secure_linux_cis

pdk

This module hardens Linux servers to CIS security compliance

Project URL RSS Feed Report issues

Module Stats

28,700 downloads

642 latest version

4.7 quality score

Version information

released Nov 22nd 2022

This version is compatible with:

Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x
Puppet >= 5.0.0 < 7.0.0
AlmaLinux
,
Amazon
,
CentOS
,
Debian
,
OracleLinux
,
RedHat
,
SLES
,
Ubuntu

Plans:

secure_linux_cis

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'fervid-secure_linux_cis', '4.0.0'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add fervid-secure_linux_cis

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install fervid-secure_linux_cis --version 4.0.0

Documentation

fervid/secure_linux_cis — version 4.0.0 Nov 22nd 2022

secure_linux_cis

Description
Setup - The basics of getting started
Usage - Configuration options and additional functionality
Limitations - OS compatibility, etc.
Development - Guide for contributing to the module

Description

This Puppet module implements security controls defined in the Center for Internet Security (CIS) benchmarks for the following operating systems and benchmark versions:

Operating System	Benchmark Version
AlmaLinux 8	2.0.0
Amazon 2	2.0.0
CentOS 7	3.1.2
Debian 10	1.0.0
Debian 11	1.0.0
Oracle 7	3.1.1
RedHat 6	3.0.0
RedHat 7	3.1.1
RedHat 8	2.0.0
Rocky 8	1.0.0
SLES 15	1.1.1
Ubuntu 18.04	2.1.0
Ubuntu 20.04	1.1.0
Ubuntu 22.04	1.0.0

CIS Benchmarks can be found here.

Setup

What secure_linux_cis affects

This module touches the:

Kernel settings
Bootloader configuration
Update settings
Firewall
TCP wrappers
File and directory permissions

These are good things. They keep you safe.

But, please run tests before slamming it into productions.

Beginning with secure_linux_cis

To start with Secure Linux and harden your server to CIS standards, declare the secure_linux_cis: class.

NOTE: you will want to open up at least one firewall port. See Opening firewall ports.

Three parameters are required:

time_sync Specify choice of 'ntp' or 'chrony'
time_servers Specify your enterprise's time server(s)
profile_type It will be workstation or server
allow_users At least one user needs to ssh in. NOT root

class {'::secure_linux_cis':
   time_servers  => ['tick.usno.navy.mil', 'tock.usno.navy.mil'],
   profile_type  => 'server',
   allow_users   => 'trusteduser',
}

Usage

Opening firewall ports

This module opens up port 22. Everythings else is shut down by default.

If using iptables (Everything but RedHat family version 8) you will need to add firewall rules.

For example we want to open up for 8080 for tomcat:

  firewall { '010 tomcat http port':
    chain  => 'INPUT',
    dport  => 8080,
    state  => 'NEW',
    action => 'accept',
    proto  => 'tcp',
    tag    => 'cis_firewall_rule',
  }

Notice the tag parameter. Include this on all firewall rules.

It ensures firewall rules are implemented in the proper order.

TCP wrappers

This module is very generous with tcp controls. It relies on firewall rules for enforecment.

You should tighten them down.

TODO: TCP wrapper example

Disabling rules with Hiera (Not applicable to 3.0.0 descriptive based 'rules' .pp files)

As of enforcement for the Redhat 7 OS, there are 223 CIS rules that are either enforced or documented. Each rule relates to a class which can be turned on or off according to the needs of the system. By default, all vulnerabilities are turned ON to ensure maximum security out-of-box. This is how you would disable enforcement of a particular recommendation using Hiera:

# hieradata/common.yaml
secure_linux_cis::rules::ensure_mounting_of_squashfs_filesystems_is_disabled::enforced: false

Enabling rules with Hiera (Not applicable to 3.0.0 descriptive based 'rules' .pp files)

Some recommendations are not enforced by default. For example, to enforce password-protected bootloader, a hash value for password must be present:

# hieradata/common.yaml
secure_linux_cis::rules::ensure_bootloader_password_is_set::enforced: true
secure_linux_cis::rules::ensure_bootloader_password_is_set::grub_username: root
secure_linux_cis::rules::ensure_bootloader_password_is_set::grub_pbkdf2_password_hash: grub.pbkdf2.sha512.10000.7D81626...ABC0123C616C3210CBA

NOTE: Don't use the example pbkdf2 string value. It needs to be a hash you've generated with the intended password.

See Limitations for a list of vulnerabilities that might not apply to certain system configurations

Any parameters that need to be explicitly defined can be done so in init.pp

Include usage examples for common use cases in the Usage section. Show your users how to use your module to solve problems, and be sure to include code examples. Include three to five examples of the most important or common tasks a user can accomplish with your module. Show users how to accomplish more complex tasks that involve different types, classes, and functions working in tandem.

No-Op Mode

It is possible to run the module in "No-Op Mode", which identifies detected Configuration Drifts without implementing any actual changes. This is useful for auditing the state of your system without making any changes.

puppet agent -t --noop

Limitations

RedHat family '8' OSes are not fully covered. Almost, but not quite.

Help getting this out the door would be appreciated. Also, we do not have acceptance testing completed for OracleLinux, Aliyun, or Amazon Linux.

Same deal. Any help appreciated.

Development

Please ensure PDK validation and unit tests pass.

Ideally make sure litmus tests pass too, but we understand this will be out of scope for some.

Reference

Classes

Public Classes

secure_linux_cis: CIS Hardening Module
secure_linux_cis::refresh_mount_options: A short summary of the purpose of this class
secure_linux_cis::rules::ensure_code_dump_backtraces_are_disabled: Ensure authentication required for single user mode (Scored)
secure_linux_cis::rules::ensure_code_dump_storage_is_disabled: Ensure authentication required for single user mode (Scored)
secure_linux_cis::rules::ensure_default_group_for_the_root_account_is_gid_0: Ensure default group for the root account is GID 0 (Scored)
secure_linux_cis::rules::ensure_events_that_modify_the_system_s_mandatory_access_controls_are_collected: Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
secure_linux_cis::rules::ensure_events_that_modify_the_system_s_network_environment_are_collected: Ensure events that modify the system's network environment are collected (Scored)
secure_linux_cis::rules::ensure_gpg_keys_are_configured: Ensure GPG keys are configured (Not Scored)
secure_linux_cis::rules::ensure_inactive_password_lock_is_30_days_or_less: Ensure inactive password lock is 30 days or less (Scored)
secure_linux_cis::rules::ensure_ip6tables_default_deny_firewall_policy: Ensure iptables is installed (Scored)
secure_linux_cis::rules::ensure_ip6tables_is_enabled_and_active: Ensure iptables is installed (Scored)
secure_linux_cis::rules::ensure_iptables_is_not_enabled: Ensure iptables is not enabled
secure_linux_cis::rules::ensure_ipv6_firewall_rules_exist_for_all_open_ports: Ensure firewall rules exist for all open ports (Scored)
secure_linux_cis::rules::ensure_ipv6_is_disabled: Ensure IPv6 is disabled (Not Scored)
secure_linux_cis::rules::ensure_ipv6_outbound_and_established_connections_are_configured: Ensure outbound and established connections are configured (Not Scored)
secure_linux_cis::rules::ensure_ipv6_redirects_are_not_accepted: Ensure IPv6 redirects are not accepted (Not Scored)
secure_linux_cis::rules::ensure_ipv6_router_advertisements_are_not_accepted: Ensure IPv6 router advertisements are not accepted (Not Scored)
secure_linux_cis::rules::ensure_logrotate_is_configured: Ensure logrotate is configured (Not Scored)
secure_linux_cis::rules::ensure_minimum_days_between_password_changes_is_7_or_more: Ensure minimum days between password changes is 7 or more (Scored)
secure_linux_cis::rules::ensure_mounting_of_fat_filesystems_is_disabled: Ensure mounting of FAT filesystems is disabled (Scored)
secure_linux_cis::rules::ensure_mounting_of_jffs2_filesystems_is_disabled: Ensure mounting of jffs2 filesystems is disabled (Scored)
secure_linux_cis::rules::ensure_mounting_of_vfat_filesystems_is_limited: Ensure mounting of FAT filesystems is disabled (Scored)
secure_linux_cis::rules::ensure_nfs_and_rpc_are_not_enabled: Ensure NFS and RPC are not enabled (Scored)
secure_linux_cis::rules::ensure_nftables_is_not_installed_with_firewalld: Ensure nftables base chains exist
secure_linux_cis::rules::ensure_outbound_and_established_connections_are_configured: Ensure outbound and established connections are configured (Not Scored)
secure_linux_cis::rules::ensure_package_manager_repositories_are_configured: Ensure package manager repositories are configured (Not Scored)
secure_linux_cis::rules::ensure_password_expiration_is_365_days_or_less: Ensure password expiration is 365 days or less (Scored)
secure_linux_cis::rules::ensure_password_expiration_warning_days_is_7_or_more: Ensure password expiration warning days is 7 or more (Scored)
secure_linux_cis::rules::ensure_permissions_on_etc_cron_tab_are_configured: Ensure permissions on /etc/cron.d are configured (Scored)
secure_linux_cis::rules::ensure_permissions_on_etc_group_dash_are_configured: Ensure permissions on /etc/group- are configured (Scored)
secure_linux_cis::rules::ensure_permissions_on_etc_gshadow__are_configured: Ensure permissions on /etc/gshadow- are configured (Scored)
secure_linux_cis::rules::ensure_ssh_loglevel_is_set_to_info: Ensure SSH LogLevel is set to INFO (Scored)

Private Classes

secure_linux_cis::reboot: A short summary of the purpose of this class
secure_linux_cis::rules::disable_automounting: Disable Automounting
secure_linux_cis::rules::disable_the_rhnsd_daemon: Disable the rhnsd Daemon
secure_linux_cis::rules::disable_usb_storage: Disable USB Storage
secure_linux_cis::rules::ensure_a_nftables_table_exists: Ensure a nftables table exists
secure_linux_cis::rules::ensure_a_single_time_synchronization_daemon_is_in_use: Ensure a single time synchronization daemon is in use
secure_linux_cis::rules::ensure_a_table_exists: Ensure a table exists
secure_linux_cis::rules::ensure_a_web_server_is_not_installed: Ensure a web server is not installed
secure_linux_cis::rules::ensure_access_to_the_su_command_is_restricted: Ensure access to the su command is restricted
secure_linux_cis::rules::ensure_accounts_in_etc_passwd_use_shadowed_passwords: Ensure accounts in /etc/passwd use shadowed passwords
secure_linux_cis::rules::ensure_actions_as_another_user_are_always_logged: Ensure actions as another user are always logged
secure_linux_cis::rules::ensure_address_space_layout_randomization_aslr_is_enabled: Ensure address space layout randomization (ASLR) is   enabled
secure_linux_cis::rules::ensure_aide_is_installed: Ensure AIDE is installed
secure_linux_cis::rules::ensure_all_apparmor_profiles_are_enforcing: Ensure all AppArmor Profiles are enforcing
secure_linux_cis::rules::ensure_all_apparmor_profiles_are_in_enforce_or_complain_mode: Ensure all AppArmor Profiles are in enforce or complain mode
secure_linux_cis::rules::ensure_all_groups_in_etc_passwd_exist_in_etc_group: Ensure all groups in /etc/passwd exist in /etc/group
secure_linux_cis::rules::ensure_all_logfiles_have_appropriate_permissions_and_ownership: Ensure all logfiles have appropriate permissions and ownership
secure_linux_cis::rules::ensure_all_users_home_directories_exist: Ensure all users' home directories exist
secure_linux_cis::rules::ensure_all_users_last_password_change_date_is_in_the_past: Ensure all users last password change date is in the past
secure_linux_cis::rules::ensure_apparmor_is_enabled_in_the_bootloader_configuration: Ensure AppArmor is enabled in the bootloader configuration
secure_linux_cis::rules::ensure_apparmor_is_installed: Ensure AppArmor is installed
secure_linux_cis::rules::ensure_at_is_restricted_to_authorized_users: Ensure at is restricted to authorized users
secure_linux_cis::rules::ensure_audit_backlog_limit_is_sufficient: Ensure audit_backlog_limit is sufficient
secure_linux_cis::rules::ensure_audit_configuration_files_are_owned_by_root: Ensure audit configuration files are owned by root
secure_linux_cis::rules::ensure_audit_configuration_files_belong_to_group_root: Ensure audit configuration files belong to group root
secure_linux_cis::rules::ensure_audit_log_storage_size_is_configured: Ensure audit log storage size is configured
secure_linux_cis::rules::ensure_audit_logs_are_not_automatically_deleted: Ensure audit logs are not automatically deleted
secure_linux_cis::rules::ensure_audit_tools_are_owned_by_root: Ensure audit tools are owned by root
secure_linux_cis::rules::ensure_audit_tools_belong_to_group_root: Ensure audit tools belong to group root
secure_linux_cis::rules::ensure_auditd_is_installed: Ensure auditd is installed
secure_linux_cis::rules::ensure_auditd_service_is_enabled: Ensure auditd service is enabled
secure_linux_cis::rules::ensure_auditd_service_is_enabled_and_active: Ensure auditd service is enabled and active
secure_linux_cis::rules::ensure_auditd_service_is_enabled_and_running: Ensure auditd service is enabled and running
secure_linux_cis::rules::ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled: Ensure auditing for processes that start prior to auditd is enabled
secure_linux_cis::rules::ensure_augenrules_is_enabled: Ensure augenrules is enabled
secure_linux_cis::rules::ensure_authentication_is_required_when_booting_into_rescue_mode: Ensure authentication is required when booting into rescue mode
secure_linux_cis::rules::ensure_authentication_required_for_single_user_mode: Ensure authentication required for single user mode
secure_linux_cis::rules::ensure_authselect_includes_with_faillock: Ensure authselect includes with-faillock
secure_linux_cis::rules::ensure_automatic_error_reporting_is_not_enabled: Ensure Automatic Error Reporting is not enabled
secure_linux_cis::rules::ensure_automatic_mounting_of_removable_media_is_disabled: Ensure automatic mounting of removable media is disabled
secure_linux_cis::rules::ensure_avahi_server_is_not_installed: Ensure Avahi Server is not installed
secure_linux_cis::rules::ensure_base_chains_exist: Ensure base chains exist
secure_linux_cis::rules::ensure_bogus_icmp_responses_are_ignored: Ensure bogus ICMP responses are ignored
secure_linux_cis::rules::ensure_bootloader_password_is_set: Ensure bootloader password is set
secure_linux_cis::rules::ensure_broadcast_icmp_requests_are_ignored: Ensure broadcast ICMP requests are ignored
secure_linux_cis::rules::ensure_changes_to_system_administration_scope_sudoers_is_collected: Ensure changes to system administration scope (sudoers) is collected
secure_linux_cis::rules::ensure_chargen_services_are_not_enabled: Ensure chargen services are not enabled
secure_linux_cis::rules::ensure_chrony_is_configured: Ensure chrony is configured
secure_linux_cis::rules::ensure_chrony_is_enabled_and_running: Ensure chrony is enabled and running
secure_linux_cis::rules::ensure_chrony_is_running_as_user_chrony: Ensure chrony is running as user _chrony
secure_linux_cis::rules::ensure_core_dump_backtraces_are_disabled: Ensure core dump backtraces are disabled
secure_linux_cis::rules::ensure_core_dump_storage_is_disabled: Ensure core dump storage is disabled
secure_linux_cis::rules::ensure_core_dumps_are_restricted: Ensure core dumps are restricted
secure_linux_cis::rules::ensure_cron_daemon_is_enabled: Ensure cron daemon is enabled
secure_linux_cis::rules::ensure_cron_daemon_is_enabled_and_running: Ensure cron daemon is enabled and running
secure_linux_cis::rules::ensure_cron_is_restricted_to_authorized_users: Ensure cron is restricted to authorized users
secure_linux_cis::rules::ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools: Ensure cryptographic mechanisms are used to protect   the integrity of audit tools
secure_linux_cis::rules::ensure_cups_is_not_installed: Ensure CUPS is not installed
secure_linux_cis::rules::ensure_daytime_services_are_not_enabled: Ensure daytime services are not enabled
secure_linux_cis::rules::ensure_dccp_is_disabled: Ensure DCCP is disabled
secure_linux_cis::rules::ensure_default_deny_firewall_policy: Ensure default deny firewall policy
secure_linux_cis::rules::ensure_default_user_shell_timeout_is_configured: Ensure default user shell timeout is configured
secure_linux_cis::rules::ensure_default_user_umask_is_configured: Ensure default user umask is configured
secure_linux_cis::rules::ensure_default_zone_is_set: Ensure default zone is set
secure_linux_cis::rules::ensure_dev_shm_is_configured: Ensure /dev/shm is configured
secure_linux_cis::rules::ensure_dhcp_server_is_not_installed: Ensure DHCP Server is not installed
secure_linux_cis::rules::ensure_disable_user_list_is_enabled: Ensure disable-user-list is enabled
secure_linux_cis::rules::ensure_discard_services_are_not_enabled: Ensure discard services are not enabled
secure_linux_cis::rules::ensure_discretionary_access_control_permission_modification_events_are_collected: Ensure discretionary access control permission modification events are collected
secure_linux_cis::rules::ensure_dns_server_is_not_installed: Ensure DNS Server is not installed
secure_linux_cis::rules::ensure_echo_services_are_not_enabled: Ensure echo services are not enabled
secure_linux_cis::rules::ensure_etc_hosts_allow_is_configured: Ensure /etc/hosts.allow is configured
secure_linux_cis::rules::ensure_etc_hosts_deny_is_configured: Ensure /etc/hosts.deny is configured
secure_linux_cis::rules::ensure_etc_shadow_password_fields_are_not_empty: Ensure /etc/shadow password fields are not empty  
secure_linux_cis::rules::ensure_events_that_modify_date_and_time_information_are_collected: Ensure events that modify date and time information are collected
secure_linux_cis::rules::ensure_events_that_modify_the_sudo_log_file_are_collected: Ensure events that modify the sudo log file are collected
secure_linux_cis::rules::ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected: Ensure events that modify the system's Mandatory Access Controls are collected
secure_linux_cis::rules::ensure_events_that_modify_the_systems_network_environment_are_collected: Ensure events that modify the system's network   environment are collected
secure_linux_cis::rules::ensure_events_that_modify_user_group_information_are_collected: Ensure events that modify user/group information are collected
secure_linux_cis::rules::ensure_file_deletion_events_by_users_are_collected: Ensure file deletion events by users are collected
secure_linux_cis::rules::ensure_filesystem_integrity_is_regularly_checked: Ensure filesystem integrity is regularly checked
secure_linux_cis::rules::ensure_firewall_rules_exist_for_all_open_ports: Ensure firewall rules exist for all open ports
secure_linux_cis::rules::ensure_firewalld_is_either_not_installed_or_masked_with_iptables: Ensure firewalld is either not installed or masked with iptables
secure_linux_cis::rules::ensure_firewalld_is_installed: Ensure firewalld is installed
secure_linux_cis::rules::ensure_firewalld_is_not_installed_or_stopped_and_masked: Ensure firewalld is not installed or stopped and masked
secure_linux_cis::rules::ensure_firewalld_service_enabled_and_running: Ensure firewalld service enabled and running
secure_linux_cis::rules::ensure_firewalld_service_is_enabled_and_running: Ensure firewalld service is enabled and running
secure_linux_cis::rules::ensure_ftp_client_is_not_installed: Ensure FTP client is not installed
secure_linux_cis::rules::ensure_ftp_server_is_not_installed: Ensure FTP Server is not installed
secure_linux_cis::rules::ensure_gdm_automatic_mounting_of_removable_media_is_disabled: Ensure GDM automatic mounting of removable media is disabled
secure_linux_cis::rules::ensure_gdm_autorun_never_is_enabled: Ensure GDM autorun-never is enabled
secure_linux_cis::rules::ensure_gdm_autorun_never_is_not_overridden: Ensure GDM autorun-never is not overridden
secure_linux_cis::rules::ensure_gdm_disable_user_list_option_is_enabled: Ensure GDM disable-user-list option is enabled
secure_linux_cis::rules::ensure_gdm_disabling_automatic_mounting_of_removable_media_is_not_overridden: Ensure GDM disabling automatic mounting of removable media is not overridden
secure_linux_cis::rules::ensure_gdm_is_removed_or_login_is_configured: Ensure GDM is removed or login is configured
