Update to 1.0.2

.kitchen.yml

@@ -1,44 +1,42 @@
 ---
-
 driver:
   name: vagrant
-
 provisioner:
   name: puppet_apply
-  test_repo_uri: "https://github.com/TelekomLabs/tests-os-hardening.git"
-
+  test_repo_uri: https://github.com/TelekomLabs/tests-os-hardening.git
 platforms:
 - name: ubuntu-12.04
   driver_config:
     box: opscode-ubuntu-12.04
     box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-12.04_chef-provisionerless.box
-
+- name: ubuntu-14.04
+  driver_config:
+    box: opscode-ubuntu-14.04
+    box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
 - name: centos-6.4
   driver_config:
     box: opscode-centos-6.4
     box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box
-
 - name: centos-6.5
   driver_config:
-     box: opscode-centos-6.5
-     box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
-
+    box: opscode-centos-6.5
+    box_url: http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
 - name: oracle-6.4
   driver_config:
     box: oracle-6.4
-    box_url: https://dl.dropbox.com/sh/yim9oyqajopoiqs/G-XIEmQJMb/oracle64-64.box
-
-- name: debian-squezze-6
-  driver_config:
-    box: debian-squezze-6
-    box_url: http://public.sphax3d.org/vagrant/squeeze64.box
-
-- name: debian-wheezy-7
-  driver_config:
-    box: debian-wheezy-7
-    box_url: https://dl.dropboxusercontent.com/s/cd583cuf0mbcix7/debian-wheezy-64-chef.box
-
+    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
+- name: oracle-6.5
+  driver_config:
+    box: oracle-6.5
+    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
+- name: debian-6
+  driver_config:
+    box: debian-6
+    box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-6.0.10-amd64_virtualbox.box
+- name: debian-7
+  driver_config:
+    box: debian-7
+    box_url: https://s3.eu-central-1.amazonaws.com/ffuenf-vagrantboxes/debian/debian-7.7.0-amd64_virtualbox.box
 suites:
 - name: default
   manifest: site.pp
-

.rubocop.yml

@@ -1,10 +1,10 @@
+---
 AllCops:
   Exclude:
-    - vendor/**
-    - metadata.rb
-    - '**/Puppetfile'
-    - Puppetfile
-
+  - vendor/**/*
+  - test/**/*
+  - spec/fixtures/**/*
+  - Puppetfile
 Documentation:
   Enabled: false
 AlignParameters:
@@ -15,7 +15,15 @@ HashSyntax:
   Enabled: false
 LineLength:
   Enabled: false
+EmptyLinesAroundBlockBody:
+  Enabled: false
 MethodLength:
-  Max: 30
+  Max: 40
 NumericLiterals:
   MinDigits: 10
+Metrics/CyclomaticComplexity:
+  Max: 10
+Metrics/PerceivedComplexity:
+  Max: 10
+Metrics/AbcSize:
+  Max: 29

.travis.yml

@@ -6,6 +6,7 @@ language: ruby
 bundler_args: --without development integration openstack
 env:
   - PUPPET_VERSION="~> 2.7.0"
+  - PUPPET_VERSION="~> 3.4.3"
   - PUPPET_VERSION="~> 3.5.0"
   - PUPPET_VERSION="~> 3.6.0"
 matrix:

CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+## 1.1.0
+
+**API-change**: renamed module to `hardening-os_hardening`
+
+* improvement: linting
+
+## 1.0.2
+
+* improvement: only run 'update-pam' when needed
+
+## 1.0.1
+
+* bugfix: add missing colon for user-defined paths in PATH env
+* adjust login.defs template to not log user logins (as per Debian defaults)
+
 ## 1.0.0
 
 * add verified support for puppet 3.6, remove support for puppet 3.0 and 3.4
@@ -36,7 +51,7 @@
 
 * feature: add configurable system environment
 * feature: remove suid/sgid bits from blacklist
-* feature: remove suid/sgid bits from unkown files
+* feature: remove suid/sgid bits from unknown files
 
 ## 0.1.0
 

Gemfile

@@ -1,6 +1,9 @@
+# encoding: utf-8
+
 source 'https://rubygems.org'
 
