Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet > 6.24 < 8.0.0
- , , , , , , , , , ,
Tasks:
- backup_assessor
- ciscat_scan
This module is licensed for use with Puppet Enterprise. You may also evaluate this module for up to 90 days.Learn More
Start using this module
Add this module to your Puppetfile:
mod 'puppetlabs-comply', '2.17.1'Learn more about managing modules with a PuppetfileDocumentation
Puppet Comply
Puppet Comply is a tool that assesses the infrastructure you manage with Puppet Enterprise against CIS Benchmarks — the best practices for securely configuring systems from the Center for Internet Security (CIS).
Installing
This Module is required by the Puppet Comply product and should only be used as per the complete install instructions
There are two workflows for using the Comply module:
Using Replicated to host the Assessor
This is the default recommend workflow for using Comply. Comply hosts a copy of the latest Assessor. This path enables you to configure once, and allow Comply to easily upgrade your Assessor when you do a product upgrade. You can configure the service hosting the Assessor via KOTS to use certificates generated on your PE instance. Then, mutual TLS enables a secure authenticated between your nodes and Comply.
To generate the certificates on your PE instance, run the following:
[root@pe-instance-01 ~]# puppetserver ca generate --certname comply.10.234.4.193.nip.io
Successfully saved private key for comply.10.234.4.193.nip.io to /etc/puppetlabs/puppet/ssl/private_keys/comply.10.234.4.193.nip.io.pem
Successfully saved public key for comply.10.234.4.193.nip.io to /etc/puppetlabs/puppet/ssl/public_keys/comply.10.234.4.193.nip.io.pem
Successfully submitted certificate request for comply.10.234.4.193.nip.io
Successfully saved certificate for comply.10.234.4.193.nip.io to /etc/puppetlabs/puppet/ssl/certs/comply.10.234.4.193.nip.io.pem
Certificate for comply.10.234.4.193.nip.io was autosigned.
Then copy the ca.pem, public certificate and private key for your Comply instance to the KOTS config. Once deployed, the service will now be accessible to your nodes.
In order to keep you up to date, the version of the Assessor is embedded in the module. As such, when doing an upgrade of the Comply product, you should ensure that you have upgraded the module beforehand.
Using a privately hosted file
Alternatively, you can host the file privately elsewhere. If you choose this method, then use scanner_source parameter with the comply class. You may also need to disable the use_mtls paramter too. The version of the Assessor is inferred from the file name so for example if your scanner_source value was https://files.company.net/assessors/Assessor-CLI-v4.6.0.zip, Comply would infer this as being version 4.6.0 of the Assessor.
Configuration
By default, Comply will install various dependencies required in order for the module and the CIS Assessor to function. Should you wish to configure what Comply manages, see the reference for more details.
Obtaining the Product
Please get in touch with a Puppet Representative
Running Acceptance Tests
bundle exec rake litmus:tear_down;
bundle exec rake litmus:provision_list[release_checks]; #reduce hosts in provision.yaml if required
bundle exec rake litmus:install_agent[puppet7];
bundle exec rake litmus:install_module;
bundle exec rake litmus:acceptance:parallel; #bundle exec rake litmus:acceptance:rid-fraternity.delivery.puppetlabs.net
Reference
Table of Contents
Classes
comply: Installs the CIS Assessor.comply::scanners::ciscat: Installs the CIS Assessor along with required dependencies.
Functions
module_version: Gets Comply module versionrandom_string: Generates a random hex stringrandom_uuid: Generates a random uuidreport_errors: Returns error details
Returns error details
Data types
Comply::Url: Comply url
Comply url
Tasks
backup_assessor: Backup operations for the assessor, used for upgrades.ciscat_scan: Run a ciscat scan and upload to comply server.
Classes
comply
Installs the CIS Assessor.
Examples
Use defaults
include comply
Basic example
class { 'comply':
allow_insecure => false
}
Parameters
The following parameters are available in the comply class:
allow_insecuremanage_chocolateylinux_manage_unzipwin_manage_7zipmanage_javascanner_sourcescanner_source_linuxscanner_source_macscanner_source_windowsscanner_checksum_linuxscanner_checksum_macscanner_checksum_windowsscanner_versionuse_mtlswindows_manage_wgetassessor_download_tokenlimits
allow_insecure
Data type: Boolean
Enables skipping of certificate validation when the scanner_source parameter is specified.
