Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.23.0 < 8.0.0
- ,
This module has been deprecated by its author since May 8th 2024.
The author has suggested puppetlabs-sce_linux as its replacement.
Tasks:
- audit_authselect
- audit_duplicate_gid
- audit_duplicate_group_names
- audit_duplicate_uid
Documentation
cem_linux
Table of Contents
cem_linux
- Table of Contents
- Description
- Setup
- Usage
- Finding and setting configuration options
- Top-level configuration options
- General configuration options
- CIS configuration options
- Control classes
- Configuration examples
- Rules that rely on specific site information
- Known issues
Description
The cem_linux
module is one of two Compliance Enforcement Modules (CEM). These are supported Puppet modules developed specifically to bring your Puppet Enterpirse (PE) managed nodes under compliance. CEM currently supports CIS (Center for Internet Security) compliance rules, and other compliance frameworks will be added to CEM in the future.
By default, CEM enforces CIS rules for the level 1 server profile.
This README walks you through installing CEM and customizing the configuration settings to suit your own compliance needs. For a list of available parameters, see the CEM reference.
To manage Windows nodes, navigate to cem_windows.
Setup
System requirements
cem_linux
supports the following operating systems and CIS benchmarks:
Operating system | Framework | Level | Profile |
---|---|---|---|
Red Hat Enterprise Linux 7 | CIS benchmarks v3.1.1 | 1 | Server |
Red Hat Enterprise Linux 8 | CIS benchmarks v1.0.1 | 1 | Server |
CentOS Linux 7 | CIS benchmarks v3.1.1 | 1 | Server |
Install CEM with Code Manager
Puppet Forge Premium Content has specific installation instructions found here.
Usage
By default, CEM enforces CIS rules for the level 1 server profile — based on default acceptable values for each CIS recommendation. However, sometimes enforcing these values can leave your nodes in an undesirable state. In these situations, you can customize how CEM enforces the rules and tailor them to your own compliance needs.
Important: CEM's default settings are fully CIS compliant — too much customization can result in your configurations being noncompliant.
Finding and setting configuration options
You can find configuration options in the class *.pp
file. For example, in the manifests/benchmarks/cis/controls/ensure_at_is_restricted_to_authorized_users.pp
file below, you can can see the optional parameters in the comments:
# @api public
#
# @param [Boolean] enforced
# If yes, the control will be enforced
# @param [Hash] config
# Options for the control
# @option config [Boolean] purge_at_deny
# @option config [Boolean] set_at_allow_perms
# @option config [Array[String[1]]] at_allowlist
#
# @see cem_linux::utils::packages::linux::at
You can set these configuration options in Hiera using the following format:
cem_linux::benchmark: '<benchmark code>'
cem_linux::config:
<config options>
For example, configuring the options purge_at_deny
, set_at_allow_perms
and at_allowlist
would look like:
# control-repo/data/common.yaml
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
control_configs:
ensure_at_is_restricted_to_authorized_users:
purge_at_deny: true
set_at_allow_perms: true
You can find all the configuration options in the REFERENCE.md.
Top-level configuration options
The configuration options are configured at the top-level of the module. If configuring with Hiera, these options will be prefixed with cem_linux::
benchmark
-Enum['cis']
- the compliance framework to use. CEM only supportscis
. Default:cis
.config
-Optional[Hash]
- where all non-top-level configuration options live. Default:undef
.allow_on_kubernetes_node
-Boolean
- Ifcem_linux
detects that it is running on a Kubernetes cluster node or host, it will not enforce any rules. It will log a warning stating such. This is to prevent accidentally enforcing incorrect compliance settings that can render Kubernetes non-functional. Default:true
.
General configuration options
These options are available as key-value pairs within the cem_linux::config:
hash.
only:
-Optional[Array[String]]
— takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp
) — classes specified here are included in the catalog. Takes precedence overignore:
. Default:undef
.ignore:
-Optional[Array[String]]
— takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp
). The classes specified here are not included in the catalog. Ifonly:
is specified, this option does nothing. Default:undef
.control_configs
-Optional[Hash]
— where all rule-specific configurations live. Default:undef
.
CIS configuration options
These options are available as key-value pairs within the cem_linux::config:
hash.
profile:
-Optional[Enum['server', 'workstation']]
— the name of the benchmark profile. CEM only supportsserver
. Default:server
.level:
-Optional[Enum['1', '2']]
— the name of the profile level. CEM only supports1
. Default:1
.firewall_type:
-Optional[Enum['iptables', 'firewalld', 'unmanaged']]
— the preferred firewall provider. If set tounmanaged
, CEM will not enforce any firewall-related rules. Default:firewalld
.
Red Hat Enterprise Linux 8-specific CIS configuration options
use_authselect:
-Optional[Boolean]
- Whether to use authselect to manage most authentication options. Defaults tofalse
. For more information, see Using authselectauthselect_profile
-Optional[String]
- If using authselect, you must specific an authselect profile with this option. Defaults toundef
. For more information, see Using authselect
Control classes
Control classes (manifests/benchmarks/<benchmark>/controls/*.pp
) are the interfaces that configure rule settings. Each control class accepts the following two parameters:
- The
$enforced
(Boolean
) parameter — this toggles whether the included code in the manifest is executed. - The
$config
parameter — this holds the configuration options for a control class as keys in the hash. You set the$config
parameter based on values from thecontrol_configs
hash. Each top-level key is a control class name (sans path and.pp
suffix) and the value of that key is a hash. The keys of the sub-hash map 1 to 1 with the configuration options available in the specific control class.
For example, the control class would look like:
class cem_linux::benchmarks::cis::controls::super_cool_class (
Boolean $enforced => true,
Boolean $config => {},
) {
if $enforced {
class { 'cem_linux::utils::super_cool_util':
param_one => dig($config, 'param_one'),
param_two => dig($config, 'param_two'),
}
}
}
And the Hiera file would look like:
cem_linux::config:
control_configs:
super_cool_class:
param_one: 'Dude'
param_two: 'Sweet'
For a list of control classes and their configuration options, see the reference.
Configuration examples
To see what CEM looks like in production, see the configuration examples below.
Basic configuration example
When you specify a compliance framework, CEM is configured to provide rule enforcement and configuration for that framework. For example, to enforce the CIS Server Level 1 benchmark for a node, you need to classify the node with the CEM class, set the framework
parameter to cis
, and run Puppet.
In the following example, CEM enforces the CIS level 1 server recommendations "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node.
- Add the following Hiera data to your control repo:
# control-repo/data/nodes/<node name>.yaml
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
only:
- 'ensure_aide_is_installed'
- 'ensure_filesystem_integrity_is_regularly_checked'
- Classify the node with the class
cem_linux
. - Run Puppet.
Some CIS recommendations require you to run a Bolt task. The output of a Puppet run for the debug
logs tell you which task to run.
Advanced configuration example
Building on the basic configuration example, the following example customizes the AIDE configuration file in Hiera.
- Add the following code to the node's Hiera file:
# control-repo/data/nodes/<node name>.yaml
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
only:
- 'ensure_aide_is_installed'
- 'ensure_filesystem_integrity_is_regularly_checked'
control_configs:
ensure_aide_is_installed:
conf_rules:
- 'PERMS = p+u+g+acl+xattrs'
- 'CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs'
conf_checks:
- '/root/\..* PERMS'
- '/root/ CONTENT_EX'
-
Classify the node with the class
cem_linux
. -
Run Puppet.
-
Run the Bolt task specified in the
debug
log.
The AIDE configuration file now reflects the changes in Hiera.
Enforcing bootloader configurations
Warning: The only bootloader supported by CEM for Linux is grub2
.
CEM for Linux enforces various bootloader configurations as required by the selected compliance framework and benchmark. However, since changes to bootloader configurations can be potentially dangerous, CEM for Linux has opted for a light-touch by default.
For CIS, there are several recommendations that modify the bootloader config. If you run CEM for Linux with completely default settings, these changes will be applied, but the bootloader config will not be regenerated. This means that while there are pending changes on the node, nothing about how the bootloader works has actually changed until the configurations are regenerated. The exception to this is the bootloader password, which is not set by default. Below are examples of how you can have CEM for Linux automatically regenerate the bootloader config and how you can set a bootloader password.
Regenerating bootloader configs automatically
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::regenerate_grub2_config: true
Setting a bootloader password
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::regenerate_grub2_config: true
cem_linux::set_grub2_password: true
cem_linux::grub2_superuser: 'root'
cem_linux::grub2_superuser_password: 'password'
lookup_options:
cem_linux::grub2_superuser_password:
convert_to: 'Sensitive'
Notice: The key cem_linux::grub2_superuser_password
must be the type Sensitive[String]
. Setting a lookup option for that key to convert it to Sensitive is the best way to ensure that the value is a Sensitive[String]
.
Warning: It IS NOT recommended to store plain-text passwords in Hiera. Using something like hiera-eyaml
is a better way to store secrets.
Using authselect
Warning: You SHOULD NOT enable authselect on a node if it is already joined to an Active Directory domain or to Red Hat Identity Management (idM). Enabling authselect on these nodes will break your current authentication configurations. Notice: authselect is only supported on Red Hat Enterprise Linux 8 at this time.
By default, cem_linux
uses standard PAM rules to configure the authentication controls specified by CIS. However, if you are enforcing CIS compliance on Red Hat Enterprise Linux 8, CIS prefers that authselect be used. Configuring and using authselect in cem_linux
is easy, but requires a specific style of configuration. Below is an example configuration for enabling authselect on a node using the minimal
system default profile:
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::config:
use_authselect: true
authselect_profile: 'minimal'
To use authselect, you must first set the config option use_authselect
to true
. Next, you must specify an authselect profile with the config option authselect_profile
. Both of the options must be set directly in the cem_linux::config
hash for authselect to work properly.
Custom authselect profiles
Creating and using custom authselect profiles is easy in cem_linux
: simply prefix the profile name in authselect_profile
with custom/
. If the custom profile does not exist on the node, it will automatically be created for you. Below is an example of creating and using a custom profile, my_custom_profile
, that is based off of the system profile minimal
with some extra features enabled:
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::config:
use_authselect: true
authselect_profile: 'custom/my_custom_profile'
control_configs:
create_custom_authselect_profile:
custom_profile_base: 'minimal'
profile_features:
- with-faillock
- with-mkhomedir
Configuring authselect
All authselect configurations are managed via the control class create_custom_authselect_profile
, whether you are using a custom profile or not. See the reference for all configuration options.
Authselect and PAM
At this time, using authselect and PAM are mutually exclusive.
Configuring custom logrotate rules
The following example creates custom logrotate
rules for the primary Puppet server's puppetserver
logs.
