Merge pull request #12 from TelekomLabs/packages

* feature: remove some dangerous packages by default (option added to make it configurable)
* udpate readme with information of package removal and internals

README.md

@@ -4,6 +4,23 @@
 
 This cookbook provides numerous security-related configurations, providing all-round base protection.
 
+It configures:
+
+ * Configures package management e.g. allows only signed packages
+ * Remove packages with known issues
+ * Configures pam and pam_limits module
+ * Shadow password suite configuration
+ * Configures system path permissions
+ * Disable core dumps via soft limits
+ * Restrict Root Logins to System Console
+ * Set SUIDs
+ * Configures kernel parameters via sysctl
+
+It will not:
+
+ * Update system packages
+ * Install security patches
+
 ## Requirements
 
 * Opscode chef
@@ -61,7 +78,19 @@ Optional: you can use berkshelf to install dependencies.
   true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a whitelist or blacklist
 * `['security']['suid_sgid']['dry_run_on_unkown'] = false`
   like `remove_from_unknown`, only that changes aren't applied but only printed
+* `['security']['packages']['clean']  = true` 
+  removes packages with known issues. See section packages.
+
+## Packages
+
+We remove the following packages:
 
+ * xinetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
+ * inetd ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.1)
+ * tftp-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.5)
+ * ypserv ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.4)
+ * telnet-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.2)
+ * rsh-server ([NSA](http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf), Chapter 3.2.3)
 
 ## Usage
 

attributes/default.rb

@@ -77,6 +77,8 @@
 default[:security][:suid_sgid][:remove_from_unkown] = false
 default[:security][:suid_sgid][:dry_run_on_unkown]  = false
 
+# remove packages with known issues
+default[:security][:packages][:clean]               = true
 
 # SYSTEM CONFIGURATION
 # ====================

recipes/yum.rb

@@ -19,13 +19,6 @@
 
 include_recipe "yum"
 
-# remove unused repos
-%w{CentOS-Debuginfo CentOS-Media CentOS-Vault}.each do |repo|
-  yum_repository repo do
-    action :remove
-  end
-end
-
 # NSA chapter: NSA 2.1.2.3.3 
 # verify package signatures
 # search /etc/yum.conf gpgcheck=1
@@ -42,25 +35,20 @@
   action :run
 end
 
+if node[:security][:packages][:clean]
 
-# remove packages
-%w{yum-cron yum-updatesd erase xinetd inetd tftp-server ypserv telnet-server rsh-server}.each do |pkg|
-  yum_package pkg do
-    action :purge
+  # remove unused repos
+  %w{CentOS-Debuginfo CentOS-Media CentOS-Vault}.each do |repo|
+    yum_repository repo do
+      action :remove
+    end
   end
-end
 
-# updates the system
-# consider https://github.com/cookbooks/yum as replacement
-execute "yum-update" do
-  command "yum -y update"
-  ignore_failure true
-  action :run
-end
+  # remove packages
+  %w{xinetd inetd ypserv telnet-server rsh-server}.each do |pkg|
+    yum_package pkg do
+      action :purge
+    end
+  end
 
-execute "yum store installed packages" do
-  command "yum list installed >> ~/installed_$(date -d 'today' +'%Y%m%d%H%M').txt"
-  ignore_failure true
-  action :run
 end
-