Premium module

cem_linux

Compliance Enforcement Module for Linux


Version information

  • 1.9.1 (latest)
  • 1.9.0
  • 1.8.0
  • 1.7.1
  • 1.7.0
  • 1.6.3
  • 1.6.2
  • 1.6.1
  • 1.6.0
  • 1.5.2
  • 1.5.1
  • 1.5.0
  • 1.4.3
  • 1.4.2
  • 1.4.1
  • 1.4.0
  • 1.3.2
  • 1.3.1
  • 1.3.0
  • 1.2.0
  • 1.1.4
  • 1.1.3
  • 1.1.2
  • 1.1.1
  • 1.1.0
  • 1.0.0
released Feb 8th 2024
This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.23.0 < 9.0.0
Tasks:
  • audit_authselect
  • audit_shadow_group
  • audit_boot
  • audit_check_ipv6
  • audit_client_dns
  • audit_duplicate_gid
  • audit_duplicate_group_names
  • and 49 more.

Documentation

puppetlabs/cem_linux — version 1.9.1 Feb 8th 2024

CEM Linux Reference

CIS CentOS Linux 7 Benchmark 3.1.2

1.1.1.1 - Ensure mounting of cramfs filesystems is disabled

  • Parameters:
  • filesystem - [ String[1] ] - Default: cramfs - Filesystem to disable, example xfs.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure mounting of cramfs filesystems is disabled":
      filesystem: "cramfs"
  • Alternate Config IDs:
  • 1.1.1.1
  • c1_1_1_1
  • ensure_mounting_of_cramfs_filesystems_is_disabled
  • Resource: Cem_linux::Utils::Disable_fs_mounting['Disable cramfs filesystem mounting']

1.1.1.2 - Ensure mounting of squashfs filesystems is disabled

  • Parameters:
  • filesystem - [ String[1] ] - Default: squashfs - Filesystem to disable, example xfs.
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure mounting of squashfs filesystems is disabled":
      filesystem: "squashfs"
  • Alternate Config IDs:
  • 1.1.1.2
  • c1_1_1_2
  • ensure_mounting_of_squashfs_filesystems_is_disabled
  • Resource: Cem_linux::Utils::Disable_fs_mounting['Disable squashfs filesystem mounting']

1.1.1.3 - Ensure mounting of udf filesystems is disabled

  • Parameters:
  • filesystem - [ String[1] ] - Default: udf - Filesystem to disable, example xfs.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure mounting of udf filesystems is disabled":
      filesystem: "udf"
  • Alternate Config IDs:
  • 1.1.1.3
  • c1_1_1_3
  • ensure_mounting_of_udf_filesystems_is_disabled
  • Resource: Cem_linux::Utils::Disable_fs_mounting['Disable udf filesystem mounting']

1.1.3 - Ensure noexec option set on /tmp partition

  • Parameters:
  • noexec - [ Optional[Boolean] ] - Default: true - Adds 'noexec' to the tmp.mount unit file options.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure noexec option set on /tmp partition":
      noexec: true
  • Alternate Config IDs:
  • 1.1.3
  • c1_1_3
  • ensure_noexec_option_set_on_tmp_partition
  • Resource: Class['cem_linux::utils::services::systemd::tmp_mount']

1.1.4 - Ensure nodev option set on /tmp partition

  • Parameters:
  • nodev - [ Optional[Boolean] ] - Default: true - Adds 'nodev' to the tmp.mount unit file options.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure nodev option set on /tmp partition":
      nodev: true
  • Alternate Config IDs:
  • 1.1.4
  • c1_1_4
  • ensure_nodev_option_set_on_tmp_partition
  • Resource: Class['cem_linux::utils::services::systemd::tmp_mount']

1.1.5 - Ensure nosuid option set on /tmp partition

  • Parameters:
  • nosuid - [ Optional[Boolean] ] - Default: true - Adds 'nosuid' to the tmp.mount unit file options.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure nosuid option set on /tmp partition":
      nosuid: true
  • Alternate Config IDs:
  • 1.1.5
  • c1_1_5
  • ensure_nosuid_option_set_on_tmp_partition
  • Resource: Class['cem_linux::utils::services::systemd::tmp_mount']

1.1.7 - Ensure noexec option set on /dev/shm partition

  • Parameters:
  • noexec - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure noexec option set on /dev/shm partition":
      noexec: true
  • Alternate Config IDs:
  • 1.1.7
  • c1_1_7
  • ensure_noexec_option_set_on_devshm_partition
  • Resource: Class['cem_linux::utils::dev_shm_fstab_entry']

1.1.8 - Ensure nodev option set on /dev/shm partition

  • Parameters:
  • nodev - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure nodev option set on /dev/shm partition":
      nodev: true
  • Alternate Config IDs:
  • 1.1.8
  • c1_1_8
  • ensure_nodev_option_set_on_devshm_partition
  • Resource: Class['cem_linux::utils::dev_shm_fstab_entry']

1.1.9 - Ensure nosuid option set on /dev/shm partition

  • Parameters:
  • nosuid - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure nosuid option set on /dev/shm partition":
      nosuid: true
  • Alternate Config IDs:
  • 1.1.9
  • c1_1_9
  • ensure_nosuid_option_set_on_devshm_partition
  • Resource: Class['cem_linux::utils::dev_shm_fstab_entry']
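
Controls 1.1.3 through 1.1.9 are satisfied only when the options are present on the live mount, not merely declared in the tmp.mount unit or in /etc/fstab that the module manages (a changed unit or fstab entry takes effect at the next mount or remount). The following audit, added here as an example and not part of the cem_linux module, checks /proc/mounts-format text for the three options on /tmp and /dev/shm. It also handles the octal escapes /proc/mounts uses for spaces in mountpoint names. SAMPLE_PROC_MOUNTS is constructed for illustration.

```python
"""Audit the mount options that controls 1.1.3-1.1.5 (/tmp) and 1.1.7-1.1.9 (/dev/shm) require.

Added example, not part of the cem_linux module. The unit file and fstab entry the module
manages only state intent; the kernel's mount table says what is actually in force, so this
reads /proc/mounts-format text. SAMPLE_PROC_MOUNTS is constructed for illustration.
"""
import re

# Constructed sample of /proc/mounts: /tmp is fully hardened, /dev/shm lacks noexec,
# and one mountpoint contains a space, which the kernel writes as the octal escape \040.
SAMPLE_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
devtmpfs /dev devtmpfs rw,seclabel,nosuid,size=1930836k,nr_inodes=482709,mode=755 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev,noexec,mode=1777,strictatime 0 0
/dev/sdb1 /mnt/usb\\040stick vfat rw,nosuid,nodev,noexec 0 0
"""

REQUIRED = ("nodev", "noexec", "nosuid")


def _unescape(field):
    """/proc/mounts encodes space, tab, newline and backslash as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def mount_options(proc_mounts_text, mountpoint):
    """Option set of the last entry for mountpoint (a later mount over the same path
    shadows an earlier one), or None when nothing is mounted there."""
    opts = None
    for line in proc_mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and _unescape(parts[1]) == mountpoint:
            opts = set(parts[3].split(","))
    return opts


def missing_options(proc_mounts_text, mountpoint, required=REQUIRED):
    """Sorted list of required options absent from the live mount, or None if not mounted."""
    opts = mount_options(proc_mounts_text, mountpoint)
    if opts is None:
        return None
    return sorted(o for o in required if o not in opts)


def audit(proc_mounts_text, mountpoints=("/tmp", "/dev/shm")):
    """Map each mountpoint to its missing options (None = not a separate mount at all,
    which also fails the benchmark: the options cannot be set on a non-existent mount)."""
    return {mp: missing_options(proc_mounts_text, mp) for mp in mountpoints}


if __name__ == "__main__":
    for mp, missing in audit(SAMPLE_PROC_MOUNTS).items():
        if missing is None:
            print(mp, "not mounted")
        else:
            print(mp, "OK" if not missing else "missing " + ",".join(missing))
```

On a real host, pass the contents of /proc/mounts (or `findmnt -rn -o TARGET,OPTIONS` reshaped into the same fields) instead of the sample; /etc/fstab is deliberately not consulted because it describes what should happen at boot, not what is mounted now.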

1.1.22 - Ensure sticky bit is set on all world-writable directories

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.1.22
  • c1_1_22
  • ensure_sticky_bit_is_set_on_all_world_writable_directories
  • Resource: Class['cem_linux::utils::sticky_bit']

1.1.23 - Disable Automounting

  • Parameters:
  • service - [ String[1] ] - Default: autofs - Service to disable.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Disable Automounting":
      service: "autofs"
  • Alternate Config IDs:
  • 1.1.23
  • c1_1_23
  • disable_automounting
  • Resource: Cem_linux::Utils::Disable_service['Disable autofs']

1.1.24 - Disable USB Storage

  • Parameters:
  • filesystem - [ String[1] ] - Default: usb-storage - Kernel module to block. usb-storage is a storage driver rather than a filesystem, but it is disabled through the same modprobe mechanism as the filesystem controls in 1.1.1.x.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Disable USB Storage":
      filesystem: "usb-storage"
  • Alternate Config IDs:
  • 1.1.24
  • c1_1_24
  • disable_usb_storage
  • Resource: Cem_linux::Utils::Disable_fs_mounting['Disable usb storage']
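
Controls 1.1.1.1 through 1.1.1.3 and 1.1.24 all rely on the same Disable_fs_mounting resource, and the benchmark audits them the same way: modprobe must map the module to a no-op (/bin/true, or /bin/false on newer benchmarks) and the module must not be loaded. The audit below is an added example, not part of the cem_linux module. It evaluates both conditions against text already collected from a host (the concatenated /etc/modprobe.d/*.conf files and /proc/modules, the data behind lsmod), normalises the dash/underscore spelling that makes `lsmod | grep usb-storage` miss a loaded usb_storage, and surfaces conflicting install lines instead of guessing which drop-in wins. Both sample inputs are constructed.

```python
"""Audit whether a kernel module is blocked and unloaded (controls 1.1.1.1-1.1.1.3, 1.1.24).

Added example, not part of the cem_linux module. Inputs are text already captured from a
host: the concatenated /etc/modprobe.d/*.conf files and /proc/modules. Both samples are
constructed for illustration.
"""
import re

SAMPLE_MODPROBE_CONF = """\
# constructed: concatenation of /etc/modprobe.d/*.conf
install cramfs /bin/true
blacklist cramfs
install squashfs /bin/true
install usb-storage /bin/true
blacklist usb_storage
install udf /bin/true
# a second drop-in that re-enables udf: a conflict the audit must surface
install udf /sbin/modprobe --ignore-install udf
"""

# Constructed sample of /proc/modules: usb_storage is still loaded despite the install line.
SAMPLE_PROC_MODULES = """\
xfs 993185 2 - Live 0xffffffffc0200000
usb_storage 62209 0 - Live 0xffffffffc0150000
libcrc32c 12644 1 xfs, Live 0xffffffffc0100000
"""

ACCEPTED_TARGETS = ("/bin/true", "/bin/false")


def canon(name):
    """modprobe and the kernel treat '-' and '_' as the same character in module names,
    so the module configured as usb-storage appears in /proc/modules as usb_storage."""
    return name.replace("-", "_")


def _directives(conf_text, keyword):
    """Yield (module, argument) for every '<keyword> <module> [argument]' line, comments stripped."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(keyword + r"\s+(\S+)(?:\s+(.*))?$", line)
        if m:
            yield m.group(1), (m.group(2) or "").strip()


def install_commands(conf_text, module):
    """All commands bound to the module by 'install' lines, in file order."""
    return [cmd for name, cmd in _directives(conf_text, "install") if canon(name) == canon(module)]


def is_blacklisted(conf_text, module):
    return any(canon(name) == canon(module) for name, _ in _directives(conf_text, "blacklist"))


def is_loaded(proc_modules_text, module):
    return any(canon(line.split()[0]) == canon(module)
               for line in proc_modules_text.splitlines() if line.strip())


def audit_module(module, conf_text, proc_modules_text):
    cmds = install_commands(conf_text, module)
    # Every install line must point at a no-op. Any other target is reported as a conflict
    # rather than resolved here, because which drop-in wins depends on modprobe's file order.
    blocked = bool(cmds) and all(c in ACCEPTED_TARGETS for c in cmds)
    loaded = is_loaded(proc_modules_text, module)
    return {
        "module": module,
        "install_blocked": blocked,
        "conflicting_install": [c for c in cmds if c not in ACCEPTED_TARGETS],
        "blacklisted": is_blacklisted(conf_text, module),
        "loaded": loaded,
        "compliant": blocked and not loaded,
    }


if __name__ == "__main__":
    for mod in ("cramfs", "squashfs", "udf", "usb-storage"):
        print(audit_module(mod, SAMPLE_MODPROBE_CONF, SAMPLE_PROC_MODULES))
```

A module that is blocked but still loaded (usb-storage in the sample) stays non-compliant until it is unloaded or the host reboots; the modprobe.d entry only prevents future loads.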

1.2.3 - Ensure gpgcheck is globally activated

  • Parameters:
  • yum_conf - [ Stdlib::UnixPath ] - Default: /etc/yum.conf - Full path to yum.conf file.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure gpgcheck is globally activated":
      yum_conf: "/etc/yum.conf"
  • Alternate Config IDs:
  • 1.2.3
  • c1_2_3
  • ensure_gpgcheck_is_globally_activated
  • Resource: Class['cem_linux::utils::yum::enable_gpgcheck']

1.3.1 - Ensure AIDE is installed

  • Parameters:
  • control_package - [ Optional[Boolean] ] - Default: true - Whether or not to ensure the package is installed.
  • package_ensure - [ Optional[String] ] - Default: present - Passed directly to the ensure attribute of the aide package resource.
  • manage_config - [ Optional[Boolean] ] - Default: true - Whether or not to manage /etc/aide.conf.
  • run_scheduled - [ Optional[Boolean] ] - Default: true - Whether or not to set AIDE to run on a schedule.
  • scheduler - [ Optional[Enum['systemd', 'cron']] ] - Default: systemd - Whether to use a systemd timer or a cron job to schedule AIDE scans.
  • systemd_timer_schedule - [ Optional[String] ] - Default: *-*-* 00:00:00 - Used as the OnCalendar= directive of the systemd timer unit; the default runs the scan daily at midnight.
  • conf_purge - [ Optional[Boolean] ] - Default: undef - When true, no default values are used. WARNING: You MUST configure ALL CONFIG OPTIONS when using purge, or AIDE will not function. Left unset, the module defaults below apply.
  • conf_db_dir - [ Optional[String] ] - Default: /var/lib/aide - The directory AIDE will use to store the DB.
  • conf_log_dir - [ Optional[String] ] - Default: /var/log/aide - The directory AIDE will use to store the log file.
  • conf_verbosity - [ Optional[Integer] ] - Default: 5 - How verbose AIDE is in logging.
  • conf_report_urls - [ Optional[Array[String]] ] - Default: ["file:@@{LOGDIR}/aide.log", "stdout"] - Where AIDE should send check results.
  • conf_rules - [ Optional[Array[String]] ] - Default: ["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"] - Custom rule definitions for the AIDE config file. Each item is passed into the config as is, so rule definitions should look like: "PERMS = p+u+g+acl+selinux+xattrs". See docs for defaults.
  • conf_checks - [ Optional[Array[String]] ] - Default: ["/boot/ CONTENT_EX", "/bin/ CONTENT_EX", "/sbin/ CONTENT_EX", "/lib/ CONTENT_EX", "/lib64/ CONTENT_EX", "/opt/ CONTENT_EX", "/root/\\..* PERMS", "/root/ CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/ CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$ CONTENT_EX", "/etc/group$ CONTENT_EX", "/etc/gshadow$ CONTENT_EX", "/etc/shadow$ CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/ PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"] - Directory and file checks. As AIDE parses these from top to bottom in the config file, the way you order this array matters. Individual file checks should come before their parent directory checks. Each check is passed into the config as is, so checks should look like: "/boot/ CONTENT_EX". See docs for defaults. If you choose not to use the default values, it is HIGHLY RECOMMENDED that you ignore the directory /opt/puppetlabs/puppet/cache/ and ignore the file /opt/puppetlabs/puppet/public/last_run_summary.yaml as these change every Puppet run.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure AIDE is installed":
      control_package: true
      package_ensure: "present"
      manage_config: true
      run_scheduled: true
      scheduler: "systemd"
      systemd_timer_schedule: "*-*-* 00:00:00"
      conf_purge: <<Type Boolean>>
      conf_db_dir: "/var/lib/aide"
      conf_log_dir: "/var/log/aide"
      conf_verbosity: 5
      conf_report_urls: ["file:@@{LOGDIR}/aide.log", "stdout"]
      conf_rules: ["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"]
      conf_checks: ["/boot/   CONTENT_EX", "/bin/    CONTENT_EX", "/sbin/   CONTENT_EX", "/lib/    CONTENT_EX", "/lib64/  CONTENT_EX", "/opt/    CONTENT_EX", "/root/\\..* PERMS", "/root/   CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/    CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$   CONTENT_EX", "/etc/group$    CONTENT_EX", "/etc/gshadow$  CONTENT_EX", "/etc/shadow$   CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/    PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"]
  • Alternate Config IDs:
  • 1.3.1
  • c1_3_1
  • ensure_aide_is_installed
  • Resource: Class['cem_linux::utils::packages::linux::aide']
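
The conf_checks documentation makes a point that is easy to get wrong by hand: AIDE reads selection lines top to bottom, so a check for a file or subdirectory must precede the check for its parent directory, and the Puppet agent's own cache must be excluded or every run produces noise. The example below, added here and not the module's template (which this page does not show), renders the aide.conf fragment these parameters describe and lints the ordering rule. DEFAULT_RULES and DEFAULT_CHECKS are copied from the page's defaults; the database and reporting directive names (database, database_out, gzip_dbout, verbose, report_url) are assumed from the stock CentOS 7 aide.conf shipped with AIDE 0.15, and treating negated (!) lines as exempt from the ordering rule is an assumption drawn from the page's own default ordering.

```python
"""Render an aide.conf from control 1.3.1's parameters and lint check ordering.

Added example, not the cem_linux module's template. Directive names for the database and
reports are assumed from the stock CentOS 7 aide.conf (AIDE 0.15).
"""

DEFAULT_RULES = [
    "PERMS = p+u+g+acl+xattrs",
    "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs",
]

# The page's default conf_checks, verbatim and in the page's order.
DEFAULT_CHECKS = [
    "/boot/ CONTENT_EX", "/bin/ CONTENT_EX", "/sbin/ CONTENT_EX", "/lib/ CONTENT_EX",
    "/lib64/ CONTENT_EX", "/opt/ CONTENT_EX", "/root/\\..* PERMS", "/root/ CONTENT_EX",
    "!/usr/src/", "!/usr/tmp/", "/usr/ CONTENT_EX", "!/etc/mtab$", "!/etc/.*null",
    "/etc/hosts$ CONTENT_EX", "/etc/passwd$ CONTENT_EX", "/etc/group$ CONTENT_EX",
    "/etc/gshadow$ CONTENT_EX", "/etc/shadow$ CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX",
    "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS",
    "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX",
    "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX",
    "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX",
    "!/var/log/sa/", "!/var/log/aide.log", "/etc/ PERMS", "!/var/log/httpd/",
    "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml",
]

DEFAULT_REPORT_URLS = ["file:@@{LOGDIR}/aide.log", "stdout"]


def render_aide_conf(db_dir="/var/lib/aide", log_dir="/var/log/aide", verbosity=5,
                     report_urls=DEFAULT_REPORT_URLS, rules=DEFAULT_RULES, checks=DEFAULT_CHECKS):
    """Return aide.conf text. Rules and checks are emitted verbatim and in the given order,
    which is what the parameter documentation says the module does."""
    lines = [
        "# constructed example; directive names follow the CentOS 7 stock aide.conf",
        "@@define DBDIR " + db_dir,
        "@@define LOGDIR " + log_dir,
        "database=file:@@{DBDIR}/aide.db.gz",
        "database_out=file:@@{DBDIR}/aide.db.new.gz",
        "gzip_dbout=yes",
        "verbose=" + str(verbosity),
    ]
    lines += ["report_url=" + u for u in report_urls]
    lines += list(rules)
    lines += list(checks)
    return "\n".join(lines) + "\n"


def _path_of(check):
    """Selection-line path: strip the '!' / '=' type prefix and a trailing '$' anchor."""
    return check.split()[0].lstrip("!=").rstrip("$")


def lint_check_order(checks):
    """Return (offending_check, earlier_parent_dir_check) pairs where a positive check for
    something inside a directory appears after that directory's own positive check.
    Negated ('!') exclusions are not judged (assumption: the page's defaults place the
    /opt/puppetlabs exclusions after the /opt/ check)."""
    problems = []
    parent_dirs = []  # (path, line) of positive directory checks seen so far
    for check in checks:
        if check.startswith("!"):
            continue
        path = _path_of(check)
        for dir_path, dir_line in parent_dirs:
            if path != dir_path and path.startswith(dir_path):
                problems.append((check, dir_line))
        if path.endswith("/"):
            parent_dirs.append((path, check))
    return problems


if __name__ == "__main__":
    print(render_aide_conf())
    print("ordering problems:", lint_check_order(DEFAULT_CHECKS))
```

Run the lint over any conf_checks override before putting it in Hiera; a "/etc/ PERMS" line placed ahead of "/etc/shadow$ CONTENT_EX" is the typical mistake, and the linter names both lines involved.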

1.4.1 - Ensure bootloader password is set

  • Parameters:
  • password_protect - [ Boolean ] - Default: true - Whether or not to password protect the bootloader.
  • superuser - [ Optional[String[1]] ] - Default: undef - The username of the grub2 superuser. This is used to set a superuser password in the bootloader configuration. This is only used if password_protect is true.
  • superuser_password - [ Optional[Sensitive[String]] ] - Default: undef - The password of the grub2 superuser. This will be the superuser password in the bootloader configuration. This is only used if password_protect is true.
  • password_file - [ Stdlib::UnixPath ] - Default: /etc/grub.d/50_password - The path to the file containing the bootloader password(s). This is only used if password_protect is true.
  • replace_password_file - [ Boolean ] - Default: false - If true, the password file is rewritten on every run with a NEW hash of the password, so the resource is NOT idempotent (each hash is computed with a fresh salt). When false, an existing password file is left alone, which prevents accidentally overwriting it with a new hash of the same password.
  • hash_superuser_password - [ Boolean ] - Default: true - If true, the superuser password is hashed using PBKDF2-HMAC-SHA512. If false, the superuser password is written to the password file as-is, in plaintext; leave this true. This is only used if password_protect is true.
  • superuser_password_salt_length - [ Optional[Integer] ] - Default: undef - The length of the salt in bits used to hash the superuser password. Default is 128. This is optional and only used if password_protect and hash_superuser_password are true.
  • superuser_password_buffer_length - [ Optional[Integer] ] - Default: undef - The length of the resulting hash. Default is 128. This is optional and only used if password_protect and hash_superuser_password are true.
  • superuser_password_iterations - [ Optional[Integer] ] - Default: undef - The number of times the password is passed through the hash function. Default is 120000. This is optional and only used if password_protect and hash_superuser_password are true.
  • other_users - [ Optional[Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]] ] - Default: undef - An array of structured hashes to add other users besides the superuser to the password file. This is optional and only used if password_protect is true. The users specified here are added to the password file as regular users, not superusers. Other user passwords are hashed using PBKDF2-HMAC-SHA512, just like the superuser password, if hash_other_user_passwords is true.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure bootloader password is set":
      password_protect: true
      superuser: <<Type String[1]>>
      superuser_password: <<Type Sensitive[String]>>
      password_file: "/etc/grub.d/50_password"
      replace_password_file: false
      hash_superuser_password: true
      superuser_password_salt_length: <<Type Integer>>
      superuser_password_buffer_length: <<Type Integer>>
      superuser_password_iterations: <<Type Integer>>
      other_users: <<Type Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]>>
  • Alternate Config IDs:
  • 1.4.1
  • c1_4_1
  • ensure_bootloader_password_is_set
  • Resource: Class['cem_linux::utils::bootloader::grub2']
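
Two things in this control deserve a concrete look: what the PBKDF2-HMAC-SHA512 hash the module writes actually looks like, and why replace_password_file=true can never be idempotent. The example below is added here and is not the module's code. It produces a hash in the grub.pbkdf2.sha512.<iterations>.<salt>.<hash> form that grub2-mkpasswd-pbkdf2 emits, verifies a password against such a string, and renders a /etc/grub.d/50_password body around it. The module's defaults (salt 128 bits, buffer 128, 120000 iterations) are reused, but the page does not show how the module converts "bits" to bytes or whether the buffer length is in bytes, so both are assumptions; the file body follows GRUB's documented `set superusers` / `password_pbkdf2` syntax rather than a template from the module.

```python
"""GRUB2 superuser password hashing for control 1.4.1, as an added example.

Not the cem_linux module's code. Salt-in-bits to bytes and buffer-length-in-bytes are
assumptions; the 50_password layout follows GRUB's documented syntax, not the module.
"""
import hashlib
import hmac
import os


def grub_pbkdf2_hash(password, salt=None, salt_bits=128, buffer_len=128, iterations=120000):
    """PBKDF2-HMAC-SHA512 in GRUB's text form. A fresh random salt is drawn when none is
    given, which is why re-hashing the same password never reproduces the previous line."""
    if salt is None:
        salt = os.urandom(salt_bits // 8)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=buffer_len)
    return "grub.pbkdf2.sha512.%d.%s.%s" % (iterations, salt.hex().upper(), digest.hex().upper())


def verify_grub_hash(password, grub_hash):
    """Re-derive using the salt and iteration count carried in the string; constant-time compare."""
    parts = grub_hash.split(".")
    if len(parts) != 6 or parts[:3] != ["grub", "pbkdf2", "sha512"]:
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iterations, salt, expected = int(parts[3]), bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def render_password_file(superuser, superuser_hash, other_users=()):
    """Body of a grub.d script whose stdout is copied into grub.cfg by grub2-mkconfig.
    other_users are (name, hash) pairs added as ordinary GRUB users, not superusers."""
    lines = ["#!/bin/sh", "cat << EOF",
             'set superusers="%s"' % superuser,
             "password_pbkdf2 %s %s" % (superuser, superuser_hash)]
    lines += ["password_pbkdf2 %s %s" % (name, h) for name, h in other_users]
    lines.append("EOF")
    return "\n".join(lines) + "\n"


def same_password_different_lines(password, **kw):
    """Two hashes of one password with random salts: different text, both verify.
    This property is what makes replace_password_file=true non-idempotent."""
    a, b = grub_pbkdf2_hash(password, **kw), grub_pbkdf2_hash(password, **kw)
    return a != b and verify_grub_hash(password, a) and verify_grub_hash(password, b)


if __name__ == "__main__":
    h = grub_pbkdf2_hash("constructed-example-password")
    print(render_password_file("root", h))
    print("rewriting yields a new line each run:", same_password_different_lines("constructed-example-password"))
```

Because the salt is random, a Puppet run that regenerates the file will always see a difference and report a change; keep replace_password_file at false once the file exists and rotate the password deliberately rather than on every agent run.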

1.4.2 - Ensure permissions on bootloader config are configured

  • Parameters:
  • ensure_permissions - [ Boolean ] - Default: true - Whether or not to enforce correct permissions on the bootloader files.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on bootloader config are configured":
      ensure_permissions: true
  • Alternate Config IDs:
  • 1.4.2
  • c1_4_2
  • ensure_permissions_on_bootloader_config_are_configured
  • Resource: Class['cem_linux::utils::bootloader::grub2']

1.4.3 - Ensure authentication required for single user mode

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.4.3
  • c1_4_3
  • ensure_authentication_required_for_single_user_mode
  • Resource: Class['cem_linux::utils::single_user_mode_authentication']

1.5.1 - Ensure core dumps are restricted

  • Parameters:
  • limits_file - [ Optional[String] ] - Default: 10-disable_core_dumps.conf - Name of the limits.d drop-in file that receives the hard core-size limit of 0.
  • sysctl_file - [ Optional[String] ] - Default: 10-disable_core_dumps.conf - Name of the sysctl drop-in file that receives fs.suid_dumpable = 0.
  • service_content - [ Optional[String] ] - Default: "# THIS FILE IS MANAGED BY PUPPET\n[Coredump]\nStorage=none\nProcessSizeMax=0\n" - Content of the systemd-coredump configuration; Storage=none and ProcessSizeMax=0 stop systemd-coredump from keeping any dump.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure core dumps are restricted":
      limits_file: "10-disable_core_dumps.conf"
      sysctl_file: "10-disable_core_dumps.conf"
      service_content: "# THIS FILE IS MANAGED BY PUPPET\n[Coredump]\nStorage=none\nProcessSizeMax=0\n"
  • Alternate Config IDs:
  • 1.5.1
  • c1_5_1
  • ensure_core_dumps_are_restricted
  • Resource: Class['cem_linux::utils::disable_core_dumps']

1.5.3 - Ensure address space layout randomization (ASLR) is enabled

  • Parameters:
  • sysctl_file - [ Optional[String] ] - Default: 10-enable_aslr.conf - The sysctl drop-in file that kernel.randomize_va_space = 2 is written to.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure address space layout randomization (ASLR) is enabled":
      sysctl_file: "10-enable_aslr.conf"
  • Alternate Config IDs:
  • 1.5.3
  • c1_5_3
  • ensure_address_space_layout_randomization_aslr_is_enabled
  • Resource: Class['cem_linux::utils::enable_aslr']

1.5.4 - Ensure prelink is not installed

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.5.4
  • c1_5_4
  • ensure_prelink_is_not_installed
  • Resource: Class['cem_linux::utils::disable_prelink']

1.6.1.1 - Ensure SELinux is installed

  • Parameters:
  • manage_package - [ Optional[Boolean] ] - Default: true - Enable or disable selinux package management.
  • package_name - [ Optional[String[1]] ] - Default: libselinux - Name of package.
  • mode - [ Optional[Enum['permissive', 'enforcing']] ] - Default: enforcing - SELinux mode, permissive or enforcing. Disabled is not supported.
  • type - [ Optional[Enum['targeted', 'mls']] ] - Default: targeted - SELinux policy type.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure SELinux is installed":
      manage_package: true
      package_name: "libselinux"
      mode: "enforcing"
      type: "targeted"
  • Alternate Config IDs:
  • 1.6.1.1
  • c1_6_1_1
  • ensure_selinux_is_installed
  • Resource: Class['cem_linux::utils::packages::linux::selinux']

1.6.1.2 - Ensure SELinux is not disabled in bootloader configuration

  • Parameters:
  • enable_selinux - [ Boolean ] - Default: true - Whether or not to enable SELinux in the bootloader boot command.
  • selinux_mode - [ Enum["permissive", "enforcing", "disabled"] ] - Default: enforcing - The SELinux enforcement mode to set in the bootloader. Only used if enable_selinux is true. Although the type accepts "disabled", setting it defeats this control; use enforcing, or permissive only while troubleshooting policy.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure SELinux is not disabled in bootloader configuration":
      enable_selinux: true
      selinux_mode: "enforcing"
  • Alternate Config IDs:
  • 1.6.1.2
  • c1_6_1_2
  • ensure_selinux_is_not_disabled_in_bootloader_configuration
  • Resource: Class['cem_linux::utils::bootloader::grub2']
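
This control is about two kernel parameters: selinux=0 disables SELinux outright, and enforcing=0 forces permissive mode regardless of /etc/selinux/config (the file that 1.6.1.4 and 1.6.1.5 audit). The example below, added here and not the module's code, parses GRUB_CMDLINE_LINUX out of /etc/default/grub text and the live /proc/cmdline, classifies the result, and shows the remediation that enable_selinux and selinux_mode describe, refusing the "disabled" value the Enum permits. Both sample inputs are constructed.

```python
"""Kernel command-line audit and remediation for control 1.6.1.2 (added example).

Not the cem_linux module's code. SAMPLE_DEFAULT_GRUB and SAMPLE_PROC_CMDLINE are constructed.
"""
import re
import shlex

SAMPLE_DEFAULT_GRUB = """\
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rhgb quiet selinux=0"
GRUB_DISABLE_RECOVERY="true"
"""

SAMPLE_PROC_CMDLINE = ("BOOT_IMAGE=/vmlinuz-3.10.0-1160.el7.x86_64 root=/dev/mapper/centos-root "
                       "ro crashkernel=auto rhgb quiet enforcing=0\n")


def grub_cmdline_linux(default_grub_text):
    """Value of GRUB_CMDLINE_LINUX with its shell quoting removed ('' if absent)."""
    for line in default_grub_text.splitlines():
        m = re.match(r"\s*GRUB_CMDLINE_LINUX=(.*)$", line)
        if m:
            return " ".join(shlex.split(m.group(1)))
    return ""


def selinux_state(cmdline):
    """'disabled' for selinux=0, 'permissive' for enforcing=0, else 'not overridden'
    (the mode then comes from /etc/selinux/config). Kernel parameters are applied
    left to right, so the last occurrence of a key is the one that counts."""
    selinux = enforcing = None
    for token in cmdline.split():
        key, _, value = token.partition("=")
        if key == "selinux":
            selinux = value
        elif key == "enforcing":
            enforcing = value
    if selinux == "0":
        return "disabled"
    if enforcing == "0":
        return "permissive"
    return "not overridden"


def remediated_cmdline(cmdline, selinux_mode="enforcing"):
    """Drop every selinux=/enforcing= token and append what the control would set.
    'disabled' is accepted by the parameter's Enum but defeats the control, so it is refused."""
    if selinux_mode not in ("enforcing", "permissive"):
        raise ValueError("selinux_mode must be enforcing or permissive")
    kept = [t for t in cmdline.split() if t.partition("=")[0] not in ("selinux", "enforcing")]
    kept += ["selinux=1", "enforcing=1" if selinux_mode == "enforcing" else "enforcing=0"]
    return " ".join(kept)


if __name__ == "__main__":
    configured = grub_cmdline_linux(SAMPLE_DEFAULT_GRUB)
    print("GRUB_CMDLINE_LINUX:", configured, "->", selinux_state(configured))
    print("/proc/cmdline     :", selinux_state(SAMPLE_PROC_CMDLINE))
    print("remediated        :", remediated_cmdline(configured))
```

Checking both sources matters: /etc/default/grub is what the next grub2-mkconfig will bake into grub.cfg, while /proc/cmdline is what the running kernel was actually booted with, and the two diverge until grub.cfg is regenerated and the host rebooted.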

1.6.1.3 - Ensure SELinux policy is configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.6.1.3
  • c1_6_1_3
  • ensure_selinux_policy_is_configured
  • Resource: Class['cem_linux::utils::packages::linux::selinux']

1.6.1.4 - Ensure the SELinux mode is enforcing or permissive

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.6.1.4
  • c1_6_1_4
  • ensure_the_selinux_mode_is_enforcing_or_permissive
  • Resource: Class['cem_linux::utils::packages::linux::selinux']

1.6.1.5 - Ensure the SELinux mode is enforcing

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.6.1.5
  • c1_6_1_5
  • ensure_the_selinux_mode_is_enforcing
  • Resource: Class['cem_linux::utils::packages::linux::selinux']

1.6.1.7 - Ensure SETroubleshoot is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: setroubleshoot - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure SETroubleshoot is not installed":
      pkg_name: "setroubleshoot"
  • Alternate Config IDs:
  • 1.6.1.7
  • c1_6_1_7
  • ensure_setroubleshoot_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not install setroubleshoot']

1.6.1.8 - Ensure the MCS Translation Service (mcstrans) is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: mcstrans - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure the MCS Translation Service (mcstrans) is not installed":
      pkg_name: "mcstrans"
  • Alternate Config IDs:
  • 1.6.1.8
  • c1_6_1_8
  • ensure_the_mcs_translation_service_mcstrans_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not install mcs translation service']

1.7.1 - Ensure message of the day is configured properly

  • Parameters:
  • dynamic_motd - [ Optional[Boolean] ] - Default: true - Enables or disables dynamic motd on Debian systems.
  • motd_template - [ Optional[String[1]] ] - Default: undef - Specifies a custom motd template or text file. A template takes precedence over motd_content. Valid options: '/mymodule/mytemplate.epp'.
  • motd_content - [ Optional[String] ] - Default: "" (empty) - Specifies a static string as the motd content.
  • issue_content - [ Optional[String] ] - Default: "This is a secure system. Unauthorized access is strictly prohibited.\r\n" - Specifies a static string as the /etc/issue content.
  • issue_net_content - [ Optional[String] ] - Default: "This is a secure system. Unauthorized access is strictly prohibited.\r\n" - Specifies a static string as the /etc/issue.net content.
  • issue_template - [ Optional[String[1]] ] - Default: undef - Specifies a custom template or text file to process and save to /etc/issue. A template takes precedence over issue_content.
  • issue_net_template - [ Optional[String[1]] ] - Default: undef - Specifies a custom template or text file to process and save to /etc/issue.net. A template takes precedence over issue_net_content.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure message of the day is configured properly":
      dynamic_motd: true
      motd_template: <<Type String[1]>>
      motd_content: ""
      issue_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
      issue_net_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
      issue_template: <<Type String[1]>>
      issue_net_template: <<Type String[1]>>
  • Alternate Config IDs:
  • 1.7.1
  • c1_7_1
  • ensure_message_of_the_day_is_configured_properly
  • Resource: Class['cem_linux::utils::motd']

1.7.2 - Ensure local login warning banner is configured properly

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.7.2
  • c1_7_2
  • ensure_local_login_warning_banner_is_configured_properly
  • Resource: Class['cem_linux::utils::motd']

1.7.3 - Ensure remote login warning banner is configured properly

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.7.3
  • c1_7_3
  • ensure_remote_login_warning_banner_is_configured_properly
  • Resource: Class['cem_linux::utils::motd']

1.7.4 - Ensure permissions on /etc/motd are configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.7.4
  • c1_7_4
  • ensure_permissions_on_etcmotd_are_configured
  • Resource: Class['cem_linux::utils::motd']

1.7.5 - Ensure permissions on /etc/issue are configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.7.5
  • c1_7_5
  • ensure_permissions_on_etcissue_are_configured
  • Resource: Class['cem_linux::utils::motd']

1.7.6 - Ensure permissions on /etc/issue.net are configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 1.7.6
  • c1_7_6
  • ensure_permissions_on_etcissue_net_are_configured
  • Resource: Class['cem_linux::utils::motd']

2.1.1 - Ensure xinetd is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: xinetd - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure xinetd is not installed":
      pkg_name: "xinetd"
  • Alternate Config IDs:
  • 2.1.1
  • c2_1_1
  • ensure_xinetd_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not install xinetd']

2.2.1.1 - Ensure time synchronization is in use

  • Parameters:
  • preferred_package - [ Enum["chrony", "ntp"] ] - Default: chrony - The package to use for time synchronization.
  • manage_package - [ Boolean ] - Default: true - If true, the package is installed and managed by Puppet.
  • force_exclusivity - [ Boolean ] - Default: true - If true, the package that was not chosen is removed from the system, so with chrony preferred, ntp is removed.
  • timeservers - [ Optional[Array[String[1]]] ] - Default: undef - Array of strings starting with the type (pool, server, etc.), then hostname / IP, then any options. Each element is added to the chrony / ntp config file as is. See man chrony.conf(5) or man ntp.conf(5) for details. Example: ['server 192.168.0.250 prefer iburst', 'server 192.168.0.251 iburst']
  • sysconfig_options - [ Optional[String[1]] ] - Default: undef - Options to be added to the sysconfig file for the chosen package. This defaults to -u chrony for the chrony package and -u ntp:ntp for the ntp package, so that the daemon drops root after start-up.
  • ntp_restricts - [ Optional[Array[String[1]]] ] - Default: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"] - Array of strings used to create restrict lines in the ntp config file.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure time synchronization is in use":
      preferred_package: "chrony"
      manage_package: true
      force_exclusivity: true
      timeservers: <<Type Array[String[1]]>>
      sysconfig_options: <<Type String[1]>>
      ntp_restricts: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]
  • Alternate Config IDs:
  • 2.2.1.1
  • c2_2_1_1
  • ensure_time_synchronization_is_in_use
  • Resource: Class['cem_linux::utils::timesync']

2.2.1.2 - Ensure chrony is configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 2.2.1.2
  • c2_2_1_2
  • ensure_chrony_is_configured
  • Resource: Class['cem_linux::utils::timesync']

2.2.1.3 - Ensure ntp is configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 2.2.1.3
  • c2_2_1_3
  • ensure_ntp_is_configured
  • Resource: Class['cem_linux::utils::timesync']

2.2.2 - Ensure X11 Server components are not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: xorg-x11-server* - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure X11 Server components are not installed":
      pkg_name: "xorg-x11-server*"
  • Alternate Config IDs:
  • 2.2.2
  • c2_2_2
  • ensure_x11_server_components_are_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not install x11 server components']

2.2.3 - Ensure Avahi Server is not installed

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 2.2.3
  • c2_2_3
  • ensure_avahi_server_is_not_installed
  • Resource: Class['cem_linux::utils::remove_avahi_server']

2.2.4 - Ensure CUPS is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: cups - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure CUPS is not installed":
      pkg_name: "cups"
  • Alternate Config IDs:
  • 2.2.4
  • c2_2_4
  • ensure_cups_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not install CUPS']

2.2.5 - Ensure DHCP Server is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: dhcp - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure DHCP Server is not installed":
      pkg_name: "dhcp"
  • Alternate Config IDs:
  • 2.2.5
  • c2_2_5
  • ensure_dhcp_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use DHCP server']

2.2.6 - Ensure LDAP server is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: openldap-servers - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure LDAP server is not installed":
      pkg_name: "openldap-servers"
  • Alternate Config IDs:
  • 2.2.6
  • c2_2_6
  • ensure_ldap_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not LDAP server']

2.2.7 - Ensure DNS Server is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: bind - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure DNS Server is not installed":
      pkg_name: "bind"
  • Alternate Config IDs:
  • 2.2.7
  • c2_2_7
  • ensure_dns_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use DNS server']

2.2.8 - Ensure FTP Server is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: vsftpd - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure FTP Server is not installed":
      pkg_name: "vsftpd"
  • Alternate Config IDs:
  • 2.2.8
  • c2_2_8
  • ensure_ftp_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use ftp server']

2.2.9 - Ensure HTTP server is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: httpd - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure HTTP server is not installed":
      pkg_name: "httpd"
  • Alternate Config IDs:
  • 2.2.9
  • c2_2_9
  • ensure_http_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use HTTP Server']

2.2.10 - Ensure IMAP and POP3 server is not installed

  • Parameters:
  • mail_servers - [ Array[String] ] - Default: ["dovecot", "postfix"]
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure IMAP and POP3 server is not installed":
      mail_servers: ["dovecot", "postfix"]
  • Alternate Config IDs:
  • 2.2.10
  • c2_2_10
  • ensure_imap_and_pop3_server_is_not_installed
  • Resource: Class['cem_linux::utils::remove_imap_and_pop3']

2.2.11 - Ensure Samba is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: samba - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure Samba is not installed":
      pkg_name: "samba"
  • Alternate Config IDs:
  • 2.2.11
  • c2_2_11
  • ensure_samba_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use Samba']

2.2.12 - Ensure HTTP Proxy Server is not installed

  • Parameters:
  • proxy_packages - [ Array[String] ] - Default: ["squid"]
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure HTTP Proxy Server is not installed":
      proxy_packages: ["squid"]
  • Alternate Config IDs:
  • 2.2.12
  • c2_2_12
  • ensure_http_proxy_server_is_not_installed
  • Resource: Class['cem_linux::utils::remove_http_proxy']

2.2.13 - Ensure net-snmp is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: net-snmp - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure net-snmp is not installed":
      pkg_name: "net-snmp"
  • Alternate Config IDs:
  • 2.2.13
  • c2_2_13
  • ensure_net_snmp_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use net-snmp']

2.2.14 - Ensure NIS server is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: ypserv - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure NIS server is not installed":
      pkg_name: "ypserv"
  • Alternate Config IDs:
  • 2.2.14
  • c2_2_14
  • ensure_nis_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Disable NIS Server']

2.2.15 - Ensure telnet-server is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: telnet-server - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure telnet-server is not installed":
      pkg_name: "telnet-server"
  • Alternate Config IDs:
  • 2.2.15
  • c2_2_15
  • ensure_telnet_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Remove Telnet server']

2.2.16 - Ensure mail transfer agent is configured for local-only mode

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 2.2.16
  • c2_2_16
  • ensure_mail_transfer_agent_is_configured_for_local_only_mode
  • Resource: Class['cem_linux::utils::local_only_mta']

2.2.17 - Ensure nfs-utils is not installed or the nfs-server service is masked

  • Parameters:
  • keep_nfsutils - [ Boolean ]
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure nfs-utils is not installed or the  nfs-server service is masked":
      keep_nfsutils: false
  • Alternate Config IDs:
  • 2.2.17
  • c2_2_17
  • ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked
  • Resource: Class['cem_linux::utils::disable_or_remove_nfs']

2.2.18 - Ensure rpcbind is not installed or the rpcbind services are masked

  • Parameters:
  • keep_rpcbind - [ Boolean ]
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure rpcbind is not installed or the  rpcbind services are masked":
      keep_rpcbind: false
  • Alternate Config IDs:
  • 2.2.18
  • c2_2_18
  • ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked
  • Resource: Class['cem_linux::utils::disable_or_remove_rpcbind']

2.2.19 - Ensure rsync is not installed or the rsyncd service is masked

  • Parameters:
  • keep_rsync - [ Boolean ]
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure rsync is not installed or the rsyncd service is masked":
      keep_rsync: false
  • Alternate Config IDs:
  • 2.2.19
  • c2_2_19
  • ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
  • Resource: Class['cem_linux::utils::disable_or_remove_rsync']

2.3.1 - Ensure NIS Client is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: ypbind - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure NIS Client is not installed":
      pkg_name: "ypbind"
  • Alternate Config IDs:
  • 2.3.1
  • c2_3_1
  • ensure_nis_client_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use NIS Client']

2.3.2 - Ensure rsh client is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: rsh - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure rsh client is not installed":
      pkg_name: "rsh"
  • Alternate Config IDs:
  • 2.3.2
  • c2_3_2
  • ensure_rsh_client_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use rsh']

2.3.3 - Ensure talk client is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: talk - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure talk client is not installed":
      pkg_name: "talk"
  • Alternate Config IDs:
  • 2.3.3
  • c2_3_3
  • ensure_talk_client_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use talk client']

2.3.4 - Ensure telnet client is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: telnet - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure telnet client is not installed":
      pkg_name: "telnet"
  • Alternate Config IDs:
  • 2.3.4
  • c2_3_4
  • ensure_telnet_client_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Remove Telnet Client']

2.3.5 - Ensure LDAP client is not installed

  • Parameters:
  • pkg_name - [ String[1] ] - Default: openldap-clients - Name of package to remove.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure LDAP client is not installed":
      pkg_name: "openldap-clients"
  • Alternate Config IDs:
  • 2.3.5
  • c2_3_5
  • ensure_ldap_client_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Remove LDAP Client']

3.1.1 - Disable IPv6

  • Parameters:
  • strategy - [ Enum["sysctl", "grub"] ] - Default: sysctl - Whether to disable IPv6 with sysctl or in the grub config
  • create_sysctl_file - [ Boolean ] - Default: true - Whether to create a new sysctl file or to use the default config file
  • sysctl_conf - [ String ] - Default: /etc/sysctl.conf - Path to sysctl.conf.
  • sysctl_d_path - [ String ] - Default: /etc/sysctl.d - Path to sysctl.d.
  • sysctl_prefix - [ String ] - Default: 10- - A prefix to add to the created file name.
  • sysctl_comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to the created file.
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Disable IPv6":
      strategy: "sysctl"
      create_sysctl_file: true
      sysctl_conf: "/etc/sysctl.conf"
      sysctl_d_path: "/etc/sysctl.d"
      sysctl_prefix: "10-"
      sysctl_comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.1.1
  • c3_1_1
  • disable_ipv6
  • Resource: Class['cem_linux::utils::network::disable_ipv6']

3.1.2 - Ensure wireless interfaces are disabled

  • Parameters:
  • wwan - [ Boolean ] - Default: true - Whether to disable wwan Default: false
  • wifi - [ Boolean ] - Default: true - Whether to disable wifi Default: false
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure wireless interfaces are disabled":
      wwan: true
      wifi: true
  • Alternate Config IDs:
  • 3.1.2
  • c3_1_2
  • ensure_wireless_interfaces_are_disabled
  • Resource: Cem_linux::Utils::Network::Disable_wireless_interfaces['Disable wireless interfaces']

3.2.1 - Ensure IP forwarding is disabled

  • Parameters:
  • target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_ip_forwarding.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure IP forwarding is disabled":
      target: "/etc/sysctl.d/90-disable_ip_forwarding.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.2.1
  • c3_2_1
  • ensure_ip_forwarding_is_disabled
  • Resource: Class['cem_linux::utils::network::disable_ip_forwarding']

3.2.2 - Ensure packet redirect sending is disabled

  • Parameters:
  • target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_packet_redirect_sending.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure packet redirect sending is disabled":
      target: "/etc/sysctl.d/90-disable_packet_redirect_sending.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.2.2
  • c3_2_2
  • ensure_packet_redirect_sending_is_disabled
  • Resource: Class['cem_linux::utils::network::disable_packet_redirect_sending']

3.3.1 - Ensure source routed packets are not accepted

  • Parameters:
  • target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_source_routes.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure source routed packets are not accepted":
      target: "/etc/sysctl.d/90-disable_source_routes.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.3.1
  • c3_3_1
  • ensure_source_routed_packets_are_not_accepted
  • Resource: Class['cem_linux::utils::network::disable_source_routes']

3.3.2 - Ensure ICMP redirects are not accepted

  • Parameters:
  • disable_ipv4_accept_default - [ Boolean ] - Default: true - Disable accepting IPv4 ICMP redirects on default route
  • disable_ipv4_accept_all - [ Boolean ] - Default: true - Disable accepting IPv4 ICMP redirects on all routes
  • disable_ipv6_accept_default - [ Boolean ] - Default: true - Disable accepting IPv6 ICMP redirects on default route
  • disable_ipv6_accept_all - [ Boolean ] - Default: true - Disable accepting IPv6 ICMP redirects on all routes
  • target - [ Stdlib::UnixPath ] - Default: /etc/sysctl.d/90-disable_icmp_redirects.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure ICMP redirects are not accepted":
      disable_ipv4_accept_default: true
      disable_ipv4_accept_all: true
      disable_ipv6_accept_default: true
      disable_ipv6_accept_all: true
      target: "/etc/sysctl.d/90-disable_icmp_redirects.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.3.2
  • c3_3_2
  • ensure_icmp_redirects_are_not_accepted
  • Resource: Class['cem_linux::utils::network::disable_icmp_redirects']

3.3.3 - Ensure secure ICMP redirects are not accepted

  • Parameters:
  • target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_secure_icmp_redirects.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure secure ICMP redirects are not accepted":
      target: "/etc/sysctl.d/90-disable_secure_icmp_redirects.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.3.3
  • c3_3_3
  • ensure_secure_icmp_redirects_are_not_accepted
  • Resource: Class['cem_linux::utils::network::disable_secure_icmp_redirects']

3.3.4 - Ensure suspicious packets are logged

  • Parameters:
  • target - [ String[1] ] - Default: /etc/sysctl.d/90-enable_log_martians.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure suspicious packets are logged":
      target: "/etc/sysctl.d/90-enable_log_martians.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.3.4
  • c3_3_4
  • ensure_suspicious_packets_are_logged
  • Resource: Class['cem_linux::utils::network::enable_log_martians']

3.3.5 - Ensure broadcast ICMP requests are ignored

  • Parameters:
  • target - [ String[1] ] - Default: /etc/sysctl.d/90-ignore_icmp_broadcast.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure broadcast ICMP requests are ignored":
      target: "/etc/sysctl.d/90-ignore_icmp_broadcast.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.3.5
  • c3_3_5
  • ensure_broadcast_icmp_requests_are_ignored
  • Resource: Class['cem_linux::utils::network::ignore_icmp_broadcast']

3.3.6 - Ensure bogus ICMP responses are ignored

  • Parameters:
  • target - [ String[1] ] - Default: /etc/sysctl.d/90-ignore_bogus_icmp.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure bogus ICMP responses are ignored":
      target: "/etc/sysctl.d/90-ignore_bogus_icmp.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.3.6
  • c3_3_6
  • ensure_bogus_icmp_responses_are_ignored
  • Resource: Class['cem_linux::utils::network::ignore_bogus_icmp']

3.3.7 - Ensure Reverse Path Filtering is enabled

  • Parameters:
  • target - [ String[1] ] - Default: /etc/sysctl.d/90-enable_reverse_path_filtering.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure Reverse Path Filtering is enabled":
      target: "/etc/sysctl.d/90-enable_reverse_path_filtering.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.3.7
  • c3_3_7
  • ensure_reverse_path_filtering_is_enabled
  • Resource: Class['cem_linux::utils::network::enable_reverse_path_filtering']

3.3.8 - Ensure TCP SYN Cookies is enabled

  • Parameters:
  • target - [ String[1] ] - Default: /etc/sysctl.d/90-enable_tcp_syn_cookies.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure TCP SYN Cookies is enabled":
      target: "/etc/sysctl.d/90-enable_tcp_syn_cookies.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.3.8
  • c3_3_8
  • ensure_tcp_syn_cookies_is_enabled
  • Resource: Class['cem_linux::utils::network::enable_tcp_syn_cookies']

3.3.9 - Ensure IPv6 router advertisements are not accepted

  • Parameters:
  • target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_ipv6_router_advertisements.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure IPv6 router advertisements are not accepted":
      target: "/etc/sysctl.d/90-disable_ipv6_router_advertisements.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
  • 3.3.9
  • c3_3_9
  • ensure_ipv6_router_advertisements_are_not_accepted
  • Resource: Class['cem_linux::utils::network::disable_ipv6_router_advertisements']

3.4.1 - Ensure DCCP is disabled

  • Parameters:
  • target - [ Optional[String[1]] ] - Default: /etc/modprobe.d/dccp.conf - Target file to write.
  • content - [ Optional[String] ] - Default: install dccp /bin/true - Target file content.
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure DCCP is disabled":
      target: "/etc/modprobe.d/dccp.conf"
      content: "install dccp /bin/true"
  • Alternate Config IDs:
  • 3.4.1
  • c3_4_1
  • ensure_dccp_is_disabled
  • Resource: Class['cem_linux::utils::network::disable_dccp']

3.4.2 - Ensure SCTP is disabled

  • Parameters:
  • target - [ Optional[String[1]] ] - Default: /etc/modprobe.d/sctp.conf - Target file to write.
  • content - [ Optional[String] ] - Default: install sctp /bin/true - Target file content.
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure SCTP is disabled":
      target: "/etc/modprobe.d/sctp.conf"
      content: "install sctp /bin/true"
  • Alternate Config IDs:
  • 3.4.2
  • c3_4_2
  • ensure_sctp_is_disabled
  • Resource: Class['cem_linux::utils::network::disable_sctp']

3.5.1.1 - Ensure firewalld is installed

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.1.1
  • c3_5_1_1
  • ensure_firewalld_is_installed
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.1.2 - Ensure iptables-services not installed with firewalld

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.1.2
  • c3_5_1_2
  • ensure_iptables_services_not_installed_with_firewalld
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.1.3 - Ensure nftables either not installed or masked with firewalld

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.1.3
  • c3_5_1_3
  • ensure_nftables_either_not_installed_or_masked_with_firewalld
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.1.4 - Ensure firewalld service enabled and running

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.1.4
  • c3_5_1_4
  • ensure_firewalld_service_enabled_and_running
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.1.5 - Ensure firewalld default zone is set

  • Parameters:
  • default_zone - [ Optional[String[1]] ] - Default: public - Sets the default firewalld zone to this zone.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure firewalld default zone is set":
      default_zone: "public"
  • Alternate Config IDs:
  • 3.5.1.5
  • c3_5_1_5
  • ensure_firewalld_default_zone_is_set
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.1.6 - Ensure network interfaces are assigned to appropriate zone

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.1.6
  • c3_5_1_6
  • ensure_network_interfaces_are_assigned_to_appropriate_zone
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.3.1.1 - Ensure iptables packages are installed

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.1.1
  • c3_5_3_1_1
  • ensure_iptables_packages_are_installed
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.1.2 - Ensure nftables is not installed with iptables

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.1.2
  • c3_5_3_1_2
  • ensure_nftables_is_not_installed_with_iptables
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.1.3 - Ensure firewalld is either not installed or masked with iptables

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.1.3
  • c3_5_3_1_3
  • ensure_firewalld_is_either_not_installed_or_masked_with_iptables
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.1 - Ensure iptables loopback traffic is configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.2.1
  • c3_5_3_2_1
  • ensure_iptables_loopback_traffic_is_configured
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.2 - Ensure iptables outbound and established connections are configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.2.2
  • c3_5_3_2_2
  • ensure_iptables_outbound_and_established_connections_are_configured
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.3 - Ensure iptables rules exist for all open ports

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.2.3
  • c3_5_3_2_3
  • ensure_iptables_rules_exist_for_all_open_ports
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.4 - Ensure iptables default deny firewall policy

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.2.4
  • c3_5_3_2_4
  • ensure_iptables_default_deny_firewall_policy
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.5 - Ensure iptables rules are saved

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.2.5
  • c3_5_3_2_5
  • ensure_iptables_rules_are_saved
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.6 - Ensure iptables is enabled and running

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.2.6
  • c3_5_3_2_6
  • ensure_iptables_is_enabled_and_running
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.1 - Ensure ip6tables loopback traffic is configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.3.1
  • c3_5_3_3_1
  • ensure_ip6tables_loopback_traffic_is_configured
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.2 - Ensure ip6tables outbound and established connections are configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.3.2
  • c3_5_3_3_2
  • ensure_ip6tables_outbound_and_established_connections_are_configured
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.3 - Ensure ip6tables firewall rules exist for all open ports

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.3.3
  • c3_5_3_3_3
  • ensure_ip6tables_firewall_rules_exist_for_all_open_ports
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.4 - Ensure ip6tables default deny firewall policy

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.3.4
  • c3_5_3_3_4
  • ensure_ip6tables_default_deny_firewall_policy
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.5 - Ensure ip6tables rules are saved

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.3.5
  • c3_5_3_3_5
  • ensure_ip6tables_rules_are_saved
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.6 - Ensure ip6tables is enabled and running

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 3.5.3.3.6
  • c3_5_3_3_6
  • ensure_ip6tables_is_enabled_and_running
  • Resource: Class['cem_linux::utils::firewall::iptables']

4.1.1.1 - Ensure auditd is installed

  • Parameters:
  • package - [ Array ] - Default: ["audit", "audit-libs"] - Packages to install for auditd.
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure auditd is installed":
      package: ["audit", "audit-libs"]
  • Alternate Config IDs:
  • 4.1.1.1
  • c4_1_1_1
  • ensure_auditd_is_installed
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.1.2 - Ensure auditd service is enabled and running

  • Parameters:
  • service - [ String[1] ] - Default: auditd - Name of auditd service. Default 'auditd'
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure auditd service is enabled and running":
      service: "auditd"
  • Alternate Config IDs:
  • 4.1.1.2
  • c4_1_1_2
  • ensure_auditd_service_is_enabled_and_running
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.1.3 - Ensure auditing for processes that start prior to auditd is enabled

  • Parameters:
  • enable_auditd - [ Boolean ] - Default: true - Whether or not to enable auditd in the bootloader boot command.
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure auditing for processes that start prior to auditd is enabled":
      enable_auditd: true
  • Alternate Config IDs:
  • 4.1.1.3
  • c4_1_1_3
  • ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled
  • Resource: Class['cem_linux::utils::bootloader::grub2']

4.1.2.1 - Ensure audit log storage size is configured

  • Parameters:
  • max_log_file - [ Integer[0] ] - Default: 8 - Maximum size in megabytes of a single audit log file (the max_log_file setting in auditd.conf). Default 8
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure audit log storage size is configured":
      max_log_file: 8
  • Alternate Config IDs:
  • 4.1.2.1
  • c4_1_2_1
  • ensure_audit_log_storage_size_is_configured
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.2.2 - Ensure audit logs are not automatically deleted

  • Parameters:
  • max_log_file_action - [ Enum["keep_logs", "rotate", "ignore", "syslog", "suspend"] ] - Default: keep_logs - Action auditd takes when a log file reaches max_log_file (the max_log_file_action setting in auditd.conf). keep_logs rotates like rotate but ignores num_logs, so no old log is ever deleted. Default 'keep_logs'
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure audit logs are not automatically deleted":
      max_log_file_action: "keep_logs"
  • Alternate Config IDs:
  • 4.1.2.2
  • c4_1_2_2
  • ensure_audit_logs_are_not_automatically_deleted
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.2.3 - Ensure system is disabled when audit logs are full

  • Parameters:
  • space_left_action - [ Enum["ignore", "syslog", "email", "suspend", "single", "halt"] ] - Default: halt - Action auditd takes when free space on the log partition falls to the space_left threshold (the space_left_action setting in auditd.conf). Default 'halt'
  • admin_space_left_action - [ Enum["ignore", "syslog", "email", "suspend", "single", "halt"] ] - Default: halt - Action taken when free space falls to the lower admin_space_left threshold (the admin_space_left_action setting in auditd.conf). Default 'halt'
  • action_mail_acct - [ String[1] ] - Default: root - Account that receives the notification when either action is 'email' (the action_mail_acct setting in auditd.conf). Default 'root'
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure system is disabled when audit logs are full":
      space_left_action: "halt"
      admin_space_left_action: "halt"
      action_mail_acct: "root"
  • Alternate Config IDs:
  • 4.1.2.3
  • c4_1_2_3
  • ensure_system_is_disabled_when_audit_logs_are_full
  • Resource: Class['cem_linux::utils::packages::linux::auditd']
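A worked Hiera fragment for the three storage controls above (4.1.2.1 to 4.1.2.3), added here as an editorial example rather than copied from the module. It keeps the page's defaults for file size and rotation but splits the full-disk handling into two tiers, an email to root at the first threshold and a halt only at the admin threshold, which is the combination the CIS remediation text for 4.1.2.3 uses. All parameter names and values are ones documented on this page; only the choice to warn before halting is the editor's.

```yaml
# Added example; not the module's own configuration data.
cem_linux::config:
  control_configs:
    "Ensure audit log storage size is configured":
      max_log_file: 8                    # MB per log file (auditd.conf max_log_file)
    "Ensure audit logs are not automatically deleted":
      max_log_file_action: "keep_logs"   # rotate, but never discard old logs
    "Ensure system is disabled when audit logs are full":
      space_left_action: "email"         # first threshold: notify, keep running
      action_mail_acct: "root"
      admin_space_left_action: "halt"    # second threshold: stop the host
```

halt means a full audit partition takes the host down; that is the availability trade-off the control deliberately makes, so the email at the first threshold needs to reach someone who will act on it, and the audit log directory should sit on its own partition so other log growth cannot trigger the halt.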

4.1.2.4 - Ensure audit_backlog_limit is sufficient

  • Parameters:
  • audit_backlog_limit - [ Integer ] - Default: 8192 - Value for the audit_backlog_limit kernel boot parameter: the maximum number of outstanding audit records the kernel queues before auditd has consumed them.
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure audit_backlog_limit is sufficient":
      audit_backlog_limit: 8192
  • Alternate Config IDs:
  • 4.1.2.4
  • c4_1_2_4
  • ensure_audit_backlog_limit_is_sufficient
  • Resource: Class['cem_linux::utils::bootloader::grub2']

4.1.3 - Ensure events that modify date and time information are collected

  • Parameters:
  • audit_time_change - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure events that modify date and time information are collected":
      audit_time_change: true
  • Alternate Config IDs:
  • 4.1.3
  • c4_1_3
  • ensure_events_that_modify_date_and_time_information_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.4 - Ensure events that modify user/group information are collected

  • Parameters:
  • audit_usergroup_modification - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure events that modify user/group information are collected":
      audit_usergroup_modification: true
  • Alternate Config IDs:
  • 4.1.4
  • c4_1_4
  • ensure_events_that_modify_usergroup_information_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.5 - Ensure events that modify the system's network environment are collected

  • Parameters:
  • audit_network_environment - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure events that modify the system's network environment are collected":
      audit_network_environment: true
  • Alternate Config IDs:
  • 4.1.5
  • c4_1_5
  • ensure_events_that_modify_the_systems_network_environment_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.6 - Ensure events that modify the system's Mandatory Access Controls are collected

  • Parameters:
  • audit_mac_modification - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure events that modify the system's Mandatory Access Controls are collected":
      audit_mac_modification: true
  • Alternate Config IDs:
  • 4.1.6
  • c4_1_6
  • ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.7 - Ensure login and logout events are collected

  • Parameters:
  • audit_lastlog_log - [ Boolean ] - Default: true
  • audit_faillock_run - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure login and logout events are collected":
      audit_lastlog_log: true
      audit_faillock_run: true
  • Alternate Config IDs:
  • 4.1.7
  • c4_1_7
  • ensure_login_and_logout_events_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.8 - Ensure session initiation information is collected

  • Parameters:
  • audit_session_initiation - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure session initiation information is collected":
      audit_session_initiation: true
  • Alternate Config IDs:
  • 4.1.8
  • c4_1_8
  • ensure_session_initiation_information_is_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.9 - Ensure discretionary access control permission modification events are collected

  • Parameters:
  • audit_dac_modification - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure discretionary access control permission modification events are collected":
      audit_dac_modification: true
  • Alternate Config IDs:
  • 4.1.9
  • c4_1_9
  • ensure_discretionary_access_control_permission_modification_events_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.10 - Ensure unsuccessful unauthorized file access attempts are collected

  • Parameters:
  • audit_unauthorized_file_access - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure unsuccessful unauthorized file access attempts are collected":
      audit_unauthorized_file_access: true
  • Alternate Config IDs:
  • 4.1.10
  • c4_1_10
  • ensure_unsuccessful_unauthorized_file_access_attempts_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.11 - Ensure use of privileged commands is collected

  • Parameters:
  • audit_privileged_commands - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure use of privileged commands is collected":
      audit_privileged_commands: true
  • Alternate Config IDs:
  • 4.1.11
  • c4_1_11
  • ensure_use_of_privileged_commands_is_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.12 - Ensure successful file system mounts are collected

  • Parameters:
  • audit_file_system_mounts - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure successful file system mounts are collected":
      audit_file_system_mounts: true
  • Alternate Config IDs:
  • 4.1.12
  • c4_1_12
  • ensure_successful_file_system_mounts_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.13 - Ensure file deletion events by users are collected

  • Parameters:
  • audit_file_deletion_events - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure file deletion events by users are collected":
      audit_file_deletion_events: true
  • Alternate Config IDs:
  • 4.1.13
  • c4_1_13
  • ensure_file_deletion_events_by_users_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.14 - Ensure changes to system administration scope (sudoers) is collected

  • Parameters:
  • audit_sudoers_modification - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure changes to system administration scope (sudoers) is collected":
      audit_sudoers_modification: true
  • Alternate Config IDs:
  • 4.1.14
  • c4_1_14
  • ensure_changes_to_system_administration_scope_sudoers_is_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.15 - Ensure system administrator command executions (sudo) are collected

  • Parameters:
  • audit_sudo_actions - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure system administrator command executions (sudo) are collected":
      audit_sudo_actions: true
  • Alternate Config IDs:
  • 4.1.15
  • c4_1_15
  • ensure_system_administrator_command_executions_sudo_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.16 - Ensure kernel module loading and unloading is collected

  • Parameters:
  • audit_kernel_module_loading - [ Boolean ] - Default: true
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure kernel module loading and unloading is collected":
      audit_kernel_module_loading: true
  • Alternate Config IDs:
  • 4.1.16
  • c4_1_16
  • ensure_kernel_module_loading_and_unloading_is_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.17 - Ensure the audit configuration is immutable

  • Parameters:
  • set_immutable_configuration - [ Boolean ] - Default: true - Whether to make the loaded audit rule set immutable, as the CIS control requires (the -e 2 rule). Once applied, changes to the audit rules take effect only after a reboot.
  • Supported Levels:
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure the audit configuration is immutable":
      set_immutable_configuration: true
  • Alternate Config IDs:
  • 4.1.17
  • c4_1_17
  • ensure_the_audit_configuration_is_immutable
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.2.1.1 - Ensure rsyslog is installed

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 4.2.1.1
  • c4_2_1_1
  • ensure_rsyslog_is_installed
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.1.2 - Ensure rsyslog Service is enabled and running

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 4.2.1.2
  • c4_2_1_2
  • ensure_rsyslog_service_is_enabled_and_running
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.1.3 - Ensure rsyslog default file permissions configured

  • Parameters:
  • filecreatemode - [ Optional[String] ] - Default: 0640 - Default file creation mode. Default '0640'.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure rsyslog default file permissions configured":
      filecreatemode: "0640"
  • Alternate Config IDs:
  • 4.2.1.3
  • c4_2_1_3
  • ensure_rsyslog_default_file_permissions_configured
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.1.4 - Ensure logging is configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 4.2.1.4
  • c4_2_1_4
  • ensure_logging_is_configured
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.1.5 - Ensure rsyslog is configured to send logs to a remote log host

  • Parameters:
  • remote_log_host - [ Optional[Variant[Stdlib::IP::Address, String[1], Array[Struct[{service=>String[1], host=>Variant[Stdlib::IP::Address, String[1]]}]]]] ] - Default: undef - Remote log host(s) to forward to: a single IP address or hostname, or an array of {service, host} structs for per-service destinations. The default undef leaves no remote destination configured.
  • tcp_port - [ Optional[Integer] ] - Default: 514 - The port to use for the $InputTCPServerRun option. Default: 514
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure rsyslog is configured to send logs to a remote log host":
      remote_log_host: <<Type Variant[Stdlib::IP::Address, String[1], Array[Struct[{service=>String[1], host=>Variant[Stdlib::IP::Address, String[1]]}]]]>>
      tcp_port: 514
  • Alternate Config IDs:
  • 4.2.1.5
  • c4_2_1_5
  • ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']
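The two shapes the remote_log_host type accepts, filled in as a worked Hiera example. This is an editorial addition, not data from the module: the hostnames, addresses and service names are assumptions, and this page does not say what the service key of each struct selects, so the array form is shown only for its shape.

```yaml
# Added example; not the module's own configuration data.
cem_linux::config:
  control_configs:
    "Ensure rsyslog is configured to send logs to a remote log host":
      # Form 1: a single collector, given as hostname or IP address
      remote_log_host: "loghost.example.com"   # assumed hostname
      tcp_port: 514
      # Form 2 (replace form 1 with this to use it): one collector per service
      # remote_log_host:
      #   - service: "auth"                    # meaning of "service" not documented here
      #     host: "10.0.0.5"                   # assumed address
      #   - service: "cron"
      #     host: "loghost2.example.com"
```

The control only gets the events off the box; syslog over plain TCP 514 is neither encrypted nor authenticated, so the collector should be reached over a network path you already trust, or rsyslog's TLS transport should be configured outside this control.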

4.2.1.6 - Ensure remote rsyslog messages are only accepted on designated log hosts.

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 4.2.1.6
  • c4_2_1_6
  • ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.2.1 - Ensure journald is configured to send logs to rsyslog

  • Parameters:
  • forward_to_syslog - [ Optional[Variant[Boolean, Stdlib::Yes_no]] ] - Default: true - If defined, configures option ForwardToSyslog=<yes|no> in the journald config. If a Boolean value is passed, true maps to yes and false maps to no.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure journald is configured to send logs to rsyslog":
      forward_to_syslog: true
  • Alternate Config IDs:
  • 4.2.2.1
  • c4_2_2_1
  • ensure_journald_is_configured_to_send_logs_to_rsyslog
  • Resource: Class['cem_linux::utils::services::systemd::journald']

4.2.2.2 - Ensure journald is configured to compress large log files

  • Parameters:
  • compress_large_files - [ Optional[Variant[Boolean, Stdlib::Yes_no]] ] - Default: true - If defined, configures option Compress=<yes|no> in the journald config. If a Boolean value is passed, true maps to yes and false maps to no.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure journald is configured to compress large log files":
      compress_large_files: true
  • Alternate Config IDs:
  • 4.2.2.2
  • c4_2_2_2
  • ensure_journald_is_configured_to_compress_large_log_files
  • Resource: Class['cem_linux::utils::services::systemd::journald']

4.2.2.3 - Ensure journald is configured to write logfiles to persistent disk

  • Parameters:
  • persistent_storage - [ Optional[Boolean] ] - Default: true - Convenience method to set persistent as the storage option. If true, configures option Storage=persistent in the journald config.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure journald is configured to write logfiles to persistent disk":
      persistent_storage: true
  • Alternate Config IDs:
  • 4.2.2.3
  • c4_2_2_3
  • ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
  • Resource: Class['cem_linux::utils::services::systemd::journald']

4.2.3 - Ensure permissions on all logfiles are configured

  • Parameters:
  • mode - [ Stdlib::Filemode ] - Default: 0640
  • manage_dotfiles - [ Boolean ] - Default: true - Whether or not to manage dotfiles (files that start with a .)
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on all logfiles are configured":
      mode: "0640"
      manage_dotfiles: true
  • Alternate Config IDs:
  • 4.2.3
  • c4_2_3
  • ensure_permissions_on_all_logfiles_are_configured
  • Resource: Class['cem_linux::utils::chmod_logfiles']

4.2.4 - Ensure logrotate is configured

  • Parameters:
  • No parameters
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Alternate Config IDs:
  • 4.2.4
  • c4_2_4
  • ensure_logrotate_is_configured
  • Resource: Class['cem_linux::utils::packages::linux::logrotate']

5.1.1 - Ensure cron daemon is enabled and running

  • Parameters:
  • manage_package - [ Optional[Boolean] ] - Default: true - If true, ensures the cronie package is installed. Default: true
  • manage_service - [ Optional[Boolean] ] - Default: true - If true, enables and runs the crond daemon with a service resource. Default: true
  • cron_allow_path - [ Optional[Stdlib::AbsolutePath] ] - Default: /etc/cron.allow - The path for the cron.allow file to manage. Only relevant if manage_cron_allow is set to true. Default: /etc/cron.allow
  • purge_cron_deny - [ Optional[Boolean] ] - Default: true - If true, removes (if they exist) /etc/cron.deny and /etc/cron.d/cron.deny. Default: true
  • manage_cron_allow - [ Optional[Boolean] ] - Default: true - If true, creates the cron.allow file specified by the cron_allow_path parameter and enforces 0600 permissions on the file. Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure cron daemon is enabled and running":
      manage_package: true
      manage_service: true
      cron_allow_path: "/etc/cron.allow"
      purge_cron_deny: true
      manage_cron_allow: true
  • Alternate Config IDs:
  • 5.1.1
  • c5_1_1
  • ensure_cron_daemon_is_enabled_and_running
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.2 - Ensure permissions on /etc/crontab are configured

  • Parameters:
  • set_crontab_perms - [ Optional[Boolean] ] - Default: true - If true, enforces 0600 permissions on /etc/crontab. Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/crontab are configured":
      set_crontab_perms: true
  • Alternate Config IDs:
  • 5.1.2
  • c5_1_2
  • ensure_permissions_on_etccrontab_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.3 - Ensure permissions on /etc/cron.hourly are configured

  • Parameters:
  • set_hourly_cron_perms - [ Optional[Boolean] ] - Default: true - If true, enforces 0700 permissions on /etc/cron.hourly. Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.hourly are configured":
      set_hourly_cron_perms: true
  • Alternate Config IDs:
  • 5.1.3
  • c5_1_3
  • ensure_permissions_on_etccron_hourly_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.4 - Ensure permissions on /etc/cron.daily are configured

  • Parameters:
  • set_daily_cron_perms - [ Optional[Boolean] ] - Default: true - If true, enforces 0700 permissions on /etc/cron.daily. Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.daily are configured":
      set_daily_cron_perms: true
  • Alternate Config IDs:
  • 5.1.4
  • c5_1_4
  • ensure_permissions_on_etccron_daily_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.5 - Ensure permissions on /etc/cron.weekly are configured

  • Parameters:
  • set_weekly_cron_perms - [ Optional[Boolean] ] - Default: true - If true, enforces 0700 permissions on /etc/cron.weekly. Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.weekly are configured":
      set_weekly_cron_perms: true
  • Alternate Config IDs:
  • 5.1.5
  • c5_1_5
  • ensure_permissions_on_etccron_weekly_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.6 - Ensure permissions on /etc/cron.monthly are configured

  • Parameters:
  • set_monthly_cron_perms - [ Optional[Boolean] ] - Default: true - If true, enforces 0700 permissions on /etc/cron.monthly. Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.monthly are configured":
      set_monthly_cron_perms: true
  • Alternate Config IDs:
  • 5.1.6
  • c5_1_6
  • ensure_permissions_on_etccron_monthly_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.7 - Ensure permissions on /etc/cron.d are configured

  • Parameters:
  • set_cron_d_perms - [ Optional[Boolean] ] - Default: true - If true, enforces 0700 permissions on /etc/cron.d. Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.d are configured":
      set_cron_d_perms: true
  • Alternate Config IDs:
  • 5.1.7
  • c5_1_7
  • ensure_permissions_on_etccron_d_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.8 - Ensure cron is restricted to authorized users

  • Parameters:
  • cron_allowlist - [ Optional[Array[String[1]]] ] - Default: ["root"] - An array of user names to add to the cron.allow file. Default: [root]
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure cron is restricted to authorized users":
      cron_allowlist: ["root"]
  • Alternate Config IDs:
  • 5.1.8
  • c5_1_8
  • ensure_cron_is_restricted_to_authorized_users
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.9 - Ensure at is restricted to authorized users

  • Parameters:
  • at_allowlist - [ Optional[Array[String[1]]] ] - Default: ["root"] - An array of user names to add to the at.allow file. Default: [root]
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure at is restricted to authorized users":
      at_allowlist: ["root"]
  • Alternate Config IDs:
  • 5.1.9
  • c5_1_9
  • ensure_at_is_restricted_to_authorized_users
  • Resource: Class['cem_linux::utils::packages::linux::at']

5.2.1 - Ensure sudo is installed

  • Parameters:
  • package_ensure - [ Optional[Enum['installed', 'latest', 'absent']] ] - Default: installed - Used with the sudo package resource.
  • package_name - [ Optional[String[1]] ] - Default: sudo - The name of the sudo package to ensure. Defaults to "sudo"
  • sudoers_path - [ Optional[Stdlib::UnixPath] ] - Default: /etc/sudoers - Path to the sudoers file. Default: /etc/sudoers
  • sudoers_d_path - [ Optional[Stdlib::UnixPath] ] - Default: /etc/sudoers.d - Path to the sudoers.d directory. Default: /etc/sudoers.d
  • defaults - [ Optional[Hash[String[1], Optional[String]]] ] - Default: undef - Options to be added as Defaults in the sudoers file. Keys in the hash become options, and values become the values. If the option you want to specify does not have a value, make the value "undef". For example, to set a default sudo logfile, it would look like: $defaults => { 'logfile' => '/var/log/sudo.log'} which would then be written to the sudoers file as Defaults logfile = /var/log/sudo.log. If you wanted to specify an option with no value, it would look like: $defaults => { 'use_pty' => undef } which would then be written to the sudoers file as Defaults use_pty.
  • drop_ins - [ Optional[Hash[String[1], Struct[{user_group=>Optional[Variant[String[1], Array[String[1]]]], host=>Optional[String[1]], target_users=>Optional[Variant[String[1], Array[String[1]]]], priority=>Optional[Integer], commands=>Optional[Variant[Enum['ALL'], Array[String[1]]]], options=>Optional[Array[String[1]]], file_name=>Optional[String[1]]}]]] ] - Default: undef - Allows you to configure "drop-in" sudoers files that are created in the sudoers.d directory. This param is passed directly to the defined type cem_linux::utils::packages::linux::sudo::user_group. The key of the hash becomes the defined type's resource name, while the value is a struct whose keys align directly with the defined type's parameters. See cem_linux::utils::packages::linux::sudo::user_group for more details.
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure sudo is installed":
      package_ensure: "installed"
      package_name: "sudo"
      sudoers_path: "/etc/sudoers"
      sudoers_d_path: "/etc/sudoers.d"
      defaults: <<Type Hash[String[1], Optional[String]]>>
      drop_ins: <<Type Hash[String[1], Struct[{user_group=>Optional[Variant[String[1], Array[String[1]]]], host=>Optional[String[1]], target_users=>Optional[Variant[String[1], Array[String[1]]]], priority=>Optional[Integer], commands=>Optional[Variant[Enum['ALL'], Array[String[1]]]], options=>Optional[Array[String[1]]], file_name=>Optional[String[1]]}]]>>
  • Alternate Config IDs:
  • 5.2.1
  • c5_2_1
  • ensure_sudo_is_installed
  • Resource: Class['cem_linux::utils::packages::linux::sudo']
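The defaults and drop_ins mappings described above, filled in as a worked Hiera example. This is an editorial addition, not data from the module or its docs: the group name webops, the httpd command paths, the file name and the NOPASSWD tag are assumptions, and the exact sudoers lines are rendered by cem_linux::utils::packages::linux::sudo::user_group, which this page references but does not document.

```yaml
# Added example; not the module's own configuration data.
cem_linux::config:
  control_configs:
    "Ensure sudo is installed":
      package_ensure: "installed"
      defaults:
        logfile: "/var/log/sudo.log"   # -> Defaults logfile = /var/log/sudo.log
        use_pty: ~                     # -> Defaults use_pty  (YAML null reaches Puppet as undef)
      drop_ins:
        "webops-httpd":                # becomes the user_group resource title
          user_group: "%webops"        # assumed: sudoers group syntax
          host: "ALL"
          target_users: "root"
          commands:                    # absolute paths, never ALL
            - "/usr/bin/systemctl restart httpd"
            - "/usr/bin/systemctl reload httpd"
          options:
            - "NOPASSWD"               # assumed: sudoers tag spec
          priority: 10
          file_name: "webops-httpd"    # assumed: written under sudoers_d_path
```

Two things a reviewer checks in such a drop-in: commands lists absolute paths rather than ALL, and nothing on the list opens a pager or editor (systemctl status, for instance, pages its output through less), because a pager or editor escape from a command run under sudo is a root shell. The YAML null (~) is how Hiera passes the undef value that the defaults description asks for when an option has no value.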

5.2.2 - Ensure sudo commands use pty

  • Parameters:
  • sudoers_path - [ String[1] ] - Default: /etc/sudoers
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure sudo commands use pty":
      sudoers_path: "/etc/sudoers"
  • Alternate Config IDs:
  • 5.2.2
  • c5_2_2
  • ensure_sudo_commands_use_pty
  • Resource: Cem_linux::Utils::Packages::Linux::Sudo::Sudoers_default['use_pty']

5.2.3 - Ensure sudo log file exists

  • Parameters:
  • sudoers_path - [ String[1] ] - Default: /etc/sudoers
  • value - [ Optional[Variant[String[1], Array[String[1]]]] ] - Default: /var/log/sudo.log
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure sudo log file exists":
      sudoers_path: "/etc/sudoers"
      value: "/var/log/sudo.log"
  • Alternate Config IDs:
  • 5.2.3
  • c5_2_3
  • ensure_sudo_log_file_exists
  • Resource: Cem_linux::Utils::Packages::Linux::Sudo::Sudoers_default['logfile']

5.3.1 - Ensure permissions on /etc/ssh/sshd_config are configured

  • Parameters:
  • enforce_sshd_config_perms - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/ssh/sshd_config are configured":
      enforce_sshd_config_perms: true
  • Alternate Config IDs:
  • 5.3.1
  • c5_3_1
  • ensure_permissions_on_etcsshsshd_config_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.2 - Ensure permissions on SSH private host key files are configured

  • Parameters:
  • enforce_pri_host_key_perms - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on SSH private host key files are configured":
      enforce_pri_host_key_perms: true
  • Alternate Config IDs:
  • 5.3.2
  • c5_3_2
  • ensure_permissions_on_ssh_private_host_key_files_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.3 - Ensure permissions on SSH public host key files are configured

  • Parameters:
  • enforce_pub_host_key_perms - [ Boolean ] - Default: true
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure permissions on SSH public host key files are configured":
      enforce_pub_host_key_perms: true
  • Alternate Config IDs:
  • 5.3.3
  • c5_3_3
  • ensure_permissions_on_ssh_public_host_key_files_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.4 - Ensure SSH access is limited

  • Parameters:
  • allow_users - [ Optional[Array[String[1]]] ] - Default: undef
  • allow_groups - [ Optional[Array[String[1]]] ] - Default: undef
  • deny_users - [ Optional[Array[String[1]]] ] - Default: undef
  • deny_groups - [ Optional[Array[String[1]]] ] - Default: undef
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure SSH access is limited":
      allow_users: <<Type Array[String[1]]>>
      allow_groups: <<Type Array[String[1]]>>
      deny_users: <<Type Array[String[1]]>>
      deny_groups: <<Type Array[String[1]]>>
  • Alternate Config IDs:
  • 5.3.4
  • c5_3_4
  • ensure_ssh_access_is_limited
  • Resource: Class['cem_linux::utils::packages::linux::ssh']
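The allow and deny lists above, filled in as a worked Hiera example. This is an editorial addition, not data from the module; the group and account names are assumptions.

```yaml
# Added example; not the module's own configuration data.
cem_linux::config:
  control_configs:
    "Ensure SSH access is limited":
      allow_groups:
        - "sshusers"      # assumed: interactive admin logins
        - "deploy"        # assumed: CI service account's group
      deny_users:
        - "root"          # explicit, on top of PermitRootLogin no
```

sshd evaluates these directives in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a name in a deny list loses even if its group is allowed, and once any allow list exists every account not matched by it is refused. Before applying an allow list, make sure the account Puppet and the operators actually log in with is in one of the groups, and compare the effective setting with sshd -T before and after the run; an allow list that omits your own group locks you out at the next sshd reload.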

5.3.5 - Ensure SSH LogLevel is appropriate

  • Parameters:
  • log_level - [ Optional[Enum['INFO', 'VERBOSE']] ] - Default: INFO
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure SSH LogLevel is appropriate":
      log_level: "INFO"
  • Alternate Config IDs:
  • 5.3.5
  • c5_3_5
  • ensure_ssh_loglevel_is_appropriate
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.6 - Ensure SSH X11 forwarding is disabled

  • Parameters:
  • x11_forwarding - [ Optional[Enum['yes', 'no']] ] - Default: no
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure SSH X11 forwarding is disabled":
      x11_forwarding: "no"
  • Alternate Config IDs:
  • 5.3.6
  • c5_3_6
  • ensure_ssh_x11_forwarding_is_disabled
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.7 - Ensure SSH MaxAuthTries is set to 4 or less

  • Parameters:
  • max_auth_tries - [ Optional[Integer] ] - Default: 4
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure SSH MaxAuthTries is set to 4 or less":
      max_auth_tries: 4
  • Alternate Config IDs:
  • 5.3.7
  • c5_3_7
  • ensure_ssh_maxauthtries_is_set_to_4_or_less
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.8 - Ensure SSH IgnoreRhosts is enabled

  • Parameters:
  • ignore_rhosts - [ Optional[Enum['yes', 'no']] ] - Default: yes
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure SSH IgnoreRhosts is enabled":
      ignore_rhosts: "yes"
  • Alternate Config IDs:
  • 5.3.8
  • c5_3_8
  • ensure_ssh_ignorerhosts_is_enabled
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.9 - Ensure SSH HostbasedAuthentication is disabled

  • Parameters:
  • host_based_authentication - [ Optional[Enum['yes', 'no']] ] - Default: no
  • Supported Levels:
  • level_1
  • level_2
  • Supported Profiles:
  • server
  • Hiera Configuration Example:
cem_linux::config:
  control_configs:
    "Ensure SSH HostbasedAuthentication is disabled":
      host_based_authentication: "no"
  • Alternate Config IDs:
  • 5.3.9
  • c5_3_9
  • ensure_ssh_hostbasedauthentication_is_disabled
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.10 - Ensure SSH root login is disabled