Premium module

cem_linux

Compliance Enforcement Module for Linux

Project URL RSS Feed Report issues

Module Stats

5,365 downloads

346 latest version

Version information

released Mar 16th 2022

This version is compatible with:

Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
Puppet >= 6.23.0 < 8.0.0
,

This module has been deprecated by its author since May 8th 2024.

The author has suggested puppetlabs-sce_linux as its replacement.

Tasks:

audit_authselect

audit_duplicate_gid

audit_duplicate_group_names

audit_duplicate_uid

audit_duplicate_user_names

audit_etcpasswd_groups

audit_pw_change_date

and 15 more. See all tasks

Tags: security, hardening, compliance, stig, cis, comply

Documentation

puppetlabs/cem_linux — version 1.1.2 Mar 16th 2022

`cem_linux`

cem_linux

Description

The cem_linux module is one of two Compliance Enforcement Modules (CEM). These are supported Puppet modules developed specifically to bring your Puppet Enterpirse (PE) managed nodes under compliance. CEM currently supports CIS (Center for Internet Security) compliance rules, and other compliance frameworks will be added to CEM in the future.

By default, CEM enforces CIS rules for the level 1 server profile.

This README walks you through installing CEM and customizing the configuration settings to suit your own compliance needs. For a list of available parameters, see the CEM reference.

To manage Windows nodes, navigate to cem_windows.

Setup

System requirements

cem_linux supports the following operating systems and CIS benchmarks:

Operating system	Framework	Level	Profile
Red Hat Enterprise Linux 7	CIS benchmarks v3.1.1	1	Server
Red Hat Enterprise Linux 8	CIS benchmarks v1.0.1	1, 2	Server
CentOS Linux 7	CIS benchmarks v3.1.1	1	Server

Install CEM with Code Manager

Puppet Forge Premium Content has specific installation instructions found here.

Usage

By default, CEM enforces CIS rules for the level 1 server profile — based on default acceptable values for each CIS recommendation. However, sometimes enforcing these values can leave your nodes in an undesirable state. In these situations, you can customize how CEM enforces the rules and tailor them to your own compliance needs.

Important: CEM's default settings are fully CIS compliant — too much customization can result in your configurations being noncompliant.

Finding and setting configuration options

You can find configuration options in the class *.pp file. For example, in the manifests/benchmarks/cis/controls/ensure_at_is_restricted_to_authorized_users.pp file below, you can can see the optional parameters in the comments:

# @api public
#
# @param [Boolean] enforced
#   If yes, the control will be enforced
# @param [Hash] config
#   Options for the control
# @option config [Boolean] purge_at_deny
# @option config [Boolean] set_at_allow_perms
# @option config [Array[String[1]]] at_allowlist
#
# @see cem_linux::utils::packages::linux::at

You can set these configuration options in Hiera using the following format:

cem_linux::benchmark: '<benchmark code>'
cem_linux::config:
  <config options>

For example, configuring the options purge_at_deny, set_at_allow_perms and at_allowlist would look like:

# control-repo/data/common.yaml
cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  control_configs:
    ensure_at_is_restricted_to_authorized_users:
      purge_at_deny: true
      set_at_allow_perms: true

You can find all the configuration options in the REFERENCE.md.

Top-level configuration options

The configuration options are configured at the top-level of the module. If configuring with Hiera, these options will be prefixed with cem_linux::

benchmark - Enum['cis'] - the compliance framework to use. CEM only supports cis. Default: cis.
config - Optional[Hash] - where all non-top-level configuration options live. Default: undef.
allow_on_kubernetes_node - Boolean - If cem_linux detects that it is running on a Kubernetes cluster node or host, it will not enforce any rules. It will log a warning stating such. This is to prevent accidentally enforcing incorrect compliance settings that can render Kubernetes non-functional. Default: false.
regenerate_grub2_config - Boolean - Some configurations in CEM for Linux modify the Grub2 bootloader configuration. If you would like to regenerate the Grub2 configuration after applying a change, set this parameter to true. If you do not set this to true, you will need to manually regenerate the Grub2 configuration. Default: false.
set_grub2_password - Boolean - Set the password for the Grub2 bootloader. If you set this to true, you must also set the grub2_superuser and grub2_superuser_password parameters, or configure the specific bootloader password control via control_configs. Default: false.
grub2_superuser - Optional[String[1]] - The superuser for the Grub2 bootloader if you set set_grub2_password to true. Default: Undef
grub2_superuser_password - Optional[Sensitive[String]] - The superuser password for the Grub2 bootloader if you set set_grub2_password to true. This value is sensitive, and should be stored in a Sensitive datatype. Default: Undef.

Top-level configuration options Hiera example

The below example configures CEM for Linux to regenerate the Grub2 bootloader config on a node using the CIS benchmark.

cem_linux::benchmark: 'cis'
cem_linux::allow_on_kubernetes_node: false
cem_linux::regenerate_grub2_config: true
cem_linux::config:
  ...

General configuration options

These options are available as key-value pairs within the cem_linux::config: hash.

only: - Optional[Array[String]] — takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp) — classes specified here are included in the catalog. Takes precedence over ignore:. Default: undef.
ignore: - Optional[Array[String]] — takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp). The classes specified here are not included in the catalog. If only: is specified, this option does nothing. Default: undef.
control_configs - Optional[Hash] — where all rule-specific configurations live. Default: undef.

CIS configuration options

These options are available as key-value pairs within the cem_linux::config: hash.

profile: - Optional[Enum['server', 'workstation']] — the name of the benchmark profile. CEM only supports server. Default: server.
level: - Optional[Enum['1', '2']] — the name of the profile level. CEM only supports 1. Default: 1.
firewall_type: - Optional[Enum['iptables', 'firewalld', 'unmanaged']] — the preferred firewall provider. If set to unmanaged, CEM will not enforce any firewall-related rules. Default: firewalld.

Red Hat Enterprise Linux 8-specific CIS configuration options

use_authselect: - Optional[Boolean] - Whether to use authselect to manage most authentication options. Defaults to false. For more information, see Using authselect
authselect_profile - Optional[String] - If using authselect, you must specific an authselect profile with this option. Defaults to undef. For more information, see Using authselect

Control classes

Control classes (manifests/benchmarks/<benchmark>/controls/*.pp) are the interfaces that configure rule settings. Each control class accepts the following two parameters:

The $enforced (Boolean) parameter — this toggles whether the included code in the manifest is executed.
The $config parameter — this holds the configuration options for a control class as keys in the hash. You set the $config parameter based on values from the control_configs hash. Each top-level key is a control class name (sans path and .pp suffix) and the value of that key is a hash. The keys of the sub-hash map 1 to 1 with the configuration options available in the specific control class.

For example, the control class would look like:

class cem_linux::benchmarks::cis::controls::super_cool_class (
  Boolean $enforced => true,
  Boolean $config => {},
) {
  if $enforced {
    class { 'cem_linux::utils::super_cool_util':
      param_one => dig($config, 'param_one'),
      param_two => dig($config, 'param_two'),
    }
  }
}

And the Hiera file would look like:

cem_linux::config:
  control_configs:
    super_cool_class:
      param_one: 'Dude'
      param_two: 'Sweet'

For a list of control classes and their configuration options, see the reference.

Configuration examples

To see what CEM looks like in production, see the configuration examples below.

Basic configuration example

When you specify a compliance framework, CEM is configured to provide rule enforcement and configuration for that framework. For example, to enforce the CIS Server Level 1 benchmark for a node, you need to classify the node with the CEM class, set the framework parameter to cis, and run Puppet.

In the following example, CEM enforces the CIS level 1 server recommendations "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node.

Add the following Hiera data to your control repo:

# control-repo/data/nodes/<node name>.yaml
cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  only:
    - 'ensure_aide_is_installed'
    - 'ensure_filesystem_integrity_is_regularly_checked'

Classify the node with the class cem_linux.
Run Puppet.

Some CIS recommendations require you to run a Bolt task. The output of a Puppet run for the debug logs tell you which task to run.

Advanced configuration example

Building on the basic configuration example, the following example customizes the AIDE configuration file in Hiera.

Add the following code to the node's Hiera file:

# control-repo/data/nodes/<node name>.yaml
cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  only:
    - 'ensure_aide_is_installed'
    - 'ensure_filesystem_integrity_is_regularly_checked'
  control_configs:
    ensure_aide_is_installed:
      conf_rules:
        - 'PERMS = p+u+g+acl+xattrs'
        - 'CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs'
      conf_checks:
        - '/root/\..* PERMS'
        - '/root/   CONTENT_EX'

Classify the node with the class cem_linux.
Run Puppet.
Run the Bolt task specified in the debug log.

The AIDE configuration file now reflects the changes in Hiera.

Enforcing bootloader configurations

Warning: The only bootloader supported by CEM for Linux is grub2.

CEM for Linux enforces various bootloader configurations as required by the selected compliance framework and benchmark. However, since changes to bootloader configurations can be potentially dangerous, CEM for Linux has opted for a light-touch by default.

For CIS, there are several recommendations that modify the bootloader config. If you run CEM for Linux with completely default settings, these changes will be applied, but the bootloader config will not be regenerated. This means that while there are pending changes on the node, nothing about how the bootloader works has actually changed until the configurations are regenerated. The exception to this is the bootloader password, which is not set by default. Below are examples of how you can have CEM for Linux automatically regenerate the bootloader config and how you can set a bootloader password.

Regenerating bootloader configs automatically

# control-repo/data/nodes/<node name>.yaml
---
cem_linux::regenerate_grub2_config: true

Setting a bootloader password

# control-repo/data/nodes/<node name>.yaml
---
cem_linux::regenerate_grub2_config: true
cem_linux::set_grub2_password: true
cem_linux::grub2_superuser: 'root'
cem_linux::grub2_superuser_password: 'password'
lookup_options:
  cem_linux::grub2_superuser_password:
    convert_to: 'Sensitive'

Notice: The key cem_linux::grub2_superuser_password must be the type Sensitive[String]. Setting a lookup option for that key to convert it to Sensitive is the best way to ensure that the value is a Sensitive[String]. Warning: It IS NOT recommended to store plain-text passwords in Hiera. Using something like hiera-eyaml is a better way to store secrets.

Using authselect

Warning: You SHOULD NOT enable authselect on a node if it is already joined to an Active Directory domain or to Red Hat Identity Management (idM). Enabling authselect on these nodes will break your current authentication configurations. Notice: authselect is only supported on Red Hat Enterprise Linux 8 at this time.

By default, cem_linux uses standard PAM rules to configure the authentication controls specified by CIS. However, if you are enforcing CIS compliance on Red Hat Enterprise Linux 8, CIS prefers that authselect be used. Configuring and using authselect in cem_linux is easy, but requires a specific style of configuration. Below is an example configuration for enabling authselect on a node using the minimal system default profile:

# control-repo/data/nodes/<node name>.yaml
---
cem_linux::config:
  use_authselect: true
  authselect_profile: 'minimal'

To use authselect, you must first set the config option use_authselect to true. Next, you must specify an authselect profile with the config option authselect_profile. Both of the options must be set directly in the cem_linux::config hash for authselect to work properly.

Custom authselect profiles

Creating and using custom authselect profiles is easy in cem_linux: simply prefix the profile name in authselect_profile with custom/. If the custom profile does not exist on the node, it will automatically be created for you. Below is an example of creating and using a custom profile, my_custom_profile, that is based off of the system profile minimal with some extra features enabled:

# control-repo/data/nodes/<node name>.yaml
---
cem_linux::config:
  use_authselect: true
  authselect_profile: 'custom/my_custom_profile'
  control_configs:
    create_custom_authselect_profile:
      custom_profile_base: 'minimal'
      profile_features:
        - with-faillock
        - with-mkhomedir

Configuring authselect

All authselect configurations are managed via the control class create_custom_authselect_profile, whether you are using a custom profile or not. See the reference for all configuration options.

Authselect and PAM

At this time, using authselect and PAM are mutually exclusive.

Configuring custom logrotate rules

The following example creates custom logrotate rules for the primary Puppet server's puppetserver logs.

