os-hardening
This cookbook provides numerous security-related configurations that give all-around base protection.
It does the following:
- Configures package management, e.g. allows only signed packages
- Removes packages with known issues
- Configures pam and the pam_limits module
- Configures the shadow password suite
- Configures system path permissions
- Disables core dumps via soft limits
- Restricts root logins to the system console
- Sets SUIDs
- Configures kernel parameters via sysctl
It will not:
- Update system packages
- Install security patches
Platform
- Debian 7, 8
- Ubuntu 14.04, 16.04, 18.04
- RHEL 6, 7
- CentOS 6, 7
- Oracle Linux 6, 7
- Fedora 26, 27
- openSUSE Leap 42
- Amazon Linux 1, 2
Attributes
- ['os-hardening']['components'][COMPONENT_NAME]
  allows fine control over which components are executed via the default recipe. See below for more details
- ['os-hardening']['desktop']['enable'] = false
  true if this is a desktop system, i.e. Xorg, KDE/GNOME/Unity/etc.
- ['os-hardening']['network']['forwarding'] = false
  true if this system requires packet forwarding (e.g. a router), false otherwise
- ['os-hardening']['network']['ipv6']['enable'] = false
- ['os-hardening']['network']['arp']['restricted'] = true
  true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
- ['os-hardening']['env']['extra_user_paths'] = []
  add additional paths to the user's PATH variable (default is empty).
- ['os-hardening']['env']['umask'] = "027"
- ['os-hardening']['env']['root_path'] = "/"
  where root is mounted
- ['os-hardening']['auth']['pw_max_age'] = 60
  maximum password age
- ['os-hardening']['auth']['pw_min_age'] = 7
  minimum password age (before allowing any other password change)
- ['os-hardening']['auth']['pw_warn_age'] = 7
  number of days before maximum password age occurs to warn of impending change
- More…
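The following is an added example, not code from the cookbook: plain Ruby that reviews a wrapper cookbook's attribute overrides against the defaults listed above before they are converged. The helper names `deep_merge` and `review_overrides`, the individual checks and the sample override are assumptions made for illustration.

```ruby
# Added example; not part of the os-hardening cookbook.
# Defaults copied from the attribute list above.
DEFAULTS = {
  'desktop' => { 'enable' => false },
  'network' => { 'forwarding' => false, 'ipv6' => { 'enable' => false },
                 'arp' => { 'restricted' => true } },
  'env'     => { 'extra_user_paths' => [], 'umask' => '027', 'root_path' => '/' },
  'auth'    => { 'pw_max_age' => 60, 'pw_min_age' => 7, 'pw_warn_age' => 7 }
}.freeze

# Hypothetical helper: recursively merge overrides onto the defaults.
def deep_merge(base, over)
  base.merge(over) { |_k, a, b| a.is_a?(Hash) && b.is_a?(Hash) ? deep_merge(a, b) : b }
end

# Hypothetical helper: list overrides that contradict or weaken the defaults.
def review_overrides(overrides)
  cfg = deep_merge(DEFAULTS, overrides)
  findings = []

  auth = cfg['auth']
  findings << 'pw_min_age must be lower than pw_max_age' unless auth['pw_min_age'] < auth['pw_max_age']
  findings << 'pw_warn_age exceeds pw_max_age' if auth['pw_warn_age'] > auth['pw_max_age']

  umask = cfg['env']['umask'].to_s
  if umask !~ /\A[0-7]{3,4}\z/
    findings << "umask #{umask.inspect} is not an octal string"
  elsif (umask.to_i(8) & 0o027) != 0o027
    # Every permission bit masked by 027 must stay masked.
    findings << "umask #{umask} is more permissive than the default 027"
  end

  # A relative PATH entry resolves against the current directory.
  cfg['env']['extra_user_paths'].each do |path|
    findings << "extra_user_paths entry #{path.inspect} is not absolute" unless path.start_with?('/')
  end

  findings << 'network forwarding enabled: confirm this host routes packets' if cfg['network']['forwarding']
  findings << 'ARP restriction disabled' unless cfg['network']['arp']['restricted']
  findings
end

# Constructed sample override, as a wrapper cookbook might set it.
sample = { 'env' => { 'umask' => '022', 'extra_user_paths' => ['bin'] },
           'auth' => { 'pw_min_age' => 90 } }
review_overrides(sample).each { |finding| puts "REVIEW: #{finding}" }
```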
Changelog v4.1.2
- CI: run the test workflow also on the release branches #295 (artem-sidorenko)
Download && Use
Author:
- Dominik Richter <dominik.richter@googlemail.com>
- Deutsche Telekom AG