Version information
released Feb 4th 2025
This version is compatible with:
- Puppet Enterprise 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.23.0 < 9.0.0
- , , , ,
Tasks:
- audit_client_dns
- audit_approved_services_listening
- audit_authselect
- audit_boot
Start using this module
To install using r10k or Code Manager, follow these steps:
- Generate an API token using the button Create a new key at the bottom of your profile and put it in your r10k.yaml file. Find out more here.
- Add this module to your Puppetfile:
mod 'puppetlabs-sce_linux', '2.3.1'Learn more about managing modules with a PuppetfileDocumentation
puppetlabs/sce_linux — version 2.3.1 Feb 4th 2025
sce_linux
Product documentation is available on the Puppet Docs website.
SCE for Linux Reference
Table of Contents
- CIS Red Hat Enterprise Linux 7 Benchmark 4.0.0
- Red Hat Enterprise Linux 7 Security Technical Implementation Guide 3
- CIS Red Hat Enterprise Linux 8 Benchmark 3.0.0
- Red Hat Enterprise Linux 8 Security Technical Implementation Guide 1
- CIS Red Hat Enterprise Linux 9 Benchmark 1.0.0
- CIS Oracle Linux 7 Benchmark 4.0.0
- CIS Oracle Linux 8 Benchmark 3.0.0
- CIS Oracle Linux 9 Benchmark 1.0.0
- CIS AlmaLinux OS 8 Benchmark 3.0.0
- CIS Rocky Linux 8 Benchmark 2.0.0
- CIS Ubuntu Linux 20.04 LTS Benchmark 2.0.1
- CIS Ubuntu Linux 22.04 LTS Benchmark 2.0.0
- List of known CIS control sections that use plans and tasks:
CIS Red Hat Enterprise Linux 7 Benchmark 4.0.0
1.1.1.1 - Ensure cramfs kernel module is not available
Parameters:
filesystem- [String[1]] - Default:cramfs- Filesystem to disable, example xfs.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure cramfs kernel module is not available":
filesystem: "cramfs"
Alternate Config IDs:
1.1.1.1c1_1_1_1ensure_cramfs_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Disable_fs_mounting['Disable cramfs filesystem mounting']
1.1.1.2 - Ensure freevxfs kernel module is not available
Parameters:
filesystem- [String[1]] - Default:freevxfs- Filesystem to disable, example xfs.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure freevxfs kernel module is not available":
filesystem: "freevxfs"
Alternate Config IDs:
1.1.1.2c1_1_1_2ensure_freevxfs_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Disable_fs_mounting['Ensure freevxfs module is not available']
1.1.1.3 - Ensure hfs kernel module is not available
Parameters:
filesystem- [String[1]] - Default:hfs- Filesystem to disable, example xfs.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure hfs kernel module is not available":
filesystem: "hfs"
Alternate Config IDs:
1.1.1.3c1_1_1_3ensure_hfs_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Disable_fs_mounting['Ensure hfs module is not available']
1.1.1.4 - Ensure hfsplus kernel module is not available
Parameters:
filesystem- [String[1]] - Default:hfsplus- Filesystem to disable, example xfs.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure hfsplus kernel module is not available":
filesystem: "hfsplus"
Alternate Config IDs:
1.1.1.4c1_1_1_4ensure_hfsplus_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Disable_fs_mounting['Ensure hfsplus module is not available']
1.1.1.5 - Ensure jffs2 kernel module is not available
Parameters:
conf_file- [String[1]] - Default:sce_disable_jffs2- A unique name for the config file without a path of file extensioncontent- [Optional[String]] - Default:install jffs2 /bin/false blacklist jffs2- The file content. Mutually exclusive with source.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure jffs2 kernel module is not available":
conf_file: "sce_disable_jffs2"
content: "install jffs2 /bin/false\nblacklist jffs2\n"
Alternate Config IDs:
1.1.1.5c1_1_1_5ensure_jffs2_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Modprobe_conf['Ensure jffs2 kernel module is not available']
1.1.1.6 - Ensure squashfs kernel module is not available
Parameters:
filesystem- [String[1]] - Default:squashfs- Filesystem to disable, example xfs.
Supported Profiles & Levels:
server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure squashfs kernel module is not available":
filesystem: "squashfs"
Alternate Config IDs:
1.1.1.6c1_1_1_6ensure_squashfs_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Disable_fs_mounting['Disable squashfs filesystem mounting']
1.1.1.7 - Ensure udf kernel module is not available
Parameters:
filesystem- [String[1]] - Default:udf- Filesystem to disable, example xfs.
Supported Profiles & Levels:
server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure udf kernel module is not available":
filesystem: "udf"
Alternate Config IDs:
1.1.1.7c1_1_1_7ensure_udf_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Disable_fs_mounting['Disable udf filesystem mounting']
1.1.1.8 - Ensure usb-storage kernel module is not available
Parameters:
conf_file- [String[1]] - Default:sce_disable_usb_storage- A unique name for the config file without a path of file extensioncontent- [Optional[String]] - Default:install usb-storage /bin/false blacklist usb-storage- The file content. Mutually exclusive with source.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure usb-storage kernel module is not available":
conf_file: "sce_disable_usb_storage"
content: "install usb-storage /bin/false\nblacklist usb-storage\n"
Alternate Config IDs:
1.1.1.8c1_1_1_8ensure_usb_storage_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Modprobe_conf['Ensure usb-storage kernel module is not available']
1.1.2.1.2 - Ensure nodev option set on /tmp partition
Parameters:
nodev- [Boolean] - Default:true- Set nodev mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nodev option set on /tmp partition":
nodev: true
Alternate Config IDs:
1.1.2.1.2c1_1_2_1_2ensure_nodev_option_set_on_tmp_partition
Resource:
Class['sce_linux::utils::tmp_mount']
1.1.2.1.3 - Ensure nosuid option set on /tmp partition
Parameters:
nosuid- [Boolean] - Default:true- Set nosuid mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nosuid option set on /tmp partition":
nosuid: true
Alternate Config IDs:
1.1.2.1.3c1_1_2_1_3ensure_nosuid_option_set_on_tmp_partition
Resource:
Class['sce_linux::utils::tmp_mount']
1.1.2.1.4 - Ensure noexec option set on /tmp partition
Parameters:
noexec- [Boolean] - Default:true- Set noexec mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure noexec option set on /tmp partition":
noexec: true
Alternate Config IDs:
1.1.2.1.4c1_1_2_1_4ensure_noexec_option_set_on_tmp_partition
Resource:
Class['sce_linux::utils::tmp_mount']
1.1.2.2.2 - Ensure nodev option set on /dev/shm partition
Parameters:
nodev- [Boolean] - Default:true- Whether to set the nodev option.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nodev option set on /dev/shm partition":
nodev: true
Alternate Config IDs:
1.1.2.2.2c1_1_2_2_2ensure_nodev_option_set_on_devshm_partition
Resource:
Class['sce_linux::utils::dev_shm_fstab_entry']
1.1.2.2.3 - Ensure nosuid option set on /dev/shm partition
Parameters:
nosuid- [Boolean] - Default:true- Whether to set the nosuid option.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nosuid option set on /dev/shm partition":
nosuid: true
Alternate Config IDs:
1.1.2.2.3c1_1_2_2_3ensure_nosuid_option_set_on_devshm_partition
Resource:
Class['sce_linux::utils::dev_shm_fstab_entry']
1.1.2.2.4 - Ensure noexec option set on /dev/shm partition
Parameters:
noexec- [Boolean] - Default:true- Whether to set the noexec option.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure noexec option set on /dev/shm partition":
noexec: true
Alternate Config IDs:
1.1.2.2.4c1_1_2_2_4ensure_noexec_option_set_on_devshm_partition
Resource:
Class['sce_linux::utils::dev_shm_fstab_entry']
1.1.2.3.2 - Ensure nodev option set on /home partition
Parameters:
nodev- [Boolean] - Default:true- Set nodev option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nodev option set on /home partition":
nodev: true
Alternate Config IDs:
1.1.2.3.2c1_1_2_3_2ensure_nodev_option_set_on_home_partition
Resource:
Class['sce_linux::utils::homedir_mount_opts']
1.1.2.3.3 - Ensure nosuid option set on /home partition
Parameters:
nosuid- [Boolean] - Default:true- Set nosuid option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nosuid option set on /home partition":