secure_linux_cis::rules::ensure_gdm_login_banner_is_configured: Ensure GDM login banner is configured
secure_linux_cis::rules::ensure_gdm_screen_locks_cannot_be_overridden: Ensure GDM screen locks cannot be overridden
secure_linux_cis::rules::ensure_gdm_screen_locks_when_the_user_is_idle: Ensure GDM screen locks when the user is idle
secure_linux_cis::rules::ensure_gnome_display_manager_is_removed: Ensure GNOME Display Manager is removed
secure_linux_cis::rules::ensure_gpgcheck_is_globally_activated: Ensure gpgcheck is globally activated
secure_linux_cis::rules::ensure_grpquota_option_set_on_home_partition: Ensure grpquota option set on /home partition
secure_linux_cis::rules::ensure_home_partition_includes_the_nodev_option: Ensure /home partition includes the nodev option
secure_linux_cis::rules::ensure_http_proxy_server_is_not_installed: Ensure HTTP Proxy Server is not installed
secure_linux_cis::rules::ensure_http_server_is_not_installed: Ensure HTTP server is not installed
secure_linux_cis::rules::ensure_icmp_redirects_are_not_accepted: Ensure ICMP redirects are not accepted
secure_linux_cis::rules::ensure_imap_and_pop3_server_are_not_installed: 1 Ensure IMAP and POP3 server is not enabled (Scored)
secure_linux_cis::rules::ensure_imap_and_pop3_server_is_not_installed: 1 Ensure IMAP and POP3 server is not enabled (Scored)
secure_linux_cis::rules::ensure_interactive_boot_is_not_enabled: Ensure interactive boot is not enabled
secure_linux_cis::rules::ensure_ip_forwarding_is_disabled: Ensure IP forwarding is disabled
secure_linux_cis::rules::ensure_iptables_default_deny_firewall_policy: Ensure iptables default deny firewall policy
secure_linux_cis::rules::ensure_iptables_firewall_rules_exist_for_all_open_ports: Ensure iptables firewall rules exist for all open ports  
secure_linux_cis::rules::ensure_iptables_is_enabled_and_active: Ensure iptables is enabled and active
secure_linux_cis::rules::ensure_iptables_is_enabled_and_running: Ensure iptables is enabled and running
secure_linux_cis::rules::ensure_iptables_is_installed: Ensure iptables is installed
secure_linux_cis::rules::ensure_iptables_loopback_traffic_is_configured: Ensure iptables loopback traffic is configured
secure_linux_cis::rules::ensure_iptables_package_is_installed: Ensure iptables package is installed
secure_linux_cis::rules::ensure_iptables_packages_are_installed: Ensure iptables packages are installed
secure_linux_cis::rules::ensure_iptables_persistent_is_not_installed_with_ufw: Ensure iptables-persistent is not installed with ufw
secure_linux_cis::rules::ensure_iptables_rules_are_saved: Ensure iptables rules are saved
secure_linux_cis::rules::ensure_iptables_rules_exist_for_all_open_ports: Ensure iptables rules exist for all open ports
secure_linux_cis::rules::ensure_iptables_services_not_installed_with_firewalld: Ensure iptables-services not installed with firewalld  
secure_linux_cis::rules::ensure_ipv6_loopback_traffic_is_configured: Ensure IPv6 loopback traffic is configured (Scored)
secure_linux_cis::rules::ensure_journald_is_configured_to_compress_large_log_files: Ensure journald is configured to compress large log files
secure_linux_cis::rules::ensure_journald_is_configured_to_send_logs_to_rsyslog: Ensure journald is configured to send logs to rsyslog
secure_linux_cis::rules::ensure_journald_is_configured_to_write_logfiles_to_persistent_disk: Ensure journald is configured to write logfiles to persistent disk
secure_linux_cis::rules::ensure_journald_is_not_configured_to_receive_logs_from_a_remote_client: Ensure journald is not configured to receive logs from a remote client
secure_linux_cis::rules::ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client: Ensure journald is not configured to recieve logs from a remote client
secure_linux_cis::rules::ensure_journald_service_is_enabled: Ensure journald service is enabled
secure_linux_cis::rules::ensure_kernel_module_loading_and_unloading_is_collected: Ensure kernel module loading and unloading is collected
secure_linux_cis::rules::ensure_kernel_module_loading_unloading_and_modification_is_collected: Ensure kernel module loading unloading and   modification is collected
secure_linux_cis::rules::ensure_last_logged_in_user_display_is_disabled: Ensure last logged in user display is disabled
secure_linux_cis::rules::ensure_ldap_client_is_not_installed: Ensure LDAP client is not installed
secure_linux_cis::rules::ensure_ldap_server_is_not_installed: Ensure LDAP server is not installed
secure_linux_cis::rules::ensure_local_interactive_user_dot_files_are_not_group_or_world_writable: Ensure local interactive user dot files are not group or  world writable
secure_linux_cis::rules::ensure_local_interactive_user_home_directories_exist: Ensure local interactive user home directories exist
secure_linux_cis::rules::ensure_local_interactive_users_own_their_home_directories: Ensure local interactive users own their home directories
secure_linux_cis::rules::ensure_local_login_warning_banner_is_configured_properly: Ensure local login warning banner is configured properly
secure_linux_cis::rules::ensure_lockout_for_failed_password_attempts_is_configured: Ensure lockout for failed password attempts is   configured
secure_linux_cis::rules::ensure_login_and_logout_events_are_collected: Ensure login and logout events are collected
secure_linux_cis::rules::ensure_logrotate_assigns_appropriate_permissions: Ensure logrotate assigns appropriate permissions
secure_linux_cis::rules::ensure_loopback_traffic_is_configured: Ensure loopback traffic is configured
secure_linux_cis::rules::ensure_mail_transfer_agent_is_configured_for_local_only_mode: Ensure mail transfer agent is configured for local-only mode
secure_linux_cis::rules::ensure_message_of_the_day_is_configured_properly: Ensure message of the day is configured properly
secure_linux_cis::rules::ensure_minimum_days_between_password_changes_is_configured: Ensure minimum days between password changes is configured
secure_linux_cis::rules::ensure_mounting_of_cramfs_filesystems_is_disabled: Ensure mounting of cramfs filesystems is disabled
secure_linux_cis::rules::ensure_mounting_of_fat_filesystems_is_limited: Ensure mounting of FAT filesystems is limited
secure_linux_cis::rules::ensure_mounting_of_freevxfs_filesystems_is_disabled: Ensure mounting of freevxfs filesystems is disabled
secure_linux_cis::rules::ensure_mounting_of_hfs_filesystems_is_disabled: Ensure mounting of hfs filesystems is disabled
secure_linux_cis::rules::ensure_mounting_of_hfsplus_filesystems_is_disabled: Ensure mounting of hfsplus filesystems is disabled
secure_linux_cis::rules::ensure_mounting_of_squashfs_filesystems_is_disabled: Ensure mounting of squashfs filesystems is disabled
secure_linux_cis::rules::ensure_mounting_of_udf_filesystems_is_disabled: Ensure mounting of udf filesystems is disabled
secure_linux_cis::rules::ensure_net_snmp_is_not_installed: Ensure net-snmp is not installed
secure_linux_cis::rules::ensure_nfs_is_not_installed: Ensure NFS is not installed
secure_linux_cis::rules::ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_disabled: Ensure nfs-utils is not installed or the nfs-server service is disabled
secure_linux_cis::rules::ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked: Ensure nfs-utils is not installed or the nfs-server service is masked
secure_linux_cis::rules::ensure_nftables_base_chains_exist: Ensure nftables base chains exist
secure_linux_cis::rules::ensure_nftables_default_deny_firewall_policy: Ensure nftables default deny firewall policy
secure_linux_cis::rules::ensure_nftables_is_installed: Ensure nftables is installed
secure_linux_cis::rules::ensure_nftables_is_not_installed: Ensure nftables is not installed
secure_linux_cis::rules::ensure_nftables_is_not_installed_or_stopped_and_masked: Ensure nftables is not installed or stopped and masked
secure_linux_cis::rules::ensure_nftables_is_not_installed_with_iptables: Ensure nftables is not installed with iptables
secure_linux_cis::rules::ensure_nftables_loopback_traffic_is_configured: Ensure nftables loopback traffic is configured
secure_linux_cis::rules::ensure_nftables_rules_are_permanent: Ensure nftables rules are permanent
secure_linux_cis::rules::ensure_nftables_service_is_enabled: Ensure nftables service is enabled
secure_linux_cis::rules::ensure_nis_client_is_not_installed: Ensure NIS Client is not installed
secure_linux_cis::rules::ensure_nis_server_is_not_enabled: 6 Ensure NIS Server is not enabled (Scored)
secure_linux_cis::rules::ensure_nis_server_is_not_installed: Ensure NIS Server is not installed
secure_linux_cis::rules::ensure_no_duplicate_gids_exist: Ensure no duplicate GIDs exist
secure_linux_cis::rules::ensure_no_duplicate_group_names_exist: Ensure no duplicate group names exist
secure_linux_cis::rules::ensure_no_duplicate_uids_exist: Ensure no duplicate UIDs exist
secure_linux_cis::rules::ensure_no_duplicate_user_names_exist: Ensure no duplicate user names exist
secure_linux_cis::rules::ensure_no_legacy_entries_exist_in_etc_group: Ensure no legacy "+" entries exist in /etc/group
secure_linux_cis::rules::ensure_no_legacy_entries_exist_in_etc_passwd: Ensure no legacy "+" entries exist in /etc/passwd
secure_linux_cis::rules::ensure_no_legacy_entries_exist_in_etc_shadow: Ensure no legacy "+" entries exist in /etc/shadow
secure_linux_cis::rules::ensure_no_local_interactive_user_has_forward_files: Ensure no local interactive user has .forward files
secure_linux_cis::rules::ensure_no_local_interactive_user_has_netrc_files: Ensure no local interactive user has .netrc files
secure_linux_cis::rules::ensure_no_local_interactive_user_has_rhosts_files: Ensure no local interactive user has .rhosts files
secure_linux_cis::rules::ensure_no_unconfined_daemons_exist: Ensure no unconfined daemons exist
secure_linux_cis::rules::ensure_no_unconfined_services_exist: Ensure no unconfined services exist
secure_linux_cis::rules::ensure_no_ungrouped_files_or_directories_exist: Ensure no ungrouped files or directories exist
secure_linux_cis::rules::ensure_no_unowned_files_or_directories_exist: Ensure no unowned files or directories exist
secure_linux_cis::rules::ensure_no_users_have_forward_files: Ensure no users have .forward files
secure_linux_cis::rules::ensure_no_users_have_netrc_files: Ensure no users have .netrc files
secure_linux_cis::rules::ensure_no_users_have_rhosts_files: Ensure no users have .rhosts files
secure_linux_cis::rules::ensure_no_world_writable_files_exist: Ensure no world writable files exist
secure_linux_cis::rules::ensure_nodev_option_set_on_dev_shm_partition: Ensure nodev option set on /dev/shm partition
secure_linux_cis::rules::ensure_nodev_option_set_on_home_partition: Ensure nodev option set on /home partition
