Allow for disabling of the sticky world writable and auditd cron jobs (
…#72)

* README: fix typos

* services: trim trailing whitespace

* services: use modern facts

This also simplifies the sshd reload exec logic.

* allow for disabling the cron jobs

---------

Co-authored-by: Thomas Krieger <[email protected]>
kenyon and tom-krieger authored Dec 28, 2023
1 parent 517ca95 commit c6aa68d
Showing 6 changed files with 233 additions and 120 deletions.
25 changes: 17 additions & 8 deletions manifests/auditd_cron.pp
@@ -1,10 +1,13 @@
# @summary
# @summary
# Create a cron job to search privileged commands for auditd
#
# Auditd rules can monitor privileged command use. As filesystems cn be huge and searching
# the relevant commands can be time consuming this cron job will create a custom fact to
# provide the auditd rule with appriate imput.
#
# @param ensure
# Whether the cron job should be present or absent.
#
# @param dirs_to_include
# A list of directories to search
# @param start_time_minute
Expand All @@ -21,6 +24,7 @@
# @example
# include cis_security_hardening::auditd_cron
class cis_security_hardening::auditd_cron (
Enum['present', 'absent'] $ensure = 'present',
Array $dirs_to_include = ['/usr'],
Integer $start_time_minute = 37,
Integer $start_time_hour = 3,
Expand All @@ -30,27 +34,32 @@
) {
if ! empty($dirs_to_include) {
file { '/etc/cron.d/auditd_priv_commands.cron':
ensure => absent,
ensure => absent,
}

file { '/etc/cron.d/auditd_priv_commands':
ensure => file,
content => epp('cis_security_hardening/auditd_priv_cmds.cron.epp', {
ensure => stdlib::ensure($ensure, file),
content => epp("${module_name}/auditd_priv_cmds.cron.epp",
{
minute => $start_time_minute,
hour => $start_time_hour,
cron_repeat => $cron_repeat,
script => $script,
}),
},
),
owner => 'root',
group => 'root',
mode => '0644',
}

file { $script:
ensure => file,
content => epp('cis_security_hardening/auditd_priv_cmds.epp', {
ensure => stdlib::ensure($ensure, file),
content => epp("${module_name}/auditd_priv_cmds.epp",
{
output_file => $output_file,
dirs_to_include => $dirs_to_include,
}),
},
),
owner => 'root',
group => 'root',
mode => '0700',
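Review bot: With `$ensure = 'absent'` the cron entry and the script at `$script` are removed, but `$output_file` is never touched, so if the script writes the privileged-command list there (as the @summary suggests) a stale fact input stays on the node after the job is disabled; `manifests/sticky_world_writable_cron.pp` has the same gap with `$filename`. A guarded cleanup, `if $ensure == 'absent' { file { $output_file: ensure => absent, } }`, or a sentence in `@param ensure` stating that the data file is retained, would close it. The `if ! empty($dirs_to_include)` guard at the top of the body also means neither resource is managed when the list is empty, so `absent` cannot clean up files left from an earlier run in that configuration. The class body continues past the end of the hunk.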
22 changes: 16 additions & 6 deletions manifests/init.pp
@@ -1,8 +1,8 @@
# @summary
# @summary
# Security baseline enforcement
#
# Define a complete security baseline and monitor the rules. The definition of the baseline can be done in Hiera.
# The purpose of the module is to give the ability to setup complete security baseline which not necessarily have to stick
# Define a complete security baseline and monitor the rules. The definition of the baseline can be done in Hiera.
# The purpose of the module is to give the ability to setup complete security baseline which not necessarily have to stick
# to an industry security guide like the CIS benchmarks.
#
# The easiest way to use the module is to put all rule data into a hiera file. For more information please coinsult the README file.
Expand All @@ -24,15 +24,21 @@
# Directories to search for privileged commands to create auditd rules.
# @param time_until_reboot
# Time to wait until system is rebooted if required. Time in seconds. For `reboot` the `puppetlabs-reboot` module is used. Please obey
# the follwing comment from this module: POSIX systems (with the exception of Solaris) only support
# specifying the timeout as minutes. As such, the value of timeout must be a multiple of 60. Other values will be rounded up to the
# the follwing comment from this module: POSIX systems (with the exception of Solaris) only support
# specifying the timeout as minutes. As such, the value of timeout must be a multiple of 60. Other values will be rounded up to the
# nearest minute and a warning will be issued.
# @param auto_reboot
# Reboot when necessary after `time_until_reboot` is exeeded
# @param verbose_logging
# Print various info messages
# @param remove_authconfig
# remove yuthconfig package on Redhat 7 or similar OSes
# remove authconfig package on Redhat 7 or similar OSes
#
# @param enable_sticky_world_writable_cron
# Whether to enable the sticky world writable cron job.
#
# @param enable_auditd_cron
# Whether to enable the auditd cron job.
#
# @example
# include cis_security_hardening
Expand All @@ -47,6 +53,8 @@
Boolean $auto_reboot = true,
Boolean $verbose_logging = false,
Boolean $remove_authconfig = false,
Boolean $enable_sticky_world_writable_cron = true,
Boolean $enable_auditd_cron = true,
) {
contain cis_security_hardening::reboot
contain cis_security_hardening::services
Expand All @@ -64,12 +72,14 @@
}

class { 'cis_security_hardening::sticky_world_writable_cron':
ensure => stdlib::ensure($enable_sticky_world_writable_cron),
dirs_to_exclude => $exclude_dirs_sticky_ww,
filename => "${base_dir}/data/world-writable-files.txt",
script => "${base_dir}/bin/sticy-world-writable.sh",
}

class { 'cis_security_hardening::auditd_cron':
ensure => stdlib::ensure($enable_auditd_cron),
dirs_to_include => $auditd_dirs_to_include,
output_file => "${base_dir}/data/auditd_priv_cmds.txt",
script => "${base_dir}/bin/auditd_priv_cmds.sh",
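Review bot: The new `@param enable_sticky_world_writable_cron` and `@param enable_auditd_cron` text says only "whether to enable", while `stdlib::ensure(false)` yields `absent` and so actively removes an already deployed cron entry and script rather than merely leaving it unmanaged; that is worth stating because both jobs feed CIS checks. Suggested wording: `# Whether to enable the sticky world writable cron job. When false the cron entry and its script are removed from the node.` and the analogous sentence for the auditd job. The two new entries are also separated by blank `#` lines, unlike the `@param` entries directly above them, so the header would read more consistently without them.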
27 changes: 17 additions & 10 deletions manifests/sticky_world_writable_cron.pp
@@ -1,7 +1,8 @@
# @summary
# Create cron job for searching world writable dir3ctories with sticky bit
# @summary
# Create a cron job for the search for world writable directories with sticky bit set.
#
# Create a cron ob for the search for world writable directories with sticky bit set.
# @param ensure
# Whether the cron job should be present or absent.
#
# @param dirs_to_exclude
# Array of directories to exclude from search.
Expand All @@ -15,16 +16,19 @@
# @example
# include cis_security_hardening::sticky_world_writable_cron
class cis_security_hardening::sticky_world_writable_cron (
Enum['present', 'absent'] $ensure = 'present',
Array $dirs_to_exclude = [],
Stdlib::Absolutepath $filename = '/usr/share/cis_security_hardening/data/world-writable-files.txt',
Stdlib::Absolutepath $script = '/usr/share/cis_security_hardening/bin/sticy-world-writable.sh',
) {
file { $script:
ensure => file,
content => epp('cis_security_hardening/sticky-world-writeable.epp', {
ensure => stdlib::ensure($ensure, file),
content => epp("${module_name}/sticky-world-writeable.epp",
{
filename => $filename,
dirs_to_exclude => $dirs_to_exclude,
}),
},
),
owner => 'root',
group => 'root',
mode => '0700',
Expand All @@ -33,14 +37,17 @@
$min = fqdn_rand(60, 'ah ue65^b gdf^zrbzcê2zf^b w')

file { '/etc/cron.d/sticky-world-writebale.cron':
ensure => absent,
ensure => absent,
}

file { '/etc/cron.d/sticky-world-writebale':
ensure => file,
content => epp('cis_security_hardening/sticky-world-writeable.cron.epp', {
ensure => stdlib::ensure($ensure, file),
content => epp("${module_name}/sticky-world-writeable.cron.epp",
{
min => $min,
script => $script,
}),
},
),
owner => 'root',
group => 'root',
mode => '0644',
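Review bot: The `@param ensure` documentation at the top of the file describes only the cron job, while `$ensure` now also drives the `file { $script: ... }` resource a few lines below it; `# Whether the cron job and its helper script should be present or absent.` covers both, and the same applies to `manifests/auditd_cron.pp`. No spec exercising `ensure => 'absent'` for this class is visible in the commit (auditd_cron_spec.rb gained such a context; the sixth changed file is not loaded here), so the absent path of this class may be untested.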
108 changes: 75 additions & 33 deletions spec/classes/auditd_cron_spec.rb
Expand Up @@ -6,41 +6,83 @@
on_supported_os.each do |os, os_facts|
context "on #{os}" do
let(:facts) { os_facts }
let(:params) do
{
'dirs_to_include' => ['/usr'],
'start_time_minute' => 40,
'start_time_hour' => 4,
'cron_repeat' => '2',
'output_file' => '/usr/share/cis_security_hardening/data/auditd_priv_cmds.txt',
'script' => '/usr/share/cis_security_hardening/bin/auditd_priv_cmds.sh',
}

context 'using defaults' do
let(:params) do
{
'dirs_to_include' => ['/usr'],
'start_time_minute' => 40,
'start_time_hour' => 4,
'cron_repeat' => '2',
'output_file' => '/usr/share/cis_security_hardening/data/auditd_priv_cmds.txt',
'script' => '/usr/share/cis_security_hardening/bin/auditd_priv_cmds.sh',
}
end

it do
is_expected.to compile.with_all_deps

is_expected.to contain_file('/etc/cron.d/auditd_priv_commands.cron')
.with(
'ensure' => 'absent',
)

is_expected.to contain_file('/etc/cron.d/auditd_priv_commands')
.with(
'ensure' => 'file',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
)

is_expected.to contain_file('/usr/share/cis_security_hardening/bin/auditd_priv_cmds.sh')
.with(
'ensure' => 'file',
'owner' => 'root',
'group' => 'root',
'mode' => '0700',
)
end
end

it {
is_expected.to compile

is_expected.to contain_file('/etc/cron.d/auditd_priv_commands.cron')
.with(
'ensure' => 'absent',
)

is_expected.to contain_file('/etc/cron.d/auditd_priv_commands')
.with(
'ensure' => 'file',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
)

is_expected.to contain_file('/usr/share/cis_security_hardening/bin/auditd_priv_cmds.sh')
.with(
'ensure' => 'file',
'owner' => 'root',
'group' => 'root',
'mode' => '0700',
)
}
context 'absent' do
let(:params) do
{
'ensure' => 'absent',
'dirs_to_include' => ['/usr'],
'start_time_minute' => 40,
'start_time_hour' => 4,
'cron_repeat' => '2',
'output_file' => '/usr/share/cis_security_hardening/data/auditd_priv_cmds.txt',
'script' => '/usr/share/cis_security_hardening/bin/auditd_priv_cmds.sh',
}
end

it do
is_expected.to compile.with_all_deps

is_expected.to contain_file('/etc/cron.d/auditd_priv_commands.cron')
.with(
'ensure' => 'absent',
)

is_expected.to contain_file('/etc/cron.d/auditd_priv_commands')
.with(
'ensure' => 'absent',
'owner' => 'root',
'group' => 'root',
'mode' => '0644',
)

is_expected.to contain_file('/usr/share/cis_security_hardening/bin/auditd_priv_cmds.sh')
.with(
'ensure' => 'absent',
'owner' => 'root',
'group' => 'root',
'mode' => '0700',
)
end
end
end
end
end
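Review bot: The `absent` context repeats all six parameters of the `using defaults` context with one extra key, which will drift as soon as a parameter is added to one of them. Keeping a single `let(:params)` at the `context "on #{os}"` level, as before the change, and overriding only in the nested context with `let(:params) { super().merge('ensure' => 'absent') }` removes the duplication. In that context the `owner`/`group`/`mode` expectations on files that are `absent` still pass against the catalog but say little about the behaviour under test; asserting `'ensure' => 'absent'` alone would make the intent of the case clearer.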
76 changes: 41 additions & 35 deletions spec/classes/cis_security_hardening_spec.rb
Expand Up @@ -9,43 +9,49 @@
postrun_options.each do |postrun|
context "on #{os} with postrun = #{postrun}" do
let(:facts) { os_facts }
let(:params) do
{
'level' => '2',
'update_postrun_command' => postrun,
}
end

it {
os_vers = if os_facts[:os]['name'].casecmp('ubuntu').zero?
os_facts[:os]['release']['major'].split("/\./")
else
os_facts[:os]['release']['major']
end

key = "cis_security_hardening::benchmark::#{os_facts[:os]['name']}::#{os_vers}"
# is_expected.to compile
is_expected.to compile.with_all_deps
is_expected.to contain_class('cis_security_hardening::services')
is_expected.to contain_class('cis_security_hardening::config')
is_expected.to contain_class('cis_security_hardening::auditd_cron')

unless os_facts[:os]['name'].casecmp('ubuntu').zero? ||
os_facts[:os]['name'].casecmp('debian').zero? ||
os_facts[:os]['name'].casecmp('centos').zero? ||
os_facts[:os]['name'].casecmp('redhat').zero? ||
os_facts[:os]['name'].casecmp('almalinux').zero? ||
os_facts[:os]['name'].casecmp('rocky').zero? ||
os_facts[:os]['name'].casecmp('sles').zero?

is_expected.to contain_echo('no bundles')
.with(
'message' => "No bundles found, enforcing nothing. (key = #{key})",
'loglevel' => 'warning',
'withpath' => false,
)
context 'using defaults' do
let(:params) do
{
'level' => '2',
'update_postrun_command' => postrun,
}
end
}

it do
os_vers = if os_facts[:os]['name'].casecmp('ubuntu').zero?
os_facts[:os]['release']['major'].split("/\./")
else
os_facts[:os]['release']['major']
end

key = "cis_security_hardening::benchmark::#{os_facts[:os]['name']}::#{os_vers}"
# is_expected.to compile
is_expected.to compile.with_all_deps
is_expected.to contain_class('cis_security_hardening::services')
is_expected.to contain_class('cis_security_hardening::config')
is_expected.to contain_class('cis_security_hardening::auditd_cron')

unless os_facts[:os]['name'].casecmp('ubuntu').zero? ||
os_facts[:os]['name'].casecmp('debian').zero? ||
os_facts[:os]['name'].casecmp('centos').zero? ||
os_facts[:os]['name'].casecmp('redhat').zero? ||
os_facts[:os]['name'].casecmp('almalinux').zero? ||
os_facts[:os]['name'].casecmp('rocky').zero? ||
os_facts[:os]['name'].casecmp('sles').zero?

is_expected.to contain_echo('no bundles')
.with(
'message' => "No bundles found, enforcing nothing. (key = #{key})",
'loglevel' => 'warning',
'withpath' => false,
)
end
end
end

context 'with cron jobs absent' do
end
end
end
end
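Review bot: The new `context 'with cron jobs absent' do` near the end of the section is empty — it has no `let(:params)` and no example — so the `enable_sticky_world_writable_cron` and `enable_auditd_cron` parameters added to `init.pp` in this commit are not exercised from the top-level class. The context should set both flags to `false` and assert that the two cron files are absent; the exact nesting of the closing `end`s is hard to read from the rendered view, so the context must stay inside the block that defines `postrun` and `os_facts`.
```ruby
context 'with cron jobs absent' do
  let(:params) do
    {
      'level' => '2',
      'update_postrun_command' => postrun,
      'enable_sticky_world_writable_cron' => false,
      'enable_auditd_cron' => false,
    }
  end

  it do
    is_expected.to compile.with_all_deps
    is_expected.to contain_file('/etc/cron.d/sticky-world-writebale').with('ensure' => 'absent')
    is_expected.to contain_file('/etc/cron.d/auditd_priv_commands').with('ensure' => 'absent')
  end
end
```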