# control-repo/data/nodes/<your puppetserver>.yaml
---
cem_linux::config:
  control_configs:
    ensure_logrotate_is_configured:
      rules:
        puppetserver:
          path:
            - '/var/log/puppetlabs/puppetserver/puppetserver.log'
            - '/var/log/puppetlabs/puppetserver/pcp-broker.log'
            - '/var/log/puppetlabs/puppetserver/puppetserver-access.log'
            - '/var/log/puppetlabs/puppetserver/puppetserver-daemon.log'
            - '/var/log/puppetlabs/puppetserver/puppetserver-status.log'
            - '/var/log/puppetlabs/puppetserver/code-manager-access.log'
            - '/var/log/puppetlabs/puppetserver/file-sync-access.log'
            - '/var/log/puppetlabs/puppetserver/masterhttp.log'
          create_owner: 'puppet'
          create_group: 'puppet'

Configuring sudo without a password

The following example configures the admins group to grant sudo access without a password.

cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  control_configs:
    ensure_sudo_is_installed:
      package_ensure: 'installed'
      options:
        user_group:
          %admins:
            options:
              - 'NOPASSWD:'

Configuring user SSH keys

The following example configures SSH keys.

cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  control_configs:
    ensure_permissions_on_etcsshsshd_config_are_configured:
      permit_root_login: 'yes'
      user_ssh_keys:
        testuser1:
          username: testuser1
          home_dir: /home/testuser1
          ssh_key: ssh-rsa A...ZcTFw== rsa-key-20201022
        testuser2:
          username: testuser2
          home_dir: /home/testuser2
          ssh_key: ssh-rsa A...ZcTFw== rsa-key-20201022

Configuring SSH allowed and denied users and groups

The following example configures SSH with allowed users / groups and denied users / groups.

cem_linux::benchmark: 'cis'
cem_linux::config:
  control_configs:
    ensure_permissions_on_etcsshsshd_config_are_configured:
      allow_users:
        - testuser1
        - the_dude
      allow_groups:
        - testgroup1
        - goonies
      deny_users:
        - testuser2
        - the_emperor
      deny_groups:
        - testgroup2
        - legion_of_doom

Configuring the firewall type

The following examples configure the firewall.

firewalld is default:

cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'firewalld'

You can also configure iptables:

cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'iptables'

You can also configure unmanaged. When you set firewall_type to unmanaged, CEM does not enforce state on any firewall resource. Use unmanaged if you do not want CEM to configure your firewalls.

cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'unmanaged'

Rules that rely on specific site information

There are some CIS rules that require site specific information. You can use Bolt tasks to configure these.

Bolt tasks in Puppet Enterprise (PE)

Using PE, you can run Bolt tasks and plans to audit or configure specific parts of a node. These are available under Tasks in the PE console — search the drop down menu for cem_linux tasks.

Run Bolt tasks from the command line

You can also run Bolt tasks from the command line.

Install Puppet Development Kit (PDK) and Bolt.
In the root of the CEM directory, run pdk bundle exec rake 'spec_prep'. This downloads the required dependencies as RSpec fixtures, and then symlinks the module directory into the fixtures directory.
Run the tasks on one or more hosts. For example: bolt task run comply_enforcement_module::audit_unowned_files_and_directories -t $nodefqdn --modulepath spec/fixtures/modules. Note that you need to add the --modulepath spec/fixtures/modules option to Bolt commands, otherwise Bolt is not able to find the tasks and plans.

Known issues

Comply Scan Issues

The following recommendations can be reported as failing due to bugs in the CIS-CAT Pro Assessor bundled with Comply. CEM does correctly enforce these settings.

Red Hat Enterprise Linux Benchmark v1.0.1:
- 1.5.1 - Ensure permissions on bootloader are configured
  - On EFI systems, the script ran by CIS-CAT Pro does not locate the correct grub file path. Permissions are set correctly by CEM.
- 1.5.2 - Ensure bootloader password is set
  - On EFI systems, the script ran by CIS-CAT Pro does not locate the correct grub file path. The bootloader password can be set by CEM.
- 4.1.16 - Ensure system administrator actions (sudolog) are collected
  - The sudo log path and rule are not successfully matched by the CIS CAT Pro scanner. CEM correctly enables the sudolog.

General Issues

nftables firewall is not supported. Use firewalld or iptables instead.
CEM cannot create filesystem partitions, which can cause certain scanner checks to fail.
CEM cannot set permissions on removable media partitions. To set the required permissions on these partitions, ensure nodev,nosuid,noexec exists in the options portion of /etc/fstab for the partition.
XD/NX support is dependent on the host kernel and CEM cannot configure it. Ensure you are using up-to-date kernels.
Restricting the root login to a system console requires knowledge of the site. You need to configure this control manually by removing entries in /etc/securetty for consoles that are not in secure locations.
CEM does not enforce authselect controls for CIS 1.0.0 5.3.x on RHEL8 or CentOS8. This requires site knowledge and can break network authentication. CIS recomends that you do not enforce this control. CEM includes a Bolt task audit_authselect to audit these controls.
You can only configure the ensure_nodev_option_set_on_home_partition class if the /home setting is mounted on it's own partition. Note that Puppet does not create a partition for /home.
If you are running on RHEL 8 and CentOS 8:
- The ensure_nis_server_is_not_enabled class is dependent on ensure__rpc_is_not_enabled. If you enforce ensure_nis_server_is_not_enabled, you must also enforce ensure__rpc_is_not_enabled.
- The ensure_nfs_is_not_enabled class is dependent on ensure__rpc_is_not_enabled. If you do not enforce ensure_nfs_is_not_enabled, you must also enforce ensure__rpc_is_not_enabled.
If you are running on RHEL 7 and CentOS 7:
- The ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked class is dependant on ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked. If you enforce ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked, you must also enforce ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked.
The control disable_wireless_interfaces requires that you install the NetworkManager package and that the service is running.

