Merge pull request #177 from dev-sec/redhat
RH family: adapt some settings, as RH has better defaults
artem-sidorenko authored Nov 9, 2017
2 parents ab5a27d + 944a1a2 commit 0476764
Showing 2 changed files with 17 additions and 4 deletions.
15 changes: 12 additions & 3 deletions attributes/default.rb
Expand Up @@ -65,7 +65,6 @@
default['os-hardening']['network']['ipv6']['enable'] = false
default['os-hardening']['network']['arp']['restricted'] = true
default['os-hardening']['env']['extra_user_paths'] = []
default['os-hardening']['env']['umask'] = '027'
default['os-hardening']['env']['root_path'] = '/'
default['os-hardening']['auth']['pw_max_age'] = 60
default['os-hardening']['auth']['pw_min_age'] = 7 # discourage password cycling
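Review bot: removing the unconditional `default['os-hardening']['env']['umask'] = '027'` line leaves this block of env settings with no visible umask value, and the attribute is now assigned only inside the platform_family case further down in the same file. A one-line comment at this spot (for example `# umask is set per platform family below`) would stop readers and wrapper cookbooks from concluding that the attribute is no longer set by default.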
Expand All @@ -80,11 +79,21 @@
default['os-hardening']['auth']['root_ttys'] = %w[console tty1 tty2 tty3 tty4 tty5 tty6]
default['os-hardening']['auth']['uid_min'] = 1000
default['os-hardening']['auth']['gid_min'] = 1000
default['os-hardening']['auth']['sys_uid_min'] = 100
default['os-hardening']['auth']['sys_uid_max'] = 999
default['os-hardening']['auth']['sys_gid_min'] = 100
default['os-hardening']['auth']['sys_gid_max'] = 999

# RH has a bit different defaults on some places
case node['platform_family']
when 'rhel', 'fedora'
default['os-hardening']['env']['umask'] = '077'
default['os-hardening']['auth']['sys_uid_min'] = 201
default['os-hardening']['auth']['sys_gid_min'] = 201
else
default['os-hardening']['env']['umask'] = '027'
default['os-hardening']['auth']['sys_uid_min'] = 100
default['os-hardening']['auth']['sys_gid_min'] = 100
end

# may contain: change_user
default['os-hardening']['security']['users']['allow'] = []
default['os-hardening']['security']['kernel']['enable_module_loading'] = true
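Review bot: the comment `# RH has a bit different defaults on some places` should say where the numbers come from. The rhel/fedora branch sets umask '077' and sys_uid_min/sys_gid_min to 201 while sys_uid_max and sys_gid_max stay at the unconditional 999 above, and the else branch keeps the previous 027 and 100 for every other platform family; a reader of this hunk cannot tell which upstream default each value mirrors. Naming the RH-side file these values are taken from, and noting that the default umask on rhel/fedora nodes becomes stricter than it was before this change, would document the behaviour change for anyone upgrading the cookbook.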
6 changes: 5 additions & 1 deletion recipes/minimize_access.rb
Expand Up @@ -33,7 +33,11 @@
# (otherwise screensavers might break etc)
file '/etc/shadow' do
owner 'root'
if node['platform_family'] == 'debian'
case node['platform_family']
when 'rhel', 'fedora'
group 'root'
mode '0000'
when 'debian'
group 'shadow'
mode '0640'
else
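Review bot: the leading context line `# (otherwise screensavers might break etc)` is the tail of a comment that justifies the group-readable `group 'shadow'` / `mode '0640'` layout, but after this change that layout applies only to the 'debian' branch; the new rhel/fedora branch uses `group 'root'` and `mode '0000'`, to which the comment no longer applies. Suggest moving that explanation into the 'debian' branch and adding a short comment on the rhel/fedora branch stating that `mode '0000'` is the intended RH layout, since on its own the value reads like a typo.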
