Forge Home

almalinux_hardening

CIS OS Hardening for AlmaLinux 8 distribution

1,494 downloads

80 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 1.0.3 (latest)
  • 1.0.2 (deleted)
  • 1.0.1
  • 1.0.0 (deleted)
  • 0.2.0
  • 0.1.3
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Jun 19th 2024
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.21.0 < 8.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'huglij-almalinux_hardening', '1.0.3'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add huglij-almalinux_hardening
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install huglij-almalinux_hardening --version 1.0.3

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

huglij/almalinux_hardening — version 1.0.3 Jun 19th 2024

Distribution Puppet Forge version Puppet Forge downloads GitHub issues GitHub

AlmaLinux Hardening

Table of Contents

  1. Description
  2. Setup
  3. Usage
  4. Limitations
  5. Development
  6. Credits
  7. Author
  8. License

Description

This Puppet module performs the hardening in accordance with the CIS (Center for Internet Security) benchmarks for the AlmaLinux servers. It is based on the official AlmaLinux OpenScap Guide. All the CIS rules have been tested with OpenScap.

Reports are available here.

WARNING: Do not attempt to implement any of the settings with this Puppet module without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Major Releases Supported

For the moment, there is only one major release for AlmaLinux: 8.

Setup

What is this module affecting?

This module affects a lot of parameters. The following list is not exhaustive, so it is recommanded to read both full reports before using the module:

  • Kernel settings ;
  • Packages (installations, deletions...) ;
  • Services (settings, statuses...) ;
  • Disks and partitions (options, warnings...) ;
  • Files and directories (permissions, additions, deletions...) ;
  • Network settings (deactivations, activations, firewall settings...) ;
  • Bootloader settings ;
  • Auditing ;
  • And much more...

Setup Requirements

Beginning with the module

Starting with this module is relatively easy, but it is really recommanded to read the full reports before using the module.

First, add this module. After adding it, you can use the class like the following code block.

class { '::almalinux_hardening':
  # Basic parameters
  $level                  = '1',
  $root_account           = 'root',
  $nologin_shell          = '/sbin/nologin',
  $home_device            = '/dev/mapper/vg-home',
  $tmp_device             = '/dev/mapper/vg-tmp',
  $vartmp_device          = '/dev/mapper/vg-var-tmp',
  $time_servers           = ['time.google.com'],
  $ignore_system_users    = [],
  $ignore_home_users      = [],
  $disable_repos          = '',
  $enable_repos           = '',
}

Be careful to adapt the listed parameters with your server(s).

All parameters are stored in the manifests/init.pp file. All rules are enabled by default. If you want to disable one, you can override a parameter like this:

class { 'almalinux_hardening':
  # Basic parameters
  $level                  = '1',
  $root_account           = 'root',
  $nologin_shell          = '/sbin/nologin',
  $home_device            = '/dev/mapper/vg-home',
  $tmp_device             = '/dev/mapper/vg-tmp',
  $vartmp_device          = '/dev/mapper/vg-var-tmp',
  $time_servers           = ['time.google.com'],
  $ignore_system_users    = [],
  $ignore_home_users      = [],
  $disable_repos          = '',
  $enable_repos           = '',

  # Rules
  $enable_grub2_password  = false,
}

Usage

Parameters

Level 1

To choose the level 1, the $level variable must be set to 1.