Default value: false
manage_chocolatey
Data type: Boolean
Manage chocolatey in this module for installing packages and allows for 7zip to install with archive, requires chocolatey as the package provider
Default value: true
linux_manage_unzip
Data type: Boolean
Determines if this module should manage the installation of unzip on Linux
Default value: true
win_manage_7zip
Data type: Boolean
Determines if this module should manage the installation of 7zip on windows, requires chocolatey as the package provider.
Default value: false
manage_java
Data type: Boolean
Determines if this module should manage the installation of java Note: This param is DEPRECATED and will be removed in a subsequent version.
Default value: true
scanner_source
Data type: Optional[Stdlib::Filesource]
The URL to the location of a specific Assessor distribution within comply This may be specified as a source attribute of a file resource
In the Puppet Comply application config, if you specified "We want to access the assessor through our ingress controller",
then set this value to https://PE TLS FQDN/assessor, otherwise set this value to https://Comply Hostname:30303/assessor
Default value: undef
scanner_source_linux
Data type: Optional[Stdlib::Filesource]
The URL to the location of a specific linux bundle should the user wish to host outside of comply.
Default value: "${scanner_source}/linux"
scanner_source_mac
Data type: Optional[Stdlib::Filesource]
The URL to the location of a specific mac bundle should the user wish to host outside of comply.
Default value: "${scanner_source}/mac"
scanner_source_windows
Data type: Optional[Stdlib::Filesource]
The URL to the location of a specific windows bundle should the user wish to host outside of comply.
Default value: "${scanner_source}/windows"
scanner_checksum_linux
Data type: Optional[String]
Specify the sha256 checksum of the Linux Assessor archive provided in scanner_source.
Defaults to the checksum of the respective version of the scanner as part of Comply deployed in Puppet Application manager.
Default value: '807f5c2868b70928d66d18b5aced9381d63fcff5d1fbbdcc775e756a5d886ded'
scanner_checksum_mac
Data type: Optional[String]
Specify the sha256 checksum of the Mac Assessor archive provided in scanner_source.
Defaults to the checksum of the respective version of the scanner as part of Comply deployed in Puppet Application manager.
Default value: 'fd1f7ba6997c22b733a619b6a2b2957c7ed18654664d99efd522f344b080bc09'
scanner_checksum_windows
Data type: Optional[String]
Specify the sha256 checksum of the Windows Assessor archive provided in scanner_source.
Defaults to the checksum of the respective version of the scanner as part of Comply deployed in Puppet Application manager.
Default value: '9f09693f73bde1569c8fe4f14ea8659af219b65ba05c880dc50b48b598849746'
scanner_version
Data type: Optional[Pattern[/\d+\.\d+\.\d+/]]
Specify the version of the Assessor archive provided in scanner_source.
Defaults to the respective version of the scanner as part of Comply deployed in Puppet Application manager.
Default value: '4.34.0'
use_mtls
Data type: Boolean
Use mutual TLS authentication. Comply is configured to only accept requests from nodes with valid certificates issued with the same CA cert configured in Replicated. Ensure you have configured Comply properly using certs generated on your PE instance.
Default value: true
windows_manage_wget
Data type: Boolean
Allow Comply to manage the wget package. Required for fetching the Assessor, requires chocolatey as the package provider.
Default value: true
assessor_download_token
Data type: Optional[String]
A bearer token to be used when downloading the Assessor.
Default value: ''
limits
Data type: Optional[Hash[String[1],Hash[String[1], Integer]]]
Apply limits to the Assessor process, for example limit CPU usage. The limits parameter is a hash with the following structure: { "systemd-run" => { # Linux only if /usr/bin/systemd-run is available "CPUQuota" => 50 # Percentage of a single CPU core that the Assessor process is allowed to use, can be >100 for multiple cores. }, "nice" => { # Linux and Mac only "increment" => 10 # Increment the nice value of the Assessor process, can be negative. } }
Default value: undef
comply::scanners::ciscat
CIS CAT Pro scanner requires a JRE as a prerequisite.
Examples
Manage packages elsewhere on Linux
class { 'comply::scanners::ciscat':
scanner_source => 'https://comply.10.10.10.10.nip.io/assessor',
linux_manage_unzip => false,
}
Install the CIS Assessor when Comply is configured to access the assessor through an ingress controller
class { 'comply::scanners::ciscat':
scanner_source => 'https://pe-tls-fqdn.10.10.10.10.nip.io/assessor',
linux_manage_unzip => false,
}
Install the CIS Assessor when Comply is configured to access the assessor through a NodePort
class { 'comply::scanners::ciscat':
scanner_source => 'https://comply.10.10.10.10.nip.io:30303/assessor',
linux_manage_unzip => false,
}
Install the CIS Assessor when hosting at a user provided location
class { 'comply::scanners::ciscat':
scanner_source_linux => https://server.puppet.com/Assessor-CLI-windows-v4.26.0.zip',
scanner_source_windows => https://server.puppet.com/Assessor-CLI-linux-v4.26.0.zip',
}
Limit the Assessor process to 50% of a single CPU core on Linux.
