Premium module

sce_linux

Security Compliance Enforcement for Linux

Module Stats

1,152 downloads

159 latest version

Security Compliance Enforcement is a premium feature for Puppet Enterprise and Puppet Core

Security Compliance Enforcement uses Puppet policy-as-code (PaC) to enforce security configurations aligned to CIS Benchmarks and DISA STIGs, giving you a leg up on many compliance expectations and streamlining audit prep. In Puppet Enterprise, it is accessed through the included Security Compliance Management Console.

It can be applied to Puppet Enterprise or Puppet Core (see the compatibility list below).

Version information

released Feb 4th 2025

This version is compatible with:

Puppet Enterprise 2025.2.x, 2025.1.x, 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
Puppet >= 6.23.0 < 9.0.0
, , , ,

Tasks:

audit_client_dns

audit_approved_services_listening

audit_authselect

audit_boot

audit_check_ipv6

audit_duplicate_gid

audit_duplicate_group_names

and 55 more. See all tasks

Tags: security, hardening, compliance, stig, cis, comply

Documentation

puppetlabs/sce_linux — version 2.3.1 Feb 4th 2025

`sce_linux`

Product documentation is available on the Puppet Docs website.

SCE for Linux Reference

CIS Red Hat Enterprise Linux 7 Benchmark 4.0.0
Red Hat Enterprise Linux 7 Security Technical Implementation Guide 3
CIS Red Hat Enterprise Linux 8 Benchmark 3.0.0
Red Hat Enterprise Linux 8 Security Technical Implementation Guide 1
CIS Red Hat Enterprise Linux 9 Benchmark 1.0.0
CIS Oracle Linux 7 Benchmark 4.0.0
CIS Oracle Linux 8 Benchmark 3.0.0
CIS Oracle Linux 9 Benchmark 1.0.0
CIS AlmaLinux OS 8 Benchmark 3.0.0
CIS Rocky Linux 8 Benchmark 2.0.0
CIS Ubuntu Linux 20.04 LTS Benchmark 2.0.1
CIS Ubuntu Linux 22.04 LTS Benchmark 2.0.0
List of known CIS control sections that use plans and tasks:

CIS Red Hat Enterprise Linux 7 Benchmark 4.0.0

1.1.1.1 - Ensure cramfs kernel module is not available

Parameters:

filesystem - [ String[1] ] - Default: cramfs - Filesystem to disable, example xfs.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure cramfs kernel module is not available":
      filesystem: "cramfs"

Alternate Config IDs:

1.1.1.1
c1_1_1_1
ensure_cramfs_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Disable_fs_mounting['Disable cramfs filesystem mounting']

1.1.1.2 - Ensure freevxfs kernel module is not available

Parameters:

filesystem - [ String[1] ] - Default: freevxfs - Filesystem to disable, example xfs.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure freevxfs kernel module is not available":
      filesystem: "freevxfs"

Alternate Config IDs:

1.1.1.2
c1_1_1_2
ensure_freevxfs_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Disable_fs_mounting['Ensure freevxfs module is not available']

1.1.1.3 - Ensure hfs kernel module is not available

Parameters:

filesystem - [ String[1] ] - Default: hfs - Filesystem to disable, example xfs.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure hfs kernel module is not available":
      filesystem: "hfs"

Alternate Config IDs:

1.1.1.3
c1_1_1_3
ensure_hfs_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Disable_fs_mounting['Ensure hfs module is not available']

1.1.1.4 - Ensure hfsplus kernel module is not available

Parameters:

filesystem - [ String[1] ] - Default: hfsplus - Filesystem to disable, example xfs.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure hfsplus kernel module is not available":
      filesystem: "hfsplus"

Alternate Config IDs:

1.1.1.4
c1_1_1_4
ensure_hfsplus_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Disable_fs_mounting['Ensure hfsplus module is not available']

1.1.1.5 - Ensure jffs2 kernel module is not available

Parameters:

conf_file - [ String[1] ] - Default: sce_disable_jffs2 - A unique name for the config file without a path of file extension
content - [ Optional[String] ] - Default: install jffs2 /bin/false blacklist jffs2 - The file content. Mutually exclusive with source.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure jffs2 kernel module is not available":
      conf_file: "sce_disable_jffs2"
      content: "install jffs2 /bin/false\nblacklist jffs2\n"

Alternate Config IDs:

1.1.1.5
c1_1_1_5
ensure_jffs2_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Modprobe_conf['Ensure jffs2 kernel module is not available']

1.1.1.6 - Ensure squashfs kernel module is not available

Parameters:

filesystem - [ String[1] ] - Default: squashfs - Filesystem to disable, example xfs.

Supported Profiles & Levels:

server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure squashfs kernel module is not available":
      filesystem: "squashfs"

Alternate Config IDs:

1.1.1.6
c1_1_1_6
ensure_squashfs_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Disable_fs_mounting['Disable squashfs filesystem mounting']

1.1.1.7 - Ensure udf kernel module is not available

Parameters:

filesystem - [ String[1] ] - Default: udf - Filesystem to disable, example xfs.

Supported Profiles & Levels:

server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure udf kernel module is not available":
      filesystem: "udf"

Alternate Config IDs:

1.1.1.7
c1_1_1_7
ensure_udf_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Disable_fs_mounting['Disable udf filesystem mounting']

1.1.1.8 - Ensure usb-storage kernel module is not available

Parameters:

conf_file - [ String[1] ] - Default: sce_disable_usb_storage - A unique name for the config file without a path of file extension
content - [ Optional[String] ] - Default: install usb-storage /bin/false blacklist usb-storage - The file content. Mutually exclusive with source.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure usb-storage kernel module is not available":
      conf_file: "sce_disable_usb_storage"
      content: "install usb-storage /bin/false\nblacklist usb-storage\n"

Alternate Config IDs:

1.1.1.8
c1_1_1_8
ensure_usb_storage_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Modprobe_conf['Ensure usb-storage kernel module is not available']

1.1.2.1.2 - Ensure nodev option set on /tmp partition

Parameters:

nodev - [ Boolean ] - Default: true - Set nodev mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nodev option set on /tmp partition":
      nodev: true

Alternate Config IDs:

1.1.2.1.2
c1_1_2_1_2
ensure_nodev_option_set_on_tmp_partition

Resource:

Class['sce_linux::utils::tmp_mount']

1.1.2.1.3 - Ensure nosuid option set on /tmp partition

Parameters:

nosuid - [ Boolean ] - Default: true - Set nosuid mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nosuid option set on /tmp partition":
      nosuid: true

Alternate Config IDs:

1.1.2.1.3
c1_1_2_1_3
ensure_nosuid_option_set_on_tmp_partition

Resource:

Class['sce_linux::utils::tmp_mount']

1.1.2.1.4 - Ensure noexec option set on /tmp partition

Parameters:

noexec - [ Boolean ] - Default: true - Set noexec mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure noexec option set on /tmp partition":
      noexec: true

Alternate Config IDs:

1.1.2.1.4
c1_1_2_1_4
ensure_noexec_option_set_on_tmp_partition

Resource:

Class['sce_linux::utils::tmp_mount']

1.1.2.2.2 - Ensure nodev option set on /dev/shm partition

Parameters:

nodev - [ Boolean ] - Default: true - Whether to set the nodev option.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nodev option set on /dev/shm partition":
      nodev: true

Alternate Config IDs:

1.1.2.2.2
c1_1_2_2_2
ensure_nodev_option_set_on_devshm_partition

Resource:

Class['sce_linux::utils::dev_shm_fstab_entry']

1.1.2.2.3 - Ensure nosuid option set on /dev/shm partition

Parameters:

nosuid - [ Boolean ] - Default: true - Whether to set the nosuid option.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nosuid option set on /dev/shm partition":
      nosuid: true

Alternate Config IDs:

1.1.2.2.3
c1_1_2_2_3
ensure_nosuid_option_set_on_devshm_partition

Resource:

Class['sce_linux::utils::dev_shm_fstab_entry']

1.1.2.2.4 - Ensure noexec option set on /dev/shm partition

Parameters:

noexec - [ Boolean ] - Default: true - Whether to set the noexec option.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure noexec option set on /dev/shm partition":
      noexec: true

Alternate Config IDs:

1.1.2.2.4
c1_1_2_2_4
ensure_noexec_option_set_on_devshm_partition

Resource:

Class['sce_linux::utils::dev_shm_fstab_entry']

1.1.2.3.2 - Ensure nodev option set on /home partition

Parameters:

nodev - [ Boolean ] - Default: true - Set nodev option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nodev option set on /home partition":
      nodev: true

