cookbook 'os-hardening', '= 4.0.0'
os-hardening
(22) Versions
4.0.0
-
Follow41
Installs and configures operating system hardening
cookbook 'os-hardening', '= 4.0.0', :supermarket
knife supermarket install os-hardening
knife supermarket download os-hardening
os-hardening (Chef cookbook)
Description
This cookbook provides numerous security-related configurations, providing all-round base protection.
It configures:
- Configures package management e.g. allows only signed packages
- Remove packages with known issues
- Configures
pam
andpam_limits
module - Shadow password suite configuration
- Configures system path permissions
- Disable core dumps via soft limits
- Restrict Root Logins to System Console
- Set SUIDs
- Configures kernel parameters via sysctl
It will not:
- Update system packages
- Install security patches
Requirements
- Chef >= 14.0
Platform
- Debian 9
- Ubuntu 16.04, 18.04
- RHEL 6, 7
- CentOS 6, 7
- Oracle Linux 6, 7
- Fedora 28, 29
- OpenSuse Leap 42
- Amazon Linux 1, 2
Attributes
-
['os-hardening']['components'][COMPONENT_NAME]
- allows the fine control over which components should be executed via default recipe. See below for more details -
['os-hardening']['desktop']['enable'] = false
true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc -
['os-hardening']['network']['forwarding'] = false
true if this system requires packet forwarding (eg Router), false otherwise ['os-hardening']['network']['ipv6']['enable'] = false
-
['os-hardening']['network']['arp']['restricted'] = true
true if you want the behavior of announcing and replying to ARP to be restricted, false otherwise -
['os-hardening']['env']['extra_user_paths'] = []
add additional paths to the user'sPATH
variable (default is empty). ['os-hardening']['env']['umask'] = "027"
-
['os-hardening']['env']['root_path'] = "/"
where root is mounted -
['os-hardening']['auth']['pw_max_age'] = 60
maximum password age -
['os-hardening']['auth']['pw_min_age'] = 7
minimum password age (before allowing any other password change) -
['os-hardening']['auth']['pw_warn_age'] = 7
number of days before maximum password age occurs to warn of impending change -
['os-hardening']['auth']['uid_min'] = 1000
lower bound of UIDs assigned by useradd -
['os-hardening']['auth']['uid_max'] = 60000
upper bound of UIDs assigned by useradd -
['os-hardening']['auth']['gid_min'] = 1000
lower bound of GIDs assigned by groupadd -
['os-hardening']['auth']['gid_max'] = 60000
upper bound of GIDs assigned by groupadd -
['os-hardening']['auth']['retries'] = 5
the maximum number of authentication attempts, before the account is locked for some time -
['os-hardening']['auth']['lockout_time'] = 600
time in seconds that needs to pass, if the account was locked due to too many failed authentication attempts -
['os-hardening']['auth']['timeout'] = 60
authentication timeout in seconds, so login will exit if this time passes -
['os-hardening']['auth']['allow_homeless'] = false
true if to allow users without home to login -
['os-hardening']['auth']['pam']['passwdqc']['enable'] = true
true if you want to use strong password checking in PAM using passwdqc -
['os-hardening']['auth']['pam']['passwdqc']['options'] = "min=disabled,disabled,16,12,8"
set to any option line (as a string) that you want to pass to passwdqc -
['os-hardening']['auth']['pam']['passwdqc']['template_cookbook'] = 'os-hardening'
set to the name of the cookbook from which the template is obtained for the/usr/share/pam-configs/passwdqc
file -
['os-hardening']['auth']['pam']['tally2']['template_cookbook'] = 'os-hardening'
set to the name of the cookbook from which the template is obtained for the/usr/share/pam-configs/tally2
file -
['os-hardening']['auth']['pam']['system-auth']['template_cookbook'] = 'os-hardening'
set to the name of the cookbook from which the template is obtained for the/etc/pam.d/system-auth-ac
file -
['os-hardening']['security']['users']['allow'] = []
list of things, that a user is allowed to do. May contain:change_user
