Merge pull request #46 from atomic111/master

add headers and cleaning

Author: chris-rock

.kitchen.yml

@@ -53,13 +53,6 @@ platforms:
     intermediate_instructions:
       - RUN dnf -y install yum which systemd-sysv initscripts
 
-- name: ubuntu-12.04
-  driver:
-    image: ubuntu-upstart:12.04
-    pid_one_command: /sbin/init
-    intermediate_instructions:
-      - RUN /usr/bin/apt-get update
-
 - name: ubuntu-14.04
   driver:
     image: ubuntu-upstart:14.04
@@ -88,7 +81,6 @@ platforms:
     intermediate_instructions:
       - RUN zypper --non-interactive install aaa_base perl-Getopt-Long-Descriptive which
 
-
 suites:
 - name: default
   run_list:
@@ -98,4 +90,4 @@ suites:
     - recipe[nginx-hardening]
   verifier:
     inspec_tests:
-      - https://github.com/dev-sec/tests-nginx-hardening
+      - path: test/integration/default

.travis.yml

@@ -20,7 +20,6 @@ services: docker
 
 env:
   matrix:
-  - INSTANCE=default-ubuntu-1204
   - INSTANCE=default-ubuntu-1404
   - INSTANCE=default-ubuntu-1604
   - INSTANCE=default-centos-6
@@ -32,7 +31,7 @@ before_script:
   - /opt/chefdk/embedded/bin/chef --version
   - /opt/chefdk/embedded/bin/cookstyle --version
   - /opt/chefdk/embedded/bin/foodcritic --version
-  - /opt/chefdk/embedded/bin/chef gem install coveralls # needed for chefspecs
+  - /opt/chefdk/embedded/bin/chef gem install coveralls -v 0.8.19 # needed for chefspecs
 
 script: KITCHEN_LOCAL_YAML=.kitchen.docker.yml /opt/chefdk/embedded/bin/kitchen verify ${INSTANCE}
 

Gemfile

@@ -2,45 +2,38 @@
 
 source 'https://rubygems.org'
 
-gem 'berkshelf',  '~> 5.0'
-gem 'chef',       '>= 12.0'
-
-# pin dependency for Ruby 1.9.3 since bundler is not
-# detecting that net-ssh 3 does not work with 1.9.3
-if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2.2')
-  gem 'listen', '~> 3.0.0'
-  gem 'ruby_dep', '~> 1.3.0'
-  gem 'rack', '< 2.0'
-end
+gem 'berkshelf', '~> 6.1'
+gem 'chef', '~> 12.5' # chefspec builds get stucked with 13.1
 
 group :test do
   gem 'rake'
-  gem 'chefspec',   '~> 5.3'
-  gem 'foodcritic', '~> 8.0'
+  gem 'chefspec', '~> 7.1.0'
+  gem 'foodcritic', '~> 11.1'
+  gem 'thor', '~> 0.19.1'
   gem 'thor-foodcritic'
   gem 'cookstyle'
   gem 'coveralls', require: false
-  gem 'minitest', '~> 5.5'
+  gem 'minitest', '~> 5.10.2'
+  gem 'rubocop', '~> 0.49.0'
   gem 'simplecov', '~> 0.10'
 end
 
 group :development do
   gem 'guard'
   gem 'guard-rspec'
+  gem 'guard-foodcritic', '~> 3.0'
   gem 'guard-kitchen'
   gem 'guard-rubocop'
-  # gem 'guard-foodcritic' # disabled until a new release comes out that removes the pin
 end
 
 group :integration do
-  gem 'test-kitchen', '~> 1.0'
+  gem 'test-kitchen', '~> 1.16.0'
   gem 'kitchen-vagrant'
-  gem 'kitchen-inspec'
-  gem 'kitchen-sharedtests', '~> 0.2.0'
-  gem 'concurrent-ruby', '~> 0.9'
   gem 'kitchen-dokken'
+  gem 'kitchen-inspec'
+  gem 'concurrent-ruby', '~> 1.0.5'
 end
 
 group :tools do
-  gem 'github_changelog_generator', '~> 1.14.0'
+  gem 'github_changelog_generator', '~> 1.14'
 end

README.md

@@ -13,7 +13,7 @@ This cookbook provides a secure overlay for nginx configuration.
 ### Platform
 
