From adf306ce7efedb7be3444be6e812f39710121f4f Mon Sep 17 00:00:00 2001 From: David Nelson Date: Tue, 17 Oct 2017 12:26:35 -0700 Subject: [PATCH] Final commit. --- CHANGELOG.md | 4 + Gemfile | 18 ----- README.md | 178 +++++++++++++++++++++++++++++++++++++++++-- Rakefile | 32 -------- data/os/RedHat7.yaml | 2 +- metadata.json | 10 +-- 6 files changed, 183 insertions(+), 61 deletions(-) delete mode 100644 Gemfile delete mode 100644 Rakefile diff --git a/CHANGELOG.md b/CHANGELOG.md index 477e622..c74ddb7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +## Release 0.3.0 +### Summary +Finished manual auditing and testing of the module. No rspec tests have been done mostly because it's insanely confusing and I don't have the time to work through the process. If you happen to be good at running these tests, drop me a line because I'd love to work with you through the process. + ## Release 0.2.0 ### Summary All critical errors from puppet runs have been corrected. Troubleshooting PAM module still needs to be happen because the config isn't laid down properly. No manual audit validation has been done yet either so there's no guarantee that everything will produce the correct desired state. diff --git a/Gemfile b/Gemfile deleted file mode 100644 index 4f662dc..0000000 --- a/Gemfile +++ /dev/null @@ -1,18 +0,0 @@ -source ENV['GEM_SOURCE'] || 'https://rubygems.org' - -puppetversion = ENV.key?('PUPPET_VERSION') ? ENV['PUPPET_VERSION'] : ['>= 3.3'] -gem 'metadata-json-lint' -gem 'puppet', puppetversion -gem 'puppetlabs_spec_helper', '>= 1.0.0' -gem 'puppet-lint', '>= 1.0.0' -gem 'facter', '>= 1.7.0' -gem 'rspec-puppet' - -# rspec must be v2 for ruby 1.8.7 -if RUBY_VERSION >= '1.8.7' && RUBY_VERSION < '1.9' - gem 'rspec', '~> 2.0' - gem 'rake', '~> 10.0' -else - # rubocop requires ruby >= 1.9 - gem 'rubocop' -end diff --git a/README.md b/README.md index a59d4c0..99efadd 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ ## Module Description -This module configures and maintains controls listed in the Center for Internet Security Benchmark for Linux. The current version of cisecurity implements v2.11 of the benchmark and provides a lot of dials and knobs to fine-tune the module to your specific needs. +This module configures and maintains controls listed in the Center for Internet Security Benchmark for Linux. The current version of cisecurity implements v2.11 of the benchmark for Red Hat Enterprise Linux 7 and provides a lot of dials and knobs to fine-tune the module to your specific needs. More information about the benchmark and downloading a copy of it for yourself is available at the [Center for Internet Security](http://www.cisecurity.org). @@ -40,7 +40,7 @@ cisecurity touches a wide variety of system-level settings including: To use the cisecurity module with default parameters, declare the cisecurity class. ```puppet -include cisecurity +class { '::cisecurity': } ``` ## Usage @@ -62,9 +62,7 @@ All parameters for the `cisecurity` module are broken down into various classes If you modify an `Enum['enabled','disabled']` parameter to something other than the default, the module will not autocorrect the desired state of the system. You will need to go to that system and manually change the configuration to whatever you want it to be. cisecurity is designed to only enforce the controls in the benchmark and will not make assumptions of what you want a system's configuration to look like when you deviate. -**Exception:** For parameters in the `cisecurity::services` class, if you modify an `Enum['installed','uninstalled','ignored']` parameter, the module will honor the setting and attempt to start/stop and enable/disable the specified package. - -For parameters in the `cisecurity::packages` class, if you modify an `Enum['installed','uninstalled','ignored']` parameter, the module will attempt to install or purge the specified package. +For parameters in the `cisecurity::packages` class, if you modify an `Enum['installed','uninstalled','ignored']` parameter, the class will attempt to install, purge, or ignore the specified package. #### Class cisecurity::filesystem @@ -159,6 +157,7 @@ Reassigns user ownership of an unowned files and directories. * Default value: `'enabled'` * Data type: `Enum['enabled','disabled']` * Implements: Control 1.1.21 +* Related: `world_writable_dirs_ignored` Adds sticky bit to all world writable directories. @@ -166,6 +165,7 @@ Adds sticky bit to all world writable directories. * Default value: `'enabled'` * Data type: `Enum['enabled','disabled']` * Implements: Control 6.1.10 +* Related: `world_writable_files_ignored` Removes world writable permission from all world writable files. @@ -266,6 +266,22 @@ Provides mount options for /var/tmp. Set this parameter to an empty array if yo Determines if mounting vfat filesystems will be allowed. +##### `world_writable_dirs_ignored` +* Default value: `[ ]` +* Data type: `Array[String]` +* Implements: Control 1.1.21 +* Related: `remediate_world_writable_dirs` + +Provides a list of world writable directories that you don't want the sticky bit automatically set on. + +##### `world_writable_files_ignored` +* Default value: `[ '/var/lib/rsyslog/imjournal.state' ]` +* Data type: Array[String]` +* Implements: Control 6.1.10 +* Related: `remediate_world_writable_files` + +Provides a list of world writable files that you don't want permissions automatically changed. + #### Class cisecurity::network ##### `dccp` @@ -589,6 +605,158 @@ Defines what category of updates you wish applied. Determines whether to enforce `gpgcheck` on all available repositories. +#### Class cisecurity::pam + +##### `account_lockout_enforcement` +* Default value: `'enabled'` +* Data type: `Enum['enabled','disabled']` +* Implements: Control 5.3.2 +* Related: `account_lockout_attempts`, `account_lockout_time`, `inactive_account_lockout`, `inactive_account_lockout_days` + +Determines whether the system should be configured for account lockout enforcement. + +##### `account_lockout_attempts` +* Default value: `5` +* Data type: `Integer` +* Implements: Control 5.3.2 +* Related: `account_lockout_enforcement` + +Specifies the number of times a bad password may be entered before the account is automatically locked out. + +##### `account_lockout_time` +* Default value: `900` +* Data type: `Integer` +* Implements: Control 5.3.2 +* Related: `account_lockout_enforcement` + +Specifies the amount of time (in seconds) when an account will be automatically unlocked after failed password attempts. + +##### `inactive_account_lockout` +* Default value: `'enabled'` +* Data Type: `Enum['enabled','disabled']` +* Implements: Control 5.4.1.4 +* Related: `account_lockout_enforcement` + +Specifies whether inactive accounts should be locked by the system. + +##### `account_lockout_days` +* Default value: `30` +* Data Type: `Integer` +* Implements: Control 5.4.1.4 +* Related: `account_lockout_enforcement` + +Specifies the number of days when an account is considered inactive. + +##### `password_aging` +* Default value: `'enabled'` +* Data Type: `Enum['enabled','disabled']` +* Implements: Controls 5.4.1.1 - 5.4.1.3 +* Related: `password_aging_max_days`, `password_aging_min_days`, `password_aging_warn_days` + +Determines whether the system should be configured for password aging enforcement. + +##### `password_aging_max_days` +* Default value: `90` +* Data Type: `Integer` +* Implements: Control 5.4.1.1 +* Related: `password_aging` + +Specifies the maximum number of days before a password is required to be changed. + +##### `password_aging_min_days` +* Default value: `7` +* Data Type: `Integer` +* Implements: Control 5.4.1.2 +* Related: `password_aging` + +Specifies the minimum number of days before a password must be used before it can be changed. + +##### `password_aging_warn_days` +* Default value: `7` +* Data Type: `Integer` +* Implements: Control 5.4.1.3 +* Related: `password_aging` + +Specifies the number of days before a messsage is displayed at user login that their password is going to expire. + +##### `password_enforcement` +* Default value: `'enabled'` +* Data Type: `Enum['enabled','disabled']` +* Implements: Controls 5.3.1, 5.3.3 +* Related: `password_min_length`, `password_num_digits`, `password_num_lowercase`, `password_num_uppercase`, `password_num_other_chars`, `password_max_attempts`, `password_num_remembered` + +Determines whether the system should be configured for password complexity restrictions. + +##### `password_max_attempts` +* Default value: `3` +* Data Type: `Integer` +* Implements: Control 5.3.1 +* Related: `password_enforcement` + +Specifies the number of times a user may specify a new password that doesn't meet complexity requirements before the attempt to change the password is rejected. + +##### `password_min_length` +* Default value: `14` +* Data Type: `Integer` +* Implements: Control 5.3.1 +* Related: `password_enforcement` + +Specifies the minimum length of a valid password. + +##### `password_num_digits` +* Default value: `-1` +* Data Type: `Integer` +* Implements: Control 5.3.1 +* Related: `password_enforcement` + +Specifies