Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status


stig (39) Versions 1.0.2

Installs/Configures CIS STIG benchmarks

cookbook 'stig', '~> 1.0.2', :supermarket
cookbook 'stig', '~> 1.0.2'
knife supermarket install stig
knife supermarket download stig
Quality 33%

STIG Cookbook

Build Status

Installs and configures the CIS CentOS Linux 6 and 7 benchmarks.

These sets of recipes aim to harden the operating system in order to pass all
scored CIS benchmarks and optionally all unscored CIS benchmarks.

More information about CIS benchmarks may be found at



  • CentOS >= 6.6
  • CentOS >= 7.1


  • auditd ~> 2.3.4
  • logrotate ~> 2.2.0
  • rsyslog ~> 6.0.7



  • node['stig']['grub']['hashedpassword'] = The hashed grub password to use. Ex: openssl passwd -1 ChangeMe (String (MD5 Hash))

  • node['stig']['limits'] = A hash of items that go into /etc/security/limits.conf (Array of Hashes of Hashes)

  • node['stig']['aide']['config_file'] = (String) Specifies the location of the AIDE configuration file. Default: '/etc/aide.conf'

  • node['stig']['aide']['dbdir'] = (String) Defines the DBDIR macro that is used set the location of the database. Default: '/var/lib/aide'

  • node['stig']['aide']['logdir'] = (String) Defines the LOGDIR macro that is used set the location of the AIDE log file. Default: '/var/log/aide'

  • node['stig']['aide']['database'] = (String) Specifies the location of the database to read. Default: 'file:@@{DBDIR}/aide.db.gz'

  • node['stig']['aide']['database_out'] = (String) Specifies the location of the database to be created/updated. Default: 'file:@@{DBDIR}/'

  • node['stig']['aide']['gzip_dbout'] = (Boolean) Specifies whether the database is gzipped when created/updated. Default: true

  • node['stig']['aide']['verbose'] = (Integer 0-255) Specifies the level of the messages that are written out. Default: 5

  • node['stig']['aide']['report_url'] = (Array of Strings) Specifies where the output is sent. Default: [ 'file:@@{LOGDIR}/aide.log', 'stdout' ]

  • node['stig']['aide']['rules'] = (Hash) Defines additional rules to be used. The hash entry is in the form of Rule Name => definition. Default: See]

  • node['stig']['aide']['paths'] = (Hash) Defines additional paths to add to the database along with the rules to apply to that path. The hash entry is in the form of path => rule. If rule is '!', then the entry is written to aide.conf as '!path'. Default: See

  • node['stig']['auditd'] = See: Auditd Configuration

  • node['stig']['mount_disable']['cramfs'] = Disable cramfs filesystem (Boolean)

  • node['stig']['mount_disable']['freevxfs'] = Disable freevxfs filesystem (Boolean)

  • node['stig']['mount_disable']['jffs2'] = Disable jffs2 filesystem (Boolean)

  • node['stig']['mount_disable']['hfs'] = Disable hfs filesystem (Boolean)

  • node['stig']['mount_disable']['hfsplus'] = Disable hfsplus filesystem (Boolean)

  • node['stig']['mount_disable']['squashfs'] = Disable squashfs filesystem (Boolean)

  • node['stig']['mount_disable']['udf'] = Disable udf filesystem (Boolean)

  • node['stig']['mail_transfer_agent']['inet_interfaces'] = Configure Mail Transfer Agent for Local-Only Mode - If the system is intended to be a mail server, change from "localhost" (String)

  • node['stig']['network']['zeroconf'] = Disable Avahi Server (true = disabled, false = enabled) (Boolean)

  • node['stig']['network']['ip_forwarding'] = Disable IP Forwarding (true = enabled, false = disabled) (Boolean)

  • node['stig']['network']['packet_redirects'] = Disable Send Packet Redirects (true = enabled, false = disabled) (Boolean)

  • node['stig']['network']['icmp_redirect_accept'] = Disable ICMP Redirect Acceptance (true = enabled, false = disabled) (Boolean)

  • node['stig']['network']['icmp_all_secure_redirect_accept'] = Disable Secure ICMP Redirect Acceptance (true = enabled, false = disabled) (

  • node['stig']['network']['log_suspicious_packets'] = Log Suspicious Packets (true = enabled, false = disabled) (Boolean)

  • node['stig']['network']['rfc_source_route_validation'] = Enable RFC-recommended Source Route Validation (true = enabled, false = disabled) (Boolean)

  • node['stig']['network']['ipv6_redirect_accept'] = Disable IPv6 Redirect Acceptance (true = enabled, false = disabled) (Boolean)

  • node['stig']['network']['hosts_allow'] = Create /etc/hosts.allow - An array of <net>/<mask> combinations or 'ALL' (Array of String)

