Merge "CIS compliance (/dev/shm mount options)"
diff --git a/.gitignore b/.gitignore
index aa8e42a..cc3ab8e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,8 @@
.kitchen
+.bundle
+bundle/
tests/build/
*.swp
*.pyc
.ropeproject
+Gemfile*
diff --git a/README.rst b/README.rst
index 50e1b13..e4accd7 100644
--- a/README.rst
+++ b/README.rst
@@ -1629,6 +1629,23 @@
export FTP_PROXY=ftp://127.0.3.3:2121
export NO_PROXY='.local'
+
+Configure login.defs parameters
+-------------------------------
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ login_defs:
+ <opt_name>:
+ enabled: true
+ value: <opt_value>
+
+<opt_name> is a configurational option defined in 'man login.defs'.
+<opt_name> is case sensitive, should be UPPERCASE only!
+
+
Linux with hosts
Parameter ``purge_hosts`` will enforce whole ``/etc/hosts file``,
diff --git a/linux/files/login.defs.jinja b/linux/files/login.defs.jinja
new file mode 100644
index 0000000..945d3cb
--- /dev/null
+++ b/linux/files/login.defs.jinja
@@ -0,0 +1,62 @@
+{%- from "linux/map.jinja" import login_defs with context -%}
+# This file is managed by Salt, do not edit
+{%- set allowed_options = [
+ 'CHFN_RESTRICT',
+ 'CONSOLE_GROUPS',
+ 'CREATE_HOME',
+ 'DEFAULT_HOME',
+ 'ENCRYPT_METHOD',
+ 'ENV_HZ',
+ 'ENV_PATH',
+ 'ENV_SUPATH',
+ 'ERASECHAR',
+ 'FAIL_DELAY',
+ 'FAKE_SHELL',
+ 'GID_MAX',
+ 'GID_MIN',
+ 'HUSHLOGIN_FILE',
+ 'KILLCHAR',
+ 'LOG_OK_LOGINS',
+ 'LOG_UNKFAIL_ENAB',
+ 'LOGIN_RETRIES',
+ 'LOGIN_TIMEOUT',
+ 'MAIL_DIR',
+ 'MAIL_FILE',
+ 'MAX_MEMBERS_PER_GROUP',
+ 'MD5_CRYPT_ENAB',
+ 'PASS_MAX_DAYS',
+ 'PASS_MIN_DAYS',
+ 'PASS_WARN_AGE',
+ 'SHA_CRYPT_MIN_ROUNDS',
+ 'SHA_CRYPT_MAX_ROUNDS',
+ 'SULOG_FILE',
+ 'SU_NAME',
+ 'SUB_GID_MIN',
+ 'SUB_GID_MAX',
+ 'SUB_GID_COUNT',
+ 'SUB_UID_MIN',
+ 'SUB_UID_MAX',
+ 'SUB_UID_COUNT',
+ 'SYS_GID_MAX',
+ 'SYS_GID_MIN',
+ 'SYS_UID_MAX',
+ 'SYS_UID_MIN',
+ 'SYSLOG_SG_ENAB',
+ 'SYSLOG_SU_ENAB',
+ 'TTYGROUP',
+ 'TTYPERM',
+ 'TTYTYPE_FILE',
+ 'UID_MAX',
+ 'UID_MIN',
+ 'UMASK',
+ 'USERDEL_CMD',
+ 'USEGROUPS_ENAB'
+] %}
+{%- for opt_name in allowed_options %}
+ {%- if opt_name in login_defs %}
+ {%- set opt_params = login_defs.get(opt_name) %}
+ {%- if opt_params.get('enabled', true) %}
+{{ opt_name.ljust(20) }} {{ opt_params.value }}
+ {%- endif %}
+ {%- endif %}
+{%- endfor %}
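Review bot: `'USEGROUPS_ENAB'` in `allowed_options` looks like a typo for `USERGROUPS_ENAB`, and the list also lacks `FAILLOG_ENAB` and `FTMP_FILE` — all three are set in the Debian defaults this commit adds to map.jinja, so the loop silently drops them and the rendered /etc/login.defs loses the user-private-group and failed-login-logging directives the distro file carried. Because unknown keys produce no output at all, a misspelled hardening option in pillar is also ignored without failing the state, which is the opposite of what a compliance template should do. Fix the spelling, add the two missing names, and consider logging or raising at render time for any key in `login_defs` that is not in `allowed_options` so a dropped option is visible (e.g. a `{%- for k in login_defs if k not in allowed_options %}` warning loop). The value is interpolated unescaped; that is pillar-controlled data, but a value containing a newline would inject extra directives into the file, so a one-line `| replace('\n', '')` or a note saying values must be single-line is worth adding.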
diff --git a/linux/map.jinja b/linux/map.jinja
index 52d0e70..4f8b5b7 100644
--- a/linux/map.jinja
+++ b/linux/map.jinja
@@ -140,6 +140,70 @@
},
}, grain='os_family', merge=salt['pillar.get']('linux:system:auth:ldap')) %}
+{%- load_yaml as login_defs_defaults %}
+Debian:
+ CHFN_RESTRICT:
+ value: 'rwh'
+ DEFAULT_HOME:
+ value: 'yes'
+ ENCRYPT_METHOD:
+ value: 'SHA512'
+ ENV_PATH:
+ value: 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games'
+ ENV_SUPATH:
+ value: 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
+ ERASECHAR:
+ value: '0177'
+ FAILLOG_ENAB:
+ value: 'yes'
+ FTMP_FILE:
+ value: '/var/log/btmp'
+ GID_MAX:
+ value: '60000'
+ GID_MIN:
+ value: '1000'
+ HUSHLOGIN_FILE:
+ value: '.hushlogin'
+ KILLCHAR:
+ value: '025'
+ LOGIN_RETRIES:
+ value: '5'
+ LOGIN_TIMEOUT:
+ value: '60'
+ LOG_OK_LOGINS:
+ value: 'no'
+ LOG_UNKFAIL_ENAB:
+ value: 'no'
+ MAIL_DIR:
+ value: '/var/mail'
+ PASS_MAX_DAYS:
+ value: '99999'
+ PASS_MIN_DAYS:
+ value: '0'
+ PASS_WARN_AGE:
+ value: '7'
+ SU_NAME:
+ value: 'su'
+ SYSLOG_SG_ENAB:
+ value: 'yes'
+ SYSLOG_SU_ENAB:
+ value: 'yes'
+ TTYGROUP:
+ value: 'tty'
+ TTYPERM:
+ value: '0600'
+ UID_MAX:
+ value: '60000'
+ UID_MIN:
+ value: '1000'
+ UMASK:
+ value: '022'
+ USERGROUPS_ENAB:
+ value: 'yes'
+{%- endload %}
+{%- set login_defs = salt['grains.filter_by'](login_defs_defaults,
+ grain='os_family', merge=salt['pillar.get']('linux:system:login_defs')) %}
+
{# 'network_name', #}
{% set interface_params = [
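Review bot: `login_defs_defaults` has only a `Debian` key, so on a RedHat-family minion `grains.filter_by` has no base entry to merge the pillar into and, if I read its merge handling correctly, `login_defs` becomes just the pillar dict; together with the new template that means a single pillar option would overwrite /etc/login.defs with a file containing only that option, dropping `UID_MIN`/`UID_MAX`, `ENCRYPT_METHOD` and everything else the distro file carried. Either add a `RedHat:` block with that family's shipped values or guard the login_defs state on the os_family the defaults cover. Separately, `PASS_MAX_DAYS: '99999'` and `LOG_UNKFAIL_ENAB: 'no'` mirror the Debian shipped file rather than a hardened baseline, which is fine for defaults but deserves a comment such as `# Debian shipped values, not a hardened baseline; CIS password-expiry/logging controls are expected to come from pillar` so nobody reads them as the compliance setting.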
diff --git a/linux/system/init.sls b/linux/system/init.sls
index 4f97fa0..cec6c18 100644
--- a/linux/system/init.sls
+++ b/linux/system/init.sls
@@ -3,6 +3,9 @@
include:
- linux.system.env
- linux.system.profile
+{%- if system.login_defs is defined %}
+- linux.system.login_defs
+{%- endif %}
- linux.system.at
- linux.system.cron
{%- if system.repo|length > 0 %}
diff --git a/linux/system/login_defs.sls b/linux/system/login_defs.sls
new file mode 100644
index 0000000..f94348a
--- /dev/null
+++ b/linux/system/login_defs.sls
@@ -0,0 +1,13 @@
+{%- from "linux/map.jinja" import system with context %}
+{%- if system.enabled %}
+ {%- if system.login_defs is defined %}
+login_defs:
+ file.managed:
+ - name: /etc/login.defs
+ - source: salt://linux/files/login.defs.jinja
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+ {%- endif %}
+{%- endif %}
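Review bot: `file.managed` replaces /etc/login.defs wholesale with whatever the template renders, so on the first run any directive the distro file had that is neither in the template's allowlist nor in pillar disappears, and there is no `backup:` option to recover the previous file. Adding `- backup: minion` gives a rollback path, and a comment above the state such as `# Replaces the whole file: only options in login.defs.jinja's allowlist survive` makes the blast radius explicit to whoever enables the pillar key. `mode: 644` matches the distro default and the file holds no secrets, so the permissions are fine.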
diff --git a/linux/system/user.sls b/linux/system/user.sls
index 7ffdae6..7a0c98b 100644
--- a/linux/system/user.sls
+++ b/linux/system/user.sls
@@ -43,6 +43,7 @@
{%- endif %}
{%- if user.system is defined and user.system %}
- system: True
+ - shell: {{ user.get('shell', '/bin/false') }}
{%- else %}
- shell: {{ user.get('shell', '/bin/bash') }}
{%- endif %}
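Review bot: Defaulting `shell` to `/bin/false` for `system: True` users changes existing system accounts that were declared without an explicit `shell` — on the next highstate `user.present` rewrites their login shell, which breaks any service account that relied on a real one (cron jobs via `su -`, deploy users). The hardening default is right, but the behaviour change should be called out in the README/commit message, and accounts that need a shell must now set `shell:` explicitly. `/usr/sbin/nologin` is the other non-login shell the CIS "system accounts are non-login" check accepts and it announces the refusal, which is friendlier for troubleshooting than a silent `/bin/false`; worth considering as the default if the formula targets only distributions that ship it. The enclosing `user.present` state starts outside this hunk.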
diff --git a/metadata/service/system/cis/cis-6-1-2.yml b/metadata/service/system/cis/cis-6-1-2.yml
new file mode 100644
index 0000000..481c2df
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-2.yml
@@ -0,0 +1,38 @@
+# CIS 6.1.2 Ensure permissions on /etc/passwd are configured
+#
+# Description
+# ===========
+# The /etc/passwd file contains user account information that is used by
+# many system utilities and therefore must be readable for these utilities
+# to operate.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/passwd file is protected from
+# unauthorized write access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 644 :
+#
+# # stat /etc/passwd
+# Access: (0644/-rw-r--r--) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/passwd :
+#
+# # chown root:root /etc/passwd
+# # chmod 644 /etc/passwd
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/passwd:
+ user: 'root'
+ group: 'root'
+ mode: '0644'
+
diff --git a/metadata/service/system/cis/cis-6-1-3.yml b/metadata/service/system/cis/cis-6-1-3.yml
new file mode 100644
index 0000000..7bcd373
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-3.yml
@@ -0,0 +1,39 @@
+# CIS 6.1.3 Ensure permissions on /etc/shadow are configured
+#
+# Description
+# ===========
+# The /etc/shadow file is used to store the information about user accounts
+# that is critical to the security of those accounts, such as the hashed
+# password and other security information.
+#
+# Rationale
+# =========
+# If attackers can gain read access to the /etc/shadow file, they can easily
+# run a password cracking program against the hashed password to break it.
+# Other security information that is stored in the /etc/shadow file (such
+# as expiration) could also be useful to subvert the user accounts.
+#
+# Audit
+# =====
+# Run the following command and verify Uid is 0/root , Gid is <gid>/shadow ,
+# and Access is 640 or more restrictive:
+#
+# # stat /etc/shadow
+# Access: (0640/-rw-r-----) Uid: (0/root) Gid: (42/shadow)
+#
+# Remediation
+# ===========
+# Run the one following commands to set permissions on /etc/shadow :
+#
+# # chown root:shadow /etc/shadow
+# # chmod o-rwx,g-wx /etc/shadow
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/shadow:
+ user: 'root'
+ group: 'shadow'
+ mode: '0640'
+
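Review bot: `group: 'shadow'` with `mode: '0640'` is the Debian/Ubuntu layout; on RedHat-family hosts /etc/shadow is root:root with a far more restrictive mode and no `shadow` group exists, so this class would either fail the file state or, if someone creates that group, loosen the file on those minions. The metadata has no os_family switch, so either state in the header comment that these `service.linux.system.cis.*` classes are Debian-family only, or scope the parameters by os_family as map.jinja does elsewhere. The audit/remediation text quoted here is likewise the Debian variant of the benchmark.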
diff --git a/metadata/service/system/cis/cis-6-1-4.yml b/metadata/service/system/cis/cis-6-1-4.yml
new file mode 100644
index 0000000..d5b2ffd
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-4.yml
@@ -0,0 +1,38 @@
+# CIS 6.1.4 Ensure permissions on /etc/group are configured
+#
+# Description
+# ===========
+# The /etc/group file contains a list of all the valid groups defined in the
+# system. The command below allows read/write access for root and read access
+# for everyone else.
+#
+# Rationale
+# =========
+# The /etc/group file needs to be protected from unauthorized changes by
+# non-privileged users, but needs to be readable as this information is used
+# with many non-privileged programs.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 644 :
+#
+# # stat /etc/group
+# Access: (0644/-rw-r--r--) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/group :
+#
+# # chown root:root /etc/group
+# # chmod 644 /etc/group
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/group:
+ user: 'root'
+ group: 'root'
+ mode: '0644'
+
diff --git a/metadata/service/system/cis/cis-6-1-5.yml b/metadata/service/system/cis/cis-6-1-5.yml
new file mode 100644
index 0000000..87ef05a
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-5.yml
@@ -0,0 +1,39 @@
+# CIS 6.1.5 Ensure permissions on /etc/gshadow are configured
+#
+# Description
+# ===========
+# The /etc/gshadow file is used to store the information about groups that
+# is critical to the security of those accounts, such as the hashed password
+# and other security information.
+#
+# Rationale
+# =========
+# If attackers can gain read access to the /etc/gshadow file, they can easily
+# run a password cracking program against the hashed password to break it.
+# Other security information that is stored in the /etc/gshadow file (such as
+# group administrators) could also be useful to subvert the group.
+#
+# Audit
+# =====
+# Run the following command and verify verify Uid is 0/root ,
+# Gid is <gid>/shadow , and Access is 640 or more restrictive:
+#
+# # stat /etc/gshadow
+# Access: (0640/-rw-r-----) Uid: (0/root) Gid: (42/shadow)
+#
+# Remediation
+# ===========
+# Run the following commands to set permissions on /etc/gshadow :
+#
+# # chown root:shadow /etc/gshadow
+# # chmod o-rwx,g-rw /etc/gshadow
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/gshadow:
+ user: 'root'
+ group: 'shadow'
+ mode: '0640'
+
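Review bot: The quoted remediation `chmod o-rwx,g-rw /etc/gshadow` clears the group read bit (yielding 0600 when applied to a 0640 file), while the enforced `mode: '0640'` keeps group read — the comment and the parameter describe different end states. 0640 still satisfies "640 or more restrictive", so the parameter is compliant; change the quoted command to `chmod o-rwx,g-wx /etc/gshadow` so the documented remediation produces the mode the state enforces. As with the /etc/shadow class, `group: 'shadow'` assumes a Debian-family minion.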
diff --git a/metadata/service/system/cis/cis-6-1-6.yml b/metadata/service/system/cis/cis-6-1-6.yml
new file mode 100644
index 0000000..0cd4b9f
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-6.yml
@@ -0,0 +1,36 @@
+# CIS 6.1.6 Ensure permissions on /etc/passwd- are configured
+#
+# Description
+# ===========
+# The /etc/passwd- file contains backup user account information.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/passwd- file is protected from
+# unauthorized access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 600 or more restrictive:
+#
+# # stat /etc/passwd-
+# Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/passwd- :
+#
+# # chown root:root /etc/passwd-
+# # chmod 600 /etc/passwd-
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/passwd-:
+ user: 'root'
+ group: 'root'
+ mode: '0600'
+
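Review bot: `/etc/passwd-` is a backup written by the shadow tools and is absent on a freshly provisioned host; if `linux:system:file` maps to a plain `file.managed` (cannot confirm from this change), the class will create an empty root:root 0600 file rather than just correcting permissions on an existing one. That is harmless, but if the file state supports a create-only-if-present flag it should be set here and in the shadow-/group-/gshadow- siblings, otherwise add a line to the description such as `# Note: the file is created empty if it does not exist yet` so the audit output is not a surprise.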
diff --git a/metadata/service/system/cis/cis-6-1-7.yml b/metadata/service/system/cis/cis-6-1-7.yml
new file mode 100644
index 0000000..4918e6b
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-7.yml
@@ -0,0 +1,38 @@
+# CIS 6.1.7 Ensure permissions on /etc/shadow- are configured
+#
+# Description
+# ===========
+# The /etc/shadow- file is used to store backup information about user
+# accounts that is critical to the security of those accounts, such as the
+# hashed password and other security information.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/shadow- file is protected from
+# unauthorized access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 600 or more restrictive:
+#
+# # stat /etc/shadow-
+# Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/shadow- :
+#
+# # chown root:root /etc/shadow-
+# # chmod 600 /etc/shadow-
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/shadow-:
+ user: 'root'
+ group: 'root'
+ mode: '0600'
+
diff --git a/metadata/service/system/cis/cis-6-1-8.yml b/metadata/service/system/cis/cis-6-1-8.yml
new file mode 100644
index 0000000..eb7bb16
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-8.yml
@@ -0,0 +1,37 @@
+# CIS 6.1.8 Ensure permissions on /etc/group- are configured
+#
+# Description
+# ===========
+# The /etc/group- file contains a backup list of all the valid groups defined
+# in the system.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/group- file is protected from
+# unauthorized access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 600 or more restrictive:
+#
+# # stat /etc/group-
+# Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/group- :
+#
+# # chown root:root /etc/group-
+# # chmod 600 /etc/group-
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/group-:
+ user: 'root'
+ group: 'root'
+ mode: '0600'
+
diff --git a/metadata/service/system/cis/cis-6-1-9.yml b/metadata/service/system/cis/cis-6-1-9.yml
new file mode 100644
index 0000000..7acba2f
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-9.yml
@@ -0,0 +1,38 @@
+# CIS 6.1.9 Ensure permissions on /etc/gshadow- are configured
+#
+# Description
+# ===========
+# The /etc/gshadow- file is used to store backup information about groups
+# that is critical to the security of those accounts, such as the hashed
+# password and other security information.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/gshadow- file is protected from
+# unauthorized access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 600 or more restrictive:
+#
+# # stat /etc/gshadow-
+# Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/gshadow- :
+#
+# # chown root:root /etc/gshadow-
+# # chmod 600 /etc/gshadow-
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/gshadow-:
+ user: 'root'
+ group: 'root'
+ mode: '0600'
+
diff --git a/metadata/service/system/cis/init.yml b/metadata/service/system/cis/init.yml
index c291832..a72366d 100644
--- a/metadata/service/system/cis/init.yml
+++ b/metadata/service/system/cis/init.yml
@@ -13,3 +13,11 @@
- service.linux.system.cis.cis-3-2-8
# Temp. disable PROD-22520
#- service.linux.system.cis.cis-3-3-3
+- service.linux.system.cis.cis-6-1-2
+- service.linux.system.cis.cis-6-1-3
+- service.linux.system.cis.cis-6-1-4
+- service.linux.system.cis.cis-6-1-5
+- service.linux.system.cis.cis-6-1-6
+- service.linux.system.cis.cis-6-1-7
+- service.linux.system.cis.cis-6-1-8
+- service.linux.system.cis.cis-6-1-9
diff --git a/tests/pillar/system.sls b/tests/pillar/system.sls
index 0b792b6..aa1c7ed 100644
--- a/tests/pillar/system.sls
+++ b/tests/pillar/system.sls
@@ -407,6 +407,9 @@
- .local
LANG: C
LC_ALL: C
+ login_defs:
+ PASS_MAX_DAYS:
+ value: 99
profile:
vi_flavors.sh: |
export PAGER=view
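Review bot: The test pillar only exercises the enabled-by-default path with `PASS_MAX_DAYS`; nothing covers `enabled: false` or an option outside the template's allowlist, so neither the suppression branch nor the silent-drop behaviour of login.defs.jinja is observable in the kitchen run. Adding an entry like `UMASK: {enabled: false, value: '077'}` and one deliberately unlisted key would make both visible. `value: 99` is an int here while the map.jinja defaults and the README use quoted strings; the template interpolates either, but keeping the test in the documented string form avoids YAML typing surprises for options like `'0177'`.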