Forge Home


Manage Linux Security Baseline according to CIS and STIG benchmarks


218 latest version

5.0 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.3.0 (latest)
  • 0.2.0
  • 0.1.0
released Apr 17th 2023
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
  • Puppet >= 5.0.0 < 8.0.0
  • ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'enterprisemodules-linux_secured', '0.3.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add enterprisemodules-linux_secured
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install enterprisemodules-linux_secured --version 0.3.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



enterprisemodules/linux_secured — version 0.3.0 Apr 17th 2023

Enterprise Modules

Table of Contents


The linux_secured Puppet module is a powerful security solution that helps you ensure your Linux systems are compliant with the CIS benchmarks. linux_secured implements all the necessary security controls outlined in the CIS benchmark for Linux. This means that you can rest assured that your systems are adhering to the highest security standards. This module will help you:

  • Sleep better at night knowing your systems are more secure.
  • Feel confident that you're doing everything possible to protect your systems.
  • Save time on Linux system security management.
  • Face the auditor with much confidence
  • Automate the application of security best practices.
  • Easily upgrade to new versions and stay up to date with the latest security recommendations.

Whether you are an individual, a small business owner, or a large enterprise, linux_secured is the perfect solution to keep your Linux systems safe and secure. linux_secured can be used as a standalone solution with Puppet, or it can integrate seamlessly with the InControl console. This gives you the flexibility to use the product in the way that best suits your needs.

We understand that every organization has unique security requirements, and that's why we've made it easy for you to customize linux_secured to your specific needs. The module is highly configurable, allowing you to tailor it to your organization's security policies and procedures.

In addition to enforcing security configuration (what Puppet normaly does), linux_secured includes a set of classes that are designed for validating the configuration of your systems, without changing them. This powerful tool provides you with detailed information on where your systems are not adhering to the CIS benchmark. This information is critical in helping you identify and remediate any compliance issues.

We understand the importance of having a security solution that supports all major Linux versions. That is why linux_secured is designed to be compatible with all major Linux distributions, including Red Hat, OracleLinux, Ubuntu, CentOS, Debian, and SUSE. The current version of linux_secured supports Red Hat and OracleLinux. Support for other Linux distributions is planned for Q2 2023.

At this point in time it supports the following CIS benchmarks:

With linux_secured, you can rest easy knowing that your Linux systems are compliant with the highest security standards.


This is a commercially licensed module. But you can use the module on VirtualBox based development systems for FREE. When used on real systems a license is required.

You can license our modules in multiple ways. Our basic licensing model requires a subscription per node. But contact us for details.

Check the License for details.


This Puppet module contains all the Puppet code to enforce Linux CIS compliance on your systems. We have further built upon The CIS compliance baseline for Linux to provide you with a means of verifying if your systems comply with these controls. Our team has implemented mechanisms that allow you to conduct checks on your systems using our module, called linux_secured. These checks include a comprehensive set of security measures to ensure that your systems are compliant with the Linux CIS benchmark.

If the check detects non-compliance on any or all of your systems, our module includes Puppet code to address this and ensure that all of your systems comply with the Linux CIS benchmark. This feature enables you to maintain a high level of security and meet regulatory requirements with minimal effort.

Moreover, the reports generated from these checks can be obtained through the InControl Console Application. These reports provide detailed information on the checks performed and the status of compliance for each system.

We believe that our module and the InControl Console Application will enable you to maintain a secure and compliant environment for your systems.

Check the documentation here

Why use this module?

While there are other modules available on the Puppet Forge that ensure CIS compliance, we believe that this module has some unique advantages that make it worth considering. Some of these advantages include:

  • Professional support: We offer professional support for this module, ensuring that you receive optimal and efficient compliance. Our team of experts will help you every step of the way to make sure that you are fully compliant with CIS standards.
  • Control-by-control granularity: Unlike some of the other CIS modules on the Forge, our linux_secured module allows you to manage and enable individual CIS compliance controls with control-by-control granularity. This gives you the option to opt-in or opt-out of specific controls as needed, making it easier to customize your compliance needs.
  • Easy integration into existing Puppet code: Many of the other CIS modules clash with existing Puppet code, leading to duplicate resource errors. Our linux_secured module is designed to function as a security overlay on your existing Puppet code, making it much easier to integrate into large Puppet codebases. With linux_secured, you can ensure that your Puppet code is fully compliant with CIS standards without having to worry about conflicts or errors.
  • Faster: We utilize fact caching for the facts in this module, resulting in faster performance. Some of the other CIS modules available on the forge may require significant time to determine certain security facts. With linux_secured, you have the ability to customize the fact caching to meet your specific requirements.
  • Integration with InControl Console: This module integrates seamlessly with the InControl Console, allowing you to manage not only Linux compliance but all compliance, including Windows, Oracle, DB2 databases, and more, from a single point. This means that you can easily monitor and manage all of your compliance needs from one central location.

Benefits of InControl integration

What are the benefits of integrating with InControl? By providing a centralized location, the InControl console helps users manage and track compliance and vulnerability issues with ease. InControl receives reports from linux_secured and other security modules, offering an integrated view and management system for compliance and vulnerabilities not only for Linux, but also for Windows, Oracle databases, Microsoft SQLServer, Postgres, IBM DB2 databases, and cloud environments.


Overall, InControl is an essential tool for organizations seeking to maintain regulatory compliance and ensure the security and reliability of their systems and infrastructure. Its advanced algorithms, user-friendly design, and customizable alerts and notifications make it a perfect solution for organizations of all sizes and industries.



The linux_secured module requires:

  • Puppet module enterprisemodules-easy_type installed.
  • Puppet version 4.0 or higher. Can be Puppet Enterprise or Puppet Open Source
  • A valid Enterprise Modules license for usage.
  • Runs on most Linux systems.

Installing the linux_secured module

To install these modules, you can use a Puppetfile

mod 'enterprisemodules/linux_secured'               ,'x.x.x'

Then use the librarian-puppet or r10K to install the software.

You can also install the software using the puppet module command:

puppet module install enterprisemodules-linux_secured


The scope of securing your Linux database is enormous. The number of security controls in the CIS benchmark is huge. This might make you think that it is not easy to get started, but actually, it is very simple.

Enabling CIS for your system

To enable the CIS benchmark on your system, you just have to add this line to your puppet code:

linux_secured::apply_cis { 'host':
  product_version  => 'redhat_el8',
  doc_version => 'V2.0.0'

This will activate the CIS benchmark V2.0.0 for RedHat Enterprise Linux on your systems. The linux_secured puppet module takes care of checking all of the security settings in the benchmark and ensuring they are set in a secure way.

Skipping some controls

The scope of the CIS benchmark for Linux is pretty extensive. So extensive that enabling all controls, probably ensures that your application doesn't work anymore. So you need to customize the controls you want to enable.

There are four ways the linux_secured module allows you to skip controls.

  1. Add a list of controls to skip when calling the linux_secured defined type.
  2. Add linux_secured::controls::name_of_the_control: skip to your hiera data. This will skip the control on ALL databases.
  3. Add an entry with the content name_of_the_control to the array value linux_secured::skip_list in your hiera data.

Method 1 is a good way to create your own baseline based on the standard linux_secured code.

Method 2 is a perfect way to use when you need to override the applicability of control on an individual database or set of database. Just put this data in the hiera for this node or group of databases.

Method 3 is the perfect way to setup a base level. A level you want to be skipped on all of your databases.

You can combine all of these methods to fit your use case.


Here you can find some more information regarding this puppet module:


This module runs on most Linux versions. It requires a puppet version 5 or higher. The module does NOT run on windows systems.