  • node['stig']['network']['hosts_deny'] = Create /etc/hosts.deny - An array of <net>/<mask> combinations or 'ALL' (Array of String)

  • node['stig']['network']['disable_dcpp'] = Disable DCCP (true = disable, false = enable) (Boolean)

  • node['stig']['network']['disable_sctp'] = Disable SCTP (true = disable, false = enable) (Boolean)

  • node['stig']['network']['disable_rds'] = Disable RDS (true = disable, false = enable) (Boolean)

  • node['stig']['network']['disable_tipc'] = Disable TIPC (true = disable, false = enable) (Boolean)

  • node['stig']['network']['ipv6'] = Disable IPV6 ("no" = disable, "yes" = enable) (String)

( See )
- node['sysctl']['*'] = Sets configuration in sysctl config file. See default attributes.

  • node['stig']['logging']['rsyslog_rules'] = Configure /etc/rsyslog.conf - Include rules for logging in array with space separating rule with log location (Array of String)

  • node['stig']['logging']['rsyslog_rules_rhel'] = Configure /etc/rsyslog.conf for RHEL - Include rules for logging in array with space separating rule with log location (Array of String)

  • node['stig']['logging']['rsyslog_rules_debian'] = Configure /etc/rsyslog.conf for Debian - Include rules for logging in array with space separating rule with log location (Array of String)

  • node['stig']['selinux']['enabled'] = By default, SELinux is enabled. However, there may be reasons to shut it off (Boolean)

  • node['stig']['selinux']['status'] = Possible values: enforcing, permissive (String)

  • node['stig']['selinux']['type'] = Possible values: targeted, mls (String)

  • node['stig']['sshd_config']['allow_agent_forwarding'] = (String) Specifies whether ssh-agent forwarding is permitted. Default: 'yes'

  • node['stig']['sshd_config']['allow_tcp_forwarding'] = Specifies whether TCP forwarding is permitted. Default: yes (String)

  • node['stig']['sshd_config']['allow_users_set_env_opts'] = (String) Allow Users to Set Environment Options. Default: 'no'

  • node['stig']['sshd_config']['authentication_methods'] = Specifies the authentication methods that must be successfully completed for a
    user to be granted access.This option must be followed by one or more comma-separated
    lists ofauthentication method names.Successful authentication requires completion
    of every method in at leastone of these lists.
    This option is only available for SSH protocol 2. Default: [] (Array, String)

  • node['stig']['sshd_config']['authorized_keys_command'] = Specifies a program to be used to look up the user's public keys. Default: '' (String)

  • node['stig']['sshd_config']['authorized_keys_command_user'] = Specifies the user under whose account the AuthorizedKeysCommand is run.It is recommended to use a dedicated user that has no other role on the hostthan running authorized keys commands. Default: '' (String)

  • node['stig']['sshd_config']['authorized_keys_file'] = Specifies the file that contains the public keys that can be used for user authentication. Default: '.ssh/authorized_keys' (String)

  • node['stig']['sshd_config']['authorized_keys_command_run_as'] = Specifies the user under whose account the AuthorizedKeysCommand is run. Default: '' (String)

  • node['stig']['sshd_config']['authorized_principals_file'] = Specifies a file that lists principal names that are accepted for certificate authentication. Default: 'none' (String)

  • node['stig']['sshd_config']['chroot_directory'] = Specifies the pathname of a directory to chroot to after authentication. Default: 'none' (String)

  • node['stig']['sshd_config']['client_alive_count_max'] = Sets the number of client alive messages which may besent without sshd receiving any messages back from the client. Default: '3' (String)

  • node['stig']['sshd_config']['client_alive_interval'] = Sets a timeout interval in seconds after which if no data has been received from the client. Default: '0' (String)

  • node['stig']['sshd_config']['compression'] = Specifies whether compression is allowed, or delayed untilt he user has authenticated successfully. The argument must be 'yes' 'delayed' or 'no'. Default: 'delayed' (String)

  • node['stig']['sshd_config']['force_command'] = Forces the execution of the command specified by ForceCommand ignoring any command supplied by the client and ~/.ssh/rc if present. Default: '' (String)

  • node['stig']['sshd_config']['gateway_ports'] = Specifies whether remote hosts are allowed to connect to ports forwarded for the client. (String), Default: 'no'

  • node['stig']['sshd_config']['gss_api_authentication'] = (String) Specifies whether user authentication based on GSSAPI is allowed. Note that this option applies to protocol version 2 only. Default: 'no'

  • node['stig']['sshd_config']['gss_api_key_exchange'] = (String) Allow GSSAPI user authentication using the 'gssapi-with-mic' mechanism. Default: 'no'

  • node['stig']['sshd_config']['gss_cleanup_credentials'] = (String) Specifies whether to automatically destroy the user's credentials cache on logout. Default: 'yes'