-
['os-hardening']['security']['kernel']['enable_module_loading'] = true
true if you want to allowed to change kernel modules once the system is running (egmodprobe
,rmmod
) -
['os-hardening']['security']['kernel']['disable_filesystems'] = ['cramfs', 'freevxfs', 'jffs2', 'hfs', 'hfsplus', 'squashfs', 'udf', 'vfat']
list of kernel file system modules, which are blacklisted for loading (e.g. they are unused and can be disabled). Set this to[]
to completely avoid this blacklisting ['os-hardening']['security']['kernel']['enable_sysrq'] = false
['os-hardening']['security']['kernel']['enable_core_dump'] = false
-
['os-hardening']['security']['suid_sgid']['enforce'] = true
true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own -
['os-hardening']['security']['suid_sgid']['blacklist'] = []
a list of paths which should have their SUID/SGID bits removed -
['os-hardening']['security']['suid_sgid']['whitelist'] = []
a list of paths which should not have their SUID/SGID bits altered -
['os-hardening']['security']['suid_sgid']['remove_from_unknown'] = false
true if you want to remove SUID/SGID bits from any file, that is not explicitly configured in ablacklist
. This will make every Chef run search through the mounted filesystems looking for SUID/SGID bits that are not configured in the default and user blacklist. If it finds an SUID/SGID bit, it will be removed, unless this file is in yourwhitelist
. -
['os-hardening']['security']['suid_sgid']['dry_run_on_unknown'] = false
likeremove_from_unknown
above, only that SUID/SGID bits aren't removed. It will still search the filesystems to look for SUID/SGID bits but it will only print them in your log. This option is only ever recommended, when you first configureremove_from_unknown
for SUID/SGID bits, so that you can see the files that are being changed and make adjustments to yourwhitelist
andblacklist
. -
['os-hardening']['security']['packages']['clean'] = true
removes packages with known issues. -
['os-hardening']['security']['packages']['list'] = ['xinetd','inetd','ypserv','telnet-server','rsh-server']
list of packages to remove, by default we remove the following packages: -
['os-hardening']['security']['selinux_mode'] = 'unmanaged'
set tounmanaged
if you want to let selinux configuration as it is. Set toenforcing
to enforce orpermissive
to permissive SELinux.
Controlling the included components
default.rb
includes other components based on the ohai autodetection attributes of your system. E.g. do not execute selinux on non-RHEL systems. You can override this behavior and force components to be executed or not via setting attributes in node['os-hardening']['components']
on the override level. Example
# some attribute file # do not include sysctl and auditd override['os-hardening']['components']['sysctl'] = false override['os-hardening']['components']['auditd'] = false # force selinux to be included override['os-hardening']['components']['selinux'] = true
In the current implementation different components are located in the different recipes. See the available recipes or default.rb
for possible component names.
Usage
Add the recipes to the run_list
, it should be last:
"recipe[os-hardening]"
Configure attributes:
"security" : {
"kernel" : {
"enable_module_loading" : true
}
},
Local Testing
Local testing
Please install chef-dk, VirtualBox or VMware Workstation and Vagrant.
Linting is checked with rubocop and foodcritic:
$ chef exec rake lint .....
Unit/spec tests are done with chefspec:
$ chef exec rake spec .....
Integration tests are done with test-kitchen and inspec:
$ chef exec rake kitchen ..... # or you can use the kitchen directly $ kitchen test
CI testing of forks
You can enable testing of your fork in Travis CI. By default you will get linting, spec tests and integration tests with kitchen-dokken.
Integration tests with kitchen-dokken do not cover everything as they run in the container environment.
Full integration tests can be executed using DigitalOcean.
