├── .gitignore ├── LICENSE ├── README.md ├── docs ├── chef.md ├── coding │ ├── contributing.md │ ├── headers.md │ └── linting.md ├── contrib │ └── prepare-commit-msg.hook ├── faq.md ├── index.md ├── license-headers.md ├── principles.md └── puppet.md └── mkdocs.yml /.gitignore: -------------------------------------------------------------------------------- 1 | site 2 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Hardening Framework Documentation 2 | 3 | We use [MkDocs](http://www.mkdocs.org/) to document all hardening projects 4 | 5 | ## Build 6 | 7 | # build the site 8 | mkdocs build 9 | # update master branch 10 | ghp-import -b gh-pages -p site 11 | 12 | ## Author 13 | 14 | * Author:: Christoph Hartmann 15 | * Author:: Hardening Framework Team 16 | * Author:: Deutsche Telekom AG 17 | 18 | Licensed under the Apache License, Version 2.0 (the "License"); 19 | you may not use this file except in compliance with the License. 20 | You may obtain a copy of the License at 21 | 22 | http://www.apache.org/licenses/LICENSE-2.0 23 | 24 | Unless required by applicable law or agreed to in writing, software 25 | distributed under the License is distributed on an "AS IS" BASIS, 26 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 27 | See the License for the specific language governing permissions and 28 | limitations under the License. -------------------------------------------------------------------------------- /docs/chef.md: -------------------------------------------------------------------------------- 1 | # Chef overview 2 | 3 | The following modules are part of the hardening framework: 4 | 5 | Base Operating System 6 | 7 | * [chef-os-hardening](https://github.com/hardening-io/chef-os-hardening) 8 | * [chef-ssh-hardening](https://github.com/hardening-io/chef-ssh-hardening) 9 | 10 | Database 11 | 12 | * [chef-mysql-hardening](https://github.com/hardening-io/chef-mysql-hardening) 13 | * [chef-postgres-hardening](https://github.com/hardening-io/chef-postgres-hardening) 14 | 15 | Web Server 16 | 17 | * [chef-nginx-hardening](https://github.com/hardening-io/chef-nginx-hardening) 18 | * [chef-apache-hardening](https://github.com/hardening-io/chef-apache-hardening) 19 | 20 | Example 21 | 22 | * [example-chef-hardening](https://github.com/hardening-io/example-chef-hardening) 23 | 24 | 25 | ## Publishing Cookbooks 26 | 27 | ### Stove-route 28 | 29 | The easy way: 30 | 31 | gem install stove 32 | stove login --username YOURNAME --key ~/.chef/YOURKEY.pem 33 | cd chef-os-hardening 34 | stove 35 | 36 | In case of errors: Use the method below to ensure that your `metadata.rb` is configure correctly. If you cannot generate a `metadata.json`, fix this error first. 37 | 38 | ### Chef-route 39 | 40 | We will use `chef-ssh-hardening` as an example project. 41 | 42 | 1. Install chef 43 | 44 | gem install chef 45 | 46 | 2. Since development happens locally, define your ssh key in your chef config 47 | 48 | ~/.chef/knife.rb 49 | 50 | client_key "#{ENV['HOME']}/.ssh/id_rsa" 51 | cookbook_license "apachev2" 52 | cookbook_copyright "" 53 | cookbook_email "" 54 | 55 | 3. Copy to temporary cookbooks location 56 | 57 | mkdir /tmp/cookbooks 58 | cp -r . /tmp/cookbooks/ssh-hardening 59 | 60 | 4. Generate `metadata.json` 61 | 62 | knife cookbook metadata ssh-hardening -o /tmp/cookbooks 63 | 64 | 5. Generate tarball 65 | 66 | knife cookbook site share ssh-hardening "ssh-hardening" -o /tmp/cookbooks 67 | -------------------------------------------------------------------------------- /docs/coding/contributing.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | The general steps are: 4 | 5 | - Create a ticket in Github Issues. 6 | - Fork the repository on GitHub. 7 | - Clone the repository on your local system. 8 | - Create a branch and make your changes. 9 | - Push the branch, create a pull request and [reference the issue in your pull request](https://github.com/blog/1506-closing-issues-via-pull-requests). 10 | 11 | Read on for detailed steps 12 | 13 | ## License 14 | 15 | This project is Apache 2 licensed. Every contribution must be under the Apache 2 License too. For new files we have added a section with [License Headers](/docs/license-headers). 