# control-repo/data/nodes/<your puppetserver>.yaml
---
cem_linux::config:
control_configs:
ensure_logrotate_is_configured:
rules:
puppetserver:
path:
- '/var/log/puppetlabs/puppetserver/puppetserver.log'
- '/var/log/puppetlabs/puppetserver/pcp-broker.log'
- '/var/log/puppetlabs/puppetserver/puppetserver-access.log'
- '/var/log/puppetlabs/puppetserver/puppetserver-daemon.log'
- '/var/log/puppetlabs/puppetserver/puppetserver-status.log'
- '/var/log/puppetlabs/puppetserver/code-manager-access.log'
- '/var/log/puppetlabs/puppetserver/file-sync-access.log'
- '/var/log/puppetlabs/puppetserver/masterhttp.log'
create_owner: 'puppet'
create_group: 'puppet'
Configuring sudo without a password
The following example configures the admins
group to grant sudo access without a password.
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
control_configs:
ensure_sudo_is_installed:
package_ensure: 'installed'
options:
user_group:
%admins:
options:
- 'NOPASSWD:'
Configuring user SSH keys
The following example configures SSH keys.
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
control_configs:
ensure_permissions_on_etcsshsshd_config_are_configured:
permit_root_login: 'yes'
user_ssh_keys:
testuser1:
username: testuser1
home_dir: /home/testuser1
ssh_key: ssh-rsa A...ZcTFw== rsa-key-20201022
testuser2:
username: testuser2
home_dir: /home/testuser2
ssh_key: ssh-rsa A...ZcTFw== rsa-key-20201022
Configuring SSH allowed and denied users and groups
The following example configures SSH with allowed users / groups and denied users / groups.
cem_linux::benchmark: 'cis'
cem_linux::config:
control_configs:
ensure_permissions_on_etcsshsshd_config_are_configured:
allow_users:
- testuser1
- the_dude
allow_groups:
- testgroup1
- goonies
deny_users:
- testuser2
- the_emperor
deny_groups:
- testgroup2
- legion_of_doom
Configuring the firewall type
The following examples configure the firewall.
firewalld
is default:
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
firewall_type: 'firewalld'
You can also configure iptables
:
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
firewall_type: 'iptables'
You can also configure unmanaged
. When you set firewall_type
to unmanaged
, CEM does not enforce state on any firewall resource. Use unmanaged
if you do not want CEM to configure your firewalls.
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
firewall_type: 'unmanaged'
Rules that rely on specific site information
There are some CIS rules that require site specific information. You can use Bolt tasks to configure these.
Bolt tasks in Puppet Enterprise (PE)
Using PE, you can run Bolt tasks and plans to audit or configure specific parts of a node. These are available under Tasks in the PE console — search the drop down menu for cem_linux
tasks.
Run Bolt tasks from the command line
You can also run Bolt tasks from the command line.
- Install Puppet Development Kit (PDK) and Bolt.
- In the root of the CEM directory, run
pdk bundle exec rake 'spec_prep'
. This downloads the required dependencies as RSpec fixtures, and then symlinks the module directory into the fixtures directory. - Run the tasks on one or more hosts. For example:
bolt task run comply_enforcement_module::audit_unowned_files_and_directories -t $nodefqdn --modulepath spec/fixtures/modules
. Note that you need to add the--modulepath spec/fixtures/modules
option to Bolt commands, otherwise Bolt is not able to find the tasks and plans.
Known issues
Comply Scan Issues
The following recommendations can be reported as failing due to bugs in the CIS-CAT Pro Assessor bundled with Comply. CEM does correctly enforce these settings.
- Red Hat Enterprise Linux Benchmark v1.0.1:
- 1.5.1 - Ensure permissions on bootloader are configured
- On EFI systems, the script ran by CIS-CAT Pro does not locate the correct grub file path. Permissions are set correctly by CEM.
- 1.5.2 - Ensure bootloader password is set
- On EFI systems, the script ran by CIS-CAT Pro does not locate the correct grub file path. The bootloader password can be set by CEM.
- 4.1.16 - Ensure system administrator actions (sudolog) are collected
- The sudo log path and rule are not successfully matched by the CIS CAT Pro scanner. CEM correctly enables the sudolog.
- 1.5.1 - Ensure permissions on bootloader are configured
General Issues
nftables
firewall is not supported. Usefirewalld
oriptables
instead.- CEM cannot create filesystem partitions, which can cause certain scanner checks to fail.
- CEM cannot set permissions on removable media partitions. To set the required permissions on these partitions, ensure
nodev,nosuid,noexec
exists in the options portion of/etc/fstab
for the partition. - XD/NX support is dependent on the host kernel and CEM cannot configure it. Ensure you are using up-to-date kernels.
- Restricting the root login to a system console requires knowledge of the site. You need to configure this control manually by removing entries in
/etc/securetty
for consoles that are not in secure locations. - CEM does not enforce authselect controls for CIS 1.0.0 5.3.x on RHEL8 or CentOS8. This requires site knowledge and can break network authentication. CIS recomends that you do not enforce this control. CEM includes a Bolt task
audit_authselect
to audit these controls. - You can only configure the
ensure_nodev_option_set_on_home_partition
class if the/home
setting is mounted on it's own partition. Note that Puppet does not create a partition for/home
. - If you are running on RHEL 8 and CentOS 8:
- The
ensure_nis_server_is_not_enabled
class is dependent onensure__rpc_is_not_enabled
. If you enforceensure_nis_server_is_not_enabled
, you must also enforceensure__rpc_is_not_enabled
. - The
ensure_nfs_is_not_enabled
class is dependent onensure__rpc_is_not_enabled
. If you do not enforceensure_nfs_is_not_enabled
, you must also enforceensure__rpc_is_not_enabled
.
- The
- If you are running on RHEL 7 and CentOS 7:
- The
ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked
class is dependant onensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked
. If you enforceensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked
, you must also enforceensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked
.
- The
- The control
disable_wireless_interfaces
requires that you install the NetworkManager package and that the service is running.
Reference
Table of Contents
Classes
Public Classes
cem_linux
: Provides an interface for applying benchmark classescem_linux::benchmarks::cis
: Provides an OS-independent interface for the CIS benchmark profilecem_linux::benchmarks::cis::controls::audit_sgid_executables
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.14 Audit SGID executables | CIS 1.0.1 RHEL 8/CentOS 8 6.1.14 Audit SGID executablescem_linux::benchmarks::cis::controls::audit_suid_executables
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.13 Audit SUID executables | CIS 1.0.1 RHEL 8/CentOS 8 6.1.13 Audit SUID executablescem_linux::benchmarks::cis::controls::create_custom_authselect_profile
: CIS 1.0.1 RHEL 8 5.3.1 Create custom authselect profilecem_linux::benchmarks::cis::controls::disable_automounting
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.23 Disable Automounting | CIS 1.0.1 RHEL 8/CentOS 8 1.1.22 Disable Automountingcem_linux::benchmarks::cis::controls::disable_ipv6
: CIS 3.1.1 RHEL 7/CentOS 7 3.1.1 Disable IPv6 | CIS 1.0.1 RHEL 8/CentOS 8 3.6 Disable IPv6cem_linux::benchmarks::cis::controls::disable_the_rhnsd_daemon
: CIS 3.1.1 RHEL 7/CentOS 7 1.2.5 Disable the rhnsd Daemon | CIS 1.0.1 RHEL 8/CentOS 8 1.2.2 Disable the rhnsd Daemoncem_linux::benchmarks::cis::controls::disable_usb_storage
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.24 Disable USB Storage | CIS 1.0.1 RHEL 8/CentOS 8 1.1.23 Disable USB Storagecem_linux::benchmarks::cis::controls::ensure__rpc_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.13 Ensure RPC is not enabledcem_linux::benchmarks::cis::controls::ensure_a_firewall_package_is_installed
: CIS 1.0.1 RHEL 8/CentOS 8 3.4.1.1 Ensure a Firewall package is installedcem_linux::benchmarks::cis::controls::ensure_access_to_the_su_command_is_restricted
: CIS 3.1.1 RHEL 7/CentOS 7 5.7 Ensure access to the su command is restricted | CIS 1.0.1 RHEL 8/CentOS 8 5.7 Ensure access to the su command is restrictedcem_linux::benchmarks::cis::controls::ensure_accounts_in_etcpasswd_use_shadowed_passwords
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.1 Ensure accounts in etcpasswd use shadowed passwordscem_linux::benchmarks::cis::controls::ensure_address_space_layout_randomization_aslr_is_enabled
: CIS 3.1.1 RHEL 7/CentOS 7 1.5.3 Ensure address space layout randomization ASLR is enabled | CIS 1.0.1 RHEL 8/CentOS 8 1.6.2 Ensure address space layout randomization ASLR is enabledcem_linux::benchmarks::cis::controls::ensure_aide_is_installed
: CIS 3.1.1 RHEL 7/CentOS 7 1.3.1 Ensure AIDE is installed | CIS 1.0.1 RHEL 8/CentOS 8 1.4.1 Ensure AIDE is installedcem_linux::benchmarks::cis::controls::ensure_all_groups_in_etcpasswd_exist_in_etcgroup
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.3 Ensure all groups in etcpasswd exist in etcgroup | CIS 1.0.1 RHEL 8/CentOS 8 6.2.14 Ensure all groups in etcpasswd exist in etcgroupcem_linux::benchmarks::cis::controls::ensure_all_users_home_directories_exist
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.11 Ensure all users home directories exist | CIS 1.0.1 RHEL 8/CentOS 8 6.2.20 Ensure all users home directories existcem_linux::benchmarks::cis::controls::ensure_all_users_last_password_change_date_is_in_the_past
: CIS 3.1.1 RHEL 7/CentOS 7 5.5.1.5 Ensure all users last password change date is in the past | CIS 1.0.1 RHEL 8/CentOS 8 5.5.1.5 Ensure all users last password change date is in the pastcem_linux::benchmarks::cis::controls::ensure_an_nftables_table_exists
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.5 Ensure an nftables table exists | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.2 Ensure an nftables table existscem_linux::benchmarks::cis::controls::ensure_at_is_restricted_to_authorized_users
: CIS 3.1.1 RHEL 7/CentOS 7 5.1.9 Ensure at is restricted to authorized userscem_linux::benchmarks::cis::controls::ensure_atcron_is_restricted_to_authorized_users
: CIS 1.0.1 RHEL 8/CentOS 8 5.1.8 Ensure atcron is restricted to authorized userscem_linux::benchmarks::cis::controls::ensure_audit_backlog_limit_is_sufficient
: CIS 1.0.1 RHEL 8/CentOS 8 4.1.1.4 Ensure audit_backlog_limit is sufficientcem_linux::benchmarks::cis::controls::ensure_audit_log_storage_size_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.2.1 Ensure audit log storage size is configured | CIS 1.0.1 RHEL 8/CentOS 8 4.1.2.1 Ensure audit log storage size is configuredcem_linux::benchmarks::cis::controls::ensure_auditd_is_installed
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.1.1 Ensure auditd is installed | CIS 1.0.1 RHEL 8/CentOS 8 4.1.1.1 Ensure auditd is installedcem_linux::benchmarks::cis::controls::ensure_auditd_service_is_enabled
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.1.2 Ensure auditd service is enabled and running | CIS 1.0.1 RHEL 8/CentOS 8 4.1.1.2 Ensure auditd service is enabledcem_linux::benchmarks::cis::controls::ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled | CIS 1.0.1 RHEL 8/CentOS 8 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabledcem_linux::benchmarks::cis::controls::ensure_authentication_required_for_single_user_mode
: CIS 3.1.1 RHEL 7/CentOS 7 1.4.3 Ensure authentication required for single user mode | CIS 1.0.1 RHEL 8/CentOS 8 1.5.3 Ensure authentication required for single user modecem_linux::benchmarks::cis::controls::ensure_authselect_includes_with_faillock