  • node['stig']['sshd_config']['gss_api_store_credentials_on_rekey'] = (String) Controls whether the user's GSSAPI credentials should be updated following a successful connection rekeying. Default: 'no'

  • node['stig']['sshd_config']['gss_api_strict_acceptor_check'] = (String) Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. Default: 'yes'

  • node['stig']['sshd_config']['host_based_auth'] = (String) Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). Default: 'no'

  • node['stig']['sshd_config']['host_based_uses_name_from_packet_only'] = (String) Specifies whether or not the server will attempt to perform a reversename lookup when matching the name in the ~/.shosts ~/.rhosts and/etc/hosts.equiv files during HostbasedAuthentication, Default: 'no'

  • node['stig']['sshd_config']['host_certificate'] = Specifies a file containing a public host certificate (String), Default: ''

  • node['stig']['sshd_config']['ignore_rhosts'] = (String) Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthenticationorHostbasedAuthentication, Default: 'yes'

  • node['stig']['sshd_config']['ignore_user_known_hosts'] = (String) Specifies whether sshd should ignore the user's ~/.ssh/known_hosts during RhostsRSAAuthenticationorHostbasedAuthentication. Default: 'no'

  • node['stig']['sshd_config']['kerberos_authentication'] = (String) Specifies whether the password provided by the user for PasswordAuthentication will be validated through the Kerberos KDC, Default: 'no'

  • node['stig']['sshd_config']['kerberos_or_local_passwd'] = (String) If set then if password authentication through Kerberos fails then the password will be validated via any additional local mechanism such as /etc/passwd, Default: 'yes'

  • node['stig']['sshd_config']['kerberos_ticket_cleanup'] = (String) Specifies whether to automatically destroy the user's ticket cache file on logout. Default: 'yes'

  • node['stig']['sshd_config']['kerberos_use_kuserok'] = (String) Specifies whether to look at .k5login file for user's aliases. Default: 'yes'

  • node['stig']['sshd_config']['key_regeneration_interval'] = In protocol version 1, the ephemeral server key is automatically regenerated after this many seconds (if it has been used). (String), Default: '3600'

  • node['stig']['sshd_config']['login_grace_time'] = The server disconnects after this time if the user has not successfully logged in. (String), Default: '120'

  • node['stig']['sshd_config']['log_level'] = Gives the verbosity level that is used when logging messages from sshd. Default: INFO (String)

  • node['stig']['sshd_config']['macs'] = Specifies the available MAC (message authentication code) algorithms. Default: 'hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96' (String)

  • node['stig']['sshd_config']['max_startups'] = Specifies the maximum number of concurrent unauthenticated connections to the sshd daemon. Default: '10:30:60' (String)

  • node['stig']['sshd_config']['max_auth_tries'] = SSHd Max auth tries (Integer)

  • node['stig']['sshd_config']['max_sessions'] = Specifies the maximum number of open sessions permitted per network connection (String), Default: '10'

  • node['stig']['sshd_config']['password_authentication'] = (String) Specifies whether password authentication is allowed. Default: 'yes'

  • node['stig']['sshd_config']['port'] = SSHd daemon port. Default: ['22'] (Array, String)

  • node['stig']['sshd_config']['permit_root_login'] = (String) Allow SSH root login. Default: 'no'

  • node['stig']['sshd_config']['permit_empty_passwords'] = (String) Allow SSH to permit empty passwords. Default: 'no'

  • node['stig']['sshd_config']['pid_file'] = Specifies the file that contains the process ID of the sshd daemon (String), Default: '/var/run/'

  • node['stig']['sshd_config']['print_last_log'] = (String) Specifies whether sshd should print the date and time when the user last logged in. Default: 'yes'

  • node['stig']['sshd_config']['print_motd'] = (String) Specifies whether sshd should print /etc/motd when a user logs in interactively. Default: 'yes'

  • node['stig']['sshd_config']['protocol'] = Specifies the protocol versions sshd supports. (String), Default: '2'

  • node['stig']['sshd_config']['pub_key_authentication'] = (String) Specifies whether public key authentication is allowed. Note that this option applies to protocol version 2 only. Default: 'yes'

  • node['stig']['sshd_config']['rhosts_rsa_authentication'] =(String) Specifies whether rhosts or /etc/hosts.equiv authentication. This option applies to protocol version 1 only. Default: 'no'

  • node['stig']['sshd_config']['rsa_authentication'] = (String) Specifies whether pure RSA authentication is allowed. This option applies to protocol version 1 only. Default: 'no'

  • node['stig']['sshd_config']['server_key_bits'] = Defines the number of bits in the ephemeral protocol version 1 server key. This option applies to protocol version 1 only. (String), Default: '768'

  • node['stig']['sshd_config']['show_patch_level'] = (String) Specifies whether sshd will display the patch level of the binary in the identification string This option applies to protocol version 1 only. Default: 'no'