If you want to have full integration tests for your fork, you will have to add following environment variables in the settings of your fork:
- DIGITALOCEAN_ACCESS_TOKEN
- access token for DigitalOcean
- CI_SSH_KEY
- private part of some ssh key, available on DigitalOcean for your instances, in base64 encoded form (e.g. cat id_rsa | base64 -w0 ; echo
)
- DIGITALOCEAN_SSH_KEY_IDS
- ID in DigitalOcean of CI_SSH_KEY
, see this for more information
Contributors + Kudos
- Dominik Richter arlimus
- Bernhard Weisshuhn bkw
- Christoph Hartmann chris-rock
- Edmund Haselwanter ehaselwanter
- Patrick Meier atomic111
- Artem Sidorenko artem-sidorenko
This cookbook is mostly based on guides by:
- Arch Linux wiki, Sysctl hardening
- Ubuntu Security/Features
- NSA: Guide to the Secure Configuration of Red Hat Enterprise Linux 5
- Deutsche Telekom, Group IT Security, Security Requirements (German)
Thanks to all of you!!
Contributing
See [contributor guideline](CONTRIBUTING.md).
License and Author
- Author:: Dominik Richter dominik.richter@googlemail.com
- Author:: Deutsche Telekom AG
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
Change Log
v4.0.0 (2019-04-10)
Closed issues:
- Deprecated feature sysctl_param used #230
Merged pull requests:
- Update of metadata with supported distros #252 (artem-sidorenko)
- Removal of config disclaimer attribute #249 (artem-sidorenko)
- Docs: update of supported distros #247 (artem-sidorenko)
- Removal of fedora 27 as its EOL #246 (artem-sidorenko)
- Removal of Ubuntu 14.04 support #245 (artem-sidorenko)
- Removal of Debian 8 as its EOL #244 (artem-sidorenko)
- CI: improvements with handling of different chef versions #243 (artem-sidorenko)
- Updates of metadata and readme #242 (artem-sidorenko)
- Eliminating spacing for alligment #241 (artem-sidorenko)
- Update of rubocop to 0.65 #240 (artem-sidorenko)
- CI: Run unit tests on chef 14, update of some gems, small cleanup #239 (artem-sidorenko)
- Remove sysctl cookbook dependency and use new native sysctl resource #228 (josqu4red)
v3.2.1 (2019-03-07)
Fixed bugs:
- execute[update-pam] resource fails on Ubuntu 14.04 on Azure #237
- exec-shield incompatible with Oracle Linux UEK #234
Merged pull requests:
- Use full path for executing pam-auth-update #238 (sean-nixon)
- Do not apply exec-shield if running Oracle Linux with UEK - addresses #234 #235 (eyespies)
v3.2.0 (2019-01-16)
Closed issues:
- PAM config prevents launching of GDM on Fedora 27 #206
- Migration to the new major sysctl cookbook version #198
Merged pull requests:
- Update the CI settings - this fixes it again #231 (artem-sidorenko)
- Update issue templates #229 (rndmh3ro)
- Fix CI: pin cucumber 3 #227 (artem-sidorenko)
- Make the daemon umask configurable #226 (jaksi)
- Ubuntu 18.04 is supported #223 (frederikbosch)
- Fix Fedora EOL #221 (artem-sidorenko)
- Fix fedora EOL in the CI #220 (artem-sidorenko)
- Fixing debian-9 CI tests #219 (artem-sidorenko)
- Fedora 26 is EOL, replacing with 28 #218 (artem-sidorenko)
- added ability to use template cookbook for login.defs #217 (ekelson-bcove)
- allow setting uid/gid max by attribute #215 (mattlqx)
- Update kitchen config for more platforms #213 (tas50)
- Add pam_systemd.so to system-auth-ac #207 (avanier)
v3.1.0 (2018-05-16)
Fixed bugs:
- fix metadata #204 (chris-rock)
Closed issues:
- earlier version #205
- Make auditd recipe optional #200
- Dependency on pinned, old version of sysctl #192
- compat_resource deprecated #186
- Usage of azure as cloud provider for CI #183
Merged pull requests:
- Test with Foodcritic 13 #212 (tas50)
- Test on Ruby 2.4.4 #211 (tas50)
- use sysctl 1.0 #210 (dhohengassner)
