Update readme, todo, changelog, vars

* This commit updates the readme in several ways.
* It adds a todo-list and a changelog.
* It deletes unused variables
This commit is contained in:
Sebastian Gumprich 2015-06-23 18:20:06 +00:00 committed by Christoph Hartmann
parent ac4754ff16
commit 5e1e2513c5
4 changed files with 29 additions and 28 deletions

9
CHANGELOG.md Normal file
View file

@ -0,0 +1,9 @@
# Changelog
## 1.0.0
* Implement os-hardening to meet our [tests](https://github.com/hardening-io/tests-os-hardening)
* Enable GPG-checking on all yum-repository files [#5](https://github.com/hardening-io/ansible-os-hardening/pull/5)
* Disable system accounts [#6](https://github.com/hardening-io/ansible-os-hardening/issues/6)
* Module-loading configuration [#22](https://github.com/hardening-io/ansible-os-hardening/pull/22)
* Travis support [#17](https://github.com/hardening-io/ansible-os-hardening/pull/17)

View file

@ -1,8 +1,7 @@
# os-hardening (Ansible Role)
[![Build Status](http://img.shields.io/travis/hardening-io/ansible-os-hardening.svg)][2]
[![Code Coverage](http://img.shields.io/coveralls/hardening-io/ansible-os-hardening.svg)][3]
[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][5]
[![Build Status](http://img.shields.io/travis/hardening-io/ansible-os-hardening.svg)][1]
[![Gitter Chat](https://badges.gitter.im/Join%20Chat.svg)][2]
## Description
@ -31,13 +30,11 @@ It will not:
## Variables
### in main.yml
* `os_desktop_enable: false` - true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc
* `os_network_forwarding: false` - true if this system requires packet forwarding (eg Router), false otherwise
* `os_network_ipv6_enable: false`
* `os_network_arp_restricted: true` - true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
* `os_env_extra_user_paths: []` - add additional paths to the user's `PATH` variable (default is empty).
* `os_env_umask: "027"`
* `os_env_root_path: "/"` - where root is mounted
* `os_auth_pw_max_age: 60` - maximum password age
* `os_auth_pw_min_age: 7` - minimum password age (before allowing any other password change)
* `os_auth_retries: 5` - the maximum number of authentication attempts, before the account is locked for some time
@ -53,10 +50,14 @@ It will not:
* `os_security_suid_sgid_enforce: true` - true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own
* `os_security_suid_sgid_blacklist: []` - a list of paths which should have their SUID/SGID bits removed
* `os_security_suid_sgid_whitelist: []` - a list of paths which should not have their SUID/SGID bits altered
* `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Chef run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
* `os_security_suid_sgid_dry_run_on_unknown: false` - like `remove_from_unknown` above, only that SUID/SGID bits aren't removed.
It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configure `remove_from_unknown` for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to your `whitelist` and `blacklist`.
* `os_security_packages_clean'] = true` - removes packages with known issues. See section packages.
* `os_security_suid_sgid_remove_from_unknown: false` - true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in a `blacklist`. This will make every Ansible-run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in your `whitelist`.
* `os_security_packages_clean': true` - removes packages with known issues. See section packages.
### in sysctl.yml
* `os_network_forwarding: false` - true if this system requires packet forwarding (eg Router), false otherwise
* `os_network_ipv6_enable: false`
* `os_network_arp_restricted: true` - true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise
## Packages
@ -117,7 +118,7 @@ This role is mostly based on guides by:
* [Ubuntu Security/Features](https://wiki.ubuntu.com/Security/Features)
* [Deutsche Telekom, Group IT Security, Security Requirements (German)](http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si)
Thanks to all of you!!
Thanks to all of you!
## Contributing
See [contributor guideline](CONTRIBUTING.md).
@ -139,6 +140,5 @@ See the License for the specific language governing permissions and
limitations under the License.
[2]: http://travis-ci.org/hardening-io/ansible-os-hardening
[3]: https://coveralls.io/r/hardening-io/ansible-os-hardening
[5]: https://gitter.im/hardening-io
[1]: http://travis-ci.org/hardening-io/ansible-os-hardening
[2]: https://gitter.im/hardening-io

4
TODO.md Normal file
View file

@ -0,0 +1,4 @@
# TODO
* [Adduser consistency](https://github.com/hardening-io/chef-os-hardening/pull/73)
* [add support for limiting password re-use](https://github.com/hardening-io/puppet-os-hardening/pull/61)

View file

@ -1,14 +1,6 @@
# rhel, centos autoconf configuration
#os_authconfig_shadow_enable: true
#os_authconfig_md5_enable: true
os_desktop_enable: false
os_network_forwarding: false
os_network_ipv6_enable: false
os_network_arp_restricted: true
os_env_extra_user_paths: []
os_env_umask: '027'
os_env_root_path: '/'
os_auth_pw_max_age: 60
os_auth_pw_min_age: 7 # discourage password cycling
os_auth_retries: 5
@ -26,7 +18,6 @@ os_security_users_allow: []
# specify system accounts those login should not be disabled and password not changed
os_ignore_users: ['vagrant']
os_security_kernel_enable_module_loading: true
os_security_kernel_enable_sysrq: false
os_security_kernel_enable_core_dump: false
os_security_suid_sgid_enforce: true
# user-defined blacklist and whitelist
@ -36,15 +27,12 @@ os_security_suid_sgid_whitelist: []
os_security_suid_sgid_remove_from_unknown: false
# remove packages with known issues
os_security_packages_clean: true
os_security_packages_clean: false
# SYSTEM CONFIGURATION
# ====================
# These are not meant to be modified by the user
# misc
os_security_kernel_secure_sysrq: 4 + 16 + 32 + 64 + 128
# suid and sgid blacklists and whitelists
# ---------------------------------------
# don't change values in the system_blacklist/whitelist