issue #200: make auditd recipe optional

see #200
dev-sec · Feb 23, 2018 · 7c9bdab · 7c9bdab
1 parent 531eba2
commit 7c9bdab
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 1 deletion.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -128,6 +128,9 @@
 # SELinux enforcing (enforcing, permissive, unmanaged)
 default['os-hardening']['security']['selinux_mode']                      = 'unmanaged'
 
+# De-/Activate auditd recipe
+default['os-hardening']['auditd']['enabled']                             = true
+
 # SYSTEM CONFIGURATION
 # ====================
 # These are not meant to be modified by the user

diff --git a/recipes/default.rb b/recipes/default.rb
@@ -29,5 +29,5 @@
 include_recipe('os-hardening::securetty')
 include_recipe('os-hardening::suid_sgid') if node['os-hardening']['security']['suid_sgid']['enforce']
 include_recipe('os-hardening::sysctl')
-include_recipe('os-hardening::auditd')
+include_recipe('os-hardening::auditd') if node['os-hardening']['auditd']['enabled']
 include_recipe('os-hardening::selinux') if node['platform_family'] == 'rhel' || node['platform_family'] == 'fedora'
diff --git a/spec/recipes/default_spec.rb b/spec/recipes/default_spec.rb
@@ -52,4 +52,34 @@
     is_expected.to include_recipe 'os-hardening::sysctl'
     is_expected.to include_recipe 'os-hardening::auditd'
   end
+
+  context 'with disabled auditd' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['os-hardening']['auditd']['enabled'] = false
+
+        %w[
+          /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin
+        ].each do |folder|
+          stub_command(
+            "find #{folder}  -perm -go+w -type f | wc -l | egrep '^0$'"
+          ).and_return(false)
+        end
+      end.converge(described_recipe)
+    end
+
+    subject { chef_run }
+
+    it "won't include auditd" do
+      is_expected.to include_recipe 'os-hardening::packages'
+      is_expected.to include_recipe 'os-hardening::limits'
+      is_expected.to include_recipe 'os-hardening::login_defs'
+      is_expected.to include_recipe 'os-hardening::minimize_access'
+      is_expected.to include_recipe 'os-hardening::pam'
+      is_expected.to include_recipe 'os-hardening::profile'
+      is_expected.to include_recipe 'os-hardening::securetty'
+      is_expected.to include_recipe 'os-hardening::sysctl'
+      is_expected.not_to include_recipe 'os-hardening::auditd'
+    end
+  end
 end