Version information
released Dec 2nd 2023
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
- Puppet >= 6.0.0 < 9.0.0
- , , , , , , ,
Start using this module
Add this module to your Puppetfile:
mod 'hardening-os_hardening', '2.4.0'Learn more about managing modules with a PuppetfileDocumentation
hardening/os_hardening — version 2.4.0 Dec 2nd 2023
Puppet OS hardening
Table of Contents
- Module Description - What the module does and why it is useful
- Setup - The basics of getting started with os_hardening
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
- Testing - Quality gates for your changes in the code
- Get in touch
- Contributors + Kudos
- License and Author
Module Description
This Puppet module provides secure configuration of your base OS with hardening and is part of the DevSec Hardening Framework.
Setup
Setup Requirements
- Puppet OpenSource or Enterprise
- Module stdlib
- Module sysctl
Beginning with os_hardening
After adding this module, you can use the class:
class { 'os_hardening': }
All parameters are contained within the main os_hardening class, so you just have to pass them like this:
class { 'os_hardening':
enable_ipv4_forwarding => true,
}
Usage
IMPORTANT for Puppet Enterprise
If you are using this module in a PE environment, you have to set pe_environment = true
Otherwise puppet will drop an error (duplicate resource)!
Parameters
system_environment = 'default'define the context in which the system runs. Some options don't work fordocker/lxcpe_environment = falseset this to true if you are using Puppet Enterprise IMPORTANT - see aboveextra_user_paths = []add additional paths to the user'sPATHvariable (default is empty).umask = undefumask used for the creation of new home directories by useradd / newusers (e.g. '027')maildir = undefpath for maildir (e.g. '/var/mail')usergroups = truetrue if you want separate groups for each user, false otherwisesys_uid_min = undefandsys_gid_min = undefoverride the default setting forlogin.defspassword_max_age = 60maximum password agepassword_min_age = 7minimum password age (before allowing any other password change)password_warn_age = 7Days warning before password change is duelogin_retries = 5the maximum number of login retries if password is bad (normally overridden by PAM / auth_retries)login_timeout = 60authentication timeout in seconds, so login will exit if this time passeschfn_restrict = ''which fields may be changed by regular users using chfnallow_login_without_home = falsetrue if to allow users without home to loginallow_change_user = falseif a user may usesuto change his loginignore_users = []array of system user accounts that should not be hardened (password disabled and shell set to/usr/sbin/nologin)folders_to_restrict = ['/usr/local/games','/usr/local/sbin','/usr/local/bin','/usr/bin','/usr/sbin','/sbin','/bin']folders to make sure of that group and world do not have write access to it or any of the contentsignore_max_files_warnings = falsetrue if you do not want puppet to log max_files and performance warnings on the recursion of folders with > 1000 files eg /bin /usr/binrecurselimit = 5directory depth for recursive permission checkpasswdqc_enabled = truetrue if you want to use strong password checking in PAM using passwdqcauth_retries = 5the maximum number of authentication attempts, before the account is locked for some timeauth_lockout_time = 600time in seconds that needs to pass, if the account was locked due to too many failed authentication attemptspasswdqc_options = 'min=disabled,disabled,16,12,8'set to any option line (as a string) that you want to pass to passwdqcmanage_pam_unix = falsetrue if you want pam_unix managed by this moduleenable_pw_history = truetrue if you want pam_unix to remember password history to prevent reuse of passwords (requiresmanage_pam_unix = true)pw_remember_last = 5the number of last passwords (e.g. 5 will prevent user to reuse any of her last 5 passwords)only_root_may_su = falsetrue when only root and member of the group wheel may use su, required to be true for CIS Benchmark complianceroot_ttys = ['console','tty1','tty2','tty3','tty4','tty5','tty6']registered TTYs for rootwhitelist = []all files which should keep their SUID/SGID bits if set (will be combined with pre-defined whiteliste of files)blacklist = []all files which should have their SUID/SGID bits removed if set (will be combined with pre-defined blacklist of files)remove_from_unknown = falsetrueif you want to remove SUID/SGID bits from any file, that is not explicitly configured in ablacklist. This will make every Puppet run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in yourwhitelist.dry_run_on_unknown = falselikeremove_from_unknownabove, only that SUID/SGID bits aren't removed. It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configureremove_from_unknownfor SUID/SGID bits, so that you can see the files that are being changed and make adjustments to yourwhitelistandblacklist.enable_module_loading = truetrue if you want to allowed to change kernel modules once the system is running (egmodprobe,rmmod)load_modules = []load this modules via initramfs if enable_module_loading is falsedisable_filesystems = ['cramfs','freevxfs','jffs2','hfs','hfsplus','squashfs','udf']array of filesystems (kernel modules) that should be disabledcpu_vendor = 'intel'only required ifenable_module_loading = false: set the CPU vendor for modules to loadicmp_ratelimit = '100'default value '100', allow overwriting, needs Stringdesktop_enabled = falsetrue if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etcenable_ipv4_forwarding = falsetrue if this system requires packet forwarding in IPv4 (eg Router), false otherwisemanage_ipv6 = truetrue to harden ipv6 setup, false to ignore ipv6 completelyenable_ipv6 = falsefalse to disable ipv6 on this system, true to enableenable_ipv6_forwarding = falsetrue if this system requires packet forwarding in IPv6 (eg Router), false otherwisearp_restricted = truetrue if you want the behavior of announcing and replying to ARP to be restricted, false otherwisearp_ignore_samenet = falsetrue will drop packets that are not from the same subnet (arp_ignore = 2), false will only check the target ip (arp_ignore = 1)enable_sysrq = falsetrue to enable the magic sysrq key, false otherwiseenable_core_dump = falsefalse to prevent the creation of core dumps, true otherwiseenable_stack_protection = truefor Address Space Layout Randomization. ASLR can help defeat certain types of buffer overflow attacks. ASLR can locate the base, libraries, heap, and stack at random positions in a process's address space, which makes it difficult for an attacking program to predict the memory address of the next instruction.enable_rpfilter = truetrue to enable reverse path filtering (discard bogus packets), false otherwiserpfilter_loose = false(only ifenable_rpfilteris true) loose mode (rp_filter = 2) if true, strict mode otherwiseenable_log_martians = truetrue to enable logging on suspicious / unroutable network packets, false otherwise WARNING - this might generate huge log files!unwanted_packages = []packages that should be removed from the systemwanted_packages = []packages that should be added to the systemdisabled_services = []services that should not be enabledenable_grub_hardening = falseset to true to enable some grub hardening rulesgrub_user = 'root'the grub username that needs to be provided when changing config on the grub promptgrub_password_hash = ''a password hash created withgrub-mkpasswd-pbkdf2that is associated with the grub_userboot_without_password = truesetup Grub so it only requires a password when changing an entry, not when booting an existing entrysystem_umask = undefif this variable is set setup the umask for all user in the system (e.g. '027')manage_home_permissions = falseset to true to manage local users file and directory permissions (g-w,o-rwx)ignore_home_users = []array for users that is not to be restricted by manage_home_permissionsmanage_log_permissions = falseset to true to manage log file permissions (g-wx,o-rwx)restrict_log_dir = ['/var/log/']set main log dirignore_restrict_log_dir = []array to exclude log dirs under the main log dirignore_files_in_folder_to_restrict = []array to ignore files to hardened in dirs under the folder_to_restrict arraymanage_cron_permissions = falseset to true to manage cron file permissions (og-rwx)enable_sysctl_config = trueset to false to disable sysctl configurationmanage_system_users = trueset to false to disable managing of system users (empty password and setting nologin shell)shadow_group = undefoverride the group ownership of /etc/shadowshadow_mode = undefoverride the file permissions of /etc/shadow
Hiera usage
It's also possible to set the parameters in Hiera like this:
os_hardening::password_max_age: 90
os_hardening::password_min_age: 0
os_hardening::password_warn_age: 14
os_hardening::unwanted_packages: ['telnet']
os_hardening::ignore_users: ['git','githook','ansible','apache','puppetboard']
Note about wanted/unwanted packages and disabled services
As the CIS Distribution Independent Linux Benchmark is a good starting point regarding hardening of systems, it was deemed appropriate to implement an easy way to deal with one-offs for which one doesn't want to write an entire module.
For instance, to increase CIS DIL compliance on a Debian system, one should set the following:
wanted_packages => ['ntp'],
unwanted_packages => ['telnet'],
disabled_services => ['rsync'],
The default settings of NTP are actually pretty good for most situations, so it is not immediately necessary to implement a module. However, if you do use a module to control these services, that is of course preferred.
Limitations
This module has been tested and should run on most Linux distributions. For an extensive list of supported operating systems, see metadata.json
Development
If you want to contribute, please follow our contribution guide.