16 | 17 | ### Sign your work 18 | 19 | In addition to the license we only accept contributions signed as your work. The sign-off is a simple line at the end of the explanation for the patch, which certifies that you wrote it or otherwise have the right to pass it on as an open-source patch. The rules are pretty simple: if you can certify the below (from [developercertificate.org](developercertificate.org)): 20 | 21 | ``` 22 | Developer Certificate of Origin 23 | Version 1.1 24 | 25 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 26 | 660 York Street, Suite 102, 27 | San Francisco, CA 94110 USA 28 | 29 | Everyone is permitted to copy and distribute verbatim copies of this 30 | license document, but changing it is not allowed. 31 | 32 | 33 | Developer's Certificate of Origin 1.1 34 | 35 | By making a contribution to this project, I certify that: 36 | 37 | (a) The contribution was created in whole or in part by me and I 38 | have the right to submit it under the open source license 39 | indicated in the file; or 40 | 41 | (b) The contribution is based upon previous work that, to the best 42 | of my knowledge, is covered under an appropriate open source 43 | license and I have the right under that license to submit that 44 | work with modifications, whether created in whole or in part 45 | by me, under the same open source license (unless I am 46 | permitted to submit under a different license), as indicated 47 | in the file; or 48 | 49 | (c) The contribution was provided directly to me by some other 50 | person who certified (a), (b) or (c) and I have not modified 51 | it. 52 | 53 | (d) I understand and agree that this project and the contribution 54 | are public and that a record of the contribution (including all 55 | personal information I submit with it, including my sign-off) is 56 | maintained indefinitely and may be redistributed consistent with 57 | this project or the open source license(s) involved. 58 | ``` 59 | 60 | then you just add a line to every git commit message: 61 | 62 | HardeningFramework-DCO-1.1-Signed-off-by: Joe Smith (github: github_handle) 63 | 64 | using your real name (sorry, no pseudonyms or anonymous contributions.) 65 | 66 | One way to automate this, is customise your get ``commit.template`` by adding 67 | a ``prepare-commit-msg`` hook to your hardening project checkout: 68 | 69 | ``` 70 | curl -o .git/hooks/prepare-commit-msg https://raw.githubusercontent.com/hardening-io/docs/master/docs/contrib/prepare-commit-msg.hook && chmod +x .git/hooks/prepare-commit-msg 71 | ``` 72 | * Note: the above script expects to find your GitHub user name in ``git config --get github.user``, set it with `git config --global github.user ` 73 | 74 | 75 | ## Contributing to the Hardening Framework Projects 76 | 77 | Below, replace "REPO" with the project that should be changed. Replace "USER" with your GitHub username. 78 | 79 | 0. Create a issue for the bug, feature or improvement you are contributing. 80 | 81 | See [Mastering Issues](https://guides.github.com/features/issues/) for details 82 | 83 | 1. Fork the repository on GitHub. 84 | 85 | HardeningFramework/REPO -> USER/REPO 86 | 87 | You can replace REPO in your fork with a name for the repository 88 | that makes it unique, if required. 89 | 90 | 2. Clone the repository locally 91 | 92 | ``` 93 | git clone git@github.com:USER/REPO.git 94 | ``` 95 | 96 | 3. Ensure the origin is your repository. 97 | 98 | ``` 99 | git config remote.origin.url git@github.com:USER/REPO.git 100 | ``` 101 | 102 | 4. Add Hardening Framework REPOs as a remote named `upstream` and track it 103 | instead of your origin. 104 | 105 | ``` 106 | git remote add upstream git://github.com/hardening-io/REPO.git 107 | git config branch.master.remote upstream 108 | ``` 109 | 110 | 5. Make sure your master branch is updated. 111 | 112 | ``` 113 | git checkout master 114 | git pull --rebase 115 | ``` 116 | 117 | 6. Create a new branch for the ticket. 118 | 119 | ``` 120 | git checkout -b ISSUE-#### 121 | ``` 122 | 123 | 7. Make your changes and push the branch to your origin. 