Alternate Config IDs:

1.1.2.3.2
c1_1_2_3_2
ensure_nodev_option_set_on_home_partition

Resource:

Class['sce_linux::utils::homedir_mount_opts']

1.1.2.3.3 - Ensure nosuid option set on /home partition

Parameters:

nosuid - [ Boolean ] - Default: true - Set nosuid option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nosuid option set on /home partition":
      nosuid: true

Alternate Config IDs:

1.1.2.3.3
c1_1_2_3_3
ensure_nosuid_option_set_on_home_partition

Resource:

Class['sce_linux::utils::homedir_mount_opts']

1.1.2.4.2 - Ensure nodev option set on /var partition

Parameters:

nodev - [ Boolean ] - Default: true - Set the nodev option on the mount point

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nodev option set on /var partition":
      nodev: true

Alternate Config IDs:

1.1.2.4.2
c1_1_2_4_2
ensure_nodev_option_set_on_var_partition

Resource:

Class['sce_linux::utils::var_mount_options']

1.1.2.4.3 - Ensure nosuid option set on /var partition

Parameters:

nosuid - [ Boolean ] - Default: true - Set the nosuid option on the mount point

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nosuid option set on /var partition":
      nosuid: true

Alternate Config IDs:

1.1.2.4.3
c1_1_2_4_3
ensure_nosuid_option_set_on_var_partition

Resource:

Class['sce_linux::utils::var_mount_options']

1.1.2.5.2 - Ensure nodev option set on /var/tmp partition

Parameters:

nodev - [ Boolean ] - Default: true - Set nodev mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nodev option set on /var/tmp partition":
      nodev: true

Alternate Config IDs:

1.1.2.5.2
c1_1_2_5_2
ensure_nodev_option_set_on_vartmp_partition

Resource:

Class['sce_linux::utils::var_tmp_mount_options']

1.1.2.5.3 - Ensure nosuid option set on /var/tmp partition

Parameters:

nosuid - [ Boolean ] - Default: true - Set nosuid mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nosuid option set on /var/tmp partition":
      nosuid: true

Alternate Config IDs:

1.1.2.5.3
c1_1_2_5_3
ensure_nosuid_option_set_on_vartmp_partition

Resource:

Class['sce_linux::utils::var_tmp_mount_options']

1.1.2.5.4 - Ensure noexec option set on /var/tmp partition

Parameters:

noexec - [ Boolean ] - Default: true - Set noexec mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure noexec option set on /var/tmp partition":
      noexec: true

Alternate Config IDs:

1.1.2.5.4
c1_1_2_5_4
ensure_noexec_option_set_on_vartmp_partition

Resource:

Class['sce_linux::utils::var_tmp_mount_options']

1.1.2.6.2 - Ensure nodev option set on /var/log partition

Parameters:

nodev - [ Boolean ] - Default: true - Set nodev mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nodev option set on /var/log partition":
      nodev: true

Alternate Config IDs:

1.1.2.6.2
c1_1_2_6_2
ensure_nodev_option_set_on_varlog_partition

Resource:

Class['sce_linux::utils::var_log_mount_options']

1.1.2.6.3 - Ensure nosuid option set on /var/log partition

Parameters:

nosuid - [ Boolean ] - Default: true - Set nosuid mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nosuid option set on /var/log partition":
      nosuid: true

Alternate Config IDs:

1.1.2.6.3
c1_1_2_6_3
ensure_nosuid_option_set_on_varlog_partition

Resource:

Class['sce_linux::utils::var_log_mount_options']

1.1.2.6.4 - Ensure noexec option set on /var/log partition

Parameters:

noexec - [ Boolean ] - Default: true - Set noexec mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure noexec option set on /var/log partition":
      noexec: true

Alternate Config IDs:

1.1.2.6.4
c1_1_2_6_4
ensure_noexec_option_set_on_varlog_partition

Resource:

Class['sce_linux::utils::var_log_mount_options']

1.1.2.7.2 - Ensure nodev option set on /var/log/audit partition

Parameters:

nodev - [ Boolean ] - Default: true - Set nodev mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nodev option set on /var/log/audit partition":
      nodev: true

Alternate Config IDs:

1.1.2.7.2
c1_1_2_7_2
ensure_nodev_option_set_on_varlogaudit_partition

Resource:

Class['sce_linux::utils::var_log_audit_mount_options']

1.1.2.7.3 - Ensure nosuid option set on /var/log/audit partition

Parameters:

nosuid - [ Boolean ] - Default: true - Set nosuid mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nosuid option set on /var/log/audit partition":
      nosuid: true

Alternate Config IDs:

1.1.2.7.3
c1_1_2_7_3
ensure_nosuid_option_set_on_varlogaudit_partition

Resource:

Class['sce_linux::utils::var_log_audit_mount_options']

1.1.2.7.4 - Ensure noexec option set on /var/log/audit partition

Parameters:

noexec - [ Boolean ] - Default: true - Set noexec mount option

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure noexec option set on /var/log/audit partition":
      noexec: true

Alternate Config IDs:

1.1.2.7.4
c1_1_2_7_4
ensure_noexec_option_set_on_varlogaudit_partition

Resource:

Class['sce_linux::utils::var_log_audit_mount_options']

1.2.2 - Ensure gpgcheck is globally activated

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

1.2.2
c1_2_2
ensure_gpgcheck_is_globally_activated

Resource:

Class['sce_linux::utils::yum::enable_gpgcheck']

1.3.1 - Ensure bootloader password is set

Parameters:

password_protect - [ Boolean ] - Default: true - Whether or not to password protect the bootloader.
superuser - [ Optional[String[1]] ] - Default: undef - The username of the grub2 superuser. This is used to set a superuser password in the bootloader configuration. This is only used if password_protect is true.
superuser_password - [ Optional[Sensitive[String]] ] - Default: undef - The password of the grub2 superuser. This will be the superuser password in the bootloader configuration. This is only used if password_protect is true.
password_file - [ Stdlib::UnixPath ] - Default: /etc/grub.d/50_password - The path to the file containing the bootloader password(s). This is only used if password_protect is true.
replace_password_file - [ Boolean ] - If true, replaces the password file if it exists with a NEW hash of the password. Also, when set to true, this resource is NOT idempotent. When set to false, this prevent accidental overwriting of the password file with a new hash of the same password.
hash_superuser_password - [ Boolean ] - Default: true - If true, the superuser password will be hashed using PBKDF2-HMAC-SHA512. If false, the superuser password will be stored in the password file as-is. This is only used if password_protect is true.
superuser_password_salt_length - [ Optional[Integer] ] - Default: undef - The length of the salt in bits used to hash the superuser password. Default is 128. This is optional and only used if password_protect and hash_superuser_password are true.
superuser_password_buffer_length - [ Optional[Integer] ] - Default: undef - The length of the resulting hash. Default is 128. This is optional and only used if password_protect and hash_superuser_password are true.
superuser_password_iterations - [ Optional[Integer] ] - Default: undef - The number of times the password is passed through the hash function. Default is 120000. This is optional and only used if password_protect and hash_superuser_password are true.
other_users - [ Optional[Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]] ] - Default: undef - An array of structured hashes to add other users besides the superuser to the password file. This is optional only used if password_protect is true. The users specified here will be added to the password file as regular users, not superusers. Other user passwords will be hashed using PBKDF2-HMAC-SHA512, just like the superuser password, if hash_other_user_passwords is true.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure bootloader password is set":
      password_protect: true
      superuser: <<Type String[1]>>
      superuser_password: <<Type Sensitive[String]>>
      password_file: "/etc/grub.d/50_password"
      replace_password_file: false
      hash_superuser_password: true
      superuser_password_salt_length: <<Type Integer>>
      superuser_password_buffer_length: <<Type Integer>>
      superuser_password_iterations: <<Type Integer>>
      other_users: <<Type Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]>>

Alternate Config IDs:

1.3.1
c1_3_1
ensure_bootloader_password_is_set

Resource:

Class['sce_linux::utils::bootloader::grub2']

1.3.2 - Ensure permissions on bootloader config are configured

Parameters:

ensure_permissions - [ Boolean ] - Default: true - Whether or not to enforce correct permissions on the bootloader files.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on bootloader config are configured":
      ensure_permissions: true

Alternate Config IDs:

1.3.2
c1_3_2
ensure_permissions_on_bootloader_config_are_configured

Resource:

Class['sce_linux::utils::bootloader::grub2']

1.3.3 - Ensure authentication required for single user mode

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

1.3.3
c1_3_3
ensure_authentication_required_for_single_user_mode

Resource:

Class['sce_linux::utils::single_user_mode_authentication']

1.4.1 - Ensure address space layout randomization (ASLR) is enabled

Parameters:

sysctl_file - [ String ] - Default: 10-enable_aslr.conf - The sysctl file that values will be written to.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure address space layout randomization (ASLR) is enabled":
      sysctl_file: "10-enable_aslr.conf"

Alternate Config IDs:

1.4.1
c1_4_1
ensure_address_space_layout_randomization_aslr_is_enabled

Resource:

Class['sce_linux::utils::enable_aslr']

1.4.2 - Ensure ptrace_scope is restricted

Parameters:

value - [ String[1] ] - Default: 1 - The value to set on EACH setting. Is passed directly to the sysctl provider.
target - [ Stdlib::AbsolutePath ] - Default: /etc/sysctl.d/90-kernel_yama_ptrace_scope.conf - A path to a file to write the sysctl settings to.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure ptrace_scope is restricted":
      value: "1"
      target: "/etc/sysctl.d/90-kernel_yama_ptrace_scope.conf"

Alternate Config IDs:

1.4.2
c1_4_2
ensure_ptrace_scope_is_restricted

Resource:

Sce_linux::Utils::Multi_sysctl['kernel.yama.ptrace_scope']

1.4.3 - Ensure core dump backtraces are disabled

Parameters:

process_size_max - [ String[1] ] - Default: 0

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure core dump backtraces are disabled":
      process_size_max: "0"

Alternate Config IDs:

1.4.3
c1_4_3
ensure_core_dump_backtraces_are_disabled

Resource:

Class['sce_linux::utils::disable_core_dumps']

1.4.4 - Ensure core dump storage is disabled

Parameters:

storage - [ Enum["none", "external", "journal"] ] - Default: none

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure core dump storage is disabled":
      storage: "none"

Alternate Config IDs:

1.4.4
c1_4_4
ensure_core_dump_storage_is_disabled

Resource:

Class['sce_linux::utils::disable_core_dumps']

1.5.1.1 - Ensure SELinux is installed

Parameters:

manage_package - [ Optional[Boolean] ] - Default: true - Enable or disable selinux package management.
package_name - [ Optional[String[1]] ] - Default: libselinux - Name of package.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure SELinux is installed":
      manage_package: true
      package_name: "libselinux"

Alternate Config IDs:

1.5.1.1
c1_5_1_1
ensure_selinux_is_installed

Resource:

Class['sce_linux::utils::packages::linux::selinux']

1.5.1.2 - Ensure SELinux is not disabled in bootloader configuration

Parameters:

enable_selinux - [ Boolean ] - Default: true - Whether or not to enable SELinux in the bootloader boot command.
selinux_mode - [ Enum["permissive", "enforcing", "disabled"] ] - Default: enforcing - The SELinux enforcement mode to set in the bootloader. Only used if enable_selinux is true.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure SELinux is not disabled in bootloader configuration":
      enable_selinux: true
      selinux_mode: "enforcing"

Alternate Config IDs:

1.5.1.2
c1_5_1_2
ensure_selinux_is_not_disabled_in_bootloader_configuration

Resource:

Class['sce_linux::utils::bootloader::grub2']

1.5.1.3 - Ensure SELinux policy is configured

Parameters:

type - [ Optional[Enum[\targeted\, \mls\]] ] - Default: targeted - SELinux enforcement type.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure SELinux policy is configured":
      type: "targeted"

Alternate Config IDs:

1.5.1.3
c1_5_1_3
ensure_selinux_policy_is_configured

Resource:

Class['sce_linux::utils::packages::linux::selinux']

1.5.1.4 - Ensure the SELinux mode is not disabled

Parameters:

mode - [ Optional[Enum[\permissive\, \enforcing\]] ] - Default: enforcing - Selinux mode, permissive or enforcing. Disabled is not supported.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure the SELinux mode is not disabled":
      mode: "enforcing"

Alternate Config IDs:

1.5.1.4
c1_5_1_4
ensure_the_selinux_mode_is_not_disabled

Resource:

Class['sce_linux::utils::packages::linux::selinux']

1.5.1.5 - Ensure the SELinux mode is enforcing

Parameters:

mode - [ Optional[Enum[\permissive\, \enforcing\]] ] - Default: enforcing - Selinux mode, permissive or enforcing. Disabled is not supported.

Supported Profiles & Levels:

server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure the SELinux mode is enforcing":
      mode: "enforcing"

Alternate Config IDs:

1.5.1.5
c1_5_1_5
ensure_the_selinux_mode_is_enforcing

Resource:

Class['sce_linux::utils::packages::linux::selinux']

1.5.1.7 - Ensure the MCS Translation Service (mcstrans) is not installed

Parameters:

pkg_name - [ String[1] ] - Default: mcstrans - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure the MCS Translation Service (mcstrans) is not installed":
      pkg_name: "mcstrans"

Alternate Config IDs:

1.5.1.7
c1_5_1_7
ensure_the_mcs_translation_service_mcstrans_is_not_installed

Resource:

Sce_linux::Utils::Packages::Absenter['Do not install mcs translation service']

1.5.1.8 - Ensure SETroubleshoot is not installed

Parameters:

pkg_name - [ String[1] ] - Default: setroubleshoot - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure SETroubleshoot is not installed":
      pkg_name: "setroubleshoot"

Alternate Config IDs:

1.5.1.8
c1_5_1_8
ensure_setroubleshoot_is_not_installed

Resource:

Sce_linux::Utils::Packages::Absenter['Do not install setroubleshoot']

1.6.1 - Ensure message of the day is configured properly

Parameters:

dynamic_motd - [ Optional[Boolean] ] - Default: true - Enables or disables dynamic motd on Debian systems. Default true
motd_template - [ Optional[String[1]] ] - Default: undef - Specifies a custom motd template or text file. A template takes precedence over content. Valid options: '/mymodule/mytemplate.epp'.
motd_content - [ Optional[String] ] - Default: undef - Specifies a static string as the motd content. Default "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
issue_content - [ Optional[String] ] - Default: This is a secure system. Unauthorized access is strictly prohibited. - Specifies a static string as the /etc/issue content. Default "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
issue_net_content - [ Optional[String] ] - Default: This is a secure system. Unauthorized access is strictly prohibited.
issue_template - [ Optional[String[1]] ] - Default: undef - Specifies a custom template or text file to process and save to /etc/issue. A template takes precedence over issue_content.
issue_net_template - [ Optional[String[1]] ] - Default: undef - Specifies a custom template or text file to process and save to /etc/issue.net. A template takes precedence over issue_net_content.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure message of the day is configured properly":
      dynamic_motd: true
      motd_template: <<Type String[1]>>
      motd_content: <<Type String>>
      issue_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
      issue_net_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
      issue_template: <<Type String[1]>>
      issue_net_template: <<Type String[1]>>

Alternate Config IDs:

1.6.1
c1_6_1
ensure_message_of_the_day_is_configured_properly

Resource:

Class['sce_linux::utils::motd']

1.6.2 - Ensure local login warning banner is configured properly

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

1.6.2
c1_6_2
ensure_local_login_warning_banner_is_configured_properly

Resource:

Class['sce_linux::utils::motd']

1.6.3 - Ensure remote login warning banner is configured properly

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

1.6.3
c1_6_3
ensure_remote_login_warning_banner_is_configured_properly

Resource:

Class['sce_linux::utils::motd']

1.6.4 - Ensure access to /etc/motd is configured

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

1.6.4
c1_6_4
ensure_access_to_etcmotd_is_configured

Resource:

Class['sce_linux::utils::motd']

1.6.5 - Ensure access to /etc/issue is configured

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

1.6.5
c1_6_5
ensure_access_to_etcissue_is_configured

Resource:

Class['sce_linux::utils::motd']

1.6.6 - Ensure access to /etc/issue.net is configured

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

1.6.6
c1_6_6
ensure_access_to_etcissue_net_is_configured

Resource:

Class['sce_linux::utils::motd']

1.7.1 - Ensure GNOME Display Manager is removed

Parameters:

pkg_name - [ String[1] ] - Default: gdm - Name of package to remove.