secure_linux_cis::rules::ensure_nodev_option_set_on_removable_media_partitions: Ensure nodev option set on removable media partitions
secure_linux_cis::rules::ensure_nodev_option_set_on_tmp_partition: Ensure nodev option set on /tmp partition
secure_linux_cis::rules::ensure_nodev_option_set_on_var_log_audit_partition: Ensure nodev option set on /var/log/audit partition
secure_linux_cis::rules::ensure_nodev_option_set_on_var_log_partition: Ensure nodev option set on /var/log partition
secure_linux_cis::rules::ensure_nodev_option_set_on_var_partition: Ensure nodev option set on /var partition
secure_linux_cis::rules::ensure_nodev_option_set_on_var_tmp_partition: Ensure nodev option set on /var/tmp partition
secure_linux_cis::rules::ensure_noexec_option_set_on_dev_shm_partition: Ensure noexec option set on /dev/shm partition
secure_linux_cis::rules::ensure_noexec_option_set_on_home_partition: 7 Ensure noexec option set on /home partition (Scored)
secure_linux_cis::rules::ensure_noexec_option_set_on_removable_media_partitions: 0 Ensure noexec option set on removable media partitions (Not Scored)
secure_linux_cis::rules::ensure_noexec_option_set_on_tmp_partition: Ensure noexec option set on /tmp partition
secure_linux_cis::rules::ensure_noexec_option_set_on_var_log_audit_partition: Ensure noexec option set on /var/log/audit partition
secure_linux_cis::rules::ensure_noexec_option_set_on_var_log_partition: Ensure noexec option set on /var/log partition
secure_linux_cis::rules::ensure_noexec_option_set_on_var_partition: Ensure noexec option set on /var partition
secure_linux_cis::rules::ensure_noexec_option_set_on_var_tmp_partition: Ensure noexec option set on /var/tmp partition  
secure_linux_cis::rules::ensure_nosuid_option_set_on_dev_shm_partition: Ensure nosuid option set on /dev/shm partition
secure_linux_cis::rules::ensure_nosuid_option_set_on_home_partition: Ensure nosuid option set on /home partition
secure_linux_cis::rules::ensure_nosuid_option_set_on_removable_media_partitions: Ensure nosuid option set on removable media partitions
secure_linux_cis::rules::ensure_nosuid_option_set_on_tmp_partition: Ensure nosuid option set on /tmp partition
secure_linux_cis::rules::ensure_nosuid_option_set_on_var_log_audit_partition: Ensure nosuid option set on /var/log/audit partition
secure_linux_cis::rules::ensure_nosuid_option_set_on_var_log_partition: Ensure nosuid option set on /var/log partition
secure_linux_cis::rules::ensure_nosuid_option_set_on_var_partition: Ensure nosuid option set on /var partition
secure_linux_cis::rules::ensure_nosuid_option_set_on_var_tmp_partition: Ensure nosuid option set on /var/tmp partition
secure_linux_cis::rules::ensure_ntp_access_control_is_configured: Ensure ntp access control is configured
secure_linux_cis::rules::ensure_ntp_is_configured: Ensure ntp is configured
secure_linux_cis::rules::ensure_ntp_is_enabled_and_running: Ensure ntp is enabled and running
secure_linux_cis::rules::ensure_ntp_is_running_as_user_ntp: Ensure ntp is running as user ntp
secure_linux_cis::rules::ensure_only_authorized_groups_are_assigned_ownership_of_audit_log_files: Ensure only authorized groups are assigned ownership of audit log files
secure_linux_cis::rules::ensure_only_authorized_users_own_audit_log_files: Ensure only authorized users own audit log files
secure_linux_cis::rules::ensure_only_strong_ciphers_are_used: Ensure only strong Ciphers are used
secure_linux_cis::rules::ensure_only_strong_key_exchange_algorithms_are_used: Ensure only strong Key Exchange algorithms are used
secure_linux_cis::rules::ensure_only_strong_mac_algorithms_are_used: Ensure only strong MAC algorithms are used
secure_linux_cis::rules::ensure_packet_redirect_sending_is_disabled: Ensure packet redirect sending is disabled
secure_linux_cis::rules::ensure_password_creation_requirements_are_configured: Ensure password creation requirements are configured
secure_linux_cis::rules::ensure_password_fields_are_not_empty: Ensure password fields are not empty
secure_linux_cis::rules::ensure_password_hashing_algorithm_is_up_to_date_with_the_latest_standards: Ensure password hashing algorithm is up to date with the latest standards
secure_linux_cis::rules::ensure_password_reuse_is_limited: Ensure password reuse is limited
secure_linux_cis::rules::ensure_permissions_on_all_logfiles_are_configured: Ensure permissions on all logfiles are configured
secure_linux_cis::rules::ensure_permissions_on_bootloader_config_are_configured: Ensure permissions on bootloader config are configured
secure_linux_cis::rules::ensure_permissions_on_bootloader_config_are_not_overridden: Ensure permissions on bootloader config are not overridden
secure_linux_cis::rules::ensure_permissions_on_etc_cron_d_are_configured: Ensure permissions on /etc/cron.d are configured
secure_linux_cis::rules::ensure_permissions_on_etc_cron_daily_are_configured: Ensure permissions on /etc/cron.daily are configured
secure_linux_cis::rules::ensure_permissions_on_etc_cron_hourly_are_configured: Ensure permissions on /etc/cron.hourly are configured
secure_linux_cis::rules::ensure_permissions_on_etc_cron_monthly_are_configured: Ensure permissions on /etc/cron.monthly are configured
secure_linux_cis::rules::ensure_permissions_on_etc_cron_weekly_are_configured: Ensure permissions on /etc/cron.weekly are configured
secure_linux_cis::rules::ensure_permissions_on_etc_crontab_are_configured: Ensure permissions on /etc/crontab are configured
secure_linux_cis::rules::ensure_permissions_on_etc_group_are_configured: Ensure permissions on /etc/group are configured
secure_linux_cis::rules::ensure_permissions_on_etc_gshadow_are_configured: Ensure permissions on /etc/gshadow are configured
secure_linux_cis::rules::ensure_permissions_on_etc_gshadow_dash_are_configured: Ensure permissions on /etc/gshadow- are configured
secure_linux_cis::rules::ensure_permissions_on_etc_hosts_allow_are_configured: Ensure permissions on /etc/hosts.allow are configured
secure_linux_cis::rules::ensure_permissions_on_etc_hosts_deny_are_configured: Ensure permissions on /etc/hosts.deny are configured
secure_linux_cis::rules::ensure_permissions_on_etc_issue_are_configured: Ensure permissions on /etc/issue are configured
secure_linux_cis::rules::ensure_permissions_on_etc_issue_net_are_configured: Ensure permissions on /etc/issue.net are configured  
secure_linux_cis::rules::ensure_permissions_on_etc_motd_are_configured: Ensure permissions on /etc/motd are configured
secure_linux_cis::rules::ensure_permissions_on_etc_passwd_are_configured: Ensure permissions on /etc/passwd are configured
secure_linux_cis::rules::ensure_permissions_on_etc_passwd_dash_are_configured: Ensure permissions on /etc/group- are configured
secure_linux_cis::rules::ensure_permissions_on_etc_shadow_are_configured: Ensure permissions on /etc/shadow are configured
secure_linux_cis::rules::ensure_permissions_on_etc_shadow_dash_are_configured: Ensure permissions on /etc/shadow- are configured
secure_linux_cis::rules::ensure_permissions_on_etc_ssh_sshd_config_are_configured: Ensure permissions on /etc/ssh/sshd_config are configured
secure_linux_cis::rules::ensure_permissions_on_ssh_private_host_key_files_are_configured: Ensure permissions on SSH private host key files are configured
secure_linux_cis::rules::ensure_permissions_on_ssh_public_host_key_files_are_configured: Ensure permissions on SSH public host key files are configured
secure_linux_cis::rules::ensure_prelink_is_disabled: Ensure prelink is disabled
secure_linux_cis::rules::ensure_prelink_is_not_installed: Ensure prelink is not installed
secure_linux_cis::rules::ensure_rds_is_disabled: Ensure RDS is disabled
secure_linux_cis::rules::ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally: Ensure re-authentication for privilege escalation is not disabled globally
secure_linux_cis::rules::ensure_remote_login_warning_banner_is_configured_properly: Ensure remote login warning banner is configured properly
secure_linux_cis::rules::ensure_removable_media_partitions_include_noexec_option: Ensure removable media partitions include noexec option
secure_linux_cis::rules::ensure_reverse_path_filtering_is_enabled: Ensure Reverse Path Filtering is enabled
secure_linux_cis::rules::ensure_root_path_integrity: Ensure root PATH Integrity
secure_linux_cis::rules::ensure_rpc_is_not_installed: Ensure RPC is not installed
secure_linux_cis::rules::ensure_rpcbind_is_not_installed_or_the_rpcbind_service_is_disabled: Ensure rpcbind is not installed or the rpcbind service is disabled
secure_linux_cis::rules::ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked: Ensure rpcbind is not installed or the rpcbind services are masked
secure_linux_cis::rules::ensure_rsh_client_is_not_installed: Ensure rsh client is not installed
secure_linux_cis::rules::ensure_rsh_server_is_not_enabled: Ensure rsh server is not enabled
secure_linux_cis::rules::ensure_rsync_daemon_is_not_installed_or_the_rsyncd_service_is_masked: Ensure rsync-daemon is not installed or the rsyncd service is masked
secure_linux_cis::rules::ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked: Ensure rsync is not installed or the rsyncd service is masked
secure_linux_cis::rules::ensure_rsync_service_is_either_not_installed_or_masked: Ensure rsync service is either not installed or masked
secure_linux_cis::rules::ensure_rsync_service_is_not_enabled: Ensure rsync service is not enabled
secure_linux_cis::rules::ensure_rsync_service_is_not_installed: Ensure rsync service is not installed
secure_linux_cis::rules::ensure_rsyslog_default_file_permissions_are_configured: Ensure rsyslog default file permissions are configured  
secure_linux_cis::rules::ensure_rsyslog_default_file_permissions_configured: Ensure rsyslog default file permissions configured
secure_linux_cis::rules::ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host: Ensure rsyslog is configured to send logs to a remote log   host
secure_linux_cis::rules::ensure_rsyslog_is_installed: Ensure rsyslog is installed
secure_linux_cis::rules::ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client: Ensure rsyslog is not configured to receive logs from a remote client
secure_linux_cis::rules::ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client: Ensure rsyslog is not configured to recieve logs from a remote client
secure_linux_cis::rules::ensure_rsyslog_service_is_enabled: Ensure rsyslog service is enabled
secure_linux_cis::rules::ensure_rsyslog_service_is_enabled_and_running: Ensure rsyslog Service is enabled and running
secure_linux_cis::rules::ensure_samba_is_not_installed: Ensure Samba is not installed
secure_linux_cis::rules::ensure_sctp_is_disabled: Ensure SCTP is disabled
secure_linux_cis::rules::ensure_secure_icmp_redirects_are_not_accepted: Ensure secure ICMP redirects are not accepted