124 | 125 | ``` 126 | git push origin ISSUE-#### 127 | ``` 128 | 129 | 8. [Reference the ISSUE](https://github.com/blog/1506-closing-issues-via-pull-requests) in your [Github Pull Request](https://help.github.com/articles/using-pull-requests). We will review the issue and contribution as soon as possible. 130 | 131 | ### Some Tips 132 | 133 | In order to have your contribution accepted as quickly as possible, we have some requests for you. These make it easier to merge contributions without merge conflicts, and keep the scope on topic for a specific issue. 134 | 135 | - Please do not update the version in the metadata.rb (chef) or Modulefile/metadata.json (Puppet) files. We handle that as part of the release process. 136 | - Please do not update the CHANGELOG.md. We handle that as part of the release process. 137 | - Please do not mix style changes that are not related to the specific ticket. Create a new, separate ticket for style updates. For example, if a REPO has Foodcritic findings, create a separate ticket to handle those. See the section on linting. 138 | - Follow the current style of the code where appropriate. 139 | - Run the provided lint, spec and integration tests 140 | -------------------------------------------------------------------------------- /docs/coding/headers.md: -------------------------------------------------------------------------------- 1 | # File headers 2 | 3 | ## Ruby 4 | ```ruby 5 | # encoding: utf-8 6 | # 7 | # Copyright 2015, Hardening Framework Team 8 | # 9 | # Licensed under the Apache License, Version 2.0 (the "License"); 10 | # you may not use this file except in compliance with the License. 11 | # You may obtain a copy of the License at 12 | # 13 | # http://www.apache.org/licenses/LICENSE-2.0 14 | # 15 | # Unless required by applicable law or agreed to in writing, software 16 | # distributed under the License is distributed on an "AS IS" BASIS, 17 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 | # See the License for the specific language governing permissions and 19 | # limitations under the License. 20 | # 21 | ``` 22 | 23 | ## JavaScript 24 | ```javascript 25 | /* Copyright 2014 Hardening Framework Team 26 | * 27 | * Licensed under the Apache License, Version 2.0 (the "License"); 28 | * you may not use this file except in compliance with the License. 29 | * You may obtain a copy of the License at 30 | * 31 | * http://www.apache.org/licenses/LICENSE-2.0 32 | * 33 | * Unless required by applicable law or agreed to in writing, software 34 | * distributed under the License is distributed on an "AS IS" BASIS, 35 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 36 | * See the License for the specific language governing permissions and 37 | * limitations under the License. 38 | */ 39 | ``` 40 | 41 | ## Python 42 | 43 | ```python 44 | # Copyright 2014 Hardening Framework Team 45 | # 46 | # Licensed under the Apache License, Version 2.0 (the "License"); 47 | # you may not use this file except in compliance with the License. 48 | # You may obtain a copy of the License at 49 | # 50 | # http://www.apache.org/licenses/LICENSE-2.0 51 | # 52 | # Unless required by applicable law or agreed to in writing, software 53 | # distributed under the License is distributed on an "AS IS" BASIS, 54 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 55 | # See the License for the specific language governing permissions and 56 | # limitations under the License. 57 | ``` 58 | 59 | ## HTML 60 | 61 | ```html 62 | 77 | ``` -------------------------------------------------------------------------------- /docs/coding/linting.md: -------------------------------------------------------------------------------- 1 | # Linting 2 | 3 | We run several linting tools in our continuous integration pipeline. If you create a pull request the CI will kick in and run [Rubocop](https://github.com/bbatsov/rubocop) for every project as well as [Foodcritic](http://www.foodcritic.io) for chef repos or [puppet-lint](http://puppet-lint.com) for puppet repos. The tasks are provided as Rake Tasks ready to run an give feedback. 