Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.23.0 < 9.0.0
- , , ,
This module has been deprecated by its author since May 8th 2024.
The author has suggested puppetlabs-sce_linux as its replacement.
Tasks:
- audit_authselect
- audit_sshd_installation
- audit_sshd_status
- audit_sssd_certmap
Documentation
cem_linux
Starting with CEM Linux v1.4.0, product documentation is available on the Puppet Docs website.
CEM Linux Reference
Table of Contents
- CIS CentOS Linux 7 Benchmark 3.1.2
- CIS Red Hat Enterprise Linux 7 Benchmark 3.1.1
- Red Hat Enterprise Linux 7 Security Technical Implementation Guide 3
- CIS Red Hat Enterprise Linux 8 Benchmark 2.0.0
- Red Hat Enterprise Linux 8 Security Technical Implementation Guide 1
- CIS Oracle Linux 7 Benchmark 3.1.1
- CIS Oracle Linux 8 Benchmark 2.0.0
- CIS Alma Linux OS 8 Benchmark 2.0.0
CIS CentOS Linux 7 Benchmark 3.1.2
1.1.1.1 - Ensure mounting of cramfs filesystems is disabled
- Parameters:
filesystem
- [String[1]
] - Default:cramfs
- Filesystem to disable, example xfs.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure mounting of cramfs filesystems is disabled":
filesystem: "cramfs"
- Alternate Config IDs:
1.1.1.1
c1_1_1_1
ensure_mounting_of_cramfs_filesystems_is_disabled
- Resource:
Cem_linux::Utils::Disable_fs_mounting['Disable cramfs filesystem mounting']
1.1.1.2 - Ensure mounting of squashfs filesystems is disabled
- Parameters:
filesystem
- [String[1]
] - Default:squashfs
- Filesystem to disable, example xfs.- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure mounting of squashfs filesystems is disabled":
filesystem: "squashfs"
- Alternate Config IDs:
1.1.1.2
c1_1_1_2
ensure_mounting_of_squashfs_filesystems_is_disabled
- Resource:
Cem_linux::Utils::Disable_fs_mounting['Disable squashfs filesystem mounting']
1.1.1.3 - Ensure mounting of udf filesystems is disabled
- Parameters:
filesystem
- [String[1]
] - Default:udf
- Filesystem to disable, example xfs.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure mounting of udf filesystems is disabled":
filesystem: "udf"
- Alternate Config IDs:
1.1.1.3
c1_1_1_3
ensure_mounting_of_udf_filesystems_is_disabled
- Resource:
Cem_linux::Utils::Disable_fs_mounting['Disable udf filesystem mounting']
1.1.3 - Ensure noexec option set on /tmp partition
- Parameters:
noexec
- [Optional[Boolean]
] - Default:true
- Adds 'noexec' to the tmp.mount unit file options. Default: true- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure noexec option set on /tmp partition":
noexec: true
- Alternate Config IDs:
1.1.3
c1_1_3
ensure_noexec_option_set_on_tmp_partition
- Resource:
Class['cem_linux::utils::services::systemd::tmp_mount']
1.1.4 - Ensure nodev option set on /tmp partition
- Parameters:
nodev
- [Optional[Boolean]
] - Default:true
- Adds 'nodev' to the tmp.mount unit file options.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure nodev option set on /tmp partition":
nodev: true
- Alternate Config IDs:
1.1.4
c1_1_4
ensure_nodev_option_set_on_tmp_partition
- Resource:
Class['cem_linux::utils::services::systemd::tmp_mount']
1.1.5 - Ensure nosuid option set on /tmp partition
- Parameters:
nosuid
- [Optional[Boolean]
] - Default:true
- Adds 'nosuid' to the tmp.mount unit file options.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure nosuid option set on /tmp partition":
nosuid: true
- Alternate Config IDs:
1.1.5
c1_1_5
ensure_nosuid_option_set_on_tmp_partition
- Resource:
Class['cem_linux::utils::services::systemd::tmp_mount']
1.1.7 - Ensure noexec option set on /dev/shm partition
- Parameters:
noexec
- [Boolean
] - Default:true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure noexec option set on /dev/shm partition":
noexec: true
- Alternate Config IDs:
1.1.7
c1_1_7
ensure_noexec_option_set_on_devshm_partition
- Resource:
Class['cem_linux::utils::dev_shm_fstab_entry']
1.1.8 - Ensure nodev option set on /dev/shm partition
- Parameters:
nodev
- [Boolean
] - Default:true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure nodev option set on /dev/shm partition":
nodev: true
- Alternate Config IDs:
1.1.8
c1_1_8
ensure_nodev_option_set_on_devshm_partition
- Resource:
Class['cem_linux::utils::dev_shm_fstab_entry']
1.1.9 - Ensure nosuid option set on /dev/shm partition
- Parameters:
nosuid
- [Boolean
] - Default:true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure nosuid option set on /dev/shm partition":
nosuid: true
- Alternate Config IDs:
1.1.9
c1_1_9
ensure_nosuid_option_set_on_devshm_partition
- Resource:
Class['cem_linux::utils::dev_shm_fstab_entry']
1.1.22 - Ensure sticky bit is set on all world-writable directories
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.1.22
c1_1_22
ensure_sticky_bit_is_set_on_all_world_writable_directories
- Resource:
Class['cem_linux::utils::sticky_bit']
1.1.23 - Disable Automounting
- Parameters:
service
- [String[1]
] - Default:autofs
- Service to disable.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Disable Automounting":
service: "autofs"
- Alternate Config IDs:
1.1.23
c1_1_23
disable_automounting
- Resource:
Cem_linux::Utils::Disable_service['Disable autofs']
1.1.24 - Disable USB Storage
- Parameters:
filesystem
- [String[1]
] - Default:usb-storage
- Filesystem to disable, example xfs.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Disable USB Storage":
filesystem: "usb-storage"
- Alternate Config IDs:
1.1.24
c1_1_24
disable_usb_storage
- Resource:
Cem_linux::Utils::Disable_fs_mounting['Disable usb storage']
1.2.3 - Ensure gpgcheck is globally activated
- Parameters:
yum_conf
- [Stdlib::UnixPath
] - Default:/etc/yum.conf
- Full path to yum.conf file.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure gpgcheck is globally activated":
yum_conf: "/etc/yum.conf"
- Alternate Config IDs:
1.2.3
c1_2_3
ensure_gpgcheck_is_globally_activated
- Resource:
Class['cem_linux::utils::yum::enable_gpgcheck']
1.3.1 - Ensure AIDE is installed
- Parameters:
control_package
- [Optional[Boolean]
] - Default:true
- Whether or not to ensure the package is installed. Default: truepackage_ensure
- [Optional[String]
] - Default:present
- Passed directly to the package resource for aide. Default: installedmanage_config
- [Optional[Boolean]
] - Default:true
- Whether or not to manage /etc/aide.conf. Default: truerun_scheduled
- [Optional[Boolean]
] - Default:true
- Whether or not to set AIDE to run on a schedule. Default: truescheduler
- [Optional[Enum[\systemd\, \cron\]]
] - Default:systemd
- Whether to use a systemd timer or cron job to schedule AIDE scans. Default: systemdsystemd_timer_schedule
- [Optional[String]
] - Default:*-*-* 00:00:00
- Used as the systemd timer unit file's OnSchedule directive. Default: '--* 00:00:00'conf_purge
- [Optional[Boolean]
] - Default:undef
- Setting purge to true means that no default values will be used. WARNING: You MUST configure ALL CONFIG OPTIONS when using purge to ensure that AIDE can function. Default: falseconf_db_dir
- [Optional[String]
] - Default:/var/lib/aide
- The directory AIDE will use to store the DB. Default: /var/lib/aideconf_log_dir
- [Optional[String]
] - Default:/var/log/aide
- The directory AIDE will use to store the log file. Default: /var/log/aideconf_verbosity
- [Optional[Integer]
] - Default:5
- How verbose AIDE is in logging. Default: 5conf_report_urls
- [Optional[Array[String]]
] - Default:["file:@@{LOGDIR}/aide.log", "stdout"]
- Where AIDE should send check results. Default: [ 'file:@@{LOGDIR}/aide.log', 'stdout' ]conf_rules
- [Optional[Array[String]]
] - Default:["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"]
- Custom rule definitions for the AIDE config file. Each item is passed into the config as is, so rule definitions should look like: "PERMS = p+u+g+acl+selinux+xattrs". See docs for defaults.conf_checks
- [Optional[Array[String]]
] - Default:["/boot/ CONTENT_EX", "/bin/ CONTENT_EX", "/sbin/ CONTENT_EX", "/lib/ CONTENT_EX", "/lib64/ CONTENT_EX", "/opt/ CONTENT_EX", "/root/\\..* PERMS", "/root/ CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/ CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$ CONTENT_EX", "/etc/group$ CONTENT_EX", "/etc/gshadow$ CONTENT_EX", "/etc/shadow$ CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/ PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"]
- Directory and file checks. As AIDE parses these from top to bottom in the config file, the way you order this array matters. Individual file checks should come before their parent directory checks. Each check is passed into the config as is, so checks should look like: "/boot/ CONTENT_EX". See docs for defaults. If you choose not to use the default values, it is HIGHLY RECOMMENDED that you ignore the directory /opt/puppetlabs/puppet/cache/ and ignore the file /opt/puppetlabs/puppet/public/last_run_summary.yaml as these change every Puppet run.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure AIDE is installed":
control_package: true
package_ensure: "present"
manage_config: true
run_scheduled: true
scheduler: "systemd"
systemd_timer_schedule: "*-*-* 00:00:00"
conf_purge: <<Type Boolean>>
conf_db_dir: "/var/lib/aide"
conf_log_dir: "/var/log/aide"
conf_verbosity: 5
conf_report_urls: ["file:@@{LOGDIR}/aide.log", "stdout"]
conf_rules: ["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"]
