diff --git a/Rakefile b/Rakefile
index 7701e46..a860201 100755
--- a/Rakefile
+++ b/Rakefile
@@ -1,6 +1,4 @@
 #!/usr/bin/env rake
-# encoding: utf-8
-
 require 'foodcritic'
 require 'rspec/core/rake_task'
 require 'rubocop/rake_task'
@@ -10,15 +8,15 @@ require 'chef/cookbook/metadata'
 # Rubocop before rspec so we don't lint vendored cookbooks
 desc 'Run all tests except Kitchen (default task)'
-task default: %I[lint spec]
+task default: %I(lint spec)
 # Lint the cookbook
 desc 'Run all linters: rubocop and foodcritic'
-task lint: %I[rubocop foodcritic]
+task lint: %I(rubocop foodcritic)
 # Run the whole shebang
 desc 'Run all tests'
-task test: %I[lint integration spec]
+task test: %I(lint integration spec)
 # RSpec
 desc 'Run chefspec tests'
diff --git a/attributes/default.rb b/attributes/default.rb
index dc808a2..404396c 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -1,6 +1,4 @@
-# encoding: utf-8
-
-# Cookbook Name:: windows-hardening
+# Cookbook:: windows-hardening
 # Attributes:: default
 # set this value if you want to harden terminal services
diff --git a/metadata.rb b/metadata.rb
index b11d473..b3f79da 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -1,11 +1,10 @@
-name 'windows-hardening'
-maintainer 'Joe Gardiner'
-maintainer_email 'joe@chef.io'
-license 'Apache 2.0'
-description 'Hardening cookbook for Windows 2012 R2'
-long_description 'Remediates critical issues identified by the DevSec Windows baseline'
-version '0.9.1'
-source_url 'https://github.com/dev-sec/chef-windows-hardening'
-issues_url 'https://github.com/dev-sec/chef-windows-hardening/issues'
-supports 'windows'
-depends 'windows-security-policy'
+name 'windows-hardening'
+maintainer 'Joe Gardiner'
+maintainer_email 'joe@chef.io'
+license 'Apache-2.0'
+description 'Hardening cookbook for Windows 2012 R2'
+version '0.9.1'
+source_url 'https://github.com/dev-sec/chef-windows-hardening'
+issues_url 'https://github.com/dev-sec/chef-windows-hardening/issues'
+supports 'windows'
+depends 'windows-security-policy'
diff --git a/recipes/access.rb b/recipes/access.rb
index 957b2d0..3567f9f 100644
--- a/recipes/access.rb
+++ b/recipes/access.rb
@@ -1,10 +1,10 @@
 #
-# Cookbook Name:: windows-hardening
+# Cookbook:: windows-hardening
 # Recipe:: access
 #
-# Copyright (c) 2016 Joe Gardiner, All Rights Reserved.
+# Copyright:: (c) 2016 Joe Gardiner, All Rights Reserved.
-return unless node['platform_family'] == 'windows'
+return unless platform_family?('windows')
 # Anonymous Access to Windows Shares and Named Pipes is Disallowed
 # windows-baseline: windows-base-102
@@ -12,7 +12,7 @@
 values [{
 name: 'RestrictNullSessAccess',
 type: :dword,
- data: 1
+ data: 1,
 }]
 action :create_if_missing
 end
@@ -23,7 +23,7 @@
 values [{
 name: 'NullSessionShares',
 type: :multi_string,
- data: ['']
+ data: [''],
 }]
 action :create_if_missing
 end
@@ -34,7 +34,7 @@
 values [{
 name: 'LmCompatibilityLevel',
 type: :dword,
- data: 4
+ data: 4,
 }]
 action :create
 end
@@ -45,7 +45,7 @@
 values [{
 name: 'NtlmMinClientSec',
 type: :dword,
- data: 537_395_200
+ data: 537_395_200,
 }]
 action :create
 end
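Review bot: `action :create_if_missing` on the `RestrictNullSessAccess` value leaves a host unremediated when the value already exists set to 0, because create_if_missing only writes a value that is absent; the `NullSessionShares` hunk below has the same gap, while `LmCompatibilityLevel` and `NtlmMinClientSec` in this same file use `action :create` and are actually enforced. For a baseline remediation recipe the anonymous-access controls should be asserted too, so change `action :create_if_missing` to `action :create` here and for `NullSessionShares`, or add a comment explaining why a pre-existing value is deliberately respected. The enclosing `registry_key` resource and its key path start outside the hunk.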
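Review bot: `LmCompatibilityLevel` of 4 (`data: 4`) still lets the server accept NTLMv1 responses, since per Microsoft's documented levels 4 refuses LM only, whereas CIS for Server 2012 R2 asks for level 5, "Send NTLMv2 response only. Refuse LM & NTLM". If 4 is chosen to match the DevSec baseline check exactly, record that above the value, e.g. `# 4 = refuse LM only (baseline minimum); 5 also refuses NTLMv1 and is the CIS recommendation`, so a later reader neither loosens nor tightens it by accident. The `registry_key` resource starts outside the hunk.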
@@ -56,7 +56,7 @@
 values [{
 name: 'NtlmMinServerSec',
 type: :dword,
- data: 537_395_200
+ data: 537_395_200,
 }]
 action :create
 end
@@ -66,7 +66,7 @@
 values [{
 name: 'SMB1',
 type: :dword,
- data: 0
+ data: 0,
 }]
 action :create_if_missing
 end
diff --git a/recipes/audit.rb b/recipes/audit.rb
index 17d459b..c075843 100644
--- a/recipes/audit.rb
+++ b/recipes/audit.rb
@@ -1,10 +1,10 @@
 #
-# Cookbook Name:: windows-hardening
+# Cookbook:: windows-hardening
 # Recipe:: audit-logging
 #
-# Copyright (c) 2016 Joe Gardiner, All Rights Reserved.
+# Copyright:: (c) 2016 Joe Gardiner, All Rights Reserved.
-return unless node['platform_family'] == 'windows'
+return unless platform_family?('windows')
 # Configure System Event Log (Application)
 # windows-baseline: windows-audit-100
@@ -12,7 +12,7 @@
 values [{
 name: 'MaxSize',
 type: :dword,
- data: 4_194_240
+ data: 4_194_240,
 }]
 recursive true
 action :create
@@ -24,7 +24,7 @@
 values [{
 name: 'MaxSize',
 type: :dword,
- data: 4_194_240
+ data: 4_194_240,
 }]
 recursive true
 action :create
@@ -36,7 +36,7 @@
 values [{
 name: 'MaxSize',
 type: :dword,
- data: 4_194_240
+ data: 4_194_240,
 }]
 recursive true
 action :create
@@ -48,7 +48,7 @@
 values [{
 name: 'MaxSize',
 type: :dword,
- data: 4_194_240
+ data: 4_194_240,
 }]
 recursive true
 action :create
diff --git a/recipes/default.rb b/recipes/default.rb
index d9ae29b..ab89c8a 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
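Review bot: `SMB1` is written with `action :create_if_missing`, so a server where the value already exists as 1 (typically because someone re-enabled SMBv1 for a legacy client) keeps SMBv1 enabled after this recipe runs; use `action :create` so the 0 is enforced on every converge. If this is the LanmanServer Parameters key (the path is outside the hunk), the value only disables the SMB server side; the SMBv1 client and the feature package are removed separately, which the comment above the resource should say so nobody reads this as "SMBv1 is gone". The enclosing `registry_key` resource starts outside the hunk.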
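Review bot: `MaxSize` of `4_194_240` bytes is about 4 MB, and the same figure is written in all four hunks of this file; from memory, CIS for Server 2012 R2 asks for at least 32,768 KB for the Application/System/Setup logs and 196,608 KB for Security, so a Security log this small wraps quickly once auditing is on and forensic evidence is lost. If 4 MB is the DevSec baseline minimum, say so in the comment above the resource (e.g. `# 4 MB is the windows-audit-100 minimum; CIS wants 32 MB, and 192 MB for Security`) and expose the size as a node attribute so operators can raise it per log. The key paths that identify which log each hunk configures are outside the hunk.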
@@ -1,17 +1,17 @@
-#
-# Cookbook Name:: windows-hardening
-# Recipe:: default
-#
-# Copyright (c) 2016 Joe Gardiner, All Rights Reserved.
-
-return unless node['platform_family'] == 'windows'
-
-include_recipe 'windows-hardening::password_policy'
-include_recipe 'windows-hardening::security_policy'
-include_recipe 'windows-hardening::user_rights'
-include_recipe 'windows-hardening::audit'
-include_recipe 'windows-hardening::ie'
-include_recipe 'windows-hardening::rdp'
-include_recipe 'windows-hardening::access'
-include_recipe 'windows-hardening::privacy'
-include_recipe 'windows-hardening::powershell'
+#
+# Cookbook:: windows-hardening
+# Recipe:: default
+#
+# Copyright:: (c) 2016 Joe Gardiner, All Rights Reserved.
+
+return unless platform_family?('windows')
+
+include_recipe 'windows-hardening::password_policy'
+include_recipe 'windows-hardening::security_policy'
+include_recipe 'windows-hardening::user_rights'
+include_recipe 'windows-hardening::audit'
+include_recipe 'windows-hardening::ie'
+include_recipe 'windows-hardening::rdp'
+include_recipe 'windows-hardening::access'
+include_recipe 'windows-hardening::privacy'
+include_recipe 'windows-hardening::powershell'
diff --git a/recipes/enable_winrm_access.rb b/recipes/enable_winrm_access.rb
index 187cdc6..006463e 100644
--- a/recipes/enable_winrm_access.rb
+++ b/recipes/enable_winrm_access.rb
@@ -1,12 +1,12 @@
-#
-# Cookbook Name:: windows-hardening
-# Recipe:: enable_winrm_access
-#
-# Copyright (c) 2016 Joe Gardiner, All Rights Reserved.
-
-return unless node['platform_family'] == 'windows'
-
-# Winrm access is required for agentless verification. Add this recipe as required.
-powershell_script 'Remote Management' do
- code 'Set-NetFirewallRule WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress "any"'
-end
+#
+# Cookbook:: windows-hardening
+# Recipe:: enable_winrm_access
+#
+# Copyright:: (c) 2016 Joe Gardiner, All Rights Reserved.
+
+return unless platform_family?('windows')
+
+# Winrm access is required for agentless verification. Add this recipe as required.
+powershell_script 'Remote Management' do
+ code 'Set-NetFirewallRule WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress "any"'
+end
diff --git a/recipes/ie.rb b/recipes/ie.rb
index e1af866..f978158 100644
--- a/recipes/ie.rb
+++ b/recipes/ie.rb
@@ -1,10 +1,10 @@
 #
-# Cookbook Name:: windows-hardening
+# Cookbook:: windows-hardening
 # Recipe:: ie
 #
-# Copyright (c) 2016 Joe Gardiner, All Rights Reserved.
+# Copyright:: (c) 2016 Joe Gardiner, All Rights Reserved.
-return unless node['platform_family'] == 'windows'
+return unless platform_family?('windows')
 # IE 64-bit tab
 # windows-baseline: windows-ie-101
@@ -12,7 +12,7 @@
 values [{
 name: 'Isolation64Bit',
 type: :dword,
- data: 1
+ data: 1,
 }]
 recursive true
 action :create
@@ -24,7 +24,7 @@
 values [{
 name: '270C',
 type: :dword,
- data: 0
+ data: 0,
 }]
 recursive true
 action :create
diff --git a/recipes/password_policy.rb b/recipes/password_policy.rb
index 82cac26..65eedef 100644
--- a/recipes/password_policy.rb
+++ b/recipes/password_policy.rb
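Review bot: `Set-NetFirewallRule WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress "any"` opens the plaintext WinRM listener (HTTP) on the Public profile to every source address, which undoes part of what the rest of the cookbook hardens; this hunk re-emits the file unchanged (line endings, by the look of it), so the exposure predates the commit, but the opt-in recipe carries no warning about it. Since the comment says it exists for agentless verification, scope the rule to the scanner by reading the allowed addresses from a node attribute, e.g. `code "Set-NetFirewallRule WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress #{node['windows_hardening']['winrm']['remote_address']}"` (a new attribute with no permissive default), and say in the comment that the HTTPS listener rule should be preferred when the verifier supports it. The `powershell_script` also has no `not_if`, so the cmdlet runs on every converge; a guard comparing the rule's current RemoteAddress keeps it idempotent.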
@@ -1,10 +1,10 @@
 #
-# Cookbook Name:: windows-hardening
+# Cookbook:: windows-hardening
 # Recipe:: password_policy
 #
-# Copyright (c) 2018 The Authors, All Rights Reserved.
+# Copyright:: (c) 2018 The Authors, All Rights Reserved.
-return unless node['platform_family'] == 'windows'
+return unless platform_family?('windows')
 # Set Enforce password history to 24 or more passwords
 # cis: enforce-password-history 1.1.1
diff --git a/recipes/powershell.rb b/recipes/powershell.rb
index 6a049c8..83b1ec4 100644
--- a/recipes/powershell.rb
+++ b/recipes/powershell.rb
@@ -1,5 +1,5 @@
 #
-# Cookbook Name:: windows-hardening
+# Cookbook:: windows-hardening
 # Recipe:: powershell
 #
@@ -9,7 +9,7 @@
 values [{
 name: 'EnableScriptBlockLogging',
 type: :dword,
- data: 0
+ data: 0,
 }]
 action :create
 recursive true
@@ -21,7 +21,7 @@
 values [{
 name: 'EnableTranscripting',
 type: :dword,
- data: 0
+ data: 0,
 }]
 action :create
 recursive true
diff --git a/recipes/privacy.rb b/recipes/privacy.rb
index dc2e204..cc251bd 100644
--- a/recipes/privacy.rb
+++ b/recipes/privacy.rb
@@ -3,7 +3,7 @@
 values [{
 name: 'value',
 type: :dword,
- data: 0
+ data: 0,
 }]
 recursive true
 action :create
@@ -22,7 +22,7 @@
 values [{
 name: 'AllowIndexingEncryptedStoresOrItems',
 type: :dword,
- data: 0
+ data: 0,
 }]
 action :create
 recursive true
diff --git a/recipes/rdp.rb b/recipes/rdp.rb
index 6def518..807cb60 100644
--- a/recipes/rdp.rb
+++ b/recipes/rdp.rb
@@ -1,10 +1,10 @@
 #
-# Cookbook Name:: windows-hardening
+# Cookbook:: windows-hardening
 # Recipe:: rdp
 #
-# Copyright (c) 2016 Joe Gardiner, All Rights Reserved.
+# Copyright:: (c) 2016 Joe Gardiner, All Rights Reserved.
-return unless node['platform_family'] == 'windows'
+return unless platform_family?('windows')
 if node['windows_hardening']['rdp']['harden'] == true
 # Windows Remote Desktop Configured to Always Prompt for Password
@@ -13,7 +13,7 @@
 values [{
 name: 'fPromptForPassword',
 type: :dword,
- data: 1
+ data: 1,
 }]
 recursive true
 action :create
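Review bot: `EnableScriptBlockLogging` set to `data: 0` turns PowerShell script block logging off (the 4104 events in Microsoft-Windows-PowerShell/Operational that detection teams rely on for obfuscated or in-memory PowerShell), and the next hunk does the same for `EnableTranscripting`. Older CIS releases did list these as Disabled, as far as I recall, but current CIS and Microsoft guidance is Enabled, so a hardening recipe that disables them needs the reason stated in the comment above the resource (for instance concern about secrets landing in the event log) and the value made attribute-driven so a site can turn logging back on without forking the cookbook. The `registry_key` resource and its key path start outside the hunk.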
@@ -25,7 +25,7 @@
 values [{
 name: 'MinEncryptionLevel',
 type: :dword,
- data: 3
+ data: 3,
 }]
 recursive true
 action :create
diff --git a/recipes/security_policy.rb b/recipes/security_policy.rb
index 1cd8b67..95441cb 100644
--- a/recipes/security_policy.rb
+++ b/recipes/security_policy.rb
@@ -1,10 +1,10 @@
 #
-# Cookbook Name:: windows-hardening
+# Cookbook:: windows-hardening
 # Recipe:: account-lockout
 #
-# Copyright (c) 2016 Joe Gardiner, All Rights Reserved.
+# Copyright:: (c) 2016 Joe Gardiner, All Rights Reserved.
-return unless node['platform_family'] == 'windows'
+return unless platform_family?('windows')
 # cis: account-lockout-duration 1.2.1,
 # cis: reset-account-lockout 1.2.3
diff --git a/recipes/user_rights.rb b/recipes/user_rights.rb
index 24c0dff..db96475 100644
--- a/recipes/user_rights.rb
+++ b/recipes/user_rights.rb
@@ -1 +1 @@
-# Encoding: UTF-8
+# Encoding: UTF-8
diff --git a/resources/password_policy.rb b/resources/password_policy.rb
index 56e63d3..01278a7 100644
--- a/resources/password_policy.rb
+++ b/resources/password_policy.rb
@@ -1,5 +1,6 @@
 resource_name :password_policy
 provides :password_policy
+unified_mode true
 property :policy_name, String, name_property: true
 property :policy_command, String, required: true
diff --git a/spec/unit/recipes/default_spec.rb b/spec/unit/recipes/default_spec.rb
index 883deec..2912937 100644
--- a/spec/unit/recipes/default_spec.rb
+++ b/spec/unit/recipes/default_spec.rb
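Review bot: `unified_mode true` is only understood by Chef Infra Client 15.3 and later (if I have the version right), and the metadata.rb in this same commit declares no `chef_version` constraint, so on an older client this line raises NoMethodError when the resource file is loaded; add `chef_version '>= 15.3'` to metadata.rb, or guard it with `unified_mode true if respond_to?(:unified_mode)`. Unified mode also makes resources declared inside an action run immediately, in order, instead of at the end of the action's compile phase, so any action here that declares an `execute`/`powershell_script` and then reads its outcome should be re-checked; the action bodies are outside the hunk.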
@@ -1,20 +1,20 @@
-#
-# Cookbook Name:: base-win2012-hardening
-# Spec:: default
-#
-# Copyright (c) 2016 The Authors, All Rights Reserved.
-
-require 'spec_helper'
-
-describe 'base-win2012-hardening::default' do
- context 'When all attributes are default, on an unspecified platform' do
- let(:chef_run) do
- runner = ChefSpec::ServerRunner.new
- runner.converge(described_recipe)
- end
-
- it 'converges successfully' do
- expect { chef_run }.to_not raise_error
- end
- end
-end
+#
+# Cookbook:: base-win2012-hardening
+# Spec:: default
+#
+# Copyright:: (c) 2016 The Authors, All Rights Reserved.
+
+require 'spec_helper'
+
+describe 'base-win2012-hardening::default' do
+ context 'When all attributes are default, on an unspecified platform' do
+ let(:chef_run) do
+ runner = ChefSpec::ServerRunner.new
+ runner.converge(described_recipe)
+ end
+
+ it 'converges successfully' do
+ expect { chef_run }.to_not raise_error
+ end
+ end
+end
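Review bot: The spec converges `base-win2012-hardening::default`, but metadata.rb in this same commit names the cookbook `windows-hardening`, so the only unit test targets a recipe that does not exist under this cookbook's name (the hunk rewrites the file unchanged, so the mismatch is pre-existing rather than introduced here). Even with the name fixed, `ChefSpec::ServerRunner.new` without a platform means every recipe exits at `return unless platform_family?('windows')` and nothing is exercised; construct the runner with `ChefSpec::ServerRunner.new(platform: 'windows', version: '2012R2')` and assert on real resources, e.g. `expect(chef_run).to create_registry_key('...')`. The context description "on an unspecified platform" would then need updating as well.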