Premium module

cem_linux

Compliance Enforcement Module for Linux

2,823 downloads (23 of the latest version)

Version information

  • 1.4.2 (latest)
  • 1.4.1
  • 1.4.0
  • 1.3.2
  • 1.3.1
  • 1.3.0
  • 1.2.0
  • 1.1.4
  • 1.1.3
  • 1.1.2
  • 1.1.1
  • 1.1.0
  • 1.0.0
Latest version 1.4.2 released Nov 8th 2022
This version is compatible with:
  • Puppet Enterprise 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.23.0 < 8.0.0
Tasks:
  • audit_authselect
  • audit_boot
  • audit_check_ipv6
  • audit_client_dns
  • audit_duplicate_gid
  • audit_duplicate_group_names
  • audit_duplicate_uid
  • and 38 more tasks

Documentation

puppetlabs/cem_linux — version 1.4.2 Nov 8th 2022

CEM Linux Reference

CIS CentOS Linux 7 Benchmark 3.1.2

1.1.1.1 - Ensure mounting of cramfs filesystems is disabled

  • Parameters:
    • filesystem - [ String[1] ] - Default: cramfs
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure mounting of cramfs filesystems is disabled":
      filesystem: "cramfs"
  • Alternate Config IDs:
    • 1.1.1.1
    • c1_1_1_1
    • ensure_mounting_of_cramfs_filesystems_is_disabled
  • Resource: Cem_linux::Utils::Disable_fs_mounting['Disable cramfs filesystem mounting']

1.1.1.2 - Ensure mounting of squashfs filesystems is disabled

  • Parameters:
    • filesystem - [ String[1] ] - Default: squashfs
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure mounting of squashfs filesystems is disabled":
      filesystem: "squashfs"
  • Alternate Config IDs:
    • 1.1.1.2
    • c1_1_1_2
    • ensure_mounting_of_squashfs_filesystems_is_disabled
  • Resource: Cem_linux::Utils::Disable_fs_mounting['Disable squashfs filesystem mounting']

1.1.1.3 - Ensure mounting of udf filesystems is disabled

  • Parameters:
    • filesystem - [ String[1] ] - Default: udf
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure mounting of udf filesystems is disabled":
      filesystem: "udf"
  • Alternate Config IDs:
    • 1.1.1.3
    • c1_1_1_3
    • ensure_mounting_of_udf_filesystems_is_disabled
  • Resource: Cem_linux::Utils::Disable_fs_mounting['Disable udf filesystem mounting']

1.1.3 - Ensure noexec option set on /tmp partition

  • Parameters:
    • noexec - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure noexec option set on /tmp partition":
      noexec: true
  • Alternate Config IDs:
    • 1.1.3
    • c1_1_3
    • ensure_noexec_option_set_on_tmp_partition
  • Resource: Class['cem_linux::utils::services::systemd::tmp_mount']

1.1.4 - Ensure nodev option set on /tmp partition

  • Parameters:
    • nodev - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure nodev option set on /tmp partition":
      nodev: true
  • Alternate Config IDs:
    • 1.1.4
    • c1_1_4
    • ensure_nodev_option_set_on_tmp_partition
  • Resource: Class['cem_linux::utils::services::systemd::tmp_mount']

1.1.5 - Ensure nosuid option set on /tmp partition

  • Parameters:
    • nosuid - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure nosuid option set on /tmp partition":
      nosuid: true
  • Alternate Config IDs:
    • 1.1.5
    • c1_1_5
    • ensure_nosuid_option_set_on_tmp_partition
  • Resource: Class['cem_linux::utils::services::systemd::tmp_mount']

1.1.7 - Ensure noexec option set on /dev/shm partition

  • Parameters:
    • noexec - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure noexec option set on /dev/shm partition":
      noexec: true
  • Alternate Config IDs:
    • 1.1.7
    • c1_1_7
    • ensure_noexec_option_set_on_devshm_partition
  • Resource: Class['cem_linux::utils::dev_shm_fstab_entry']

1.1.8 - Ensure nodev option set on /dev/shm partition

  • Parameters:
    • nodev - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure nodev option set on /dev/shm partition":
      nodev: true
  • Alternate Config IDs:
    • 1.1.8
    • c1_1_8
    • ensure_nodev_option_set_on_devshm_partition
  • Resource: Class['cem_linux::utils::dev_shm_fstab_entry']

1.1.9 - Ensure nosuid option set on /dev/shm partition

  • Parameters:
    • nosuid - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure nosuid option set on /dev/shm partition":
      nosuid: true
  • Alternate Config IDs:
    • 1.1.9
    • c1_1_9
    • ensure_nosuid_option_set_on_devshm_partition
  • Resource: Class['cem_linux::utils::dev_shm_fstab_entry']
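Controls 1.1.3 to 1.1.5 and 1.1.7 to 1.1.9 above all come down to the same runtime fact: /tmp and /dev/shm must be separate mounts carrying noexec, nodev and nosuid. The following POSIX shell check is an added example, not code from the cem_linux module, that reads mount lines in the /proc/mounts format and reports which required options are missing per mountpoint. The sample mount table embedded in it is constructed for the demonstration (/tmp compliant, /dev/shm lacking noexec); the function names and the MOUNTS_INPUT variable are my own.

```shell
#!/bin/sh
# Added example (not part of the cem_linux module): verify that /tmp and /dev/shm
# are mounted with noexec, nodev and nosuid as required by controls 1.1.3-1.1.5
# and 1.1.7-1.1.9. Input is text in /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# Constructed sample of /proc/mounts: /tmp is compliant, /dev/shm is missing noexec.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda1 / xfs rw,relatime,attr2,inode64 0 0'

# mount_opts MOUNTS_TEXT MOUNTPOINT
# Prints the comma-separated option list of MOUNTPOINT, or nothing if it is not
# a mount of its own (a plain directory on the root filesystem has no line here).
mount_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# missing_opts MOUNTS_TEXT MOUNTPOINT
# Prints the required options absent from MOUNTPOINT, space separated; prints
# "not-mounted" when the path is not a separate mount (then no option can apply).
missing_opts() {
  opts=$(mount_opts "$1" "$2")
  if [ -z "$opts" ]; then
    echo "not-mounted"
    return 0
  fi
  missing=""
  for req in noexec nodev nosuid; do
    # Surround with commas so "nodev" cannot match inside another option name.
    case ",$opts," in
      *",$req,"*) ;;
      *) missing="${missing:+$missing }$req" ;;
    esac
  done
  echo "$missing"
}

# check_mounts MOUNTS_TEXT
# One result line per mountpoint; exit status 1 if any mountpoint is non-compliant.
check_mounts() {
  rc=0
  for mp in /tmp /dev/shm; do
    m=$(missing_opts "$1" "$mp")
    if [ -z "$m" ]; then
      echo "$mp: ok"
    else
      echo "$mp: missing $m"
      rc=1
    fi
  done
  return $rc
}

# Use the constructed sample unless MOUNTS_INPUT is set, e.g.
#   MOUNTS_INPUT="$(cat /proc/mounts)" sh check_mounts.sh
check_mounts "${MOUNTS_INPUT:-$SAMPLE_MOUNTS}" || echo "non-compliant mounts found"
```

Run against the sample, the check prints `/tmp: ok` and `/dev/shm: missing noexec`; run with MOUNTS_INPUT set to the live /proc/mounts, a "not-mounted" result for /tmp means the separate /tmp mount that the systemd tmp_mount resource manages is not in place at all, which is a different remediation than a missing option.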

1.1.22 - Ensure sticky bit is set on all world-writable directories

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.1.22
    • c1_1_22
    • ensure_sticky_bit_is_set_on_all_world_writable_directories
  • Resource: Class['cem_linux::utils::sticky_bit']

1.1.23 - Disable Automounting

  • Parameters:
    • service - [ String[1] ] - Default: autofs
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Disable Automounting":
      service: "autofs"
  • Alternate Config IDs:
    • 1.1.23
    • c1_1_23
    • disable_automounting
  • Resource: Cem_linux::Utils::Disable_service['Disable autofs']

1.1.24 - Disable USB Storage

  • Parameters:
    • filesystem - [ String[1] ] - Default: usb-storage
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Disable USB Storage":
      filesystem: "usb-storage"
  • Alternate Config IDs:
    • 1.1.24
    • c1_1_24
    • disable_usb_storage
  • Resource: Cem_linux::Utils::Disable_fs_mounting['Disable usb storage']

1.2.3 - Ensure gpgcheck is globally activated

  • Parameters:
    • yum_conf - [ Stdlib::UnixPath ] - Default: /etc/yum.conf
    • repo_files - [ Optional[Array[String[1]]] ] - Default: undef
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure gpgcheck is globally activated":
      yum_conf: "/etc/yum.conf"
      repo_files: <<Type Array[String[1]]>>
  • Alternate Config IDs:
    • 1.2.3
    • c1_2_3
    • ensure_gpgcheck_is_globally_activated
  • Resource: Class['cem_linux::utils::yum::enable_gpgcheck']

1.3.1 - Ensure AIDE is installed

  • Parameters:
    • control_package - [ Optional[Boolean] ] - Default: true
    • package_ensure - [ Optional[String] ] - Default: present
    • manage_config - [ Optional[Boolean] ] - Default: true
    • run_scheduled - [ Optional[Boolean] ] - Default: true
    • scheduler - [ Optional[Enum['systemd', 'cron']] ] - Default: systemd
    • systemd_timer_schedule - [ Optional[String] ] - Default: *-*-* 00:00:00
    • conf_purge - [ Optional[Boolean] ] - Default: undef
    • conf_db_dir - [ Optional[String] ] - Default: /var/lib/aide
    • conf_log_dir - [ Optional[String] ] - Default: /var/log/aide
    • conf_verbosity - [ Optional[Integer] ] - Default: 5
    • conf_report_urls - [ Optional[Array[String]] ] - Default: ["file:@@{LOGDIR}/aide.log", "stdout"]
    • conf_rules - [ Optional[Array[String]] ] - Default: ["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"]
    • conf_checks - [ Optional[Array[String]] ] - Default: ["/boot/ CONTENT_EX", "/bin/ CONTENT_EX", "/sbin/ CONTENT_EX", "/lib/ CONTENT_EX", "/lib64/ CONTENT_EX", "/opt/ CONTENT_EX", "/root/\\..* PERMS", "/root/ CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/ CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$ CONTENT_EX", "/etc/group$ CONTENT_EX", "/etc/gshadow$ CONTENT_EX", "/etc/shadow$ CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/ PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure AIDE is installed":
      control_package: true
      package_ensure: "present"
      manage_config: true
      run_scheduled: true
      scheduler: "systemd"
      systemd_timer_schedule: "*-*-* 00:00:00"
      conf_purge: <<Type Boolean>>
      conf_db_dir: "/var/lib/aide"
      conf_log_dir: "/var/log/aide"
      conf_verbosity: 5
      conf_report_urls: ["file:@@{LOGDIR}/aide.log", "stdout"]
      conf_rules: ["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"]
      conf_checks: ["/boot/   CONTENT_EX", "/bin/    CONTENT_EX", "/sbin/   CONTENT_EX", "/lib/    CONTENT_EX", "/lib64/  CONTENT_EX", "/opt/    CONTENT_EX", "/root/\\..* PERMS", "/root/   CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/    CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$   CONTENT_EX", "/etc/group$    CONTENT_EX", "/etc/gshadow$  CONTENT_EX", "/etc/shadow$   CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/    PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"]
  • Alternate Config IDs:
    • 1.3.1
    • c1_3_1
    • ensure_aide_is_installed
  • Resource: Class['cem_linux::utils::packages::linux::aide']

1.4.1 - Ensure bootloader password is set

  • Parameters:
    • password_protect - [ Boolean ] - Default: true
    • superuser - [ Optional[String[1]] ] - Default: undef
    • superuser_password - [ Optional[Sensitive[String]] ] - Default: undef
    • password_file - [ Stdlib::UnixPath ] - Default: /etc/grub.d/50_password
    • replace_password_file - [ Boolean ]
    • hash_superuser_password - [ Boolean ] - Default: true
    • superuser_password_salt_length - [ Optional[Integer] ] - Default: undef
    • superuser_password_buffer_length - [ Optional[Integer] ] - Default: undef
    • superuser_password_iterations - [ Optional[Integer] ] - Default: undef
    • other_users - [ Optional[Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]] ] - Default: undef
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure bootloader password is set":
      password_protect: true
      superuser: <<Type String[1]>>
      superuser_password: <<Type Sensitive[String]>>
      password_file: "/etc/grub.d/50_password"
      replace_password_file: false
      hash_superuser_password: true
      superuser_password_salt_length: <<Type Integer>>
      superuser_password_buffer_length: <<Type Integer>>
      superuser_password_iterations: <<Type Integer>>
      other_users: <<Type Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]>>
  • Alternate Config IDs:
    • 1.4.1
    • c1_4_1
    • ensure_bootloader_password_is_set
  • Resource: Class['cem_linux::utils::bootloader::grub2']

1.4.2 - Ensure permissions on bootloader config are configured

  • Parameters:
    • ensure_permissions - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on bootloader config are configured":
      ensure_permissions: true
  • Alternate Config IDs:
    • 1.4.2
    • c1_4_2
    • ensure_permissions_on_bootloader_config_are_configured
  • Resource: Class['cem_linux::utils::bootloader::grub2']

1.4.3 - Ensure authentication required for single user mode

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.4.3
    • c1_4_3
    • ensure_authentication_required_for_single_user_mode
  • Resource: Class['cem_linux::utils::services::systemd::secure_rescue_service']

1.4.3 - Ensure authentication required for single user mode

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.4.3
    • c1_4_3
    • ensure_authentication_required_for_single_user_mode
  • Resource: Class['cem_linux::utils::services::systemd::secure_emergency_service']

1.5.1 - Ensure core dumps are restricted

  • Parameters:
    • limits_file - [ Optional[String] ] - Default: 10-disable_core_dumps.conf
    • sysctl_file - [ Optional[String] ] - Default: 10-disable_core_dumps.conf
    • service_content - [ Optional[String] ] - Default: "# THIS FILE IS MANAGED BY PUPPET\n[Coredump]\nStorage=none\nProcessSizeMax=0\n"
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure core dumps are restricted":
      limits_file: "10-disable_core_dumps.conf"
      sysctl_file: "10-disable_core_dumps.conf"
      service_content: "# THIS FILE IS MANAGED BY PUPPET\n[Coredump]\nStorage=none\nProcessSizeMax=0\n"
  • Alternate Config IDs:
    • 1.5.1
    • c1_5_1
    • ensure_core_dumps_are_restricted
  • Resource: Class['cem_linux::utils::disable_core_dumps']

1.5.3 - Ensure address space layout randomization (ASLR) is enabled

  • Parameters:
    • sysctl_file - [ Optional[String] ] - Default: 10-enable_aslr.conf
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure address space layout randomization (ASLR) is enabled":
      sysctl_file: "10-enable_aslr.conf"
  • Alternate Config IDs:
    • 1.5.3
    • c1_5_3
    • ensure_address_space_layout_randomization_aslr_is_enabled
  • Resource: Class['cem_linux::utils::enable_aslr']

1.5.4 - Ensure prelink is not installed

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.5.4
    • c1_5_4
    • ensure_prelink_is_not_installed
  • Resource: Class['cem_linux::utils::disable_prelink']

1.6.1.1 - Ensure SELinux is installed

  • Parameters:
    • manage_package - [ Optional[Boolean] ] - Default: true
    • package_name - [ Optional[String[1]] ] - Default: libselinux
    • mode - [ Optional[Enum['permissive', 'enforcing']] ] - Default: enforcing
    • type - [ Optional[Enum['targeted', 'mls']] ] - Default: targeted
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SELinux is installed":
      manage_package: true
      package_name: "libselinux"
      mode: "enforcing"
      type: "targeted"
  • Alternate Config IDs:
    • 1.6.1.1
    • c1_6_1_1
    • ensure_selinux_is_installed
  • Resource: Class['cem_linux::utils::packages::linux::selinux']

1.6.1.2 - Ensure SELinux is not disabled in bootloader configuration

  • Parameters:
    • enable_selinux - [ Boolean ] - Default: true
    • selinux_mode - [ Enum["permissive", "enforcing", "disabled"] ] - Default: enforcing
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SELinux is not disabled in bootloader configuration":
      enable_selinux: true
      selinux_mode: "enforcing"
  • Alternate Config IDs:
    • 1.6.1.2
    • c1_6_1_2
    • ensure_selinux_is_not_disabled_in_bootloader_configuration
  • Resource: Class['cem_linux::utils::bootloader::grub2']

1.6.1.3 - Ensure SELinux policy is configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.6.1.3
    • c1_6_1_3
    • ensure_selinux_policy_is_configured
  • Resource: Class['cem_linux::utils::packages::linux::selinux']

1.6.1.4 - Ensure the SELinux mode is enforcing or permissive

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.6.1.4
    • c1_6_1_4
    • ensure_the_selinux_mode_is_enforcing_or_permissive
  • Resource: Class['cem_linux::utils::packages::linux::selinux']

1.6.1.5 - Ensure the SELinux mode is enforcing

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.6.1.5
    • c1_6_1_5
    • ensure_the_selinux_mode_is_enforcing
  • Resource: Class['cem_linux::utils::packages::linux::selinux']

1.6.1.7 - Ensure SETroubleshoot is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: setroubleshoot
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SETroubleshoot is not installed":
      pkg_name: "setroubleshoot"
  • Alternate Config IDs:
    • 1.6.1.7
    • c1_6_1_7
    • ensure_setroubleshoot_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not install setroubleshoot']

1.6.1.8 - Ensure the MCS Translation Service (mcstrans) is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: mcstrans
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure the MCS Translation Service (mcstrans) is not installed":
      pkg_name: "mcstrans"
  • Alternate Config IDs:
    • 1.6.1.8
    • c1_6_1_8
    • ensure_the_mcs_translation_service_mcstrans_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not install mcs translation service']

1.7.1 - Ensure message of the day is configured properly

  • Parameters:
    • dynamic_motd - [ Optional[Boolean] ] - Default: true
    • motd_template - [ Optional[String[1]] ] - Default: undef
    • motd_content - [ Optional[String] ] - Default: "" (empty string)
    • issue_content - [ Optional[String] ] - Default: This is a secure system. Unauthorized access is strictly prohibited.
    • issue_net_content - [ Optional[String] ] - Default: This is a secure system. Unauthorized access is strictly prohibited.
    • issue_template - [ Optional[String[1]] ] - Default: undef
    • issue_net_template - [ Optional[String[1]] ] - Default: undef
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure message of the day is configured properly":
      dynamic_motd: true
      motd_template: <<Type String[1]>>
      motd_content: ""
      issue_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
      issue_net_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
      issue_template: <<Type String[1]>>
      issue_net_template: <<Type String[1]>>
  • Alternate Config IDs:
    • 1.7.1
    • c1_7_1
    • ensure_message_of_the_day_is_configured_properly
  • Resource: Class['cem_linux::utils::motd']

1.7.2 - Ensure local login warning banner is configured properly

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.7.2
    • c1_7_2
    • ensure_local_login_warning_banner_is_configured_properly
  • Resource: Class['cem_linux::utils::motd']

1.7.3 - Ensure remote login warning banner is configured properly

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.7.3
    • c1_7_3
    • ensure_remote_login_warning_banner_is_configured_properly
  • Resource: Class['cem_linux::utils::motd']

1.7.4 - Ensure permissions on /etc/motd are configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.7.4
    • c1_7_4
    • ensure_permissions_on_etcmotd_are_configured
  • Resource: Class['cem_linux::utils::motd']

1.7.5 - Ensure permissions on /etc/issue are configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.7.5
    • c1_7_5
    • ensure_permissions_on_etcissue_are_configured
  • Resource: Class['cem_linux::utils::motd']

1.7.6 - Ensure permissions on /etc/issue.net are configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 1.7.6
    • c1_7_6
    • ensure_permissions_on_etcissue_net_are_configured
  • Resource: Class['cem_linux::utils::motd']

2.1.1 - Ensure xinetd is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: xinetd
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure xinetd is not installed":
      pkg_name: "xinetd"
  • Alternate Config IDs:
    • 2.1.1
    • c2_1_1
    • ensure_xinetd_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not install xinetd']

2.2.1.1 - Ensure time synchronization is in use

  • Parameters:
    • preferred_package - [ Enum["chrony", "ntp"] ] - Default: chrony
    • manage_package - [ Boolean ] - Default: true
    • force_exclusivity - [ Boolean ] - Default: true
    • timeservers - [ Optional[Array[String[1]]] ] - Default: undef
    • sysconfig_options - [ Optional[String[1]] ] - Default: undef
    • ntp_restricts - [ Optional[Array[String[1]]] ] - Default: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure time synchronization is in use":
      preferred_package: "chrony"
      manage_package: true
      force_exclusivity: true
      timeservers: <<Type Array[String[1]]>>
      sysconfig_options: <<Type String[1]>>
      ntp_restricts: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]
  • Alternate Config IDs:
    • 2.2.1.1
    • c2_2_1_1
    • ensure_time_synchronization_is_in_use
  • Resource: Class['cem_linux::utils::timesync']

2.2.1.2 - Ensure chrony is configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 2.2.1.2
    • c2_2_1_2
    • ensure_chrony_is_configured
  • Resource: Class['cem_linux::utils::timesync']

2.2.1.3 - Ensure ntp is configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 2.2.1.3
    • c2_2_1_3
    • ensure_ntp_is_configured
  • Resource: Class['cem_linux::utils::timesync']

2.2.2 - Ensure X11 Server components are not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: xorg-x11-server*
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure X11 Server components are not installed":
      pkg_name: "xorg-x11-server*"
  • Alternate Config IDs:
    • 2.2.2
    • c2_2_2
    • ensure_x11_server_components_are_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not install x11 server components']

2.2.3 - Ensure Avahi Server is not installed

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 2.2.3
    • c2_2_3
    • ensure_avahi_server_is_not_installed
  • Resource: Class['cem_linux::utils::remove_avahi_server']

2.2.4 - Ensure CUPS is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: cups
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure CUPS is not installed":
      pkg_name: "cups"
  • Alternate Config IDs:
    • 2.2.4
    • c2_2_4
    • ensure_cups_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not install CUPS']

2.2.5 - Ensure DHCP Server is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: dhcp
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure DHCP Server is not installed":
      pkg_name: "dhcp"
  • Alternate Config IDs:
    • 2.2.5
    • c2_2_5
    • ensure_dhcp_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use DHCP server']

2.2.6 - Ensure LDAP server is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: openldap-servers
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure LDAP server is not installed":
      pkg_name: "openldap-servers"
  • Alternate Config IDs:
    • 2.2.6
    • c2_2_6
    • ensure_ldap_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not LDAP server']

2.2.7 - Ensure DNS Server is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: bind
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure DNS Server is not installed":
      pkg_name: "bind"
  • Alternate Config IDs:
    • 2.2.7
    • c2_2_7
    • ensure_dns_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use DNS server']

2.2.8 - Ensure FTP Server is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: vsftpd
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure FTP Server is not installed":
      pkg_name: "vsftpd"
  • Alternate Config IDs:
    • 2.2.8
    • c2_2_8
    • ensure_ftp_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use ftp server']

2.2.9 - Ensure HTTP server is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: httpd
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure HTTP server is not installed":
      pkg_name: "httpd"
  • Alternate Config IDs:
    • 2.2.9
    • c2_2_9
    • ensure_http_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use HTTP Server']

2.2.10 - Ensure IMAP and POP3 server is not installed

  • Parameters:
    • mail_servers - [ Array[String] ] - Default: ["dovecot", "postfix"]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure IMAP and POP3 server is not installed":
      mail_servers: ["dovecot", "postfix"]
  • Alternate Config IDs:
    • 2.2.10
    • c2_2_10
    • ensure_imap_and_pop3_server_is_not_installed
  • Resource: Class['cem_linux::utils::remove_imap_and_pop3']

2.2.11 - Ensure Samba is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: samba
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure Samba is not installed":
      pkg_name: "samba"
  • Alternate Config IDs:
    • 2.2.11
    • c2_2_11
    • ensure_samba_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use Samba']

2.2.12 - Ensure HTTP Proxy Server is not installed

  • Parameters:
    • proxy_packages - [ Array[String] ] - Default: ["squid"]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure HTTP Proxy Server is not installed":
      proxy_packages: ["squid"]
  • Alternate Config IDs:
    • 2.2.12
    • c2_2_12
    • ensure_http_proxy_server_is_not_installed
  • Resource: Class['cem_linux::utils::remove_http_proxy']

2.2.13 - Ensure net-snmp is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: net-snmp
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure net-snmp is not installed":
      pkg_name: "net-snmp"
  • Alternate Config IDs:
    • 2.2.13
    • c2_2_13
    • ensure_net_snmp_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use net-snmp']

2.2.14 - Ensure NIS server is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: ypserv
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure NIS server is not installed":
      pkg_name: "ypserv"
  • Alternate Config IDs:
    • 2.2.14
    • c2_2_14
    • ensure_nis_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Disable NIS Server']

2.2.15 - Ensure telnet-server is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: telnet-server
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure telnet-server is not installed":
      pkg_name: "telnet-server"
  • Alternate Config IDs:
    • 2.2.15
    • c2_2_15
    • ensure_telnet_server_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Remove Telnet server']

2.2.16 - Ensure mail transfer agent is configured for local-only mode

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 2.2.16
    • c2_2_16
    • ensure_mail_transfer_agent_is_configured_for_local_only_mode
  • Resource: Class['cem_linux::utils::local_only_mta']

2.2.17 - Ensure nfs-utils is not installed or the nfs-server service is masked

  • Parameters:
    • keep_nfsutils - [ Boolean ]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure nfs-utils is not installed or the  nfs-server service is masked":
      keep_nfsutils: false
  • Alternate Config IDs:
    • 2.2.17
    • c2_2_17
    • ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked
  • Resource: Class['cem_linux::utils::disable_or_remove_nfs']

2.2.18 - Ensure rpcbind is not installed or the rpcbind services are masked

  • Parameters:
    • keep_rpcbind - [ Boolean ]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure rpcbind is not installed or the  rpcbind services are masked":
      keep_rpcbind: false
  • Alternate Config IDs:
    • 2.2.18
    • c2_2_18
    • ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked
  • Resource: Class['cem_linux::utils::disable_or_remove_rpcbind']

2.2.19 - Ensure rsync is not installed or the rsyncd service is masked

  • Parameters:
    • keep_rsync - [ Boolean ]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure rsync is not installed or the rsyncd service is masked":
      keep_rsync: false
  • Alternate Config IDs:
    • 2.2.19
    • c2_2_19
    • ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
  • Resource: Class['cem_linux::utils::disable_or_remove_rsync']

2.3.1 - Ensure NIS Client is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: ypbind
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure NIS Client is not installed":
      pkg_name: "ypbind"
  • Alternate Config IDs:
    • 2.3.1
    • c2_3_1
    • ensure_nis_client_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use NIS Client']

2.3.2 - Ensure rsh client is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: rsh
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure rsh client is not installed":
      pkg_name: "rsh"
  • Alternate Config IDs:
    • 2.3.2
    • c2_3_2
    • ensure_rsh_client_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use rsh']

2.3.3 - Ensure talk client is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: talk
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure talk client is not installed":
      pkg_name: "talk"
  • Alternate Config IDs:
    • 2.3.3
    • c2_3_3
    • ensure_talk_client_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Do not use talk client']

2.3.4 - Ensure telnet client is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: telnet
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure telnet client is not installed":
      pkg_name: "telnet"
  • Alternate Config IDs:
    • 2.3.4
    • c2_3_4
    • ensure_telnet_client_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Remove Telnet Client']

2.3.5 - Ensure LDAP client is not installed

  • Parameters:
    • pkg_name - [ String[1] ] - Default: openldap-clients
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure LDAP client is not installed":
      pkg_name: "openldap-clients"
  • Alternate Config IDs:
    • 2.3.5
    • c2_3_5
    • ensure_ldap_client_is_not_installed
  • Resource: Cem_linux::Utils::Packages::Absenter['Remove LDAP Client']

3.1.1 - Disable IPv6

  • Parameters:
    • strategy - [ Optional[Enum["sysctl", "grub"]] ] - Default: sysctl
    • create_sysctl_file - [ Optional[Boolean] ] - Default: true
    • sysctl_conf - [ Optional[String] ] - Default: /etc/sysctl.conf
    • sysctl_d_path - [ Optional[String] ] - Default: /etc/sysctl.d
    • sysctl_prefix - [ Optional[String] ] - Default: 10-
    • sysctl_comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Disable IPv6":
      strategy: "sysctl"
      create_sysctl_file: true
      sysctl_conf: "/etc/sysctl.conf"
      sysctl_d_path: "/etc/sysctl.d"
      sysctl_prefix: "10-"
      sysctl_comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.1.1
    • c3_1_1
    • disable_ipv6
  • Resource: Class['cem_linux::utils::network::disable_ipv6']

3.1.2 - Ensure wireless interfaces are disabled

  • Parameters:
    • wwan - [ Boolean ] - Default: true
    • wifi - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure wireless interfaces are disabled":
      wwan: true
      wifi: true
  • Alternate Config IDs:
    • 3.1.2
    • c3_1_2
    • ensure_wireless_interfaces_are_disabled
  • Resource: Cem_linux::Utils::Network::Disable_wireless_interfaces['Disable wireless interfaces']

3.2.1 - Ensure IP forwarding is disabled

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/sysctl.d/10-disable_ip_forwarding.conf
    • persist - [ Optional[Boolean] ] - Default: true
    • comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure IP forwarding is disabled":
      target: "/etc/sysctl.d/10-disable_ip_forwarding.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.2.1
    • c3_2_1
    • ensure_ip_forwarding_is_disabled
  • Resource: Class['cem_linux::utils::network::disable_ip_forwarding']

3.2.2 - Ensure packet redirect sending is disabled

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/sysctl.d/10-disable_packet_redirect_sending.conf
    • persist - [ Optional[Boolean] ] - Default: true
    • comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure packet redirect sending is disabled":
      target: "/etc/sysctl.d/10-disable_packet_redirect_sending.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.2.2
    • c3_2_2
    • ensure_packet_redirect_sending_is_disabled
  • Resource: Class['cem_linux::utils::network::disable_packet_redirect_sending']

3.3.1 - Ensure source routed packets are not accepted

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/sysctl.d/10-disable_source_routes.conf
    • persist - [ Optional[Boolean] ] - Default: true
    • comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure source routed packets are not accepted":
      target: "/etc/sysctl.d/10-disable_source_routes.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.3.1
    • c3_3_1
    • ensure_source_routed_packets_are_not_accepted
  • Resource: Class['cem_linux::utils::network::disable_source_routes']

3.3.2 - Ensure ICMP redirects are not accepted

  • Parameters:
    • disable_ipv4_accept_default - [ Boolean ] - Default: true
    • disable_ipv4_accept_all - [ Boolean ] - Default: true
    • disable_ipv6_accept_default - [ Boolean ] - Default: true
    • disable_ipv6_accept_all - [ Boolean ] - Default: true
    • target - [ Stdlib::UnixPath ] - Default: /etc/sysctl.d/10-disable_icmp_redirects.conf
    • persist - [ Boolean ] - Default: true
    • comment - [ String ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure ICMP redirects are not accepted":
      disable_ipv4_accept_default: true
      disable_ipv4_accept_all: true
      disable_ipv6_accept_default: true
      disable_ipv6_accept_all: true
      target: "/etc/sysctl.d/10-disable_icmp_redirects.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.3.2
    • c3_3_2
    • ensure_icmp_redirects_are_not_accepted
  • Resource: Class['cem_linux::utils::network::disable_icmp_redirects']

3.3.3 - Ensure secure ICMP redirects are not accepted

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/sysctl.d/10-disable_secure_icmp_redirects.conf
    • persist - [ Optional[Boolean] ] - Default: true
    • comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure secure ICMP redirects are not accepted":
      target: "/etc/sysctl.d/10-disable_secure_icmp_redirects.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.3.3
    • c3_3_3
    • ensure_secure_icmp_redirects_are_not_accepted
  • Resource: Class['cem_linux::utils::network::disable_secure_icmp_redirects']

3.3.4 - Ensure suspicious packets are logged

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/sysctl.d/10-enable_log_martians.conf
    • persist - [ Optional[Boolean] ] - Default: true
    • comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure suspicious packets are logged":
      target: "/etc/sysctl.d/10-enable_log_martians.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.3.4
    • c3_3_4
    • ensure_suspicious_packets_are_logged
  • Resource: Class['cem_linux::utils::network::enable_log_martians']

3.3.5 - Ensure broadcast ICMP requests are ignored

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/sysctl.d/10-ignore_icmp_broadcast.conf
    • persist - [ Optional[Boolean] ] - Default: true
    • comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure broadcast ICMP requests are ignored":
      target: "/etc/sysctl.d/10-ignore_icmp_broadcast.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.3.5
    • c3_3_5
    • ensure_broadcast_icmp_requests_are_ignored
  • Resource: Class['cem_linux::utils::network::ignore_icmp_broadcast']

3.3.6 - Ensure bogus ICMP responses are ignored

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/sysctl.d/10-ignore_bogus_icmp.conf
    • persist - [ Optional[Boolean] ] - Default: true
    • comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure bogus ICMP responses are ignored":
      target: "/etc/sysctl.d/10-ignore_bogus_icmp.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.3.6
    • c3_3_6
    • ensure_bogus_icmp_responses_are_ignored
  • Resource: Class['cem_linux::utils::network::ignore_bogus_icmp']

3.3.7 - Ensure Reverse Path Filtering is enabled

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/sysctl.d/10-enable_reverse_path_filtering.conf
    • persist - [ Optional[Boolean] ] - Default: true
    • comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure Reverse Path Filtering is enabled":
      target: "/etc/sysctl.d/10-enable_reverse_path_filtering.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.3.7
    • c3_3_7
    • ensure_reverse_path_filtering_is_enabled
  • Resource: Class['cem_linux::utils::network::enable_reverse_path_filtering']

3.3.8 - Ensure TCP SYN Cookies is enabled

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/sysctl.d/10-enable_tcp_syn_cookies.conf
    • persist - [ Optional[Boolean] ] - Default: true
    • comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure TCP SYN Cookies is enabled":
      target: "/etc/sysctl.d/10-enable_tcp_syn_cookies.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.3.8
    • c3_3_8
    • ensure_tcp_syn_cookies_is_enabled
  • Resource: Class['cem_linux::utils::network::enable_tcp_syn_cookies']

3.3.9 - Ensure IPv6 router advertisements are not accepted

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/sysctl.d/10-disable_ipv6_router_advertisements.conf
    • persist - [ Optional[Boolean] ] - Default: true
    • comment - [ Optional[String] ] - Default: MANAGED BY PUPPET
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure IPv6 router advertisements are not accepted":
      target: "/etc/sysctl.d/10-disable_ipv6_router_advertisements.conf"
      persist: true
      comment: "MANAGED BY PUPPET"
  • Alternate Config IDs:
    • 3.3.9
    • c3_3_9
    • ensure_ipv6_router_advertisements_are_not_accepted
  • Resource: Class['cem_linux::utils::network::disable_ipv6_router_advertisements']

3.4.1 - Ensure DCCP is disabled

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/modprobe.d/dccp.conf
    • content - [ Optional[String] ] - Default: install dccp /bin/true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure DCCP is disabled":
      target: "/etc/modprobe.d/dccp.conf"
      content: "install dccp /bin/true"
  • Alternate Config IDs:
    • 3.4.1
    • c3_4_1
    • ensure_dccp_is_disabled
  • Resource: Class['cem_linux::utils::network::disable_dccp']

3.4.2 - Ensure SCTP is disabled

  • Parameters:
    • target - [ Optional[String[1]] ] - Default: /etc/modprobe.d/sctp.conf
    • content - [ Optional[String] ] - Default: install sctp /bin/true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SCTP is disabled":
      target: "/etc/modprobe.d/sctp.conf"
      content: "install sctp /bin/true"
  • Alternate Config IDs:
    • 3.4.2
    • c3_4_2
    • ensure_sctp_is_disabled
  • Resource: Class['cem_linux::utils::network::disable_sctp']

3.5.1.1 - Ensure firewalld is installed

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.1.1
    • c3_5_1_1
    • ensure_firewalld_is_installed
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.1.2 - Ensure iptables-services not installed with firewalld

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.1.2
    • c3_5_1_2
    • ensure_iptables_services_not_installed_with_firewalld
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.1.3 - Ensure nftables either not installed or masked with firewalld

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.1.3
    • c3_5_1_3
    • ensure_nftables_either_not_installed_or_masked_with_firewalld
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.1.4 - Ensure firewalld service enabled and running

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.1.4
    • c3_5_1_4
    • ensure_firewalld_service_enabled_and_running
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.1.5 - Ensure firewalld default zone is set

  • Parameters:
    • default_zone - [ Optional[String[1]] ] - Default: public
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure firewalld default zone is set":
      default_zone: "public"
  • Alternate Config IDs:
    • 3.5.1.5
    • c3_5_1_5
    • ensure_firewalld_default_zone_is_set
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.1.6 - Ensure network interfaces are assigned to appropriate zone

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.1.6
    • c3_5_1_6
    • ensure_network_interfaces_are_assigned_to_appropriate_zone
  • Resource: Class['cem_linux::utils::firewall::firewalld']

3.5.3.1.1 - Ensure iptables packages are installed

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.1.1
    • c3_5_3_1_1
    • ensure_iptables_packages_are_installed
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.1.2 - Ensure nftables is not installed with iptables

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.1.2
    • c3_5_3_1_2
    • ensure_nftables_is_not_installed_with_iptables
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.1.3 - Ensure firewalld is either not installed or masked with iptables

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.1.3
    • c3_5_3_1_3
    • ensure_firewalld_is_either_not_installed_or_masked_with_iptables
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.1 - Ensure iptables loopback traffic is configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.2.1
    • c3_5_3_2_1
    • ensure_iptables_loopback_traffic_is_configured
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.2 - Ensure iptables outbound and established connections are configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.2.2
    • c3_5_3_2_2
    • ensure_iptables_outbound_and_established_connections_are_configured
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.3 - Ensure iptables rules exist for all open ports

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.2.3
    • c3_5_3_2_3
    • ensure_iptables_rules_exist_for_all_open_ports
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.4 - Ensure iptables default deny firewall policy

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.2.4
    • c3_5_3_2_4
    • ensure_iptables_default_deny_firewall_policy
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.5 - Ensure iptables rules are saved

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.2.5
    • c3_5_3_2_5
    • ensure_iptables_rules_are_saved
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.2.6 - Ensure iptables is enabled and running

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.2.6
    • c3_5_3_2_6
    • ensure_iptables_is_enabled_and_running
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.1 - Ensure ip6tables loopback traffic is configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.3.1
    • c3_5_3_3_1
    • ensure_ip6tables_loopback_traffic_is_configured
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.2 - Ensure ip6tables outbound and established connections are configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.3.2
    • c3_5_3_3_2
    • ensure_ip6tables_outbound_and_established_connections_are_configured
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.3 - Ensure ip6tables firewall rules exist for all open ports

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.3.3
    • c3_5_3_3_3
    • ensure_ip6tables_firewall_rules_exist_for_all_open_ports
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.4 - Ensure ip6tables default deny firewall policy

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.3.4
    • c3_5_3_3_4
    • ensure_ip6tables_default_deny_firewall_policy
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.5 - Ensure ip6tables rules are saved

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.3.5
    • c3_5_3_3_5
    • ensure_ip6tables_rules_are_saved
  • Resource: Class['cem_linux::utils::firewall::iptables']

3.5.3.3.6 - Ensure ip6tables is enabled and running

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 3.5.3.3.6
    • c3_5_3_3_6
    • ensure_ip6tables_is_enabled_and_running
  • Resource: Class['cem_linux::utils::firewall::iptables']

4.1.1.1 - Ensure auditd is installed

  • Parameters:
    • package - [ Array ] - Default: ["audit", "audit-libs"]
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure auditd is installed":
      package: ["audit", "audit-libs"]
  • Alternate Config IDs:
    • 4.1.1.1
    • c4_1_1_1
    • ensure_auditd_is_installed
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.1.2 - Ensure auditd service is enabled and running

  • Parameters:
    • service - [ String[1] ] - Default: auditd
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure auditd service is enabled and running":
      service: "auditd"
  • Alternate Config IDs:
    • 4.1.1.2
    • c4_1_1_2
    • ensure_auditd_service_is_enabled_and_running
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.1.3 - Ensure auditing for processes that start prior to auditd is enabled

  • Parameters:
    • enable_auditd - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure auditing for processes that start prior to auditd is enabled":
      enable_auditd: true
  • Alternate Config IDs:
    • 4.1.1.3
    • c4_1_1_3
    • ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled
  • Resource: Class['cem_linux::utils::bootloader::grub2']

4.1.2.1 - Ensure audit log storage size is configured

  • Parameters:
    • max_log_file - [ Integer[0] ] - Default: 8
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure audit log storage size is configured":
      max_log_file: 8
  • Alternate Config IDs:
    • 4.1.2.1
    • c4_1_2_1
    • ensure_audit_log_storage_size_is_configured
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.2.2 - Ensure audit logs are not automatically deleted

  • Parameters:
    • max_log_file_action - [ Enum["keep_logs", "rotate", "ignore", "syslog", "suspend"] ] - Default: keep_logs
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure audit logs are not automatically deleted":
      max_log_file_action: "keep_logs"
  • Alternate Config IDs:
    • 4.1.2.2
    • c4_1_2_2
    • ensure_audit_logs_are_not_automatically_deleted
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.2.3 - Ensure system is disabled when audit logs are full

  • Parameters:
    • space_left_action - [ Enum["ignore", "syslog", "email", "suspend", "single", "halt"] ] - Default: halt
    • admin_space_left_action - [ Enum["ignore", "syslog", "email", "suspend", "single", "halt"] ] - Default: halt
    • action_mail_acct - [ String[1] ] - Default: root
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure system is disabled when audit logs are full":
      space_left_action: "halt"
      admin_space_left_action: "halt"
      action_mail_acct: "root"
  • Alternate Config IDs:
    • 4.1.2.3
    • c4_1_2_3
    • ensure_system_is_disabled_when_audit_logs_are_full
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.2.4 - Ensure audit_backlog_limit is sufficient

  • Parameters:
    • audit_backlog_limit - [ Integer ] - Default: 8192
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure audit_backlog_limit is sufficient":
      audit_backlog_limit: 8192
  • Alternate Config IDs:
    • 4.1.2.4
    • c4_1_2_4
    • ensure_audit_backlog_limit_is_sufficient
  • Resource: Class['cem_linux::utils::bootloader::grub2']

4.1.3 - Ensure events that modify date and time information are collected

  • Parameters:
    • audit_time_change - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure events that modify date and time information are collected":
      audit_time_change: true
  • Alternate Config IDs:
    • 4.1.3
    • c4_1_3
    • ensure_events_that_modify_date_and_time_information_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.4 - Ensure events that modify user/group information are collected

  • Parameters:
    • audit_usergroup_modification - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure events that modify user/group information are collected":
      audit_usergroup_modification: true
  • Alternate Config IDs:
    • 4.1.4
    • c4_1_4
    • ensure_events_that_modify_usergroup_information_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.5 - Ensure events that modify the system's network environment are collected

  • Parameters:
    • audit_network_environment - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure events that modify the system's network environment are collected":
      audit_network_environment: true
  • Alternate Config IDs:
    • 4.1.5
    • c4_1_5
    • ensure_events_that_modify_the_systems_network_environment_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.6 - Ensure events that modify the system's Mandatory Access Controls are collected

  • Parameters:
    • audit_mac_modification - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure events that modify the system's Mandatory Access Controls are collected":
      audit_mac_modification: true
  • Alternate Config IDs:
    • 4.1.6
    • c4_1_6
    • ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.7 - Ensure login and logout events are collected

  • Parameters:
    • audit_login_logout - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure login and logout events are collected":
      audit_login_logout: true
  • Alternate Config IDs:
    • 4.1.7
    • c4_1_7
    • ensure_login_and_logout_events_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.8 - Ensure session initiation information is collected

  • Parameters:
    • audit_session_initiation - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure session initiation information is collected":
      audit_session_initiation: true
  • Alternate Config IDs:
    • 4.1.8
    • c4_1_8
    • ensure_session_initiation_information_is_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.9 - Ensure discretionary access control permission modification events are collected

  • Parameters:
    • audit_dac_modification - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure discretionary access control permission modification events are collected":
      audit_dac_modification: true
  • Alternate Config IDs:
    • 4.1.9
    • c4_1_9
    • ensure_discretionary_access_control_permission_modification_events_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.10 - Ensure unsuccessful unauthorized file access attempts are collected

  • Parameters:
    • audit_unauthorized_file_access - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure unsuccessful unauthorized file access attempts are collected":
      audit_unauthorized_file_access: true
  • Alternate Config IDs:
    • 4.1.10
    • c4_1_10
    • ensure_unsuccessful_unauthorized_file_access_attempts_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.11 - Ensure use of privileged commands is collected

  • Parameters:
    • audit_privileged_commands - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure use of privileged commands is collected":
      audit_privileged_commands: true
  • Alternate Config IDs:
    • 4.1.11
    • c4_1_11
    • ensure_use_of_privileged_commands_is_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.12 - Ensure successful file system mounts are collected

  • Parameters:
    • audit_file_system_mounts - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure successful file system mounts are collected":
      audit_file_system_mounts: true
  • Alternate Config IDs:
    • 4.1.12
    • c4_1_12
    • ensure_successful_file_system_mounts_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.13 - Ensure file deletion events by users are collected

  • Parameters:
    • audit_file_deletion_events - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure file deletion events by users are collected":
      audit_file_deletion_events: true
  • Alternate Config IDs:
    • 4.1.13
    • c4_1_13
    • ensure_file_deletion_events_by_users_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.14 - Ensure changes to system administration scope (sudoers) is collected

  • Parameters:
    • audit_sudoers_modification - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure changes to system administration scope (sudoers) is collected":
      audit_sudoers_modification: true
  • Alternate Config IDs:
    • 4.1.14
    • c4_1_14
    • ensure_changes_to_system_administration_scope_sudoers_is_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.15 - Ensure system administrator command executions (sudo) are collected

  • Parameters:
    • audit_sudo_actions - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure system administrator command executions (sudo) are collected":
      audit_sudo_actions: true
  • Alternate Config IDs:
    • 4.1.15
    • c4_1_15
    • ensure_system_administrator_command_executions_sudo_are_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.16 - Ensure kernel module loading and unloading is collected

  • Parameters:
    • audit_kernel_module_loading - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure kernel module loading and unloading is collected":
      audit_kernel_module_loading: true
  • Alternate Config IDs:
    • 4.1.16
    • c4_1_16
    • ensure_kernel_module_loading_and_unloading_is_collected
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.1.17 - Ensure the audit configuration is immutable

  • Parameters:
    • set_immutable_configuration - [ Boolean ] - Default: true
  • Supported Levels:
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure the audit configuration is immutable":
      set_immutable_configuration: true
  • Alternate Config IDs:
    • 4.1.17
    • c4_1_17
    • ensure_the_audit_configuration_is_immutable
  • Resource: Class['cem_linux::utils::packages::linux::auditd']

4.2.1.1 - Ensure rsyslog is installed

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 4.2.1.1
    • c4_2_1_1
    • ensure_rsyslog_is_installed
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.1.2 - Ensure rsyslog Service is enabled and running

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 4.2.1.2
    • c4_2_1_2
    • ensure_rsyslog_service_is_enabled_and_running
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.1.3 - Ensure rsyslog default file permissions configured

  • Parameters:
    • filecreatemode - [ Optional[String] ] - Default: 0640
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure rsyslog default file permissions configured":
      filecreatemode: "0640"
  • Alternate Config IDs:
    • 4.2.1.3
    • c4_2_1_3
    • ensure_rsyslog_default_file_permissions_configured
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.1.4 - Ensure logging is configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 4.2.1.4
    • c4_2_1_4
    • ensure_logging_is_configured
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.1.5 - Ensure rsyslog is configured to send logs to a remote log host

  • Parameters:
    • remote_log_host - [ Optional[Variant[Stdlib::IP::Address, String[1], Array[Struct[{service=>String[1], host=>Variant[Stdlib::IP::Address, String[1]]}]]]] ] - Default: undef
    • tcp_port - [ Optional[Integer] ] - Default: 514
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure rsyslog is configured to send logs to a remote log host":
      remote_log_host: <<Type Variant[Stdlib::IP::Address, String[1], Array[Struct[{service=>String[1], host=>Variant[Stdlib::IP::Address, String[1]]}]]]>>
      tcp_port: 514
  • Alternate Config IDs:
    • 4.2.1.5
    • c4_2_1_5
    • ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.1.6 - Ensure remote rsyslog messages are only accepted on designated log hosts.

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 4.2.1.6
    • c4_2_1_6
    • ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts
  • Resource: Class['cem_linux::utils::packages::linux::rsyslog']

4.2.2.1 - Ensure journald is configured to send logs to rsyslog

  • Parameters:
    • forward_to_syslog - [ Optional[Variant[Boolean, Stdlib::Yes_no]] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure journald is configured to send logs to rsyslog":
      forward_to_syslog: true
  • Alternate Config IDs:
    • 4.2.2.1
    • c4_2_2_1
    • ensure_journald_is_configured_to_send_logs_to_rsyslog
  • Resource: Class['cem_linux::utils::services::systemd::journald']

4.2.2.2 - Ensure journald is configured to compress large log files

  • Parameters:
    • compress_large_files - [ Optional[Variant[Boolean, Stdlib::Yes_no]] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure journald is configured to compress large log files":
      compress_large_files: true
  • Alternate Config IDs:
    • 4.2.2.2
    • c4_2_2_2
    • ensure_journald_is_configured_to_compress_large_log_files
  • Resource: Class['cem_linux::utils::services::systemd::journald']

4.2.2.3 - Ensure journald is configured to write logfiles to persistent disk

  • Parameters:
    • persistent_storage - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure journald is configured to write logfiles to persistent disk":
      persistent_storage: true
  • Alternate Config IDs:
    • 4.2.2.3
    • c4_2_2_3
    • ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
  • Resource: Class['cem_linux::utils::services::systemd::journald']

4.2.3 - Ensure permissions on all logfiles are configured

  • Parameters:
    • mode - [ Stdlib::Filemode ] - Default: 0640
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on all logfiles are configured":
      mode: "0640"
  • Alternate Config IDs:
    • 4.2.3
    • c4_2_3
    • ensure_permissions_on_all_logfiles_are_configured
  • Resource: Class['cem_linux::utils::chmod_logfiles']

4.2.4 - Ensure logrotate is configured

  • Parameters:
    • No parameters
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Alternate Config IDs:
    • 4.2.4
    • c4_2_4
    • ensure_logrotate_is_configured
  • Resource: Class['cem_linux::utils::packages::linux::logrotate']

5.1.1 - Ensure cron daemon is enabled and running

  • Parameters:
    • manage_package - [ Optional[Boolean] ] - Default: true
    • manage_service - [ Optional[Boolean] ] - Default: true
    • cron_allow_path - [ Optional[Stdlib::AbsolutePath] ] - Default: /etc/cron.allow
    • purge_cron_deny - [ Optional[Boolean] ] - Default: true
    • manage_cron_allow - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure cron daemon is enabled and running":
      manage_package: true
      manage_service: true
      cron_allow_path: "/etc/cron.allow"
      purge_cron_deny: true
      manage_cron_allow: true
  • Alternate Config IDs:
    • 5.1.1
    • c5_1_1
    • ensure_cron_daemon_is_enabled_and_running
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.2 - Ensure permissions on /etc/crontab are configured

  • Parameters:
    • set_crontab_perms - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/crontab are configured":
      set_crontab_perms: true
  • Alternate Config IDs:
    • 5.1.2
    • c5_1_2
    • ensure_permissions_on_etccrontab_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.3 - Ensure permissions on /etc/cron.hourly are configured

  • Parameters:
    • set_hourly_cron_perms - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.hourly are configured":
      set_hourly_cron_perms: true
  • Alternate Config IDs:
    • 5.1.3
    • c5_1_3
    • ensure_permissions_on_etccron_hourly_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.4 - Ensure permissions on /etc/cron.daily are configured

  • Parameters:
    • set_daily_cron_perms - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.daily are configured":
      set_daily_cron_perms: true
  • Alternate Config IDs:
    • 5.1.4
    • c5_1_4
    • ensure_permissions_on_etccron_daily_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.5 - Ensure permissions on /etc/cron.weekly are configured

  • Parameters:
    • set_weekly_cron_perms - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.weekly are configured":
      set_weekly_cron_perms: true
  • Alternate Config IDs:
    • 5.1.5
    • c5_1_5
    • ensure_permissions_on_etccron_weekly_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.6 - Ensure permissions on /etc/cron.monthly are configured

  • Parameters:
    • set_monthly_cron_perms - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.monthly are configured":
      set_monthly_cron_perms: true
  • Alternate Config IDs:
    • 5.1.6
    • c5_1_6
    • ensure_permissions_on_etccron_monthly_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.7 - Ensure permissions on /etc/cron.d are configured

  • Parameters:
    • set_cron_d_perms - [ Optional[Boolean] ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.d are configured":
      set_cron_d_perms: true
  • Alternate Config IDs:
    • 5.1.7
    • c5_1_7
    • ensure_permissions_on_etccron_d_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.8 - Ensure cron is restricted to authorized users

  • Parameters:
    • cron_allowlist - [ Optional[Array[String[1]]] ] - Default: ["root"]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure cron is restricted to authorized users":
      cron_allowlist: ["root"]
  • Alternate Config IDs:
    • 5.1.8
    • c5_1_8
    • ensure_cron_is_restricted_to_authorized_users
  • Resource: Class['cem_linux::utils::packages::linux::cron']

5.1.9 - Ensure at is restricted to authorized users

  • Parameters:
    • at_allowlist - [ Optional[Array[String[1]]] ] - Default: ["root"]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure at is restricted to authorized users":
      at_allowlist: ["root"]
  • Alternate Config IDs:
    • 5.1.9
    • c5_1_9
    • ensure_at_is_restricted_to_authorized_users
  • Resource: Class['cem_linux::utils::packages::linux::at']

5.2.1 - Ensure sudo is installed

  • Parameters:
    • package_ensure - [ Optional[Enum['installed', 'latest', 'absent']] ] - Default: installed
    • package_name - [ Optional[String[1]] ] - Default: sudo
    • sudoers_path - [ Optional[Stdlib::UnixPath] ] - Default: /etc/sudoers
    • sudoers_d_path - [ Optional[Stdlib::UnixPath] ] - Default: /etc/sudoers.d
    • defaults - [ Optional[Hash[String[1], Optional[String]]] ] - Default: undef
    • drop_ins - [ Optional[Hash[String[1], Struct[{user_group=>Optional[Variant[String[1], Array[String[1]]]], host=>Optional[String[1]], target_users=>Optional[Variant[String[1], Array[String[1]]]], priority=>Optional[Integer], commands=>Optional[Variant[Enum['ALL'], Array[String[1]]]], options=>Optional[Array[String[1]]], file_name=>Optional[String[1]]}]]] ] - Default: undef
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure sudo is installed":
      package_ensure: "installed"
      package_name: "sudo"
      sudoers_path: "/etc/sudoers"
      sudoers_d_path: "/etc/sudoers.d"
      defaults: <<Type Hash[String[1], Optional[String]]>>
      drop_ins: <<Type Hash[String[1], Struct[{user_group=>Optional[Variant[String[1], Array[String[1]]]], host=>Optional[String[1]], target_users=>Optional[Variant[String[1], Array[String[1]]]], priority=>Optional[Integer], commands=>Optional[Variant[Enum['ALL'], Array[String[1]]]], options=>Optional[Array[String[1]]], file_name=>Optional[String[1]]}]]>>
  • Alternate Config IDs:
    • 5.2.1
    • c5_2_1
    • ensure_sudo_is_installed
  • Resource: Class['cem_linux::utils::packages::linux::sudo']

5.2.2 - Ensure sudo commands use pty

  • Parameters:
    • sudoers_path - [ String[1] ] - Default: /etc/sudoers
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure sudo commands use pty":
      sudoers_path: "/etc/sudoers"
  • Alternate Config IDs:
    • 5.2.2
    • c5_2_2
    • ensure_sudo_commands_use_pty
  • Resource: Cem_linux::Utils::Packages::Linux::Sudo::Sudoers_default['use_pty']

5.2.3 - Ensure sudo log file exists

  • Parameters:
    • sudoers_path - [ String[1] ] - Default: /etc/sudoers
    • value - [ Optional[Variant[String[1], Array[String[1]]]] ] - Default: /var/log/sudo.log
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure sudo log file exists":
      sudoers_path: "/etc/sudoers"
      value: "/var/log/sudo.log"
  • Alternate Config IDs:
    • 5.2.3
    • c5_2_3
    • ensure_sudo_log_file_exists
  • Resource: Cem_linux::Utils::Packages::Linux::Sudo::Sudoers_default['logfile']

5.3.1 - Ensure permissions on /etc/ssh/sshd_config are configured

  • Parameters:
    • enforce_sshd_config_perms - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on /etc/ssh/sshd_config are configured":
      enforce_sshd_config_perms: true
  • Alternate Config IDs:
    • 5.3.1
    • c5_3_1
    • ensure_permissions_on_etcsshsshd_config_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.2 - Ensure permissions on SSH private host key files are configured

  • Parameters:
    • enforce_pri_host_key_perms - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on SSH private host key files are configured":
      enforce_pri_host_key_perms: true
  • Alternate Config IDs:
    • 5.3.2
    • c5_3_2
    • ensure_permissions_on_ssh_private_host_key_files_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.3 - Ensure permissions on SSH public host key files are configured

  • Parameters:
    • enforce_pub_host_key_perms - [ Boolean ] - Default: true
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure permissions on SSH public host key files are configured":
      enforce_pub_host_key_perms: true
  • Alternate Config IDs:
    • 5.3.3
    • c5_3_3
    • ensure_permissions_on_ssh_public_host_key_files_are_configured
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.4 - Ensure SSH access is limited

  • Parameters:
    • allow_users - [ Optional[Array[String[1]]] ] - Default: undef
    • allow_groups - [ Optional[Array[String[1]]] ] - Default: undef
    • deny_users - [ Optional[Array[String[1]]] ] - Default: undef
    • deny_groups - [ Optional[Array[String[1]]] ] - Default: undef
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH access is limited":
      allow_users: <<Type Array[String[1]]>>
      allow_groups: <<Type Array[String[1]]>>
      deny_users: <<Type Array[String[1]]>>
      deny_groups: <<Type Array[String[1]]>>
  • Alternate Config IDs:
    • 5.3.4
    • c5_3_4
    • ensure_ssh_access_is_limited
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.5 - Ensure SSH LogLevel is appropriate

  • Parameters:
    • log_level - [ Optional[Enum['INFO', 'VERBOSE']] ] - Default: INFO
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH LogLevel is appropriate":
      log_level: "INFO"
  • Alternate Config IDs:
    • 5.3.5
    • c5_3_5
    • ensure_ssh_loglevel_is_appropriate
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.6 - Ensure SSH X11 forwarding is disabled

  • Parameters:
    • x11_forwarding - [ Optional[Enum['yes', 'no']] ] - Default: no
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • workstation
    • server
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH X11 forwarding is disabled":
      x11_forwarding: "no"
  • Alternate Config IDs:
    • 5.3.6
    • c5_3_6
    • ensure_ssh_x11_forwarding_is_disabled
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.7 - Ensure SSH MaxAuthTries is set to 4 or less

  • Parameters:
    • max_auth_tries - [ Optional[Integer] ] - Default: 4
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH MaxAuthTries is set to 4 or less":
      max_auth_tries: 4
  • Alternate Config IDs:
    • 5.3.7
    • c5_3_7
    • ensure_ssh_maxauthtries_is_set_to_4_or_less
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.8 - Ensure SSH IgnoreRhosts is enabled

  • Parameters:
    • ignore_rhosts - [ Optional[Enum['yes', 'no']] ] - Default: yes
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH IgnoreRhosts is enabled":
      ignore_rhosts: "yes"
  • Alternate Config IDs:
    • 5.3.8
    • c5_3_8
    • ensure_ssh_ignorerhosts_is_enabled
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.9 - Ensure SSH HostbasedAuthentication is disabled

  • Parameters:
    • host_based_authentication - [ Optional[Enum['yes', 'no']] ] - Default: no
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH HostbasedAuthentication is disabled":
      host_based_authentication: "no"
  • Alternate Config IDs:
    • 5.3.9
    • c5_3_9
    • ensure_ssh_hostbasedauthentication_is_disabled
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.10 - Ensure SSH root login is disabled

  • Parameters:
    • permit_root_login - [ Optional[Enum['yes', 'no', 'without-password', 'forced-commands-only']] ] - Default: no
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH root login is disabled":
      permit_root_login: "no"
  • Alternate Config IDs:
    • 5.3.10
    • c5_3_10
    • ensure_ssh_root_login_is_disabled
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.11 - Ensure SSH PermitEmptyPasswords is disabled

  • Parameters:
    • permit_empty_passwords - [ Optional[Enum['yes', 'no']] ] - Default: no
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH PermitEmptyPasswords is disabled":
      permit_empty_passwords: "no"
  • Alternate Config IDs:
    • 5.3.11
    • c5_3_11
    • ensure_ssh_permitemptypasswords_is_disabled
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.12 - Ensure SSH PermitUserEnvironment is disabled

  • Parameters:
    • permit_user_environment - [ Optional[Enum['yes', 'no']] ] - Default: no
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH PermitUserEnvironment is disabled":
      permit_user_environment: "no"
  • Alternate Config IDs:
    • 5.3.12
    • c5_3_12
    • ensure_ssh_permituserenvironment_is_disabled
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.13 - Ensure only strong Ciphers are used

  • Parameters:
    • ciphers - [ Optional[Array[String[1]]] ] - Default: ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure only strong Ciphers are used":
      ciphers: ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]
  • Alternate Config IDs:
    • 5.3.13
    • c5_3_13
    • ensure_only_strong_ciphers_are_used
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.14 - Ensure only strong MAC algorithms are used

  • Parameters:
    • macs - [ Optional[Array[String[1]]] ] - Default: ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256"]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure only strong MAC algorithms are used":
      macs: ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256"]
  • Alternate Config IDs:
    • 5.3.14
    • c5_3_14
    • ensure_only_strong_mac_algorithms_are_used
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.15 - Ensure only strong Key Exchange algorithms are used

  • Parameters:
    • kex_algorithms - [ Optional[Array[String[1]]] ] - Default: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"]
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure only strong Key Exchange algorithms are used":
      kex_algorithms: ["curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "ecdh-sha2-nistp521", "ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"]
  • Alternate Config IDs:
    • 5.3.15
    • c5_3_15
    • ensure_only_strong_key_exchange_algorithms_are_used
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.16 - Ensure SSH Idle Timeout Interval is configured

  • Parameters:
    • client_alive_interval - [ Optional[Integer] ] - Default: 300
    • client_alive_count_max - [ Optional[Integer] ] - Default: 0
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH Idle Timeout Interval is configured":
      client_alive_interval: 300
      client_alive_count_max: 0
  • Alternate Config IDs:
    • 5.3.16
    • c5_3_16
    • ensure_ssh_idle_timeout_interval_is_configured
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.17 - Ensure SSH LoginGraceTime is set to one minute or less

  • Parameters:
    • login_grace_time - [ Optional[Integer] ] - Default: 60
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH LoginGraceTime is set to one minute or less":
      login_grace_time: 60
  • Alternate Config IDs:
    • 5.3.17
    • c5_3_17
    • ensure_ssh_logingracetime_is_set_to_one_minute_or_less
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.18 - Ensure SSH warning banner is configured

  • Parameters:
    • banner - [ Optional[Stdlib::AbsolutePath] ] - Default: /etc/issue.net
  • Supported Levels:
    • level_1
    • level_2
  • Supported Profiles:
    • server
    • workstation
  • Hiera Configuration Example:
puppetlabs-cem_linux::config:
  control_configs:
    "Ensure SSH warning banner is configured":
      banner: "/etc/issue.net"
  • Alternate Config IDs:
    • 5.3.18
    • c5_3_18
    • ensure_ssh_warning_banner_is_configured
  • Resource: Class['cem_linux::utils::packages::linux::ssh']

5.3.19 - Ensure SSH PAM is enabled