nosuid: true
Alternate Config IDs:
1.1.2.3.3c1_1_2_3_3ensure_nosuid_option_set_on_home_partition
Resource:
Class['sce_linux::utils::homedir_mount_opts']
1.1.2.4.2 - Ensure nodev option set on /var partition
Parameters:
nodev- [Boolean] - Default:true- Set the nodev option on the mount point
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nodev option set on /var partition":
nodev: true
Alternate Config IDs:
1.1.2.4.2c1_1_2_4_2ensure_nodev_option_set_on_var_partition
Resource:
Class['sce_linux::utils::var_mount_options']
1.1.2.4.3 - Ensure nosuid option set on /var partition
Parameters:
nosuid- [Boolean] - Default:true- Set the nosuid option on the mount point
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nosuid option set on /var partition":
nosuid: true
Alternate Config IDs:
1.1.2.4.3c1_1_2_4_3ensure_nosuid_option_set_on_var_partition
Resource:
Class['sce_linux::utils::var_mount_options']
1.1.2.5.2 - Ensure nodev option set on /var/tmp partition
Parameters:
nodev- [Boolean] - Default:true- Set nodev mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nodev option set on /var/tmp partition":
nodev: true
Alternate Config IDs:
1.1.2.5.2c1_1_2_5_2ensure_nodev_option_set_on_vartmp_partition
Resource:
Class['sce_linux::utils::var_tmp_mount_options']
1.1.2.5.3 - Ensure nosuid option set on /var/tmp partition
Parameters:
nosuid- [Boolean] - Default:true- Set nosuid mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nosuid option set on /var/tmp partition":
nosuid: true
Alternate Config IDs:
1.1.2.5.3c1_1_2_5_3ensure_nosuid_option_set_on_vartmp_partition
Resource:
Class['sce_linux::utils::var_tmp_mount_options']
1.1.2.5.4 - Ensure noexec option set on /var/tmp partition
Parameters:
noexec- [Boolean] - Default:true- Set noexec mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure noexec option set on /var/tmp partition":
noexec: true
Alternate Config IDs:
1.1.2.5.4c1_1_2_5_4ensure_noexec_option_set_on_vartmp_partition
Resource:
Class['sce_linux::utils::var_tmp_mount_options']
1.1.2.6.2 - Ensure nodev option set on /var/log partition
Parameters:
nodev- [Boolean] - Default:true- Set nodev mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nodev option set on /var/log partition":
nodev: true
Alternate Config IDs:
1.1.2.6.2c1_1_2_6_2ensure_nodev_option_set_on_varlog_partition
Resource:
Class['sce_linux::utils::var_log_mount_options']
1.1.2.6.3 - Ensure nosuid option set on /var/log partition
Parameters:
nosuid- [Boolean] - Default:true- Set nosuid mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nosuid option set on /var/log partition":
nosuid: true
Alternate Config IDs:
1.1.2.6.3c1_1_2_6_3ensure_nosuid_option_set_on_varlog_partition
Resource:
Class['sce_linux::utils::var_log_mount_options']
1.1.2.6.4 - Ensure noexec option set on /var/log partition
Parameters:
noexec- [Boolean] - Default:true- Set noexec mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure noexec option set on /var/log partition":
noexec: true
Alternate Config IDs:
1.1.2.6.4c1_1_2_6_4ensure_noexec_option_set_on_varlog_partition
Resource:
Class['sce_linux::utils::var_log_mount_options']
1.1.2.7.2 - Ensure nodev option set on /var/log/audit partition
Parameters:
nodev- [Boolean] - Default:true- Set nodev mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nodev option set on /var/log/audit partition":
nodev: true
Alternate Config IDs:
1.1.2.7.2c1_1_2_7_2ensure_nodev_option_set_on_varlogaudit_partition
Resource:
Class['sce_linux::utils::var_log_audit_mount_options']
1.1.2.7.3 - Ensure nosuid option set on /var/log/audit partition
Parameters:
nosuid- [Boolean] - Default:true- Set nosuid mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nosuid option set on /var/log/audit partition":
nosuid: true
Alternate Config IDs:
1.1.2.7.3c1_1_2_7_3ensure_nosuid_option_set_on_varlogaudit_partition
Resource:
Class['sce_linux::utils::var_log_audit_mount_options']
1.1.2.7.4 - Ensure noexec option set on /var/log/audit partition
Parameters:
noexec- [Boolean] - Default:true- Set noexec mount option
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure noexec option set on /var/log/audit partition":
noexec: true
Alternate Config IDs:
1.1.2.7.4c1_1_2_7_4ensure_noexec_option_set_on_varlogaudit_partition
Resource:
Class['sce_linux::utils::var_log_audit_mount_options']
1.2.2 - Ensure gpgcheck is globally activated
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
1.2.2c1_2_2ensure_gpgcheck_is_globally_activated
Resource:
Class['sce_linux::utils::yum::enable_gpgcheck']
1.3.1 - Ensure bootloader password is set
Parameters:
password_protect- [Boolean] - Default:true- Whether or not to password protect the bootloader.superuser- [Optional[String[1]]] - Default:undef- The username of the grub2 superuser. This is used to set a superuser password in the bootloader configuration. This is only used if password_protect is true.superuser_password- [Optional[Sensitive[String]]] - Default:undef- The password of the grub2 superuser. This will be the superuser password in the bootloader configuration. This is only used if password_protect is true.password_file- [Stdlib::UnixPath] - Default:/etc/grub.d/50_password- The path to the file containing the bootloader password(s). This is only used if password_protect is true.replace_password_file- [Boolean] - If true, replaces the password file if it exists with a NEW hash of the password. Also, when set to true, this resource is NOT idempotent. When set to false, this prevent accidental overwriting of the password file with a new hash of the same password.hash_superuser_password- [Boolean] - Default:true- If true, the superuser password will be hashed using PBKDF2-HMAC-SHA512. If false, the superuser password will be stored in the password file as-is. This is only used if password_protect is true.superuser_password_salt_length- [Optional[Integer]] - Default:undef- The length of the salt in bits used to hash the superuser password. Default is 128. This is optional and only used if password_protect and hash_superuser_password are true.superuser_password_buffer_length- [Optional[Integer]] - Default:undef- The length of the resulting hash. Default is 128. This is optional and only used if password_protect and hash_superuser_password are true.superuser_password_iterations- [Optional[Integer]] - Default:undef- The number of times the password is passed through the hash function. Default is 120000. This is optional and only used if password_protect and hash_superuser_password are true.other_users- [Optional[Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]]] - Default:undef- An array of structured hashes to add other users besides the superuser to the password file. This is optional only used if password_protect is true. The users specified here will be added to the password file as regular users, not superusers. Other user passwords will be hashed using PBKDF2-HMAC-SHA512, just like the superuser password, if hash_other_user_passwords is true.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure bootloader password is set":
password_protect: true
superuser: <<Type String[1]>>
superuser_password: <<Type Sensitive[String]>>
password_file: "/etc/grub.d/50_password"
replace_password_file: false
hash_superuser_password: true
superuser_password_salt_length: <<Type Integer>>
superuser_password_buffer_length: <<Type Integer>>
superuser_password_iterations: <<Type Integer>>
other_users: <<Type Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]>>
Alternate Config IDs:
1.3.1c1_3_1ensure_bootloader_password_is_set
Resource:
Class['sce_linux::utils::bootloader::grub2']
1.3.2 - Ensure permissions on bootloader config are configured
Parameters:
ensure_permissions- [Boolean] - Default:true- Whether or not to enforce correct permissions on the bootloader files.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure permissions on bootloader config are configured":
ensure_permissions: true
Alternate Config IDs:
1.3.2c1_3_2ensure_permissions_on_bootloader_config_are_configured
Resource:
Class['sce_linux::utils::bootloader::grub2']
1.3.3 - Ensure authentication required for single user mode