conf_checks: ["/boot/ CONTENT_EX", "/bin/ CONTENT_EX", "/sbin/ CONTENT_EX", "/lib/ CONTENT_EX", "/lib64/ CONTENT_EX", "/opt/ CONTENT_EX", "/root/\\..* PERMS", "/root/ CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/ CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$ CONTENT_EX", "/etc/group$ CONTENT_EX", "/etc/gshadow$ CONTENT_EX", "/etc/shadow$ CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/ PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"]
- Alternate Config IDs:
1.3.1
c1_3_1
ensure_aide_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::aide']
1.4.1 - Ensure bootloader password is set
- Parameters:
password_protect
- [Boolean
] - Default:true
- Whether or not to password protect the bootloader.superuser
- [Optional[String[1]]
] - Default:undef
- The username of the grub2 superuser. This is used to set a superuser password in the bootloader configuration. This is only used if password_protect is true.superuser_password
- [Optional[Sensitive[String]]
] - Default:undef
- The password of the grub2 superuser. This will be the superuser password in the bootloader configuration. This is only used if password_protect is true.password_file
- [Stdlib::UnixPath
] - Default:/etc/grub.d/50_password
- The path to the file containing the bootloader password(s). This is only used if password_protect is true.replace_password_file
- [Boolean
] - If true, replaces the password file if it exists with a NEW hash of the password. Also, when set to true, this resource is NOT idempotent. When set to false, this prevent accidental overwriting of the password file with a new hash of the same password.hash_superuser_password
- [Boolean
] - Default:true
- If true, the superuser password will be hashed using PBKDF2-HMAC-SHA512. If false, the superuser password will be stored in the password file as-is. This is only used if password_protect is true.superuser_password_salt_length
- [Optional[Integer]
] - Default:undef
- The length of the salt in bits used to hash the superuser password. Default is 128. This is optional and only used if password_protect and hash_superuser_password are true.superuser_password_buffer_length
- [Optional[Integer]
] - Default:undef
- The length of the resulting hash. Default is 128. This is optional and only used if password_protect and hash_superuser_password are true.superuser_password_iterations
- [Optional[Integer]
] - Default:undef
- The number of times the password is passed through the hash function. Default is 120000. This is optional and only used if password_protect and hash_superuser_password are true.other_users
- [Optional[Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]]
] - Default:undef
- An array of structured hashes to add other users besides the superuser to the password file. This is optional only used if password_protect is true. The users specified here will be added to the password file as regular users, not superusers. Other user passwords will be hashed using PBKDF2-HMAC-SHA512, just like the superuser password, if hash_other_user_passwords is true.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure bootloader password is set":
password_protect: true
superuser: <<Type String[1]>>
superuser_password: <<Type Sensitive[String]>>
password_file: "/etc/grub.d/50_password"
replace_password_file: false
hash_superuser_password: true
superuser_password_salt_length: <<Type Integer>>
superuser_password_buffer_length: <<Type Integer>>
superuser_password_iterations: <<Type Integer>>
other_users: <<Type Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]>>
- Alternate Config IDs:
1.4.1
c1_4_1
ensure_bootloader_password_is_set
- Resource:
Class['cem_linux::utils::bootloader::grub2']
1.4.2 - Ensure permissions on bootloader config are configured
- Parameters:
ensure_permissions
- [Boolean
] - Default:true
- Whether or not to enforce correct permissions on the bootloader files.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on bootloader config are configured":
ensure_permissions: true
- Alternate Config IDs:
1.4.2
c1_4_2
ensure_permissions_on_bootloader_config_are_configured
- Resource:
Class['cem_linux::utils::bootloader::grub2']
1.4.3 - Ensure authentication required for single user mode
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.4.3
c1_4_3
ensure_authentication_required_for_single_user_mode
- Resource:
Class['cem_linux::utils::single_user_mode_authentication']
1.5.1 - Ensure core dumps are restricted
- Parameters:
limits_file
- [Optional[String]
] - Default:10-disable_core_dumps.conf
sysctl_file
- [Optional[String]
] - Default:10-disable_core_dumps.conf
service_content
- [Optional[String]
] - Default:# THIS FILE IS MANAGED BY PUPPET [Coredump] Storage=none ProcessSizeMax=0
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure core dumps are restricted":
limits_file: "10-disable_core_dumps.conf"
sysctl_file: "10-disable_core_dumps.conf"
service_content: "# THIS FILE IS MANAGED BY PUPPET\n[Coredump]\nStorage=none\nProcessSizeMax=0\n"
- Alternate Config IDs:
1.5.1
c1_5_1
ensure_core_dumps_are_restricted
- Resource:
Class['cem_linux::utils::disable_core_dumps']
1.5.3 - Ensure address space layout randomization (ASLR) is enabled
- Parameters:
sysctl_file
- [Optional[String]
] - Default:10-enable_aslr.conf
- The sysctl file that values will be written to. Default:0-disable_ip_forwarding.conf
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure address space layout randomization (ASLR) is enabled":
sysctl_file: "10-enable_aslr.conf"
- Alternate Config IDs:
1.5.3
c1_5_3
ensure_address_space_layout_randomization_aslr_is_enabled
- Resource:
Class['cem_linux::utils::enable_aslr']
1.5.4 - Ensure prelink is not installed
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.5.4
c1_5_4
ensure_prelink_is_not_installed
- Resource:
Class['cem_linux::utils::disable_prelink']
1.6.1.1 - Ensure SELinux is installed
- Parameters:
manage_package
- [Optional[Boolean]
] - Default:true
- Enable or disable selinux package management.package_name
- [Optional[String[1]]
] - Default:libselinux
- Name of package.mode
- [Optional[Enum[\permissive\, \enforcing\]]
] - Default:enforcing
- Selinux mode, permissive or enforcing. Disabled is not supported.type
- [Optional[Enum[\targeted\, \mls\]]
] - Default:targeted
- SELinux enforcement type.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SELinux is installed":
manage_package: true
package_name: "libselinux"
mode: "enforcing"
type: "targeted"
- Alternate Config IDs:
1.6.1.1
c1_6_1_1
ensure_selinux_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.2 - Ensure SELinux is not disabled in bootloader configuration
- Parameters:
enable_selinux
- [Boolean
] - Default:true
- Whether or not to enable SELinux in the bootloader boot command.selinux_mode
- [Enum["permissive", "enforcing", "disabled"]
] - Default:enforcing
- The SELinux enforcement mode to set in the bootloader. Only used if enable_selinux is true.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SELinux is not disabled in bootloader configuration":
enable_selinux: true
selinux_mode: "enforcing"
- Alternate Config IDs:
1.6.1.2
c1_6_1_2
ensure_selinux_is_not_disabled_in_bootloader_configuration
- Resource:
Class['cem_linux::utils::bootloader::grub2']
1.6.1.3 - Ensure SELinux policy is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.6.1.3
c1_6_1_3
ensure_selinux_policy_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.4 - Ensure the SELinux mode is enforcing or permissive
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.6.1.4
c1_6_1_4
ensure_the_selinux_mode_is_enforcing_or_permissive
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.5 - Ensure the SELinux mode is enforcing
- Parameters:
No parameters
- Supported Levels:
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.6.1.5
c1_6_1_5
ensure_the_selinux_mode_is_enforcing
- Resource:
Class['cem_linux::utils::packages::linux::selinux']
1.6.1.7 - Ensure SETroubleshoot is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:setroubleshoot
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SETroubleshoot is not installed":
pkg_name: "setroubleshoot"
- Alternate Config IDs:
1.6.1.7
c1_6_1_7
ensure_setroubleshoot_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install setroubleshoot']
1.6.1.8 - Ensure the MCS Translation Service (mcstrans) is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:mcstrans
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure the MCS Translation Service (mcstrans) is not installed":
pkg_name: "mcstrans"
- Alternate Config IDs:
1.6.1.8
c1_6_1_8
ensure_the_mcs_translation_service_mcstrans_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install mcs translation service']
1.7.1 - Ensure message of the day is configured properly
- Parameters:
dynamic_motd
- [Optional[Boolean]
] - Default:true
- Enables or disables dynamic motd on Debian systems. Defaulttrue
motd_template
- [Optional[String[1]]
] - Default:undef
- Specifies a custom motd template or text file. A template takes precedence overcontent
. Valid options: '/mymodule/mytemplate.epp'.motd_content
- [Optional[String]
] - Default: `` - Specifies a static string as the motd content. Default "This is a secure system. Unauthorized access is strictly prohibited.\r\n"issue_content
- [Optional[String]
] - Default:This is a secure system. Unauthorized access is strictly prohibited.