class { 'comply::scanners::ciscat':
scanner_source => 'https://comply.10.10.10.10.nip.io/assessor',
limits => {"systemd-run" => {"CPUQuota" => 50}},
}
Increment the nice value of the Assessor process on Linux or macOS.
class { 'comply::scanners::ciscat':
scanner_source => 'https://comply.10.10.10.10.nip.io/assessor',
limits => {"nice" => {"increment" => 10}},
}
Parameters
The following parameters are available in the comply::scanners::ciscat class:
allow_insecurelinux_manage_unzipmanage_javascanner_sourcescanner_source_linuxscanner_source_macscanner_source_windowsscanner_checksum_linuxscanner_checksum_macscanner_checksum_windowsscanner_versionuse_mtlswindows_manage_wgetassessor_download_tokenlimitswin_manage_7zipmanage_chocolatey
allow_insecure
Data type: Boolean
Enables skipping of certificate validation when the scanner_source parameter is specified.
This parameter should be used only with the scanner_source parameter.
Default value: $comply::allow_insecure
linux_manage_unzip
Data type: Boolean
Determines if this module should manage the installation of unzip on Linux
Default value: $comply::linux_manage_unzip
manage_java
Data type: Boolean
Determines if this module should manage the installation of java Note: This param is DEPRECATED and will be removed in a subsequent version.
Default value: $comply::manage_java
scanner_source
Data type: Optional[Stdlib::Filesource]
The URL to the location of a specific Assessor distribution within comply This may be specified as a source attribute of a file resource
In the Puppet Comply application config, if you specified "We want to access the assessor through our ingress controller",
then set this value to https://PE TLS FQDN/assessor, otherwise set this value to https://Comply Hostname:30303/assessor
Default value: $comply::scanner_source
scanner_source_linux
Data type: Optional[Stdlib::Filesource]
The URL to the location of a specific linux bundle should the user wish to host outside of comply.
Default value: $comply::scanner_source_linux
scanner_source_mac
Data type: Optional[Stdlib::Filesource]
The URL to the location of a specific mac bundle should the user wish to host outside of comply.
Default value: $comply::scanner_source_mac
scanner_source_windows
Data type: Optional[Stdlib::Filesource]
The URL to the location of a specific windows bundle should the user wish to host outside of comply.
Default value: $comply::scanner_source_windows
scanner_checksum_linux
Data type: Optional[String]
Specify the sha256 checksum of the Linux Assessor archive provided in scanner_source.
Defaults to the checksum of the respective version of the scanner as part of Comply deployed in Puppet Application manager.
Default value: $comply::scanner_checksum_linux
scanner_checksum_mac
Data type: Optional[String]
Specify the sha256 checksum of the Mac Assessor archive provided in scanner_source.
Defaults to the checksum of the respective version of the scanner as part of Comply deployed in Puppet Application manager.
Default value: $comply::scanner_checksum_mac
scanner_checksum_windows
Data type: Optional[String]
Specify the sha256 checksum of the Windows Assessor archive provided in scanner_source.
Defaults to the checksum of the respective version of the scanner as part of Comply deployed in Puppet Application manager.
Default value: $comply::scanner_checksum_windows
scanner_version
Data type: Optional[Pattern[/\d+\.\d+\.\d+/]]
Specify the version of the Assessor archive provided in scanner_source.
Defaults to the respective version of the scanner as part of Comply deployed in Puppet Application manager.
Default value: $comply::scanner_version
use_mtls
Data type: Boolean
Use mutual TLS authentication. Comply is configured to only accept requests from nodes with valid certificates issued with the same CA cert configured in Replicated. Ensure you have configured Comply properly using certs generated on your PE instance.
Default value: $comply::use_mtls
windows_manage_wget
Data type: Boolean
Allow Comply to manage the wget package. Required for fetching the Assessor.
Default value: $comply::windows_manage_wget
assessor_download_token
Data type: Optional[String]
A bearer token to be used when downloading the Assessor.