  • node['stig']['sshd_config']['strict_modes'] = (String) Specifies whether sshd should check file modes and ownership of the user's files and home directory before accepting login. Default: 'yes'

  • node['stig']['sshd_config']['subsystem'] = Configures an external subsystem (e.g., file transfer daemon). (String), Default: 'sftp /usr/libexec/openssh/sftp-server'

  • node['stig']['sshd_config']['syslog_facility'] = Gives the facility code that is used when logging messages from sshd. (String), Default: 'AUTHPRIV'

  • node['stig']['sshd_config']['tcp_keepalive'] = (String) Specifies whether the system should send TCP keepalive messages to the other side. Default: 'yes'

  • node['stig']['sshd_config']['use_dns'] = (String) Specifies whether sshd should lookup the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. Default: 'no'

  • node['stig']['sshd_config']['use_login'] = (String) Specifies whether login is used for interactive login sessions. Default: 'no'

  • node['stig']['sshd_config']['use_privilege_separation'] = (String) Specifies whether sshd separates privileges by creating an unprivileged child process to deal with incoming network traffic. Default: 'yes'

  • node['stig']['sshd_config']['version_addendum'] = Specifies a string to append to the regular version string to identify OS- or site-specific modifications (String), Default: ''

  • node['stig']['sshd_config']['x_11_display_offset'] = Specifies the first display number available for sshd's X11 forwarding. (Integer), Default: 10

  • node['stig']['sshd_config']['x_11_forwarding'] = (String) Specifies whether X11 forwarding is permitted. Default: 'yes'

  • node['stig']['sshd_config']['x_11_use_local_host'] = (String) Specifies whether sshd should bind the X11 forwarding server to the loopback address or to the wildcard address. Default: 'yes'

  • node['stig']['sshd_config']['x_auth_location'] = Specifies the full pathname of the xauth program (String), Default: ''

  • node['stig']['sshd_config']['banner_path'] = Set SSH login banner path (String)

  • node['stig']['sshd_config']['deny_users'] = List of users to deny SSH login to (Array of String)

  • node['stig']['sshd_config']['accept_env'] = Specifies what environment variables sent by the client will be copied into the session's environ. See: (Array, String), Default: Multiple

  • node['stig']['sshd_config']['address_family'] = Specifies which address family should be used by sshd(8). Valid arguments are 'any', 'inet' (use IPv4 only), or 'inet6' (use IPv6 only). (String), Default: any

  • node['stig']['sshd_config']['listen_address'] = Specifies the local addresses sshd(8) should listen on. (Array, String), Default: ['']

  • node['stig']['sshd_config']['host_key'] = pecifies a file containing a private host key used by SSH. (Array, String), Default: [

  • node['stig']['system_auth']['pass_reuse_limit'] = Limit password reuse - Represents the amount of passwords the user is forced to not reuse (Integer)

  • node['stig']['login_defs']['pass_max_days'] = Password expiration in days (Integer)

  • node['stig']['login_defs']['pass_min_days'] = Minimum wait time, in days, before changing password (Integer)

  • node['stig']['login_defs']['pass_warn_age'] = Number of days before password expires where system begins warning user (Integer)

  • node['stig']['login_banner']['motd'] = Login banner (String)

  • node['stig']['login_banner']['issue'] = Login banner (String)

  • node['stig']['login_banner']['issue_net'] = Login banner (String)

Configure postfix - See default attributes file for longer explanation

  • node["stig"]["mail_transfer_agent"]["inet_interfaces"] = The address the the mail transfer agent should listen on (Array of String). NOTE: Deprecated. Use default['stig']['postfix']['inet_interfaces'] instead

  • node["stig"]["postfix"]["inet_interfaces"] = The inet_interfaces parameter specifies the network interface addresses that this mail system receives mail on. (Array of String). Default: ['localhost']

  • node["stig"]["postfix"]["soft_bounce"] = Mail will remain queued that would otherwise bounce (String). Default: 'no'

  • node["stig"]["postfix"]["queue_directory"] = Specifies the location of the Postfix queue (String). Default: '/var/spool/postfix'

  • node["stig"]["postfix"]["command_directory"] = The command_directory parameter specifies the location of all postXXX commands. (String). Default: '/usr/sbin'

  • node["stig"]["postfix"]["daemon_directory"] = The daemon_directory parameter specifies the location of all Postfix daemon programs. (String). Default: '/usr/libexec/postfix'

  • node["stig"]["postfix"]["data_directory"] = The data_directory parameter specifies the location of Postfix-writable data files. (String). Default: '/var/lib/postfix'

  • node["stig"]["postfix"]["mail_owner"] = The mail_owner parameter specifies the owner of the Postfix queue and of most Postfix daemon processes. (String). Default: 'postfix'

