Version information
released Sep 8th 2022
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.23.0 < 8.0.0
- ,
This module has been deprecated by its author since May 8th 2024.
The author has suggested puppetlabs-sce_linux as its replacement.
Tasks:
- audit_authselect
- audit_check_ipv6
- audit_duplicate_gid
- audit_duplicate_group_names
Documentation
puppetlabs/cem_linux — version 1.3.2 Sep 8th 2022
cem_linux
Table of contents
cem_linux- Table of contents
- Introducing the Compliance Enforcement Modules
- Setup
- Usage
- Find and set configuration options
- Top-level configuration options
- Benchmark configuration options
- CIS-specific configuration options
- Configuration examples
- Basic configuration example
- Advanced configuration example
- Enforce bootloader configurations
- Guidelines for enabling the authselect option
- Configure custom logrotate rules
- Configure sudo without a password
- Configure user SSH keys
- Configure SSH permissions for users and groups
- Configure the firewall type
- Rules that rely on site-specific information
- Known issues
Introducing the Compliance Enforcement Modules
The cem_linux module is one of two Compliance Enforcement Modules (CEM). These supported Puppet modules were developed specifically to bring your Puppet Enterprise (PE) managed nodes into compliance. CEM currently supports Center for Internet Security (CIS) compliance rules.
By default, CEM enforces CIS rules for the Level 1 server profile.
This readme file provides instructions for installing CEM and customizing the configuration settings to meet your organization’s compliance requirements. For a list of available parameters, see the CEM reference.
After you have installed and configured CEM, PE will run on any classified nodes without user intervention to scan for compliance.
To manage Microsoft Windows nodes, navigate to cem_windows.
Setup
Before you install CEM, review the System requirements to ensure that CEM can be run on the operating systems in your environment. Then, contact a Puppet sales representative to purchase CEM.
System requirements
cem_linux supports the following operating systems and CIS benchmarks:
| Operating system | Framework | Level | Profile |
|---|---|---|---|
| Red Hat Enterprise Linux 7 | CIS Benchmarks v3.1.1 | 1, 2 | Server |
| Red Hat Enterprise Linux 8 | CIS Benchmarks v2.0.0 | 1, 2 | Server |
| CentOS Linux 7 | CIS Benchmarks v3.1.2 | 1, 2 | Server |
Install CEM with Code Manager
You can install CEM by using Code Manager, a code management tool. For installation instructions, see Puppet Forge Premium Content.
Upgrade CEM
To upgrade CEM, update the CEM declaration in the Puppetfile. Specify the version number to which you are upgrading CEM.
For instructions about modifying the Puppetfile, see Declare Forge modules in the Puppetfile.
For example, to upgrade the cem_linux module to version 1.3.0, you would specify the CEM declaration as shown:
mod 'puppetlabs/cem_linux', '1.3.0'
Troubleshooting tip: Starting with v1.3.0, CEM for Linux implements a new architecture. If you upgrade CEM from v1.2.0 or earlier to v1.3.0 or later, and you encounter errors, try restarting the pe-puppetserver service or restarting or reloading Puppet Server. For instructions, see Restarting Puppet Server.
Usage
By default, CEM enforces CIS rules for the Level 1 server profile based on default acceptable values for each CIS recommendation. However, sometimes enforcing these default values can leave your nodes in an undesirable state. In these situations, you can customize how CEM enforces compliance to meet your organization's requirements.
Caution: CEM's default settings are fully CIS compliant. Too much customization can result in your configurations being noncompliant.
Find and set configuration options
Configuration options include top-level configuration options, benchmark configuration options, and CIS-specific configuration options.
You can find the configuration options for a specific control in the CEM Linux Reference. The reference is divided into sections, with each section representing a benchmark. In those benchmarks, you will see each control listed with several subsections:
- Parameters:
- Configuration options for a control, along with the data type and default value.
- Config Example:
- Snippet of Hiera that can be used to configure a control.
- Supported Levels:
- The supported levels for a CIS control.
- Supported Profiles:
- The supported profiles for a CIS control.
- Alternate Config IDs:
- The alternate config IDs for a control. Any of these config IDs, along with the full control name, can be used as a key in the
control_confighash.
- The alternate config IDs for a control. Any of these config IDs, along with the full control name, can be used as a key in the
- Resource:
- The name of the Puppet resource that enforces the control.
Alternate config IDs
You can specify controls in the control_config hash by referencing the full control name, the control number, the normalized control name, or the normalized control number. You cannot mix and match these forms and must pick a single control ID form to use for your config. Full control names and control numbers are copied verbatim from the benchmarks and are case-sensitive. Normalized control names have lowercase letters and contain only alphanumeric characters and underscores. Normalized control numbers are always prefixed with a c and contain only numeric characters separated by underscores.
Example of alternate config IDs:
- Full control name:
(L1) Ensure 'Enforce password history' is set to '24 or more password(s)' - Control number:
1.1.1 - Normalized control name:
ensure_enforce_password_history_is_set_to_24_or_more_passwords - Normalized number:
c1_1_1
Resource data
The data that drives CEM Linux is located in directories and files with the following structure:
data/<facts.os.family>/<facts.os.name>/<facts.os.release.major>.yaml
For example:
data/RedHat/RedHat/8.yaml
These Hiera files contain definitions for each Puppet resource that enforces a control.
Caution: Do not modify the resource definitions that drive CEM Linux. If you must change the behavior of a control, configure the control by using the
control_confighash.
Top-level configuration options
These configuration options are set at the top level of the module. In Hiera, these options are prefixed with cem_linux:
benchmark-Enum['cis']- the compliance framework to use. CEM supports onlycis. Default:cis.config-Optional[Hash]- the location for all non-top-level configuration options. Default:undef.allow_on_kubernetes_node-Boolean- Ifcem_linuxdetects that it is running on a Kubernetes cluster node or host, CEM does not enforce controls and logs a warning to inform the user. In this way, CEM helps to prevent the accidental enforcement of incorrect compliance settings that can render Kubernetes non-functional. Default:false.regenerate_grub2_config-Boolean- Some configurations in CEM for Linux modify theGrub2bootloader configuration. To regenerate theGrub2configuration after applying a change, set this parameter totrue. If you do not set this totrue, you must manually regenerate theGrub2configuration. Default:false.set_grub2_password-Boolean- Set the password for the Grub2 bootloader. If you set this totrue, you must also set thegrub2_superuserandgrub2_superuser_passwordparameters, or configure the specific bootloader password control by using thecontrol_configsoption. Default:false.grub2_superuser-Optional[String[1]]- The superuser for theGrub2bootloader if you setset_grub2_passwordtotrue. Default:Undef.grub2_superuser_password-Optional[Sensitive[String]]- The superuser password for theGrub2bootloader if you setset_grub2_passwordtotrue. This value is sensitive in terms of security, and should be stored in a Sensitive data type. Default:Undef.
Hiera example
The following example configures CEM for Linux to regenerate the Grub2 bootloader
config on a node using the CIS benchmark:
cem_linux::benchmark: 'cis'
cem_linux::allow_on_kubernetes_node: false
cem_linux::regenerate_grub2_config: true
cem_linux::config:
...
Benchmark configuration options
The benchmark configuration options are available as key-value pairs within the cem_linux::config: hash.
only:-Optional[Array[String]]— takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp) — classes specified here are included in the catalog. Takes precedence overignore:. Default:undef.ignore:-Optional[Array[String]]— takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp). The classes specified here are not included in the catalog. Ifonly:is specified, this option does nothing. Default:undef.control_configs-Optional[Hash]— where all rule-specific configurations live. Default:undef.
CIS-specific configuration options
The CIS-specific configuration options are available as key-value pairs within the cem_linux::config: hash.
profile:-Optional[Enum['server', 'workstation']]— the name of the benchmark profile. The only value supported by CEM isserver. Default:server.level:-Optional[Enum['1', '2']]— the name of the profile level. The only value supported by CEM is1. Default:1.firewall_type:-Optional[Enum['iptables', 'firewalld', 'unmanaged']]— the preferred firewall provider. If set tounmanaged, CEM will not enforce any firewall-related rules. Default:firewalld.enable_nopasswd_sudo_prune-Optional[Boolean]- If set totrue, CEM will remove theNOPASSWDoption from entries in the/etc/sudoersfile. Default:false.enable_systemd_journal-Optional[Boolean]- Whether to enable thesystemd-journallogging service. The default value isfalse. If this option is enabled, thesystemd-journal-remotepackage will be installed and thesystemd-journal-upload.serviceservice will be enabled. However, several configuration parameters are required to ensure thatsystemd-journal-upload.servicefunctions correctly:
cem_linux::config:
control_configs:
'ensure_systemd_journal_remote_is_configured':
address: '<IP address or FQDN of the remote host>'
server_key_file: '<path to the server key file>'
server_certificate_file: '<path to the server certificate file>'
trusted_certificate_file: '<path to the trusted certificate file>'
Red Hat Enterprise Linux 8-specific CIS configuration options
The authselect utility can be used to configure user authentication on a Red Hat Enterprise Linux (RHEL) host. If you installed CEM on a RHEL 8 operating system, authselect options are available, but should be avoided in almost all cases. The authselect utility is disabled by default because enablement of authselect can break authentication methods, and use of the utility requires extensive configuration.
The following authselect options are available for RHEL 8:
use_authselect:-Optional[Boolean]- Whether to useauthselectto manage most authentication options. Defaults tofalse. For more information, see Guidelines for enabling the authselect option.authselect_profile-Optional[String]- If usingauthselect, you must specify anauthselectprofile with this option. Defaults toundef. For more information, see Guidelines for enabling the authselect option.
Configuration examples
To see what CEM looks like in production, see the following configuration examples.
Basic configuration example
When you specify a compliance framework, CEM is configured to provide rule enforcement and configuration for that framework. For example, to enforce the CIS Server Level 1 benchmark for a node, you need to classify the node with the CEM class, set the framework parameter to cis, and run Puppet.
In the following example, CEM enforces the CIS Level 1 server recommendations "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node.
- Add the following Hiera data to your control repository,
control repo:
# control-repo/data/nodes/<node name>.yaml
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
only:
- 'ensure_aide_is_installed'
- 'ensure_filesystem_integrity_is_regularly_checked'
- Classify the node with the class
cem_linux. - Run Puppet.
Some CIS recommendations require you to run a Bolt task. To determine which task to run, review the output of the Puppet debug logs.
Advanced configuration example
Building on the basic configuration example, the following example customizes the AIDE configuration file in Hiera.
- Add the following code to the node's Hiera file:
# control-repo/data/nodes/<node name>.yaml
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
only:
- 'ensure_aide_is_installed'
- 'ensure_filesystem_integrity_is_regularly_checked'
control_configs:
ensure_aide_is_installed:
conf_rules:
- 'PERMS = p+u+g+acl+xattrs'
- 'CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs'
conf_checks:
- '/root/\..* PERMS'
- '/root/ CONTENT_EX'
-
Classify the node with the class
cem_linux. -
Run Puppet.
-
Run the Bolt task that is specified in the
debuglog.
The AIDE configuration file now reflects the changes in Hiera.
Enforce bootloader configurations
In rare cases, it might be useful to enable automatic regeneration of the bootloader configuration, and you might want to set a bootloader password.
Caution: The only bootloader supported by CEM for Linux is grub2.
CEM for Linux enforces various bootloader configurations as required by the selected compliance framework and benchmark. However, because changes to bootloader configurations can be potentially dangerous, a minimalistic approach to configuration changes is used by CEM for Linux.
For CIS, there are several recommendations that modify the bootloader config. If you run CEM for Linux with the full range of default settings, these changes will be applied, but the bootloader config will not be regenerated. While changes are pending on the node, bootloader operations remain the same until the configurations are regenerated. The exception to this is the bootloader password, which is not set by default. The following examples show how you can configure CEM for Linux to automatically regenerate the bootloader config and how you can set a bootloader password.
Regenerate bootloader configs automatically
To regenerate bootloader configurations automatically, locate the following file, where <node name> specifies the name of the affected node.
Edit the file to specify the following setting:
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::regenerate_grub2_config: true
Set a bootloader password
You can set a bootloader password as shown in the following example:
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::regenerate_grub2_config: true
cem_linux::set_grub2_password: true
cem_linux::grub2_superuser: 'root'
cem_linux::grub2_superuser_password: 'password'
lookup_options:
cem_linux::grub2_superuser_password:
convert_to: 'Sensitive'
Restriction: The cem_linux::grub2_superuser_password key must be of type Sensitive[String]. Setting a lookup option for that key to convert it to Sensitive is the best way to ensure that the value is a Sensitive[String].
Caution: Do not store plain-text passwords in Hiera. Using something like hiera-eyaml is a better way to store secrets.
Guidelines for enabling the authselect option
The authselect option is disabled by default because enablement of authselect can disrupt authentication methods, and use of the option requires extensive configuration.
Caution: If a node is joined to an Active Directory domain or to Red Hat Identity Management (idM), do not enable the authselect option. Enabling authselect on these nodes will break your authentication configurations.
Restrictions:
- The
authselectoption is supported only on Red Hat Enterprise Linux 8. - You cannot enable the
authselectoption if you are using pluggable authentication modules (PAM) for application management.
By default, cem_linux uses standard PAM rules to configure the authentication controls specified by CIS. However, if you are enforcing CIS compliance on Red Hat Enterprise Linux 8, CIS guidelines call for authselect to be used. The following example configuration shows how to enable authselect on a node by using the minimal system default profile:
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::config:
use_authselect: true
authselect_profile: 'minimal'
To enable the authselect option:
- Set the config option
use_authselecttotrue. - Specify an
authselectprofile with the config optionauthselect_profile.
Both of the options must be set directly in the cem_linux::config hash for the authselect option to work properly.
Custom authselect profiles
If you are enforcing CIS compliance on a Red Hat Enterprise Linux 8 system and you want to enable additional features for your authselect profile, you can create a custom profile.
To create and use a custom authselect profile in cem_linux, prefix the profile name in authselect_profile with custom/. If the custom profile does not exist on the node, the profile will be created automatically. The following example shows how to create and use a custom profile, my_custom_profile, which is based on the system profile minimal with additional features enabled:
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::config:
use_authselect: true
authselect_profile: 'custom/my_custom_profile'
control_configs:
ensure_custom_authselect_profile_is_used:
custom_profile_base: 'minimal'
profile_features:
- with-faillock
- with-mkhomedir
Configure authselect
All authselect configurations are managed via the control class ensure_custom_authselect_profile_is_used, regardless of whether you use a custom profile. See the reference for all configuration options.
Configure custom logrotate rules
To help ensure that logs are pruned on a regular basis to conserve system space, you can specify logrotate rules.
The following example creates custom logrotate rules for the primary Puppet server's puppetserver logs.
# control-repo/data/nodes/<your puppetserver>.yaml
---
cem_linux::config:
control_configs:
ensure_logrotate_is_configured:
rules:
puppetserver:
path:
- '/var/log/puppetlabs/puppetserver/puppetserver.log'
- '/var/log/puppetlabs/puppetserver/pcp-broker.log'
- '/var/log/puppetlabs/puppetserver/puppetserver-access.log'
- '/var/log/puppetlabs/puppetserver/puppetserver-daemon.log'
- '/var/log/puppetlabs/puppetserver/puppetserver-status.log'
- '/var/log/puppetlabs/puppetserver/code-manager-access.log'
- '/var/log/puppetlabs/puppetserver/file-sync-access.log'
- '/var/log/puppetlabs/puppetserver/masterhttp.log'
create_owner: 'puppet'
create_group: 'puppet'
Configure sudo without a password
You can give users and user groups the ability to run some or all commands as root without a password.
The following example configures the admins group to grant sudo access without a password:
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
control_configs:
ensure_sudo_is_installed:
package_ensure: 'installed'
options:
user_group:
%admins:
options:
- 'NOPASSWD:'
Configure user SSH keys
To use the Secure Shell (SSH) protocol for communication between computers, you must configure SSH keys. You can also configure SSH keys for individual users. In the following example, keys are configured for testuser1 and testuser2:
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
control_configs:
ensure_permissions_on_etcsshsshd_config_are_configured:
permit_root_login: 'yes'
user_ssh_keys:
testuser1:
username: testuser1
home_dir: /home/testuser1
ssh_key: ssh-rsa A...ZcTFw== rsa-key-20201022
testuser2:
username: testuser2
home_dir: /home/testuser2
ssh_key: ssh-rsa A...ZcTFw== rsa-key-20201022
Configure SSH permissions for users and groups
You can configure SSH at a granular level to specify users and groups that are granted or denied permissions. The following example configures SSH to grant permissions to some users and groups and deny permissions to other users and groups:
cem_linux::benchmark: 'cis'
cem_linux::config:
control_configs:
ensure_permissions_on_etcsshsshd_config_are_configured:
allow_users:
- testuser1
- the_dude
allow_groups:
- testgroup1
- goonies
deny_users:
- testuser2
- the_emperor
deny_groups:
- testgroup2
- legion_of_doom
Configure the firewall type
The following examples configure the firewall.
Restriction: Firewalls that are based on the nftables framework are not supported. Use the firewalld or iptables setting instead.
firewalld is the default setting:
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
firewall_type: 'firewalld'
You can also specify a value of iptables:
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
firewall_type: 'iptables'
You can also specify a value of unmanaged. When you set the firewall_type parameter to unmanaged, CEM does not enforce a state on any firewall resource. Use unmanaged if you do not want CEM to configure your firewalls.
cem_linux::benchmark: 'cis'
cem_linux::config:
profile: 'server'
level: '1'
firewall_type: 'unmanaged'
Rules that rely on site-specific information
Some CIS rules require information that is specific to a customer site. You can use Bolt tasks to configure these rules.
Bolt tasks in Puppet Enterprise (PE)
Using PE, you can run Bolt tasks and plans to audit or configure specific parts of a node. To run Bolt tasks, open the PE console and select the Tasks menu. Then, select cem_linux.
Run Bolt tasks from the command line
You can also run Bolt tasks from the command line.
- Install Puppet Development Kit (PDK) and Bolt.
- In the root of the CEM directory, run the
pdk bundle exec rake 'spec_prep'command. This command downloads the required dependencies as RSpec fixtures, and then creates a symbolic link from the module directory to the fixtures directory. - Run the tasks on one or more hosts. For example:
bolt task run comply_enforcement_module::audit_unowned_files_and_directories -t $nodefqdn --modulepath spec/fixtures/modules. You must add the--modulepath spec/fixtures/modulesoption to Bolt commands. Otherwise, Bolt is not able to find the tasks and plans.
Known issues
The current release includes known issues and restrictions. In most cases, workarounds are provided.
Comply scan issues
During a Comply scan, you might see errors about CIS recommended guidelines that are not enforced. These error messages are triggered by bugs in the CIS-CAT Pro Assessor that is bundled with Comply. CEM does correctly enforce these settings.
The following Comply scan errors might be reported:
- Red Hat Enterprise Linux Benchmark v2.0.0:
- 1.4.2 - Ensure permissions on bootloader are configured
- On EFI systems, the script that was run by the CIS-CAT Pro Assessor did not locate the correct
grubfile path. Permissions are set correctly by CEM. No action is required.
- On EFI systems, the script that was run by the CIS-CAT Pro Assessor did not locate the correct
- 1.4.1 - Ensure bootloader password is set
- On EFI systems, the script that was run by the CIS-CAT Pro Assessor did not locate the correct
grubfile path. It is not mandatory to set a bootloader password. However, if you want to set a password to protect your system against unauthorized startup, follow the instructions in Setting a bootloader password.
- On EFI systems, the script that was run by the CIS-CAT Pro Assessor did not locate the correct
- 4.1.2.3 Ensure system is disabled when audit logs are full
- This is set to
haltby CEM. The CIS-CAT Pro Assessor shows this incorrectly as a scan failure. No action is required.
- This is set to
- 5.2.18 Ensure SSH MaxSessions is set to 10 or less
- This is set to 10 by default. The CIS-CAT Pro Assessor shows this incorrectly as a scan failure. The scanner is incorrectly looking for <=4 instead of <=10. No action is required.
- 3.3. Ensure secure ICMP redirects are not accepted.
- The parameters are set correctly by CEM. However, when scans are performed on a system monitored by Google (i.e a Google Cloud VM instance), the result is a failed scan. This happens because the system monitored by Google has a separate file that manage sysctl configs. The parameters in the file created by Google overshadowed the parameters in the file created by CEM.
- 1.4.2 - Ensure permissions on bootloader are configured
General issues and limitations
- Starting with v1.3.0, CEM for Linux implements a new architecture. If you upgrade CEM from v1.2.0 or earlier to v1.3.0 or later, and you encounter errors, try restarting the
pe-puppetserverservice or restarting or reloading Puppet Server. For instructions, see Restarting Puppet Server. - You cannot use the
iolog_diroption to specify a directory for sudo log files. If you attempt to use theiolog_diroption in thesudoersfile to specify a log directory other than the default, errors are reported by the Augeas program. Augeas is a tool used for configuration editing in CEM. - CEM cannot create file system partitions. This limitation can cause certain scanner checks to fail.
- CEM cannot set permissions on removable media partitions. To set the required permissions on these partitions, ensure that
nodev,nosuid,noexecexists in the options portion of/etc/fstabfor the partition. - Support for the eXecute Disable/No eXecute (XD/NX) hardware feature is dependent on the host kernel and cannot be configured by CEM. If you plan to enable XD/NX support, ensure that you are using up-to-date kernels. If you plan to enable XD/NX support on newer kernels, be aware that CEM cannot manage this feature.
- To comply with CIS recommendations, you must prevent root users from logging onto the system console. Because this action requires knowledge of the site, you must configure this control manually by removing entries in
/etc/securettyfor consoles that are not in secure locations. - CEM does not enforce
authselectcontrols for CIS 2.0.0 5.4.x on Red Hat Enterprise Linux 8. Enforcement requires site knowledge and can break network authentication. CIS recommends that you do not enforce this control. CEM includes a Bolt task,audit_authselect,to audit these controls. - You can configure the
ensure_nodev_option_set_on_home_partitioncontrol only if the/homesetting is mounted on its own partition. Puppet does not create a partition for/home. - If your system is running on Red Hat Enterprise Linux 8:
- The
ensure_nis_server_is_not_installedcontrol is dependent onensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked. If you enforceensure_nis_server_is_not_installed, you must also enforceensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked. - The
ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_maskedcontrol is dependent onensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked. If you do not enforceensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked, you must also not enforceensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked. - The
ensure_the_running_and_on_disk_configuration_is_the_samecontrol is always enforced ifauditdis managed by CEM.
