cookbook 'bastion', '= 3.1.0'
The bastion cookbook has been deprecated
Author provided reason for deprecation:
The bastion cookbook has been deprecated and is no longer being maintained by its authors. Use of the bastion cookbook is no longer recommended.
bastion (15) Versions 3.1.0 Follow1
Configures a node to be a bastion host
cookbook 'bastion', '= 3.1.0', :supermarket
knife supermarket install bastion
knife supermarket download bastion
Bastion Cookbook
A Chef cookbook for configuring a server to be used as a bastion host for
remote access to and administration of an otherwise walled-off network.
Requirements
This cookbook is written to hopefully work on, or be expandable to, other
distros, but is currently only tested against Ubuntu Linux.
As of v2.0.0, this cookbook requires Chef 12.5 or higher due to its dependency
on the docker cookbook.
Usage
Override any included attributes as needed and add bastion
to your run_list.
Recipes
default
Refreshes the APT cache and configures the firewall and remote desktop (below).
dev_tools
Installs certain base dev tools--currently Git, Ruby, and Docker.
firewall
If the firewall enabled attribute is set to true (the default), enables the
system firewall and pokes holes in it for SSH (port 22) from an
attribute-specified set of trusted networks.
If the firewall is not set to enabled, it disables it.
remote_desktop
Installs X2go, Google Chrome, and Firefox.
logging
Installs + enables + starts Auditd, using rules based on the base STIG
ruleset.
greeting
Adds a configurable MOTD-style greeting for system users that (by default)
requires a user interaction before the session will continue.
Attributes
default
default['bastion']['firewall']['enabled'] = true
Whether or not the system firewall should be enabled. This can be overridden to
false if, for example, port access is instead being handled solely in your
cloud provider's security configuration.
default['bastion']['firewall']['trusted_networks'] = %w(
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
)
The set of CIDR ranges to allow access from in the system firewall.
default['bastion']['greeting']['message'] = '...'
default['bastion']['greeting']['require_response'] = true
The greeting message can be customized as you see fit and the user interaction
requirement disabled if needed.
default['bastion']['docker']['options'] = {
'bip' => '172.17.0.1/16',
'dns' => '172.17.0.1'
}
default['dnsmasq_local']['config']['interface'] = 'docker0'
Use a local instance of dnsmasq as the DNS server for running Docker containers.
Set any additional keys+values under this attribute for them to be passed on
to the underlying docker_service
resource.
default['bastion']['docker']['images'] = {}
Override with a set of image_name => true
keys+values if you want Docker to
pull in a base set of images.
Contributing
- Fork it
- Create your feature branch (
git checkout -b my-new-feature
) - Add tests for the new feature; ensure they pass (
rake
) - Commit your changes (
git commit -am 'Add some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create a new Pull Request
License & Authors
- Author: Jonathan Hartman jonathan.hartman@socrata.com
Copyright 2015-2016, Socrata, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
firewall ~> 2.5 |
x2go-server ~> 1.0 |
snoopy ~> 1.0 |
java ~> 1.35 |
motd ~> 0.6 |
docker ~> 2.6 |
dnsmasq-local ~> 0.4 |
Contingent cookbooks
There are no cookbooks that are contingent upon this one.
Bastion Cookbook CHANGELOG
v3.1.0 (2016-07-18)
- Use Dnsmasq dynamic binding option to avoid race conditions with Docker
- Remove direct dependency on the apt cookbook
v3.0.1 (2016-06-03)
- Make the greeting output great (and colorized) again
v3.0.0 (2016-06-03)
- Convert the MOTD into an interactive user greeting
v2.1.0 (2016-05-19)
- Offer an attribute-y means of passing in Docker options
- Install dnsmasq and use it for Docker's DNS queries
v2.0.0 (2016-05-16)
- Install Docker and optionally pull in some images
- Drop compatibility with Chef 11
- Update apt, firewall, and x2go-server dependencies
v1.1.0 (2016-05-06)
- Add a configurable MOTD
v1.0.0 (2015-10-26)
- Replace Auditd with Snoopy for logging execve calls
- Install Oracle Java with the other dev tools
v0.3.0 (2015-10-08)
- Install a limited set of dev tools--Git and Ruby
v0.2.0 (2015-09-25)
- Install auditd and log all of the things
v0.1.0 (2015-09-16)
- Initial release; Ubuntu only
v0.0.1 (2015-09-04)
- Development started
Collaborator Number Metric
3.1.0 failed this metric
Failure: Cookbook has 1 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Foodcritic Metric
3.1.0 passed this metric
3.1.0 failed this metric
3.1.0 passed this metric