chef-os-hardening v4.0 releases: provides numerous security-related configurations for Linux

os-hardening

This cookbook provides numerous security-related configurations, providing all-around base protection.

It will:

  • Configure package management, e.g. allow only signed packages
  • Remove packages with known issues
  • Configure pam and the pam_limits module
  • Configure the shadow password suite
  • Configure system path permissions
  • Disable core dumps via soft limits
  • Restrict root logins to the system console
  • Set SUIDs
  • Configure kernel parameters via sysctl

It will not:

  • Update system packages
  • Install security patches

Platform

  • Debian 7, 8
  • Ubuntu 14.04, 16.04, 18.04
  • RHEL 6, 7
  • CentOS 6, 7
  • Oracle Linux 6, 7
  • Fedora 26, 27
  • OpenSuse Leap 42
  • Amazon Linux 1, 2

Attributes

  • ['os-hardening']['components'][COMPONENT_NAME] – allows fine control over which components are executed by the default recipe. See below for more details
  • ['os-hardening']['desktop']['enable'] = false – true if this is a desktop system, i.e. Xorg, KDE/GNOME/Unity/etc.
  • ['os-hardening']['network']['forwarding'] = false – true if this system requires packet forwarding (e.g. a router), false otherwise
  • ['os-hardening']['network']['ipv6']['enable'] = false
  • ['os-hardening']['network']['arp']['restricted'] = true – true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
  • ['os-hardening']['env']['extra_user_paths'] = [] – additional paths to add to the user's PATH variable (default is empty)
  • ['os-hardening']['env']['umask'] = "027"
  • ['os-hardening']['env']['root_path'] = "/" – where root is mounted
  • ['os-hardening']['auth']['pw_max_age'] = 60 – maximum password age
  • ['os-hardening']['auth']['pw_min_age'] = 7 – minimum password age (before allowing any other password change)
  • ['os-hardening']['auth']['pw_warn_age'] = 7 – number of days before the maximum password age is reached to warn of the impending change
  • More
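
The password-age and umask defaults listed above can be verified on a host after a Chef run. The following Ruby check is an added example, not code from the cookbook; it assumes those attributes are rendered as PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE and UMASK in /etc/login.defs, and the function names and sample file content are constructed for illustration.

```ruby
# Baseline taken from the attribute defaults on this page. The mapping of
# attributes to login.defs keys is an assumption of this example.
EXPECTED = {
  'PASS_MAX_DAYS' => { value: 60,    check: :at_most },  # auth.pw_max_age
  'PASS_MIN_DAYS' => { value: 7,     check: :at_least }, # auth.pw_min_age
  'PASS_WARN_AGE' => { value: 7,     check: :at_least }, # auth.pw_warn_age
  'UMASK'         => { value: 0o027, check: :mask }      # env.umask
}.freeze

# Collect every "KEY value" pair, skipping comments and blank lines.
# All occurrences are kept so a later duplicate cannot hide a weak value.
def parse_login_defs(text)
  text.each_line.with_object(Hash.new { |h, k| h[k] = [] }) do |line, seen|
    key, value = line.sub(/#.*/, '').split
    seen[key] << value if key && value
  end
end

# True when the raw value is at least as strict as the baseline rule.
def compliant?(raw, rule)
  return false unless raw.match?(/\A-?\d+\z/)
  case rule[:check]
  when :at_most  then raw.to_i.between?(1, rule[:value]) # -1 and 99999 fail
  when :at_least then raw.to_i >= rule[:value]
  when :mask     then (raw.to_i(8) & rule[:value]) == rule[:value]
  end
end

# Return a list of findings; an empty list means the file meets the baseline.
def audit_login_defs(text, expected = EXPECTED)
  seen = parse_login_defs(text)
  expected.flat_map do |key, rule|
    values = seen.fetch(key, [])
    next ["#{key}: not set"] if values.empty?
    values.reject { |raw| compliant?(raw, rule) }
          .map { |raw| "#{key}: #{raw} does not meet baseline" }
  end
end

# Constructed sample input, not taken from a real host.
SAMPLE = <<~DEFS
  # /etc/login.defs (excerpt)
  PASS_MAX_DAYS   99999
  PASS_MIN_DAYS   7
  PASS_WARN_AGE   7   # days
  UMASK           022
DEFS

puts audit_login_defs(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

On a real host, pass `File.read('/etc/login.defs')` instead of `SAMPLE`; a non-empty result indicates drift from the defaults listed above.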

Changelog

v4.0.0 (2019-04-10)

Closed issues:

  • Deprecated feature sysctl_param used #230

Merged pull requests:
