https://dev-sec.io/ Recent content in Security + DevOps on DevSec Hardening Framework Hugo -- gohugo.io en-us Sun, 08 Nov 2020 09:00:00 +0000 https://dev-sec.io/blog/2020-10-11-ansible-collection/ Sun, 08 Nov 2020 09:00:00 +0000 https://dev-sec.io/blog/2020-10-11-ansible-collection/ In July 2020 we decided to move our existing Ansible roles for Linux, ssh, nginx and MySQL into an Ansible collection (what is a collection?). Why? Having only one repository for all roles means we don’t have to duplicate code. We have one common test-suite for all roles that works the same for every role. Also Collections are the future, as there is possibly no support for roles in the next version of Ansible Galaxy (see ansible/galaxy_ng#58). https://dev-sec.io/blog/2020-07-30-automating-releases/ Sat, 30 May 2020 09:00:00 +0000 https://dev-sec.io/blog/2020-07-30-automating-releases/ Hey friends, some time ago someone who uses our Ansible roles created an issue in our ansible-os-hardening role stating that the readme in the Ansible Galaxy diverged from the actual releases you can find on Galaxy. The reason for that is simple: Galaxy shows the from the master-branch in the Github-repository - not from the latest release that is uploaded there. That produced a discrepancy between the functions of the role and what is described in the readme. https://dev-sec.io/blog/2019-10-05-hacktoberfest/ Sat, 05 Oct 2019 09:00:00 +0000 https://dev-sec.io/blog/2019-10-05-hacktoberfest/ Dear DevSec friends, it’s Hacktoberfest 2019 and we from the DevSec project are taking part in it! And this year not only as contributors but as maintainers as well. We looked for issues in our Chef-cookbooks, Ansible-roles, Puppet-Modules and InSpec-profiles that are good candidates for your contributions to Hacktoberfest. Then we collected them in our Github-project so you have one place to find them all! So go grab a Issue, create a Pull Request and grab your Hacktoberfest-swag! https://dev-sec.io/blog/2019-05-15-baseline-releases/ Wed, 15 May 2019 12:00:00 +0000 https://dev-sec.io/blog/2019-05-15-baseline-releases/ Dear DevSec friends, today, we released many DevSec baselines. Thank you, the dev-sec community, for all the contributions to make it happen. We released: Windows Baseline 2.0.0 and 1.2.0 Linux Baseline 2.3.0 Nginx Baselinne 2.3.0 MySQL Baseline 3.1.0 Apache Baseline 2.1.0 Postgres Baseline 2.0.4 Linux Patch Baseline 0.5.0 Especially, I’d like to thank Karsten Müller from Lichtblick, Patrick Münch and Torsten Löbner TLoebner from SVA for their major contribution to our Windows baseline. https://dev-sec.io/blog/2019-02-13-communication-ways/ Wed, 13 Feb 2019 13:00:00 +0100 https://dev-sec.io/blog/2019-02-13-communication-ways/ Dear DevSec friends, Some of you maybe already noticed, we are improving the website of the project: updating the content, rebuilding and refreshing it. Besides that, we took a decision to change some of the communication ways of the project. Gitter chat was not heavily used in the past and wasn’t accepted even by some of core maintainers. As mailing lists are still a wide used communication way of many OpenSource projects, we decided to give them a try: https://dev-sec.io/blog/2018-10-15-new-homepage/ Mon, 15 Oct 2018 09:00:00 +0000 https://dev-sec.io/blog/2018-10-15-new-homepage/ Hi Security Friends, We had this update in the works for a while and the new homepage is finally here. I’ll look at some of the updates and encourage you to reach out for future improvements. We finally migrated from our old custom-built pages to Hugo and combined our frontpage, blog and documentation into one single repository. This is easier to maintain and to contribute to. Besides these technical improvements, we also worked on the user experience, a fresh front-page, and a new contributor page, and and improved baseline overview. https://dev-sec.io/blog/2017-12-21-chef-os-3.0-released/ Thu, 21 Dec 2017 18:00:00 +0000 https://dev-sec.io/blog/2017-12-21-chef-os-3.0-released/ DevSec Hardening Framework project is releasing a new major release chef-os-hardening 3.0.0 today. The major points of this release are listed below, many thanks for the contributions and help we received from our users and community! Highlights and breaking changes: Blacklisting of filesystems (PR 169). Important: vfat is included in the default list, so be careful if you have some desktop systems. SELinux support for RHEL family distributions. SELinux is unmanaged per default and can be enabled via setting ['os-hardening']['security']['selinux_mode'] (PR 173, many thanks to AnMoeller for this contribution) Adaptation of some attributes to better RH defaults (PR 177, many thanks to strangeman for updating the baseline) New attributes and features: https://dev-sec.io/blog/2017-12-19-puppet-os-2.0-released/ Tue, 19 Dec 2017 15:00:00 +0000 https://dev-sec.io/blog/2017-12-19-puppet-os-2.0-released/ DevSec Hardening Framework project is releasing a new major release puppet-os-hardening 2.0.0 today. Since this new version is the first release after 2.5 years, the changes are way too much for a short summary. Please checkout the full changelog and README for more details. We are looking forward to get your feedback via GitHub issues or Gitter chatroom. And you can follow us on Twitter. https://dev-sec.io/blog/2017-11-24-cis-docker-benchmark-2.0.0-released/ Fri, 24 Nov 2017 11:00:00 +0000 https://dev-sec.io/blog/2017-11-24-cis-docker-benchmark-2.0.0-released/ DevSec Hardening Framework project is releasing a new major release of cis-docker-benchmark today. The major points of this release are listed below, however there are also many changes under the hood like cleanups of documentation and improvements of the InSpec Profile. Many thanks for the contributions and help we received from our users and community! Highlights and breaking changes: Update of InSpec Profile to support the CIS Docker Benchmark 1. https://dev-sec.io/blog/2017-08-21-cis-kubernetes/ Mon, 15 May 2017 09:00:00 +0000 https://dev-sec.io/blog/2017-08-21-cis-kubernetes/ The mission of DevSec Hardening Framework is to provide users with the best content to stay secure across their infrastructure fleet. We started by providing hardening solutions written in Chef cookbooks, Puppet modules as well as Ansible modules. Beginning of this year, we started to transform our testing suite into standalone InSpec baselines. Since then we added more and more baselines like Nginx, TLS/SSL, OpenStack, MySQL or PostgreSQL. We are happy to announce that we got a major contribution by Kristian Vlaardingerbroek from Schuberg Philis. https://dev-sec.io/blog/2017-05-15-chef-windows-hardening-0.9.0-released/ Mon, 15 May 2017 09:00:00 +0000 https://dev-sec.io/blog/2017-05-15-chef-windows-hardening-0.9.0-released/ DevSec Hardening Framework project is releasing a new minor release chef-windows-hardening today. The release introduces the, always, disabling of SMB1 protocol on Windows operating systems. Note: This resource was introduced in the wake of the WannaCrypt/WannaCry ransomware worm which exploits a known vulnerability in the SMBv1 protocol Highlights and breaking changes: Enforce the disabling of SMBv1 on all versions of Windows, regardless of installation or whether the feature is enabled (e. https://dev-sec.io/blog/2017-04-23-ansible-new-releases/ Sun, 23 Apr 2017 13:00:00 +0000 https://dev-sec.io/blog/2017-04-23-ansible-new-releases/ Hey friends, We released new versions of ansible-os-hardening, ansible-ssh-hardening and ansible-mysql-hardening! These releases are important to us in multiple ways: As always, they provide new features and configuration possibilities for you to use! More on that below. Complete tests in TravisCI Furthermore we now leverage the full possibilities of TravisCI for the os-hardening, ssh-hardening and mysql-hardening roles. This means that all supported operating systems are now tested and verified online. https://dev-sec.io/blog/2017-04-13-openstack-profile/ Thu, 13 Apr 2017 09:00:00 +0000 https://dev-sec.io/blog/2017-04-13-openstack-profile/ I am happy to announce that the Chef Partners Team contributed a new OpenStack Baseline to our DevSec project. This Baseline is implementing the OpenStack Security Guide in InSpec. JJ Asghar will continue to be a core maintainer. The baseline is already covering a wide range of checks for: block-storage compute dashboard identity networking orchestration telemetry But we still have some white spots: data-processing databases messaging The baseline is designed to work hand-in-hand with multiple configuration management tools like Ansible, Chef or Puppet, which allows you to run the baseline easily against existing deployments. https://dev-sec.io/blog/2017-04-06-chef-os-2.0-released/ Thu, 06 Apr 2017 21:00:00 +0000 https://dev-sec.io/blog/2017-04-06-chef-os-2.0-released/ DevSec Hardening Framework project is releasing a new major release chef-os-hardening 2.0.0 today. The major points of this release are listed below, however there are also many changes under the hood like cleanups of documentation, improvements of the cookbook testing. Many thanks for the contributions and help we received from our users and community! Highlights and breaking changes: New attribute namespace ['os-hardening'] for the entire cookbook Removal of dependencies to the apt and yum cookbooks Usage of modern versions of sysctl dependency cookbook Cleanup and resolution of Chef deprecations - preparation for the Chef 13 release New attributes: https://dev-sec.io/blog/2017-02-06-chef-ssh-2.0-released/ Mon, 06 Feb 2017 09:00:00 +0000 https://dev-sec.io/blog/2017-02-06-chef-ssh-2.0-released/ DevSec Hardening Framework project is releasing a new major release chef-ssh-hardening 2.0.0 today. Highlights and breaking changes: On the modern chef versions (>= 12.10) autodiscovery of openssh version is used in the decision logic of crypto parameters New attribute namespace ['ssh-hardening'] for the entire cookbook Split of attributes to the server and client namespaces UsePAM is now set to yes per default (and does not break RHEL installations if set to no) Usage of different encryption algorithms based on the available openssh version Removal of DSA support Usage of strong primes for Diffie-Hellman New attributes: https://dev-sec.io/blog/2017-01-17-inspec-benchmarks/ Tue, 17 Jan 2017 09:00:00 +0000 https://dev-sec.io/blog/2017-01-17-inspec-benchmarks/ Happy New Year DevSec users, from day one of the DevSec Hardening Framework project, we used the same test suites for our Ansible, Chef and Puppet implementations. Those test suites have been implemented in [Serverspec]() and helped us to enforce the same rules for all hardening implementations. The combination with [test-kitchen]() allowed us to easily test Ansible, Chef and Puppet implementations across the multiple operating systems with the same test suites. https://dev-sec.io/blog/2016-09-20-ansible-nginx-released/ Tue, 20 Sep 2016 19:00:00 +0000 https://dev-sec.io/blog/2016-09-20-ansible-nginx-released/ The next part of server hardening with Ansible is released today: The ansible-nginx-hardening role. This role hardens your existing nginx installations (version 1.0.15 or later). This time we tried to make sure that the hardening role works with popular nginx installation roles, so if you use any of the following (great!) roles to manage your nginx, you can use our hardening role: nginxinc.nginx geerlinggux.nginx jdauphant.nginx We also tried to provide good documentation on the various settings and think that it turned out very well, but see for yourself. https://dev-sec.io/blog/2016-07-17-ansible-mysql-released/ Sun, 17 Jul 2016 18:00:00 +0000 https://dev-sec.io/blog/2016-07-17-ansible-mysql-released/ Even though the Github repository already got 17 stars at the time of writing, we never officially released the ansible-mysql-hardening role. Today we change that and release 1.0.0! The mysql-hardening role joins the other two already existing Ansible roles, ssh-hardening and os-hardening. This role hardens a MySQL server according to best practices and implements the same guidelines as our successful Chef and Puppet implementations. The main work was done by Anton Lugovoi and Sebastian Gumprich who implemented the following changes: https://dev-sec.io/blog/2016-04-15-hardening-io-movement/ Fri, 15 Apr 2016 09:00:00 +0000 https://dev-sec.io/blog/2016-04-15-hardening-io-movement/ Due to unfortunate circumstances we can’t use hardening.io domain anymore. Therefore Hardening Framework moved to a new home: http://dev-sec.io , https://github.com/dev-sec. Forwarding can’t be configured from hardening.io to the new domain. We know this leads to confusion and we are sorry for that. https://dev-sec.io/blog/2016-03-20-ansible-3.0-release/ Sun, 20 Mar 2016 18:00:00 +0000 https://dev-sec.io/blog/2016-03-20-ansible-3.0-release/ The Hardening Framework once again updates its framework’s Ansible modules, making them compatible with the new Ansible 2.0 release! But that’s not all. Next to bug-fixes and support for additional operating systems, this release focused on making the os-hardening and ssh-hardening roles more configurable. This allows you to alter them to your needs while still providing a strong baseline security. As always, thanks for all the contributors! Notable changes for os-hardening: https://dev-sec.io/blog/2015-11-30-ansible-2.0-release/ Mon, 30 Nov 2015 18:00:00 +0000 https://dev-sec.io/blog/2015-11-30-ansible-2.0-release/ Continuously, the Hardening Framework improves its framework to cover up-to-date server hardening. Sebastian Gumprich and Anton Lugovoi did an amazing job to improve the Ansible implementation for os-hardening and ssh-hardening. Core focus of the last release was to improve and ease the installation via Ansible Galaxy. For os-hardening: Fix a bug in the passwdqc template (#51) Change directory layout so the role is easily installable from ansible-galaxy (#49) Improved travis-tests to cover more cases (#42) Fix passwdqc default options (#44) Remove duplicate “update pam” task (#46) Fix stuck in case pam files was updated before by force update (#45) Fix nologin shell path (#44) For ssh-hardening: https://dev-sec.io/blog/2015-06-23-ansible-os-released/ Mon, 13 Jul 2015 18:00:00 +0000 https://dev-sec.io/blog/2015-06-23-ansible-os-released/ After two months of development the Hardening Framework team is glad to announce that we created our second Ansible role: ansible-os-hardening. This role hardens a Linux operating system according to best practices and implements the same guidelines as our successful Chef and Puppet implementations. In these two months Sebastian Gumprich implemented with the help of Christoph Hartmann and Dominik Richter the following changes: Implement os-hardening to meet our tests Enable GPG-checking on all yum-repository files #5 Disable system accounts #6 Module-loading configuration #22 Travis support #17 As always, this role supports Debian- and Enterprise Linux-based operating systems. https://dev-sec.io/blog/2015-05-12-puppet4-support/ Tue, 12 May 2015 18:00:00 +0000 https://dev-sec.io/blog/2015-05-12-puppet4-support/ We are happy to announce Puppet 4 support for the Hardening Framework. All puppet modules have been updated and are continously tested for Puppet 4 support, now: Puppet OS Hardening Puppet SSH hardening Puppet MySql Hardening Puppet Postgres Hardening Puppet Apache Hardening Puppet Nginx Hardening In addition to Puppet 4, we still test our implementation against Puppet 2.7 & Puppet 3.6. This enables you to smoothly upgrade the Hardening Framwork. https://dev-sec.io/blog/2015-04-30-ansible-ssh-released/ Thu, 30 Apr 2015 18:00:00 +0000 https://dev-sec.io/blog/2015-04-30-ansible-ssh-released/ The Hardening Framework provides best-practice security for DevOps by implementing server hardening with DevOps tools. We are happy to announce that with help of Sebastian Gumprich we were able to implement our first Ansible role: ansible-ssh-hardening. Over the last weeks, we worked hard to release version 1.0: Implement ssh hardening to meet our tests Setup test infrastructure with kitchen-ansible Implement travis tests#7 Add handlers to restart sshd only when necessary #6 Add support for Oracle Linux #2 The module is available via Ansible Galaxy, now. https://dev-sec.io/blog/2015-04-23-manage-security-baseline/ Thu, 23 Apr 2015 21:00:00 +0000 https://dev-sec.io/blog/2015-04-23-manage-security-baseline/ Despite many advancements in the field of security, two fundamental issues have stayed at the core of many attacks over the last 20 years. They preveil despite firewalls, SIEMs, or scanners. They are: Misconfiguration and unpatched software with known vulnerabilities. Both problems have been addressed with processes and strong governance. While improving the situation considerably, failures are still unavoidable and often unmitigated. I have seen various companies with great risk and security management, that still suffer from severe configuration issues and unpatched machines. https://dev-sec.io/blog/2015-04-15-new-era/ Wed, 15 Apr 2015 21:00:00 +0000 https://dev-sec.io/blog/2015-04-15-new-era/ Next We are happy to announce, that the Hardening Framework moved to its new home. As a vendor neutral project we aim to provide best-practice system hardening for various industries. We are now actively searching for supporters to build up the next level of this project. Get in touch with us. Retrospection About a year ago the Hardening Framework has started as a small challenge to proof if server hardening can be done with configuration management tools like Puppet, Chef, SaltStack or Ansible. https://dev-sec.io/contributing/ Wed, 15 Apr 2015 21:00:00 +0000 https://dev-sec.io/contributing/ We are glad you want to contribute to DevSec! This document will help answer common questions you may have during your first contribution. This project is Apache 2 licensed. Every contribution must be under the Apache 2 License, too. For new files we have added a section with License Headers. Submitting Issues and PRs We utilize Github Issues for issue tracking and contributions. You can contribute in two ways: https://dev-sec.io/blog/2015_01_04_future_of_hardening_framework/ Thu, 01 Jan 2015 19:00:00 +0000 https://dev-sec.io/blog/2015_01_04_future_of_hardening_framework/ https://dev-sec.io/blog/2014_10_10_itsa-presentation/ Fri, 10 Oct 2014 19:00:00 +0000 https://dev-sec.io/blog/2014_10_10_itsa-presentation/ https://dev-sec.io/blog/2014_09_18_hardening_framework_intro/ Thu, 18 Sep 2014 19:00:00 +0000 https://dev-sec.io/blog/2014_09_18_hardening_framework_intro/ https://dev-sec.io/blog/2014_08_30_custom-resource-types-in-serverspec/ Sat, 30 Aug 2014 19:00:00 +0000 https://dev-sec.io/blog/2014_08_30_custom-resource-types-in-serverspec/ https://dev-sec.io/blog/2014_06_03_integration_testing_infrastructure/ Tue, 03 Jun 2014 19:00:00 +0000 https://dev-sec.io/blog/2014_06_03_integration_testing_infrastructure/ https://dev-sec.io/blog/2014-05-14_how-to-harden-a-new-server-with-chef/ Wed, 14 May 2014 19:00:00 +0000 https://dev-sec.io/blog/2014-05-14_how-to-harden-a-new-server-with-chef/ https://dev-sec.io/blog/2014_05_08_using-test-kitchen-with-puppet/ Thu, 08 May 2014 19:00:00 +0000 https://dev-sec.io/blog/2014_05_08_using-test-kitchen-with-puppet/ https://dev-sec.io/blog/2013-11-16-infrastructure-as-code-with-chef-or-puppet/ Sat, 16 Nov 2013 19:00:00 +0000 https://dev-sec.io/blog/2013-11-16-infrastructure-as-code-with-chef-or-puppet/ https://dev-sec.io/blog/2013_10_01-mythbusting-devops-and-security/ Tue, 01 Oct 2013 19:00:00 +0000 https://dev-sec.io/blog/2013_10_01-mythbusting-devops-and-security/ https://dev-sec.io/community/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/community/ Get in touch You can reach us on several ways: @DevSecIO on Twitter Mailing list for general topics: devsec@freelists.org Mailing list with release announcements (no posts are possible here): devsec-announce@freelists.org Contribute Please have a look at our contribution guide. People behind dev-sec.io Project founders Core Team Contributors https://dev-sec.io/contributors/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/contributors/ https://dev-sec.io/baselines/apache/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/baselines/apache/ https://dev-sec.io/baselines/docker/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/baselines/docker/ https://dev-sec.io/baselines/kubernetes/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/baselines/kubernetes/ https://dev-sec.io/baselines/linux/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/baselines/linux/ https://dev-sec.io/baselines/mysql/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/baselines/mysql/ https://dev-sec.io/baselines/nginx/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/baselines/nginx/ https://dev-sec.io/baselines/postgres/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/baselines/postgres/ https://dev-sec.io/project/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/project/ Challenge Running secure infrastructure is a difficult task. Although server hardening is a well-known topic with many guides out in the wild, it is still very cumbersome to apply and verify secure configuration. If you manage many server, they need to be configured properly and maintained, which is difficult and time-consuming to get right. To answer these needs for security, compliance, and maintainability, we decided to launch this project as a common ground for requirements and their fulfillment. https://dev-sec.io/baselines/ssh/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/baselines/ssh/ https://dev-sec.io/baselines/ssl/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/baselines/ssl/ https://dev-sec.io/baselines/windows/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/baselines/windows/ https://dev-sec.io/legal/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/legal/ https://dev-sec.io/videos/ Mon, 01 Jan 0001 00:00:00 +0000 https://dev-sec.io/videos/