  • node["stig"]["postfix"]["default_privs"] = The default_privs parameter specifies the default rights used by the local delivery agent for delivery to external file or command. (String). Default: 'nobody'

  • node["stig"]["postfix"]["myhostname"] = The myhostname parameter specifies the internet hostname of this mail system. (Array of String). Default: []

  • node["stig"]["postfix"]["mydomain"] = The mydomain parameter specifies the local internet domain name. (String). Default: ''

  • node["stig"]["postfix"]["myorigin"] = The myorigin parameter specifies the domain that locally-posted mail appears to come from. (Array of String). Default: []

  • node["stig"]["postfix"]["inet_interfaces"] = Enable IPv4, and IPv6 if supported. (String). Default: 'ipv4'

  • node["stig"]["postfix"]["proxy_interfaces"] = The proxy_interfaces parameter specifies the network interface addresses that this mail system receives mail on by way of a proxy or network address translation unit. (Array of String). Default: []

  • node["stig"]["postfix"]["mydestination"] = The mydestination parameter specifies the list of domains that this machine considers itself the final destination for. (String). Default: '$myhostname, localhost.$mydomain, localhost'

  • node["stig"]["postfix"]["local_recipient_maps"] = The local_recipient_maps parameter specifies optional lookup tables with all names or addresses of users that are local with respect to $mydestination, $inet_interfaces or $proxy_interfaces (String). Default: ''

  • node["stig"]["postfix"]["unknown_local_recipient_reject_code"] = The unknown_local_recipient_reject_code specifies the SMTP server response code when a recipient domain matches $mydestination or {proxy,inet}_interfaces, while $local_recipient_maps is non-empty and the recipient address or address local-part is not found. (String). Default: '550'

  • node["stig"]["postfix"]["mynetworks_style"] = The mynetworks parameter specifies the list of "trusted" SMTP clients that have more privileges than "strangers". (String). Default: ''

  • node["stig"]["postfix"]["mynetworks"] = Alternatively, you can specify the mynetworks list by hand, in which case Postfix ignores the mynetworks_style setting. (String). Default: ''

  • node["stig"]["postfix"]["relay_domains"] = The relay_domains parameter restricts what destinations this system will relay mail to. (String). Default: ''

  • node["stig"]["postfix"]["relayhost"] = The relayhost parameter specifies the default host to send mail to when no entry is matched in the optional transport(5) table. (String). Default: ''

  • node["stig"]["postfix"]["relay_recipient_maps"] = The relay_recipient_maps parameter specifies optional lookup tables with all addresses in the domains that match $relay_domains. (String). Default: ''

  • node["stig"]["postfix"]["in_flow_delay"] = The in_flow_delay configuration parameter implements mail input flow control (String). Default: ''

  • node["stig"]["postfix"]["alias_maps"] = The alias_maps parameter specifies the list of alias databases used by the local delivery agent. The default list is system dependent. (String). Default: 'hash:/etc/aliases'

  • node["stig"]["postfix"]["alias_database"] = The alias_database parameter specifies the alias database(s) that are built with "newaliases" or "sendmail -bi". (String). Default: 'hash:/etc/aliases'

  • node["stig"]["postfix"]["recipient_delimiter"] = The recipient_delimiter parameter specifies the separator between user names and address extensions (user+foo). (String). Default: '+'

  • node["stig"]["postfix"]["home_mailbox"] = The home_mailbox parameter specifies the optional pathname of a mailbox file relative to a user's home directory. (String). Default: ''

  • node["stig"]["postfix"]["mail_spool_directory"] = The mail_spool_directory parameter specifies the directory where UNIX-style mailboxes are kept. (String). Default: ''

  • node["stig"]["postfix"]["mailbox_command"] = The mailbox_command parameter specifies the optional external command to use instead of mailbox delivery. (String). Default: ''

  • node["stig"]["postfix"]["mailbox_transport"] = The mailbox_transport specifies the optional transport in to use after processing aliases and .forward files. (String). Default: ''

  • node["stig"]["postfix"]["fallback_transport"] = The fallback_transport specifies the optional transport in to use for recipients that are not found in the UNIX passwd database. (String). Default: ''

  • node["stig"]["postfix"]["luser_relay"] = The luser_relay parameter specifies an optional destination address for unknown recipients. (String). Default: ''

  • node["stig"]["postfix"]["header_checks"] = The header_checks parameter specifies an optional table with patterns that each logical message header is matched against, including headers that span multiple physical lines. (String). Default: ''

  • node["stig"]["postfix"]["fast_flush_domains"] = Postfix maintains per-destination logfiles with information about deferred mail, so that mail can be flushed quickly with the SMTP "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". See the ETRN_README document for a detailed description. (String). Default: ''

  • node["stig"]["postfix"]["smtpd_banner"] = The smtpd_banner parameter specifies the text that follows the 220 code in the SMTP server's greeting banner. Some people like to see the mail version advertised. (String). Default: ''

