From fc550ae623bcb02ee0e31c801f90a33b00593ace Mon Sep 17 00:00:00 2001 From: "Bernhard K. Weisshuhn" Date: Fri, 28 Nov 2014 18:42:21 +0100 Subject: [PATCH 1/6] exclude Berksfile from rubocop --- .rubocop.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.rubocop.yml b/.rubocop.yml index 3532b710..7321e2a4 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -1,6 +1,7 @@ --- AllCops: Exclude: + - Berksfile - vendor/**/* - test/**/* - metadata.rb From eecb2eed52d93087f08d0677aedb51e1cc79e79e Mon Sep 17 00:00:00 2001 From: "Bernhard K. Weisshuhn" Date: Fri, 28 Nov 2014 18:42:35 +0100 Subject: [PATCH 2/6] fix indenting cops --- libraries/suid_sgid.rb | 10 +++++----- recipes/sysctl.rb | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/libraries/suid_sgid.rb b/libraries/suid_sgid.rb index a241896a..bb6ad259 100644 --- a/libraries/suid_sgid.rb +++ b/libraries/suid_sgid.rb @@ -45,11 +45,11 @@ def self.find_all_suid_sgid_files(start_at = '/') def self.remove_suid_sgid_from_blacklist(blacklist) blacklist - .select { |file| File.exist?(file) } - .each do|file| - Chef::Log.info "suid_sgid: Blacklist SUID/SGID for '#{file}', removing bit..." - remove_suid_sgid_from(file) - end + .select { |file| File.exist?(file) } + .each do|file| + Chef::Log.info "suid_sgid: Blacklist SUID/SGID for '#{file}', removing bit..." + remove_suid_sgid_from(file) + end end def self.remove_suid_sgid_from_unkown(whitelist = [], root = '/', dry_run = false) diff --git a/recipes/sysctl.rb b/recipes/sysctl.rb index e9ff9ce4..db60cc83 100644 --- a/recipes/sysctl.rb +++ b/recipes/sysctl.rb @@ -33,8 +33,8 @@ # try to determine the real cpu vendor begin cpu_vendor = node['cpu']['0']['vendor_id'] - .sub(/^.*GenuineIntel.*$/, 'intel') - .sub(/^.*AuthenticAMD.*$/, 'amd') + .sub(/^.*GenuineIntel.*$/, 'intel') + .sub(/^.*AuthenticAMD.*$/, 'amd') node.default['security']['cpu_vendor'] = cpu_vendor rescue log 'WARNING: Could not properly determine the cpu vendor. Fallback to intel cpu.' do 
From 251d6541ea7f1d93a198f9c43cf15c8311ce3618 Mon Sep 17 00:00:00 2001 From: "Bernhard K. Weisshuhn" Date: Fri, 28 Nov 2014 19:08:48 +0100 Subject: [PATCH 3/6] update chefspec to 4.1.1 --- Gemfile | 2 +- spec/recipes/default_spec.rb | 2 +- spec/recipes/limits_spec.rb | 2 +- spec/recipes/securetty_spec.rb | 2 +- spec/recipes/sysctl_spec.rb | 6 +++--- spec/spec_helper.rb | 1 - 6 files changed, 7 insertions(+), 8 deletions(-) diff --git a/Gemfile b/Gemfile index 059117b9..8951bf90 100644 --- a/Gemfile +++ b/Gemfile @@ -7,7 +7,7 @@ gem 'chef', '~> 11.12' group :test do gem 'rake' - gem 'chefspec', '~> 4.0' + gem 'chefspec', '~> 4.1.1' gem 'foodcritic', '~> 3.0' gem 'thor-foodcritic' gem 'rubocop', '~> 0.23' diff --git a/spec/recipes/default_spec.rb b/spec/recipes/default_spec.rb index 8ae1278f..dfab1abb 100644 --- a/spec/recipes/default_spec.rb +++ b/spec/recipes/default_spec.rb @@ -21,7 +21,7 @@ # converge let(:chef_run) do - ChefSpec::Runner.new do |node| + ChefSpec::ServerRunner.new do |node| # sysctl/attributes/default.rb will set the config dir # on rhel and debian, but apply requires it for notification # therefore we set it manually here diff --git a/spec/recipes/limits_spec.rb b/spec/recipes/limits_spec.rb index 71ed82ea..188016a8 100644 --- a/spec/recipes/limits_spec.rb +++ b/spec/recipes/limits_spec.rb @@ -20,7 +20,7 @@ describe 'os-hardening::limits' do let(:chef_run) do - ChefSpec::Runner.new.converge(described_recipe) + ChefSpec::ServerRunner.new.converge(described_recipe) end it 'creates /etc/sysconfig/init' do diff --git a/spec/recipes/securetty_spec.rb b/spec/recipes/securetty_spec.rb index 7a729952..ce9fbc76 100644 --- a/spec/recipes/securetty_spec.rb +++ b/spec/recipes/securetty_spec.rb @@ -20,7 +20,7 @@ describe 'os-hardening::securetty' do let(:chef_run) do - ChefSpec::Runner.new.converge(described_recipe) + ChefSpec::ServerRunner.new.converge(described_recipe) end it 'creates /etc/securetty' do 
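Review bot: `ChefSpec::ServerRunner` boots an in-memory chef-zero server for every example, which is only needed when the recipe under test relies on search, data bags or other server-side data; for a plain converge the lighter `ChefSpec::SoloRunner` is the direct replacement for the removed `ChefSpec::Runner`. Whether os-hardening::default or the other recipes need the server cannot be seen from this patch, so if they do not, `ChefSpec::SoloRunner.new do |node|` here — and the same substitution in limits_spec.rb, securetty_spec.rb, the three sysctl_spec.rb hunks and the new login_defs_spec.rb in patch 5 — keeps the suite faster. Either way a one-line comment stating why the server runner is required would save the next reader the question. The `let(:chef_run)` block continues outside the hunk.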
diff --git a/spec/recipes/sysctl_spec.rb b/spec/recipes/sysctl_spec.rb index 433070f8..85228e0f 100644 --- a/spec/recipes/sysctl_spec.rb +++ b/spec/recipes/sysctl_spec.rb @@ -22,7 +22,7 @@ context 'intel' do let(:intel_run) do - ChefSpec::Runner.new do |node| + ChefSpec::ServerRunner.new do |node| node.set['sysctl']['conf_dir'] = '/etc/sysctl.d' node.set['cpu']['0']['vendor_id'] = 'GenuineIntel' end @@ -38,7 +38,7 @@ context 'amd' do let(:amd_run) do - ChefSpec::Runner.new do |node| + ChefSpec::ServerRunner.new do |node| node.set['sysctl']['conf_dir'] = '/etc/sysctl.d' node.set['cpu']['0']['vendor_id'] = 'AuthenticAMD' end @@ -53,7 +53,7 @@ context 'fallback' do let(:fallback_run) do - ChefSpec::Runner.new do |node| + ChefSpec::ServerRunner.new do |node| node.set['sysctl']['conf_dir'] = '/etc/sysctl.d' end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 4fc0df5a..f033a68e 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -17,7 +17,6 @@ require 'chefspec' require 'chefspec/berkshelf' -require 'chefspec/server' # coverage report ChefSpec::Coverage.start! From 33d8717869e86ec696d0a0095cf1afd220175a85 Mon Sep 17 00:00:00 2001 From: "Bernhard K. Weisshuhn" Date: Fri, 28 Nov 2014 19:09:17 +0100 Subject: [PATCH 4/6] quote mode specification of login_defs --- recipes/login_defs.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes/login_defs.rb b/recipes/login_defs.rb index 8ed1bb58..a9e7ead0 100644 --- a/recipes/login_defs.rb +++ b/recipes/login_defs.rb @@ -20,7 +20,7 @@ template '/etc/login.defs' do source 'login.defs.erb' - mode 0444 + mode '0444' owner 'root' group 'root' variables( From 00bd5c56182c01f433a82c3291052e11ecf98c6e Mon Sep 17 00:00:00 2001 From: "Bernhard K. Weisshuhn" Date: Fri, 28 Nov 2014 19:09:29 +0100 Subject: [PATCH 5/6] add spec for login_defs --- spec/recipes/login_defs_spec.rb | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 spec/recipes/login_defs_spec.rb 
diff --git a/spec/recipes/login_defs_spec.rb b/spec/recipes/login_defs_spec.rb new file mode 100644 index 00000000..c203b175 --- /dev/null +++ b/spec/recipes/login_defs_spec.rb @@ -0,0 +1,32 @@ +# encoding: UTF-8 +# +# Copyright 2014, Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require_relative '../spec_helper' + +describe 'os-hardening::login_defs' do + + let(:chef_run) do + ChefSpec::ServerRunner.new.converge(described_recipe) + end + + it 'creates /etc/login.defs' do + expect(chef_run).to create_template('/etc/login.defs') + .with(mode: '0444') + .with(owner: 'root') + .with(group: 'root') + end +end From 17b7dd86cefcb65517aad80bcf66963b69d37493 Mon Sep 17 00:00:00 2001 From: "Bernhard K. Weisshuhn" Date: Fri, 28 Nov 2014 18:42:10 +0100 Subject: [PATCH 6/6] make UID_MIN and GID_MIN in login.defs configurable via attributes --- attributes/default.rb | 2 ++ recipes/login_defs.rb | 4 +++- spec/recipes/login_defs_spec.rb | 11 ++++++++++- templates/default/login.defs.erb | 4 ++-- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/attributes/default.rb b/attributes/default.rb index 77cc4131..f351e477 100644 --- a/attributes/default.rb +++ b/attributes/default.rb 
@@ -62,6 +62,8 @@ default['auth']['pam']['passwdqc']['enable'] = true default['auth']['pam']['passwdqc']['options'] = 'min=disabled,disabled,16,12,8' default['auth']['root_ttys'] = %w(console tty1 tty2 tty3 tty4 tty5 tty6) +default['auth']['uid_min'] = 1000 +default['auth']['gid_min'] = 1000 # may contain: change_user default['security']['users']['allow'] = [] default['security']['kernel']['enable_module_loading'] = true diff --git a/recipes/login_defs.rb b/recipes/login_defs.rb index a9e7ead0..a75c6d89 100644 --- a/recipes/login_defs.rb +++ b/recipes/login_defs.rb @@ -31,6 +31,8 @@ login_retries: node['auth']['retries'], login_timeout: node['auth']['timeout'], chfn_restrict: '', # "rwh" - allow_login_without_home: node['auth']['allow_homeless'] + allow_login_without_home: node['auth']['allow_homeless'], + uid_min: node['auth']['uid_min'], + gid_min: node['auth']['gid_min'] ) end diff --git a/spec/recipes/login_defs_spec.rb b/spec/recipes/login_defs_spec.rb index c203b175..4a1cf231 100644 --- a/spec/recipes/login_defs_spec.rb +++ b/spec/recipes/login_defs_spec.rb @@ -20,7 +20,10 @@ describe 'os-hardening::login_defs' do let(:chef_run) do - ChefSpec::ServerRunner.new.converge(described_recipe) + ChefSpec::ServerRunner.new do |node| + node.set['auth']['uid_min'] = 5000 + node.set['auth']['gid_min'] = 5000 + end.converge(described_recipe) end it 'creates /etc/login.defs' do @@ -29,4 +32,10 @@ .with(owner: 'root') .with(group: 'root') end + + it 'uses uid_min and gid_min in /etc/login.defs' do + expect(chef_run).to render_file('/etc/login.defs') + .with_content(/^UID_MIN\s+5000$/) + .with_content(/^GID_MIN\s+5000$/) + end end diff --git a/templates/default/login.defs.erb b/templates/default/login.defs.erb index f46b6aa7..1b05004c 100644 --- a/templates/default/login.defs.erb +++ b/templates/default/login.defs.erb 
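Review bot: The two new attributes carry no comment on the range a value has to stay in, although the file annotates neighbouring keys (`# may contain: change_user`), and nothing tells a wrapper cookbook that templates/default/login.defs.erb still hard-codes `UID_MAX 60000` / `GID_MAX 60000` and still documents `#SYS_UID_MAX 999` below the default. A value lowered into that system window or raised to 60000 or above hands useradd/groupadd an overlapping or empty id range. Suggested comment above the two lines: `# lower bound for regular user/group ids in /etc/login.defs; keep above the system account range and below the hard-coded UID_MAX/GID_MAX (60000) in templates/default/login.defs.erb`.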
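Review bot: `uid_min: node['auth']['uid_min']` and `gid_min: node['auth']['gid_min']` hand the attribute to the template unchecked, and the template renders it with `.to_s`, so a nil, non-numeric or out-of-range value lands verbatim in /etc/login.defs (an empty `UID_MIN ` for nil) instead of failing the converge. Because this file sets the policy for which ids useradd and groupadd allocate, I would coerce and range-check before the resource: the template keeps `UID_MAX 60000`/`GID_MAX 60000` hard-coded, so a minimum at or above that leaves no free ids, and one below the `#SYS_UID_MAX 999` window the template still documents lets regular accounts be created with system ids. The `template '/etc/login.defs' do` block and its `variables(` call start outside the hunk; the guard below goes before the resource and the hash then passes the validated locals.
```ruby
# login.defs.erb hard-codes UID_MAX/GID_MAX 60000; keep the attribute-driven
# minimum inside that window so useradd/groupadd get a sane, non-empty range.
uid_min = Integer(node['auth']['uid_min'])
gid_min = Integer(node['auth']['gid_min'])
{ 'uid_min' => uid_min, 'gid_min' => gid_min }.each do |name, value|
  next if (1000..59_999).cover?(value)
  raise ArgumentError, "node['auth']['#{name}'] must be between 1000 and 59999, got #{value}"
end

# … unchanged: template '/etc/login.defs' resource and the other variables …
    uid_min: uid_min,
    gid_min: gid_min
```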
@@ -109,14 +109,14 @@ PASS_MIN_DAYS <%= @password_min_age.to_s %> PASS_WARN_AGE 7 # Min/max values for automatic uid selection in useradd -UID_MIN 1000 +UID_MIN <%= @uid_min.to_s %> UID_MAX 60000 # System accounts #SYS_UID_MIN 100 #SYS_UID_MAX 999 # Min/max values for automatic gid selection in groupadd -GID_MIN 1000 +GID_MIN <%= @gid_min.to_s %> GID_MAX 60000 # System accounts #SYS_GID_MIN 100