: CIS 1.0.1 RHEL 8 5.3.3 Ensure authselect includes with-faillockcem_linux::benchmarks::cis::controls::ensure_avahi_server_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.4 Ensure Avahi Server is not enabledcem_linux::benchmarks::cis::controls::ensure_avahi_server_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.3 Ensure Avahi Server is not installedcem_linux::benchmarks::cis::controls::ensure_bogus_icmp_responses_are_ignored
: CIS 3.1.1 RHEL 7/CentOS 7 3.3.6 Ensure bogus ICMP responses are ignored | CIS 1.0.1 RHEL 8/CentOS 8 3.2.6 Ensure bogus ICMP responses are ignoredcem_linux::benchmarks::cis::controls::ensure_bootloader_password_is_set
: CIS 3.1.1 RHEL 7/CentOS 7 1.4.1 Ensure bootloader password is set | CIS 1.0.1 RHEL 8/CentOS 8 1.5.2 Ensure bootloader password is setcem_linux::benchmarks::cis::controls::ensure_broadcast_icmp_requests_are_ignored
: CIS 3.1.1 RHEL 7/CentOS 7 3.3.5 Ensure broadcast ICMP requests are ignored | CIS 1.0.1 RHEL 8/CentOS 8 3.2.5 Ensure broadcast ICMP requests are ignoredcem_linux::benchmarks::cis::controls::ensure_changes_to_system_administration_scope_sudoers_is_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.14 Ensure changes to system administration scope sudoers is collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.3 Ensure changes to system administration scope sudoers is collectedcem_linux::benchmarks::cis::controls::ensure_chrony_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.1.2 Ensure chrony is configured | CIS 1.0.1 RHEL 8/CentOS 8 2.2.1.2 Ensure chrony is configuredcem_linux::benchmarks::cis::controls::ensure_core_dumps_are_restricted
: CIS 3.1.1 RHEL 7/CentOS 7 1.5.1 Ensure core dumps are restricted | CIS 1.0.1 RHEL 8/CentOS 8 1.6.1 Ensure core dumps are restrictedcem_linux::benchmarks::cis::controls::ensure_cron_daemon_is_enabled
: CIS 3.1.1 RHEL 7/CentOS 7 5.1.1 Ensure cron daemon is enabled and running | CIS 1.0.1 RHEL 8/CentOS 8 5.1.1 Ensure cron daemon is enabledcem_linux::benchmarks::cis::controls::ensure_cron_daemon_is_enabled_and_running
: CIS 3.1.1 RHEL 7/CentOS 7 5.1.1 Ensure cron daemon is enabled and runningcem_linux::benchmarks::cis::controls::ensure_cron_is_restricted_to_authorized_users
: CIS 3.1.1 RHEL 7/CentOS 7 5.1.8 Ensure cron is restricted to authorized userscem_linux::benchmarks::cis::controls::ensure_cups_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.16 Ensure CUPS is not enabledcem_linux::benchmarks::cis::controls::ensure_cups_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.4 Ensure CUPS is not installedcem_linux::benchmarks::cis::controls::ensure_dccp_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 3.4.1 Ensure DCCP is disabled | CIS 1.0.1 RHEL 8/CentOS 8 3.3.1 Ensure DCCP is disabledcem_linux::benchmarks::cis::controls::ensure_default_group_for_the_root_account_is_gid_0
: CIS 3.1.1 RHEL 7/CentOS 7 5.5.3 Ensure default group for the root account is GID 0 | CIS 1.0.1 RHEL 8/CentOS 8 5.5.4 Ensure default group for the root account is GID 0cem_linux::benchmarks::cis::controls::ensure_default_user_shell_timeout_is_900_seconds_or_less
: CIS 1.0.1 RHEL 8/CentOS 8 5.5.3 Ensure default user shell timeout is 900 seconds or lesscem_linux::benchmarks::cis::controls::ensure_default_user_shell_timeout_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.5.4 Ensure default user shell timeout is configuredcem_linux::benchmarks::cis::controls::ensure_default_user_umask_is_027_or_more_restrictive
: CIS 1.0.1 RHEL 8/CentOS 8 5.5.5 Ensure default user umask is 027 or more restrictivecem_linux::benchmarks::cis::controls::ensure_default_user_umask_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.5.5 Ensure default user umask is configuredcem_linux::benchmarks::cis::controls::ensure_devshm_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.6 Ensure devshm is configuredcem_linux::benchmarks::cis::controls::ensure_dhcp_server_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.15 Ensure DHCP Server is not enabledcem_linux::benchmarks::cis::controls::ensure_dhcp_server_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.5 Ensure DHCP Server is not installedcem_linux::benchmarks::cis::controls::ensure_discretionary_access_control_permission_modification_events_are_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.9 Ensure discretionary access control permission modification events are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.9 Ensure discretionary access control permission modification events are collectedcem_linux::benchmarks::cis::controls::ensure_dns_server_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.11 Ensure DNS Server is not enabledcem_linux::benchmarks::cis::controls::ensure_dns_server_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.7 Ensure DNS Server is not installedcem_linux::benchmarks::cis::controls::ensure_etcshadow_password_fields_are_not_empty
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.2 Ensure etcshadow password fields are not emptycem_linux::benchmarks::cis::controls::ensure_events_that_modify_date_and_time_information_are_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.3 Ensure events that modify date and time information are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.6 Ensure events that modify date and time information are collectedcem_linux::benchmarks::cis::controls::ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.6 Ensure events that modify the systems Mandatory Access Controls are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.7 Ensure events that modify the systems Mandatory Access Controls are collectedcem_linux::benchmarks::cis::controls::ensure_events_that_modify_the_systems_network_environment_are_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.5 Ensure events that modify the systems network environment are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.8 Ensure events that modify the systems network environment are collectedcem_linux::benchmarks::cis::controls::ensure_events_that_modify_usergroup_information_are_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.4 Ensure events that modify usergroup information are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.11 Ensure events that modify usergroup information are collectedcem_linux::benchmarks::cis::controls::ensure_file_deletion_events_by_users_are_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.13 Ensure file deletion events by users are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.14 Ensure file deletion events by users are collectedcem_linux::benchmarks::cis::controls::ensure_filesystem_integrity_is_regularly_checked
: CIS 3.1.1 RHEL 7/CentOS 7 1.3.2 Ensure filesystem integrity is regularly checked | CIS 1.0.1 RHEL 8/CentOS 8 1.4.2 Ensure filesystem integrity is regularly checkedcem_linux::benchmarks::cis::controls::ensure_firewalld_default_zone_is_set
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.5 Ensure firewalld default zone is set | CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.4 Ensure firewalld default zone is setcem_linux::benchmarks::cis::controls::ensure_firewalld_drops_unnecessary_services_and_ports
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.7 Ensure firewalld drops unnecessary services and ports | CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.6 Ensure firewalld drops unnecessary services and portscem_linux::benchmarks::cis::controls::ensure_firewalld_is_either_not_installed_or_masked_with_iptables
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.1.3 Ensure firewalld is either not installed or masked with iptablescem_linux::benchmarks::cis::controls::ensure_firewalld_is_installed
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.1 Ensure firewalld is installedcem_linux::benchmarks::cis::controls::ensure_firewalld_service_enabled_and_running
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.4 Ensure firewalld service enabled and runningcem_linux::benchmarks::cis::controls::ensure_firewalld_service_is_enabled_and_running
: CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.1 Ensure firewalld service is enabled and runningcem_linux::benchmarks::cis::controls::ensure_ftp_server_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.10 Ensure FTP Server is not enabledcem_linux::benchmarks::cis::controls::ensure_ftp_server_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.8 Ensure FTP Server is not installedcem_linux::benchmarks::cis::controls::ensure_gdm_login_banner_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 1.8.2 Ensure GDM login banner is configured | CIS 1.0.1 RHEL 8/CentOS 8 1.8.2 Ensure GDM login banner is configuredcem_linux::benchmarks::cis::controls::ensure_gpg_keys_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 1.2.1 Ensure GPG keys are configured | CIS 1.0.1 RHEL 8/CentOS 8 1.2.3 Ensure GPG keys are configuredcem_linux::benchmarks::cis::controls::ensure_gpgcheck_is_globally_activated
: CIS 3.1.1 RHEL 7/CentOS 7 1.2.3 Ensure gpgcheck is globally activated | CIS 1.0.1 RHEL 8/CentOS 8 1.2.4 Ensure gpgcheck is globally activatedcem_linux::benchmarks::cis::controls::ensure_home_partition_includes_the_nodev_option
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.18 Ensure home partition includes the nodev optioncem_linux::benchmarks::cis::controls::ensure_http_proxy_server_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.6 Ensure HTTP Proxy Server is not enabledcem_linux::benchmarks::cis::controls::ensure_http_proxy_server_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.12 Ensure HTTP Proxy Server is not installedcem_linux::benchmarks::cis::controls::ensure_http_server_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.9 Ensure HTTP server is not enabledcem_linux::benchmarks::cis::controls::ensure_http_server_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.9 Ensure HTTP server is not installedcem_linux::benchmarks::cis::controls::ensure_icmp_redirects_are_not_accepted
: CIS 3.1.1 RHEL 7/CentOS 7 3.3.2 Ensure ICMP redirects are not accepted | CIS 1.0.1 RHEL 8/CentOS 8 3.2.2 Ensure ICMP redirects are not acceptedcem_linux::benchmarks::cis::controls::ensure_imap_and_pop3_server_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.8 Ensure IMAP and POP3 server is not enabledcem_linux::benchmarks::cis::controls::ensure_imap_and_pop3_server_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.10 Ensure IMAP and POP3 server is not installedcem_linux::benchmarks::cis::controls::ensure_inactive_password_lock_is_30_days_or_less
: CIS 3.1.1 RHEL 7/CentOS 7 5.5.1.4 Ensure inactive password lock is 30 days or less | CIS 1.0.1 RHEL 8/CentOS 8 5.5.1.4 Ensure inactive password lock is 30 days or lesscem_linux::benchmarks::cis::controls::ensure_ip6tables_default_deny_firewall_policy
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.4 Ensure ip6tables default deny firewall policy | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.2.1 Ensure ip6tables default deny firewall policycem_linux::benchmarks::cis::controls::ensure_ip6tables_firewall_rules_exist_for_all_open_ports
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.3 Ensure ip6tables firewall rules exist for all open ports | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.2.4 Ensure ip6tables firewall rules exist for all open portscem_linux::benchmarks::cis::controls::ensure_ip6tables_is_enabled_and_active
: CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.2.5 Ensure ip6tables is enabled and activecem_linux::benchmarks::cis::controls::ensure_ip6tables_is_enabled_and_running
