Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.23.0 < 8.0.0
This module has been deprecated by its author since May 8th 2024.
The author has suggested puppetlabs-sce_linux as its replacement.
Documentation
cem_linux
Starting with CEM Linux v1.4.0, product documentation is available on the Puppet Docs website.
What are tasks?
Modules can contain tasks that take action outside of the desired state managed by Puppet. They are well suited to troubleshooting, deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
audit_authselect
Audit the authselect profile on RHEL 8 and CentOS 8
audit_boot
Audit if the system is configured to boot to the command line or to the graphical user interface.
audit_check_ipv6
Audit the IPv6 configuration on RHEL 8
audit_client_dns
Audit DNS servers configured in /etc/resolv.conf
audit_duplicate_gid
Finds and returns duplicate GIDs in /etc/group
audit_duplicate_group_names
Finds and returns duplicate group names in /etc/group.
audit_duplicate_uid
Finds duplicate UIDs in /etc/passwd and returns the UID and all users that use it
audit_duplicate_user_names
Finds and returns duplicate user names in /etc/passwd.
audit_etcpasswd_groups
Finds groups that exist in /etc/passwd but do not exist in /etc/group
audit_firewalld_config
Returns the results of firewall-cmd --list-all
audit_for_emergency_accounts
Audit all accounts expiration dates for removal.
audit_kerberos_keytab_files
List all Kerberos keytab files under /etc
audit_library_files
Audit library files permission, ownership, and group ownership
audit_mcafee_endpoint_security
Audit McAfee Endpoint Security for Linux
audit_no_execution_bit_flag
Audit whether the no-execute (NX) bit is enabled on the system
audit_partition_crypto
Audit partition cryptography
audit_pkcs11_eventmgr
Report whether pkcs11_eventmgr is configured to lock the screen when the smart card is removed.
audit_pw_change_date
Returns the last password change date for all users
audit_selinux_user_roles
Returns the output of 'semanage user -l' on the target system
audit_sgid_executables
Returns a list of SGID executable files
audit_shadow_group
Finds and returns any users in the shadow group
audit_sshd_installation
Verify if sshd is installed
audit_sshd_status
Report sshd status
audit_sssd_certmap
Audit the existence of an sssd certmap configuration
audit_sudo_authentication_timeout
Return the sudo authentication timeout in minutes
audit_sudo_nopasswd
Return instances of NOPASSWD: in sudo configuration files.
audit_sudo_re_authentication
Returns a list of any ungrouped sudo configuration entries that contain !authenticate.
audit_suid_executables
Returns a list of SUID executable files
audit_system_command_permission
Audit system commands permission, ownership and group ownership
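The account-database tasks listed above (audit_duplicate_uid, audit_duplicate_gid, audit_duplicate_user_names, audit_duplicate_group_names, audit_etcpasswd_groups and audit_shadow_group) all reduce to parsing /etc/passwd and /etc/group and cross-checking the fields. The Ruby script below is an added example written for this page, not the module's own task code: the function names are my own, and the passwd and group contents are constructed so the script runs offline. On a live host you would pass `File.read('/etc/passwd')` and `File.read('/etc/group')` instead.

```ruby
# Added example, not cem_linux task code: the checks behind audit_duplicate_uid,
# audit_duplicate_gid, audit_duplicate_user_names, audit_duplicate_group_names,
# audit_etcpasswd_groups and audit_shadow_group, implemented over the contents of
# /etc/passwd and /etc/group passed in as strings so the code runs offline.
require 'json'

PW_NAME = 0      # passwd(5) field positions
PW_UID = 2
PW_GID = 3
GR_NAME = 0      # group(5) field positions
GR_GID = 2
GR_MEMBERS = 3

# Split a colon-separated account database into records, skipping blank lines
# and comments. split(':', -1) keeps trailing empty fields (e.g. "root:x:0:").
def parse_db(text)
  text.each_line.map(&:chomp)
      .reject { |line| line.empty? || line.start_with?('#') }
      .map { |line| line.split(':', -1) }
end

# Group records by field key_idx and keep only keys used more than once,
# returning {key => [value_idx field of each record]}, e.g. {"0" => ["root", "toor"]}.
def duplicates(records, key_idx, value_idx)
  records.group_by { |r| r[key_idx] }
         .select { |_, rs| rs.size > 1 }
         .transform_values { |rs| rs.map { |r| r[value_idx] } }
end

def audit_accounts(passwd_text, group_text)
  passwd = parse_db(passwd_text)
  groups = parse_db(group_text)
  known_gids = groups.map { |g| g[GR_GID] }
  shadow = groups.find { |g| g[GR_NAME] == 'shadow' }
  # CIS wants the shadow group empty (it can read /etc/shadow): report both
  # explicit members and users whose primary GID is the shadow group's.
  shadow_users = []
  if shadow
    shadow_users += shadow[GR_MEMBERS].split(',').reject(&:empty?)
    shadow_users += passwd.select { |u| u[PW_GID] == shadow[GR_GID] }.map { |u| u[PW_NAME] }
  end
  {
    'duplicate_uids'        => duplicates(passwd, PW_UID, PW_NAME),
    'duplicate_gids'        => duplicates(groups, GR_GID, GR_NAME),
    'duplicate_user_names'  => duplicates(passwd, PW_NAME, PW_UID),
    'duplicate_group_names' => duplicates(groups, GR_NAME, GR_GID),
    # users whose primary GID has no entry in /etc/group
    'missing_groups'        => passwd.reject { |u| known_gids.include?(u[PW_GID]) }.map { |u| u[PW_NAME] },
    'shadow_group_users'    => shadow_users.uniq,
  }
end

# Constructed sample data: two UID 0 accounts, a reused user name, a reused GID,
# a user whose primary group does not exist, and a populated shadow group.
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  toor:x:0:0:second uid 0:/root:/bin/bash
  alice:x:1000:1000:Alice:/home/alice:/bin/bash
  alice:x:1001:1001:Alice again:/home/alice2:/bin/bash
  bob:x:1002:1002:Bob:/home/bob:/bin/bash
  carol:x:1003:42:Carol:/home/carol:/bin/bash
  dave:x:1004:4242:Dave:/home/dave:/bin/bash
PASSWD

SAMPLE_GROUP = <<~GROUP
  root:x:0:
  shadow:x:42:bob
  alice:x:1000:
  users:x:1000:
  alice:x:1001:
  bob:x:1002:
GROUP

if __FILE__ == $PROGRAM_NAME
  # On a real host: audit_accounts(File.read('/etc/passwd'), File.read('/etc/group'))
  puts JSON.pretty_generate(audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP))
end
```

All fields are kept as strings, so a UID of `0` and `00` are reported as distinct values; that is deliberate, since a second root account written as `00` is exactly the kind of entry an auditor wants surfaced rather than normalised away.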
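The three sudo tasks (audit_sudo_nopasswd, audit_sudo_re_authentication and audit_sudo_authentication_timeout) share one parsing problem: sudoers files use `\` line continuations, and lines starting with `#include`, `#includedir` or `@include` are directives rather than comments, so a naive `grep -v '^#'` both splits entries and drops files. The script below is an added example for this page, not the module's task code; the function names are mine and the sudoers contents are constructed. On a live host you would build the input hash from `/etc/sudoers` and the files in `/etc/sudoers.d`.

```ruby
# Added example, not cem_linux task code: an offline sudo configuration audit
# covering what the audit_sudo_nopasswd, audit_sudo_re_authentication and
# audit_sudo_authentication_timeout tasks describe. Input is a hash of
# path => file contents, so the same code runs on the constructed sample below
# or on Dir['/etc/sudoers', '/etc/sudoers.d/*'] on a live host.
require 'json'

# Join backslash-continued lines, then drop blank lines and comments. Lines that
# start with #include or #includedir are directives, not comments, so keep them
# (the @include forms used by newer sudo do not start with '#' and are kept too).
def sudoers_entries(text)
  text.gsub(/\\\n/, ' ').each_line.map(&:strip).reject do |line|
    line.empty? || (line.start_with?('#') && line !~ /\A#include(dir)?\b/)
  end
end

def audit_sudo(files)
  findings = { 'nopasswd' => [], 'no_authenticate' => [], 'timestamp_timeout' => nil }
  files.each do |path, text|
    sudoers_entries(text).each do |entry|
      record = { 'file' => path, 'entry' => entry }
      # NOPASSWD: tag on a user specification, e.g. "alice ALL=(ALL) NOPASSWD: ALL"
      findings['nopasswd'] << record if entry.match?(/\bNOPASSWD:/)
      # "Defaults !authenticate" (optionally scoped with :user, @host, >runas or
      # !cmnd) switches the password prompt off for the matching scope.
      findings['no_authenticate'] << record if entry.include?('!authenticate')
      # Defaults timestamp_timeout=N is in minutes; a negative value never
      # re-prompts. When unset, sudo's compiled-in default (5 minutes upstream) applies.
      if (m = entry.match(/\ADefaults\b.*\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)/))
        findings['timestamp_timeout'] = m[1].to_f
      end
    end
  end
  t = findings['timestamp_timeout']
  # CIS expects a timeout of at most 15 minutes (and not negative); unset is within limits.
  findings['timeout_within_15m'] = t.nil? || (t >= 0 && t <= 15)
  findings
end

# Constructed sample: a main sudoers with a 30 minute timeout and an include
# directive, plus a drop-in with a continued NOPASSWD entry, a scoped
# !authenticate and a comment that mentions NOPASSWD but must not be reported.
SAMPLE_SUDOERS = {
  '/etc/sudoers' => <<~'SUDOERS',
    # /etc/sudoers (constructed sample)
    Defaults    env_reset
    Defaults    timestamp_timeout=30
    root        ALL=(ALL:ALL) ALL
    %wheel      ALL=(ALL)       ALL
    @includedir /etc/sudoers.d
  SUDOERS
  '/etc/sudoers.d/deploy' => <<~'SUDOERS',
    # NOPASSWD: inside a comment must not be reported
    deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \
        /usr/bin/journalctl -u app
    Defaults:deploy !authenticate
  SUDOERS
}

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(audit_sudo(SAMPLE_SUDOERS))
end
```

Reporting the whole joined entry, rather than just the matching line, matters for the NOPASSWD case: the command list that follows the tag is what determines whether the entry is a bounded exception or a full root grant, and in real sudoers files it is often on the continuation line.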
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v1.4.2 (2022-10-20)
Starting with the Compliance Enforcement Module (CEM) for Linux v1.4.0, the product documentation is revised to improve visibility, usability, and retrievability. Key parts of the documentation were migrated to the Puppet Docs website, where documentation for other Puppet products is published:
- The change log was migrated and renamed to Release notes. You can find the product updates for CEM Linux v1.4.0 there.
- The readme content was revised and transformed into a series of topics with a structure similar to other Puppet documentation. The revised readme content can be viewed on Puppet Docs, starting with Introducing the Compliance Enforcement Modules.
- The Reference, Tasks, and Dependencies documentation, which is generated automatically, remains on Puppet Forge.
v1.3.2 (2022-09-08)
Added
- The "Ensure core dump storage is disabled" and "Ensure core dump backtraces are disabled" controls are now enforced on Red Hat Enterprise Linux (RHEL) 8 systems.
- Added a new enforcement mode, `disabled`, so that you can disable Security Enhanced Linux (SELinux) in your environment.
Changed
- The "Ensure audit log is disabled when audit logs are full" control is updated to halt the machine when the audit log is full. This change helps to ensure better compliance with Center for Internet Security (CIS) recommendations.
- To simplify configuration, the `ntp` and `chrony` classes were combined into the `timesync` class.
Fixed
- The "Disable USB Storage" control is updated to work as designed.
- The regular expression for matching Linux username patterns is updated to accept capital letters.
- Rules in the `/etc/audit/rules.d` directory are now loaded by using the `augenrules --load` command. This fix helps to ensure that all rule files within the directory are loaded into the kernel.
- Fixed the per-resource ordering process by using the correct metaparameter, `before`, instead of `subscribe`.
- Fixed a parsing error for `chrony` that caused catalog compilation failures.
- Fixed a command injection vulnerability that could occur when unsanitized user input was used in the `command`, `onlyif`, or `unless` parameters of an `exec` resource.
- Fixed an issue with the permissions of Secure Shell (SSH) host private keys to ensure that the permissions are sufficiently restrictive.
- Fixed the `cem_systemctl` feature to return a result of `false` without error messages in Puppet run logs when the feature is evaluated on Microsoft Windows machines.
- Fixed an issue with the `cem_mta` fact that caused errors on RHEL 6.
v1.3.1 (2022-08-18)
Fixed
- Controls that configure `journald` now properly configure the `journald.conf` file.
- The `cem_coredump` fact will no longer attempt to resolve on nodes that do not support `systemctl`.
- The `cem_grub_cfg` fact will now identify the correct GRUB2 configuration file on Red Hat Enterprise Linux 7.
- The CIS-specific parameters `enable_systemd_journal` and `enable_nopasswd_sudo_prune` now function correctly.
- Fixed how Ruby code is loaded during Continuous Delivery for Puppet Enterprise impact analysis. This update fixes a bug that caused impact analysis to fail after upgrading CEM Linux to v1.3.0.
- Fixed invalid default parameter values that caused catalog compilation failures when enforcing the `ensure_password_creation_requirements_are_configured` control.
- Fixed a duplicate resource defaults statement that caused catalog compilation failures when selecting `ntp` as the time synchronization service.
v1.3.0 (2022-08-03)
Changed
- The core architecture for the module has changed. These changes should be transparent to the user. However, using Hiera automatic parameter lookup to set configurations directly on classes in the `cem_linux::benchmarks::controls::*` namespace will no longer work. This configuration method was not supported previously, and with the new architecture those classes have been removed and replaced with module Hiera data. For more information on the new architecture, see the readme file.
- The reference was revised to improve usability. Sample configurations are provided for each supported control.
Fixed
- Added proper containment to the `cem_coredump` fact so it will no longer run on operating systems that do not support it.
- Fixed how NTP options are handled. This fix resolves failures that occurred when using certain timeserver options.
v1.2.0 (2022-05-24)
Added
- Added the Center for Internet Security (CIS) Level 2 Server profile for Red Hat Enterprise Linux (RHEL) 7.
Changed
- Updated the CIS RHEL 8 benchmark to version 2.0.0.
- Removed support for CentOS 8 because the operating system has reached End of Life (EOL).
- CEM Linux has never supported CentOS Stream, and with non-stream CentOS 8 being EOL, support for it was removed entirely.
Fixed
- Fixed an issue that prevented the `coredump` configuration setting from being properly enforced. Now, you can use the module to configure core dumps.
- Fixed an issue related to file system mount points, which were not properly remounted after changes in mount-option enforcement. This issue prevented certain configuration changes from being applied.
v1.1.4 (2022-03-25)
Changed
- Updated the `audit_user_homedir` task to prevent the task from modifying permissions on top-level directories: `/boot`, `/etc`, `/lib`, `/lib64`, `/proc`, `/home`, `/opt`, `/tmp`, `/var`, and `/srv`. The `audit_user_homedir` task can still modify permissions on subdirectories within the listed directories, except for `/boot` and `/proc`.
- In the `audit_user_homedir` task, added `rtkit` to the list of ignored usernames. Because `rtkit` is a system user, CIS states that the home directory permissions for `rtkit` should not be audited.
v1.1.3 (2022-03-24)
Fixed
- Fixed a bug in the `audit_user_homedir` task to prevent the inadvertent modification of permissions on bin directories: `/bin`, `/sbin`, `/usr/bin`, and `/usr/sbin`.
v1.1.2 (2022-03-16)
Added
- Added a section to the CEM Reference about configuring `chrony`/`ntp` time servers.
Changed
- Expanded the range of versions in the `metadata.json` file so that users can install the latest modules to meet dependency requirements.
Fixed
- Fixed a bug in the `cem_linux::utils::timesync` configuration option that caused Puppet run failures when Network Time Protocol (NTP) was selected for time synchronization.
- Fixed a bug that caused a Puppet run failure during attempts to use a template to provide the Message of the Day (MOTD).
- Fixed a bug relating to unsupported options in the `auditd` config template on Red Hat Enterprise Linux (RHEL) 7. The bug caused startup failures for the `auditd` service.
v1.1.1 (2022-01-25)
Fixed
- Fixed an issue related to non-idempotent resources when managing permissions for the `Grub2` bootloader configuration. This issue affected Red Hat Enterprise Linux (RHEL) systems that did not use Extensible Firmware Interface (EFI) mode.
v1.1.0 (2021-12-14)
Added
- Enforcement for Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Server Level 2 recommendations.
- Updates related to bootloader configurations. Configurations, including password settings, can now be managed through the CEM module on systems that use the `grub2` bootloader. You can also opt in to automatically regenerate the bootloader config files after changes are made. For details, see the CEM for Linux readme file.
- Permissions management for log files in the `/var/log` directory is now available in the module. Previously, you had to run a Bolt task to manage permissions for log files. Because this feature is now supported natively, the Bolt task `cem_linux::logfile_permissions` was removed.
- Added a new fact, `cem_grub_cfg`. This fact contains information related to general `grub` configuration on the machine.
Changed
- Replaced the `camptocamp-systemd` module with the supported `puppet-systemd` module. To help ensure compatibility, you must update your Puppetfile to use the `puppet-systemd` module v3.5.0 or later.
- The `cem_uefi_boot` fact was changed to `cem_efi` and more information was added to the fact. The new name is more representative because the fact now includes boot and other information.
Restriction
- When you scan a node with Puppet Comply after applying CEM, some recommendations that are enforced by CEM might be reported as having failed the scan. This issue is due to bugs in the CIS-CAT Pro Assessor that is used by Comply. For more information, see the readme file.
v1.0.0 (2021-09-28)
- This is the initial public release of CEM for Linux.
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 9.0.0)
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/puppet_agent (>= 4.0.0 < 5.0.0)
- puppetlabs/inifile (>= 1.6.0 < 6.0.0)
- puppetlabs/augeas_core (>= 1.1.1 < 2.0.0)
- puppetlabs/firewall (>= 2.8.1 < 4.0.0)
- puppet/firewalld (>= 4.4.0 < 5.0.0)
- puppet/logrotate (>= 5.0.0 < 7.0.0)
- puppet/selinux (>= 3.2.0 < 4.0.0)
- puppet/systemd (>= 3.5.0 < 4.0.0)