Forge Home

cis_benchmarks

module to impliment CIS benchmarks with capability to support mutiple OS and CIS versions

10,371 downloads

6,935 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Support the Puppet Community by contributing to this module

You are welcome to contribute to this module by suggesting new features, currency updates, or fixes. Every contribution is valuable to help ensure that the module remains compatible with the latest Puppet versions and continues to meet community needs. Complete the following steps:

  1. Review the module’s contribution guidelines and any licenses. Ensure that your planned contribution aligns with the author’s standards and any legal requirements.
  2. Fork the repository on GitHub, make changes on a branch of your fork, and submit a pull request. The pull request must clearly document your proposed change.

For questions about updating the module, contact the module’s author.

Version information

  • 0.1.15 (latest)
  • 0.1.14
  • 0.1.13
  • 0.1.12
  • 0.1.11
  • 0.1.10 (deleted)
  • 0.1.9 (deleted)
  • 0.1.8 (deleted)
  • 0.1.7 (deleted)
  • 0.1.6 (deleted)
  • 0.1.5 (deleted)
  • 0.1.4 (deleted)
  • 0.1.3 (deleted)
  • 0.1.2 (deleted)
  • 0.1.1 (deleted)
  • 0.1.0 (deleted)
released Mar 20th 2018
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.7

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'abuxton-cis_benchmarks', '0.1.15'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add abuxton-cis_benchmarks
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install abuxton-cis_benchmarks --version 0.1.15

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

abuxton/cis_benchmarks — version 0.1.15 Mar 20th 2018

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with cis_benchmarks
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module

Overview

MTN implimentation of CIS module with allowance for changing versions.

Module Description

Applys configuration and tests for CIS benchmark from http://cisecurity.org/ Initially reimpliments V1.0.0 and developed to impliment V2.1.1

Supports use of Hieradata, and params.pp class. uses Added execute control functionality from bossbear/cis_benchmarks and rule_specialperms.pp (and matching rule_specialperms hash in common.yaml) where one can add any extra hashes (file/dir: permission) to enforce permissions on files or directories

CIS benchmark versions supported by OS

OS versions
redhat 1.0.0, 2.10

Setup

clone the module: git clone http://github.com/abuxton/cis_benchmarks or puppet module install abuxton-cis_benchmarks

(See Usage below for staging dependent modules)

What cis_benchmarks affects

main list of subsystems impacted:

  • sshd (and anything that requires authentication)
  • auditd
  • cron
  • grub
  • su
  • kernel parameters
  • network parameters
  • selinux

Setup Requirements OPTIONAL

Currently, this module requires 4 additional modules:

  1. puppetlabs-stdlib
  2. herculesteam-augeasproviders_core
  3. herculesteam-augeasproviders_pam
  4. fiddyspence-sysctl

Beginning with cis_benchmarks

Once you've cloned it you can run it two ways:

  1. Stage all dependent modules in fixtures and run against spec/fixtures/modules directory. Following the below steps as root:

    cd cis_benchmarks
    bundle install --path vendor/bundle
    bundle exec rake spec_prep  #this will populate spec/fixtures/modules dir.
    puppet apply -v --modulepath spec/fixtures/modules examples/init.pp
    
  2. Manually stage the dependent modules and run against /etc/puppetlabs/code/environments/production/modules directory:

    puppet module install puppetlabs-stdlib puppet module install herculesteam-augeasproviders_core puppet module install herculesteam-augeasproviders_pam puppet module install fiddyspence-sysctl cd cis_benchmarks puppet apply -v --modulepath /etc/puppetlabs/code/environments/production/modules examples/init.pp

Obviously, you can add --noop flag to run things in an audit mode.

In order to run RSpec testing run the following commands:

cd cis_benchmarks
bundle install --path vendor/path
bundle exec rake spec

In order to run beaker testing run the following commands:

cd cis_benchmarks
bundle install --path vendor/path
bundle exec rake beaker:centos-7-x86_64-docker

Usage

Strongly suggest profiling the module with trlinkin/noop

##Reference

Limitations

This module was tested using Puppet Agent 4.7 and have been tested on following systems:

  1. RedHat 7 x64
  2. CentOS 7 x64

firewall

The module will test for components and deploy certain packages but it does not enforce iptables or firewalld rules we suggest puppetlabs/firewall for those tasks

Development

Since your module is awesome, other users will want to play with it. Let them know what the ground rules for contributing are.

TODO

RHEL6 support Tidy up custom facts currently does not support changing script dir or missing scripts well

Release Notes/Contributors/Etc Optional

Based on the work: bossbear/cis_benchmarks