Reference

Classes

Public Classes

cem_linux: Provides an interface for applying benchmark classes
cem_linux::benchmarks::cis: Provides an OS-independent interface for the CIS benchmark profile
cem_linux::benchmarks::cis::controls::audit_sgid_executables: CIS 3.1.1 RHEL 7/CentOS 7 6.1.14 Audit SGID executables | CIS 1.0.1 RHEL 8/CentOS 8 6.1.14 Audit SGID executables
cem_linux::benchmarks::cis::controls::audit_suid_executables: CIS 3.1.1 RHEL 7/CentOS 7 6.1.13 Audit SUID executables | CIS 1.0.1 RHEL 8/CentOS 8 6.1.13 Audit SUID executables
cem_linux::benchmarks::cis::controls::create_custom_authselect_profile: CIS 1.0.1 RHEL 8 5.3.1 Create custom authselect profile
cem_linux::benchmarks::cis::controls::disable_automounting: CIS 3.1.1 RHEL 7/CentOS 7 1.1.23 Disable Automounting | CIS 1.0.1 RHEL 8/CentOS 8 1.1.22 Disable Automounting
cem_linux::benchmarks::cis::controls::disable_ipv6: CIS 3.1.1 RHEL 7/CentOS 7 3.1.1 Disable IPv6 | CIS 1.0.1 RHEL 8/CentOS 8 3.6 Disable IPv6
cem_linux::benchmarks::cis::controls::disable_the_rhnsd_daemon: CIS 3.1.1 RHEL 7/CentOS 7 1.2.5 Disable the rhnsd Daemon | CIS 1.0.1 RHEL 8/CentOS 8 1.2.2 Disable the rhnsd Daemon
cem_linux::benchmarks::cis::controls::disable_usb_storage: CIS 3.1.1 RHEL 7/CentOS 7 1.1.24 Disable USB Storage | CIS 1.0.1 RHEL 8/CentOS 8 1.1.23 Disable USB Storage
cem_linux::benchmarks::cis::controls::ensure__rpc_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.13 Ensure RPC is not enabled
cem_linux::benchmarks::cis::controls::ensure_a_firewall_package_is_installed: CIS 1.0.1 RHEL 8/CentOS 8 3.4.1.1 Ensure a Firewall package is installed
cem_linux::benchmarks::cis::controls::ensure_access_to_the_su_command_is_restricted: CIS 3.1.1 RHEL 7/CentOS 7 5.7 Ensure access to the su command is restricted | CIS 1.0.1 RHEL 8/CentOS 8 5.7 Ensure access to the su command is restricted
cem_linux::benchmarks::cis::controls::ensure_accounts_in_etcpasswd_use_shadowed_passwords: CIS 3.1.1 RHEL 7/CentOS 7 6.2.1 Ensure accounts in etcpasswd use shadowed passwords
cem_linux::benchmarks::cis::controls::ensure_address_space_layout_randomization_aslr_is_enabled: CIS 3.1.1 RHEL 7/CentOS 7 1.5.3 Ensure address space layout randomization ASLR is enabled | CIS 1.0.1 RHEL 8/CentOS 8 1.6.2 Ensure address space layout randomization ASLR is enabled
cem_linux::benchmarks::cis::controls::ensure_aide_is_installed: CIS 3.1.1 RHEL 7/CentOS 7 1.3.1 Ensure AIDE is installed | CIS 1.0.1 RHEL 8/CentOS 8 1.4.1 Ensure AIDE is installed
cem_linux::benchmarks::cis::controls::ensure_all_groups_in_etcpasswd_exist_in_etcgroup: CIS 3.1.1 RHEL 7/CentOS 7 6.2.3 Ensure all groups in etcpasswd exist in etcgroup | CIS 1.0.1 RHEL 8/CentOS 8 6.2.14 Ensure all groups in etcpasswd exist in etcgroup
cem_linux::benchmarks::cis::controls::ensure_all_users_home_directories_exist: CIS 3.1.1 RHEL 7/CentOS 7 6.2.11 Ensure all users home directories exist | CIS 1.0.1 RHEL 8/CentOS 8 6.2.20 Ensure all users home directories exist
cem_linux::benchmarks::cis::controls::ensure_all_users_last_password_change_date_is_in_the_past: CIS 3.1.1 RHEL 7/CentOS 7 5.5.1.5 Ensure all users last password change date is in the past | CIS 1.0.1 RHEL 8/CentOS 8 5.5.1.5 Ensure all users last password change date is in the past
cem_linux::benchmarks::cis::controls::ensure_an_nftables_table_exists: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.5 Ensure an nftables table exists | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.2 Ensure an nftables table exists
cem_linux::benchmarks::cis::controls::ensure_at_is_restricted_to_authorized_users: CIS 3.1.1 RHEL 7/CentOS 7 5.1.9 Ensure at is restricted to authorized users
cem_linux::benchmarks::cis::controls::ensure_atcron_is_restricted_to_authorized_users: CIS 1.0.1 RHEL 8/CentOS 8 5.1.8 Ensure atcron is restricted to authorized users
cem_linux::benchmarks::cis::controls::ensure_audit_backlog_limit_is_sufficient: CIS 1.0.1 RHEL 8/CentOS 8 4.1.1.4 Ensure audit_backlog_limit is sufficient
cem_linux::benchmarks::cis::controls::ensure_audit_log_storage_size_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 4.1.2.1 Ensure audit log storage size is configured | CIS 1.0.1 RHEL 8/CentOS 8 4.1.2.1 Ensure audit log storage size is configured
cem_linux::benchmarks::cis::controls::ensure_auditd_is_installed: CIS 3.1.1 RHEL 7/CentOS 7 4.1.1.1 Ensure auditd is installed | CIS 1.0.1 RHEL 8/CentOS 8 4.1.1.1 Ensure auditd is installed
cem_linux::benchmarks::cis::controls::ensure_auditd_service_is_enabled: CIS 3.1.1 RHEL 7/CentOS 7 4.1.1.2 Ensure auditd service is enabled and running | CIS 1.0.1 RHEL 8/CentOS 8 4.1.1.2 Ensure auditd service is enabled
cem_linux::benchmarks::cis::controls::ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled: CIS 3.1.1 RHEL 7/CentOS 7 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled | CIS 1.0.1 RHEL 8/CentOS 8 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled
cem_linux::benchmarks::cis::controls::ensure_authentication_required_for_single_user_mode: CIS 3.1.1 RHEL 7/CentOS 7 1.4.3 Ensure authentication required for single user mode | CIS 1.0.1 RHEL 8/CentOS 8 1.5.3 Ensure authentication required for single user mode
cem_linux::benchmarks::cis::controls::ensure_authselect_includes_with_faillock: CIS 1.0.1 RHEL 8 5.3.3 Ensure authselect includes with-faillock
cem_linux::benchmarks::cis::controls::ensure_avahi_server_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.4 Ensure Avahi Server is not enabled
cem_linux::benchmarks::cis::controls::ensure_avahi_server_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.3 Ensure Avahi Server is not installed
cem_linux::benchmarks::cis::controls::ensure_bogus_icmp_responses_are_ignored: CIS 3.1.1 RHEL 7/CentOS 7 3.3.6 Ensure bogus ICMP responses are ignored | CIS 1.0.1 RHEL 8/CentOS 8 3.2.6 Ensure bogus ICMP responses are ignored
cem_linux::benchmarks::cis::controls::ensure_bootloader_password_is_set: CIS 3.1.1 RHEL 7/CentOS 7 1.4.1 Ensure bootloader password is set | CIS 1.0.1 RHEL 8/CentOS 8 1.5.2 Ensure bootloader password is set
cem_linux::benchmarks::cis::controls::ensure_broadcast_icmp_requests_are_ignored: CIS 3.1.1 RHEL 7/CentOS 7 3.3.5 Ensure broadcast ICMP requests are ignored | CIS 1.0.1 RHEL 8/CentOS 8 3.2.5 Ensure broadcast ICMP requests are ignored
cem_linux::benchmarks::cis::controls::ensure_changes_to_system_administration_scope_sudoers_is_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.14 Ensure changes to system administration scope sudoers is collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.3 Ensure changes to system administration scope sudoers is collected
cem_linux::benchmarks::cis::controls::ensure_chrony_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 2.2.1.2 Ensure chrony is configured | CIS 1.0.1 RHEL 8/CentOS 8 2.2.1.2 Ensure chrony is configured
cem_linux::benchmarks::cis::controls::ensure_core_dumps_are_restricted: CIS 3.1.1 RHEL 7/CentOS 7 1.5.1 Ensure core dumps are restricted | CIS 1.0.1 RHEL 8/CentOS 8 1.6.1 Ensure core dumps are restricted
cem_linux::benchmarks::cis::controls::ensure_cron_daemon_is_enabled: CIS 3.1.1 RHEL 7/CentOS 7 5.1.1 Ensure cron daemon is enabled and running | CIS 1.0.1 RHEL 8/CentOS 8 5.1.1 Ensure cron daemon is enabled
cem_linux::benchmarks::cis::controls::ensure_cron_daemon_is_enabled_and_running: CIS 3.1.1 RHEL 7/CentOS 7 5.1.1 Ensure cron daemon is enabled and running
cem_linux::benchmarks::cis::controls::ensure_cron_is_restricted_to_authorized_users: CIS 3.1.1 RHEL 7/CentOS 7 5.1.8 Ensure cron is restricted to authorized users
cem_linux::benchmarks::cis::controls::ensure_cups_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.16 Ensure CUPS is not enabled
cem_linux::benchmarks::cis::controls::ensure_cups_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.4 Ensure CUPS is not installed
cem_linux::benchmarks::cis::controls::ensure_dccp_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 3.4.1 Ensure DCCP is disabled | CIS 1.0.1 RHEL 8/CentOS 8 3.3.1 Ensure DCCP is disabled
cem_linux::benchmarks::cis::controls::ensure_default_group_for_the_root_account_is_gid_0: CIS 3.1.1 RHEL 7/CentOS 7 5.5.3 Ensure default group for the root account is GID 0 | CIS 1.0.1 RHEL 8/CentOS 8 5.5.4 Ensure default group for the root account is GID 0
cem_linux::benchmarks::cis::controls::ensure_default_user_shell_timeout_is_900_seconds_or_less: CIS 1.0.1 RHEL 8/CentOS 8 5.5.3 Ensure default user shell timeout is 900 seconds or less
cem_linux::benchmarks::cis::controls::ensure_default_user_shell_timeout_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.5.4 Ensure default user shell timeout is configured
cem_linux::benchmarks::cis::controls::ensure_default_user_umask_is_027_or_more_restrictive: CIS 1.0.1 RHEL 8/CentOS 8 5.5.5 Ensure default user umask is 027 or more restrictive
cem_linux::benchmarks::cis::controls::ensure_default_user_umask_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.5.5 Ensure default user umask is configured
cem_linux::benchmarks::cis::controls::ensure_devshm_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 1.1.6 Ensure devshm is configured
cem_linux::benchmarks::cis::controls::ensure_dhcp_server_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.15 Ensure DHCP Server is not enabled
cem_linux::benchmarks::cis::controls::ensure_dhcp_server_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.5 Ensure DHCP Server is not installed
cem_linux::benchmarks::cis::controls::ensure_discretionary_access_control_permission_modification_events_are_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.9 Ensure discretionary access control permission modification events are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.9 Ensure discretionary access control permission modification events are collected
cem_linux::benchmarks::cis::controls::ensure_dns_server_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.11 Ensure DNS Server is not enabled
cem_linux::benchmarks::cis::controls::ensure_dns_server_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.7 Ensure DNS Server is not installed
cem_linux::benchmarks::cis::controls::ensure_etcshadow_password_fields_are_not_empty: CIS 3.1.1 RHEL 7/CentOS 7 6.2.2 Ensure etcshadow password fields are not empty
cem_linux::benchmarks::cis::controls::ensure_events_that_modify_date_and_time_information_are_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.3 Ensure events that modify date and time information are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.6 Ensure events that modify date and time information are collected
cem_linux::benchmarks::cis::controls::ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.6 Ensure events that modify the systems Mandatory Access Controls are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.7 Ensure events that modify the systems Mandatory Access Controls are collected
cem_linux::benchmarks::cis::controls::ensure_events_that_modify_the_systems_network_environment_are_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.5 Ensure events that modify the systems network environment are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.8 Ensure events that modify the systems network environment are collected
cem_linux::benchmarks::cis::controls::ensure_events_that_modify_usergroup_information_are_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.4 Ensure events that modify usergroup information are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.11 Ensure events that modify usergroup information are collected
cem_linux::benchmarks::cis::controls::ensure_file_deletion_events_by_users_are_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.13 Ensure file deletion events by users are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.14 Ensure file deletion events by users are collected
cem_linux::benchmarks::cis::controls::ensure_filesystem_integrity_is_regularly_checked: CIS 3.1.1 RHEL 7/CentOS 7 1.3.2 Ensure filesystem integrity is regularly checked | CIS 1.0.1 RHEL 8/CentOS 8 1.4.2 Ensure filesystem integrity is regularly checked
cem_linux::benchmarks::cis::controls::ensure_firewalld_default_zone_is_set: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.5 Ensure firewalld default zone is set | CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.4 Ensure firewalld default zone is set
cem_linux::benchmarks::cis::controls::ensure_firewalld_drops_unnecessary_services_and_ports: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.7 Ensure firewalld drops unnecessary services and ports | CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.6 Ensure firewalld drops unnecessary services and ports
cem_linux::benchmarks::cis::controls::ensure_firewalld_is_either_not_installed_or_masked_with_iptables: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.1.3 Ensure firewalld is either not installed or masked with iptables
cem_linux::benchmarks::cis::controls::ensure_firewalld_is_installed: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.1 Ensure firewalld is installed
cem_linux::benchmarks::cis::controls::ensure_firewalld_service_enabled_and_running: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.4 Ensure firewalld service enabled and running
cem_linux::benchmarks::cis::controls::ensure_firewalld_service_is_enabled_and_running: CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.1 Ensure firewalld service is enabled and running
cem_linux::benchmarks::cis::controls::ensure_ftp_server_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.10 Ensure FTP Server is not enabled
cem_linux::benchmarks::cis::controls::ensure_ftp_server_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.8 Ensure FTP Server is not installed
cem_linux::benchmarks::cis::controls::ensure_gdm_login_banner_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 1.8.2 Ensure GDM login banner is configured | CIS 1.0.1 RHEL 8/CentOS 8 1.8.2 Ensure GDM login banner is configured
cem_linux::benchmarks::cis::controls::ensure_gpg_keys_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 1.2.1 Ensure GPG keys are configured | CIS 1.0.1 RHEL 8/CentOS 8 1.2.3 Ensure GPG keys are configured
cem_linux::benchmarks::cis::controls::ensure_gpgcheck_is_globally_activated: CIS 3.1.1 RHEL 7/CentOS 7 1.2.3 Ensure gpgcheck is globally activated | CIS 1.0.1 RHEL 8/CentOS 8 1.2.4 Ensure gpgcheck is globally activated
cem_linux::benchmarks::cis::controls::ensure_home_partition_includes_the_nodev_option: CIS 3.1.1 RHEL 7/CentOS 7 1.1.18 Ensure home partition includes the nodev option
cem_linux::benchmarks::cis::controls::ensure_http_proxy_server_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.6 Ensure HTTP Proxy Server is not enabled
cem_linux::benchmarks::cis::controls::ensure_http_proxy_server_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.12 Ensure HTTP Proxy Server is not installed
cem_linux::benchmarks::cis::controls::ensure_http_server_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.9 Ensure HTTP server is not enabled
cem_linux::benchmarks::cis::controls::ensure_http_server_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.9 Ensure HTTP server is not installed
cem_linux::benchmarks::cis::controls::ensure_icmp_redirects_are_not_accepted: CIS 3.1.1 RHEL 7/CentOS 7 3.3.2 Ensure ICMP redirects are not accepted | CIS 1.0.1 RHEL 8/CentOS 8 3.2.2 Ensure ICMP redirects are not accepted
cem_linux::benchmarks::cis::controls::ensure_imap_and_pop3_server_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.8 Ensure IMAP and POP3 server is not enabled
cem_linux::benchmarks::cis::controls::ensure_imap_and_pop3_server_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.10 Ensure IMAP and POP3 server is not installed
cem_linux::benchmarks::cis::controls::ensure_inactive_password_lock_is_30_days_or_less: CIS 3.1.1 RHEL 7/CentOS 7 5.5.1.4 Ensure inactive password lock is 30 days or less | CIS 1.0.1 RHEL 8/CentOS 8 5.5.1.4 Ensure inactive password lock is 30 days or less
cem_linux::benchmarks::cis::controls::ensure_ip6tables_default_deny_firewall_policy: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.4 Ensure ip6tables default deny firewall policy | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.2.1 Ensure ip6tables default deny firewall policy
