- From: Joshua Timberman
- To:
- Subject: [chef] Re: should chef be used for initial server updating/hardening?
- Date: Fri, 20 Jan 2012 11:32:52 -0700
Ohai!
On Fri, Jan 20, 2012 at 9:10 AM, S Ahmed wrote:
> Is it good practise to use chef to update repos i.e. sudo apt-get update && sudo apt-get upgrade
As mentioned, Opscode's `apt` cookbook's default recipe will perform
apt-get update. It uses the `update-notifier-common` package to
provide a timestamp to only run apt-get update if the cache is less
than a day old.
Handling package upgrades is largely up to each individual's policy on
that approach, and how resiliently the running applications handle a
blanket upgrade. Possible approaches:
* use the "action :upgrade" on any package resources so they will be updated when Chef runs.
* perform "apt-get upgrade" ad hoc using `knife ssh`.
* http://community.opscode.com/cookbooks/apt
> And general server hardening like iptables etc?
>
> If yes, any good examples for ubuntu hardening that you can point me to?
Opscode publishes `firewall` and `ufw` cookbooks for maintaining
firewall rules.
* http://community.opscode.com/cookbooks/firewall
* http://community.opscode.com/cookbooks/ufw
We also have an `iptables` cookbook but it really needs an update.
* http://tickets.opscode.com/browse/COOK-652
* http://tickets.opscode.com/browse/COOK-688
Our cookbook for OSSEC may be a good start if you're using that tool.
* http://community.opscode.com/cookbooks/ossec
Finally, I maintain a cookbook for implementing the CIS benchmark
guidelines on Red Hat, which may be a useful starting point for doing
similar for Ubuntu systems.
* http://community.opscode.com/cookbooks/cis_benchmark
* http://cisecurity.org/
Hope this helps
--
Opscode, Inc.
Joshua Timberman, Technical Program Manager
IRC, Skype, Twitter, Github: jtimberman
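Added example, not part of the thread or of the Opscode apt cookbook: a plain-Ruby model of the timestamp gate and upgrade policies the reply describes, so the "refresh only when the stamp is stale" and "action :upgrade versus blanket upgrade" choices can be exercised without a Chef run. The stamp path is the one update-notifier-common writes on Ubuntu and is assumed here, not taken from the message.

```ruby
require 'fileutils'

# Models the gate the apt cookbook's default recipe applies: update-notifier-common
# touches a stamp file after every successful "apt-get update", and the cache is
# only refreshed again when that stamp is missing or older than MAX_AGE.
module AptCacheGate
  STAMP   = '/var/lib/apt/periodic/update-success-stamp'.freeze # assumed path
  MAX_AGE = 24 * 60 * 60 # one day, in seconds

  # True when the package cache should be refreshed: no stamp yet, or the
  # stamp's mtime is older than max_age relative to `now` (injectable for tests).
  def self.stale?(stamp = STAMP, now: Time.now, max_age: MAX_AGE)
    return true unless File.exist?(stamp)
    File.mtime(stamp) < now - max_age
  end

  # Commands a converge would run for a given stamp state and upgrade policy:
  #   :none  -> only refresh the cache when stale
  #   :all   -> the blanket "apt-get upgrade" the questioner asked about
  #   Array  -> per-package "action :upgrade" (apt-get install pulls newer versions)
  def self.plan(stamp = STAMP, now: Time.now, upgrade: :none)
    cmds = []
    cmds << 'apt-get update' if stale?(stamp, now: now)
    case upgrade
    when :all  then cmds << 'apt-get -y upgrade'
    when Array then upgrade.each { |pkg| cmds << "apt-get -y install #{pkg}" }
    end
    cmds
  end
end
```

The per-package form keeps the blast radius to resources you declared, which is why the reply lists it ahead of an ad hoc blanket upgrade over `knife ssh`.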