- Specifies a static string as the/etc/issue
content. Default "This is a secure system. Unauthorized access is strictly prohibited.\r\n"issue_net_content
- [Optional[String]
] - Default:This is a secure system. Unauthorized access is strictly prohibited.
issue_template
- [Optional[String[1]]
] - Default:undef
- Specifies a custom template or text file to process and save to/etc/issue
. A template takes precedence overissue_content
.issue_net_template
- [Optional[String[1]]
] - Default:undef
- Specifies a custom template or text file to process and save to/etc/issue.net
. A template takes precedence overissue_net_content
.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure message of the day is configured properly":
dynamic_motd: true
motd_template: <<Type String[1]>>
motd_content: ""
issue_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
issue_net_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
issue_template: <<Type String[1]>>
issue_net_template: <<Type String[1]>>
- Alternate Config IDs:
1.7.1
c1_7_1
ensure_message_of_the_day_is_configured_properly
- Resource:
Class['cem_linux::utils::motd']
1.7.2 - Ensure local login warning banner is configured properly
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.7.2
c1_7_2
ensure_local_login_warning_banner_is_configured_properly
- Resource:
Class['cem_linux::utils::motd']
1.7.3 - Ensure remote login warning banner is configured properly
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.7.3
c1_7_3
ensure_remote_login_warning_banner_is_configured_properly
- Resource:
Class['cem_linux::utils::motd']
1.7.4 - Ensure permissions on /etc/motd are configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.7.4
c1_7_4
ensure_permissions_on_etcmotd_are_configured
- Resource:
Class['cem_linux::utils::motd']
1.7.5 - Ensure permissions on /etc/issue are configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.7.5
c1_7_5
ensure_permissions_on_etcissue_are_configured
- Resource:
Class['cem_linux::utils::motd']
1.7.6 - Ensure permissions on /etc/issue.net are configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
1.7.6
c1_7_6
ensure_permissions_on_etcissue_net_are_configured
- Resource:
Class['cem_linux::utils::motd']
2.1.1 - Ensure xinetd is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:xinetd
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure xinetd is not installed":
pkg_name: "xinetd"
- Alternate Config IDs:
2.1.1
c2_1_1
ensure_xinetd_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install xinetd']
2.2.1.1 - Ensure time synchronization is in use
- Parameters:
preferred_package
- [Enum["chrony", "ntp"]
] - Default:chrony
- The preferred package to use for time synchronization. Defaults tochrony
.manage_package
- [Boolean
] - Default:true
- If true, the package will be installed and managed by Puppet. Defaults totrue
.force_exclusivity
- [Boolean
] - Default:true
- If true, the package that was not chosen will be removed from the system. This means that if your preferred package is chrony, ntp will be removed.timeservers
- [Optional[Array[String[1]]]
] - Default:undef
- Array of strings starting with the type (pool, server, etc.), then hostname / ip, then any options. Each element of the timeservers array will be added to the chrony / ntp config file as is. Please seeman chrony.conf(5)
orman ntp.conf(5)
for more details. Example: ['server 192.168.0.250 prefer iburst', 'server 192.168.0.251 iburst']sysconfig_options
- [Optional[String[1]]
] - Default:undef
- Options to be added to the sysconfig file for the chosen package. This defaults to-u chrony
for the chrony package and-u ntp:ntp
for the ntp package.ntp_restricts
- [Optional[Array[String[1]]]
] - Default:["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]
- Array of strings used to createrestrict
lines in the ntp config file. Defaults to `['-4 default kod nomodify notrap nopeer noquery', '-6 default kod nomodify notrap nopeer noquery']- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure time synchronization is in use":
preferred_package: "chrony"
manage_package: true
force_exclusivity: true
timeservers: <<Type Array[String[1]]>>
sysconfig_options: <<Type String[1]>>
ntp_restricts: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]
- Alternate Config IDs:
2.2.1.1
c2_2_1_1
ensure_time_synchronization_is_in_use
- Resource:
Class['cem_linux::utils::timesync']
2.2.1.2 - Ensure chrony is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
2.2.1.2
c2_2_1_2
ensure_chrony_is_configured
- Resource:
Class['cem_linux::utils::timesync']
2.2.1.3 - Ensure ntp is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
2.2.1.3
c2_2_1_3
ensure_ntp_is_configured
- Resource:
Class['cem_linux::utils::timesync']
2.2.2 - Ensure X11 Server components are not installed
- Parameters:
pkg_name
- [String[1]
] - Default:xorg-x11-server*
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure X11 Server components are not installed":
pkg_name: "xorg-x11-server*"
- Alternate Config IDs:
2.2.2
c2_2_2
ensure_x11_server_components_are_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install x11 server components']
2.2.3 - Ensure Avahi Server is not installed
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
2.2.3
c2_2_3
ensure_avahi_server_is_not_installed
- Resource:
Class['cem_linux::utils::remove_avahi_server']
2.2.4 - Ensure CUPS is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:cups
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure CUPS is not installed":
pkg_name: "cups"
- Alternate Config IDs:
2.2.4
c2_2_4
ensure_cups_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not install CUPS']
2.2.5 - Ensure DHCP Server is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:dhcp
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure DHCP Server is not installed":
pkg_name: "dhcp"
- Alternate Config IDs:
2.2.5
c2_2_5
ensure_dhcp_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use DHCP server']
2.2.6 - Ensure LDAP server is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:openldap-servers
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure LDAP server is not installed":
pkg_name: "openldap-servers"
- Alternate Config IDs:
2.2.6
c2_2_6
ensure_ldap_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not LDAP server']
2.2.7 - Ensure DNS Server is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:bind
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure DNS Server is not installed":
pkg_name: "bind"
- Alternate Config IDs:
2.2.7
c2_2_7
ensure_dns_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use DNS server']
2.2.8 - Ensure FTP Server is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:vsftpd
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure FTP Server is not installed":
pkg_name: "vsftpd"
- Alternate Config IDs:
2.2.8
c2_2_8
ensure_ftp_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use ftp server']
2.2.9 - Ensure HTTP server is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:httpd
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure HTTP server is not installed":
pkg_name: "httpd"
- Alternate Config IDs:
2.2.9
c2_2_9
ensure_http_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use HTTP Server']
2.2.10 - Ensure IMAP and POP3 server is not installed
- Parameters:
mail_servers
- [Array[String]
] - Default:["dovecot", "postfix"]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure IMAP and POP3 server is not installed":
mail_servers: ["dovecot", "postfix"]
- Alternate Config IDs:
2.2.10
c2_2_10
ensure_imap_and_pop3_server_is_not_installed
- Resource:
Class['cem_linux::utils::remove_imap_and_pop3']
2.2.11 - Ensure Samba is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:samba
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure Samba is not installed":
pkg_name: "samba"
- Alternate Config IDs:
2.2.11
c2_2_11
ensure_samba_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use Samba']
2.2.12 - Ensure HTTP Proxy Server is not installed
- Parameters:
proxy_packages
- [Array[String]
] - Default:["squid"]
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure HTTP Proxy Server is not installed":
proxy_packages: ["squid"]
- Alternate Config IDs:
2.2.12
c2_2_12
ensure_http_proxy_server_is_not_installed
- Resource:
Class['cem_linux::utils::remove_http_proxy']
2.2.13 - Ensure net-snmp is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:net-snmp
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure net-snmp is not installed":
pkg_name: "net-snmp"
- Alternate Config IDs:
2.2.13
c2_2_13
ensure_net_snmp_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use net-snmp']
2.2.14 - Ensure NIS server is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:ypserv
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure NIS server is not installed":
pkg_name: "ypserv"
- Alternate Config IDs:
2.2.14
c2_2_14
ensure_nis_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Disable NIS Server']
2.2.15 - Ensure telnet-server is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:telnet-server
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure telnet-server is not installed":
pkg_name: "telnet-server"
- Alternate Config IDs:
2.2.15
c2_2_15
ensure_telnet_server_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Remove Telnet server']
2.2.16 - Ensure mail transfer agent is configured for local-only mode
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
2.2.16
c2_2_16
ensure_mail_transfer_agent_is_configured_for_local_only_mode
- Resource:
Class['cem_linux::utils::local_only_mta']
2.2.17 - Ensure nfs-utils is not installed or the nfs-server service is masked
- Parameters:
keep_nfsutils
- [Boolean
]- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure nfs-utils is not installed or the nfs-server service is masked":
keep_nfsutils: false
- Alternate Config IDs:
2.2.17
c2_2_17
ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked
- Resource:
Class['cem_linux::utils::disable_or_remove_nfs']
2.2.18 - Ensure rpcbind is not installed or the rpcbind services are masked
- Parameters:
keep_rpcbind
- [Boolean
]- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure rpcbind is not installed or the rpcbind services are masked":
keep_rpcbind: false
- Alternate Config IDs:
2.2.18
c2_2_18
ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked
- Resource:
Class['cem_linux::utils::disable_or_remove_rpcbind']
2.2.19 - Ensure rsync is not installed or the rsyncd service is masked
- Parameters:
keep_rsync
- [Boolean
]- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure rsync is not installed or the rsyncd service is masked":
keep_rsync: false
- Alternate Config IDs:
2.2.19
c2_2_19
ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
- Resource:
Class['cem_linux::utils::disable_or_remove_rsync']
2.3.1 - Ensure NIS Client is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:ypbind
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure NIS Client is not installed":
pkg_name: "ypbind"
- Alternate Config IDs:
2.3.1
c2_3_1
ensure_nis_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use NIS Client']
2.3.2 - Ensure rsh client is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:rsh
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure rsh client is not installed":
pkg_name: "rsh"
- Alternate Config IDs:
2.3.2
c2_3_2
ensure_rsh_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use rsh']
2.3.3 - Ensure talk client is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:talk
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure talk client is not installed":
pkg_name: "talk"
- Alternate Config IDs:
2.3.3
c2_3_3
ensure_talk_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Do not use talk client']
2.3.4 - Ensure telnet client is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:telnet
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure telnet client is not installed":
pkg_name: "telnet"
- Alternate Config IDs:
2.3.4
c2_3_4
ensure_telnet_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Remove Telnet Client']
2.3.5 - Ensure LDAP client is not installed
- Parameters:
pkg_name
- [String[1]
] - Default:openldap-clients
- Name of package to remove.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure LDAP client is not installed":
pkg_name: "openldap-clients"
- Alternate Config IDs:
2.3.5
c2_3_5
ensure_ldap_client_is_not_installed
- Resource:
Cem_linux::Utils::Packages::Absenter['Remove LDAP Client']
3.1.1 - Disable IPv6
- Parameters:
strategy
- [Enum["sysctl", "grub"]
] - Default:sysctl
- Whether to disable IPv6 with sysctl or in the grub configcreate_sysctl_file
- [Boolean
] - Default:true
- Whether to create a new sysctl file or to use the default config filesysctl_conf
- [String
] - Default:/etc/sysctl.conf
- Path to sysctl.conf.sysctl_d_path
- [String
] - Default:/etc/sysctl.d
- Path to sysctl.d.sysctl_prefix
- [String
] - Default:10-
- A prefix to add to the created file name.sysctl_comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to the created file.- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Disable IPv6":
strategy: "sysctl"
create_sysctl_file: true
sysctl_conf: "/etc/sysctl.conf"
sysctl_d_path: "/etc/sysctl.d"
sysctl_prefix: "10-"
sysctl_comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.1.1
c3_1_1
disable_ipv6
- Resource:
Class['cem_linux::utils::network::disable_ipv6']
3.1.2 - Ensure wireless interfaces are disabled
- Parameters:
wwan
- [Boolean
] - Default:true
- Whether to disable wwan Default: falsewifi
- [Boolean
] - Default:true
- Whether to disable wifi Default: false- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure wireless interfaces are disabled":
wwan: true
wifi: true
- Alternate Config IDs:
3.1.2
c3_1_2
ensure_wireless_interfaces_are_disabled
- Resource:
Cem_linux::Utils::Network::Disable_wireless_interfaces['Disable wireless interfaces']
3.2.1 - Ensure IP forwarding is disabled
- Parameters:
target
- [String[1]
] - Default:/etc/sysctl.d/90-disable_ip_forwarding.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure IP forwarding is disabled":
target: "/etc/sysctl.d/90-disable_ip_forwarding.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.2.1
c3_2_1
ensure_ip_forwarding_is_disabled
- Resource:
Class['cem_linux::utils::network::disable_ip_forwarding']
3.2.2 - Ensure packet redirect sending is disabled
- Parameters:
target
- [String[1]
] - Default:/etc/sysctl.d/90-disable_packet_redirect_sending.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure packet redirect sending is disabled":
target: "/etc/sysctl.d/90-disable_packet_redirect_sending.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.2.2
c3_2_2
ensure_packet_redirect_sending_is_disabled
- Resource:
Class['cem_linux::utils::network::disable_packet_redirect_sending']
3.3.1 - Ensure source routed packets are not accepted
- Parameters:
target
- [String[1]
] - Default:/etc/sysctl.d/90-disable_source_routes.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure source routed packets are not accepted":
target: "/etc/sysctl.d/90-disable_source_routes.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.1
c3_3_1
ensure_source_routed_packets_are_not_accepted
- Resource:
Class['cem_linux::utils::network::disable_source_routes']
3.3.2 - Ensure ICMP redirects are not accepted
- Parameters:
disable_ipv4_accept_default
- [Boolean
] - Default:true
- Disable accepting IPv4 ICMP redirects on default routedisable_ipv4_accept_all
- [Boolean
] - Default:true
- Disable accepting IPv4 ICMP redirects on all routesdisable_ipv6_accept_default
- [Boolean
] - Default:true
- Disable accepting IPv6 ICMP redirects on default routedisable_ipv6_accept_all
- [Boolean
] - Default:true
- Disable accepting IPv6 ICMP redirects on all routestarget
- [Stdlib::UnixPath
] - Default:/etc/sysctl.d/90-disable_icmp_redirects.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure ICMP redirects are not accepted":
disable_ipv4_accept_default: true
disable_ipv4_accept_all: true
disable_ipv6_accept_default: true
disable_ipv6_accept_all: true
target: "/etc/sysctl.d/90-disable_icmp_redirects.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.2
c3_3_2
ensure_icmp_redirects_are_not_accepted
- Resource:
Class['cem_linux::utils::network::disable_icmp_redirects']
3.3.3 - Ensure secure ICMP redirects are not accepted
- Parameters:
target
- [String[1]
] - Default:/etc/sysctl.d/90-disable_secure_icmp_redirects.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure secure ICMP redirects are not accepted":
target: "/etc/sysctl.d/90-disable_secure_icmp_redirects.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.3
c3_3_3
ensure_secure_icmp_redirects_are_not_accepted
- Resource:
Class['cem_linux::utils::network::disable_secure_icmp_redirects']
3.3.4 - Ensure suspicious packets are logged
- Parameters:
target
- [String[1]
] - Default:/etc/sysctl.d/90-enable_log_martians.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure suspicious packets are logged":
target: "/etc/sysctl.d/90-enable_log_martians.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.4
c3_3_4
ensure_suspicious_packets_are_logged
- Resource:
Class['cem_linux::utils::network::enable_log_martians']
3.3.5 - Ensure broadcast ICMP requests are ignored
- Parameters:
target
- [String[1]
] - Default:/etc/sysctl.d/90-ignore_icmp_broadcast.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure broadcast ICMP requests are ignored":
target: "/etc/sysctl.d/90-ignore_icmp_broadcast.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.5
c3_3_5
ensure_broadcast_icmp_requests_are_ignored
- Resource:
Class['cem_linux::utils::network::ignore_icmp_broadcast']
3.3.6 - Ensure bogus ICMP responses are ignored
- Parameters:
target
- [String[1]
] - Default:/etc/sysctl.d/90-ignore_bogus_icmp.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure bogus ICMP responses are ignored":
target: "/etc/sysctl.d/90-ignore_bogus_icmp.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.6
c3_3_6
ensure_bogus_icmp_responses_are_ignored
- Resource:
Class['cem_linux::utils::network::ignore_bogus_icmp']
3.3.7 - Ensure Reverse Path Filtering is enabled
- Parameters:
target
- [String[1]
] - Default:/etc/sysctl.d/90-enable_reverse_path_filtering.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure Reverse Path Filtering is enabled":
target: "/etc/sysctl.d/90-enable_reverse_path_filtering.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.7
c3_3_7
ensure_reverse_path_filtering_is_enabled
- Resource:
Class['cem_linux::utils::network::enable_reverse_path_filtering']
3.3.8 - Ensure TCP SYN Cookies is enabled
- Parameters:
target
- [String[1]
] - Default:/etc/sysctl.d/90-enable_tcp_syn_cookies.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure TCP SYN Cookies is enabled":
target: "/etc/sysctl.d/90-enable_tcp_syn_cookies.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.8
c3_3_8
ensure_tcp_syn_cookies_is_enabled
- Resource:
Class['cem_linux::utils::network::enable_tcp_syn_cookies']
3.3.9 - Ensure IPv6 router advertisements are not accepted
- Parameters:
target
- [String[1]
] - Default:/etc/sysctl.d/90-disable_ipv6_router_advertisements.conf
- The sysctl file that values will be written to.persist
- [Boolean
] - Default:true
- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment
- [String
] - Default:MANAGED BY PUPPET
- A comment to add to add to each setting. Default:MANAGED BY PUPPET
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure IPv6 router advertisements are not accepted":
target: "/etc/sysctl.d/90-disable_ipv6_router_advertisements.conf"
persist: true
comment: "MANAGED BY PUPPET"
- Alternate Config IDs:
3.3.9
c3_3_9
ensure_ipv6_router_advertisements_are_not_accepted
- Resource:
Class['cem_linux::utils::network::disable_ipv6_router_advertisements']
3.4.1 - Ensure DCCP is disabled
- Parameters:
target
- [Optional[String[1]]
] - Default:/etc/modprobe.d/dccp.conf
- Target file to write.content
- [Optional[String]
] - Default:install dccp /bin/true
- Target file content.- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure DCCP is disabled":
target: "/etc/modprobe.d/dccp.conf"
content: "install dccp /bin/true"
- Alternate Config IDs:
3.4.1
c3_4_1
ensure_dccp_is_disabled
- Resource:
Class['cem_linux::utils::network::disable_dccp']
3.4.2 - Ensure SCTP is disabled
- Parameters:
target
- [Optional[String[1]]
] - Default:/etc/modprobe.d/sctp.conf
- Target file to write.content
- [Optional[String]
] - Default:install sctp /bin/true
- Target file content.- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SCTP is disabled":
target: "/etc/modprobe.d/sctp.conf"
content: "install sctp /bin/true"
- Alternate Config IDs:
3.4.2
c3_4_2
ensure_sctp_is_disabled
- Resource:
Class['cem_linux::utils::network::disable_sctp']
3.5.1.1 - Ensure firewalld is installed
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.1.1
c3_5_1_1
ensure_firewalld_is_installed
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.1.2 - Ensure iptables-services not installed with firewalld
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.1.2
c3_5_1_2