Name Description Type Default Value
profile Type of machine Enum['server'] 'server'
level Hardening Level Enum['1', '2', 'custom'] '1'
root_account Name of the root account String 'root'
nologin_shell Path of the nologin shell String '/sbin/nologin'
home_device Path of the dedicated device for /home String /dev/mapper/vg-home
tmp_device Path of the dedicated device for /tmp String /dev/mapper/vg-tmp
vartmp_device Path of the dedicated device for /var/tmp String /dev/mapper/vg-var-tmp
time_servers List of the used time server(s) Array[String] ['time.google.com']
ignore_system_users List of users who will not be affected by the module Array[String] []
ignore_home_users List of users homes who will not be affected by the module Array[String] []
disable_repos Disable repositories for the dnf command String ''
enable_repos Enable repositories for the dnf command String ''
mountoptions_vartmp_partitioned If the /var/tmp is partitioned or not Boolean true
auditd_rules_program Audit service program to use between augenrules or auditctl Enum['augenrules','auditctl'] 'augenrules'
enable_banner_issue See manifests/system/aac/banners/login.pp Boolean true
banner_issue_files Paths for issue and issue.net files Array[String] ['/etc/issue','/etc/issue.net']
enable_banner_motd See manifests/system/aac/banners/motd.pp Boolean true
enable_console_rescue See manifests/system/aac/console/single_user.pp Boolean true
enable_console_singleuser See manifests/system/aac/console/single_user.pp Boolean true
enable_console_systemd_target See manifests/system/aac/console/systemd_target.pp Boolean true
enable_pam_pwd_reuse See manifests/system/aac/pam/password_reuse.pp Boolean true
pam_pwd_reuse_remember Limit of remembered passwords used Integer 5
pam_pwd_reuse_retry Reused password retries limit Integer 3
enable_pam_pwd_hashing_algorithm See manifests/system/aac/pam/pwd_hashing_algorithm.pp Boolean true
enable_pam_pwquality See manifests/system/aac/pam/pwquality.pp Boolean true
pam_pwquality_minlen Minimum characters of passwords Integer 14
pam_pwquality_minclass Minimum different categories of passwords Integer 4
pam_pwquality_dcredit Maximum number of digits that will generate a credit Integer -1
pam_pwquality_ucredit Maximum number of uppercase characters that will generate a credit Integer -1
pam_pwquality_ocredit Maximum number of other characters that will generate a credit Intger -1
pam_pwquality_lcredit Maximum number of lowercase characters that will generate a credit Integer -1
enable_pwdlogin_expiration_inactivity See manifests/system/aac/pwd_login/account_expiration/inactivity.pp Boolean true
pwdlogin_expiration_inactivity_days Specify the number of days after a password expires Integer 30
enable_pwdlogin_expiration_unique_names See manifests/system/aac/pwd_login/account_expiration/unique_names.pp Boolean true
enable_pwdlogin_no_legacy_nis_entry See manifests/system/aac/pwd_login/password_hashes/no_legacy_nis.pp Boolean true
pwdlogin_no_legacy_nis_entry_paths Files to search Legacy NIS entries Array[String] ['/etc/group', '/etc/passwd', '/etc/shadow']
enable_pwdlogin_no_netrc See manifests/system/aac/pwd_login/password_hashes/no_netrc.pp Boolean true
enable_pwdlogin_pwd_expiration See manifests/system/aac/pwd_login/password_expiration.pp Boolean true
pwdlogin_pwd_expiration_maxdays Specify password maximum age for new accounts Integer 365
pwdlogin_pwd_expiration_mindays Specify password minimum age for new accounts Integer 7
pwdlogin_pwd_expiration_warndays Specify how many days prior to password expiration that a warning will be issued to users Integer 7
enable_pwdlogin_root_uid_exec See manifests/system/aac/pwd_login/root.pp Boolean true
enable_pwdlogin_root_nologin_exec See manifests/system/aac/pwd_login/root.pp Boolean true
enable_pwdlogin_root_su_restriction See manifests/system/aac/pwd_login/root.pp Boolean true
enable_session_env_path See manifests/system/aac/session/env_path.pp Boolean true
