cisecurity
Version information
This version is compatible with:
- Puppet Enterprise 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >= 4.7.0 < 6.0.0
Start using this module
Add this module to your Puppetfile:
mod 'cohdjn-cisecurity', '0.7.2'
Learn more about managing modules with a Puppetfile
cisecurity
Table of Contents
- Module Description
- Setup - The basics of getting started with cisecurity
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Module Description
This module configures and maintains controls listed in the Center for Internet Security Benchmark for Linux. The current version of cisecurity implements v2.10 of the benchmark for Red Hat Enterprise Linux 6 and v2.20 for Red Hat Enterprise Linux 7. The module provides a lot of dials and knobs to fine-tune the module to your specific needs.
More information about the benchmark and downloading a copy of it for yourself is available at the Center for Internet Security.
Setup
What cisecurity affects
By default, this module implements all Level 1 and Level 2 controls and uses the defaults provided in the benchmark. Make sure to consult the module's documentation for default settings and alter as necessary. The defaults are not intended as a one-size-fits-all solution.
cisecurity touches a wide variety of system-level settings including:
- Filesystem owners, groups, and permissions
- modprobe-enabled filesystems
- Mount point configurations
- Network subsystem
- Addition/removal of packages
- Package configurations
- PAM
- SELinux
- Grub
- User Accounts
Beginning with cisecurity
To use the cisecurity module with default parameters, declare the cisecurity class.
class { '::cisecurity': }
Usage
All parameters for the cisecurity module are broken down into various classes based on the components being modified.
Reference
Classes
cisecurity::filesystem: Handles the filesystem controls.
cisecurity::network: Handles the network controls.
cisecurity::packages: Handles the package and yum controls.
cisecurity::pam: Handles the PAM controls.
cisecurity::security: Handles Grub, SELinux, and other miscellaneous controls.
cisecurity::services: Handles the service controls.
Parameters
If you modify an Enum['enabled','disabled'] parameter to something other than the default, the module will not autocorrect the desired state of the system. You will need to go to that system and manually change the configuration to whatever you want it to be. cisecurity is designed to only enforce the controls in the benchmark and will not make assumptions about what you want a system's configuration to look like when you deviate.
For parameters in the cisecurity::packages class, if you modify an Enum['installed','uninstalled','ignored'] parameter, the class will attempt to install, purge, or ignore the specified package.
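An added example, not part of the module's README: a per-node Hiera data file that overrides parameters from several of the classes documented below, using the class::parameter key form that Puppet's automatic parameter lookup resolves when the cisecurity class is declared. The node file path, the 'site' module, the device name, the ignored directory, and the excluded package are assumptions.

```yaml
# Per-node Hiera data (file path assumed, e.g. data/nodes/web01.example.com.yaml).
# Each key is <class>::<parameter>; Puppet's automatic parameter lookup applies
# them when `class { '::cisecurity': }` is declared for this node.

# cisecurity::filesystem -- removable media (Controls 1.1.18 - 1.1.20).
# Partitions are node-specific, which is why the module defaults to an empty list.
# /dev/sdb1 is a constructed example device.
cisecurity::filesystem::removable_media_partitions:
  - '/dev/sdb1'
# Benchmark defaults kept; listed only because the two parameters work as a pair.
cisecurity::filesystem::removable_media_mount_options:
  - 'noexec'
  - 'nodev'
  - 'nosuid'

# cisecurity::filesystem -- a world writable directory whose sticky bit must not
# be set automatically (Control 1.1.21). The path is constructed.
cisecurity::filesystem::world_writable_dirs_ignored:
  - '/srv/scratch'

# cisecurity::network -- node-specific TCP Wrappers files (Controls 3.4.2, 3.4.3)
# served from an assumed 'site' module instead of the module's generic defaults.
cisecurity::network::hosts_allow: 'puppet:///modules/site/tcp_wrappers/web01/hosts.allow'
cisecurity::network::hosts_deny: 'puppet:///modules/site/tcp_wrappers/web01/hosts.deny'

# cisecurity::packages -- yum-cron (Control 1.8): download security updates only
# and leave installation to a maintenance window. The 'kernel*' exclusion is constructed.
cisecurity::packages::yum_auto_update_action: 'download'
cisecurity::packages::yum_auto_update_update_cmd: 'security'
cisecurity::packages::yum_auto_update_exclude:
  - 'kernel*'

# cisecurity::pam -- tighter lockout than the benchmark defaults (Control 5.3.2).
cisecurity::pam::account_lockout_attempts: 3
cisecurity::pam::account_lockout_time: 1800

# Deviating from a control: 'enabled' here means the module stops enforcing the
# cramfs restriction (Control 1.1.1.1). Per the Parameters note above, the module
# does not undo the restriction already applied on the host; that change is manual.
cisecurity::filesystem::cramfs: 'enabled'
```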
Class cisecurity::filesystem
configure_umask_default
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 5.4.4
- Related:
umask_default
Determines if the default umask will be modified.
cramfs
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.1.1.1
Determines if mounting cramfs filesystems will be allowed.
dev_shm_mount_options
- Default value:
[ 'noexec', 'nodev', 'nosuid' ]
- Data type:
Array[String]
- Implements: Control 1.1.15
Provides mount options for /dev/shm. Set this parameter to an empty array if you don't want the module to modify /dev/shm.
freevxfs
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.1.1.2
Determines if mounting freevxfs filesystems will be allowed.
harden_system_file_perms
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Controls 5.1.2 - 5.1.8, 5.2.1, 6.1.2 - 6.1.9
Secures certain system files and directories harder than the default operating system provides.
hfs
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.1.1.4
Determines if mounting hfs filesystems will be allowed.
hfsplus
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.1.1.5
Determines if mounting hfsplus filesystems will be allowed.
home_mount_options
- Default value:
[ 'nodev' ]
- Data type:
Array[String]
- Implements: Controls 1.1.13 - 1.1.14
Provides mount options for /home. If /home is not configured as a separate partition, the module will throw a warning. Set this parameter to an empty array if you don't want the module to modify /home.
jffs2
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.1.1.3
Determines if mounting jffs2 filesystems will be allowed.
log_file_perms_cron_start_hour
- Default value:
'*'
- Data type:
String
- Implements: Control 4.2.4
- Related:
remediate_log_file_perms
A cron-styled hour when log file permissions will be corrected.
log_file_perms_cron_start_minute
- Default value:
'37'
- Data type:
String
- Implements: Control 4.2.4
- Related:
remediate_log_file_perms
A cron-styled minute when log file permissions will be corrected.
remediate_log_file_perms
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 4.2.4
- Related:
log_file_perms_cron_start_hour, log_file_perms_cron_start_minute
Secures log files in /var/log harder than the default operating system provides.
remediate_ungrouped_files
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.1.12
- Related:
ungrouped_files_replacement_group
Reassigns group ownership of ungrouped files and directories.
remediate_unowned_files
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.1.11
- Related:
unowned_files_replacement_owner
Reassigns user ownership of unowned files and directories.
remediate_world_writable_dirs
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.1.21
- Related:
world_writable_dirs_ignored
Adds sticky bit to all world writable directories.
remediate_world_writable_files
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.1.10
- Related:
world_writable_files_ignored
Removes world writable permission from all world writable files.
removable_media_mount_options
- Default value:
[ 'noexec', 'nodev', 'nosuid' ]
- Data type:
Array[String]
- Implements: Controls 1.1.18 - 1.1.20
- Related:
removable_media_partitions
Provides mount options for removable media partitions.
removable_media_partitions
- Default value:
[ ]
- Data type:
Array[String]
- Implements: Controls 1.1.18 - 1.1.20
- Related:
removable_media_mount_options
Lists all removable partitions that exist on the system. It is recommended you set this on a node-by-node basis.
squashfs
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.1.1.6
Determines if mounting squashfs filesystems will be allowed.
tmp_mount_options
- Default value:
[ 'mode=1777', 'astrictatime', 'noexec', 'nodev', 'nosuid' ]
- Data type:
Array[String]
- Implements: Controls 1.1.2 - 1.1.5
- Related:
removable_media_partitions
Provides mount options for /tmp. If /tmp is not configured as a separate partition, the module will throw a warning. Set this parameter to an empty array if you don't want the module to modify /tmp.
udf
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.1.1.7
Determines if mounting udf filesystems will be allowed.
umask_default
- Default value:
'027'
- Data type:
String
- Implements: Control 5.4.4
- Related:
configure_umask_default
Value of the default umask.
ungrouped_files_replacement_group
- Default value:
'root'
- Data type:
String
- Implements: Control 6.1.12
- Related:
remediate_ungrouped_files
Value of the group to assign to ungrouped files. You may use GID or name.
unowned_files_replacement_owner
- Default value:
'root'
- Data type:
String
- Implements: Control 6.1.11
- Related:
remediate_unowned_files
Value of the user to assign to unowned files. You may use UID or name.
var_mount_options
- Default value:
[ 'defaults' ]
- Data type:
Array[String]
- Implements: Control 1.1.6
Provides mount options for /var. If /var is not configured as a separate partition, the module will throw a warning. You really shouldn't need to modify this because the benchmark doesn't specify changes to the mount options (hence why it's set to defaults).
var_log_audit_mount_options
- Default value:
[ 'defaults' ]
- Data type:
Array[String]
- Implements: Control 1.1.12
Provides mount options for /var/log/audit. If /var/log/audit is not configured as a separate partition, the module will throw a warning. You really shouldn't need to modify this because the benchmark doesn't specify changes to the mount options (hence why it's set to defaults).
var_log_mount_options
- Default value:
[ 'defaults' ]
- Data type:
Array[String]
- Implements: Control 1.1.11
Provides mount options for /var/log. If /var/log is not configured as a separate partition, the module will throw a warning. You really shouldn't need to modify this because the benchmark doesn't specify changes to the mount options (hence why it's set to defaults).
var_tmp_mount_options
- Default value:
[ 'bind' ]
- Data type:
Array[String]
- Implements: Control 1.1.6
Provides mount options for /var/tmp. Set this parameter to an empty array if you don't want the module to modify /var/tmp.
vfat
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.1.1.8
Determines if mounting vfat filesystems will be allowed.
world_writable_dirs_ignored
- Default value:
[ ]
- Data type:
Array[String]
- Implements: Control 1.1.21
- Related:
remediate_world_writable_dirs
Provides a list of world writable directories that you don't want the sticky bit automatically set on.
world_writable_files_ignored
- Default value:
[ '/var/lib/rsyslog/imjournal.state' ]
- Data type:
Array[String]
- Implements: Control 6.1.10
- Related:
remediate_world_writable_files
Provides a list of world writable files that you don't want permissions automatically changed.
Class cisecurity::network
dccp
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.5.1
Determines if the DCCP protocol will be allowed.
disable_wireless_interfaces
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.7
Determines if wireless interfaces should be disabled.
hosts_allow
- Default value:
'puppet:///modules/cisecurity/tcp_wrappers/hosts.allow'
- Data type:
String
- Implements: Control 3.4.2
Provides the source location for the /etc/hosts.allow file. It is recommended you set this on a node-by-node basis.
hosts_deny
- Default value:
'puppet:///modules/cisecurity/tcp_wrappers/hosts.deny'
- Data type:
String
- Implements: Control 3.4.3
Provides the source location for the /etc/hosts.deny file. It is recommended you set this on a node-by-node basis.
ipv4_accept_icmp_redirects
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.2.2
Determines if ICMP redirect messages are allowed.
ipv4_forwarding
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.1.1
Determines if forwarding (routing) is allowed.
ipv4_ignore_icmp_bogus_responses
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.2.6
Determines if bogus (faked) ICMP response messages are allowed.
ipv4_ignore_icmp_broadcasts
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.2.5
Determines if broadcast ICMP messages are allowed.
ipv4_log_suspicious_packets
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.2.4
Determines if suspicious packets (martians) will be logged.
ipv4_reverse_path_filtering
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.2.7
Determines if reverse path filtering of packets should happen.
ipv4_secure_redirects
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.2.3
Determines if secure ICMP redirect messages are allowed.
ipv4_send_redirects
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.1.2
Determines if the system can send ICMP redirect messages.
ipv4_source_routing
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.2.1
Determines if source routed packets are accepted.
ipv4_tcp_syncookies
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.2.8
Determines if TCP SYN cookies are allowed.
ipv6
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.3.3
Determines if the IPv6 protocol stack is allowed.
ipv6_accept_packet_redirects
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.3.2
Determines if IPv6 redirect messages are allowed.
ipv6_accept_router_advertisements
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.3.1
Determines if IPv6 router advertisements are accepted.
rds
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.5.3
Determines if the RDS protocol will be allowed.
sctp
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.5.2
Determines if the SCTP protocol will be allowed.
tipc
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 3.5.4
Determines if the TIPC protocol will be allowed.
Class cisecurity::packages
aide
- Default value:
'installed'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 1.3.1
Determines if AIDE will be installed.
aide_cron_start_hour
- Default value:
'5'
- Data type:
String
- Implements: Control 1.3.2
- Related:
aide_cron_start_minute
A cron-styled hour when AIDE will run its daily check.
aide_cron_start_minute
- Default value:
'0'
- Data type:
String
- Implements: Control 1.3.2
- Related:
aide_cron_start_hour
A cron-styled minute when AIDE will run its daily check.
firewalld
- Default value:
'installed'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 3.6.1
Determines if firewalld will be installed.
libselinux
- Default value:
'installed'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 1.6.2
Determines if libselinux will be installed.
logrotate
- Default value:
'installed'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 4.3
Determines if logrotate will be installed.
mcstrans
- Default value:
'uninstalled'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 1.6.1.5
Determines if the MCS Translation Service will be installed.
openldap_clients
- Default value:
'uninstalled'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 2.3.5
Determines if the LDAP client will be installed.
prelink
- Default value:
'uninstalled'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 3.6.1
Determines if prelink will be installed.
rsh
- Default value:
'uninstalled'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 2.2.17
Determines if the rsh server will be installed.
setroubleshoot
- Default value:
'uninstalled'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 1.6.1.4
Determines if setroubleshoot will be installed.
talk
- Default value:
'uninstalled'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 2.2.18
Determines if talk will be installed.
tcp_wrappers
- Default value:
'uninstalled'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 3.4.1
Determines if the TCP Wrappers will be installed.
telnet
- Default value:
'uninstalled'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 2.3.4
Determines if the telnet client will be installed.
xorg_x11
- Default value:
'uninstalled'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 2.2.2
Determines if X Windows will be installed.
ypbind
- Default value:
'uninstalled'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 2.3.1
Determines if the NIS Client will be installed.
yum_auto_update
- Default value:
'installed'
- Data type:
Enum['installed','uninstalled','ignored']
- Implements: Control 1.8
- Related:
yum_auto_update_action, yum_auto_update_email_from, yum_auto_update_email_to, yum_auto_update_exclude, yum_auto_update_notify_email, yum_auto_update_update_cmd
Determines if yum-cron will be installed and configured.
yum_auto_update_action
- Default value:
'apply'
- Data type:
Enum['check','download','apply']
- Implements: Control 1.8
- Related:
yum_auto_update
Determines how to deal with updates for the system:
- check: detects the presence of updates but takes no further action.
- download: downloads the files and packages necessary to perform the update and takes no further action.
- apply: downloads and installs the updates automatically.
yum_update_email_from
- Default value:
'root'
- Data type:
String
- Implements: Control 1.8
- Related:
yum_auto_update, yum_auto_update_notify_email
If email notifications are enabled, this parameter defines the sender's email address. The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).
yum_update_email_to
- Default value:
'root'
- Data type:
String
- Implements: Control 1.8
- Related:
yum_auto_update, yum_auto_update_notify_email
If email notifications are enabled, this parameter defines who to send the notifications to. The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).
yum_auto_update_exclude
- Default value:
[ ]
- Data type:
Array[String]
- Implements: Control 1.8
- Related:
yum_auto_update
An array of packages to exclude when applying updates.
yum_auto_update_notify_email
- Default value:
true
- Data type:
Boolean
- Implements: Control 1.8
- Related:
yum_auto_update, yum_auto_update_email_from, yum_auto_update_email_to
Determines whether notifications are to be sent via email.
yum_auto_update_update_cmd
- Default value:
'default'
- Data type:
Enum['default','security','security-severity:Critical','minimal','minimal-security','minimal-security-severity:Critical']
- Implements: Control 1.8
- Related:
yum_auto_update
Defines what category of updates you wish applied:
- default: provides updates for all installed packages.
- security: provides updates with security fixes only.
- security-severity:Critical: provides only critical security fixes.
- minimal: provides updates for bugfixes.
- minimal-security: provides updates to packages with security errata.
- minimal-security-severity:Critical: provides only critical security fixes for packages with security errata.
yum_repo_enforce_gpgcheck
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.2.2
Determines whether to enforce gpgcheck on all available repositories.
Class cisecurity::pam
account_lockout_enforcement
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 5.3.2
- Related:
account_lockout_attempts, account_lockout_time, inactive_account_lockout, inactive_account_lockout_days
Determines whether the system should be configured for account lockout enforcement.
account_lockout_attempts
- Default value:
5
- Data type:
Integer
- Implements: Control 5.3.2
- Related:
account_lockout_enforcement
Specifies the number of times a bad password may be entered before the account is automatically locked out.
account_lockout_time
- Default value:
900
- Data type:
Integer
- Implements: Control 5.3.2
- Related:
account_lockout_enforcement
Specifies the amount of time (in seconds) when an account will be automatically unlocked after failed password attempts.
inactive_account_lockout
- Default value:
'enabled'
- Data Type:
Enum['enabled','disabled']
- Implements: Control 5.4.1.4
- Related:
account_lockout_enforcement
Specifies whether inactive accounts should be locked by the system.
inactive_account_lockout_days
- Default value:
30
- Data Type:
Integer
- Implements: Control 5.4.1.4
- Related:
account_lockout_enforcement
Specifies the number of days when an account is considered inactive.
root_user_settings
- Default value:
{ gid => 'root' }
- Data Type:
Hash
- Implements: Control 5.4.3
Specifies settings for the root user. The minimum setting needed is for ensuring the primary group but this can be extended to include managing root passwords.
password_aging
- Default value:
'enabled'
- Data Type:
Enum['enabled','disabled']
- Implements: Controls 5.4.1.1 - 5.4.1.3
- Related:
password_aging_max_days, password_aging_min_days, password_aging_warn_days
Determines whether the system should be configured for password aging enforcement.
password_aging_max_days
- Default value:
90
- Data Type:
Integer
- Implements: Control 5.4.1.1
- Related:
password_aging
Specifies the maximum number of days before a password is required to be changed.
password_aging_min_days
- Default value:
7
- Data Type:
Integer
- Implements: Control 5.4.1.2
- Related:
password_aging
Specifies the minimum number of days a password must be used before it can be changed.
password_aging_warn_days
- Default value:
7
- Data Type:
Integer
- Implements: Control 5.4.1.3
- Related:
password_aging
Specifies the number of days before expiry that a message is displayed at user login warning that the password is going to expire.
password_enforcement
- Default value:
'enabled'
- Data Type:
Enum['enabled','disabled']
- Implements: Controls 5.3.1, 5.3.3
- Related:
password_min_length, password_num_digits, password_num_lowercase, password_num_uppercase, password_num_other_chars, password_max_attempts, password_num_remembered
Determines whether the system should be configured for password complexity restrictions.
password_max_attempts
- Default value:
3
- Data Type:
Integer
- Implements: Control 5.3.1
- Related:
password_enforcement
Specifies the number of times a user may specify a new password that doesn't meet complexity requirements before the attempt to change the password is rejected.
password_min_length
- Default value:
14
- Data Type:
Integer
- Implements: Control 5.3.1
- Related:
password_enforcement
Specifies the minimum length of a valid password.
password_num_digits
- Default value:
-1
- Data Type:
Integer
- Implements: Control 5.3.1
- Related:
password_enforcement
Specifies the number of digits required to be present in the password.
password_num_lowercase
- Default value:
-1
- Data Type:
Integer
- Implements: Control 5.3.1
- Related:
password_enforcement
Specifies the number of lowercase characters required to be present in the password.
password_num_uppercase
- Default value:
-1
- Data Type:
Integer
- Implements: Control 5.3.1
- Related:
password_enforcement
Specifies the number of uppercase characters required to be present in the password.
password_num_other_chars
- Default value:
-1
- Data Type:
Integer
- Implements: Control 5.3.1
- Related:
password_enforcement
Specifies the number of special characters required to be present in the password.
password_num_remembered
- Default value:
5
- Data Type:
Integer
- Implements: Control 5.3.3
- Related:
password_enforcement
Specifies the number of passwords the system will store per user to prevent them from reusing old passwords.
wheel
- Default value:
'enabled'
- Data Type:
Enum['enabled','disabled']
- Implements: Control 5.6
Specifies whether to enable the use of the wheel group on the system for the su command.
Class cisecurity::security
aslr
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.5.3
Determines whether Address Space Layout Randomization (ASLR) will be enabled.
banner_message_text
- Default value:
'Authorized uses only. All activity may be monitored and reported.'
- Data type:
String
- Implements: Control 1.7.2
- Related:
x_windows
Banner message text to be displayed when a GNOME-based graphical login occurs.
bootloader_password
- Default value: Grub encrypted password
- Data type:
String
- Implements: Control 1.4.2
For Red Hat 7, a grub SHA512 encrypted password string used as the bootloader password. The encrypted password in RedHat7.yaml is 'password'. To change the bootloader password, use grub2-mkpasswd-pbkdf2 as shown below:
$ grub2-mkpasswd-pbkdf2
Enter password: <new password>
Reenter password: <confirm new password>
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.D70F1...
Copy and paste the entire string into the parameter.
For Red Hat 6, a grub MD5 encrypted password string used as the bootloader password. The encrypted password in RedHat6.yaml is 'password'. To change the bootloader password, use grub-md5-crypt as shown below:
$ grub-md5-crypt
Password: <new password>
Retype password: <confirm new password>
$1$L.MZi/$6i6ZtU/e8WRKfujZac44t.
Copy and paste the entire string into the parameter. Be sure to precede the salted password with the --md5 moniker as the default shows.
bootloader_user
- Default value:
'rescue'
- Data type:
String
- Implements: Control 1.4.2
Specifies a username to be created with superuser privileges in grub.
configure_shell_timeout
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 5.4.5
- Related:
shell_timeout
Determines whether to implement shell timeouts.
configure_system_acct_nologin
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 5.4.2
Determines whether system accounts (UIDs less than 1000 by default) have their shell changed to /sbin/nologin in /etc/passwd.
home_directories_perm
- Default value:
'0750'
- Data type:
String
- Implements: Controls 6.2.8 - 6.2.9
- Related:
remediate_home_directories
Defines what permission should be applied to home directories.
issue
- Default value:
'puppet:///modules/cisecurity/banners/issue'
- Data type:
String
- Implements: Controls 1.7.1.2 and 1.7.1.5
Provides the source location for /etc/issue and sets owner, group, and permission.
issue_net
- Default value:
'puppet:///modules/cisecurity/banners/issue.net'
- Data type:
String
- Implements: Controls 1.7.1.3 and 1.7.1.6
Provides the source location for /etc/issue.net and sets owner, group, and permission.
motd
- Default value:
'puppet:///modules/cisecurity/banners/motd'
- Data type:
String
- Implements: Controls 1.7.1.1 and 1.7.1.4
Provides the source location for /etc/motd and sets owner, group, and permission.
remediate_blank_passwords
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.1
Determines whether accounts with blank passwords will be locked out.
remediate_home_directories_dot_files
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.10
Removes group and other write permissions to users' dot files.
remediate_home_directories_exist
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.7
Creates users' home directories if they don't exist whether they've logged into the system or not.
remediate_home_directories_forward_files
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.11
Determines whether .forward files in home directories are forcibly removed.
remediate_home_directories_netrc_files
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.12
Determines whether .netrc files in home directories are forcibly removed.
remediate_home_directories_netrc_files_perms
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.13
Removes group and other write permissions to users' .netrc files.
remediate_home_directories_owner
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.9
Changes the ownership of home directories when the directory isn't owned by the correct user.
remediate_home_directories_perms
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.8
Changes the permissions of home directories.
remediate_home_directories_rhosts_files
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.14
Determines whether .rhosts files in home directories are forcibly removed.
remediate_home_directories_start_hour
- Default value:
'5'
- Data type:
String
- Implements: Controls 6.2.7 - 6.2.19
A cron-styled hour when home directory checks will run.
remediate_home_directories_start_minute
- Default value:
'0'
- Data type:
String
- Implements: Controls 6.2.7 - 6.2.19
A cron-styled minute when home directory checks will run.
remediate_legacy_group_entries
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.4
Determines whether legacy entries in /etc/group exist.
remediate_legacy_passwd_entries
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.2
Determines whether legacy entries in /etc/passwd exist.
remediate_legacy_shadow_entries
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.3
Determines whether legacy entries in /etc/shadow exist.
remediate_root_path
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.6
- Related:
root_path
Determines whether root's path will be managed. Besides configuring root's path in /root/.bash_profile, the module will go through each directory in the path and ensure the directory is owned by root, group owned by root, and removes group and other write attributes.
remediate_uid_zero_accounts
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.5
Determines whether accounts with UID 0 (other than root) will be deleted.
restricted_core_dumps
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.5.1
Determines whether core dumps are allowed.
root_path
- Default value:
[ '$PATH', '$HOME/bin' ]
- Data type:
Array[String]
- Implements: Control 6.2.6
- Related:
remediate_root_path
The path that will be configured in /root/.bash_profile.
selinux
- Default value:
'enforcing'
- Data type:
Enum['enforcing','permissive','disabled']
- Implements: Controls 1.6.1.1, 1.6.1.2, 1.6.2
Determines how SELinux will be configured.
selinux_type
- Default value:
'targeted'
- Data type:
Enum['targeted','minimum','mls']
- Implements: Control 1.6.1.3
Determines which SELinux policy type will be configured.
secure_terminals
- Default value:
[ 'console' ]
- Data type:
Array[String]
- Implements: Control 5.5
Provides a list of devices where root is permitted to directly log in.
single_user_authentication
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.4.3
Determines whether authentication will be required when the system runs in single-user mode.
syslog_facility
- Default value:
'auth'
- Data type:
String
- Implements: Controls 6.2.15 - 6.2.19
Provides the syslog facility that warning messages will be logged to.
syslog_severity
- Default value:
'warn'
- Data type:
String
- Implements: Controls 6.2.15 - 6.2.19
Provides the syslog severity that warning messages will be logged to.
verify_user_groups_exist
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.15
Verifies all groups in /etc/passwd exist in /etc/group. If a group doesn't exist, a message is written via syslog.
verify_duplicate_gids_notexist
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.17
Verifies no duplicate GIDs exist. If a duplicate GID is found, a message is written via syslog.
verify_duplicate_groupnames_notexist
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.19
Verifies no duplicate group names exist. If a duplicate group name is found, a message is written via syslog.
verify_duplicate_uids_notexist
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.16
Verifies no duplicate UIDs exist. If a duplicate UID is found, a message is written via syslog.
verify_duplicate_usernames_notexist
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 6.2.18
Verifies no duplicate usernames exist. If a duplicate username is found, a message is written via syslog.
Class cisecurity::services
at_allowed_users
- Default value:
[ 'root' ]
- Data type:
Array[String]
- Implements: Control 5.1.8
- Related:
configure_at_allow
Provides a list of users allowed to use at.
auditd_action_mail_root
- Default value:
'root'
- Data type:
String
- Implements: Control 4.1.1.2
- Related:
configure_auditd
If email notifications are enabled, this parameter defines who receives the notification. The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).
auditd_admin_space_left
- Default value:
50
- Data type:
Integer
- Implements: None.
- Related:
configure_auditd, auditd_admin_space_left_action
Value (in megabytes) that tells the audit daemon when to perform a configurable action because the system is running low on disk space. This should be considered the last chance to do something before running out of disk space. The numeric value for this parameter should be lower than the number for auditd_space_left.
auditd_admin_space_left_action
- Default value:
'halt'
- Data type:
Enum['email','exec','halt','ignore','rotate','single','suspend','syslog']
- Implements: Control 4.1.1.2
- Related:
configure_auditd, auditd_admin_space_left
Action to take when the system has detected that it is low on disk space. If set to ignore, the audit daemon does nothing. Syslog means that it will issue a warning to syslog. Email means that it will send a warning to the email account specified in auditd_action_mail_acct as well as sending the message to syslog. Suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The single option will cause the audit daemon to put the computer system in single user mode.
auditd_configure_boot_auditing
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 4.1.3
Determines whether processes that start before auditd is enabled will be audited.
auditd_configure_rules
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Controls 4.1.4 - 4.1.18
- Related:
configure_auditd
Determines whether the rules defined in the benchmark are applied.
auditd_max_log_file
- Default value:
8
- Data type:
Integer
- Implements: Control 4.1.1.1
- Related:
configure_auditd
Specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action.
auditd_max_log_file_action
- Default value:
'keep_logs'
- Data type:
Enum['keep_logs','ignore','rotate','suspend','syslog']
- Implements: Control 4.1.1.3
- Related:
configure_auditd, auditd_max_log_file
Action to take when the system has detected that the max file size limit has been reached. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The rotate option will cause the audit daemon to rotate the logs. It should be noted that logs with higher numbers are older than logs with lower numbers. This is the same convention used by the logrotate utility. The keep_logs option is similar to rotate except it does not use the num_logs setting. This prevents audit logs from being overwritten.
auditd_num_logs
- Default value:
5
- Data type:
Integer[0,999]
- Implements: None.
- Related:
configure_auditd
Specifies the number of log files to keep if rotate is given as the auditd_max_log_file_action. If the number is less than 2, logs are not rotated. This number must be 999 or less. The default is 0 - which means no rotation.
auditd_space_left
- Default value:
75
- Data type:
Integer
- Implements: None.
- Related:
configure_auditd, auditd_space_left_action
Value in megabytes that tells the audit daemon when to perform a configurable action because the system is starting to run low on disk space.
auditd_space_left_action
- Default value:
'email'
- Data type:
Enum['email','exec','halt','ignore','rotate','single','suspend','syslog']
- Implements: Control 4.1.1.2
- Related:
configure_auditd, auditd_space_left
Specifies what action will be taken when the system detects that it's starting to get low on disk space.
autofs
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.1.22
Enables or disables the automounter.
avahi_daemon
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.3
Enables or disables Avahi.
chargen_dgram
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.1
- Related:
inetd
Enables or disables chargen services.
chargen_stream
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.1
- Related:
inetd
Enables or disables chargen services.
configure_at_allow
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 5.1.8
- Related:
at_allowed_users
Determines whether to configure at.allow.
configure_auditd
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Controls 4.1.1.1 - 4.1.2
- Related:
auditd_action_mail_acct, auditd_admin_space_left_action, auditd_configure_rules, auditd_max_log_file, auditd_max_log_file_action, auditd_space_left_action
Determines whether the auditing subsystem will be configured.
configure_cron_allow
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 5.1.8
- Related:
cron_allowed_users
Determines whether to configure cron.allow.
configure_postfix
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.15
Determines whether postfix will be configured to only listen on localhost interfaces.
configure_rsyslog
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 4.2.1
- Related:
rsyslog_conf, rsyslog_remote_servers
Determines whether rsyslog will be configured.
configure_rsyslog_host
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 4.2.1.5
Determines whether rsyslog will be configured to be an rsyslog host.
configure_sshd
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Controls 5.2.1 - 5.2.16
- Related:
sshd_banner_file, sshd_client_alive_count_max, sshd_client_alive_interval, sshd_hostbased_authentication, sshd_ignore_rhosts, sshd_login_grace_time, sshd_log_level, sshd_max_auth_tries, sshd_permit_empty_passwords, sshd_permit_root_login, sshd_permitted_ciphers, sshd_permitted_macs, sshd_permit_user_environment, sshd_protocol, sshd_x11_forwarding
Determines whether sshd will be configured.
configure_time
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Controls 2.2.1.1 - 2.2.1.3
- Related:
time_service_provider, time_service_servers
Determines whether time services (ntpd or chrony) will be configured.
cron
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.1
Enables or disables cron.
cron_allowed_users
- Default value:
[ 'root' ]
- Data type:
Array[String]
- Implements: Control 5.1.8
- Related:
configure_cron_allow
Provides a list of users allowed to use cron.
cups
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.4
Enables or disables the printing subsystem.
daytime_dgram
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.2
- Related:
inetd
Enables or disables daytime services.
daytime_stream
- Default value:
'enabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.2
- Related:
inetd
Enables or disables daytime services.
dhcpd
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.5
Enables or disables DHCP services.
discard_dgram
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.3
- Related:
inetd
Enables or disables discard services.
discard_stream
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.3
- Related:
inetd
Enables or disables discard services.
dovecot
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.11
Enables or disables POP3/IMAP services.
echo_dgram
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.4
- Related:
inetd
Enables or disables echo services.
echo_stream
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.4
- Related:
inetd
Enables or disables echo services.
httpd
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.10
Enables or disables web services.
inetd
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.7
- Related:
chargen_dgram, chargen_stream, daytime_dgram, daytime_stream, discard_dgram, discard_stream, echo_dgram, echo_stream, time_dgram, time_stream, tftp_server
Enables or disables the (x)inetd super server.
named
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.8
Enables or disables DNS services.
nfs
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.7
- Related:
rpcbind
Enables or disables NFS services.
nfs_server
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.7
- Related:
rpcbind
Enables or disables NFS server services.
ntalk
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.18
Enables or disables talk services.
ntp_service_restrictions
- Default value:
[ '-4 default kod nomodify notrap nopeer noquery', '-6 default kod nomodify notrap nopeer noquery', '127.0.0.1', '-6 ::1' ]
- Data type:
Array[String]
- Implements: Control 2.2.1.2
- Related:
configure_time
Configures NTP restrict statements.
rexec
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.17
Enables or disables rexec services.
rhnsd
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 1.2.5
Enables or disables Red Hat Network Services.
rlogin
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.17
Enables or disables rlogin services.
rpcbind
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.7
- Related:
nfs, nfs_server
Enables or disables RPC portmapper service.
rsh
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.17
Enables or disables rsh services.
rsyncd
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.21
Enables or disables rsync services.
rsyslog_conf
- Default value:
'puppet:///modules/cisecurity/rsyslog/rsyslog.conf'
- Data type:
String
- Implements: Control 4.2.1.2
- Related:
configure_rsyslog
Provides the source location for the /etc/rsyslog.conf file. It is recommended you reconfigure this setting to some kind of master file to be distributed to all nodes or devise another mechanism to ensure log settings are properly configured.
rsyslog_remote_servers
- Default value:
[ { 'host' => 'log.domain.com', 'port' => 514 } ]
- Data type:
Array[Hash[String, Integer]]
- Implements: Control 4.2.1.4
Configures what loghosts to send syslog messages to.
slapd
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.6
Enables or disables LDAP services.
smb
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.12
Enables or disables Samba services.
snmpd
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.14
Enables or disables SNMP services.
sshd_allowed_groups
- Default value:
[ ]
- Data type:
Array[String]
- Implements: Control 5.2.14
- Related:
configure_sshd
Login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized.
sshd_allowed_users
- Default value:
[ ]
- Data type:
Array[String]
- Implements: Control 5.2.14
- Related:
configure_sshd
Login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized.
sshd_banner_file
- Default value:
'/etc/issue.net'
- Data type:
String
- Implements: Control 5.2.16
- Related:
configure_sshd
Provides the location where SSH will send the login banner from.
sshd_client_alive_count_max
- Default value:
'4'
- Data type:
String
- Implements: Control 5.2.13
- Related:
configure_sshd
Sets the number of client alive messages sshd will send without receiving messages back from the client.
sshd_client_alive_interval
- Default value:
'300'
- Data type:
String
- Implements: Control 5.2.13
- Related:
configure_sshd
Sets the timeout interval (in seconds) after which, if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client.
sshd_denied_groups
- Default value:
[ ]
- Data type:
Array[String]
- Implements: Control 5.2.14
- Related:
configure_sshd
Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized.
sshd_denied_users
- Default value:
[ ]
- Data type:
Array[String]
- Implements: Control 5.2.14
- Related:
configure_sshd
Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized.
sshd_hostbased_authentication
- Default value:
'no'
- Data type:
Enum['yes','no']
- Implements: Control 5.2.7
- Related:
configure_sshd
Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed.
sshd_ignore_rhosts
- Default value:
'yes'
- Data type:
Enum['yes','no']
- Implements: Control 5.2.6
- Related:
configure_sshd
Specifies that .rhosts and .shosts will not be used in RhostsRSAAuthentication or HostbasedAuthentication.
sshd_login_grace_time
- Default value:
'60'
- Data type:
String
- Implements: Control 5.2.14
- Related:
configure_sshd
Amount of time (in seconds) when the server disconnects if the user has not successfully logged in.
sshd_log_level
- Default value:
'INFO'
- Data type:
Enum['DEBUG','DEBUG1','DEBUG2','DEBUG3','ERROR','FATAL','INFO','QUIET','VERBOSE']
- Implements: Control 5.2.3
- Related:
configure_sshd
Sets the verbosity level that is used when logging messages.
sshd_max_auth_tries
- Default value:
'4'
- Data type:
String
- Implements: Control 5.2.5
- Related:
configure_sshd
Specifies the maximum number of authentication attempts permitted per connection.
sshd_permit_empty_passwords
- Default value:
'no'
- Data type:
Enum['yes','no']
- Implements: Control 5.2.9
- Related:
configure_sshd
Specifies whether the server allows login to accounts with empty password strings.
sshd_permit_root_login
- Default value:
'no'
- Data type:
Enum['yes','no']
- Implements: Control 5.2.8
- Related:
configure_sshd
Specifies whether root can log in directly with ssh.
sshd_permitted_ciphers
- Default value:
[ 'aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com' ]
- Data type:
Array[String]
- Implements: Control 5.2.11
- Related:
configure_sshd, sshd_protocol
Specifies the ciphers allowed for protocol version 2.
sshd_permitted_macs
- Default value:
[ 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha2-256', 'umac-128@openssh.com', 'curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256' ]
- Data type:
Array[String]
- Implements: Control 5.2.12
- Related:
configure_sshd, sshd_protocol
Specifies the available MAC (message authentication code) algorithms allowed for protocol version 2.
sshd_permit_user_environment
- Default value:
'no'
- Data type:
Enum['yes','no']
- Implements: Control 5.2.10
- Related:
configure_sshd
Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed.
sshd_protocol
- Default value:
'2'
- Data type:
String
- Implements: Control 5.2.2
- Related:
configure_sshd
Specifies the protocol versions sshd supports.
sshd_x11_forwarding
- Default value:
'no'
- Data type:
Enum['yes','no']
- Implements: Control 5.2.4
- Related:
configure_sshd
Specifies whether X11 forwarding is permitted.
squid
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.13
Enables or disables HTTP Proxy services.
telnet
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.19
Enables or disables telnet server services.
tftp
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.20
Enables or disables TFTP server services.
time_dgram
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.5
- Related:
inetd
Enables or disables time services through (x)inetd super server. Do not confuse this parameter with ntpd and chrony.
time_service_provider
- Default value:
'ntp'
- Data type:
Enum['ntp','chrony']
- Implements: Controls 2.2.1.1 - 2.2.1.3
- Related:
configure_time
Controls whether the system will use ntpd or chrony.
time_service_servers
- Default value:
[ '0.rhel.pool.ntp.org', '1.rhel.pool.ntp.org', '2.rhel.pool.ntp.org', '3.rhel.pool.ntp.org' ]
- Data type:
Array[String]
- Implements: Control 2.2.1.1
- Related:
configure_time
Provides a list of time servers to synchronize with.
time_stream
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.1.5
- Related:
inetd
Enables or disables time services through the (x)inetd super server. Do not confuse this parameter with ntpd or chrony.
vsftpd
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.9
Enables or disables FTP server services.
ypserv
- Default value:
'disabled'
- Data type:
Enum['enabled','disabled']
- Implements: Control 2.2.1.6
Enables or disables NIS server services.
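A Hiera data file that tunes the auditd, sshd, rsyslog and time parameters of cisecurity::services documented above. This is an added example, not data shipped with the module; it assumes the class parameters are resolved through Puppet's automatic class-parameter lookup (key = class::parameter), as the Hiera notes in the release history imply, and every hostname, address, group name and account name in it is an assumption.

```yaml
---
# Added example: Hiera data for cisecurity::services (not part of the module).
# Keys follow Puppet's automatic parameter lookup: <class>::<parameter>.

# auditd: the admin threshold must stay below the first warning threshold so the
# 'last chance' action only fires after the email warning has already gone out.
cisecurity::services::configure_auditd: 'enabled'
cisecurity::services::auditd_action_mail_root: 'secops@example.com'   # assumed address
cisecurity::services::auditd_space_left: 250            # MB, warn first ...
cisecurity::services::auditd_space_left_action: 'email'
cisecurity::services::auditd_admin_space_left: 100      # ... then act (100 < 250)
cisecurity::services::auditd_admin_space_left_action: 'single'
# With 'rotate', auditd_num_logs must be 2 or more or logs are never rotated.
cisecurity::services::auditd_max_log_file: 32           # MB per log file
cisecurity::services::auditd_max_log_file_action: 'rotate'
cisecurity::services::auditd_num_logs: 10
cisecurity::services::auditd_configure_rules: 'enabled'
cisecurity::services::auditd_configure_boot_auditing: 'enabled'

# sshd: restrict who may log in; ciphers and MACs keep the documented defaults.
cisecurity::services::configure_sshd: 'enabled'
cisecurity::services::sshd_permit_root_login: 'no'
cisecurity::services::sshd_allowed_groups:
  - 'ssh-users'          # assumed group name (group names only, no GIDs)
cisecurity::services::sshd_denied_users:
  - 'guest'              # assumed account name
cisecurity::services::sshd_max_auth_tries: '3'          # String type per the reference
cisecurity::services::sshd_login_grace_time: '30'
cisecurity::services::sshd_client_alive_interval: '300'
cisecurity::services::sshd_client_alive_count_max: '0'
cisecurity::services::sshd_log_level: 'VERBOSE'

# rsyslog: ship messages to two collectors (hostnames assumed), same hash shape
# as the documented default for rsyslog_remote_servers.
cisecurity::services::configure_rsyslog: 'enabled'
cisecurity::services::rsyslog_remote_servers:
  - { 'host': 'log1.example.internal', 'port': 514 }
  - { 'host': 'log2.example.internal', 'port': 514 }

# time: switch from ntpd to chrony and point at internal servers (assumed).
cisecurity::services::configure_time: 'enabled'
cisecurity::services::time_service_provider: 'chrony'
cisecurity::services::time_service_servers:
  - 'ntp1.example.internal'
  - 'ntp2.example.internal'

# Every other service keeps the benchmark default ('disabled'); only the printing
# subsystem is explicitly turned on for this (assumed) print-server role.
cisecurity::services::cups: 'enabled'
```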
Limitations
This module has been tested on RHEL 6 and 7 and it "should" work on CentOS 6 and 7 but no testing has been performed.
Development
Bugs
Please use GitHub to file an issue if you run into problems with the module.
Pull Request
If you can patch the bugs you find or want to add features and functionality, please create a pull request.
Release 0.7.2
Summary
Fixes network module not honoring ipv4_forwarding enabled.
Release 0.7.1
Summary
Contains minor bug fixes. Advice on module dependencies from Release 0.6.1 still applies.
Bug Fixes
- Fixed creating /boot/grub/grub.conf on an EFI system when none should exist.
- Added service notification from changes made to sshd_config.
- Fixed a lint issue that was causing Travis build to fail.
Release 0.7.0
Summary
Contains bug fixes and updates for new release of the CISecurity benchmarks. New and modified variables exist in Hiera so you may need to adjust your settings.
Module Dependencies
herculesteam/augeasproviders_grub
still has not been updated on the Forge from the PR they merged back in October. I recommend you continue using my GitHub site (https://github.com/cohdjn/augeasproviders_grub) in your Puppetfile or install the module from there depending on your environment. A future release will point back to the Forge once the fix has been merged and uploaded.
Enhancements
- The awk script that has been used for external facts has been replaced with a Ruby version provided by jorhett. The manifest has been modified to delete the YAML file that was produced by the awk script so you will have to run the agent twice for the updated facts to be relevant.
- Added Travis CI to provide build verification.
- Updated compatibility to work with Puppet 5 (#4).
Hiera Changes for Red Hat 7
- nfs-server has been renamed to nfs_server due to a syntax error thrown during Puppet compilation.
- x11_org has been renamed to xorg_x11 due to a change in the benchmark.
- New variable libselinux added to support Control 1.6.2.
- New variable configure_rsyslog_host added to support Control 4.2.1.5.
- New variables configure_shell_timeout and shell_timeout added to support Control 5.4.5.
Hiera Changes for Red Hat 6
- x11_org has been renamed to xorg_x11 due to a change in the benchmark.
- New variable libselinux added to support Control 1.6.2.
- New variables configure_shell_timeout and shell_timeout added to support Control 5.4.5.
Bug Fixes
- Fixed problem when trying to add multiple users to AllowUsers in sshd (#3).
- Fixed problem when using chrony and disabling ntp (#5).
- Fixed wrong permissions applied to system files when harden_system_file_perms is enabled.
- Fixed wrong default value for bootloader_password on Red Hat 6.
Release 0.6.5
Summary
Contains more bug fixes. Advice on module dependencies from Release 0.6.1 still applies.
Bug Fixes
- Fixed custom facts to not try to run subscription-manager on a CentOS system.
- Fixed logic problem trying to enable services that do not exist on the system.
- Added logic to check for undef custom facts that do not exist on first run.
- Fixed bug where duplicate resources are created when remediating a file that has multiple ownership, group ownership, or world writable issues.
Release 0.6.1
Summary
Contains more bug fixes. Pay close attention to the module dependencies as they have changed!
Module Dependencies
- The puppetlabs/stdlib module has been updated to v4.23.0. If you followed the advice from Release 0.4.0 to use GitHub for stdlib rather than the Forge, please change your Puppetfile back to the Forge.
- herculesteam/augeasproviders_grub still has not been updated on the Forge from the PR they merged back in October. I recommend you continue using my GitHub site (https://github.com/cohdjn/augeasproviders_grub) in your Puppetfile or install the module from there depending on your environment. A future release will point back to the Forge once the fix has been merged and uploaded.
Bug Fixes
- Fixed services not adding CRLF at EOF in cron.allow and at.allow.
Release 0.6.0
Summary
Contains more bug fixes and enhancements. Advice on module dependencies from Release 0.4.0 still applies.
Bug Fixes
- Moved removal of at.deny and cron.deny to services module rather than filesystem module.
- Removed switch statement from facts.d/cisecurity to support older versions of awk/gawk.
- Added ignored as a valid keyword for service states to avoid duplicate resource statements during catalog compilation. You should use this parameter if you have another class or module that defines the state of a service rather than this one.
Enhancements
- Added support for RHEL 6. This also adds puppet/firewall to the list of dependencies for this module to work.
Release 0.5.0
Summary
Contains a few bug fixes and enhancements. Advice on module dependencies from Release 0.4.0 still applies.
Bug Fixes
- Fixed bad mount options for /tmp.
- Added EFI detection as an external fact which is used to override whether the vfat filesystem is enabled or disabled. EFI requires a vfat partition to exist and system will not boot without vfat support.
- Fixed bad variable substitution for root path.
- Modified external facts to purposely remove double-colons and dots from root path to help deal with root path remediation.
- Removed kemra102/bash as a dependency for cisecurity and flipped that functionality to use file_line resources instead.
Enhancements
- Added auditd_admin_space_left, auditd_num_logs, and auditd_space_left parameters to the services module to provide a few additional nice-to-have knobs that can be turned as necessary.
Release 0.4.1
Summary
Minor bug fix. Advice on module dependencies from Release 0.4.0 still applies.
Bug Fixes
- Modified gpgcheck regex to properly account for spaces that may (or may not) already exist in the files in /etc/yum.repos.d/.
Release 0.4.0
Summary
Multiple fixes in this release. Pay close attention to the module dependencies!
Module Dependencies
- The crayfishx/firewalld module has been updated to v3.4.0.
- I created a fork of herculesteam-augeasproviders_grub that corrects a problem with EFI-based nodes. I recommend you change your Puppetfile to use my GitHub site (https://github.com/cohdjn/augeasproviders_grub) or install the module from there depending on your environment. A future release will point back to the Forge once the fix has been merged and uploaded.
- Puppet Labs has an updated version of puppetlabs/stdlib that corrects a problem with pattern matching in file_line resources. I recommend you change your Puppetfile to use their GitHub site (https://github.com/puppetlabs/puppetlabs-stdlib) or install the module from there depending on your environment. A future release will point back to the Forge once the fix has been merged and uploaded.
Bug Fixes
- Added evaluation of osrelease to submodules. Parameter declaration outside of Hiera breaks miserably when using EPP templates.
- Fixed problem with file_line resources constantly appending umask to the end of the file.
Enhancements
- Moved log file remediation from an exec resource to a cron resource to prevent Puppet from always reporting intentional changes on every run. Two new parameters, log_file_perms_cron_start_hour and log_file_perms_cron_start_minute, have been added so you can schedule it for your environment.
Release 0.3.3
Summary
Fixed bad argument in services.
Release 0.3.2
Summary
Fixed bad Hiera parameter for home_directories_perm.
Release 0.3.1
Summary
Minor modifications to metadata.json to better Puppet Forge score.
Release 0.3.0
Summary
Finished manual auditing and testing of the module. No rspec tests have been done mostly because it's insanely confusing and I don't have the time to work through the process. If you happen to be good at running these tests, drop me a line because I'd love to work with you through the process.
Release 0.2.0
Summary
All critical errors from puppet runs have been corrected. Troubleshooting the PAM module still needs to happen because the config isn't laid down properly. No manual audit validation has been done yet either, so there's no guarantee that everything will produce the correct desired state.
Release 0.1.0
Summary
First iteration of the cisecurity module.
Dependencies
- puppetlabs/stdlib (>= 4.23.0 < 5.0.0)
- puppetlabs/concat (>= 4.1.0 < 5.0.0)
- crayfishx/firewalld (>= 3.4.0 < 4.0.0)
- herculesteam/augeasproviders_core (>= 2.1.3 < 3.0.0)
- herculesteam/augeasproviders_grub (>= 3.0.0 < 4.0.0)
- herculesteam/augeasproviders_pam (>= 2.1.0 < 3.0.0)
- herculesteam/augeasproviders_ssh (>= 2.5.3 < 3.0.0)
- herculesteam/augeasproviders_sysctl (>= 2.2.0 < 3.0.0)
- puppet/selinux (>= 1.3.0 < 2.0.0)
- aco/yum_autoupdate (>= 0.6.4 < 1.0.0)
- puppetlabs/ntp (>= 6.2.0 < 7.0.0)
- aboe/chrony (>= 0.1.1 < 1.0.0)
- camptocamp/postfix (>= 1.6.0 < 2.0.0)
- camptocamp/augeas (>= 1.6.0 < 2.0.0)
- kemra102/auditd (>= 2.2.0 < 3.0.0)
- saz/rsyslog (>= 5.0.0 < 6.0.0)
- stahnma/epel (>= 1.2.2 < 2.0.0)
- justin8/systemd (>= 0.4.0 < 1.0.0)
- warrenpnz/aide (>= 0.4.0 < 1.0.0)
- puppetlabs/firewall (>= 1.9.0 < 2.0.0)
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. 
For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.