Default value: $comply::assessor_download_token
limits
Data type: Optional[Hash[String[1],Hash[String[1], Integer]]]
Apply limits to the Assessor process, for example limit CPU usage. The limits parameter is a hash with the following structure: { "systemd-run" => { # Linux only if /usr/bin/systemd-run is available "CPUQuota" => 50 # Percentage of a single CPU core that the Assessor process is allowed to use, can be >100 for multiple cores. }, "nice" => { # Linux and Mac only "increment" => 10 # Increment the nice value of the Assessor process, can be negative. } }
Default value: $comply::limits
win_manage_7zip
Data type: Boolean
Default value: $comply::win_manage_7zip
manage_chocolatey
Data type: Boolean
Default value: $comply::manage_chocolatey
Functions
module_version
Type: Ruby 4.x API
Gets Comply module version
module_version()
The module_version function.
Returns: String Comply module version
random_string
Type: Ruby 4.x API
Generates a random hex string
random_string()
The random_string function.
Returns: String Random hex string
random_uuid
Type: Ruby 4.x API
Generates a random uuid
random_uuid()
The random_uuid function.
Returns: String Random uuid
report_errors
Type: Ruby 4.x API
Returns error details
Returns error details
Examples
report_erros('[a, hash, of, errors]', true)
report_errors(ResultSet $error_hash, Optional[Boolean] $allow_exit_code2)
The report_errors function.
Returns: String Returns error string
Examples
report_erros('[a, hash, of, errors]', true)
error_hash
Data type: ResultSet
allow_exit_code2
Data type: Optional[Boolean]
Data types
Comply::Url
Comply url
Comply url
Alias of
Variant[Array[Stdlib::HTTPUrl], Stdlib::HTTPUrl]
Tasks
backup_assessor
Backup operations for the assessor, used for upgrades.
Supports noop? false
Parameters
operation
Data type: Enum[create,delete,restore]
Allows create / delete / restore backups of the assessor.
ciscat_scan
Run a ciscat scan and upload to comply server.
Supports noop? false
Parameters
benchmark
Data type: Optional[String[1]]
Name of the benchmark file to run with the scan. Mutually exclusive with scan_hash.
comply_server
Data type: String[1]
Name of the FQDB comply server to upload to. NB passing 'nil' will prevent the upload
comply_port
Data type: String[1]
Port used from comply server.
custom_profile_id
Data type: Optional[Integer[1]]
A given custom_profile_id to be used for scans to have a custom profile applied.
debug
Data type: Optional[Boolean]
Runs the scan with debug options turned on.
profile
Data type: Optional[String[1]]
Name of the profile to run with the scan. This will use the default profile for that benchmark, if not specified.
scan_hash
Data type: Optional[String[1]]
JSON struct in string format of benchmarks/profiles and their machine names. Mutually exclusive with scan_hash.
scan_type
Data type: Optional[Enum['ad hoc','scheduled']]
The type of scan to be performed, ad hoc or scheduled.
ssl_verify_mode
Data type: Optional[Enum['none','peer']]
The SSL verify mode to use
scan_id
Data type: Optional[String[1]]
An id given to the scan that is about to be run
auth_token
Data type: Optional[String[1]]
A bearer token to be used when uploading scan reports (currently only used in SaaS deployment)
scan_report_upload_path
Data type: Optional[String[1]]
The path to which scan reports will be uploaded
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v2.17.1 (2023-11-08)
Added
v2.17.0 (2023-10-11)
Added
- (CISC-6127) Update for Assessor 4.34.0 #535 (ComplianceService)
v2.16.0 (2023-09-18)
Added
- (CISC-3313-2) Update for Assessor 4.33.0 #528 (ComplianceService)
async (2023-09-13)
v2.15.0 (2023-08-01)
Added
- (CISC-3312) Update for Assessor 4.32.0 #525 (ComplianceService)
v2.14.0 (2023-06-19)
Added
