This puppet module provides numerous security-related configurations, providing all-round base protection.
APACHE-2.0 License
This Puppet module provides secure configuration of your base OS with hardening and is part of the DevSec Hardening Framework.
After adding this module, you can use the class:
class { 'os_hardening': }
All parameters are contained within the main os_hardening
class, so you just have to pass them like this:
class { 'os_hardening':
enable_ipv4_forwarding => true,
}
If you are using this module in a PE environment, you have to set pe_environment = true
Otherwise puppet will drop an error (duplicate resource)!
system_environment = 'default'
docker
/lxc
pe_environment = false
extra_user_paths = []
PATH
variable (default is empty).umask = undef
maildir = undef
usergroups = true
sys_uid_min = undef
and sys_gid_min = undef
login.defs
password_max_age = 60
password_min_age = 7
password_warn_age = 7
login_retries = 5
login_timeout = 60
chfn_restrict = ''
allow_login_without_home = false
allow_change_user = false
su
to change his loginignore_users = []
/usr/sbin/nologin
)folders_to_restrict = ['/usr/local/games','/usr/local/sbin','/usr/local/bin','/usr/bin','/usr/sbin','/sbin','/bin']
ignore_max_files_warnings = false
recurselimit = 5
passwdqc_enabled = true
auth_retries = 5
auth_lockout_time = 600
passwdqc_options = 'min=disabled,disabled,16,12,8'
manage_pam_unix = false
enable_pw_history = true
manage_pam_unix = true
)pw_remember_last = 5
only_root_may_su = false
root_ttys = ['console','tty1','tty2','tty3','tty4','tty5','tty6']
whitelist = []
blacklist = []
remove_from_unknown = false
true
if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a blacklist
. This will make every Puppet run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your whitelist
.dry_run_on_unknown = false
remove_from_unknown
above, only that SUID/SGID bits aren't removed. It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure remove_from_unknown
for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your whitelist
and blacklist
.enable_module_loading = true
modprobe
, rmmod
)load_modules = []
disable_filesystems = ['cramfs','freevxfs','jffs2','hfs','hfsplus','squashfs','udf']
cpu_vendor = 'intel'
enable_module_loading = false
: set the CPU vendor for modules to loadicmp_ratelimit = '100'
desktop_enabled = false
enable_ipv4_forwarding = false
manage_ipv6 = true
enable_ipv6 = false
enable_ipv6_forwarding = false
arp_restricted = true
arp_ignore_samenet = false
enable_sysrq = false
enable_core_dump = false
enable_stack_protection = true
enable_rpfilter = true
rpfilter_loose = false
enable_rpfilter
is true) loose mode (rp_filter = 2) if true, strict mode otherwiseenable_log_martians = true
unwanted_packages = []
wanted_packages = []
disabled_services = []
enable_grub_hardening = false
grub_user = 'root'
grub_password_hash = ''
grub-mkpasswd-pbkdf2
that is associated with the grub_userboot_without_password = true
system_umask = undef
manage_home_permissions = false
ignore_home_users = []
manage_log_permissions = false
restrict_log_dir = ['/var/log/']
ignore_restrict_log_dir = []
ignore_files_in_folder_to_restrict = []
manage_cron_permissions = false
enable_sysctl_config = true
manage_system_users = true
shadow_group = undef
shadow_mode = undef
It's also possible to set the parameters in Hiera like this:
os_hardening::password_max_age: 90
os_hardening::password_min_age: 0
os_hardening::password_warn_age: 14
os_hardening::unwanted_packages: ['telnet']
os_hardening::ignore_users: ['git','githook','ansible','apache','puppetboard']
As the CIS Distribution Independent Linux Benchmark is a good starting point regarding hardening of systems, it was deemed appropriate to implement an easy way to deal with one-offs for which one doesn't want to write an entire module.
For instance, to increase CIS DIL compliance on a Debian system, one should set the following:
wanted_packages => ['ntp'],
unwanted_packages => ['telnet'],
disabled_services => ['rsync'],
The default settings of NTP are actually pretty good for most situations, so it is not immediately necessary to implement a module. However, if you do use a module to control these services, that is of course preferred.
This module has been tested and should run on most Linux distributions. For an extensive list of supported operating systems, see metadata.json
If you want to contribute, please follow our contribution guide.
You should have Ruby interpreter installed on your system. It might be a good idea to use rvm for that purpose. Besides that you have to install the Puppet Development Kit
PDK and Docker Community Edition, as the integration tests run in Docker containers.
For all our integration tests we use test-kitchen
. If you are not familiar with test-kitchen
please have a look at their guide.
# Syntax & Lint tests
pdk validate
# Unit Tests
pdk test unit
Per default the integration tests will run in docker containers - unfortunately not all tests can run in container environments (e.g. sysctl settings).
# Install dependencies
gem install bundler
bundle install
# list all test instances
bundle exec kitchen list
# fast test on one machine
bundle exec kitchen test ubuntu-16-04-puppet5
# test on all machines
bundle exec kitchen test
For complete integration tests with DigitalOcean you have to get an account there and setup some environment variables:
KITCHEN_LOCAL_YAML=kitchen.do.yml
DIGITALOCEAN_ACCESS_TOKEN
- access token for DigitalOcean
DIGITALOCEAN_SSH_KEY_IDS
- ID in DigitalOcean of your ssh key, see this for more informationThe ssh key has to be named ~/.ssh/do_ci
and added to your profile at DigitalOcean.
After this you're ready to run the tests as described at Integration Tests (Docker).
If you want to run the full integration tests with Github Actions in your fork, you will have to add these environment variables in the settings of your fork:
KITCHEN_LOCAL_YAML=kitchen.do.yml
DIGITALOCEAN_ACCESS_TOKEN
- access token for DigitalOcean
CI_SSH_KEY
- private part of a ssh key, available on DigitalOcean for your instances, in base64 encoded form (e.g. cat id_rsa | base64 -w0 ; echo
)DIGITALOCEAN_SSH_KEY_IDS
- ID in DigitalOcean of CI_SSH_KEY
, see this for more informationYour patches will automatically get tested via Github Actions. The test summary is visible on Github in your PR, details can be found in the linked tests.
You can reach us on several ways:
For the original port of chef-os-hardening
to puppet:
Thank you all!!
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.