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.6 Ensure ip6tables is enabled and runningcem_linux::benchmarks::cis::controls::ensure_ip6tables_loopback_traffic_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.1 Ensure ip6tables loopback traffic is configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.2.2 Ensure ip6tables loopback traffic is configuredcem_linux::benchmarks::cis::controls::ensure_ip6tables_outbound_and_established_connections_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.2 Ensure ip6tables outbound and established connections are configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.2.3 Ensure ip6tables outbound and established connections are configuredcem_linux::benchmarks::cis::controls::ensure_ip6tables_rules_are_saved
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.5 Ensure ip6tables rules are savedcem_linux::benchmarks::cis::controls::ensure_ip_forwarding_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 3.2.1 Ensure IP forwarding is disabled | CIS 1.0.1 RHEL 8/CentOS 8 3.1.1 Ensure IP forwarding is disabledcem_linux::benchmarks::cis::controls::ensure_iptables_are_flushed_with_nftables
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.4 Ensure iptables are flushed with nftables | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.1 Ensure iptables are flushed with nftablescem_linux::benchmarks::cis::controls::ensure_iptables_default_deny_firewall_policy
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.4 Ensure iptables default deny firewall policy | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.1.1 Ensure iptables default deny firewall policycem_linux::benchmarks::cis::controls::ensure_iptables_firewall_rules_exist_for_all_open_ports
: CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.1.4 Ensure iptables firewall rules exist for all open portscem_linux::benchmarks::cis::controls::ensure_iptables_is_enabled_and_active
: CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.1.5 Ensure iptables is enabled and activecem_linux::benchmarks::cis::controls::ensure_iptables_is_enabled_and_running
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.6 Ensure iptables is enabled and runningcem_linux::benchmarks::cis::controls::ensure_iptables_loopback_traffic_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.1 Ensure iptables loopback traffic is configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.1.2 Ensure iptables loopback traffic is configuredcem_linux::benchmarks::cis::controls::ensure_iptables_outbound_and_established_connections_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.2 Ensure iptables outbound and established connections are configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.1.3 Ensure iptables outbound and established connections are configuredcem_linux::benchmarks::cis::controls::ensure_iptables_packages_are_installed
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.1.1 Ensure iptables packages are installedcem_linux::benchmarks::cis::controls::ensure_iptables_rules_are_saved
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.5 Ensure iptables rules are savedcem_linux::benchmarks::cis::controls::ensure_iptables_rules_exist_for_all_open_ports
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.3 Ensure iptables rules exist for all open portscem_linux::benchmarks::cis::controls::ensure_iptables_service_is_not_enabled_with_firewalld
: CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.2 Ensure iptables service is not enabled with firewalldcem_linux::benchmarks::cis::controls::ensure_iptables_services_not_installed_with_firewalld
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.2 Ensure iptables services not installed with firewalldcem_linux::benchmarks::cis::controls::ensure_iptables_services_not_installed_with_nftables
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.3 Ensure iptables services not installed with nftablescem_linux::benchmarks::cis::controls::ensure_ipv6_router_advertisements_are_not_accepted
: CIS 3.1.1 RHEL 7/CentOS 7 3.3.9 Ensure IPv6 router advertisements are not accepted | CIS 1.0.1 RHEL 8/CentOS 8 3.2.9 Ensure IPv6 router advertisements are not acceptedcem_linux::benchmarks::cis::controls::ensure_journald_is_configured_to_compress_large_log_files
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.2.2 Ensure journald is configured to compress large log files | CIS 1.0.1 RHEL 8/CentOS 8 4.2.2.2 Ensure journald is configured to compress large log filescem_linux::benchmarks::cis::controls::ensure_journald_is_configured_to_send_logs_to_rsyslog
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.2.1 Ensure journald is configured to send logs to rsyslog | CIS 1.0.1 RHEL 8/CentOS 8 4.2.2.1 Ensure journald is configured to send logs to rsyslogcem_linux::benchmarks::cis::controls::ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk | CIS 1.0.1 RHEL 8/CentOS 8 4.2.2.3 Ensure journald is configured to write logfiles to persistent diskcem_linux::benchmarks::cis::controls::ensure_kernel_module_loading_and_unloading_is_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.16 Ensure kernel module loading and unloading is collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.15 Ensure kernel module loading and unloading is collectedcem_linux::benchmarks::cis::controls::ensure_ldap_client_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.3.5 Ensure LDAP client is not installed | CIS 1.0.1 RHEL 8/CentOS 8 2.3.3 Ensure LDAP client is not installedcem_linux::benchmarks::cis::controls::ensure_ldap_server_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.14 Ensure LDAP server is not enabledcem_linux::benchmarks::cis::controls::ensure_ldap_server_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.6 Ensure LDAP server is not installedcem_linux::benchmarks::cis::controls::ensure_local_login_warning_banner_is_configured_properly
: CIS 3.1.1 RHEL 7/CentOS 7 1.7.2 Ensure local login warning banner is configured properly | CIS 1.0.1 RHEL 8/CentOS 8 1.8.1.2 Ensure local login warning banner is configured properlycem_linux::benchmarks::cis::controls::ensure_lockout_for_failed_password_attempts_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.4.2 Ensure lockout for failed password attempts is configured | CIS 1.0.1 RHEL 8/CentOS 8 5.4.2 Ensure lockout for failed password attempts is configuredcem_linux::benchmarks::cis::controls::ensure_logging_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.4 Ensure logging is configured | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.4 Ensure logging is configuredcem_linux::benchmarks::cis::controls::ensure_login_and_logout_events_are_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.7 Ensure login and logout events are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.4 Ensure login and logout events are collectedcem_linux::benchmarks::cis::controls::ensure_logrotate_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.4 Ensure logrotate is configured | CIS 1.0.1 RHEL 8/CentOS 8 4.3 Ensure logrotate is configuredcem_linux::benchmarks::cis::controls::ensure_mail_transfer_agent_is_configured_for_local_only_mode
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.16 Ensure mail transfer agent is configured for local only mode | CIS 1.0.1 RHEL 8/CentOS 8 2.2.18 Ensure mail transfer agent is configured for local only modecem_linux::benchmarks::cis::controls::ensure_message_of_the_day_is_configured_properly
: CIS 3.1.1 RHEL 7/CentOS 7 1.7.1 Ensure message of the day is configured properly | CIS 1.0.1 RHEL 8/CentOS 8 1.8.1.1 Ensure message of the day is configured properlycem_linux::benchmarks::cis::controls::ensure_minimum_days_between_password_changes_is_7_or_more
: CIS 1.0.1 RHEL 8/CentOS 8 5.5.1.2 Ensure minimum days between password changes is 7 or morecem_linux::benchmarks::cis::controls::ensure_minimum_days_between_password_changes_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.5.1.2 Ensure minimum days between password changes is configuredcem_linux::benchmarks::cis::controls::ensure_mounting_of_cramfs_filesystems_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.1.1 Ensure mounting of cramfs filesystems is disabled | CIS 1.0.1 RHEL 8/CentOS 8 1.1.1.1 Ensure mounting of cramfs filesystems is disabledcem_linux::benchmarks::cis::controls::ensure_mounting_of_fat_filesystems_is_limited
cem_linux::benchmarks::cis::controls::ensure_mounting_of_freevxfs_filesystems_is_disabled
cem_linux::benchmarks::cis::controls::ensure_mounting_of_hfs_filesystems_is_disabled
cem_linux::benchmarks::cis::controls::ensure_mounting_of_hfsplus_filesystems_is_disabled
cem_linux::benchmarks::cis::controls::ensure_mounting_of_jffs2_filesystems_is_disabled
cem_linux::benchmarks::cis::controls::ensure_mounting_of_squashfs_filesystems_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.1.2 Ensure mounting of squashfs filesystems is disabled | CIS 1.0.1 RHEL 8/CentOS 8 1.1.1.3 Ensure mounting of squashfs filesystems is disabledcem_linux::benchmarks::cis::controls::ensure_mounting_of_udf_filesystems_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.1.3 Ensure mounting of udf filesystems is disabled | CIS 1.0.1 RHEL 8/CentOS 8 1.1.1.4 Ensure mounting of udf filesystems is disabledcem_linux::benchmarks::cis::controls::ensure_net_snmp_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.13 Ensure net snmp is not installedcem_linux::benchmarks::cis::controls::ensure_network_interfaces_are_assigned_to_appropriate_zone
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.6 Ensure network interfaces are assigned to appropriate zone | CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.5 Ensure network interfaces are assigned to appropriate zonecem_linux::benchmarks::cis::controls::ensure_nfs_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.12 Ensure NFS is not enabledcem_linux::benchmarks::cis::controls::ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.17 Ensure nfs utils is not installed or the nfs server service is maskedcem_linux::benchmarks::cis::controls::ensure_nftables_base_chains_exist
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.6 Ensure nftables base chains exist | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.3 Ensure nftables base chains existcem_linux::benchmarks::cis::controls::ensure_nftables_default_deny_firewall_policy
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.9 Ensure nftables default deny firewall policy | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.6 Ensure nftables default deny firewall policycem_linux::benchmarks::cis::controls::ensure_nftables_either_not_installed_or_masked_with_firewalld
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.3 Ensure nftables either not installed or masked with firewalldcem_linux::benchmarks::cis::controls::ensure_nftables_is_not_enabled_with_firewalld
: CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.3 Ensure nftables is not enabled with firewalldcem_linux::benchmarks::cis::controls::ensure_nftables_is_not_installed_with_iptables
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.1.2 Ensure nftables is not installed with iptablescem_linux::benchmarks::cis::controls::ensure_nftables_loopback_traffic_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.7 Ensure nftables loopback traffic is configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.4 Ensure nftables loopback traffic is configuredcem_linux::benchmarks::cis::controls::ensure_nftables_outbound_and_established_connections_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.8 Ensure nftables outbound and established connections are configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.5 Ensure nftables outbound and established connections are configuredcem_linux::benchmarks::cis::controls::ensure_nftables_rules_are_permanent
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.11 Ensure nftables rules are permanent | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.8 Ensure nftables rules are permanentcem_linux::benchmarks::cis::controls::ensure_nftables_service_is_enabled