4 | 5 | Here the example output of the [chef-os-hardening project](https://github.com/hardening-io/chef-os-hardening) (kitchen-tasks stripped): 6 | 7 | ```shell 8 | ± bundle exec rake -T 9 | rake acceptance # Alias for kitchen:all 10 | rake foodcritic # Run foodcritic lint checks 11 | rake integration # Run all tests except Kitchen (default task) 12 | rake kitchen:all # Run all test instances 13 | [ ... kitchen-tasks stripped ... ] 14 | rake lint # Run linters 15 | rake rubocop # Run Rubocop lint checks 16 | rake run_all_linters # Run all linters: rubocop and foodcritic 17 | rake spec # Run chefspec tests 18 | rake test # Run all tests 19 | ``` 20 | 21 | The CI is configured to run the common task `rake run_all_linters ` in all the projects. Example of a successful run: 22 | 23 | ```shell 24 | ± bundle exec rake run_all_linters 25 | Running RuboCop... 26 | Inspecting 20 files 27 | .................... 28 | 29 | 20 files inspected, no offences detected 30 | Running Foodcritic tests... 31 | done. 32 | 33 | ± echo $? 34 | 0 35 | ``` 36 | 37 | The CI evaluates the return code of the task, which is `0` if no offences are found. 38 | 39 | The task will fail fast. Meaning we run [Rubocop](https://github.com/bbatsov/rubocop) first and the specific linter (if any) next. A failed run of rubocop looks like the following output: 40 | 41 | ``` 42 | ± bundle exec rake run_all_linters 43 | Running RuboCop... 44 | Inspecting 20 files 45 | ....C............... 46 | 47 | Offences: 48 | 49 | recipes/default.rb:22:1: C: Extra blank line detected. 50 | 51 | 20 files inspected, 1 offence detected 52 | RuboCop failed! 53 | 54 | ± echo $? 55 | 1 56 | ``` 57 | 58 | The exit code is `1` indicating that one of the linters involved found an offence. Following an example in a chef cookbook were rubocop is successful but foodcritic found an offence: 59 | 60 | ```shell 61 | ± bundle exec rake run_all_linters 62 | Running RuboCop... 63 | Inspecting 20 files 64 | .................... 65 | 66 | 20 files inspected, no offences detected 67 | Running Foodcritic tests... 68 | done. 69 | FC019: Access node attributes in a consistent manner: /.../recipes/default.rb:29 70 | rake aborted! 71 | FC019: Access node attributes in a consistent manner: /.../recipes/default.rb:29 72 | /.../.rvm/gems/ruby-2.1.1/gems/foodcritic-3.0.3/lib/foodcritic/rake_task.rb:33:in `block in define' 73 | /.../.rvm/gems/ruby-2.1.1/bin/ruby_executable_hooks:15:in `eval' 74 | /.../.rvm/gems/ruby-2.1.1/bin/ruby_executable_hooks:15:in `
' 75 | Tasks: TOP => run_all_linters => foodcritic 76 | (See full trace by running task with --trace) 77 | 78 | ± echo $? 79 | 1 80 | ``` 81 | 82 | ### Ruby - Rubocop 83 | 84 | [Rubocop](https://github.com/bbatsov/rubocop) catches a lot of basic syntax infractions and provides ruby best practice advise like using double quotes for strings that do not interpolate Ruby variables, or using simple if/else statements when a one-line ternary operator would be sufficient. This helps enforcing a common style guide and avoiding time consuming best practice discussions in pull requests. Have a look at [A community-driven Ruby coding style guide](https://github.com/bbatsov/ruby-style-guide) for further details. 85 | 86 | Every project has a rake task to run rubocop as well as a task where all linters for the project are run, including rubocop: 87 | 88 | ``` 89 | ± bundle exec rake -T|grep rubocop 90 | rake rubocop # Run Rubocop lint checks 91 | rake run_all_linters # Run all linters: rubocop and foodcritic 92 | ``` 93 | 94 | Rubocop honors the `.rubocop.yml` file of the project. 95 | 96 | Example successful run of rubocop: 97 | 98 | ```shell 99 | ± bundle exec rake rubocop 100 | Running RuboCop... 101 | Inspecting 6 files 102 | ...... 103 | 104 | 6 files inspected, no offences detected 105 | 106 | ± echo $? 107 | 0 108 | ``` 109 | 110 | ### Chef - Foodcritic 111 | 112 | [Foodcritic](http://www.foodcritic.io) is a special linter for chef cookbooks. The rake task is configured to fail on `any` violation. We, as a project, decided to use the single quoted string node attribute notation to honor [FC019](http://www.foodcritic.io/#FC019). 