Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Moving the attributes with dependencies on other attributes to the recipes #150

Merged
merged 7 commits into from Mar 29, 2017
Merged

Moving the attributes with dependencies on other attributes to the recipes #150

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
19f03c1
IP Forwarding: handle dependent attrs properly
artem-sidorenko Mar 23, 2017
379eb9d
IPv6 state: handle dependent attrs properly
artem-sidorenko Mar 28, 2017
82df0a0
ARP restrictions: handle dependent attrs properly
artem-sidorenko Mar 28, 2017
bfa50d1
Module loading: handle dependent attrs properly
artem-sidorenko Mar 28, 2017
2cf94fe
Magic Sysrq: handle dependent attrs properly
artem-sidorenko Mar 28, 2017
8ea782c
Core dumps: handle dependent attrs properly
artem-sidorenko Mar 28, 2017
09054ee
Set the suid_dumpable to the safe value of 2
artem-sidorenko Mar 28, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
87 changes: 0 additions & 87 deletions attributes/sysctl.rb
View file
Open in desktop
Expand Up @@ -17,12 +17,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.

# Only enable IP traffic forwarding, if required.
default['sysctl']['params']['net']['ipv4']['ip_forward'] =
node['os-hardening']['network']['forwarding'] ? 1 : 0
default['sysctl']['params']['net']['ipv6']['conf']['all']['forwarding'] =
node['os-hardening']['network']['ipv6']['enable'] && node['os-hardening']['network']['forwarding'] ? 1 : 0

# Enable RFC-recommended source validation feature. It should not be used for
# routers on complex networks, but is helpful for end hosts and routers serving
# small networks.
Expand All @@ -44,56 +38,9 @@
# time exceed, param problem, timestamp reply, information reply
default['sysctl']['params']['net']['ipv4']['icmp_ratemask'] = 88089

# Disable or Enable IPv6 as it is needed.
default['sysctl']['params']['net']['ipv6']['conf']['all']['disable_ipv6'] =
node['os-hardening']['network']['ipv6']['enable'] ? 0 : 1

# Protect against wrapping sequence numbers at gigabit speeds:
default['sysctl']['params']['net']['ipv4']['tcp_timestamps'] = 0

# arp_announce - INTEGER
# Define different restriction levels for announcing the local source IP
# address from IP packets in ARP requests sent on interface:
#
# * **0** - (default) Use any local address, configured on any interface
# * **1** - Try to avoid local addresses that are not in the target's subnet
# for this interface. This mode is useful when target hosts reachable
# via this interface require the source IP address in ARP requests to
# be part of their logical network configured on the receiving
# interface. When we generate the request we will check all our
# subnets that include the target IP and will preserve the source
# address if it is from such subnet. If there is no such subnet we
# select source address according to the rules for level 2.
# * **2** - Always use the best local address for this target. In this mode
# we ignore the source address in the IP packet and try to select
# local address that we prefer for talks with the target host. Such
# local address is selected by looking for primary IP addresses on
# all our subnets on the outgoing interface that include the target
# IP address. If no suitable local address is found we select the
# first local address we have on the outgoing interface or on all
# other interfaces, with the hope we will receive reply for our
# request and even sometimes no matter the source IP address we
# announce.
#
default['sysctl']['params']['net']['ipv4']['conf']['all']['arp_ignore'] =
node['os-hardening']['network']['arp']['restricted'] ? 1 : 0

# Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:
#
# * **0** - (default): reply for any local target IP address, configured on
# any interface
# * **1** - reply only if the target IP address is local address configured
# on the incoming interface
# * **2** - reply only if the target IP address is local address configured
# on the incoming interface and both with the sender's IP address are
# part from same subnet on this interface
# * **3** - do not reply for local addresses configured with scope host, only
# resolutions for global and link addresses are replied
# * **4-7** - reserved
# * **8** - do not reply for all local addresses
default['sysctl']['params']['net']['ipv4']['conf']['all']['arp_announce'] =
node['os-hardening']['network']['arp']['restricted'] ? 2 : 0

# RFC 1337 fix F1
default['sysctl']['params']['net']['ipv4']['tcp_rfc1337'] = 1

Expand Down Expand Up @@ -143,40 +90,6 @@
default['sysctl']['params']['net']['ipv6']['conf']['all']['accept_ra'] = 0
default['sysctl']['params']['net']['ipv6']['conf']['default']['accept_ra'] = 0

# System
# ------

# This settings controls how the kernel behaves towards module changes at
# runtime. Setting to 1 will disable module loading at runtime.
# Setting it to 0 is actually never supported.
unless node['os-hardening']['security']['kernel']['enable_module_loading']
default['sysctl']['params']['kernel']['modules_disabled'] = 1
end

# Magic Sysrq should be disabled, but can also be set to a safe value if so
# desired for physical machines. It can allow a safe reboot if the system hangs
# and is a 'cleaner' alternative to hitting the reset button.
# The following values are permitted:
#
# * **0** - disable sysrq
# * **1** - enable sysrq completely
# * **>1** - bitmask of enabled sysrq functions:
# * **2** - control of console logging level
# * **4** - control of keyboard (SAK, unraw)
# * **8** - debugging dumps of processes etc.
# * **16** - sync command
# * **32** - remount read-only
# * **64** - signalling of processes (term, kill, oom-kill)
# * **128** - reboot/poweroff
# * **256** - nicing of all RT tasks
default['sysctl']['params']['kernel']['sysrq'] =
node['os-hardening']['security']['kernel']['enable_sysrq'] ? node['os-hardening']['security']['kernel']['secure_sysrq'] : 0