- added mail_dir attribute and moved component attributes to attributes… #209 (ekelson-bcove)
- improve testing around amazon linux #202 (chris-rock)
- Container support and dokken tests in travis CI #199 (artem-sidorenko)
- Lazy pin the sysctl major version #197 (artem-sidorenko)
- Feature/allow setting template source #196 (eyespies)
- Unpin sysctl dependency #195 (artem-sidorenko)
- add basic support for amazon linux #194 (chris-rock)
- Fix fedora shadow permissions #190 (artem-sidorenko)
- Fedora 25 is EOL, replacing with 27 #189 (artem-sidorenko)
- Remove dependency on compat_resource #188 (bablakely)
v3.0.0 (2017-12-21)
Closed issues:
- os-10 from linux-baseline is missing #167
- Removal of core dump hardening configuration if core dumps are allowed #165
- Integration testing of this cookbook in the CI #142
- Selinux enforcing support for RHEL/Centos? #106
- If I "enable" core dumps with chef-os-hardening, am I really fully enabling core dumps? #105
Merged pull requests:
- Skip auditd tests #181 (artem-sidorenko)
- Make fedora tests pass #179 (shoekstra)
- Control ownership of /var/log #178 (shoekstra)
- RH family: adapt some settings, as RH has better defaults #177 (artem-sidorenko)
- Fix for fedora: lets use generic package resource #176 (artem-sidorenko)
- Kitchen: Using the same names for platforms for different drivers #175 (artem-sidorenko)
- Enable core dumps if they are enabled via attribute #174 (artem-sidorenko)
- Selinux enforcing support for RHEL/Centos #173 (AnMoeller)
- Kitchen: Update of testing boxes/images #172 (artem-sidorenko)
- Lets disable unused filesystems per default #169 (artem-sidorenko)
v2.1.1 (2017-08-21)
Closed issues:
- Cookbook fails on CentOS Linux release 7.2.1511 - kernel.exec-shield #166
Merged pull requests:
- Fix: do not touch exec-shield on RHEL 7 #168 (artem-sidorenko)
v2.1.0 (2017-06-12)
Closed issues:
- Testing of chef 13 in the CI #155
- auditd package is not installed #145
- Procps conditional failing #48
Merged pull requests:
- CI: update to ruby 2.4.1 and gem update #164 (artem-sidorenko)
- Proper testing if kernel modules are disabled #163 (artem-sidorenko)
- Proper permissions for shadow on debian family #162 (artem-sidorenko)
- Support auditd installation on different distros #161 (artem-sidorenko)
- Docs: fix the wrong kitchen URL and add inspec #160 (artem-sidorenko)
- Chef 13 and 12 CI testing and cleanup of EOL distros #159 (artem-sidorenko)
- Install auditd package #158 (artem-sidorenko)
v2.0.1 (2017-04-11)
Fixed bugs:
- ['os-hardening']['desktop']['enable'] is missing in 2.0.0 #153
Merged pull requests:
- Default value for ['os-hardening']['desktop']['enable'] #154 (artem-sidorenko)
v2.0.0 (2017-04-06)
Implemented enhancements:
- Remove dependenies to apt and yum cookbooks. #132 (artem-sidorenko)
- Using braket syntax to resolve deprecation message #131 (artem-sidorenko)
- remove old content #126 (chris-rock)
- Own attribute namespace for os-hardening #114 (joshmyers)
Closed issues:
- pam_passwdqc package install idempotence #134
- Openhub is not up to date #129
- login.defs.erb contains a non-ASCII character which causes a knife cookbook upload failure #122
- fixing the 4 rspec failure #121
- pam node attribute namespace error #118
- Use travis for integration testing #115
- attributes need to be localized to the
node\['chef-os-hardening'\]
namespace #113
Merged pull requests:
- Docs: removing obsolete sysctl hint #151 (artem-sidorenko)
- Moving the attributes with dependencies on other attributes to the recipes #150 (artem-sidorenko)
- Cleanup of sysctl dependency #149 (artem-sidorenko)
- Disable entropy testing #146 (artem-sidorenko)