secure_linux_cis::rules::ensure_selinux_is_installed: Ensure SELinux is installed
secure_linux_cis::rules::ensure_selinux_is_not_disabled_in_bootloader_configuration: Ensure SELinux is not disabled in bootloader configuration
secure_linux_cis::rules::ensure_selinux_policy_is_configured: Ensure SELinux policy is configured
secure_linux_cis::rules::ensure_separate_partition_exists_for_home: Ensure separate partition exists for /home
secure_linux_cis::rules::ensure_separate_partition_exists_for_var: Ensure separate partition exists for /var
secure_linux_cis::rules::ensure_separate_partition_exists_for_var_log: Ensure separate partition exists for /var/log
secure_linux_cis::rules::ensure_separate_partition_exists_for_var_log_audit: Ensure separate partition exists for /var/log/audit
secure_linux_cis::rules::ensure_separate_partition_exists_for_var_tmp: Ensure separate partition exists for /var/tmp
secure_linux_cis::rules::ensure_session_initiation_information_is_collected: Ensure session initiation information is collected
secure_linux_cis::rules::ensure_setroubleshoot_is_not_installed: Ensure SETroubleshoot is not installed
secure_linux_cis::rules::ensure_shadow_group_is_empty: Ensure shadow group is empty
secure_linux_cis::rules::ensure_snmp_server_is_not_installed: Ensure SNMP Server is not installed
secure_linux_cis::rules::ensure_source_routed_packets_are_not_accepted: Ensure source routed packets are not accepted
secure_linux_cis::rules::ensure_ssh_access_is_limited: Ensure SSH access is limited
secure_linux_cis::rules::ensure_ssh_allowtcpforwarding_is_disabled: Ensure SSH AllowTcpForwarding is disabled
secure_linux_cis::rules::ensure_ssh_hostbasedauthentication_is_disabled: Ensure SSH HostbasedAuthentication is disabled
secure_linux_cis::rules::ensure_ssh_idle_timeout_interval_is_configured: Ensure SSH Idle Timeout Interval is configured
secure_linux_cis::rules::ensure_ssh_ignorerhosts_is_enabled: Ensure SSH IgnoreRhosts is enabled
secure_linux_cis::rules::ensure_ssh_logingracetime_is_set_to_one_minute_or_less: Ensure SSH LoginGraceTime is set to one minute or less
secure_linux_cis::rules::ensure_ssh_loglevel_is_appropriate: Ensure SSH LogLevel is appropriate
secure_linux_cis::rules::ensure_ssh_maxsessions_is_limited: Ensure SSH MaxSessions is limited
secure_linux_cis::rules::ensure_ssh_maxstartups_is_configured: Ensure SSH MaxStartups is configured
secure_linux_cis::rules::ensure_ssh_pam_is_enabled: Ensure SSH PAM is enabled
secure_linux_cis::rules::ensure_ssh_permitemptypasswords_is_disabled: Ensure SSH PermitEmptyPasswords is disabled
secure_linux_cis::rules::ensure_ssh_permituserenvironment_is_disabled: Ensure SSH PermitUserEnvironment is disabled
secure_linux_cis::rules::ensure_ssh_root_login_is_disabled: Ensure SSH root login is disabled
secure_linux_cis::rules::ensure_ssh_warning_banner_is_configured: Ensure SSH warning banner is configured
secure_linux_cis::rules::ensure_sticky_bit_is_set_on_all_world_writable_directories: Ensure sticky bit is set on all world-writable directories
secure_linux_cis::rules::ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded: Ensure successful and unsuccessful attempts to use the chacl command are recorded
secure_linux_cis::rules::ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded: Ensure successful and unsuccessful attempts to use the chcon command are recorded
secure_linux_cis::rules::ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded: Ensure successful and unsuccessful attempts to use the setfacl command are recorded
secure_linux_cis::rules::ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded: Ensure successful and unsuccessful attempts to use the usermod command are recorded
secure_linux_cis::rules::ensure_successful_file_system_mounts_are_collected: Ensure successful file system mounts are collected
secure_linux_cis::rules::ensure_sudo_authentication_timeout_is_configured_correctly: Ensure sudo authentication timeout is configured correctly
secure_linux_cis::rules::ensure_sudo_commands_use_pty: Ensure sudo commands use pty
secure_linux_cis::rules::ensure_sudo_is_installed: Ensure sudo is installed
secure_linux_cis::rules::ensure_sudo_log_file_exists: Ensure sudo log file exists
secure_linux_cis::rules::ensure_suspicious_packets_are_logged: Ensure suspicious packets are logged
secure_linux_cis::rules::ensure_system_accounts_are_secured: Ensure system accounts are secured
secure_linux_cis::rules::ensure_system_administrator_actions_sudolog_are_collected: Ensure system administrator actions (sudolog) are collected
secure_linux_cis::rules::ensure_system_administrator_command_executions_sudo_are_collected: Ensure system administrator command executions (sudo) are collected
secure_linux_cis::rules::ensure_system_is_disabled_when_audit_logs_are_full: Ensure system is disabled when audit logs are full
secure_linux_cis::rules::ensure_system_wide_crypto_policy_is_not_legacy: Ensure system-wide crypto policy is not legacy
secure_linux_cis::rules::ensure_system_wide_crypto_policy_is_not_over_ridden: Ensure system-wide crypto policy is not over-ridden
secure_linux_cis::rules::ensure_systemd_journal_remote_is_installed: Ensure systemd-journal-remote is installed
secure_linux_cis::rules::ensure_systemd_timesyncd_is_configured: Ensure systemd-timesyncd is configured
secure_linux_cis::rules::ensure_systemd_timesyncd_is_enabled_and_running: Ensure systemd-timesyncd is enabled and running
secure_linux_cis::rules::ensure_talk_client_is_not_installed: Ensure talk client is not installed
secure_linux_cis::rules::ensure_talk_server_is_not_enabled: Ensure talk server is not enabled
secure_linux_cis::rules::ensure_tcp_syn_cookies_is_enabled: Ensure TCP SYN Cookies is enabled
secure_linux_cis::rules::ensure_tcp_wrappers_is_installed: Ensure TCP Wrappers is installed (deprecated)
secure_linux_cis::rules::ensure_telnet_client_is_not_installed: Ensure telnet client is not installed
secure_linux_cis::rules::ensure_telnet_server_is_not_installed: Ensure telnet-server is not installed
secure_linux_cis::rules::ensure_tftp_client_is_not_installed: Ensure TFTP client is not installed
secure_linux_cis::rules::ensure_tftp_server_is_not_enabled: Ensure tftp server is not enabled
secure_linux_cis::rules::ensure_tftp_server_is_not_installed: Ensure TFTP Server is not installed
secure_linux_cis::rules::ensure_the_audit_configuration_is_immutable: Ensure the audit configuration is immutable
secure_linux_cis::rules::ensure_the_mcs_translation_service_mcstrans_is_not_installed: Ensure the MCS Translation Service (mcstrans) is not installed
secure_linux_cis::rules::ensure_the_selinux_mode_is_enforcing: Ensure the SELinux mode is enforcing
secure_linux_cis::rules::ensure_the_selinux_mode_is_enforcing_or_permissive: Ensure the SELinux mode is enforcing or permissive
secure_linux_cis::rules::ensure_the_selinux_mode_is_not_disabled: Ensure the SELinux mode is not disabled
secure_linux_cis::rules::ensure_time_services_are_not_enabled: Ensure time services are not enabled
secure_linux_cis::rules::ensure_time_synchronization_is_in_use: Ensure time synchronization is in use
secure_linux_cis::rules::ensure_tipc_is_disabled: Ensure TIPC is disabled
secure_linux_cis::rules::ensure_tmp_is_a_separate_partition: Ensure /tmp is a separate partition
secure_linux_cis::rules::ensure_tmp_is_configured: Ensure /tmp is configured
secure_linux_cis::rules::ensure_ufw_default_deny_firewall_policy: Ensure ufw default deny firewall policy
secure_linux_cis::rules::ensure_ufw_firewall_rules_exist_for_all_open_ports: Ensure ufw firewall rules exist for all open ports
secure_linux_cis::rules::ensure_ufw_is_installed: Ensure ufw is installed
secure_linux_cis::rules::ensure_ufw_is_uninstalled_or_disabled_with_iptables: Ensure ufw is uninstalled or disabled with iptables
secure_linux_cis::rules::ensure_ufw_is_uninstalled_or_disabled_with_nftables: Ensure ufw is uninstalled or disabled with nftables
secure_linux_cis::rules::ensure_ufw_loopback_traffic_is_configured: Ensure ufw loopback traffic is configured
secure_linux_cis::rules::ensure_ufw_service_is_enabled: Ensure ufw service is enabled
secure_linux_cis::rules::ensure_unsuccessful_file_access_attempts_are_collected: Ensure unsuccessful file access attempts are collected
secure_linux_cis::rules::ensure_unsuccessful_unauthorized_file_access_attempts_are_collected: Ensure unsuccessful unauthorized file access attempts are collected
secure_linux_cis::rules::ensure_updates_patches_and_additional_security_software_are_installed: Ensure updates, patches, and additional security software are installed
secure_linux_cis::rules::ensure_use_of_privileged_commands_are_collected: Ensure use of privileged commands are collected
secure_linux_cis::rules::ensure_use_of_privileged_commands_is_collected: Ensure use of privileged commands is collected
secure_linux_cis::rules::ensure_users_dot_files_are_not_group_or_world_writable: Ensure users' dot files are not group or world writable
secure_linux_cis::rules::ensure_users_must_provide_password_for_escalation: Ensure users must provide password for escalation
secure_linux_cis::rules::ensure_users_must_provide_password_for_privilege_escalation: Ensure users must provide password for privilege escalation
secure_linux_cis::rules::ensure_users_netrc_files_are_not_group_or_world_accessible: Ensure users' .netrc Files are not group or world accessible
secure_linux_cis::rules::ensure_users_own_their_home_directories: Ensure users own their home directories
secure_linux_cis::rules::ensure_usrquota_option_set_on_home_partition: Ensure usrquota option set on /home partition
secure_linux_cis::rules::ensure_var_tmp_partition_includes_the_nodev_option: Ensure /var/tmp partition includes the nodev option
secure_linux_cis::rules::ensure_var_tmp_partition_includes_the_noexec_option: Ensure /var/tmp partition includes the noexec option
secure_linux_cis::rules::ensure_var_tmp_partition_includes_the_nosuid_option: Ensure /var/tmp partition includes the nosuid option
secure_linux_cis::rules::ensure_vsftp_server_is_not_installed: Ensure VSFTP Server is not installed
secure_linux_cis::rules::ensure_wireless_interfaces_are_disabled: Ensure wireless interfaces are disabled
secure_linux_cis::rules::ensure_x_window_system_is_not_installed: Ensure X Window System is not installed
secure_linux_cis::rules::ensure_xd_nx_support_is_enabled: Ensure XD/NX support is enabled
secure_linux_cis::rules::ensure_xdcmp_is_not_enabled: Ensure XDCMP is not enabled
secure_linux_cis::rules::ensure_xdmcp_is_not_enabled: Ensure XDMCP is not enabled
secure_linux_cis::rules::ensure_xinetd_is_not_enabled: Ensure xinetd is not enabled
secure_linux_cis::rules::ensure_xinetd_is_not_installed: Ensure xinetd is not installed
secure_linux_cis::sshd_service: Helper class for reloading various services when needed