113 | 114 | There are some edge cases were, upon discussion a violation is tolerated. This can be done with a special markup in the code itself. Following an example (taken from [chef-ssh-hardening server.rb](https://github.com/hardening-io/chef-ssh-hardening/blob/master/recipes/server.rb#L41)) 115 | 116 | ```ruby 117 | search('users', "#{field}:*").map do |v| # ~FC003 ignore footcritic violation 118 | Chef::Log.info "ssh_server: installing ssh-keys for root access of user #{v['id']}" 119 | v[field] 120 | end.flatten 121 | ``` 122 | 123 | Here we acknowledge [FC003](http://www.foodcritic.io/#FC003) as this cookbook will always need search in order to work and we use solo-search in testing. 124 | 125 | Every chef project has a rake task to run foodcritic as well as a task were all linters for the project are run, including rubocop: 126 | 127 | ``` 128 | ± bundle exec rake -T |grep foodcritic 129 | rake foodcritic # Run foodcritic lint checks 130 | rake run_all_linters # Run all linters: rubocop and foodcritic 131 | ``` 132 | 133 | Example successful run of foodcritic 134 | 135 | ``` 136 | ± bundle exec rake foodcritic 137 | Running Foodcritic tests... 138 | done. 139 | 140 | ± echo $? 141 | 0 142 | ``` 143 | 144 | ### Puppet - Puppet-Lint 145 | 146 | [Puppet-Lint](http://puppet-lint.com) is a special linter for puppet modules. The rake task is configured to fail on `any` violation. 147 | 148 | ``` 149 | ± bundle exec rake -T |grep puppet-lint 150 | rake lint # Run puppet-lint / Check puppet manifests with puppet-lint 151 | rake run_all_linters # Run all linters: rubocop and puppet-lint 152 | ``` 153 | 154 | We disabled some checks from puppet-lint 155 | 156 | ``` 157 | ± grep Lint Rakefile 158 | PuppetLint.configuration.send('disable_autoloader_layout') 159 | PuppetLint.configuration.send('disable_80chars') 160 | PuppetLint.configuration.send('disable_inherits_across_namespaces') 161 | PuppetLint.configuration.fail_on_warnings = true 162 | PuppetLint.configuration.ignore_paths = ['vendor/**/*.pp'] 163 | ``` 164 | 165 | If everything is well the exit code is 0, and no further output is displayed: 166 | 167 | ``` 168 | ± bundle exec rake lint 169 | ± echo $? 170 | 0 171 | ``` 172 | 173 | If there is an error or a warning you get some output and an exit code <> 0 174 | ``` 175 | ± bundle exec rake lint 176 | manifests/init.pp - WARNING: double quoted string containing no variables on line 10 177 | rake aborted! 178 | 179 | /.../.rvm/gems/ruby-2.1.1/gems/puppet-lint-0.3.2/lib/puppet-lint/tasks/puppet-lint.rb:25:in `block (2 levels) in initialize' 180 | /.../.rvm/gems/ruby-2.1.1/gems/puppet-lint-0.3.2/lib/puppet-lint/tasks/puppet-lint.rb:13:in `block in initialize' 181 | /.../.rvm/gems/ruby-2.1.1/bin/ruby_executable_hooks:15:in `eval' 182 | /.../.rvm/gems/ruby-2.1.1/bin/ruby_executable_hooks:15:in `
' 183 | Tasks: TOP => lint 184 | (See full trace by running task with --trace) 185 | 186 | ± echo $? 187 | 1 188 | ``` 189 | -------------------------------------------------------------------------------- /docs/contrib/prepare-commit-msg.hook: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Auto sign all commits to allow them to be used by the Hardening Framework project. 3 | # see https://github.com/hardening-io/docs/blob/master/docs/how-to-contribute.md#sign-your-work 4 | # 5 | GH_USER=$(git config --get github.user) 6 | SOB=$(git var GIT_AUTHOR_IDENT | sed -n "s/^\(.*>\).*$/HardeningFramework-DCO-1.1-Signed-off-by: \1 \(github: $GH_USER\)/p") 7 | grep -qs "^$SOB" "$1" || { 8 | echo 9 | echo "$SOB" 10 | } >> "$1" -------------------------------------------------------------------------------- /docs/faq.md: -------------------------------------------------------------------------------- 1 | # Frequently asked questions 2 | 3 | ### Is it possible to use the toolkit without internet connection 4 | 5 | Yes, it is possible to use the hardening scripts on computers without internet connection. You need to ensure two specific things: 6 | 7 | * Configured package repository access (eg. RedHat Satellite) 8 | * Manual installation of chef or puppet 9 | 10 | To run the scripts via chef without internet and chef server, do the following. 