- (CISC-3302) Update for Assessor 4.30.0 #520 (ComplianceService)
v2.13.0 (2023-04-24)
Added
- (CISC-2338) pass command as string if puppet version does not support arrays #510 (cliveweir)
- (CISC-3215) Assessor 4.28.0 #508 (seamymckenna)
v2.12.0 (2023-03-13)
Added
- (CISC-3077-licence-update) Update for Assessor 4.27.0 #503 (ComplianceService)
- (CISC-3017) Use Linux embedded JAVA #498 (seamymckenna)
- (CISC-2951) Use Windows embedded JAVA #492 (seamymckenna)
- (CISC-2992) Update for Assessor 4.26.0 #489 (ComplianceService)
v2.11.1 (2023-02-14)
v2.11.0 (2023-01-23)
Added
- (CISC-2783) Replace theq with redis #484 (seamymckenna)
- (CISC-2963) Checksum change folllowing sce script updates #482 (seamymckenna)
- (CISC2847) Update for Assessor 4.25.0 #480 (ComplianceService)
- report upload: compression_mode for report upload #475 (kyleterry)
Fixed
v2.10.0 (2022-12-01)
Added
- Bump chocolatey #473 (seamymckenna)
- (CISC-2828-2) Update for Assessor 4.23.0 #472 (ComplianceService)
v2.9.0 (2022-10-20)
Added
- (CISC-2787) Updates for v2.9.0 #468 (cliveweir)
- (CISC-2748) Update for Assessor 4.22.0 #467 (ComplianceService)
v2.8.0 (2022-09-08)
Added
- (CISC-2664-2) Update for Assessor 4.21.0 #461 (ComplianceService)
- Release #457 (kbrezina)
- (CMPL-102) Add optional parameter for Assessor download token #454 (danielkee)
Fixed
v2.7.0 (2022-07-08)
Added
- (CISC-2607) Update for Assessor 4.19.0 #450 (ComplianceService)
- (CMPL-77) Add support for auth token and configurable scan report upload path #449 (danielkee)
v2.6.0 (2022-06-15)
Added
- (CISC-2588) Changes for 2.6.0 release #448 (ragingra)
- (CISC-2562) Update for Assessor 4.18.0 #445 (ComplianceService)
- (CMPL-11) Remove dependency on agent certs #441 (danielkee)
v2.5.0 (2022-05-05)
Added
- Changes for 2.5.0 release #440 (kbrezina)
- Changes for 2.5.0 release #438 (kbrezina)
- (maint) Update java version requirement #434 (cliveweir)
- (CISC-2497-2) Update for Assessor 4.16.1 #433 (ComplianceService)
- (CISC-2496) Update for Assessor 4.16.1 #431 (ComplianceService)
- (CISC-2256) Create symlink for wget.exe #430 (cliveweir)
- (CISC-2380) Update for Assessor 4.15.0 #425 (ComplianceService)
v2.4.0 (2022-03-24)
v2.3.0 (2022-02-02)
Added
- (CISC-2247) Store ad hoc consistently #423 (seamymckenna)
- (CISC-2253) Update for Assessor 4.14.0 #422 (ComplianceService)
v2.2.2 (2022-01-10)
Added
- (CISC-2070) Update for Assessor 4.13.1 #420 (ComplianceService)
- (CISC-2112) 2.2.1 Release #416 (seamymckenna)
- (CISC-1004) Update for Assessor 4.13.0 #413 (ComplianceService)
- (CISC-2014) 2.2.0 Release #409 (seamymckenna)
v2.2.1 (2021-12-21)
v2.2.0 (2021-11-08)
Added
- (CISC-1805) Update Assessor to 4.11.0 #406 (seamymckenna)
- (CISC-1548) Rev assessor to version 4.9.0 and change scanner defaults. #403 (eoinmcq)
- (CISC-1467,CISC-1470) Add scanID to task #397 (cliveweir)
- (CISC-1491) Rev the assessor version to 4.8.2. #384 (eoinmcq)
- (CISC-1386) Add checksum to fix issue where assessor is not upgraded #381 (yachub)
- manage chocolatey independently and fix redhat version #378 (chrislorro)
- Retool scanner_source usage #377 (yachub)
- (CISC-1237) Add new workflow for install/upgrade of Assessor #361 (eimlav)
- (CISC-1246) Update for Assessor 4.6.0 #360 (eimlav)
- (CISC-1229) Update module dependencies #359 (eimlav)
- (CISC-1126) Add support for Windows 10 benchmarks #349 (CoMfUcIoS)
- (CISC-1174) Update for Assessor 4.4.0 #348 (eoinmcq)
- (CISC-1129) Add support for OSX benchmarks #347 (eimlav)
- (CISC-1035) Add Rake task for grabbing xccdf reports from demo env #336 (eimlav)
- (CISC-1038) Update the assessor version to 4.3.1 #335 (eoinmcq)
Fixed
UNCATEGORIZED PRS; LABEL THEM ON GITHUB
- (CISC-1296) Comply always tries to install 7-zip on Windows #373 (CoMfUcIoS)
- (CISC-1291) chdir to Assessor-CLI before running scans #366 (Sharpie)
