Refactored Chef

Author: Brian Pontarelli

.gitignore

@@ -1,3 +1,4 @@
 .idea/workspace.xml
 output
 bundle
+.kitchen

chef-repo/cookbooks/2016-security-guide/.kitchen.yml

@@ -1,18 +1,15 @@
 ---
 driver:
   name: vagrant
+  network:
+    - ['private_network', {ip: '192.168.34.34'}]
 
 provisioner:
   name: chef_zero
 
-# Uncomment the following verifier to leverage Inspec instead of Busser (the
-# default verifier)
-# verifier:
-#   name: inspec
-
 platforms:
-  - name: ubuntu-14.04
-  - name: centos-7.1
+  - name: ubuntu-16.04
+#  - name: centos-7.1
 
 suites:
   - name: default

chef-repo/cookbooks/2016-security-guide/attributes/default.rb

@@ -1,13 +1,46 @@
-default['security_guide'] = {
-  :users => [],
-  :sudo_group => 'sudo',
-  :monit => {
-    :email_server => 'localhost',
-    :email_port => '25',
-    :slack_url => '',
-    :slack_enabled => 'false',
-    :pushover_application => '',
-    :pushover_user => '',
-    :pushover_enabled => 'false'
-  }
-}
+# Users to create and users to delete
+default['security_guide']['users'] = []
+default['security_guide']['home_directory'] = '/home'
+default['security_guide']['default_shell'] = '/bin/bash'
+
+# The Sudo group name
+case node[:platform]
+  when "centos", "redhat", "fedora", "suse", "arch"
+    default['security_guide']['sudo_group'] = 'wheel'
+  else
+    default['security_guide']['sudo_group'] = 'sudo'
+end
+
+# SSH config
+default['security_guide']['sshd']['listen_port'] = 22
+
+# Two-factor config
+default['security_guide']['two_factor_enabled'] = true
+
+# Strong password config
+default['security_guide']['strong_passwords']['uppercase'] = 1
+default['security_guide']['strong_passwords']['lowercase'] = 2
+default['security_guide']['strong_passwords']['numbers'] = 1
+default['security_guide']['strong_passwords']['other'] = 1
+default['security_guide']['strong_passwords']['min_length'] = 10
+default['security_guide']['strong_passwords']['different_than_last_by'] = 3
+default['security_guide']['strong_passwords']['retry_attempts'] = 3
+
+# Monit configuration for emailing and Slack/Pushover integration
+default['security_guide']['monit']['email_server'] = 'localhost'
+default['security_guide']['monit']['email_port'] = '25'
+default['security_guide']['monit']['slack_url'] = ''
+default['security_guide']['monit']['slack_enabled'] = false
+default['security_guide']['monit']['pushover_application'] = ''
+default['security_guide']['monit']['pushover_user'] = ''
+default['security_guide']['monit']['pushover_user'] = ''
+default['security_guide']['monit']['pushover_enabled'] = false
+
+# IPTable config
+#  node['security_guide']['iptables']['tcp']['listen_ports'] is an array of integers that sets the listen ports
+#  node['security_guide']['iptables']['tcp']['source_ips'] is a hash that sets the source IP addresses for each listen port (if any)
+#         i.e. {22 => '192.168.32.42'}
+#  node['security_guide']['iptables']['tcp']['forward_ports'] is a hash that configures port forwarding i.e. {80 => 3000}
+default['security_guide']['iptables']['tcp']['listen_ports'] = [22, 80, 443, 3000, 3003]
+default['security_guide']['iptables']['tcp']['source_ips'] = {}
+default['security_guide']['iptables']['tcp']['forward_ports'] = {80 => 3000, 443 => 3003}

chef-repo/cookbooks/2016-security-guide/files/default/sshd

@@ -4,7 +4,7 @@
 @include common-auth
 
 #
-# 2016-SECURITY-SCRIPT ADDITION: Google Authenticator module
+# 2016-SECURITY-GUIDE ADDITION: Google Authenticator module
 #
 auth [success=done new_authtok_reqd=done default=die] pam_google_authenticator.so nullok
 

chef-repo/cookbooks/2016-security-guide/files/default/sshd_config

@@ -4,133 +4,11 @@
 #
 # Copyright (c) 2016 Inversoft, All Rights Reserved.
 