cem_linux::benchmarks::cis::controls::ensure_ip6tables_firewall_rules_exist_for_all_open_ports: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.3 Ensure ip6tables firewall rules exist for all open ports | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.2.4 Ensure ip6tables firewall rules exist for all open ports
cem_linux::benchmarks::cis::controls::ensure_ip6tables_is_enabled_and_active: CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.2.5 Ensure ip6tables is enabled and active
cem_linux::benchmarks::cis::controls::ensure_ip6tables_is_enabled_and_running: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.6 Ensure ip6tables is enabled and running
cem_linux::benchmarks::cis::controls::ensure_ip6tables_loopback_traffic_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.1 Ensure ip6tables loopback traffic is configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.2.2 Ensure ip6tables loopback traffic is configured
cem_linux::benchmarks::cis::controls::ensure_ip6tables_outbound_and_established_connections_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.2 Ensure ip6tables outbound and established connections are configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.2.3 Ensure ip6tables outbound and established connections are configured
cem_linux::benchmarks::cis::controls::ensure_ip6tables_rules_are_saved: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.3.5 Ensure ip6tables rules are saved
cem_linux::benchmarks::cis::controls::ensure_ip_forwarding_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 3.2.1 Ensure IP forwarding is disabled | CIS 1.0.1 RHEL 8/CentOS 8 3.1.1 Ensure IP forwarding is disabled
cem_linux::benchmarks::cis::controls::ensure_iptables_are_flushed_with_nftables: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.4 Ensure iptables are flushed with nftables | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.1 Ensure iptables are flushed with nftables
cem_linux::benchmarks::cis::controls::ensure_iptables_default_deny_firewall_policy: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.4 Ensure iptables default deny firewall policy | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.1.1 Ensure iptables default deny firewall policy
cem_linux::benchmarks::cis::controls::ensure_iptables_firewall_rules_exist_for_all_open_ports: CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.1.4 Ensure iptables firewall rules exist for all open ports
cem_linux::benchmarks::cis::controls::ensure_iptables_is_enabled_and_active: CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.1.5 Ensure iptables is enabled and active
cem_linux::benchmarks::cis::controls::ensure_iptables_is_enabled_and_running: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.6 Ensure iptables is enabled and running
cem_linux::benchmarks::cis::controls::ensure_iptables_loopback_traffic_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.1 Ensure iptables loopback traffic is configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.1.2 Ensure iptables loopback traffic is configured
cem_linux::benchmarks::cis::controls::ensure_iptables_outbound_and_established_connections_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.2 Ensure iptables outbound and established connections are configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.4.1.3 Ensure iptables outbound and established connections are configured
cem_linux::benchmarks::cis::controls::ensure_iptables_packages_are_installed: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.1.1 Ensure iptables packages are installed
cem_linux::benchmarks::cis::controls::ensure_iptables_rules_are_saved: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.5 Ensure iptables rules are saved
cem_linux::benchmarks::cis::controls::ensure_iptables_rules_exist_for_all_open_ports: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.2.3 Ensure iptables rules exist for all open ports
cem_linux::benchmarks::cis::controls::ensure_iptables_service_is_not_enabled_with_firewalld: CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.2 Ensure iptables service is not enabled with firewalld
cem_linux::benchmarks::cis::controls::ensure_iptables_services_not_installed_with_firewalld: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.2 Ensure iptables services not installed with firewalld
cem_linux::benchmarks::cis::controls::ensure_iptables_services_not_installed_with_nftables: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.3 Ensure iptables services not installed with nftables
cem_linux::benchmarks::cis::controls::ensure_ipv6_router_advertisements_are_not_accepted: CIS 3.1.1 RHEL 7/CentOS 7 3.3.9 Ensure IPv6 router advertisements are not accepted | CIS 1.0.1 RHEL 8/CentOS 8 3.2.9 Ensure IPv6 router advertisements are not accepted
cem_linux::benchmarks::cis::controls::ensure_journald_is_configured_to_compress_large_log_files: CIS 3.1.1 RHEL 7/CentOS 7 4.2.2.2 Ensure journald is configured to compress large log files | CIS 1.0.1 RHEL 8/CentOS 8 4.2.2.2 Ensure journald is configured to compress large log files
cem_linux::benchmarks::cis::controls::ensure_journald_is_configured_to_send_logs_to_rsyslog: CIS 3.1.1 RHEL 7/CentOS 7 4.2.2.1 Ensure journald is configured to send logs to rsyslog | CIS 1.0.1 RHEL 8/CentOS 8 4.2.2.1 Ensure journald is configured to send logs to rsyslog
cem_linux::benchmarks::cis::controls::ensure_journald_is_configured_to_write_logfiles_to_persistent_disk: CIS 3.1.1 RHEL 7/CentOS 7 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk | CIS 1.0.1 RHEL 8/CentOS 8 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk
cem_linux::benchmarks::cis::controls::ensure_kernel_module_loading_and_unloading_is_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.16 Ensure kernel module loading and unloading is collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.15 Ensure kernel module loading and unloading is collected
cem_linux::benchmarks::cis::controls::ensure_ldap_client_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.3.5 Ensure LDAP client is not installed | CIS 1.0.1 RHEL 8/CentOS 8 2.3.3 Ensure LDAP client is not installed
cem_linux::benchmarks::cis::controls::ensure_ldap_server_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.14 Ensure LDAP server is not enabled
cem_linux::benchmarks::cis::controls::ensure_ldap_server_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.6 Ensure LDAP server is not installed
cem_linux::benchmarks::cis::controls::ensure_local_login_warning_banner_is_configured_properly: CIS 3.1.1 RHEL 7/CentOS 7 1.7.2 Ensure local login warning banner is configured properly | CIS 1.0.1 RHEL 8/CentOS 8 1.8.1.2 Ensure local login warning banner is configured properly
cem_linux::benchmarks::cis::controls::ensure_lockout_for_failed_password_attempts_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.4.2 Ensure lockout for failed password attempts is configured | CIS 1.0.1 RHEL 8/CentOS 8 5.4.2 Ensure lockout for failed password attempts is configured
cem_linux::benchmarks::cis::controls::ensure_logging_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.4 Ensure logging is configured | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.4 Ensure logging is configured
cem_linux::benchmarks::cis::controls::ensure_login_and_logout_events_are_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.7 Ensure login and logout events are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.4 Ensure login and logout events are collected
cem_linux::benchmarks::cis::controls::ensure_logrotate_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 4.2.4 Ensure logrotate is configured | CIS 1.0.1 RHEL 8/CentOS 8 4.3 Ensure logrotate is configured
cem_linux::benchmarks::cis::controls::ensure_mail_transfer_agent_is_configured_for_local_only_mode: CIS 3.1.1 RHEL 7/CentOS 7 2.2.16 Ensure mail transfer agent is configured for local only mode | CIS 1.0.1 RHEL 8/CentOS 8 2.2.18 Ensure mail transfer agent is configured for local only mode
cem_linux::benchmarks::cis::controls::ensure_message_of_the_day_is_configured_properly: CIS 3.1.1 RHEL 7/CentOS 7 1.7.1 Ensure message of the day is configured properly | CIS 1.0.1 RHEL 8/CentOS 8 1.8.1.1 Ensure message of the day is configured properly
cem_linux::benchmarks::cis::controls::ensure_minimum_days_between_password_changes_is_7_or_more: CIS 1.0.1 RHEL 8/CentOS 8 5.5.1.2 Ensure minimum days between password changes is 7 or more
cem_linux::benchmarks::cis::controls::ensure_minimum_days_between_password_changes_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.5.1.2 Ensure minimum days between password changes is configured
cem_linux::benchmarks::cis::controls::ensure_mounting_of_cramfs_filesystems_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 1.1.1.1 Ensure mounting of cramfs filesystems is disabled | CIS 1.0.1 RHEL 8/CentOS 8 1.1.1.1 Ensure mounting of cramfs filesystems is disabled
cem_linux::benchmarks::cis::controls::ensure_mounting_of_fat_filesystems_is_limited
cem_linux::benchmarks::cis::controls::ensure_mounting_of_freevxfs_filesystems_is_disabled
cem_linux::benchmarks::cis::controls::ensure_mounting_of_hfs_filesystems_is_disabled
cem_linux::benchmarks::cis::controls::ensure_mounting_of_hfsplus_filesystems_is_disabled
cem_linux::benchmarks::cis::controls::ensure_mounting_of_jffs2_filesystems_is_disabled
cem_linux::benchmarks::cis::controls::ensure_mounting_of_squashfs_filesystems_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 1.1.1.2 Ensure mounting of squashfs filesystems is disabled | CIS 1.0.1 RHEL 8/CentOS 8 1.1.1.3 Ensure mounting of squashfs filesystems is disabled
cem_linux::benchmarks::cis::controls::ensure_mounting_of_udf_filesystems_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 1.1.1.3 Ensure mounting of udf filesystems is disabled | CIS 1.0.1 RHEL 8/CentOS 8 1.1.1.4 Ensure mounting of udf filesystems is disabled
cem_linux::benchmarks::cis::controls::ensure_net_snmp_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.13 Ensure net snmp is not installed
cem_linux::benchmarks::cis::controls::ensure_network_interfaces_are_assigned_to_appropriate_zone: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.6 Ensure network interfaces are assigned to appropriate zone | CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.5 Ensure network interfaces are assigned to appropriate zone
cem_linux::benchmarks::cis::controls::ensure_nfs_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.12 Ensure NFS is not enabled
cem_linux::benchmarks::cis::controls::ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked: CIS 3.1.1 RHEL 7/CentOS 7 2.2.17 Ensure nfs utils is not installed or the nfs server service is masked
cem_linux::benchmarks::cis::controls::ensure_nftables_base_chains_exist: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.6 Ensure nftables base chains exist | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.3 Ensure nftables base chains exist
cem_linux::benchmarks::cis::controls::ensure_nftables_default_deny_firewall_policy: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.9 Ensure nftables default deny firewall policy | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.6 Ensure nftables default deny firewall policy
cem_linux::benchmarks::cis::controls::ensure_nftables_either_not_installed_or_masked_with_firewalld: CIS 3.1.1 RHEL 7/CentOS 7 3.5.1.3 Ensure nftables either not installed or masked with firewalld
cem_linux::benchmarks::cis::controls::ensure_nftables_is_not_enabled_with_firewalld: CIS 1.0.1 RHEL 8/CentOS 8 3.4.2.3 Ensure nftables is not enabled with firewalld
cem_linux::benchmarks::cis::controls::ensure_nftables_is_not_installed_with_iptables: CIS 3.1.1 RHEL 7/CentOS 7 3.5.3.1.2 Ensure nftables is not installed with iptables
cem_linux::benchmarks::cis::controls::ensure_nftables_loopback_traffic_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.7 Ensure nftables loopback traffic is configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.4 Ensure nftables loopback traffic is configured
cem_linux::benchmarks::cis::controls::ensure_nftables_outbound_and_established_connections_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.8 Ensure nftables outbound and established connections are configured | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.5 Ensure nftables outbound and established connections are configured
cem_linux::benchmarks::cis::controls::ensure_nftables_rules_are_permanent: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.11 Ensure nftables rules are permanent | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.8 Ensure nftables rules are permanent
cem_linux::benchmarks::cis::controls::ensure_nftables_service_is_enabled: CIS 3.1.1 RHEL 7/CentOS 7 3.5.2.10 Ensure nftables service is enabled | CIS 1.0.1 RHEL 8/CentOS 8 3.4.3.7 Ensure nftables service is enabled
cem_linux::benchmarks::cis::controls::ensure_nis_client_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.3.1 Ensure NIS Client is not installed | CIS 1.0.1 RHEL 8/CentOS 8 2.3.1 Ensure NIS Client is not installed
cem_linux::benchmarks::cis::controls::ensure_nis_server_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.17 Ensure NIS Server is not enabled
cem_linux::benchmarks::cis::controls::ensure_nis_server_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.14 Ensure NIS server is not installed
cem_linux::benchmarks::cis::controls::ensure_no_duplicate_gids_exist: CIS 3.1.1 RHEL 7/CentOS 7 6.2.8 Ensure no duplicate GIDs exist | CIS 1.0.1 RHEL 8/CentOS 8 6.2.16 Ensure no duplicate GIDs exist
cem_linux::benchmarks::cis::controls::ensure_no_duplicate_group_names_exist: CIS 3.1.1 RHEL 7/CentOS 7 6.2.6 Ensure no duplicate group names exist | CIS 1.0.1 RHEL 8/CentOS 8 6.2.18 Ensure no duplicate group names exist
cem_linux::benchmarks::cis::controls::ensure_no_duplicate_uids_exist: CIS 3.1.1 RHEL 7/CentOS 7 6.2.7 Ensure no duplicate UIDs exist | CIS 1.0.1 RHEL 8/CentOS 8 6.2.15 Ensure no duplicate UIDs exist
cem_linux::benchmarks::cis::controls::ensure_no_duplicate_user_names_exist: CIS 3.1.1 RHEL 7/CentOS 7 6.2.5 Ensure no duplicate user names exist | CIS 1.0.1 RHEL 8/CentOS 8 6.2.17 Ensure no duplicate user names exist
cem_linux::benchmarks::cis::controls::ensure_no_legacy__entries_exist_in_etcgroup: CIS 1.0.1 RHEL 8/CentOS 8 6.2.5 Ensure no legacy entries exist in etcgroup
cem_linux::benchmarks::cis::controls::ensure_no_legacy__entries_exist_in_etcpasswd: CIS 1.0.1 RHEL 8/CentOS 8 6.2.2 Ensure no legacy entries exist in etcpasswd
cem_linux::benchmarks::cis::controls::ensure_no_legacy__entries_exist_in_etcshadow: CIS 1.0.1 RHEL 8/CentOS 8 6.2.4 Ensure no legacy entries exist in etcshadow
cem_linux::benchmarks::cis::controls::ensure_no_unconfined_daemons_exist
cem_linux::benchmarks::cis::controls::ensure_no_unowned_files_or_directories_exist: CIS 3.1.1 RHEL 7/CentOS 7 6.1.11 Ensure no unowned files or directories exist | CIS 1.0.1 RHEL 8/CentOS 8 6.1.11 Ensure no unowned files or directories exist
cem_linux::benchmarks::cis::controls::ensure_no_users_have__forward_files
cem_linux::benchmarks::cis::controls::ensure_no_users_have__netrc_files
cem_linux::benchmarks::cis::controls::ensure_no_users_have__rhosts_files
cem_linux::benchmarks::cis::controls::ensure_no_world_writable_files_exist: CIS 3.1.1 RHEL 7/CentOS 7 6.1.10 Ensure no world writable files exist | CIS 1.0.1 RHEL 8/CentOS 8 6.1.10 Ensure no world writable files exist
cem_linux::benchmarks::cis::controls::ensure_nodev_option_set_on_devshm_partition: CIS 3.1.1 RHEL 7/CentOS 7 1.1.8 Ensure nodev option set on devshm partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.15 Ensure nodev option set on devshm partition
cem_linux::benchmarks::cis::controls::ensure_nodev_option_set_on_home_partition: CIS 1.0.1 RHEL 8/CentOS 8 1.1.14 Ensure nodev option set on home partition
cem_linux::benchmarks::cis::controls::ensure_nodev_option_set_on_tmp_partition: CIS 3.1.1 RHEL 7/CentOS 7 1.1.4 Ensure nodev option set on tmp partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.3 Ensure nodev option set on tmp partition
cem_linux::benchmarks::cis::controls::ensure_nodev_option_set_on_vartmp_partition: CIS 1.0.1 RHEL 8/CentOS 8 1.1.8 Ensure nodev option set on vartmp partition
cem_linux::benchmarks::cis::controls::ensure_noexec_option_set_on_devshm_partition: CIS 3.1.1 RHEL 7/CentOS 7 1.1.7 Ensure noexec option set on devshm partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.17 Ensure noexec option set on devshm partition