enable_session_interactive_timeout See manifests/system/aac/session/interactive_session_timeout.pp Boolean true
session_interactive_timeout_paths Files to apply TMOUT variable Array[String] ['/etc/bashrc','/etc/profile']
session_interactive_timeout_seconds Inactivity seconds until user sessions will be termintated Integer 900
enable_session_umask_bash See manifests/system/aac/session/umask/bash_default.pp Boolean true
enable_session_umask_login_defs See manifests/system/aac/session/umask/login_defs.pp Boolean true
enable_session_umask_profile See manifests/system/aac/session/umask/profile_default.pp Boolean true
enable_session_umask Session umask String '027'
enable_coredumps_backtraces See manifests/system/files_perm_masks/core_dumps/backtraces.pp Boolean true
enable_coredumps_storing See manifests/system/files_perm_masks/core_dumps/storing.pp Boolean true
enable_coredumps_uid_programs See manifests/system/files_perm_masks/core_dumps/suid_programs.pp Boolean true
enable_coredumps_users See manifests/system/files_perm_masks/core_dumps/users.pp Boolean true
enable_important_files_directories_unowned See manifests/system/files_perm_masks/important/no_files_directories_unowned.pp Boolean true
enable_important_worldwritable_files See manifests/system/files_perm_masks/important/no_world_writable_files.pp Boolean true
enable_important_stickybit See manifests/system/files_perm_masks/important/sticky_bit.pp Boolean true
enable_important_account_group See manifests/system/files_perm_masks/important/account_info/group.pp Boolean true
enable_important_account_group_backup See manifests/system/files_perm_masks/important/account_info/group_backup.pp Boolean true
enable_important_account_gshadow See manifests/system/files_perm_masks/important/account_info/gshadow.pp Boolean true
enable_important_account_gshadow_backup See manifests/system/files_perm_masks/important/account_info/gshadow_backup.pp Boolean true
enable_important_account_passwd See manifests/system/files_perm_masks/important/account_info/passwd.pp Boolean true
enable_important_account_passwd_backup See manifests/system/files_perm_masks/important/account_info/passwd_backup.pp Boolean true
enable_important_account_shadow See manifests/system/files_perm_masks/important/account_info/shadow.pp Boolean true
enable_important_account_shadow_backup See manifests/system/files_perm_masks/important/account_info/shadow_backup.pp Boolean true
enable_mountfs_automounter See manifests/system/files_perm_masks/mount_fs/disable_automounter.pp Boolean true
enable_mountfs_cramfs See manifests/system/files_perm_masks/mount_fs/disable_cramfs_mounting.pp Boolean true
enable_mountfs_modprobe_usb See manifests/system/files_perm_masks/mount_fs/disable_modprobe_loading_usb.pp Boolean true
enable_mountfs_squashfs See manifests/system/files_perm_masks/mount_fs/disable_squashfs_mounting.pp Boolean true
enable_mountfs_udf See manifests/system/files_perm_masks/mount_fs/disable_udf_mounting.pp Boolean true
enable_mountoptions_devshm See manifests/system/files_perm_masks/mount_options/dev_shm.pp Boolean true
enable_mountoptions_home See manifests/system/files_perm_masks/mount_options/home.pp Boolean true
enable_mountoptions_tmp See manifests/system/files_perm_masks/mount_options/tmp.pp Boolean true
enable_mountoptions_vartmp See manifests/system/files_perm_masks/mount_options/var_tmp.pp Boolean true
mountoptions_vartmp_partitioned If the /var/tmp directory is in a specific partition Boolean true
enable_execshield See manifests/system/files_perm_masks/execshield.pp Boolean true
enable_grub2_cfg_perms See manifests/system/grub2/cfg_perms.pp Boolean true
enable_grub2_password See manifests/system/grub2/password.pp Boolean true
grub2_password Grub2 password - The value must be like 'grub.pbkdf2.sha512': use grub2-mkpasswd-pbkdf2 String ''
enable_firewalld_install See manifests/system/network/firewalld/install.pp Boolean true
