cis_benchmarks

module to impliment CIS benchmarks with capability to support mutiple OS and CIS versions
abuxton

abuxton

abuxton

7,706 downloads

4,935 latest version

5.0 quality score

Version information

  • 0.1.15 (latest)
  • 0.1.14
  • 0.1.13
  • 0.1.12
  • 0.1.11
  • 0.1.10
  • 0.1.9
  • 0.1.8
  • 0.1.7
  • 0.1.6
  • 0.1.5
  • 0.1.4
  • 0.1.3
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Jul 3rd 2019
This version is compatible with:
  • Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.7
  • RedHat

Start using this module

Documentation

abuxton/cis_benchmarks — version 0.1.15 Jul 3rd 2019

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with cis_benchmarks
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module

Overview

MTN implimentation of CIS module with allowance for changing versions.

Module Description

Applys configuration and tests for CIS benchmark from http://cisecurity.org/ Initially reimpliments V1.0.0 and developed to impliment V2.1.1

Supports use of Hieradata, and params.pp class. uses Added execute control functionality from bossbear/cis_benchmarks and rule_specialperms.pp (and matching rule_specialperms hash in common.yaml) where one can add any extra hashes (file/dir: permission) to enforce permissions on files or directories

CIS benchmark versions supported by OS

OS versions
redhat 1.0.0, 2.10

Setup

clone the module: git clone http://github.com/abuxton/cis_benchmarks or puppet module install abuxton-cis_benchmarks

(See Usage below for staging dependent modules)

What cis_benchmarks affects

main list of subsystems impacted:

  • sshd (and anything that requires authentication)
  • auditd
  • cron
  • grub
  • su
  • kernel parameters
  • network parameters
  • selinux

Setup Requirements OPTIONAL

Currently, this module requires 4 additional modules:

  1. puppetlabs-stdlib
  2. herculesteam-augeasproviders_core
  3. herculesteam-augeasproviders_pam
  4. fiddyspence-sysctl

Beginning with cis_benchmarks

Once you've cloned it you can run it two ways:

  1. Stage all dependent modules in fixtures and run against spec/fixtures/modules directory. Following the below steps as root:

    cd cis_benchmarks
    bundle install --path vendor/bundle
    bundle exec rake spec_prep  #this will populate spec/fixtures/modules dir.
    puppet apply -v --modulepath spec/fixtures/modules examples/init.pp
    
  2. Manually stage the dependent modules and run against /etc/puppetlabs/code/environments/production/modules directory:

    puppet module install puppetlabs-stdlib puppet module install herculesteam-augeasproviders_core puppet module install herculesteam-augeasproviders_pam puppet module install fiddyspence-sysctl cd cis_benchmarks puppet apply -v --modulepath /etc/puppetlabs/code/environments/production/modules examples/init.pp

Obviously, you can add --noop flag to run things in an audit mode.

In order to run RSpec testing run the following commands:

cd cis_benchmarks
bundle install --path vendor/path
bundle exec rake spec

In order to run beaker testing run the following commands:

cd cis_benchmarks
bundle install --path vendor/path
bundle exec rake beaker:centos-7-x86_64-docker

Usage

Strongly suggest profiling the module with trlinkin/noop

##Reference

Limitations

This module was tested using Puppet Agent 4.7 and have been tested on following systems:

  1. RedHat 7 x64
  2. CentOS 7 x64

firewall

The module will test for components and deploy certain packages but it does not enforce iptables or firewalld rules we suggest puppetlabs/firewall for those tasks

Development

Since your module is awesome, other users will want to play with it. Let them know what the ground rules for contributing are.

TODO

RHEL6 support Tidy up custom facts currently does not support changing script dir or missing scripts well

Release Notes/Contributors/Etc Optional

Based on the work: bossbear/cis_benchmarks