toughen

Table of Contents

1. Description
2. Setup - The basics of getting started with toughen
   • What toughen affects
   • Beginning with toughen
3. Usage - A quick how-to
4. Reference - Parameters, classes, types, etc.
5. Limitations - OS compatibility, etc.
6. Development - Guide for contributing to the module

Description

This is a puppet module that applies various hardening controls as detailed in the documents referenced in guides.txt.

The aim of me writing my own module is to lay out the controls in a manner that I feel is readable and easy to understand, whilst also providing flexibility to the user so that they can add exceptions where necessary.

First priority for development will be CentOS 7, followed by RHEL7. Then the version 6 of both those, followed by Ubuntu and Debian. Other Linux OS's will follow in good time.

Setup

What toughen affects

A range from everything to nothing - it's server hardening. If you're unaware what that involves I strongly recommend you read the guides.

Beginning with toughen

At it's most basic, simply include toughen. However, this will apply the defaults with no consideration for any specific requirments. Good as a starting point if you're building from scratch, not so good if you're hardening an existing server. For that you'll want to apply specific sections of the module.

Usage

For more fine-grained usage, wrap sections into a profile:

class profile::security {
    include toughen::aide
    include toughen::auditing
    include toughen::banners
    include toughen::boot
    include toughen::cron
    include toughen::filesystem
    ## Skip firewall, managed elsewhere.
    # include toughen::firewall
    include toughen::init
    include toughen::legacy_services
    include toughen::mandatory_access
    include toughen::network
    include toughen::pam
    include toughen::perms_owners
    include toughen::process
    include toughen::rsyslog
    include toughen::services
    include toughen::shadow
    include toughen::ssh
    include toughen::sudo
    ## Skip updates, managed elsewhere
    include toughen::updates
    include toughen::user_env
}

You can also pass in parameters directly:

class profile::security {

    class { 'toughen::ssh':
        $port => 2222,
        $allow_users => ['shearna', 'vagrant'],
    }

}

And many other things. The full list of parameters is long and distinguished...

Reference

TODO

Here, include a complete list of your module's classes, types, providers, facts, along with the parameters for each. Users refer to this section (thus the name "Reference") to find specific details; most users don't read it per se.

Limitations

So far, supported only on Puppet 3.8 and CentOS/RedHat 7.

Still to come:

• CentOS/RedHat 6
• Ubuntu 16.04.x LTS
• Amazon Linux?

Also:

• Scan results with well-known compliance scanners (Nessus, Nexpose)

At some point it would be nice to use some of the iterators in Puppet 4, given RedHat doesn't use Puppet 4 yet, it's a ways off.

Development

Please feel free to contribute via GitHub with a pull request. If you're adding classes, please add unit tests (take a look in spec/classes/ for examples). You can get set up with:

$> bundle install
$> bundle exec rake

...which will lint, validate, and run the spec tests. Please ensure these tests still pass when you have made changes!

You can also view the compliance score against the STIG 'RHEL7 upstream' profile. On CentOS 7:

$> sudo yum install -y openscap-scanner scap-security-guide
$> sudo oscap xccdf eval \
    --profile xccdf_org.ssgproject.content_profile_stig-rhel7-server-upstream \
    --results report.xml \
    --report  report.html \
    /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

...and then open up report.html in a browser. Note that this module aims for compliance with CIS standards, not STIG, so there is some discrepancy.

Change Log

All notable changes to the project will be documented in this file. This project adheres to Semantic Versioning.

[1.0.0] - 2018-12-31

• Dropping support for Ruby 2.1
• Dropping support for Puppet 3
• Reversed toughen::services parameters - they're no longer double negatives. You'll need to flip your booleans!
• Adding inet_protocols = ipv4 to postfix so it starts when ipv6 is disabled.
• Made warning banner smaller
• Beaker tests not working yet

[0.7.0] - 2017-07-04

• Adding securetty settings
• Fixing some CI stuff

[0.6.0] - 2017-05-12

• Tried (and failed) to add an SSSD class. Needs work on a box with SSSD configured.
• Enabling the audisp syslog plugin for auditd
• Disabling zeroconf
• New class - modprobe. Unifies blacklisted modules from filesystem and network.
• Extra network parameters for sysctl
• Initializing aide
• Updating yum.conf with gpg checks etc
• Adding reasonably accurate policy for scanning with oscap tools
• Moved defined types to a folder

[0.5.2] - 2017-05-11

• Fixing filesystem mount parameters
• Splitting kernel parameters so that network ones are in network.pp
• Fixing some typos
• Making travis builds work properly again

[0.5.1] - 2017-05-05

• Logic was wrong on rpcbind fact

[0.5.0] - 2017-05-05

• Adds permission controls to /etc/shadow and similar
• Fixes #1 by detecting rpcbind properly

[0.4.0] - 2017-05-04

• Adds cron config
• Fixes some noisy service calls

[0.3.0] - 2017-05-04

• Adds SSH configuration
• Adds legacy services lock down
• Adds regular services lock down, with params to control e.g. http install.

[0.2.0] - 2017-05-03

• Adds in a custom fact that finds binaries with the setuid flag, and tracks them under auditd.
• 100% STIG compliance for Auditd, the 'Systme Accounting with auditd' section.

[0.1.2] - 2017-05-03

• Forgot to bump the metadata.json version to match the tag. Doh!

[0.1.1] - 2017-05-03

• Tweaks to auditing class to meet STIG compliance standards with oscap scanner

[0.1.0] - 2017-05-03

• Tag for initial usage

[0.0.0] - 2016-06-16

Added

• Initial bare commit