enable_firewalld_defaultzone See manifests/system/network/firewalld/default_zone.pp Boolean true
enable_firewalld_service See manifests/system/network/firewalld/service.pp Boolean true
enable_ipv4_icmp_redirects See manifests/system/network/ipv4/disable_icmp_redirects.pp Boolean true
enable_ipv4_ip_forwarding See manifests/system/network/ipv4/disable_ip_forwarding.pp Boolean true
ipv4_ip_forwarding If you enable the IPv4 forwarding rule, you can adjust the value. It can be useful if you have a Docker server. Integer 0
enable_ipv4_secure_redirects See manifests/system/network/ipv4/disable_secure_redirects.pp Boolean true
enable_ipv4_sending_icmp_redirects See manifests/system/network/ipv4/disable_sending_icmp_redirects.pp Boolean true
enable_ipv4_source_routed See manifests/system/network/ipv4/disable_source_routed.pp Boolean true
enable_ipv4_ignore_icmp_bogus See manifests/system/network/ipv4/enable_ignore_icmp_bogus.pp Boolean true
enable_ipv4_ignore_icmp_broadcast_echo See manifests/system/network/ipv4/enable_ignore_icmp_broadcast_echo.pp Boolean true
enable_ipv4_log_martians See manifests/system/network/ipv4/enable_log_martians.pp Boolean true
enable_ipv4_reverse_path_filtering See manifests/system/network/ipv4/enable_reverse_path_filtering.pp Boolean true
enable_ipv4_tcp_syncookies See manifests/system/network/ipv4/enable_tcp_syncookies.pp Boolean true
enable_ipv6_icmp_redirects See manifests/system/network/ipv6/disable_icmp_redirects.pp Boolean true
enable_ipv6_ip_forwarding See manifests/system/network/ipv6/disable_ip_forwarding.pp Boolean true
enable_ipv6_source_routed See manifests/system/network/ipv6/disable_source_routed.pp Boolean true
enable_ipv6_router_advertisements See manifests/system/network/ipv6/router_advertisements.pp Boolean true
enable_wireless_deactivate See manifests/system/network/wireless/software_configuration/deactivate.pp Boolean true
enable_disk_tmp See manifests/system/software/disk/tmp.pp Boolean true
enable_integrity_aide_install See manifests/system/software/integrity/aide/install.pp Boolean true
enable_integrity_aide_periodic_execution See manifests/system/software/integrity/aide/periodic_execution.pp Boolean true
integrity_aide_periodic_execution_minute AIDE cron minute field String '05'
integrity_aide_periodic_execution_hour AIDE cron hour field String '4'
integrity_aide_periodic_execution_monthday AIDE cron monthday field String '*'
integrity_aide_periodic_execution_month AIDE cron month field String '*'
integrity_aide_periodic_execution_weekday AIDE cron weekday field String '0'
enable_integrity_crypto_ssh See manifests/system/software/integrity/crypto/ssh.pp Boolean true
enable_integrity_crypto_system See manifests/system/software/integrity/crypto/system.pp Boolean true
enable_sudo_install See manifests/system/software/sudo/install.pp Boolean true
enable_sudo_logfile See manifests/system/software/sudo/logfile.pp Boolean true
sudo_logfile Logfile path String '/var/log/sudo.log'
enable_sudo_use_pty See manifests/system/software/sudo/use_pty.pp Boolean true
enable_gpgcheck See manifests/system/software/updating_software/gpgcheck.pp Boolean true
enable_syslog_install See manifests/system/syslog/install.pp Boolean true
enable_syslog_service See manifests/system/syslog/service.pp Boolean true
enable_cron_hourly See manifests/services/cron_at_daemons/cron_hourly.pp Boolean true
enable_cron_monthly See manifests/services/cron_at_daemons/cron_monthly.pp Boolean true
enable_cron_weekly See manifests/services/cron_at_daemons/cron_weekly.pp Boolean true
enable_cron_crond See manifests/services/cron_at_daemons/crond.pp Boolean true
enable_cron_crontab See manifests/services/cron_at_daemons/crontab.pp Boolean true
enable_cron_service See manifests/services/cron_at_daemons/service.pp Boolean true
enable_cron_daily See manifests/services/cron_at_daemons/cron_daily.pp Boolean true
enable_disable_cups See manifests/services/disable/cups.pp Boolean true