-if puppetversion = ENV['PUPPET_VERSION']
+puppetversion = ENV['PUPPET_VERSION']
+if puppetversion
   gem 'puppet', puppetversion, :require => false
 else
   gem 'puppet', :require => false
@@ -10,9 +13,9 @@ group :test do
   gem 'rake'
   gem 'rspec-puppet'
   # avoid NoMethodError: private method `clone' called for #<RuboCop::Cop::CopStore:0x00000104e286c8>
-  gem 'puppetlabs_spec_helper', :git => "https://github.com/ehaselwanter/puppetlabs_spec_helper"
+  gem 'puppetlabs_spec_helper', :git => 'https://github.com/ehaselwanter/puppetlabs_spec_helper'
   gem 'puppet-lint'
-  gem 'rubocop',    '~> 0.23' if RUBY_VERSION > "1.9.2"
+  gem 'rubocop',    '~> 0.23' if RUBY_VERSION > '1.9.2'
 end
 
 group :development do
@@ -22,7 +25,7 @@ end
 group :integration do
   gem 'test-kitchen'
   gem 'kitchen-vagrant'
-  gem 'kitchen-puppet', '~> 0.0.11'
+  gem 'kitchen-puppet'
   gem 'librarian-puppet'
   gem 'kitchen-sharedtests', '~> 0.2.0'
 end

Guardfile

@@ -1,12 +1,16 @@
+# encoding: utf-8
+
+# Guardfile
+
 guard 'rake', :task => 'lint' do
-  watch(%r{^manifests/.*$})
-  watch(%r{^templates/.*$})
+  watch(/^manifests\/.*$/)
+  watch(/^templates\/.*$/)
 end
 
 guard 'rake', :task => 'spec' do
   watch(%r{^spec/(classes|defines)/.+_spec\.rb$})
   watch('spec/spec_helper.rb')
-  watch(%r{^lib/.*$})
-  watch(%r{^manifests/.*$})
-  watch(%r{^templates/.*$})
+  watch(/^lib\/.*$/)
+  watch(/^manifests\/.*$/)
+  watch(/^templates\/.*$/)
 end

Modulefile

@@ -1,5 +1,5 @@
 name    'hardening/os_hardening'
-version '1.0.0'
+version '1.1.0'
 source 'https://github.com/TelekomLabs/puppet-os-hardening'
 author 'Dominik Richter'
 license 'Apache License, Version 2.0'

README.md

@@ -59,7 +59,7 @@ This module provides secure configuration of your base OS with hardening.
 * `remove_from_unknown = false`
   `true` if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Chef run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
 * `dry_run_on_unknown = false`
-  like `remove_from_unknown` above, only that SUID/SGID bits aren't removed. It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unkown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`.
+  like `remove_from_unknown` above, only that SUID/SGID bits aren't removed. It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unknown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`.
 
 ## Usage
 
@@ -69,13 +69,18 @@ After adding this module, you can use the class:
 
 ## Contributors + Kudos
 
+* Dominik Richter [arlimus](https://github.com/arlimus)
 * Edmund Haselwanter [ehaselwanter](https://github.com/ehaselwanter)
 * Christoph Hartmann [chris-rock](https://github.com/chris-rock)
 * Artem Sidorenko [artem-sidorenko](https://github.com/artem-sidorenko)
 * Patrick Meier [atomic111](https://github.com/atomic111)
+* Kurt Huwig [kurthuwig](https://github.com/kurthuwig)
+* Matthew Haughton [3flex](https://github.com/3flex)
 * Reik Keutterling [spielkind](https://github.com/spielkind)
+* Daniel Dreier [danieldreier](https://github.com/danieldreier)
+*  [timogoebel](https://github.com/timogoebel)
 * Tristan Helmich [fadenb](https://github.com/fadenb)
-* Kurt Huwig [kurthuwig](https://github.com/kurthuwig)
+* Thomas Dütsch [a-tom](https://github.com/a-tom)
 
 For the original port of `chef-os-hardening` to puppet:
 

Rakefile

@@ -1,10 +1,12 @@
-# encoding: UTF-8
+#!/usr/bin/env rake
+# encoding: utf-8
 
 require 'puppet-lint/tasks/puppet-lint'
 require 'puppetlabs_spec_helper/rake_tasks'
 
 PuppetLint.configuration.send('disable_autoloader_layout')
 PuppetLint.configuration.send('disable_80chars')
+PuppetLint.configuration.send('disable_only_variable_string')
 PuppetLint.configuration.fail_on_warnings = true
 PuppetLint.configuration.ignore_paths = ['vendor/**/*.pp']
 

lib/puppet/parser/functions/combine_sugid_lists.rb

@@ -19,7 +19,7 @@ module Puppet
   module Parser
     module Functions
       newfunction(:combine_sugid_lists, :type => :rvalue) do |args|
-        ( args[0] - args[1] + args[2]).uniq
+        (args[0] - args[1] + args[2]).uniq
       end
     end
   end