  • node["stig"]["postfix"]["concurrency_limit"] = How many parallel deliveries to the same user or domain? With local delivery, it does not make sense to do massively parallel delivery to the same user, because mailbox updates must happen sequentially, and expensive pipelines in .forward files can cause disasters when too many are run at the same time. (Object (String, String)). Default: {} Example: { 'local' : '20', 'default' : '10' }

  • node["stig"]["postfix"]["debug_peer_list"] = The debug_peer_level parameter specifies the increment in verbose logging level when an SMTP client or server host name or address matches a pattern in the debug_peer_list parameter. (String). Default: '2'

  • node["stig"]["postfix"]["debug_peer_level"] = The debug_peer_list parameter specifies an optional list of domain or network patterns, /file/name patterns or type:name tables. (String). Default: ''

  • node["stig"]["postfix"]["debugger_command"] = The debugger_command specifies the external command that is executed when a Postfix daemon program is run with the -D option. (Array of String). Default: ['PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin','ddd $daemon_directory/$process_name $process_id & sleep 5']

  • node["stig"]["postfix"]["sendmail_path"] = The full pathname of the Postfix sendmail command. This is the Sendmail-compatible mail posting interface. (String). Default: '/usr/sbin/sendmail.postfix'

  • node["stig"]["postfix"]["newaliases_path"] = The full pathname of the Postfix newaliases command. This is the Sendmail-compatible command to build alias databases. (String). Default: '/usr/bin/newaliases.postfix'

  • node["stig"]["postfix"]["mailq_path"] = The full pathname of the Postfix mailq command. This is the Sendmail-compatible mail queue listing command. (String). Default: '/usr/bin/mailq.postfix'

  • node["stig"]["postfix"]["setgid_group"] = The group for mail submission and queue management commands. This must be a group name with a numerical group ID that is not shared with other accounts, not even with the Postfix account. (String). Default: 'postdrop'

  • node["stig"]["postfix"]["html_directory"] = The location of the Postfix HTML documentation. (String). Default: 'no'

  • node["stig"]["postfix"]["manpage_directory"] = The location of the Postfix on-line manual pages. (String). Default: '/usr/share/man'

  • node["stig"]["postfix"]["sample_directory"] = The location of the Postfix sample configuration files. (String). Default: '/usr/share/doc/postfix-2.6.6/samples'

  • node["stig"]["postfix"]["readme_directory"] = The location of the Postfix README files. (String). Default: '/usr/share/doc/postfix-2.6.6/README_FILES'


Simply include the default recipe (stig::default) on an instance that needs to be hardened. May also want to include the auditd recipe (stig::auditd) to set a custom auditd configuration file



Unless otherwise noted below, this software is in the public domain because it contains
materials that originally came from the United States Geological Survey, an agency of the
United States Department of Interior. For more information, see the official USGS
copyright policy at:

More information in license file

Dependent cookbooks

auditd >= 0.0.0
logrotate >= 0.0.0
rsyslog >= 0.0.0

Contingent cookbooks

There are no cookbooks that are contingent upon this one.


The format is based on Keep a Changelog
and this project adheres to Semantic Versioning.


[1.0.2] - 2019-12-17


-- [] - Add path strings (allow wildcard) to ignore during audits
recipe. Paths included will not be checked as orphans or world writeable permissions

[1.0.1] - 2019-12-10


-- [] - pam.d system_auth and password_auth order of module loading


-- [] - Removed a seconday run of logrotate::global in the default

[1.0.0] - 2019-10-25


-- [] - auditd cookbook in metadata.rb as a hard dependency
-- [] - PermitOpen keyword in sshd_config
-- [] - Ability to ignore errors on sysctl updates


-- [] - Third-party sysctl cookbook dependency


-- [] - Now using Chef sysctl resource instead of depending on third
party cookbook. BREAKING CHANGE - Now requires Chef 14+
-- [] - Switch to using rsyslog third party cookbook. BREAKING CHANGE
The attributes for rsyslog rules should now be default['rsyslog']['default_facility_logs']
in the fornmat specified @
This now becomes a wrapper cookbook for the third party rsyslog cookbook
-- [] - Including auditd cookbook call directly in auditd recipe
-- [] - Allow nulls into sshd attributes to keep keywords out of sshd_config
-- [] - Allowing auditd base config dir to be configurable in attributes
-- [] - Version of CentOS 7 in ChefSpec tests
-- [] - Allow not using known sshd attributes to keep them out of sshd
config file


-- [] - auditd service reloading. A temp fix until
is dealt with
-- [] - inspec and unit tests

[0.6.16] - 2019-04-22


-- [] - Changed maintainer to USGS WMA EB


-- [] - Removed aide update command as it creates error codes where
init does not