ensure_iptables_services_not_installed_with_firewalld
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.1.3 - Ensure nftables either not installed or masked with firewalld
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.1.3
c3_5_1_3
ensure_nftables_either_not_installed_or_masked_with_firewalld
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.1.4 - Ensure firewalld service enabled and running
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.1.4
c3_5_1_4
ensure_firewalld_service_enabled_and_running
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.1.5 - Ensure firewalld default zone is set
- Parameters:
default_zone
- [Optional[String[1]]
] - Default:public
- Sets the default firewalld zone to this zone. Default:public
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure firewalld default zone is set":
default_zone: "public"
- Alternate Config IDs:
3.5.1.5
c3_5_1_5
ensure_firewalld_default_zone_is_set
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.1.6 - Ensure network interfaces are assigned to appropriate zone
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.1.6
c3_5_1_6
ensure_network_interfaces_are_assigned_to_appropriate_zone
- Resource:
Class['cem_linux::utils::firewall::firewalld']
3.5.3.1.1 - Ensure iptables packages are installed
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.1.1
c3_5_3_1_1
ensure_iptables_packages_are_installed
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.1.2 - Ensure nftables is not installed with iptables
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.1.2
c3_5_3_1_2
ensure_nftables_is_not_installed_with_iptables
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.1.3 - Ensure firewalld is either not installed or masked with iptables
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.1.3
c3_5_3_1_3
ensure_firewalld_is_either_not_installed_or_masked_with_iptables
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.1 - Ensure iptables loopback traffic is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.2.1
c3_5_3_2_1
ensure_iptables_loopback_traffic_is_configured
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.2 - Ensure iptables outbound and established connections are configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.2.2
c3_5_3_2_2
ensure_iptables_outbound_and_established_connections_are_configured
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.3 - Ensure iptables rules exist for all open ports
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.2.3
c3_5_3_2_3
ensure_iptables_rules_exist_for_all_open_ports
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.4 - Ensure iptables default deny firewall policy
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.2.4
c3_5_3_2_4
ensure_iptables_default_deny_firewall_policy
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.5 - Ensure iptables rules are saved
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.2.5
c3_5_3_2_5
ensure_iptables_rules_are_saved
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.2.6 - Ensure iptables is enabled and running
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.2.6
c3_5_3_2_6
ensure_iptables_is_enabled_and_running
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.1 - Ensure ip6tables loopback traffic is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.3.1
c3_5_3_3_1
ensure_ip6tables_loopback_traffic_is_configured
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.2 - Ensure ip6tables outbound and established connections are configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.3.2
c3_5_3_3_2
ensure_ip6tables_outbound_and_established_connections_are_configured
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.3 - Ensure ip6tables firewall rules exist for all open ports
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.3.3
c3_5_3_3_3
ensure_ip6tables_firewall_rules_exist_for_all_open_ports
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.4 - Ensure ip6tables default deny firewall policy
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.3.4
c3_5_3_3_4
ensure_ip6tables_default_deny_firewall_policy
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.5 - Ensure ip6tables rules are saved
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.3.5
c3_5_3_3_5
ensure_ip6tables_rules_are_saved
- Resource:
Class['cem_linux::utils::firewall::iptables']
3.5.3.3.6 - Ensure ip6tables is enabled and running
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
3.5.3.3.6
c3_5_3_3_6
ensure_ip6tables_is_enabled_and_running
- Resource:
Class['cem_linux::utils::firewall::iptables']
4.1.1.1 - Ensure auditd is installed
- Parameters:
package
- [Array
] - Default:["audit", "audit-libs"]
- Packages to install for auditd. Default ['audit', 'audit-libs']- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure auditd is installed":
package: ["audit", "audit-libs"]
- Alternate Config IDs:
4.1.1.1
c4_1_1_1
ensure_auditd_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.1.2 - Ensure auditd service is enabled and running
- Parameters:
service
- [String[1]
] - Default:auditd
- Name of auditd service. Default 'auditd'- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure auditd service is enabled and running":
service: "auditd"
- Alternate Config IDs:
4.1.1.2
c4_1_1_2
ensure_auditd_service_is_enabled_and_running
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.1.3 - Ensure auditing for processes that start prior to auditd is enabled
- Parameters:
enable_auditd
- [Boolean
] - Default:true
- Whether or not to enable auditd in the bootloader boot command.- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure auditing for processes that start prior to auditd is enabled":
enable_auditd: true
- Alternate Config IDs:
4.1.1.3
c4_1_1_3
ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled
- Resource:
Class['cem_linux::utils::bootloader::grub2']
4.1.2.1 - Ensure audit log storage size is configured
- Parameters:
max_log_file
- [Integer[0]
] - Default:8
- Default 8- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure audit log storage size is configured":
max_log_file: 8
- Alternate Config IDs:
4.1.2.1
c4_1_2_1
ensure_audit_log_storage_size_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.2.2 - Ensure audit logs are not automatically deleted
- Parameters:
max_log_file_action
- [Enum["keep_logs", "rotate", "ignore", "syslog", "suspend"]
] - Default:keep_logs
- Default 'keep_logs'- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure audit logs are not automatically deleted":
max_log_file_action: "keep_logs"
- Alternate Config IDs:
4.1.2.2
c4_1_2_2
ensure_audit_logs_are_not_automatically_deleted
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.2.3 - Ensure system is disabled when audit logs are full
- Parameters:
space_left_action
- [Enum["ignore", "syslog", "email", "suspend", "single", "halt"]
] - Default:halt
- Default 'email'admin_space_left_action
- [Enum["ignore", "syslog", "email", "suspend", "single", "halt"]
] - Default:halt
- Default 'halt'action_mail_acct
- [String[1]
] - Default:root
- Default 'root'- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure system is disabled when audit logs are full":
space_left_action: "halt"
admin_space_left_action: "halt"
action_mail_acct: "root"
- Alternate Config IDs:
4.1.2.3
c4_1_2_3
ensure_system_is_disabled_when_audit_logs_are_full
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.2.4 - Ensure audit_backlog_limit is sufficient
- Parameters:
audit_backlog_limit
- [Integer
] - Default:8192
- The maximum number of audit log entries to keep in the backlog.- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure audit_backlog_limit is sufficient":
audit_backlog_limit: 8192
- Alternate Config IDs:
4.1.2.4
c4_1_2_4
ensure_audit_backlog_limit_is_sufficient
- Resource:
Class['cem_linux::utils::bootloader::grub2']
4.1.3 - Ensure events that modify date and time information are collected
- Parameters:
audit_time_change
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure events that modify date and time information are collected":
audit_time_change: true
- Alternate Config IDs:
4.1.3
c4_1_3
ensure_events_that_modify_date_and_time_information_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.4 - Ensure events that modify user/group information are collected
- Parameters:
audit_usergroup_modification
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure events that modify user/group information are collected":
audit_usergroup_modification: true
- Alternate Config IDs:
4.1.4
c4_1_4
ensure_events_that_modify_usergroup_information_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.5 - Ensure events that modify the system's network environment are collected
- Parameters:
audit_network_environment
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure events that modify the system's network environment are collected":
audit_network_environment: true
- Alternate Config IDs:
4.1.5
c4_1_5
ensure_events_that_modify_the_systems_network_environment_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.6 - Ensure events that modify the system's Mandatory Access Controls are collected
- Parameters:
audit_mac_modification
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure events that modify the system's Mandatory Access Controls are collected":
audit_mac_modification: true
- Alternate Config IDs:
4.1.6
c4_1_6
ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.7 - Ensure login and logout events are collected
- Parameters:
audit_lastlog_log
- [Boolean
] - Default:true
audit_faillock_run
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure login and logout events are collected":
audit_lastlog_log: true
audit_faillock_run: true
- Alternate Config IDs:
4.1.7
c4_1_7
ensure_login_and_logout_events_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.8 - Ensure session initiation information is collected
- Parameters:
audit_session_initiation
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure session initiation information is collected":
audit_session_initiation: true
- Alternate Config IDs:
4.1.8
c4_1_8
ensure_session_initiation_information_is_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.9 - Ensure discretionary access control permission modification events are collected
- Parameters:
audit_dac_modification
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure discretionary access control permission modification events are collected":
audit_dac_modification: true
- Alternate Config IDs:
4.1.9
c4_1_9
