diff --git a/.kitchen.yml b/.kitchen.yml
index f5be32c..729fe51 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -1,44 +1,42 @@ --- - driver: name: vagrant - provisioner: name: puppet_apply - test_repo_uri: "https://github.com/TelekomLabs/tests-os-hardening.git" - + test_repo_uri: https://github.com/TelekomLabs/tests-os-hardening.git platforms: - name: ubuntu-12.04 driver_config: box: opscode-ubuntu-12.04 box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box - +- name: ubuntu-14.04 + driver_config: + box: opscode-ubuntu-14.04 + box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box - name: centos-6.4 driver_config: box: opscode-centos-6.4 box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box - - name: centos-6.5 driver_config: - box: opscode-centos-6.5 - box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box - + box: opscode-centos-6.5 + box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box - name: oracle-6.4 driver_config: box: oracle-6.4 - box_url: https://dl.dropbox.com/sh/yim9oyqajopoiqs/G-XIEmQJMb/oracle64-64.box - -- name: debian-squezze-6 - driver_config: - box: debian-squezze-6 - box_url: http://public.sphax3d.org/vagrant/squeeze64.box - -- name: debian-wheezy-7 - driver_config: - box: debian-wheezy-7 - box_url: https://dl.dropboxusercontent.com/s/cd583cuf0mbcix7/debian-wheezy-64-chef.box - + box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box +- name: oracle-6.5 + driver_config: + box: oracle-6.5 + box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box +- name: debian-6 + driver_config: + box: debian-6 + box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-6.0.10-amd64_virtualbox.box +- name: debian-7 + driver_config: + box: debian-7 + box_url: 
https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-7.7.0-amd64_virtualbox.box suites: - name: default manifest: site.pp - diff --git a/.rubocop.yml b/.rubocop.yml index 7e7895a..a7edf5f 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,10 +1,10 @@ +--- AllCops: Exclude: - - vendor/** - - metadata.rb - - '**/Puppetfile' - - Puppetfile - + - vendor/**/* + - test/**/* + - spec/fixtures/**/* + - Puppetfile Documentation: Enabled: false AlignParameters: @@ -15,7 +15,15 @@ HashSyntax: Enabled: false LineLength: Enabled: false +EmptyLinesAroundBlockBody: + Enabled: false MethodLength: - Max: 30 + Max: 40 NumericLiterals: MinDigits: 10 +Metrics/CyclomaticComplexity: + Max: 10 +Metrics/PerceivedComplexity: + Max: 10 +Metrics/AbcSize: + Max: 29 diff --git a/.travis.yml b/.travis.yml index a82bec6..bec2c7e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,6 +6,7 @@ language: ruby bundler_args: --without development integration openstack env: - PUPPET_VERSION="~> 2.7.0" + - PUPPET_VERSION="~> 3.4.3" - PUPPET_VERSION="~> 3.5.0" - PUPPET_VERSION="~> 3.6.0" matrix: diff --git a/CHANGELOG.md b/CHANGELOG.md index 61531a5..597fd40 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,20 @@ # Changelog +## 1.1.0 + +**API-change**: renamed module to `hardening-os_hardening` + +* improvement: linting + +## 1.0.2 + +* improvement: only run 'update-pam' when needed + +## 1.0.1 + +* bugfix: add missing colon for user-defined paths in PATH env +* adjust login.defs template to not log user logins (as per Debian defaults) + ## 1.0.0 * add verified support for puppet 3.6, remove support for puppet 3.0 and 3.4 @@ -36,7 +51,7 @@ * feature: add configurable system environment * feature: remove suid/sgid bits from blacklist -* feature: remove suid/sgid bits from unkown files +* feature: remove suid/sgid bits from unknown files ## 0.1.0 diff --git a/Gemfile b/Gemfile index 157cbcc..f71d126 100644 --- a/Gemfile +++ b/Gemfile 
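Review bot: The added ubuntu-14.04 box, like the kept ubuntu-12.04 and centos-6.5 boxes, is fetched over plain `http://opscode-vm-bento.s3.amazonaws.com/...`, so the VM image the hardening tests run against can be altered in transit, and none of the eight platforms carries a checksum. The same S3 family of hosts is already reached over TLS for centos-6.4 (`https://opscode-vm.s3.amazonaws.com/...`), so switching the three bento URLs to `https://opscode-vm-bento.s3.amazonaws.com/...` costs nothing. The new debian-6/debian-7 and oracle-6.x images come from third-party buckets (`ffuenf-vagrantboxes`, `istoilis-istoilis`); if the kitchen-vagrant version in use can pass Vagrant's `box_download_checksum`/`box_download_checksum_type` through `driver_config`, pin each of those boxes to its published checksum so a replaced image is noticed rather than silently tested against.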
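Review bot: The new matrix entry `- PUPPET_VERSION="~> 3.4.3"` in .travis.yml contradicts the CHANGELOG hunk of this same commit, whose 1.0.0 entry states that support for puppet 3.4 was removed; one of the two is stale. If 3.4.3 is deliberately back in CI, add a line under 1.1.0 such as `* re-add puppet 3.4 to the CI matrix`; otherwise drop the entry so the matrix matches the declared support.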
@@ -1,6 +1,9 @@ +# encoding: utf-8 + source 'https://rubygems.org' -if puppetversion = ENV['PUPPET_VERSION'] +puppetversion = ENV['PUPPET_VERSION'] +if puppetversion gem 'puppet', puppetversion, :require => false else gem 'puppet', :require => false @@ -10,9 +13,9 @@ group :test do gem 'rake' gem 'rspec-puppet' # avoid NoMethodError: private method `clone' called for # - gem 'puppetlabs_spec_helper', :git => "https://github.com/ehaselwanter/puppetlabs_spec_helper" + gem 'puppetlabs_spec_helper', :git => 'https://github.com/ehaselwanter/puppetlabs_spec_helper' gem 'puppet-lint' - gem 'rubocop', '~> 0.23' if RUBY_VERSION > "1.9.2" + gem 'rubocop', '~> 0.23' if RUBY_VERSION > '1.9.2' end group :development do @@ -22,7 +25,7 @@ end group :integration do gem 'test-kitchen' gem 'kitchen-vagrant' - gem 'kitchen-puppet', '~> 0.0.11' + gem 'kitchen-puppet' gem 'librarian-puppet' gem 'kitchen-sharedtests', '~> 0.2.0' end diff --git a/Guardfile b/Guardfile index db0b69a..866dba0 100644 --- a/Guardfile +++ b/Guardfile @@ -1,12 +1,16 @@ +# encoding: utf-8 + +# Guardfile + guard 'rake', :task => 'lint' do - watch(%r{^manifests/.*$}) - watch(%r{^templates/.*$}) + watch(/^manifests\/.*$/) + watch(/^templates\/.*$/) end guard 'rake', :task => 'spec' do watch(%r{^spec/(classes|defines)/.+_spec\.rb$}) watch('spec/spec_helper.rb') - watch(%r{^lib/.*$}) - watch(%r{^manifests/.*$}) - watch(%r{^templates/.*$}) + watch(/^lib\/.*$/) + watch(/^manifests\/.*$/) + watch(/^templates\/.*$/) end diff --git a/Modulefile b/Modulefile index 6c03910..1a15574 100644 --- a/Modulefile +++ b/Modulefile @@ -1,5 +1,5 @@ name 'hardening/os_hardening' -version '1.0.0' +version '1.1.0' source 'https://github.com/TelekomLabs/puppet-os-hardening' author 'Dominik Richter' license 'Apache License, Version 2.0' diff --git a/README.md b/README.md index 2a1dd0a..c4cfcae 100644 --- a/README.md +++ b/README.md 
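Review bot: `gem 'puppetlabs_spec_helper', :git => 'https://github.com/ehaselwanter/puppetlabs_spec_helper'` (second Gemfile hunk) still points at a personal fork with no `:ref`/`:tag`, so every `bundle install` picks up whatever that fork's default branch holds at the moment, and the third hunk additionally drops the `'~> 0.0.11'` constraint on `kitchen-puppet`. Pin the fork to the revision the tests were run against, e.g. `gem 'puppetlabs_spec_helper', :git => 'https://github.com/ehaselwanter/puppetlabs_spec_helper', :ref => '<commit-sha-tested>'`, and give `kitchen-puppet` a version constraint again. The comment above the gem line explains the fork only as a workaround for a `NoMethodError`; naming the upstream issue it waits on would tell a later maintainer when the fork can be dropped.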
@@ -59,7 +59,7 @@ This module provides secure configuration of your base OS with hardening. * `remove_from_unknown = false` `true` if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Chef run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`. * `dry_run_on_unknown = false` - like `remove_from_unknown` above, only that SUID/SGID bits aren't removed. It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unkown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`. + like `remove_from_unknown` above, only that SUID/SGID bits aren't removed. It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unknown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`. ## Usage 
@@ -69,13 +69,18 @@ After adding this module, you can use the class: ## Contributors + Kudos +* Dominik Richter [arlimus](https://github.com/arlimus) * Edmund Haselwanter [ehaselwanter](https://github.com/ehaselwanter) * Christoph Hartmann [chris-rock](https://github.com/chris-rock) * Artem Sidorenko [artem-sidorenko](https://github.com/artem-sidorenko) * Patrick Meier [atomic111](https://github.com/atomic111) +* Kurt Huwig [kurthuwig](https://github.com/kurthuwig) +* Matthew Haughton [3flex](https://github.com/3flex) * Reik Keutterling [spielkind](https://github.com/spielkind) +* Daniel Dreier [danieldreier](https://github.com/danieldreier) +* [timogoebel](https://github.com/timogoebel) * Tristan Helmich [fadenb](https://github.com/fadenb) -* Kurt Huwig [kurthuwig](https://github.com/kurthuwig) +* Thomas Dütsch [a-tom](https://github.com/a-tom) For the original port of `chef-os-hardening` to puppet: diff --git a/Rakefile b/Rakefile index 8c86b70..916e41a 100644 --- a/Rakefile +++ b/Rakefile @@ -1,10 +1,12 @@ -# encoding: UTF-8 +#!/usr/bin/env rake +# encoding: utf-8 require 'puppet-lint/tasks/puppet-lint' require 'puppetlabs_spec_helper/rake_tasks' PuppetLint.configuration.send('disable_autoloader_layout') PuppetLint.configuration.send('disable_80chars') +PuppetLint.configuration.send('disable_only_variable_string') PuppetLint.configuration.fail_on_warnings = true PuppetLint.configuration.ignore_paths = ['vendor/**/*.pp'] diff --git a/lib/puppet/parser/functions/combine_sugid_lists.rb b/lib/puppet/parser/functions/combine_sugid_lists.rb index 71ca2a2..74af823 100644 --- a/lib/puppet/parser/functions/combine_sugid_lists.rb +++ b/lib/puppet/parser/functions/combine_sugid_lists.rb @@ -19,7 +19,7 @@ module Puppet module Parser module Functions newfunction(:combine_sugid_lists, :type => :rvalue) do |args| - ( args[0] - args[1] + args[2]).uniq + (args[0] - args[1] + args[2]).uniq end end end 
diff --git a/manifests/init.pp b/manifests/init.pp
index 38c6cfb..23652da 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -77,39 +77,39 @@ allow_login_without_home => $allow_login_without_home, } class {'os_hardening::minimize_access': - allow_change_user => $allow_change_user, + allow_change_user => $allow_change_user, } class {'os_hardening::pam': - passwdqc_enabled => $passwdqc_enabled, - auth_retries => $auth_retries, - auth_lockout_time => $auth_lockout_time, - passwdqc_options => $passwdqc_options, + passwdqc_enabled => $passwdqc_enabled, + auth_retries => $auth_retries, + auth_lockout_time => $auth_lockout_time, + passwdqc_options => $passwdqc_options, } class {'os_hardening::profile': - allow_core_dumps => $allow_core_dumps, + allow_core_dumps => $allow_core_dumps, } class {'os_hardening::securetty': - root_ttys => $root_ttys, + root_ttys => $root_ttys, } class {'os_hardening::suid_sgid': - whitelist => $whitelist, - blacklist => $blacklist, - remove_from_unknown => $remove_from_unknown, - dry_run_on_unknown => $dry_run_on_unknown, + whitelist => $whitelist, + blacklist => $blacklist, + remove_from_unknown => $remove_from_unknown, + dry_run_on_unknown => $dry_run_on_unknown, } if $configure_sysctl { class {'os_hardening::sysctl': - enable_module_loading => $enable_module_loading, - load_modules => $load_modules, - cpu_vendor => $cpu_vendor, - desktop_enabled => $desktop_enabled, - enable_ipv4_forwarding => $enable_ipv4_forwarding, - enable_ipv6 => $enable_ipv6, - enable_ipv6_forwarding => $enable_ipv6_forwarding, - arp_restricted => $arp_restricted, - enable_sysrq => $enable_sysrq, - enable_core_dump => $enable_core_dump, + enable_module_loading => $enable_module_loading, + load_modules => $load_modules, + cpu_vendor => $cpu_vendor, + desktop_enabled => $desktop_enabled, + enable_ipv4_forwarding => $enable_ipv4_forwarding, + enable_ipv6 => $enable_ipv6, + enable_ipv6_forwarding => $enable_ipv6_forwarding, + arp_restricted => $arp_restricted, + enable_sysrq => $enable_sysrq, + enable_core_dump => $enable_core_dump, } } } 
diff --git a/manifests/minimize_access.pp b/manifests/minimize_access.pp index 135f6e3..f8a611f 100644 --- a/manifests/minimize_access.pp +++ b/manifests/minimize_access.pp @@ -26,6 +26,7 @@ # this prevents changing any system-wide command from normal users file { $folders: ensure => 'directory', + links => 'follow', mode => 'go-w', recurse => true, } diff --git a/manifests/pam.pp b/manifests/pam.pp index b2938c3..00468e7 100644 --- a/manifests/pam.pp +++ b/manifests/pam.pp @@ -67,6 +67,7 @@ owner => root, group => root, mode => '0640', + notify => Exec['update-pam'], } } else { @@ -75,6 +76,7 @@ # delete passwdqc file on ubuntu and debian file { $passwdqc_path: ensure => absent, + notify => Exec['update-pam'], } # make sure the package is not on the system, @@ -98,15 +100,18 @@ owner => root, group => root, mode => '0640', + notify => Exec['update-pam'], } } else { file { $tally2_path: ensure => absent, + notify => Exec['update-pam'], } } exec { 'update-pam': - command => '/usr/sbin/pam-auth-update --package' + command => '/usr/sbin/pam-auth-update --package', + refreshonly => true, } } diff --git a/manifests/securetty.pp b/manifests/securetty.pp index 19a2133..f93ac43 100644 --- a/manifests/securetty.pp +++ b/manifests/securetty.pp @@ -12,7 +12,7 @@ class os_hardening::securetty ( $root_ttys = ['console','tty1','tty2','tty3','tty4','tty5','tty6'] ){ - $ttys = join( $root_ttys, '\n') + $ttys = join( $root_ttys, "\n") file { '/etc/securetty': ensure => present, content => template( 'os_hardening/securetty.erb' ), diff --git a/manifests/suid_sgid.pp b/manifests/suid_sgid.pp index 5ff7590..3f966eb 100644 --- a/manifests/suid_sgid.pp +++ b/manifests/suid_sgid.pp @@ -130,7 +130,7 @@ } -> # remove all bits - exec { 'remove SUID/SGID bits from unkown': + exec { 'remove SUID/SGID bits from unknown': command => '/usr/local/sbin/remove_suids' } } diff --git a/metadata.json b/metadata.json index ad2c448..f8f7786 100644 --- a/metadata.json +++ b/metadata.json 
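Review bot: `links => 'follow'` combined with the existing `recurse => true` makes Puppet manage the target of every symlink found under `$folders` instead of the link entry itself, so the `go-w` mode is applied to whatever those links point at, including paths outside the hardened directories; the commit gives no reason for the change. If the goal is only to keep Puppet from acting on the link entries, the default `links => 'manage'` treats the link as the managed object rather than its target; if following links is intended, say so in the resource, e.g. `# follow: also strip go-w from the files that symlinks in $folders point at (targets may lie outside $folders)`. `$folders` is defined above the hunk.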
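Review bot: The four `notify => Exec['update-pam']` additions plus `refreshonly => true` (third pam.pp hunk) are the right shape, but they make every change to `$passwdqc_path` or `$tally2_path`, including the `ensure => absent` branches, trigger `/usr/sbin/pam-auth-update --package`, which exists only on Debian-family systems. The start of the class lies outside the hunk, so it is not visible whether an osfamily guard already covers this; if it does not, the first changed file on a RedHat-family host fails the run. Either confirm in a comment that the class is Debian-only, or guard the exec and the notifies together on `$::osfamily == 'Debian'`.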
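Review bot: The switch from `'\n'` to `"\n"` in securetty.pp changes the file content, not just style: Puppet expands `\n` only inside double quotes, so the old `$ttys` was presumably a single literal `console\ntty1\n...` line that matched no real tty, while the new one emits one tty per line, which is what actually permits root login on `console` and `tty1`–`tty6`. That is a behaviour change in a security control and it is not mentioned in the CHANGELOG hunk of this commit; add an entry such as `* bugfix: securetty template wrote a single escaped line instead of one tty per line`. A short comment on the line, `# double quotes: Puppet expands \n only in "..."`, would stop a later cleanup from reverting it.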
@@ -1,13 +1,16 @@ { - "name": "hardening/os_hardening", - "version": "1.0.0", - "source": "https://github.com/TelekomLabs/puppet-os-hardening", + "name": "hardening-os_hardening", + "version": "1.1.0", "author": "Dominik Richter", - "license": "Apache License, Version 2.0", "summary": "Configures the base OS with hardening", - "description": "Configures the base OS with hardening", + "license": "Apache License, Version 2.0", + "source": "https://github.com/TelekomLabs/puppet-os-hardening", "project_page": "https://github.com/TelekomLabs/puppet-os-hardening", "issues_url": "https://github.com/TelekomLabs/puppet-os-hardening/issues", + "description": "Configures the base OS with hardening", + "types": [ + + ], "dependencies": [ { "name": "puppetlabs/stdlib" @@ -16,8 +19,5 @@ "name": "duritong/sysctl", "version_requirement": "0.0.4" } - ], - "types": [ - ] } diff --git a/templates/login.defs.erb b/templates/login.defs.erb index 5dfd8f6..8f80bbf 100644 --- a/templates/login.defs.erb +++ b/templates/login.defs.erb @@ -30,7 +30,7 @@ FAILLOG_ENAB yes LOG_UNKFAIL_ENAB no # Enable logging of successful logins -LOG_OK_LOGINS yes +LOG_OK_LOGINS no # Enable "syslog" logging of su activity - in addition to sulog file logging. SYSLOG_SU_ENAB yes @@ -56,7 +56,7 @@ HUSHLOGIN_FILE .hushlogin # *REQUIRED*: The default PATH settings, for superuser and normal users. (they are minimal, add the rest in the shell startup files) ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin -ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin<% if not @additional_user_paths.empty? %><%= @additional_user_paths %><% end %> +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin<% if not @additional_user_paths.empty? %>:<%= @additional_user_paths %><% end %> # Terminal permissions # -------------------- 
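Review bot: `LOG_OK_LOGINS no` hard-codes the loss of syslog records for successful logins in a template that is otherwise meant to harden the host; the CHANGELOG justifies it as the Debian default, but successful-login events are a basic input for login-anomaly detection and compliance baselines commonly expect them on. Since the template already takes its values from class parameters (`<%= @umask %>`, `@additional_user_paths`), make this one configurable too, e.g. `LOG_OK_LOGINS <%= @log_ok_logins %>` backed by a class parameter defaulting to `'no'` to keep this commit's behaviour, so sites that need the audit trail can turn it back on without forking the template. The class parameters themselves are outside this diff.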
@@ -87,7 +87,7 @@ KILLCHAR 025 UMASK <%= @umask %> # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name. -# If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user. +# If set to yes, userdel will remove the user's group if it contains no more members, and useradd will create by default a group with the name of the user. USERGROUPS_ENAB yes