diff --git a/attributes/default.rb b/attributes/default.rb
index 7c6004be..1de49d6a 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -21,8 +21,6 @@ # rubocop:disable Metrics/BlockLength
-default['config_disclaimer'] = '**Note:** This file was automatically created by dev-sec.io os-hardening configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
-
 default['os-hardening'].tap do |os_hardening| # components of this cookbook %w[packages limits login_defs minimize_access pam profile securetty].each do |cp|
diff --git a/templates/default/filesystem_blacklisting.erb b/templates/default/filesystem_blacklisting.erb
index eae3f360..275c1bf7 100644
--- a/templates/default/filesystem_blacklisting.erb
+++ b/templates/default/filesystem_blacklisting.erb
@@ -1,8 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
 #
-#--
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 <% @filesystems.each do |fs| %> install <%= fs %> /bin/true
diff --git a/templates/default/limits.conf.erb b/templates/default/limits.conf.erb
index d5947f10..8cae05ed 100644
--- a/templates/default/limits.conf.erb
+++ b/templates/default/limits.conf.erb
@@ -1,8 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#
-#--
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 # Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information. * hard core 0
diff --git a/templates/default/login.defs.erb b/templates/default/login.defs.erb
index 6b6e6337..a022f13c 100644
--- a/templates/default/login.defs.erb
+++ b/templates/default/login.defs.erb
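Review bot: Removing `default['config_disclaimer']` in attributes/default.rb is silent for any consumer that still reads it, because the old template idiom `node['config_disclaimer'].to_s.split("\n")` turns a missing attribute into an empty header instead of a converge error. This diff converts nine templates, but a template not shown here, or a wrapper cookbook that overrides the attribute, would (if one exists) lose its "managed by automation" notice without anyone noticing. I would search the cookbook for remaining `config_disclaimer` references before merging and record the removal in the changelog as a breaking attribute change.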
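Review bot: The new header in templates/default/filesystem_blacklisting.erb (and the same lines in the other templates of this commit) no longer says which cookbook owns the file, which the removed disclaimer did, so an operator who finds an unexpected setting in a hardening-managed file has to work out its source. Interpolating `node['fqdn']` also makes each rendered file differ per host, so one known-good checksum per file can no longer be used for fleet-wide integrity comparison. Ohai can also leave `fqdn` nil on hosts whose name does not resolve, which renders "for " with nothing after it. Consider a static line such as `# This file is managed by Chef (os-hardening cookbook)`, or at least `<%= node['fqdn'] || node['hostname'] %>`.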
@@ -1,7 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 # Configuration control definitions for the login package. #
diff --git a/templates/default/modules.erb b/templates/default/modules.erb
index 871975c0..726f794d 100644
--- a/templates/default/modules.erb
+++ b/templates/default/modules.erb
@@ -1,7 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 # This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored. #
diff --git a/templates/default/profile.conf.erb b/templates/default/profile.conf.erb
index 2227f2d6..ecd2a30a 100644
--- a/templates/default/profile.conf.erb
+++ b/templates/default/profile.conf.erb
@@ -1,7 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 # Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default. ulimit -S -c 0 > /dev/null 2>&1
diff --git a/templates/default/rhel_libuser.conf.erb b/templates/default/rhel_libuser.conf.erb
index 9cdf424c..3c0cdf45 100644
--- a/templates/default/rhel_libuser.conf.erb
+++ b/templates/default/rhel_libuser.conf.erb
@@ -1,7 +1,8 @@
-# See libuser.conf(5) for more information.
-
-# Do not modify the default module list if you care about unattended calls
-# to programs (i.e., scripts) working!
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 [import] # Data from these files is used when libuser.conf does not define a value.
@@ -85,4 +86,4 @@ LU_GROUPNAME = %n # in a particular domain. The default (all applications, all domains) is # probably correct for most installations. # appname = imap
-# domain = EXAMPLE.COM
\ No newline at end of file
+# domain = EXAMPLE.COM
diff --git a/templates/default/rhel_selinuxconfig.erb b/templates/default/rhel_selinuxconfig.erb
index ac8bfe2e..57d66235 100644
--- a/templates/default/rhel_selinuxconfig.erb
+++ b/templates/default/rhel_selinuxconfig.erb
@@ -1,6 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values:
diff --git a/templates/default/rhel_sysconfig_init.erb b/templates/default/rhel_sysconfig_init.erb
index d8324515..096f784f 100644
--- a/templates/default/rhel_sysconfig_init.erb
+++ b/templates/default/rhel_sysconfig_init.erb
@@ -1,13 +1,14 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 # color => new RH6.0 bootup # verbose => old-style bootup # anything else => new style bootup without ANSI colors or positioning BOOTUP=color
-# column to start "[ OK ]" label in
+# column to start "[ OK ]" label in
 RES_COL=60 # terminal sequence to move to that column. You could change this # to something like "tput hpa ${RES_COL}" if your terminal supports it
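Review bot: In templates/default/rhel_libuser.conf.erb the header replaces two upstream comments rather than being added above them: the pointer to libuser.conf(5) and the warning `# Do not modify the default module list if you care about unattended calls` / `# to programs (i.e., scripts) working!`. That warning presumably refers to settings further down the file, outside this hunk, and it remains useful to whoever edits the template. I would keep those comment lines directly under the new five-line header.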
diff --git a/templates/default/rhel_system_auth.erb b/templates/default/rhel_system_auth.erb
index bae0ee11..2653fb67 100644
--- a/templates/default/rhel_system_auth.erb
+++ b/templates/default/rhel_system_auth.erb
@@ -1,7 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 #%PAM-1.0 <% if node['os-hardening']['auth']['retries'] > 0 %>
diff --git a/templates/default/securetty.erb b/templates/default/securetty.erb
index b54827bc..de1924b4 100644
--- a/templates/default/securetty.erb
+++ b/templates/default/securetty.erb
@@ -1,7 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 # A list of TTYs, from which root can log in # see `man securetty` for reference