cem_linux::benchmarks::cis::controls::ensure_noexec_option_set_on_tmp_partition: CIS 3.1.1 RHEL 7/CentOS 7 1.1.3 Ensure noexec option set on tmp partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.5 Ensure noexec option set on tmp partition
cem_linux::benchmarks::cis::controls::ensure_noexec_option_set_on_vartmp_partition: CIS 1.0.1 RHEL 8/CentOS 8 1.1.10 Ensure noexec option set on vartmp partition
cem_linux::benchmarks::cis::controls::ensure_nonessential_services_are_removed_or_masked: CIS 3.1.1 RHEL 7/CentOS 7 2.4 Ensure nonessential services are removed or masked
cem_linux::benchmarks::cis::controls::ensure_nosuid_option_set_on_devshm_partition: CIS 3.1.1 RHEL 7/CentOS 7 1.1.9 Ensure nosuid option set on devshm partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.16 Ensure nosuid option set on devshm partition
cem_linux::benchmarks::cis::controls::ensure_nosuid_option_set_on_tmp_partition: CIS 3.1.1 RHEL 7/CentOS 7 1.1.5 Ensure nosuid option set on tmp partition | CIS 1.0.1 RHEL 8/CentOS 8 1.1.4 Ensure nosuid option set on tmp partition
cem_linux::benchmarks::cis::controls::ensure_nosuid_option_set_on_vartmp_partition: CIS 1.0.1 RHEL 8/CentOS 8 1.1.9 Ensure nosuid option set on vartmp partition
cem_linux::benchmarks::cis::controls::ensure_ntp_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 2.2.1.3 Ensure ntp is configured
cem_linux::benchmarks::cis::controls::ensure_only_strong_ciphers_are_used: CIS 3.1.1 RHEL 7/CentOS 7 5.3.13 Ensure only strong Ciphers are used
cem_linux::benchmarks::cis::controls::ensure_only_strong_key_exchange_algorithms_are_used: CIS 3.1.1 RHEL 7/CentOS 7 5.3.15 Ensure only strong Key Exchange algorithms are used
cem_linux::benchmarks::cis::controls::ensure_only_strong_mac_algorithms_are_used: CIS 3.1.1 RHEL 7/CentOS 7 5.3.14 Ensure only strong MAC algorithms are used
cem_linux::benchmarks::cis::controls::ensure_package_manager_repositories_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 1.2.2 Ensure package manager repositories are configured | CIS 1.0.1 RHEL 8/CentOS 8 1.2.5 Ensure package manager repositories are configured
cem_linux::benchmarks::cis::controls::ensure_packet_redirect_sending_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 3.2.2 Ensure packet redirect sending is disabled | CIS 1.0.1 RHEL 8/CentOS 8 3.1.2 Ensure packet redirect sending is disabled
cem_linux::benchmarks::cis::controls::ensure_password_creation_requirements_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.4.1 Ensure password creation requirements are configured | CIS 1.0.1 RHEL 8/CentOS 8 5.4.1 Ensure password creation requirements are configured
cem_linux::benchmarks::cis::controls::ensure_password_expiration_is_365_days_or_less: CIS 3.1.1 RHEL 7/CentOS 7 5.5.1.1 Ensure password expiration is 365 days or less | CIS 1.0.1 RHEL 8/CentOS 8 5.5.1.1 Ensure password expiration is 365 days or less
cem_linux::benchmarks::cis::controls::ensure_password_expiration_warning_days_is_7_or_more: CIS 3.1.1 RHEL 7/CentOS 7 5.5.1.3 Ensure password expiration warning days is 7 or more | CIS 1.0.1 RHEL 8/CentOS 8 5.5.1.3 Ensure password expiration warning days is 7 or more
cem_linux::benchmarks::cis::controls::ensure_password_hashing_algorithm_is_sha_512: CIS 3.1.1 RHEL 7/CentOS 7 5.4.3 Ensure password hashing algorithm is SHA 512 | CIS 1.0.1 RHEL 8/CentOS 8 5.4.4 Ensure password hashing algorithm is SHA 512
cem_linux::benchmarks::cis::controls::ensure_password_reuse_is_limited: CIS 3.1.1 RHEL 7/CentOS 7 5.4.4 Ensure password reuse is limited | CIS 1.0.1 RHEL 8/CentOS 8 5.4.3 Ensure password reuse is limited
cem_linux::benchmarks::cis::controls::ensure_permissions_on_all_logfiles_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 4.2.3 Ensure permissions on all logfiles are configured | CIS 1.0.1 RHEL 8/CentOS 8 4.2.3 Ensure permissions on all logfiles are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_bootloader_config_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 1.4.2 Ensure permissions on bootloader config are configured | CIS 1.0.1 RHEL 8/CentOS 8 1.5.1 Ensure permissions on bootloader config are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccron_d_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccron_daily_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccron_hourly_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccron_monthly_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccron_weekly_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etccrontab_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.1.2 Ensure permissions on etccrontab are configured | CIS 1.0.1 RHEL 8/CentOS 8 5.1.2 Ensure permissions on etccrontab are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcgroup__are_configured: CIS 3.1.1 RHEL 7/CentOS 7 6.1.9 Ensure permissions on etcgroup are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.9 Ensure permissions on etcgroup are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcgroup_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 6.1.8 Ensure permissions on etcgroup are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.8 Ensure permissions on etcgroup are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcgshadow__are_configured: CIS 3.1.1 RHEL 7/CentOS 7 6.1.6 Ensure permissions on etcgshadow are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.7 Ensure permissions on etcgshadow are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcgshadow_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 6.1.7 Ensure permissions on etcgshadow are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.6 Ensure permissions on etcgshadow are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcissue_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 1.7.5 Ensure permissions on etcissue are configured | CIS 1.0.1 RHEL 8/CentOS 8 1.8.1.5 Ensure permissions on etcissue are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcissue_net_are_configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcmotd_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 1.7.4 Ensure permissions on etcmotd are configured | CIS 1.0.1 RHEL 8/CentOS 8 1.8.1.4 Ensure permissions on etcmotd are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcpasswd__are_configured: CIS 3.1.1 RHEL 7/CentOS 7 6.1.3 Ensure permissions on etcpasswd are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.3 Ensure permissions on etcpasswd are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcpasswd_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 6.1.2 Ensure permissions on etcpasswd are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.2 Ensure permissions on etcpasswd are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcshadow__are_configured: CIS 3.1.1 RHEL 7/CentOS 7 6.1.5 Ensure permissions on etcshadow are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.5 Ensure permissions on etcshadow are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcshadow_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 6.1.4 Ensure permissions on etcshadow are configured | CIS 1.0.1 RHEL 8/CentOS 8 6.1.4 Ensure permissions on etcshadow are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_etcsshsshd_config_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.3.1 Ensure permissions on etcsshsshd config are configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.1 Ensure permissions on etcsshsshd config are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_ssh_private_host_key_files_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.3.2 Ensure permissions on SSH private host key files are configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.3 Ensure permissions on SSH private host key files are configured
cem_linux::benchmarks::cis::controls::ensure_permissions_on_ssh_public_host_key_files_are_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.3.3 Ensure permissions on SSH public host key files are configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.4 Ensure permissions on SSH public host key files are configured
cem_linux::benchmarks::cis::controls::ensure_prelink_is_disabled
cem_linux::benchmarks::cis::controls::ensure_prelink_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 1.5.4 Ensure prelink is not installed
cem_linux::benchmarks::cis::controls::ensure_rds_is_disabled: CIS 1.0.1 RHEL 8/CentOS 8 3.3.3 Ensure RDS is disabled
cem_linux::benchmarks::cis::controls::ensure_red_hat_subscription_manager_connection_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 1.2.4 Ensure Red Hat Subscription Manager connection is configured | CIS 1.0.1 RHEL 8/CentOS 8 1.2.1 Ensure Red Hat Subscription Manager connection is configured
cem_linux::benchmarks::cis::controls::ensure_remote_login_warning_banner_is_configured_properly: CIS 3.1.1 RHEL 7/CentOS 7 1.7.3 Ensure remote login warning banner is configured properly | CIS 1.0.1 RHEL 8/CentOS 8 1.8.1.3 Ensure remote login warning banner is configured properly
cem_linux::benchmarks::cis::controls::ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.
cem_linux::benchmarks::cis::controls::ensure_reverse_path_filtering_is_enabled: CIS 3.1.1 RHEL 7/CentOS 7 3.3.7 Ensure Reverse Path Filtering is enabled | CIS 1.0.1 RHEL 8/CentOS 8 3.2.7 Ensure Reverse Path Filtering is enabled
cem_linux::benchmarks::cis::controls::ensure_root_is_the_only_uid_0_account: CIS 3.1.1 RHEL 7/CentOS 7 6.2.9 Ensure root is the only UID 0 account | CIS 1.0.1 RHEL 8/CentOS 8 6.2.6 Ensure root is the only UID 0 account
cem_linux::benchmarks::cis::controls::ensure_root_path_integrity: CIS 3.1.1 RHEL 7/CentOS 7 6.2.10 Ensure root PATH Integrity | CIS 1.0.1 RHEL 8/CentOS 8 6.2.3 Ensure root PATH Integrity
cem_linux::benchmarks::cis::controls::ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked: CIS 3.1.1 RHEL 7/CentOS 7 2.2.18 Ensure rpcbind is not installed or the rpcbind services are masked
cem_linux::benchmarks::cis::controls::ensure_rsh_client_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.3.2 Ensure rsh client is not installed
cem_linux::benchmarks::cis::controls::ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked: CIS 3.1.1 RHEL 7/CentOS 7 2.2.19 Ensure rsync is not installed or the rsyncd service is masked
cem_linux::benchmarks::cis::controls::ensure_rsync_service_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.3 Ensure rsync service is not enabled
cem_linux::benchmarks::cis::controls::ensure_rsyslog_default_file_permissions_configured: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.3 Ensure rsyslog default file permissions configured | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.3 Ensure rsyslog default file permissions configured
cem_linux::benchmarks::cis::controls::ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host
cem_linux::benchmarks::cis::controls::ensure_rsyslog_is_installed: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.1 Ensure rsyslog is installed | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.1 Ensure rsyslog is installed
cem_linux::benchmarks::cis::controls::ensure_rsyslog_service_is_enabled: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.2 Ensure rsyslog Service is enabled and running | CIS 1.0.1 RHEL 8/CentOS 8 4.2.1.2 Ensure rsyslog Service is enabled
cem_linux::benchmarks::cis::controls::ensure_rsyslog_service_is_enabled_and_running: CIS 3.1.1 RHEL 7/CentOS 7 4.2.1.2 Ensure rsyslog Service is enabled and running
cem_linux::benchmarks::cis::controls::ensure_samba_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.7 Ensure Samba is not enabled
cem_linux::benchmarks::cis::controls::ensure_samba_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.11 Ensure Samba is not installed
cem_linux::benchmarks::cis::controls::ensure_sctp_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 3.4.2 Ensure SCTP is disabled | CIS 1.0.1 RHEL 8/CentOS 8 3.3.2 Ensure SCTP is disabled
cem_linux::benchmarks::cis::controls::ensure_secure_icmp_redirects_are_not_accepted: CIS 3.1.1 RHEL 7/CentOS 7 3.3.3 Ensure secure ICMP redirects are not accepted | CIS 1.0.1 RHEL 8/CentOS 8 3.2.3 Ensure secure ICMP redirects are not accepted
cem_linux::benchmarks::cis::controls::ensure_selinux_is_installed: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.1 Ensure SELinux is installed | CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.1 Ensure SELinux is installed
cem_linux::benchmarks::cis::controls::ensure_selinux_is_not_disabled_in_bootloader_configuration: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.2 Ensure SELinux is not disabled in bootloader configuration | CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration
cem_linux::benchmarks::cis::controls::ensure_selinux_policy_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.3 Ensure SELinux policy is configured | CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.3 Ensure SELinux policy is configured
cem_linux::benchmarks::cis::controls::ensure_session_initiation_information_is_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.8 Ensure session initiation information is collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.5 Ensure session initiation information is collected
cem_linux::benchmarks::cis::controls::ensure_setroubleshoot_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.7 Ensure SETroubleshoot is not installed | CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.6 Ensure SETroubleshoot is not installed
cem_linux::benchmarks::cis::controls::ensure_shadow_group_is_empty: CIS 3.1.1 RHEL 7/CentOS 7 6.2.4 Ensure shadow group is empty | CIS 1.0.1 RHEL 8/CentOS 8 6.2.19 Ensure shadow group is empty
cem_linux::benchmarks::cis::controls::ensure_snmp_server_is_not_enabled: CIS 1.0.1 RHEL 8/CentOS 8 2.2.5 Ensure SNMP Server is not enabled
cem_linux::benchmarks::cis::controls::ensure_source_routed_packets_are_not_accepted: CIS 3.1.1 RHEL 7/CentOS 7 3.3.1 Ensure source routed packets are not accepted | CIS 1.0.1 RHEL 8/CentOS 8 3.2.1 Ensure source routed packets are not accepted
cem_linux::benchmarks::cis::controls::ensure_ssh_access_is_limited: CIS 3.1.1 RHEL 7/CentOS 7 5.3.4 Ensure SSH access is limited | CIS 1.0.1 RHEL 8/CentOS 8 5.2.2 Ensure SSH access is limited
cem_linux::benchmarks::cis::controls::ensure_ssh_allowtcpforwarding_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 5.3.20 Ensure SSH AllowTcpForwarding is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.17 Ensure SSH AllowTcpForwarding is disabled
cem_linux::benchmarks::cis::controls::ensure_ssh_hostbasedauthentication_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 5.3.9 Ensure SSH HostbasedAuthentication is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.9 Ensure SSH HostbasedAuthentication is disabled
cem_linux::benchmarks::cis::controls::ensure_ssh_idle_timeout_interval_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.3.16 Ensure SSH Idle Timeout Interval is configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.13 Ensure SSH Idle Timeout Interval is configured
cem_linux::benchmarks::cis::controls::ensure_ssh_ignorerhosts_is_enabled: CIS 3.1.1 RHEL 7/CentOS 7 5.3.8 Ensure SSH IgnoreRhosts is enabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.8 Ensure SSH IgnoreRhosts is enabled
cem_linux::benchmarks::cis::controls::ensure_ssh_logingracetime_is_set_to_one_minute_or_less: CIS 3.1.1 RHEL 7/CentOS 7 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less | CIS 1.0.1 RHEL 8/CentOS 8 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less
cem_linux::benchmarks::cis::controls::ensure_ssh_loglevel_is_appropriate: CIS 3.1.1 RHEL 7/CentOS 7 5.3.5 Ensure SSH LogLevel is appropriate | CIS 1.0.1 RHEL 8/CentOS 8 5.2.5 Ensure SSH LogLevel is appropriate
cem_linux::benchmarks::cis::controls::ensure_ssh_maxauthtries_is_set_to_4_or_less: CIS 3.1.1 RHEL 7/CentOS 7 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less | CIS 1.0.1 RHEL 8/CentOS 8 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less
cem_linux::benchmarks::cis::controls::ensure_ssh_maxsessions_is_limited: CIS 3.1.1 RHEL 7/CentOS 7 5.3.22 Ensure SSH MaxSessions is limited
cem_linux::benchmarks::cis::controls::ensure_ssh_maxsessions_is_set_to_4_or_less: CIS 1.0.1 RHEL 8/CentOS 8 5.2.19 Ensure SSH MaxSessions is set to 4 or less