Testing
Local Testing
You should have Ruby interpreter installed on your system. It might be a good idea to use rvm for that purpose. Besides that you have to install the Puppet Development Kit PDK and Docker Community Edition, as the integration tests run in Docker containers.
For all our integration tests we use test-kitchen. If you are not familiar with test-kitchen please have a look at their guide.
PDK Tests
# Syntax & Lint tests
pdk validate
# Unit Tests
pdk test unit
Integration Tests (Docker)
Per default the integration tests will run in docker containers - unfortunately not all tests can run in container environments (e.g. sysctl settings).
# Install dependencies
gem install bundler
bundle install
# list all test instances
bundle exec kitchen list
# fast test on one machine
bundle exec kitchen test ubuntu-16-04-puppet5
# test on all machines
bundle exec kitchen test
Integration Tests (DigitalOcean)
For complete integration tests with DigitalOcean you have to get an account there and setup some environment variables:
KITCHEN_LOCAL_YAML=kitchen.do.ymlDIGITALOCEAN_ACCESS_TOKEN- access token for DigitalOceanDIGITALOCEAN_SSH_KEY_IDS- ID in DigitalOcean of your ssh key, see this for more information
The ssh key has to be named ~/.ssh/do_ci and added to your profile at DigitalOcean.
After this you're ready to run the tests as described at Integration Tests (Docker).
If you want to run the full integration tests with Github Actions in your fork, you will have to add these environment variables in the settings of your fork:
KITCHEN_LOCAL_YAML=kitchen.do.ymlDIGITALOCEAN_ACCESS_TOKEN- access token for DigitalOceanCI_SSH_KEY- private part of a ssh key, available on DigitalOcean for your instances, in base64 encoded form (e.g.cat id_rsa | base64 -w0 ; echo)DIGITALOCEAN_SSH_KEY_IDS- ID in DigitalOcean ofCI_SSH_KEY, see this for more information
CI testing of PRs & forks
Your patches will automatically get tested via Github Actions. The test summary is visible on Github in your PR, details can be found in the linked tests.
Get in touch
You can reach us on several ways:
- @DevSecIO on Twitter
- Mailing list for questions and general discussion: devsec@freelists.org [subscribe]
- Mailing list with release announcements (no posts are possible here): devsec-announce@freelists.org [subscribe]
Contributors + Kudos
- Dominik Richter arlimus
- Edmund Haselwanter ehaselwanter
- Christoph Hartmann chris-rock
- Thomas Dütsch a-tom
- Patrick Meier atomic111
- Artem Sidorenko artem-sidorenko
- Kurt Huwig kurthuwig
- Matthew Haughton 3flex
- Reik Keutterling spielkind
- Daniel Dreier danieldreier
- Timo Goebel timogoebel
- Tristan Helmich fadenb
- Michael Geiger mcgege
- Timo Bergemann LooOOooM
For the original port of chef-os-hardening to puppet:
- Artem Sidorenko artem-sidorenko
- Frank Kloeker eumel8
Thank you all!!
License and Author
- Author:: Dominik Richter dominik.richter@gmail.com
- Author:: Deutsche Telekom AG
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Changelog
Changelog generator still broken, sorry
Changes in v2.4.0
- Compability for Puppet version 8
Changes in v2.3.3
- fix CI: use docker driver for transferring files (#290)
- Disable new check 'os-14' for automated testing (#291)
- Restore ability to override /etc/shadow file permissions and group owner (#293)
- move to CentOS 8 Stream from quay.io (#295)
- fix(pam_passwdqc): remove accidental paste from
pam_passwdqc.erb(#299)
Changes in v2.3.2
- Backwards incompatible breaking change in PR279 #284
- Backwards incompatible breaking change in PR279 (#284) #285 (earthgecko)
v2.3.2 (2021-07-22)
Implemented enhancements:
- Add Puppet 7 tests + new versions #282 (mcgege)
- Remove Puppet v5 support + tests #281 (mcgege)
- update to PDK template 2.1.1 #278 (mcgege)
- Add documentation on hiera usage (see #248) #274 (mcgege)
- Update to PDK 2.0 template #273 (mcgege)
- Fix: Dead links result in an error #271 #272 (LooOOooM)