ensure_discretionary_access_control_permission_modification_events_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.10 - Ensure unsuccessful unauthorized file access attempts are collected
- Parameters:
audit_unauthorized_file_access
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure unsuccessful unauthorized file access attempts are collected":
audit_unauthorized_file_access: true
- Alternate Config IDs:
4.1.10
c4_1_10
ensure_unsuccessful_unauthorized_file_access_attempts_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.11 - Ensure use of privileged commands is collected
- Parameters:
audit_privileged_commands
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure use of privileged commands is collected":
audit_privileged_commands: true
- Alternate Config IDs:
4.1.11
c4_1_11
ensure_use_of_privileged_commands_is_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.12 - Ensure successful file system mounts are collected
- Parameters:
audit_file_system_mounts
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure successful file system mounts are collected":
audit_file_system_mounts: true
- Alternate Config IDs:
4.1.12
c4_1_12
ensure_successful_file_system_mounts_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.13 - Ensure file deletion events by users are collected
- Parameters:
audit_file_deletion_events
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure file deletion events by users are collected":
audit_file_deletion_events: true
- Alternate Config IDs:
4.1.13
c4_1_13
ensure_file_deletion_events_by_users_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.14 - Ensure changes to system administration scope (sudoers) is collected
- Parameters:
audit_sudoers_modification
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure changes to system administration scope (sudoers) is collected":
audit_sudoers_modification: true
- Alternate Config IDs:
4.1.14
c4_1_14
ensure_changes_to_system_administration_scope_sudoers_is_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.15 - Ensure system administrator command executions (sudo) are collected
- Parameters:
audit_sudo_actions
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure system administrator command executions (sudo) are collected":
audit_sudo_actions: true
- Alternate Config IDs:
4.1.15
c4_1_15
ensure_system_administrator_command_executions_sudo_are_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.16 - Ensure kernel module loading and unloading is collected
- Parameters:
audit_kernel_module_loading
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure kernel module loading and unloading is collected":
audit_kernel_module_loading: true
- Alternate Config IDs:
4.1.16
c4_1_16
ensure_kernel_module_loading_and_unloading_is_collected
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.1.17 - Ensure the audit configuration is immutable
- Parameters:
set_immutable_configuration
- [Boolean
] - Default:true
- Supported Levels:
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure the audit configuration is immutable":
set_immutable_configuration: true
- Alternate Config IDs:
4.1.17
c4_1_17
ensure_the_audit_configuration_is_immutable
- Resource:
Class['cem_linux::utils::packages::linux::auditd']
4.2.1.1 - Ensure rsyslog is installed
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
4.2.1.1
c4_2_1_1
ensure_rsyslog_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.2 - Ensure rsyslog Service is enabled and running
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
4.2.1.2
c4_2_1_2
ensure_rsyslog_service_is_enabled_and_running
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.3 - Ensure rsyslog default file permissions configured
- Parameters:
filecreatemode
- [Optional[String]
] - Default:0640
- Default file creation mode. Default '0640'.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure rsyslog default file permissions configured":
filecreatemode: "0640"
- Alternate Config IDs:
4.2.1.3
c4_2_1_3
ensure_rsyslog_default_file_permissions_configured
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.4 - Ensure logging is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
4.2.1.4
c4_2_1_4
ensure_logging_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.5 - Ensure rsyslog is configured to send logs to a remote log host
- Parameters:
remote_log_host
- [Optional[Variant[Stdlib::IP::Address, String[1], Array[Struct[{service=>String[1], host=>Variant[Stdlib::IP::Address, String[1]]}]]]]
] - Default:undef
tcp_port
- [Optional[Integer]
] - Default:514
- The port to use for the $InputTCPServerRun option. Default: 514- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure rsyslog is configured to send logs to a remote log host":
remote_log_host: <<Type Variant[Stdlib::IP::Address, String[1], Array[Struct[{service=>String[1], host=>Variant[Stdlib::IP::Address, String[1]]}]]]>>
tcp_port: 514
- Alternate Config IDs:
4.2.1.5
c4_2_1_5
ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.1.6 - Ensure remote rsyslog messages are only accepted on designated log hosts.
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
4.2.1.6
c4_2_1_6
ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts
- Resource:
Class['cem_linux::utils::packages::linux::rsyslog']
4.2.2.1 - Ensure journald is configured to send logs to rsyslog
- Parameters:
forward_to_syslog
- [Optional[Variant[Boolean, Stdlib::Yes_no]]
] - Default:true
- If defined, configures optionForwardToSyslog=<yes|no>
in the journald config. If a Boolean value is passed, true maps toyes
and false maps tono
.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure journald is configured to send logs to rsyslog":
forward_to_syslog: true
- Alternate Config IDs:
4.2.2.1
c4_2_2_1
ensure_journald_is_configured_to_send_logs_to_rsyslog
- Resource:
Class['cem_linux::utils::services::systemd::journald']
4.2.2.2 - Ensure journald is configured to compress large log files
- Parameters:
compress_large_files
- [Optional[Variant[Boolean, Stdlib::Yes_no]]
] - Default:true
- If defined, configures optionCompress=<yes|no>
in the journald config. If a Boolean value is passed, true maps toyes
and false maps tono
.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure journald is configured to compress large log files":
compress_large_files: true
- Alternate Config IDs:
4.2.2.2
c4_2_2_2
ensure_journald_is_configured_to_compress_large_log_files
- Resource:
Class['cem_linux::utils::services::systemd::journald']
4.2.2.3 - Ensure journald is configured to write logfiles to persistent disk
- Parameters:
persistent_storage
- [Optional[Boolean]
] - Default:true
- Convenience method to set persistent as the storage option. If true, configures optionStorage=persistent
in the journald config.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure journald is configured to write logfiles to persistent disk":
persistent_storage: true
- Alternate Config IDs:
4.2.2.3
c4_2_2_3
ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
- Resource:
Class['cem_linux::utils::services::systemd::journald']
4.2.3 - Ensure permissions on all logfiles are configured
- Parameters:
mode
- [Stdlib::Filemode
] - Default:0640
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on all logfiles are configured":
mode: "0640"
- Alternate Config IDs:
4.2.3
c4_2_3
ensure_permissions_on_all_logfiles_are_configured
- Resource:
Class['cem_linux::utils::chmod_logfiles']
4.2.4 - Ensure logrotate is configured
- Parameters:
No parameters
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Alternate Config IDs:
4.2.4
c4_2_4
ensure_logrotate_is_configured
- Resource:
Class['cem_linux::utils::packages::linux::logrotate']
5.1.1 - Ensure cron daemon is enabled and running
- Parameters:
manage_package
- [Optional[Boolean]
] - Default:true
- If true, ensures thecronie
package is installed. Default: truemanage_service
- [Optional[Boolean]
] - Default:true
- If true, enables and runs thecrond
daemon with a service resource. Default: truecron_allow_path
- [Optional[Stdlib::AbsolutePath]
] - Default:/etc/cron.allow
- The path for the cron.allow file to manage. Only relevant ifset_cron_allow_perms
is set totrue
. Default: /etc/cron.allowpurge_cron_deny
- [Optional[Boolean]
] - Default:true
- If true, removes (if they exist) /etc/cron.deny and /etc/cron.d/cron.deny. Default: truemanage_cron_allow
- [Optional[Boolean]
] - Default:true
- If true, creates the cron.allow file specified by thecron_allow_path
parameter and enforces0600
permissions on the file. Default: true- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure cron daemon is enabled and running":
manage_package: true
manage_service: true
cron_allow_path: "/etc/cron.allow"
purge_cron_deny: true
manage_cron_allow: true
- Alternate Config IDs:
5.1.1
c5_1_1
ensure_cron_daemon_is_enabled_and_running
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.2 - Ensure permissions on /etc/crontab are configured
- Parameters:
set_crontab_perms
- [Optional[Boolean]
] - Default:true
- If true, enforces0600
permissions on /etc/crontab. Default: true- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on /etc/crontab are configured":
set_crontab_perms: true
- Alternate Config IDs:
5.1.2
c5_1_2
ensure_permissions_on_etccrontab_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.3 - Ensure permissions on /etc/cron.hourly are configured
- Parameters:
set_hourly_cron_perms
- [Optional[Boolean]
] - Default:true
- If true, enforces0700
permissions on /etc/cron.hourly. Default: true- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on /etc/cron.hourly are configured":
set_hourly_cron_perms: true
- Alternate Config IDs:
5.1.3
c5_1_3
ensure_permissions_on_etccron_hourly_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.4 - Ensure permissions on /etc/cron.daily are configured
- Parameters:
set_daily_cron_perms
- [Optional[Boolean]
] - Default:true
- If true, enforces0700
permissions on /etc/cron.daily. Default: true- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on /etc/cron.daily are configured":
set_daily_cron_perms: true
- Alternate Config IDs:
5.1.4
c5_1_4
ensure_permissions_on_etccron_daily_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.5 - Ensure permissions on /etc/cron.weekly are configured
- Parameters:
set_weekly_cron_perms
- [Optional[Boolean]
] - Default:true
- If true, enforces0700
permissions on /etc/cron.weekly. Default: true- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on /etc/cron.weekly are configured":
set_weekly_cron_perms: true
- Alternate Config IDs:
5.1.5
c5_1_5
