dev-sec · artem-sidorenko · Apr 10, 2019 · Apr 10, 2019
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -21,8 +21,6 @@
 
 # rubocop:disable Metrics/BlockLength
 
-default['config_disclaimer'] = '**Note:** This file was automatically created by dev-sec.io os-hardening configuration. If you use its automated setup, do not edit this file directly, but adjust the automation instead.'
-
 default['os-hardening'].tap do |os_hardening|
   # components of this cookbook
   %w[packages limits login_defs minimize_access pam profile securetty].each do |cp|

diff --git a/templates/default/filesystem_blacklisting.erb b/templates/default/filesystem_blacklisting.erb
@@ -1,8 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
 #
-#--
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 
 <% @filesystems.each do |fs| %>
 install <%= fs %> /bin/true

diff --git a/templates/default/limits.conf.erb b/templates/default/limits.conf.erb
@@ -1,8 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-# 
-#--
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 
 # Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information.
 * hard core 0
diff --git a/templates/default/login.defs.erb b/templates/default/login.defs.erb
@@ -1,7 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 
 # Configuration control definitions for the login package.
 #

diff --git a/templates/default/modules.erb b/templates/default/modules.erb
@@ -1,7 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 
 # This file contains the names of kernel modules that should be loaded at boot time, one per line. Lines beginning with "#" are ignored.
 #

diff --git a/templates/default/profile.conf.erb b/templates/default/profile.conf.erb
@@ -1,7 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 
 # Disable core dumps via soft limits for all users. Compliance to this setting is voluntary and can be modified by users up to a hard limit. This setting is a sane default.
 ulimit -S -c 0 > /dev/null 2>&1
diff --git a/templates/default/rhel_libuser.conf.erb b/templates/default/rhel_libuser.conf.erb
@@ -1,7 +1,8 @@
-# See libuser.conf(5) for more information.
-
-# Do not modify the default module list if you care about unattended calls
-# to programs (i.e., scripts) working!
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 
 [import]
 # Data from these files is used when libuser.conf does not define a value.
@@ -85,4 +86,4 @@ LU_GROUPNAME = %n
 # in a particular domain.  The default (all applications, all domains) is
 # probably correct for most installations.
 # appname = imap
-# domain = EXAMPLE.COM
+# domain = EXAMPLE.COM
diff --git a/templates/default/rhel_selinuxconfig.erb b/templates/default/rhel_selinuxconfig.erb
@@ -1,6 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 
 # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values:

diff --git a/templates/default/rhel_sysconfig_init.erb b/templates/default/rhel_sysconfig_init.erb
@@ -1,13 +1,14 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 
 # color => new RH6.0 bootup
 # verbose => old-style bootup
 # anything else => new style bootup without ANSI colors or positioning
 BOOTUP=color
-# column to start "[  OK  ]" label in 
+# column to start "[  OK  ]" label in
 RES_COL=60
 # terminal sequence to move to that column. You could change this
 # to something like "tput hpa ${RES_COL}" if your terminal supports it

diff --git a/templates/default/rhel_system_auth.erb b/templates/default/rhel_system_auth.erb
@@ -1,7 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 
 #%PAM-1.0
 <% if node['os-hardening']['auth']['retries'] > 0 %>

diff --git a/templates/default/securetty.erb b/templates/default/securetty.erb
@@ -1,7 +1,8 @@
-<% node['config_disclaimer'].to_s.split("\n").each do |l| %>
-# <%= l %>
-<% end %>
-#---
+#
+# This file is generated by Chef for <%= node['fqdn'] %>
+#
+# Local changes will be overwritten
+#
 
 # A list of TTYs, from which root can log in
 # see `man securetty` for reference