manifests/init.pp

@@ -77,39 +77,39 @@
     allow_login_without_home => $allow_login_without_home,
   }
   class {'os_hardening::minimize_access':
-    allow_change_user        => $allow_change_user,
+    allow_change_user => $allow_change_user,
   }
   class {'os_hardening::pam':
-    passwdqc_enabled         => $passwdqc_enabled,
-    auth_retries             => $auth_retries,
-    auth_lockout_time        => $auth_lockout_time,
-    passwdqc_options         => $passwdqc_options,
+    passwdqc_enabled  => $passwdqc_enabled,
+    auth_retries      => $auth_retries,
+    auth_lockout_time => $auth_lockout_time,
+    passwdqc_options  => $passwdqc_options,
   }
   class {'os_hardening::profile':
-    allow_core_dumps         => $allow_core_dumps,
+    allow_core_dumps => $allow_core_dumps,
   }
   class {'os_hardening::securetty':
-    root_ttys                => $root_ttys,
+    root_ttys => $root_ttys,
   }
   class {'os_hardening::suid_sgid':
-    whitelist                => $whitelist,
-    blacklist                => $blacklist,
-    remove_from_unknown      => $remove_from_unknown,
-    dry_run_on_unknown       => $dry_run_on_unknown,
+    whitelist           => $whitelist,
+    blacklist           => $blacklist,
+    remove_from_unknown => $remove_from_unknown,
+    dry_run_on_unknown  => $dry_run_on_unknown,
   }
 
   if $configure_sysctl {
     class {'os_hardening::sysctl':
-      enable_module_loading    => $enable_module_loading,
-      load_modules             => $load_modules,
-      cpu_vendor               => $cpu_vendor,
-      desktop_enabled          => $desktop_enabled,
-      enable_ipv4_forwarding   => $enable_ipv4_forwarding,
-      enable_ipv6              => $enable_ipv6,
-      enable_ipv6_forwarding   => $enable_ipv6_forwarding,
-      arp_restricted           => $arp_restricted,
-      enable_sysrq             => $enable_sysrq,
-      enable_core_dump         => $enable_core_dump,
+    enable_module_loading  => $enable_module_loading,
+    load_modules           => $load_modules,
+    cpu_vendor             => $cpu_vendor,
+    desktop_enabled        => $desktop_enabled,
+    enable_ipv4_forwarding => $enable_ipv4_forwarding,
+    enable_ipv6            => $enable_ipv6,
+    enable_ipv6_forwarding => $enable_ipv6_forwarding,
+    arp_restricted         => $arp_restricted,
+    enable_sysrq           => $enable_sysrq,
+    enable_core_dump       => $enable_core_dump,
     }
   }
 }

manifests/minimize_access.pp

@@ -26,6 +26,7 @@
   # this prevents changing any system-wide command from normal users
   file { $folders:
     ensure  => 'directory',
+    links   => 'follow',
     mode    => 'go-w',
     recurse => true,
   }

manifests/pam.pp

@@ -67,6 +67,7 @@
           owner   => root,
           group   => root,
           mode    => '0640',
+          notify  => Exec['update-pam'],
         }
 
       } else {
@@ -75,6 +76,7 @@
         # delete passwdqc file on ubuntu and debian
         file { $passwdqc_path:
           ensure => absent,
+          notify => Exec['update-pam'],
         }
 
         # make sure the package is not on the system,
@@ -98,15 +100,18 @@
           owner   => root,
           group   => root,
           mode    => '0640',
+          notify  => Exec['update-pam'],
         }
       } else {
         file { $tally2_path:
           ensure => absent,
+          notify => Exec['update-pam'],
         }
       }
 
       exec { 'update-pam':
-        command => '/usr/sbin/pam-auth-update --package'
+        command     => '/usr/sbin/pam-auth-update --package',
+        refreshonly => true,
       }
     }
 

manifests/securetty.pp

@@ -12,7 +12,7 @@
 class os_hardening::securetty (
   $root_ttys = ['console','tty1','tty2','tty3','tty4','tty5','tty6']
 ){
-  $ttys = join( $root_ttys, '\n')
+  $ttys = join( $root_ttys, "\n")
   file { '/etc/securetty':
     ensure  => present,
     content => template( 'os_hardening/securetty.erb' ),

manifests/suid_sgid.pp

@@ -130,7 +130,7 @@
     }
     ->
     # remove all bits
-    exec { 'remove SUID/SGID bits from unkown':
+    exec { 'remove SUID/SGID bits from unknown':
       command => '/usr/local/sbin/remove_suids'
     }
   }