: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.10 Ensure nftables service is enabled | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.7 Ensure nftables service is enabledcem_linux::benchmarks::cis::controls::ensure_nis_client_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.3.1 Ensure NIS Client is not installed | CIS 1.0.1 RHEL 8/CentOS 8 2.3.1 Ensure NIS Client is not installedcem_linux::benchmarks::cis::controls::ensure_nis_server_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.17 Ensure NIS Server is not enabledcem_linux::benchmarks::cis::controls::ensure_nis_server_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.14 Ensure NIS server is not installedcem_linux::benchmarks::cis::controls::ensure_no_duplicate_gids_exist
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.8 Ensure no duplicate GIDs exist | CIS 1.0.1 RHEL 8/CentOS 8 6.2.16 Ensure no duplicate GIDs existcem_linux::benchmarks::cis::controls::ensure_no_duplicate_group_names_exist
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.6 Ensure no duplicate group names exist | CIS 1.0.1 RHEL 8/CentOS 8 6.2.18 Ensure no duplicate group names existcem_linux::benchmarks::cis::controls::ensure_no_duplicate_uids_exist
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.7 Ensure no duplicate UIDs exist | CIS 1.0.1 RHEL 8/CentOS 8 6.2.15 Ensure no duplicate UIDs existcem_linux::benchmarks::cis::controls::ensure_no_duplicate_user_names_exist
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.5 Ensure no duplicate user names exist | CIS 1.0.1 RHEL 8/CentOS 8 6.2.17 Ensure no duplicate user names existcem_linux::benchmarks::cis::controls::ensure_no_legacy__entries_exist_in_etcgroup
: CIS 1.0.1 RHEL 8/CentOS 8 6.2.5 Ensure no legacy entries exist in etcgroupcem_linux::benchmarks::cis::controls::ensure_no_legacy__entries_exist_in_etcpasswd
: CIS 1.0.1 RHEL 8/CentOS 8 6.2.2 Ensure no legacy entries exist in etcpasswdcem_linux::benchmarks::cis::controls::ensure_no_legacy__entries_exist_in_etcshadow
: CIS 1.0.1 RHEL 8/CentOS 8 6.2.4 Ensure no legacy entries exist in etcshadowcem_linux::benchmarks::cis::controls::ensure_no_unconfined_daemons_exist
cem_linux::benchmarks::cis::controls::ensure_no_unowned_files_or_directories_exist
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.11 Ensure no unowned files or directories exist | CIS 1.0.1 RHEL 8/CentOS 8 6.1.11 Ensure no unowned files or directories existcem_linux::benchmarks::cis::controls::ensure_no_users_have__forward_files
cem_linux::benchmarks::cis::controls::ensure_no_users_have__netrc_files
cem_linux::benchmarks::cis::controls::ensure_no_users_have__rhosts_files
cem_linux::benchmarks::cis::controls::ensure_no_world_writable_files_exist
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.10 Ensure no world writable files exist | CIS 1.0.1 RHEL 8/CentOS 8 6.1.10 Ensure no world writable files existcem_linux::benchmarks::cis::controls::ensure_nodev_option_set_on_devshm_partition
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.8 Ensure nodev option set on devshm partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.15 Ensure nodev option set on devshm partitioncem_linux::benchmarks::cis::controls::ensure_nodev_option_set_on_home_partition
: CIS 1.0.1 RHEL 8/CentOS 8 1.1.14 Ensure nodev option set on home partitioncem_linux::benchmarks::cis::controls::ensure_nodev_option_set_on_tmp_partition
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.4 Ensure nodev option set on tmp partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.3 Ensure nodev option set on tmp partitioncem_linux::benchmarks::cis::controls::ensure_nodev_option_set_on_vartmp_partition
: CIS 1.0.1 RHEL 8/CentOS 8 1.1.8 Ensure nodev option set on vartmp partitioncem_linux::benchmarks::cis::controls::ensure_noexec_option_set_on_devshm_partition
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.7 Ensure noexec option set on devshm partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.17 Ensure noexec option set on devshm partitioncem_linux::benchmarks::cis::controls::ensure_noexec_option_set_on_tmp_partition
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.3 Ensure noexec option set on tmp partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.5 Ensure noexec option set on tmp partitioncem_linux::benchmarks::cis::controls::ensure_noexec_option_set_on_vartmp_partition
: CIS 1.0.1 RHEL 8/CentOS 8 1.1.10 Ensure noexec option set on vartmp partitioncem_linux::benchmarks::cis::controls::ensure_nonessential_services_are_removed_or_masked
: CIS 3.1.1 RHEL 7/CentOS 7 2.4 Ensure nonessential services are removed or maskedcem_linux::benchmarks::cis::controls::ensure_nosuid_option_set_on_devshm_partition
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.9 Ensure nosuid option set on devshm partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.16 Ensure nosuid option set on devshm partitioncem_linux::benchmarks::cis::controls::ensure_nosuid_option_set_on_tmp_partition
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.5 Ensure nosuid option set on tmp partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.4 Ensure nosuid option set on tmp partitioncem_linux::benchmarks::cis::controls::ensure_nosuid_option_set_on_vartmp_partition
: CIS 1.0.1 RHEL 8/CentOS 8 1.1.9 Ensure nosuid option set on vartmp partitioncem_linux::benchmarks::cis::controls::ensure_ntp_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.1.3 Ensure ntp is configuredcem_linux::benchmarks::cis::controls::ensure_only_strong_ciphers_are_used
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.13 Ensure only strong Ciphers are usedcem_linux::benchmarks::cis::controls::ensure_only_strong_key_exchange_algorithms_are_used
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.15 Ensure only strong Key Exchange algorithms are usedcem_linux::benchmarks::cis::controls::ensure_only_strong_mac_algorithms_are_used
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.14 Ensure only strong MAC algorithms are usedcem_linux::benchmarks::cis::controls::ensure_package_manager_repositories_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 1.2.2 Ensure package manager repositories are configured | CIS 1.0.1 RHEL 8/CentOS 8 1.2.5 Ensure package manager repositories are configuredcem_linux::benchmarks::cis::controls::ensure_packet_redirect_sending_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 3.2.2 Ensure packet redirect sending is disabled | CIS 1.0.1 RHEL 8/CentOS 8 3.1.2 Ensure packet redirect sending is disabledcem_linux::benchmarks::cis::controls::ensure_password_creation_requirements_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.4.1 Ensure password creation requirements are configured | CIS 1.0.1 RHEL 8/CentOS 8 5.4.1 Ensure password creation requirements are configuredcem_linux::benchmarks::cis::controls::ensure_password_expiration_is_365_days_or_less
: CIS 3.1.1 RHEL 7/CentOS 7 5.5.1.1 Ensure password expiration is 365 days or less | CIS 1.0.1 RHEL 8/CentOS 8 5.5.1.1 Ensure password expiration is 365 days or lesscem_linux::benchmarks::cis::controls::ensure_password_expiration_warning_days_is_7_or_more
: CIS 3.1.1 RHEL 7/CentOS 7 5.5.1.3 Ensure password expiration warning days is 7 or more | CIS 1.0.1 RHEL 8/CentOS 8 5.5.1.3 Ensure password expiration warning days is 7 or morecem_linux::benchmarks::cis::controls::ensure_password_hashing_algorithm_is_sha_512
: CIS 3.1.1 RHEL 7/CentOS 7 5.4.3 Ensure password hashing algorithm is SHA 512 | CIS 1.0.1 RHEL 8/CentOS 8 5.4.4 Ensure password hashing algorithm is SHA 512cem_linux::benchmarks::cis::controls::ensure_password_reuse_is_limited
: CIS 3.1.1 RHEL 7/CentOS 7 5.4.4 Ensure password reuse is limited | CIS 1.0.1 RHEL 8/CentOS 8 5.4.3 Ensure password reuse is limitedcem_linux::benchmarks::cis::controls::ensure_permissions_on_all_logfiles_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.3 Ensure permissions on all logfiles are configured | CIS 1.0.1 RHEL 8/CentOS 8 4.2.3 Ensure permissions on all logfiles are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_bootloader_config_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 1.4.2 Ensure permissions on bootloader config are configured | CIS 1.0.1 RHEL 8/CentOS 8 1.5.1 Ensure permissions on bootloader config are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etccron_d_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccron_daily_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccron_hourly_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccron_monthly_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccron_weekly_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccrontab_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.1.2 Ensure permissions on etccrontab are configured | CIS 1.0.1 RHEL 8/CentOS 8 5.1.2 Ensure permissions on etccrontab are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcgroup__are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.9 Ensure permissions on etcgroup are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.9 Ensure permissions on etcgroup are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcgroup_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.8 Ensure permissions on etcgroup are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.8 Ensure permissions on etcgroup are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcgshadow__are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.6 Ensure permissions on etcgshadow are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.7 Ensure permissions on etcgshadow are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcgshadow_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.7 Ensure permissions on etcgshadow are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.6 Ensure permissions on etcgshadow are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcissue_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 1.7.5 Ensure permissions on etcissue are configured | CIS 1.0.1 RHEL 8/CentOS 8 1.8.1.5 Ensure permissions on etcissue are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcissue_net_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcmotd_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 1.7.4 Ensure permissions on etcmotd are configured | CIS 1.0.1 RHEL 8/CentOS 8 1.8.1.4 Ensure permissions on etcmotd are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcpasswd__are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.3 Ensure permissions on etcpasswd are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.3 Ensure permissions on etcpasswd are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcpasswd_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.2 Ensure permissions on etcpasswd are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.2 Ensure permissions on etcpasswd are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcshadow__are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.5 Ensure permissions on etcshadow are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.5 Ensure permissions on etcshadow are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcshadow_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 6.1.4 Ensure permissions on etcshadow are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.4 Ensure permissions on etcshadow are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_etcsshsshd_config_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.1 Ensure permissions on etcsshsshd config are configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.1 Ensure permissions on etcsshsshd config are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_ssh_private_host_key_files_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.2 Ensure permissions on SSH private host key files are configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.3 Ensure permissions on SSH private host key files are configuredcem_linux::benchmarks::cis::controls::ensure_permissions_on_ssh_public_host_key_files_are_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.3 Ensure permissions on SSH public host key files are configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.4 Ensure permissions on SSH public host key files are configuredcem_linux::benchmarks::cis::controls::ensure_prelink_is_disabled