Supported Profiles & Levels:

server, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure GNOME Display Manager is removed":
      pkg_name: "gdm"

Alternate Config IDs:

1.7.1
c1_7_1
ensure_gnome_display_manager_is_removed

Resource:

Sce_linux::Utils::Packages::Absenter['Remove gnome display manager']

1.7.2 - Ensure GDM login banner is configured

Parameters:

enable_banner_message - [ Boolean ] - Default: true - Enable the banner message for the GNOME login screen
set_banner_message_text - [ Optional[Boolean] ] - Default: true - DEPRECATED: Set the banner message text. This parameter is deprecated and will be removed in a future release. Please use the enable_banner_message parameter instead.
set_banner_message_text_key_value - [ Optional[Variant[Boolean, String[1], Integer]] ] - Default: This is a monitored system. Unauthorized access is prohibited.\n - DEPRECATED: The key's value of the set_banner_message_text dconf database keyfile that will be created under the section specified. Can be a boolean or a string or a number. This parameter is deprecated and will be removed in a future release. Please use the banner_message_text parameter instead.
dconf_profile_name - [ String ] - Default: gdm - The name of the dconf profile that will be created
dconf_profile_database - [ Array[String[1]] ] - Default: ["user-db:user", "system-db:gdm", "file-db:/usr/share/gdm/greeter-dconf-defaults"] - The database of the dconf profile that will be created
dconf_system_db - [ Array[String[1]] ] - Default: ["gdm"] - The system database of the dconf profile. For example, 'local', 'site', 'distro'
dconf_db_choice - [ Optional[Enum[\local\, \gdm\, \site\]] ] - Default: gdm - The name of the dconf database that will have keyfile created for it

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure GDM login banner is configured":
      enable_banner_message: true
      set_banner_message_text: true
      set_banner_message_text_key_value: "This is a monitored system. Unauthorized access is prohibited.\\n"
      dconf_profile_name: "gdm"
      dconf_profile_database: ["user-db:user", "system-db:gdm", "file-db:/usr/share/gdm/greeter-dconf-defaults"]
      dconf_system_db: ["gdm"]
      dconf_db_choice: "gdm"

Alternate Config IDs:

1.7.2
c1_7_2
ensure_gdm_login_banner_is_configured

Resource:

Class['sce_linux::utils::packages::linux::gnome']

1.7.3 - Ensure GDM disable-user-list option is enabled

Parameters:

disable_user_list_at_login_screen - [ Boolean ] - Default: true - Disable the user list at the login screen

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure GDM disable-user-list option is enabled":
      disable_user_list_at_login_screen: true

Alternate Config IDs:

1.7.3
c1_7_3
ensure_gdm_disable_user_list_option_is_enabled

Resource:

Class['sce_linux::utils::packages::linux::gnome']

1.7.4 - Ensure GDM screen locks when the user is idle

Parameters:

enable_session_lock - [ Boolean ] - Default: true - Enable the session lock Default false
set_inactivity_period - [ Boolean ] - Default: true - Set the inactivity period
set_screensaver_lock_delay - [ Boolean ] - Default: true - Set the screensaver lock delay

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure GDM screen locks when the user is idle":
      enable_session_lock: true
      set_inactivity_period: true
      set_screensaver_lock_delay: true

Alternate Config IDs:

1.7.4
c1_7_4
ensure_gdm_screen_locks_when_the_user_is_idle

Resource:

Class['sce_linux::utils::packages::linux::gnome']

1.7.5 - Ensure GDM screen locks cannot be overridden

Parameters:

prevent_overriding_a_session_lock - [ Boolean ] - Default: true - Prevent overriding a session lock
prevent_overriding_screensaver_lock - [ Boolean ] - Default: true - Prevent overriding the screensaver lock

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure GDM screen locks cannot be overridden":
      prevent_overriding_a_session_lock: true
      prevent_overriding_screensaver_lock: true

Alternate Config IDs:

1.7.5
c1_7_5
ensure_gdm_screen_locks_cannot_be_overridden

Resource:

Class['sce_linux::utils::packages::linux::gnome']

1.7.6 - Ensure GDM automatic mounting of removable media is disabled

Parameters:

disable_automount - [ Boolean ] - Default: true - Disable automount
disable_automount_open - [ Boolean ] - Default: true - Disable automount open

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure GDM automatic mounting of removable media is disabled":
      disable_automount: true
      disable_automount_open: true

Alternate Config IDs:

1.7.6
c1_7_6
ensure_gdm_automatic_mounting_of_removable_media_is_disabled

Resource:

Class['sce_linux::utils::packages::linux::gnome']

1.7.7 - Ensure GDM disabling automatic mounting of removable media is not overridden

Parameters:

ensure_automount_is_not_overriden - [ Boolean ] - Default: true

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure GDM disabling automatic mounting of removable media is not overridden":
      ensure_automount_is_not_overriden: true

Alternate Config IDs:

1.7.7
c1_7_7
ensure_gdm_disabling_automatic_mounting_of_removable_media_is_not_overridden

Resource:

Class['sce_linux::utils::packages::linux::gnome']

1.7.8 - Ensure GDM autorun-never is enabled

Parameters:

ensure_autorun_is_never_run - [ Boolean ] - Default: true - Ensure autorun is never run

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure GDM autorun-never is enabled":
      ensure_autorun_is_never_run: true

Alternate Config IDs:

1.7.8
c1_7_8
ensure_gdm_autorun_never_is_enabled

Resource:

Class['sce_linux::utils::packages::linux::gnome']

1.7.9 - Ensure GDM autorun-never is not overridden

Parameters:

ensure_autorun_never_is_locked - [ Boolean ] - Default: true - Ensure autorun never is locked

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure GDM autorun-never is not overridden":
      ensure_autorun_never_is_locked: true

Alternate Config IDs:

1.7.9
c1_7_9
ensure_gdm_autorun_never_is_not_overridden

Resource:

Class['sce_linux::utils::packages::linux::gnome']

1.7.10 - Ensure XDMCP is not enabled

Parameters:

disable_xdmcp - [ Boolean ] - Default: true - Disable XDMCP

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure XDMCP is not enabled":
      disable_xdmcp: true

Alternate Config IDs:

1.7.10
c1_7_10
ensure_xdmcp_is_not_enabled

Resource:

Class['sce_linux::utils::packages::linux::gnome']

2.1.1 - Ensure time synchronization is in use

Parameters:

preferred_package - [ Enum["chrony", "ntp", "systemd-timesyncd"] ] - Default: chrony - The preferred package to use for time synchronization.
manage_package - [ Boolean ] - Default: true - If true, the package will be installed and managed by Puppet.
force_exclusivity - [ Boolean ] - Default: true - If true, the package that was not chosen will be removed from the system. This means that if your preferred package is chrony, ntp will be removed. This only applies to RedHat-family operating systems.
timeservers - [ Array[String] ] - Default: Puppet::AST::LiteralList({'locator' => Puppet::AST::Locator({}), 'offset' => 3511, 'length' => 2}) - Array of strings starting with the type (pool, server, etc.), then hostname / ip, then any options. Each element of the timeservers array will be added to the chrony / ntp / systemd-timesyncd config file as is. Please see man chrony.conf(5), man ntp.conf(5), or man timesyncd.conf(5) for more details. Example (ntp / chrony): ['server 192.168.0.250 prefer iburst', 'server 192.168.0.251 iburst'] Example (systemd-timesyncd): ['pool 0.ubuntu.pool.ntp.org', 'pool 1.ubuntu.pool.ntp.org']
sysconfig_options - [ Optional[String[1]] ] - Default: undef - Options to be added to the sysconfig file for the chosen package. This defaults to -u chrony for the chrony package and -u ntp:ntp for the ntp package. This has no affect on the systemd-timesyncd package.
ntp_restricts - [ Optional[Array[String[1]]] ] - Default: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"] - Array of strings used to create restrict lines in the ntp config file. Defaults to `['-4 default kod nomodify notrap nopeer noquery', '-6 default kod nomodify notrap nopeer noquery']

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure time synchronization is in use":
      preferred_package: "chrony"
      manage_package: true
      force_exclusivity: true
      timeservers: Puppet::AST::LiteralList({'locator' => Puppet::AST::Locator({}), 'offset' => 3511, 'length' => 2})
      sysconfig_options: <<Type String[1]>>
      ntp_restricts: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]

Alternate Config IDs:

2.1.1
c2_1_1
ensure_time_synchronization_is_in_use

Resource:

Class['sce_linux::utils::timesync']

2.1.2 - Ensure chrony is configured

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

2.1.2
c2_1_2
ensure_chrony_is_configured

Resource:

Class['sce_linux::utils::timesync']

2.1.3 - Ensure chrony is not run as the root user

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

2.1.3
c2_1_3
ensure_chrony_is_not_run_as_the_root_user

Resource:

Class['sce_linux::utils::timesync']

2.2.1 - Ensure autofs services are not in use

Parameters:

service - [ String[1] ] - Default: autofs - Service to disable.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure autofs services are not in use":
      service: "autofs"