- Execute integration tests in DigitalOcean #144 (artem-sidorenko)
- Update of Gemfile #141 (artem-sidorenko)
- Remove dependenies to apt and yum cookbooks. #140 (artem-sidorenko)
- Update of kitchen vagrant file #139 (artem-sidorenko)
- Fix the version in metadata.rb #138 (artem-sidorenko)
- Cleanup, update of links in readme #137 (artem-sidorenko)
- Use caching to improve spec performance #136 (ncs-alane)
- Add attribute to control login.defs PASS_WARN_AGE #135 (ncs-alane)
- Revert "Remove dependenies to apt and yum cookbooks." #133 (artem-sidorenko)
- Update test-kitchen settings #130 (shortdudey123)
- Opscode => Chef #128 (shortdudey123)
- Update Rubocop, Foodcritic, and Chefspec coverage #127 (shortdudey123)
- Fix links to opensource tools in README #125 (netflash)
- FIX for issue #122 non-ASCII character #124 (atomic111)
- Update rhel_system_auth.erb #120 (phillym)
- [pam-attr-namespace-fix] #119 (rljohnsn)
- Use new InSpec integration tests #117 (chris-rock)
- Fix issues highlighted in #114 #116 (chris-rock)
v1.4.1 (2016-05-29)
Implemented enhancements:
- Update changelog #103 (chris-rock)
- added inspec to gemfile and inspec verifier to kitchen.yml #101 (atomic111)
Closed issues:
- pam recipe failing with chef client > 12.8.1 #112
- pam_passwdqc installation fails on CentOS 7.1 #102
- tests fail in travis #94
- Fails when used in conjunction with openldap::auth recipe #91
- packages with known issues are not actually removed on debian/ubuntu #90
- Actually log martians? #89
- Archlinux doesn't have a limits.d directory by default #84
- Support Centos 7 #79
Merged pull requests:
- Pam options and fixes #111 (foonix)
- Enable martian logging for ipv4 #109 (foonix)
- Initial support for CentOS/RHEL 5 #108 (foonix)
- Enable pam_pwquality in rhel-family > 7 #104 (boldandbusted)
- Fix bug in execute[update-pam] resource in newer version of Chef. #100 (patcon)
- Expose list of packages to remove as an attribute #99 (mikemoate)
- Fix pam_passwdqc template #98 (chris-rock)
- Berkshelf 4 Upgrade and Ruby 1.9.3 drop #96 (chris-rock)
- Remove packages with known issues on debian/ubuntu #93 (mikemoate)
- Add SINGLE and PROMPT parameters. #92 (foonix)
- update common kitchen.yml platforms #87 (chris-rock)
- Allow sys uid min/max and sys gid min/max to be configured #86 (joshgarnett)
- fixes #84 #85 (chris-rock)
v1.3.1 (2015-07-04)
Closed issues:
- 1.3.0 release on supermarket is broken #83
v1.3.0 (2015-06-29)
Closed issues:
- possible incompatibility with Chef client release 12.4 #82
- ERROR: No resource or method named
File' for
Chef::Recipe "sysctl"' #80 - update tutorial.md #67
- Installation doesnt work #66
Merged pull requests:
- Update sysctl.rb #81 (Rockstar04)
- feature: implement ipv6 router advertisement settings #78 (chris-rock)
- update common Gemfile for chef11+12 #77 (arlimus)
- common files: centos7 + rubocop #76 (arlimus)
- update common kitchen.yml platforms #75 (arlimus)
- update common readme badges #74 (arlimus)
- fix SUID/SGID bit cleaning API spelling (unkown -> unknown) #72 (dupuy)
- RHN config check should work #71 (rapenchukd)
- update tutorial #68 (chris-rock)
v1.2.0 (2015-01-08)
Fixed bugs:
- Chef::Exceptions::Exec: yum_package[xinetd] (os-hardening::yum line 50) #57
Closed issues:
- deactivate pw_max_age #58
- can't convert String into Integer for package 'pam-ccreds' #54
- Better error handling for cpu detection #42
- ChefSpec and Ohai/Fauxhai: cpu #41
Merged pull requests:
- updating common files #65 (arlimus)
- Idempotency #64 (rmoriz)
- Badges #63 (chris-rock)
- make uid_min and gid_min of login.defs configurable #62 (bkw)