enable_disable_dhcp See manifests/services/disable/dhcp.pp Boolean true
enable_disable_dns See manifests/services/disable/dns.pp Boolean true
enable_disable_dovecot See manifests/services/disable/dovecot.pp Boolean true
enable_disable_ftp See manifests/services/disable/ftp.pp Boolean true
enable_disable_gui See manifests/services/disable/gui.pp Boolean true
enable_disable_nfs See manifests/services/disable/nfs.pp Boolean true
enable_disable_postfix_listening See manifests/services/disable/postfix_listening.pp Boolean true
enable_disable_rpcbind See manifests/services/disable/rpcbind.pp Boolean true
enable_disable_rsyncd See manifests/services/disable/rsyncd.pp Boolean true
enable_disable_samba See manifests/services/disable/samba.pp Boolean true
enable_disable_snmpd See manifests/services/disable/snmpd.pp Boolean true
enable_disable_squid See manifests/services/disable/squid.pp Boolean true
enable_disable_web See manifests/services/disable/web.pp Boolean true
enable_disable_avahi See manifests/services/disable/avahi.pp Boolean true
enable_ssh_permissions See manifests/services/ssh/permissions.pp Boolean true
enable_ssh_host_based_auth See manifests/services/ssh/host_based_auth.pp Boolean true
ssh_host_based_auth Enable or disable Host Based Authentication Enum['no','yes'] 'no'
enable_ssh_empty_passwords See manifests/services/ssh/empty_passwords.pp Boolean true
ssh_empty_passwords Allow or disallow empty passwords Enum['no','yes'] 'no'
enable_ssh_ignore_rhosts See manifests/services/ssh/ignore_rhosts.pp Boolean true
ssh_ignore_rhosts Ignoring or not rhosts Enum['no','yes'] 'yes'
enable_ssh_root_login See manifests/services/ssh/root_login.pp Boolean true
ssh_root_login Allow or disallow root login Enum['no','yes'] 'no'
enable_ssh_user_env See manifests/services/ssh/user_env.pp Boolean true
ssh_user_env Allow or disable overriden environment variables of SSH daemon Enum['no','yes'] 'no'
enable_ssh_alive_interval See manifests/services/ssh/alive_interval.pp Boolean true
ssh_alive_interval Set an idle timeout interval Integer 900
enable_ssh_alive_max See manifests/services/ssh/alive_max.pp Boolean true
ssh_alive_max Sets the number of client alive messages which may be sent without sshd receiving any messages back from the client Integer 0
enable_ssh_loglevel See manifests/services/ssh/loglevel.pp Boolean true
ssh_loglevel Verbosity Level Enum['QUIET', 'FATAL', 'ERROR', 'INFO', 'VERBOSE', 'DEBUG', 'DEBUG1', 'DEBUG2', 'DEBUG3'] 'VERBOSE'
enable_ssh_max_auth_tries See manifests/services/ssh/max_auth_tries.pp Boolean true
ssh_max_auth_tries Specify the maximum number of authentication attempts permitted per connection Integer 4
enable_ssh_max_sessions See manifests/services/ssh/max_sessions.pp Boolean true
ssh_max_sessions Specify the maximum number of open sessions permitted from a given connection Integer 4
enable_ssh_max_startups See manifests/services/ssh/max_startups.pp Boolean true
ssh_max_startups Specify the maximum number of concurrent unauthenticated connections to the SSH daemon String '10:30:60'
enable_ssh_keys See manifests/services/ssh/keys.pp Boolean true
enable_uninstall_ldap_client See manifests/services/uninstall/ldap_client.pp Boolean true
enable_uninstall_nis_client See manifests/services/uninstall/nis_client.pp Boolean true
enable_uninstall_rsh See manifests/services/uninstall/rsh.pp Boolean true
enable_uninstall_telnet_client See manifests/services/uninstall/telnet_client.pp Boolean true
enable_uninstall_xinetd See manifests/services/uninstall/xinetd.pp Boolean true
enable_chrony_install See manifests/services/chrony/install.pp Boolean true
enable_chrony_service See manifests/services/chrony/service.pp Boolean true
enable_chrony_time_server See manifests/services/chrony/time_server.pp Boolean true
enable_optional_home_permissions See manifests/optional/home_permissions.pp Boolean true
enable_optional_log_permissions See manifests/optional/log_permissions.pp Boolean true

