl cookbook to handle writing .d config file
-- [isuftin@usgs.gov] - Updated serverspec testing0.4.3
-- [isuftin@usgs.gov] - Updated to switch out which file in /etc/pam.d/system-auth* gets symlinked0.4.2
-- [isuftin@usgs.gov] - Fix most foodcritic errors and warnings
-- [isuftin@usgs.gov] - CIS 1.6.2 (Configure ExecShield) was removed in 2.0.0 of all CIS STIG. No longer testing for it
-- [isuftin@usgs.gov] - Added updates to SSHD config to allow boolean for password authentication
-- [isuftin@usgs.gov] - Updated system auth recipe to be less destructive to /etc/pam.d/system-auth since that may be updated by authconfig
-- [isuftin@usgs.gov] - Fixed a few tests0.4.1
-- [isuftin@usgs.gov] - Updated sshd config to include approved ciphers (RHEL6 STIG 6.2.11)
-- [isuftin@usgs.gov] - Added the ability to changeChallengeResponseAuthentication
in sshd config
-- [isuftin@usgs.gov] - Added the ability to changeUsePAM
in sshd config0.4.0
-- [isuftin@usgs.gov] - Users may now add auditd rules directly as a series of attributes0.3.11
-- [isuftin@usgs.gov] - More Auditd fixes0.3.10
-- [isuftin@usgs.gov] - Fix auditd default parameters which break the build
-- [isuftin@usgs.gov] - Add documentation for new attributes0.3.9
-- [isuftin@usgs.gov] - Fully parameterized auditd configuration file
-- [isuftin@usgs.gov] - No longer calling the auditd cookbook directly from auditd.rb
-- [isuftin@usgs.gov] - Auditd cookbook is no longer a direct dependency of the STIG cookbook. Should be part of an overall runlist0.3.8
-- [isuftin@usgs.gov] - Updated STIG and Audit rules to CIS RHEL Stig 1.4.0
-- [isuftin@usgs.gov] - Added CentOS 6 ruleset 3.2 - "Remove the X Window System"
-- [isuftin@usgs.gov] - Fixed and added many Serverspec tests
-- [isuftin@usgs.gov] - Corrected a typo incheck_duplicate_gid.sh
to correct STIG control number
-- [isuftin@usgs.gov] - Removed CIS wording from audit scripts
-- [isuftin@usgs.gov] - Enforced permissions on /boot/grub/grub.conf as per STIG 1.5.2
-- [isuftin@usgs.gov] - Removed grub.conf template
-- [isuftin@usgs.gov] - Updated mounting of /dev/shm to be idempotent
Collaborator Number Metric
0.6.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Foodcritic Metric
0.6.0 passed this metric
License Metric
0.6.0 failed this metric
stig does not have a valid open source license.
Acceptable licenses include Apache 2.0, apachev2, MIT, mit, GNU Public License 2.0, gplv2, GNU Public License 3.0, gplv3.
0.6.0 failed this metric
0.6.0 passed this metric
License Metric
0.6.0 failed this metric
stig does not have a valid open source license.
Acceptable licenses include Apache 2.0, apachev2, MIT, mit, GNU Public License 2.0, gplv2, GNU Public License 3.0, gplv3.
0.6.0 failed this metric
Acceptable licenses include Apache 2.0, apachev2, MIT, mit, GNU Public License 2.0, gplv2, GNU Public License 3.0, gplv3.