Lets disable unused filesystems per default #169

Merged
merged 2 commits into from
Aug 21, 2017
Merged
1 change: 1 addition & 0 deletions .rubocop.yml
Expand Up @@ -8,6 +8,7 @@ AllCops:
Metrics/AbcSize:
Max: 29
Metrics/LineLength:
Max: 100
Include:
- spec/**/*.rb
Metrics/MethodLength:
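Review bot: The `Include:` list under `Metrics/LineLength` narrows that cop to `spec/**/*.rb`, so line length is no longer checked in recipes, attributes or templates at all; a per-cop `Include` in RuboCop is a whitelist, not an addition to the default file set. If the aim was to let the long `disable_filesystems` array in attributes/default.rb pass, wrap that line instead, or use `Exclude:` for that one file rather than switching the cop off everywhere outside specs.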
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -70,6 +70,8 @@ It will not:
list of things, that a user is allowed to do. May contain: `change_user`
* `['os-hardening']['security']['kernel']['enable_module_loading'] = true`
true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)
* `['os-hardening']['security']['kernel']['disable_filesystems'] = ['cramfs', 'freevxfs', 'jffs2', 'hfs', 'hfsplus', 'squashfs', 'udf', 'vfat']`
list of kernel file system modules, which are blacklisted for loading (e.g. they are unused and can be disabled). Set this to `[]` to completely avoid this blacklisting
* `['os-hardening']['security']['kernel']['enable_sysrq'] = false`
* `['os-hardening']['security']['kernel']['enable_core_dump'] = false`
* `['os-hardening']['security']['suid_sgid']['enforce'] = true`
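Review bot: `vfat` in the documented default list needs a caveat in this paragraph: the EFI System Partition that UEFI machines mount at /boot/efi is a FAT filesystem, so with this default a UEFI host can no longer load the module it needs for bootloader and kernel updates to write there. Suggest adding a sentence such as "Remove `vfat` from this list on UEFI systems, which need it for /boot/efi", or dropping `vfat` from the default and leaving it opt-in.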
1 change: 1 addition & 0 deletions attributes/default.rb
Expand Up @@ -88,6 +88,7 @@
# may contain: change_user
default['os-hardening']['security']['users']['allow'] = []
default['os-hardening']['security']['kernel']['enable_module_loading'] = true
default['os-hardening']['security']['kernel']['disable_filesystems'] = %w[cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat]
default['os-hardening']['security']['kernel']['enable_sysrq'] = false
default['os-hardening']['security']['kernel']['enable_core_dump'] = false
default['os-hardening']['security']['suid_sgid']['enforce'] = true
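Review bot: The new `disable_filesystems` line runs to 126 columns, over the `Max: 100` set in .rubocop.yml, and it is the only attribute in this block without a comment saying what it does. Wrap the array and add a one-line comment in the style of the entries above it, e.g.
`# kernel filesystem modules blacklisted from loading; set to [] to disable`
`default['os-hardening']['security']['kernel']['disable_filesystems'] =`
`  %w[cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat]`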
15 changes: 15 additions & 0 deletions recipes/sysctl.rb
Expand Up @@ -170,3 +170,18 @@
end
end
end

# CIS requirement: disable unused filesystems
if node['os-hardening']['security']['kernel']['disable_filesystems'].empty?
file '/etc/modprobe.d/dev-sec.conf' do
action :delete
end
else
template '/etc/modprobe.d/dev-sec.conf' do
source 'filesystem_blacklisting.erb'
mode 0440
owner 'root'
group 'root'
variables filesystems: node['os-hardening']['security']['kernel']['disable_filesystems']
end
end
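Review bot: The `install <fs> /bin/true` rules written by this template only stop future loads; a module that is already loaded (a mounted vfat /boot/efi, or any listed filesystem currently in use) stays active until reboot, and nothing here unloads it or reports it, so a converge can look applied while the module is still present. State that in the "CIS requirement" comment above the block. Two smaller points: this block manages /etc/modprobe.d rather than sysctl, so a recipe of its own would make the attribute's scope clearer; and the string form `mode '0440'` is the form the Chef documentation recommends over the integer literal `0440`, which is easy to mistype.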
43 changes: 43 additions & 0 deletions spec/recipes/sysctl_spec.rb
Expand Up @@ -365,4 +365,47 @@
end
end
end

describe 'filesystems' do
let(:disable_filesystems) { nil }
let(:chef_run) do
ChefSpec::SoloRunner.new do |node|
if disable_filesystems
node.normal['os-hardening']['security']['kernel']['disable_filesystems'] =
disable_filesystems
end
end.converge(described_recipe)
end

describe 'when unused filesystems are disabled with default values' do
it 'should render the proper modprobe file' do
%w[cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat].each do |fs|
expect(chef_run).to render_file('/etc/modprobe.d/dev-sec.conf').
with_content("install #{fs} /bin/true")
end
end
end

describe 'when only some filesystems are disabled' do
let(:disable_filesystems) { %w[vfat udf] }

it 'should render the proper modprobe file' do
%w[udf vfat].each do |fs|
expect(chef_run).to render_file('/etc/modprobe.d/dev-sec.conf').
with_content("install #{fs} /bin/true")
end

expect(chef_run).not_to render_file('/etc/modprobe.d/dev-sec.conf').
with_content('install cramfs /bin/true')
end
end

describe 'when unused filesystems are not disabled' do
let(:disable_filesystems) { %w[] }

it 'should delete the modprobe file' do
expect(chef_run).to delete_file('/etc/modprobe.d/dev-sec.conf')
end
end
end
end
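Review bot: `render_file(...).with_content(...)` checks content only; nothing in these three cases asserts the `mode 0440`, `owner 'root'` and `group 'root'` the recipe sets, so a regression in the file's permissions would pass. Add to the default-values case something like `expect(chef_run).to create_template('/etc/modprobe.d/dev-sec.conf').with(mode: 0440, owner: 'root', group: 'root')`. In the empty case, `%w[]` works but `[]` says "empty list" more plainly and matches the README's `Set this to []` wording.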
9 changes: 9 additions & 0 deletions templates/default/filesystem_blacklisting.erb
@@ -0,0 +1,9 @@
<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
# <%= l %>
<% end %>
#
#--

<% @filesystems.each do |fs| %>
install <%= fs %> /bin/true
<% end %>