From c008653e9dfa5f4775c23271265b96b84d9b9076 Mon Sep 17 00:00:00 2001 From: Michael Hoffman Date: Fri, 16 Mar 2018 09:12:23 -0400 Subject: [PATCH 1/7] updated readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2fc939a1..b6e4558d 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ It will not: * Sander van Zoest sysctl `https://github.com/svanzoest-cookbooks/sysctl` ## Attributes - +* `['os-hardening']['package']['gpg']` - hash of package configurations to ensure gpg checked * `['os-hardening']['components'][COMPONENT_NAME]` - allows the fine control over which components should be executed via default recipe. See below for more details * `['os-hardening']['desktop']['enable'] = false` true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc From 30ab2509bc6ddd39e216a42f9d643997a9434af0 Mon Sep 17 00:00:00 2001 From: Michael Hoffman Date: Fri, 16 Mar 2018 09:39:30 -0400 Subject: [PATCH 2/7] added default empty array for [os-hardening]['yum']['gpg_exclude'] --- README.md | 2 +- attributes/default.rb | 1 + recipes/yum.rb | 13 ++++++++++--- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b6e4558d..51d97502 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ It will not: * Sander van Zoest sysctl `https://github.com/svanzoest-cookbooks/sysctl` ## Attributes -* `['os-hardening']['package']['gpg']` - hash of package configurations to ensure gpg checked +* `['os-hardening']['yum']['gpg_exclude'] = []` - Array of yum configuration files to exclude from gpgcheck * `['os-hardening']['components'][COMPONENT_NAME]` - allows the fine control over which components should be executed via default recipe. See below for more details * `['os-hardening']['desktop']['enable'] = false` true if this is a desktop system, ie Xorg, KDE/GNOME/Unity/etc diff --git a/attributes/default.rb b/attributes/default.rb index 857a22d3..18662cb6 100644 --- a/attributes/default.rb 
+++ b/attributes/default.rb @@ -27,6 +27,7 @@ default['os-hardening']['packages']['pam_cracklib'] = 'pam_cracklib' default['os-hardening']['packages']['pam_pwquality'] = 'libpwquality' default['os-hardening']['packages']['auditd'] = 'audit' + default['os-hardening']['yum']['gpg_exclude'] = [] if node['platform_version'].to_f < 7 default['os-hardening']['auth']['pam']['passwdqc']['enable'] = true diff --git a/recipes/yum.rb b/recipes/yum.rb index 1b5966b9..84941ef2 100644 --- a/recipes/yum.rb +++ b/recipes/yum.rb @@ -26,15 +26,22 @@ block do # TODO: harmonize with latter function config_file = '/etc/yum.conf' - GPGCheck.check(config_file) + unless node['os-hardening']['yum']['gpg_exclude'].include? config_file + GPGCheck.check(config_file) + end Dir.glob('/etc/yum.repos.d/*').each do |file| - GPGCheck.check(file) + config_file = '/etc/yum.conf' + unless node['os-hardening']['yum']['gpg_exclude'].include? config_file + GPGCheck.check(file) + end end rhn_conf = '/etc/yum/pluginconf.d/rhnplugin.conf' File.file?(rhn_conf) do - GPGCheck.check(rhn_conf) + unless node['os-hardening']['yum']['gpg_exclude'].include? rhn_conf + GPGCheck.check(rhn_conf) + end end end action :run From 6a619ea1fe54b3e6509f42eeaf74681d7a190ae2 Mon Sep 17 00:00:00 2001 From: Michael Hoffman Date: Fri, 16 Mar 2018 10:01:13 -0400 Subject: [PATCH 3/7] updated repos.d file --- recipes/yum.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes/yum.rb b/recipes/yum.rb index 84941ef2..0160f795 100644 --- a/recipes/yum.rb +++ b/recipes/yum.rb @@ -32,7 +32,7 @@ Dir.glob('/etc/yum.repos.d/*').each do |file| config_file = '/etc/yum.conf' - unless node['os-hardening']['yum']['gpg_exclude'].include? config_file + unless node['os-hardening']['yum']['gpg_exclude'].include? file GPGCheck.check(file) end end From fd6873cf57250a6e02a44e1b21df21d7299904ba Mon Sep 17 00:00:00 2001 
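Review bot: The new `default['os-hardening']['yum']['gpg_exclude'] = []` has no comment at its definition, and since every path placed in this array switches off gpgcheck enforcement for that repository file, the warning belongs next to the attribute rather than only in the README. Suggested comment directly above the line: `# Yum config files to skip when enforcing gpgcheck=1. Each entry disables a hardening control for that file; keep this empty unless a repository genuinely cannot be signed.` The default itself looks unconditional (it appears to sit before the pre-existing `if node['platform_version'].to_f < 7` context), which is the right place for an array the yum recipe reads on every platform it runs on.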
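Review bot: The new exclusion check for `rhnplugin.conf` is placed inside `File.file?(rhn_conf) do ... end`, and `File.file?` does not yield to a block, so that branch — the pre-existing `GPGCheck.check(rhn_conf)` and the `unless` wrapper this commit adds around it — never executes; it needs `if File.file?(rhn_conf)` for the exclusion (or the check) to have any effect. Inside the `Dir.glob` loop the added code tests `gpg_exclude.include? config_file` after reassigning `config_file = '/etc/yum.conf'`, so no `.repo` file can actually be excluded there; the test should be against `file` (a later patch in this series corrects that). Because each excluded path silently drops a hardening control, consider logging the skip so it is visible in the run output, e.g. `Chef::Log.warn("os-hardening: gpgcheck not enforced for #{config_file} (gpg_exclude)")` — assuming the standard Chef logger is available in this recipe. The enclosing resource (`block do` in the hunk header) begins before this hunk.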
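Review bot: With the condition now correctly testing `file`, the `config_file = '/etc/yum.conf'` assignment left as the first line of the `Dir.glob` loop body is dead and misleading — it shadows the outer `config_file` and suggests `/etc/yum.conf` plays a part in the per-repository check; that line should be removed. The `Dir.glob ... each do |file|` loop is shown in full, but the resource that contains it begins before the hunk.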
From: Michael Hoffman Date: Fri, 16 Mar 2018 10:08:57 -0400 Subject: [PATCH 4/7] update --- recipes/yum.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/recipes/yum.rb b/recipes/yum.rb index 0160f795..c295f338 100644 --- a/recipes/yum.rb +++ b/recipes/yum.rb @@ -32,6 +32,7 @@ Dir.glob('/etc/yum.repos.d/*').each do |file| config_file = '/etc/yum.conf' + puts "file=#{file}" unless node['os-hardening']['yum']['gpg_exclude'].include? file GPGCheck.check(file) end From 926643e05668b508a0b526b2ebbfbddd9ddcac19 Mon Sep 17 00:00:00 2001 From: Michael Hoffman Date: Fri, 16 Mar 2018 10:12:46 -0400 Subject: [PATCH 5/7] minor update --- recipes/yum.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/recipes/yum.rb b/recipes/yum.rb index c295f338..c2f625bb 100644 --- a/recipes/yum.rb +++ b/recipes/yum.rb @@ -26,13 +26,14 @@ block do # TODO: harmonize with latter function config_file = '/etc/yum.conf' + # Only check files not listed in gpg_exclude array unless node['os-hardening']['yum']['gpg_exclude'].include? config_file GPGCheck.check(config_file) end Dir.glob('/etc/yum.repos.d/*').each do |file| config_file = '/etc/yum.conf' - puts "file=#{file}" + # Only check files not listed in gpg_exclude array unless node['os-hardening']['yum']['gpg_exclude'].include? file GPGCheck.check(file) end @@ -40,6 +41,7 @@ rhn_conf = '/etc/yum/pluginconf.d/rhnplugin.conf' File.file?(rhn_conf) do + # Only check files not listed in gpg_exclude array unless node['os-hardening']['yum']['gpg_exclude'].include? rhn_conf GPGCheck.check(rhn_conf) end From 19c08436b63625dc8ebbace3e24bd29974376c53 Mon Sep 17 00:00:00 2001 From: Michael Hoffman Date: Fri, 18 May 2018 10:00:09 -0400 Subject: [PATCH 6/7] updated for amazon pam --- recipes/pam.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes/pam.rb b/recipes/pam.rb index dce11b2b..dc3985d8 100644 --- a/recipes/pam.rb +++ b/recipes/pam.rb 
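Review bot: `puts "file=#{file}"` writes debugging output straight to the chef-client process's stdout, bypassing the log level and format the run is configured with; if per-file tracing is wanted it should be `Chef::Log.debug("os-hardening: enforcing gpgcheck on #{file}")` (assuming the standard Chef logger is in scope here), otherwise it should not be committed. The unused `config_file = '/etc/yum.conf'` line directly above it is still present in this loop. The enclosing resource begins before the hunk.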
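Review bot: The three `# Only check files not listed in gpg_exclude array` comments restate the `unless ... include?` line beneath them, while what a reader actually needs — that an excluded path is deliberately left without gpgcheck enforcement — is still unsaid, and the dead `config_file = '/etc/yum.conf'` inside the `Dir.glob` loop survives this cleanup. The exclude-then-check logic is now written out three times; folding it into one local lambda with a log line removes the duplication and makes every bypass visible in the run log (`Chef::Log` assumed available, as in any Chef recipe). The `File.file?(rhn_conf) do` context line does not yield to its block, so the rhnplugin branch still never runs; the rewrite below also turns it into a plain `if`. The enclosing resource begins before the hunk.
```ruby
# Paths listed in gpg_exclude are deliberately left without gpgcheck=1
# enforcement; log each skip so the weakening is visible in the run log.
excluded = node['os-hardening']['yum']['gpg_exclude']
enforce_gpgcheck = lambda do |path|
  if excluded.include?(path)
    Chef::Log.warn("os-hardening: gpgcheck not enforced for #{path} (gpg_exclude)")
  else
    GPGCheck.check(path)
  end
end

enforce_gpgcheck.call('/etc/yum.conf')
Dir.glob('/etc/yum.repos.d/*').each(&enforce_gpgcheck)

rhn_conf = '/etc/yum/pluginconf.d/rhnplugin.conf'
enforce_gpgcheck.call(rhn_conf) if File.file?(rhn_conf)
# … unchanged: action :run …
```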
@@ -102,7 +102,7 @@ # therefore we edit /etc/pam.d/system-auth-ac/ # @see http://serverfault.com/questions/292406/puppet-configuration-using-augeas-fails-if-combined-with-notify - if node['platform_version'].to_f < 7 + if node['platform_version'].to_f < 7 && node['platform'] != 'amazon' # remove pam_cracklib, because it does not play nice with passwdqc in versions less than 7 package 'pam-cracklib' do package_name node['os-hardening']['packages']['pam_cracklib'] From a8a82aa41c50c275e5124d175aa864dcf37a6817 Mon Sep 17 00:00:00 2001 From: Michael Hoffman Date: Fri, 18 May 2018 10:21:55 -0400 Subject: [PATCH 7/7] removed amazon sysctl --- attributes/sysctl.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/attributes/sysctl.rb b/attributes/sysctl.rb index 508b8612..e981cd1e 100644 --- a/attributes/sysctl.rb +++ b/attributes/sysctl.rb @@ -95,7 +95,7 @@ case node['platform_family'] when 'rhel', 'fedora' # on RHEL 7 its enabled per default and can't be disabled - if node['platform_version'].to_f < 7 + if node['platform_version'].to_f < 7 && node['platform'] != 'amazon' default['sysctl']['params']['kernel']['exec-shield'] = 1 end end
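Review bot: The added `&& node['platform'] != 'amazon'` leaves the comment above it — `remove pam_cracklib, because it does not play nice with passwdqc in versions less than 7` — explaining only half of the condition; say why Amazon Linux is exempt, e.g. `# Amazon Linux is skipped as well: its platform_version can parse below 7 without carrying the EL6 cracklib/passwdqc conflict — TODO confirm against the PAM stack it ships`. The passwdqc default in attributes/default.rb (visible as context in an earlier patch of this series) still appears to be gated on `platform_version.to_f < 7` alone, so on an Amazon Linux release whose version string parses below 7 passwdqc would be enabled while this cracklib removal is skipped; if that is unintended the two predicates need to agree. The body of this `if` continues past the hunk.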
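Review bot: The `< 7 && node['platform'] != 'amazon'` predicate now appears in both recipes/pam.rb and attributes/sysctl.rb with no shared definition, and the comment above this line (`on RHEL 7 its enabled per default and can't be disabled`) does not say why Amazon Linux is also skipped — whether its kernel lacks `kernel.exec-shield` or its version string merely parses below 7 is not visible here. Add a line such as `# Amazon Linux is excluded too: its platform_version may parse below 7 but it is not an EL6 kernel — TODO confirm` and consider expressing "EL6-like platform" once (a library helper or a single attribute) so the pam and sysctl branches cannot drift apart. Dropping a sysctl for a platform is harmless only if that platform really does not honour it; if some Amazon Linux release does, this change removes a hardening setting there, so the exemption deserves a stated justification.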