ensure_permissions_on_etccron_weekly_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.6 - Ensure permissions on /etc/cron.monthly are configured
- Parameters:
set_monthly_cron_perms
- [Optional[Boolean]
] - Default:true
- If true, enforces0700
permissions on /etc/cron.monthly. Default: true- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on /etc/cron.monthly are configured":
set_monthly_cron_perms: true
- Alternate Config IDs:
5.1.6
c5_1_6
ensure_permissions_on_etccron_monthly_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.7 - Ensure permissions on /etc/cron.d are configured
- Parameters:
set_cron_d_perms
- [Optional[Boolean]
] - Default:true
- If true, enforces0700
permissions on /etc/cron.d. Default: true- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on /etc/cron.d are configured":
set_cron_d_perms: true
- Alternate Config IDs:
5.1.7
c5_1_7
ensure_permissions_on_etccron_d_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.8 - Ensure cron is restricted to authorized users
- Parameters:
cron_allowlist
- [Optional[Array[String[1]]]
] - Default:["root"]
- An array of user names to add to the cron.allow file. Default: [root]- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure cron is restricted to authorized users":
cron_allowlist: ["root"]
- Alternate Config IDs:
5.1.8
c5_1_8
ensure_cron_is_restricted_to_authorized_users
- Resource:
Class['cem_linux::utils::packages::linux::cron']
5.1.9 - Ensure at is restricted to authorized users
- Parameters:
at_allowlist
- [Optional[Array[String[1]]]
] - Default:["root"]
- An array of user names to add to the at.allow file. Default: [root]- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure at is restricted to authorized users":
at_allowlist: ["root"]
- Alternate Config IDs:
5.1.9
c5_1_9
ensure_at_is_restricted_to_authorized_users
- Resource:
Class['cem_linux::utils::packages::linux::at']
5.2.1 - Ensure sudo is installed
- Parameters:
package_ensure
- [Optional[Enum[\installed\, \latest\, \absent\]]
] - Default:installed
- Used with the sudo package resource.package_name
- [Optional[String[1]]
] - Default:sudo
- The name of the sudo package to ensure. Defaults to "sudo"sudoers_path
- [Optional[Stdlib::UnixPath]
] - Default:/etc/sudoers
- Path to the sudoers file. Default: /etc/sudoerssudoers_d_path
- [Optional[Stdlib::UnixPath]
] - Default:/etc/sudoers.d
- Path to the sudoers.d directory. Default: /etc/sudoers.ddefaults
- [Optional[Hash[String[1], Optional[String]]]
] - Default:undef
- Options to be added as Defaults in the sudoers file. Keys in the hash become options, and values become the values. If the option you want to specify does not have a value, make the value "undef". For example, to set a default sudo logfile, it would look like:$defaults => { 'logfile' => '/var/log/sudo.log'}
which would then be written to the sudoers file asDefaults logfile = /var/log/sudo.log
. If you wanted to specify an option with no value, it would look like:$defaults => { 'use_pty' => undef }
which would then be written to the sudoers file asDefaults use_pty
.drop_ins
- [Optional[Hash[String[1], Struct[{user_group=>Optional[Variant[String[1], Array[String[1]]]], host=>Optional[String[1]], target_users=>Optional[Variant[String[1], Array[String[1]]]], priority=>Optional[Integer], commands=>Optional[Variant[Enum[\\\\\\\\\\\\\\\\ALL\\\\\\\\\\\\\\\\], Array[String[1]]]], options=>Optional[Array[String[1]]], file_name=>Optional[String[1]]}]]]
] - Default:undef
- Allows to you configure "drop-in" suoders files that are created in the sudoers.d directory. This param gets passed directly to the defined type cem_linux::utils::packages::linux::sudo::user_group. The key of the hash equates to the defined type's resource name, while the value is a struct with options aligning directly to the defined type's parameters. See cem_linux::utils::packages::linux::sudo::user_group for more details.- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure sudo is installed":
package_ensure: "installed"
package_name: "sudo"
sudoers_path: "/etc/sudoers"
sudoers_d_path: "/etc/sudoers.d"
defaults: <<Type Hash[String[1], Optional[String]]>>
drop_ins: <<Type Hash[String[1], Struct[{user_group=>Optional[Variant[String[1], Array[String[1]]]], host=>Optional[String[1]], target_users=>Optional[Variant[String[1], Array[String[1]]]], priority=>Optional[Integer], commands=>Optional[Variant[Enum[\\\\\\\\\\\\\\\\ALL\\\\\\\\\\\\\\\\], Array[String[1]]]], options=>Optional[Array[String[1]]], file_name=>Optional[String[1]]}]]>>
- Alternate Config IDs:
5.2.1
c5_2_1
ensure_sudo_is_installed
- Resource:
Class['cem_linux::utils::packages::linux::sudo']
5.2.2 - Ensure sudo commands use pty
- Parameters:
sudoers_path
- [String[1]
] - Default:/etc/sudoers
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure sudo commands use pty":
sudoers_path: "/etc/sudoers"
- Alternate Config IDs:
5.2.2
c5_2_2
ensure_sudo_commands_use_pty
- Resource:
Cem_linux::Utils::Packages::Linux::Sudo::Sudoers_default['use_pty']
5.2.3 - Ensure sudo log file exists
- Parameters:
sudoers_path
- [String[1]
] - Default:/etc/sudoers
value
- [Optional[Variant[String[1], Array[String[1]]]]
] - Default:/var/log/sudo.log
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure sudo log file exists":
sudoers_path: "/etc/sudoers"
value: "/var/log/sudo.log"
- Alternate Config IDs:
5.2.3
c5_2_3
ensure_sudo_log_file_exists
- Resource:
Cem_linux::Utils::Packages::Linux::Sudo::Sudoers_default['logfile']
5.3.1 - Ensure permissions on /etc/ssh/sshd_config are configured
- Parameters:
enforce_sshd_config_perms
- [Boolean
] - Default:true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on /etc/ssh/sshd_config are configured":
enforce_sshd_config_perms: true
- Alternate Config IDs:
5.3.1
c5_3_1
ensure_permissions_on_etcsshsshd_config_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.2 - Ensure permissions on SSH private host key files are configured
- Parameters:
enforce_pri_host_key_perms
- [Boolean
] - Default:true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on SSH private host key files are configured":
enforce_pri_host_key_perms: true
- Alternate Config IDs:
5.3.2
c5_3_2
ensure_permissions_on_ssh_private_host_key_files_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.3 - Ensure permissions on SSH public host key files are configured
- Parameters:
enforce_pub_host_key_perms
- [Boolean
] - Default:true
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure permissions on SSH public host key files are configured":
enforce_pub_host_key_perms: true
- Alternate Config IDs:
5.3.3
c5_3_3
ensure_permissions_on_ssh_public_host_key_files_are_configured
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.4 - Ensure SSH access is limited
- Parameters:
allow_users
- [Optional[Array[String[1]]]
] - Default:undef
allow_groups
- [Optional[Array[String[1]]]
] - Default:undef
deny_users
- [Optional[Array[String[1]]]
] - Default:undef
deny_groups
- [Optional[Array[String[1]]]
] - Default:undef
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SSH access is limited":
allow_users: <<Type Array[String[1]]>>
allow_groups: <<Type Array[String[1]]>>
deny_users: <<Type Array[String[1]]>>
deny_groups: <<Type Array[String[1]]>>
- Alternate Config IDs:
5.3.4
c5_3_4
ensure_ssh_access_is_limited
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.5 - Ensure SSH LogLevel is appropriate
- Parameters:
log_level
- [Optional[Enum[\INFO\, \VERBOSE\]]
] - Default:INFO
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SSH LogLevel is appropriate":
log_level: "INFO"
- Alternate Config IDs:
5.3.5
c5_3_5
ensure_ssh_loglevel_is_appropriate
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.6 - Ensure SSH X11 forwarding is disabled
- Parameters:
x11_forwarding
- [Optional[Enum[\yes\, \no\]]
] - Default:no
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SSH X11 forwarding is disabled":
x11_forwarding: "no"
- Alternate Config IDs:
5.3.6
c5_3_6
ensure_ssh_x11_forwarding_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.7 - Ensure SSH MaxAuthTries is set to 4 or less
- Parameters:
max_auth_tries
- [Optional[Integer]
] - Default:4
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SSH MaxAuthTries is set to 4 or less":
max_auth_tries: 4
- Alternate Config IDs:
5.3.7
c5_3_7
ensure_ssh_maxauthtries_is_set_to_4_or_less
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.8 - Ensure SSH IgnoreRhosts is enabled
- Parameters:
ignore_rhosts
- [Optional[Enum[\yes\, \no\]]
] - Default:yes
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SSH IgnoreRhosts is enabled":
ignore_rhosts: "yes"
- Alternate Config IDs:
5.3.8
c5_3_8
ensure_ssh_ignorerhosts_is_enabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.9 - Ensure SSH HostbasedAuthentication is disabled
- Parameters:
host_based_authentication
- [Optional[Enum[\yes\, \no\]]
] - Default:no
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SSH HostbasedAuthentication is disabled":
host_based_authentication: "no"
- Alternate Config IDs:
5.3.9
c5_3_9
ensure_ssh_hostbasedauthentication_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.10 - Ensure SSH root login is disabled
- Parameters:
permit_root_login
- [Optional[Enum[\yes\, \no\, \without-password\, \forced-commands-only\]]
] - Default:no
- Supported Levels:
level_1
level_2
- Supported Profiles:
server
- Hiera Configuration Example:
cem_linux::config:
control_configs:
"Ensure SSH root login is disabled":
permit_root_login: "no"
- Alternate Config IDs:
5.3.10
c5_3_10
ensure_ssh_root_login_is_disabled
- Resource:
Class['cem_linux::utils::packages::linux::ssh']
5.3.11 - Ensure SSH PermitEmptyPasswords is disabled
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
audit_authselect
Audit authselect profile for RHEL8 and CentOS8
audit_boot
Audit if the system is configured to boot to the command line or to the graphical user interface.
audit_check_ipv6
Audit IPV6 for RHEL8
audit_client_dns
Audit DNS servers configured in /etc/resolv.conf
audit_duplicate_gid
Finds and returns duplicate GIDs in /etc/group
audit_duplicate_group_names
Finds and returns duplicate group names in /etc/group.
audit_duplicate_uid
Finds duplicate UIDs in /etc/passwd and returns the UID and all users that use it
audit_duplicate_user_names
Finds and returns duplicate user names in /etc/passwd.
audit_etcpasswd_groups
Finds groups that exist in /etc/passwd but do not exist in /etc/group
audit_firewalld_config
Returns the results of firewall-cmd --list-all
audit_for_emergency_accounts
Audit all accounts expiration dates for removal.
