Forge Home


module to impliment CIS benchmarks with capability to support mutiple OS and CIS versions


6,825 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.1.15 (latest)
  • 0.1.14
  • 0.1.13
  • 0.1.12
  • 0.1.11
  • 0.1.10 (deleted)
  • 0.1.9 (deleted)
  • 0.1.8 (deleted)
  • 0.1.7 (deleted)
  • 0.1.6 (deleted)
  • 0.1.5 (deleted)
  • 0.1.4 (deleted)
  • 0.1.3 (deleted)
  • 0.1.2 (deleted)
  • 0.1.1 (deleted)
  • 0.1.0 (deleted)
released Mar 20th 2018
This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.7

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'abuxton-cis_benchmarks', '0.1.15'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add abuxton-cis_benchmarks
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install abuxton-cis_benchmarks --version 0.1.15

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



abuxton/cis_benchmarks — version 0.1.15 Mar 20th 2018

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with cis_benchmarks
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module


MTN implimentation of CIS module with allowance for changing versions.

Module Description

Applys configuration and tests for CIS benchmark from Initially reimpliments V1.0.0 and developed to impliment V2.1.1

Supports use of Hieradata, and params.pp class. uses Added execute control functionality from bossbear/cis_benchmarks and rule_specialperms.pp (and matching rule_specialperms hash in common.yaml) where one can add any extra hashes (file/dir: permission) to enforce permissions on files or directories

CIS benchmark versions supported by OS

OS versions
redhat 1.0.0, 2.10


clone the module: git clone or puppet module install abuxton-cis_benchmarks

(See Usage below for staging dependent modules)

What cis_benchmarks affects

main list of subsystems impacted:

  • sshd (and anything that requires authentication)
  • auditd
  • cron
  • grub
  • su
  • kernel parameters
  • network parameters
  • selinux

Setup Requirements OPTIONAL

Currently, this module requires 4 additional modules:

  1. puppetlabs-stdlib
  2. herculesteam-augeasproviders_core
  3. herculesteam-augeasproviders_pam
  4. fiddyspence-sysctl

Beginning with cis_benchmarks

Once you've cloned it you can run it two ways:

  1. Stage all dependent modules in fixtures and run against spec/fixtures/modules directory. Following the below steps as root:

    cd cis_benchmarks
    bundle install --path vendor/bundle
    bundle exec rake spec_prep  #this will populate spec/fixtures/modules dir.
    puppet apply -v --modulepath spec/fixtures/modules examples/init.pp
  2. Manually stage the dependent modules and run against /etc/puppetlabs/code/environments/production/modules directory:

    puppet module install puppetlabs-stdlib puppet module install herculesteam-augeasproviders_core puppet module install herculesteam-augeasproviders_pam puppet module install fiddyspence-sysctl cd cis_benchmarks puppet apply -v --modulepath /etc/puppetlabs/code/environments/production/modules examples/init.pp

Obviously, you can add --noop flag to run things in an audit mode.

In order to run RSpec testing run the following commands:

cd cis_benchmarks
bundle install --path vendor/path
bundle exec rake spec

In order to run beaker testing run the following commands:

cd cis_benchmarks
bundle install --path vendor/path
bundle exec rake beaker:centos-7-x86_64-docker


Strongly suggest profiling the module with trlinkin/noop



This module was tested using Puppet Agent 4.7 and have been tested on following systems:

  1. RedHat 7 x64
  2. CentOS 7 x64


The module will test for components and deploy certain packages but it does not enforce iptables or firewalld rules we suggest puppetlabs/firewall for those tasks


Since your module is awesome, other users will want to play with it. Let them know what the ground rules for contributing are.


RHEL6 support Tidy up custom facts currently does not support changing script dir or missing scripts well

Release Notes/Contributors/Etc Optional

Based on the work: bossbear/cis_benchmarks