cem_linux::benchmarks::cis::controls::ensure_prelink_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 1.5.4 Ensure prelink is not installedcem_linux::benchmarks::cis::controls::ensure_rds_is_disabled
: CIS 1.0.1 RHEL 8/CentOS 8 3.3.3 Ensure RDS is disabledcem_linux::benchmarks::cis::controls::ensure_red_hat_subscription_manager_connection_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 1.2.4 Ensure Red Hat Subscription Manager connection is configured | CIS 1.0.1 RHEL 8/CentOS 8 1.2.1 Ensure Red Hat Subscription Manager connection is configuredcem_linux::benchmarks::cis::controls::ensure_remote_login_warning_banner_is_configured_properly
: CIS 3.1.1 RHEL 7/CentOS 7 1.7.3 Ensure remote login warning banner is configured properly | CIS 1.0.1 RHEL 8/CentOS 8 1.8.1.3 Ensure remote login warning banner is configured properlycem_linux::benchmarks::cis::controls::ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.cem_linux::benchmarks::cis::controls::ensure_reverse_path_filtering_is_enabled
: CIS 3.1.1 RHEL 7/CentOS 7 3.3.7 Ensure Reverse Path Filtering is enabled | CIS 1.0.1 RHEL 8/CentOS 8 3.2.7 Ensure Reverse Path Filtering is enabledcem_linux::benchmarks::cis::controls::ensure_root_is_the_only_uid_0_account
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.9 Ensure root is the only UID 0 account | CIS 1.0.1 RHEL 8/CentOS 8 6.2.6 Ensure root is the only UID 0 accountcem_linux::benchmarks::cis::controls::ensure_root_path_integrity
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.10 Ensure root PATH Integrity | CIS 1.0.1 RHEL 8/CentOS 8 6.2.3 Ensure root PATH Integritycem_linux::benchmarks::cis::controls::ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.18 Ensure rpcbind is not installed or the rpcbind services are maskedcem_linux::benchmarks::cis::controls::ensure_rsh_client_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.3.2 Ensure rsh client is not installedcem_linux::benchmarks::cis::controls::ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.19 Ensure rsync is not installed or the rsyncd service is maskedcem_linux::benchmarks::cis::controls::ensure_rsync_service_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.3 Ensure rsync service is not enabledcem_linux::benchmarks::cis::controls::ensure_rsyslog_default_file_permissions_configured
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.3 Ensure rsyslog default file permissions configured | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.3 Ensure rsyslog default file permissions configuredcem_linux::benchmarks::cis::controls::ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log hostcem_linux::benchmarks::cis::controls::ensure_rsyslog_is_installed
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.1 Ensure rsyslog is installed | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.1 Ensure rsyslog is installedcem_linux::benchmarks::cis::controls::ensure_rsyslog_service_is_enabled
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.2 Ensure rsyslog Service is enabled and running | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.2 Ensure rsyslog Service is enabledcem_linux::benchmarks::cis::controls::ensure_rsyslog_service_is_enabled_and_running
: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.2 Ensure rsyslog Service is enabled and runningcem_linux::benchmarks::cis::controls::ensure_samba_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.7 Ensure Samba is not enabledcem_linux::benchmarks::cis::controls::ensure_samba_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.11 Ensure Samba is not installedcem_linux::benchmarks::cis::controls::ensure_sctp_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 3.4.2 Ensure SCTP is disabled | CIS 1.0.1 RHEL 8/CentOS 8 3.3.2 Ensure SCTP is disabledcem_linux::benchmarks::cis::controls::ensure_secure_icmp_redirects_are_not_accepted
: CIS 3.1.1 RHEL 7/CentOS 7 3.3.3 Ensure secure ICMP redirects are not accepted | CIS 1.0.1 RHEL 8/CentOS 8 3.2.3 Ensure secure ICMP redirects are not acceptedcem_linux::benchmarks::cis::controls::ensure_selinux_is_installed
: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.1 Ensure SELinux is installed | CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.1 Ensure SELinux is installedcem_linux::benchmarks::cis::controls::ensure_selinux_is_not_disabled_in_bootloader_configuration
: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration | CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.2 Ensure SELinux is not disabled in bootloader configurationcem_linux::benchmarks::cis::controls::ensure_selinux_policy_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.3 Ensure SELinux policy is configured | CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.3 Ensure SELinux policy is configuredcem_linux::benchmarks::cis::controls::ensure_session_initiation_information_is_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.8 Ensure session initiation information is collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.5 Ensure session initiation information is collectedcem_linux::benchmarks::cis::controls::ensure_setroubleshoot_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.7 Ensure SETroubleshoot is not installed | CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.6 Ensure SETroubleshoot is not installedcem_linux::benchmarks::cis::controls::ensure_shadow_group_is_empty
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.4 Ensure shadow group is empty | CIS 1.0.1 RHEL 8/CentOS 8 6.2.19 Ensure shadow group is emptycem_linux::benchmarks::cis::controls::ensure_snmp_server_is_not_enabled
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.5 Ensure SNMP Server is not enabledcem_linux::benchmarks::cis::controls::ensure_source_routed_packets_are_not_accepted
: CIS 3.1.1 RHEL 7/CentOS 7 3.3.1 Ensure source routed packets are not accepted | CIS 1.0.1 RHEL 8/CentOS 8 3.2.1 Ensure source routed packets are not acceptedcem_linux::benchmarks::cis::controls::ensure_ssh_access_is_limited
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.4 Ensure SSH access is limited | CIS 1.0.1 RHEL 8/CentOS 8 5.2.2 Ensure SSH access is limitedcem_linux::benchmarks::cis::controls::ensure_ssh_allowtcpforwarding_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.20 Ensure SSH AllowTcpForwarding is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.17 Ensure SSH AllowTcpForwarding is disabledcem_linux::benchmarks::cis::controls::ensure_ssh_hostbasedauthentication_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.9 Ensure SSH HostbasedAuthentication is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.9 Ensure SSH HostbasedAuthentication is disabledcem_linux::benchmarks::cis::controls::ensure_ssh_idle_timeout_interval_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.16 Ensure SSH Idle Timeout Interval is configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.13 Ensure SSH Idle Timeout Interval is configuredcem_linux::benchmarks::cis::controls::ensure_ssh_ignorerhosts_is_enabled
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.8 Ensure SSH IgnoreRhosts is enabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.8 Ensure SSH IgnoreRhosts is enabledcem_linux::benchmarks::cis::controls::ensure_ssh_logingracetime_is_set_to_one_minute_or_less
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less | CIS 1.0.1 RHEL 8/CentOS 8 5.2.14 Ensure SSH LoginGraceTime is set to one minute or lesscem_linux::benchmarks::cis::controls::ensure_ssh_loglevel_is_appropriate
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.5 Ensure SSH LogLevel is appropriate | CIS 1.0.1 RHEL 8/CentOS 8 5.2.5 Ensure SSH LogLevel is appropriatecem_linux::benchmarks::cis::controls::ensure_ssh_maxauthtries_is_set_to_4_or_less
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less | CIS 1.0.1 RHEL 8/CentOS 8 5.2.7 Ensure SSH MaxAuthTries is set to 4 or lesscem_linux::benchmarks::cis::controls::ensure_ssh_maxsessions_is_limited
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.22 Ensure SSH MaxSessions is limitedcem_linux::benchmarks::cis::controls::ensure_ssh_maxsessions_is_set_to_4_or_less
: CIS 1.0.1 RHEL 8/CentOS 8 5.2.19 Ensure SSH MaxSessions is set to 4 or lesscem_linux::benchmarks::cis::controls::ensure_ssh_maxstartups_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.21 Ensure SSH MaxStartups is configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.18 Ensure SSH MaxStartups is configuredcem_linux::benchmarks::cis::controls::ensure_ssh_pam_is_enabled
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.19 Ensure SSH PAM is enabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.16 Ensure SSH PAM is enabledcem_linux::benchmarks::cis::controls::ensure_ssh_permitemptypasswords_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.11 Ensure SSH PermitEmptyPasswords is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.11 Ensure SSH PermitEmptyPasswords is disabledcem_linux::benchmarks::cis::controls::ensure_ssh_permituserenvironment_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.12 Ensure SSH PermitUserEnvironment is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.12 Ensure SSH PermitUserEnvironment is disabledcem_linux::benchmarks::cis::controls::ensure_ssh_root_login_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.10 Ensure SSH root login is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.10 Ensure SSH root login is disabledcem_linux::benchmarks::cis::controls::ensure_ssh_warning_banner_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.18 Ensure SSH warning banner is configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.15 Ensure SSH warning banner is configuredcem_linux::benchmarks::cis::controls::ensure_ssh_x11_forwarding_is_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 5.3.6 Ensure SSH X11 forwarding is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.6 Ensure SSH X11 forwarding is disabledcem_linux::benchmarks::cis::controls::ensure_sticky_bit_is_set_on_all_world_writable_directories
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.22 Ensure sticky bit is set on all world writable directories | CIS 1.0.1 RHEL 8/CentOS 8 1.1.21 Ensure sticky bit is set on all world writable directoriescem_linux::benchmarks::cis::controls::ensure_successful_file_system_mounts_are_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.12 Ensure successful file system mounts are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.12 Ensure successful file system mounts are collectedcem_linux::benchmarks::cis::controls::ensure_sudo_commands_use_pty
: CIS 3.1.1 RHEL 7/CentOS 7 5.2.2 Ensure sudo commands use pty | CIS 1.0.1 RHEL 8/CentOS 8 1.3.2 Ensure sudo commands use ptycem_linux::benchmarks::cis::controls::ensure_sudo_is_installed
: CIS 3.1.1 RHEL 7/CentOS 7 5.2.1 Ensure sudo is installed | CIS 1.0.1 RHEL 8/CentOS 8 1.3.1 Ensure sudo is installedcem_linux::benchmarks::cis::controls::ensure_sudo_log_file_exists
: CIS 3.1.1 RHEL 7/CentOS 7 5.2.3 Ensure sudo log file exists | CIS 1.0.1 RHEL 8/CentOS 8 1.3.3 Ensure sudo log file existscem_linux::benchmarks::cis::controls::ensure_suspicious_packets_are_logged