[0.6.15] - 2019-04-10


-- [] - Logic introduced as to whether aide should run init or update
based on whether or not the aide database already exists

[0.6.14] - 2018-12-07


-- [] - add timeout on init_aide resource in aide.rb
-- [] - add timeout on 'find user and group orphaned files and directories' resource in audits.rb
-- [] - add ignore_readdir_race flag to commands in 'find user and group orphaned files and directories' resource in audits.rb

[0.6.13] - 2018-09-28


-- [] - audits recipe is not tolerant of spaces in file paths

[0.6.12] - 2018-06-08


-- [] - No longer passing output database location to aide init
command. Let aide get that from the conf file
-- [] - Use proper output database location during aide init
-- [] - Make sure to copy new aide database to old database location
-- [] - Sticking to major version of CentOS in Test Kitchen
-- [] - STIG 6.1.6 - File permissions for /etc/passwd-
-- [] - Added default["stig"]["mount_disable"]["disable_usb_storage"] to disable USB Storage. RHEL-06-000503 - CCI-001250
-- [] - Added default['stig']['postfix']['smtpd_client_restrictions_rhel'] for use in
templates/default/etc_man.cf_rhel.erb to disable mail relaying. RHEL-07-040480 - CCI-000366
-- [] - Added template for /etc/inittab - CCE-4241-6
-- [] - Added default['stig']['login_defs']['pass_min_length'],
default['stig']['login_defs']['umask'], default['stig']['login_defs']['inactive_days'], default['stig']['login_defs']['fail_delay'] for use in templates/default/etc_default_useradd.erb and templates/default/logon_defs.erb
-- [] - Added local_users recipe to remove users and folders that do not belong. Set shells for various service accounts.


-- [] - STIG 6.2.7 - Update script to check for users having a home dir
-- [] - Narrowed down sshd MACs config to what works for EL6 and EL7
-- [] - STIG 6.2.2-6.2.4 - Updated grep testing criteria for audit script
-- [] - STIG 5.2.12 - Updated ClientAliveInterval to 300 and ClientAliveCountMax to 0
-- [] - STIG 5.1.3 - 5.1.7 - Change permissions for cron files from 0600 to 0700
-- [] - STIG 4.1.9 - Update audit.rules for /vat/log/wtmp and
/var/log/btmp from session to logins
-- [] - STIG 4.1.7 - Update audit.rules with expanded MAC-policy check
-- [] - STIG 2.2.15 - Change inet_interfaces from localhost to loopback_only
-- [] - Removed -e flag from proc_hard recipe's sysctl resource
since I do not want errors from that guard ignored
-- [] - Fixed ChefSpec test for updated functionality in proc_hard
-- [] - Fixed node concatenation in rsyslog recipe. Now no longer directly manipulating node attributes
-- [] - Updated deprecated fauxhai CnetOS 6 version from 6.7 to 6.9
-- [] - proc_hard recipe now calls on the sysctl cookbook's
sysctl_param resource instead of any recipe. This allows the this cookbook to use
sysctl cookbook version >= 1.0.0
-- [] - Removed version constraint from Berksfile for sysctl
-- [] - Updated Chefspec test to remove test for sysctl::apply recipe
-- [] - Add guard to sysctl call in order to work around bug
-- [] - Switched Changelog format
-- [] - Fixed styling for Rubocop 0.55.0
-- [] - Added SSH private host key file permission to recipe/sshd_config.rb
-- [] - updated system_auth to manage /etc/pam.d/postlogin-ac


-- [] - Bugfix in stig/recipes/mail_transfer_agent.rb to use platform_family versus platform
-- [] - Bugfix in stig/attributes/default.rb - Errors out and sshd dies (bricking machine) on RH 7
when FIPS Mode is enabled. Non-FIPS compliant MACs were specified. FIPS MODE is required to be enabled - RHEL-07-021350 - CCI-002476
Old Line: default['stig']['sshd_config']['macs'] = 'hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96'
Replaced with: default['stig']['sshd_config']['macs'] = 'hmac-sha2-512,hmac-sha2-256,,'
- [] - Added "install fat /bin/true" to stig/templates/etc_modprobe.d_CIS.conf.erb. This will fully disable vfat.