Alternate Config IDs:

2.2.1
c2_2_1
ensure_autofs_services_are_not_in_use

Resource:

Sce_linux::Utils::Disable_service['Disable autofs']

2.2.2 - Ensure avahi daemon services are not in use

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_2

Alternate Config IDs:

2.2.2
c2_2_2
ensure_avahi_daemon_services_are_not_in_use

Resource:

Class['sce_linux::utils::remove_avahi_server']

2.2.3 - Ensure dhcp server services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: dhcp - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure dhcp server services are not in use":
      pkg_name: "dhcp"

Alternate Config IDs:

2.2.3
c2_2_3
ensure_dhcp_server_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use DHCP server']

2.2.4 - Ensure dns server services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: bind - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure dns server services are not in use":
      pkg_name: "bind"

Alternate Config IDs:

2.2.4
c2_2_4
ensure_dns_server_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use DNS server']

2.2.5 - Ensure dnsmasq services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: dnsmasq - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure dnsmasq services are not in use":
      pkg_name: "dnsmasq"

Alternate Config IDs:

2.2.5
c2_2_5
ensure_dnsmasq_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use dnsmasq']

2.2.6 - Ensure samba file server services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: samba - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure samba file server services are not in use":
      pkg_name: "samba"

Alternate Config IDs:

2.2.6
c2_2_6
ensure_samba_file_server_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use Samba']

2.2.7 - Ensure ftp server services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: vsftpd - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure ftp server services are not in use":
      pkg_name: "vsftpd"

Alternate Config IDs:

2.2.7
c2_2_7
ensure_ftp_server_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use ftp server']

2.2.8 - Ensure message access server services are not in use

Parameters:

mail_servers - [ Array[String] ] - Default: ["dovecot", "postfix"] - Array of mail servers that will be removed from the managed machine

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure message access server services are not in use":
      mail_servers: ["dovecot", "postfix"]

Alternate Config IDs:

2.2.8
c2_2_8
ensure_message_access_server_services_are_not_in_use

Resource:

Class['sce_linux::utils::remove_imap_and_pop3']

2.2.9 - Ensure network file system services are not in use

Parameters:

keep_nfsutils - [ Boolean ] - A boolean value that represent the choice of whether to mask the nfs-server or remove it.
dependent - [ Array ] - Default: ["ensure_rpcbind_services_are_not_in_use"]

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure network file system services are not in use":
      keep_nfsutils: false
      dependent: ["ensure_rpcbind_services_are_not_in_use"]

Alternate Config IDs:

2.2.9
c2_2_9
ensure_network_file_system_services_are_not_in_use

Resource:

Class['sce_linux::utils::disable_or_remove_nfs']

2.2.10 - Ensure nis server services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: ypserv - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nis server services are not in use":
      pkg_name: "ypserv"

Alternate Config IDs:

2.2.10
c2_2_10
ensure_nis_server_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Disable NIS Server']

2.2.11 - Ensure print server services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: cups - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure print server services are not in use":
      pkg_name: "cups"

Alternate Config IDs:

2.2.11
c2_2_11
ensure_print_server_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not install CUPS']

2.2.12 - Ensure rpcbind services are not in use

Parameters:

keep_rpcbind - [ Boolean ] - A boolean value that represent the choice of whether to mask rpcbind or remove it.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure rpcbind services are not in use":
      keep_rpcbind: false

Alternate Config IDs:

2.2.12
c2_2_12
ensure_rpcbind_services_are_not_in_use

Resource:

Class['sce_linux::utils::disable_or_remove_rpcbind']

2.2.13 - Ensure rsync services are not in use

Parameters:

keep_rsync - [ Boolean ] - A boolean value that represent the choice of whether to mask rsync or remove it.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure rsync services are not in use":
      keep_rsync: false

Alternate Config IDs:

2.2.13
c2_2_13
ensure_rsync_services_are_not_in_use

Resource:

Class['sce_linux::utils::disable_or_remove_rsync']

2.2.14 - Ensure snmp services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: net-snmp - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure snmp services are not in use":
      pkg_name: "net-snmp"

Alternate Config IDs:

2.2.14
c2_2_14
ensure_snmp_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use net-snmp']

2.2.15 - Ensure telnet server services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: telnet-server - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure telnet server services are not in use":
      pkg_name: "telnet-server"

Alternate Config IDs:

2.2.15
c2_2_15
ensure_telnet_server_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Remove Telnet server']

2.2.16 - Ensure tftp server services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: tftp-server - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure tftp server services are not in use":
      pkg_name: "tftp-server"

Alternate Config IDs:

2.2.16
c2_2_16
ensure_tftp_server_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use TFTP Server']

2.2.17 - Ensure web proxy server services are not in use

Parameters:

proxy_packages - [ Array[String] ] - Default: ["squid"] - Array of proxy packages that will be removed from the managed machine

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure web proxy server services are not in use":
      proxy_packages: ["squid"]

Alternate Config IDs:

2.2.17
c2_2_17
ensure_web_proxy_server_services_are_not_in_use

Resource:

Class['sce_linux::utils::remove_http_proxy']

2.2.18 - Ensure web server services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: httpd - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure web server services are not in use":
      pkg_name: "httpd"

Alternate Config IDs:

2.2.18
c2_2_18
ensure_web_server_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use HTTP Server']

2.2.19 - Ensure xinetd services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: xinetd - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure xinetd services are not in use":
      pkg_name: "xinetd"

Alternate Config IDs:

2.2.19
c2_2_19
ensure_xinetd_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not install xinetd']

2.2.20 - Ensure X window server services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: xorg-x11-server* - Name of package to remove.

Supported Profiles & Levels:

server, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure X window server services are not in use":
      pkg_name: "xorg-x11-server*"

Alternate Config IDs:

2.2.20
c2_2_20
ensure_x_window_server_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not install x11 server components']

2.2.21 - Ensure mail transfer agents are configured for local-only mode

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

2.2.21
c2_2_21
ensure_mail_transfer_agents_are_configured_for_local_only_mode

Resource:

Class['sce_linux::utils::local_only_mta']

2.3.1 - Ensure ftp client is not installed

Parameters:

pkg_name - [ String[1] ] - Default: ftp - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure ftp client is not installed":
      pkg_name: "ftp"

Alternate Config IDs:

2.3.1
c2_3_1
ensure_ftp_client_is_not_installed

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use ftp client']

2.3.2 - Ensure ldap client is not installed

Parameters:

pkg_name - [ String[1] ] - Default: openldap-clients - Name of package to remove.

Supported Profiles & Levels:

server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure ldap client is not installed":
      pkg_name: "openldap-clients"

Alternate Config IDs:

2.3.2
c2_3_2
ensure_ldap_client_is_not_installed

Resource:

Sce_linux::Utils::Packages::Absenter['Remove LDAP Client']

2.3.3 - Ensure nis client is not installed

Parameters:

pkg_name - [ String[1] ] - Default: ypbind - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nis client is not installed":
      pkg_name: "ypbind"

Alternate Config IDs:

2.3.3
c2_3_3
ensure_nis_client_is_not_installed

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use NIS Client']

2.3.4 - Ensure telnet client is not installed

Parameters:

pkg_name - [ String[1] ] - Default: telnet - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure telnet client is not installed":
      pkg_name: "telnet"

Alternate Config IDs:

2.3.4
c2_3_4
ensure_telnet_client_is_not_installed

Resource:

Sce_linux::Utils::Packages::Absenter['Remove Telnet Client']

2.3.5 - Ensure tftp client is not installed

Parameters:

pkg_name - [ String[1] ] - Default: tftp - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure tftp client is not installed":
      pkg_name: "tftp"

Alternate Config IDs:

2.3.5
c2_3_5
ensure_tftp_client_is_not_installed

Resource:

Sce_linux::Utils::Packages::Absenter['Remove TFTP client']

3.1.2 - Ensure wireless interfaces are disabled

Parameters:

wwan - [ Boolean ] - Default: true - Whether to disable wwan
wifi - [ Boolean ] - Default: true - Whether to disable wifi

Supported Profiles & Levels:

server, level_1
server, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure wireless interfaces are disabled":
      wwan: true
      wifi: true

Alternate Config IDs:

3.1.2
c3_1_2
ensure_wireless_interfaces_are_disabled

Resource:

Sce_linux::Utils::Network::Disable_wireless_interfaces['Disable wireless interfaces']

3.1.3 - Ensure bluetooth services are not in use

Parameters:

pkg_name - [ String[1] ] - Default: bluez - Name of package to remove.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure bluetooth services are not in use":
      pkg_name: "bluez"

Alternate Config IDs:

3.1.3
c3_1_3
ensure_bluetooth_services_are_not_in_use

Resource:

Sce_linux::Utils::Packages::Absenter['Do not use bluetooth services']

3.2.1 - Ensure dccp kernel module is not available

Parameters:

conf_file - [ String[1] ] - Default: sce_disable_dccp - A unique name for the config file without a path of file extension
content - [ Optional[String] ] - Default: install dccp /bin/false blacklist dccp - The file content. Mutually exclusive with source.

