Merge "Remove systemd.source prefix from logs tag"
diff --git a/README.rst b/README.rst
index 598b638..e9a9e15 100644
--- a/README.rst
+++ b/README.rst
@@ -70,6 +70,30 @@
             home: '/home/elizabeth'
             password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
 
+Configure password expiration parameters
+----------------------------------------
+The following login.defs parameters can be overridden per-user:
+
+* PASS_MAX_DAYS
+* PASS_MIN_DAYS
+* PASS_WARN_DAYS
+* INACTIVE
+
+.. code-block:: yaml
+
+    linux:
+      system:
+        ...
+        user:
+          jdoe:
+            name: 'jdoe'
+            enabled: true
+            ...
+            maxdays: <PASS_MAX_DAYS>
+            mindays: <PASS_MIN_DAYS>
+            warndays: <PASS_WARN_DAYS>
+            inactdays: <INACTIVE>
+
 Configure sudo for users and groups under ``/etc/sudoers.d/``.
 This ways ``linux.system.sudo`` pillar map to actual sudo attributes:
 
diff --git a/linux/system/kernel.sls b/linux/system/kernel.sls
index e6111c5..3dc3046 100644
--- a/linux/system/kernel.sls
+++ b/linux/system/kernel.sls
@@ -8,10 +8,10 @@
 {%- do kernel_boot_opts.append('elevator=' ~ system.kernel.elevator) if system.kernel.elevator is defined %}
 {%- do kernel_boot_opts.extend(system.kernel.boot_options) if system.kernel.boot_options is defined %}
 
-{%- if kernel_boot_opts %}
 include:
   - linux.system.grub
 
+{%- if kernel_boot_opts %}
 /etc/default/grub.d/99-custom-settings.cfg:
   file.managed:
     - contents: 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT {{ kernel_boot_opts|join(' ') }}"'
diff --git a/linux/system/user.sls b/linux/system/user.sls
index 7a0c98b..89d2cbb 100644
--- a/linux/system/user.sls
+++ b/linux/system/user.sls
@@ -50,6 +50,18 @@
   {%- if user.uid is defined and user.uid %}
   - uid: {{ user.uid }}
   {%- endif %}
+  {%- if user.maxdays is defined %}
+  - maxdays: {{ user.maxdays }}
+  {%- endif %}
+  {%- if user.mindays is defined %}
+  - mindays: {{ user.mindays }}
+  {%- endif %}
+  {%- if user.warndays is defined %}
+  - warndays: {{ user.warndays }}
+  {%- endif %}
+  {%- if user.inactdays is defined %}
+  - inactdays: {{ user.inactdays }}
+  {%- endif %}
   - require: {{ requires|yaml }}
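Review bot: The four new guards only test `is defined`, so a pillar entry such as `maxdays: null` (or a bare `maxdays:`) renders as `- maxdays: None`, which Salt would pass to user.present as the string "None" rather than skipping the argument, and the state is likely to fail. The existing `uid` guard above adds a truthiness test, but copying that would wrongly drop a legitimate `mindays: 0`. `{%- if user.maxdays is defined and user.maxdays is not none %}` (and the same for mindays, warndays and inactdays) keeps zero while skipping null. The enclosing user state starts before this hunk.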
 
 system_user_home_{{ user.home }}:
diff --git a/metadata/service/system/cis/cis-5-4-1-1.yml b/metadata/service/system/cis/cis-5-4-1-1.yml
new file mode 100644
index 0000000..8b82466
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-1-1.yml
@@ -0,0 +1,52 @@
+# CIS 5.4.1.1 Ensure password expiration is 90 days or less (Scored)
+#
+# Description
+# ===========
+# The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to
+# force passwords to expire once they reach a defined age. It is recommended
+# that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days.
+#
+# Rationale
+# =========
+# The window of opportunity for an attacker to leverage compromised credentials
+# or successfully compromise credentials via an online brute force attack is
+# limited by the age of the password. Therefore, reducing the maximum age of a
+# password also reduces an attacker's window of opportunity.
+#
+# Audit
+# =====
+# Run the following command and verify PASS_MAX_DAYS is 90 or less:
+#
+#   # grep PASS_MAX_DAYS /etc/login.defs
+#   PASS_MAX_DAYS 90
+#
+# Verify all users with a password have their maximum days between password
+# change set to 90 or less:
+#
+#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+#   <list of users>
+#   # chage --list <user>
+#   Maximum number of days between password change: 90
+#
+# Remediation
+# ===========
+# Set the PASS_MAX_DAYS parameter to 90 in /etc/login.defs :
+#
+#   PASS_MAX_DAYS 90
+#
+# Modify user parameters for all users with a password set to match:
+#
+#   # chage --maxdays 90 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 5th field
+# should be 90 or less for all users with a password.
+#
+parameters:
+  linux:
+    system:
+      login_defs:
+        PASS_MAX_DAYS:
+          value: 90
+
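Review bot: The `login_defs.PASS_MAX_DAYS` value only changes the default applied to newly created accounts (assuming a state renders this map into /etc/login.defs, which is not visible here), while the Audit and Remediation text in this same file also require `chage --maxdays 90` on every existing user with a password, and nothing in this commit's metadata sets the per-user `maxdays` key that linux/system/user.sls now honours. Either the user state should fall back to the `login_defs` default for existing accounts, or the header comment should state that the existing-account part of the control is left to the operator, e.g. `# NOTE: this sets the login.defs default only; existing accounts need the per-user maxdays pillar key`. The same gap applies to cis-5-4-1-2, cis-5-4-1-3 and cis-5-4-1-4. Each of these new files also ends with an extra blank line, which yamllint's empty-lines check flags.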
diff --git a/metadata/service/system/cis/cis-5-4-1-2.yml b/metadata/service/system/cis/cis-5-4-1-2.yml
new file mode 100644
index 0000000..50543ca
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-1-2.yml
@@ -0,0 +1,52 @@
+# CIS 5.4.1.2 Ensure minimum days between password changes is 7 or more (Scored)
+#
+# Description
+# ===========
+# The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to
+# prevent users from changing their password until a minimum number of days
+# have passed since the last time the user changed their password. It is
+# recommended that PASS_MIN_DAYS parameter be set to 7 or more days.
+#
+# Rationale
+# =========
+# By restricting the frequency of password changes, an administrator can
+# prevent users from repeatedly changing their password in an attempt to
+# circumvent password reuse controls.
+#
+# Audit
+# =====
+# Run the following command and verify PASS_MIN_DAYS is 7 or more:
+#
+#   # grep PASS_MIN_DAYS /etc/login.defs
+#   PASS_MIN_DAYS 7
+#
+# Verify all users with a password have their minimum days between password
+# change set to 7 or more:
+#
+#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+#   <list of users>
+#   # chage --list <user>
+#   Minimum number of days between password change: 7
+#
+# Remediation
+# ===========
+# Set the PASS_MIN_DAYS parameter to 7 in /etc/login.defs :
+#
+#   PASS_MIN_DAYS 7
+#
+# Modify user parameters for all users with a password set to match:
+#
+#   # chage --mindays 7 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 5th field
+# should be 7 or more for all users with a password.
+#
+parameters:
+  linux:
+    system:
+      login_defs:
+        PASS_MIN_DAYS:
+          value: 7
+
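Review bot: The Notes section points at the wrong /etc/shadow field: the minimum age lives in the 4th field (login, password, last change, min, max, warn, inactive, expire), not the 5th, which is the maximum age already covered by cis-5-4-1-1. The comment should read `# You can also check this setting in /etc/shadow directly. The 4th field` followed by `# should be 7 or more for all users with a password.`; as written, an auditor following these notes would inspect the max-age column instead.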
diff --git a/metadata/service/system/cis/cis-5-4-1-3.yml b/metadata/service/system/cis/cis-5-4-1-3.yml
new file mode 100644
index 0000000..3567f2a
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-1-3.yml
@@ -0,0 +1,52 @@
+# CIS 5.4.1.3 Ensure password expiration warning days is 7 or more (Scored)
+#
+# Description
+# ===========
+# The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to
+# notify users that their password will expire in a defined number of days.
+# It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days.
+#
+# Rationale
+# =========
+# Providing an advance warning that a password will be expiring gives users
+# time to think of a secure password. Users caught unaware may choose a simple
+# password or write it down where it may be discovered.
+#
+# Audit
+# =====
+# Run the following command and verify PASS_WARN_AGE is 7 or more:
+#
+#   # grep PASS_WARN_AGE /etc/login.defs
+#   PASS_WARN_AGE 7
+#
+# Verify all users with a password have their number of days of warning before
+# password expires set to 7 or more:
+#
+#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+#   <list of users>
+#   # chage --list <user>
+#   Number of days of warning before password expires: 7
+#
+# Remediation
+# ===========
+#
+# Set the PASS_WARN_AGE parameter to 7 in /etc/login.defs :
+#
+#   PASS_WARN_AGE 7
+#
+# Modify user parameters for all users with a password set to match:
+#
+#   # chage --warndays 7 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 6th field
+# should be 7 or more for all users with a password.
+#
+parameters:
+  linux:
+    system:
+      login_defs:
+        PASS_WARN_AGE:
+          value: 7
+
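Review bot: The parameter name here disagrees with the README hunk in this commit: this file correctly uses `PASS_WARN_AGE`, the actual login.defs key, while the README lists `PASS_WARN_DAYS`, which shadow-utils does not recognise, so an operator following the README would override a key that has no effect. The README bullet should be `* PASS_WARN_AGE`. Separately, the Remediation heading is followed by a stray empty comment line (`# ===========` then `#`) unlike the sibling files; dropping it keeps the five headers uniform.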
diff --git a/metadata/service/system/cis/cis-5-4-1-4.yml b/metadata/service/system/cis/cis-5-4-1-4.yml
new file mode 100644
index 0000000..97a86af
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-1-4.yml
@@ -0,0 +1,51 @@
+# CIS 5.4.1.4 Ensure inactive password lock is 30 days or less (Scored)
+#
+# Description
+# ===========
+# User accounts that have been inactive for over a given period of time can be
+# automatically disabled. It is recommended that accounts that are inactive
+# for 30 days after password expiration be disabled.
+#
+# Rationale
+# =========
+# Inactive accounts pose a threat to system security since the users are not
+# logging in to notice failed login attempts or other anomalies.
+#
+# Audit
+# =====
+# Run the following command and verify INACTIVE is 30 or less:
+#
+#   # useradd -D | grep INACTIVE
+#   INACTIVE=30
+#
+# Verify all users with a password have Password inactive no more than 30 days
+# after password expires:
+#
+#   # egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1
+#   <list of users>
+#   # chage --list <user>
+#   Password inactive: <date>
+#
+# Remediation
+# ===========
+# Run the following command to set the default password inactivity period to
+# 30 days:
+#
+#   # useradd -D -f 30
+#
+# Modify user parameters for all users with a password set to match:
+#
+#   # chage --inactive 30 <user>
+#
+# Notes
+# =====
+# You can also check this setting in /etc/shadow directly. The 7th field
+# should be 30 or less for all users with a password.
+#
+parameters:
+  linux:
+    system:
+      login_defs:
+        INACTIVE:
+          value: 30
+
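Review bot: `INACTIVE` is filed under `login_defs`, but to my knowledge it is not a /etc/login.defs setting; as this file's own Audit and Remediation text show, it lives in /etc/default/useradd and is read and written via `useradd -D`. If a state renders the `login_defs` map into /etc/login.defs, an `INACTIVE 30` line there would be silently ignored and the control would not take effect. Unless the consuming state special-cases this key (not visible here), the value belongs in a separate pillar path for /etc/default/useradd, and the README bullet `* INACTIVE` under "login.defs parameters" should be corrected in the same way.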
diff --git a/metadata/service/system/cis/cis-5-4-4.yml b/metadata/service/system/cis/cis-5-4-4.yml
new file mode 100644
index 0000000..639babc
--- /dev/null
+++ b/metadata/service/system/cis/cis-5-4-4.yml
@@ -0,0 +1,57 @@
+# CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
+#
+# Description
+# ===========
+# The default umask determines the permissions of files created by users.
+# The user creating the file has the discretion of making their files and
+# directories readable by others via the chmod command. Users who wish to
+# allow their files and directories to be readable by others by default may
+# choose a different default umask by inserting the umask command into the
+# standard shell configuration files ( .profile , .bashrc , etc.) in their
+# home directories.
+#
+# Rationale
+# =========
+# Setting a very secure default value for umask ensures that users make a
+# conscious choice about their file permissions. A default umask setting of
+# 077 causes files and directories created by users to not be readable by
+# any other user on the system. A umask of 027 would make files and
+# directories readable by users in the same Unix group, while a umask of 022
+# would make files readable by every user on the system.
+#
+# Audit
+# =====
+# Run the following commands and verify all umask lines returned are 027 or
+# more restrictive.
+#
+#   # grep "^umask" /etc/bash.bashrc
+#   umask 027
+#   # grep "^umask" /etc/profile
+#   umask 027
+#
+# Remediation
+# ===========
+# Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files
+# for any other shell supported on your system) and add or edit any umask
+# parameters as follows:
+#
+#   umask 027
+#
+# Notes
+# =====
+# The audit and remediation in this recommendation apply to bash and shell.
+# If other shells are supported on the system, it is recommended that their
+# configuration files also are checked.
+#
+# Other methods of setting a default user umask exist however the shell
+# configuration files are the last run and will override other settings if
+# they exist therefore our recommendation is to configure in the shell
+# configuration files. If other methods are in use in your environment they
+# should be audited and the shell configs should be verified to not override.
+#
+parameters:
+  linux:
+    system:
+      shell:
+        umask: "027"
+
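Review bot: The quoted `"027"` is the right choice and deserves a comment so that a future cleanup does not unquote it: a bare `027` is read as an integer by YAML loaders (23 under YAML 1.1 octal rules, 27 under 1.2) and would be written into the shell profile as a wrong umask, e.g. `# quoted on purpose: a bare 027 is parsed as an integer, not the octal mode`. Note also that this file uses a flat `umask: "027"` while the four sibling files use a `<PARAM>: value:` sub-mapping; if one renderer consumes both subtrees that difference should be deliberate.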
diff --git a/metadata/service/system/cis/init.yml b/metadata/service/system/cis/init.yml
index 5f27e22..26b7642 100644
--- a/metadata/service/system/cis/init.yml
+++ b/metadata/service/system/cis/init.yml
@@ -31,6 +31,11 @@
 - service.linux.system.cis.cis-3-5-2
 - service.linux.system.cis.cis-3-5-3
 - service.linux.system.cis.cis-3-5-4
+- service.linux.system.cis.cis-5-4-1-1
+- service.linux.system.cis.cis-5-4-1-2
+- service.linux.system.cis.cis-5-4-1-3
+- service.linux.system.cis.cis-5-4-1-4
+- service.linux.system.cis.cis-5-4-4
 - service.linux.system.cis.cis-6-1-2
 - service.linux.system.cis.cis-6-1-3
 - service.linux.system.cis.cis-6-1-4
diff --git a/tests/pillar/system.sls b/tests/pillar/system.sls
index 2973677..43fc65c 100644
--- a/tests/pillar/system.sls
+++ b/tests/pillar/system.sls
@@ -128,6 +128,7 @@
         enabled: true
         home: /root
         name: root
+        maxdays: 365
       testuser:
         enabled: true
         name: testuser
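Review bot: The test pillar exercises only `maxdays`; the `mindays`, `warndays` and `inactdays` branches introduced in linux/system/user.sls are rendered by no test, so a templating error in any of those three would go unnoticed. Adding `mindays: 7`, `warndays: 7` and `inactdays: 30` to the same root entry would cover them. The testuser entry continues past the end of the hunk.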