Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status

RSS

schannel (2) Versions 1.0.1

Chef cookbook to manage your windows security channels.

Policyfile
Berkshelf
Knife
cookbook 'schannel', '~> 1.0.1', :supermarket
cookbook 'schannel', '~> 1.0.1'
knife supermarket install schannel
knife supermarket download schannel
README
Dependencies
Changelog
Quality 33%

schannel Cookbook

This cookbook manage the windows security channels.

Requirements

Platforms

  • Windows 2008+

Chef

  • Chef 12.6+

Recipes

  • default: The default recipe configure the security channel.
  • unset: This recipe restore the default windows configuration.

Usage

This cookbook provides a default recipe to manage security channels on windows servers:
- Protocols (SSL, TLS)
- Ciphers (rc2, rc4, AES, DES)
- Hashes (MD5, SHA)
- Key Exchange Algorithms (PCKS,ECDH, Diffie-Hellman)

Add the schannel::default recipe in your run list to set the security best practises configuration.
Use the schannel::unset to restore the default windows configuration.
Customize your security configuration using attributes.

Attributes

Here the main attributes to manage windows schannel:

Attribute Default Value Description
default['schannel']['event_logging']['level'] 1 The level of schannel logging in Windows Event Viewer.
default['schannel']['cipher_order']['secure'] true Apply a secure list of ciphers.
default['schannel']['protocols_client_side'] true Apply the protocol configuration at the client side.

Others available attributes are used to enable/disable a protocol, cipher, hash or exchange key algorithm:

Attribute Default Value Description
default['schannel']['protocols']['mupuh']['enable'] false Enable/Disable protocol Multi-Protocol Unified Hello.
default['schannel']['protocols']['pct10']['enable'] false Enable/Disable protocol PCT 1.0.
default['schannel']['protocols']['ssl30']['enable'] false Enable/Disable protocol SSL 3.0.
default['schannel']['protocols']['ssl20']['enable'] false Enable/Disable protocol SSL 2.0.
default['schannel']['protocols']['tls10']['enable'] true Enable/Disable protocol SSL/TLS 1.0.
default['schannel']['protocols']['tls11']['enable'] true Enable/Disable protocol SSL/TLS 1.1.
default['schannel']['protocols']['tls12']['enable'] true Enable/Disable protocol SSL/TLS 1.2.
default['schannel']['ciphers']['aes_128128']['enable'] true Enable/Disable cipher AES 128/128.
default['schannel']['ciphers']['aes_256256']['enable'] true Enable/Disable cipher AES 256/256.
default['schannel']['ciphers']['3des_168168']['enable'] true Enable/Disable cipher 3DES 168/168.
default['schannel']['ciphers']['rc2_40128']['enable'] false Enable/Disable cipher RC2 40/128.
default['schannel']['ciphers']['rc2_56128']['enable'] false Enable/Disable cipher RC2 56/128.
default['schannel']['ciphers']['rc2_128128']['enable'] false Enable/Disable cipher RC2 128/128.
default['schannel']['ciphers']['rc4_40128']['enable'] false Enable/Disable cipher RC4 40/128.
default['schannel']['ciphers']['rc4_56128']['enable'] false Enable/Disable cipher RC4 56/128.
default['schannel']['ciphers']['rc4_64128']['enable'] false Enable/Disable cipher RC4 64/128.
default['schannel']['ciphers']['rc4_128128']['enable'] false Enable/Disable cipher RC4 128/128.
default['schannel']['ciphers']['des_5656']['enable'] false Enable/Disable cipher DES 56/56.
default['schannel']['ciphers']['null']['enable'] false Enable/Disable cipher NULL.
default['schannel']['hashes']['md5']['enable'] false Enable/Disable hash MD5.
default['schannel']['hashes']['sha']['enable'] true Enable/Disable hash SHA-1.
default['schannel']['hashes']['sha256']['enable'] true Enable/Disable hash SHA-256.
default['schannel']['hashes']['sha384']['enable'] true Enable/Disable hash SHA-384.
default['schannel']['hashes']['sha512']['enable'] true Enable/Disable hash SHA-512.
default['schannel']['keyexch']['diffiehellman']['enable'] true Enable Diffie-Hellman.
default['schannel']['keyexch']['pkcs']['enable'] true Enable PKCS.
default['schannel']['keyexch']['ecdh']['enable'] true Enable ECDH.

You can also define your own list of ciphers via default['schannel']['cipher_order']['list'] attribute:

default['schannel']['cipher_order']['list'] = %w(
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
  TLS_RSA_WITH_AES_256_GCM_SHA384
  TLS_RSA_WITH_AES_128_GCM_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA256
  TLS_RSA_WITH_AES_128_CBC_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
)

Please check defaut.rb attribute file for a global view of attributes.

Run list

schannel::default

Just include schannel in your node's run_list:

{
  "name":"my_node",
  "run_list": [
    "recipe[schannel]"
  ]
}

License and Authors

Copyright:: 2016-2017, pde159

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

There are no cookbooks that are contingent upon this one.

schannel Cookbook CHANGELOG

This file is used to list changes made in each version of the schannel cookbook.

v1.0.1 (2017-04-12)

  • Add info to README.

v1.0.0 (2017-04-10)

  • Initial release of schannel cookbook.

Collaborator Number Metric
            

1.0.1 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric
            

1.0.1 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric
            

1.0.1 passed this metric

No Binaries Metric
            

1.0.1 passed this metric

Testing File Metric
            

1.0.1 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric
            

1.0.1 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number