: CIS 3.1.1 RHEL 7/CentOS 7 3.3.4 Ensure suspicious packets are logged | CIS 1.0.1 RHEL 8/CentOS 8 3.2.4 Ensure suspicious packets are loggedcem_linux::benchmarks::cis::controls::ensure_system_accounts_are_secured
: CIS 3.1.1 RHEL 7/CentOS 7 5.5.2 Ensure system accounts are secured | CIS 1.0.1 RHEL 8/CentOS 8 5.5.2 Ensure system accounts are securedcem_linux::benchmarks::cis::controls::ensure_system_administrator_actions_sudolog_are_collected
: CIS 1.0.1 RHEL 8/CentOS 8 4.1.16 Ensure system administrator actions sudolog are collectedcem_linux::benchmarks::cis::controls::ensure_system_is_disabled_when_audit_logs_are_full
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.2.3 Ensure system is disabled when audit logs are full | CIS 1.0.1 RHEL 8/CentOS 8 4.1.2.3 Ensure system is disabled when audit logs are fullcem_linux::benchmarks::cis::controls::ensure_system_wide_crypto_policy_is_future_or_fips
: CIS 1.0.1 RHEL 8/CentOS 8 1.11 Ensure system wide crypto policy is FUTURE or FIPScem_linux::benchmarks::cis::controls::ensure_system_wide_crypto_policy_is_not_legacy
: CIS 1.0.1 RHEL 8/CentOS 8 1.10 Ensure system wide crypto policy is not legacycem_linux::benchmarks::cis::controls::ensure_system_wide_crypto_policy_is_not_over_ridden
: CIS 1.0.1 RHEL 8/CentOS 8 5.2.20 Ensure system wide crypto policy is not over riddencem_linux::benchmarks::cis::controls::ensure_talk_client_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.3.3 Ensure talk client is not installedcem_linux::benchmarks::cis::controls::ensure_tcp_syn_cookies_is_enabled
: CIS 3.1.1 RHEL 7/CentOS 7 3.3.8 Ensure TCP SYN Cookies is enabled | CIS 1.0.1 RHEL 8/CentOS 8 3.2.8 Ensure TCP SYN Cookies is enabledcem_linux::benchmarks::cis::controls::ensure_telnet_client_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.3.4 Ensure telnet client is not installed | CIS 1.0.1 RHEL 8/CentOS 8 2.3.2 Ensure telnet client is not installedcem_linux::benchmarks::cis::controls::ensure_telnet_server_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.15 Ensure telnet server is not installedcem_linux::benchmarks::cis::controls::ensure_the_audit_configuration_is_immutable
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.17 Ensure the audit configuration is immutable | CIS 1.0.1 RHEL 8/CentOS 8 4.1.17 Ensure the audit configuration is immutablecem_linux::benchmarks::cis::controls::ensure_the_mcs_translation_service_mcstrans_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.8 Ensure the MCS Translation Service mcstrans is not installed | CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.7 Ensure the MCS Translation Service mcstrans is not installedcem_linux::benchmarks::cis::controls::ensure_the_selinux_mode_is_enforcing_or_permissive
: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.4 Ensure the SELinux mode is enforcing or permissivecem_linux::benchmarks::cis::controls::ensure_the_selinux_policy_is_configured
cem_linux::benchmarks::cis::controls::ensure_the_selinux_state_is_enforcing
: CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.4 Ensure the SELinux state is enforcingcem_linux::benchmarks::cis::controls::ensure_time_synchronization_is_in_use
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.1.1 Ensure time synchronization is in use | CIS 1.0.1 RHEL 8/CentOS 8 2.2.1.1 Ensure time synchronization is in usecem_linux::benchmarks::cis::controls::ensure_tipc_is_disabled
: CIS 1.0.1 RHEL 8/CentOS 8 3.3.4 Ensure TIPC is disabledcem_linux::benchmarks::cis::controls::ensure_tmp_is_configured
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.2 Ensure tmp is configured | CIS 1.0.1 RHEL 8/CentOS 8 1.1.2 Ensure tmp is configuredcem_linux::benchmarks::cis::controls::ensure_unsuccessful_unauthorized_file_access_attempts_are_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.10 Ensure unsuccessful unauthorized file access attempts are collectedcem_linux::benchmarks::cis::controls::ensure_updates_patches_and_additional_security_software_are_installed
: CIS 3.1.1 RHEL 7/CentOS 7 1.9 Ensure updates patches and additional security software are installed | CIS 1.0.1 RHEL 8/CentOS 8 1.9 Ensure updates patches and additional security software are installedcem_linux::benchmarks::cis::controls::ensure_use_of_privileged_commands_is_collected
: CIS 3.1.1 RHEL 7/CentOS 7 4.1.11 Ensure use of privileged commands is collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.13 Ensure use of privileged commands is collectedcem_linux::benchmarks::cis::controls::ensure_users__netrc_files_are_not_group_or_world_accessible
cem_linux::benchmarks::cis::controls::ensure_users_dot_files_are_not_group_or_world_writable
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.14 Ensure users dot files are not group or world writable | CIS 1.0.1 RHEL 8/CentOS 8 6.2.9 Ensure users dot files are not group or world writablecem_linux::benchmarks::cis::controls::ensure_users_home_directories_permissions_are_750_or_more_restrictive
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.13 Ensure users home directories permissions are 750 or more restrictive | CIS 1.0.1 RHEL 8/CentOS 8 6.2.7 Ensure users home directories permissions are 750 or more restrictivecem_linux::benchmarks::cis::controls::ensure_users_own_their_home_directories
: CIS 3.1.1 RHEL 7/CentOS 7 6.2.12 Ensure users own their home directories | CIS 1.0.1 RHEL 8/CentOS 8 6.2.8 Ensure users own their home directoriescem_linux::benchmarks::cis::controls::ensure_vartmp_partition_includes_the_nodev_option
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.13 Ensure vartmp partition includes the nodev optioncem_linux::benchmarks::cis::controls::ensure_vartmp_partition_includes_the_noexec_option
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.12 Ensure vartmp partition includes the noexec optioncem_linux::benchmarks::cis::controls::ensure_vartmp_partition_includes_the_nosuid_option
: CIS 3.1.1 RHEL 7/CentOS 7 1.1.14 Ensure vartmp partition includes the nosuid optioncem_linux::benchmarks::cis::controls::ensure_wireless_interfaces_are_disabled
: CIS 3.1.1 RHEL 7/CentOS 7 3.1.2 Ensure wireless interfaces are disabled | CIS 1.0.1 RHEL 8/CentOS 8 3.5 Ensure wireless interfaces are disabledcem_linux::benchmarks::cis::controls::ensure_x11_server_components_are_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.2.2 Ensure X11 Server components are not installedcem_linux::benchmarks::cis::controls::ensure_x_window_system_is_not_installed
: CIS 1.0.1 RHEL 8/CentOS 8 2.2.2 Ensure X Window System is not installedcem_linux::benchmarks::cis::controls::ensure_xinetd_is_not_installed
: CIS 3.1.1 RHEL 7/CentOS 7 2.1.1 Ensure xinetd is not installed | CIS 1.0.1 RHEL 8/CentOS 8 2.1.1 Ensure xinetd is not installedcem_linux::benchmarks::cis::controls::select_authselect_profile
: CIS 1.0.1 RHEL 8 5.3.2 Select authselect profilecem_linux::benchmarks::cis::controls::unmanaged_firewall
: This class is only ever included in the catalog if you set the firewall_type config option to unmanaged. This class does nothing other than lcem_linux::utils::account_hardening
: Account hardeningcem_linux::utils::bootloader::grub2
: Configure and manage the grub2 bootloadercem_linux::utils::bootloader::grub2::auditd
: Ensures auditd is not disabled in the grub2 boot commandcem_linux::utils::bootloader::grub2::selinux
: Ensures SELinux is not disabled in the grub2 boot commandcem_linux::utils::chmod_logfiles
: This class manages the permissions of log files in /var/log/cem_linux::utils::default_umask
: Default umaskcem_linux::utils::disable_core_dumps
: Disable core dumps.cem_linux::utils::disable_prelink
: A short summary of the purpose of this classcem_linux::utils::enable_aslr
: Enable address space layout randomization (ASLR)cem_linux::utils::firewall::firewalld
: Configures Firewalld on the hostcem_linux::utils::firewall::iptables
: Configures iptables as a firewall on the hostcem_linux::utils::firewall::iptables::post
cem_linux::utils::firewall::iptables::pre
cem_linux::utils::firewall::nftables
: nftables utility classcem_linux::utils::local_only_mta
: Configures MTAs to only process local mailcem_linux::utils::logindefs
: Manages password max age, min age, and warn agecem_linux::utils::motd
: This class configures a system message of the day on a wide variety of systems.cem_linux::utils::network::disable_dccp
: Disables dccpcem_linux::utils::network::disable_icmp_redirects
: Disables the host from accepting ICMP redirect messagescem_linux::utils::network::disable_ip_forwarding
: Disables IP forwarding for IPv4 and IPv6cem_linux::utils::network::disable_ipv6
: Disables IPv6 via sysctl or grubcem_linux::utils::network::disable_ipv6_router_advertisements
: Disables accepting IPv6 router advertisementscem_linux::utils::network::disable_packet_redirect_sending
: Disables ICMP redirects on the systemcem_linux::utils::network::disable_rds
: Disables rdscem_linux::utils::network::disable_sctp
: Disables sctpcem_linux::utils::network::disable_secure_icmp_redirects
: Disables the host from accepting secure ICMP redirect messagescem_linux::utils::network::disable_source_routes
: Disables source routing on hostcem_linux::utils::network::disable_tipc
: Disables tipccem_linux::utils::network::enable_log_martians
: Enables logging of suspicious packets (martians)cem_linux::utils::network::enable_reverse_path_filtering
: Enables reverse path filteringcem_linux::utils::network::enable_tcp_syn_cookies
: Configures host to enable tcp syn cookiescem_linux::utils::network::ignore_bogus_icmp
: Configures host to ignore logging non-RFC compliant ICMP responsescem_linux::utils::network::ignore_icmp_broadcast
: Configures host to ignore certain ICMP requests on broadcast and multicast addressescem_linux::utils::packages::linux::aide
: This class installs and configures AIDEcem_linux::utils::packages::linux::aide::config
: Controls the AIDE config filecem_linux::utils::packages::linux::aide::cron
: Sets up scheduled AIDE scans via croncem_linux::utils::packages::linux::aide::package
: Installs the AIDE packagecem_linux::utils::packages::linux::aide::service
: Controls the AIDE systemd timer servicecem_linux::utils::packages::linux::at
: Manages at.allow and at.deny filescem_linux::utils::packages::linux::auditd
: Manages auditd for auditingcem_linux::utils::packages::linux::auditd::audit_configuration_immutable
: Unesures the auditd configuretion is immutable.cem_linux::utils::packages::linux::auditd::discretionary_access_control
: A short summary of the purpose of this classcem_linux::utils::packages::linux::auditd::file_deletion_events
: Ensure file deletion events are logged.cem_linux::utils::packages::linux::auditd::file_system_mounts
: Ensure successful filesystem mount events are logged.cem_linux::utils::packages::linux::auditd::kernel_module_loading
: Ensure kernel module loading and unloading is logged.cem_linux::utils::packages::linux::auditd::login_logout
: Ensure login and logout events are loggedcem_linux::utils::packages::linux::auditd::mandatory_access_controls
: Sets mandatory access control policy rules.cem_linux::utils::packages::linux::auditd::modify_usergroup_information
: Ensure events that modify usergroup information are logged.cem_linux::utils::packages::linux::auditd::network_environment
: Ensure network environment modifications are logged.cem_linux::utils::packages::linux::auditd::privileged_commands
: Ensure privileged commands are logged.cem_linux::utils::packages::linux::auditd::session_initiation
: Ensure network session initiation inforation is logged.cem_linux::utils::packages::linux::auditd::sudoers
: Ensure changes to system admin scope is logged.cem_linux::utils::packages::linux::auditd::sudolog
: Ensure sudo actions are logged.cem_linux::utils::packages::linux::auditd::time_change
