From 944a1a2c3e3487ab475ec77df9a7081e659814bb Mon Sep 17 00:00:00 2001 From: Artem Sidorenko Date: Tue, 31 Oct 2017 13:48:13 +0100 Subject: [PATCH] RH family: adapt some settings, as RH has better defaults https://github.com/dev-sec/linux-baseline/pull/82 Signed-off-by: Artem Sidorenko --- attributes/default.rb | 15 ++++++++++++--- recipes/minimize_access.rb | 6 +++++- 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/attributes/default.rb b/attributes/default.rb
index 60ae09ae..2cb5a212 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -65,7 +65,6 @@
 default['os-hardening']['network']['ipv6']['enable'] = false
 default['os-hardening']['network']['arp']['restricted'] = true
 default['os-hardening']['env']['extra_user_paths'] = []
-default['os-hardening']['env']['umask'] = '027'
 default['os-hardening']['env']['root_path'] = '/'
 default['os-hardening']['auth']['pw_max_age'] = 60
 default['os-hardening']['auth']['pw_min_age'] = 7 # discourage password cycling
@@ -80,11 +79,21 @@
 default['os-hardening']['auth']['root_ttys'] = %w[console tty1 tty2 tty3 tty4 tty5 tty6]
 default['os-hardening']['auth']['uid_min'] = 1000
 default['os-hardening']['auth']['gid_min'] = 1000
-default['os-hardening']['auth']['sys_uid_min'] = 100
 default['os-hardening']['auth']['sys_uid_max'] = 999
-default['os-hardening']['auth']['sys_gid_min'] = 100
 default['os-hardening']['auth']['sys_gid_max'] = 999
 
+# RH has a bit different defaults on some places
+case node['platform_family']
+when 'rhel', 'fedora'
+ default['os-hardening']['env']['umask'] = '077'
+ default['os-hardening']['auth']['sys_uid_min'] = 201
+ default['os-hardening']['auth']['sys_gid_min'] = 201
+else
+ default['os-hardening']['env']['umask'] = '027'
+ default['os-hardening']['auth']['sys_uid_min'] = 100
+ default['os-hardening']['auth']['sys_gid_min'] = 100
+end
+
 # may contain: change_user
 default['os-hardening']['security']['users']['allow'] = []
 default['os-hardening']['security']['kernel']['enable_module_loading'] = true
diff --git a/recipes/minimize_access.rb b/recipes/minimize_access.rb
index 0bcae23e..bae4b889 100644
--- a/recipes/minimize_access.rb
+++ b/recipes/minimize_access.rb
@@ -33,7 +33,11 @@
 # (otherwise screensavers might break etc)
 file '/etc/shadow' do
 owner 'root'
- if node['platform_family'] == 'debian'
+ case node['platform_family']
+ when 'rhel', 'fedora'
+ group 'root'
+ mode '0000'
+ when 'debian'
 group 'shadow'
 mode '0640'
 else
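Review bot: The `when 'rhel', 'fedora'` branch in the new `case node['platform_family']` covers only those two families, so an RH-derived platform that Chef reports under another family name (Amazon Linux is `amazon` on recent Chef, if I recall correctly) silently falls into `else` and gets `sys_uid_min`/`sys_gid_min` of 100 and umask `027` instead of the values this commit picked for RH; confirm that is intended or widen the list. The comment `# RH has a bit different defaults on some places` also does not record where `201` and `077` come from, which matters because a later edit cannot tell whether lowering them loosens the vendor baseline; I would write `# Mirror the RH-family login.defs defaults (SYS_UID_MIN/SYS_GID_MIN 201, UMASK 077) rather than relaxing them` — presumably those are the shipped values, which the hunk itself does not show. Note that the `else` branch carries the previous unconditional values, so non-RH behaviour is unchanged.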
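Review bot: The platform list `when 'rhel', 'fedora'` is now duplicated between this recipe and `attributes/default.rb`, and the two will drift if one is later extended to another RH-derived family and the other is not, leaving `/etc/shadow` permissions following one platform's rules while the umask and system-UID attributes follow another's. Consider deriving the decision from a single attribute or a small helper such as `rh_family?` so both places agree. Setting `group 'root'` and `mode '0000'` on `/etc/shadow` is stricter than the Debian `0640` root:shadow branch and, as far as I remember the RH packaging, matches what the vendor ships; a comment on the new branch, e.g. `# RH ships /etc/shadow as 0000 root:root; keep the vendor default`, would stop the next reader from "fixing" it to 0600. The `else` branch and the `end` of the `file '/etc/shadow'` block are outside the hunk.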