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
1.3.3c1_3_3ensure_authentication_required_for_single_user_mode
Resource:
Class['sce_linux::utils::single_user_mode_authentication']
1.4.1 - Ensure address space layout randomization (ASLR) is enabled
Parameters:
sysctl_file- [String] - Default:10-enable_aslr.conf- The sysctl file that values will be written to.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure address space layout randomization (ASLR) is enabled":
sysctl_file: "10-enable_aslr.conf"
Alternate Config IDs:
1.4.1c1_4_1ensure_address_space_layout_randomization_aslr_is_enabled
Resource:
Class['sce_linux::utils::enable_aslr']
1.4.2 - Ensure ptrace_scope is restricted
Parameters:
value- [String[1]] - Default:1- The value to set on EACH setting. Is passed directly to the sysctl provider.target- [Stdlib::AbsolutePath] - Default:/etc/sysctl.d/90-kernel_yama_ptrace_scope.conf- A path to a file to write the sysctl settings to.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure ptrace_scope is restricted":
value: "1"
target: "/etc/sysctl.d/90-kernel_yama_ptrace_scope.conf"
Alternate Config IDs:
1.4.2c1_4_2ensure_ptrace_scope_is_restricted
Resource:
Sce_linux::Utils::Multi_sysctl['kernel.yama.ptrace_scope']
1.4.3 - Ensure core dump backtraces are disabled
Parameters:
process_size_max- [String[1]] - Default:0
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure core dump backtraces are disabled":
process_size_max: "0"
Alternate Config IDs:
1.4.3c1_4_3ensure_core_dump_backtraces_are_disabled
Resource:
Class['sce_linux::utils::disable_core_dumps']
1.4.4 - Ensure core dump storage is disabled
Parameters:
storage- [Enum["none", "external", "journal"]] - Default:none
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure core dump storage is disabled":
storage: "none"
Alternate Config IDs:
1.4.4c1_4_4ensure_core_dump_storage_is_disabled
Resource:
Class['sce_linux::utils::disable_core_dumps']
1.5.1.1 - Ensure SELinux is installed
Parameters:
manage_package- [Optional[Boolean]] - Default:true- Enable or disable selinux package management.package_name- [Optional[String[1]]] - Default:libselinux- Name of package.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure SELinux is installed":
manage_package: true
package_name: "libselinux"
Alternate Config IDs:
1.5.1.1c1_5_1_1ensure_selinux_is_installed
Resource:
Class['sce_linux::utils::packages::linux::selinux']
1.5.1.2 - Ensure SELinux is not disabled in bootloader configuration
Parameters:
enable_selinux- [Boolean] - Default:true- Whether or not to enable SELinux in the bootloader boot command.selinux_mode- [Enum["permissive", "enforcing", "disabled"]] - Default:enforcing- The SELinux enforcement mode to set in the bootloader. Only used if enable_selinux is true.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure SELinux is not disabled in bootloader configuration":
enable_selinux: true
selinux_mode: "enforcing"
Alternate Config IDs:
1.5.1.2c1_5_1_2ensure_selinux_is_not_disabled_in_bootloader_configuration
Resource:
Class['sce_linux::utils::bootloader::grub2']
1.5.1.3 - Ensure SELinux policy is configured
Parameters:
type- [Optional[Enum[\targeted\, \mls\]]] - Default:targeted- SELinux enforcement type.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure SELinux policy is configured":
type: "targeted"
Alternate Config IDs:
1.5.1.3c1_5_1_3ensure_selinux_policy_is_configured
Resource:
Class['sce_linux::utils::packages::linux::selinux']
1.5.1.4 - Ensure the SELinux mode is not disabled
Parameters:
mode- [Optional[Enum[\permissive\, \enforcing\]]] - Default:enforcing- Selinux mode, permissive or enforcing. Disabled is not supported.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure the SELinux mode is not disabled":
mode: "enforcing"
Alternate Config IDs:
1.5.1.4c1_5_1_4ensure_the_selinux_mode_is_not_disabled
Resource:
Class['sce_linux::utils::packages::linux::selinux']
1.5.1.5 - Ensure the SELinux mode is enforcing
Parameters:
mode- [Optional[Enum[\permissive\, \enforcing\]]] - Default:enforcing- Selinux mode, permissive or enforcing. Disabled is not supported.
Supported Profiles & Levels:
server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure the SELinux mode is enforcing":
mode: "enforcing"
Alternate Config IDs:
1.5.1.5c1_5_1_5ensure_the_selinux_mode_is_enforcing
Resource:
Class['sce_linux::utils::packages::linux::selinux']
1.5.1.7 - Ensure the MCS Translation Service (mcstrans) is not installed
Parameters:
pkg_name- [String[1]] - Default:mcstrans- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure the MCS Translation Service (mcstrans) is not installed":
pkg_name: "mcstrans"
Alternate Config IDs:
1.5.1.7c1_5_1_7ensure_the_mcs_translation_service_mcstrans_is_not_installed
Resource:
Sce_linux::Utils::Packages::Absenter['Do not install mcs translation service']
1.5.1.8 - Ensure SETroubleshoot is not installed
Parameters:
pkg_name- [String[1]] - Default:setroubleshoot- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure SETroubleshoot is not installed":
pkg_name: "setroubleshoot"
Alternate Config IDs:
1.5.1.8c1_5_1_8ensure_setroubleshoot_is_not_installed
Resource:
Sce_linux::Utils::Packages::Absenter['Do not install setroubleshoot']
1.6.1 - Ensure message of the day is configured properly
Parameters:
dynamic_motd- [Optional[Boolean]] - Default:true- Enables or disables dynamic motd on Debian systems. Defaulttruemotd_template- [Optional[String[1]]] - Default:undef- Specifies a custom motd template or text file. A template takes precedence overcontent. Valid options: '/mymodule/mytemplate.epp'.motd_content- [Optional[String]] - Default:undef- Specifies a static string as the motd content. Default "This is a secure system. Unauthorized access is strictly prohibited.\r\n"issue_content- [Optional[String]] - Default:This is a secure system. Unauthorized access is strictly prohibited.- Specifies a static string as the/etc/issuecontent. Default "This is a secure system. Unauthorized access is strictly prohibited.\r\n"issue_net_content- [Optional[String]] - Default:This is a secure system. Unauthorized access is strictly prohibited.issue_template- [Optional[String[1]]] - Default:undef- Specifies a custom template or text file to process and save to/etc/issue. A template takes precedence overissue_content.issue_net_template- [Optional[String[1]]] - Default:undef- Specifies a custom template or text file to process and save to/etc/issue.net. A template takes precedence overissue_net_content.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure message of the day is configured properly":
dynamic_motd: true
motd_template: <<Type String[1]>>
motd_content: <<Type String>>
issue_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
issue_net_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
issue_template: <<Type String[1]>>
issue_net_template: <<Type String[1]>>
Alternate Config IDs:
1.6.1c1_6_1ensure_message_of_the_day_is_configured_properly
Resource:
Class['sce_linux::utils::motd']
1.6.2 - Ensure local login warning banner is configured properly
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
1.6.2c1_6_2ensure_local_login_warning_banner_is_configured_properly
Resource:
Class['sce_linux::utils::motd']
1.6.3 - Ensure remote login warning banner is configured properly
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
1.6.3c1_6_3ensure_remote_login_warning_banner_is_configured_properly
Resource:
Class['sce_linux::utils::motd']
1.6.4 - Ensure access to /etc/motd is configured
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
1.6.4c1_6_4ensure_access_to_etcmotd_is_configured
Resource:
Class['sce_linux::utils::motd']
1.6.5 - Ensure access to /etc/issue is configured
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
1.6.5c1_6_5ensure_access_to_etcissue_is_configured
Resource:
Class['sce_linux::utils::motd']
1.6.6 - Ensure access to /etc/issue.net is configured
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
1.6.6c1_6_6ensure_access_to_etcissue_net_is_configured
Resource:
Class['sce_linux::utils::motd']
1.7.1 - Ensure GNOME Display Manager is removed
Parameters:
pkg_name- [String[1]] - Default:gdm- Name of package to remove.