11 | 12 | 1. Download the chef package for your operating system. 13 | 14 | ```bash 15 | wget https://opscode-omnibus-packages.s3.amazonaws.com/ubuntu/13.04/x86_64/chef_11.12.8-2_amd64.deb 16 | ``` 17 | 18 | Transfer the the package and the cookbooks on your servers and start the run: 19 | 20 | ```bash 21 | echo "---> Install Chef" 22 | dpkg -i chef_11.12.8-2_amd64.deb 23 | 24 | echo "---> Start chef run in local mode" 25 | # runs chef client in local mode 26 | chef-client -z -o yourcookbook 27 | ``` 28 | 29 | More information about about chef in local mode is available at [getchef.com](http://www.getchef.com/blog/2013/10/31/chef-client-z-from-zero-to-chef-in-8-5-seconds/) 30 | 31 | ### How do I configure LDAP authentication with ssh-hardening 32 | 33 | Configure the `ssh-cookbook` with `use-pam: true`. This enables the PAM authentication via ssh. In addition you need to configure [PAM properly to work with LDAP](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Directory_Servers.html#s2-ldap-pam). The configuration of PAM for LDAP is not covered by `os-hardening` or `ssh-hardening`. -------------------------------------------------------------------------------- /docs/index.md: -------------------------------------------------------------------------------- 1 | # Automatic server hardening 2 | 3 | Server hardening is a well-known topic with many guides out in the wild. Why this project? 4 | 5 | At Deutsche Telekom we need to manage thousands of servers for customers and ourselves. All servers need to be configured properly and maintained, which is difficult and time-consuming to get right. 6 | 7 | To answer these needs for security, compliance, and maintainability, we decided to launch this project as a common ground for requirements and their fulfillment. 8 | 9 | ## Vision / Goal 10 | 11 | Our goal is simple: Create a common layer for hardening operating systems and services easily and without interference. Even if you aren't knee-deep in configuration manuals for services or the latest security recommendations, you will be able to implement and use this framework with ease. 12 | 13 | ## Scope 14 | 15 | Since we use Chef and Puppet to automate our deployments, we decided to put them to work for system hardening. The hardening project is currently limited to Chef and Puppet, though extensions to other automation frameworks are welcome! 16 | 17 | **What is part of hardening?** 18 | 19 | * **Attack surface reduction**: Use service configurations to remove all those components, that are often activated for legacy compatibility or simplified setups. Some default configurations these days already cover good security practices. We take a step further and make sure to deactivate all application modules, which aren't usually required. This baseline changes over time. We keep track of these developments and integrate them with this project. 20 | 21 | * **Secure configuration**: It's easy enough to find a guide in a 2 minute search which will tell you to "Set this to 0 and everything will work". Without investigation, it's difficult to know what implications a few configuration lines may carry. Moreover, even a simple starting configuration can quickly make it into a production setup. To avoid these easy mistakes, we make the configuration explicit and default to a secure baseline. Many settings aren't changeable and some will yield errors and warnings with this framework. 22 | 23 | * **Core components**: Anything from the basic operating system to well known databases and web servers is part of this project. We want these common building blocks to be at their optimal configuration and avoid repeated mistakes. 24 | 25 | **What is NOT part of hardening?** 26 | 27 | * **Patch management**: We track changes and will update every piece of this project to work with current and older supported versions of operating systems and applications. However, we cannot safely automate all aspects of patch management. Nevertheless, you can easily integrate hardening into your patch management lifecycle. 