
Feature/allow setting template source #196

Merged: 1 commit from eyespies:feature/allow_setting_template_source into dev-sec:master, Feb 22, 2018

Conversation

eyespies (Contributor)

This update allows users to specify an alternate source cookbook for the PAM templates. I needed this because I use FreeIPA, which updates the PAM configuration. When running the dev-sec cookbook, the IPA changes are overwritten.

I had two choices when making the update

  1. add the use of arbitrary attributes and not use alternative cookbooks
  2. allow using any configuration via an alternative cookbook

I chose the second option as it involves lower risk to existing systems / settings. For unit testing, there are no tests related to these templates, so I did not add tests / make changes. I would be willing to add those if needed, however.

For integration testing, I ran the tests to confirm existing functionality remains unchanged, however I only did so on my local as I don't have a DO account to run the full gamut of tests. I'm open to alternative means of running the integration tests.

To truly run integration tests fully, I would need to add two things:

  1. a new suite that uses an alternative cookbook to run dev-sec (this would effectively double the number of tests and possibly the amount of time required depending on whether the test suites are serial or parallel)
  2. a small cookbook under test/integration that provides the alternative cookbook

I wasn't sure if the team wanted to add all those extra pieces, so I haven't done that yet, but if so desired, I could add the new suite and test cookbook.

coveralls commented Feb 19, 2018

Coverage Status

Coverage remained the same at 100.0% when pulling 1abdf54 on eyespies:feature/allow_setting_template_source into 531eba2 on dev-sec:master.

eyespies (Contributor Author)

Ok - what did I miss? All of the issues listed by Travis are in files that I haven't touched.

eyespies (Contributor Author)

Ok, so the unit test failures are because of the version string in metadata.rb for the sysctl cookbook. Because it is using '>= 0.10.0' and because they released 1.0.x which removed the apply recipe as they mentioned in another comment, the unit tests are failing now.

I'd suggest using the rocket syntax, is there any reason (specific to this dev-sec cookbook) to use '>=' vs. '~>'?

eyespies (Contributor Author)

I added the rocket syntax to eliminate the ChefSpec unit test issues and the tests are passing now. The integration tests fail since I don't have a DO account.
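The sysctl constraint problem discussed in the last three comments, worked through as an added example (not code from the os-hardening cookbook): Chef's `depends` constraint operators follow RubyGems semantics, so plain Ruby's `Gem::Requirement` reproduces what the depsolver would admit without loading Chef. The version list is constructed for the example; the constraints are the two from the metadata.rb hunk plus the tighter three-component form for comparison.

```ruby
# Added example, not part of the os-hardening cookbook: which sysctl cookbook
# versions a `depends 'sysctl', <constraint>` line in metadata.rb would admit.
# Chef's >= and ~> operators follow RubyGems semantics, so Gem::Requirement
# stands in for the Chef depsolver here.
require 'rubygems'

# Candidate sysctl versions (constructed; 1.0.0 and 1.0.2 stand for the 1.0.x
# release that dropped the recipe the ChefSpec tests depended on).
SYSCTL_VERSIONS = %w[0.9.0 0.10.0 0.10.3 0.11.0 0.99.0 1.0.0 1.0.2].freeze

# Versions the constraint admits, in the order given.
def admitted_versions(constraint, versions = SYSCTL_VERSIONS)
  req = Gem::Requirement.new(constraint)
  versions.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# Could the depsolver pick a release at or past the breaking version?
def admits_breaking?(constraint, breaking_version = '1.0.0')
  floor = Gem::Version.new(breaking_version)
  admitted_versions(constraint).any? { |v| Gem::Version.new(v) >= floor }
end

if $PROGRAM_NAME == __FILE__
  ['>= 0.10.0', '~> 0.10', '~> 0.10.0'].each do |c|
    puts format('%-11s admits: %-38s breaking release reachable: %s',
                c, admitted_versions(c).join(' '), admits_breaking?(c))
  end
end
```

`~> 0.10` (two components) means >= 0.10 and < 1.0, which is exactly what the PR needs: sysctl 0.10.x and 0.11.x bug-fix releases stay available while 1.0.x is excluded. `~> 0.10.0` would stop at 0.11 and is tighter than the breakage requires.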

artem-sidorenko (Member) left a comment


@eyespies thanks for this PR! It definitely makes sense.

Can I also ask you to add the documentation on the new attributes to the README.md?

metadata.rb Outdated
@@ -33,7 +33,7 @@
supports 'redhat', '>= 5.0'
supports 'oracle', '>= 6.4'

depends 'sysctl', '>= 0.10.0'
depends 'sysctl', '~> 0.10'
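Review bot: the `~> 0.10` on the `depends 'sysctl'` line is the right shape: a two-component pessimistic constraint means >= 0.10 and < 1.0, so it keeps 0.10.x and 0.11.x bug-fix releases but excludes the 1.0.x sysctl release that, per the thread above, removed the recipe the unit tests rely on; `~> 0.10.0` would stop at 0.11 and be tighter than needed. Since the same fix is already on master, drop this hunk on rebase so the PR stays limited to the template-source change and does not conflict.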
Member

@eyespies this is already fixed in master :) Could you please rebase your PR?

metadata.rb Outdated
@@ -22,7 +22,7 @@
license 'Apache-2.0'
description 'Installs and configures operating system hardening'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '3.0.0'
version '3.0.1'
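Review bot: the `version '3.0.1'` bump does not belong in a feature PR: the maintainers set `version` in metadata.rb as part of the release, a version change on a feature branch will conflict on rebase, and uploading this branch to a Chef Server under 3.0.1 would occupy the number the next release is meant to carry. Revert this line to `version '3.0.0'`.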
Member

please do not bump the version, this is done prior to the release by us

recipes/pam.rb Outdated
@@ -48,8 +48,14 @@
end

# configure passwdqc via central module:
template_cookbook = if node['os-hardening']['auth']['pam'].attribute?('passwdqc') &&
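Review bot: the `attribute?('passwdqc')` guard at the head of the `template_cookbook = if ...` chain tests for keys that attributes/default.rb already defines (the `['passwdqc']['options']` default is visible in the attributes hunk below), so the branches never fire and leave a variable that then has to be nil-checked at the resource. Worse, if the chain is kept, a misspelled attribute path silently falls back to the cookbook's own template instead of failing the run, hiding a misconfiguration. Read `node['os-hardening']['auth']['pam']['passwdqc']['template_cookbook']` directly and give it a default in the attributes file; the recipe then needs no conditional.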
Member

Even if this is really a proper way to do that, we have all these attributes configured at the default level. So it's safe to assume that they exist; I would suggest avoiding the checks:

template_cookbook = node['os-hardening']['auth']['pam']['passwdqc']['template_cookbook']

Contributor Author

Want to ask for clarification - do you want me to set the default cookbook name used for the attribute in the attributes file? Or is it sufficient to simply remove the check for the ['pam'] attribute but leave the check for the passwdqc and other attributes?

Member

Good idea! We can specify the default cookbook name and avoid additional variables and conditions.

recipes/pam.rb Outdated
template passwdqc_path do
source 'pam_passwdqc.erb'
cookbook template_cookbook unless template_cookbook.nil?
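Review bot: `cookbook template_cookbook unless template_cookbook.nil?` on the `template passwdqc_path` resource should become an unconditional `cookbook` property once the attribute defaults to this cookbook's own name, as the attributes hunk intends; the `nil?` (or `if`) guard then only covers a state the defaults rule out. Two points the README entry for this attribute should make, since `source 'pam_passwdqc.erb'` stays fixed: the alternate cookbook must ship a template named exactly `pam_passwdqc.erb`, and setting the attribute hands the PAM configuration on that node to the other cookbook, so the hardened passwdqc settings from os-hardening no longer apply there and whoever overrides it owns that review.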
Member

cookbook template_cookbook if template_cookbook ?

@@ -76,6 +76,9 @@
default['os-hardening']['auth']['pam']['passwdqc']['options'] = 'min=disabled,disabled,16,12,8'
default['os-hardening']['auth']['pam']['cracklib']['options'] = 'try_first_pass retry=3 type='
default['os-hardening']['auth']['pam']['pwquality']['options'] = 'try_first_pass retry=3 type='
default['os-hardening']['auth']['pam']['tally2']['template_cookbook'] = 'os-security'
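Review bot: `'os-security'` on the `['tally2']['template_cookbook']` default line is not this cookbook's name; the compile trace later in the thread shows it installed as `cookbooks/os-hardening`, and a default naming a cookbook that is not in the run list makes every converge with default attributes fail at the `template` resource. Set the default to `'os-hardening'` (the attribute file cannot call `cookbook_name`, as the thread confirms), and do the same for the `passwdqc` and `system-auth` defaults that the later trace shows alongside this one.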
Member

You can use cookbook_name as a value here, e.g:

.... = cookbook_name

eyespies (Contributor Author)

eyespies commented Feb 21, 2018

Any thoughts on the proper method to avoid FC044 when using cookbook_name? Am trying to find the correct syntax, but don't see it mentioned.

Never mind @artem-sidorenko, cookbook_name is a method call that exists on an instance of Chef::Recipe, however the attribute files are not processed in the context of a Chef::Recipe instance, so the method call fails. Some information is available at https://discourse.chef.io/t/cookbook-name-as-an-attribute/4845/7

This was also confirmed with an integration test which shows the error happening in the context of Chef::Node::Attribute and not Chef::Recipe:

       ================================================================================
       Recipe Compile Error in /tmp/kitchen/cache/cookbooks/os-hardening/attributes/default.rb
       ================================================================================
       
       NoMethodError
       -------------
       undefined method `cookbook_name' for #<Chef::Node::Attribute:0x0000000003870ca0>
       
       Cookbook Trace:
       ---------------
         /tmp/kitchen/cache/cookbooks/os-hardening/attributes/default.rb:79:in `from_file'
       
       Relevant File Content:
       ----------------------
       /tmp/kitchen/cache/cookbooks/os-hardening/attributes/default.rb:
       
        72:  default['os-hardening']['auth']['retries']                            = 5
        73:  default['os-hardening']['auth']['lockout_time']                       = 600 # 10min
        74:  default['os-hardening']['auth']['timeout']                            = 60
        75:  default['os-hardening']['auth']['allow_homeless']                     = false
        76:  default['os-hardening']['auth']['pam']['passwdqc']['options']           = 'min=disabled,disabled,16,12,8'
        77:  default['os-hardening']['auth']['pam']['cracklib']['options']           = 'try_first_pass retry=3 type='
        78:  default['os-hardening']['auth']['pam']['pwquality']['options']          = 'try_first_pass retry=3 type='
        79>> default['os-hardening']['auth']['pam']['tally2']['template_cookbook']        = cookbook_name
        80:  default['os-hardening']['auth']['pam']['passwdqc']['template_cookbook']      = cookbook_name
        81:  default['os-hardening']['auth']['pam']['system-auth']['template_cookbook']   = cookbook_name
        82:  default['os-hardening']['auth']['root_ttys']                          = %w[console tty1 tty2 tty3 tty4 tty5 tty6]
        83:  default['os-hardening']['auth']['uid_min']                             = 1000
        84:  default['os-hardening']['auth']['gid_min']                             = 1000
        85:  default['os-hardening']['auth']['sys_uid_max']                         = 999
        86:  default['os-hardening']['auth']['sys_gid_max']                         = 999
        87:  
        88:  # RH has a bit different defaults on some places

Let me know if there are any other ways to get the cookbook name or if I should just hard code the cookbook name.

artem-sidorenko (Member)

Thanks! I wasn’t aware of that, probably I was lucky enough to use cookbook_name only in recipes in the past. Feel free to hardcode it to os-hardening
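The design the review settles on (a `template_cookbook` attribute per PAM template, defaulting to the hardcoded cookbook name, read without conditionals), as an added plain-Ruby model of the attribute resolution. This is not the cookbook's code and Chef is not loaded: `node` is a nested Hash standing in for node attributes, `available_cookbooks` stands in for the cookbooks in the run context, and everything except the three attribute keys seen in the PR (`tally2`, `passwdqc`, `system-auth`) and `pam_passwdqc.erb` is an assumption of this example. It adds one check the PR does not have: a template source that names a cookbook absent from the run context is rejected up front with the offending key, which is how the earlier `'os-security'` default would have surfaced.

```ruby
# Added example, not code from the os-hardening cookbook. Plain-Ruby model of
# how per-template `template_cookbook` attributes choose the cookbook that
# supplies each PAM template. Chef is not loaded: `node` is a Hash and the
# cookbook collection is a Set. Template names other than pam_passwdqc.erb
# are assumptions of this example.
require 'set'

# Hardcoded, as agreed in the PR: attribute files cannot call cookbook_name.
COOKBOOK_NAME = 'os-hardening'.freeze

# PAM templates the recipe renders, keyed by the attribute subkey from the PR.
PAM_TEMPLATES = {
  'passwdqc'    => 'pam_passwdqc.erb',
  'tally2'      => 'pam_tally2.erb',      # assumed name
  'system-auth' => 'pam_system_auth.erb', # assumed name
}.freeze

# What attributes/default.rb sets: every template_cookbook points at ourselves.
def default_attributes
  pam = PAM_TEMPLATES.keys.to_h { |k| [k, { 'template_cookbook' => COOKBOOK_NAME }] }
  { 'os-hardening' => { 'auth' => { 'pam' => pam } } }
end

# Deep-merge higher-precedence attributes onto defaults (Chef precedence, simplified).
def deep_merge(base, over)
  base.merge(over) { |_k, a, b| a.is_a?(Hash) && b.is_a?(Hash) ? deep_merge(a, b) : b }
end

class TemplateSourceError < StandardError; end

# Resolve {key => {source:, cookbook:, overridden:}} for each PAM template.
# Refuses a cookbook that is not in the run context so a typo fails at compile
# time with the key named, rather than at the template resource during converge.
def resolve_template_sources(node, available_cookbooks)
  pam = node.dig('os-hardening', 'auth', 'pam') || {}
  PAM_TEMPLATES.to_h do |key, source|
    cookbook = pam.dig(key, 'template_cookbook') || COOKBOOK_NAME
    unless available_cookbooks.include?(cookbook)
      raise TemplateSourceError,
            "#{key}: template_cookbook '#{cookbook}' is not in the run context " \
            "(have: #{available_cookbooks.to_a.sort.join(', ')})"
    end
    [key, { source: source, cookbook: cookbook, overridden: cookbook != COOKBOOK_NAME }]
  end
end

# Constructed site override: a FreeIPA-managed node replaces only system-auth.
def freeipa_overrides
  { 'os-hardening' => { 'auth' => { 'pam' => {
      'system-auth' => { 'template_cookbook' => 'site-freeipa' } } } } }
end

if $PROGRAM_NAME == __FILE__
  cookbooks = Set['os-hardening', 'sysctl', 'site-freeipa']
  node = deep_merge(default_attributes, freeipa_overrides)
  resolve_template_sources(node, cookbooks).each do |key, t|
    note = t[:overridden] ? '  (overridden: hardened template not in use)' : ''
    puts "#{key.ljust(11)} <- #{t[:cookbook]}/templates/default/#{t[:source]}#{note}"
  end
end
```

The `overridden` flag is the operational caveat in one bit: any template whose cookbook is not `os-hardening` is no longer covered by the hardening cookbook's PAM settings, which is exactly the trade the FreeIPA use case makes on purpose and worth surfacing in a report or a kitchen verify step.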

artem-sidorenko (Member) left a comment


@eyespies many thanks!

@artem-sidorenko artem-sidorenko merged commit 93dca07 into dev-sec:master Feb 22, 2018
eyespies (Contributor Author)

General question @artem-sidorenko - when do you release a new version? Because I use Chef Server, if the version is not bumped, I have to knife delete cookbook xyz and clean out my Berkshelf cache before I can push the updated cookbook files to Chef Server.

artem-sidorenko (Member)

@eyespies I plan to resolve/merge all other currently open MRs and then release a new minor version: auditd support, container support etc. It might take another week or so. Is it okay for you?

eyespies (Contributor Author)

Sure, that is definitely reasonable. Thank you!

3 participants