Should chef be used for initial server updating/hardening?


#1

Is it good practice to use Chef to update repos, i.e. sudo apt-get update &&
sudo apt-get upgrade?

And general server hardening like iptables etc?

If yes, any good examples for ubuntu hardening that you can point me to?


#2

yup. absolutely. Not sure about Ubuntu, but I have used Bastille on
CentOS/Linux, along with custom iptables, rkhunter and psad, just to
harden a vanilla VM. And again server, app, framework level patches/security
measures (like LAMP etc)

On Fri, Jan 20, 2012 at 9:40 PM, S Ahmed <sahmed1020@gmail.com> wrote:

Is it good practice to use Chef to update repos, i.e. sudo apt-get update
&& sudo apt-get upgrade?

And general server hardening like iptables etc?

If yes, any good examples for ubuntu hardening that you can point me to?


#3

On Friday, January 20, 2012 at 8:20 AM, Ranjib Dey wrote:

yup. absolutely. Not sure about Ubuntu, but I have used Bastille on CentOS/Linux, along with custom iptables, rkhunter and psad, just to harden a vanilla VM. And again server, app, framework level patches/security measures (like LAMP etc)

The apt cookbook does what you describe:

http://community.opscode.com/cookbooks/apt

It’s actually pretty essential, since package resources may fail if apt’s cache is out of date. As for other kinds of hardening, I’m not sure what you have in mind, but Chef can automate them.


Dan DeLeo


#4

For hardening, what I’m ideally looking for is an example repo that has
general server hardening.

I realize that server hardening is scenario specific, but this is for a web
app and I was hoping to LEARN from a good hardening recipe with ‘best
practices’.

On Fri, Jan 20, 2012 at 11:23 AM, Daniel DeLeo <dan@kallistec.com> wrote:

The apt cookbook does what you describe:

http://community.opscode.com/cookbooks/apt

It’s actually pretty essential, since package resources may fail if apt’s
cache is out of date. As for other kinds of hardening, I’m not sure what
you have in mind, but Chef can automate them.




#5

I’m not aware of any. Let me check if we can publish ours (but they are for
CentOS…)

On Fri, Jan 20, 2012 at 10:10 PM, S Ahmed <sahmed1020@gmail.com> wrote:

For hardening, what I’m ideally looking for is an example repo that has
general server hardening.

I realize that server hardening is scenario specific, but this is for a web
app and I was hoping to LEARN from a good hardening recipe with ‘best
practices’.



#6

On 20/01/12 16:40, S Ahmed wrote:

For hardening, what I’m ideally looking for is an example repo that
has general server hardening.

I realize that server hardening is scenario specific, but this is for a
web app and I was hoping to LEARN from a good hardening recipe with
‘best practices’.

Typically server hardening is achieved through the combined effect of many
cookbooks, and then testing the applied configuration using some security
auditing tool.

I am actually working on a compliance cookbook at the moment, and I am
evaluating the following tools:

secstate
sectool
openvas http://www.openvas.org/
openSCAP http://open-scap.org/

You can download OpenSCAP OVAL and XCCDF checklists for various
platforms and run them using the OpenSCAP utils, or you can download
compliance checklists in PDF format from CIS or Red Hat for EAL.

The cookbook I am working on is for a client, so I can’t release any
code specific to the internal stuff, but I am going to try to release
the openSCAP-utils wrapper that configures itself using chef search node
roles:somegroup etc.


#7

On Jan 20, 2012, at 11:49 AM, Tom wrote:

Typically server hardening is achieved through the combined effect of many cookbooks, and then testing the applied configuration using some security auditing tool.

I am actually working on a compliance cookbook at the moment, and I am evaluating the following tools;

If anyone is interested, I have a minimal compliance audit cookbook that we use. It’s Ubuntu 10.04 only but may be helpful for one aspect of what you are looking for.

Also, I highly recommend using OSSEC as another layer.

Regards,
A


#8

On 20/01/12 16:52, Adam Garside wrote:
On Jan 20, 2012, at 11:49 AM, Tom wrote:

Typically server hardening is achieved through a combined effect of many cookbooks, and then test the applied configuration using some security auditing tool.

I am actually working on a compliance cookbook at the moment, and I am evaluating the following tools;

If anyone is interested, I have a minimal compliance audit cookbook that we use. It's ubuntu 10.04 only but may be helpful for one aspect of what you are looking for.

https://github.com/fabulops/cookbook-compliance

That's interesting, there are a couple of projects on the Fedora
repos that use Puppet as a tool to "remediate" the problems
identified by OVAL tests (http://www.us-cert.gov/oval.html). Aqueduct
(https://fedorahosted.org/aqueduct/wiki/RhelStigProcess#no1) is one and
secstate (https://fedorahosted.org/secstate/) is another.

I was thinking of something like that for Chef, and your audit
resource is similar. There are OVAL files for vulnerabilities in
Red Hat published at http://www.redhat.com/security/data/oval/ and I
see that there is an OVAL interpreter in the Ubuntu repos, so I
presume that there must be OVAL test files available for it.

I am wondering if I should write some parser, to convert from OVAL
tests to "audit" resources in a simple manner...

Tom

<definition class="compliance" version="1" id="oval:gov.irs.rhel5:def:129">
  <metadata>
    <title>The inetd package should not be installed</title>
    <affected family="unix">
      <platform>Red Hat Enterprise Linux 5</platform>
    </affected>
    <reference ref_id="CCE-4023-8" source="CCE"/>
    <description>The inetd package should not be installed</description>
  </metadata>
  <criteria>
    <criterion test_ref="oval:gov.irs.rhel5:tst:177" comment="The inetd package should not be installed"/>
    <extend_definition definition_ref="oval:gov.irs.rhel5:def:10000" comment="Red Hat Enterprise Linux 5 is installed"/>
  </criteria>
</definition>

<rpminfo_test check_existence="none_exist" comment="The inetd package should not be installed" version="1" id="oval:gov.irs.rhel5:tst:177" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <object object_ref="oval:gov.irs.rhel5:obj:174"/>
</rpminfo_test>

Someone has published further STIG Puppet modules here:

https://gitorious.org/puppet-rhel5-disa-stig

for compliance with CLIP (http://oss.tresys.com/projects/clip).
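One way to start on the OVAL-to-audit conversion Tom is wondering about, as an added example that is not code from this thread or from the compliance cookbook: it parses an OVAL document into one rule per definition and evaluates the rpminfo "none_exist" check against a package list. The sample document is constructed from the definition and test quoted above; the rpminfo_object it references is not on the page, so its package name is assumed to be inetd, and the extend_definition platform check is left out.

```ruby
require 'rexml/document'

# Constructed sample from the definition/test quoted above; the rpminfo_object (obj:174) is not on the page, so inetd is assumed.
OVAL_SAMPLE = <<~XML
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
    <definitions><definition class="compliance" version="1" id="oval:gov.irs.rhel5:def:129">
      <metadata><title>The inetd package should not be installed</title></metadata>
      <criteria><criterion test_ref="oval:gov.irs.rhel5:tst:177" comment="The inetd package should not be installed"/></criteria>
    </definition></definitions>
    <tests><lin:rpminfo_test check_existence="none_exist" version="1" id="oval:gov.irs.rhel5:tst:177" check="all">
      <lin:object object_ref="oval:gov.irs.rhel5:obj:174"/>
    </lin:rpminfo_test></tests>
    <objects><lin:rpminfo_object id="oval:gov.irs.rhel5:obj:174" version="1"><lin:name>inetd</lin:name></lin:rpminfo_object></objects>
  </oval_definitions>
XML

# Collect descendant elements by local name (REXML's Element#name drops the prefix).
def elements_named(node, name, found = [])
  node.elements.each { |e| found << e if e.name == name; elements_named(e, name, found) }
  found
end

# One rule per <definition>: its id, title, and the package tests its criteria reference.
def parse_oval_rules(xml)
  root = REXML::Document.new(xml).root
  objects = elements_named(root, 'rpminfo_object').to_h do |o|
    [o.attributes['id'], elements_named(o, 'name').first.text]
  end
  tests = elements_named(root, 'rpminfo_test').to_h do |t|
    ref = elements_named(t, 'object').first.attributes['object_ref']
    [t.attributes['id'], { existence: t.attributes['check_existence'], package: objects.fetch(ref) }]
  end
  elements_named(root, 'definition').map do |d|
    { id: d.attributes['id'], title: elements_named(d, 'title').first.text,
      tests: elements_named(d, 'criterion').map { |c| tests.fetch(c.attributes['test_ref']) } }
  end
end

# Evaluate rules against the node's installed package names (e.g. from `rpm -qa --qf '%{NAME}\n'`).
def audit(rules, installed)
  rules.map do |rule|
    pass = rule[:tests].all? do |t|
      case t[:existence]
      when 'none_exist' then !installed.include?(t[:package])
      when 'at_least_one_exists', 'all_exist', 'any_exist' then installed.include?(t[:package])
      else raise ArgumentError, "unsupported check_existence: #{t[:existence]}"
      end
    end
    { id: rule[:id], title: rule[:title], pass: pass }
  end
end
```

The pass/fail hashes are the kind of per-node result a report handler (as suggested later in this thread) could mail out.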

#9

Ohai!

On Fri, Jan 20, 2012 at 9:10 AM, S Ahmed <sahmed1020@gmail.com> wrote:

Is it good practice to use Chef to update repos, i.e. sudo apt-get update &&
sudo apt-get upgrade?

As mentioned, Opscode’s apt cookbook’s default recipe will perform
apt-get update. It uses the update-notifier-common package to
provide a timestamp to only run apt-get update if the cache is less
than a day old.

Handling package upgrades is largely up to each individual’s policy on
that approach, and how resilient the running applications are to a
blanket upgrade. Possible approaches:

And general server hardening like iptables etc?

If yes, any good examples for ubuntu hardening that you can point me to?

Opscode publishes firewall and ufw cookbooks for maintaining
firewall rules.

We also have an iptables cookbook but it really needs an update.

Our cookbook for OSSEC may be a good start if you’re using that tool.

Finally, I maintain a cookbook for implementing the CIS benchmark
guidelines on Red Hat, which may be a useful starting point for doing
similar for Ubuntu systems.

Hope this helps


Opscode, Inc.
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman


#10

On 20/01/12 18:32, Joshua Timberman wrote:

Finally, I maintain a cookbook for implementing the CIS benchmark
guidelines on Red Hat, which may be a useful starting point for doing
similar for Ubuntu systems.

Do you have any recommendations for running a regular compliance report
for each instance, which can be exposed outside Chef, e.g. as an email
report or similar?

Cheers
Tom


#11

On Friday, January 20, 2012 at 2:01 PM, Tom wrote:

Do you have any recommendations for running a regular compliance report
for each instance, which can be exposed outside Chef, e.g. as an email
report or similar?

From a Chef perspective, I would use a report handler that captures the information about the run that you might care about, such as the resources that were updated, and send that information somewhere. Report handlers can send to anything, including email.

http://wiki.opscode.com/display/chef/Exception+and+Report+Handlers


Opscode, Inc.
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman


#12

I was also referring to tweaks when you normally setup a server like:

  1. disabling login w/o ssh
  2. disabling root login

etc.

On Fri, Jan 20, 2012 at 5:43 PM, Joshua Timberman <joshua@opscode.com> wrote:

From a Chef perspective, I would use a report handler that captures the
information about the run that you might care about, such as the resources
that were updated, and send that information somewhere. Report handlers can
send to anything, including email.

http://wiki.opscode.com/display/chef/Exception+and+Report+Handlers




#13

On Jan 24, 2012, at 4:06 PM, S Ahmed wrote:

I was also referring to tweaks when you normally setup a server like:

  1. disabling login w/o ssh
  2. disabling root login

I’ve got a small cookbook I developed to do that here. But now that I’ve been reminded, I like the idea of using the Bastille hardening scripts better.


Brad Knowles bknowles@ihiji.com
SAGE Level IV, Chef Level 0.0.1
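An added example (not Brad's cookbook, nor the Bastille scripts) of the sshd_config edit behind item 2 above, written as a pure function so it can be tested before a recipe writes the result out with a file resource and restarts sshd. It reads item 1 as key-only login and so also forces PasswordAuthentication off; that reading, and the sample config, are assumptions.

```ruby
# Directives a hardening recipe enforces. PasswordAuthentication is this example's
# reading of "disabling login w/o ssh" (key-based SSH only); it is an assumption.
HARDENING = { 'PermitRootLogin' => 'no', 'PasswordAuthentication' => 'no' }.freeze

# Constructed sample resembling a stock sshd_config, with a trailing Match block.
SAMPLE_SSHD_CONFIG = <<~CFG
  Port 22
  #PermitRootLogin yes
  PasswordAuthentication yes
  UsePAM yes
  Match User deploy
      PasswordAuthentication no
CFG

# Force every directive in `settings` to the wanted value: commented-out directives are
# activated, duplicates dropped (sshd honours only the first occurrence) and missing ones
# inserted before the first Match block so they still apply globally. Match blocks are left alone.
def harden_sshd_config(content, settings = HARDENING)
  out, seen, match_at = [], {}, nil
  content.each_line do |line|
    line += "\n" unless line.end_with?("\n")
    match_at ||= out.length if line =~ /\A\s*Match\b/i
    m = match_at.nil? && line.match(/\A\s*#?\s*(\w+)\s+(\S+)\s*\z/)
    key = m && settings.keys.find { |k| k.casecmp?(m[1]) }  # keywords are case-insensitive
    if key
      next if seen[key]
      seen[key] = true
      out << "#{key} #{settings[key]}\n"
    else
      out << line
    end
  end
  missing = settings.keys.reject { |k| seen[k] }.map { |k| "#{k} #{settings[k]}\n" }
  out.insert(match_at || out.length, *missing)
  out.join
end

# The value sshd will actually use: the first active occurrence before any Match block.
def effective_setting(content, key)
  content.each_line do |line|
    break if line =~ /\A\s*Match\b/i
    m = line.match(/\A\s*(\w+)\s+(\S+)\s*\z/)
    return m[2] if m && m[1].casecmp?(key)
  end
  nil
end

def root_login_disabled?(content)
  effective_setting(content, 'PermitRootLogin')&.casecmp?('no') == true
end
```

In a recipe the hardened string would go into a file resource that notifies a restart of the ssh service; the effective_setting check doubles as an audit of the file already on the node.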


#14

Brad,

I’ve got a small cookbook I developed to do that here.
Is that on your github by chance? :)

On Tue, Jan 24, 2012 at 7:42 PM, Brad Knowles <bknowles@ihiji.com> wrote:

I’ve got a small cookbook I developed to do that here. But now that I’ve
been reminded, I like the idea of using the Bastille hardening scripts
better.