-- [] - Due to a change in the Chef client @ 13.7.16, the aide
recipe needed to be updated. Also updated Rubocop, Chefspec and Foodcritic issues



-- [] - Added template for /etc/aide.conf and it updates the aide database
-- [] - Added default attributes for Centos 6 & 7 for /etc/aide.conf
-- [] - Added inspec and unit tests for /etc/aide.conf


-- [] - Corrected inspec tests centos7 to run aide tests for redhat platforms



-- [] - Updated more audit not included in the last version
-- [] - Combined two audit steps into one to save time/processing



-- [] - Updated audit scripts to not double-check file mounts that
may appear twice in df output



-- [] - Updated defaults for audit.rules to avoid 32/64 bit syscall mismatch warning
-- [] - Updated unit tests to work around errors
-- [] - Updated style tests for later version of foodcritic/rubocop


-- [] - Removed "redhat" from the test for purging the avahi-daemon package



-- [] - Updating the cookbook to work properly with CentOS 7
-- [] - Added disabling vfat and ipv6 to modprobe
-- [] - Update avahi daemon recipe for CentOS 7 (chkconfig vs sysctl)
-- [] - Update ipv6 recipe for CentOS 7
-- [] - Fixed idempotency issue in ipv6 recipe for CentOS 6
-- [] - Update dhcp recipe for CentOS 7
-- [] - Update rsyslog.conf default attributes to the latest CIS recommendations
-- [] - Update sshd_config template to put logic on keywords that may or may not exist in sshd
-- [] - Switched system_auth recipe to use templates instead of very touchy sed/grep
-- [] - Changed default PASS_MIN_DAYS in login_defs to 7 as per stig
-- [] - Updated file_permissions recipe to not branch on ubuntu/rhel
-- [] - Split InSpec tests into CentOS 6 and CentOS 7
-- [] - Updated Gemfile to require a minimal inspec gem version



-- [] - Leaving sysctl attribute mutation solely to the sysctl cookbook.
-- [] - Removing STIG cookbook attributes for sysctl. Using only sysctl cookbook attributes



-- [] - Update mail transfer agent recipe to fully parameterize the CentOS template for



-- [] - Update the system_auth recipe to respect pre-existing symlinks
-- [] - Fix boot_settings recipe to catch if selinux is disabled and move on



-- [] - More testing
-- [] - Updated auditd ruleset to include more rules
-- [] - Created ChefSpec testing for auditd_rules recipe
-- [] - Updated ServerSpec testing for all default auditd rules



-- [] - More rubocop fixes
-- [] - Rework of sshd_config recipe to allow more customization
-- [] - Updated templates to point to proper GitHub URL
-- [] - Updated dependency version for sysctl cookbook in Berksfile
-- [] - Fixed kitchen converge warnings



-- [] - fix some rubocop violations
-- [] - switch to using chef inspec
-- [] - remove Centos 6.6 and 6.8

-- [] - bump version to 0.6.0
-- [] - remove kitchen version pin.



-- [arothian@github] - Update aide to setup crontab for ubuntu



-- [] - Fix an issue with auth-config being improperly written to for pass reuse limit



-- [] - Switch sysctl write flags



-- [] - Ignore errors on unknown sysctl keys



-- [] - Included third-party sysctl cookbook as a hard-coupled dependency by calling it in proc_hard recipe



-- [] - Switched sysctl.conf template writing out and brought in the third-party sysctl cookbook to handle writing .d config file
-- [] - Updated serverspec testing



-- [] - Updated to switch out which file in /etc/pam.d/system-auth* gets symlinked



-- [] - Fix most foodcritic errors and warnings
-- [] - CIS 1.6.2 (Configure ExecShield) was removed in 2.0.0 of all CIS STIG. No longer testing for it
-- [] - Added updates to SSHD config to allow boolean for password authentication
-- [] - Updated system auth recipe to be less destructive to /etc/pam.d/system-auth since that may be updated by authconfig
-- [] - Fixed a few tests



-- [] - Updated sshd config to include approved ciphers (RHEL6 STIG 6.2.11)
-- [] - Added the ability to change ChallengeResponseAuthentication in sshd config
-- [] - Added the ability to change UsePAM in sshd config



-- [] - Users may now add auditd rules directly as a series of attributes



-- [] - More Auditd fixes



-- [] - Fix auditd default parameters which break the build
-- [] - Add documentation for new attributes



-- [] - Fully parameterized auditd configuration file
-- [] - No longer calling the auditd cookbook directly from auditd.rb
-- [] - Auditd cookbook is no longer a direct dependency of the STIG cookbook. Should be part of an overall runlist



-- [] - Updated STIG and Audit rules to CIS RHEL Stig 1.4.0
-- [] - Added CentOS 6 ruleset 3.2 - "Remove the X Window System"
-- [] - Fixed and added many Serverspec tests
-- [] - Corrected a typo in to correct STIG control number
-- [] - Removed CIS wording from audit scripts
-- [] - Enforced permissions on /boot/grub/grub.conf as per STIG 1.5.2
-- [] - Removed grub.conf template
-- [] - Updated mounting of /dev/shm to be idempotent

Collaborator Number Metric

1.0.2 failed this metric

Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric

1.0.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Foodcritic Metric

1.0.2 passed this metric

No Binaries Metric

1.0.2 passed this metric

Testing File Metric

1.0.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must contain a file

Version Tag Metric

1.0.2 failed this metric

Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of, and your repo must include a tag that matches this cookbook version number