cem_linux::benchmarks::cis::controls::ensure_ssh_maxstartups_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.3.21 Ensure SSH MaxStartups is configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.18 Ensure SSH MaxStartups is configured
cem_linux::benchmarks::cis::controls::ensure_ssh_pam_is_enabled: CIS 3.1.1 RHEL 7/CentOS 7 5.3.19 Ensure SSH PAM is enabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.16 Ensure SSH PAM is enabled
cem_linux::benchmarks::cis::controls::ensure_ssh_permitemptypasswords_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 5.3.11 Ensure SSH PermitEmptyPasswords is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.11 Ensure SSH PermitEmptyPasswords is disabled
cem_linux::benchmarks::cis::controls::ensure_ssh_permituserenvironment_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 5.3.12 Ensure SSH PermitUserEnvironment is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.12 Ensure SSH PermitUserEnvironment is disabled
cem_linux::benchmarks::cis::controls::ensure_ssh_root_login_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 5.3.10 Ensure SSH root login is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.10 Ensure SSH root login is disabled
cem_linux::benchmarks::cis::controls::ensure_ssh_warning_banner_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 5.3.18 Ensure SSH warning banner is configured | CIS 1.0.1 RHEL 8/CentOS 8 5.2.15 Ensure SSH warning banner is configured
cem_linux::benchmarks::cis::controls::ensure_ssh_x11_forwarding_is_disabled: CIS 3.1.1 RHEL 7/CentOS 7 5.3.6 Ensure SSH X11 forwarding is disabled | CIS 1.0.1 RHEL 8/CentOS 8 5.2.6 Ensure SSH X11 forwarding is disabled
cem_linux::benchmarks::cis::controls::ensure_sticky_bit_is_set_on_all_world_writable_directories: CIS 3.1.1 RHEL 7/CentOS 7 1.1.22 Ensure sticky bit is set on all world writable directories | CIS 1.0.1 RHEL 8/CentOS 8 1.1.21 Ensure sticky bit is set on all world writable directories
cem_linux::benchmarks::cis::controls::ensure_successful_file_system_mounts_are_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.12 Ensure successful file system mounts are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.12 Ensure successful file system mounts are collected
cem_linux::benchmarks::cis::controls::ensure_sudo_commands_use_pty: CIS 3.1.1 RHEL 7/CentOS 7 5.2.2 Ensure sudo commands use pty | CIS 1.0.1 RHEL 8/CentOS 8 1.3.2 Ensure sudo commands use pty
cem_linux::benchmarks::cis::controls::ensure_sudo_is_installed: CIS 3.1.1 RHEL 7/CentOS 7 5.2.1 Ensure sudo is installed | CIS 1.0.1 RHEL 8/CentOS 8 1.3.1 Ensure sudo is installed
cem_linux::benchmarks::cis::controls::ensure_sudo_log_file_exists: CIS 3.1.1 RHEL 7/CentOS 7 5.2.3 Ensure sudo log file exists | CIS 1.0.1 RHEL 8/CentOS 8 1.3.3 Ensure sudo log file exists
cem_linux::benchmarks::cis::controls::ensure_suspicious_packets_are_logged: CIS 3.1.1 RHEL 7/CentOS 7 3.3.4 Ensure suspicious packets are logged | CIS 1.0.1 RHEL 8/CentOS 8 3.2.4 Ensure suspicious packets are logged
cem_linux::benchmarks::cis::controls::ensure_system_accounts_are_secured: CIS 3.1.1 RHEL 7/CentOS 7 5.5.2 Ensure system accounts are secured | CIS 1.0.1 RHEL 8/CentOS 8 5.5.2 Ensure system accounts are secured
cem_linux::benchmarks::cis::controls::ensure_system_administrator_actions_sudolog_are_collected: CIS 1.0.1 RHEL 8/CentOS 8 4.1.16 Ensure system administrator actions sudolog are collected
cem_linux::benchmarks::cis::controls::ensure_system_is_disabled_when_audit_logs_are_full: CIS 3.1.1 RHEL 7/CentOS 7 4.1.2.3 Ensure system is disabled when audit logs are full | CIS 1.0.1 RHEL 8/CentOS 8 4.1.2.3 Ensure system is disabled when audit logs are full
cem_linux::benchmarks::cis::controls::ensure_system_wide_crypto_policy_is_future_or_fips: CIS 1.0.1 RHEL 8/CentOS 8 1.11 Ensure system wide crypto policy is FUTURE or FIPS
cem_linux::benchmarks::cis::controls::ensure_system_wide_crypto_policy_is_not_legacy: CIS 1.0.1 RHEL 8/CentOS 8 1.10 Ensure system wide crypto policy is not legacy
cem_linux::benchmarks::cis::controls::ensure_system_wide_crypto_policy_is_not_over_ridden: CIS 1.0.1 RHEL 8/CentOS 8 5.2.20 Ensure system wide crypto policy is not over ridden
cem_linux::benchmarks::cis::controls::ensure_talk_client_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.3.3 Ensure talk client is not installed
cem_linux::benchmarks::cis::controls::ensure_tcp_syn_cookies_is_enabled: CIS 3.1.1 RHEL 7/CentOS 7 3.3.8 Ensure TCP SYN Cookies is enabled | CIS 1.0.1 RHEL 8/CentOS 8 3.2.8 Ensure TCP SYN Cookies is enabled
cem_linux::benchmarks::cis::controls::ensure_telnet_client_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.3.4 Ensure telnet client is not installed | CIS 1.0.1 RHEL 8/CentOS 8 2.3.2 Ensure telnet client is not installed
cem_linux::benchmarks::cis::controls::ensure_telnet_server_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.15 Ensure telnet server is not installed
cem_linux::benchmarks::cis::controls::ensure_the_audit_configuration_is_immutable: CIS 3.1.1 RHEL 7/CentOS 7 4.1.17 Ensure the audit configuration is immutable | CIS 1.0.1 RHEL 8/CentOS 8 4.1.17 Ensure the audit configuration is immutable
cem_linux::benchmarks::cis::controls::ensure_the_mcs_translation_service_mcstrans_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.8 Ensure the MCS Translation Service mcstrans is not installed | CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.7 Ensure the MCS Translation Service mcstrans is not installed
cem_linux::benchmarks::cis::controls::ensure_the_selinux_mode_is_enforcing_or_permissive: CIS 3.1.1 RHEL 7/CentOS 7 1.6.1.4 Ensure the SELinux mode is enforcing or permissive
cem_linux::benchmarks::cis::controls::ensure_the_selinux_policy_is_configured
cem_linux::benchmarks::cis::controls::ensure_the_selinux_state_is_enforcing: CIS 1.0.1 RHEL 8/CentOS 8 1.7.1.4 Ensure the SELinux state is enforcing
cem_linux::benchmarks::cis::controls::ensure_time_synchronization_is_in_use: CIS 3.1.1 RHEL 7/CentOS 7 2.2.1.1 Ensure time synchronization is in use | CIS 1.0.1 RHEL 8/CentOS 8 2.2.1.1 Ensure time synchronization is in use
cem_linux::benchmarks::cis::controls::ensure_tipc_is_disabled: CIS 1.0.1 RHEL 8/CentOS 8 3.3.4 Ensure TIPC is disabled
cem_linux::benchmarks::cis::controls::ensure_tmp_is_configured: CIS 3.1.1 RHEL 7/CentOS 7 1.1.2 Ensure tmp is configured | CIS 1.0.1 RHEL 8/CentOS 8 1.1.2 Ensure tmp is configured
cem_linux::benchmarks::cis::controls::ensure_unsuccessful_unauthorized_file_access_attempts_are_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected
cem_linux::benchmarks::cis::controls::ensure_updates_patches_and_additional_security_software_are_installed: CIS 3.1.1 RHEL 7/CentOS 7 1.9 Ensure updates patches and additional security software are installed | CIS 1.0.1 RHEL 8/CentOS 8 1.9 Ensure updates patches and additional security software are installed
cem_linux::benchmarks::cis::controls::ensure_use_of_privileged_commands_is_collected: CIS 3.1.1 RHEL 7/CentOS 7 4.1.11 Ensure use of privileged commands is collected | CIS 1.0.1 RHEL 8/CentOS 8 4.1.13 Ensure use of privileged commands is collected
cem_linux::benchmarks::cis::controls::ensure_users__netrc_files_are_not_group_or_world_accessible
cem_linux::benchmarks::cis::controls::ensure_users_dot_files_are_not_group_or_world_writable: CIS 3.1.1 RHEL 7/CentOS 7 6.2.14 Ensure users dot files are not group or world writable | CIS 1.0.1 RHEL 8/CentOS 8 6.2.9 Ensure users dot files are not group or world writable
cem_linux::benchmarks::cis::controls::ensure_users_home_directories_permissions_are_750_or_more_restrictive: CIS 3.1.1 RHEL 7/CentOS 7 6.2.13 Ensure users home directories permissions are 750 or more restrictive | CIS 1.0.1 RHEL 8/CentOS 8 6.2.7 Ensure users home directories permissions are 750 or more restrictive
cem_linux::benchmarks::cis::controls::ensure_users_own_their_home_directories: CIS 3.1.1 RHEL 7/CentOS 7 6.2.12 Ensure users own their home directories | CIS 1.0.1 RHEL 8/CentOS 8 6.2.8 Ensure users own their home directories
cem_linux::benchmarks::cis::controls::ensure_vartmp_partition_includes_the_nodev_option: CIS 3.1.1 RHEL 7/CentOS 7 1.1.13 Ensure vartmp partition includes the nodev option
cem_linux::benchmarks::cis::controls::ensure_vartmp_partition_includes_the_noexec_option: CIS 3.1.1 RHEL 7/CentOS 7 1.1.12 Ensure vartmp partition includes the noexec option
cem_linux::benchmarks::cis::controls::ensure_vartmp_partition_includes_the_nosuid_option: CIS 3.1.1 RHEL 7/CentOS 7 1.1.14 Ensure vartmp partition includes the nosuid option
cem_linux::benchmarks::cis::controls::ensure_wireless_interfaces_are_disabled: CIS 3.1.1 RHEL 7/CentOS 7 3.1.2 Ensure wireless interfaces are disabled | CIS 1.0.1 RHEL 8/CentOS 8 3.5 Ensure wireless interfaces are disabled
cem_linux::benchmarks::cis::controls::ensure_x11_server_components_are_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.2.2 Ensure X11 Server components are not installed
cem_linux::benchmarks::cis::controls::ensure_x_window_system_is_not_installed: CIS 1.0.1 RHEL 8/CentOS 8 2.2.2 Ensure X Window System is not installed
cem_linux::benchmarks::cis::controls::ensure_xinetd_is_not_installed: CIS 3.1.1 RHEL 7/CentOS 7 2.1.1 Ensure xinetd is not installed | CIS 1.0.1 RHEL 8/CentOS 8 2.1.1 Ensure xinetd is not installed
cem_linux::benchmarks::cis::controls::select_authselect_profile: CIS 1.0.1 RHEL 8 5.3.2 Select authselect profile
cem_linux::benchmarks::cis::controls::unmanaged_firewall: This class is only ever included in the catalog if you set the firewall_type config option to unmanaged. This class does nothing other than l
cem_linux::utils::account_hardening: Account hardening
cem_linux::utils::bootloader::grub2: Configure and manage the grub2 bootloader
cem_linux::utils::bootloader::grub2::auditd: Ensures auditd is not disabled in the grub2 boot command
cem_linux::utils::bootloader::grub2::selinux: Ensures SELinux is not disabled in the grub2 boot command
cem_linux::utils::chmod_logfiles: This class manages the permissions of log files in /var/log/
cem_linux::utils::default_umask: Default umask
cem_linux::utils::disable_core_dumps: Disable core dumps.
cem_linux::utils::disable_prelink: A short summary of the purpose of this class
cem_linux::utils::enable_aslr: Enable address space layout randomization (ASLR)
cem_linux::utils::firewall::firewalld: Configures Firewalld on the host
cem_linux::utils::firewall::iptables: Configures iptables as a firewall on the host
cem_linux::utils::firewall::iptables::post
cem_linux::utils::firewall::iptables::pre
cem_linux::utils::firewall::nftables: nftables utility class
cem_linux::utils::local_only_mta: Configures MTAs to only process local mail
cem_linux::utils::logindefs: Manages password max age, min age, and warn age
cem_linux::utils::motd: This class configures a system message of the day on a wide variety of systems.
cem_linux::utils::network::disable_dccp: Disables dccp
cem_linux::utils::network::disable_icmp_redirects: Disables the host from accepting ICMP redirect messages
cem_linux::utils::network::disable_ip_forwarding: Disables IP forwarding for IPv4 and IPv6
cem_linux::utils::network::disable_ipv6: Disables IPv6 via sysctl or grub
cem_linux::utils::network::disable_ipv6_router_advertisements: Disables accepting IPv6 router advertisements
cem_linux::utils::network::disable_packet_redirect_sending: Disables ICMP redirects on the system
cem_linux::utils::network::disable_rds: Disables rds
cem_linux::utils::network::disable_sctp: Disables sctp
cem_linux::utils::network::disable_secure_icmp_redirects: Disables the host from accepting secure ICMP redirect messages
cem_linux::utils::network::disable_source_routes: Disables source routing on host
cem_linux::utils::network::disable_tipc: Disables tipc
cem_linux::utils::network::enable_log_martians: Enables logging of suspicious packets (martians)
cem_linux::utils::network::enable_reverse_path_filtering: Enables reverse path filtering
cem_linux::utils::network::enable_tcp_syn_cookies: Configures host to enable tcp syn cookies
cem_linux::utils::network::ignore_bogus_icmp: Configures host to ignore logging non-RFC compliant ICMP responses
cem_linux::utils::network::ignore_icmp_broadcast: Configures host to ignore certain ICMP requests on broadcast and multicast addresses
cem_linux::utils::packages::linux::aide: This class installs and configures AIDE
cem_linux::utils::packages::linux::aide::config: Controls the AIDE config file
cem_linux::utils::packages::linux::aide::cron: Sets up scheduled AIDE scans via cron
cem_linux::utils::packages::linux::aide::package: Installs the AIDE package
cem_linux::utils::packages::linux::aide::service: Controls the AIDE systemd timer service
cem_linux::utils::packages::linux::at: Manages at.allow and at.deny files
cem_linux::utils::packages::linux::auditd: Manages auditd for auditing
cem_linux::utils::packages::linux::auditd::audit_configuration_immutable: Unesures the auditd configuretion is immutable.
cem_linux::utils::packages::linux::auditd::discretionary_access_control: A short summary of the purpose of this class
cem_linux::utils::packages::linux::auditd::file_deletion_events: Ensure file deletion events are logged.
cem_linux::utils::packages::linux::auditd::file_system_mounts: Ensure successful filesystem mount events are logged.
cem_linux::utils::packages::linux::auditd::kernel_module_loading: Ensure kernel module loading and unloading is logged.
cem_linux::utils::packages::linux::auditd::login_logout: Ensure login and logout events are logged
cem_linux::utils::packages::linux::auditd::mandatory_access_controls: Sets mandatory access control policy rules.
cem_linux::utils::packages::linux::auditd::modify_usergroup_information: Ensure events that modify usergroup information are logged.
cem_linux::utils::packages::linux::auditd::network_environment: Ensure network environment modifications are logged.
cem_linux::utils::packages::linux::auditd::privileged_commands: Ensure privileged commands are logged.
cem_linux::utils::packages::linux::auditd::session_initiation: Ensure network session initiation inforation is logged.
cem_linux::utils::packages::linux::auditd::sudoers: Ensure changes to system admin scope is logged.
cem_linux::utils::packages::linux::auditd::sudolog: Ensure sudo actions are logged.
cem_linux::utils::packages::linux::auditd::time_change: Ensure events that modify time and date information are logged.
cem_linux::utils::packages::linux::auditd::unsuccessful_unauthorized_file_access: Configure auditd to log unsuccessful unauthorized file access.
cem_linux::utils::packages::linux::authselect: This class manages Authselect on the system.
cem_linux::utils::packages::linux::chrony: A short summary of the purpose of this class
cem_linux::utils::packages::linux::cron: Configures permissions and allowlist for cron
cem_linux::utils::packages::linux::gdm: Manages the Gnome desktop environment
cem_linux::utils::packages::linux::logrotate: Installs and configures logrotate
cem_linux::utils::packages::linux::ntp: Install and configure NTP
cem_linux::utils::packages::linux::rsyslog: Manages rsyslog for basic compliance needs
cem_linux::utils::packages::linux::selinux: Mange SELINUX
cem_linux::utils::packages::linux::selinux::bootloader: A short summary of the purpose of this class
cem_linux::utils::packages::linux::ssh: Configures SSH in a secure manner
cem_linux::utils::packages::linux::sudo: Manages sudo package and configuration
cem_linux::utils::pam_auth: Configures PAM password-auth and system-auth
cem_linux::utils::pwquality: Configures password quality rules
cem_linux::utils::restrict_su: Restrict su
cem_linux::utils::services::inetd::disable: Disables unwanted (x)inetd services
cem_linux::utils::services::systemd::journald: Configures Journald with basic compliance settings
cem_linux::utils::services::systemd::secure_emergency_service: Secures ExecStart in emergency.service
cem_linux::utils::services::systemd::secure_rescue_service: Secures ExecStart in rescue.service
cem_linux::utils::services::systemd::tmp_mount: Enables and configures the tmp.mount service
cem_linux::utils::sticky_bit: A short summary of the purpose of this class
cem_linux::utils::system_crypto_policy: A short summary of the purpose of this defined type.
cem_linux::utils::timesync: Setup system timesync service
cem_linux::utils::tmout: Set idle login timeout.
cem_linux::utils::yum::enable_gpgcheck: Enables the gpgcheck option for all YUM repos