Defined types

Public Defined types

Private Defined types

secure_linux_cis::mount_options: Check and fix a mount with a single option

Plans

secure_linux_cis

Classes

`secure_linux_cis`

CIS Hardening Module

Parameters

The following parameters are available in the secure_linux_cis class:

include_rules
exclude_rules
exclude_x_window_packages
grub_config_files
su_group
time_servers
host_allow_rules
host_deny_rules
logging_host
exclude_logs
is_logging_host
max_log_file
max_auth_tries
max_sessions
max_startups
time_sync
mta
mac
ipv6_enabled
approved_ciphers
approved_kex
approved_mac_algorithms
client_alive_interval
client_alive_count_max
login_grace_time
allow_users
update_command
allow_groups
deny_users
deny_groups
minlen
dcredit
ucredit
ocredit
lcredit
attempts
lockout_time
past_passwords
pass_max_days
pass_min_days
pass_warn_days
pass_inactive_days
cron_service
timeout
banner
motd
auto_restart
workstation_level_1
workstation_level_2
server_level_1
server_level_2
profile_type
enforcement_level
auditd_package
selinux_mode
default_firewalld_zone

`include_rules`

Data type: Array[String]

Which rules to include

`exclude_rules`

Data type: Array[String]

Which rules to exclude

`exclude_x_window_packages`

Data type: Array[String]

Which X window packages to exclude from removal

`grub_config_files`

Data type: Array[String]

Grub configuration

`su_group`

Data type: String

The default group for sudo rights

`time_servers`

Data type: Array[Stdlib::Host]

Array of valid NTP Time servers

`host_allow_rules`

Data type: Array[String]

Specifies which IP addresses are permitted to connect to the host

`host_deny_rules`

Data type: Array[String]

Specifies which IP addresses are not permitted to connect to the host

`logging_host`

Data type: String

Which host should logging be sent to

`exclude_logs`

Data type: Array[Stdlib::Unixpath]

What logs files to exclude from management

`is_logging_host`

Data type: Boolean

Is this host a logging host

`max_log_file`

Data type: Integer

Maximum log file

`max_auth_tries`

Data type: Integer[1,4]

How many authorization attempts to allow

`max_sessions`

Data type: Integer[1,10]

How many SSH sessions to allow

`max_startups`

Data type: String

How many SSH startups to allow

`time_sync`

Data type: Enum['ntp', 'chrony', 'systemd-timesuncd']

Which NTP program to use

`mta`

Data type: Enum['postfix', 'exim', 'none']

Which Mail Transfer program to use

`mac`

Data type: Enum['selinux', 'apparmor', 'none']

Which Mandatory Access Control to use

`ipv6_enabled`

Data type: Boolean

Should ipv6 be enabled

`approved_ciphers`

Data type: Array[String]

Which SSH Ciphers are approved for use

`approved_kex`

Data type: Array[String]

Which SSH Key Exchange algorithms are approved for use.

