Puppet OS hardening

Table of Contents

  1. Module Description - What the module does and why it is useful
  2. Setup - The basics of getting started with os_hardening
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module
  6. Testing - Quality gates for your changes in the code
  7. Get in touch
  8. Contributors + Kudos
  9. License and Author

Module Description

This Puppet module provides secure configuration of your base OS with hardening and is part of the DevSec Hardening Framework.

Setup

Setup Requirements

Beginning with os_hardening

After adding this module, you can use the class:

class { 'os_hardening': }

All parameters are contained within the main os_hardening class, so you just have to pass them like this:

class { 'os_hardening':
  enable_ipv4_forwarding => true,
}

Usage

IMPORTANT for Puppet Enterprise

If you are using this module in a PE environment, you have to set pe_environment = true. Otherwise Puppet will raise an error (duplicate resource)!

Parameters

Hiera usage

It's also possible to set the parameters in Hiera like this:

os_hardening::password_max_age:  90
os_hardening::password_min_age:  0
os_hardening::password_warn_age: 14
os_hardening::unwanted_packages: ['telnet']
os_hardening::ignore_users:      ['git','githook','ansible','apache','puppetboard']

Note about wanted/unwanted packages and disabled services

As the CIS Distribution Independent Linux Benchmark is a good starting point for hardening systems, it was deemed appropriate to implement an easy way to deal with one-offs for which one doesn't want to write an entire module.

For instance, to increase CIS DIL compliance on a Debian system, one should set the following:

wanted_packages   => ['ntp'],
unwanted_packages => ['telnet'],
disabled_services => ['rsync'],

The default settings of NTP are actually pretty good for most situations, so it is not immediately necessary to implement a module. However, if you do use a module to control these services, that is of course preferred.
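The following profile class is an added example, not code from the os_hardening module or the DevSec project. It wraps the class as shown under Setup with the CIS DIL one-offs above and the Puppet Enterprise flag from the Usage note, so that all hardening data lives in one place and can be overridden from Hiera. The class name profile::base_hardening, its parameter defaults and the two sanity checks are assumptions made for this example; the os_hardening parameter names are the ones documented on this page.

```puppet
# Added example (not part of the os_hardening module): a profile class that
# wraps os_hardening. The profile::base_hardening name, its defaults and the
# sanity checks are assumptions for this example; the os_hardening parameters
# themselves are the ones documented in this README.
class profile::base_hardening (
  # Must be true on Puppet Enterprise nodes, otherwise os_hardening raises a
  # duplicate-resource error (see "IMPORTANT for Puppet Enterprise").
  Boolean       $pe_environment         = false,
  # Password ageing in days (same values as the Hiera example above).
  Integer[0]    $password_max_age       = 90,
  Integer[0]    $password_min_age       = 0,
  Integer[0]    $password_warn_age      = 14,
  # Service accounts that the user hardening should leave alone.
  Array[String] $ignore_users           = ['git', 'ansible', 'apache'],
  # One-off CIS DIL items that do not justify their own module
  # (the Debian example from this README).
  Array[String] $wanted_packages        = ['ntp'],
  Array[String] $unwanted_packages      = ['telnet'],
  Array[String] $disabled_services      = ['rsync'],
  # Only routers and container hosts need forwarding; keep it off elsewhere.
  Boolean       $enable_ipv4_forwarding = false,
) {
  # Catch a contradictory configuration early: a package cannot be both
  # wanted and unwanted, and Puppet would otherwise fail at resource level.
  $conflicting = $wanted_packages.filter |$pkg| { $pkg in $unwanted_packages }
  unless $conflicting.empty {
    fail("profile::base_hardening: packages listed as both wanted and unwanted: ${conflicting.join(', ')}")
  }

  # A minimum age above the maximum age would make password rotation
  # impossible for users; refuse the catalog instead of shipping it.
  if $password_min_age > $password_max_age {
    fail('profile::base_hardening: password_min_age must not exceed password_max_age')
  }

  # Everything is passed through to the single os_hardening class, exactly as
  # the Setup section shows for enable_ipv4_forwarding.
  class { 'os_hardening':
    pe_environment         => $pe_environment,
    password_max_age       => $password_max_age,
    password_min_age       => $password_min_age,
    password_warn_age      => $password_warn_age,
    ignore_users           => $ignore_users,
    wanted_packages        => $wanted_packages,
    unwanted_packages      => $unwanted_packages,
    disabled_services      => $disabled_services,
    enable_ipv4_forwarding => $enable_ipv4_forwarding,
  }
}
```

With this in place a node only needs include profile::base_hardening, and per-environment overrides go into Hiera under the profile's own keys (for example profile::base_hardening::pe_environment: true for a PE fleet) rather than directly under os_hardening::*, which keeps the module's parameters behind one reviewed entry point. The filter and empty calls are core Puppet functions, so the example does not pull in puppetlabs-stdlib.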

Limitations

This module has been tested and should run on most Linux distributions. For an extensive list of supported operating systems, see metadata.json.

Development

If you want to contribute, please follow our contribution guide.

Testing

Local Testing

You should have a Ruby interpreter installed on your system. It might be a good idea to use rvm for that purpose. Besides that you have to install the Puppet Development Kit (PDK) and Docker Community Edition, as the integration tests run in Docker containers.

For all our integration tests we use test-kitchen. If you are not familiar with test-kitchen, please have a look at their guide.

PDK Tests

# Syntax & Lint tests
pdk validate

# Unit Tests
pdk test unit

Integration Tests (Docker)

By default the integration tests run in Docker containers; unfortunately, not all tests can run in container environments (e.g. sysctl settings).

# Install dependencies
gem install bundler
bundle install

# list all test instances
bundle exec kitchen list

# fast test on one machine
bundle exec kitchen test ubuntu-16-04-puppet5

# test on all machines
bundle exec kitchen test

Integration Tests (DigitalOcean)

For complete integration tests with DigitalOcean you have to get an account there and set up some environment variables:

The SSH key has to be named ~/.ssh/do_ci and added to your profile at DigitalOcean. After that you are ready to run the tests as described under Integration Tests (Docker).

If you want to run the full integration tests with GitHub Actions in your fork, you will have to add these environment variables in the settings of your fork:

CI testing of PRs & forks

Your patches will automatically get tested via GitHub Actions. The test summary is visible on GitHub in your PR; details can be found in the linked tests.

Get in touch

You can reach us in several ways:

Contributors + Kudos

For the original port of chef-os-hardening to puppet:

Thank you all!!

License and Author

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.