- standalone installation needs ohai cookbook as dep #61 (aschmidt75)
- updating common files #59 (arlimus)
- fix chefspec depreciation warning about
should
#56 (bkw) - improve cpu detection and implement intel fallback #55 (chris-rock)
- updating common files #53 (arlimus)
- chefspec test for limites #52 (chris-rock)
- Introduce Chef Spec #51 (chris-rock)
- improvement: switch to site location in berkshelf #50 (chris-rock)
- bugfix: fix failing conditional for procps #49 (arlimus)
- Drop procps service #47 (bkw)
v1.1.2 (2014-09-08)
Closed issues:
- sysctl dependency #44
Merged pull requests:
- Sysctl update to 0.6.0 #46 (arlimus)
- Lint #43 (chris-rock)
- add more documentation about test run #40 (chris-rock)
v1.1.1 (2014-07-28)
v1.1.0 (2014-07-28)
Implemented enhancements:
- Conservative package update #10
Closed issues:
- Tagged Release #34
- passwordless users not able to log in #32
- remove ntp #19
- Tests for suid bits #15
- forwarding isnt configured #9
- properly handle sysctl again #8
- enfore security updates #7
- enable_sysrq-check is faulty #6
- Validate suid-bit removal from /bin/screen #5
Merged pull requests:
- updated kitchen images to current batch (mysql-equivalent) #39 (arlimus)
- intend fix #38 (chris-rock)
- fix wrong class definition #37 (arlimus)
- fix wrong class definition #36 (chris-rock)
- add commont lint task. fix issues #35 (ehaselwanter)
- update with common run_all_linters task #33 (ehaselwanter)
- add Gemfile.lock to ignore list and remove it from tree #31 (ehaselwanter)
- streamline .rubocop config #30 (ehaselwanter)
- bugfix: make sysctl arp restrictions apply to all #29 (arlimus)
- Lint #28 (chris-rock)
- various rubocop style fixes #27 (ehaselwanter)
- fix FC019: Access node attributes in a consistent manner, use single quotes #26 (ehaselwanter)
- make kitchen run optional, ignore shred test repo #25 (ehaselwanter)
- changed the log_martians value to 0 in attributes/sysctl.rb #24 (atomic111)
- improvement: clarify SUID/SGID options in readme #23 (arlimus)
- be more forgiving and relax rubocop #22 (ehaselwanter)
- add linting, spec, guard infrastructure as well as config files #21 (ehaselwanter)
- remove ntp #20 (arlimus)
- new gem release for sharing just the integration folder #18 (ehaselwanter)
- Use shared test-repo #17 (ehaselwanter)
- improvement: move /usr/bin/screen to SGID whitelisting #14 (arlimus)
- Packages #12 (chris-rock)
- sysctl fixes #11 (arlimus)
- Contributing guide #4 (arlimus)
- Bugfix: broken link for debian wheezy vagrant box in .kitchen.yml and also broken link for NSA RedHat security guide in README.md #3 (atomic111)
- add license and improve styling #2 (chris-rock)
- Fix: markdown fix in TUTORIAL.md #1 (atomic111)
* This Change Log was automatically generated by github_changelog_generator
Collaborator Number Metric
4.0.0 passed this metric
Contributing File Metric
4.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
4.0.0 passed this metric
No Binaries Metric
4.0.0 passed this metric
Testing File Metric
4.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
4.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
4.0.0 passed this metric
4.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
4.0.0 passed this metric
No Binaries Metric
4.0.0 passed this metric
Testing File Metric
4.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
4.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
4.0.0 passed this metric
4.0.0 passed this metric
Testing File Metric
4.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
4.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
4.0.0 failed this metric
4.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number