cloud-mu 3.5.0 → 3.6.3

Files changed (245) hide show
  1. checksums.yaml +4 -4
  2. data/Berksfile +5 -2
  3. data/Berksfile.lock +135 -0
  4. data/ansible/roles/mu-base/README.md +33 -0
  5. data/ansible/roles/mu-base/defaults/main.yml +2 -0
  6. data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
  7. data/ansible/roles/mu-base/files/check_apm.sh +18 -0
  8. data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
  9. data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
  10. data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
  11. data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
  12. data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
  13. data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
  14. data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
  15. data/ansible/roles/mu-base/files/logrotate.conf +35 -0
  16. data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
  17. data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
  18. data/ansible/roles/mu-base/handlers/main.yml +5 -0
  19. data/ansible/roles/mu-base/meta/main.yml +53 -0
  20. data/ansible/roles/mu-base/tasks/main.yml +113 -0
  21. data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
  22. data/ansible/roles/mu-base/tests/inventory +2 -0
  23. data/ansible/roles/mu-base/tests/test.yml +5 -0
  24. data/ansible/roles/mu-base/vars/main.yml +1 -0
  25. data/ansible/roles/mu-compliance/README.md +33 -0
  26. data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
  27. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
  28. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
  29. data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
  30. data/ansible/roles/mu-compliance/meta/main.yml +53 -0
  31. data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
  32. data/ansible/roles/mu-compliance/tests/inventory +2 -0
  33. data/ansible/roles/mu-compliance/tests/test.yml +5 -0
  34. data/ansible/roles/mu-compliance/vars/main.yml +4 -0
  35. data/ansible/roles/mu-elastic/README.md +51 -0
  36. data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
  37. data/ansible/roles/mu-elastic/files/jvm.options +93 -0
  38. data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
  39. data/ansible/roles/mu-elastic/meta/main.yml +52 -0
  40. data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
  41. data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
  42. data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
  43. data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
  44. data/ansible/roles/mu-elastic/tests/inventory +2 -0
  45. data/ansible/roles/mu-elastic/tests/test.yml +5 -0
  46. data/ansible/roles/mu-elastic/vars/main.yml +2 -0
  47. data/ansible/roles/mu-logstash/README.md +51 -0
  48. data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
  49. data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
  50. data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
  51. data/ansible/roles/mu-logstash/files/jvm.options +84 -0
  52. data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
  53. data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
  54. data/ansible/roles/mu-logstash/meta/main.yml +52 -0
  55. data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
  56. data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
  57. data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
  58. data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
  59. data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
  60. data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
  61. data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
  62. data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
  63. data/ansible/roles/mu-logstash/tests/inventory +2 -0
  64. data/ansible/roles/mu-logstash/tests/test.yml +5 -0
  65. data/ansible/roles/mu-logstash/vars/main.yml +2 -0
  66. data/ansible/roles/mu-rdp/README.md +33 -0
  67. data/ansible/roles/mu-rdp/meta/main.yml +53 -0
  68. data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
  69. data/ansible/roles/mu-rdp/tests/inventory +2 -0
  70. data/ansible/roles/mu-rdp/tests/test.yml +5 -0
  71. data/ansible/roles/mu-windows/tasks/main.yml +3 -0
  72. data/bin/mu-ansible-secret +1 -1
  73. data/bin/mu-aws-setup +4 -3
  74. data/bin/mu-azure-setup +5 -5
  75. data/bin/mu-configure +25 -17
  76. data/bin/mu-firewall-allow-clients +1 -0
  77. data/bin/mu-gcp-setup +3 -3
  78. data/bin/mu-load-config.rb +1 -0
  79. data/bin/mu-node-manage +66 -33
  80. data/bin/mu-self-update +2 -2
  81. data/bin/mu-upload-chef-artifacts +6 -1
  82. data/bin/mu-user-manage +1 -1
  83. data/cloud-mu.gemspec +25 -23
  84. data/cookbooks/firewall/CHANGELOG.md +417 -224
  85. data/cookbooks/firewall/LICENSE +202 -0
  86. data/cookbooks/firewall/README.md +153 -126
  87. data/cookbooks/firewall/TODO.md +6 -0
  88. data/cookbooks/firewall/attributes/firewalld.rb +7 -0
  89. data/cookbooks/firewall/attributes/iptables.rb +3 -3
  90. data/cookbooks/firewall/chefignore +115 -0
  91. data/cookbooks/firewall/libraries/helpers.rb +5 -0
  92. data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
  93. data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
  94. data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
  95. data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
  96. data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
  97. data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
  98. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
  99. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
  100. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
  101. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
  102. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
  103. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
  104. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
  105. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
  106. data/cookbooks/firewall/metadata.json +40 -1
  107. data/cookbooks/firewall/metadata.rb +15 -0
  108. data/cookbooks/firewall/recipes/default.rb +7 -7
  109. data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
  110. data/cookbooks/firewall/recipes/firewalld.rb +87 -0
  111. data/cookbooks/firewall/renovate.json +18 -0
  112. data/cookbooks/firewall/resources/firewalld.rb +28 -0
  113. data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
  114. data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
  115. data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
  116. data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
  117. data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
  118. data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
  119. data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
  120. data/cookbooks/firewall/resources/nftables.rb +71 -0
  121. data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
  122. data/cookbooks/mu-activedirectory/Berksfile +1 -1
  123. data/cookbooks/mu-activedirectory/metadata.rb +1 -1
  124. data/cookbooks/mu-firewall/metadata.rb +2 -2
  125. data/cookbooks/mu-master/Berksfile +4 -3
  126. data/cookbooks/mu-master/attributes/default.rb +5 -2
  127. data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
  128. data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
  129. data/cookbooks/mu-master/libraries/mu.rb +24 -0
  130. data/cookbooks/mu-master/metadata.rb +5 -5
  131. data/cookbooks/mu-master/recipes/default.rb +31 -20
  132. data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
  133. data/cookbooks/mu-master/recipes/init.rb +58 -19
  134. data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
  135. data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
  136. data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
  137. data/cookbooks/mu-php54/Berksfile +1 -1
  138. data/cookbooks/mu-php54/metadata.rb +2 -2
  139. data/cookbooks/mu-tools/Berksfile +2 -3
  140. data/cookbooks/mu-tools/attributes/default.rb +3 -4
  141. data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
  142. data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
  143. data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
  144. data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
  145. data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
  146. data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
  147. data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
  148. data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
  149. data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
  150. data/cookbooks/mu-tools/libraries/helper.rb +21 -9
  151. data/cookbooks/mu-tools/metadata.rb +4 -4
  152. data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
  153. data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
  154. data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
  155. data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
  156. data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
  157. data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
  158. data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
  159. data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
  160. data/data_bags/nagios_services/apm_backend_connect.json +5 -0
  161. data/data_bags/nagios_services/apm_listen.json +5 -0
  162. data/data_bags/nagios_services/elastic_shards.json +5 -0
  163. data/data_bags/nagios_services/logstash.json +5 -0
  164. data/data_bags/nagios_services/rhel7_updates.json +8 -0
  165. data/extras/image-generators/AWS/centos7.yaml +1 -0
  166. data/extras/image-generators/AWS/rhel7.yaml +21 -0
  167. data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
  168. data/extras/image-generators/AWS/win2k16.yaml +1 -0
  169. data/extras/image-generators/AWS/win2k19.yaml +1 -0
  170. data/extras/list-stock-amis +0 -0
  171. data/extras/ruby_rpm/muby.spec +8 -5
  172. data/extras/vault_tools/export_vaults.sh +1 -1
  173. data/extras/vault_tools/recreate_vaults.sh +0 -0
  174. data/extras/vault_tools/test_vaults.sh +0 -0
  175. data/install/deprecated-bash-library.sh +1 -1
  176. data/install/installer +4 -2
  177. data/modules/mommacat.ru +3 -1
  178. data/modules/mu/adoption.rb +1 -1
  179. data/modules/mu/cloud/dnszone.rb +2 -2
  180. data/modules/mu/cloud/machine_images.rb +26 -25
  181. data/modules/mu/cloud/resource_base.rb +213 -182
  182. data/modules/mu/cloud/server_pool.rb +1 -1
  183. data/modules/mu/cloud/ssh_sessions.rb +7 -5
  184. data/modules/mu/cloud/wrappers.rb +2 -2
  185. data/modules/mu/cloud.rb +1 -1
  186. data/modules/mu/config/bucket.rb +1 -1
  187. data/modules/mu/config/function.rb +6 -1
  188. data/modules/mu/config/loadbalancer.rb +24 -2
  189. data/modules/mu/config/ref.rb +12 -0
  190. data/modules/mu/config/role.rb +1 -1
  191. data/modules/mu/config/schema_helpers.rb +42 -9
  192. data/modules/mu/config/server.rb +43 -27
  193. data/modules/mu/config/tail.rb +19 -10
  194. data/modules/mu/config.rb +6 -5
  195. data/modules/mu/defaults/AWS.yaml +78 -114
  196. data/modules/mu/deploy.rb +9 -2
  197. data/modules/mu/groomer.rb +12 -4
  198. data/modules/mu/groomers/ansible.rb +104 -20
  199. data/modules/mu/groomers/chef.rb +15 -6
  200. data/modules/mu/master.rb +9 -4
  201. data/modules/mu/mommacat/daemon.rb +4 -2
  202. data/modules/mu/mommacat/naming.rb +1 -2
  203. data/modules/mu/mommacat/storage.rb +7 -2
  204. data/modules/mu/mommacat.rb +33 -6
  205. data/modules/mu/providers/aws/database.rb +161 -8
  206. data/modules/mu/providers/aws/dnszone.rb +11 -6
  207. data/modules/mu/providers/aws/endpoint.rb +81 -6
  208. data/modules/mu/providers/aws/firewall_rule.rb +254 -172
  209. data/modules/mu/providers/aws/function.rb +65 -3
  210. data/modules/mu/providers/aws/loadbalancer.rb +39 -28
  211. data/modules/mu/providers/aws/log.rb +2 -1
  212. data/modules/mu/providers/aws/role.rb +25 -7
  213. data/modules/mu/providers/aws/server.rb +36 -12
  214. data/modules/mu/providers/aws/server_pool.rb +237 -127
  215. data/modules/mu/providers/aws/storage_pool.rb +7 -1
  216. data/modules/mu/providers/aws/user.rb +1 -1
  217. data/modules/mu/providers/aws/userdata/linux.erb +6 -2
  218. data/modules/mu/providers/aws/userdata/windows.erb +7 -5
  219. data/modules/mu/providers/aws/vpc.rb +49 -25
  220. data/modules/mu/providers/aws.rb +13 -8
  221. data/modules/mu/providers/azure/container_cluster.rb +1 -1
  222. data/modules/mu/providers/azure/loadbalancer.rb +2 -2
  223. data/modules/mu/providers/azure/server.rb +5 -2
  224. data/modules/mu/providers/azure/userdata/linux.erb +1 -1
  225. data/modules/mu/providers/azure.rb +11 -8
  226. data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
  227. data/modules/mu/providers/google/container_cluster.rb +15 -2
  228. data/modules/mu/providers/google/folder.rb +2 -1
  229. data/modules/mu/providers/google/function.rb +130 -4
  230. data/modules/mu/providers/google/habitat.rb +2 -1
  231. data/modules/mu/providers/google/loadbalancer.rb +407 -160
  232. data/modules/mu/providers/google/role.rb +16 -3
  233. data/modules/mu/providers/google/server.rb +5 -1
  234. data/modules/mu/providers/google/user.rb +25 -18
  235. data/modules/mu/providers/google/userdata/linux.erb +1 -1
  236. data/modules/mu/providers/google/vpc.rb +53 -7
  237. data/modules/mu/providers/google.rb +39 -39
  238. data/modules/mu.rb +8 -8
  239. data/modules/tests/elk.yaml +46 -0
  240. data/test/mu-master-test/controls/all_in_one.rb +1 -1
  241. metadata +207 -112
  242. data/cookbooks/firewall/CONTRIBUTING.md +0 -2
  243. data/cookbooks/firewall/MAINTAINERS.md +0 -19
  244. data/cookbooks/firewall/libraries/matchers.rb +0 -30
  245. data/extras/image-generators/AWS/rhel71.yaml +0 -17
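--- a/data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs
+++ b/data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs
@@ -0,0 +1,294 @@
+# Please note that the parameters in this configuration file control the
+# tools uses the PAM mechanism, and the utilities that use PAM (such as the
+# passwd command) should therefore be configured elsewhere. Refer to
+# /etc/pam.d/system-auth for more information.
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
+# pam_unix(8) enforces a 2s delay)
+#
+#FAIL_DELAY 3
+
+# Currently FAILLOG_ENAB is not supported
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+#LOG_UNKFAIL_ENAB no
+
+# Currently LOG_OK_LOGINS is not supported
+
+# Currently LASTLOG_ENAB is not supported
+
+#
+# Limit the highest user ID number for which the lastlog entries should
+# be updated.
+#
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
+# lastlog entries.
+#
+#LASTLOG_UID_MAX
+
+# Currently MAIL_CHECK_ENAB is not supported
+
+# Currently OBSCURE_CHECKS_ENAB is not supported
+
+# Currently PORTTIME_CHECKS_ENAB is not supported
+
+# Currently QUOTAS_ENAB is not supported
+
+# Currently SYSLOG_SU_ENAB is not supported
+
+#
+# Enable "syslog" logging of newgrp(1) and sg(1) activity.
+#
+#SYSLOG_SG_ENAB yes
+
+# Currently CONSOLE is not supported
+
+# Currently SULOG_FILE is not supported
+
+# Currently MOTD_FILE is not supported
+
+# Currently ISSUE_FILE is not supported
+
+# Currently TTYTYPE_FILE is not supported
+
+# Currently FTMP_FILE is not supported
+
+# Currently NOLOGINS_FILE is not supported
+
+# Currently SU_NAME is not supported
+
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+#HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+# Currently ENV_TZ is not supported
+
+# Currently ENV_HZ is not supported
+
+#
+# The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+#ENV_PATH PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a write(1) program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP as the number of such group
+# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
+# set TTYPERM to either 622 or 600.
+#
+#TTYGROUP tty
+#TTYPERM 0600
+
+# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
+
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK 077
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+HOME_MODE 0700
+
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 90
+PASS_MIN_DAYS 7
+PASS_MIN_LEN 12
+PASS_WARN_AGE 14
+
+# Currently PASS_MIN_LEN is not supported
+
+# Currently SU_WHEEL_ONLY is not supported
+
+# Currently CRACKLIB_DICTPATH is not supported
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 201
+SYS_UID_MAX 999
+# Extra per user uids
+SUB_UID_MIN 100000
+SUB_UID_MAX 600100000
+SUB_UID_COUNT 65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 201
+SYS_GID_MAX 999
+# Extra per user group ids
+SUB_GID_MIN 100000
+SUB_GID_MAX 600100000
+SUB_GID_COUNT 65536
+
+#
+# Max number of login(1) retries if password is bad
+#
+#LOGIN_RETRIES 3
+
+#
+# Max time in seconds for login(1)
+#
+#LOGIN_TIMEOUT 60
+
+# Currently PASS_CHANGE_TRIES is not supported
+
+# Currently PASS_ALWAYS_WARN is not supported
+
+# Currently PASS_MAX_LEN is not supported
+
+# Currently CHFN_AUTH is not supported
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+#CHFN_RESTRICT rwh
+
+# Currently LOGIN_STRING is not supported
+
+# Currently MD5_CRYPT_ENAB is not supported
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+#
+ENCRYPT_METHOD YESCRYPT
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be within the 1000-999999999 range.
+#
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+# Currently SHA_CRYPT_MIN_ROUNDS is not supported
+
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 31
+
+#
+# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+#
+# Define the YESCRYPT cost factor.
+# With a higher cost factor, it is more difficult to brute-force the password.
+# However, more CPU time and more memory will be needed to authenticate users
+# if this value is increased.
+#
+# If not specified, a cost factor of 5 will be used.
+# The value must be within the 1-11 range.
+#
+#YESCRYPT_COST_FACTOR 5
+
+# Currently CONSOLE_GROUPS is not supported
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is yes.
+#
+#DEFAULT_HOME yes
+
+# Currently ENVIRON_FILE is not supported
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enables userdel(8) to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-zero number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permits to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd(8) should create home directories for users by default (non
+# system users only).
+# This option is overridden with the -M or -m flags on the useradd(8)
+# command-line.
+#
+CREATE_HOME yes
+
+#
+# Force use shadow, even if shadow passwd & shadow group files are
+# missing.
+#
+#FORCE_SHADOW yes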
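Review bot: `PASS_MIN_LEN 12` on line 131 has no effect here, because line 134 of the same file says `# Currently PASS_MIN_LEN is not supported`; on a PAM-based Amazon Linux 2023 host the minimum length has to be enforced through pam_pwquality (`minlen = 12` in /etc/security/pwquality.conf) or the 12-character policy this file appears to intend is silently not applied. The header comment on line 1 ends mid-sentence ("control the"), so the explanation that these settings only govern the shadow-utils tools while PAM-aware utilities are configured elsewhere is lost; restore the missing line or drop the fragment. With `ENCRYPT_METHOD YESCRYPT` the `SHA_CRYPT_*` and `BCRYPT_*` sections are inert, and leaving `#YESCRYPT_COST_FACTOR 5` commented relies on the libc default; stating the chosen cost explicitly (`YESCRYPT_COST_FACTOR 5` or higher) documents the hashing strength rather than leaving it implicit.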
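--- a/data/cookbooks/mu-tools/files/default/logrotate.conf
+++ b/data/cookbooks/mu-tools/files/default/logrotate.conf
@@ -0,0 +1,35 @@
+# see "man logrotate" for details
+# rotate log files weekly
+daily
+
+# keep 4 weeks worth of backlogs
+rotate 4
+
+# create new (empty) log files after rotating old ones
+create
+
+# use date as a suffix of the rotated file
+dateext
+
+# uncomment this if you want your log files compressed
+compress
+
+# RPM packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# no packages own wtmp and btmp -- we'll rotate them here
+/var/log/wtmp {
+monthly
+create 0664 root utmp
+minsize 1M
+rotate 1
+}
+
+/var/log/btmp {
+missingok
+monthly
+create 0600 root utmp
+rotate 1
+}
+
+# system-specific logs may be also be configured here.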
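Review bot: The comments contradict the directives: line 2 says `# rotate log files weekly` but line 3 sets `daily`, and line 5 says `# keep 4 weeks worth of backlogs` while `rotate 4` under `daily` keeps only four days of each log. Four days is a short window if these logs are needed for an incident investigation; either restore `weekly`, or keep `daily` and raise the count (`rotate 28` gives four weeks), and update both comments to match whichever is chosen. The `# uncomment this if you want your log files compressed` comment on line 14 is also stale, since `compress` is enabled on the next line.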
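--- a/data/cookbooks/mu-tools/libraries/helper.rb
+++ b/data/cookbooks/mu-tools/libraries/helper.rb
@@ -16,13 +16,13 @@ module Mutools
 base_url = "http://metadata.google.internal/computeMetadata/v1"
 begin
 Timeout.timeout(2) do
-response = open(
+response = URI.open(
 "#{base_url}/#{param}",
 "Metadata-Flavor" => "Google"
 ).read
 return response
 end
-rescue Net::HTTPServerException, OpenURI::HTTPError, Timeout::Error, SocketError => e
+rescue Net::HTTPServerException, OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENOENT, OpenSSL::SSL::SSLError => e
 # This is fairly normal, just handle it gracefully
 end
 
@@ -36,11 +36,17 @@ module Mutools
 base_url = "http://169.254.169.254/latest"
 begin
 Timeout.timeout(2) do
-response = open("#{base_url}/#{param}").read
+response = URI.open("#{base_url}/#{param}").read
 return response
 end
-rescue Net::HTTPServerException, OpenURI::HTTPError, Timeout::Error, SocketError => e
+require 'aws-sdk-ec2'
+require 'aws-sdk-s3'
+rescue Net::HTTPServerException, OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENOENT => e
+puts e.inspect
 # This is fairly normal, just handle it gracefully
+if e.code == 401
+puts "*************** Got 401 Unauthorized trying to fetch #{base_url}/#{param}. This instance may be requiring IMDSv2 requests to fetch its own metadata. ***************"
+end
 end
 nil
 end
@@ -136,7 +142,7 @@ module Mutools
 @region = nil
 def set_aws_cfg_params
 begin
-require 'aws-sdk'
+require 'aws-sdk-core'
 instance_identity = get_aws_metadata("dynamic/instance-identity/document")
 return false if instance_identity.nil? # Not in AWS, most likely
 @region = JSON.parse(instance_identity)["region"]
@@ -153,7 +159,8 @@ module Mutools
 rescue OpenURI::HTTPError, Timeout::Error, SocketError, JSON::ParserError
 Chef::Log.info("This node isn't in Amazon Web Services, skipping AWS config")
 return false
-rescue LoadError
+rescue LoadError => e
+puts e.inspect
 Chef::Log.info("aws-sdk-gem hasn't been installed yet!")
 return false
 end
@@ -257,10 +264,14 @@ module Mutools
 filename = mu_get_tag_value("MU-ID")+"-secret"
 
 if cloud == "AWS"
+include_recipe "mu-tools::aws_api"
+require 'aws-sdk-s3'
 resp = nil
 begin
 Chef::Log.info("Fetch deploy secret from s3://#{bucket}/#(unknown)")
-resp = s3.get_object(bucket: bucket, key: filename)
+set_aws_cfg_params
+@s3 ||= Aws::S3::Client.new(region: @region)
+resp = @s3.get_object(bucket: bucket, key: filename)
 rescue ::Aws::S3::Errors::PermanentRedirect => e
 tmps3 = Aws::S3::Client.new(region: "us-east-1")
 resp = tmps3.get_object(bucket: bucket, key: filename)
@@ -308,6 +319,7 @@ module Mutools
 req = Net::HTTP::Post.new(uri)
 res_type = (node['deployment'].has_key?('server_pools') and node['deployment']['server_pools'].has_key?(node['service_name'])) ? "server_pool" : "server"
 response = nil
+retries = 0
 begin
 secret = get_deploy_secret
 if secret.nil? or secret.empty?
@@ -331,7 +343,7 @@ module Mutools
 http.verify_mode = OpenSSL::SSL::VERIFY_NONE # XXX this sucks
 response = http.request(req)
 if response.code != "200"
-Chef::Log.error("Got #{response.code} back from #{uri} on #{action} => #{arg}")
+Chef::Log.error("Got #{response.code} back from #{uri} on #{action} => #{arg}: #{response.body}")
 else
 if action == "add_volume" and arg and arg.is_a?(Hash) and arg[:dev]
 seen_requested = false
@@ -350,7 +362,7 @@ module Mutools
 end while retries < 5 and !seen_requested
 end
 end
-rescue EOFError => e
+rescue EOFError, OpenSSL::SSL::SSLError => e
 # Sometimes deployment metadata is incomplete and missing a
 # server_pool entry. Try to help it out.
 # XXX find some awsmetadata way to determine that we're in an Autoscale Group before trying this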
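Review bot: In the second hunk (`get_aws_metadata`, new lines 44-49) the added `if e.code == 401` will itself raise NoMethodError: as far as I can see none of the rescued classes (Net::HTTPServerException, OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENOENT) define `code` — OpenURI::HTTPError exposes the status via `e.io.status` — so the rescue that is meant to handle failures gracefully instead escapes on every error path, and the `nil` return on line 51 is never reached. The two `require 'aws-sdk-*'` lines (42-43) sit after a `Timeout.timeout` block that `return`s on success, so they are unreachable on both the success and the failure path and should move to where the SDK is actually used. The `puts e.inspect` calls here and in `set_aws_cfg_params` write to stdout rather than `Chef::Log` as the rest of the file does. Since the printed banner already diagnoses IMDSv2, the more robust fix is to request a session token and send it with the metadata call, which works on instances that enforce IMDSv2 and on those that do not; the rewritten body of that `begin` block is below (`net/http` is already used in this file). In the fifth hunk the return value of `set_aws_cfg_params` is ignored, so when it returns false `@region` is nil and `Aws::S3::Client.new(region: @region)` fails with an error the following `PermanentRedirect` rescue does not cover.
```ruby
# … unchanged: base_url = "http://169.254.169.254/latest" …
begin
  Timeout.timeout(2) do
    # IMDSv2 session token; instances that allow IMDSv1 accept the header too
    token = Net::HTTP.start("169.254.169.254", 80, open_timeout: 2, read_timeout: 2) do |http|
      http.put("/latest/api/token", nil, "X-aws-ec2-metadata-token-ttl-seconds" => "60").body
    end
    response = URI.open("#{base_url}/#{param}", "X-aws-ec2-metadata-token" => token).read
    return response
  end
rescue Net::HTTPServerException, OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENOENT => e
  # This is fairly normal, just handle it gracefully
  Chef::Log.debug("Metadata fetch of #{base_url}/#{param} failed: #{e.inspect}")
  if e.is_a?(OpenURI::HTTPError) and e.io.status.first == "401"
    Chef::Log.warn("Got 401 Unauthorized fetching #{base_url}/#{param}; this instance may require IMDSv2 token requests")
  end
end
# … unchanged: nil …
```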
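--- a/data/cookbooks/mu-tools/metadata.rb
+++ b/data/cookbooks/mu-tools/metadata.rb
@@ -7,14 +7,14 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 source_url 'https://github.com/cloudamatic/mu'
 issues_url 'https://github.com/cloudamatic/mu/issues'
 chef_version '>= 14.0' if respond_to?(:chef_version)
-version '1.1.0'
+version '1.1.1'
 
 %w( amazon centos redhat windows ).each do |os|
 supports os
 end
 
 depends "oracle-instantclient", '~> 1.1.0'
-depends "mu-nagios"
+depends "nagios"
 depends "database", '~> 6.1.1'
 depends "postgresql", '~> 7.1.0'
 depends "mu-utility"
@@ -22,8 +22,8 @@ depends "java", '~> 2.2.0'
 depends "windows", '~> 5.1.1'
 depends "mu-splunk"
 depends "chef-vault", '~> 3.1.1'
-depends "poise-python", '~> 1.7.0'
-depends "yum-epel", '~> 3.2.0'
+#depends "poise-python", '~> 1.7.0'
+depends "yum-epel", '~> 5.0.8'
 depends "mu-firewall"
 depends "mu-activedirectory"
 depends "chocolatey"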
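--- a/data/cookbooks/mu-tools/recipes/apply_security.rb
+++ b/data/cookbooks/mu-tools/recipes/apply_security.rb
@@ -66,7 +66,7 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
 notifies :run, "execute[enable manual auditd restarts]", :before
 end
 
-if node['platform_version'].to_i < 7
+if !platform_family?("amazon") and node['platform_version'].to_i < 7
 cookbook_file "/etc/audit/audit.rules" do
 source "etc/audit/stig.rules"
 notifies :restart, "service[auditd]", :delayed
@@ -124,11 +124,12 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
 
 
 bash "Logging and Auditing" do
-code <<-EOH
 #4.1.4 Create and Set Permissions on rsyslog Log Files
 #find `awk '/^ *[^#$]/ { print $2 }' /etc/rsyslog.conf | egrep -o "/.*"` -perm /o+rwx
+code <<-EOH
 chmod og-rwx /var/log/boot.log
 EOH
+only_if { File.exist?("/var/log/boot.log") }
 end
 
 bash "Network Configuration and Firewalls" do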
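Review bot: The `bash "Logging and Auditing"` resource in the second hunk still runs `chmod og-rwx /var/log/boot.log` on every converge and reports itself as updated each time; the `only_if` added on new line 132 only checks that the file exists, not that the mode is already correct. Assuming owner read/write is the intended final mode, Chef's `file` resource does the same thing idempotently and only reports a change when the mode actually differs: `file "/var/log/boot.log" do mode "0600"; only_if { File.exist?("/var/log/boot.log") }; end` (adjust the mode if the owner bits must be preserved as-is). In the first hunk, `if !platform_family?("amazon") and node['platform_version'].to_i < 7` is harmless as a condition but `&&` is the idiomatic operator; `and` exists for flow control and has surprising precedence next to assignment. The enclosing `if !node['application_attributes']['skip_recipes']...` block starts and ends outside both hunks.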
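--- a/data/cookbooks/mu-tools/recipes/aws_api.rb
+++ b/data/cookbooks/mu-tools/recipes/aws_api.rb
@@ -16,11 +16,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-chef_gem "aws-sdk" do
-compile_time true
-version "3.0.1"
-action :install
-end
+# well apparently these versions need to be pegged to whatever Chef is using
+# internally (as of Chef 17.4.38, aws-sdk-core 3.119)
+awsgems = {
+# "aws-sdk-core" => "~> 3.119",
+"aws-sdk-s3" => "3.205.0",
+# "aws-sdk-ec2" => nil
+}
+
+awsgems.each_pair { |g, v|
+# XXX chef_gem is, inexplicably, failing for these AWS SDK gems; logs indicate
+# installation, but they're not actually there. Doing it with an execute seems
+# to circumvent the problem. We then use chef_gem to load the stupid thing for
+# the current Chef run.
+execute "env -i /opt/chef/embedded/bin/gem install #{g} #{v.nil? ? "" : "--version '#{v}'"}" do
+compile_time true
+end
+chef_gem g do
+gem_binary "/opt/chef/embedded/bin/gem"
+version v if !v.nil?
+compile_time true
+action :install
+end
+}
 
 if platform_family?("rhel") or platform_family?("amazon")
 if node['platform_version'].to_i == 6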
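Review bot: The `execute "env -i /opt/chef/embedded/bin/gem install …"` resource on new line 32 has no guard, so every converge performs a gem install at compile time, reaching out to the gem source over the network on each run and always reporting the resource as updated; the comment on lines 28-31 explains why chef_gem was bypassed but not why the install should be unconditional. Guard it so it only runs when the pinned version is absent: `not_if "/opt/chef/embedded/bin/gem list -i '^#{g}$' #{v.nil? ? '' : "-v '#{v}'"}"`. With a nil version the install floats to whatever is newest on the gem source at converge time, so when the commented-out `aws-sdk-core`/`aws-sdk-ec2` entries are re-enabled they should carry an exact version like `aws-sdk-s3` does, and the comment's "~> 3.119" should be reconciled with the exact-pin form the `execute` expects. `env -i` also clears any proxy variables, which may matter on hosts that can only reach the gem source through a proxy; I'd note that limitation in the comment.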
@@ -21,11 +21,14 @@ if !node['application_attributes']['skip_recipes'].include?('base_repositories')
21
21
  case node['platform_family']
22
22
  when "rhel", "redhat", "amazon" # ~FC024
23
23
  # Workaround for EOL CentOS 5 repos
24
- if node['platform'] != "amazon" and node['platform_version'].to_i <= 6
24
+ if node['platform_family'] != "amazon" and node['platform_version'].to_i <= 6
25
25
  cookbook_file "/etc/yum.repos.d/CentOS-Base.repo" do
26
26
  source "CentOS-Base.repo"
27
27
  end
28
28
  end
29
29
  include_recipe "yum-epel"
30
30
  end
31
+ if platform_family?("amazon")
32
+ package "cronie"
33
+ end
31
34
  end
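Review bot: The new condition at line 24 tests `node['platform_family'] != "amazon"` while the block added at line 31 asks the same question with the `platform_family?("amazon")` helper; use one form, e.g. `if !platform_family?("amazon") && node['platform_version'].to_i <= 6`. That also replaces `and` with `&&` — `and` happens to bind correctly here, but it is a precedence trap and a RuboCop style offence. The surrounding `case node['platform_family']` and the `if !node['application_attributes']['skip_recipes'].include?('base_repositories')` block begin outside the hunk.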
@@ -16,59 +16,59 @@
16
16
  # See the License for the specific language governing permissions and
17
17
  # limitations under the License.
18
18
 
19
- if platform_family?("rhel") or platform_family?("amazon")
20
- if node['platform_version'].to_i >= 7
21
- yum_repository "google-cloud-sdk" do
22
- description 'Google Cloud SDK'
23
- url "https://packages.cloud.google.com/yum/repos/cloud-sdk-el#{node['platform_version'].to_i}-x86_64#{node['platform_version'].to_i == 6 ? "-unstable": ""}"
24
- enabled true
25
- gpgcheck true
26
- repo_gpgcheck true
27
- gpgkey ["https://packages.cloud.google.com/yum/doc/yum-key.gpg", "https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"]
28
- end
29
- package "google-cloud-sdk"
30
- elsif node['platform_version'].to_i == 6
31
- version = "317.0.0"
32
- remote_file "#{Chef::Config[:file_cache_path]}/gcloud-cli.sh" do
33
- source "https://sdk.cloud.google.com"
34
- action :nothing
35
- end
36
- remote_file "#{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz" do
37
- source "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-#{version}-linux-x86_64.tar.gz"
38
- action :nothing
39
- end
40
- bash "install gcloud-cli" do
41
- cwd "/opt"
42
- code <<-EOH
43
- rm -rf /opt/google-cloud-sdk/
44
- tar -xzf #{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz
45
- CLOUDSDK_PYTHON="`/bin/rpm -ql muthon | grep '/bin/python3$'`" ./google-cloud-sdk/install.sh -q
46
- EOH
47
- notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.sh]", :before
48
- notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz]", :before
49
- not_if "/opt/google-cloud-sdk/bin/gcloud version | grep 'Google Cloud SDK #{version}'"
50
- end
51
- link "/etc/bash_completion.d/gcloud" do
52
- to "/opt/google-cloud-sdk/completion.bash.inc"
53
- end
54
- link "/etc/profile.d/gcloud.sh" do
55
- to "/opt/google-cloud-sdk/path.bash.inc"
56
- end
57
- file "/etc/profile.d/gcloud_python.sh" do
58
- content "export CLOUDSDK_PYTHON=\"`/bin/rpm -ql muthon | grep '/bin/python$'`\"\n"
59
- mode 0644
60
- end
61
- end
62
- elsif platform_family?("debian")
63
- bash "add google-cloud-sdk repo" do
64
- code <<-EOH
65
- export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)"
66
- echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
67
- curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
68
- sudo apt-get update
69
- EOH
70
- not_if { ::File.exist?("/etc/apt/sources.list.d/google-cloud-sdk.list") }
71
- end
72
- package "google-cloud-sdk"
73
- else
74
- end
19
+ #if platform_family?("rhel") or platform_family?("amazon")
20
+ # if node['platform_version'].to_i >= 7
21
+ # yum_repository "google-cloud-sdk" do
22
+ # description 'Google Cloud SDK'
23
+ # url "https://packages.cloud.google.com/yum/repos/cloud-sdk-el#{node['platform_version'].to_i}-x86_64#{node['platform_version'].to_i == 6 ? "-unstable": ""}"
24
+ # enabled true
25
+ # gpgcheck true
26
+ # repo_gpgcheck true
27
+ # gpgkey ["https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"]
28
+ # end
29
+ # package "google-cloud-sdk"
30
+ # elsif node['platform_version'].to_i == 6
31
+ # version = "317.0.0"
32
+ # remote_file "#{Chef::Config[:file_cache_path]}/gcloud-cli.sh" do
33
+ # source "https://sdk.cloud.google.com"
34
+ # action :nothing
35
+ # end
36
+ # remote_file "#{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz" do
37
+ # source "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-#{version}-linux-x86_64.tar.gz"
38
+ # action :nothing
39
+ # end
40
+ # bash "install gcloud-cli" do
41
+ # cwd "/opt"
42
+ # code <<-EOH
43
+ # rm -rf /opt/google-cloud-sdk/
44
+ # tar -xzf #{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz
45
+ # CLOUDSDK_PYTHON="`/bin/rpm -ql muthon | grep '/bin/python3$'`" ./google-cloud-sdk/install.sh -q
46
+ # EOH
47
+ # notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.sh]", :before
48
+ # notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz]", :before
49
+ # not_if "/opt/google-cloud-sdk/bin/gcloud version | grep 'Google Cloud SDK #{version}'"
50
+ # end
51
+ # link "/etc/bash_completion.d/gcloud" do
52
+ # to "/opt/google-cloud-sdk/completion.bash.inc"
53
+ # end
54
+ # link "/etc/profile.d/gcloud.sh" do
55
+ # to "/opt/google-cloud-sdk/path.bash.inc"
56
+ # end
57
+ # file "/etc/profile.d/gcloud_python.sh" do
58
+ # content "export CLOUDSDK_PYTHON=\"`/bin/rpm -ql muthon | grep '/bin/python$'`\"\n"
59
+ # mode 0644
60
+ # end
61
+ # end
62
+ #elsif platform_family?("debian")
63
+ # bash "add google-cloud-sdk repo" do
64
+ # code <<-EOH
65
+ # export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)"
66
+ # echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
67
+ # curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
68
+ # sudo apt-get update
69
+ # EOH
70
+ # not_if { ::File.exist?("/etc/apt/sources.list.d/google-cloud-sdk.list") }
71
+ # end
72
+ # package "google-cloud-sdk"
73
+ #else
74
+ #end
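Review bot: The recipe body is commented out in its entirety rather than removed, so the file is now a no-op with no indication of why the Google Cloud SDK install was disabled or whether it is expected to return. The commented copy is already drifting from the deleted code — new line 27 lists only `rpm-package-key.gpg` in `gpgkey` while removed line 27 listed `yum-key.gpg` as well — which is the usual fate of commented-out code. Either delete the recipe (and any `include_recipe` that still references it) or replace the body with a single header comment such as `# Google Cloud SDK install disabled: <reason/ticket>; previous implementation is in git history`.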
@@ -16,4 +16,4 @@
16
16
  # See the License for the specific language governing permissions and
17
17
  # limitations under the License.
18
18
 
19
- include_recipe "mu-nagios"
19
+ include_recipe "nagios"