: Ensure events that modify time and date information are logged.cem_linux::utils::packages::linux::auditd::unsuccessful_unauthorized_file_access
: Configure auditd to log unsuccessful unauthorized file access.cem_linux::utils::packages::linux::authselect
: This class manages Authselect on the system.cem_linux::utils::packages::linux::chrony
: A short summary of the purpose of this classcem_linux::utils::packages::linux::cron
: Configures permissions and allowlist for croncem_linux::utils::packages::linux::gdm
: Manages the Gnome desktop environmentcem_linux::utils::packages::linux::logrotate
: Installs and configures logrotatecem_linux::utils::packages::linux::ntp
: Install and configure NTPcem_linux::utils::packages::linux::rsyslog
: Manages rsyslog for basic compliance needscem_linux::utils::packages::linux::selinux
: Mange SELINUXcem_linux::utils::packages::linux::selinux::bootloader
: A short summary of the purpose of this classcem_linux::utils::packages::linux::ssh
: Configures SSH in a secure mannercem_linux::utils::packages::linux::sudo
: Manages sudo package and configurationcem_linux::utils::pam_auth
: Configures PAM password-auth and system-authcem_linux::utils::pwquality
: Configures password quality rulescem_linux::utils::restrict_su
: Restrict sucem_linux::utils::services::inetd::disable
: Disables unwanted (x)inetd servicescem_linux::utils::services::systemd::journald
: Configures Journald with basic compliance settingscem_linux::utils::services::systemd::secure_emergency_service
: Secures ExecStart in emergency.servicecem_linux::utils::services::systemd::secure_rescue_service
: Secures ExecStart in rescue.servicecem_linux::utils::services::systemd::tmp_mount
: Enables and configures the tmp.mount servicecem_linux::utils::sticky_bit
: A short summary of the purpose of this classcem_linux::utils::system_crypto_policy
: A short summary of the purpose of this defined type.cem_linux::utils::timesync
: Setup system timesync servicecem_linux::utils::tmout
: Set idle login timeout.cem_linux::utils::yum::enable_gpgcheck
: Enables the gpgcheck option for all YUM repos
Private Classes
cem_linux::utils::bootloader::grub2::password
: Creates and manages a grub2 password file.cem_linux::utils::bootloader::grub2::permissions
: Ensures proper permissions are set on grub2 bootloader
Defined types
cem_linux::utils::disable_fs_mounting
: Disables filesystem mounting in Linuxcem_linux::utils::disable_service
: Disable a service.cem_linux::utils::file_permissions
: Manages permissions on a filecem_linux::utils::fstab_entry
: Creates modifies, or deletes and entry in /etc/fstabcem_linux::utils::limits
: Creates a limits conf filecem_linux::utils::modprobe_conf
: Creates a new modprobe config filecem_linux::utils::multi_sysctl
: Sets multiple sysctl settings with the same valuecem_linux::utils::network::disable_wireless_interfaces
: Disables wifi, wwan and bluetooth interfacescem_linux::utils::packages::absenter
: Removes system packagescem_linux::utils::packages::linux::auditd::rule
: Creates an auditd rules filecem_linux::utils::packages::linux::sudo::sudoers_default
: Creates a Defaults entry in a given sudoers filecem_linux::utils::packages::linux::sudo::user_group
: Creates drop-in files to manage sudoer users and groupscem_linux::utils::remount_fs
: Helper type for remounting filesystems with new optionscem_linux::utils::remove_nis_entries
: Remove legacy NIS entries from password and group filescem_linux::utils::sysconfig
: Define that allows changing settings for config files in /etc/syscofig/*
Resource types
cem_augeasprovider
: Dumb Augeas provider typecem_authselect_manage_profile
: Sets the active authselect profile. Autorequires: If Puppet is managing the packagesauthselect
,sssd
,realm
,sssd-ad
, `winbinddcem_file_perms
: Manages only the permissions of files. This is useful for managing permissions of files that are not managed by a Puppet file resource, suchcem_grub_config
: Manages global GRUB configuration parameterscem_grub_menuentry
: Manages menu entries in the GRUB and GRUB2 systems. NOTE: This may not cover all possible options and some options may apply to eithercem_grub_user
: Manages GRUB2 Users - Does not apply to GRUB Legacy Note: This type compares against the active GRUB configuration. The contents of the macem_kernel_parameter
: Manages kernel parameters stored in bootloaders.cem_mounttab
: Manages entries in the filesystem table. This is usually, but not necessarily, used in conjunction with the mountpoint type to manage both thcem_pam
: Manages settings in an PAM service files. The resource name is a descriptive string only due to the non-uniqueness of any single paramter.cem_shellvar
: Manages variables in simple shell scripts.cem_ssh_config
: Manages settings in an OpenSSH ssh_config file. The resource name is used for the setting name, but if thehost
is given, then the name cacem_sshd_config
: Manages settings in an OpenSSH sshd_config file. The resource name is used for the setting name, but if thecondition
is given, then the ncem_sshd_config_match
: Manages Match groups in an OpenSSH sshd_config file.cem_sshd_config_subsystem
: Manages Subsystem settings in an OpenSSH sshd_config file.cem_sshkey
: Installs and manages ssh host keys. By default, this type will install keys into/etc/ssh/ssh_known_hosts
. To manage ssh keys in a differecem_sysctl
: Manages entries in /etc/sysctl.conf.cem_systemwide_crypto_policy
: Sets the system-wide crypto policy.inetd_service
: a inetd_service type
Functions
Public Functions
combine_arrays
: combine_arrays.rb Combines arrays into a one new array. Exposes options for uniqueness and flatness.conditional_array
: conditional_array.rb Builds an array based on conditional assignment. Each argument should be an 2 item array where the first item is a boolegrub_mkpasswd_pbkdf2
: This function mimics the (grub|grub2)-mkpasswd-pbkdf2 command to generate passwords used with the grub bootloader.has_class
: has_class.rb Determines whether a class manifest exists in the current module.is_mutex
: is_mutex.rb Returns true if values passed in are mutually exclusive, meaning the other values are Undef (nil). Returns false otherwise.process_firewall_exclusions
: process_firewall_exclusions.rb Takes an array of strings and a conditionals hash, usually from a Hiera lookup, and processes the conditionalrequire_one
: require_one.rb Returns true is there at least on value passed in is not nil. Returns false otherwise.undef_default
: undef_default.rb Takes two params, one is a Puppet class param and the other is a default value. If the Puppet class param is Undef, the defa
Private Functions
cem_linux::acpt_test_should_run
: This function is only used for Litmus acceptance tests of cem_linux.
Tasks
audit_authselect
: Audit authselect profile for RHEL8 and CentOS8audit_duplicate_gid
: Finds and returns duplicate GIDs in /etc/groupaudit_duplicate_group_names
: Finds and returns duplicate group names in /etc/group.audit_duplicate_uid
: Finds duplicate UIDs in /etc/passwd and returns the UID and all users that use itaudit_duplicate_user_names
: Finds and returns duplicate user names in /etc/passwd.audit_etcpasswd_groups
: Finds groups that exist in /etc/passwd but do not exist in /etc/groupaudit_pw_change_date
: Returns the last password change date for all usersaudit_sgid_executables
: A short description of this taskaudit_shadow_group
: Finds and returns any users in the shadow groupaudit_suid_executables
: Returns a list of SUID executable filesaudit_unconfined_services
: Returns a list of all unconfined servicesaudit_unowned_files_and_directories
: Returns a list of any unowned files and directoriesaudit_user_homedir
: Audits user homedirs on the hostaudit_world_writable_files
: Returns a list of any world-writable filesenforce_user_passwords
: Checks for users with blank passwords in /etc/shadow and sets the passwords to the defaultlitmus_get_acpt_test_data
: Finds local module acceptance tests and returns stuctured data about themlitmus_provision_el7
: Litmus provisioning EL7litmus_provision_el8
: Litmus provisioning EL8query_gpg_keys
: Queries for RPM GPG keysquery_listening_services
: Queries for services with established TCP / UDP connectionsquery_yum_repos
: Queries YUM repositoriesredhat_subscription_manager
: Register a system with RedHat subscription managerroot_path_integrity
: Audits root path integrity. Must be run as rootroot_uid
: A short description of this taskupdate_bootloader
: Updates and reinstall bootloader configuration
Plans
Public Plans
cem_linux::linux_users_and_groups
: This plan enfoces user and group security policies.
Private Plans
cem_linux::provision_machines
: This plan provisions machines used for Litmus acceptance testing
Classes
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
audit_authselect
Audit authselect profile for RHEL8 and CentOS8
audit_duplicate_gid
Finds and returns duplicate GIDs in /etc/group
audit_duplicate_group_names
Finds and returns duplicate group names in /etc/group.
audit_duplicate_uid
Finds duplicate UIDs in /etc/passwd and returns the UID and all users that use it
audit_duplicate_user_names
Finds and returns duplicate user names in /etc/passwd.
audit_etcpasswd_groups
Finds groups that exist in /etc/passwd but do not exist in /etc/group
audit_pw_change_date
Returns the last password change date for all users
audit_sgid_executables
A short description of this task
audit_shadow_group
Finds and returns any users in the shadow group
audit_suid_executables
Returns a list of SUID executable files
audit_unconfined_services
Returns a list of all unconfined services
audit_unowned_files_and_directories
Returns a list of any unowned files and directories
audit_world_writable_files
Returns a list of any world-writable files
query_gpg_keys
Queries for RPM GPG keys
query_listening_services
Queries for services with established TCP / UDP connections
query_yum_repos
Queries YUM repositories
root_path_integrity
Audits root path integrity. Must be run as root
update_bootloader
Updates and reinstall bootloader configuration
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v1.1.0 (2021-12-14)
Added
- Enforcement for CIS Red Hat Enterprise Linux 8 server level 2 recommendations.
- Bootloader configuration, including setting a bootloader password, can now be managed through the module on systems that use the
grub2
bootloader.- You can also opt-in to automatically regenerating the bootloader config files after changes are made to them.
- See the docs for more details
- Permissions management for logfiles in
/var/log
is now available in the module.- Because this is now supported natively, the Bolt task
cem_linux::logfile_permissions
has been removed.
- Because this is now supported natively, the Bolt task
- New fact
cem_grub_cfg
.
Changed
- Replaced
camptocamp-systemd
with the supportedpuppet-systemd
. This will require you to update your Puppetfile to usepuppet-systemd
with a minimum version ofv3.5.0
- The fact
cem_uefi_boot
has been changed tocem_efi
. Additionally, more information has been added to this fact.
Fixed
- Several minor bugfixes.
Notes
- Currently, when scanning a node with Comply after applying CEM, some recommendations that are enforced by CEM may show up as failed on the scan. This is due to bugs in the CIS CAT Pro scanner used by Comply. More information is available in the docs.
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 7.0.0)
- puppetlabs/concat (>= 6.4.0 < 7.0.0)
- puppetlabs/puppet_agent (>= 4.0.0 < 5.0.0)
- puppetlabs/inifile (>= 1.6.0 < 5.0.0)
- puppetlabs/augeas_core (>= 1.1.1 < 2.0.0)
- puppetlabs/firewall (>= 2.8.1 < 3.0.0)
- puppet/firewalld (>= 4.4.0 < 5.0.0)
- puppet/logrotate (>= 5.0.0 < 6.0.0)
- puppet/selinux (>= 3.2.0 < 4.0.0)
- puppet/systemd (>= 3.5.0 < 4.0.0)