28 | 29 | * **Minor components**: It's easy to set up a configuration for a service at some point of time and make it secure. It's much more difficult to maintain it over time and support it. We will focus on wide-spread services and components and support them with your and our feedback. 30 | 31 | * **Complex configurations**: This includes: Firewall configurations, web-application firewalls, AppArmor profiles or SELinux configurations, amongst others. These are incredibly important to have in your environment, however, their configuration is too dependent on specific setups to abstracted properly. We decided to focus on those components, that are able to take a generalized into their configuration. For everything else, feel free to get in touch with us. 32 | 33 | ## Lifecycle 34 | 35 | Let's take a quick look at the full lifecycle for servers and services and see where hardening fits in. 36 | 37 | ### Installation of OS 38 | 39 | We recommend to install operating systems from trusted sources. This could be an operating system vendor or a trusted third party. In virtualized environments like OpenStack, the secure generation of base images is part of our daily activity. We have automated the building of RedHat, CentOS and Oracle Linux based instances. 40 | 41 | * [packer-rhel](https://github.com/TelekomLabs/packer-rhel) 42 | 43 | ### Hardening 44 | 45 | We provide multiple cookbooks for chef and modules for puppet to cover this area. We use best-known guides like [Deutsche Telekom (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si), [BetterCrypto](https://bettercrypto.org/) and the [NSA hardening guide](http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf). For more details look into the respective `test-` repository. Checks are implemented following these guides. 46 | 47 | 48 | ### Continuous management 49 | 50 | This area includes tasks like patch management, attack monitoring, and fixing known vulnerabilities. None of these areas are covered in this hardening project. 51 | 52 | #### Patch management 53 | 54 | It is the heart of keeping your systems secure once everything is in place. So why not patch automatically on every run? We have considered this option for our hardening components but ultimately decided against it: Patches generally aren't a trivial thing to do. Even if you reduce it to security updates only, there may still be regressions which have to be weighted against benefits. Set up a patch management system of your choice. 55 | 56 | #### Attack monitoring 57 | 58 | Hardening includes a small section of compliance monitoring. Every time an attacker changes a core system configuration, you can gain insights into this through hardening. Since all of our components are tested independently, you can potentially use these tests to validate the compliance of your configuration. However, we recommend against putting too much weight on the results you get. The tests created here are written to verify hardening instructions. Attackers may still find ways to modify files in a way that gets around these checks (example: if we check `main.cfg` only, but attacker writes to `main.cfg.d/my.cfg`). Use HIDS, auditing, and monitoring systems to manage these risks. 59 | 60 | #### Vulnerability fixes 61 | 62 | A remainder of vulnerabilities may still remain after successful patch management. There are vulnerabilities that need mitigation before proper vendor fixes are released. We won't cover such vulnerabilities in this project. Many settings, however, are meant to reduce the attack surface and thus directly contribute to reducing the risks from unpatched vulnerabilities. -------------------------------------------------------------------------------- /docs/license-headers.md: -------------------------------------------------------------------------------- 1 | ## Ruby 2 | ```ruby 3 | # encoding: utf-8 4 | # 5 | # Copyright 2014, Hardening Framework Team 6 | # 7 | # Licensed under the Apache License, Version 2.0 (the "License"); 8 | # you may not use this file except in compliance with the License. 