- move to github actions #264 (schurzi)
- fixed alignment of properties and indentation #263 (hp197)
- Added manage_system_users option and formatted properties #262 (hp197)
- use new syntax for stub in rspec #259 (schurzi)
- Fix + switch for arp_ignore #256 (mcgege)
- Move from inspec to cinc #238 (mcgege)
Fixed bugs:
- Backwards incompatible breaking change in PR279 #284
- Backwards incompatible breaking change in PR279 (#284) #285 (earthgecko)
- Activate manage_cron_permissions to satisfy cron tests #269 (mcgege)
- Solve bundle problem on automated tests #268 (mcgege)
- add source for chef-utils gem (bundle confusion) #265 (mcgege)
- Revert "secure_redirects should be set to 1 (default)" #260 (mcgege)
- Switch to Inspec 4 to break bundler loop #257 (mcgege)
Merged pull requests:
- Add ignore_max_files_warnings (#279) #280 (earthgecko)
- Disable sysctl configuration #253 (Tahitibob35)
2.3.1 (2021-07-19)
Implemented enhancements:
- Add support for Puppet 7 #267
- allow defining parameters in hiera #248
- Add integration tests for current platforms #172
Closed issues:
- New warning - max_files - exceeds the default soft limit 1000 #279
- enable_log_martians to false are logged #277
- Dead links result in an error #271
- Duplicate declaration #270
- Using relative file modes can result very wrong in some cases #222
2.3.0 (2021-02-10)
Implemented enhancements:
- Use CINC (instead of InSpec 4) #212
Fixed bugs:
- Fix Travis tests #255
Closed issues:
- Fix broken tests in Travis CI #123
2.2.11 (2021-01-27)
Closed issues:
- Default $arp_restricted=true breaks Calico overlay network #254
2.2.10 (2020-12-28)
Closed issues:
- os_hardening failing on centos7 #241
2.2.9 (2020-12-03)
Implemented enhancements:
- More secure kernel settings #250 (mcgege)
- Set SHA_CRYPT_*_ROUNDS (Telekom security req linux-10) #249 (mcgege)
- Update to PDK 1.18.1 #242 (mcgege)
- Updates from pdk template 1.17.0 #236 (mcgege)
- If disabled service should also be stopped #226 (mcgege)
- Manage files /etc/anacrontab and crontab equally #225 (mcgege)
- Proxy support / SUSE fixes #217 (mcgege)
- Updates from pdk template 1.11.1 #215 (mcgege)
- Metadata / Travis fixes #211 (mcgege)
- CIS: Fix permissions on home cron and log dirs #203 (PenguinFreeDom)
- Adjust .travis.yml to PDK template #197 (mcgege)
- Integration tests with DigitalOcean (see #180) #194 (mcgege)
- Update to PDK 1.9.1 #191 (mcgege)
- Update to PDK 1.9.0 #190 (mcgege)
- Readme updates #188 (mcgege)
- Replace sysctl module #183 (mcgege)
- Add version tag on puppetforge #182 (mcgege)
- New option rpfilter_loose to enable loose mode (rp_filter = 2) #163 (mcgege)
- Easy add and remove packages, disable services #138 (timstoop)
Fixed bugs:
- Fix for integration tests (apt-transport-https missing) #237 (mcgege)
- Travis-CI fix (kitchen / faraday broken?) #228 (mcgege)
- Augeas sysctl needs explicit string value #207 (mcgege)
- Add dirs to exclude to .pdkignore #196 (mcgege)
- Add missing dependency #184 (theosotr)
Merged pull requests:
- Adapt Travis to puppetlabs standard #247 (mcgege)
- Small fixes #243 (mcgege)
- patch-cumuluslinux-support #239 (mdklapwijk)
- Update to PDK 1.15 #233 (mcgege)
- Small fix on kitchen.yml #232 (mcgege)
- CentOS 8 support #229 (mcgege)
- Updates from pdk template 1.13.0 #227 (mcgege)
- Updates from pdk template 1.12.0 #221 (mcgege)
- allow puppet-stdlib v6 #219 (mcgege)
- OpenSUSE 42.3 docker image correction #214 (mcgege)
- Kitchen fix #206 (mcgege)
- Some applications require different setting for icmp_ratelimit #204 (tuxmea)
- Update to PDK 1.10.0 #193 (mcgege)
- Replace Gitter with mailing lists #185 (mcgege)
- Bugfix script to change file + dir permissions for Puppet Forge build #176 (mcgege)
- Also works with current puppetlabs/stdlib (5.1.0 tested) #168 (mcgege)
- Do not disable vfat. Fixes #165. #166 (timstoop)
- Add support for Ubuntu 18.04 and SLES 15 in metadata.json #162 (mcgege)
