diff --git a/.kitchen.do.local.yml b/.kitchen.do.local.yml
index 28800f4b..4d6c4a5e 100644
--- a/.kitchen.do.local.yml
+++ b/.kitchen.do.local.yml
@@ -4,6 +4,7 @@ driver:
 name: digitalocean
 size: 512mb
+ region: nyc3
 transport:
 ssh_key: '~/.ssh/ci_id_rsa'
diff --git a/.rubocop.yml b/.rubocop.yml
index e173ce2b..319cef7f 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -4,6 +4,7 @@ AllCops:
 Exclude:
 - vendor/**/*
 - test/**/*
+ TargetRubyVersion: 2.1 # we need this because of chef 12.5.1 support
 Metrics/AbcSize:
 Max: 29
 Metrics/LineLength:
@@ -13,13 +14,13 @@ Metrics/MethodLength:
 Max: 40
 Style/Documentation:
 Enabled: false
-Style/DotPosition:
+Layout/DotPosition:
 EnforcedStyle: trailing
 Enabled: true
 Style/Encoding:
 EnforcedStyle: always
 Enabled: true
-Style/ExtraSpacing:
+Layout/ExtraSpacing:
 Exclude:
 - attributes/default.rb
 Style/HashSyntax:
@@ -30,6 +31,11 @@ Style/NumericLiterals:
 MinDigits: 10
 Style/RegexpLiteral:
 AllowInnerSlashes: true
-Style/SpaceAroundOperators:
+Layout/SpaceAroundOperators:
 Exclude:
 - attributes/default.rb
+Metrics/BlockLength:
+ Exclude:
+ - 'spec/**/*'
+Style/FrozenStringLiteralComment:
+ Enabled: false
diff --git a/.travis.yml b/.travis.yml
index 6815c51f..2b5d9f17 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -5,7 +5,7 @@ bundler_args: "--without development"
 dist: trusty
 cache: bundler
-rvm: 2.3.3
+rvm: 2.4.1
 before_install:
 - gem update --system # see https://github.com/bundler/bundler/issues/5357
diff --git a/Gemfile b/Gemfile
index d2b676f2..465c54ea 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,21 +2,21 @@ source 'https://rubygems.org'
-gem 'berkshelf', '~> 5.3'
-gem 'chef', '~> 12.5'
+gem 'berkshelf', '~> 6.1'
+gem 'chef', '~> 12.5' # chefspec builds get stucked with 13.1
 group :test do
- gem 'chefspec', '~> 5.3.0'
+ gem 'chefspec', '~> 7.1.0'
 gem 'coveralls', require: false
- gem 'foodcritic', '~> 6.0'
+ gem 'foodcritic', '~> 11.1'
 gem 'rake'
- gem 'rubocop', '~> 0.46.0'
+ gem 'rubocop', '~> 0.49.0'
 gem 'simplecov', '~> 0.10'
 end
 group :development do
 gem 'guard'
- gem 'guard-foodcritic', '~>2.1'
+ gem 'guard-foodcritic', '~> 3.0'
 gem 'guard-rspec'
 gem 'guard-rubocop'
 end
@@ -29,5 +29,5 @@ group :integration do
 end
 group :tools do
- gem 'github_changelog_generator', '~> 1.12.0'
+ gem 'github_changelog_generator', '~> 1.14'
 end
diff --git a/Rakefile b/Rakefile
index 2106c3c2..3a0592a6 100644
--- a/Rakefile
+++ b/Rakefile
@@ -1,6 +1,7 @@
-#!/usr/bin/env rake
 # encoding: utf-8
+# rubocop:disable Style/SymbolArray
+
 require 'foodcritic'
 require 'rspec/core/rake_task'
 require 'rubocop/rake_task'
diff --git a/attributes/default.rb b/attributes/default.rb
index cb5225b5..92245429 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name:: os-hardening
 # Attributes:: default
@@ -76,7 +77,7 @@
 default['os-hardening']['auth']['pam']['passwdqc']['options'] = 'min=disabled,disabled,16,12,8'
 default['os-hardening']['auth']['pam']['cracklib']['options'] = 'try_first_pass retry=3 type='
 default['os-hardening']['auth']['pam']['pwquality']['options'] = 'try_first_pass retry=3 type='
-default['os-hardening']['auth']['root_ttys'] = %w(console tty1 tty2 tty3 tty4 tty5 tty6)
+default['os-hardening']['auth']['root_ttys'] = %w[console tty1 tty2 tty3 tty4 tty5 tty6]
 default['os-hardening']['auth']['uid_min'] = 1000
 default['os-hardening']['auth']['gid_min'] = 1000
 default['os-hardening']['auth']['sys_uid_min'] = 100
diff --git a/attributes/sysctl.rb b/attributes/sysctl.rb
index 1f43fbac..19120f7f 100644
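Review bot: `# rubocop:disable Style/SymbolArray` on the Rakefile's second line has no matching `# rubocop:enable`, so it silences the cop for the entire file rather than for the symbol-array literals it is presumably meant to cover. The same commit already tunes cops in `.rubocop.yml` (`Metrics/BlockLength` excludes, `Style/FrozenStringLiteralComment: Enabled: false`), so a per-file exclusion there, `Style/SymbolArray:` / `  Exclude:` / `    - Rakefile`, would keep all lint policy in one place and leave the Rakefile free of magic comments. The literals the disable guards are outside the hunk, so I cannot tell whether a one-line `%i[...]` rewrite would have been the simpler fix.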
--- a/attributes/sysctl.rb
+++ b/attributes/sysctl.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name:: os-hardening
 # Attributes:: sysctl
diff --git a/libraries/apt_package_extras.rb b/libraries/apt_package_extras.rb
index 1368ffde..711be659 100644
--- a/libraries/apt_package_extras.rb
+++ b/libraries/apt_package_extras.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name:: os-hardening
 # Library:: apt_package_extras
diff --git a/libraries/cookbook_version.rb b/libraries/cookbook_version.rb
index 0ce64e30..54d127eb 100644
--- a/libraries/cookbook_version.rb
+++ b/libraries/cookbook_version.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name:: os-hardening
 # Library:: cookbook_version
diff --git a/libraries/gpgcheck.rb b/libraries/gpgcheck.rb
index f8043f8c..2ead3115 100644
--- a/libraries/gpgcheck.rb
+++ b/libraries/gpgcheck.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name:: os-hardening
 # Library:: gpgcheck
diff --git a/libraries/suid_sgid.rb b/libraries/suid_sgid.rb
index 55e342eb..c46de772 100644
--- a/libraries/suid_sgid.rb
+++ b/libraries/suid_sgid.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name:: os-hardening
 # Library:: suid_sgid
@@ -54,10 +55,10 @@ def self.remove_suid_sgid_from_blacklist(blacklist)
 end
 def self.remove_suid_sgid_from_unknown(whitelist = [], root = '/', dry_run = false)
- all_suid_sgid_files = find_all_suid_sgid_files(root).select do |file|
+ all_suid_sgid_files = find_all_suid_sgid_files(root).reject do |file|
 in_whitelist = whitelist.include?(file)
 Chef::Log.info "suid_sgid: Whitelisted file '#{file}', not altering SUID/SGID bit" if in_whitelist && !dry_run
- !in_whitelist
+ in_whitelist
 end
 all_suid_sgid_files.each do |file|
diff --git a/metadata.rb b/metadata.rb
index 256425aa..0e3f1828 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8 # ~FC061
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #
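Review bot: `whitelist.include?(file)` inside the `reject` block of `remove_suid_sgid_from_unknown` is a linear scan run once per SUID/SGID file found under `root`, so with the default `Array` whitelist the filter is O(files × whitelist); converting once before the loop, `whitelist = whitelist.to_set` (with `require 'set'` on the Ruby 2.1 target this repo lints for), keeps the result identical and makes each lookup constant-time. Separately, the info log for a whitelisted file is suppressed when `dry_run` is true (`if in_whitelist && !dry_run`), which is exactly the mode where an operator wants to see what would be left untouched; dropping the `&& !dry_run` guard would make dry runs informative. The method body continues past the hunk, so how `dry_run` gates the `each` loop below is not visible here.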
@@ -18,11 +19,13 @@
 name 'os-hardening'
 maintainer 'Dominik Richter'
 maintainer_email 'dominik.richter@googlemail.com'
-license 'Apache 2.0'
+license 'Apache-2.0'
 description 'Installs and configures operating system hardening'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version '2.0.1'
+chef_version '>= 12.5' if respond_to?(:chef_version)
+
 supports 'ubuntu', '>= 12.04'
 supports 'debian', '>= 6.0'
 supports 'centos', '>= 5.0'
diff --git a/recipes/apt.rb b/recipes/apt.rb
index f5efb5de..9c8ae4e7 100644
--- a/recipes/apt.rb
+++ b/recipes/apt.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: apt.rb
diff --git a/recipes/auditd.rb b/recipes/auditd.rb
index 7ddf91cf..34cfe29b 100644
--- a/recipes/auditd.rb
+++ b/recipes/auditd.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: auditd.rb
diff --git a/recipes/default.rb b/recipes/default.rb
index 699a998d..f9eb7cfa 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: default
diff --git a/recipes/limits.rb b/recipes/limits.rb
index 6beacd04..a067e824 100644
--- a/recipes/limits.rb
+++ b/recipes/limits.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: limits.rb
diff --git a/recipes/login_defs.rb b/recipes/login_defs.rb
index 0c230265..50a1ddef 100644
--- a/recipes/login_defs.rb
+++ b/recipes/login_defs.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: login_defs.rb
diff --git a/recipes/minimize_access.rb b/recipes/minimize_access.rb
index 2c092ab3..0bcae23e 100644
--- a/recipes/minimize_access.rb
+++ b/recipes/minimize_access.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: minimize_access
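Review bot: `chef_version '>= 12.5'` has no upper bound, so the cookbook advertises compatibility with Chef 13 and later while the Gemfile in this same commit pins `gem 'chef', '~> 12.5'` and notes that chefspec builds get stuck on 13.1, i.e. Chef 13 is declared supported but never exercised in CI. Either bound the declaration to what is tested, `chef_version '>= 12.5', '< 13' if respond_to?(:chef_version)`, or add a Chef 13 entry to `.travis.yml` so the constraint is backed by a passing build. The `respond_to?` guard itself is the right idiom for keeping `metadata.rb` loadable on Chef releases that predate the `chef_version` keyword.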
@@ -20,7 +21,7 @@
 # remove write permissions from path folders ($PATH) for all regular users
 # this prevents changing any system-wide command from normal users
-paths = %w(/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin) + node['os-hardening']['env']['extra_user_paths']
+paths = %w[/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin] + node['os-hardening']['env']['extra_user_paths']
 paths.each do |folder|
 execute "remove write permission from #{folder}" do
 command "chmod go-w -R #{folder}"
diff --git a/recipes/packages.rb b/recipes/packages.rb
index 5f0ed5c6..9190d2d8 100644
--- a/recipes/packages.rb
+++ b/recipes/packages.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: packages.rb
diff --git a/recipes/pam.rb b/recipes/pam.rb
index 2e01fe43..b88b674d 100644
--- a/recipes/pam.rb
+++ b/recipes/pam.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: pam.rb
diff --git a/recipes/profile.rb b/recipes/profile.rb
index 61fd2238..56dad7ed 100644
--- a/recipes/profile.rb
+++ b/recipes/profile.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: profile.rb
diff --git a/recipes/securetty.rb b/recipes/securetty.rb
index a270556e..ed7bb417 100644
--- a/recipes/securetty.rb
+++ b/recipes/securetty.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: securetty
diff --git a/recipes/suid_sgid.rb b/recipes/suid_sgid.rb
index afe87d7b..088d2229 100644
--- a/recipes/suid_sgid.rb
+++ b/recipes/suid_sgid.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: suid_sgid
diff --git a/recipes/sysctl.rb b/recipes/sysctl.rb
index e22f5203..a83320ee 100644
--- a/recipes/sysctl.rb
+++ b/recipes/sysctl.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: sysctl
diff --git a/recipes/yum.rb b/recipes/yum.rb
index 242a6997..b4732e9d 100644
--- a/recipes/yum.rb
+++ b/recipes/yum.rb
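Review bot: `command "chmod go-w -R #{folder}"` hands each entry of `node['os-hardening']['env']['extra_user_paths']` to a shell unquoted, so a path containing whitespace or shell metacharacters is word-split or interpreted instead of being treated as one argument; the interpolation in the resource name one line up is harmless, but the command should be an argv array, `command ['chmod', 'go-w', '-R', folder]`, which `execute` runs without a shell. The `execute` block's guards and `end` are outside the hunk, so whether a `not_if`/`only_if` limits when the recursive chmod runs is not visible here; the `default_spec` hunk further down stubs `find #{folder} -perm -go+w -type f | wc -l | egrep '^0$'`, which suggests a guard of that shape exists. The `%w(...)` to `%w[...]` change itself is purely cosmetic.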
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Cookbook Name: os-hardening
 # Recipe: pack_yum.rb
@@ -42,7 +43,7 @@
 if node['os-hardening']['security']['packages']['clean']
 # remove unused repos
- %w(CentOS-Debuginfo CentOS-Media CentOS-Vault).each do |repo|
+ %w[CentOS-Debuginfo CentOS-Media CentOS-Vault].each do |repo|
 yum_repository repo do
 action :remove
 end
diff --git a/spec/recipes/auditd_spec.rb b/spec/recipes/auditd_spec.rb
index e60e90fc..6fc873f1 100644
--- a/spec/recipes/auditd_spec.rb
+++ b/spec/recipes/auditd_spec.rb
@@ -1,4 +1,5 @@
 # encoding: UTF-8
+
 #
 # Copyright 2017, Artem Sidorenko
 #
diff --git a/spec/recipes/default_spec.rb b/spec/recipes/default_spec.rb
index 9f4a4390..627a4cf3 100644
--- a/spec/recipes/default_spec.rb
+++ b/spec/recipes/default_spec.rb
@@ -1,4 +1,5 @@
 # encoding: UTF-8
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #
@@ -26,9 +27,9 @@
 node.normal['cpu']['0']['vendor_id'] = 'GenuineIntel'
 node.normal['env']['extra_user_paths'] = []
- paths = %w(
+ paths = %w[
 /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin
- ) + node['env']['extra_user_paths']
+ ] + node['env']['extra_user_paths']
 paths.each do |folder|
 stub_command(
 "find #{folder} -perm -go+w -type f | wc -l | egrep '^0$'"
diff --git a/spec/recipes/limits_spec.rb b/spec/recipes/limits_spec.rb
index a2f5fb32..eb3a09df 100644
--- a/spec/recipes/limits_spec.rb
+++ b/spec/recipes/limits_spec.rb
@@ -1,4 +1,5 @@
 # encoding: UTF-8
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #
diff --git a/spec/recipes/login_defs_spec.rb b/spec/recipes/login_defs_spec.rb
index 5362a30a..1fe7d37c 100644
--- a/spec/recipes/login_defs_spec.rb
+++ b/spec/recipes/login_defs_spec.rb
@@ -1,4 +1,5 @@
 # encoding: UTF-8
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #
diff --git a/spec/recipes/minimize_access_spec.rb b/spec/recipes/minimize_access_spec.rb
index 742a7449..261f8230 100644
--- a/spec/recipes/minimize_access_spec.rb
+++ b/spec/recipes/minimize_access_spec.rb
@@ -1,4 +1,5 @@
 # encoding: UTF-8
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #
diff --git a/spec/recipes/pam_spec.rb b/spec/recipes/pam_spec.rb
index 5c8e2776..2a7f23f4 100644
--- a/spec/recipes/pam_spec.rb
+++ b/spec/recipes/pam_spec.rb
@@ -1,4 +1,5 @@
 # encoding: UTF-8
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #
diff --git a/spec/recipes/profile_spec.rb b/spec/recipes/profile_spec.rb
index 0c61a255..40360431 100644
--- a/spec/recipes/profile_spec.rb
+++ b/spec/recipes/profile_spec.rb
@@ -1,4 +1,5 @@
 # encoding: UTF-8
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #
diff --git a/spec/recipes/securetty_spec.rb b/spec/recipes/securetty_spec.rb
index 4a925046..bc67b07d 100644
--- a/spec/recipes/securetty_spec.rb
+++ b/spec/recipes/securetty_spec.rb
@@ -1,4 +1,5 @@
 # encoding: UTF-8
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #
diff --git a/spec/recipes/suid_sgid_spec.rb b/spec/recipes/suid_sgid_spec.rb
index 14485c2b..ac5962fd 100644
--- a/spec/recipes/suid_sgid_spec.rb
+++ b/spec/recipes/suid_sgid_spec.rb
@@ -1,4 +1,5 @@
 # encoding: UTF-8
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #
diff --git a/spec/recipes/sysctl_spec.rb b/spec/recipes/sysctl_spec.rb
index 71d6adfd..65055de5 100644
--- a/spec/recipes/sysctl_spec.rb
+++ b/spec/recipes/sysctl_spec.rb
@@ -1,4 +1,5 @@
 # encoding: UTF-8
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 606fb11f..d7d790a2 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 #
 # Copyright 2014, Deutsche Telekom AG
 #