Private Classes

cem_linux::utils::bootloader::grub2::password: Creates and manages a grub2 password file.
cem_linux::utils::bootloader::grub2::permissions: Ensures proper permissions are set on grub2 bootloader

Defined types

cem_linux::utils::disable_fs_mounting: Disables filesystem mounting in Linux
cem_linux::utils::disable_service: Disable a service.
cem_linux::utils::file_permissions: Manages permissions on a file
cem_linux::utils::fstab_entry: Creates modifies, or deletes and entry in /etc/fstab
cem_linux::utils::limits: Creates a limits conf file
cem_linux::utils::modprobe_conf: Creates a new modprobe config file
cem_linux::utils::multi_sysctl: Sets multiple sysctl settings with the same value
cem_linux::utils::network::disable_wireless_interfaces: Disables wifi, wwan and bluetooth interfaces
cem_linux::utils::packages::absenter: Removes system packages
cem_linux::utils::packages::linux::auditd::rule: Creates an auditd rules file
cem_linux::utils::packages::linux::sudo::sudoers_default: Creates a Defaults entry in a given sudoers file
cem_linux::utils::packages::linux::sudo::user_group: Creates drop-in files to manage sudoer users and groups
cem_linux::utils::remount_fs: Helper type for remounting filesystems with new options
cem_linux::utils::remove_nis_entries: Remove legacy NIS entries from password and group files
cem_linux::utils::sysconfig: Define that allows changing settings for config files in /etc/syscofig/*