Level 2

To choose the level 2, the $level variable must be set to 2. Level 1 rules are also in level 2.

Name Description Type Default Value
enable_auditd_rules_perm_mod See manifests/system/auditd/rules/perm_mod.pp Boolean true
auditd_rules_perm_mod_actions Actions to audit Array[String] ['chmod', 'chown', 'fchmod', 'fchmodat', 'fchown', 'fchownat', 'fremovexattr', 'fsetxattr', 'lchown', 'lremovexattr', 'lsetxattr', 'removexattr', 'setxattr']
enable_auditd_rules_delete See manifests/system/auditd/rules/delete.pp Boolean true
auditd_rules_delete_actions Actions to audit Array[String] ['rename', 'renameat', 'unlink', 'unlinkat']
enable_auditd_rules_access See manifests/system/auditd/rules/access.pp Boolean true
auditd_rules_access_actions Actions to audit Array[String] ['creat', 'ftruncate', 'open', 'openat', 'truncate']
enable_auditd_rules_modules See manifests/system/auditd/rules/modules.pp Boolean true
auditd_rules_modules_actions Actions to audit Array[String] ['delete_module', 'init_module']
enable_auditd_rules_logins See manifests/system/auditd/rules/logins.pp Boolean true
auditd_rules_logins_paths Paths to audit Array[String] ['/var/run/faillock', '/var/log/lastlog']
enable_auditd_rules_time See manifests/system/auditd/rules/time.pp Boolean true
auditd_rules_time_actions Actions to audit Array[String] ['adjtimex', 'clock_settime', 'stime']
auditd_rules_time_paths Paths to audit Array[String] ['/etc/localtime']
enable_auditd_rules_mac See manifests/system/auditd/rules/mac.pp Boolean true
auditd_rules_mac_paths Paths to audit Array[String] ['/etc/selinux/']
enable_auditd_rules_export See manifests/system/auditd/rules/export.pp Boolean true
auditd_rules_export_actions Actions to audit Array[String] ['mount'],
enable_auditd_rules_net_env See manifests/system/auditd/rules/net_env.pp Boolean true
auditd_rules_net_env_actions Actions to audit Array[String] ['sethostname,setdomainname']
auditd_rules_net_env_paths Paths to audit Array[String] ['/etc/issue', '/etc/issue.net', '/etc/hosts', '/etc/sysconfig/network']
enable_auditd_rules_session See manifests/system/auditd/rules/session.pp Boolean true
auditd_rules_session_paths Paths to audit Array[String] ['/var/run/utmp', '/var/log/btmp', '/var/log/wtmp']
enable_auditd_rules_actions See manifests/system/auditd/rules/actions.pp Boolean true
auditd_rules_actions_paths Paths to audit Array[String] ['/etc/sudoers', '/etc/sudoers.d/']
enable_auditd_rules_usergroup See manifests/system/auditd/rules/usergroup.pp Boolean true
auditd_rules_usergroup_paths Paths to audit Array[String] ['/etc/group', '/etc/gshadow', '/etc/security/opasswd', '/etc/passwd', '/etc/shadow']
enable_auditd_rules_immutable See manifests/system/auditd/rules/immutable.pp Boolean true
enable_auditd_data_log See manifests/system/auditd/data/log.pp Boolean true
auditd_data_log_maxsize Max size of audit.log file Integer 6
auditd_data_log_maxsize_action Action to perform when audit.log maxsize is reached Enum['syslog', 'suspend', 'rotate', 'keep_logs'] 'keep_logs'
enable_auditd_data_space See manifests/system/auditd/data/space.pp Boolean true
auditd_data_space_adm_action Administration action to perform when space disk is low Enum['single', 'suspend', 'halt'] 'halt'
auditd_data_space_action Action to perform when space disk is low Enum['syslog', 'email', 'exec', 'suspend', 'single', 'halt'] 'email'
enable_auditd_backlog See manifests/system/auditd/backlog.pp Boolean true
auditd_backlog Audit Limit Backlog Integer 8192
enable_auditd_install See manifests/system/auditd/install.pp Boolean true
enable_auditd_service See manifests/system/auditd/service.pp Boolean true
enable_auditd_priority See manifests/system/auditd/priority.pp Boolean true
enable_selinux_libselinux See manifests/system/selinux/libselinux.pp Boolean true
enable_selinux_mcstrans See manifests/system/selinux/mcstrans.pp Boolean true
enable_selinux_setroubleshoot See manifests/system/selinux/setroubleshoot.pp/` Boolean true
enable_selinux_grub2 See manifests/system/selinux/grub2.pp Boolean true
enable_selinux_unconfined See manifests/system/selinux/unconfined.pp Boolean true
enable_selinux_policy See manifests/system/selinux/policy.pp Boolean true
enable_selinux_state See manifests/system/selinux/state.pp Boolean true
enable_network_uncommon_dccp See manifests/system/network/uncommon/dccp.pp Boolean true
enable_network_uncommon_rds See manifests/system/network/uncommon/rds.pp Boolean true
enable_network_uncommon_sctp See manifests/system/network/uncommon/sctp.pp Boolean true
enable_network_uncommon_tipc See manifests/system/network/uncommon/tipc.pp Boolean true
enable_disk_home See manifests/system/software/disk/home.pp Boolean true
enable_disk_var See manifests/system/software/disk/var.pp Boolean true
enable_disk_varlog See manifests/system/software/disk/var_log.pp Boolean true
enable_disk_varlogaudit See manifests/system/software/disk/var_log_audit.pp Boolean true
enable_disk_vartmp See manifests/system/software/disk/var_tmp.pp Boolean true
enable_ssh_tcp_forwarding See manifests/services/ssh/tcp_forwarding.pp Boolean true
ssh_tcp_forwarding Specifies whether TCP forwarding is permitted Enum['no', 'yes'] 'no'
enable_ssh_x11_forwarding See manifests/services/ssh/x11_forwarding.pp Boolean true
ssh_x11_forwarding Specifies whether X11 forwarding is permitted Enum['no', 'yes'] 'no'