- Update issue templates #158 (rndmh3ro)
- rework README #155 (mcgege)
- Create license file #154 (mcgege)
- Create license file #153 (mcgege)
- Add 'MANAGED BY PUPPET' header #150 (hdep)
- Fix missing Requirements in Readme #149 (hdep)
- Add OpenSUSE 15 to the supported distributions #148 (mcgege)
2.2.8 (2020-06-01)
Fixed bugs:
- Minimize_access to File [/usr/bin] issue #234
Closed issues:
- Conflicts with apache module #231
2.2.7 (2019-10-04)
Closed issues:
- disabled_services should be stopped too #224
- os_hardening::minimize_access should treat anacrontab the same as crontab #223
2.2.6 (2019-07-24)
Fixed bugs:
- Approve stdlib v6 + resolve librarian-puppet problem #213
Closed issues:
- Error: no implicit conversion of Integer into String #199
2.2.5 (2019-06-01)
2.2.4 (2019-05-01)
2.2.3 (2019-05-01)
2.2.2 (2019-02-28)
Fixed bugs:
- Wrong permission on module files #175
2.2.1 (2019-01-28)
2.2.0 (2019-01-27)
Implemented enhancements:
- Test / Update for Puppet 6 #156
- Convert module into "standardized PDK module" #107
- Update to verify the module against https://github.com/dev-sec/linux-baseline #79
- Update test mechanisms #169 (mcgege)
- Support os umask #152 (hdep)
Fixed bugs:
- Rhel 7 won't boot on physical server #165
Closed issues:
- Wrong permission on git project files ? #164
- module on the forge is not in sync with version of github #160
- Fix broken tests in Travis CI #123
2.1.3 (2018-11-12)
Closed issues:
- user resource conflict with puppetlabs/apache: Duplicate declaration: User[www-data] is already declared #157
- Missing comments in managed file : file managed by puppet #146
- Missing requirements in readme file #145
2.1.2 (2018-08-15)
Implemented enhancements:
- Deploy GRUB hardening #137 (timstoop)
- Only allow root and members of group wheel to use su #134 (timstoop)
- Fix permissions on /etc/gshadow, based on CIS DIL Benchmark 6.1.5. #133 (timstoop)
Merged pull requests:
2.1.1 (2018-05-17)
Implemented enhancements:
- Adding new param to specify maildir path. Updated nologin path for Re… #127 (hundredacres)
- converted module to pdk #107 #120 (enemarke)
Closed issues:
- net.ipv4.tcp_rfc1337 not a valid sysctl key #124
Merged pull requests:
- Add password_warn_age parameter for login.defs #128 (claw-real)
- CI: switch testing to DigitalOcean #126 (artem-sidorenko)
- Refactoring and new spec test #121 (enemarke)
2.1.0 (2018-01-17)
Implemented enhancements:
- Use type checking by defining data types #114 (mcgege)
- Make parameter USERGROUPS_ENAB in login.defs configurable #113 (mcgege)
Fixed bugs:
Closed issues:
- Minimize access needs a better way of removing +w on system folders #60
- login.defs for different OS #57
- Adduser consistency #49
- Cleanup headers / copyright #111
- Update some RH settings in this module #102
Merged pull requests:
- Get CI tests running on azure #115 (artem-sidorenko)
- Correct header comments in sysctl.pp #69 (Zordrak)
- Skip entropy tests and disable auditd tests #117 (artem-sidorenko)
- Making test-kitchen work again #112 (artem-sidorenko)
- Implement new RH defaults (see issue #102) #103 (mcgege)
2.0.0 (2017-12-19)
Closed issues:
- SLES and OEL errors when ipv6 is disabled #82
- Failed to generate additional resources #75
- Multiple conflicts with Puppet Enterprise #74
- Conflict with Puppet Enterprise 2016.1.1 #71
- allow_core_dump set to true still ends up setting /etc/security/limits.d/10.hardcore.conf and /etc/profile.d/pinerolo_profile.sh files #68
- IPv6 setting problem #67
- Log martian packets #66
- Merge #64 #65
- net.ipv6.conf.default.accept_ra #56
- Publish new release on Puppet Forge #104
Merged pull requests:
- Update links + contributors in README #108 (mcgege)
- Avoid picking up users retrieved from SSSD or other domain services. #101 (tprobinson)
- Implement linux-baseline os-10 #100 (mcgege)
- Style Guide corrections #98 (mcgege)
- Update module metadata #97 (mcgege)