- (CISC-1125) Fix scan task not setting custom profile id correctly #339 (eimlav)
- (CISC-1080) Fix integration tests not setting PE creds #333 (eimlav)
- Update Windows Java Package #329 (yachub)
- Move install_type flag to correct plan #323 (da-ar)
v2.1.0 (2021-10-04)
v2.0.0 (2021-08-18)
v1.0.5 (2021-06-02)
v1.0.4 (2021-05-13)
v1.0.3 (2021-03-29)
v1.0.2 (2021-02-24)
v1.0.1 (2021-01-29)
Added
- (CISC-916) allows scans to run in debug mode #306 (tphoney)
- (CISC-948) make java installation configurable for all OSes #302 (tphoney)
UNCATEGORIZED PRS; LABEL THEM ON GITHUB
- (CISC-1048) Fix linux manage unzip triggering on Windows nodes #328 (eimlav)
- Avoid package collision by using ensure_packges #308 (psreed)
v1.0.0 (2020-12-02)
Added
UNCATEGORIZED PRS; LABEL THEM ON GITHUB
- (CISC-946) adding the appropriate license file #301 (tphoney)
- (CISC-871) Add Settings table to Hasura #294 (eimlav)
v0.9.0 (2020-11-25)
Added
- (CISC-917) remove un-needed files from resultant module #290 (tphoney)
- (CISC-837) adding more OSes to scanner support #283 (tphoney)
- (CISC-762) Add docker pepper secret #275 (HelenCampbell)
- (CISC-845) remove the app_stack class #274 (tphoney)
- (CISC-780) changing to 4.0.24 of the CIS scanner #271 (tphoney)
- (CISC-734) config for secure/insecure report sending #270 (tphoney)
- (CISC-757) adding watcher to the stack #267 (tphoney)
- (CISC-733,CISC-758,CISC-759) Enable Authentication #266 (CoMfUcIoS)
- (CISC-723,CISC-726,CISC-727,CISC-729,CISC-730,CISC-731) Get gatekeeper and identity services into our stack #264 (CoMfUcIoS)
- (CISC-722) Random Password generator #262 (CoMfUcIoS)
- (CISC-743) [module] Docker secrets to store sensitive stack information #261 (CoMfUcIoS)
- (CISC-739) Update scarp api base uri. #258 (tphoney)
- (CISC-745) [module] Pass module version to UI #256 (CoMfUcIoS)
- (CISC-712) task to allow upgrades of the assessor #255 (tphoney)
- (CISC-655) move to 4.0.23 of the assessor #248 (tphoney)
- (CISC-688) Ciscat scan custom_profile_id and scan_type params #247 (HelenCampbell)
UNCATEGORIZED PRS; LABEL THEM ON GITHUB
- (CISC-893) use certname as a param when pushing reports #292 (tphoney)
- (CISC-893) use certnames not hostnames #291 (tphoney)
- (CISC-844) removing the cis scanner from the module #284 (tphoney)
- (CISC-889) pass the fqdn with the report #281 (tphoney)
- (CISC-862) [Task] task reports back to a hardcoded port. #279 (CoMfUcIoS)
- (CISC-794) Fix custom profile usage in ciscat task #268 (eimlav)
- (CISC-740) allow setting of pe tls checks in scarp #265 (tphoney)
- (CISC-744) improve error message/handing for ciscat scan #259 (tphoney)
- (CISC-747) update hasura metadata for profile_rule table #257 (tphoney)
v0.8.0 (2020-09-17)
Added
- (CISC-661,CISC-665) Add graphQL Layer into our stack, import graphql metadata into production #244 (CoMfUcIoS)
UNCATEGORIZED PRS; LABEL THEM ON GITHUB
- (CISC-683) ciscat task set java memory options, fqdn match in lowercase #249 (tphoney)
- (CISC-672) Fix path issues in script.sh #245 (eimlav)
v0.7.0 (2020-08-27)
Added
- (CISC-615) Use string for scan_hash in ciscat task #237 (HelenCampbell)
- (CISC-457) ciscat scan task allows a hash of benchmark/profile #229 (tphoney)
- (CISC-534) add assessor version fact and tests #228 (tphoney)
- (CISC-491) add release helper action #226 (maxiegit)
- (CISC-480) add more ubuntu OSes #225 (tphoney)
UNCATEGORIZED PRS; LABEL THEM ON GITHUB
- (CISC-622) Modify ciscat to negate need to reboot on Windows #238 (eimlav)
- (CISC-402) Add idempotency check for Assessor-CLI installation #235 (eimlav)
- (CISC-459) Improve error reporting when Java is not present #224 (da-ar)
- (bugfix) Fix
image_helper.shissue with Postgres image #223 (da-ar)
v0.6.0 (2020-07-17)