Custom Level

To choose the custom level, the $level variable must be set to custom.

You can create your own rules with the dedicated script custom-rule.sh who is in the scripts directory. This script will create an entry in the data/os/AlmaLinux/version/8.yaml file, and it will create a .pp file in manifests/custom directory. When you want to execute the script, you only need to specify the name of your future custom rule like this:

# Example:
# scripts/custom-rule.sh -n custom_kernel
scripts/custom-rule.sh -n <rulename>

If you want to create a rule in a specific directory inside the custom, like manifests/custom/kernel, type this:

# Example:
# scripts/custom-rule.sh -n kernel/custom
scripts/custom-rule.sh -n <directory>/<rulename>

If you need help with the script, type scripts/custom-rule.sh -h or scripts/custom-rule.sh --help. If you want to add level 1 or 2 rules, you can edit the data/os/AlmaLinux/version/8.yaml to copy and paste rules you want.

Limitations

This module is dedicated for AlmaLinux 8 servers. It has been tested with a AlmaLinux 8.5 minimal installation.

Development

All contributions are welcome, so any help is appreciated! You can contribute on the official page: https://github.com/huglijonas/almalinux_hardening

Credits

This module is inspired by two other modules:

Author

  • Author: Jonas Hügli.

License

Puppet Module to perform AlmaLinux 8 OS Hardening with CIS benchmark.
Copyright (C) 2022  Jonas Hügli

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.