# Prevent core dumps with SUID. These are usually only needed by developers and
# may contain sensitive information.
default['sysctl']['params']['fs']['suid_dumpable'] =
node['os-hardening']['security']['kernel']['enable_core_dump'] ? 1 : 0

# ExecShield protection against buffer overflows
# unless node['platform'] == "ubuntu" # ["nx"].include?(node['cpu'][0]['flags']) or
case node['platform_family']
Expand Down
88 changes: 88 additions & 0 deletions recipes/sysctl.rb
View file
Open in desktop
Expand Up @@ -19,6 +19,94 @@
# limitations under the License.
#

# default attributes
# We can not set this kind of defaults in the attribute files
# as we react on value of other attributes
# https://github.com/dev-sec/chef-ssh-hardening/issues/140#issuecomment-267779720

# Only enable IP traffic forwarding, if required.
node.default['sysctl']['params']['net']['ipv4']['ip_forward'] =
node['os-hardening']['network']['forwarding'] ? 1 : 0
node.default['sysctl']['params']['net']['ipv6']['conf']['all']['forwarding'] =
node['os-hardening']['network']['ipv6']['enable'] && node['os-hardening']['network']['forwarding'] ? 1 : 0

# Disable or Enable IPv6 as it is needed.
node.default['sysctl']['params']['net']['ipv6']['conf']['all']['disable_ipv6'] =
node['os-hardening']['network']['ipv6']['enable'] ? 0 : 1

# Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:
#
# * **0** - (default): reply for any local target IP address, configured on
# any interface
# * **1** - reply only if the target IP address is local address configured
# on the incoming interface
# * **2** - reply only if the target IP address is local address configured
# on the incoming interface and both with the sender's IP address are
# part from same subnet on this interface
# * **3** - do not reply for local addresses configured with scope host, only
# resolutions for global and link addresses are replied
# * **4-7** - reserved
# * **8** - do not reply for all local addresses
node.default['sysctl']['params']['net']['ipv4']['conf']['all']['arp_ignore'] =
node['os-hardening']['network']['arp']['restricted'] ? 1 : 0

# Define different restriction levels for announcing the local source IP
# address from IP packets in ARP requests sent on interface:
#
# * **0** - (default) Use any local address, configured on any interface
# * **1** - Try to avoid local addresses that are not in the target's subnet
# for this interface. This mode is useful when target hosts reachable
# via this interface require the source IP address in ARP requests to
# be part of their logical network configured on the receiving
# interface. When we generate the request we will check all our
# subnets that include the target IP and will preserve the source
# address if it is from such subnet. If there is no such subnet we
# select source address according to the rules for level 2.
# * **2** - Always use the best local address for this target. In this mode
# we ignore the source address in the IP packet and try to select
# local address that we prefer for talks with the target host. Such
# local address is selected by looking for primary IP addresses on
# all our subnets on the outgoing interface that include the target
# IP address. If no suitable local address is found we select the
# first local address we have on the outgoing interface or on all
# other interfaces, with the hope we will receive reply for our
# request and even sometimes no matter the source IP address we
# announce.
#
node.default['sysctl']['params']['net']['ipv4']['conf']['all']['arp_announce'] =
node['os-hardening']['network']['arp']['restricted'] ? 2 : 0

# This setting controls how the kernel behaves towards module changes at
# runtime. Setting to 1 will disable module loading at runtime.
# Setting it to 0 is actually never supported.
unless node['os-hardening']['security']['kernel']['enable_module_loading']
node.default['sysctl']['params']['kernel']['modules_disabled'] = 1
end

# Magic Sysrq should be disabled, but can also be set to a safe value if so
# desired for physical machines. It can allow a safe reboot if the system hangs
# and is a 'cleaner' alternative to hitting the reset button.
# The following values are permitted:
#
# * **0** - disable sysrq
# * **1** - enable sysrq completely
# * **>1** - bitmask of enabled sysrq functions:
# * **2** - control of console logging level
# * **4** - control of keyboard (SAK, unraw)
# * **8** - debugging dumps of processes etc.
# * **16** - sync command
# * **32** - remount read-only
# * **64** - signalling of processes (term, kill, oom-kill)
# * **128** - reboot/poweroff
# * **256** - nicing of all RT tasks
node.default['sysctl']['params']['kernel']['sysrq'] =
node['os-hardening']['security']['kernel']['enable_sysrq'] ? node['os-hardening']['security']['kernel']['secure_sysrq'] : 0

# Prevent core dumps with SUID. These are usually only needed by developers and
# may contain sensitive information.
node.default['sysctl']['params']['fs']['suid_dumpable'] =
node['os-hardening']['security']['kernel']['enable_core_dump'] ? 2 : 0

# include sysctl recipe and set /etc/sysctl.d/99-chef-attributes.conf
include_recipe 'sysctl::apply'

Expand Down