- Baseline sysctl-17: Enable logging of martian packets #96 (mcgege)
- One single coredump parameter #95 (mcgege)
- Fix for Linux Baseline os-02 #94 (mcgege)
- Baseline os-05b: set SYS_[GU]ID_[MIN|MAX] in /etc/login.defs #92 (mcgege)
- Remove config/scripts to prevent core dumps if function is disabled… #91 (mcgege)
- DevSec Linux Baseline os-05 #90 (mcgege)
- Corrected handling of /bin/su (via allow_change_user) #89 (mcgege)
- Documentation update #88 (mcgege)
- added switch manage_ipv6, so people could disable managing of ipv6 co… #87 (STetzel)
- CentOS7 issue - revert "Remove link following in minimize_access file resource" #86 (mcgege)
- Making rubocop happy #85 (artem-sidorenko)
- Make the sysctl setting 'rp_filter' configurable #84 (mcgege)
- Quick fix for issue #71: remove '/usr/local/bin' from managed folders #83 (mcgege)
- Puppet-lint done for sysctl.pp #81 (bitvijays)
- Fix the CI #80 (artem-sidorenko)
- Adopt Puppet style guide - remove dynamic variable lookup #70 (tuxmea)
- Remove link following in minimize_access file resource #64 (rooprob)
- update common kitchen.yml platforms #63 (chris-rock)
- add support for limiting password re-use. #61 (igoraj)
- add local testing section to readme #59 (chris-rock)
- add net.ipv6.conf.default.accept_ra. closes #56 #58 (igoraj)
- Disable System Accounts #54 (igoraj)
- common files: add centos 7 #53 (arlimus)
- Prepare module for v2.0.0 #109 (mcgege)
1.1.2 (2015-05-09)
Merged pull requests:
- Update common readme badges + contributors + rubocop #52 (arlimus)
- update common travis.yml, kitchen.yml platforms #51 (arlimus)
- bugfix: use scoped resource for puppet 4 #50 (arlimus)
OLD Changelog
1.1.2
- bugfix: ruby1.8+puppet+rspec interplay
- bugfix: use scoped resource for puppet 4
1.1.1
- feature: add stack protection configuration via sysctl (enabled)
- bugfix: replace non-ascii char in login.defs
- bugfix: follow links for RHEL7 /bin and /sbin
- bugfix: fixed tty newlines
- bugfix: minor log typos
1.1.0
API-change: renamed module to hardening-os_hardening
- improvement: linting
1.0.2
- improvement: only run 'update-pam' when needed
1.0.1
- bugfix: add missing colon for user-defined paths in PATH env
- adjust login.defs template to not log user logins (as per Debian defaults)
1.0.0
- add verified support for puppet 3.6, remove support for puppet 3.0 and 3.4
- improvement: streamlined rubocop and puppet-lint
- improvement: remove stdlib fixed version dependency
- improvement: loosened thias/sysctl dependency
- bugfix: get puppet version in gemfile from ENV:
PUPPET_VERSION
0.1.3
API-change: dry_run_on_unkown is now dry_run_on_unknown
- feature: allow configuration of custom modules (if module loading is disabled)
- improvement: only remove SUID/SGID if necessary
- improvement: clarify SUID/SGID options
- improvement: use thias/sysctl to configure sysctls (also fixes previous bugs with the template)
- improvement: add spec tests for sysctl options
- improvement: puppet-lint everything
- improvement: add travis testing for lint+specs
- improvement: use file resource instead of exec for access minimization
- bugfix: fix typo dry_run_on_unkown -> dry_run_on_unknown
- bugfix: don't run update initramfs on each run, only when required
- bugfix: deactivation of kernel module loading wasn't implemented
- bugfix: ip_forwarding wasn't activated correctly
0.1.2
- feature: add additional ipv6 hardening to sysctl
- feature: add test kitchen
- improvement: remove unnecessary attributes from os_hardening::pam
- bugfix: remove cracklib if passwdqc is used
0.1.1
- feature: add configurable system environment
- feature: remove suid/sgid bits from blacklist
- feature: remove suid/sgid bits from unknown files
0.1.0
- port from chef-os-hardening and monolithic puppet implementation
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/stdlib (>= 4.6.0 < 8.0.0)
- herculesteam/augeasproviders_sysctl (>= 2.2.1 < 3.0.0)
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.