Skip to content

Dan-JoeLopez/ChefConf-23

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
attributes
attributes
 
 
libraries
libraries
 
 
ohai
ohai
 
 
recipes
recipes
 
 
resources
resources
 
 
test/smoke/default
test/smoke/default
 
 
Berksfile
Berksfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
metadata.rb
metadata.rb
 
 

Repository files navigation

ChefConf23 Extensibility Example

This cookbook supplies the code that accompanies the ChefConf presentation on extending Chef infra cookbooks.

Dependencies

This cookbook has no external dependecies.

Supported OS

  • Windows Server
    • 2012ad_vulnerabilies
    • 2012 R2
    • 2016
    • 2019
  • Windows Client
    • 10

Information

This cookbook implements the baseline security standards set forth by the SAP Security team. Landscape or team specific customizations are not implimented. See below for details on excluding enforcement of policies.

In addition to enforcing policies, the cookbook will collect data with OHAI, and log information and warnings about the compliance status of the system.

The polices that have been implimented are only accurate at the time of this writing. The SAP Security team may change the guidlines at any time without warning or notification. It is the server owner's responsibility to ensure the security of their system.

BW1-00-02

Separation of duties and purposes

  • OHAI: node['hardening']['BW1-00-02']
    • compliant: bool check to see if the system is compliant with the policy
    • offenses: String explaining how the policy is being violated
    • desired_roles: Array of which special roles are to remain installed
    • undesired_roles: Array of roles/features that are to be removed

Usage

Attributes

Key Type Description Default
['litc-base-line-hardening']['production'] TrueClass, FalseClass When true, skips execution of potentially destructive changes. true
['litc-base-line-hardening']['exclusions'] StringArray Fill this string array with policies that you want to remain insecure. []

Un-Enforceable policies

Certain policies are, by their nature, not enforcable. Often because the availability of resources in different network locations vaires, we cannot predict the availability of AD domains, software repositories, etc.

Wherever possible, information about the policies complinace will be logged.

  • BW 1.00.01 Connect the system to a suitable AD
    • No resonable way to enforce the domain join. Non-compliance logs a Warning.
  • BW 1.00.02 Separation of duties and purposes
    • We cannot resonably remove server roles that are potentially serving production use-cases. Offences log a Warning.

Destructive Policies

  • BW 1.00.02 Separation of duties and purposes
    • For the purpose of the demonstration, we will be writing code that intends to remove roles/features.
    • This would be highly destructive, and not suitable for a production envronment!

Contributing

  1. Fork the repository on Github
  2. Write your test
  3. Document your proposed change
  4. Write your change
  5. Test your change
  6. Lint the cookbook
  7. Submit a Pull Request using Github, and request a code review

License and Authors

Authors

License

For SAP Internal Use ONLY, not licensed for external contribution or distribution.

Support

If you need help with this cookbook, please raise an issue on git.

About

No description, website, or topics provided.

Resources

Readme

License

View license
Activity

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages