cloud-mu 1.9.0.pre.beta
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/Berksfile +56 -0
- data/Berksfile.lock +250 -0
- data/Jenkinsfile +184 -0
- data/LICENSE.md +37 -0
- data/README.md +26 -0
- data/bin/mu-aws-setup +376 -0
- data/bin/mu-cleanup +68 -0
- data/bin/mu-configure +1133 -0
- data/bin/mu-deploy +166 -0
- data/bin/mu-firewall-allow-clients +30 -0
- data/bin/mu-gcp-setup +200 -0
- data/bin/mu-gen-docs +34 -0
- data/bin/mu-gen-env +42 -0
- data/bin/mu-load-config.rb +158 -0
- data/bin/mu-node-manage +683 -0
- data/bin/mu-self-update +228 -0
- data/bin/mu-ssh +23 -0
- data/bin/mu-tunnel-nagios +144 -0
- data/bin/mu-upload-chef-artifacts +757 -0
- data/bin/mu-user-manage +275 -0
- data/cookbooks/awscli/LICENSE +37 -0
- data/cookbooks/awscli/README.md +58 -0
- data/cookbooks/awscli/attributes/default.rb +1 -0
- data/cookbooks/awscli/libraries/instance_metadata.rb +21 -0
- data/cookbooks/awscli/metadata.rb +20 -0
- data/cookbooks/awscli/recipes/default.rb +56 -0
- data/cookbooks/awscli/templates/default/config.erb +18 -0
- data/cookbooks/mu-activedirectory/CHANGELOG.md +13 -0
- data/cookbooks/mu-activedirectory/LICENSE +37 -0
- data/cookbooks/mu-activedirectory/README.md +6 -0
- data/cookbooks/mu-activedirectory/attributes/default.rb +98 -0
- data/cookbooks/mu-activedirectory/files/default/password-auth +32 -0
- data/cookbooks/mu-activedirectory/files/default/sshd_pol.pp +0 -0
- data/cookbooks/mu-activedirectory/files/default/sshd_pol.te +32 -0
- data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.pp +0 -0
- data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.te +10 -0
- data/cookbooks/mu-activedirectory/files/default/system-auth +34 -0
- data/cookbooks/mu-activedirectory/files/default/winbindpol.pp +0 -0
- data/cookbooks/mu-activedirectory/files/default/winbindpol.te +37 -0
- data/cookbooks/mu-activedirectory/libraries/config.rb +106 -0
- data/cookbooks/mu-activedirectory/libraries/helper.rb +86 -0
- data/cookbooks/mu-activedirectory/metadata.rb +17 -0
- data/cookbooks/mu-activedirectory/providers/domain.rb +152 -0
- data/cookbooks/mu-activedirectory/providers/domain_controller.rb +89 -0
- data/cookbooks/mu-activedirectory/providers/domain_node.rb +275 -0
- data/cookbooks/mu-activedirectory/recipes/default.rb +8 -0
- data/cookbooks/mu-activedirectory/recipes/domain-controller.rb +44 -0
- data/cookbooks/mu-activedirectory/recipes/domain-node.rb +50 -0
- data/cookbooks/mu-activedirectory/recipes/domain.rb +43 -0
- data/cookbooks/mu-activedirectory/recipes/sssd.rb +185 -0
- data/cookbooks/mu-activedirectory/resources/domain.rb +25 -0
- data/cookbooks/mu-activedirectory/resources/domain_controller.rb +25 -0
- data/cookbooks/mu-activedirectory/resources/domain_node.rb +20 -0
- data/cookbooks/mu-activedirectory/templates/default/dhclient-eth0.conf.erb +4 -0
- data/cookbooks/mu-activedirectory/templates/default/interface +0 -0
- data/cookbooks/mu-activedirectory/templates/default/krb5.conf.erb +23 -0
- data/cookbooks/mu-activedirectory/templates/default/ntp.conf.erb +56 -0
- data/cookbooks/mu-activedirectory/templates/default/smb.conf.erb +33 -0
- data/cookbooks/mu-activedirectory/templates/default/sssd.conf.erb +60 -0
- data/cookbooks/mu-activedirectory/templates/windows/Backup.xml.erb +20 -0
- data/cookbooks/mu-activedirectory/templates/windows/bkupInfo.xml.erb +1 -0
- data/cookbooks/mu-activedirectory/templates/windows/gpreprt.xml.erb +198 -0
- data/cookbooks/mu-activedirectory/templates/windows/gptmpl.inf.erb +12 -0
- data/cookbooks/mu-activedirectory/templates/windows/manifest.xml.erb +1 -0
- data/cookbooks/mu-firewall/CHANGELOG.md +11 -0
- data/cookbooks/mu-firewall/LICENSE +37 -0
- data/cookbooks/mu-firewall/README.md +5 -0
- data/cookbooks/mu-firewall/attributes/default.rb +3 -0
- data/cookbooks/mu-firewall/metadata.rb +16 -0
- data/cookbooks/mu-firewall/recipes/default.rb +10 -0
- data/cookbooks/mu-glusterfs/CHANGELOG.md +13 -0
- data/cookbooks/mu-glusterfs/LICENSE +37 -0
- data/cookbooks/mu-glusterfs/README.md +5 -0
- data/cookbooks/mu-glusterfs/attributes/default.rb +34 -0
- data/cookbooks/mu-glusterfs/metadata.rb +17 -0
- data/cookbooks/mu-glusterfs/recipes/client.rb +62 -0
- data/cookbooks/mu-glusterfs/recipes/default.rb +16 -0
- data/cookbooks/mu-glusterfs/recipes/samba.rb +57 -0
- data/cookbooks/mu-glusterfs/recipes/server.rb +200 -0
- data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +71 -0
- data/cookbooks/mu-glusterfs/templates/default/smb.conf.erb +14 -0
- data/cookbooks/mu-jenkins/CHANGELOG.md +13 -0
- data/cookbooks/mu-jenkins/LICENSE +37 -0
- data/cookbooks/mu-jenkins/README.md +105 -0
- data/cookbooks/mu-jenkins/attributes/default.rb +42 -0
- data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +73 -0
- data/cookbooks/mu-jenkins/files/default/deploy_config.xml +44 -0
- data/cookbooks/mu-jenkins/metadata.rb +21 -0
- data/cookbooks/mu-jenkins/recipes/default.rb +195 -0
- data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +54 -0
- data/cookbooks/mu-jenkins/recipes/public_key.rb +24 -0
- data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +24 -0
- data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +14 -0
- data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +6 -0
- data/cookbooks/mu-master/CHANGELOG.md +13 -0
- data/cookbooks/mu-master/LICENSE +37 -0
- data/cookbooks/mu-master/README.md +6 -0
- data/cookbooks/mu-master/attributes/default.rb +95 -0
- data/cookbooks/mu-master/files/default/0-mu-log-server.conf +19 -0
- data/cookbooks/mu-master/files/default/addRSA.ldif +8 -0
- data/cookbooks/mu-master/files/default/check_mem.pl +197 -0
- data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
- data/cookbooks/mu-master/files/default/dirsrv_admin.pp +0 -0
- data/cookbooks/mu-master/files/default/dirsrv_admin.te +13 -0
- data/cookbooks/mu-master/files/default/nagios_selinux.pp +0 -0
- data/cookbooks/mu-master/files/default/nagios_selinux.te +51 -0
- data/cookbooks/mu-master/files/default/nagios_selinux_7.pp +0 -0
- data/cookbooks/mu-master/files/default/nagios_selinux_7.te +17 -0
- data/cookbooks/mu-master/files/default/pam_sshd +18 -0
- data/cookbooks/mu-master/files/default/ssl_enable.ldif +18 -0
- data/cookbooks/mu-master/files/default/syslogd_oddjobd.pp +0 -0
- data/cookbooks/mu-master/files/default/syslogd_oddjobd.te +10 -0
- data/cookbooks/mu-master/files/default/vimrc +19 -0
- data/cookbooks/mu-master/libraries/mu.rb +29 -0
- data/cookbooks/mu-master/metadata.rb +30 -0
- data/cookbooks/mu-master/providers/user.rb +41 -0
- data/cookbooks/mu-master/recipes/389ds.rb +164 -0
- data/cookbooks/mu-master/recipes/basepackages.rb +58 -0
- data/cookbooks/mu-master/recipes/caching_nameserver.rb +37 -0
- data/cookbooks/mu-master/recipes/default.rb +451 -0
- data/cookbooks/mu-master/recipes/eks-kubectl.rb +41 -0
- data/cookbooks/mu-master/recipes/firewall-holes.rb +70 -0
- data/cookbooks/mu-master/recipes/init.rb +542 -0
- data/cookbooks/mu-master/recipes/ssl-certs.rb +109 -0
- data/cookbooks/mu-master/recipes/sssd.rb +89 -0
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +242 -0
- data/cookbooks/mu-master/recipes/vault.rb +111 -0
- data/cookbooks/mu-master/resources/user.rb +19 -0
- data/cookbooks/mu-master/templates/default/389-directory-setup.inf.erb +28 -0
- data/cookbooks/mu-master/templates/default/chef-server.rb.erb +18 -0
- data/cookbooks/mu-master/templates/default/dhclient-eth0.conf.erb +9 -0
- data/cookbooks/mu-master/templates/default/mu-momma-cat.erb +149 -0
- data/cookbooks/mu-master/templates/default/mu.rc.erb +9 -0
- data/cookbooks/mu-master/templates/default/openssl.cnf.erb +354 -0
- data/cookbooks/mu-master/templates/default/sssd.conf.erb +44 -0
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +90 -0
- data/cookbooks/mu-mongo/CHANGELOG.md +13 -0
- data/cookbooks/mu-mongo/LICENSE +37 -0
- data/cookbooks/mu-mongo/README.md +5 -0
- data/cookbooks/mu-mongo/attributes/default.rb +22 -0
- data/cookbooks/mu-mongo/files/default/keyfile +16 -0
- data/cookbooks/mu-mongo/files/default/remove_nodes.js +5 -0
- data/cookbooks/mu-mongo/metadata.rb +17 -0
- data/cookbooks/mu-mongo/recipes/default.rb +149 -0
- data/cookbooks/mu-mongo/recipes/yum-update-rule.rb +18 -0
- data/cookbooks/mu-mongo/templates/default/mongo_create_openfema_db.js.erb +2 -0
- data/cookbooks/mu-mongo/templates/default/mongo_init.js.erb +1 -0
- data/cookbooks/mu-mongo/templates/default/mongo_logrotate.erb +14 -0
- data/cookbooks/mu-mongo/templates/default/mongo_replset_addnodes.js.erb +6 -0
- data/cookbooks/mu-mongo/templates/default/replset_init.js.erb +2 -0
- data/cookbooks/mu-openvpn/CHANGELOG.md +13 -0
- data/cookbooks/mu-openvpn/LICENSE +37 -0
- data/cookbooks/mu-openvpn/README.md +6 -0
- data/cookbooks/mu-openvpn/attributes/default.rb +119 -0
- data/cookbooks/mu-openvpn/metadata.rb +18 -0
- data/cookbooks/mu-openvpn/recipes/default.rb +108 -0
- data/cookbooks/mu-openvpn/templates/default/users.json.erb +42 -0
- data/cookbooks/mu-php54/CHANGELOG.md +12 -0
- data/cookbooks/mu-php54/LICENSE +37 -0
- data/cookbooks/mu-php54/README.md +0 -0
- data/cookbooks/mu-php54/files/centos/php.ini +1802 -0
- data/cookbooks/mu-php54/files/ubuntu/php.ini +1870 -0
- data/cookbooks/mu-php54/metadata.rb +21 -0
- data/cookbooks/mu-php54/recipes/default.rb +97 -0
- data/cookbooks/mu-splunk/CHANGELOG.md +37 -0
- data/cookbooks/mu-splunk/LICENSE +37 -0
- data/cookbooks/mu-splunk/README.md +451 -0
- data/cookbooks/mu-splunk/attributes/default.rb +95 -0
- data/cookbooks/mu-splunk/attributes/upgrade.rb +49 -0
- data/cookbooks/mu-splunk/definitions/splunk_installer.rb +103 -0
- data/cookbooks/mu-splunk/files/default/splunk-nocheck +10 -0
- data/cookbooks/mu-splunk/libraries/helpers.rb +72 -0
- data/cookbooks/mu-splunk/libraries/splunk_app_provider.rb +156 -0
- data/cookbooks/mu-splunk/libraries/splunk_app_resource.rb +43 -0
- data/cookbooks/mu-splunk/metadata.json +30 -0
- data/cookbooks/mu-splunk/metadata.rb +17 -0
- data/cookbooks/mu-splunk/recipes/client.rb +143 -0
- data/cookbooks/mu-splunk/recipes/default.rb +31 -0
- data/cookbooks/mu-splunk/recipes/disabled.rb +41 -0
- data/cookbooks/mu-splunk/recipes/install_forwarder.rb +23 -0
- data/cookbooks/mu-splunk/recipes/install_server.rb +23 -0
- data/cookbooks/mu-splunk/recipes/server.rb +53 -0
- data/cookbooks/mu-splunk/recipes/service.rb +95 -0
- data/cookbooks/mu-splunk/recipes/setup_auth.rb +49 -0
- data/cookbooks/mu-splunk/recipes/setup_ssl.rb +63 -0
- data/cookbooks/mu-splunk/recipes/upgrade.rb +94 -0
- data/cookbooks/mu-splunk/recipes/user.rb +34 -0
- data/cookbooks/mu-splunk/templates/default/base_logs_unix_inputs.conf.erb +26 -0
- data/cookbooks/mu-splunk/templates/default/inputs.conf.erb +13 -0
- data/cookbooks/mu-splunk/templates/default/outputs.conf.erb +9 -0
- data/cookbooks/mu-splunk/templates/default/splunk-init.erb +74 -0
- data/cookbooks/mu-splunk/templates/default/system-web.conf.erb +7 -0
- data/cookbooks/mu-tools/CHANGELOG.md +12 -0
- data/cookbooks/mu-tools/LICENSE +37 -0
- data/cookbooks/mu-tools/README.md +188 -0
- data/cookbooks/mu-tools/attributes/default.rb +142 -0
- data/cookbooks/mu-tools/attributes/ebs_rolling_snapshots.rb +3 -0
- data/cookbooks/mu-tools/files/amazon/etc/freshclam.conf +235 -0
- data/cookbooks/mu-tools/files/centos/CentOS-Base.repo +52 -0
- data/cookbooks/mu-tools/files/centos/etc/bashrc +93 -0
- data/cookbooks/mu-tools/files/centos/etc/freshclam.conf +235 -0
- data/cookbooks/mu-tools/files/centos/etc/login.defs +72 -0
- data/cookbooks/mu-tools/files/centos/etc/profile +77 -0
- data/cookbooks/mu-tools/files/centos/etc/security/limits.conf +57 -0
- data/cookbooks/mu-tools/files/centos/etc/sysconfig/init +19 -0
- data/cookbooks/mu-tools/files/centos/etc/sysctl.conf +82 -0
- data/cookbooks/mu-tools/files/centos-6/README_MU +0 -0
- data/cookbooks/mu-tools/files/centos-6/etc/audit/stig.rules +173 -0
- data/cookbooks/mu-tools/files/centos-6/etc/bashrc +90 -0
- data/cookbooks/mu-tools/files/centos-6/etc/login.defs +70 -0
- data/cookbooks/mu-tools/files/centos-6/etc/pam.d/su +12 -0
- data/cookbooks/mu-tools/files/centos-6/etc/profile +83 -0
- data/cookbooks/mu-tools/files/centos-6/etc/securetty +12 -0
- data/cookbooks/mu-tools/files/centos-6/etc/sysconfig/init +30 -0
- data/cookbooks/mu-tools/files/centos-6/etc/sysctl.conf +40 -0
- data/cookbooks/mu-tools/files/default/Mu_CA.pem +34 -0
- data/cookbooks/mu-tools/files/default/PSWindowsUpdate.zip +0 -0
- data/cookbooks/mu-tools/files/default/ebs_snapshots.py +123 -0
- data/cookbooks/mu-tools/files/default/etc/BANNER +0 -0
- data/cookbooks/mu-tools/files/default/etc/BANNER-FEDERAL +19 -0
- data/cookbooks/mu-tools/files/default/gpo_no_uac.zip +0 -0
- data/cookbooks/mu-tools/files/default/mypol.pp +0 -0
- data/cookbooks/mu-tools/files/default/mypol.te +37 -0
- data/cookbooks/mu-tools/files/default/nrpe_c7.pp +0 -0
- data/cookbooks/mu-tools/files/default/nrpe_c7.te +31 -0
- data/cookbooks/mu-tools/files/default/nrpe_check_disk.pp +0 -0
- data/cookbooks/mu-tools/files/default/nrpe_check_disk.te +11 -0
- data/cookbooks/mu-tools/files/default/nrpe_disk.pp +0 -0
- data/cookbooks/mu-tools/files/default/nrpe_disk.te +10 -0
- data/cookbooks/mu-tools/files/default/nrpe_file.pp +0 -0
- data/cookbooks/mu-tools/files/default/nrpe_file.te +31 -0
- data/cookbooks/mu-tools/files/default/ntrights +0 -0
- data/cookbooks/mu-tools/files/default/serverclass.conf +18 -0
- data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/app.conf +1 -0
- data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/inputs.conf +13 -0
- data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/app.conf +1 -0
- data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/inputs.conf +8 -0
- data/cookbooks/mu-tools/files/default/sshd_pol.pp +0 -0
- data/cookbooks/mu-tools/files/default/sshd_pol.te +32 -0
- data/cookbooks/mu-tools/files/redhat/etc/bashrc +93 -0
- data/cookbooks/mu-tools/files/redhat/etc/freshclam.conf +235 -0
- data/cookbooks/mu-tools/files/redhat/etc/login.defs +72 -0
- data/cookbooks/mu-tools/files/redhat/etc/profile +77 -0
- data/cookbooks/mu-tools/files/redhat/etc/security/limits.conf +57 -0
- data/cookbooks/mu-tools/files/redhat/etc/sysconfig/init +19 -0
- data/cookbooks/mu-tools/files/redhat/etc/sysctl.conf +82 -0
- data/cookbooks/mu-tools/files/redhat-6/README_MU +0 -0
- data/cookbooks/mu-tools/files/redhat-6/etc/audit/stig.rules +173 -0
- data/cookbooks/mu-tools/files/redhat-6/etc/bashrc +90 -0
- data/cookbooks/mu-tools/files/redhat-6/etc/login.defs +70 -0
- data/cookbooks/mu-tools/files/redhat-6/etc/pam.d/su +12 -0
- data/cookbooks/mu-tools/files/redhat-6/etc/profile +83 -0
- data/cookbooks/mu-tools/files/redhat-6/etc/securetty +12 -0
- data/cookbooks/mu-tools/files/redhat-6/etc/sysconfig/init +30 -0
- data/cookbooks/mu-tools/files/redhat-6/etc/sysctl.conf +40 -0
- data/cookbooks/mu-tools/files/redhat-7.1/etc/freshclam.conf +235 -0
- data/cookbooks/mu-tools/files/ubuntu-12.04/etc/bash.bashrc +64 -0
- data/cookbooks/mu-tools/files/ubuntu-12.04/etc/common-session +30 -0
- data/cookbooks/mu-tools/files/ubuntu-12.04/etc/login.defs +338 -0
- data/cookbooks/mu-tools/files/ubuntu-12.04/etc/profile +30 -0
- data/cookbooks/mu-tools/files/ubuntu-12.04/etc/security/limits.conf +56 -0
- data/cookbooks/mu-tools/files/ubuntu-12.04/etc/sysctl.conf +60 -0
- data/cookbooks/mu-tools/libraries/helper.rb +292 -0
- data/cookbooks/mu-tools/metadata.rb +28 -0
- data/cookbooks/mu-tools/recipes/add_admin_ssh_keys.rb +35 -0
- data/cookbooks/mu-tools/recipes/apply_security.rb +440 -0
- data/cookbooks/mu-tools/recipes/aws_api.rb +23 -0
- data/cookbooks/mu-tools/recipes/base_repositories.rb +31 -0
- data/cookbooks/mu-tools/recipes/cisbenchmark.rb +59 -0
- data/cookbooks/mu-tools/recipes/clamav.rb +53 -0
- data/cookbooks/mu-tools/recipes/cloudinit.rb +58 -0
- data/cookbooks/mu-tools/recipes/configure_oracle_tools.rb +81 -0
- data/cookbooks/mu-tools/recipes/disable-requiretty.rb +22 -0
- data/cookbooks/mu-tools/recipes/ebs_rolling_snapshots.rb +75 -0
- data/cookbooks/mu-tools/recipes/efs.rb +70 -0
- data/cookbooks/mu-tools/recipes/eks.rb +160 -0
- data/cookbooks/mu-tools/recipes/gcloud.rb +98 -0
- data/cookbooks/mu-tools/recipes/google_api.rb +25 -0
- data/cookbooks/mu-tools/recipes/maldet.rb +67 -0
- data/cookbooks/mu-tools/recipes/nagios.rb +19 -0
- data/cookbooks/mu-tools/recipes/newclient.rb +23 -0
- data/cookbooks/mu-tools/recipes/nrpe.rb +115 -0
- data/cookbooks/mu-tools/recipes/python_pip.rb +35 -0
- data/cookbooks/mu-tools/recipes/retrieve_application.rb +51 -0
- data/cookbooks/mu-tools/recipes/rsyslog.rb +65 -0
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +57 -0
- data/cookbooks/mu-tools/recipes/set_mu_hostname.rb +81 -0
- data/cookbooks/mu-tools/recipes/split_var_partitions.rb +86 -0
- data/cookbooks/mu-tools/recipes/splunk-client.rb +69 -0
- data/cookbooks/mu-tools/recipes/splunk-server.rb +104 -0
- data/cookbooks/mu-tools/recipes/store_inspec_attr.rb +8 -0
- data/cookbooks/mu-tools/recipes/updates.rb +96 -0
- data/cookbooks/mu-tools/recipes/windows-client.rb +202 -0
- data/cookbooks/mu-tools/resources/aws_windows.rb +33 -0
- data/cookbooks/mu-tools/resources/disk.rb +88 -0
- data/cookbooks/mu-tools/resources/mommacat_request.rb +11 -0
- data/cookbooks/mu-tools/resources/scheduled_tasks.rb +29 -0
- data/cookbooks/mu-tools/resources/sshd_service.rb +45 -0
- data/cookbooks/mu-tools/resources/windows_users.rb +242 -0
- data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +168 -0
- data/cookbooks/mu-tools/templates/centos-6/sshd_config.erb +212 -0
- data/cookbooks/mu-tools/templates/centos-7/sshd_config.erb +215 -0
- data/cookbooks/mu-tools/templates/default/0-mu-log-client.conf.erb +13 -0
- data/cookbooks/mu-tools/templates/default/conf.maldet.erb +137 -0
- data/cookbooks/mu-tools/templates/default/etc_hosts.erb +30 -0
- data/cookbooks/mu-tools/templates/default/etc_pamd_password-auth.erb +14 -0
- data/cookbooks/mu-tools/templates/default/etc_pamd_system-auth.erb +14 -0
- data/cookbooks/mu-tools/templates/default/etc_sysconfig_network.erb +12 -0
- data/cookbooks/mu-tools/templates/default/kubeconfig.erb +29 -0
- data/cookbooks/mu-tools/templates/default/kubelet.service.erb +35 -0
- data/cookbooks/mu-tools/templates/default/maldet_scanall.sh.erb +15 -0
- data/cookbooks/mu-tools/templates/default/nrpe.cfg.erb +233 -0
- data/cookbooks/mu-tools/templates/redhat-6/sshd_config.erb +213 -0
- data/cookbooks/mu-tools/templates/redhat-7/sshd_config.erb +215 -0
- data/cookbooks/mu-tools/templates/ubuntu-12.04/sshd_config.erb +146 -0
- data/cookbooks/mu-tools/templates/ubuntu-14.04/sshd_config.erb +145 -0
- data/cookbooks/mu-tools/templates/windows/Backup.xml.erb +20 -0
- data/cookbooks/mu-tools/templates/windows/bkupInfo.xml.erb +1 -0
- data/cookbooks/mu-tools/templates/windows/gpreprt.xml.erb +214 -0
- data/cookbooks/mu-tools/templates/windows/gptmpl.inf.erb +12 -0
- data/cookbooks/mu-tools/templates/windows/manifest.xml.erb +1 -0
- data/cookbooks/mu-tools/templates/windows/set_ad_dns_scheduled_task.ps1.erb +6 -0
- data/cookbooks/mu-tools/templates/windows/sshd_config.erb +136 -0
- data/cookbooks/mu-utility/CHANGELOG.md +12 -0
- data/cookbooks/mu-utility/LICENSE +37 -0
- data/cookbooks/mu-utility/README.md +6 -0
- data/cookbooks/mu-utility/attributes/default.rb +1 -0
- data/cookbooks/mu-utility/libraries/matchers.rb +21 -0
- data/cookbooks/mu-utility/metadata.rb +16 -0
- data/cookbooks/mu-utility/recipes/apt.rb +23 -0
- data/cookbooks/mu-utility/recipes/cleanup_image_helper.rb +118 -0
- data/cookbooks/mu-utility/recipes/iptables.rb +26 -0
- data/cookbooks/mu-utility/recipes/luks.rb +18 -0
- data/cookbooks/mu-utility/recipes/nat.rb +104 -0
- data/cookbooks/mu-utility/recipes/php.rb +33 -0
- data/cookbooks/mu-utility/recipes/rdp_gateway.rb +83 -0
- data/cookbooks/mu-utility/recipes/remi.rb +44 -0
- data/cookbooks/mu-utility/recipes/vim.rb +26 -0
- data/cookbooks/mu-utility/recipes/windows_basics.rb +37 -0
- data/cookbooks/mu-utility/recipes/zip.rb +26 -0
- data/cookbooks/mu-utility/templates/default/BundleConfig.xml.erb +34 -0
- data/cookbooks/mu-utility/templates/default/config.xml.erb +60 -0
- data/cookbooks/nagios/Berksfile +8 -0
- data/cookbooks/nagios/CHANGELOG.md +589 -0
- data/cookbooks/nagios/CONTRIBUTING.md +11 -0
- data/cookbooks/nagios/LICENSE +37 -0
- data/cookbooks/nagios/README.md +328 -0
- data/cookbooks/nagios/TESTING.md +2 -0
- data/cookbooks/nagios/attributes/config.rb +171 -0
- data/cookbooks/nagios/attributes/default.rb +228 -0
- data/cookbooks/nagios/chefignore +102 -0
- data/cookbooks/nagios/definitions/command.rb +33 -0
- data/cookbooks/nagios/definitions/contact.rb +33 -0
- data/cookbooks/nagios/definitions/contactgroup.rb +33 -0
- data/cookbooks/nagios/definitions/host.rb +33 -0
- data/cookbooks/nagios/definitions/hostdependency.rb +33 -0
- data/cookbooks/nagios/definitions/hostescalation.rb +34 -0
- data/cookbooks/nagios/definitions/hostgroup.rb +33 -0
- data/cookbooks/nagios/definitions/nagios_conf.rb +38 -0
- data/cookbooks/nagios/definitions/resource.rb +33 -0
- data/cookbooks/nagios/definitions/service.rb +33 -0
- data/cookbooks/nagios/definitions/servicedependency.rb +33 -0
- data/cookbooks/nagios/definitions/serviceescalation.rb +34 -0
- data/cookbooks/nagios/definitions/servicegroup.rb +33 -0
- data/cookbooks/nagios/definitions/timeperiod.rb +33 -0
- data/cookbooks/nagios/libraries/base.rb +314 -0
- data/cookbooks/nagios/libraries/command.rb +91 -0
- data/cookbooks/nagios/libraries/contact.rb +230 -0
- data/cookbooks/nagios/libraries/contactgroup.rb +112 -0
- data/cookbooks/nagios/libraries/custom_option.rb +36 -0
- data/cookbooks/nagios/libraries/data_bag_helper.rb +23 -0
- data/cookbooks/nagios/libraries/default.rb +90 -0
- data/cookbooks/nagios/libraries/host.rb +412 -0
- data/cookbooks/nagios/libraries/hostdependency.rb +181 -0
- data/cookbooks/nagios/libraries/hostescalation.rb +173 -0
- data/cookbooks/nagios/libraries/hostgroup.rb +119 -0
- data/cookbooks/nagios/libraries/nagios.rb +282 -0
- data/cookbooks/nagios/libraries/resource.rb +59 -0
- data/cookbooks/nagios/libraries/service.rb +455 -0
- data/cookbooks/nagios/libraries/servicedependency.rb +215 -0
- data/cookbooks/nagios/libraries/serviceescalation.rb +195 -0
- data/cookbooks/nagios/libraries/servicegroup.rb +144 -0
- data/cookbooks/nagios/libraries/timeperiod.rb +160 -0
- data/cookbooks/nagios/libraries/users_helper.rb +54 -0
- data/cookbooks/nagios/metadata.rb +25 -0
- data/cookbooks/nagios/recipes/_load_databag_config.rb +153 -0
- data/cookbooks/nagios/recipes/_load_default_config.rb +241 -0
- data/cookbooks/nagios/recipes/apache.rb +48 -0
- data/cookbooks/nagios/recipes/default.rb +204 -0
- data/cookbooks/nagios/recipes/nginx.rb +82 -0
- data/cookbooks/nagios/recipes/pagerduty.rb +143 -0
- data/cookbooks/nagios/recipes/server_package.rb +40 -0
- data/cookbooks/nagios/recipes/server_source.rb +164 -0
- data/cookbooks/nagios/templates/default/apache2.conf.erb +96 -0
- data/cookbooks/nagios/templates/default/cgi.cfg.erb +266 -0
- data/cookbooks/nagios/templates/default/commands.cfg.erb +13 -0
- data/cookbooks/nagios/templates/default/contacts.cfg.erb +37 -0
- data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +25 -0
- data/cookbooks/nagios/templates/default/hosts.cfg.erb +15 -0
- data/cookbooks/nagios/templates/default/htpasswd.users.erb +6 -0
- data/cookbooks/nagios/templates/default/nagios.cfg.erb +22 -0
- data/cookbooks/nagios/templates/default/nginx.conf.erb +62 -0
- data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +185 -0
- data/cookbooks/nagios/templates/default/resource.cfg.erb +27 -0
- data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +15 -0
- data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +14 -0
- data/cookbooks/nagios/templates/default/services.cfg.erb +14 -0
- data/cookbooks/nagios/templates/default/templates.cfg.erb +31 -0
- data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +13 -0
- data/cookbooks/s3fs/CHANGELOG.md +13 -0
- data/cookbooks/s3fs/LICENSE +37 -0
- data/cookbooks/s3fs/README.md +6 -0
- data/cookbooks/s3fs/attributes/default.rb +15 -0
- data/cookbooks/s3fs/files/default/fuse-2.9.3.zip +0 -0
- data/cookbooks/s3fs/metadata.rb +16 -0
- data/cookbooks/s3fs/recipes/default.rb +91 -0
- data/data_bags/demo/app.json +7 -0
- data/data_bags/nagios_services/chef.json +6 -0
- data/data_bags/nagios_services/linux_diskspace.json +5 -0
- data/data_bags/nagios_services/momma_cat.json +6 -0
- data/data_bags/nagios_services/mu-master-memory.json +5 -0
- data/data_bags/nagios_services/nagios_ui.json +6 -0
- data/data_bags/nagios_services/node_ssh.json +6 -0
- data/data_bags/nagios_services/ssh.json +6 -0
- data/demo/lambda_test.yaml +29 -0
- data/environments/DEV.json +8 -0
- data/environments/PROD.json +8 -0
- data/environments/dev.json +8 -0
- data/environments/development.json +8 -0
- data/environments/prod.json +8 -0
- data/extras/README.md +1 -0
- data/extras/admin-role-binding.yaml +16 -0
- data/extras/admin-user.yaml +6 -0
- data/extras/aws-auth-cm.yaml.erb +12 -0
- data/extras/clean-stock-amis +48 -0
- data/extras/git-fix-permissions-hook +12 -0
- data/extras/gitlab-eks-helper.sh.erb +20 -0
- data/extras/image-generators/README.md +2 -0
- data/extras/image-generators/aws/centos6.yaml +18 -0
- data/extras/image-generators/aws/centos7-govcloud.yaml +24 -0
- data/extras/image-generators/aws/centos7.yaml +17 -0
- data/extras/image-generators/aws/rhel7.yaml +17 -0
- data/extras/image-generators/aws/win2k12.yaml +16 -0
- data/extras/image-generators/aws/win2k16.yaml +16 -0
- data/extras/image-generators/aws/windows.yaml +18 -0
- data/extras/image-generators/gcp/centos6.yaml +17 -0
- data/extras/lambda_waf_domain_blacklist.py +103 -0
- data/extras/platform_berksfile_base +50 -0
- data/extras/ruby_rpm/build.sh +17 -0
- data/extras/ruby_rpm/muby.spec +44 -0
- data/extras/vault_tools/README.md +6 -0
- data/extras/vault_tools/export_vaults.sh +3 -0
- data/extras/vault_tools/recreate_vaults.sh +5 -0
- data/extras/vault_tools/test_vaults.sh +5 -0
- data/install/README.md +8 -0
- data/install/cfn_create_mu_master.json +1034 -0
- data/install/chef-server.rb.erb +19 -0
- data/install/deprecated-bash-library.sh +1891 -0
- data/install/images/Usage.png +0 -0
- data/install/installer +71 -0
- data/install/jenkinskeys.rb +8 -0
- data/install/user-dot-murc.erb +14 -0
- data/modules/html.erb +19 -0
- data/modules/mommacat.ru +426 -0
- data/modules/mu/cleanup.rb +339 -0
- data/modules/mu/cloud.rb +1446 -0
- data/modules/mu/clouds/README.md +201 -0
- data/modules/mu/clouds/aws/alarm.rb +319 -0
- data/modules/mu/clouds/aws/cache_cluster.rb +1010 -0
- data/modules/mu/clouds/aws/collection.rb +373 -0
- data/modules/mu/clouds/aws/container_cluster.rb +667 -0
- data/modules/mu/clouds/aws/database.rb +1836 -0
- data/modules/mu/clouds/aws/dnszone.rb +911 -0
- data/modules/mu/clouds/aws/firewall_rule.rb +641 -0
- data/modules/mu/clouds/aws/folder.rb +92 -0
- data/modules/mu/clouds/aws/function.rb +349 -0
- data/modules/mu/clouds/aws/group.rb +251 -0
- data/modules/mu/clouds/aws/loadbalancer.rb +888 -0
- data/modules/mu/clouds/aws/log.rb +363 -0
- data/modules/mu/clouds/aws/msg_queue.rb +480 -0
- data/modules/mu/clouds/aws/notification.rb +139 -0
- data/modules/mu/clouds/aws/role.rb +656 -0
- data/modules/mu/clouds/aws/search_domain.rb +646 -0
- data/modules/mu/clouds/aws/server.rb +2294 -0
- data/modules/mu/clouds/aws/server_pool.rb +1388 -0
- data/modules/mu/clouds/aws/storage_pool.rb +495 -0
- data/modules/mu/clouds/aws/user.rb +382 -0
- data/modules/mu/clouds/aws/userdata/README.md +4 -0
- data/modules/mu/clouds/aws/userdata/linux.erb +179 -0
- data/modules/mu/clouds/aws/userdata/windows.erb +278 -0
- data/modules/mu/clouds/aws/vpc.rb +1943 -0
- data/modules/mu/clouds/aws.rb +1009 -0
- data/modules/mu/clouds/cloudformation/alarm.rb +146 -0
- data/modules/mu/clouds/cloudformation/cache_cluster.rb +167 -0
- data/modules/mu/clouds/cloudformation/collection.rb +117 -0
- data/modules/mu/clouds/cloudformation/database.rb +278 -0
- data/modules/mu/clouds/cloudformation/dnszone.rb +274 -0
- data/modules/mu/clouds/cloudformation/firewall_rule.rb +308 -0
- data/modules/mu/clouds/cloudformation/loadbalancer.rb +193 -0
- data/modules/mu/clouds/cloudformation/log.rb +170 -0
- data/modules/mu/clouds/cloudformation/server.rb +370 -0
- data/modules/mu/clouds/cloudformation/server_pool.rb +279 -0
- data/modules/mu/clouds/cloudformation/vpc.rb +322 -0
- data/modules/mu/clouds/cloudformation.rb +733 -0
- data/modules/mu/clouds/docker.rb +30 -0
- data/modules/mu/clouds/google/container_cluster.rb +290 -0
- data/modules/mu/clouds/google/database.rb +152 -0
- data/modules/mu/clouds/google/firewall_rule.rb +267 -0
- data/modules/mu/clouds/google/group.rb +164 -0
- data/modules/mu/clouds/google/loadbalancer.rb +479 -0
- data/modules/mu/clouds/google/server.rb +1510 -0
- data/modules/mu/clouds/google/server_pool.rb +274 -0
- data/modules/mu/clouds/google/user.rb +266 -0
- data/modules/mu/clouds/google/userdata/README.md +4 -0
- data/modules/mu/clouds/google/userdata/linux.erb +137 -0
- data/modules/mu/clouds/google/userdata/windows.erb +275 -0
- data/modules/mu/clouds/google/vpc.rb +890 -0
- data/modules/mu/clouds/google.rb +811 -0
- data/modules/mu/config/README.md +11 -0
- data/modules/mu/config/alarm.rb +271 -0
- data/modules/mu/config/cache_cluster.rb +172 -0
- data/modules/mu/config/collection.rb +87 -0
- data/modules/mu/config/container_cluster.rb +103 -0
- data/modules/mu/config/container_cluster.yml +36 -0
- data/modules/mu/config/database.rb +458 -0
- data/modules/mu/config/database.yml +26 -0
- data/modules/mu/config/dnszone.rb +327 -0
- data/modules/mu/config/firewall_rule.rb +118 -0
- data/modules/mu/config/folder.rb +70 -0
- data/modules/mu/config/function.rb +140 -0
- data/modules/mu/config/group.rb +64 -0
- data/modules/mu/config/loadbalancer.rb +482 -0
- data/modules/mu/config/log.rb +47 -0
- data/modules/mu/config/log.yml +6 -0
- data/modules/mu/config/msg_queue.rb +47 -0
- data/modules/mu/config/msg_queue.yml +9 -0
- data/modules/mu/config/notification.rb +44 -0
- data/modules/mu/config/project.rb +71 -0
- data/modules/mu/config/role.rb +102 -0
- data/modules/mu/config/search_domain.rb +61 -0
- data/modules/mu/config/search_domain.yml +25 -0
- data/modules/mu/config/server.rb +587 -0
- data/modules/mu/config/server.yml +8 -0
- data/modules/mu/config/server_pool.rb +216 -0
- data/modules/mu/config/server_pool.yml +71 -0
- data/modules/mu/config/storage_pool.rb +145 -0
- data/modules/mu/config/user.rb +78 -0
- data/modules/mu/config/vpc.rb +743 -0
- data/modules/mu/config/vpc.yml +6 -0
- data/modules/mu/config.rb +2000 -0
- data/modules/mu/defaults/README.md +2 -0
- data/modules/mu/defaults/amazon_images.yaml +121 -0
- data/modules/mu/defaults/google_images.yaml +16 -0
- data/modules/mu/deploy.rb +686 -0
- data/modules/mu/groomer.rb +123 -0
- data/modules/mu/groomers/README.md +58 -0
- data/modules/mu/groomers/chef.rb +1024 -0
- data/modules/mu/kittens.rb +11319 -0
- data/modules/mu/logger.rb +208 -0
- data/modules/mu/master/README.md +27 -0
- data/modules/mu/master/chef.rb +471 -0
- data/modules/mu/master/ldap.rb +1005 -0
- data/modules/mu/master.rb +415 -0
- data/modules/mu/mommacat.rb +2703 -0
- data/modules/mu-load-config.rb +1 -0
- data/modules/mu.rb +724 -0
- data/modules/scratchpad.erb +1 -0
- data/modules/tests/super_complex_bok.yml +41 -0
- data/modules/tests/super_simple_bok.yml +40 -0
- data/mu.gemspec +62 -0
- data/roles/demo-dbservice-configure.json +19 -0
- data/roles/demo-portal-configure.json +19 -0
- data/roles/mu-master-jenkins.json +24 -0
- data/roles/mu-master-nagios-only.json +13 -0
- data/roles/mu-master.json +12 -0
- data/roles/mu-node.json +19 -0
- data/roles/mu-splunk-server.json +13 -0
- data/roles/mu-splunk.json +13 -0
- data/test/clean_up.py +25 -0
- data/test/demo-test-profile/README.md +3 -0
- data/test/demo-test-profile/controls/flask.rb +84 -0
- data/test/demo-test-profile/inspec.lock +7 -0
- data/test/demo-test-profile/inspec.yml +11 -0
- data/test/etco-test-profile/README.md +3 -0
- data/test/etco-test-profile/controls/all-in-one.rb +182 -0
- data/test/etco-test-profile/inspec.lock +7 -0
- data/test/etco-test-profile/inspec.yml +11 -0
- data/test/exec_inspec.py +246 -0
- data/test/exec_mu_install.py +241 -0
- data/test/exec_retry.py +44 -0
- data/test/mu-master-test/README.md +3 -0
- data/test/mu-master-test/controls/all_in_one.rb +557 -0
- data/test/mu-master-test/inspec.lock +3 -0
- data/test/mu-master-test/inspec.yml +11 -0
- data/test/mu-tools-test/README.md +3 -0
- data/test/mu-tools-test/controls/base.rb +265 -0
- data/test/mu-tools-test/inspec.lock +3 -0
- data/test/mu-tools-test/inspec.yml +8 -0
- data/test/simple-server-php-test/README.md +3 -0
- data/test/simple-server-php-test/controls/apachephp.rb +25 -0
- data/test/simple-server-php-test/controls/example.rb +19 -0
- data/test/simple-server-php-test/inspec.lock +7 -0
- data/test/simple-server-php-test/inspec.yml +12 -0
- data/test/simple-server-rails-test/README.md +3 -0
- data/test/simple-server-rails-test/controls/rails.rb +188 -0
- data/test/simple-server-rails-test/inspec.lock +7 -0
- data/test/simple-server-rails-test/inspec.yml +11 -0
- data/test/simple-windows-test/README.md +3 -0
- data/test/simple-windows-test/controls/windows.rb +20 -0
- data/test/simple-windows-test/inspec.lock +7 -0
- data/test/simple-windows-test/inspec.yml +11 -0
- data/test/smoke_test.rb +75 -0
- data/test/wordpress-test/README.md +3 -0
- data/test/wordpress-test/controls/wordpress.rb +97 -0
- data/test/wordpress-test/inspec.lock +7 -0
- data/test/wordpress-test/inspec.yml +11 -0
- metadata +979 -0
|
@@ -0,0 +1,215 @@
|
|
|
1
|
+
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
|
|
2
|
+
|
|
3
|
+
# This is the sshd server system-wide configuration file. See
|
|
4
|
+
# sshd_config(5) for more information.
|
|
5
|
+
|
|
6
|
+
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
|
|
7
|
+
|
|
8
|
+
# The strategy used for options in the default sshd_config shipped with
|
|
9
|
+
# OpenSSH is to specify options with their default value where
|
|
10
|
+
# possible, but leave them commented. Uncommented options override the
|
|
11
|
+
# default value.
|
|
12
|
+
|
|
13
|
+
# If you want to change the port on a SELinux system, you have to tell
|
|
14
|
+
# SELinux about this change.
|
|
15
|
+
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
|
16
|
+
#
|
|
17
|
+
#Port 22
|
|
18
|
+
#AddressFamily any
|
|
19
|
+
#ListenAddress 0.0.0.0
|
|
20
|
+
#ListenAddress ::
|
|
21
|
+
|
|
22
|
+
# The default requires explicit activation of protocol 1
|
|
23
|
+
#Protocol 2
|
|
24
|
+
|
|
25
|
+
# HostKey for protocol version 1
|
|
26
|
+
#HostKey /etc/ssh/ssh_host_key
|
|
27
|
+
# HostKeys for protocol version 2
|
|
28
|
+
HostKey /etc/ssh/ssh_host_rsa_key
|
|
29
|
+
#HostKey /etc/ssh/ssh_host_dsa_key
|
|
30
|
+
HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
31
|
+
HostKey /etc/ssh/ssh_host_ed25519_key
|
|
32
|
+
|
|
33
|
+
# Lifetime and size of ephemeral version 1 server key
|
|
34
|
+
#KeyRegenerationInterval 1h
|
|
35
|
+
#ServerKeyBits 1024
|
|
36
|
+
|
|
37
|
+
# Logging
|
|
38
|
+
# obsoletes QuietMode and FascistLogging
|
|
39
|
+
#SyslogFacility AUTH
|
|
40
|
+
SyslogFacility AUTHPRIV
|
|
41
|
+
LogLevel INFO
|
|
42
|
+
|
|
43
|
+
# Authentication:
|
|
44
|
+
|
|
45
|
+
#LoginGraceTime 2m
|
|
46
|
+
#PermitRootLogin yes
|
|
47
|
+
#StrictModes yes
|
|
48
|
+
MaxAuthTries 4
|
|
49
|
+
#MaxSessions 10
|
|
50
|
+
|
|
51
|
+
#RSAAuthentication yes
|
|
52
|
+
#PubkeyAuthentication yes
|
|
53
|
+
|
|
54
|
+
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
|
55
|
+
# but this is overridden so installations will only check .ssh/authorized_keys
|
|
56
|
+
AuthorizedKeysFile .ssh/authorized_keys
|
|
57
|
+
|
|
58
|
+
#AuthorizedPrincipalsFile none
|
|
59
|
+
|
|
60
|
+
#AuthorizedKeysCommand none
|
|
61
|
+
#AuthorizedKeysCommandUser nobody
|
|
62
|
+
|
|
63
|
+
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
|
64
|
+
#RhostsRSAAuthentication no
|
|
65
|
+
# similar for protocol version 2
|
|
66
|
+
HostbasedAuthentication no
|
|
67
|
+
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
|
68
|
+
# RhostsRSAAuthentication and HostbasedAuthentication
|
|
69
|
+
#IgnoreUserKnownHosts no
|
|
70
|
+
# Don't read the user's ~/.rhosts and ~/.shosts files
|
|
71
|
+
IgnoreRhosts yes
|
|
72
|
+
|
|
73
|
+
# To disable tunneled clear text passwords, change to no here!
|
|
74
|
+
#PasswordAuthentication yes
|
|
75
|
+
PermitEmptyPasswords no
|
|
76
|
+
<% begin
|
|
77
|
+
if node['application_attributes']['sshd_allow_password_auth'] %>
|
|
78
|
+
PasswordAuthentication yes
|
|
79
|
+
<%
|
|
80
|
+
else %>
|
|
81
|
+
PasswordAuthentication no
|
|
82
|
+
<% end
|
|
83
|
+
rescue NoMethodError %>
|
|
84
|
+
PasswordAuthentication no
|
|
85
|
+
<% end %>
|
|
86
|
+
|
|
87
|
+
|
|
88
|
+
# Change to no to disable s/key passwords
|
|
89
|
+
#ChallengeResponseAuthentication yes
|
|
90
|
+
ChallengeResponseAuthentication no
|
|
91
|
+
|
|
92
|
+
# Kerberos options
|
|
93
|
+
#KerberosAuthentication no
|
|
94
|
+
#KerberosOrLocalPasswd yes
|
|
95
|
+
#KerberosTicketCleanup yes
|
|
96
|
+
#KerberosGetAFSToken no
|
|
97
|
+
#KerberosUseKuserok yes
|
|
98
|
+
|
|
99
|
+
# GSSAPI options
|
|
100
|
+
#GSSAPIAuthentication no
|
|
101
|
+
GSSAPIAuthentication yes
|
|
102
|
+
GSSAPICleanupCredentials yes
|
|
103
|
+
#GSSAPIStrictAcceptorCheck yes
|
|
104
|
+
#GSSAPIKeyExchange no
|
|
105
|
+
#GSSAPIEnablek5users no
|
|
106
|
+
|
|
107
|
+
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
108
|
+
# and session processing. If this is enabled, PAM authentication will
|
|
109
|
+
# be allowed through the ChallengeResponseAuthentication and
|
|
110
|
+
# PasswordAuthentication. Depending on your PAM configuration,
|
|
111
|
+
# PAM authentication via ChallengeResponseAuthentication may bypass
|
|
112
|
+
# the setting of "PermitRootLogin without-password".
|
|
113
|
+
# If you just want the PAM account and session checks to run without
|
|
114
|
+
# PAM authentication, then enable this but set PasswordAuthentication
|
|
115
|
+
# and ChallengeResponseAuthentication to 'no'.
|
|
116
|
+
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
|
|
117
|
+
# problems.
|
|
118
|
+
UsePAM yes
|
|
119
|
+
|
|
120
|
+
# Accept locale-related environment variables
|
|
121
|
+
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
122
|
+
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
123
|
+
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
124
|
+
AcceptEnv XMODIFIERS
|
|
125
|
+
|
|
126
|
+
#AllowAgentForwarding yes
|
|
127
|
+
#AllowTcpForwarding yes
|
|
128
|
+
#GatewayPorts no
|
|
129
|
+
X11Forwarding no
|
|
130
|
+
#X11DisplayOffset 10
|
|
131
|
+
#X11UseLocalhost yes
|
|
132
|
+
#PermitTTY yes
|
|
133
|
+
#PrintMotd yes
|
|
134
|
+
#PrintLastLog yes
|
|
135
|
+
#TCPKeepAlive yes
|
|
136
|
+
#UseLogin no
|
|
137
|
+
UsePrivilegeSeparation sandbox # Default for new installations.
|
|
138
|
+
#PermitUserEnvironment no
|
|
139
|
+
#Compression delayed
|
|
140
|
+
ClientAliveInterval 300
|
|
141
|
+
ClientAliveCountMax 0
|
|
142
|
+
#ShowPatchLevel no
|
|
143
|
+
#UseDNS yes
|
|
144
|
+
#PidFile /var/run/sshd.pid
|
|
145
|
+
#MaxStartups 10:30:100
|
|
146
|
+
#PermitTunnel no
|
|
147
|
+
#ChrootDirectory none
|
|
148
|
+
#VersionAddendum none
|
|
149
|
+
|
|
150
|
+
# no default banner path
|
|
151
|
+
#Banner none
|
|
152
|
+
Banner /etc/issue.net
|
|
153
|
+
|
|
154
|
+
# override default of no subsystems
|
|
155
|
+
Subsystem sftp /usr/libexec/openssh/sftp-server
|
|
156
|
+
|
|
157
|
+
# Example of overriding settings on a per-user basis
|
|
158
|
+
#Match User anoncvs
|
|
159
|
+
# X11Forwarding no
|
|
160
|
+
# AllowTcpForwarding no
|
|
161
|
+
# PermitTTY no
|
|
162
|
+
# ForceCommand cvs server
|
|
163
|
+
PermitRootLogin without-password
|
|
164
|
+
UseDNS no
|
|
165
|
+
|
|
166
|
+
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
|
|
167
|
+
|
|
168
|
+
# If we've set AllowGroups, use that instead of restricting to centos
|
|
169
|
+
<%
|
|
170
|
+
begin
|
|
171
|
+
if !node['application_attributes']['sshd_allow_groups'].empty? %>
|
|
172
|
+
AllowGroups <%= node['application_attributes']['sshd_allow_groups'] %> root
|
|
173
|
+
<%
|
|
174
|
+
else
|
|
175
|
+
%>
|
|
176
|
+
AllowUsers centos root
|
|
177
|
+
<%
|
|
178
|
+
end
|
|
179
|
+
rescue NoMethodError %>
|
|
180
|
+
AllowUsers centos root
|
|
181
|
+
<%
|
|
182
|
+
end
|
|
183
|
+
%>
|
|
184
|
+
|
|
185
|
+
# Support SVN-only servers, while we're at it
|
|
186
|
+
<%
|
|
187
|
+
begin
|
|
188
|
+
if node['application_attributes']['svn_only_group'] %>
|
|
189
|
+
Match Group <%= node['application_attributes']['svn_only_group'] %>
|
|
190
|
+
ForceCommand /usr/bin/svnserve -t
|
|
191
|
+
<%
|
|
192
|
+
end
|
|
193
|
+
rescue NoMethodError
|
|
194
|
+
end
|
|
195
|
+
%>
|
|
196
|
+
|
|
197
|
+
# Support SFTP-only servers, while we're at it
|
|
198
|
+
<%
|
|
199
|
+
begin
|
|
200
|
+
if node['application_attributes']['sftp_only_group'] %>
|
|
201
|
+
Match Group <%= node['application_attributes']['sftp_only_group'] %>
|
|
202
|
+
ForceCommand internal-sftp
|
|
203
|
+
<% begin
|
|
204
|
+
if node['application_attributes']['sftp_chroot'] %>
|
|
205
|
+
ChrootDirectory <%= node['application_attributes']['sftp_chroot'] %>
|
|
206
|
+
<%
|
|
207
|
+
end
|
|
208
|
+
rescue NoMethodError %>
|
|
209
|
+
ChrootDirectory /home/
|
|
210
|
+
<%
|
|
211
|
+
end
|
|
212
|
+
end
|
|
213
|
+
rescue NoMethodError
|
|
214
|
+
end
|
|
215
|
+
%>
|
|
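Review bot: The `rescue NoMethodError` fallback that emits `ChrootDirectory /home/` (hunk lines 203–209) looks unreachable: getting there requires `node['application_attributes']['sftp_only_group']` on line 200 to have succeeded, so a missing `sftp_chroot` attribute yields nil rather than an exception, and the `Match Group` block is then written with `ForceCommand internal-sftp` and no `ChrootDirectory`, leaving the SFTP-only group unconfined. Replacing the inner `begin`/`rescue` with `<% if node['application_attributes']['sftp_chroot'] %>` … `<% else %>` `ChrootDirectory /home/` `<% end %>` makes the default explicit and reachable. Separately, line 166 pins `Ciphers` but leaves `MACs` at the server default, which on the OpenSSH generation this header (line 1) is taken from likely still includes SHA-1 based MACs; a `MACs hmac-sha2-256,hmac-sha2-512` line alongside it closes that gap.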
@@ -0,0 +1,13 @@
|
|
|
1
|
+
$LocalHostName <%= node.name %>
|
|
2
|
+
|
|
3
|
+
<% if !@syslog_server.nil? %>
|
|
4
|
+
# certificate files - just CA for a client
|
|
5
|
+
$DefaultNetstreamDriverCAFile <%= @ssl_ca_path %>
|
|
6
|
+
|
|
7
|
+
|
|
8
|
+
# set up the action
|
|
9
|
+
$DefaultNetstreamDriver gtls # use gtls netstream driver
|
|
10
|
+
$ActionSendStreamDriverMode 1 # require TLS for the connection
|
|
11
|
+
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
|
|
12
|
+
*.* @@(o)<%= @syslog_server %>:10514 # send (all) messages
|
|
13
|
+
<% end rescue NoMethodError %>
|
|
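Review bot: `$ActionSendStreamDriverAuthMode anon` (hunk line 11) means the client never verifies the collector's certificate, so the `$DefaultNetstreamDriverCAFile` set on line 5 is loaded but unused and the TLS session only guards against passive capture; whatever answers on the configured server's port 10514 receives the logs. If the collector presents a certificate issued by the CA in `@ssl_ca_path`, switching to `$ActionSendStreamDriverAuthMode x509/name` and adding `$ActionSendStreamDriverPermittedPeer <%= @syslog_server %>` pins the peer. The `# server is NOT authenticated` comment should then be updated, or, if anonymous mode is deliberate, say why.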
@@ -0,0 +1,137 @@
|
|
|
1
|
+
#!/bin/bash
|
|
2
|
+
#
|
|
3
|
+
##
|
|
4
|
+
# Linux Malware Detect v1.4.2
|
|
5
|
+
# (C) 2002-2013, R-fx Networks <proj@r-fx.org>
|
|
6
|
+
# (C) 2013, Ryan MacDonald <ryan@r-fx.org>
|
|
7
|
+
# inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
|
|
8
|
+
# This program may be freely redistributed under the terms of the GNU GPL v2
|
|
9
|
+
##
|
|
10
|
+
#
|
|
11
|
+
|
|
12
|
+
##
|
|
13
|
+
# [ EMAIL ALERTS ]
|
|
14
|
+
##
|
|
15
|
+
# The default email alert toggle
|
|
16
|
+
# [0 = disabled, 1 = enabled]
|
|
17
|
+
email_alert=1
|
|
18
|
+
|
|
19
|
+
# The subject line for email alerts
|
|
20
|
+
email_subj="maldet alert from $(hostname)"
|
|
21
|
+
|
|
22
|
+
# The destination addresses for email alerts
|
|
23
|
+
# [ values are comma (,) spaced ]
|
|
24
|
+
<% if !node.nil? and !node['admins'].nil? %>
|
|
25
|
+
email_addr="<%= node['admins'].join(', ') %>"
|
|
26
|
+
<% else %>
|
|
27
|
+
email_addr="root@localhost"
|
|
28
|
+
<% end rescue NoMethodError %>
|
|
29
|
+
|
|
30
|
+
# Ignore e-mail alerts for reports in which all hits have been cleaned.
|
|
31
|
+
# This is ideal on very busy servers where cleaned hits can drown out
|
|
32
|
+
# other more actionable reports.
|
|
33
|
+
email_ignore_clean=0
|
|
34
|
+
|
|
35
|
+
##
|
|
36
|
+
# [ QUARANTINE OPTIONS ]
|
|
37
|
+
##
|
|
38
|
+
# The default quarantine action for malware hits
|
|
39
|
+
# [0 = alert only, 1 = move to quarantine & alert]
|
|
40
|
+
quar_hits=0
|
|
41
|
+
|
|
42
|
+
# Try to clean string based malware injections
|
|
43
|
+
# [NOTE: quar_hits=1 required]
|
|
44
|
+
# [0 = disabled, 1 = clean]
|
|
45
|
+
quar_clean=1
|
|
46
|
+
|
|
47
|
+
# The default suspend action for users wih hits
|
|
48
|
+
# Cpanel suspend or set shell /bin/false on non-Cpanel
|
|
49
|
+
# [NOTE: quar_hits=1 required]
|
|
50
|
+
# [0 = disabled, 1 = suspend account]
|
|
51
|
+
quar_susp=0
|
|
52
|
+
# minimum userid that can be suspended
|
|
53
|
+
quar_susp_minuid=500
|
|
54
|
+
|
|
55
|
+
##
|
|
56
|
+
# [ SCAN OPTIONS ]
|
|
57
|
+
##
|
|
58
|
+
# The maximum directory depth that the scanner will search
|
|
59
|
+
# [ changing this may have an impact on scan performance ]
|
|
60
|
+
maxdepth=15
|
|
61
|
+
|
|
62
|
+
# The minimum in bytes for a file to be included in a scan
|
|
63
|
+
# [ changing this may have an impact on scan performance ]
|
|
64
|
+
minfilesize=32
|
|
65
|
+
|
|
66
|
+
# The maximum file size for a file to be included in scan
|
|
67
|
+
# search results; use man find for accepted values
|
|
68
|
+
# [ changing this may have an impact on scan performance ]
|
|
69
|
+
maxfilesize="768k"
|
|
70
|
+
|
|
71
|
+
# The maximum byte depth that the scanner will search into
|
|
72
|
+
# a files contents; default rules expect a 1024*60 depth
|
|
73
|
+
# [ changing this may have an impact on scan performance ]
|
|
74
|
+
hexdepth=61440
|
|
75
|
+
|
|
76
|
+
# Use named pipe (FIFO) for passing file contents hex data
|
|
77
|
+
# instead of stdin default; improved performance and greater
|
|
78
|
+
# scanning depth
|
|
79
|
+
# [ 0 = disabled, 1 = enabled; enabled by default ]
|
|
80
|
+
hex_fifo_scan=1
|
|
81
|
+
|
|
82
|
+
# The maximum byte depth that the scanner will search into
|
|
83
|
+
# a files contents; default rules expect a 1024*60 depth
|
|
84
|
+
# [ changing this may have an impact on scan performance ]
|
|
85
|
+
hex_fifo_depth=524288
|
|
86
|
+
|
|
87
|
+
# Attempt to detect the presence of ClamAV clamscan binary
|
|
88
|
+
# and use as default scanner engine; up to four times faster
|
|
89
|
+
# scan performance and superior hex analysis. This option
|
|
90
|
+
# only uses ClamAV as the scanner engine, LMD signatures
|
|
91
|
+
# are still the basis for detecting threats.
|
|
92
|
+
# [ 0 = disabled, 1 = enabled; enabled by default ]
|
|
93
|
+
clamav_scan=1
|
|
94
|
+
|
|
95
|
+
# Allow non-root users to perform malware scans. This must be
|
|
96
|
+
# enabled when using mod_security2 upload scanning or if you
|
|
97
|
+
# want to allow users to perform scans. When enabled, this will
|
|
98
|
+
# populate the /usr/local/maldetect/pub/ path with user owned
|
|
99
|
+
# quarantine, session and temporary paths to faciliate scans.
|
|
100
|
+
# These paths are populated through cron every 10min with the
|
|
101
|
+
# /etc/cron.d/maldet_pub cronjob.
|
|
102
|
+
public_scan=0
|
|
103
|
+
|
|
104
|
+
##
|
|
105
|
+
# [ STATISTICAL ANALYSIS ]
|
|
106
|
+
##
|
|
107
|
+
# The string length test is used to identify threats based on the
|
|
108
|
+
# length of the longest uninterrupted string within a file. This is
|
|
109
|
+
# useful as obfuscated code is often stored using encoding methods
|
|
110
|
+
# that produce very long strings without spaces (e.g: base64)
|
|
111
|
+
# [ string length in characters, default = 150000 ]
|
|
112
|
+
string_length_scan="0" # [ 0 = disabled, 1 = enabled ]
|
|
113
|
+
string_length="150000" # [ max string length ]
|
|
114
|
+
|
|
115
|
+
##
|
|
116
|
+
# [ MONITORING OPTIONS ]
|
|
117
|
+
##
|
|
118
|
+
# The base number of files that can be watched under a path
|
|
119
|
+
# [ maximum file watches = inotify_base_watches*users ]
|
|
120
|
+
inotify_base_watches=15360
|
|
121
|
+
|
|
122
|
+
# The sleep time in seconds between monitor runs to scan files
|
|
123
|
+
# that have been created/modified/moved
|
|
124
|
+
inotify_stime=30
|
|
125
|
+
|
|
126
|
+
# The minimum userid that will be added to path monitoring when
|
|
127
|
+
# the USERS option is specified
|
|
128
|
+
inotify_minuid=500
|
|
129
|
+
|
|
130
|
+
# This is the html/web root for users relative to homedir, when
|
|
131
|
+
# this option is set, users will only have the webdir monitored
|
|
132
|
+
# [ clear option to default monitor entire user homedir ]
|
|
133
|
+
inotify_webdir=public_html
|
|
134
|
+
|
|
135
|
+
# The priority that monitoring process will run as
|
|
136
|
+
# [ -19 = high prio , 19 = low prio, default = 10 ]
|
|
137
|
+
inotify_nice=10
|
|
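Review bot: `email_addr="<%= node['admins'].join(', ') %>"` (hunk line 25) is written into a file that maldet sources as shell, so an element of `node['admins']` containing `"`, `$(` or a backtick changes what the scanner executes rather than just the recipient list; escaping the joined value with `Shellwords.escape` or validating the entries as mail addresses in the recipe before rendering keeps the attribute data inert. The comment block on lines 82–84 is a copy of the `hexdepth` comment (71–73) and does not describe `hex_fifo_depth`; replace it with a comment that refers to the FIFO scan path described on lines 76–80.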
@@ -0,0 +1,30 @@
|
|
|
1
|
+
::1 localhost6.localdomain6 localhost6
|
|
2
|
+
<%= @ipaddress %> <%= @hostname %>
|
|
3
|
+
127.0.0.1 localhost
|
|
4
|
+
<% if !@nodes.nil? and !@nodes.empty?
|
|
5
|
+
@nodes.each{ |n|
|
|
6
|
+
# doing only private IPs although that can be problematic
|
|
7
|
+
# if the same deploy has cross VPC or cross region resources
|
|
8
|
+
if n.name != @hostname %>
|
|
9
|
+
<%= n.ipaddress %> <%= n.name %>
|
|
10
|
+
<%
|
|
11
|
+
end
|
|
12
|
+
}
|
|
13
|
+
else
|
|
14
|
+
if !node['deployment'].nil? and !node['deployment']['servers'].nil?
|
|
15
|
+
node['deployment']['servers'].each_pair { |nodetype, sibling_struct|
|
|
16
|
+
next if !sibling_struct.is_a?(Hash)
|
|
17
|
+
sibling = sibling_struct.values.each { |sibling|
|
|
18
|
+
next if !sibling.is_a?(Hash)
|
|
19
|
+
next if sibling['nodename'] == @hostname
|
|
20
|
+
if !sibling['public_ip_address'].nil? %>
|
|
21
|
+
<%= sibling['public_ip_address'] %> <%= sibling['nodename'] %>
|
|
22
|
+
<% else %>
|
|
23
|
+
<%= sibling['private_ip_address'] %> <%= sibling['nodename'] %>
|
|
24
|
+
<%
|
|
25
|
+
end
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
%>
|
|
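Review bot: The `node['deployment']['servers']` branch (hunk lines 20–23) prefers `public_ip_address` and only falls back to `private_ip_address`, while the `@nodes` branch and its comment on lines 6–7 deliberately record private addresses only; siblings with a public address therefore resolve to it, and traffic between deployment members takes the public path whenever such an address exists. If private-first is the intended policy, swapping the test to `if !sibling['private_ip_address'].nil? %>` with the public address as the fallback makes both branches agree. The `sibling = sibling_struct.values.each { |sibling|` assignment on line 17 stores the return value of `each` and shadows the block parameter; dropping the `sibling =` prefix removes the confusion without changing output.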
@@ -0,0 +1,14 @@
|
|
|
1
|
+
#%PAM-1.0
|
|
2
|
+
auth required pam_faillock.so preauth audit silent deny=<%= node['sec']['accnt_lckout'] %> unlock_time=<%= node['sec']['accnt_lckout_duration'] %>
|
|
3
|
+
auth include password-auth-ac
|
|
4
|
+
auth [default=die] pam_faillock.so authfail audit deny=<%= node['sec']['accnt_lckout'] %> unlock_time=<%= node['sec']['accnt_lckout_duration'] %>
|
|
5
|
+
auth sufficient pam_faillock.so authsucc audit deny=<%= node['sec']['accnt_lckout'] %> unlock_time=<%= node['sec']['accnt_lckout_duration'] %>
|
|
6
|
+
|
|
7
|
+
account required pam_faillock.so
|
|
8
|
+
account include password-auth-ac
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
password requisite pam_cracklib.so try_first_pass retry=<%= node['sec']['pwd']['retry'] %> minlen=<%= node['sec']['pwd']['min_length'] %> dcredit=<%= node['sec']['pwd']['numeric'] %> ucredit=<%= node['sec']['pwd']['uppercase'] %> ocredit=<%= node['sec']['pwd']['special'] %> lcredit=<%= node['sec']['pwd']['lowercase'] %>
|
|
12
|
+
password include password-auth-ac
|
|
13
|
+
|
|
14
|
+
session include password-auth-ac
|
|
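Review bot: The `pam_cracklib.so` line (hunk line 11) enforces length and character-class credits but omits `enforce_for_root`, so the checks are advisory when root sets another user's password; adding `enforce_for_root` to that line applies them uniformly. This template also has no `remember=` history option in its `password` stack, unlike the system-auth template in the same change, so reuse checks may differ by which PAM entry point a service uses — unless `password-auth-ac` carries it, which is not visible here.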
@@ -0,0 +1,14 @@
|
|
|
1
|
+
#%PAM-1.0
|
|
2
|
+
auth required pam_faillock.so preauth audit silent deny=<%= node['sec']['accnt_lckout'] %> unlock_time=<%= node['sec']['accnt_lckout_duration'] %>
|
|
3
|
+
account include system-auth-ac
|
|
4
|
+
auth [default=die] pam_faillock.so authfail audit deny=<%= node['sec']['accnt_lckout'] %> unlock_time=<%= node['sec']['accnt_lckout_duration'] %>
|
|
5
|
+
auth sufficient pam_faillock.so authsucc audit deny=<%= node['sec']['accnt_lckout'] %> unlock_time=<%= node['sec']['accnt_lckout_duration'] %>
|
|
6
|
+
|
|
7
|
+
account required pam_faillock.so
|
|
8
|
+
account include system-auth-ac
|
|
9
|
+
|
|
10
|
+
password requisite pam_cracklib.so try_first_pass retry=<%= node['sec']['pwd']['retry'] %> minlen=<%= node['sec']['pwd']['min_length'] %> dcredit=<%= node['sec']['pwd']['numeric'] %> ucredit=<%= node['sec']['pwd']['uppercase'] %> ocredit=<%= node['sec']['pwd']['special'] %> lcredit=<%= node['sec']['pwd']['lowercase'] %>
|
|
11
|
+
account include system-auth-ac
|
|
12
|
+
password sufficient pam_unix.so remember=<%= node['sec']['pwd']['remember'] %>
|
|
13
|
+
|
|
14
|
+
session include system-auth-ac
|
|
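Review bot: Lines 3 and 11 read `account include system-auth-ac` where, by comparison with the password-auth template in the same change, `auth include system-auth-ac` and `password include system-auth-ac` were evidently intended; as written the `auth` stack consists only of the three `pam_faillock.so` entries with no module that actually verifies the credential, and `account include system-auth-ac` is repeated three times. What a login through this stack does then depends entirely on pam_faillock's return codes, which is worth checking on a test host before this file reaches `/etc/pam.d`. Changing line 3 to `auth include system-auth-ac` and line 11 to `password include system-auth-ac` restores the expected shape.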
@@ -0,0 +1,29 @@
|
|
|
1
|
+
apiVersion: v1
|
|
2
|
+
clusters:
|
|
3
|
+
- cluster:
|
|
4
|
+
server: <%= @endpoint %>
|
|
5
|
+
certificate-authority-data: <%= @cacert %>
|
|
6
|
+
name: kubernetes
|
|
7
|
+
contexts:
|
|
8
|
+
- context:
|
|
9
|
+
cluster: kubernetes
|
|
10
|
+
user: aws
|
|
11
|
+
name: aws
|
|
12
|
+
current-context: aws
|
|
13
|
+
kind: Config
|
|
14
|
+
preferences: {}
|
|
15
|
+
users:
|
|
16
|
+
- name: aws
|
|
17
|
+
user:
|
|
18
|
+
exec:
|
|
19
|
+
apiVersion: client.authentication.k8s.io/v1alpha1
|
|
20
|
+
command: aws-iam-authenticator
|
|
21
|
+
args:
|
|
22
|
+
- "token"
|
|
23
|
+
- "-i"
|
|
24
|
+
- "<%= @cluster %>"
|
|
25
|
+
# - "-r"
|
|
26
|
+
# - "<%= @rolearn %>"
|
|
27
|
+
# env:
|
|
28
|
+
# - name: AWS_PROFILE
|
|
29
|
+
# value: "<aws-profile>"
|
|
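Review bot: The exec credential plugin on hunk line 19 is declared as `client.authentication.k8s.io/v1alpha1`, which newer kubectl releases no longer accept for `exec` plugins, so this kubeconfig stops working once the client on the master is upgraded; `aws-iam-authenticator` also serves `v1beta1`, and `apiVersion: client.authentication.k8s.io/v1beta1` is the safer pin. A short comment above the commented-out `-r`/`AWS_PROFILE` lines (25–29) saying when an operator is expected to enable them would also help, since nothing else in the template renders `@rolearn`.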
@@ -0,0 +1,35 @@
|
|
|
1
|
+
[Unit]
|
|
2
|
+
Description=Kubernetes Kubelet
|
|
3
|
+
Documentation=https://github.com/kubernetes/kubernetes
|
|
4
|
+
After=docker.service
|
|
5
|
+
Requires=docker.service
|
|
6
|
+
|
|
7
|
+
[Service]
|
|
8
|
+
ExecStart=/usr/bin/kubelet \
|
|
9
|
+
--address=0.0.0.0 \
|
|
10
|
+
--authentication-token-webhook \
|
|
11
|
+
--authorization-mode=Webhook \
|
|
12
|
+
--allow-privileged=true \
|
|
13
|
+
--cloud-provider=aws \
|
|
14
|
+
--cluster-dns=<%= @dns %> \
|
|
15
|
+
--cluster-domain=cluster.local \
|
|
16
|
+
--cni-bin-dir=/opt/cni/bin \
|
|
17
|
+
--cni-conf-dir=/etc/cni/net.d \
|
|
18
|
+
--container-runtime=docker \
|
|
19
|
+
--max-pods=10 \
|
|
20
|
+
--node-ip=<%= @node_ip %> \
|
|
21
|
+
--network-plugin=cni \
|
|
22
|
+
--pod-infra-container-image=602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/pause-amd64:3.1 \
|
|
23
|
+
--cgroup-driver=cgroupfs \
|
|
24
|
+
--register-node=true \
|
|
25
|
+
--kubeconfig=/var/lib/kubelet/kubeconfig \
|
|
26
|
+
--feature-gates=RotateKubeletServerCertificate=true \
|
|
27
|
+
--anonymous-auth=false \
|
|
28
|
+
--resolv-conf=/etc/resolv.conf \
|
|
29
|
+
--client-ca-file=/etc/kubernetes/pki/ca.crt
|
|
30
|
+
|
|
31
|
+
Restart=on-failure
|
|
32
|
+
RestartSec=5
|
|
33
|
+
|
|
34
|
+
[Install]
|
|
35
|
+
WantedBy=multi-user.target
|
|
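Review bot: The ExecStart on hunk lines 8–29 disables anonymous auth and turns on webhook authorization but leaves `--read-only-port` unset, and kubelets of the generation that still accept `--allow-privileged` default it to 10255, an unauthenticated HTTP endpoint bound, like `--address=0.0.0.0` on line 9, to every interface; adding `--read-only-port=0 \` to the argument list closes it. `--allow-privileged=true` (line 12) is needed by some CNI plugins, but a comment naming which component depends on it would stop someone from flipping it without knowing the consequence.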
@@ -0,0 +1,15 @@
|
|
|
1
|
+
#!/bin/sh
|
|
2
|
+
#
|
|
3
|
+
# A default scan wrapper for maldetect. Scans every local-looking filesystem.
|
|
4
|
+
|
|
5
|
+
for fs in `cat /etc/mtab | egrep -v ' (ext2|ext3|ext4) ' | cut -d' ' -f2`;do
|
|
6
|
+
if ! grep "^$fs$" /usr/local/maldetect/ignore_paths;then
|
|
7
|
+
echo "$fs" >> /usr/local/maldetect/ignore_paths
|
|
8
|
+
fi
|
|
9
|
+
done
|
|
10
|
+
|
|
11
|
+
if ( ps auxww | grep -v grep | grep maldet );then
|
|
12
|
+
echo "Not running maldet scan, a previous scan was already running"
|
|
13
|
+
exit 1
|
|
14
|
+
fi
|
|
15
|
+
/usr/local/maldetect/maldet -a /
|
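Review bot: The filter on hunk line 5 adds every mount point whose type is not ext2/3/4 to `ignore_paths`, so on a host whose root filesystem is xfs (the CentOS 7 default) `/` itself is appended on the first run and the closing `maldet -a /` scans nothing; the type list needs to name the local filesystems actually in use. The process check on line 11 matches any command line containing `maldet`, which includes this wrapper whenever its own path does (for example under `/usr/local/maldetect/`), in which case the scan is always skipped; matching the scanner's path with `pgrep -f` avoids that. The `grep "^$fs$"` test on line 6 treats the mount point as a regex and echoes the match to stdout, whereas a literal whole-line test, `grep -qxF -- "$fs"`, is what the check is after. The shebang is `/bin/sh`, so the rewrite below stays POSIX apart from `pgrep`.
```sh
# … unchanged: shebang and header comment …

# Mount points whose filesystem type is not local go into ignore_paths.
# Keep this type list in step with the local filesystems in use; if the
# root filesystem's type is missing here, "/" is ignored and the scan is empty.
for fs in $(awk '$3 !~ /^(ext2|ext3|ext4|xfs)$/ { print $2 }' /etc/mtab); do
  if ! grep -qxF -- "$fs" /usr/local/maldetect/ignore_paths; then
    echo "$fs" >> /usr/local/maldetect/ignore_paths
  fi
done

# Look for the scanner itself, not for any command line mentioning "maldet".
if pgrep -f /usr/local/maldetect/maldet >/dev/null; then
  echo "Not running maldet scan, a previous scan was already running"
  exit 1
fi
/usr/local/maldetect/maldet -a /
```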