diff --git a/README.md b/README.md index c1caf83..a8a1853 100644 --- a/README.md +++ b/README.md @@ -34,16 +34,16 @@ Customize your security configuration using attributes. ## Attributes Attribute | Default Value | Description ------------------------------------------------ - | ------------- | ------------------------------------------------------ +------------------------------------------------- | ------------- | ------------------------------------------------------ `default['schannel']['event_logging']['level']` | 1 | Is the URL of the package repository. `default['schannel']['cipher_order']['secure']` | true | Define the security level -`default['schannel']['protocols']['client-side']` | true | Apply the protocol configuration at the client side. +`default['schannel']['protocols_client_side']` | true | Apply the protocol configuration at the client side. Others available attributes are used to enable/disable a protocol, cipher, hash or exchange key algorithm. Please check `defaut.rb` attribute file for more details. -You can also define your own list of ciphers. -Please check `cipher.rb` attribute file for more details. +You can also define your own list of ciphers via `default['schannel']['cipher_order']['list']` attribute. +Please check `defaut.rb` attribute file for more details. ## Run list diff --git a/attributes/ciphers.rb b/attributes/ciphers.rb deleted file mode 100644 index 86f7963..0000000 --- a/attributes/ciphers.rb +++ /dev/null 
@@ -1,58 +0,0 @@
-#
-# Author:: pdeprey ()
-# Cookbook:: schannel
-# Attribute:: ciphers
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# This list is based on best practices defined in Nartac IIS Cryto:
-# Details at: https://www.nartac.com/Products/IISCrypto
-# You can use this default attribute to set your own cipher suite.
-default['schannel']['ciphers']['suites'] = %w(
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
-
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 - TLS_RSA_WITH_AES_256_GCM_SHA384 - TLS_RSA_WITH_AES_128_GCM_SHA256 - TLS_RSA_WITH_AES_256_CBC_SHA256 - TLS_RSA_WITH_AES_128_CBC_SHA256 - TLS_RSA_WITH_AES_256_CBC_SHA - TLS_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_3DES_EDE_CBC_SHA -) diff --git a/attributes/default.rb b/attributes/default.rb index ffa3f98..20fdf9d 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -23,13 +23,8 @@ # 4 Log informational and success events default['schannel']['event_logging']['level'] = 1 -# define the security cipher suite order -# 0 default (depend of windows version: https://msdn.microsoft.com/fr-fr/library/windows/desktop/aa374757(v=vs.85).aspx -# 1 secure (best practices defined in Nartac IIS Cryto: https://www.nartac.com/Products/IISCrypto) -default['schannel']['cipher_order']['secure'] = true - # Set the secure protocols at client side -default['schannel']['protocols']['client-side'] = true +default['schannel']['protocols_client_side'] = true # Protocols secure settings default['schannel']['protocols']['mupuh']['enable'] = false # Disable Multi-Protocol Unified Hello 
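Review bot: In attributes/default.rb the `+default['schannel']['protocols_client_side'] = true` line gives no reason for moving the flag out of the `protocols` hash, and the context comment above it still reads `# Set the secure protocols at client side`. The reason matters: recipes/default.rb (later in this diff) iterates `node['schannel']['protocols']` as the list of protocol names, so a flag kept under that hash is itself treated as a protocol. I'd extend the comment to `# Set the secure protocols at client side. Kept outside node['schannel']['protocols'] on purpose: the recipe iterates that hash as the protocol list.` It is also a breaking rename for wrapper cookbooks that still set `node['schannel']['protocols']['client-side']`; that value would no longer act as the flag, which deserves a line in the README or changelog.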
@@ -65,3 +60,49 @@ default['schannel']['keyexch']['diffiehellman']['enable'] = true # Enable Diffie-Hellman default['schannel']['keyexch']['pkcs']['enable'] = true # Enable PKCS default['schannel']['keyexch']['ecdh']['enable'] = true # Enable Diffie-Hellman + +# define the security cipher suite order +# 0 default (depend of windows version: https://msdn.microsoft.com/fr-fr/library/windows/desktop/aa374757(v=vs.85).aspx +# 1 secure (best practices defined in Nartac IIS Cryto: https://www.nartac.com/Products/IISCrypto) +default['schannel']['cipher_order']['secure'] = true + +# This list is based on best practices defined in Nartac IIS Cryto: +# Details at: https://www.nartac.com/Products/IISCrypto +# You can use this default attribute to set your own cipher suite. +default['schannel']['cipher_order']['list'] = %w( + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521 + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521 + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 + 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
+ TLS_RSA_WITH_AES_256_GCM_SHA384
+ TLS_RSA_WITH_AES_128_GCM_SHA256
+ TLS_RSA_WITH_AES_256_CBC_SHA256
+ TLS_RSA_WITH_AES_128_CBC_SHA256
+ TLS_RSA_WITH_AES_256_CBC_SHA
+ TLS_RSA_WITH_AES_128_CBC_SHA
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA
+)
diff --git a/libraries/registry_helper.rb b/libraries/registry_helper.rb
new file mode 100644
index 0000000..3da6a55
--- /dev/null
+++ b/libraries/registry_helper.rb
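Review bot: Joined with commas for the `Functions` value, the 35 names in the new `default['schannel']['cipher_order']['list']` (attributes/default.rb, second hunk) come to roughly 1,400 characters; Microsoft documents a 1,023-character limit for the SSL cipher suite order string, and if that limit applies to this registry-backed policy the suites past the cutoff are silently ignored — worth checking on a test node before shipping this as the default. Separately, the list that `cipher_order['secure'] = true` installs ends with six static-RSA suites and `TLS_RSA_WITH_3DES_EDE_CBC_SHA`, none of which offer forward secrecy; if they are kept for client compatibility, say so in the list, e.g. `# Suites below have no forward secrecy (3DES / static RSA); remove them via this attribute when clients allow.`, so operators read this as a compatibility baseline rather than a hardened order. The comment above `cipher_order['secure']` still describes values `0` and `1` while the attribute is a boolean; `# false: Windows default order, true: the list below` would match the code.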
@@ -0,0 +1,54 @@
+#
+# Author:: pdeprey ()
+# Cookbook:: schannel
+# Library:: registry_helper
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# this library check the correct name of channel defined in windows registry.
+def registry_name(name)
+ case name
+ # protocols
+ when 'mupuh' then 'Multi-Protocol Unified Hello'
+ when 'pct10' then 'PCT 1.0'
+ when 'ssl30' then 'SSL 3.0'
+ when 'ssl20' then 'SSL 2.0'
+ when 'tls10' then 'TLS 1.0'
+ when 'tls11' then 'TLS 1.1'
+ when 'tls12' then 'TLS 1.2'
+ # ciphers
+ when 'aes_128128' then 'AES 128/128'
+ when 'aes_256256' then 'AES 256/256'
+ when '3des_168168' then 'Triple DES 168/168'
+ when 'rc2_40128' then 'RC2 40/128'
+ when 'rc2_56128' then 'RC2 56/128'
+ when 'rc2_128128' then 'RC2 128/128'
+ when 'rc4_40128' then 'RC4 40/128'
+ when 'rc4_56128' then 'RC4 56/128'
+ when 'rc4_64128' then 'RC4 64/128'
+ when 'rc4_128128' then 'RC4 128/128'
+ when 'des_5656' then 'DES 56/56'
+ when 'null' then 'NULL'
+ # hashes
+ when 'md5' then 'MD5'
+ when 'sha' then 'SHA'
+ when 'sha256' then 'SHA256'
+ when 'sha384' then 'SHA384'
+ when 'sha512' then 'SHA512'
+ # key exchange algorithms
+ when 'diffiehellman' then 'Diffie-Hellman'
+ when 'pkcs' then 'PKCS'
+ when 'ecdh' then 'ECDH'
+ end
+end
diff --git a/recipes/default.rb b/recipes/default.rb
index 47a4841..d6ac241 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
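Review bot: `registry_name` in libraries/registry_helper.rb falls through to `nil` for any name it does not know, and the recipe (recipes/default.rb — the Protocols, Ciphers, Hashes and KeyExchangeAlgorithms hunks later in this diff) interpolates that result straight into a registry path, so a wrapper cookbook that adds an attribute key missing from this table silently produces a path such as `...\Ciphers\` with an empty segment instead of failing the run. Add an `else` branch before the inner `end`: `else raise ArgumentError, "schannel: no registry name for '#{name}'"`. As written, a bare top-level `def` in a Chef library file defines the method on `Object` for the whole run; wrapping it in a module (e.g. `module Schannel::RegistryHelper`, a constructed name) and including that into `Chef::Recipe` keeps it scoped, and a frozen hash constant would be easier to extend than a `case`.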
@@ -26,7 +26,7 @@ registry_key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' do action node['schannel']['cipher_order']['secure'] ? :create : :nothing recursive true - values [{ name: 'Functions', type: :string, data: node['schannel']['ciphers']['suites'].join(',') }] + values [{ name: 'Functions', type: :string, data: node['schannel']['cipher_order']['list'].join(',') }] end # event logging set level of debugging @@ -37,10 +37,10 @@ end # enable/disable the schannel protocols -sclist = node['schannel']['protocols']['client-side'] ? %w(Server Client) : %w(Server) +sclist = node['schannel']['protocols_client_side'] ? %w(Server Client) : %w(Server) sclist.each do |sc| node['schannel']['protocols'].each do |pname, pval| - registry_key "#{regdir}\\Protocols\\#{pname}\\#{sc}" do + registry_key "#{regdir}\\Protocols\\#{registry_name(pname)}\\#{sc}" do action :create recursive true values [ @@ -53,7 +53,7 @@ # enable/disable the schannel ciphers node['schannel']['ciphers'].each do |cname, cval| - registry_key "#{regdir}\\Ciphers\\#{cname}" do + registry_key "#{regdir}\\Ciphers\\#{registry_name(cname)}" do action :create recursive true values [{ name: 'Enabled', type: :dword, data: cval['enable'] ? 4_294_967_295 : 0 }] @@ -62,7 +62,7 @@ # enable/disable the schannel hashes node['schannel']['hashes'].each do |hname, hval| - registry_key "#{regdir}\\Hashes\\#{hname}" do + registry_key "#{regdir}\\Hashes\\#{registry_name(hname)}" do action :create recursive true values [{ name: 'Enabled', type: :dword, data: hval['enable'] ? 4_294_967_295 : 0 }] @@ -71,7 +71,7 @@ # enable/disable the schannel key exchange algorithms node['schannel']['keyexch'].each do |kname, kval| - registry_key "#{regdir}\\KeyExchangeAlgorithms\\#{kname}" do + registry_key "#{regdir}\\KeyExchangeAlgorithms\\#{registry_name(kname)}" do action :create recursive true values [{ name: 'Enabled', type: :dword, data: kval['enable'] ? 4_294_967_295 : 0 }]
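Review bot: In the first hunk of recipes/default.rb, `action node['schannel']['cipher_order']['secure'] ? :create : :nothing` makes the toggle one-way: once a node has converged with `secure` true, setting it back to false leaves the `Functions` value under the Policies key in place, so the Windows default order described as `0 default` in attributes/default.rb is never restored. If that is intended, a comment on the `action` line such as `# :nothing leaves a previously written order in place; clear the key by hand to revert` makes it explicit; otherwise the falsey branch needs a `:delete` of the `Functions` value, which I would not add without confirming the key is not also managed by Group Policy on these hosts. The `.join(',')` on the `+` line is evaluated at compile time even when the action is `:nothing`, so a wrapper that sets the list to `nil` to disable it fails the compile rather than being ignored; `Array(node['schannel']['cipher_order']['list']).join(',')` would tolerate that.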