Wednesday, Apr 15, 2015

A New Era at the Hardening Framework Project

Next

We are happy to announce that the Hardening Framework has moved to its new home. As a vendor-neutral project we aim to provide best-practice system hardening for various industries. We are now actively searching for supporters to build up the next level of this project. Get in touch with us.

Retrospection

About a year ago the Hardening Framework started as a small challenge to prove whether server hardening can be done with configuration management tools like Puppet, Chef, SaltStack or Ansible. A small team set out to find the answer.

Since Deutsche Telekom was the first sponsor of this open source project, it was natural to use their internal security guidelines as a starting point for our security rules. Besides their interest in security, Deutsche Telekom faced the challenge that manual hardening processes just don’t scale in the cloud. T-Labs, Telekom Business Marketplace and Telekom Security as well as T-Systems in particular had a great interest in finding an industry-wide open source solution.

From the very beginning, the project had a few goals:

  • support for multiple configuration management tools
  • should work with existing open source modules / cookbooks
  • reuse the same test scripts
  • tests are developed first and are our baseline for the hardening implementation
  • Puppet and Chef implementations have to adapt to the common tests

We quickly decided on Serverspec as the best tool for our tests, because it fulfilled all our needs, had a mature community and worked very well with existing configuration management tools.

Once we had decided on Serverspec tests, we focused on the actual hardening implementation. This was a difficult task, because we wanted to reuse official deployment mechanisms for e.g. PostgreSQL but still add our hardening. After some prototypes we decided on an overlay module which acts as a companion to the original modules. It ensures that everything is properly configured and that specific hardening options are added.
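As an added illustration of the test-first approach described above (this is example code written for this post, not code from the Hardening Framework project): a plain-Ruby check that parses an sshd_config and reports settings that deviate from a hardening baseline. It deliberately does not use the Serverspec gem so that it runs stand-alone; the baseline values and the sample config are constructed assumptions, not the project's own rules.

```ruby
# Added example, not part of the Hardening Framework project.
# A stand-alone check in the spirit of the Serverspec baseline tests:
# parse an sshd_config and report deviations from an expected baseline.

# sshd applies the first occurrence of a keyword, so a later duplicate
# must not override an earlier one. Keywords are case-insensitive.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.sub(/#.*/, "").strip   # drop comments and whitespace
    next if line.empty?
    # Settings inside a Match block are conditional; stop at the first one
    # and evaluate those separately.
    break if line =~ /\AMatch\b/i
    key, value = line.split(/\s+/, 2)
    next if value.nil?
    key = key.downcase
    settings[key] = value unless settings.key?(key)
  end
  settings
end

# Expected hardening baseline (constructed for this example; adjust to your policy).
SSH_BASELINE = {
  "ignorerhosts"           => "yes",
  "permitrootlogin"        => "no",
  "passwordauthentication" => "no",
  "permitemptypasswords"   => "no",
  "x11forwarding"          => "no",
}.freeze

# Returns an array of failure strings; an empty array means the config passes.
def check_sshd_hardening(text, baseline = SSH_BASELINE)
  settings = parse_sshd_config(text)
  baseline.each_with_object([]) do |(key, expected), failures|
    actual = settings[key]
    if actual.nil?
      failures << "#{key}: not set (expected #{expected})"
    elsif actual.casecmp(expected) != 0
      failures << "#{key}: is #{actual} (expected #{expected})"
    end
  end
end

# Constructed sample: one commented-out setting, one duplicate keyword
# (the second value is ignored by sshd) and one insecure value.
SAMPLE_SSHD_CONFIG = <<~CONF
  # constructed sample sshd_config
  IgnoreRhosts yes
  PermitRootLogin yes
  PermitRootLogin no
  #PasswordAuthentication no
  PermitEmptyPasswords no
  X11Forwarding no   # keep X11 off
CONF

if $PROGRAM_NAME == __FILE__
  failures = check_sshd_hardening(SAMPLE_SSHD_CONFIG)
  puts(failures.empty? ? "sshd_config passes baseline" : failures)
end
```

The sample config fails on two points: PermitRootLogin is effectively "yes" because sshd honours the first occurrence, and PasswordAuthentication is only present as a comment, so it is unset. Writing the check this way, independent of any configuration management tool, is what lets the same test act as the baseline for both a Puppet and a Chef implementation.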

We identified some of the widely used open source modules that require hardening for live deployment:

  • Linux OS
  • SSH
  • Apache Webserver
  • Nginx
  • PostgreSQL
  • MySQL

For every project we started an implementation for Puppet and Chef, e.g. os-hardening:

For both implementations of the os-hardening module, we use a common test environment. It combines all tests under one framework. We used test-kitchen for Puppet and Chef tests:

Next, we selected the supported Linux distributions for our first release:

  • RedHat 6.4, 6.5
  • Ubuntu 12.04, 14.04
  • CentOS 6.4, 6.5
  • Oracle Linux 6.4, 6.5
  • Debian 7

As a small team, we had to automate the tests, otherwise this would not have been manageable. We used Travis for code linting and style checks and complemented it with a Jenkins environment that spins up all supported Linux VMs in OpenStack, deploys the hardening, runs the Serverspec tests and finally sends a report back. Those tests are triggered with every GitHub commit.

To get the Hardening Framework up and running easily, we have documented examples for Puppet and Chef:

The project has evolved over the last year. It has become mature tooling and is running on thousands of production systems. A special thanks to all contributors who helped to build this amazing project:

Thank you very much! We are looking forward to continuing to work with you.