Resource types

cem_augeasprovider: Dumb Augeas provider type
cem_authselect_manage_profile: Sets the active authselect profile. Autorequires: If Puppet is managing the packages authselect, sssd, realm, sssd-ad, `winbindd
cem_file_perms: Manages only the permissions of files. This is useful for managing permissions of files that are not managed by a Puppet file resource, such
cem_grub_config: Manages global GRUB configuration parameters
cem_grub_menuentry: Manages menu entries in the GRUB and GRUB2 systems. NOTE: This may not cover all possible options and some options may apply to either
cem_grub_user: Manages GRUB2 Users - Does not apply to GRUB Legacy Note: This type compares against the active GRUB configuration. The contents of the ma
cem_kernel_parameter: Manages kernel parameters stored in bootloaders.
cem_mounttab: Manages entries in the filesystem table. This is usually, but not necessarily, used in conjunction with the mountpoint type to manage both th
cem_pam: Manages settings in an PAM service files. The resource name is a descriptive string only due to the non-uniqueness of any single paramter.
cem_shellvar: Manages variables in simple shell scripts.
cem_ssh_config: Manages settings in an OpenSSH ssh_config file. The resource name is used for the setting name, but if the host is given, then the name ca
cem_sshd_config: Manages settings in an OpenSSH sshd_config file. The resource name is used for the setting name, but if the condition is given, then the n
cem_sshd_config_match: Manages Match groups in an OpenSSH sshd_config file.
cem_sshd_config_subsystem: Manages Subsystem settings in an OpenSSH sshd_config file.
cem_sshkey: Installs and manages ssh host keys. By default, this type will install keys into /etc/ssh/ssh_known_hosts. To manage ssh keys in a differe
cem_sysctl: Manages entries in /etc/sysctl.conf.
cem_systemwide_crypto_policy: Sets the system-wide crypto policy.
inetd_service: a inetd_service type

Functions

Public Functions

combine_arrays: combine_arrays.rb Combines arrays into a one new array. Exposes options for uniqueness and flatness.
conditional_array: conditional_array.rb Builds an array based on conditional assignment. Each argument should be an 2 item array where the first item is a boole
grub_mkpasswd_pbkdf2: This function mimics the (grub|grub2)-mkpasswd-pbkdf2 command to generate passwords used with the grub bootloader.
has_class: has_class.rb Determines whether a class manifest exists in the current module.
is_mutex: is_mutex.rb Returns true if values passed in are mutually exclusive, meaning the other values are Undef (nil). Returns false otherwise.
process_firewall_exclusions: process_firewall_exclusions.rb Takes an array of strings and a conditionals hash, usually from a Hiera lookup, and processes the conditional
require_one: require_one.rb Returns true is there at least on value passed in is not nil. Returns false otherwise.
undef_default: undef_default.rb Takes two params, one is a Puppet class param and the other is a default value. If the Puppet class param is Undef, the defa

Private Functions

cem_linux::acpt_test_should_run: This function is only used for Litmus acceptance tests of cem_linux.

Tasks

audit_authselect: Audit authselect profile for RHEL8 and CentOS8
audit_duplicate_gid: Finds and returns duplicate GIDs in /etc/group
audit_duplicate_group_names: Finds and returns duplicate group names in /etc/group.
audit_duplicate_uid: Finds duplicate UIDs in /etc/passwd and returns the UID and all users that use it
audit_duplicate_user_names: Finds and returns duplicate user names in /etc/passwd.
audit_etcpasswd_groups: Finds groups that exist in /etc/passwd but do not exist in /etc/group
audit_pw_change_date: Returns the last password change date for all users
audit_sgid_executables: A short description of this task
audit_shadow_group: Finds and returns any users in the shadow group
audit_suid_executables: Returns a list of SUID executable files
audit_unconfined_services: Returns a list of all unconfined services
audit_unowned_files_and_directories: Returns a list of any unowned files and directories
audit_user_homedir: Audits user homedirs on the host
audit_world_writable_files: Returns a list of any world-writable files
enforce_user_passwords: Checks for users with blank passwords in /etc/shadow and sets the passwords to the default
litmus_get_acpt_test_data: Finds local module acceptance tests and returns stuctured data about them
litmus_provision_el7: Litmus provisioning EL7
litmus_provision_el8: Litmus provisioning EL8
query_gpg_keys: Queries for RPM GPG keys
query_listening_services: Queries for services with established TCP / UDP connections
query_yum_repos: Queries YUM repositories
redhat_subscription_manager: Register a system with RedHat subscription manager
root_path_integrity: Audits root path integrity. Must be run as root
root_uid: A short description of this task
update_bootloader: Updates and reinstall bootloader configuration

Plans

Public Plans

cem_linux::linux_users_and_groups: This plan enfoces user and group security policies.

Private Plans

cem_linux::provision_machines: This plan provisions machines used for Litmus acceptance testing

Classes

What are tasks?

Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.

Tasks in this module release

audit_authselect

Audit authselect profile for RHEL8 and CentOS8

audit_duplicate_gid

Finds and returns duplicate GIDs in /etc/group

audit_duplicate_group_names

Finds and returns duplicate group names in /etc/group.

audit_duplicate_uid

Finds duplicate UIDs in /etc/passwd and returns the UID and all users that use it

audit_duplicate_user_names

Finds and returns duplicate user names in /etc/passwd.

audit_etcpasswd_groups

Finds groups that exist in /etc/passwd but do not exist in /etc/group

audit_pw_change_date

Returns the last password change date for all users

audit_sgid_executables

A short description of this task

audit_shadow_group

Finds and returns any users in the shadow group

audit_suid_executables

Returns a list of SUID executable files

audit_unconfined_services

Returns a list of all unconfined services

audit_unowned_files_and_directories

Returns a list of any unowned files and directories

audit_user_homedir

Audits user homedirs on the host

Parameters
create_user_homedir	Whether or not a user should have a homedir created for them if they don't have one `Boolean`
enforce_user_dotfile_mode	Whether or not to chmod dotfiles if they are world or group writable `Boolean`
enforce_user_homedir_mode	Whether or not to chmod homedir if it's world or group writable `Boolean`
enforce_user_homedir_ownership	Whether or not to chown homedir if not owned by user `Boolean`
enforce_user_netrc_mode	If not purged, whether or not to chmod .netrc files if they are group or world writable `Boolean`
purge_user_forward_files	Whether or not to purge .forward files `Boolean`
purge_user_netrc_files	Whether or not to purge .netrc files `Boolean`
purge_user_rhosts_files	Whether or not to purge .rhosts files `Boolean`
user_dotfile_mode	The mode to set dotfiles to `String[1]`
user_homedir_mode	The mode to set a user's homedir to `String[1]`
user_netrc_mode	The mode to set netrc files to `String[1]`

Input method

stdin

audit_world_writable_files

Returns a list of any world-writable files

enforce_user_passwords

Checks for users with blank passwords in /etc/shadow and sets the passwords to the default

Parameters
default_password	A default password to set for accounts found to have no password `String[1]`

query_gpg_keys

Queries for RPM GPG keys

query_listening_services

Queries for services with established TCP / UDP connections

query_yum_repos

Queries YUM repositories

redhat_subscription_manager

Parameters
activationkey	comma-separated list of product keys to redeem `Optional[String]`
auto_attach	automatically attaches the best-matched, compatible subscriptions to this system `Optional[Boolean]`
baseurl	the name of the content delivery service to configure the yum service to pull down packages `Optional[String]`
consumerid	existing system inventory id to re-register the system `Optional[String]`
environment	registers the system to an environment within an organization `Optional[String]`
force	registers the system even if it is already registered `Optional[Boolean]`
name	hostname to register `Optional[String]`
org	registers the system to an organization `Optional[String]`
password	user account password `Optional[String]`
proxy	registers the system via a proxy server `Optional[String]`
proxypass	password for the proxy user `Optional[String]`
proxyuser	If using proxy, the username to use with the proxy `Optional[String]`
serverurl	Another host to register with instead of subscription.rhn.redhat.com `Optional[String]`
servicelevel	sets the service level (standard, premium, self-support) to use with subscriptions `Optional[Enum[standard, premium, self-support]]`
username	Username for account which is registering the system `Optional[String]`

Input method

stdin

root_path_integrity

Audits root path integrity. Must be run as root

root_uid

A short description of this task

Parameters
duplicate_uid_strategy	Strategy for how to deal with other accounts that have UID 0 `Enum[new_uid, remove, report]`

update_bootloader

Updates and reinstall bootloader configuration

Change log

All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

v1.1.2 (2022-03-16)

Fixed

Fixed a bug in cem_linux::utils::timesync that caused Puppet run failures when NTP was selected as the time service
Fixed bug that caused a Puppet run failure when attempting to use a template to provide the Message of the Day (MOTD)
Fixed a bug relating to unsupported options in the auditd config template on RHEL 7 causing the auditd service to fail to start
Various other minor fixes

Changed

Added section to README about configuring chrony/ntp
Expanded valid dependency version ranges in metadata.json. The new ranges allow for the use of the latest versions of dependencies.

v1.1.1 (2022-01-25)

Fixed

Fixed non-idempotent resource when managing Grub2 permissions on RHEL systems not using EFI

v1.1.0 (2021-12-14)

Added

Enforcement for CIS Red Hat Enterprise Linux 8 server level 2 recommendations.
Bootloader configuration, including setting a bootloader password, can now be managed through the module on systems that use the grub2 bootloader.
- You can also opt-in to automatically regenerating the bootloader config files after changes are made to them.
- See the docs for more details
Permissions management for logfiles in /var/log is now available in the module.
- Because this is now supported natively, the Bolt task cem_linux::logfile_permissions has been removed.
New fact cem_grub_cfg.

Changed

Replaced camptocamp-systemd with the supported puppet-systemd. This will require you to update your Puppetfile to use puppet-systemd with a minimum version of v3.5.0
The fact cem_uefi_boot has been changed to cem_efi. Additionally, more information has been added to this fact.

Fixed

Several minor bugfixes.

Notes

Currently, when scanning a node with Comply after applying CEM, some recommendations that are enforced by CEM may show up as failed on the scan. This is due to bugs in the CIS CAT Pro scanner used by Comply. More information is available in the docs.

v1.0.0 (2021-09-28

Intial public release

* This Changelog was automatically generated by github_changelog_generator

Modules

Discover

Contribute

Puppet

Premium features

Downloads

Resources

About Forge

Getting Started

cem_linux

Version information

This version is compatible with:

This module has been deprecated by its author since May 8th 2024.

Tasks:

Documentation

cem_linux

Table of Contents

Description

Setup

System requirements

Install CEM with Code Manager

Usage

Finding and setting configuration options

Top-level configuration options

Top-level configuration options Hiera example

General configuration options

CIS configuration options

Red Hat Enterprise Linux 8-specific CIS configuration options

Control classes

Configuration examples

Basic configuration example

Advanced configuration example

Enforcing bootloader configurations

Regenerating bootloader configs automatically

Setting a bootloader password

Using authselect

Custom authselect profiles

Configuring authselect

Authselect and PAM

Configuring custom logrotate rules

Configuring sudo without a password

Configuring user SSH keys

Configuring SSH allowed and denied users and groups

Configuring the firewall type

Rules that rely on specific site information

Bolt tasks in Puppet Enterprise (PE)

Run Bolt tasks from the command line

Known issues

Comply Scan Issues

General Issues

Reference

Table of Contents

Classes

Public Classes

Private Classes

Defined types

Resource types

Functions

Public Functions

Private Functions

Tasks

Plans

Public Plans

Private Plans

Classes

What are tasks?

Tasks in this module release

audit_authselect

audit_duplicate_gid

audit_duplicate_group_names

audit_duplicate_uid

audit_duplicate_user_names

audit_etcpasswd_groups

audit_pw_change_date

audit_sgid_executables

audit_shadow_group

audit_suid_executables

audit_unconfined_services

audit_unowned_files_and_directories

audit_user_homedir

`cem_linux`