- The
- The
ensure_users_must_provide_password_for_escalationcontrol is disabled by default. You might want to enable this control to help ensure CIS compliance. However, a potential risk exists: It is possible that removingNOPASSWD:from sudoers files could invalidate the syntax of those files and break system authentication. If you accept the risk and want to enable this control, set the top-level configuration optionenable_nopasswd_sudo_pruneto true. - If your system is running on Red Hat Enterprise Linux 7 or CentOS 7:
- The
ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_maskedcontrol is dependent onensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked. If you enforceensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked, you must also enforceensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked.
- The
- The
disable_wireless_interfacescontrol requires that you install the NetworkManager package and that the service is running. - The
ensure_system_is_disabled_when_audit_logs_are_fullcontrol will halt the system when the audit logs are full. If you do not want the system to halt, please configure this control's parameteradmin_space_left_actiontosyslog.
CEM Linux Reference
Table of Contents
- CIS CentOS Linux 7 Benchmark 3.1.2
- CIS Red Hat Enterprise Linux 7 Benchmark 3.1.1
- CIS Red Hat Enterprise Linux 8 Benchmark 2.0.0
CIS CentOS Linux 7 Benchmark 3.1.2
1.1.1.1 - Ensure mounting of cramfs filesystems is disabled
- Parameters:
filesystem- [String[1]] - Default:cramfs
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure mounting of cramfs filesystems is disabled":
filesystem: "cramfs"
- Alternate Config IDs:
1.1.1.1c1_1_1_1ensure_mounting_of_cramfs_filesystems_is_disabled
- Resource:
Cem_linux::Utils::Disable_fs_mounting['Disable cramfs filesystem mounting']
1.1.1.2 - Ensure mounting of squashfs filesystems is disabled
- Parameters:
filesystem- [String[1]] - Default:squashfs
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure mounting of squashfs filesystems is disabled":
filesystem: "squashfs"
- Alternate Config IDs:
1.1.1.2c1_1_1_2ensure_mounting_of_squashfs_filesystems_is_disabled
- Resource:
Cem_linux::Utils::Disable_fs_mounting['Disable squashfs filesystem mounting']
1.1.1.3 - Ensure mounting of udf filesystems is disabled
- Parameters:
filesystem- [String[1]] - Default:udf
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure mounting of udf filesystems is disabled":
filesystem: "udf"
- Alternate Config IDs:
1.1.1.3c1_1_1_3ensure_mounting_of_udf_filesystems_is_disabled
- Resource:
Cem_linux::Utils::Disable_fs_mounting['Disable udf filesystem mounting']
1.1.3 - Ensure noexec option set on /tmp partition
- Parameters:
noexec- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure noexec option set on /tmp partition":
noexec: true
- Alternate Config IDs:
1.1.3c1_1_3ensure_noexec_option_set_on_tmp_partition
- Resource:
Class['cem_linux::utils::services::systemd::tmp_mount']
1.1.4 - Ensure nodev option set on /tmp partition
- Parameters:
nodev- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure nodev option set on /tmp partition":
nodev: true
- Alternate Config IDs:
1.1.4c1_1_4ensure_nodev_option_set_on_tmp_partition
- Resource:
Class['cem_linux::utils::services::systemd::tmp_mount']
1.1.5 - Ensure nosuid option set on /tmp partition
- Parameters:
nosuid- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure nosuid option set on /tmp partition":
nosuid: true
- Alternate Config IDs:
1.1.5c1_1_5ensure_nosuid_option_set_on_tmp_partition
- Resource:
Class['cem_linux::utils::services::systemd::tmp_mount']
1.1.7 - Ensure noexec option set on /dev/shm partition
- Parameters:
noexec- [Boolean] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure noexec option set on /dev/shm partition":
noexec: true
- Alternate Config IDs:
1.1.7c1_1_7ensure_noexec_option_set_on_devshm_partition
- Resource:
Class['cem_linux::utils::dev_shm_fstab_entry']
1.1.8 - Ensure nodev option set on /dev/shm partition
- Parameters:
nodev- [Boolean] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure nodev option set on /dev/shm partition":
nodev: true
- Alternate Config IDs:
1.1.8c1_1_8ensure_nodev_option_set_on_devshm_partition
- Resource:
Class['cem_linux::utils::dev_shm_fstab_entry']
1.1.9 - Ensure nosuid option set on /dev/shm partition
- Parameters:
nosuid- [Boolean] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure nosuid option set on /dev/shm partition":
nosuid: true
- Alternate Config IDs:
1.1.9c1_1_9ensure_nosuid_option_set_on_devshm_partition
- Resource:
Class['cem_linux::utils::dev_shm_fstab_entry']
1.1.22 - Ensure sticky bit is set on all world-writable directories
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.1.22c1_1_22ensure_sticky_bit_is_set_on_all_world_writable_directories
- Resource:
Class['cem_linux::utils::sticky_bit']
1.1.23 - Disable Automounting
- Parameters:
service- [String[1]] - Default:autofs
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Disable Automounting":
service: "autofs"
- Alternate Config IDs:
1.1.23c1_1_23disable_automounting
- Resource:
Cem_linux::Utils::Disable_service['Disable autofs']
1.1.24 - Disable USB Storage
- Parameters:
filesystem- [String[1]] - Default:usb-storage
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Disable USB Storage":
filesystem: "usb-storage"
- Alternate Config IDs:
1.1.24c1_1_24disable_usb_storage
- Resource:
Cem_linux::Utils::Disable_fs_mounting['Disable usb storage']
1.2.3 - Ensure gpgcheck is globally activated
- Parameters:
yum_conf- [Optional[String[1]]] - Default:/etc/yum.confrepo_files- [Optional[Array[String[1]]]] - Default:undef
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure gpgcheck is globally activated":
yum_conf: "/etc/yum.conf"
repo_files: <<Type Array[String[1]]>>
- Alternate Config IDs:
1.2.3c1_2_3ensure_gpgcheck_is_globally_activated
- Resource:
Class['cem_linux::utils::yum::enable_gpgcheck']
1.3.1 - Ensure AIDE is installed
- Parameters:
control_package- [Optional[Boolean]] - Default:truepackage_ensure- [Optional[String]] - Default:presentmanage_config- [Optional[Boolean]] - Default:truerun_scheduled- [Optional[Boolean]] - Default:truescheduler- [Optional[Enum[\systemd\, \cron\]]] - Default:systemdsystemd_timer_schedule- [Optional[String]] - Default:*-*-* 00:00:00conf_purge- [Optional[Boolean]] - Default:undefconf_db_dir- [Optional[String]] - Default:/var/lib/aideconf_log_dir- [Optional[String]] - Default:/var/log/aideconf_verbosity- [Optional[Integer]] - Default:5conf_report_urls- [Optional[Array[String]]] - Default:["file:@@{LOGDIR}/aide.log", "stdout"]conf_rules- [Optional[Array[String]]] - Default:["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"]conf_checks- [Optional[Array[String]]] - Default:["/boot/ CONTENT_EX", "/bin/ CONTENT_EX", "/sbin/ CONTENT_EX", "/lib/ CONTENT_EX", "/lib64/ CONTENT_EX", "/opt/ CONTENT_EX", "/root/\\..* PERMS", "/root/ CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/ CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$ CONTENT_EX", "/etc/group$ CONTENT_EX", "/etc/gshadow$ CONTENT_EX", "/etc/shadow$ CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/ PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure AIDE is installed":
control_package: true
package_ensure: "present"
manage_config: true
run_scheduled: true
scheduler: "systemd"
systemd_timer_schedule: "*-*-* 00:00:00"
conf_purge: <<Type Boolean>>
conf_db_dir: "/var/lib/aide"
conf_log_dir: "/var/log/aide"
conf_verbosity: 5
conf_report_urls: ["file:@@{LOGDIR}/aide.log", "stdout"]
conf_rules: ["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"]
conf_checks: ["/boot/ CONTENT_EX", "/bin/ CONTENT_EX", "/sbin/ CONTENT_EX", "/lib/ CONTENT_EX", "/lib64/ CONTENT_EX", "/opt/ CONTENT_EX", "/root/\\..* PERMS", "/root/ CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/ CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$ CONTENT_EX", "/etc/group$ CONTENT_EX", "/etc/gshadow$ CONTENT_EX", "/etc/shadow$ CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/ PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"]
- Alternate Config IDs:
1.3.1c1_3_1ensure_aide_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::aide']
1.4.1 - Ensure bootloader password is set
- Parameters:
superuser- [Optional[String[1]]] - Default:undefsuperuser_password- [Optional[Sensitive[String]]] - Default:undefregenerate_config- [Boolean]password_file- [Stdlib::UnixPath] - Default:/etc/grub.d/50_passwordreplace_password_file- [Boolean]hash_superuser_password- [Boolean] - Default:truesuperuser_password_salt_length- [Optional[Integer]] - Default:undefsuperuser_password_buffer_length- [Optional[Integer]] - Default:undefsuperuser_password_iterations- [Optional[Integer]] - Default:undefother_users- [Optional[Array[Struct[{username=>String[1], password=>Any, salt_length=>Optional[Integer], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]]] - Default:undef
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure bootloader password is set":
superuser: <<Type String[1]>>
superuser_password: <<Type Sensitive[String]>>
regenerate_config: false
password_file: "/etc/grub.d/50_password"
replace_password_file: false
hash_superuser_password: true
superuser_password_salt_length: <<Type Integer>>
superuser_password_buffer_length: <<Type Integer>>
superuser_password_iterations: <<Type Integer>>
other_users: <<Type Array[Struct[{username=>String[1], password=>Any, salt_length=>Optional[Integer], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]>>
- Alternate Config IDs:
1.4.1c1_4_1ensure_bootloader_password_is_set
- Resource:
Class['cem_linux::utils::bootloader::grub2::password']
1.4.2 - Ensure permissions on bootloader config are configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.4.2c1_4_2ensure_permissions_on_bootloader_config_are_configured
- Resource:
Class['cem_linux::utils::bootloader::grub2::permissions']
1.4.3 - Ensure authentication required for single user mode
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.4.3c1_4_3ensure_authentication_required_for_single_user_mode
- Resource:
Class['cem_linux::utils::services::systemd::secure_rescue_service']
1.4.3 - Ensure authentication required for single user mode
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.4.3c1_4_3ensure_authentication_required_for_single_user_mode
- Resource:
Class['cem_linux::utils::services::systemd::secure_emergency_service']
1.5.1 - Ensure core dumps are restricted
- Parameters:
limits_file- [Optional[String]] - Default:10-disable_core_dumps.confsysctl_file- [Optional[String]] - Default:10-disable_core_dumps.confservice_content- [Optional[String]] - Default:# THIS FILE IS MANAGED BY PUPPET [Coredump] Storage=none ProcessSizeMax=0
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure core dumps are restricted":
limits_file: "10-disable_core_dumps.conf"
sysctl_file: "10-disable_core_dumps.conf"
service_content: "# THIS FILE IS MANAGED BY PUPPET\n[Coredump]\nStorage=none\nProcessSizeMax=0\n"
- Alternate Config IDs:
1.5.1c1_5_1ensure_core_dumps_are_restricted
- Resource:
Class['cem_linux::utils::disable_core_dumps']
1.5.3 - Ensure address space layout randomization (ASLR) is enabled
- Parameters:
sysctl_file- [Optional[String]] - Default:10-enable_aslr.conf
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure address space layout randomization (ASLR) is enabled":
sysctl_file: "10-enable_aslr.conf"
- Alternate Config IDs:
1.5.3c1_5_3ensure_address_space_layout_randomization_aslr_is_enabled
- Resource:
Class['cem_linux::utils::enable_aslr']
1.5.4 - Ensure prelink is not installed
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.5.4c1_5_4ensure_prelink_is_not_installed
- Resource:
Class['cem_linux::utils::disable_prelink']
1.6.1.1 - Ensure SELinux is installed
- Parameters:
manage_package- [Optional[Boolean]] - Default:truepackage_name- [Optional[String[1]]] - Default:libselinuxmode- [Optional[Enum[\permissive\, \enforcing\]]] - Default:enforcingtype- [Optional[Enum[\targeted\, \mls\]]] - Default:targeted
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SELinux is installed":
manage_package: true
package_name: "libselinux"
mode: "enforcing"
type: "targeted"
- Alternate Config IDs:
1.6.1.1c1_6_1_1ensure_selinux_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.2 - Ensure SELinux is not disabled in bootloader configuration
- Parameters:
enable_selinux- [Boolean] - Default:trueselinux_mode- [Enum["permissive", "enforcing"]] - Default:enforcingregenerate_config- [Boolean]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SELinux is not disabled in bootloader configuration":
enable_selinux: true
selinux_mode: "enforcing"
regenerate_config: false
- Alternate Config IDs:
1.6.1.2c1_6_1_2ensure_selinux_is_not_disabled_in_bootloader_configuration
- Resource:
Class['cem_linux::utils::bootloader::grub2::selinux']
1.6.1.3 - Ensure SELinux policy is configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.6.1.3c1_6_1_3ensure_selinux_policy_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.4 - Ensure the SELinux mode is enforcing or permissive
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.6.1.4c1_6_1_4ensure_the_selinux_mode_is_enforcing_or_permissive
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.5 - Ensure the SELinux mode is enforcing
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.6.1.5c1_6_1_5ensure_the_selinux_mode_is_enforcing
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.7 - Ensure SETroubleshoot is not installed
- Parameters:
pkg_name- [String[1]] - Default:setroubleshoot
- Supported Levels:
level_1level_2
- Supported Profiles:
server
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SETroubleshoot is not installed":
pkg_name: "setroubleshoot"
- Alternate Config IDs:
1.6.1.7c1_6_1_7ensure_setroubleshoot_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install setroubleshoot']
1.6.1.8 - Ensure the MCS Translation Service (mcstrans) is not installed
- Parameters:
pkg_name- [String[1]] - Default:mcstrans
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure the MCS Translation Service (mcstrans) is not installed":
pkg_name: "mcstrans"
- Alternate Config IDs:
1.6.1.8c1_6_1_8ensure_the_mcs_translation_service_mcstrans_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install mcs translation service']
1.7.1 - Ensure message of the day is configured properly
- Parameters:
dynamic_motd- [Optional[Boolean]] - Default:truemotd_template- [Optional[String[1]]] - Default:undefmotd_content- [Optional[String]] - Default: ``issue_content- [Optional[String]] - Default:This is a secure system. Unauthorized access is strictly prohibited.issue_net_content- [Optional[String]] - Default:This is a secure system. Unauthorized access is strictly prohibited.issue_template- [Optional[String[1]]] - Default:undefissue_net_template- [Optional[String[1]]] - Default:undef
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure message of the day is configured properly":
dynamic_motd: true
motd_template: <<Type String[1]>>
motd_content: ""
issue_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
issue_net_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
issue_template: <<Type String[1]>>
issue_net_template: <<Type String[1]>>
- Alternate Config IDs:
1.7.1c1_7_1ensure_message_of_the_day_is_configured_properly
- Resource:
Class['cem_linux::utils::motd']
1.7.2 - Ensure local login warning banner is configured properly
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.7.2c1_7_2ensure_local_login_warning_banner_is_configured_properly
- Resource:
Class['cem_linux::utils::motd']
1.7.3 - Ensure remote login warning banner is configured properly
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.7.3c1_7_3ensure_remote_login_warning_banner_is_configured_properly
- Resource:
Class['cem_linux::utils::motd']
1.7.4 - Ensure permissions on /etc/motd are configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.7.4c1_7_4ensure_permissions_on_etcmotd_are_configured
- Resource:
Class['cem_linux::utils::motd']
1.7.5 - Ensure permissions on /etc/issue are configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.7.5c1_7_5ensure_permissions_on_etcissue_are_configured
- Resource:
Class['cem_linux::utils::motd']
1.7.6 - Ensure permissions on /etc/issue.net are configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
1.7.6c1_7_6ensure_permissions_on_etcissue_net_are_configured
- Resource:
Class['cem_linux::utils::motd']
2.1.1 - Ensure xinetd is not installed
- Parameters:
pkg_name- [String[1]] - Default:xinetd
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure xinetd is not installed":
pkg_name: "xinetd"
- Alternate Config IDs:
2.1.1c2_1_1ensure_xinetd_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install xinetd']
2.2.1.1 - Ensure time synchronization is in use
- Parameters:
preferred_package- [Optional[Enum[\chrony\, \ntp\]]] - Default:chronymanage_package- [Optional[Boolean]] - Default:trueforce_exclusivity- [Optional[Boolean]] - Default:truetimeservers- [Optional[Array[String[1]]]] - Default:undefsysconfig_options- [Optional[String[1]]] - Default:undefntp_restricts- [Optional[Array[String[1]]]] - Default:["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure time synchronization is in use":
preferred_package: "chrony"
manage_package: true
force_exclusivity: true
timeservers: <<Type Array[String[1]]>>
sysconfig_options: <<Type String[1]>>
ntp_restricts: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]
- Alternate Config IDs:
2.2.1.1c2_2_1_1ensure_time_synchronization_is_in_use
- Resource:
Class['cem_linux::utils::timesync']
2.2.1.2 - Ensure chrony is configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
2.2.1.2c2_2_1_2ensure_chrony_is_configured
- Resource:
Class['cem_linux::utils::timesync']
2.2.1.3 - Ensure ntp is configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
2.2.1.3c2_2_1_3ensure_ntp_is_configured
- Resource:
Class['cem_linux::utils::timesync']
2.2.2 - Ensure X11 Server components are not installed
- Parameters:
pkg_name- [String[1]] - Default:xorg-x11-server*
- Supported Levels:
level_1level_2
- Supported Profiles:
server
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure X11 Server components are not installed":
pkg_name: "xorg-x11-server*"
- Alternate Config IDs:
2.2.2c2_2_2ensure_x11_server_components_are_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install x11 server components']
2.2.3 - Ensure Avahi Server is not installed
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
2.2.3c2_2_3ensure_avahi_server_is_not_installed
- Resource:
Class['cem_linux::utils::remove_avahi_server']
2.2.4 - Ensure CUPS is not installed
- Parameters:
pkg_name- [String[1]] - Default:cups
- Supported Levels:
level_1level_2
- Supported Profiles:
server
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure CUPS is not installed":
pkg_name: "cups"
- Alternate Config IDs:
2.2.4c2_2_4ensure_cups_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install CUPS']
2.2.5 - Ensure DHCP Server is not installed
- Parameters:
pkg_name- [String[1]] - Default:dhcp
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure DHCP Server is not installed":
pkg_name: "dhcp"
- Alternate Config IDs:
2.2.5c2_2_5ensure_dhcp_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use DHCP server']
2.2.6 - Ensure LDAP server is not installed
- Parameters:
pkg_name- [String[1]] - Default:openldap-servers
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure LDAP server is not installed":
pkg_name: "openldap-servers"
- Alternate Config IDs:
2.2.6c2_2_6ensure_ldap_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not LDAP server']
2.2.7 - Ensure DNS Server is not installed
- Parameters:
pkg_name- [String[1]] - Default:bind
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure DNS Server is not installed":
pkg_name: "bind"
- Alternate Config IDs:
2.2.7c2_2_7ensure_dns_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use DNS server']
2.2.8 - Ensure FTP Server is not installed
- Parameters:
pkg_name- [String[1]] - Default:vsftpd
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure FTP Server is not installed":
pkg_name: "vsftpd"
- Alternate Config IDs:
2.2.8c2_2_8ensure_ftp_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use ftp server']
2.2.9 - Ensure HTTP server is not installed
- Parameters:
pkg_name- [String[1]] - Default:httpd
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure HTTP server is not installed":
pkg_name: "httpd"
- Alternate Config IDs:
2.2.9c2_2_9ensure_http_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use HTTP Server']
2.2.10 - Ensure IMAP and POP3 server is not installed
- Parameters:
mail_servers- [Array[String]] - Default:["dovecot", "postfix"]uninstall_options- [Optional[Array[String[1]]]] - Default:["--nodeps"]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure IMAP and POP3 server is not installed":
mail_servers: ["dovecot", "postfix"]
uninstall_options: ["--nodeps"]
- Alternate Config IDs:
2.2.10c2_2_10ensure_imap_and_pop3_server_is_not_installed
- Resource:
Class['cem_linux::utils::remove_imap_and_pop3']
2.2.11 - Ensure Samba is not installed
- Parameters:
pkg_name- [String[1]] - Default:samba
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure Samba is not installed":
pkg_name: "samba"
- Alternate Config IDs:
2.2.11c2_2_11ensure_samba_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use Samba']
2.2.12 - Ensure HTTP Proxy Server is not installed
- Parameters:
proxy_packages- [Optional[Array[String]]] - Default:undef
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure HTTP Proxy Server is not installed":
proxy_packages: <<Type Array[String]>>
- Alternate Config IDs:
2.2.12c2_2_12ensure_http_proxy_server_is_not_installed
- Resource:
Class['cem_linux::utils::remove_http_proxy']
2.2.13 - Ensure net-snmp is not installed
- Parameters:
pkg_name- [String[1]] - Default:net-snmp
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure net-snmp is not installed":
pkg_name: "net-snmp"
- Alternate Config IDs:
2.2.13c2_2_13ensure_net_snmp_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use net-snmp']
2.2.14 - Ensure NIS server is not installed
- Parameters:
pkg_name- [String[1]] - Default:ypserv
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure NIS server is not installed":
pkg_name: "ypserv"
- Alternate Config IDs:
2.2.14c2_2_14ensure_nis_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Disable NIS Server']
2.2.15 - Ensure telnet-server is not installed
- Parameters:
pkg_name- [String[1]] - Default:telnet-server
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure telnet-server is not installed":
pkg_name: "telnet-server"
- Alternate Config IDs:
2.2.15c2_2_15ensure_telnet_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Remove Telnet server']
2.2.16 - Ensure mail transfer agent is configured for local-only mode
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
2.2.16c2_2_16ensure_mail_transfer_agent_is_configured_for_local_only_mode
- Resource:
Class['cem_linux::utils::local_only_mta']
2.2.17 - Ensure nfs-utils is not installed or the nfs-server service is masked
- Parameters:
keep_nfsutils- [Boolean]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure nfs-utils is not installed or the nfs-server service is masked":
keep_nfsutils: false
- Alternate Config IDs:
2.2.17c2_2_17ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked
- Resource:
Class['cem_linux::utils::disable_or_remove_nfs']
2.2.18 - Ensure rpcbind is not installed or the rpcbind services are masked
- Parameters:
keep_rpcbind- [Boolean]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure rpcbind is not installed or the rpcbind services are masked":
keep_rpcbind: false
- Alternate Config IDs:
2.2.18c2_2_18ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked
- Resource:
Class['cem_linux::utils::disable_or_remove_rpcbind']
2.2.19 - Ensure rsync is not installed or the rsyncd service is masked
- Parameters:
keep_rsync- [Boolean]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure rsync is not installed or the rsyncd service is masked":
keep_rsync: false
- Alternate Config IDs:
2.2.19c2_2_19ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
- Resource:
Class['cem_linux::utils::disable_or_remove_rsync']
2.3.1 - Ensure NIS Client is not installed
- Parameters:
pkg_name- [String[1]] - Default:ypbind
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure NIS Client is not installed":
pkg_name: "ypbind"
- Alternate Config IDs:
2.3.1c2_3_1ensure_nis_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use NIS Client']
2.3.2 - Ensure rsh client is not installed
- Parameters:
pkg_name- [String[1]] - Default:rsh
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure rsh client is not installed":
pkg_name: "rsh"
- Alternate Config IDs:
2.3.2c2_3_2ensure_rsh_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use rsh']
2.3.3 - Ensure talk client is not installed
- Parameters:
pkg_name- [String[1]] - Default:talk
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure talk client is not installed":
pkg_name: "talk"
- Alternate Config IDs:
2.3.3c2_3_3ensure_talk_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use talk client']
2.3.4 - Ensure telnet client is not installed
- Parameters:
pkg_name- [String[1]] - Default:telnet
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure telnet client is not installed":
pkg_name: "telnet"
- Alternate Config IDs:
2.3.4c2_3_4ensure_telnet_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Remove Telnet Client']
2.3.5 - Ensure LDAP client is not installed
- Parameters:
pkg_name- [String[1]] - Default:openldap-clients
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure LDAP client is not installed":
pkg_name: "openldap-clients"
- Alternate Config IDs:
2.3.5c2_3_5ensure_ldap_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Remove LDAP Client']
3.1.1 - Disable IPv6
- Parameters:
strategy- [Optional[Enum[\sysctl\, \grub\]]] - Default:sysctlcreate_sysctl_file- [Optional[Boolean]] - Default:truesysctl_conf- [Optional[String]] - Default:/etc/sysctl.confsysctl_d_path- [Optional[String]] - Default:/etc/sysctl.dsysctl_prefix- [Optional[String]] - Default:10-sysctl_comment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Disable IPv6":
strategy: "sysctl"
create_sysctl_file: true
sysctl_conf: "/etc/sysctl.conf"
sysctl_d_path: "/etc/sysctl.d"
sysctl_prefix: "10-"
sysctl_comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.1.1c3_1_1disable_ipv6
- Resource:
Class['cem_linux::utils::network::disable_ipv6']
3.1.2 - Ensure wireless interfaces are disabled
- Parameters:
wwan- [Boolean] - Default:truewifi- [Boolean] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure wireless interfaces are disabled":
wwan: true
wifi: true
- Alternate Config IDs:
3.1.2c3_1_2ensure_wireless_interfaces_are_disabled
- Resource:
Cem_linux::Utils::Network::Disable_wireless_interfaces['Disable wireless interfaces']
3.2.1 - Ensure IP forwarding is disabled
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-disable_ip_forwarding.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure IP forwarding is disabled":
target: "/etc/sysctl.d/10-disable_ip_forwarding.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.2.1c3_2_1ensure_ip_forwarding_is_disabled
- Resource:
Class['cem_linux::utils::network::disable_ip_forwarding']
3.2.2 - Ensure packet redirect sending is disabled
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-disable_packet_redirect_sending.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure packet redirect sending is disabled":
target: "/etc/sysctl.d/10-disable_packet_redirect_sending.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.2.2c3_2_2ensure_packet_redirect_sending_is_disabled
- Resource:
Class['cem_linux::utils::network::disable_packet_redirect_sending']
3.3.1 - Ensure source routed packets are not accepted
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-disable_source_routes.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure source routed packets are not accepted":
target: "/etc/sysctl.d/10-disable_source_routes.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.1c3_3_1ensure_source_routed_packets_are_not_accepted
- Resource:
Class['cem_linux::utils::network::disable_source_routes']
3.3.2 - Ensure ICMP redirects are not accepted
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-disable_icmp_redirects.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure ICMP redirects are not accepted":
target: "/etc/sysctl.d/10-disable_icmp_redirects.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.2c3_3_2ensure_icmp_redirects_are_not_accepted
- Resource:
Class['cem_linux::utils::network::disable_icmp_redirects']
3.3.3 - Ensure secure ICMP redirects are not accepted
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-disable_secure_icmp_redirects.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure secure ICMP redirects are not accepted":
target: "/etc/sysctl.d/10-disable_secure_icmp_redirects.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.3c3_3_3ensure_secure_icmp_redirects_are_not_accepted
- Resource:
Class['cem_linux::utils::network::disable_secure_icmp_redirects']
3.3.4 - Ensure suspicious packets are logged
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-enable_log_martians.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure suspicious packets are logged":
target: "/etc/sysctl.d/10-enable_log_martians.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.4c3_3_4ensure_suspicious_packets_are_logged
- Resource:
Class['cem_linux::utils::network::enable_log_martians']
3.3.5 - Ensure broadcast ICMP requests are ignored
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-ignore_icmp_broadcast.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure broadcast ICMP requests are ignored":
target: "/etc/sysctl.d/10-ignore_icmp_broadcast.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.5c3_3_5ensure_broadcast_icmp_requests_are_ignored
- Resource:
Class['cem_linux::utils::network::ignore_icmp_broadcast']
3.3.6 - Ensure bogus ICMP responses are ignored
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-ignore_bogus_icmp.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure bogus ICMP responses are ignored":
target: "/etc/sysctl.d/10-ignore_bogus_icmp.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.6c3_3_6ensure_bogus_icmp_responses_are_ignored
- Resource:
Class['cem_linux::utils::network::ignore_bogus_icmp']
3.3.7 - Ensure Reverse Path Filtering is enabled
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-enable_reverse_path_filtering.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure Reverse Path Filtering is enabled":
target: "/etc/sysctl.d/10-enable_reverse_path_filtering.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.7c3_3_7ensure_reverse_path_filtering_is_enabled
- Resource:
Class['cem_linux::utils::network::enable_reverse_path_filtering']
3.3.8 - Ensure TCP SYN Cookies is enabled
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-enable_tcp_syn_cookies.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure TCP SYN Cookies is enabled":
target: "/etc/sysctl.d/10-enable_tcp_syn_cookies.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.8c3_3_8ensure_tcp_syn_cookies_is_enabled
- Resource:
Class['cem_linux::utils::network::enable_tcp_syn_cookies']
3.3.9 - Ensure IPv6 router advertisements are not accepted
- Parameters:
target- [Optional[String[1]]] - Default:/etc/sysctl.d/10-disable_ipv6_router_advertisements.confpersist- [Optional[Boolean]] - Default:truecomment- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure IPv6 router advertisements are not accepted":
target: "/etc/sysctl.d/10-disable_ipv6_router_advertisements.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.9c3_3_9ensure_ipv6_router_advertisements_are_not_accepted
- Resource:
Class['cem_linux::utils::network::disable_ipv6_router_advertisements']
3.4.1 - Ensure DCCP is disabled
- Parameters:
target- [Optional[String[1]]] - Default:/etc/modprobe.d/dccp.confcontent- [Optional[String]] - Default:install dccp /bin/true
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure DCCP is disabled":
target: "/etc/modprobe.d/dccp.conf"
content: "install dccp /bin/true"
- Alternate Config IDs:
3.4.1c3_4_1ensure_dccp_is_disabled
- Resource:
Class['cem_linux::utils::network::disable_dccp']
3.4.2 - Ensure SCTP is disabled
- Parameters:
target- [Optional[String[1]]] - Default:/etc/modprobe.d/sctp.confcontent- [Optional[String]] - Default:install sctp /bin/true
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SCTP is disabled":
target: "/etc/modprobe.d/sctp.conf"
content: "install sctp /bin/true"
- Alternate Config IDs:
3.4.2c3_4_2ensure_sctp_is_disabled
- Resource:
Class['cem_linux::utils::network::disable_sctp']
3.5.1.1 - Ensure firewalld is installed
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.1.1c3_5_1_1ensure_firewalld_is_installed
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.1.2 - Ensure iptables-services not installed with firewalld
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.1.2c3_5_1_2ensure_iptables_services_not_installed_with_firewalld
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.1.3 - Ensure nftables either not installed or masked with firewalld
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.1.3c3_5_1_3ensure_nftables_either_not_installed_or_masked_with_firewalld
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.1.4 - Ensure firewalld service enabled and running
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.1.4c3_5_1_4ensure_firewalld_service_enabled_and_running
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.1.5 - Ensure firewalld default zone is set
- Parameters:
default_zone- [Optional[String[1]]] - Default:public
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure firewalld default zone is set":
default_zone: "public"
- Alternate Config IDs:
3.5.1.5c3_5_1_5ensure_firewalld_default_zone_is_set
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.1.6 - Ensure network interfaces are assigned to appropriate zone
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.1.6c3_5_1_6ensure_network_interfaces_are_assigned_to_appropriate_zone
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.3.1.1 - Ensure iptables packages are installed
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.1.1c3_5_3_1_1ensure_iptables_packages_are_installed
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.1.2 - Ensure nftables is not installed with iptables
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.1.2c3_5_3_1_2ensure_nftables_is_not_installed_with_iptables
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.1.3 - Ensure firewalld is either not installed or masked with iptables
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.1.3c3_5_3_1_3ensure_firewalld_is_either_not_installed_or_masked_with_iptables
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.1 - Ensure iptables loopback traffic is configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.2.1c3_5_3_2_1ensure_iptables_loopback_traffic_is_configured
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.2 - Ensure iptables outbound and established connections are configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.2.2c3_5_3_2_2ensure_iptables_outbound_and_established_connections_are_configured
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.3 - Ensure iptables rules exist for all open ports
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.2.3c3_5_3_2_3ensure_iptables_rules_exist_for_all_open_ports
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.4 - Ensure iptables default deny firewall policy
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.2.4c3_5_3_2_4ensure_iptables_default_deny_firewall_policy
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.5 - Ensure iptables rules are saved
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.2.5c3_5_3_2_5ensure_iptables_rules_are_saved
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.6 - Ensure iptables is enabled and running
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.2.6c3_5_3_2_6ensure_iptables_is_enabled_and_running
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.1 - Ensure ip6tables loopback traffic is configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.3.1c3_5_3_3_1ensure_ip6tables_loopback_traffic_is_configured
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.2 - Ensure ip6tables outbound and established connections are configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.3.2c3_5_3_3_2ensure_ip6tables_outbound_and_established_connections_are_configured
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.3 - Ensure ip6tables firewall rules exist for all open ports
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.3.3c3_5_3_3_3ensure_ip6tables_firewall_rules_exist_for_all_open_ports
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.4 - Ensure ip6tables default deny firewall policy
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.3.4c3_5_3_3_4ensure_ip6tables_default_deny_firewall_policy
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.5 - Ensure ip6tables rules are saved
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.3.5c3_5_3_3_5ensure_ip6tables_rules_are_saved
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.6 - Ensure ip6tables is enabled and running
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
3.5.3.3.6c3_5_3_3_6ensure_ip6tables_is_enabled_and_running
- Resource:
Class['cem_linux::utils::firewall::iptables']
4.1.1.1 - Ensure auditd is installed
- Parameters:
package- [Optional[Array]] - Default:["audit", "audit-libs"]
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure auditd is installed":
package: ["audit", "audit-libs"]
- Alternate Config IDs:
4.1.1.1c4_1_1_1ensure_auditd_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.1.2 - Ensure auditd service is enabled and running
- Parameters:
service- [Optional[String]] - Default:auditd
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure auditd service is enabled and running":
service: "auditd"
- Alternate Config IDs:
4.1.1.2c4_1_1_2ensure_auditd_service_is_enabled_and_running
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.1.3 - Ensure auditing for processes that start prior to auditd is enabled
- Parameters:
enable_auditd- [Boolean] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure auditing for processes that start prior to auditd is enabled":
enable_auditd: true
- Alternate Config IDs:
4.1.1.3c4_1_1_3ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled
- Resource:
Class['cem_linux::utils::bootloader::grub2::auditd']
4.1.2.1 - Ensure audit log storage size is configured
- Parameters:
max_log_file- [Optional[Integer[0]]] - Default:8
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure audit log storage size is configured":
max_log_file: 8
- Alternate Config IDs:
4.1.2.1c4_1_2_1ensure_audit_log_storage_size_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.2.2 - Ensure audit logs are not automatically deleted
- Parameters:
max_log_file_action- [Optional[Enum[\keep_logs\, \rotate\, \ignore\, \syslog\, \suspend\]]] - Default:keep_logs
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure audit logs are not automatically deleted":
max_log_file_action: "keep_logs"
- Alternate Config IDs:
4.1.2.2c4_1_2_2ensure_audit_logs_are_not_automatically_deleted
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.2.3 - Ensure system is disabled when audit logs are full
- Parameters:
space_left_action- [Optional[Enum[\ignore\, \syslog\, \email\, \suspend\, \single\, \halt\]]] - Default:emailadmin_space_left_action- [Optional[Enum[\ignore\, \syslog\, \email\, \suspend\, \single\, \halt\]]] - Default:syslogaction_mail_acct- [Optional[String]] - Default:root
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure system is disabled when audit logs are full":
space_left_action: "email"
admin_space_left_action: "syslog"
action_mail_acct: "root"
- Alternate Config IDs:
4.1.2.3c4_1_2_3ensure_system_is_disabled_when_audit_logs_are_full
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.2.4 - Ensure audit_backlog_limit is sufficient
- Parameters:
audit_backlog_limit- [Integer] - Default:8192
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure audit_backlog_limit is sufficient":
audit_backlog_limit: 8192
- Alternate Config IDs:
4.1.2.4c4_1_2_4ensure_audit_backlog_limit_is_sufficient
- Resource:
Class['cem_linux::utils::bootloader::grub2::auditd']
4.1.3 - Ensure events that modify date and time information are collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.3c4_1_3ensure_events_that_modify_date_and_time_information_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::time_change']
4.1.4 - Ensure events that modify user/group information are collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.4c4_1_4ensure_events_that_modify_usergroup_information_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::modify_usergroup_information']
4.1.5 - Ensure events that modify the system's network environment are collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.5c4_1_5ensure_events_that_modify_the_systems_network_environment_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::network_environment']
4.1.6 - Ensure events that modify the system's Mandatory Access Controls are collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.6c4_1_6ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::mandatory_access_controls']
4.1.7 - Ensure login and logout events are collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.7c4_1_7ensure_login_and_logout_events_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::login_logout']
4.1.8 - Ensure session initiation information is collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.8c4_1_8ensure_session_initiation_information_is_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::session_initiation']
4.1.9 - Ensure discretionary access control permission modification events are collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.9c4_1_9ensure_discretionary_access_control_permission_modification_events_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::discretionary_access_control']
4.1.10 - Ensure unsuccessful unauthorized file access attempts are collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.10c4_1_10ensure_unsuccessful_unauthorized_file_access_attempts_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::unsuccessful_unauthorized_file_access']
4.1.12 - Ensure successful file system mounts are collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.12c4_1_12ensure_successful_file_system_mounts_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::file_system_mounts']
4.1.13 - Ensure file deletion events by users are collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.13c4_1_13ensure_file_deletion_events_by_users_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::file_deletion_events']
4.1.14 - Ensure changes to system administration scope (sudoers) is collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.14c4_1_14ensure_changes_to_system_administration_scope_sudoers_is_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::sudoers']
4.1.15 - Ensure system administrator command executions (sudo) are collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.15c4_1_15ensure_system_administrator_command_executions_sudo_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::sudolog']
4.1.16 - Ensure kernel module loading and unloading is collected
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.16c4_1_16ensure_kernel_module_loading_and_unloading_is_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd::kernel_module_command_record']
4.1.17 - Ensure the audit configuration is immutable
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.1.17c4_1_17ensure_the_audit_configuration_is_immutable
- Resource:
Class['cem_linux::utils::packages::linux::auditd::audit_configuration_immutable']
4.2.1.1 - Ensure rsyslog is installed
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.2.1.1c4_2_1_1ensure_rsyslog_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.2 - Ensure rsyslog Service is enabled and running
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.2.1.2c4_2_1_2ensure_rsyslog_service_is_enabled_and_running
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.3 - Ensure rsyslog default file permissions configured
- Parameters:
filecreatemode- [Optional[String]] - Default:0640
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure rsyslog default file permissions configured":
filecreatemode: "0640"
- Alternate Config IDs:
4.2.1.3c4_2_1_3ensure_rsyslog_default_file_permissions_configured
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.4 - Ensure logging is configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.2.1.4c4_2_1_4ensure_logging_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.5 - Ensure rsyslog is configured to send logs to a remote log host
- Parameters:
remote_log_host- [Optional[Variant[Stdlib::IP::Address, String[1]]]] - Default:undeftcp_port- [Optional[Integer]] - Default:514
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure rsyslog is configured to send logs to a remote log host":
remote_log_host: <<Type Variant[Stdlib::IP::Address, String[1]]>>
tcp_port: 514
- Alternate Config IDs:
4.2.1.5c4_2_1_5ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.6 - Ensure remote rsyslog messages are only accepted on designated log hosts.
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.2.1.6c4_2_1_6ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.2.1 - Ensure journald is configured to send logs to rsyslog
- Parameters:
forward_to_syslog- [Optional[Variant[Boolean, Stdlib::Yes_no]]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure journald is configured to send logs to rsyslog":
forward_to_syslog: true
- Alternate Config IDs:
4.2.2.1c4_2_2_1ensure_journald_is_configured_to_send_logs_to_rsyslog
- Resource:
Class['cem_linux::utils::services::systemd::journald']
4.2.2.2 - Ensure journald is configured to compress large log files
- Parameters:
compress_large_files- [Optional[Variant[Boolean, Stdlib::Yes_no]]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure journald is configured to compress large log files":
compress_large_files: true
- Alternate Config IDs:
4.2.2.2c4_2_2_2ensure_journald_is_configured_to_compress_large_log_files
- Resource:
Class['cem_linux::utils::services::systemd::journald']
4.2.2.3 - Ensure journald is configured to write logfiles to persistent disk
- Parameters:
persistent_storage- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure journald is configured to write logfiles to persistent disk":
persistent_storage: true
- Alternate Config IDs:
4.2.2.3c4_2_2_3ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
- Resource:
Class['cem_linux::utils::services::systemd::journald']
4.2.3 - Ensure permissions on all logfiles are configured
- Parameters:
mode- [Stdlib::Filemode] - Default:0640
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure permissions on all logfiles are configured":
mode: "0640"
- Alternate Config IDs:
4.2.3c4_2_3ensure_permissions_on_all_logfiles_are_configured
- Resource:
Class['cem_linux::utils::chmod_logfiles']
4.2.4 - Ensure logrotate is configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
4.2.4c4_2_4ensure_logrotate_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::logrotate']
5.1.1 - Ensure cron daemon is enabled and running
- Parameters:
manage_package- [Optional[Boolean]] - Default:truemanage_service- [Optional[Boolean]] - Default:truecron_allow_path- [Optional[Stdlib::AbsolutePath]] - Default:/etc/cron.allowpurge_cron_deny- [Optional[Boolean]] - Default:truemanage_cron_allow- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure cron daemon is enabled and running":
manage_package: true
manage_service: true
cron_allow_path: "/etc/cron.allow"
purge_cron_deny: true
manage_cron_allow: true
- Alternate Config IDs:
5.1.1c5_1_1ensure_cron_daemon_is_enabled_and_running
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.2 - Ensure permissions on /etc/crontab are configured
- Parameters:
set_crontab_perms- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure permissions on /etc/crontab are configured":
set_crontab_perms: true
- Alternate Config IDs:
5.1.2c5_1_2ensure_permissions_on_etccrontab_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.3 - Ensure permissions on /etc/cron.hourly are configured
- Parameters:
set_hourly_cron_perms- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure permissions on /etc/cron.hourly are configured":
set_hourly_cron_perms: true
- Alternate Config IDs:
5.1.3c5_1_3ensure_permissions_on_etccron_hourly_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.4 - Ensure permissions on /etc/cron.daily are configured
- Parameters:
set_daily_cron_perms- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure permissions on /etc/cron.daily are configured":
set_daily_cron_perms: true
- Alternate Config IDs:
5.1.4c5_1_4ensure_permissions_on_etccron_daily_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.5 - Ensure permissions on /etc/cron.weekly are configured
- Parameters:
set_weekly_cron_perms- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure permissions on /etc/cron.weekly are configured":
set_weekly_cron_perms: true
- Alternate Config IDs:
5.1.5c5_1_5ensure_permissions_on_etccron_weekly_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.6 - Ensure permissions on /etc/cron.monthly are configured
- Parameters:
set_monthly_cron_perms- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure permissions on /etc/cron.monthly are configured":
set_monthly_cron_perms: true
- Alternate Config IDs:
5.1.6c5_1_6ensure_permissions_on_etccron_monthly_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.7 - Ensure permissions on /etc/cron.d are configured
- Parameters:
set_cron_d_perms- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure permissions on /etc/cron.d are configured":
set_cron_d_perms: true
- Alternate Config IDs:
5.1.7c5_1_7ensure_permissions_on_etccron_d_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.8 - Ensure cron is restricted to authorized users
- Parameters:
cron_allowlist- [Optional[Array[String[1]]]] - Default:["root"]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure cron is restricted to authorized users":
cron_allowlist: ["root"]
- Alternate Config IDs:
5.1.8c5_1_8ensure_cron_is_restricted_to_authorized_users
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.9 - Ensure at is restricted to authorized users
- Parameters:
at_allowlist- [Optional[Array[String[1]]]] - Default:["root"]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure at is restricted to authorized users":
at_allowlist: ["root"]
- Alternate Config IDs:
5.1.9c5_1_9ensure_at_is_restricted_to_authorized_users
- Resource:
Class['cem_linux::utils::packages::linux::at']
5.2.1 - Ensure sudo is installed
- Parameters:
package_ensure- [Optional[Enum[\installed\, \latest\, \absent\]]] - Default:installedpackage_name- [Optional[String[1]]] - Default:sudosudoers_path- [Optional[Stdlib::UnixPath]] - Default:/etc/sudoerssudoers_d_path- [Optional[Stdlib::UnixPath]] - Default:/etc/sudoers.ddefaults- [Optional[Hash[String[1], Optional[String]]]] - Default:undefdrop_ins- [Optional[Hash[String[1], Struct[{user_group=>Optional[Variant[String[1], Array[String[1]]]], host=>Optional[String[1]], target_users=>Optional[Variant[String[1], Array[String[1]]]], priority=>Optional[Integer], commands=>Optional[Variant[Enum[\\\\\\\\\\\\\\\\ALL\\\\\\\\\\\\\\\\], Array[String[1]]]], options=>Optional[Array[String[1]]], file_name=>Optional[String[1]]}]]]] - Default:undef
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure sudo is installed":
package_ensure: "installed"
package_name: "sudo"
sudoers_path: "/etc/sudoers"
sudoers_d_path: "/etc/sudoers.d"
defaults: <<Type Hash[String[1], Optional[String]]>>
drop_ins: <<Type Hash[String[1], Struct[{user_group=>Optional[Variant[String[1], Array[String[1]]]], host=>Optional[String[1]], target_users=>Optional[Variant[String[1], Array[String[1]]]], priority=>Optional[Integer], commands=>Optional[Variant[Enum[\\\\\\\\\\\\\\\\ALL\\\\\\\\\\\\\\\\], Array[String[1]]]], options=>Optional[Array[String[1]]], file_name=>Optional[String[1]]}]]>>
- Alternate Config IDs:
5.2.1c5_2_1ensure_sudo_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::sudo']
5.2.2 - Ensure sudo commands use pty
- Parameters:
sudoers_path- [String[1]] - Default:/etc/sudoers
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure sudo commands use pty":
sudoers_path: "/etc/sudoers"
- Alternate Config IDs:
5.2.2c5_2_2ensure_sudo_commands_use_pty
- Resource:
Cem_linux::Utils::Packages::Linux::Sudo::Sudoers_default['use_pty']
5.2.3 - Ensure sudo log file exists
- Parameters:
sudoers_path- [String[1]] - Default:/etc/sudoersvalue- [Optional[String[1]]] - Default:/var/log/sudo.log
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure sudo log file exists":
sudoers_path: "/etc/sudoers"
value: "/var/log/sudo.log"
- Alternate Config IDs:
5.2.3c5_2_3ensure_sudo_log_file_exists
- Resource:
Cem_linux::Utils::Packages::Linux::Sudo::Sudoers_default['logfile']
5.3.1 - Ensure permissions on /etc/ssh/sshd_config are configured
- Parameters:
enforce_sshd_config_perms- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure permissions on /etc/ssh/sshd_config are configured":
enforce_sshd_config_perms: true
- Alternate Config IDs:
5.3.1c5_3_1ensure_permissions_on_etcsshsshd_config_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.2 - Ensure permissions on SSH private host key files are configured
- Parameters:
enforce_pri_host_key_perms- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure permissions on SSH private host key files are configured":
enforce_pri_host_key_perms: true
- Alternate Config IDs:
5.3.2c5_3_2ensure_permissions_on_ssh_private_host_key_files_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.3 - Ensure permissions on SSH public host key files are configured
- Parameters:
enforce_pub_host_key_perms- [Optional[Boolean]] - Default:true
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure permissions on SSH public host key files are configured":
enforce_pub_host_key_perms: true
- Alternate Config IDs:
5.3.3c5_3_3ensure_permissions_on_ssh_public_host_key_files_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.4 - Ensure SSH access is limited
- Parameters:
allow_users- [Optional[Array[String[1]]]] - Default:undefallow_groups- [Optional[Array[String[1]]]] - Default:undefdeny_users- [Optional[Array[String[1]]]] - Default:undefdeny_groups- [Optional[Array[String[1]]]] - Default:undef
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH access is limited":
allow_users: <<Type Array[String[1]]>>
allow_groups: <<Type Array[String[1]]>>
deny_users: <<Type Array[String[1]]>>
deny_groups: <<Type Array[String[1]]>>
- Alternate Config IDs:
5.3.4c5_3_4ensure_ssh_access_is_limited
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.5 - Ensure SSH LogLevel is appropriate
- Parameters:
log_level- [Optional[Enum[\INFO\, \VERBOSE\]]] - Default:INFO
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH LogLevel is appropriate":
log_level: "INFO"
- Alternate Config IDs:
5.3.5c5_3_5ensure_ssh_loglevel_is_appropriate
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.6 - Ensure SSH X11 forwarding is disabled
- Parameters:
x11_forwarding- [Optional[Enum[\yes\, \no\]]] - Default:no
- Supported Levels:
level_1level_2
- Supported Profiles:
workstationserver
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH X11 forwarding is disabled":
x11_forwarding: "no"
- Alternate Config IDs:
5.3.6c5_3_6ensure_ssh_x11_forwarding_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.7 - Ensure SSH MaxAuthTries is set to 4 or less
- Parameters:
max_auth_tries- [Optional[Integer]] - Default:4
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH MaxAuthTries is set to 4 or less":
max_auth_tries: 4
- Alternate Config IDs:
5.3.7c5_3_7ensure_ssh_maxauthtries_is_set_to_4_or_less
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.8 - Ensure SSH IgnoreRhosts is enabled
- Parameters:
ignore_rhosts- [Optional[Enum[\yes\, \no\]]] - Default:yes
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH IgnoreRhosts is enabled":
ignore_rhosts: "yes"
- Alternate Config IDs:
5.3.8c5_3_8ensure_ssh_ignorerhosts_is_enabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.9 - Ensure SSH HostbasedAuthentication is disabled
- Parameters:
host_based_authentication- [Optional[Enum[\yes\, \no\]]] - Default:no
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH HostbasedAuthentication is disabled":
host_based_authentication: "no"
- Alternate Config IDs:
5.3.9c5_3_9ensure_ssh_hostbasedauthentication_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.10 - Ensure SSH root login is disabled
- Parameters:
permit_root_login- [Optional[Enum[\yes\, \no\, \without-password\, \forced-commands-only\]]] - Default:no
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH root login is disabled":
permit_root_login: "no"
- Alternate Config IDs:
5.3.10c5_3_10ensure_ssh_root_login_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.11 - Ensure SSH PermitEmptyPasswords is disabled
- Parameters:
permit_empty_passwords- [Optional[Enum[\yes\, \no\]]] - Default:no
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH PermitEmptyPasswords is disabled":
permit_empty_passwords: "no"
- Alternate Config IDs:
5.3.11c5_3_11ensure_ssh_permitemptypasswords_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.12 - Ensure SSH PermitUserEnvironment is disabled
- Parameters:
permit_user_environment- [Optional[Enum[\yes\, \no\]]] - Default:no
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH PermitUserEnvironment is disabled":
permit_user_environment: "no"
- Alternate Config IDs:
5.3.12c5_3_12ensure_ssh_permituserenvironment_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.13 - Ensure only strong Ciphers are used
- Parameters:
ciphers- [Optional[Array[String[1]]]] - Default:["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure only strong Ciphers are used":
ciphers: ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]
- Alternate Config IDs:
5.3.13c5_3_13ensure_only_strong_ciphers_are_used
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.14 - Ensure only strong MAC algorithms are used
- Parameters:
macs- [Optional[Array[String[1]]]] - Default:["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256"]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure only strong MAC algorithms are used":
macs: ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256"]
- Alternate Config IDs:
5.3.14c5_3_14ensure_only_strong_mac_algorithms_are_used
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.15 - Ensure only strong Key Exchange algorithms are used
- Parameters:
kex_algorithms- [Optional[Array[String[1]]]] - Default:["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure only strong Key Exchange algorithms are used":
kex_algorithms: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"]
- Alternate Config IDs:
5.3.15c5_3_15ensure_only_strong_key_exchange_algorithms_are_used
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.16 - Ensure SSH Idle Timeout Interval is configured
- Parameters:
client_alive_interval- [Optional[Integer]] - Default:300client_alive_count_max- [Optional[Integer]] - Default:0
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH Idle Timeout Interval is configured":
client_alive_interval: 300
client_alive_count_max: 0
- Alternate Config IDs:
5.3.16c5_3_16ensure_ssh_idle_timeout_interval_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.17 - Ensure SSH LoginGraceTime is set to one minute or less
- Parameters:
login_grace_time- [Optional[Integer]] - Default:60
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH LoginGraceTime is set to one minute or less":
login_grace_time: 60
- Alternate Config IDs:
5.3.17c5_3_17ensure_ssh_logingracetime_is_set_to_one_minute_or_less
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.18 - Ensure SSH warning banner is configured
- Parameters:
banner- [Optional[Stdlib::AbsolutePath]] - Default:/etc/issue.net
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH warning banner is configured":
banner: "/etc/issue.net"
- Alternate Config IDs:
5.3.18c5_3_18ensure_ssh_warning_banner_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.19 - Ensure SSH PAM is enabled
- Parameters:
use_pam- [Optional[Enum[\yes\, \no\]]] - Default:yes
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH PAM is enabled":
use_pam: "yes"
- Alternate Config IDs:
5.3.19c5_3_19ensure_ssh_pam_is_enabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.20 - Ensure SSH AllowTcpForwarding is disabled
- Parameters:
allow_tcp_forwarding- [Optional[Enum[\yes\, \no\]]] - Default:no
- Supported Levels:
level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH AllowTcpForwarding is disabled":
allow_tcp_forwarding: "no"
- Alternate Config IDs:
5.3.20c5_3_20ensure_ssh_allowtcpforwarding_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.21 - Ensure SSH MaxStartups is configured
- Parameters:
max_startups- [Optional[String[1]]] - Default:10:30:60
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH MaxStartups is configured":
max_startups: "10:30:60"
- Alternate Config IDs:
5.3.21c5_3_21ensure_ssh_maxstartups_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.22 - Ensure SSH MaxSessions is limited
- Parameters:
max_sessions- [Optional[Integer]] - Default:10
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SSH MaxSessions is limited":
max_sessions: 10
- Alternate Config IDs:
5.3.22c5_3_22ensure_ssh_maxsessions_is_limited
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.4.1 - Ensure password creation requirements are configured
- Parameters:
manage_pwquality- [Boolean] - Default:truemanage_pam_auth- [Boolean] - Default:trueminlen- [Optional[Integer]] - Default:14minclass- [Optional[Integer]] - Default:4faillock_args- [Optional[Array[String[1]]]] - Default:["preauth", "silent", "audit", "deny=5", "unlock_time=900"]pwhistory_args- [Optional[Array[String[1]]]] - Default:["use_authtok", "remember=5", "retry=3"]
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure password creation requirements are configured":
manage_pwquality: true
manage_pam_auth: true
minlen: 14
minclass: 4
faillock_args: ["preauth", "silent", "audit", "deny=5", "unlock_time=900"]
pwhistory_args: ["use_authtok", "remember=5", "retry=3"]
- Alternate Config IDs:
5.4.1c5_4_1ensure_password_creation_requirements_are_configured
- Resource:
Class['cem_linux::utils::password_creation_requirement']
5.4.2 - Ensure lockout for failed password attempts is configured
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
5.4.2c5_4_2ensure_lockout_for_failed_password_attempts_is_configured
- Resource:
Class['cem_linux::utils::password_creation_requirement']
5.4.3 - Ensure password hashing algorithm is SHA-512
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
5.4.3c5_4_3ensure_password_hashing_algorithm_is_sha_512
- Resource:
Class['cem_linux::utils::password_creation_requirement']
5.4.4 - Ensure password reuse is limited
- Parameters:
No parameters
- Supported Levels:
level_1level_2
- Supported Profiles:
serverworkstation
- Alternate Config IDs:
5.4.4c5_4_4ensure_password_reuse_is_limited
- Resource:
Class['cem_linux::utils::password_creation_requirement']
5.5.1.1 - Ensure password expiration is 365 days or less
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
audit_authselect
Audit authselect profile for RHEL8 and CentOS8
audit_check_ipv6
Audit IPV6 for RHEL8
audit_duplicate_gid
Finds and returns duplicate GIDs in /etc/group
audit_duplicate_group_names
Finds and returns duplicate group names in /etc/group.