v0.5.1 (2020-06-15)
UNCATEGORIZED PRS; LABEL THEM ON GITHUB
v0.5.0 (2020-06-03)
Added
- (feat) Make scarp address configurable #204 (tphoney)
- (CISC-377) add extra oses to scanner matrix #199 (maxiegit)
UNCATEGORIZED PRS; LABEL THEM ON GITHUB
v0.4.0 (2020-05-27)
Added
v0.3.0 (2020-05-14)
Added
- (feat) adding postgres to the application stack #193 (tphoney)
- (CISC-292) Automate comply tar upload #185 (maxiegit)
UNCATEGORIZED PRS; LABEL THEM ON GITHUB
- (bugfix) Limit profile values in ciscat scan task #189 (tom-krieger)
v0.2.1 (2020-04-20)
Added
- (feat) initial commit, of using a single task for scanning and uploading #184 (tphoney)
- (CISC-284) Switch to change log generator #183 (maxiegit)
0.2.0 (2020-04-14)
Added
- (CISC-281) Changes for the Beta #181 (da-ar)
- Adding the terms of service #179 (tphoney)
- 🙅 Beta switch #178 (da-ar)
alpha-0.1.0 (2020-04-08)
Added
- Fix: Add mapping to Windows 2019 benchmark file #174 (kreeuwijk)
- (CISC-254) Use artifactory to get scarpy #163 (tphoney)
- (CISC-261) use pe + agent instead of upload and puppet apply #159 (maxiegit)
- Combining modules and updating code #153 (genebean)
- (feat) enable trusted external facts #145 (tphoney)
- (CISC-203) Update scan plan to find comply stack #140 (da-ar)
- (CISC-204) adding the ciscat scanner to the module #139 (tphoney)
- (CISC-203) Update Beta to allow Comply Stack to run on standalone node #138 (da-ar)
- (feat) move the comply stack to its own machine #136 (tphoney)
- (CISC-170) Add integration tests for comply UI #123 (da-ar)
- (CISC-169) Enable deployment of compliance ui stack #122 (da-ar)
- [CISC-164] Auto update scarp from artifactory #121 (maxiegit)
- (bugfix) use OS specific tempdir for scan results #120 (tphoney)
- [CISC-162] move rbac token retrieval to spec helper #118 (maxiegit)
- (CISC-141) Enable SSL verified connections #115 (da-ar)
- (CISC-139)puppet agents do not autostart, caused timing issues #113 (tphoney)
- Setup docker on PE for scarp server #102 (tphoney)
- automate the startup of scarp in docker (#95) #97 (da-ar)
- automate the startup of scarp in docker #95 (da-ar)
- Dgraph setup for the docker-compose stack #94 (tphoney)
- Send scan to scarp container #93 (tphoney)
- First attempt at getting scarp in a container #89 (tphoney)
- (CISC-111) install comply bash script #87 (Lavinia-Dan)
- (CISC-96) Installing scarp by default with comply #83 (HelenCampbell)
- Integration tests via GitHub Actions #77 (da-ar)
- (CISC-45) Build the module as part of the demo setup #76 (da-ar)
- [CISC-88] add profile parameter #71 (maxiegit)
- (CISC-115) target_roles helper function and initial integration tests #69 (da-ar)
- [CISC-76] add cross compiled scarp for windows and linux #67 (maxiegit)
- (CISC-69) adding github actions #65 (tphoney)
- [CISC-104] Additional splunk dashboard updates to automation #63 (HelenCampbell)
- (CISC-107) Apply Lidar config to PE server only #59 (da-ar)
- (CISC-101) initial commit for adding lidar #57 (tphoney)
- [CISC-73]Add PQL querying for target nodes #56 (maxiegit)
- (CISC-72) Add ability to define scan targets #50 (HelenCampbell)
- [CISC-64] add percentage compliancy to splunk table #49 (maxiegit)
- (CISC-36) initial attempt at running ciscat workbenches #47 (tphoney)
- [CISC-64] Automate installing compliance dashboard #46 (maxiegit)
- (CISC-80) install java 1.8 on linux #44 (tphoney)
- (CISC-61) rename to comply #42 (tphoney)
- (CISC-79) use scarp, updated to 0.0.15 #41 (tphoney)
- Helper plan to redeploy pfhind module #38 (da-ar)
- (CISC-66) windows support for pfhix #36 (tphoney)
- ciscat task uses facter helper #35 (tphoney)
- (CISC-55) Add support for encoding of pfhix task results #34 (da-ar)
- bump pfhix to 0.0.10 #25 (tphoney)
- Add trusted fact for CIS in pp_securitypolicy #24 (tphoney)