 - Debian 7, 8
-- Ubuntu 12.04, 14.04, 16.04
+- Ubuntu 14.04, 16.04
 - CentOS 6, 7
 - OracleLinux 6.6, 6.7, 7.1
 
@@ -26,8 +26,8 @@ This cookbook provides a secure overlay for nginx configuration.
 - `['nginx']['server_tokens']` - `off` to disable disables emitting nginx version in error messages and in the "Server" response header field. Set to `on` to enable the nginx version in error messages and "Server" response header.
 - `['nginx-hardening']['source']['http_autoindex_module']` - `false` to disable the HTTP Autoindex module. Set to `true` to enable http_autoindex_module.
 - `['nginx-hardening']['source']['http_ssi_module']` - `false` to disable the HTTP SSI module. Set to `true` to enable http_ssi_module.
-- `['nginx-hardening']['options']['ssl_protocols']` - `'TLSv1 TLSv1.1 TLSv1.2'` to specify the SSL protocol which should be used.
-- `['nginx-hardening']['options']['ssl_ciphers']` - `'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'` to specify the TLS ciphers which should be used.
+- `['nginx-hardening']['options']['ssl_protocols']` - `'TLSv1.2'` to specify the SSL protocol which should be used.
+- `['nginx-hardening']['options']['ssl_ciphers']` - `'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'` to specify the TLS ciphers which should be used.
 - `['nginx-hardening']['options']['ssl_prefer_server_ciphers']` - `'on'` Specifies that server ciphers should be preferred over client ciphers when using the TLS protocols. Set to `false` to disable it.
 - `['nginx-hardening']['dh-size']` - `2048` Specifies the length of DH parameters for EDH ciphers.
 
@@ -65,15 +65,15 @@ bundle install
 bundle exec rake lint
 
 # fast test on one machine
-bundle exec kitchen test default-ubuntu-1204
+bundle exec kitchen test default-ubuntu-1404
 
 # test on all machines
 bundle exec kitchen test
 
 # for development
-bundle exec kitchen create default-ubuntu-1204
-bundle exec kitchen converge default-ubuntu-1204
-bundle exec kitchen verify default-ubuntu-1204
+bundle exec kitchen create default-ubuntu-1404
+bundle exec kitchen converge default-ubuntu-1404
+bundle exec kitchen verify default-ubuntu-1404
 ```
 
 ## Contributors + Kudos

attributes/hardening.rb

@@ -68,6 +68,12 @@
 
     # XSS filter
     'X-XSS-Protection "1; mode=block"',
+
+    # HSTS Header
+    'Strict-Transport-Security max-age=15768000',
+
+    # Content Security Header
+    'Content-Security-Policy "script-src \'self\'; object-src \'self\'"',
   ],
 
 }
@@ -87,7 +93,8 @@
 flags.push '--without-http_ssi_module'       unless node['nginx-hardening']['source']['http_ssi_module']
 
 default['nginx']['source']['default_configure_flags'] = flags
-default['nginx-hardening']['options']['ssl_protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
-default['nginx-hardening']['options']['ssl_ciphers'] = "'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'"
+default['nginx-hardening']['options']['ssl_protocols'] = 'TLSv1.2'
+default['nginx-hardening']['options']['ssl_ciphers'] = "'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'"
 default['nginx-hardening']['options']['ssl_prefer_server_ciphers'] = 'on'
+default['nginx-hardening']['options']['ssl_session_tickets'] = 'off'
 default['nginx-hardening']['dh-size'] = 2048

metadata.rb

@@ -18,7 +18,7 @@
 name             'nginx-hardening'
 maintainer       'Dominik Richter'
 maintainer_email 'dominik.richter@googlemail.com'
-license          'Apache 2.0'
+license          'Apache-2.0'
 description      'Configures nginx hardening'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 

test/integration/default/controls/test.rb

@@ -0,0 +1,6 @@
+include_controls 'nginx-baseline' do
+  # skip http method control
+  skip_control 'nginx-14'
+  # skip HTTPOnly and secure cookie control
+  skip_control 'nginx-16'
+end

test/integration/default/inspec.yml

@@ -0,0 +1,4 @@
+name: nginx-hardening-integration-tests
+depends:
+  - name: nginx-baseline
+    url: https://github.com/dev-sec/nginx-baseline