From 2a87fe380660f7741b57634795dbd55cd77e4c16 Mon Sep 17 00:00:00 2001
From: Aaron Lane
Date: Tue, 24 Jan 2017 18:36:06 -0500
Subject: [PATCH 1/2] Add attribute to control login.defs PASS_WARN_AGE
---
 README.md | 3 +++
 attributes/default.rb | 1 +
 recipes/login_defs.rb | 1 +
 spec/recipes/login_defs_spec.rb | 2 ++
 templates/default/login.defs.erb | 2 +-
 5 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ba8d8f95..25992eeb 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,9 @@ We deprecated `sysctl` version before `0.6.0`. Future versions of this cookbook maximum password age * `['os-hardening']['auth']['pw_min_age'] = 7` minimum password age (before allowing any other password change) +* `['os-hardening']['auth']['pw_warn_age'] = 7` number of days before maximum password age occurs to warn of impending change * `['os-hardening']['auth']['retries'] = 5` the maximum number of authentication attempts, before the account is locked for some time * `['os-hardening']['auth']['lockout_time'] = 600`
diff --git a/attributes/default.rb b/attributes/default.rb
index 61f07b60..8b4ebb38 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -63,6 +63,7 @@ default['os-hardening']['env']['root_path'] = '/'
 default['os-hardening']['auth']['pw_max_age'] = 60
 default['os-hardening']['auth']['pw_min_age'] = 7 # discourage password cycling
+default['os-hardening']['auth']['pw_warn_age'] = 7
 default['os-hardening']['auth']['retries'] = 5
 default['os-hardening']['auth']['lockout_time'] = 600 # 10min
 default['os-hardening']['auth']['timeout'] = 60
diff --git a/recipes/login_defs.rb b/recipes/login_defs.rb
index 002309a6..0c230265 100644
--- a/recipes/login_defs.rb
+++ b/recipes/login_defs.rb
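Review bot: The new `pw_warn_age` default in the attributes hunk carries no explanation, while the neighbouring `pw_min_age` and `lockout_time` defaults document their value with an inline comment. The number only has meaning relative to `pw_max_age` (it is the number of days before PASS_MAX_DAYS expiry during which the user is warned), so the two are normally tuned together, and a comment at the point of override makes that visible: `default['os-hardening']['auth']['pw_warn_age'] = 7 # days of expiry warning; keep below pw_max_age (login.defs PASS_WARN_AGE)`. The README text added in the first hunk says this in prose, but the attribute file is where overrides are usually looked up.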
@@ -28,6 +28,7 @@
 umask: node['os-hardening']['env']['umask'],
 password_max_age: node['os-hardening']['auth']['pw_max_age'],
 password_min_age: node['os-hardening']['auth']['pw_min_age'],
+ password_warn_age: node['os-hardening']['auth']['pw_warn_age'],
 login_retries: node['os-hardening']['auth']['retries'],
 login_timeout: node['os-hardening']['auth']['timeout'],
 chfn_restrict: '', # "rwh"
diff --git a/spec/recipes/login_defs_spec.rb b/spec/recipes/login_defs_spec.rb
index 619150d6..5a2480eb 100644
--- a/spec/recipes/login_defs_spec.rb
+++ b/spec/recipes/login_defs_spec.rb
@@ -36,6 +36,7 @@
 umask: '027',
 password_max_age: 60,
 password_min_age: 7,
+ password_warn_age: 7,
 login_retries: 5,
 login_timeout: 60,
 chfn_restrict: '',
@@ -52,6 +53,7 @@ it 'uses uid_min and gid_min in /etc/login.defs' do
 expect(chef_run).to render_file('/etc/login.defs').
+ with_content(/^PASS_WARN_AGE\s+7$/).
 with_content(/^UID_MIN\s+5000$/).
 with_content(/^GID_MIN\s+5000$/)
 end
diff --git a/templates/default/login.defs.erb b/templates/default/login.defs.erb
index 379a2726..e34dfd2d 100644
--- a/templates/default/login.defs.erb
+++ b/templates/default/login.defs.erb
@@ -106,7 +106,7 @@ PASS_MAX_DAYS <%= @password_max_age.to_s %>
 PASS_MIN_DAYS <%= @password_min_age.to_s %>
 # Number of days warning given before a password expires.
-PASS_WARN_AGE 7
+PASS_WARN_AGE <%= @password_warn_age.to_s %>
 # Min/max values for automatic uid selection in useradd
 UID_MIN <%= @uid_min.to_s %>
From b6d70c9ff3651aa5a64123004bca70f2617caa61 Mon Sep 17 00:00:00 2001
From: Aaron Lane
Date: Tue, 24 Jan 2017 18:37:21 -0500
Subject: [PATCH 2/2] Update InSpec profile repository
---
 .kitchen.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.kitchen.yml b/.kitchen.yml
index 6cbdd10f..703afe1b 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
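Review bot: The added `password_warn_age:` entry passes `node['os-hardening']['auth']['pw_warn_age']` straight through, and the template hunk further down renders it with `.to_s`, so a `nil` or non-numeric override produces an empty or malformed `PASS_WARN_AGE` line in /etc/login.defs at converge time instead of an error. Coercing at this boundary fails fast on a bad attribute: `password_warn_age: Integer(node['os-hardening']['auth']['pw_warn_age']),`. The sibling `pw_max_age`/`pw_min_age` entries appear to have the same exposure, so this may be better handled as one follow-up for the whole variables block than for this line alone. The enclosing template resource starts and ends outside the hunk.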
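Review bot: The new `with_content(/^PASS_WARN_AGE\s+7$/)` expectation in the second spec hunk does not demonstrate that the attribute is wired through, because the template rendered a hardcoded `PASS_WARN_AGE 7` before this change and the test uses the default value 7; it would still pass if the recipe or template edit were dropped. A non-default value makes the check meaningful, e.g. a separate example whose runner sets `node.normal['os-hardening']['auth']['pw_warn_age'] = 14` (14 is an illustrative value; use whatever attribute hook the spec's runner, outside the hunk, already relies on) and asserts `with_content(/^PASS_WARN_AGE\s+14$/)`. The assertion is also placed inside the example named 'uses uid_min and gid_min in /etc/login.defs', so a regression would be reported under an unrelated description. The first spec hunk's `password_warn_age: 7` has the same default-only coverage, though it at least checks the recipe side.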
@@ -67,4 +67,4 @@ suites:
 - recipe[os-hardening::default]
 verifier:
 inspec_tests:
- - https://github.com/dev-sec/tests-os-hardening
+ - https://github.com/dev-sec/linux-baseline
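Review bot: The replacement `inspec_tests` entry still points at the default branch of `https://github.com/dev-sec/linux-baseline` with no tag or commit, so the controls that decide whether a converged node passes can change between runs without any change in this repository, and an upstream profile change would alter CI results silently. Pinning gives reproducible verification; if I recall correctly kitchen-inspec accepts the hash form InSpec uses for profile dependencies, roughly `- git: https://github.com/dev-sec/linux-baseline` with a `tag:` (or `ref:`) key beneath it, so the profile version then moves only through a reviewed commit. A short YAML comment naming the profile version the cookbook is validated against would also help readers of this file.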