- Add CISCat scan task #22 (da-ar)
- compliance_status plan takes target list, demo cleanup #20 (tphoney)
- Adding a plan to setup splunk #19 (tphoney)
- add the latest version of pfhix and add sumstat support #16 (tphoney)
- ground work for puppet pipelines #15 (tphoney)
- Add CISCat scanner install option to agents plan #13 (da-ar)
- Adding the compliance_status task #11 (tphoney)
- Setup of external facts on PE server #10 (tphoney)
- Updates to the plans #9 (da-ar)
- adding in trusted external facts #8 (tphoney)
- add pfhix install and task #7 (tphoney)
- Oscap scan task #6 (tphoney)
- CI the things #4 (da-ar)
- install oscap scanner and acceptance test #3 (tphoney)
- pdksync #2 (tphoney)
- adding some module structure #1 (tphoney)
UNCATEGORIZED PRS; LABEL THEM ON GITHUB
- (CISC-282) Add guard for Java prerequisite #172 (da-ar)
- (CISC-273) task_helper will use correct exit_status #171 (da-ar)
- (bugfix) use 'value' in targets response #165 (tphoney)
- (CISC-251) fixing acceptance / integration tests and better error checking in demo plans #155 (tphoney)
- (CISC-211) Remove Authentication for Scarp temporarily #144 (HelenCampbell)
- Better messaging for extending the vmlife rake task #114 (tphoney)
- Use choco's own installer and pin Java to jre8 #112 (kreeuwijk)
- Don't use content param #110 (kreeuwijk)
- clarify the docker image vs docker compose instructions #105 (tphoney)
- tweaks to docker initialization #104 (da-ar)
- update to SSL cert generation #103 (da-ar)
- change the dgraph port in docker-compose #101 (tphoney)
- Volumes #100 (da-ar)
- Ignore docker volumes #99 (da-ar)
- latest scarp 0.0.27 #98 (tphoney)
- Integration test changes #91 (da-ar)
- Fix to get Lidar demo plan working #86 (HelenCampbell)
- (CISC-129) Update latest docker-compose file #84 (HelenCampbell)
- (CISC-114) Hardening of tests and documentation addition #73 (HelenCampbell)
- [CISC-117] Fix invalid scanner names defaulting to oscap #72 (maxiegit)
- amend the readme for scan_plan #68 (tphoney)
- remove a blank line from the readme #66 (tphoney)
- (CISC-78) clean up trusted external facts for comply #60 (tphoney)
- (CISC-85) Ensure the task fails if the scan fails to complete correctly #55 (da-ar)
- (CISC-106) fail hard for oscap scans, for unsupported OSes #54 (tphoney)
- (CISC-105) remove puppet agent -t from compliance_scan and document. #53 (tphoney)
- Clean up tasks for compliance_scan #52 (da-ar)
- [CISS-64] Fix overall compliance chart for new json #51 (maxiegit)
- (CISC-84) Fixing the output to be true json in the scan result file #48 (HelenCampbell)
- (CISC-86) Oscap scan failure fix #45 (HelenCampbell)
- (CISC-81) chocolatey is installed in one apply #43 (tphoney)
- (CISC-48) Compliance Scan plan should not fail for singular errors #40 (da-ar)
- (CISC-82) fix for windows and facter #39 (tphoney)
- (CISC-62) Improve Plan step reporting #37 (da-ar)
- Oscap graceful on windows, run the correct scan according to OS #33 (tphoney)
- (CISC-49) ciscat is the default scanner now, plan renaming #32 (tphoney)
- working plan for ciscat scanning #31 (tphoney)
- Updates Splunk automation due to changes in PIE_tools #30 (HelenCampbell)
- Add unit test for ciscat_scan task #29 (da-ar)
- [CISC-37] Fix token not being kept by manifest #28 (maxiegit)
- Fix unit test checkouts #27 (tphoney)
- remove line about running in pe ui #26 (tphoney)
- symlinks to make pe ui work with 'puppet module install' #21 (tphoney)
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppet/archive (>= 4.3.0 <= 7.1.0)
- puppetlabs/chocolatey (>= 5.0.0 <= 8.0.0)
- puppetlabs/inifile (>= 4.1.0 <= 6.1.0)
- puppetlabs/ruby_task_helper (>= 0.4.0 < 1.0.0)
- puppetlabs/stdlib (>= 5.0.0 <= 9.4.1)
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.