the number of digits required to be present in the password. + +##### `password_num_lowercase` +* Default value: `-1` +* Data Type: `Integer` +* Implements: Control 5.3.1 +* Related: `password_enforcement` + +Specifies the number of lowercase characers required to be present in the password. + +##### `password_num_uppercase` +* Default value: `-1` +* Data Type: `Integer` +* Implements: Control 5.3.1 +* Related: `password_enforcement` + +Specifies the number of uppercase characers required to be present in the password. + +##### `password_num_other_chars` +* Default value: `-1` +* Data Type: `Integer` +* Implements: Control 5.3.1 +* Related: `password_enforcement` + +Specifies the number of special characers required to be present in the password. + +##### `password_num_remembered` +* Default value: `5` +* Data Type: `Integer` +* Implements: Control 5.3.3 +* Related: `password_enforcement` + +Specifies the number of passwords the system will store per user to prevent them from resuing old passwords. + +##### `root_primary_group` +* Default value: `'root'` +* Data Type: `String` +* Implements: Control 5.4.3 + +Specifies the primary group that the root user should belong to. + +##### `wheel` +* Default value: `'enabled'` +* Data Type: `Enum['enabled','disabled']` +* Implements: Control 5.6 + +Specifies whether to enable the use of the `wheel` group on the system for the `su` command. + #### Class cisecurity::security ##### `aslr` diff --git a/Rakefile b/Rakefile deleted file mode 100644 index 02609e3..0000000 --- a/Rakefile +++ /dev/null @@ -1,32 +0,0 @@ -require 'puppetlabs_spec_helper/rake_tasks' -require 'puppet-lint/tasks/puppet-lint' -require 'metadata-json-lint/rake_task' - -if RUBY_VERSION >= '1.9' - require 'rubocop/rake_task' - RuboCop::RakeTask.new -end - -PuppetLint.configuration.send('disable_80chars') -PuppetLint.configuration.relative = true -PuppetLint.configuration.ignore_paths = ['spec/**/*.pp', 'pkg/**/*.pp'] - -desc 'Validate manifests, templates, and ruby files' -task :validate do - Dir['manifests/**/*.pp'].each do |manifest| - sh "puppet parser validate --noop #{manifest}" - end - Dir['spec/**/*.rb', 'lib/**/*.rb'].each do |ruby_file| - sh "ruby -c #{ruby_file}" unless ruby_file =~ %r{spec/fixtures} - end - Dir['templates/**/*.erb'].each do |template| - sh "erb -P -x -T '-' #{template} | ruby -c" - end -end - -desc 'Run metadata_lint, lint, validate, and spec tests.' -task :test do - [:metadata_lint, :lint, :validate, :spec].each do |test| - Rake::Task[test].invoke - end -end diff --git a/data/os/RedHat7.yaml b/data/os/RedHat7.yaml index ca1f8f0..c8bef90 100644 --- a/data/os/RedHat7.yaml +++ b/data/os/RedHat7.yaml @@ -101,12 +101,12 @@ cisecurity::redhat7::pam::password_aging_max_days: 90 cisecurity::redhat7::pam::password_aging_min_days: 7 cisecurity::redhat7::pam::password_aging_warn_days: 7 cisecurity::redhat7::pam::password_enforcement: 'enabled' +cisecurity::redhat7::pam::password_max_attempts: 3 cisecurity::redhat7::pam::password_min_length: 14 cisecurity::redhat7::pam::password_num_digits: -1 cisecurity::redhat7::pam::password_num_lowercase: -1 cisecurity::redhat7::pam::password_num_uppercase: -1 cisecurity::redhat7::pam::password_num_other_chars: -1 -cisecurity::redhat7::pam::password_max_attempts: 3 cisecurity::redhat7::pam::password_num_remembered: 5 cisecurity::redhat7::pam::root_primary_group: 'root' cisecurity::redhat7::pam::wheel: 'enabled' diff --git a/metadata.json b/metadata.json index 1e6c144..3d69623 100644 --- a/metadata.json +++ b/metadata.json @@ -1,12 +1,12 @@ { "name": "cohdjn-cisecurity", - "version": "0.2.0", + "version": "0.3.0", "author": "David Nelson", "summary": "Configures Linux systems to Center for Internet Security Linux hardening standard.", "license": "Apache-2.0", - "source": "https://github.com/cohdjn/cohdjn-cisecurity.git", - "project_page": "https://github.com/cohdjn/cohdjn-cisecurity", - "issues_url": "https://github.com/cohdjn/cohdjn-cisecurity/issues", + "source": "https://github.com/cohdjn/cisecurity", + "project_page": "https://github.com/cohdjn/cisecurity", + "issues_url": "https://github.com/cohdjn/cisecurity/issues", "dependencies": [ { "name": "puppetlabs/stdlib", "version_requirement": ">= 4.20.0 < 5.0.0" }, { "name": "puppetlabs/concat", "version_requirement": ">= 4.20.0 < 5.0.0" }, @@ -40,7 +40,7 @@ "requirements": [ { "name": "puppet", - "version_requirement": ">= 4.1.0 < 5.0.0" + "version_requirement": ">= 4.10.5 < 5.0.0" } ], "description": "Center for Internet Security module for RHEL 7."