Supported Profiles & Levels:
server, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure GNOME Display Manager is removed":
pkg_name: "gdm"
Alternate Config IDs:
1.7.1c1_7_1ensure_gnome_display_manager_is_removed
Resource:
Sce_linux::Utils::Packages::Absenter['Remove gnome display manager']
1.7.2 - Ensure GDM login banner is configured
Parameters:
enable_banner_message- [Boolean] - Default:true- Enable the banner message for the GNOME login screenset_banner_message_text- [Optional[Boolean]] - Default:true- DEPRECATED: Set the banner message text. This parameter is deprecated and will be removed in a future release. Please use theenable_banner_messageparameter instead.set_banner_message_text_key_value- [Optional[Variant[Boolean, String[1], Integer]]] - Default:This is a monitored system. Unauthorized access is prohibited.\n- DEPRECATED: The key's value of the set_banner_message_text dconf database keyfile that will be created under the section specified. Can be a boolean or a string or a number. This parameter is deprecated and will be removed in a future release. Please use thebanner_message_textparameter instead.dconf_profile_name- [String] - Default:gdm- The name of the dconf profile that will be createddconf_profile_database- [Array[String[1]]] - Default:["user-db:user", "system-db:gdm", "file-db:/usr/share/gdm/greeter-dconf-defaults"]- The database of the dconf profile that will be createddconf_system_db- [Array[String[1]]] - Default:["gdm"]- The system database of the dconf profile. For example, 'local', 'site', 'distro'dconf_db_choice- [Optional[Enum[\local\, \gdm\, \site\]]] - Default:gdm- The name of the dconf database that will have keyfile created for it
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure GDM login banner is configured":
enable_banner_message: true
set_banner_message_text: true
set_banner_message_text_key_value: "This is a monitored system. Unauthorized access is prohibited.\\n"
dconf_profile_name: "gdm"
dconf_profile_database: ["user-db:user", "system-db:gdm", "file-db:/usr/share/gdm/greeter-dconf-defaults"]
dconf_system_db: ["gdm"]
dconf_db_choice: "gdm"
Alternate Config IDs:
1.7.2c1_7_2ensure_gdm_login_banner_is_configured
Resource:
Class['sce_linux::utils::packages::linux::gnome']
1.7.3 - Ensure GDM disable-user-list option is enabled
Parameters:
disable_user_list_at_login_screen- [Boolean] - Default:true- Disable the user list at the login screen
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure GDM disable-user-list option is enabled":
disable_user_list_at_login_screen: true
Alternate Config IDs:
1.7.3c1_7_3ensure_gdm_disable_user_list_option_is_enabled
Resource:
Class['sce_linux::utils::packages::linux::gnome']
1.7.4 - Ensure GDM screen locks when the user is idle
Parameters:
enable_session_lock- [Boolean] - Default:true- Enable the session lock Defaultfalseset_inactivity_period- [Boolean] - Default:true- Set the inactivity periodset_screensaver_lock_delay- [Boolean] - Default:true- Set the screensaver lock delay
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure GDM screen locks when the user is idle":
enable_session_lock: true
set_inactivity_period: true
set_screensaver_lock_delay: true
Alternate Config IDs:
1.7.4c1_7_4ensure_gdm_screen_locks_when_the_user_is_idle
Resource:
Class['sce_linux::utils::packages::linux::gnome']
1.7.5 - Ensure GDM screen locks cannot be overridden
Parameters:
prevent_overriding_a_session_lock- [Boolean] - Default:true- Prevent overriding a session lockprevent_overriding_screensaver_lock- [Boolean] - Default:true- Prevent overriding the screensaver lock
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure GDM screen locks cannot be overridden":
prevent_overriding_a_session_lock: true
prevent_overriding_screensaver_lock: true
Alternate Config IDs:
1.7.5c1_7_5ensure_gdm_screen_locks_cannot_be_overridden
Resource:
Class['sce_linux::utils::packages::linux::gnome']
1.7.6 - Ensure GDM automatic mounting of removable media is disabled
Parameters:
disable_automount- [Boolean] - Default:true- Disable automountdisable_automount_open- [Boolean] - Default:true- Disable automount open
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure GDM automatic mounting of removable media is disabled":
disable_automount: true
disable_automount_open: true
Alternate Config IDs:
1.7.6c1_7_6ensure_gdm_automatic_mounting_of_removable_media_is_disabled
Resource:
Class['sce_linux::utils::packages::linux::gnome']
1.7.7 - Ensure GDM disabling automatic mounting of removable media is not overridden
Parameters:
ensure_automount_is_not_overriden- [Boolean] - Default:true
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure GDM disabling automatic mounting of removable media is not overridden":
ensure_automount_is_not_overriden: true
Alternate Config IDs:
1.7.7c1_7_7ensure_gdm_disabling_automatic_mounting_of_removable_media_is_not_overridden
Resource:
Class['sce_linux::utils::packages::linux::gnome']
1.7.8 - Ensure GDM autorun-never is enabled
Parameters:
ensure_autorun_is_never_run- [Boolean] - Default:true- Ensure autorun is never run
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure GDM autorun-never is enabled":
ensure_autorun_is_never_run: true
Alternate Config IDs:
1.7.8c1_7_8ensure_gdm_autorun_never_is_enabled
Resource:
Class['sce_linux::utils::packages::linux::gnome']
1.7.9 - Ensure GDM autorun-never is not overridden
Parameters:
ensure_autorun_never_is_locked- [Boolean] - Default:true- Ensure autorun never is locked
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure GDM autorun-never is not overridden":
ensure_autorun_never_is_locked: true
Alternate Config IDs:
1.7.9c1_7_9ensure_gdm_autorun_never_is_not_overridden
Resource:
Class['sce_linux::utils::packages::linux::gnome']
1.7.10 - Ensure XDMCP is not enabled
Parameters:
disable_xdmcp- [Boolean] - Default:true- Disable XDMCP
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure XDMCP is not enabled":
disable_xdmcp: true
Alternate Config IDs:
1.7.10c1_7_10ensure_xdmcp_is_not_enabled
Resource:
Class['sce_linux::utils::packages::linux::gnome']
2.1.1 - Ensure time synchronization is in use
Parameters:
preferred_package- [Enum["chrony", "ntp", "systemd-timesyncd"]] - Default:chrony- The preferred package to use for time synchronization.manage_package- [Boolean] - Default:true- If true, the package will be installed and managed by Puppet.force_exclusivity- [Boolean] - Default:true- If true, the package that was not chosen will be removed from the system. This means that if your preferred package is chrony, ntp will be removed. This only applies to RedHat-family operating systems.timeservers- [Array[String]] - Default:Puppet::AST::LiteralList({'locator' => Puppet::AST::Locator({}), 'offset' => 3511, 'length' => 2})- Array of strings starting with the type (pool, server, etc.), then hostname / ip, then any options. Each element of the timeservers array will be added to the chrony / ntp / systemd-timesyncd config file as is. Please seeman chrony.conf(5),man ntp.conf(5), orman timesyncd.conf(5)for more details. Example (ntp / chrony): ['server 192.168.0.250 prefer iburst', 'server 192.168.0.251 iburst'] Example (systemd-timesyncd): ['pool 0.ubuntu.pool.ntp.org', 'pool 1.ubuntu.pool.ntp.org']sysconfig_options- [Optional[String[1]]] - Default:undef- Options to be added to the sysconfig file for the chosen package. This defaults to-u chronyfor the chrony package and-u ntp:ntpfor the ntp package. This has no affect on the systemd-timesyncd package.ntp_restricts- [Optional[Array[String[1]]]] - Default:["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]- Array of strings used to createrestrictlines in the ntp config file. Defaults to `['-4 default kod nomodify notrap nopeer noquery', '-6 default kod nomodify notrap nopeer noquery']
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure time synchronization is in use":
preferred_package: "chrony"
manage_package: true
force_exclusivity: true
timeservers: Puppet::AST::LiteralList({'locator' => Puppet::AST::Locator({}), 'offset' => 3511, 'length' => 2})
sysconfig_options: <<Type String[1]>>
ntp_restricts: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]
Alternate Config IDs:
2.1.1c2_1_1ensure_time_synchronization_is_in_use
Resource:
Class['sce_linux::utils::timesync']
2.1.2 - Ensure chrony is configured
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
2.1.2c2_1_2ensure_chrony_is_configured
Resource:
Class['sce_linux::utils::timesync']
2.1.3 - Ensure chrony is not run as the root user
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
2.1.3c2_1_3ensure_chrony_is_not_run_as_the_root_user
Resource:
Class['sce_linux::utils::timesync']
2.2.1 - Ensure autofs services are not in use
Parameters:
service- [String[1]] - Default:autofs- Service to disable.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure autofs services are not in use":
service: "autofs"
Alternate Config IDs:
2.2.1c2_2_1ensure_autofs_services_are_not_in_use
Resource:
Sce_linux::Utils::Disable_service['Disable autofs']
2.2.2 - Ensure avahi daemon services are not in use
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_2
Alternate Config IDs:
2.2.2c2_2_2ensure_avahi_daemon_services_are_not_in_use
Resource:
Class['sce_linux::utils::remove_avahi_server']
2.2.3 - Ensure dhcp server services are not in use
Parameters:
pkg_name- [String[1]] - Default:dhcp- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure dhcp server services are not in use":
pkg_name: "dhcp"
Alternate Config IDs:
2.2.3c2_2_3ensure_dhcp_server_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use DHCP server']
2.2.4 - Ensure dns server services are not in use
Parameters:
pkg_name- [String[1]] - Default:bind- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure dns server services are not in use":
pkg_name: "bind"
Alternate Config IDs:
2.2.4c2_2_4ensure_dns_server_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use DNS server']
2.2.5 - Ensure dnsmasq services are not in use
Parameters:
pkg_name- [String[1]] - Default:dnsmasq- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure dnsmasq services are not in use":
pkg_name: "dnsmasq"
Alternate Config IDs:
2.2.5c2_2_5ensure_dnsmasq_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use dnsmasq']
2.2.6 - Ensure samba file server services are not in use
Parameters:
pkg_name- [String[1]] - Default:samba- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure samba file server services are not in use":
pkg_name: "samba"
Alternate Config IDs:
2.2.6c2_2_6ensure_samba_file_server_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use Samba']
2.2.7 - Ensure ftp server services are not in use
Parameters:
pkg_name- [String[1]] - Default:vsftpd- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure ftp server services are not in use":
pkg_name: "vsftpd"
Alternate Config IDs:
2.2.7c2_2_7ensure_ftp_server_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use ftp server']
2.2.8 - Ensure message access server services are not in use
Parameters:
mail_servers- [Array[String]] - Default:["dovecot", "postfix"]- Array of mail servers that will be removed from the managed machine
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure message access server services are not in use":
mail_servers: ["dovecot", "postfix"]
Alternate Config IDs:
2.2.8c2_2_8ensure_message_access_server_services_are_not_in_use
Resource:
Class['sce_linux::utils::remove_imap_and_pop3']
2.2.9 - Ensure network file system services are not in use
Parameters:
keep_nfsutils- [Boolean] - A boolean value that represent the choice of whether to mask the nfs-server or remove it.dependent- [Array] - Default:["ensure_rpcbind_services_are_not_in_use"]
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure network file system services are not in use":
keep_nfsutils: false
dependent: ["ensure_rpcbind_services_are_not_in_use"]
Alternate Config IDs:
2.2.9c2_2_9ensure_network_file_system_services_are_not_in_use
Resource:
Class['sce_linux::utils::disable_or_remove_nfs']
2.2.10 - Ensure nis server services are not in use
Parameters:
pkg_name- [String[1]] - Default:ypserv- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nis server services are not in use":
pkg_name: "ypserv"
Alternate Config IDs:
2.2.10c2_2_10ensure_nis_server_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Disable NIS Server']
2.2.11 - Ensure print server services are not in use
Parameters:
pkg_name- [String[1]] - Default:cups- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure print server services are not in use":
pkg_name: "cups"
Alternate Config IDs:
2.2.11c2_2_11ensure_print_server_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not install CUPS']
2.2.12 - Ensure rpcbind services are not in use
Parameters:
keep_rpcbind- [Boolean] - A boolean value that represent the choice of whether to mask rpcbind or remove it.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure rpcbind services are not in use":
keep_rpcbind: false
Alternate Config IDs:
2.2.12c2_2_12ensure_rpcbind_services_are_not_in_use
Resource:
Class['sce_linux::utils::disable_or_remove_rpcbind']
2.2.13 - Ensure rsync services are not in use
Parameters:
keep_rsync- [Boolean] - A boolean value that represent the choice of whether to mask rsync or remove it.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure rsync services are not in use":
keep_rsync: false
Alternate Config IDs:
2.2.13c2_2_13ensure_rsync_services_are_not_in_use
Resource:
Class['sce_linux::utils::disable_or_remove_rsync']
2.2.14 - Ensure snmp services are not in use
Parameters:
pkg_name- [String[1]] - Default:net-snmp- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure snmp services are not in use":
pkg_name: "net-snmp"
Alternate Config IDs:
2.2.14c2_2_14ensure_snmp_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use net-snmp']
2.2.15 - Ensure telnet server services are not in use
Parameters:
pkg_name- [String[1]] - Default:telnet-server- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure telnet server services are not in use":
pkg_name: "telnet-server"
Alternate Config IDs:
2.2.15c2_2_15ensure_telnet_server_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Remove Telnet server']
2.2.16 - Ensure tftp server services are not in use
Parameters:
pkg_name- [String[1]] - Default:tftp-server- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure tftp server services are not in use":
pkg_name: "tftp-server"
Alternate Config IDs:
2.2.16c2_2_16ensure_tftp_server_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use TFTP Server']
2.2.17 - Ensure web proxy server services are not in use
Parameters:
proxy_packages- [Array[String]] - Default:["squid"]- Array of proxy packages that will be removed from the managed machine
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure web proxy server services are not in use":
proxy_packages: ["squid"]
Alternate Config IDs:
2.2.17c2_2_17ensure_web_proxy_server_services_are_not_in_use
Resource:
Class['sce_linux::utils::remove_http_proxy']
2.2.18 - Ensure web server services are not in use
Parameters:
pkg_name- [String[1]] - Default:httpd- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure web server services are not in use":
pkg_name: "httpd"
Alternate Config IDs:
2.2.18c2_2_18ensure_web_server_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use HTTP Server']
2.2.19 - Ensure xinetd services are not in use
Parameters:
pkg_name- [String[1]] - Default:xinetd- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure xinetd services are not in use":
pkg_name: "xinetd"
Alternate Config IDs:
2.2.19c2_2_19ensure_xinetd_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not install xinetd']
2.2.20 - Ensure X window server services are not in use
Parameters:
pkg_name- [String[1]] - Default:xorg-x11-server*- Name of package to remove.
Supported Profiles & Levels:
server, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure X window server services are not in use":
pkg_name: "xorg-x11-server*"
Alternate Config IDs:
2.2.20c2_2_20ensure_x_window_server_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not install x11 server components']
2.2.21 - Ensure mail transfer agents are configured for local-only mode
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
2.2.21c2_2_21ensure_mail_transfer_agents_are_configured_for_local_only_mode
Resource:
Class['sce_linux::utils::local_only_mta']
2.3.1 - Ensure ftp client is not installed
Parameters:
pkg_name- [String[1]] - Default:ftp- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure ftp client is not installed":
pkg_name: "ftp"
Alternate Config IDs:
2.3.1c2_3_1ensure_ftp_client_is_not_installed
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use ftp client']
2.3.2 - Ensure ldap client is not installed
Parameters:
pkg_name- [String[1]] - Default:openldap-clients- Name of package to remove.
Supported Profiles & Levels:
server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure ldap client is not installed":
pkg_name: "openldap-clients"
Alternate Config IDs:
2.3.2c2_3_2ensure_ldap_client_is_not_installed
Resource:
Sce_linux::Utils::Packages::Absenter['Remove LDAP Client']
2.3.3 - Ensure nis client is not installed
Parameters:
pkg_name- [String[1]] - Default:ypbind- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure nis client is not installed":
pkg_name: "ypbind"
Alternate Config IDs:
2.3.3c2_3_3ensure_nis_client_is_not_installed
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use NIS Client']
2.3.4 - Ensure telnet client is not installed
Parameters:
pkg_name- [String[1]] - Default:telnet- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure telnet client is not installed":
pkg_name: "telnet"
Alternate Config IDs:
2.3.4c2_3_4ensure_telnet_client_is_not_installed
Resource:
Sce_linux::Utils::Packages::Absenter['Remove Telnet Client']
2.3.5 - Ensure tftp client is not installed
Parameters:
pkg_name- [String[1]] - Default:tftp- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure tftp client is not installed":
pkg_name: "tftp"
Alternate Config IDs:
2.3.5c2_3_5ensure_tftp_client_is_not_installed
Resource:
Sce_linux::Utils::Packages::Absenter['Remove TFTP client']
3.1.2 - Ensure wireless interfaces are disabled
Parameters:
wwan- [Boolean] - Default:true- Whether to disable wwanwifi- [Boolean] - Default:true- Whether to disable wifi
Supported Profiles & Levels:
server, level_1server, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure wireless interfaces are disabled":
wwan: true
wifi: true
Alternate Config IDs:
3.1.2c3_1_2ensure_wireless_interfaces_are_disabled
Resource:
Sce_linux::Utils::Network::Disable_wireless_interfaces['Disable wireless interfaces']
3.1.3 - Ensure bluetooth services are not in use
Parameters:
pkg_name- [String[1]] - Default:bluez- Name of package to remove.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure bluetooth services are not in use":
pkg_name: "bluez"
Alternate Config IDs:
3.1.3c3_1_3ensure_bluetooth_services_are_not_in_use
Resource:
Sce_linux::Utils::Packages::Absenter['Do not use bluetooth services']
3.2.1 - Ensure dccp kernel module is not available
Parameters:
conf_file- [String[1]] - Default:sce_disable_dccp- A unique name for the config file without a path of file extensioncontent- [Optional[String]] - Default:install dccp /bin/false blacklist dccp- The file content. Mutually exclusive with source.