`approved_mac_algorithms`

Data type: Array[String]

Which SSH MAC algorigthms are approved for use

`client_alive_interval`

Data type: Integer

Client alive interval to use

`client_alive_count_max`

Data type: Integer[0,3]

Maximum specificed client alive count

`login_grace_time`

Data type: Integer

`allow_users`

Data type: Array[String]

Which users to allow

`update_command`

Data type: String

Command used to update OS packages

`allow_groups`

Data type: Array[String]

Which groups to allow

`deny_users`

Data type: Array[String]

Which users to deny

`deny_groups`

Data type: Array[String]

Which groups to deny

`minlen`

Data type: Integer

Minimum length

`dcredit`

Data type: Integer

D Credit

`ucredit`

Data type: Integer

U Credit

`ocredit`

Data type: Integer

O Credit

`lcredit`

Data type: Integer

L Credit

`attempts`

Data type: Integer

Number of attempts

`lockout_time`

Data type: Integer

Amount of time for lockout

`past_passwords`

Data type: Integer

Number of previous passwords

`pass_max_days`

Data type: Integer

Password maximum days

`pass_min_days`

Data type: Integer

Password minimum days

`pass_warn_days`

Data type: Integer

Password warning days

`pass_inactive_days`

Data type: Integer

Password inactive days

`cron_service`

Data type: Enum['cron', 'crond']

Should this system use cron or crond

`timeout`

Data type: Integer

Number of seconds of inactivity after which a shell terminates.

`banner`

Data type: String

String to be content of /etc/issue, /etc/issue.net (and /etc/motd if $motd not defined)

`motd`

Data type: String

String to be content of /etc/motd. If $banner is defined and $motd is not, $banner becomes content of /etc/motd

`auto_restart`

Data type: Boolean

If an automatic restart should occur when defined classes require a reboot to take effect

`workstation_level_1`

Data type: Array[String]

Workstation level 1 rules for this node

`workstation_level_2`

Data type: Array[String]

Workstation level 2 rules for this node

`server_level_1`

Data type: Array[String]

Server level 1 rules for this node

`server_level_2`

Data type: Array[String]

Server level 2 rules for this node

`profile_type`

Data type: Enum['workstation', 'server']

Is this node a server or workstation

`enforcement_level`

Data type: Integer[1, 2]

Enforce level 1 or level 2 rules

`auditd_package`

Data type: String

Auditd package

`selinux_mode`

Data type: Enum['enforcing', 'permissive']

SElinux mode enforcing or permissive. Defaults to enforcing.

`default_firewalld_zone`

Data type: Enum['drop', 'block', 'public', 'external', 'dmz', 'work', 'home', 'internal', 'trusted']

Firewalld zone to default o. Defaults to drop.

`secure_linux_cis::refresh_mount_options`

A description of what this class does

Examples

include secure_linux_cis::refresh_mount_options

`secure_linux_cis::rules::ensure_code_dump_backtraces_are_disabled`

Description: ingle user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.

`secure_linux_cis::rules::ensure_code_dump_storage_is_disabled`

Description: ingle user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.

`secure_linux_cis::rules::ensure_default_group_for_the_root_account_is_gid_0`

Description: The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user.

`secure_linux_cis::rules::ensure_events_that_modify_the_system_s_mandatory_access_controls_are_collected`

Description: Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or directory.

Rationale: Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.

`secure_linux_cis::rules::ensure_events_that_modify_the_system_s_network_environment_are_collected`

Description: Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses), /etc/sysconfig/network file and /etc/sysconfig/network-scripts/ directory (containing network interface scripts and configurations).

Rationale: Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network and /etc/sysconfig/network-scripts/ is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."

`secure_linux_cis::rules::ensure_gpg_keys_are_configured`

Description: The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation.

`secure_linux_cis::rules::ensure_inactive_password_lock_is_30_days_or_less`

Description: User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled.

Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.

`secure_linux_cis::rules::ensure_ip6tables_default_deny_firewall_policy`

Description: iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.

Rationale: iptables is required for firewall management and configuration.

`secure_linux_cis::rules::ensure_ip6tables_is_enabled_and_active`

Description: iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.

Rationale: iptables is required for firewall management and configuration.

`secure_linux_cis::rules::ensure_iptables_is_not_enabled`

Description: IPtables is an application that allows a system administrator to configure the IPv4 and IPv6 tables, chains and rules provided by the Linux kernel firewall. IPtables is installed as a dependency with firewalld.

Rationale: Running firewalld and IPtables concurrently may lead to conflict, therefore IPtables should be stopped and masked when using firewalld.

`secure_linux_cis::rules::ensure_ipv6_firewall_rules_exist_for_all_open_ports`

Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.

Rationale: Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.

`secure_linux_cis::rules::ensure_ipv6_is_disabled`

Description: Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6.

Rationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system.

`secure_linux_cis::rules::ensure_ipv6_outbound_and_established_connections_are_configured`

Description: Configure the firewall rules for new outbound, and established connections.

Rationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage.

`secure_linux_cis::rules::ensure_ipv6_redirects_are_not_accepted`

Description: This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic.

Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.

`secure_linux_cis::rules::ensure_ipv6_router_advertisements_are_not_accepted`

Description: This setting disables the system's ability to accept IPv6 router advertisements.

Rationale: It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.

`secure_linux_cis::rules::ensure_logrotate_is_configured`

Description: The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageable large. The file /etc/logrotate.d/syslog is the configuration file used to rotate log files created by syslog or rsyslog.

Rationale: By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files.

`secure_linux_cis::rules::ensure_minimum_days_between_password_changes_is_7_or_more`

Description: The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days.

Rationale: By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.

`secure_linux_cis::rules::ensure_mounting_of_fat_filesystems_is_disabled`

Description: The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.

Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

`secure_linux_cis::rules::ensure_mounting_of_jffs2_filesystems_is_disabled`

Description: The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices.

Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

`secure_linux_cis::rules::ensure_mounting_of_vfat_filesystems_is_limited`

Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

`secure_linux_cis::rules::ensure_nfs_and_rpc_are_not_enabled`

Description: The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.

Rationale: If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface.

`secure_linux_cis::rules::ensure_nftables_is_not_installed_with_firewalld`

Description: Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization.

Rationale: If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables.

`secure_linux_cis::rules::ensure_outbound_and_established_connections_are_configured`

Description: Configure the firewall rules for new outbound, and established connections.

Rationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage.

`secure_linux_cis::rules::ensure_package_manager_repositories_are_configured`

Description: Systems need to have package manager repositories configured to ensure they receive the latest patches and updates.

`secure_linux_cis::rules::ensure_password_expiration_is_365_days_or_less`

Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days.

Rationale: The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.

`secure_linux_cis::rules::ensure_password_expiration_warning_days_is_7_or_more`

Description: The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days.

Rationale: Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered.

`secure_linux_cis::rules::ensure_permissions_on_etc_cron_tab_are_configured`

Description: The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.

Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

`secure_linux_cis::rules::ensure_permissions_on_etc_group_dash_are_configured`

Description: The /etc/group- file contains a backup list of all the valid groups defined in the system.

`secure_linux_cis::rules::ensure_permissions_on_etc_gshadow__are_configured`

Description: The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.

Parameters

The following parameters are available in the secure_linux_cis::rules::ensure_permissions_on_etc_gshadow__are_configured class:

enforced

`enforced`

Data type: Boolean

Default value: true

`secure_linux_cis::rules::ensure_ssh_loglevel_is_set_to_info`

Description: The INFO parameter specifies that login and logout activity will be logged.

Rationale: SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

Defined types

Plans

`secure_linux_cis`

The secure_linux_cis class.

Parameters

The following parameters are available in the secure_linux_cis plan:

targets
time_servers
profile_type

`targets`

Data type: TargetSpec

`time_servers`

Data type: Array[Stdlib::Host]

Default value: ['time.google.com']

`profile_type`

Data type: Enum['workstation', 'server']

Default value: 'server'

What are plans?

Modules can contain plans that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.

Changelog

Release 4.0.0

Simplified main API
Added back include and exclude rules

Release 3.2.1

Slowly becoming usable again
Remove old classes
Remove unsupported OS versions
Simplify documentation
Add AlmaLinux

Release 3.2.0

Add missing checks
Remove some facts
Limit firewall to iptables
Remove unused hardening schedule

Release 3.1.0

Moved multiple code to execs instead of using facts.
Fixed home nodev selection fact
Formatting changes

Release 2.0.18

Ensure grub2 password is super user

Release 2.0.17

Strengthened ciphers. Thanks to Tom Parker @tparkercbn.

Release 2.0.14

Cleaned up and fixed the way /var/log directory is secured.