audit_duplicate_uid
Finds duplicate UIDs in /etc/passwd and returns the UID and all users that use it
audit_duplicate_user_names
Finds and returns duplicate user names in /etc/passwd.
audit_etcpasswd_groups
Finds groups that exist in /etc/passwd but do not exist in /etc/group
audit_pw_change_date
Returns the last password change date for all users
audit_sgid_executables
A short description of this task
audit_shadow_group
Finds and returns any users in the shadow group
audit_sudo_authentication_timeout
Return the sudo authentication timeout in minutes
audit_sudo_nopasswd
Return instances of NOPASSWD: in sudo configuration files.
audit_sudo_re_authentication
Returns a list of any ungrouped sudo configuration entries that contain !authenticate.
audit_suid_executables
Returns a list of SUID executable files
audit_unconfined_services
Returns a list of all unconfined services
audit_ungrouped_files_and_directories
Returns a list of any unowned files and directories
audit_unowned_files_and_directories
Returns a list of any unowned files and directories
audit_world_writable_files
Returns a list of any world-writable files
query_gpg_keys
Queries for RPM GPG keys
query_listening_services
Queries for services with established TCP / UDP connections
query_yum_repos
Queries YUM repositories
root_path_integrity
Audits root path integrity. Must be run as root
update_bootloader
Updates and reinstall bootloader configuration
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v1.3.2 (2022-09-08)
Added
- The
Ensure core dump storage is disabledandEnsure core dump backtraces are disabledcontrols are now enforced on Red Hat Enterprise Linux (RHEL) 8 systems. - Added a new enforcement mode,
disabled, so that you can disable Security Enhanced Linux (SELinux) in your environment.
Changed
- The
Ensure audit log is disabled when audit logs are fullcontrol is updated to halt the machine when the audit log is full. This change helps to ensure better compliance with Center for Internet Security (CIS) recommendations. - To simplify configuration, the
ntpandchronyclasses were combined into thetimesyncclass.
Fixed
- The
Disable USB Storagecontrol is updated to work as designed. - The regular expression for matching Linux username patterns is updated to accept capital letters.
- Rules in the
/etc/auditd/rules.ddirectory are now loaded by using theaugenrules --loadcommand. This fix helps to ensure that all rule files within the directory are loaded into the kernel. - Fixed the per-resource ordering process by using the correct
metaparameter
beforeinstead ofsubscribe. - Fixed a parsing error for
chronythat caused catalog compilation failures. - Fixed a command injection vulnerability that could occur when
unsanitized user input was used in the
command,onlyif, orunlessparameters of anexecresource. - Fixed an issue with the permissions of Secure Shell (SSH) host private keys to ensure that the permissions are sufficiently restrictive.
- Fixed the
cem_systemctlfeature to return a result offalsewithout error messages in Puppet run logs when the feature is evaluated on Microsoft Windows machines. - Fixed an issue with the
cem_mtafact that caused errors in RHEL 6.
v1.3.1 (2022-08-18)
Fixed
- Controls that configure
journaldnow properly configure thejournald.conffile. - The
cem_coredumpfact will no longer attempt to resolve on nodes that do not supportsystemctl. - The
cem_grub_cfgfact will now identify the correct GRUB2 configuration file on Red Hat Enterprise Linux 7. - The CIS-specific parameters
enable_systemd_journalandenable_nopasswd_sudo_prunenow function correctly. - Fixed how Ruby code is loaded during Continuous Delivery for Puppet Enterprise impact analysis. This update fixes a bug that caused impact analysis to fail after upgrading CEM Linux to v1.3.0.
- Fixed invalid default parameter values that caused catalog compilation
failures when enforcing the control
ensure_password_creation_requirements_are_configured. - Fixed a duplicate resource defaults statement that caused catalog
compilation failures when selecting
ntpas the time synchronization service.
v1.3.0 (2022-08-03)
Changed
- The core architecture for the module has changed. These changes should
be transparent to the user. However, using Hiera automatic parameter
lookup to set configurations directly on classes in the
cem_linux::benchmarks::controls::*namespace will no longer work. This configuration method was not supported previously, and with the new architecture those classes have been removed and replaced with module Hiera data. - For more information on the new architecture, see the readme file.
- The reference was revised to improve usability. Sample configurations are provided for each supported control.
Fixed
- Added proper containment to the
cem_coredumpfact so it will no longer run on operating systems that do not support it. - Fixed how NTP options are handled. This fix resolves failures that occurred when using certain timeserver options.
v1.2.0 (2022-05-24)
Added
- Added the Center for Internet Security (CIS) Level 2 Server profile for Red Hat Enterprise Linux (RHEL) 7.
Changed
- Updated the CIS RHEL 8 benchmark to version 2.0.0.
- Removed support for CentOS 8 because the operating system has reached
End of Life (EOL).
- CEM Linux has never supported CentOS Stream, and with non-stream CentOS 8 being EOL, support for it was removed entirely.
Fixed
- Fixed an issue that prevented the
coredumpconfiguration setting from being properly enforced. Now, you can use the module to configure core dumps. - Fixed an issue related to file system mount points, which were not properly remounted after changes in mount-option enforcement. This issue prevented certain configuration changes from being applied.
v1.1.4 (2022-03-25)
Changed
- Updated the
audit_user_homedirtask to prevent the task from modifying permissions on top-level directories:/boot,/boot/,/etc,/lib,/lib64,/proc,/proc/,/home,/opt,/tmp,/var, and/srv/. Theaudit_user_homedirtask can still modify permissions on subdirectories within the listed directories, except for/bootand/proc. - In the
audit_user_homedirtask, addedrtkitto the list of ignored usernames. Becausertkitis a system user, CIS states that the home directory permissions forrtkitshould not be audited.
v1.1.3 (2022-03-24)
Fixed
- Fixed a bug in the
audit_user_homedirtask to prevent the inadvertent modification of permissions on bin directories:/bin,/sbin,/usr/bin, and/usr/sbin.
v1.1.2 (2022-03-16)
Added
- Added a section to the CEM Reference about configuring
chrony/ntptime servers.
Changed
- Expanded the range of versions in the
metadata.jsonfile so that users can install the latest modules to meet dependency requirements.
Fixed
- Fixed a bug in the
cem_linux::utils::timesyncconfiguration option that caused Puppet run failures when Network Time Protocol (NTP) was selected for time synchronization. - Fixed a bug that caused a Puppet run failure during attempts to use a template to provide the Message of the Day (MOTD).
- Fixed a bug relating to unsupported options in the
auditdconfig template on Red Hat Enterprise Linux (RHEL) 7. The bug caused startup failures for theauditdservice.
v1.1.1 (2022-01-25)
Fixed
- Fixed an issue related to non-idempotent resources when managing
permissions for the
Grub2bootloader configuration. This issue affected Red Hat Enterprise Linux (RHEL) systems that did not use Extensible Firmware Interface (EFI) mode.
v1.1.0 (2021-12-14)
Added
-
Enforcement for Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Server Level 2 recommendations.
-
Updates related to bootloader configurations. Configurations, including password settings, can now be managed through the CEM module on systems that use the
grub2bootloader.- You can also opt in to automatically regenerate the bootloader config files after changes are made.
- For details, see the CEM for Linux readme file.
-
Permissions management for log files in the
/var/log directoryis now available in the module. Previously, you had to run a Bolt task to manage permissions for log files.- Because this feature is now supported natively, the Bolt task
cem_linux::logfile_permissionswas removed.
- Because this feature is now supported natively, the Bolt task
-
Added a new fact,
cem_grub_cfg. This fact contains information related to generalgrubconfiguration on the machine.
Changed
- Replaced the
camptocamp-systemdmodule with the supportedpuppet-systemdmodule. To help ensure compatibility, you must update your Puppetfile to use thepuppet-systemdmodule v3.5.0 or later. - The
cem_uefi_bootfact was changed tocem_efiand more information was added to the fact. The new name is more representative because the fact now includes boot and other information.
Restriction
- When you scan a node with Puppet Comply after applying CEM, some recommendations that are enforced by CEM might be reported as having failed the scan. This issue is due to bugs in the CIS-CAT Pro Assessor that is used by Comply. For more information, see the readme file.
v1.0.0 (2021-09-28)
- This is the initial public release of CEM for Linux.
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 9.0.0)
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/puppet_agent (>= 4.0.0 < 5.0.0)
- puppetlabs/inifile (>= 1.6.0 < 6.0.0)
- puppetlabs/augeas_core (>= 1.1.1 < 2.0.0)
- puppetlabs/firewall (>= 2.8.1 < 4.0.0)
- puppet/firewalld (>= 4.4.0 < 5.0.0)
- puppet/logrotate (>= 5.0.0 < 7.0.0)
- puppet/selinux (>= 3.2.0 < 4.0.0)
- puppet/systemd (>= 3.5.0 < 4.0.0)