-# Validate the attributes
-if node['security_guide']['users'].length == 0 || node['security_guide']['monit'].attribute?('alert_email') == false
-  Chef::Application.fatal!('You must specify at least one user and an alert email for Monit')
-end
-
-apt_update 'Update the apt cache daily' do
-  frequency 86_400
-  action :periodic
-end
-
-# Create the ordinary users
-node['security_guide']['users'].each do |user|
-  user user.username do
-    home "/home/#{user.username}"
-    manage_home true
-    shell '/bin/bash'
-    password user.password
-  end
-
-  # Add the ordinary user to the sudo group
-  group node['security_guide']['sudo_group'] do
-    action :modify
-    members user.username
-    append true
-  end
-
-  # Setup SSH key's for the ordinary user
-  directory "/home/#{user.username}/.ssh" do
-    owner user.username
-    group user.username
-    mode '0700'
-    action :create
-  end
-  file "/home/#{user.username}/.ssh/authorized_keys" do
-    content user.public_key
-    owner user.username
-    group user.username
-    mode '0600'
-  end
-end
-
-# Disable rot user's password
-user 'root' do
-  password '!'
-  action :modify
-end
-
-# Install all the security packages
-package 'libpam-cracklib'
-package 'libpam-google-authenticator'
-package 'ntp'
-package 'monit'
-package 'ruby'
-
-# Configure the Debian answers for the iptables-persistent package
-ruby_block 'debconf-iptables-persistent' do 
-  block do
-    `echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections`
-    `echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections`
-  end
-  action :create
-end
-package 'iptables-persistent'
-
-# Install the SSH server configuration file
-cookbook_file '/etc/ssh/sshd_config' do
-  source 'sshd_config'
-  owner 'root'
-  group 'root'
-  mode '0644'
-end
-
-# Install the PAM SSH configuration file for two-factor authentication
-cookbook_file '/etc/pam.d/sshd' do
-  source 'sshd'
-  owner 'root'
-  group 'root'
-  mode '0644'
-end
-
-# Install the IPTables IPv4 configuration file
-cookbook_file '/etc/iptables/rules.v4' do
-  source 'rules.v4'
-  owner 'root'
-  group 'root'
-  mode '0644'
-end
-
-# Install the PAM password module for strong passwords
-cookbook_file '/etc/pam.d/common-password' do
-  source 'common-password'
-  owner 'root'
-  group 'root'
-  mode '0644'
-end
-
-# Install the Monit configuration for generating alerts on SSH logins
-cookbook_file '/etc/monit/conf.d/ssh-logins' do
-  source 'ssh-logins'
-  owner 'root'
-  group 'root'
-  mode '0600'
-end
-
-# Install the main Monit configuration file that sends the emails
-template '/etc/monit/monitrc' do
-  source 'monitrc.erb'
-  owner 'root'
-  group 'root'
-  mode '0600'
-end
-
-# Install the Monit script to send alerts to Slack and Pushover
-template '/etc/monit/monit-slack-pushover.rb' do
-  source 'monit-slack-pushover.rb.erb'
-  owner 'root'
-  group 'root'
-  mode '0700'
-end
-
-# Restart all the services
-service 'ssh' do
-  action :restart
-end
-service 'netfilter-persistent' do
-  action :restart
-end
-service 'monit' do
-  action :restart
-end
+include_recipe '2016_security_guide::users'
+include_recipe '2016_security_guide::strong-passwords'
+include_recipe '2016_security_guide::iptables'
+include_recipe '2016_security_guide::sshd'
+if node['security_guide']['two_factor_enabled']
+  include_recipe '2016_security_guide::two-factor'
+end
+include_recipe '2016_security_guide::monit'

chef-repo/cookbooks/2016-security-guide/recipes/default.rb

@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: 2016_security_guide
+# Recipe:: default
+#
+# Copyright (c) 2016 Inversoft, All Rights Reserved.
+
+# Configure the Debian answers for the iptables-persistent package
+ruby_block 'debconf-iptables-persistent' do 
+  block do
+    `echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections`
+    `echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections`
+  end
+  action :create
+end
+package 'iptables-persistent'
+
+# Install the IPTables IPv4 configuration file
+template '/etc/iptables/rules.v4' do
+  source 'rules.v4.erb'
+  owner 'root'
+  group 'root'
+  mode '0644'
+end
+
+# Restart the IPTables service
+service 'netfilter-persistent' do
+  action :restart
+end