Supported Profiles & Levels:

server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure dccp kernel module is not available":
      conf_file: "sce_disable_dccp"
      content: "install dccp /bin/false\nblacklist dccp\n"

Alternate Config IDs:

3.2.1
c3_2_1
ensure_dccp_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Modprobe_conf['Disable DCCP']

3.2.2 - Ensure tipc kernel module is not available

Parameters:

conf_file - [ String[1] ] - Default: sce_disable_tipc - A unique name for the config file without a path of file extension
content - [ Optional[String] ] - Default: install tipc /bin/false blacklist tipc - The file content. Mutually exclusive with source.

Supported Profiles & Levels:

server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure tipc kernel module is not available":
      conf_file: "sce_disable_tipc"
      content: "install tipc /bin/false\nblacklist tipc\n"

Alternate Config IDs:

3.2.2
c3_2_2
ensure_tipc_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Modprobe_conf['Ensure tipc kernel module is not available']

3.2.3 - Ensure rds kernel module is not available

Parameters:

conf_file - [ String[1] ] - Default: sce_disable_rds - A unique name for the config file without a path of file extension
content - [ Optional[String] ] - Default: install rds /bin/false blacklist rds - The file content. Mutually exclusive with source.

Supported Profiles & Levels:

server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure rds kernel module is not available":
      conf_file: "sce_disable_rds"
      content: "install rds /bin/false\nblacklist rds\n"

Alternate Config IDs:

3.2.3
c3_2_3
ensure_rds_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Modprobe_conf['Disable rds kernel module']

3.2.4 - Ensure sctp kernel module is not available

Parameters:

conf_file - [ String[1] ] - Default: sce_disable_sctp - A unique name for the config file without a path of file extension
content - [ Optional[String] ] - Default: install sctp /bin/false blacklist sctp - The file content. Mutually exclusive with source.

Supported Profiles & Levels:

server, level_2
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure sctp kernel module is not available":
      conf_file: "sce_disable_sctp"
      content: "install sctp /bin/false\nblacklist sctp\n"

Alternate Config IDs:

3.2.4
c3_2_4
ensure_sctp_kernel_module_is_not_available

Resource:

Sce_linux::Utils::Modprobe_conf['Disable SCTP']

3.3.1 - Ensure ip forwarding is disabled

Parameters:

target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_ip_forwarding.conf - The sysctl file that values will be written to.
persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to add to each setting.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure ip forwarding is disabled":
      target: "/etc/sysctl.d/90-disable_ip_forwarding.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

3.3.1
c3_3_1
ensure_ip_forwarding_is_disabled

Resource:

Class['sce_linux::utils::network::disable_ip_forwarding']

3.3.2 - Ensure packet redirect sending is disabled

Parameters:

target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_packet_redirect_sending.conf - The sysctl file that values will be written to.
persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to add to each setting.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure packet redirect sending is disabled":
      target: "/etc/sysctl.d/90-disable_packet_redirect_sending.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

3.3.2
c3_3_2
ensure_packet_redirect_sending_is_disabled

Resource:

Class['sce_linux::utils::network::disable_packet_redirect_sending']

3.3.3 - Ensure bogus icmp responses are ignored

Parameters:

target - [ String[1] ] - Default: /etc/sysctl.d/90-ignore_bogus_icmp.conf - The sysctl file that values will be written to.
persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to add to each setting.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure bogus icmp responses are ignored":
      target: "/etc/sysctl.d/90-ignore_bogus_icmp.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

3.3.3
c3_3_3
ensure_bogus_icmp_responses_are_ignored

Resource:

Class['sce_linux::utils::network::ignore_bogus_icmp']

3.3.4 - Ensure broadcast icmp requests are ignored

Parameters:

target - [ String[1] ] - Default: /etc/sysctl.d/90-ignore_icmp_broadcast.conf - The sysctl file that values will be written to.
persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to add to each setting.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure broadcast icmp requests are ignored":
      target: "/etc/sysctl.d/90-ignore_icmp_broadcast.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

3.3.4
c3_3_4
ensure_broadcast_icmp_requests_are_ignored

Resource:

Class['sce_linux::utils::network::ignore_icmp_broadcast']

3.3.5 - Ensure icmp redirects are not accepted

Parameters:

disable_ipv4_accept_default - [ Boolean ] - Default: true - Disable accepting IPv4 ICMP redirects on default route
disable_ipv4_accept_all - [ Boolean ] - Default: true - Disable accepting IPv4 ICMP redirects on all routes
disable_ipv6_accept_default - [ Boolean ] - Default: true - Disable accepting IPv6 ICMP redirects on default route
disable_ipv6_accept_all - [ Boolean ] - Default: true - Disable accepting IPv6 ICMP redirects on all routes

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure icmp redirects are not accepted":
      disable_ipv4_accept_default: true
      disable_ipv4_accept_all: true
      disable_ipv6_accept_default: true
      disable_ipv6_accept_all: true

Alternate Config IDs:

3.3.5
c3_3_5
ensure_icmp_redirects_are_not_accepted

Resource:

Class['sce_linux::utils::network::disable_icmp_redirects']

3.3.6 - Ensure secure icmp redirects are not accepted

Parameters:

target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_secure_icmp_redirects.conf - The sysctl file that values will be written to.
persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to add to each setting.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure secure icmp redirects are not accepted":
      target: "/etc/sysctl.d/90-disable_secure_icmp_redirects.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

3.3.6
c3_3_6
ensure_secure_icmp_redirects_are_not_accepted

Resource:

Class['sce_linux::utils::network::disable_secure_icmp_redirects']

3.3.7 - Ensure reverse path filtering is enabled

Parameters:

target - [ String[1] ] - Default: /etc/sysctl.d/90-enable_reverse_path_filtering.conf - The sysctl file that values will be written to.
persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to add to each setting.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure reverse path filtering is enabled":
      target: "/etc/sysctl.d/90-enable_reverse_path_filtering.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

3.3.7
c3_3_7
ensure_reverse_path_filtering_is_enabled

Resource:

Class['sce_linux::utils::network::enable_reverse_path_filtering']

3.3.8 - Ensure source routed packets are not accepted

Parameters:

target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_source_routes.conf - The sysctl file that values will be written to.
persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to add to each setting.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure source routed packets are not accepted":
      target: "/etc/sysctl.d/90-disable_source_routes.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

3.3.8
c3_3_8
ensure_source_routed_packets_are_not_accepted

Resource:

Class['sce_linux::utils::network::disable_source_routes']

3.3.9 - Ensure suspicious packets are logged

Parameters:

target - [ String[1] ] - Default: /etc/sysctl.d/90-enable_log_martians.conf - The sysctl file that values will be written to.
persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to add to each setting.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure suspicious packets are logged":
      target: "/etc/sysctl.d/90-enable_log_martians.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

3.3.9
c3_3_9
ensure_suspicious_packets_are_logged

Resource:

Class['sce_linux::utils::network::enable_log_martians']

3.3.10 - Ensure tcp syn cookies is enabled

Parameters:

target - [ String[1] ] - Default: /etc/sysctl.d/90-enable_tcp_syn_cookies.conf - The sysctl file that values will be written to.
persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to add to each setting.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure tcp syn cookies is enabled":
      target: "/etc/sysctl.d/90-enable_tcp_syn_cookies.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

3.3.10
c3_3_10
ensure_tcp_syn_cookies_is_enabled

Resource:

Class['sce_linux::utils::network::enable_tcp_syn_cookies']

3.3.11 - Ensure ipv6 router advertisements are not accepted

Parameters:

target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_ipv6_router_advertisements.conf - The sysctl file that values will be written to.
persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to add to each setting. Default: MANAGED BY PUPPET

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure ipv6 router advertisements are not accepted":
      target: "/etc/sysctl.d/90-disable_ipv6_router_advertisements.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

3.3.11
c3_3_11
ensure_ipv6_router_advertisements_are_not_accepted

Resource:

Class['sce_linux::utils::network::disable_ipv6_router_advertisements']