9 | # You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, software 14 | # distributed under the License is distributed on an "AS IS" BASIS, 15 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | # See the License for the specific language governing permissions and 17 | # limitations under the License. 18 | # 19 | ``` 20 | 21 | ## JavaScript 22 | ```javascript 23 | /* Copyright 2014 Hardening Framework Team 24 | * 25 | * Licensed under the Apache License, Version 2.0 (the "License"); 26 | * you may not use this file except in compliance with the License. 27 | * You may obtain a copy of the License at 28 | * 29 | * http://www.apache.org/licenses/LICENSE-2.0 30 | * 31 | * Unless required by applicable law or agreed to in writing, software 32 | * distributed under the License is distributed on an "AS IS" BASIS, 33 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 34 | * See the License for the specific language governing permissions and 35 | * limitations under the License. 36 | */ 37 | ``` 38 | 39 | ## Python 40 | 41 | ```python 42 | # Copyright 2014 Hardening Framework Team 43 | # 44 | # Licensed under the Apache License, Version 2.0 (the "License"); 45 | # you may not use this file except in compliance with the License. 46 | # You may obtain a copy of the License at 47 | # 48 | # http://www.apache.org/licenses/LICENSE-2.0 49 | # 50 | # Unless required by applicable law or agreed to in writing, software 51 | # distributed under the License is distributed on an "AS IS" BASIS, 52 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 53 | # See the License for the specific language governing permissions and 54 | # limitations under the License. 55 | ``` 56 | 57 | ## HTML 58 | 59 | ```html 60 | 75 | ``` -------------------------------------------------------------------------------- /docs/principles.md: -------------------------------------------------------------------------------- 1 | # Principles 2 | 3 | This section records decisions for all defaults and options we set. -------------------------------------------------------------------------------- /docs/puppet.md: -------------------------------------------------------------------------------- 1 | # Puppet overview 2 | 3 | The following modules are part of the hardening framework: 4 | 5 | Base Operating System 6 | 7 | * [puppet-os-hardening](https://github.com/hardening-io/puppet-os-hardening) 8 | * [puppet-ssh-hardening](https://github.com/hardening-io/puppet-ssh-hardening) 9 | 10 | Database 11 | 12 | * [puppet-mysql-hardening](https://github.com/hardening-io/puppet-mysql-hardening) 13 | * [puppet-postgres-hardening](https://github.com/hardening-io/puppet-postgres-hardening) 14 | 15 | Web Server 16 | 17 | * [puppet-nginx-hardening](https://github.com/hardening-io/puppet-nginx-hardening) 18 | * [puppet-apache-hardening](https://github.com/hardening-io/puppet-apache-hardening) 19 | 20 | Example 21 | 22 | * [example-puppet-hardening](https://github.com/hardening-io/example-puppet-hardening) 23 | 24 | ## Publishing Puppet Modules 25 | 26 | Simple enough: If you have your `Modulefile` and `metadata.json` ready, just run: 27 | 28 | cd puppet-xxx-hardening/ 29 | puppet module build . 30 | 31 | Results are in pkg. 32 | 33 | The two files may not get merged correctly, so please diff: 34 | 35 | colordiff metadata.json pkg/puppet-*-hardening/metadata.json 36 | -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- 1 | site_name: Hardening Framework 2 | site_description: DevOps and Security 3 | theme: readthedocs 4 | docs_dir: docs 5 | repo_url: https://github.com/hardening-io/docs 6 | pages: 7 | 8 | # Introduction 9 | - ['index.md', 'Introduction'] 10 | 11 | # Coding 12 | - ['coding/contributing.md', 'Coding', 'Contributing'] 13 | - ['coding/linting.md', 'Coding', 'Linting'] 14 | - ['coding/headers.md', 'Coding', 'File headers'] 15 | 16 | # Principles 17 | - ['principles.md', 'Principles'] 18 | 19 | # Chef 20 | - ['chef.md', 'Chef'] 21 | 22 | # Puppet 23 | - ['puppet.md', 'Puppet'] 24 | 25 | # Faq 26 | - ['faq.md', 'FAQ'] --------------------------------------------------------------------------------