Supported Profiles & Levels:
server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure dccp kernel module is not available":
conf_file: "sce_disable_dccp"
content: "install dccp /bin/false\nblacklist dccp\n"
Alternate Config IDs:
3.2.1c3_2_1ensure_dccp_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Modprobe_conf['Disable DCCP']
3.2.2 - Ensure tipc kernel module is not available
Parameters:
conf_file- [String[1]] - Default:sce_disable_tipc- A unique name for the config file without a path of file extensioncontent- [Optional[String]] - Default:install tipc /bin/false blacklist tipc- The file content. Mutually exclusive with source.
Supported Profiles & Levels:
server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure tipc kernel module is not available":
conf_file: "sce_disable_tipc"
content: "install tipc /bin/false\nblacklist tipc\n"
Alternate Config IDs:
3.2.2c3_2_2ensure_tipc_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Modprobe_conf['Ensure tipc kernel module is not available']
3.2.3 - Ensure rds kernel module is not available
Parameters:
conf_file- [String[1]] - Default:sce_disable_rds- A unique name for the config file without a path of file extensioncontent- [Optional[String]] - Default:install rds /bin/false blacklist rds- The file content. Mutually exclusive with source.
Supported Profiles & Levels:
server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure rds kernel module is not available":
conf_file: "sce_disable_rds"
content: "install rds /bin/false\nblacklist rds\n"
Alternate Config IDs:
3.2.3c3_2_3ensure_rds_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Modprobe_conf['Disable rds kernel module']
3.2.4 - Ensure sctp kernel module is not available
Parameters:
conf_file- [String[1]] - Default:sce_disable_sctp- A unique name for the config file without a path of file extensioncontent- [Optional[String]] - Default:install sctp /bin/false blacklist sctp- The file content. Mutually exclusive with source.
Supported Profiles & Levels:
server, level_2workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure sctp kernel module is not available":
conf_file: "sce_disable_sctp"
content: "install sctp /bin/false\nblacklist sctp\n"
Alternate Config IDs:
3.2.4c3_2_4ensure_sctp_kernel_module_is_not_available
Resource:
Sce_linux::Utils::Modprobe_conf['Disable SCTP']
3.3.1 - Ensure ip forwarding is disabled
Parameters:
target- [String[1]] - Default:/etc/sysctl.d/90-disable_ip_forwarding.conf- The sysctl file that values will be written to.persist- [Boolean] - Default:true- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment- [String] - Default:MANAGED BY PUPPET- A comment to add to add to each setting.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure ip forwarding is disabled":
target: "/etc/sysctl.d/90-disable_ip_forwarding.conf"
persist: true
comment: "MANAGED BY PUPPET"
Alternate Config IDs:
3.3.1c3_3_1ensure_ip_forwarding_is_disabled
Resource:
Class['sce_linux::utils::network::disable_ip_forwarding']
3.3.2 - Ensure packet redirect sending is disabled
Parameters:
target- [String[1]] - Default:/etc/sysctl.d/90-disable_packet_redirect_sending.conf- The sysctl file that values will be written to.persist- [Boolean] - Default:true- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment- [String] - Default:MANAGED BY PUPPET- A comment to add to add to each setting.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure packet redirect sending is disabled":
target: "/etc/sysctl.d/90-disable_packet_redirect_sending.conf"
persist: true
comment: "MANAGED BY PUPPET"
Alternate Config IDs:
3.3.2c3_3_2ensure_packet_redirect_sending_is_disabled
Resource:
Class['sce_linux::utils::network::disable_packet_redirect_sending']
3.3.3 - Ensure bogus icmp responses are ignored
Parameters:
target- [String[1]] - Default:/etc/sysctl.d/90-ignore_bogus_icmp.conf- The sysctl file that values will be written to.persist- [Boolean] - Default:true- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment- [String] - Default:MANAGED BY PUPPET- A comment to add to add to each setting.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure bogus icmp responses are ignored":
target: "/etc/sysctl.d/90-ignore_bogus_icmp.conf"
persist: true
comment: "MANAGED BY PUPPET"
Alternate Config IDs:
3.3.3c3_3_3ensure_bogus_icmp_responses_are_ignored
Resource:
Class['sce_linux::utils::network::ignore_bogus_icmp']
3.3.4 - Ensure broadcast icmp requests are ignored
Parameters:
target- [String[1]] - Default:/etc/sysctl.d/90-ignore_icmp_broadcast.conf- The sysctl file that values will be written to.persist- [Boolean] - Default:true- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment- [String] - Default:MANAGED BY PUPPET- A comment to add to add to each setting.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure broadcast icmp requests are ignored":
target: "/etc/sysctl.d/90-ignore_icmp_broadcast.conf"
persist: true
comment: "MANAGED BY PUPPET"
Alternate Config IDs:
3.3.4c3_3_4ensure_broadcast_icmp_requests_are_ignored
Resource:
Class['sce_linux::utils::network::ignore_icmp_broadcast']
3.3.5 - Ensure icmp redirects are not accepted
Parameters:
disable_ipv4_accept_default- [Boolean] - Default:true- Disable accepting IPv4 ICMP redirects on default routedisable_ipv4_accept_all- [Boolean] - Default:true- Disable accepting IPv4 ICMP redirects on all routesdisable_ipv6_accept_default- [Boolean] - Default:true- Disable accepting IPv6 ICMP redirects on default routedisable_ipv6_accept_all- [Boolean] - Default:true- Disable accepting IPv6 ICMP redirects on all routes
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure icmp redirects are not accepted":
disable_ipv4_accept_default: true
disable_ipv4_accept_all: true
disable_ipv6_accept_default: true
disable_ipv6_accept_all: true
Alternate Config IDs:
3.3.5c3_3_5ensure_icmp_redirects_are_not_accepted
Resource:
Class['sce_linux::utils::network::disable_icmp_redirects']
3.3.6 - Ensure secure icmp redirects are not accepted
Parameters:
target- [String[1]] - Default:/etc/sysctl.d/90-disable_secure_icmp_redirects.conf- The sysctl file that values will be written to.persist- [Boolean] - Default:true- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment- [String] - Default:MANAGED BY PUPPET- A comment to add to add to each setting.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure secure icmp redirects are not accepted":
target: "/etc/sysctl.d/90-disable_secure_icmp_redirects.conf"
persist: true
comment: "MANAGED BY PUPPET"
Alternate Config IDs:
3.3.6c3_3_6ensure_secure_icmp_redirects_are_not_accepted
Resource:
Class['sce_linux::utils::network::disable_secure_icmp_redirects']
3.3.7 - Ensure reverse path filtering is enabled
Parameters:
target- [String[1]] - Default:/etc/sysctl.d/90-enable_reverse_path_filtering.conf- The sysctl file that values will be written to.persist- [Boolean] - Default:true- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment- [String] - Default:MANAGED BY PUPPET- A comment to add to add to each setting.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure reverse path filtering is enabled":
target: "/etc/sysctl.d/90-enable_reverse_path_filtering.conf"
persist: true
comment: "MANAGED BY PUPPET"
Alternate Config IDs:
3.3.7c3_3_7ensure_reverse_path_filtering_is_enabled
Resource:
Class['sce_linux::utils::network::enable_reverse_path_filtering']
3.3.8 - Ensure source routed packets are not accepted
Parameters:
target- [String[1]] - Default:/etc/sysctl.d/90-disable_source_routes.conf- The sysctl file that values will be written to.persist- [Boolean] - Default:true- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment- [String] - Default:MANAGED BY PUPPET- A comment to add to add to each setting.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure source routed packets are not accepted":
target: "/etc/sysctl.d/90-disable_source_routes.conf"
persist: true
comment: "MANAGED BY PUPPET"
Alternate Config IDs:
3.3.8c3_3_8ensure_source_routed_packets_are_not_accepted
Resource:
Class['sce_linux::utils::network::disable_source_routes']
3.3.9 - Ensure suspicious packets are logged
Parameters:
target- [String[1]] - Default:/etc/sysctl.d/90-enable_log_martians.conf- The sysctl file that values will be written to.persist- [Boolean] - Default:true- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment- [String] - Default:MANAGED BY PUPPET- A comment to add to add to each setting.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure suspicious packets are logged":
target: "/etc/sysctl.d/90-enable_log_martians.conf"
persist: true
comment: "MANAGED BY PUPPET"
Alternate Config IDs:
3.3.9c3_3_9ensure_suspicious_packets_are_logged
Resource:
Class['sce_linux::utils::network::enable_log_martians']
3.3.10 - Ensure tcp syn cookies is enabled
Parameters:
target- [String[1]] - Default:/etc/sysctl.d/90-enable_tcp_syn_cookies.conf- The sysctl file that values will be written to.persist- [Boolean] - Default:true- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment- [String] - Default:MANAGED BY PUPPET- A comment to add to add to each setting.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure tcp syn cookies is enabled":
target: "/etc/sysctl.d/90-enable_tcp_syn_cookies.conf"
persist: true
comment: "MANAGED BY PUPPET"
Alternate Config IDs:
3.3.10c3_3_10ensure_tcp_syn_cookies_is_enabled
Resource:
Class['sce_linux::utils::network::enable_tcp_syn_cookies']
3.3.11 - Ensure ipv6 router advertisements are not accepted
Parameters:
target- [String[1]] - Default:/etc/sysctl.d/90-disable_ipv6_router_advertisements.conf- The sysctl file that values will be written to.persist- [Boolean] - Default:true- If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.comment- [String] - Default:MANAGED BY PUPPET- A comment to add to add to each setting. Default:MANAGED BY PUPPET
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure ipv6 router advertisements are not accepted":
target: "/etc/sysctl.d/90-disable_ipv6_router_advertisements.conf"
persist: true
comment: "MANAGED BY PUPPET"
Alternate Config IDs:
3.3.11c3_3_11ensure_ipv6_router_advertisements_are_not_accepted
Resource:
Class['sce_linux::utils::network::disable_ipv6_router_advertisements']
3.4.1.2 - Ensure a single firewall configuration utility is in use
Parameters:
ensure_package- [Optional[Enum[\present\, \installed\, \latest\]]] - Default:installed- Ensure for the firewalld package resource. Default:installedensure_iptables_package- [Optional[Enum[\present\, \installed\, \latest\]]] - Default:installed- Ensure for the iptables package resource. Default:installedmerge_defaults- [Optional[Boolean]] - Default:true- If true, will merge user-specified parameters with class defaults, where appropriate. This affects the $ports parameter because this class specifies to open ports in the default settings, 22 and 8140, that are required for SSH and Puppet agent communication, respectively. These two port statements do not need to be redeclared if you have this parameter set to true. Default:truepurge_iptables_services- [Optional[Boolean]] - Default:true- When true, removes the packageiptables-services. Default:truepurge_nftables- [Optional[Boolean]] - Default:undef- When true, removes the packagenftables. If set to false, the nftables service is stopped and masked instead.default_zone- [Optional[String[1]]] - Default:public- Sets the default firewalld zone to this zone. Default:publiczones- [Optional[Hash]] - Default:{}- A hash of firewalld zones to create. Default:{}services- [Optional[Hash]] - Default:{}- A hash of services to create. Default:{}rich_rules- [Optional[Hash]] - Default:{}- A hash of rich firewall rules to create. Default:{}custom_services- [Optional[Hash]] - Default:{}- A hash of custom firewall services to create. This parameter is deprecated in puppet/firewalld and should not be used, but is exposed here for posterity. Default:{}ipsets- [Optional[Hash]] - Default:{}- A hash of ipsets to create. Default:{}direct_rules- [Optional[Hash]] - Default:{}- A hash of direct rules to create. Default:{}direct_chains- [Optional[Hash]] - Default:{}- A hash of direct chains to create. Default:{}direct_passthroughs- [Optional[Hash]] - Default:{}- A hash of direct passthroughs to create. Default:{}purge_direct_rules- [Optional[Boolean]] - Default:undef- If true, will purge all direct rules not managed by this class. Default:falsepurge_direct_chains- [Optional[Boolean]] - Default:undef- If true, will purge all direct chains not managed by this class. Default:falsepurge_direct_passthroughs- [Optional[Boolean]] - Default:undef- If true, will purge all direct passthroughs not managed by this class. Default:falsepurge_unknown_ipsets- [Optional[Boolean]] - Default:undef- If true, will purge all ipsets not managed by this class. Default:falsefirewall_backend- [Optional[Enum[\iptables\, \nftables\]]] - Default:nftables- Sets the firewall backend to use
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure a single firewall configuration utility is in use":
ensure_package: "installed"
ensure_iptables_package: "installed"
merge_defaults: true
purge_iptables_services: true
purge_nftables: <<Type Boolean>>
default_zone: "public"
zones: {}
services: {}
rich_rules: {}
custom_services: {}
ipsets: {}
direct_rules: {}
direct_chains: {}
direct_passthroughs: {}
purge_direct_rules: <<Type Boolean>>
purge_direct_chains: <<Type Boolean>>
purge_direct_passthroughs: <<Type Boolean>>
purge_unknown_ipsets: <<Type Boolean>>
firewall_backend: "nftables"
Alternate Config IDs:
3.4.1.2c3_4_1_2ensure_a_single_firewall_configuration_utility_is_in_use
Resource:
Class['sce_linux::utils::firewall::firewalld']
3.4.2.1 - Ensure firewalld is installed
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
3.4.2.1c3_4_2_1ensure_firewalld_is_installed
Resource:
Class['sce_linux::utils::firewall::firewalld']
3.4.2.2 - Ensure firewalld service enabled and running
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
3.4.2.2c3_4_2_2ensure_firewalld_service_enabled_and_running
Resource:
Class['sce_linux::utils::firewall::firewalld']
3.4.2.4 - Ensure network interfaces are assigned to appropriate zone
Parameters:
No parameters
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Alternate Config IDs:
3.4.2.4c3_4_2_4ensure_network_interfaces_are_assigned_to_appropriate_zone
Resource:
Class['sce_linux::utils::firewall::firewalld']
4.1.1.1 - Ensure cron daemon is enabled and active
Parameters:
manage_package- [Boolean] - Default:true- If true, ensures the cron package is installed. See thepackage_nameparameter for more information.unmask_service- [Boolean] - Default:true- If true, unmasks thecrondservice.manage_service- [Boolean] - Default:true- If true, enables and runs the cron daemon with a service resource. See theservice_nameparameter for more information.cron_allow_path- [Stdlib::AbsolutePath] - Default:/etc/cron.allow- The path for the cron.allow file to manage. Only relevant ifset_cron_allow_permsis set totrue.manage_cron_allow- [Boolean] - Default:true- If true, creates the cron.allow file specified by thecron_allow_pathparameter and enforces0600permissions on the file.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure cron daemon is enabled and active":
manage_package: true
unmask_service: true
manage_service: true
cron_allow_path: "/etc/cron.allow"
manage_cron_allow: true
Alternate Config IDs:
4.1.1.1c4_1_1_1ensure_cron_daemon_is_enabled_and_active
Resource:
Class['sce_linux::utils::packages::linux::cron']
4.1.1.2 - Ensure permissions on /etc/crontab are configured
Parameters:
set_crontab_perms- [Boolean] - Default:true- If true, enforces permissions on /etc/crontab.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure permissions on /etc/crontab are configured":
set_crontab_perms: true
Alternate Config IDs:
4.1.1.2c4_1_1_2ensure_permissions_on_etccrontab_are_configured
Resource:
Class['sce_linux::utils::packages::linux::cron']
4.1.1.3 - Ensure permissions on /etc/cron.hourly are configured
Parameters:
set_hourly_cron_perms- [Boolean] - Default:true- If true, enforces permissions on /etc/cron.hourly.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure permissions on /etc/cron.hourly are configured":
set_hourly_cron_perms: true
Alternate Config IDs:
4.1.1.3c4_1_1_3ensure_permissions_on_etccron_hourly_are_configured
Resource:
Class['sce_linux::utils::packages::linux::cron']
4.1.1.4 - Ensure permissions on /etc/cron.daily are configured
Parameters:
set_daily_cron_perms- [Boolean] - Default:true- If true, enforces permissions on /etc/cron.daily.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure permissions on /etc/cron.daily are configured":
set_daily_cron_perms: true
Alternate Config IDs:
4.1.1.4c4_1_1_4ensure_permissions_on_etccron_daily_are_configured
Resource:
Class['sce_linux::utils::packages::linux::cron']
4.1.1.5 - Ensure permissions on /etc/cron.weekly are configured
Parameters:
set_weekly_cron_perms- [Boolean] - Default:true- If true, enforces permissions on /etc/cron.weekly.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure permissions on /etc/cron.weekly are configured":
set_weekly_cron_perms: true
Alternate Config IDs:
4.1.1.5c4_1_1_5ensure_permissions_on_etccron_weekly_are_configured
Resource:
Class['sce_linux::utils::packages::linux::cron']
4.1.1.6 - Ensure permissions on /etc/cron.monthly are configured
Parameters:
set_monthly_cron_perms- [Boolean] - Default:true- If true, enforces permissions on /etc/cron.monthly.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure permissions on /etc/cron.monthly are configured":
set_monthly_cron_perms: true
Alternate Config IDs:
4.1.1.6c4_1_1_6ensure_permissions_on_etccron_monthly_are_configured
Resource:
Class['sce_linux::utils::packages::linux::cron']
4.1.1.7 - Ensure permissions on /etc/cron.d are configured
Parameters:
set_cron_d_perms- [Boolean] - Default:true- If true, enforces permissions on /etc/cron.d.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure permissions on /etc/cron.d are configured":
set_cron_d_perms: true
Alternate Config IDs:
4.1.1.7c4_1_1_7ensure_permissions_on_etccron_d_are_configured
Resource:
Class['sce_linux::utils::packages::linux::cron']
4.1.1.8 - Ensure crontab is restricted to authorized users
Parameters:
manage_cron_allow- [Boolean] - Default:true- If true, creates the cron.allow file specified by thecron_allow_pathparameter and enforces0600permissions on the file.cron_allow_path- [Stdlib::AbsolutePath] - Default:/etc/cron.allow- The path for the cron.allow file to manage. Only relevant ifset_cron_allow_permsis set totrue.cron_allowlist- [Array[String[1]]] - Default:["root"]- An array of user names to add to the cron.allow file.purge_cron_deny- [Boolean] - If true, removes (if they exist) /etc/cron.deny and /etc/cron.d/cron.deny.manage_cron_deny- [Boolean] - Default:true- If true and file already exists, manages group and owner of cron.deny file at/etc/cron.denyand enforces0600permissions on the file.