audit_kerberos_keytab_files
List all the keytab files on the system at /etc
audit_library_files
Audit library files permission, ownership, and group ownership
audit_mcafee_endpoint_security
Audit McAfee Endpoint Security for Linux
audit_no_execution_bit_flag
Audit for the no-execution bit flag on the system
audit_partition_crypto
Audit partition cryptography
audit_pkcs11_eventmgr
This task will report on whether the screen is locked or not when using smart card.
audit_pw_change_date
Returns the last password change date for all users
audit_selinux_user_roles
Returns the output of 'semanage user -l' on the target system
audit_sgid_executables
A short description of this task
audit_shadow_group
Finds and returns any users in the shadow group
audit_sshd_installation
Verify if sshd is installed
audit_sshd_status
Report sshd status
audit_sssd_certmap
Audit the existance of sssd certmap configuration
audit_sudo_authentication_timeout
Return the sudo authentication timeout in minutes
audit_sudo_nopasswd
Return instances of NOPASSWD: in sudo configuration files.
audit_sudo_re_authentication
Returns a list of any ungrouped sudo configuration entries that contain !authenticate.
audit_suid_executables
Returns a list of SUID executable files
audit_system_command_permission
Audit system commands permission, ownership and group ownership
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v1.4.2 (2022-10-20)
Starting with the Compliance Enforcement Module (CEM) for Linux v1.4.0, the product documentation is revised to improve visibility, usability, and retrievability. Key parts of the documentation were migrated to the Puppet Docs website, where documentation for other Puppet products is published:
- The change log was migrated and renamed to Release notes. You can find the product updates for CEM Linux v1.4.0 there.
- The readme content was revised and transformed into a series of topics with a structure similar to other Puppet documentation. The revised readme content can be viewed on Puppet Docs, starting with Introducing the Compliance Enforcement Modules.
- The Reference, Tasks, and Dependencies documentation, which is generated automatically, remains on Puppet Forge.
v1.3.2 (2022-09-08)
Added
- The
Ensure core dump storage is disabled
andEnsure core dump backtraces are disabled
controls are now enforced on Red Hat Enterprise Linux (RHEL) 8 systems. - Added a new enforcement mode,
disabled
, so that you can disable Security Enhanced Linux (SELinux) in your environment.
Changed
- The
Ensure audit log is disabled when audit logs are full
control is updated to halt the machine when the audit log is full. This change helps to ensure better compliance with Center for Internet Security (CIS) recommendations. - To simplify configuration, the
ntp
andchrony
classes were combined into thetimesync
class.
Fixed
- The
Disable USB Storage
control is updated to work as designed. - The regular expression for matching Linux username patterns is updated to accept capital letters.
- Rules in the
/etc/auditd/rules.d
directory are now loaded by using theaugenrules --load
command. This fix helps to ensure that all rule files within the directory are loaded into the kernel. - Fixed the per-resource ordering process by using the correct
metaparameter
before
instead ofsubscribe
. - Fixed a parsing error for
chrony
that caused catalog compilation failures. - Fixed a command injection vulnerability that could occur when
unsanitized user input was used in the
command
,onlyif
, orunless
parameters of anexec
resource. - Fixed an issue with the permissions of Secure Shell (SSH) host private keys to ensure that the permissions are sufficiently restrictive.
- Fixed the
cem_systemctl
feature to return a result offalse
without error messages in Puppet run logs when the feature is evaluated on Microsoft Windows machines. - Fixed an issue with the
cem_mta
fact that caused errors in RHEL 6.
v1.3.1 (2022-08-18)
Fixed
- Controls that configure
journald
now properly configure thejournald.conf
file. - The
cem_coredump
fact will no longer attempt to resolve on nodes that do not supportsystemctl
. - The
cem_grub_cfg
fact will now identify the correct GRUB2 configuration file on Red Hat Enterprise Linux 7. - The CIS-specific parameters
enable_systemd_journal
andenable_nopasswd_sudo_prune
now function correctly. - Fixed how Ruby code is loaded during Continuous Delivery for Puppet Enterprise impact analysis. This update fixes a bug that caused impact analysis to fail after upgrading CEM Linux to v1.3.0.
- Fixed invalid default parameter values that caused catalog compilation
failures when enforcing the control
ensure_password_creation_requirements_are_configured
. - Fixed a duplicate resource defaults statement that caused catalog
compilation failures when selecting
ntp
as the time synchronization service.
v1.3.0 (2022-08-03)
Changed
- The core architecture for the module has changed. These changes should
be transparent to the user. However, using Hiera automatic parameter
lookup to set configurations directly on classes in the
cem_linux::benchmarks::controls::*
namespace will no longer work. This configuration method was not supported previously, and with the new architecture those classes have been removed and replaced with module Hiera data. - For more information on the new architecture, see the readme file.
- The reference was revised to improve usability. Sample configurations are provided for each supported control.
Fixed
- Added proper containment to the
cem_coredump
fact so it will no longer run on operating systems that do not support it. - Fixed how NTP options are handled. This fix resolves failures that occurred when using certain timeserver options.
v1.2.0 (2022-05-24)
Added
- Added the Center for Internet Security (CIS) Level 2 Server profile for Red Hat Enterprise Linux (RHEL) 7.
Changed
- Updated the CIS RHEL 8 benchmark to version 2.0.0.
- Removed support for CentOS 8 because the operating system has reached
End of Life (EOL).
- CEM Linux has never supported CentOS Stream, and with non-stream CentOS 8 being EOL, support for it was removed entirely.
Fixed
- Fixed an issue that prevented the
coredump
configuration setting from being properly enforced. Now, you can use the module to configure core dumps. - Fixed an issue related to file system mount points, which were not properly remounted after changes in mount-option enforcement. This issue prevented certain configuration changes from being applied.
v1.1.4 (2022-03-25)
Changed
- Updated the
audit_user_homedir
task to prevent the task from modifying permissions on top-level directories:/boot
,/boot/
,/etc
,/lib
,/lib64
,/proc
,/proc/
,/home
,/opt
,/tmp
,/var
, and/srv/
. Theaudit_user_homedir
task can still modify permissions on subdirectories within the listed directories, except for/boot
and/proc
. - In the
audit_user_homedir
task, addedrtkit
to the list of ignored usernames. Becausertkit
is a system user, CIS states that the home directory permissions forrtkit
should not be audited.
v1.1.3 (2022-03-24)
Fixed
- Fixed a bug in the
audit_user_homedir
task to prevent the inadvertent modification of permissions on bin directories:/bin
,/sbin
,/usr/bin
, and/usr/sbin
.
v1.1.2 (2022-03-16)
Added
- Added a section to the CEM Reference about configuring
chrony/ntp
time servers.
Changed
- Expanded the range of versions in the
metadata.json
file so that users can install the latest modules to meet dependency requirements.
Fixed
- Fixed a bug in the
cem_linux::utils::timesync
configuration option that caused Puppet run failures when Network Time Protocol (NTP) was selected for time synchronization. - Fixed a bug that caused a Puppet run failure during attempts to use a template to provide the Message of the Day (MOTD).
- Fixed a bug relating to unsupported options in the
auditd
config template on Red Hat Enterprise Linux (RHEL) 7. The bug caused startup failures for theauditd
service.
v1.1.1 (2022-01-25)
Fixed
- Fixed an issue related to non-idempotent resources when managing
permissions for the
Grub2
bootloader configuration. This issue affected Red Hat Enterprise Linux (RHEL) systems that did not use Extensible Firmware Interface (EFI) mode.
v1.1.0 (2021-12-14)
Added
-
Enforcement for Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Server Level 2 recommendations.
-
Updates related to bootloader configurations. Configurations, including password settings, can now be managed through the CEM module on systems that use the
grub2
bootloader.- You can also opt in to automatically regenerate the bootloader config files after changes are made.
- For details, see the CEM for Linux readme file.
-
Permissions management for log files in the
/var/log directory
is now available in the module. Previously, you had to run a Bolt task to manage permissions for log files.- Because this feature is now supported natively, the Bolt task
cem_linux::logfile_permissions
was removed.
- Because this feature is now supported natively, the Bolt task
-
Added a new fact,
cem_grub_cfg
. This fact contains information related to generalgrub
configuration on the machine.
Changed
- Replaced the
camptocamp-systemd
module with the supportedpuppet-systemd
module. To help ensure compatibility, you must update your Puppetfile to use thepuppet-systemd
module v3.5.0 or later. - The
cem_uefi_boot
fact was changed tocem_efi
and more information was added to the fact. The new name is more representative because the fact now includes boot and other information.
Restriction
- When you scan a node with Puppet Comply after applying CEM, some recommendations that are enforced by CEM might be reported as having failed the scan. This issue is due to bugs in the CIS-CAT Pro Assessor that is used by Comply. For more information, see the readme file.
v1.0.0 (2021-09-28)
- This is the initial public release of CEM for Linux.
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 9.0.0)
- puppetlabs/concat (>= 6.4.0 < 9.0.0)
- puppetlabs/inifile (>= 1.6.0 < 6.1.0)
- puppetlabs/augeas_core (>= 1.1.1 < 2.0.0)
- puppetlabs/firewall (>= 2.8.1 < 6.0.0)
- puppet/firewalld (>= 4.5.0 < 5.0.0)
- puppet/logrotate (>= 5.0.0 < 7.0.0)
- puppet/selinux (>= 3.2.0 < 4.0.0)
- puppet/systemd (>= 3.5.0 < 5.1.0)