3.4.1.2 - Ensure a single firewall configuration utility is in use

Parameters:

ensure_package - [ Optional[Enum[\present\, \installed\, \latest\]] ] - Default: installed - Ensure for the firewalld package resource. Default: installed
ensure_iptables_package - [ Optional[Enum[\present\, \installed\, \latest\]] ] - Default: installed - Ensure for the iptables package resource. Default: installed
merge_defaults - [ Optional[Boolean] ] - Default: true - If true, will merge user-specified parameters with class defaults, where appropriate. This affects the $ports parameter because this class specifies to open ports in the default settings, 22 and 8140, that are required for SSH and Puppet agent communication, respectively. These two port statements do not need to be redeclared if you have this parameter set to true. Default: true
purge_iptables_services - [ Optional[Boolean] ] - Default: true - When true, removes the package iptables-services. Default: true
purge_nftables - [ Optional[Boolean] ] - Default: undef - When true, removes the package nftables. If set to false, the nftables service is stopped and masked instead.
default_zone - [ Optional[String[1]] ] - Default: public - Sets the default firewalld zone to this zone. Default: public
zones - [ Optional[Hash] ] - Default: {} - A hash of firewalld zones to create. Default: {}
services - [ Optional[Hash] ] - Default: {} - A hash of services to create. Default: {}
rich_rules - [ Optional[Hash] ] - Default: {} - A hash of rich firewall rules to create. Default: {}
custom_services - [ Optional[Hash] ] - Default: {} - A hash of custom firewall services to create. This parameter is deprecated in puppet/firewalld and should not be used, but is exposed here for posterity. Default: {}
ipsets - [ Optional[Hash] ] - Default: {} - A hash of ipsets to create. Default: {}
direct_rules - [ Optional[Hash] ] - Default: {} - A hash of direct rules to create. Default: {}
direct_chains - [ Optional[Hash] ] - Default: {} - A hash of direct chains to create. Default: {}
direct_passthroughs - [ Optional[Hash] ] - Default: {} - A hash of direct passthroughs to create. Default: {}
purge_direct_rules - [ Optional[Boolean] ] - Default: undef - If true, will purge all direct rules not managed by this class. Default: false
purge_direct_chains - [ Optional[Boolean] ] - Default: undef - If true, will purge all direct chains not managed by this class. Default: false
purge_direct_passthroughs - [ Optional[Boolean] ] - Default: undef - If true, will purge all direct passthroughs not managed by this class. Default: false
purge_unknown_ipsets - [ Optional[Boolean] ] - Default: undef - If true, will purge all ipsets not managed by this class. Default: false
firewall_backend - [ Optional[Enum[\iptables\, \nftables\]] ] - Default: nftables - Sets the firewall backend to use

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure a single firewall configuration utility is in use":
      ensure_package: "installed"
      ensure_iptables_package: "installed"
      merge_defaults: true
      purge_iptables_services: true
      purge_nftables: <<Type Boolean>>
      default_zone: "public"
      zones: {}
      services: {}
      rich_rules: {}
      custom_services: {}
      ipsets: {}
      direct_rules: {}
      direct_chains: {}
      direct_passthroughs: {}
      purge_direct_rules: <<Type Boolean>>
      purge_direct_chains: <<Type Boolean>>
      purge_direct_passthroughs: <<Type Boolean>>
      purge_unknown_ipsets: <<Type Boolean>>
      firewall_backend: "nftables"

Alternate Config IDs:

3.4.1.2
c3_4_1_2
ensure_a_single_firewall_configuration_utility_is_in_use

Resource:

Class['sce_linux::utils::firewall::firewalld']

3.4.2.1 - Ensure firewalld is installed

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

3.4.2.1
c3_4_2_1
ensure_firewalld_is_installed

Resource:

Class['sce_linux::utils::firewall::firewalld']

3.4.2.2 - Ensure firewalld service enabled and running

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

3.4.2.2
c3_4_2_2
ensure_firewalld_service_enabled_and_running

Resource:

Class['sce_linux::utils::firewall::firewalld']

3.4.2.4 - Ensure network interfaces are assigned to appropriate zone

Parameters:

No parameters

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Alternate Config IDs:

3.4.2.4
c3_4_2_4
ensure_network_interfaces_are_assigned_to_appropriate_zone

Resource:

Class['sce_linux::utils::firewall::firewalld']

4.1.1.1 - Ensure cron daemon is enabled and active

Parameters:

manage_package - [ Boolean ] - Default: true - If true, ensures the cron package is installed. See the package_name parameter for more information.
unmask_service - [ Boolean ] - Default: true - If true, unmasks the crond service.
manage_service - [ Boolean ] - Default: true - If true, enables and runs the cron daemon with a service resource. See the service_name parameter for more information.
cron_allow_path - [ Stdlib::AbsolutePath ] - Default: /etc/cron.allow - The path for the cron.allow file to manage. Only relevant if set_cron_allow_perms is set to true.
manage_cron_allow - [ Boolean ] - Default: true - If true, creates the cron.allow file specified by the cron_allow_path parameter and enforces 0600 permissions on the file.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure cron daemon is enabled and active":
      manage_package: true
      unmask_service: true
      manage_service: true
      cron_allow_path: "/etc/cron.allow"
      manage_cron_allow: true

Alternate Config IDs:

4.1.1.1
c4_1_1_1
ensure_cron_daemon_is_enabled_and_active

Resource:

Class['sce_linux::utils::packages::linux::cron']

4.1.1.2 - Ensure permissions on /etc/crontab are configured

Parameters:

set_crontab_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/crontab.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/crontab are configured":
      set_crontab_perms: true

Alternate Config IDs:

4.1.1.2
c4_1_1_2
ensure_permissions_on_etccrontab_are_configured

Resource:

Class['sce_linux::utils::packages::linux::cron']

4.1.1.3 - Ensure permissions on /etc/cron.hourly are configured

Parameters:

set_hourly_cron_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/cron.hourly.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.hourly are configured":
      set_hourly_cron_perms: true

Alternate Config IDs:

4.1.1.3
c4_1_1_3
ensure_permissions_on_etccron_hourly_are_configured

Resource:

Class['sce_linux::utils::packages::linux::cron']

4.1.1.4 - Ensure permissions on /etc/cron.daily are configured

Parameters:

set_daily_cron_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/cron.daily.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.daily are configured":
      set_daily_cron_perms: true

Alternate Config IDs:

4.1.1.4
c4_1_1_4
ensure_permissions_on_etccron_daily_are_configured

Resource:

Class['sce_linux::utils::packages::linux::cron']

4.1.1.5 - Ensure permissions on /etc/cron.weekly are configured

Parameters:

set_weekly_cron_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/cron.weekly.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.weekly are configured":
      set_weekly_cron_perms: true

Alternate Config IDs:

4.1.1.5
c4_1_1_5
ensure_permissions_on_etccron_weekly_are_configured

Resource:

Class['sce_linux::utils::packages::linux::cron']

4.1.1.6 - Ensure permissions on /etc/cron.monthly are configured

Parameters:

set_monthly_cron_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/cron.monthly.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.monthly are configured":
      set_monthly_cron_perms: true

Alternate Config IDs:

4.1.1.6
c4_1_1_6
ensure_permissions_on_etccron_monthly_are_configured

Resource:

Class['sce_linux::utils::packages::linux::cron']

4.1.1.7 - Ensure permissions on /etc/cron.d are configured

Parameters:

set_cron_d_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/cron.d.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.d are configured":
      set_cron_d_perms: true

Alternate Config IDs:

4.1.1.7
c4_1_1_7
ensure_permissions_on_etccron_d_are_configured

Resource:

Class['sce_linux::utils::packages::linux::cron']

4.1.1.8 - Ensure crontab is restricted to authorized users

Parameters:

manage_cron_allow - [ Boolean ] - Default: true - If true, creates the cron.allow file specified by the cron_allow_path parameter and enforces 0600 permissions on the file.
cron_allow_path - [ Stdlib::AbsolutePath ] - Default: /etc/cron.allow - The path for the cron.allow file to manage. Only relevant if set_cron_allow_perms is set to true.
cron_allowlist - [ Array[String[1]] ] - Default: ["root"] - An array of user names to add to the cron.allow file.
purge_cron_deny - [ Boolean ] - If true, removes (if they exist) /etc/cron.deny and /etc/cron.d/cron.deny.
manage_cron_deny - [ Boolean ] - Default: true - If true and file already exists, manages group and owner of cron.deny file at /etc/cron.deny and enforces 0600 permissions on the file.

