Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.23.0 < 8.0.0
This module has been deprecated by its author since May 8th 2024.
The author has suggested puppetlabs-sce_linux as its replacement.
Tasks:
- audit_authselect
- audit_check_ipv6
- audit_duplicate_gid
- audit_duplicate_group_names
Documentation
cem_linux
Table of contents
cem_linux
- Table of contents
- Introducing the Compliance Enforcement Modules
- Setup
- Usage
- Find and set configuration options
- Top-level configuration options
- Benchmark configuration options
- CIS-specific configuration options
- Configuration examples
- Basic configuration example
- Advanced configuration example
- Enforce bootloader configurations
- Guidelines for enabling the authselect option
- Configure custom logrotate rules
- Configure sudo without a password
- Configure user SSH keys
- Configure SSH permissions for users and groups
- Configure the firewall type
- Rules that rely on site-specific information
- Known issues
Introducing the Compliance Enforcement Modules
The cem_linux module is one of two Compliance Enforcement Modules (CEM). These supported Puppet modules were developed specifically to bring your Puppet Enterprise (PE) managed nodes into compliance. CEM currently supports Center for Internet Security (CIS) compliance rules.
By default, CEM enforces CIS rules for the Level 1 server profile.
This readme file provides instructions for installing CEM and customizing the configuration settings to meet your organization’s compliance requirements. For a list of available parameters, see the CEM reference.
After you have installed and configured CEM, PE will run on any classified nodes without user intervention to scan for compliance.
To manage Microsoft Windows nodes, navigate to cem_windows.
Setup
Before you install CEM, review the System requirements to ensure that CEM can be run on the operating systems in your environment. Then, contact a Puppet sales representative to purchase CEM.
System requirements
cem_linux supports the following operating systems and CIS benchmarks:
Operating system | Framework | Level | Profile |
---|---|---|---|
Red Hat Enterprise Linux 7 | CIS Benchmarks v3.1.1 | 1, 2 | Server |
Red Hat Enterprise Linux 8 | CIS Benchmarks v2.0.0 | 1, 2 | Server |
CentOS Linux 7 | CIS Benchmarks v3.1.2 | 1, 2 | Server |
Install CEM with Code Manager
You can install CEM by using Code Manager, a code management tool. For installation instructions, see Puppet Forge Premium Content.
Upgrade CEM
To upgrade CEM, update the CEM declaration in the Puppetfile. Specify the version number to which you are upgrading CEM.
For instructions about modifying the Puppetfile, see Declare Forge modules in the Puppetfile.
For example, to upgrade the cem_linux module to version 1.3.0, you would specify the CEM declaration as shown:
mod 'puppetlabs/cem_linux', '1.3.0'
Troubleshooting tip: Starting with v1.3.0, CEM for Linux implements a new architecture. If you upgrade CEM from v1.2.0 or earlier to v1.3.0 or later, and you encounter errors, try restarting the pe-puppetserver service or restarting or reloading Puppet Server. For instructions, see Restarting Puppet Server.
Usage
By default, CEM enforces CIS rules for the Level 1 server profile based on default acceptable values for each CIS recommendation. However, sometimes enforcing these default values can leave your nodes in an undesirable state. In these situations, you can customize how CEM enforces compliance to meet your organization's requirements.
Caution: CEM's default settings are fully CIS compliant. Too much customization can result in your configurations being noncompliant.
Find and set configuration options
Configuration options include top-level configuration options, benchmark configuration options, and CIS-specific configuration options.
You can find the configuration options for a specific control in the CEM Linux Reference. The reference is divided into sections, with each section representing a benchmark. In those benchmarks, you will see each control listed with several subsections:
- Parameters: Configuration options for a control, along with the data type and default value.
- Config Example: Snippet of Hiera that can be used to configure a control.
- Supported Levels: The supported levels for a CIS control.
- Supported Profiles: The supported profiles for a CIS control.
- Alternate Config IDs: The alternate config IDs for a control. Any of these config IDs, along with the full control name, can be used as a key in the control_config hash.
- Resource: The name of the Puppet resource that enforces the control.
Alternate config IDs
You can specify controls in the control_config hash by referencing the full control name, the control number, the normalized control name, or the normalized control number. You cannot mix and match these forms and must pick a single control ID form to use for your config. Full control names and control numbers are copied verbatim from the benchmarks and are case-sensitive. Normalized control names have lowercase letters and contain only alphanumeric characters and underscores. Normalized control numbers are always prefixed with a c and contain only numeric characters separated by underscores.
Example of alternate config IDs:
- Full control name:
(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
- Control number:
1.1.1
- Normalized control name:
ensure_enforce_password_history_is_set_to_24_or_more_passwords
- Normalized number:
c1_1_1
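The following Ruby is an added example, not code from the cem_linux module: it derives the normalized forms shown above from a full control name and number, and checks that a control_configs hash uses a single ID form as the text requires. The normalization rules are inferred from the examples on this page (level tag dropped, spaces and hyphens to underscores, quotes, parentheses and slashes removed); the module's own implementation may differ.

```ruby
# Added example, not the module's code. Normalization rules are inferred from
# the IDs shown on this page and are an assumption about cem_linux's behaviour.

# "(L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
#   -> "ensure_enforce_password_history_is_set_to_24_or_more_passwords"
def normalize_control_name(full_name)
  name = full_name.sub(/\A\(L\d\)\s*/, '') # drop a leading "(L1)" level tag
  name = name.downcase
  name = name.gsub(/[\s-]+/, '_')          # spaces and hyphens become underscores
  name.gsub(/[^a-z0-9_]/, '')              # quotes, parentheses and slashes are dropped
end

# "1.1.1" -> "c1_1_1"
def normalize_control_number(number)
  unless number.match?(/\A\d+(\.\d+)*\z/)
    raise ArgumentError, "not a control number: #{number.inspect}"
  end
  'c' + number.tr('.', '_')
end

# Classify which of the four accepted ID forms a control_configs key uses.
def id_form(key)
  case key
  when /\A\d+(\.\d+)*\z/ then :number
  when /\Ac\d+(_\d+)*\z/ then :normalized_number
  when /\A[a-z0-9_]+\z/  then :normalized_name
  else :full_name
  end
end

# The page states that ID forms cannot be mixed within one config; return the
# single form in use, or raise so the mistake is caught before a Puppet run.
def single_id_form!(control_configs)
  forms = control_configs.keys.map { |k| id_form(k) }.uniq
  if forms.size > 1
    raise ArgumentError, "mixed control ID forms in control_configs: #{forms.join(', ')}"
  end
  forms.first
end
```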
Resource data
The data that drives CEM Linux is located in directories and files with the following structure:
data/<facts.os.family>/<facts.os.name>/<facts.os.release.major>.yaml
For example:
data/RedHat/RedHat/8.yaml
These Hiera files contain definitions for each Puppet resource that enforces a control.
Caution: Do not modify the resource definitions that drive CEM Linux. If you must change the behavior of a control, configure the control by using the control_config hash.
Top-level configuration options
These configuration options are set at the top level of the module. In Hiera, these options are prefixed with cem_linux::.
- benchmark - Enum['cis'] - The compliance framework to use. CEM supports only cis. Default: cis.
- config - Optional[Hash] - The location for all non-top-level configuration options. Default: undef.
- allow_on_kubernetes_node - Boolean - If cem_linux detects that it is running on a Kubernetes cluster node or host, CEM does not enforce controls and logs a warning to inform the user. In this way, CEM helps to prevent the accidental enforcement of incorrect compliance settings that can render Kubernetes non-functional. Default: false.
- regenerate_grub2_config - Boolean - Some configurations in CEM for Linux modify the Grub2 bootloader configuration. To regenerate the Grub2 configuration after applying a change, set this parameter to true. If you do not set this to true, you must manually regenerate the Grub2 configuration. Default: false.
- set_grub2_password - Boolean - Set the password for the Grub2 bootloader. If you set this to true, you must also set the grub2_superuser and grub2_superuser_password parameters, or configure the specific bootloader password control by using the control_configs option. Default: false.
- grub2_superuser - Optional[String[1]] - The superuser for the Grub2 bootloader if you set set_grub2_password to true. Default: undef.
- grub2_superuser_password - Optional[Sensitive[String]] - The superuser password for the Grub2 bootloader if you set set_grub2_password to true. This value is security-sensitive and should be stored in a Sensitive data type. Default: undef.
Hiera example
The following example configures CEM for Linux to regenerate the Grub2 bootloader config on a node using the CIS benchmark:
cem_linux::benchmark: 'cis'
cem_linux::allow_on_kubernetes_node: false
cem_linux::regenerate_grub2_config: true
cem_linux::config:
...
Benchmark configuration options
The benchmark configuration options are available as key-value pairs within the cem_linux::config hash.
- only - Optional[Array[String]] - Takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp). The classes specified here are included in the catalog. Takes precedence over ignore. Default: undef.
- ignore - Optional[Array[String]] - Takes an array of control class names (manifests/benchmarks/<benchmark>/controls/*.pp). The classes specified here are not included in the catalog. If only is specified, this option does nothing. Default: undef.
- control_configs - Optional[Hash] - Where all rule-specific configurations live. Default: undef.
CIS-specific configuration options
The CIS-specific configuration options are available as key-value pairs within the cem_linux::config hash.
- profile - Optional[Enum['server', 'workstation']] - The name of the benchmark profile. The only value supported by CEM is server. Default: server.
- level - Optional[Enum['1', '2']] - The name of the profile level. The only value supported by CEM is 1. Default: 1.
- firewall_type - Optional[Enum['iptables', 'firewalld', 'unmanaged']] - The preferred firewall provider. If set to unmanaged, CEM will not enforce any firewall-related rules. Default: firewalld.
- enable_nopasswd_sudo_prune - Optional[Boolean] - If set to true, CEM will remove the NOPASSWD option from entries in the /etc/sudoers file. Default: false.
- enable_systemd_journal - Optional[Boolean] - Whether to enable the systemd-journal logging service. The default value is false. If this option is enabled, the systemd-journal-remote package will be installed and the systemd-journal-upload.service service will be enabled. However, several configuration parameters are required to ensure that systemd-journal-upload.service functions correctly:
cem_linux::config:
  control_configs:
    'ensure_systemd_journal_remote_is_configured':
      address: '<IP address or FQDN of the remote host>'
      server_key_file: '<path to the server key file>'
      server_certificate_file: '<path to the server certificate file>'
      trusted_certificate_file: '<path to the trusted certificate file>'
Red Hat Enterprise Linux 8-specific CIS configuration options
The authselect utility can be used to configure user authentication on a Red Hat Enterprise Linux (RHEL) host. If you installed CEM on a RHEL 8 operating system, authselect options are available, but should be avoided in almost all cases. The authselect utility is disabled by default because enablement of authselect can break authentication methods, and use of the utility requires extensive configuration.
The following authselect options are available for RHEL 8:
- use_authselect - Optional[Boolean] - Whether to use authselect to manage most authentication options. Defaults to false. For more information, see Guidelines for enabling the authselect option.
- authselect_profile - Optional[String] - If using authselect, you must specify an authselect profile with this option. Defaults to undef. For more information, see Guidelines for enabling the authselect option.
Configuration examples
To see what CEM looks like in production, see the following configuration examples.
Basic configuration example
When you specify a compliance framework, CEM is configured to provide rule enforcement and configuration for that framework. For example, to enforce the CIS Server Level 1 benchmark for a node, you need to classify the node with the CEM class, set the framework parameter to cis, and run Puppet.
In the following example, CEM enforces the CIS Level 1 server recommendations "Ensure AIDE is installed" and "Ensure filesystem integrity is regularly checked" on a CentOS 7 node.
- Add the following Hiera data to your control repository (control repo):
# control-repo/data/nodes/<node name>.yaml
cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  only:
    - 'ensure_aide_is_installed'
    - 'ensure_filesystem_integrity_is_regularly_checked'
- Classify the node with the class cem_linux.
- Run Puppet.
Some CIS recommendations require you to run a Bolt task. To determine which task to run, review the output of the Puppet debug logs.
Advanced configuration example
Building on the basic configuration example, the following example customizes the AIDE configuration file in Hiera.
- Add the following code to the node's Hiera file:
# control-repo/data/nodes/<node name>.yaml
cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  only:
    - 'ensure_aide_is_installed'
    - 'ensure_filesystem_integrity_is_regularly_checked'
  control_configs:
    ensure_aide_is_installed:
      conf_rules:
        - 'PERMS = p+u+g+acl+xattrs'
        - 'CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs'
      conf_checks:
        - '/root/\..* PERMS'
        - '/root/ CONTENT_EX'
- Classify the node with the class cem_linux.
- Run Puppet.
- Run the Bolt task that is specified in the debug log.
The AIDE configuration file now reflects the changes in Hiera.
Enforce bootloader configurations
In rare cases, it might be useful to enable automatic regeneration of the bootloader configuration, and you might want to set a bootloader password.
Caution: The only bootloader supported by CEM for Linux is grub2.
CEM for Linux enforces various bootloader configurations as required by the selected compliance framework and benchmark. However, because changes to bootloader configurations can be potentially dangerous, a minimalistic approach to configuration changes is used by CEM for Linux.
For CIS, there are several recommendations that modify the bootloader config. If you run CEM for Linux with the full range of default settings, these changes will be applied, but the bootloader config will not be regenerated. While changes are pending on the node, bootloader operations remain the same until the configurations are regenerated. The exception to this is the bootloader password, which is not set by default. The following examples show how you can configure CEM for Linux to automatically regenerate the bootloader config and how you can set a bootloader password.
Regenerate bootloader configs automatically
To regenerate bootloader configurations automatically, locate the following file, where <node name> specifies the name of the affected node.
Edit the file to specify the following setting:
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::regenerate_grub2_config: true
Set a bootloader password
You can set a bootloader password as shown in the following example:
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::regenerate_grub2_config: true
cem_linux::set_grub2_password: true
cem_linux::grub2_superuser: 'root'
cem_linux::grub2_superuser_password: 'password'
lookup_options:
  cem_linux::grub2_superuser_password:
    convert_to: 'Sensitive'
Restriction: The cem_linux::grub2_superuser_password key must be of type Sensitive[String]. Setting a lookup option for that key to convert it to Sensitive is the best way to ensure that the value is a Sensitive[String].
Caution: Do not store plain-text passwords in Hiera. Using something like hiera-eyaml is a better way to store secrets.
Guidelines for enabling the authselect option
The authselect option is disabled by default because enablement of authselect can disrupt authentication methods, and use of the option requires extensive configuration.
Caution: If a node is joined to an Active Directory domain or to Red Hat Identity Management (IdM), do not enable the authselect option. Enabling authselect on these nodes will break your authentication configurations.
Restrictions:
- The authselect option is supported only on Red Hat Enterprise Linux 8.
- You cannot enable the authselect option if you are using pluggable authentication modules (PAM) for application management.
By default, cem_linux uses standard PAM rules to configure the authentication controls specified by CIS. However, if you are enforcing CIS compliance on Red Hat Enterprise Linux 8, CIS guidelines call for authselect to be used. The following example configuration shows how to enable authselect on a node by using the minimal system default profile:
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::config:
  use_authselect: true
  authselect_profile: 'minimal'
To enable the authselect option:
- Set the config option use_authselect to true.
- Specify an authselect profile with the config option authselect_profile.
Both of the options must be set directly in the cem_linux::config hash for the authselect option to work properly.
Custom authselect profiles
If you are enforcing CIS compliance on a Red Hat Enterprise Linux 8 system and you want to enable additional features for your authselect profile, you can create a custom profile.
To create and use a custom authselect profile in cem_linux, prefix the profile name in authselect_profile with custom/. If the custom profile does not exist on the node, the profile will be created automatically. The following example shows how to create and use a custom profile, my_custom_profile, which is based on the system profile minimal with additional features enabled:
# control-repo/data/nodes/<node name>.yaml
---
cem_linux::config:
  use_authselect: true
  authselect_profile: 'custom/my_custom_profile'
  control_configs:
    ensure_custom_authselect_profile_is_used:
      custom_profile_base: 'minimal'
      profile_features:
        - with-faillock
        - with-mkhomedir
Configure authselect
All authselect configurations are managed via the control class ensure_custom_authselect_profile_is_used, regardless of whether you use a custom profile. See the reference for all configuration options.
Configure custom logrotate rules
To help ensure that logs are pruned on a regular basis to conserve system space, you can specify logrotate rules.
The following example creates custom logrotate rules for the primary Puppet server's puppetserver logs.
# control-repo/data/nodes/<your puppetserver>.yaml
---
cem_linux::config:
  control_configs:
    ensure_logrotate_is_configured:
      rules:
        puppetserver:
          path:
            - '/var/log/puppetlabs/puppetserver/puppetserver.log'
            - '/var/log/puppetlabs/puppetserver/pcp-broker.log'
            - '/var/log/puppetlabs/puppetserver/puppetserver-access.log'
            - '/var/log/puppetlabs/puppetserver/puppetserver-daemon.log'
            - '/var/log/puppetlabs/puppetserver/puppetserver-status.log'
            - '/var/log/puppetlabs/puppetserver/code-manager-access.log'
            - '/var/log/puppetlabs/puppetserver/file-sync-access.log'
            - '/var/log/puppetlabs/puppetserver/masterhttp.log'
          create_owner: 'puppet'
          create_group: 'puppet'
Configure sudo without a password
You can give users and user groups the ability to run some or all commands as root without a password.
The following example configures the admins group to grant sudo access without a password (the group key is quoted because a plain YAML scalar cannot start with %):
cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  control_configs:
    ensure_sudo_is_installed:
      package_ensure: 'installed'
      options:
        user_group:
          '%admins':
            options:
              - 'NOPASSWD:'
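Because enable_nopasswd_sudo_prune removes the NOPASSWD tag from /etc/sudoers and the Known issues section warns this can leave the file syntactically invalid, it is worth previewing which rules would change before turning the option on. The following Ruby is an added example, not cem_linux code; it parses a constructed sudoers sample (including a backslash-continued rule) and shows each NOPASSWD rule beside its pruned form.

```ruby
# Added example, not part of the cem_linux module. The sudoers text is a
# constructed sample; point SUDOERS_SAMPLE at File.read('/etc/sudoers') to use it
# for real (reading the file needs root).
SUDOERS_SAMPLE = <<~'SUDOERS'
  # User privilege specification
  root    ALL=(ALL)       ALL
  %admins ALL=(ALL)       NOPASSWD: ALL
  deploy  ALL=(root)      NOPASSWD:/usr/bin/systemctl restart app, \
                          /usr/bin/journalctl -u app
  %wheel  ALL=(ALL)       ALL
  Defaults    env_reset
SUDOERS

# Join backslash continuations so each logical sudoers rule is one string,
# then drop blank lines and comments.
def logical_lines(text)
  rules = []
  pending = +''
  text.each_line do |raw|
    line = raw.chomp
    if line.end_with?('\\')               # continuation: glue the next line on
      pending << line.chomp('\\') << ' '
    else
      rules << pending + line
      pending = +''
    end
  end
  rules << pending unless pending.empty?
  rules.map(&:strip).reject { |r| r.empty? || r.start_with?('#') }
end

# Return one {rule:, pruned:} hash per user/group rule that carries NOPASSWD.
# Defaults and *_Alias lines are skipped because the tag is not valid there.
def nopasswd_entries(text)
  logical_lines(text).filter_map do |rule|
    next if rule.start_with?('Defaults') || rule.match?(/\A\w+_Alias\b/)
    next unless rule.match?(/\bNOPASSWD:/)
    # Remove only the tag; user, host, runas spec and command list are kept.
    { rule: rule, pruned: rule.gsub(/\bNOPASSWD:\s*/, '').squeeze(' ') }
  end
end

if $PROGRAM_NAME == __FILE__
  nopasswd_entries(SUDOERS_SAMPLE).each do |e|
    puts "before: #{e[:rule]}"
    puts "after:  #{e[:pruned]}"
  end
end
```

Write the pruned rules to a scratch copy and check it with visudo -c -f <copy> before enabling the option on managed nodes.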
Configure user SSH keys
To use the Secure Shell (SSH) protocol for communication between computers, you must configure SSH keys. You can also configure SSH keys for individual users. In the following example, keys are configured for testuser1 and testuser2:
cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  control_configs:
    ensure_permissions_on_etcsshsshd_config_are_configured:
      permit_root_login: 'yes'
      user_ssh_keys:
        testuser1:
          username: testuser1
          home_dir: /home/testuser1
          ssh_key: ssh-rsa A...ZcTFw== rsa-key-20201022
        testuser2:
          username: testuser2
          home_dir: /home/testuser2
          ssh_key: ssh-rsa A...ZcTFw== rsa-key-20201022
Configure SSH permissions for users and groups
You can configure SSH at a granular level to specify users and groups that are granted or denied permissions. The following example configures SSH to grant permissions to some users and groups and deny permissions to other users and groups:
cem_linux::benchmark: 'cis'
cem_linux::config:
  control_configs:
    ensure_permissions_on_etcsshsshd_config_are_configured:
      allow_users:
        - testuser1
        - the_dude
      allow_groups:
        - testgroup1
        - goonies
      deny_users:
        - testuser2
        - the_emperor
      deny_groups:
        - testgroup2
        - legion_of_doom
Configure the firewall type
The following examples configure the firewall.
Restriction: Firewalls that are based on the nftables framework are not supported. Use the firewalld or iptables setting instead.
firewalld is the default setting:
cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'firewalld'
You can also specify a value of iptables:
cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'iptables'
You can also specify a value of unmanaged. When you set the firewall_type parameter to unmanaged, CEM does not enforce a state on any firewall resource. Use unmanaged if you do not want CEM to configure your firewalls.
cem_linux::benchmark: 'cis'
cem_linux::config:
  profile: 'server'
  level: '1'
  firewall_type: 'unmanaged'
Rules that rely on site-specific information
Some CIS rules require information that is specific to a customer site. You can use Bolt tasks to configure these rules.
Bolt tasks in Puppet Enterprise (PE)
Using PE, you can run Bolt tasks and plans to audit or configure specific parts of a node. To run Bolt tasks, open the PE console and select the Tasks menu. Then, select cem_linux.
Run Bolt tasks from the command line
You can also run Bolt tasks from the command line.
- Install Puppet Development Kit (PDK) and Bolt.
- In the root of the CEM directory, run the pdk bundle exec rake 'spec_prep' command. This command downloads the required dependencies as RSpec fixtures, and then creates a symbolic link from the module directory to the fixtures directory.
- Run the tasks on one or more hosts. For example:
bolt task run comply_enforcement_module::audit_unowned_files_and_directories -t $nodefqdn --modulepath spec/fixtures/modules
You must add the --modulepath spec/fixtures/modules option to Bolt commands. Otherwise, Bolt is not able to find the tasks and plans.
Known issues
The current release includes known issues and restrictions. In most cases, workarounds are provided.
Comply scan issues
During a Comply scan, you might see errors about CIS recommended guidelines that are not enforced. These error messages are triggered by bugs in the CIS-CAT Pro Assessor that is bundled with Comply. CEM does correctly enforce these settings.
The following Comply scan errors might be reported:
- Red Hat Enterprise Linux Benchmark v2.0.0:
  - 1.4.2 - Ensure permissions on bootloader are configured: On EFI systems, the script that was run by the CIS-CAT Pro Assessor did not locate the correct grub file path. Permissions are set correctly by CEM. No action is required.
  - 1.4.1 - Ensure bootloader password is set: On EFI systems, the script that was run by the CIS-CAT Pro Assessor did not locate the correct grub file path. It is not mandatory to set a bootloader password. However, if you want to set a password to protect your system against unauthorized startup, follow the instructions in Setting a bootloader password.
  - 4.1.2.3 - Ensure system is disabled when audit logs are full: This is set to halt by CEM. The CIS-CAT Pro Assessor shows this incorrectly as a scan failure. No action is required.
  - 5.2.18 - Ensure SSH MaxSessions is set to 10 or less: This is set to 10 by default. The CIS-CAT Pro Assessor shows this incorrectly as a scan failure. The scanner incorrectly looks for <=4 instead of <=10. No action is required.
  - 3.3. - Ensure secure ICMP redirects are not accepted: The parameters are set correctly by CEM. However, when scans are performed on a system monitored by Google (i.e., a Google Cloud VM instance), the result is a failed scan. This happens because the system monitored by Google has a separate file that manages sysctl configs. The parameters in the file created by Google override the parameters in the file created by CEM.
General issues and limitations
- Starting with v1.3.0, CEM for Linux implements a new architecture. If you upgrade CEM from v1.2.0 or earlier to v1.3.0 or later, and you encounter errors, try restarting the pe-puppetserver service or restarting or reloading Puppet Server. For instructions, see Restarting Puppet Server.
- You cannot use the iolog_dir option to specify a directory for sudo log files. If you attempt to use the iolog_dir option in the sudoers file to specify a log directory other than the default, errors are reported by the Augeas program. Augeas is a tool used for configuration editing in CEM.
- CEM cannot create file system partitions. This limitation can cause certain scanner checks to fail.
- CEM cannot set permissions on removable media partitions. To set the required permissions on these partitions, ensure that nodev,nosuid,noexec exists in the options portion of /etc/fstab for the partition.
- Support for the eXecute Disable/No eXecute (XD/NX) hardware feature is dependent on the host kernel and cannot be configured by CEM. If you plan to enable XD/NX support, ensure that you are using up-to-date kernels. If you plan to enable XD/NX support on newer kernels, be aware that CEM cannot manage this feature.
- To comply with CIS recommendations, you must prevent root users from logging onto the system console. Because this action requires knowledge of the site, you must configure this control manually by removing entries in /etc/securetty for consoles that are not in secure locations.
- CEM does not enforce authselect controls for CIS 2.0.0 5.4.x on Red Hat Enterprise Linux 8. Enforcement requires site knowledge and can break network authentication. CIS recommends that you do not enforce this control. CEM includes a Bolt task, audit_authselect, to audit these controls.
- You can configure the ensure_nodev_option_set_on_home_partition control only if /home is mounted on its own partition. Puppet does not create a partition for /home.
- If your system is running on Red Hat Enterprise Linux 8:
  - The ensure_nis_server_is_not_installed control is dependent on ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked. If you enforce ensure_nis_server_is_not_installed, you must also enforce ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked.
  - The ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked control is dependent on ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked. If you do not enforce ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked, you must also not enforce ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked.
  - The ensure_the_running_and_on_disk_configuration_is_the_same control is always enforced if auditd is managed by CEM.
- The ensure_users_must_provide_password_for_escalation control is disabled by default. You might want to enable this control to help ensure CIS compliance. However, a potential risk exists: removing NOPASSWD: from sudoers files could invalidate the syntax of those files and break system authentication. If you accept the risk and want to enable this control, set the top-level configuration option enable_nopasswd_sudo_prune to true.
- If your system is running on Red Hat Enterprise Linux 7 or CentOS 7:
  - The ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked control is dependent on ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked. If you enforce ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked, you must also enforce ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked.
- The disable_wireless_interfaces control requires that you install the NetworkManager package and that the service is running.
- The ensure_system_is_disabled_when_audit_logs_are_full control will halt the system when the audit logs are full. If you do not want the system to halt, configure this control's parameter admin_space_left_action to syslog.
CEM Linux Reference
Table of Contents
- CIS CentOS Linux 7 Benchmark 3.1.2
- CIS Red Hat Enterprise Linux 7 Benchmark 3.1.1
- CIS Red Hat Enterprise Linux 8 Benchmark 2.0.0
CIS CentOS Linux 7 Benchmark 3.1.2
1.1.1.1 - Ensure mounting of cramfs filesystems is disabled
- Parameters: filesystem - [String[1]] - Default: cramfs
- Supported Levels: level_1, level_2
- Supported Profiles: server, workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure mounting of cramfs filesystems is disabled":
      filesystem: "cramfs"
- Alternate Config IDs: 1.1.1.1, c1_1_1_1, ensure_mounting_of_cramfs_filesystems_is_disabled
- Resource: Cem_linux::Utils::Disable_fs_mounting['Disable cramfs filesystem mounting']
1.1.1.2 - Ensure mounting of squashfs filesystems is disabled
- Parameters: filesystem - [String[1]] - Default: squashfs
- Supported Levels: level_2
- Supported Profiles: server, workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure mounting of squashfs filesystems is disabled":
      filesystem: "squashfs"
- Alternate Config IDs: 1.1.1.2, c1_1_1_2, ensure_mounting_of_squashfs_filesystems_is_disabled
- Resource: Cem_linux::Utils::Disable_fs_mounting['Disable squashfs filesystem mounting']
1.1.1.3 - Ensure mounting of udf filesystems is disabled
- Parameters: filesystem - [String[1]] - Default: udf
- Supported Levels: level_1, level_2
- Supported Profiles: server, workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure mounting of udf filesystems is disabled":
      filesystem: "udf"
- Alternate Config IDs: 1.1.1.3, c1_1_1_3, ensure_mounting_of_udf_filesystems_is_disabled
- Resource: Cem_linux::Utils::Disable_fs_mounting['Disable udf filesystem mounting']
1.1.3 - Ensure noexec option set on /tmp partition
- Parameters: noexec - [Optional[Boolean]] - Default: true
- Supported Levels: level_1, level_2
- Supported Profiles: server, workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure noexec option set on /tmp partition":
      noexec: true
- Alternate Config IDs: 1.1.3, c1_1_3, ensure_noexec_option_set_on_tmp_partition
- Resource: Class['cem_linux::utils::services::systemd::tmp_mount']
1.1.4 - Ensure nodev option set on /tmp partition
- Parameters: nodev - [Optional[Boolean]] - Default: true
- Supported Levels: level_1, level_2
- Supported Profiles: server, workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure nodev option set on /tmp partition":
      nodev: true
- Alternate Config IDs: 1.1.4, c1_1_4, ensure_nodev_option_set_on_tmp_partition
- Resource: Class['cem_linux::utils::services::systemd::tmp_mount']
1.1.5 - Ensure nosuid option set on /tmp partition
- Parameters: nosuid - [Optional[Boolean]] - Default: true
- Supported Levels: level_1, level_2
- Supported Profiles: server, workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure nosuid option set on /tmp partition":
      nosuid: true
- Alternate Config IDs: 1.1.5, c1_1_5, ensure_nosuid_option_set_on_tmp_partition
- Resource: Class['cem_linux::utils::services::systemd::tmp_mount']
1.1.7 - Ensure noexec option set on /dev/shm partition
- Parameters: noexec - [Boolean] - Default: true
- Supported Levels: level_1, level_2
- Supported Profiles: server, workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure noexec option set on /dev/shm partition":
      noexec: true
- Alternate Config IDs: 1.1.7, c1_1_7, ensure_noexec_option_set_on_devshm_partition
- Resource: Class['cem_linux::utils::dev_shm_fstab_entry']
1.1.8 - Ensure nodev option set on /dev/shm partition
- Parameters:
nodev
- [Boolean] - Default:true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure nodev option set on /dev/shm partition":
nodev: true
- Alternate Config IDs:
1.1.8
c1_1_8
ensure_nodev_option_set_on_devshm_partition
- Resource:
Class['cem_linux::utils::dev_shm_fstab_entry']
1.1.9 - Ensure nosuid option set on /dev/shm partition
- Parameters:
nosuid
- [Boolean] - Default:true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure nosuid option set on /dev/shm partition":
nosuid: true
- Alternate Config IDs:
1.1.9
c1_1_9
ensure_nosuid_option_set_on_devshm_partition
- Resource:
Class['cem_linux::utils::dev_shm_fstab_entry']
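The three /tmp controls (1.1.3 to 1.1.5) and the three /dev/shm controls (1.1.7 to 1.1.9) each toggle one mount option, and judging by the resource names the module enforces them through a systemd tmp.mount unit and an fstab entry respectively. What a practitioner wants next to the enforcement is an audit of what the kernel actually mounted, because an fstab edit that has not been remounted still fails the CIS check, and a /tmp that is not a separate mount at all cannot carry these options. The Python below is an added example, not cem_linux code: it parses /proc/self/mounts (the sample text is constructed for the example) and reports, per mount point, which of noexec, nodev and nosuid are absent, or that the path is not a separate mount.

```python
"""Audit the mount options CIS 1.1.3-1.1.5 (/tmp) and 1.1.7-1.1.9 (/dev/shm) require.

Added example, not cem_linux code. Input is /proc/self/mounts text; the
sample below is constructed for the example.
"""
import re
import sys

# Option each control enforces: noexec (1.1.3/1.1.7), nodev (1.1.4/1.1.8), nosuid (1.1.5/1.1.9)
REQUIRED = {
    "/tmp": ("noexec", "nodev", "nosuid"),
    "/dev/shm": ("noexec", "nodev", "nosuid"),
}

# Constructed sample: /tmp is a separate tmpfs but lacks noexec; /dev/shm is compliant.
SAMPLE_MOUNTS = """\
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
"""


def _unescape(field: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> dict:
    """Map mount point -> set of options. A later line for the same path wins,
    which is how the kernel resolves mounts stacked on one directory."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts[_unescape(parts[1])] = set(parts[3].split(","))
    return mounts


def audit(text: str, required: dict = REQUIRED) -> dict:
    """Return {mount point: [missing options]}; the value is None when the path
    is not a separate mount at all (the control presumes it is)."""
    mounts = parse_mounts(text)
    return {
        mp: (None if mp not in mounts else [o for o in opts if o not in mounts[mp]])
        for mp, opts in required.items()
    }


if __name__ == "__main__":
    # `--live` reads the running system; the default keeps the example offline.
    if "--live" in sys.argv[1:]:
        with open("/proc/self/mounts") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MOUNTS
    for mp, missing in audit(text).items():
        if missing is None:
            print(f"FAIL {mp}: not a separate mount")
        elif missing:
            print(f"FAIL {mp}: missing {','.join(missing)}")
        else:
            print(f"PASS {mp}")
```

Run it with `--live` on a node after a Puppet run; a FAIL for /tmp on a host where the tmp.mount unit was written but the filesystem was never remounted is the usual finding, and a None result means the partitioning prerequisite of the control is not met rather than the option.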
1.1.22 - Ensure sticky bit is set on all world-writable directories
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.1.22
c1_1_22
ensure_sticky_bit_is_set_on_all_world_writable_directories
- Resource:
Class['cem_linux::utils::sticky_bit']
1.1.23 - Disable Automounting
- Parameters:
service
- [String[1]] - Default:autofs
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Disable Automounting":
service: "autofs"
- Alternate Config IDs:
1.1.23
c1_1_23
disable_automounting
- Resource:
Cem_linux::Utils::Disable_service['Disable autofs']
1.1.24 - Disable USB Storage
- Parameters:
filesystem
- [String[1]] - Default:usb-storage
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Disable USB Storage":
filesystem: "usb-storage"
- Alternate Config IDs:
1.1.24
c1_1_24
disable_usb_storage
- Resource:
Cem_linux::Utils::Disable_fs_mounting['Disable usb storage']
1.2.3 - Ensure gpgcheck is globally activated
- Parameters:
yum_conf
- [Optional[String[1]]] - Default:/etc/yum.conf
repo_files
- [Optional[Array[String[1]]]] - Default:undef
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure gpgcheck is globally activated":
yum_conf: "/etc/yum.conf"
repo_files: <<Type Array[String[1]]>>
- Alternate Config IDs:
1.2.3
c1_2_3
ensure_gpgcheck_is_globally_activated
- Resource:
Class['cem_linux::utils::yum::enable_gpgcheck']
1.3.1 - Ensure AIDE is installed
- Parameters:
control_package
- [Optional[Boolean]] - Default:true
package_ensure
- [Optional[String]] - Default:present
manage_config
- [Optional[Boolean]] - Default:true
run_scheduled
- [Optional[Boolean]] - Default:true
scheduler
- [Optional[Enum["systemd", "cron"]]] - Default:systemd
systemd_timer_schedule
- [Optional[String]] - Default:*-*-* 00:00:00
conf_purge
- [Optional[Boolean]] - Default:undef
conf_db_dir
- [Optional[String]] - Default:/var/lib/aide
conf_log_dir
- [Optional[String]] - Default:/var/log/aide
conf_verbosity
- [Optional[Integer]] - Default:5
conf_report_urls
- [Optional[Array[String]]] - Default:["file:@@{LOGDIR}/aide.log", "stdout"]
conf_rules
- [Optional[Array[String]]] - Default:["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"]
conf_checks
- [Optional[Array[String]]] - Default:["/boot/ CONTENT_EX", "/bin/ CONTENT_EX", "/sbin/ CONTENT_EX", "/lib/ CONTENT_EX", "/lib64/ CONTENT_EX", "/opt/ CONTENT_EX", "/root/\\..* PERMS", "/root/ CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/ CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$ CONTENT_EX", "/etc/group$ CONTENT_EX", "/etc/gshadow$ CONTENT_EX", "/etc/shadow$ CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/ PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure AIDE is installed":
control_package: true
package_ensure: "present"
manage_config: true
run_scheduled: true
scheduler: "systemd"
systemd_timer_schedule: "*-*-* 00:00:00"
conf_purge: <<Type Boolean>>
conf_db_dir: "/var/lib/aide"
conf_log_dir: "/var/log/aide"
conf_verbosity: 5
conf_report_urls: ["file:@@{LOGDIR}/aide.log", "stdout"]
conf_rules: ["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"]
conf_checks: ["/boot/ CONTENT_EX", "/bin/ CONTENT_EX", "/sbin/ CONTENT_EX", "/lib/ CONTENT_EX", "/lib64/ CONTENT_EX", "/opt/ CONTENT_EX", "/root/\\..* PERMS", "/root/ CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/ CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$ CONTENT_EX", "/etc/group$ CONTENT_EX", "/etc/gshadow$ CONTENT_EX", "/etc/shadow$ CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/ PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"]
- Alternate Config IDs:
1.3.1
c1_3_1
ensure_aide_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::aide']
1.4.1 - Ensure bootloader password is set
- Parameters:
superuser
- [Optional[String[1]]] - Default:undef
superuser_password
- [Optional[Sensitive[String]]] - Default:undef
regenerate_config
- [Boolean]
password_file
- [Stdlib::UnixPath] - Default:/etc/grub.d/50_password
replace_password_file
- [Boolean]
hash_superuser_password
- [Boolean] - Default:true
superuser_password_salt_length
- [Optional[Integer]] - Default:undef
superuser_password_buffer_length
- [Optional[Integer]] - Default:undef
superuser_password_iterations
- [Optional[Integer]] - Default:undef
other_users
- [Optional[Array[Struct[{username=>String[1], password=>Any, salt_length=>Optional[Integer], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]]] - Default:undef
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure bootloader password is set":
superuser: <<Type String[1]>>
superuser_password: <<Type Sensitive[String]>>
regenerate_config: false
password_file: "/etc/grub.d/50_password"
replace_password_file: false
hash_superuser_password: true
superuser_password_salt_length: <<Type Integer>>
superuser_password_buffer_length: <<Type Integer>>
superuser_password_iterations: <<Type Integer>>
other_users: <<Type Array[Struct[{username=>String[1], password=>Any, salt_length=>Optional[Integer], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]>>
- Alternate Config IDs:
1.4.1
c1_4_1
ensure_bootloader_password_is_set
- Resource:
Class['cem_linux::utils::bootloader::grub2::password']
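GRUB2 accepts a superuser password either in cleartext (`password`) or as a PBKDF2-SHA512 hash (`password_pbkdf2`) in the format written by grub-mkpasswd-pbkdf2, which is why hash_superuser_password defaults to true. The salt_length, buffer_length and iterations parameters correspond by name to that tool's -s, -l and -c options (64 bytes, 64 bytes and 10000 rounds by default); that mapping, and the layout of the rendered /etc/grub.d snippet, are assumptions made in this added example rather than something the module documents. The Python below is not cem_linux code: it generates a hash in the grub.pbkdf2.sha512 format, verifies a password against one, gates on iteration count and salt size (useful when a pre-hashed value arrives through Hiera with hash_superuser_password set to false), and renders an /etc/grub.d fragment.

```python
"""GRUB2 PBKDF2-SHA512 password hashes, as accepted by `password_pbkdf2`.

Added example, not cem_linux code. Hash format (matches grub-mkpasswd-pbkdf2):
    grub.pbkdf2.sha512.<iterations>.<salt hex>.<derived key hex>
"""
from __future__ import annotations

import hashlib
import hmac
import os


def grub_pbkdf2_hash(password: str, *, iterations: int = 10000, salt_length: int = 64,
                     buffer_length: int = 64, salt: bytes | None = None) -> str:
    """Derive a hash string. Defaults mirror grub-mkpasswd-pbkdf2 (-c 10000 -s 64 -l 64).
    Pass `salt` only for reproducible tests; in production leave it to os.urandom."""
    if salt is None:
        salt = os.urandom(salt_length)
    key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=buffer_length)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{key.hex().upper()}"


def parse_grub_hash(hashed: str) -> tuple[int, bytes, bytes]:
    """Split a hash string into (iterations, salt, derived key); reject anything else."""
    parts = hashed.split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    return int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5])


def verify_grub_hash(password: str, hashed: str) -> bool:
    """Constant-time comparison of the re-derived key against the stored one."""
    iterations, salt, expected = parse_grub_hash(hashed)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def hash_is_strong(hashed: str, min_iterations: int = 10000, min_salt_bytes: int = 16) -> bool:
    """Policy gate for pre-hashed values supplied through Hiera rather than generated locally."""
    iterations, salt, _ = parse_grub_hash(hashed)
    return iterations >= min_iterations and len(salt) >= min_salt_bytes


def render_password_file(superuser: str, hashed: str) -> str:
    """Contents of an /etc/grub.d snippet (the 50_password name above) declaring the superuser.
    The layout is this example's assumption; the module's own template may differ."""
    return (
        "#!/bin/sh\n"
        "# MANAGED BY PUPPET: run grub2-mkconfig after changing\n"
        "cat << EOF\n"
        f'set superusers="{superuser}"\n'
        f"password_pbkdf2 {superuser} {hashed}\n"
        "EOF\n"
    )


if __name__ == "__main__":
    import getpass
    pw = getpass.getpass("GRUB superuser password: ")
    h = grub_pbkdf2_hash(pw)
    assert verify_grub_hash(pw, h)
    print(render_password_file("root", h))
```

Whichever side produces the hash, the new superuser entry is only live once grub.cfg has been regenerated; the regenerate_config parameter presumably governs that step (inferred from its name). Keep superuser_password wrapped in Sensitive, as the type signature requires, so the cleartext does not land in reports or catalogs.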
1.4.2 - Ensure permissions on bootloader config are configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.4.2
c1_4_2
ensure_permissions_on_bootloader_config_are_configured
- Resource:
Class['cem_linux::utils::bootloader::grub2::permissions']
1.4.3 - Ensure authentication required for single user mode
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.4.3
c1_4_3
ensure_authentication_required_for_single_user_mode
- Resource:
Class['cem_linux::utils::services::systemd::secure_rescue_service']
1.4.3 - Ensure authentication required for single user mode
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.4.3
c1_4_3
ensure_authentication_required_for_single_user_mode
- Resource:
Class['cem_linux::utils::services::systemd::secure_emergency_service']
1.5.1 - Ensure core dumps are restricted
- Parameters:
limits_file
- [Optional[String]] - Default:10-disable_core_dumps.conf
sysctl_file
- [Optional[String]] - Default:10-disable_core_dumps.conf
service_content
- [Optional[String]] - Default:"# THIS FILE IS MANAGED BY PUPPET\n[Coredump]\nStorage=none\nProcessSizeMax=0\n"
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure core dumps are restricted":
limits_file: "10-disable_core_dumps.conf"
sysctl_file: "10-disable_core_dumps.conf"
service_content: "# THIS FILE IS MANAGED BY PUPPET\n[Coredump]\nStorage=none\nProcessSizeMax=0\n"
- Alternate Config IDs:
1.5.1
c1_5_1
ensure_core_dumps_are_restricted
- Resource:
Class['cem_linux::utils::disable_core_dumps']
1.5.3 - Ensure address space layout randomization (ASLR) is enabled
- Parameters:
sysctl_file
- [Optional[String]] - Default:10-enable_aslr.conf
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure address space layout randomization (ASLR) is enabled":
sysctl_file: "10-enable_aslr.conf"
- Alternate Config IDs:
1.5.3
c1_5_3
ensure_address_space_layout_randomization_aslr_is_enabled
- Resource:
Class['cem_linux::utils::enable_aslr']
1.5.4 - Ensure prelink is not installed
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.5.4
c1_5_4
ensure_prelink_is_not_installed
- Resource:
Class['cem_linux::utils::disable_prelink']
1.6.1.1 - Ensure SELinux is installed
- Parameters:
manage_package
- [Optional[Boolean]] - Default:true
package_name
- [Optional[String[1]]] - Default:libselinux
mode
- [Optional[Enum["permissive", "enforcing"]]] - Default:enforcing
type
- [Optional[Enum["targeted", "mls"]]] - Default:targeted
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SELinux is installed":
manage_package: true
package_name: "libselinux"
mode: "enforcing"
type: "targeted"
- Alternate Config IDs:
1.6.1.1
c1_6_1_1
ensure_selinux_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.2 - Ensure SELinux is not disabled in bootloader configuration
- Parameters:
enable_selinux
- [Boolean] - Default:true
selinux_mode
- [Enum["permissive", "enforcing"]] - Default:enforcing
regenerate_config
- [Boolean]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SELinux is not disabled in bootloader configuration":
enable_selinux: true
selinux_mode: "enforcing"
regenerate_config: false
- Alternate Config IDs:
1.6.1.2
c1_6_1_2
ensure_selinux_is_not_disabled_in_bootloader_configuration
- Resource:
Class['cem_linux::utils::bootloader::grub2::selinux']
1.6.1.3 - Ensure SELinux policy is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.6.1.3
c1_6_1_3
ensure_selinux_policy_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.4 - Ensure the SELinux mode is enforcing or permissive
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.6.1.4
c1_6_1_4
ensure_the_selinux_mode_is_enforcing_or_permissive
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.5 - Ensure the SELinux mode is enforcing
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.6.1.5
c1_6_1_5
ensure_the_selinux_mode_is_enforcing
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.7 - Ensure SETroubleshoot is not installed
- Parameters:
pkg_name
- [String[1]] - Default:setroubleshoot
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure SETroubleshoot is not installed":
pkg_name: "setroubleshoot"
- Alternate Config IDs:
1.6.1.7
c1_6_1_7
ensure_setroubleshoot_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install setroubleshoot']
1.6.1.8 - Ensure the MCS Translation Service (mcstrans) is not installed
- Parameters:
pkg_name
- [String[1]] - Default:mcstrans
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure the MCS Translation Service (mcstrans) is not installed":
pkg_name: "mcstrans"
- Alternate Config IDs:
1.6.1.8
c1_6_1_8
ensure_the_mcs_translation_service_mcstrans_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install mcs translation service']
1.7.1 - Ensure message of the day is configured properly
- Parameters:
dynamic_motd
- [Optional[Boolean]] - Default:true
motd_template
- [Optional[String[1]]] - Default:undef
motd_content
- [Optional[String]] - Default:""
issue_content
- [Optional[String]] - Default:This is a secure system. Unauthorized access is strictly prohibited.
issue_net_content
- [Optional[String]] - Default:This is a secure system. Unauthorized access is strictly prohibited.
issue_template
- [Optional[String[1]]] - Default:undef
issue_net_template
- [Optional[String[1]]] - Default:undef
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure message of the day is configured properly":
dynamic_motd: true
motd_template: <<Type String[1]>>
motd_content: ""
issue_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
issue_net_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
issue_template: <<Type String[1]>>
issue_net_template: <<Type String[1]>>
- Alternate Config IDs:
1.7.1
c1_7_1
ensure_message_of_the_day_is_configured_properly
- Resource:
Class['cem_linux::utils::motd']
1.7.2 - Ensure local login warning banner is configured properly
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.7.2
c1_7_2
ensure_local_login_warning_banner_is_configured_properly
- Resource:
Class['cem_linux::utils::motd']
1.7.3 - Ensure remote login warning banner is configured properly
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.7.3
c1_7_3
ensure_remote_login_warning_banner_is_configured_properly
- Resource:
Class['cem_linux::utils::motd']
1.7.4 - Ensure permissions on /etc/motd are configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.7.4
c1_7_4
ensure_permissions_on_etcmotd_are_configured
- Resource:
Class['cem_linux::utils::motd']
1.7.5 - Ensure permissions on /etc/issue are configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.7.5
c1_7_5
ensure_permissions_on_etcissue_are_configured
- Resource:
Class['cem_linux::utils::motd']
1.7.6 - Ensure permissions on /etc/issue.net are configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
1.7.6
c1_7_6
ensure_permissions_on_etcissue_net_are_configured
- Resource:
Class['cem_linux::utils::motd']
2.1.1 - Ensure xinetd is not installed
- Parameters:
pkg_name
- [String[1]] - Default:xinetd
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure xinetd is not installed":
pkg_name: "xinetd"
- Alternate Config IDs:
2.1.1
c2_1_1
ensure_xinetd_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install xinetd']
2.2.1.1 - Ensure time synchronization is in use
- Parameters:
preferred_package
- [Optional[Enum["chrony", "ntp"]]] - Default:chrony
manage_package
- [Optional[Boolean]] - Default:true
force_exclusivity
- [Optional[Boolean]] - Default:true
timeservers
- [Optional[Array[String[1]]]] - Default:undef
sysconfig_options
- [Optional[String[1]]] - Default:undef
ntp_restricts
- [Optional[Array[String[1]]]] - Default:["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure time synchronization is in use":
preferred_package: "chrony"
manage_package: true
force_exclusivity: true
timeservers: <<Type Array[String[1]]>>
sysconfig_options: <<Type String[1]>>
ntp_restricts: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]
- Alternate Config IDs:
2.2.1.1
c2_2_1_1
ensure_time_synchronization_is_in_use
- Resource:
Class['cem_linux::utils::timesync']
2.2.1.2 - Ensure chrony is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
2.2.1.2
c2_2_1_2
ensure_chrony_is_configured
- Resource:
Class['cem_linux::utils::timesync']
2.2.1.3 - Ensure ntp is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
2.2.1.3
c2_2_1_3
ensure_ntp_is_configured
- Resource:
Class['cem_linux::utils::timesync']
2.2.2 - Ensure X11 Server components are not installed
- Parameters:
pkg_name
- [String[1]] - Default:xorg-x11-server*
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure X11 Server components are not installed":
pkg_name: "xorg-x11-server*"
- Alternate Config IDs:
2.2.2
c2_2_2
ensure_x11_server_components_are_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install x11 server components']
2.2.3 - Ensure Avahi Server is not installed
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
2.2.3
c2_2_3
ensure_avahi_server_is_not_installed
- Resource:
Class['cem_linux::utils::remove_avahi_server']
2.2.4 - Ensure CUPS is not installed
- Parameters:
pkg_name
- [String[1]] - Default:cups
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure CUPS is not installed":
pkg_name: "cups"
- Alternate Config IDs:
2.2.4
c2_2_4
ensure_cups_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install CUPS']
2.2.5 - Ensure DHCP Server is not installed
- Parameters:
pkg_name
- [String[1]] - Default:dhcp
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure DHCP Server is not installed":
pkg_name: "dhcp"
- Alternate Config IDs:
2.2.5
c2_2_5
ensure_dhcp_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use DHCP server']
2.2.6 - Ensure LDAP server is not installed
- Parameters:
pkg_name
- [String[1]] - Default:openldap-servers
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure LDAP server is not installed":
pkg_name: "openldap-servers"
- Alternate Config IDs:
2.2.6
c2_2_6
ensure_ldap_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not LDAP server']
2.2.7 - Ensure DNS Server is not installed
- Parameters:
pkg_name
- [String[1]] - Default:bind
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure DNS Server is not installed":
pkg_name: "bind"
- Alternate Config IDs:
2.2.7
c2_2_7
ensure_dns_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use DNS server']
2.2.8 - Ensure FTP Server is not installed
- Parameters:
pkg_name
- [String[1]] - Default:vsftpd
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure FTP Server is not installed":
pkg_name: "vsftpd"
- Alternate Config IDs:
2.2.8
c2_2_8
ensure_ftp_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use ftp server']
2.2.9 - Ensure HTTP server is not installed
- Parameters:
pkg_name
- [String[1]] - Default:httpd
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure HTTP server is not installed":
pkg_name: "httpd"
- Alternate Config IDs:
2.2.9
c2_2_9
ensure_http_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use HTTP Server']
2.2.10 - Ensure IMAP and POP3 server is not installed
- Parameters:
mail_servers
- [Array[String]] - Default:["dovecot", "postfix"]
uninstall_options
- [Optional[Array[String[1]]]] - Default:["--nodeps"]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure IMAP and POP3 server is not installed":
mail_servers: ["dovecot", "postfix"]
uninstall_options: ["--nodeps"]
- Alternate Config IDs:
2.2.10
c2_2_10
ensure_imap_and_pop3_server_is_not_installed
- Resource:
Class['cem_linux::utils::remove_imap_and_pop3']
2.2.11 - Ensure Samba is not installed
- Parameters:
pkg_name
- [String[1]] - Default:samba
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure Samba is not installed":
pkg_name: "samba"
- Alternate Config IDs:
2.2.11
c2_2_11
ensure_samba_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use Samba']
2.2.12 - Ensure HTTP Proxy Server is not installed
- Parameters:
proxy_packages
- [Optional[Array[String]]] - Default:undef
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure HTTP Proxy Server is not installed":
proxy_packages: <<Type Array[String]>>
- Alternate Config IDs:
2.2.12
c2_2_12
ensure_http_proxy_server_is_not_installed
- Resource:
Class['cem_linux::utils::remove_http_proxy']
2.2.13 - Ensure net-snmp is not installed
- Parameters:
pkg_name
- [String[1]] - Default:net-snmp
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure net-snmp is not installed":
pkg_name: "net-snmp"
- Alternate Config IDs:
2.2.13
c2_2_13
ensure_net_snmp_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use net-snmp']
2.2.14 - Ensure NIS server is not installed
- Parameters:
pkg_name
- [String[1]] - Default:ypserv
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure NIS server is not installed":
pkg_name: "ypserv"
- Alternate Config IDs:
2.2.14
c2_2_14
ensure_nis_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Disable NIS Server']
2.2.15 - Ensure telnet-server is not installed
- Parameters:
pkg_name
- [String[1]] - Default:telnet-server
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure telnet-server is not installed":
pkg_name: "telnet-server"
- Alternate Config IDs:
2.2.15
c2_2_15
ensure_telnet_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Remove Telnet server']
2.2.16 - Ensure mail transfer agent is configured for local-only mode
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
2.2.16
c2_2_16
ensure_mail_transfer_agent_is_configured_for_local_only_mode
- Resource:
Class['cem_linux::utils::local_only_mta']
2.2.17 - Ensure nfs-utils is not installed or the nfs-server service is masked
- Parameters:
keep_nfsutils
- [Boolean]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure nfs-utils is not installed or the nfs-server service is masked":
keep_nfsutils: false
- Alternate Config IDs:
2.2.17
c2_2_17
ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked
- Resource:
Class['cem_linux::utils::disable_or_remove_nfs']
2.2.18 - Ensure rpcbind is not installed or the rpcbind services are masked
- Parameters:
keep_rpcbind
- [Boolean]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure rpcbind is not installed or the rpcbind services are masked":
keep_rpcbind: false
- Alternate Config IDs:
2.2.18
c2_2_18
ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked
- Resource:
Class['cem_linux::utils::disable_or_remove_rpcbind']
2.2.19 - Ensure rsync is not installed or the rsyncd service is masked
- Parameters:
keep_rsync
- [Boolean]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure rsync is not installed or the rsyncd service is masked":
keep_rsync: false
- Alternate Config IDs:
2.2.19
c2_2_19
ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
- Resource:
Class['cem_linux::utils::disable_or_remove_rsync']
2.3.1 - Ensure NIS Client is not installed
- Parameters:
pkg_name
- [String[1]] - Default:ypbind
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure NIS Client is not installed":
pkg_name: "ypbind"
- Alternate Config IDs:
2.3.1
c2_3_1
ensure_nis_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use NIS Client']
2.3.2 - Ensure rsh client is not installed
- Parameters:
pkg_name
- [String[1]] - Default:rsh
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure rsh client is not installed":
pkg_name: "rsh"
- Alternate Config IDs:
2.3.2
c2_3_2
ensure_rsh_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use rsh']
2.3.3 - Ensure talk client is not installed
- Parameters:
pkg_name
- [String[1]] - Default:talk
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure talk client is not installed":
pkg_name: "talk"
- Alternate Config IDs:
2.3.3
c2_3_3
ensure_talk_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use talk client']
2.3.4 - Ensure telnet client is not installed
- Parameters:
pkg_name
- [String[1]] - Default:telnet
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure telnet client is not installed":
pkg_name: "telnet"
- Alternate Config IDs:
2.3.4
c2_3_4
ensure_telnet_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Remove Telnet Client']
2.3.5 - Ensure LDAP client is not installed
- Parameters:
pkg_name
- [String[1]] - Default:openldap-clients
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure LDAP client is not installed":
pkg_name: "openldap-clients"
- Alternate Config IDs:
2.3.5
c2_3_5
ensure_ldap_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Remove LDAP Client']
3.1.1 - Disable IPv6
- Parameters:
strategy
- [Optional[Enum["sysctl", "grub"]]] - Default:sysctl
create_sysctl_file
- [Optional[Boolean]] - Default:true
sysctl_conf
- [Optional[String]] - Default:/etc/sysctl.conf
sysctl_d_path
- [Optional[String]] - Default:/etc/sysctl.d
sysctl_prefix
- [Optional[String]] - Default:10-
sysctl_comment
- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Disable IPv6":
strategy: "sysctl"
create_sysctl_file: true
sysctl_conf: "/etc/sysctl.conf"
sysctl_d_path: "/etc/sysctl.d"
sysctl_prefix: "10-"
sysctl_comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.1.1
c3_1_1
disable_ipv6
- Resource:
Class['cem_linux::utils::network::disable_ipv6']
3.1.2 - Ensure wireless interfaces are disabled
- Parameters:
wwan
- [Boolean] - Default:true
wifi
- [Boolean] - Default:true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure wireless interfaces are disabled":
wwan: true
wifi: true
- Alternate Config IDs:
3.1.2
c3_1_2
ensure_wireless_interfaces_are_disabled
- Resource:
Cem_linux::Utils::Network::Disable_wireless_interfaces['Disable wireless interfaces']
3.2.1 - Ensure IP forwarding is disabled
- Parameters:
target
- [Optional[String[1]]] - Default:/etc/sysctl.d/10-disable_ip_forwarding.conf
persist
- [Optional[Boolean]] - Default:true
comment
- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure IP forwarding is disabled":
target: "/etc/sysctl.d/10-disable_ip_forwarding.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.2.1
c3_2_1
ensure_ip_forwarding_is_disabled
- Resource:
Class['cem_linux::utils::network::disable_ip_forwarding']
3.2.2 - Ensure packet redirect sending is disabled
- Parameters:
target
- [Optional[String[1]]] - Default:/etc/sysctl.d/10-disable_packet_redirect_sending.conf
persist
- [Optional[Boolean]] - Default:true
comment
- [Optional[String]] - Default:MANAGED BY PUPPET
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
control_configs:
"Ensure packet redirect sending is disabled":
target: "/etc/sysctl.d/10-disable_packet_redirect_sending.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.2.2
c3_2_2
ensure_packet_redirect_sending_is_disabled
- Resource:
Class['cem_linux::utils::network::disable_packet_redirect_sending']
3.3.1 - Ensure source routed packets are not accepted
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/sysctl.d/10-disable_source_routes.conf
  - persist - [Optional[Boolean]] - Default: true
  - comment - [Optional[String]] - Default: MANAGED BY PUPPET
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure source routed packets are not accepted":
      target: "/etc/sysctl.d/10-disable_source_routes.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
```
- Alternate Config IDs:
  - 3.3.1
  - c3_3_1
  - ensure_source_routed_packets_are_not_accepted
- Resource:
  - Class['cem_linux::utils::network::disable_source_routes']
3.3.2 - Ensure ICMP redirects are not accepted
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/sysctl.d/10-disable_icmp_redirects.conf
  - persist - [Optional[Boolean]] - Default: true
  - comment - [Optional[String]] - Default: MANAGED BY PUPPET
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure ICMP redirects are not accepted":
      target: "/etc/sysctl.d/10-disable_icmp_redirects.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
```
- Alternate Config IDs:
  - 3.3.2
  - c3_3_2
  - ensure_icmp_redirects_are_not_accepted
- Resource:
  - Class['cem_linux::utils::network::disable_icmp_redirects']
3.3.3 - Ensure secure ICMP redirects are not accepted
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/sysctl.d/10-disable_secure_icmp_redirects.conf
  - persist - [Optional[Boolean]] - Default: true
  - comment - [Optional[String]] - Default: MANAGED BY PUPPET
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure secure ICMP redirects are not accepted":
      target: "/etc/sysctl.d/10-disable_secure_icmp_redirects.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
```
- Alternate Config IDs:
  - 3.3.3
  - c3_3_3
  - ensure_secure_icmp_redirects_are_not_accepted
- Resource:
  - Class['cem_linux::utils::network::disable_secure_icmp_redirects']
3.3.4 - Ensure suspicious packets are logged
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/sysctl.d/10-enable_log_martians.conf
  - persist - [Optional[Boolean]] - Default: true
  - comment - [Optional[String]] - Default: MANAGED BY PUPPET
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure suspicious packets are logged":
      target: "/etc/sysctl.d/10-enable_log_martians.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
```
- Alternate Config IDs:
  - 3.3.4
  - c3_3_4
  - ensure_suspicious_packets_are_logged
- Resource:
  - Class['cem_linux::utils::network::enable_log_martians']
3.3.5 - Ensure broadcast ICMP requests are ignored
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/sysctl.d/10-ignore_icmp_broadcast.conf
  - persist - [Optional[Boolean]] - Default: true
  - comment - [Optional[String]] - Default: MANAGED BY PUPPET
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure broadcast ICMP requests are ignored":
      target: "/etc/sysctl.d/10-ignore_icmp_broadcast.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
```
- Alternate Config IDs:
  - 3.3.5
  - c3_3_5
  - ensure_broadcast_icmp_requests_are_ignored
- Resource:
  - Class['cem_linux::utils::network::ignore_icmp_broadcast']
3.3.6 - Ensure bogus ICMP responses are ignored
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/sysctl.d/10-ignore_bogus_icmp.conf
  - persist - [Optional[Boolean]] - Default: true
  - comment - [Optional[String]] - Default: MANAGED BY PUPPET
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure bogus ICMP responses are ignored":
      target: "/etc/sysctl.d/10-ignore_bogus_icmp.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
```
- Alternate Config IDs:
  - 3.3.6
  - c3_3_6
  - ensure_bogus_icmp_responses_are_ignored
- Resource:
  - Class['cem_linux::utils::network::ignore_bogus_icmp']
3.3.7 - Ensure Reverse Path Filtering is enabled
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/sysctl.d/10-enable_reverse_path_filtering.conf
  - persist - [Optional[Boolean]] - Default: true
  - comment - [Optional[String]] - Default: MANAGED BY PUPPET
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure Reverse Path Filtering is enabled":
      target: "/etc/sysctl.d/10-enable_reverse_path_filtering.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
```
- Alternate Config IDs:
  - 3.3.7
  - c3_3_7
  - ensure_reverse_path_filtering_is_enabled
- Resource:
  - Class['cem_linux::utils::network::enable_reverse_path_filtering']
3.3.8 - Ensure TCP SYN Cookies is enabled
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/sysctl.d/10-enable_tcp_syn_cookies.conf
  - persist - [Optional[Boolean]] - Default: true
  - comment - [Optional[String]] - Default: MANAGED BY PUPPET
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure TCP SYN Cookies is enabled":
      target: "/etc/sysctl.d/10-enable_tcp_syn_cookies.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
```
- Alternate Config IDs:
  - 3.3.8
  - c3_3_8
  - ensure_tcp_syn_cookies_is_enabled
- Resource:
  - Class['cem_linux::utils::network::enable_tcp_syn_cookies']
3.3.9 - Ensure IPv6 router advertisements are not accepted
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/sysctl.d/10-disable_ipv6_router_advertisements.conf
  - persist - [Optional[Boolean]] - Default: true
  - comment - [Optional[String]] - Default: MANAGED BY PUPPET
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure IPv6 router advertisements are not accepted":
      target: "/etc/sysctl.d/10-disable_ipv6_router_advertisements.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
```
- Alternate Config IDs:
  - 3.3.9
  - c3_3_9
  - ensure_ipv6_router_advertisements_are_not_accepted
- Resource:
  - Class['cem_linux::utils::network::disable_ipv6_router_advertisements']
3.4.1 - Ensure DCCP is disabled
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/modprobe.d/dccp.conf
  - content - [Optional[String]] - Default: install dccp /bin/true
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure DCCP is disabled":
      target: "/etc/modprobe.d/dccp.conf"
      content: "install dccp /bin/true"
```
- Alternate Config IDs:
  - 3.4.1
  - c3_4_1
  - ensure_dccp_is_disabled
- Resource:
  - Class['cem_linux::utils::network::disable_dccp']
3.4.2 - Ensure SCTP is disabled
- Parameters:
  - target - [Optional[String[1]]] - Default: /etc/modprobe.d/sctp.conf
  - content - [Optional[String]] - Default: install sctp /bin/true
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SCTP is disabled":
      target: "/etc/modprobe.d/sctp.conf"
      content: "install sctp /bin/true"
```
- Alternate Config IDs:
  - 3.4.2
  - c3_4_2
  - ensure_sctp_is_disabled
- Resource:
  - Class['cem_linux::utils::network::disable_sctp']
3.5.1.1 - Ensure firewalld is installed
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.1.1
  - c3_5_1_1
  - ensure_firewalld_is_installed
- Resource:
  - Class['cem_linux::utils::firewall::firewalld']
3.5.1.2 - Ensure iptables-services not installed with firewalld
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.1.2
  - c3_5_1_2
  - ensure_iptables_services_not_installed_with_firewalld
- Resource:
  - Class['cem_linux::utils::firewall::firewalld']
3.5.1.3 - Ensure nftables either not installed or masked with firewalld
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.1.3
  - c3_5_1_3
  - ensure_nftables_either_not_installed_or_masked_with_firewalld
- Resource:
  - Class['cem_linux::utils::firewall::firewalld']
3.5.1.4 - Ensure firewalld service enabled and running
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.1.4
  - c3_5_1_4
  - ensure_firewalld_service_enabled_and_running
- Resource:
  - Class['cem_linux::utils::firewall::firewalld']
3.5.1.5 - Ensure firewalld default zone is set
- Parameters:
  - default_zone - [Optional[String[1]]] - Default: public
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure firewalld default zone is set":
      default_zone: "public"
```
- Alternate Config IDs:
  - 3.5.1.5
  - c3_5_1_5
  - ensure_firewalld_default_zone_is_set
- Resource:
  - Class['cem_linux::utils::firewall::firewalld']
3.5.1.6 - Ensure network interfaces are assigned to appropriate zone
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.1.6
  - c3_5_1_6
  - ensure_network_interfaces_are_assigned_to_appropriate_zone
- Resource:
  - Class['cem_linux::utils::firewall::firewalld']
3.5.3.1.1 - Ensure iptables packages are installed
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.1.1
  - c3_5_3_1_1
  - ensure_iptables_packages_are_installed
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.1.2 - Ensure nftables is not installed with iptables
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.1.2
  - c3_5_3_1_2
  - ensure_nftables_is_not_installed_with_iptables
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.1.3 - Ensure firewalld is either not installed or masked with iptables
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.1.3
  - c3_5_3_1_3
  - ensure_firewalld_is_either_not_installed_or_masked_with_iptables
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.2.1 - Ensure iptables loopback traffic is configured
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.2.1
  - c3_5_3_2_1
  - ensure_iptables_loopback_traffic_is_configured
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.2.2 - Ensure iptables outbound and established connections are configured
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.2.2
  - c3_5_3_2_2
  - ensure_iptables_outbound_and_established_connections_are_configured
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.2.3 - Ensure iptables rules exist for all open ports
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.2.3
  - c3_5_3_2_3
  - ensure_iptables_rules_exist_for_all_open_ports
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.2.4 - Ensure iptables default deny firewall policy
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.2.4
  - c3_5_3_2_4
  - ensure_iptables_default_deny_firewall_policy
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.2.5 - Ensure iptables rules are saved
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.2.5
  - c3_5_3_2_5
  - ensure_iptables_rules_are_saved
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.2.6 - Ensure iptables is enabled and running
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.2.6
  - c3_5_3_2_6
  - ensure_iptables_is_enabled_and_running
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.3.1 - Ensure ip6tables loopback traffic is configured
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.3.1
  - c3_5_3_3_1
  - ensure_ip6tables_loopback_traffic_is_configured
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.3.2 - Ensure ip6tables outbound and established connections are configured
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.3.2
  - c3_5_3_3_2
  - ensure_ip6tables_outbound_and_established_connections_are_configured
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.3.3 - Ensure ip6tables firewall rules exist for all open ports
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.3.3
  - c3_5_3_3_3
  - ensure_ip6tables_firewall_rules_exist_for_all_open_ports
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.3.4 - Ensure ip6tables default deny firewall policy
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.3.4
  - c3_5_3_3_4
  - ensure_ip6tables_default_deny_firewall_policy
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.3.5 - Ensure ip6tables rules are saved
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.3.5
  - c3_5_3_3_5
  - ensure_ip6tables_rules_are_saved
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
3.5.3.3.6 - Ensure ip6tables is enabled and running
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 3.5.3.3.6
  - c3_5_3_3_6
  - ensure_ip6tables_is_enabled_and_running
- Resource:
  - Class['cem_linux::utils::firewall::iptables']
4.1.1.1 - Ensure auditd is installed
- Parameters:
  - package - [Optional[Array]] - Default: ["audit", "audit-libs"]
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure auditd is installed":
      package: ["audit", "audit-libs"]
```
- Alternate Config IDs:
  - 4.1.1.1
  - c4_1_1_1
  - ensure_auditd_is_installed
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd']
4.1.1.2 - Ensure auditd service is enabled and running
- Parameters:
  - service - [Optional[String]] - Default: auditd
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure auditd service is enabled and running":
      service: "auditd"
```
- Alternate Config IDs:
  - 4.1.1.2
  - c4_1_1_2
  - ensure_auditd_service_is_enabled_and_running
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd']
4.1.1.3 - Ensure auditing for processes that start prior to auditd is enabled
- Parameters:
  - enable_auditd - [Boolean] - Default: true
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure auditing for processes that start prior to auditd is enabled":
      enable_auditd: true
```
- Alternate Config IDs:
  - 4.1.1.3
  - c4_1_1_3
  - ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled
- Resource:
  - Class['cem_linux::utils::bootloader::grub2::auditd']
4.1.2.1 - Ensure audit log storage size is configured
- Parameters:
  - max_log_file - [Optional[Integer[0]]] - Default: 8
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure audit log storage size is configured":
      max_log_file: 8
```
- Alternate Config IDs:
  - 4.1.2.1
  - c4_1_2_1
  - ensure_audit_log_storage_size_is_configured
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd']
4.1.2.2 - Ensure audit logs are not automatically deleted
- Parameters:
  - max_log_file_action - [Optional[Enum['keep_logs', 'rotate', 'ignore', 'syslog', 'suspend']]] - Default: keep_logs
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure audit logs are not automatically deleted":
      max_log_file_action: "keep_logs"
```
- Alternate Config IDs:
  - 4.1.2.2
  - c4_1_2_2
  - ensure_audit_logs_are_not_automatically_deleted
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd']
4.1.2.3 - Ensure system is disabled when audit logs are full
- Parameters:
  - space_left_action - [Optional[Enum['ignore', 'syslog', 'email', 'suspend', 'single', 'halt']]] - Default: email
  - admin_space_left_action - [Optional[Enum['ignore', 'syslog', 'email', 'suspend', 'single', 'halt']]] - Default: syslog
  - action_mail_acct - [Optional[String]] - Default: root
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure system is disabled when audit logs are full":
      space_left_action: "email"
      admin_space_left_action: "syslog"
      action_mail_acct: "root"
```
- Alternate Config IDs:
  - 4.1.2.3
  - c4_1_2_3
  - ensure_system_is_disabled_when_audit_logs_are_full
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd']
4.1.2.4 - Ensure audit_backlog_limit is sufficient
- Parameters:
  - audit_backlog_limit - [Integer] - Default: 8192
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure audit_backlog_limit is sufficient":
      audit_backlog_limit: 8192
```
- Alternate Config IDs:
  - 4.1.2.4
  - c4_1_2_4
  - ensure_audit_backlog_limit_is_sufficient
- Resource:
  - Class['cem_linux::utils::bootloader::grub2::auditd']
4.1.3 - Ensure events that modify date and time information are collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.3
  - c4_1_3
  - ensure_events_that_modify_date_and_time_information_are_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::time_change']
4.1.4 - Ensure events that modify user/group information are collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.4
  - c4_1_4
  - ensure_events_that_modify_usergroup_information_are_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::modify_usergroup_information']
4.1.5 - Ensure events that modify the system's network environment are collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.5
  - c4_1_5
  - ensure_events_that_modify_the_systems_network_environment_are_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::network_environment']
4.1.6 - Ensure events that modify the system's Mandatory Access Controls are collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.6
  - c4_1_6
  - ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::mandatory_access_controls']
4.1.7 - Ensure login and logout events are collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.7
  - c4_1_7
  - ensure_login_and_logout_events_are_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::login_logout']
4.1.8 - Ensure session initiation information is collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.8
  - c4_1_8
  - ensure_session_initiation_information_is_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::session_initiation']
4.1.9 - Ensure discretionary access control permission modification events are collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.9
  - c4_1_9
  - ensure_discretionary_access_control_permission_modification_events_are_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::discretionary_access_control']
4.1.10 - Ensure unsuccessful unauthorized file access attempts are collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.10
  - c4_1_10
  - ensure_unsuccessful_unauthorized_file_access_attempts_are_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::unsuccessful_unauthorized_file_access']
4.1.12 - Ensure successful file system mounts are collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.12
  - c4_1_12
  - ensure_successful_file_system_mounts_are_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::file_system_mounts']
4.1.13 - Ensure file deletion events by users are collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.13
  - c4_1_13
  - ensure_file_deletion_events_by_users_are_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::file_deletion_events']
4.1.14 - Ensure changes to system administration scope (sudoers) is collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.14
  - c4_1_14
  - ensure_changes_to_system_administration_scope_sudoers_is_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::sudoers']
4.1.15 - Ensure system administrator command executions (sudo) are collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.15
  - c4_1_15
  - ensure_system_administrator_command_executions_sudo_are_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::sudolog']
4.1.16 - Ensure kernel module loading and unloading is collected
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.16
  - c4_1_16
  - ensure_kernel_module_loading_and_unloading_is_collected
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::kernel_module_command_record']
4.1.17 - Ensure the audit configuration is immutable
- Parameters:
  - No parameters
- Supported Levels:
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.1.17
  - c4_1_17
  - ensure_the_audit_configuration_is_immutable
- Resource:
  - Class['cem_linux::utils::packages::linux::auditd::audit_configuration_immutable']
4.2.1.1 - Ensure rsyslog is installed
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.2.1.1
  - c4_2_1_1
  - ensure_rsyslog_is_installed
- Resource:
  - Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.2 - Ensure rsyslog Service is enabled and running
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.2.1.2
  - c4_2_1_2
  - ensure_rsyslog_service_is_enabled_and_running
- Resource:
  - Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.3 - Ensure rsyslog default file permissions configured
- Parameters:
  - filecreatemode - [Optional[String]] - Default: 0640
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure rsyslog default file permissions configured":
      filecreatemode: "0640"
```
- Alternate Config IDs:
  - 4.2.1.3
  - c4_2_1_3
  - ensure_rsyslog_default_file_permissions_configured
- Resource:
  - Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.4 - Ensure logging is configured
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.2.1.4
  - c4_2_1_4
  - ensure_logging_is_configured
- Resource:
  - Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.5 - Ensure rsyslog is configured to send logs to a remote log host
- Parameters:
  - remote_log_host - [Optional[Variant[Stdlib::IP::Address, String[1]]]] - Default: undef
  - tcp_port - [Optional[Integer]] - Default: 514
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure rsyslog is configured to send logs to a remote log host":
      remote_log_host: <<Type Variant[Stdlib::IP::Address, String[1]]>>
      tcp_port: 514
```
- Alternate Config IDs:
  - 4.2.1.5
  - c4_2_1_5
  - ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host
- Resource:
  - Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.6 - Ensure remote rsyslog messages are only accepted on designated log hosts.
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.2.1.6
  - c4_2_1_6
  - ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts
- Resource:
  - Class['cem_linux::utils::packages::linux::rsyslog']
4.2.2.1 - Ensure journald is configured to send logs to rsyslog
- Parameters:
  - forward_to_syslog - [Optional[Variant[Boolean, Stdlib::Yes_no]]] - Default: true
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure journald is configured to send logs to rsyslog":
      forward_to_syslog: true
```
- Alternate Config IDs:
  - 4.2.2.1
  - c4_2_2_1
  - ensure_journald_is_configured_to_send_logs_to_rsyslog
- Resource:
  - Class['cem_linux::utils::services::systemd::journald']
4.2.2.2 - Ensure journald is configured to compress large log files
- Parameters:
  - compress_large_files - [Optional[Variant[Boolean, Stdlib::Yes_no]]] - Default: true
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure journald is configured to compress large log files":
      compress_large_files: true
```
- Alternate Config IDs:
  - 4.2.2.2
  - c4_2_2_2
  - ensure_journald_is_configured_to_compress_large_log_files
- Resource:
  - Class['cem_linux::utils::services::systemd::journald']
4.2.2.3 - Ensure journald is configured to write logfiles to persistent disk
- Parameters:
  - persistent_storage - [Optional[Boolean]] - Default: true
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure journald is configured to write logfiles to persistent disk":
      persistent_storage: true
```
- Alternate Config IDs:
  - 4.2.2.3
  - c4_2_2_3
  - ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
- Resource:
  - Class['cem_linux::utils::services::systemd::journald']
4.2.3 - Ensure permissions on all logfiles are configured
- Parameters:
  - mode - [Stdlib::Filemode] - Default: 0640
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on all logfiles are configured":
      mode: "0640"
```
- Alternate Config IDs:
  - 4.2.3
  - c4_2_3
  - ensure_permissions_on_all_logfiles_are_configured
- Resource:
  - Class['cem_linux::utils::chmod_logfiles']
4.2.4 - Ensure logrotate is configured
- Parameters:
  - No parameters
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Alternate Config IDs:
  - 4.2.4
  - c4_2_4
  - ensure_logrotate_is_configured
- Resource:
  - Class['cem_linux::utils::packages::linux::logrotate']
5.1.1 - Ensure cron daemon is enabled and running
- Parameters:
  - manage_package - [Optional[Boolean]] - Default: true
  - manage_service - [Optional[Boolean]] - Default: true
  - cron_allow_path - [Optional[Stdlib::AbsolutePath]] - Default: /etc/cron.allow
  - purge_cron_deny - [Optional[Boolean]] - Default: true
  - manage_cron_allow - [Optional[Boolean]] - Default: true
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure cron daemon is enabled and running":
      manage_package: true
      manage_service: true
      cron_allow_path: "/etc/cron.allow"
      purge_cron_deny: true
      manage_cron_allow: true
```
- Alternate Config IDs:
  - 5.1.1
  - c5_1_1
  - ensure_cron_daemon_is_enabled_and_running
- Resource:
  - Class['cem_linux::utils::packages::linux::cron']
5.1.2 - Ensure permissions on /etc/crontab are configured
- Parameters:
  - set_crontab_perms - [Optional[Boolean]] - Default: true
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/crontab are configured":
      set_crontab_perms: true
```
- Alternate Config IDs:
  - 5.1.2
  - c5_1_2
  - ensure_permissions_on_etccrontab_are_configured
- Resource:
  - Class['cem_linux::utils::packages::linux::cron']
5.1.3 - Ensure permissions on /etc/cron.hourly are configured
- Parameters:
  - set_hourly_cron_perms - [Optional[Boolean]] - Default: true
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.hourly are configured":
      set_hourly_cron_perms: true
```
- Alternate Config IDs:
  - 5.1.3
  - c5_1_3
  - ensure_permissions_on_etccron_hourly_are_configured
- Resource:
  - Class['cem_linux::utils::packages::linux::cron']
5.1.4 - Ensure permissions on /etc/cron.daily are configured
- Parameters:
  - set_daily_cron_perms - [Optional[Boolean]] - Default: true
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.daily are configured":
      set_daily_cron_perms: true
```
- Alternate Config IDs:
  - 5.1.4
  - c5_1_4
  - ensure_permissions_on_etccron_daily_are_configured
- Resource:
  - Class['cem_linux::utils::packages::linux::cron']
5.1.5 - Ensure permissions on /etc/cron.weekly are configured
- Parameters:
  - set_weekly_cron_perms - [Optional[Boolean]] - Default: true
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.weekly are configured":
      set_weekly_cron_perms: true
```
- Alternate Config IDs:
  - 5.1.5
  - c5_1_5
  - ensure_permissions_on_etccron_weekly_are_configured
- Resource:
  - Class['cem_linux::utils::packages::linux::cron']
5.1.6 - Ensure permissions on /etc/cron.monthly are configured
- Parameters:
  - set_monthly_cron_perms - [Optional[Boolean]] - Default: true
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.monthly are configured":
      set_monthly_cron_perms: true
```
- Alternate Config IDs:
  - 5.1.6
  - c5_1_6
  - ensure_permissions_on_etccron_monthly_are_configured
- Resource:
  - Class['cem_linux::utils::packages::linux::cron']
5.1.7 - Ensure permissions on /etc/cron.d are configured
- Parameters:
  - set_cron_d_perms - [Optional[Boolean]] - Default: true
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.d are configured":
      set_cron_d_perms: true
```
- Alternate Config IDs:
  - 5.1.7
  - c5_1_7
  - ensure_permissions_on_etccron_d_are_configured
- Resource:
  - Class['cem_linux::utils::packages::linux::cron']
5.1.8 - Ensure cron is restricted to authorized users
- Parameters:
  - cron_allowlist - [Optional[Array[String[1]]]] - Default: ["root"]
- Supported Levels:
  - level_1
  - level_2
- Supported Profiles:
  - server
  - workstation
- Hiera Configuration Example:
```yaml
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure cron is restricted to authorized users":
      cron_allowlist: ["root"]
```
- Alternate Config IDs:
  - 5.1.8
  - c5_1_8
  - ensure_cron_is_restricted_to_authorized_users
- Resource:
  - Class['cem_linux::utils::packages::linux::cron']
5.1.9 - Ensure at is restricted to authorized users
- Parameters:
at_allowlist
- [Optional[Array[String[1]]]] - Default: ["root"]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure at is restricted to authorized users":
      at_allowlist: ["root"]
- Alternate Config IDs:
5.1.9
c5_1_9
ensure_at_is_restricted_to_authorized_users
- Resource:
Class['cem_linux::utils::packages::linux::at']
5.2.1 - Ensure sudo is installed
- Parameters:
package_ensure
- [Optional[Enum['installed', 'latest', 'absent']]] - Default: installed
package_name
- [Optional[String[1]]] - Default: sudo
sudoers_path
- [Optional[Stdlib::UnixPath]] - Default: /etc/sudoers
sudoers_d_path
- [Optional[Stdlib::UnixPath]] - Default: /etc/sudoers.d
defaults
- [Optional[Hash[String[1], Optional[String]]]] - Default: undef
drop_ins
- [Optional[Hash[String[1], Struct[{user_group=>Optional[Variant[String[1], Array[String[1]]]], host=>Optional[String[1]], target_users=>Optional[Variant[String[1], Array[String[1]]]], priority=>Optional[Integer], commands=>Optional[Variant[Enum['ALL'], Array[String[1]]]], options=>Optional[Array[String[1]]], file_name=>Optional[String[1]]}]]]] - Default: undef
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure sudo is installed":
      package_ensure: "installed"
      package_name: "sudo"
      sudoers_path: "/etc/sudoers"
      sudoers_d_path: "/etc/sudoers.d"
      defaults: <<Type Hash[String[1], Optional[String]]>>
      drop_ins: <<Type Hash[String[1], Struct[{user_group=>Optional[Variant[String[1], Array[String[1]]]], host=>Optional[String[1]], target_users=>Optional[Variant[String[1], Array[String[1]]]], priority=>Optional[Integer], commands=>Optional[Variant[Enum['ALL'], Array[String[1]]]], options=>Optional[Array[String[1]]], file_name=>Optional[String[1]]}]]>>
- Alternate Config IDs:
5.2.1
c5_2_1
ensure_sudo_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::sudo']
5.2.2 - Ensure sudo commands use pty
- Parameters:
sudoers_path
- [String[1]] - Default: /etc/sudoers
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure sudo commands use pty":
      sudoers_path: "/etc/sudoers"
- Alternate Config IDs:
5.2.2
c5_2_2
ensure_sudo_commands_use_pty
- Resource:
Cem_linux::Utils::Packages::Linux::Sudo::Sudoers_default['use_pty']
5.2.3 - Ensure sudo log file exists
- Parameters:
sudoers_path
- [String[1]] - Default: /etc/sudoers
value
- [Optional[String[1]]] - Default: /var/log/sudo.log
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure sudo log file exists":
      sudoers_path: "/etc/sudoers"
      value: "/var/log/sudo.log"
- Alternate Config IDs:
5.2.3
c5_2_3
ensure_sudo_log_file_exists
- Resource:
Cem_linux::Utils::Packages::Linux::Sudo::Sudoers_default['logfile']
5.3.1 - Ensure permissions on /etc/ssh/sshd_config are configured
- Parameters:
enforce_sshd_config_perms
- [Optional[Boolean]] - Default: true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/ssh/sshd_config are configured":
      enforce_sshd_config_perms: true
- Alternate Config IDs:
5.3.1
c5_3_1
ensure_permissions_on_etcsshsshd_config_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.2 - Ensure permissions on SSH private host key files are configured
- Parameters:
enforce_pri_host_key_perms
- [Optional[Boolean]] - Default: true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on SSH private host key files are configured":
      enforce_pri_host_key_perms: true
- Alternate Config IDs:
5.3.2
c5_3_2
ensure_permissions_on_ssh_private_host_key_files_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.3 - Ensure permissions on SSH public host key files are configured
- Parameters:
enforce_pub_host_key_perms
- [Optional[Boolean]] - Default: true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on SSH public host key files are configured":
      enforce_pub_host_key_perms: true
- Alternate Config IDs:
5.3.3
c5_3_3
ensure_permissions_on_ssh_public_host_key_files_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.4 - Ensure SSH access is limited
- Parameters:
allow_users
- [Optional[Array[String[1]]]] - Default: undef
allow_groups
- [Optional[Array[String[1]]]] - Default: undef
deny_users
- [Optional[Array[String[1]]]] - Default: undef
deny_groups
- [Optional[Array[String[1]]]] - Default: undef
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH access is limited":
      allow_users: <<Type Array[String[1]]>>
      allow_groups: <<Type Array[String[1]]>>
      deny_users: <<Type Array[String[1]]>>
      deny_groups: <<Type Array[String[1]]>>
- Alternate Config IDs:
5.3.4
c5_3_4
ensure_ssh_access_is_limited
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.5 - Ensure SSH LogLevel is appropriate
- Parameters:
log_level
- [Optional[Enum['INFO', 'VERBOSE']]] - Default: INFO
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH LogLevel is appropriate":
      log_level: "INFO"
- Alternate Config IDs:
5.3.5
c5_3_5
ensure_ssh_loglevel_is_appropriate
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.6 - Ensure SSH X11 forwarding is disabled
- Parameters:
x11_forwarding
- [Optional[Enum['yes', 'no']]] - Default: no
- Supported Levels:
level_1
level_2
- Supported Profiles:
workstation
server
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH X11 forwarding is disabled":
      x11_forwarding: "no"
- Alternate Config IDs:
5.3.6
c5_3_6
ensure_ssh_x11_forwarding_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.7 - Ensure SSH MaxAuthTries is set to 4 or less
- Parameters:
max_auth_tries
- [Optional[Integer]] - Default: 4
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH MaxAuthTries is set to 4 or less":
      max_auth_tries: 4
- Alternate Config IDs:
5.3.7
c5_3_7
ensure_ssh_maxauthtries_is_set_to_4_or_less
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.8 - Ensure SSH IgnoreRhosts is enabled
- Parameters:
ignore_rhosts
- [Optional[Enum['yes', 'no']]] - Default: yes
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH IgnoreRhosts is enabled":
      ignore_rhosts: "yes"
- Alternate Config IDs:
5.3.8
c5_3_8
ensure_ssh_ignorerhosts_is_enabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.9 - Ensure SSH HostbasedAuthentication is disabled
- Parameters:
host_based_authentication
- [Optional[Enum['yes', 'no']]] - Default: no
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH HostbasedAuthentication is disabled":
      host_based_authentication: "no"
- Alternate Config IDs:
5.3.9
c5_3_9
ensure_ssh_hostbasedauthentication_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.10 - Ensure SSH root login is disabled
- Parameters:
permit_root_login
- [Optional[Enum['yes', 'no', 'without-password', 'forced-commands-only']]] - Default: no
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH root login is disabled":
      permit_root_login: "no"
- Alternate Config IDs:
5.3.10
c5_3_10
ensure_ssh_root_login_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.11 - Ensure SSH PermitEmptyPasswords is disabled
- Parameters:
permit_empty_passwords
- [Optional[Enum['yes', 'no']]] - Default: no
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH PermitEmptyPasswords is disabled":
      permit_empty_passwords: "no"
- Alternate Config IDs:
5.3.11
c5_3_11
ensure_ssh_permitemptypasswords_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.12 - Ensure SSH PermitUserEnvironment is disabled
- Parameters:
permit_user_environment
- [Optional[Enum['yes', 'no']]] - Default: no
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH PermitUserEnvironment is disabled":
      permit_user_environment: "no"
- Alternate Config IDs:
5.3.12
c5_3_12
ensure_ssh_permituserenvironment_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.13 - Ensure only strong Ciphers are used
- Parameters:
ciphers
- [Optional[Array[String[1]]]] - Default: ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure only strong Ciphers are used":
      ciphers: ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]
- Alternate Config IDs:
5.3.13
c5_3_13
ensure_only_strong_ciphers_are_used
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.14 - Ensure only strong MAC algorithms are used
- Parameters:
macs
- [Optional[Array[String[1]]]] - Default: ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256"]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure only strong MAC algorithms are used":
      macs: ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256"]
- Alternate Config IDs:
5.3.14
c5_3_14
ensure_only_strong_mac_algorithms_are_used
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.15 - Ensure only strong Key Exchange algorithms are used
- Parameters:
kex_algorithms
- [Optional[Array[String[1]]]] - Default: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure only strong Key Exchange algorithms are used":
      kex_algorithms: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"]
- Alternate Config IDs:
5.3.15
c5_3_15
ensure_only_strong_key_exchange_algorithms_are_used
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.16 - Ensure SSH Idle Timeout Interval is configured
- Parameters:
client_alive_interval
- [Optional[Integer]] - Default: 300
client_alive_count_max
- [Optional[Integer]] - Default: 0
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH Idle Timeout Interval is configured":
      client_alive_interval: 300
      client_alive_count_max: 0
- Alternate Config IDs:
5.3.16
c5_3_16
ensure_ssh_idle_timeout_interval_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.17 - Ensure SSH LoginGraceTime is set to one minute or less
- Parameters:
login_grace_time
- [Optional[Integer]] - Default: 60
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH LoginGraceTime is set to one minute or less":
      login_grace_time: 60
- Alternate Config IDs:
5.3.17
c5_3_17
ensure_ssh_logingracetime_is_set_to_one_minute_or_less
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.18 - Ensure SSH warning banner is configured
- Parameters:
banner
- [Optional[Stdlib::AbsolutePath]] - Default: /etc/issue.net
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH warning banner is configured":
      banner: "/etc/issue.net"
- Alternate Config IDs:
5.3.18
c5_3_18
ensure_ssh_warning_banner_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.19 - Ensure SSH PAM is enabled
- Parameters:
use_pam
- [Optional[Enum['yes', 'no']]] - Default: yes
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH PAM is enabled":
      use_pam: "yes"
- Alternate Config IDs:
5.3.19
c5_3_19
ensure_ssh_pam_is_enabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.20 - Ensure SSH AllowTcpForwarding is disabled
- Parameters:
allow_tcp_forwarding
- [Optional[Enum['yes', 'no']]] - Default: no
- Supported Levels:
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH AllowTcpForwarding is disabled":
      allow_tcp_forwarding: "no"
- Alternate Config IDs:
5.3.20
c5_3_20
ensure_ssh_allowtcpforwarding_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.21 - Ensure SSH MaxStartups is configured
- Parameters:
max_startups
- [Optional[String[1]]] - Default: 10:30:60
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH MaxStartups is configured":
      max_startups: "10:30:60"
- Alternate Config IDs:
5.3.21
c5_3_21
ensure_ssh_maxstartups_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.22 - Ensure SSH MaxSessions is limited
- Parameters:
max_sessions
- [Optional[Integer]] - Default: 10
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH MaxSessions is limited":
      max_sessions: 10
- Alternate Config IDs:
5.3.22
c5_3_22
ensure_ssh_maxsessions_is_limited
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.4.1 - Ensure password creation requirements are configured
- Parameters:
manage_pwquality
- [Boolean] - Default: true
manage_pam_auth
- [Boolean] - Default: true
minlen
- [Optional[Integer]] - Default: 14
minclass
- [Optional[Integer]] - Default: 4
faillock_args
- [Optional[Array[String[1]]]] - Default: ["preauth", "silent", "audit", "deny=5", "unlock_time=900"]
pwhistory_args
- [Optional[Array[String[1]]]] - Default: ["use_authtok", "remember=5", "retry=3"]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure password creation requirements are configured":
      manage_pwquality: true
      manage_pam_auth: true
      minlen: 14
      minclass: 4
      faillock_args: ["preauth", "silent", "audit", "deny=5", "unlock_time=900"]
      pwhistory_args: ["use_authtok", "remember=5", "retry=3"]
- Alternate Config IDs:
5.4.1
c5_4_1
ensure_password_creation_requirements_are_configured
- Resource:
Class['cem_linux::utils::password_creation_requirement']
5.4.2 - Ensure lockout for failed password attempts is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
5.4.2
c5_4_2
ensure_lockout_for_failed_password_attempts_is_configured
- Resource:
Class['cem_linux::utils::password_creation_requirement']
5.4.3 - Ensure password hashing algorithm is SHA-512
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
5.4.3
c5_4_3
ensure_password_hashing_algorithm_is_sha_512
- Resource:
Class['cem_linux::utils::password_creation_requirement']
5.4.4 - Ensure password reuse is limited
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
workstation
- Alternate Config IDs:
5.4.4
c5_4_4
ensure_password_reuse_is_limited
- Resource:
Class['cem_linux::utils::password_creation_requirement']
5.5.1.1 - Ensure password expiration is 365 days or less
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
- audit_authselect: Audits the authselect profile for RHEL8 and CentOS8
- audit_check_ipv6: Audits IPv6 for RHEL8
- audit_duplicate_gid: Finds and returns duplicate GIDs in /etc/group
- audit_duplicate_group_names: Finds and returns duplicate group names in /etc/group
- audit_duplicate_uid: Finds duplicate UIDs in /etc/passwd and returns the UID and all users that use it
- audit_duplicate_user_names: Finds and returns duplicate user names in /etc/passwd
- audit_etcpasswd_groups: Finds groups that exist in /etc/passwd but do not exist in /etc/group
- audit_pw_change_date: Returns the last password change date for all users
- audit_sgid_executables: A short description of this task
- audit_shadow_group: Finds and returns any users in the shadow group
- audit_sudo_authentication_timeout: Returns the sudo authentication timeout in minutes
- audit_sudo_nopasswd: Returns instances of NOPASSWD: in sudo configuration files
- audit_sudo_re_authentication: Returns a list of any ungrouped sudo configuration entries that contain !authenticate
- audit_suid_executables: Returns a list of SUID executable files
- audit_unconfined_services: Returns a list of all unconfined services
- audit_ungrouped_files_and_directories: Returns a list of any unowned files and directories
- audit_unowned_files_and_directories: Returns a list of any unowned files and directories
- audit_world_writable_files: Returns a list of any world-writable files
- query_gpg_keys: Queries for RPM GPG keys
- query_listening_services: Queries for services with established TCP/UDP connections
- query_yum_repos: Queries YUM repositories
- root_path_integrity: Audits root path integrity. Must be run as root.
- update_bootloader: Updates and reinstalls the bootloader configuration
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v1.3.2 (2022-09-08)
Added
- The `Ensure core dump storage is disabled` and `Ensure core dump backtraces are disabled` controls are now enforced on Red Hat Enterprise Linux (RHEL) 8 systems.
- Added a new enforcement mode, `disabled`, so that you can disable Security Enhanced Linux (SELinux) in your environment.
Changed
- The `Ensure audit log is disabled when audit logs are full` control is updated to halt the machine when the audit log is full. This change helps to ensure better compliance with Center for Internet Security (CIS) recommendations.
- To simplify configuration, the `ntp` and `chrony` classes were combined into the `timesync` class.
Fixed
- The `Disable USB Storage` control is updated to work as designed.
- The regular expression for matching Linux username patterns is updated to accept capital letters.
- Rules in the `/etc/auditd/rules.d` directory are now loaded by using the `augenrules --load` command. This fix helps to ensure that all rule files within the directory are loaded into the kernel.
- Fixed the per-resource ordering process by using the correct metaparameter `before` instead of `subscribe`.
- Fixed a parsing error for `chrony` that caused catalog compilation failures.
- Fixed a command injection vulnerability that could occur when unsanitized user input was used in the `command`, `onlyif`, or `unless` parameters of an `exec` resource.
- Fixed an issue with the permissions of Secure Shell (SSH) host private keys to ensure that the permissions are sufficiently restrictive.
- Fixed the `cem_systemctl` feature to return a result of `false` without error messages in Puppet run logs when the feature is evaluated on Microsoft Windows machines.
- Fixed an issue with the `cem_mta` fact that caused errors in RHEL 6.
v1.3.1 (2022-08-18)
Fixed
- Controls that configure `journald` now properly configure the `journald.conf` file.
- The `cem_coredump` fact will no longer attempt to resolve on nodes that do not support `systemctl`.
- The `cem_grub_cfg` fact will now identify the correct GRUB2 configuration file on Red Hat Enterprise Linux 7.
- The CIS-specific parameters `enable_systemd_journal` and `enable_nopasswd_sudo_prune` now function correctly.
- Fixed how Ruby code is loaded during Continuous Delivery for Puppet Enterprise impact analysis. This update fixes a bug that caused impact analysis to fail after upgrading CEM Linux to v1.3.0.
- Fixed invalid default parameter values that caused catalog compilation failures when enforcing the control `ensure_password_creation_requirements_are_configured`.
- Fixed a duplicate resource defaults statement that caused catalog compilation failures when selecting `ntp` as the time synchronization service.
v1.3.0 (2022-08-03)
Changed
- The core architecture for the module has changed. These changes should be transparent to the user. However, using Hiera automatic parameter lookup to set configurations directly on classes in the `cem_linux::benchmarks::controls::*` namespace will no longer work. This configuration method was not supported previously, and with the new architecture those classes have been removed and replaced with module Hiera data.
- For more information on the new architecture, see the readme file.
- The reference was revised to improve usability. Sample configurations are provided for each supported control.
Fixed
- Added proper containment to the `cem_coredump` fact so it will no longer run on operating systems that do not support it.
- Fixed how NTP options are handled. This fix resolves failures that occurred when using certain timeserver options.
v1.2.0 (2022-05-24)
Added
- Added the Center for Internet Security (CIS) Level 2 Server profile for Red Hat Enterprise Linux (RHEL) 7.
Changed
- Updated the CIS RHEL 8 benchmark to version 2.0.0.
- Removed support for CentOS 8 because the operating system has reached End of Life (EOL).
- CEM Linux has never supported CentOS Stream, and with non-stream CentOS 8 being EOL, support for it was removed entirely.
Fixed
- Fixed an issue that prevented the `coredump` configuration setting from being properly enforced. Now, you can use the module to configure core dumps.
- Fixed an issue related to file system mount points, which were not properly remounted after changes in mount-option enforcement. This issue prevented certain configuration changes from being applied.
v1.1.4 (2022-03-25)
Changed
- Updated the `audit_user_homedir` task to prevent the task from modifying permissions on top-level directories: `/boot`, `/boot/`, `/etc`, `/lib`, `/lib64`, `/proc`, `/proc/`, `/home`, `/opt`, `/tmp`, `/var`, and `/srv/`. The `audit_user_homedir` task can still modify permissions on subdirectories within the listed directories, except for `/boot` and `/proc`.
- In the `audit_user_homedir` task, added `rtkit` to the list of ignored usernames. Because `rtkit` is a system user, CIS states that the home directory permissions for `rtkit` should not be audited.
v1.1.3 (2022-03-24)
Fixed
- Fixed a bug in the `audit_user_homedir` task to prevent the inadvertent modification of permissions on bin directories: `/bin`, `/sbin`, `/usr/bin`, and `/usr/sbin`.
v1.1.2 (2022-03-16)
Added
- Added a section to the CEM Reference about configuring `chrony`/`ntp` time servers.
Changed
- Expanded the range of versions in the `metadata.json` file so that users can install the latest modules to meet dependency requirements.
Fixed
- Fixed a bug in the `cem_linux::utils::timesync` configuration option that caused Puppet run failures when Network Time Protocol (NTP) was selected for time synchronization.
- Fixed a bug that caused a Puppet run failure during attempts to use a template to provide the Message of the Day (MOTD).
- Fixed a bug relating to unsupported options in the `auditd` config template on Red Hat Enterprise Linux (RHEL) 7. The bug caused startup failures for the `auditd` service.
v1.1.1 (2022-01-25)
Fixed
- Fixed an issue related to non-idempotent resources when managing permissions for the `Grub2` bootloader configuration. This issue affected Red Hat Enterprise Linux (RHEL) systems that did not use Extensible Firmware Interface (EFI) mode.
v1.1.0 (2021-12-14)
Added
- Enforcement for Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Server Level 2 recommendations.
- Updates related to bootloader configurations. Configurations, including password settings, can now be managed through the CEM module on systems that use the `grub2` bootloader.
  - You can also opt in to automatically regenerate the bootloader config files after changes are made.
  - For details, see the CEM for Linux readme file.
- Permissions management for log files in the `/var/log` directory is now available in the module. Previously, you had to run a Bolt task to manage permissions for log files.
  - Because this feature is now supported natively, the Bolt task `cem_linux::logfile_permissions` was removed.
- Added a new fact, `cem_grub_cfg`. This fact contains information related to general `grub` configuration on the machine.
Changed
- Replaced the `camptocamp-systemd` module with the supported `puppet-systemd` module. To help ensure compatibility, you must update your Puppetfile to use the `puppet-systemd` module v3.5.0 or later.
- The `cem_uefi_boot` fact was changed to `cem_efi` and more information was added to the fact. The new name is more representative because the fact now includes boot and other information.
Restriction
- When you scan a node with Puppet Comply after applying CEM, some recommendations that are enforced by CEM might be reported as having failed the scan. This issue is due to bugs in the CIS-CAT Pro Assessor that is used by Comply. For more information, see the readme file.
v1.0.0 (2021-09-28)
- This is the initial public release of CEM for Linux.
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 9.0.0)
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/puppet_agent (>= 4.0.0 < 5.0.0)
- puppetlabs/inifile (>= 1.6.0 < 6.0.0)
- puppetlabs/augeas_core (>= 1.1.1 < 2.0.0)
- puppetlabs/firewall (>= 2.8.1 < 4.0.0)
- puppet/firewalld (>= 4.4.0 < 5.0.0)
- puppet/logrotate (>= 5.0.0 < 7.0.0)
- puppet/selinux (>= 3.2.0 < 4.0.0)
- puppet/systemd (>= 3.5.0 < 4.0.0)