harden_linux

This is an internal tecRacer cookbook for hardening the most popular Linux
distributions according to official standards and best practices.

Installation

Add harden_linux to your Berksfile:

cookbook 'harden_linux'

Recipes

Add the recipes to your runlist:

• apply_updates: Only upgrade all packages to latest version, no hardening
• aws_agents: Install and configure agents for CloudWatch logs, CloudWatch metrics and SSM
• extra: See details in EXTRA.md
• install_epel: Activates EPEL repository for RHEL family of platforms
• level1: Includes all CIS Level 1 items
• level2: Includes all CIS Level 1+2 items (specifically auditd)
• level2_mac: Includes all CIS Level 1+2 items PLUS mandatory access controls (SELinux in Red Hat family and AppArmor on Debian family)
• prepare_for_ami: See separate section
• prepare_for_clean_ami: Like prepare_for_ami but also removes Chef

The default recipe applies all updates, hardens to level 1 and then integrates
the AWS agents

AMI Creation

This cookbook was initially created to automaticall deploy hardened AMIs in
customer accounts. After the specific hardening, some steps are required to
prepare creation of an AMI (basically re-enabling cloud-init and scrubbing
old files). The prepare_for_ami recipe is responsible for these tasks -
it does no hardening by itself.

Example UserData for RHEL:

URL='https://packages.chef.io/stable/el/7/chef-12.16.42-1.el7.x86_64.rpm'
BUNDLE='http://example.com/harden_linux.tgz'
RUNLIST='recipe[harden_linux],recipe[harden_linux::prepare_for_ami]'

rpm -ivh "$URL"; chef-client -z --recipe-url "$BUNDLE" -r "$RUNLIST"

Example Userdata for Ubuntu 14/16:

URL='https://packages.chef.io/stable/ubuntu/12.04/chef_12.16.42-1_amd64.deb'
BUNDLE='http://example.com/harden_linux.tgz'
RUNLIST='recipe[harden_linux],recipe[harden_linux::prepare_for_ami]'

curl -Lso /tmp/chef.deb "$URL" && dpkg -i /tmp/chef.deb && rm /tmp/chef.deb
chef-client -z --recipe-url "$BUNDLE" -r "$RUNLIST"

Example UserData for Debian 8

URL='https://packages.chef.io/stable/debian/6/chef_12.16.42-1_amd64.deb'
BUNDLE='http://example.com/harden_linux.tgz'
RUNLIST='recipe[harden_linux],recipe[harden_linux::prepare_for_ami]'

curl -Lso /tmp/chef.deb "$URL" && dpkg -i /tmp/chef.deb && rm /tmp/chef.deb
chef-client -z --recipe-url "$BUNDLE" -r "$RUNLIST"

Validation

This cookbook comes with a complete InSpec profile unifying 7 different CIS
profiles (supported distributions below and Distribution Independent v1.0.0)
with good coverage. To run the verification, run the profile and specify
the verification level (level, mac, firewall, ...)

Supported Distributions

• Amazon Linux 2016 (CIS v2.0.0)
• CentOS 7 (CIS v2.1.0)
• Debian 8 (CIS v1.0.0)
• Red Hat Enterprise Linux 7 (CIS v2.1.0)
• Ubuntu Linux 14.04 (CIS v2.0.0)
• Ubuntu Linux 16.04 (CIS v1.0.0)

Items are designated in the recipies, if an item is covered by the Distribution
Independent benchmark, the other benchmark matching numbering are omitted.
Debian is not yet in sync with the new numbering, but expected to match soon.

License and Authors

• Author: Thomas Heinen
• Copyright tecRacer GmbH, All rights reserved

All rights reserved. This book or any portion thereof may not be reproduced or
used in any manner whatsoever without the express written permission of the
publisher except for the use of brief quotations in a book review.