Release 2.0.13

Important fixes

Release 2.0.12

Fix for su command is restricted bug

Release 2.0.11

Add whitelist for non-nologin shells
Make TMOUT variable configurable
Support for Debian10
Add file test for tcp6 to pevent warning if tcp6 disabled

Release 2.0.10

New updated documentation
Apache license
Litmus acceptance testing

Release 2.0.5 Release Candidate

Added plan to harden OS's
Separated Centos 7 and RHEL 7 into server / workstation profiles

Release 2.0.0 Release Candidate

Major release adding Linux releases and refactoring
Module level hiera now used with (optional) exclude_rules subtracted from include_rules
Not all OS's supported as yet

Release 1.0.17

Fix issue with logic in cis_1_7_2
Correct syntax in rootpw fact
Fix logic in cis_1_2_1
Fix type for cis_6_2_6 in centos.pp

Release 1.0.16

Add file_line management of /etc/default/useradd INACTIVE entry in cis_5_4_1_4 to meet Nessus scan requirement
Expand puppetlabs/firewall version range to >= 1.15.0 < 3.0.0 as many other modules still have < 2.0.0 and this module will fail to install
Added support for CIS 4.1.12
Add newlines to the end of /etc/hosts.{allow,deny} in cis_3_4_2 and cis_3_4_3
cis_5_4_1_4 now also covers the default setting

Release 1.0.15

Activate use of cis_1_1_3, cis 1_1_4 and cis_1_1_5 to manage /tmp partition options in centos7.pp
Change management of /dev/shm to use mount resource in cis_1_1_15 as not listed in /etc/fstab and mount_options.pp fails
Move TMOUT setting from cis_5_4_4 to cis 5_4_5, add export and readonly lines to /etc/bashrc
Add oboe/chrony to dependencies in metadata to allow time_sync to work with chrony
Add puppetlabs/mount_core to metadata to maintain compliance with puppet 6
Raise minimum version requirements for dependencies in metadata
Raise Puppet version requirement to >= 5.0.0 < 7.0.0

Release 1.0.14

Thanks to Bart-Jan Vrielink for fixing our spec test.

Release 1.0.13

Added AIDE database renaming to cis_1_3_1 as 'aide --init' command creates a new temporary file requiring renaming
Change cis_1_6_11 to use kernel_parameter instead of file_line to set 'quiet' in grub.cfg, to avoid entire line being overwritten in /etc/default/grub.cfg
Add optional $motd parameter to be sole content of /etc/motd in cis_1_7_1_4. If not defined and $banner is defined, $banner becomes content of /etc/motd
Restore sysctl resources when disabling ipv6 in cis_3_3_1, cis_3_3_2 and cis_3_3_3, remove kernel_parameter from cis_3_3_3 as problematic when using sysctl to disable and check ipv6, add /etc/sysconfig/network entries
Update cis_3_3_3 and cis_3_6_2 to allow ip6_tables to drop undefined traffic
Fix typo in cis_5_3_1 of try_first_path instead of try_first_pass
Remove nullok and add shadow to /etc/pam.d system-auth and password-auth in cis_5_3_3
Remove all use of pkill, add rsyslog and rsyslog-ng classes to array of classes that trigger an opt-in reboot, as rsyslog can be (outside of this module) configured to halt system or boot into single mode if terminated
Fix various custom fact scripts issues with missing .sh, false positives when home dir absent, reduce script file and directory permissions to 0700
Update local_users custom fact to allow for users whose password needs to be changed
Move location of custom fact scripts directory from /tmp/cis_scripts to /usr/share/cis_scripts as fail to execute if /tmp mounted noexec as per recommendations!
Remove subscription_manager from dependencies as appears unused

Release 1.0.12

Fix cis_5_2_14 ssh DenyGroups typo
Refactor remaining bash scripts using Shellcheck and test functions
Replace sysctl resources with file_line in cis_3_3_1, cis_3_3_2 and cis_3_3_3 as sysctl fails to write to /proc/sys/net/ipv6 when kernel_parameter ipv6.disable=1 in effect and system has been rebooted. Kernel_parameter requires a reboot to have effect.
Add shared resources block to end of centos7.pp and redhat7.pp to invoke service/system reload or restart only when notified
Add parameter for auto_restart when defined classes make changes that require a reboot to take effect (defaults to false)
Add optional parameter for banner which becomes the sole content of /etc/issue, /etc/issue.net and /etc/motd

Release 1.0.11

Create resource collector override to disable ip6tables in class cis_3_3_3 when ipv6 disabled
Change default of ip6_enabled to false (ipv6 is now now opt-in)
Increase max_log_file default size from 8 to 32Mb to satisfy Nessus scan

Release 1.0.10

Fix multiple line issue with cis 5.2.10

Release 1.0.9

Multiple cleanup
Grub fixes
Started plan

Release 1.0.8

Refactoring by CanIHaveThisOne
Change audit.rules entries to /etc/audit/rules.d/audit.rules so persistent across reboots
Add '-e 2' to audit.rules to make immutable (activate class cis_4_1_18)
Refactor and expand local_users fact and classes cis_5_4_1_1 to cis_5_4_1_5
Reinstate confining facts to RedHat
Re-fix typo in auditd rule cis_4_1_4

Release 1.0.7

Added multiple enhancements by Dan Wittenberg
Move to PDK 12

Release 1.0.5

Confined facts to RedHat family

Release 1.0.1

Added selinux test and check by Patrick Picard (patpicos).

Made changes for Puppet 6.

Features

Bugfixes

Known Issues

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

secure_linux_cis

Version information

This version is compatible with:

Plans:

Start using this module

Documentation

secure_linux_cis

Table of Contents

Description

Setup

What secure_linux_cis affects

Beginning with secure_linux_cis

Usage

Opening firewall ports

TCP wrappers

Disabling rules with Hiera (Not applicable to 3.0.0 descriptive based 'rules' .pp files)

Enabling rules with Hiera (Not applicable to 3.0.0 descriptive based 'rules' .pp files)

No-Op Mode

Limitations

Development

Reference

Table of Contents

Classes

Public Classes

Private Classes

Defined types

Public Defined types

Private Defined types

Plans

Classes

secure_linux_cis

Parameters

include_rules

exclude_rules

exclude_x_window_packages

grub_config_files

su_group

time_servers

host_allow_rules

host_deny_rules

logging_host

exclude_logs

is_logging_host

max_log_file

max_auth_tries

max_sessions

max_startups

time_sync

mta

mac

ipv6_enabled

approved_ciphers

approved_kex

approved_mac_algorithms

client_alive_interval

client_alive_count_max

login_grace_time

allow_users

update_command

allow_groups

deny_users

deny_groups

minlen

dcredit

ucredit

ocredit

lcredit

attempts

lockout_time

past_passwords

pass_max_days

pass_min_days

pass_warn_days

pass_inactive_days

cron_service

timeout

banner

motd

auto_restart

workstation_level_1

`secure_linux_cis`

`include_rules`

`exclude_rules`

`exclude_x_window_packages`

`grub_config_files`

`su_group`

`time_servers`

`host_allow_rules`

`host_deny_rules`

`logging_host`

`exclude_logs`

`is_logging_host`

`max_log_file`

`max_auth_tries`

`max_sessions`

`max_startups`

`time_sync`

`mta`

`mac`

`ipv6_enabled`

`approved_ciphers`

`approved_kex`

`approved_mac_algorithms`

`client_alive_interval`

`client_alive_count_max`

`login_grace_time`

`allow_users`

`update_command`

`allow_groups`

`deny_users`

`deny_groups`

`minlen`

`dcredit`

`ucredit`

`ocredit`

`lcredit`

`attempts`

`lockout_time`

`past_passwords`

`pass_max_days`

`pass_min_days`

`pass_warn_days`

`pass_inactive_days`

`cron_service`

`timeout`

`banner`

`motd`

`auto_restart`

`workstation_level_1`

`workstation_level_2`

`server_level_1`

`server_level_2`

`profile_type`

`enforcement_level`

`auditd_package`

`selinux_mode`

`default_firewalld_zone`

`secure_linux_cis::refresh_mount_options`

`secure_linux_cis::rules::ensure_code_dump_backtraces_are_disabled`

`secure_linux_cis::rules::ensure_code_dump_storage_is_disabled`

`secure_linux_cis::rules::ensure_default_group_for_the_root_account_is_gid_0`

`secure_linux_cis::rules::ensure_events_that_modify_the_system_s_mandatory_access_controls_are_collected`

`secure_linux_cis::rules::ensure_events_that_modify_the_system_s_network_environment_are_collected`

`secure_linux_cis::rules::ensure_gpg_keys_are_configured`

`secure_linux_cis::rules::ensure_inactive_password_lock_is_30_days_or_less`

`secure_linux_cis::rules::ensure_ip6tables_default_deny_firewall_policy`

`secure_linux_cis::rules::ensure_ip6tables_is_enabled_and_active`

`secure_linux_cis::rules::ensure_iptables_is_not_enabled`

`secure_linux_cis::rules::ensure_ipv6_firewall_rules_exist_for_all_open_ports`

`secure_linux_cis::rules::ensure_ipv6_is_disabled`

`secure_linux_cis::rules::ensure_ipv6_outbound_and_established_connections_are_configured`

`secure_linux_cis::rules::ensure_ipv6_redirects_are_not_accepted`

`secure_linux_cis::rules::ensure_ipv6_router_advertisements_are_not_accepted`

`secure_linux_cis::rules::ensure_logrotate_is_configured`

`secure_linux_cis::rules::ensure_minimum_days_between_password_changes_is_7_or_more`

`secure_linux_cis::rules::ensure_mounting_of_fat_filesystems_is_disabled`

`secure_linux_cis::rules::ensure_mounting_of_jffs2_filesystems_is_disabled`

`secure_linux_cis::rules::ensure_mounting_of_vfat_filesystems_is_limited`

`secure_linux_cis::rules::ensure_nfs_and_rpc_are_not_enabled`

`secure_linux_cis::rules::ensure_nftables_is_not_installed_with_firewalld`