[chef] Re: Re: Re: Re: Re: Re: should chef be used for initial server updating/hardening?
  • From: Tom < >
  • To:
  • Cc: Adam Garside < >
  • Subject: [chef] Re: Re: Re: Re: Re: Re: should chef be used for initial server updating/hardening?
  • Date: Fri, 20 Jan 2012 17:34:53 +0000

On 20/01/12 16:52, Adam Garside wrote:
> On Jan 20, 2012, at 11:49 AM, Tom wrote:
>
>> Typically server hardening is achieved through the combined effect of many cookbooks, and then testing the applied configuration using some security auditing tool.
>>
>> I am actually working on a compliance cookbook at the moment, and I am evaluating the following tools:
>
> If anyone is interested, I have a minimal compliance audit cookbook that we use. It's Ubuntu 10.04 only but may be helpful for one aspect of what you are looking for.
>
> https://github.com/fabulops/cookbook-compliance


That's interesting. There are a couple of projects in the Fedora repos that use Puppet as a tool to "remediate" the problems identified by OVAL tests: Aqueduct is one and secstate is another.

I was thinking of something like that for Chef, and your audit resource is similar. There are OVAL files for vulnerabilities in Red Hat published here: http://www.redhat.com/security/data/oval/ . I see that there is an OVAL interpreter in the Ubuntu repos, so I presume that there must be OVAL test files available for it.

I am wondering if I should write some parser to convert from OVAL tests to "audit" resources in a simple manner...

Tom
<definition class="compliance" version="1" id="oval:gov.irs.rhel5:def:129">
      <metadata>
            <title>The inetd package should not be installed</title>
            <affected family="unix">
                  <platform>Red Hat Enterprise Linux 5</platform>
            </affected>
            <reference ref_id="CCE-4023-8" source="CCE"/>
            <description>The inetd package should not be installed</description>
      </metadata>
      <criteria>
            <criterion test_ref="oval:gov.irs.rhel5:tst:177" comment="The inetd package should not be installed"/>
            <extend_definition definition_ref="oval:gov.irs.rhel5:def:10000" comment="Red Hat Enterprise Linux 5 is installed"/>
      </criteria>
</definition>

<rpminfo_test check_existence="none_exist" comment="The inetd package should not be installed" version="1" id="oval:gov.irs.rhel5:tst:177" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
      <object object_ref="oval:gov.irs.rhel5:obj:174"/>
</rpminfo_test>
Someone has published further STIG Puppet modules here:
https://gitorious.org/puppet-rhel5-disa-stig

for compliance with CLIP: http://oss.tresys.com/projects/clip
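The OVAL-to-"audit resource" converter Tom wonders about, sketched as an added example. This is not code from the thread, from the fabulops cookbook, or from any of the projects mentioned; it is a stand-alone Ruby script. It indexes every rpminfo_test and rpminfo_object in an OVAL file, then turns each criterion of each definition into a package-presence check and renders it as a Chef-style resource. The resource name `audit_check` and its `command` / `expect_returns` attributes are hypothetical and not the fabulops DSL. The sample document is constructed: it wraps the definition and test quoted above in a minimal `<oval_definitions>` root, adds an assumed rpminfo_object for obj:174 (the message shows only the definition and the test), and adds a made-up `oval:example:*` definition whose object is deliberately missing, so the failure path is exercised too.

```ruby
require 'rexml/document'

# Constructed sample input (not from the message): the definition and rpminfo_test
# quoted above, wrapped in a minimal <oval_definitions> root, plus an assumed
# rpminfo_object for obj:174 (the message does not show it) and a made-up
# oval:example:* definition whose object is deliberately missing.
OVAL_SAMPLE = <<~XML
  <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
      xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
    <definitions>
      <definition class="compliance" version="1" id="oval:gov.irs.rhel5:def:129">
        <metadata>
          <title>The inetd package should not be installed</title>
          <reference ref_id="CCE-4023-8" source="CCE"/>
        </metadata>
        <criteria>
          <criterion test_ref="oval:gov.irs.rhel5:tst:177" comment="The inetd package should not be installed"/>
          <extend_definition definition_ref="oval:gov.irs.rhel5:def:10000" comment="Red Hat Enterprise Linux 5 is installed"/>
        </criteria>
      </definition>
      <definition class="compliance" version="1" id="oval:example:def:1">
        <metadata><title>Made-up definition with an unresolvable object</title></metadata>
        <criteria><criterion test_ref="oval:example:tst:1" comment="example"/></criteria>
      </definition>
    </definitions>
    <tests>
      <lin:rpminfo_test check_existence="none_exist" check="all" version="1" id="oval:gov.irs.rhel5:tst:177" comment="The inetd package should not be installed">
        <lin:object object_ref="oval:gov.irs.rhel5:obj:174"/>
      </lin:rpminfo_test>
      <lin:rpminfo_test check_existence="at_least_one_exists" check="all" version="1" id="oval:example:tst:1" comment="example">
        <lin:object object_ref="oval:example:obj:1"/>
      </lin:rpminfo_test>
    </tests>
    <objects>
      <lin:rpminfo_object id="oval:gov.irs.rhel5:obj:174" version="1"><lin:name>inetd</lin:name></lin:rpminfo_object>
    </objects>
  </oval_definitions>
XML

# OVAL check_existence -> exit status expected from `rpm -q <name>` (0 = installed, 1 = absent).
EXISTENCE_TO_STATUS = { 'none_exist' => 1, 'at_least_one_exists' => 0, 'all_exist' => 0, 'only_one_exists' => 0 }.freeze

# Child elements of an element as an Array (REXML's each_element needs a block).
def children(el)
  list = []
  el.each_element { |c| list << c }
  list
end

# Depth-first walk over every element in the tree.
def walk(el, &block)
  yield el
  children(el).each { |c| walk(c, &block) }
end

# Index the document: definitions in order, rpminfo tests and objects by id.
# REXML's Element#name is the local name, so <lin:rpminfo_test> matches 'rpminfo_test'.
def parse_oval(xml)
  doc = REXML::Document.new(xml)
  defs, tests, objects = [], {}, {}
  walk(doc.root) do |el|
    case el.name
    when 'definition'
      defs << el
    when 'rpminfo_test'
      obj = children(el).find { |c| c.name == 'object' }
      tests[el.attributes['id']] = { existence: el.attributes['check_existence'],
                                     object_ref: obj && obj.attributes['object_ref'] }
    when 'rpminfo_object'
      name = children(el).find { |c| c.name == 'name' }
      objects[el.attributes['id']] = name && name.text.strip
    end
  end
  [defs, tests, objects]
end

# One <definition> -> a list of check hashes, one per <criterion>. <extend_definition> is
# platform applicability, not a check, so it is skipped. Anything that cannot be mapped is
# returned with :error instead of being silently dropped from the generated audit.
def definition_to_checks(defn, tests, objects)
  meta = children(defn).find { |c| c.name == 'metadata' }
  title = children(meta).find { |c| c.name == 'title' }&.text
  cces = children(meta).select { |c| c.name == 'reference' && c.attributes['source'] == 'CCE' }
                       .map { |r| r.attributes['ref_id'] }
  criteria = children(defn).find { |c| c.name == 'criteria' }
  children(criteria).select { |c| c.name == 'criterion' }.map do |crit|
    test_id = crit.attributes['test_ref']
    check = { definition: defn.attributes['id'], title: title, cce: cces, test: test_id }
    test = tests[test_id]
    if test.nil?
      check[:error] = "unsupported or missing test #{test_id}"
    elsif (pkg = objects[test[:object_ref]]).nil?
      check[:error] = "unresolved object #{test[:object_ref]}"
    elsif (status = EXISTENCE_TO_STATUS[test[:existence]]).nil?
      check[:error] = "unsupported check_existence #{test[:existence]}"
    else
      check[:command] = "rpm -q #{pkg}"
      check[:returns] = status
    end
    check
  end
end

# Render checks as a hypothetical Chef `audit_check` resource per criterion.
def render_chef(checks)
  checks.map do |c|
    cce = c[:cce].empty? ? '' : " (#{c[:cce].join(', ')})"
    head = "# #{c[:definition]}#{cce}: #{c[:title]}\n"
    next head + "# TODO: #{c[:error]} -- review by hand\n" if c[:error]
    head + "audit_check '#{c[:test]}' do\n  command '#{c[:command]}'\n  expect_returns #{c[:returns]}\nend\n"
  end.join("\n")
end

def oval_to_chef(xml)
  defs, tests, objects = parse_oval(xml)
  render_chef(defs.flat_map { |d| definition_to_checks(d, tests, objects) })
end

puts oval_to_chef(OVAL_SAMPLE) if __FILE__ == $PROGRAM_NAME
```

Run it as `ruby oval2chef.rb`; for the quoted definition it emits a check that runs `rpm -q inetd` and expects exit status 1, i.e. the package is absent, with the CCE id carried into the comment so the generated cookbook can be traced back to the benchmark. Only rpminfo tests are mapped here; a real OVAL file also carries textfilecontent, file, sysctl and similar tests, and the important design choice is that every criterion the converter cannot express surfaces as a TODO line, because a converter that quietly drops tests produces an audit that reports "compliant" for controls it never checked.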
Archive powered by MHonArc 2.6.16.