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure crontab is restricted to authorized users":
manage_cron_allow: true
cron_allow_path: "/etc/cron.allow"
cron_allowlist: ["root"]
purge_cron_deny: false
manage_cron_deny: true
Alternate Config IDs:
4.1.1.8c4_1_1_8ensure_crontab_is_restricted_to_authorized_users
Resource:
Class['sce_linux::utils::packages::linux::cron']
4.1.2.1 - Ensure at is restricted to authorized users
Parameters:
at_allowlist- [Optional[Array[String[1]]]] - Default:["root"]- An array of user names to add to the at.allow file. Default: ['root']purge_at_deny- [Optional[Boolean]] - Default:undef- If true, removes /etc/at.deny. Default: truemanage_at_deny- [Optional[Boolean]] - Default:true- If true and file already exists, manages group and owner of at.deny file at/etc/at.denyand enforces0600permissions on the file. Default: false
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure at is restricted to authorized users":
at_allowlist: ["root"]
purge_at_deny: <<Type Boolean>>
manage_at_deny: true
Alternate Config IDs:
4.1.2.1c4_1_2_1ensure_at_is_restricted_to_authorized_users
Resource:
Class['sce_linux::utils::packages::linux::at']
4.2.1 - Ensure permissions on /etc/ssh/sshd_config are configured
Parameters:
enforce_sshd_config_perms- [Boolean] - Default:true
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure permissions on /etc/ssh/sshd_config are configured":
enforce_sshd_config_perms: true
Alternate Config IDs:
4.2.1c4_2_1ensure_permissions_on_etcsshsshd_config_are_configured
Resource:
Class['sce_linux::utils::packages::linux::ssh']
4.2.2 - Ensure permissions on SSH private host key files are configured
Parameters:
enforce_pri_host_key_perms- [Boolean] - Default:true
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure permissions on SSH private host key files are configured":
enforce_pri_host_key_perms: true
Alternate Config IDs:
4.2.2c4_2_2ensure_permissions_on_ssh_private_host_key_files_are_configured
Resource:
Class['sce_linux::utils::packages::linux::ssh']
4.2.3 - Ensure permissions on SSH public host key files are configured
Parameters:
enforce_pub_host_key_perms- [Boolean] - Default:true
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure permissions on SSH public host key files are configured":
enforce_pub_host_key_perms: true
Alternate Config IDs:
4.2.3c4_2_3ensure_permissions_on_ssh_public_host_key_files_are_configured
Resource:
Class['sce_linux::utils::packages::linux::ssh']
4.2.4 - Ensure sshd access is configured
Parameters:
allow_users- [Optional[Array[String[1]]]] - Default:undefallow_groups- [Optional[Array[String[1]]]] - Default:undefdeny_users- [Optional[Array[String[1]]]] - Default:undefdeny_groups- [Optional[Array[String[1]]]] - Default:undef
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure sshd access is configured":
allow_users: <<Type Array[String[1]]>>
allow_groups: <<Type Array[String[1]]>>
deny_users: <<Type Array[String[1]]>>
deny_groups: <<Type Array[String[1]]>>
Alternate Config IDs:
4.2.4c4_2_4ensure_sshd_access_is_configured
Resource:
Class['sce_linux::utils::packages::linux::ssh']
4.2.5 - Ensure sshd Banner is configured
Parameters:
banner- [Optional[Stdlib::AbsolutePath]] - Default:/etc/issue.net
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure sshd Banner is configured":
banner: "/etc/issue.net"
Alternate Config IDs:
4.2.5c4_2_5ensure_sshd_banner_is_configured
Resource:
Class['sce_linux::utils::packages::linux::ssh']
4.2.6 - Ensure sshd Ciphers are configured
Parameters:
ciphers- [Optional[Array[String[1]]]] - Default:["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure sshd Ciphers are configured":
ciphers: ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]
Alternate Config IDs:
4.2.6c4_2_6ensure_sshd_ciphers_are_configured
Resource:
Class['sce_linux::utils::packages::linux::ssh']
4.2.7 - Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured
Parameters:
client_alive_interval- [Optional[Integer]] - Default:15client_alive_count_max- [Optional[Integer]] - Default:3
Supported Profiles & Levels:
server, level_1server, level_2workstation, level_1workstation, level_2
Hiera Configuration Example:
sce_linux::config:
control_configs:
"Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured":
client_alive_interval: 15
client_alive_count_max: 3
Alternate Config IDs:
What are tasks?
Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.
Tasks in this module release
audit_approved_services_listening
Report only approved services are listening on a network interface
audit_authselect
Audit authselect profile for RHEL family systems version 8+.
audit_boot
Audit if the system is configured to boot to the command line or to the graphical user interface.
audit_check_ipv6
Audits IPv6 configuration on the host.
audit_client_dns
Audit DNS servers configured in /etc/resolv.conf
audit_duplicate_gid
Finds and returns duplicate GIDs in /etc/group
audit_duplicate_group_names
Finds and returns duplicate group names in /etc/group.
audit_duplicate_uid
Finds duplicate UIDs in /etc/passwd and returns the UID and all users that use it
audit_duplicate_user_names
Finds and returns duplicate user names in /etc/passwd.
audit_etc_shadow
Verify if /etc/shadow have empty password fields
audit_etcpasswd_groups
Finds groups that exist in /etc/passwd but do not exist in /etc/group
audit_firewalld_config
Returns the results of firewall-cmd --list-all
audit_for_emergency_accounts
Audit all accounts expiration dates for removal.
audit_journald_log_rotation
Report journald log rotation is configured per site policy
audit_journald_logs_to_rsyslog
Report journald is not configured to send logs to rsyslog
audit_kerberos_keytab_files
List all the keytab files on the system at /etc
audit_library_files
Audit library files permission, ownership, and group ownership
audit_mcafee_endpoint_security
Audit McAfee Endpoint Security for RHEL-family systems.
audit_no_execution_bit_flag
Audit for the no-execution bit flag on the system
audit_partition_crypto
Audit partition cryptography
audit_pkcs11_eventmgr
This task will report on whether the screen is locked or not when using smart card.
audit_pw_change_date
Returns the last password change date for all users
audit_selinux_user_roles
Returns the output of 'semanage user -l' on the target system
audit_sgid_executables
A short description of this task
audit_shadow_group
Finds and returns any users in the shadow group
audit_sshd_installation
Verify if sshd is installed
audit_sshd_status
Report sshd status
audit_sssd_certmap
Audit the existance of sssd certmap configuration
audit_sudo_authentication_timeout
Return the sudo authentication timeout in minutes
Change log
The changelog for SCE for Linux lives on the official documentation site.
Dependencies
- puppetlabs/stdlib (>= 4.13.1 < 10.0.0)
- puppetlabs/concat (>= 6.4.0 < 10.0.0)
- puppetlabs/inifile (>= 1.6.0 < 7.0.0)
- puppetlabs/augeas_core (>= 1.1.1 < 2.0.0)
- puppetlabs/firewall (>= 5.0.0 < 9.0.0)
- puppet/firewalld (>= 4.5.0 < 6.0.0)
- puppet/logrotate (>= 5.0.0 < 8.0.0)
- puppet/selinux (>= 3.2.0 < 5.0.0)
- puppet/systemd (>= 3.5.0 < 7.0.0)