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure crontab is restricted to authorized users":
      manage_cron_allow: true
      cron_allow_path: "/etc/cron.allow"
      cron_allowlist: ["root"]
      purge_cron_deny: false
      manage_cron_deny: true

Alternate Config IDs:

4.1.1.8
c4_1_1_8
ensure_crontab_is_restricted_to_authorized_users

Resource:

Class['sce_linux::utils::packages::linux::cron']

4.1.2.1 - Ensure at is restricted to authorized users

Parameters:

at_allowlist - [ Optional[Array[String[1]]] ] - Default: ["root"] - An array of user names to add to the at.allow file. Default: ['root']
purge_at_deny - [ Optional[Boolean] ] - Default: undef - If true, removes /etc/at.deny. Default: true
manage_at_deny - [ Optional[Boolean] ] - Default: true - If true and file already exists, manages group and owner of at.deny file at /etc/at.deny and enforces 0600 permissions on the file. Default: false

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure at is restricted to authorized users":
      at_allowlist: ["root"]
      purge_at_deny: <<Type Boolean>>
      manage_at_deny: true

Alternate Config IDs:

4.1.2.1
c4_1_2_1
ensure_at_is_restricted_to_authorized_users

Resource:

Class['sce_linux::utils::packages::linux::at']

4.2.1 - Ensure permissions on /etc/ssh/sshd_config are configured

Parameters:

enforce_sshd_config_perms - [ Boolean ] - Default: true

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/ssh/sshd_config are configured":
      enforce_sshd_config_perms: true

Alternate Config IDs:

4.2.1
c4_2_1
ensure_permissions_on_etcsshsshd_config_are_configured

Resource:

Class['sce_linux::utils::packages::linux::ssh']

4.2.2 - Ensure permissions on SSH private host key files are configured

Parameters:

enforce_pri_host_key_perms - [ Boolean ] - Default: true

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on SSH private host key files are configured":
      enforce_pri_host_key_perms: true

Alternate Config IDs:

4.2.2
c4_2_2
ensure_permissions_on_ssh_private_host_key_files_are_configured

Resource:

Class['sce_linux::utils::packages::linux::ssh']

4.2.3 - Ensure permissions on SSH public host key files are configured

Parameters:

enforce_pub_host_key_perms - [ Boolean ] - Default: true

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on SSH public host key files are configured":
      enforce_pub_host_key_perms: true

Alternate Config IDs:

4.2.3
c4_2_3
ensure_permissions_on_ssh_public_host_key_files_are_configured

Resource:

Class['sce_linux::utils::packages::linux::ssh']

4.2.4 - Ensure sshd access is configured

Parameters:

allow_users - [ Optional[Array[String[1]]] ] - Default: undef
allow_groups - [ Optional[Array[String[1]]] ] - Default: undef
deny_users - [ Optional[Array[String[1]]] ] - Default: undef
deny_groups - [ Optional[Array[String[1]]] ] - Default: undef

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure sshd access is configured":
      allow_users: <<Type Array[String[1]]>>
      allow_groups: <<Type Array[String[1]]>>
      deny_users: <<Type Array[String[1]]>>
      deny_groups: <<Type Array[String[1]]>>

Alternate Config IDs:

4.2.4
c4_2_4
ensure_sshd_access_is_configured

Resource:

Class['sce_linux::utils::packages::linux::ssh']

4.2.5 - Ensure sshd Banner is configured

Parameters:

banner - [ Optional[Stdlib::AbsolutePath] ] - Default: /etc/issue.net

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure sshd Banner is configured":
      banner: "/etc/issue.net"

Alternate Config IDs:

4.2.5
c4_2_5
ensure_sshd_banner_is_configured

Resource:

Class['sce_linux::utils::packages::linux::ssh']

4.2.6 - Ensure sshd Ciphers are configured

Parameters:

ciphers - [ Optional[Array[String[1]]] ] - Default: ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure sshd Ciphers are configured":
      ciphers: ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"]

Alternate Config IDs:

4.2.6
c4_2_6
ensure_sshd_ciphers_are_configured

Resource:

Class['sce_linux::utils::packages::linux::ssh']

4.2.7 - Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured

Parameters:

client_alive_interval - [ Optional[Integer] ] - Default: 15
client_alive_count_max - [ Optional[Integer] ] - Default: 3

Supported Profiles & Levels:

server, level_1
server, level_2
workstation, level_1
workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured":
      client_alive_interval: 15
      client_alive_count_max: 3

Alternate Config IDs:

What are tasks?

Modules can contain tasks that take action outside of a desired state managed by Puppet. It’s perfect for troubleshooting or deploying one-off changes, distributing scripts to run across your infrastructure, or automating changes that need to happen in a particular order as part of an application deployment.

Tasks in this module release

audit_approved_services_listening

Report only approved services are listening on a network interface

audit_authselect

Audit authselect profile for RHEL family systems version 8+.

audit_boot

Audit if the system is configured to boot to the command line or to the graphical user interface.

audit_check_ipv6

Audits IPv6 configuration on the host.

audit_client_dns

Audit DNS servers configured in /etc/resolv.conf

audit_duplicate_gid

Finds and returns duplicate GIDs in /etc/group

audit_duplicate_group_names

Finds and returns duplicate group names in /etc/group.

audit_duplicate_uid

Finds duplicate UIDs in /etc/passwd and returns the UID and all users that use it

audit_duplicate_user_names

Finds and returns duplicate user names in /etc/passwd.

audit_etc_shadow

Verify if /etc/shadow have empty password fields

audit_etcpasswd_groups

Finds groups that exist in /etc/passwd but do not exist in /etc/group

audit_firewalld_config

Returns the results of firewall-cmd --list-all

audit_for_emergency_accounts

Audit all accounts expiration dates for removal.

audit_journald_log_rotation

Report journald log rotation is configured per site policy

audit_journald_logs_to_rsyslog

Report journald is not configured to send logs to rsyslog

audit_kerberos_keytab_files

List all the keytab files on the system at /etc

audit_library_files

Audit library files permission, ownership, and group ownership

audit_mcafee_endpoint_security

Audit McAfee Endpoint Security for RHEL-family systems.

audit_no_execution_bit_flag

Audit for the no-execution bit flag on the system

audit_partition_crypto

Audit partition cryptography

audit_pkcs11_eventmgr

This task will report on whether the screen is locked or not when using smart card.

audit_pw_change_date

Returns the last password change date for all users

audit_selinux_user_roles

Returns the output of 'semanage user -l' on the target system

audit_sgid_executables

A short description of this task

audit_shadow_group

Finds and returns any users in the shadow group

audit_ssh_key_authorized_access

This task checks that the given SSH provate keys are passphrase protected.

Parameters
private_keys	The SSH private keys to check. `Array[String]`

audit_sshd_installation

Verify if sshd is installed

audit_sshd_status

Report sshd status

audit_sssd_certmap

Audit the existance of sssd certmap configuration

audit_sudo_authentication_timeout

Return the sudo authentication timeout in minutes

Dependencies

puppetlabs/stdlib (>= 4.13.1 < 10.0.0)
puppetlabs/concat (>= 6.4.0 < 10.0.0)
puppetlabs/inifile (>= 1.6.0 < 7.0.0)
puppetlabs/augeas_core (>= 1.1.1 < 2.0.0)
puppetlabs/firewall (>= 5.0.0 < 9.0.0)
puppet/firewalld (>= 4.5.0 < 6.0.0)
puppet/logrotate (>= 5.0.0 < 8.0.0)
puppet/selinux (>= 3.2.0 < 5.0.0)
puppet/systemd (>= 3.5.0 < 7.0.0)

sce_linux

Security Compliance Enforcement is a premium feature for Puppet Enterprise and Puppet Core

Version information

This version is compatible with:

Tasks:

Documentation

sce_linux

SCE for Linux Reference

Table of Contents

CIS Red Hat Enterprise Linux 7 Benchmark 4.0.0

1.1.1.1 - Ensure cramfs kernel module is not available

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.1.2 - Ensure freevxfs kernel module is not available

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.1.3 - Ensure hfs kernel module is not available

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.1.4 - Ensure hfsplus kernel module is not available

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.1.5 - Ensure jffs2 kernel module is not available

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.1.6 - Ensure squashfs kernel module is not available

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.1.7 - Ensure udf kernel module is not available

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.1.8 - Ensure usb-storage kernel module is not available

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.2.1.2 - Ensure nodev option set on /tmp partition

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.2.1.3 - Ensure nosuid option set on /tmp partition

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.2.1.4 - Ensure noexec option set on /tmp partition

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

Alternate Config IDs:

Resource:

1.1.2.2.2 - Ensure nodev option set on /dev/shm partition

Parameters:

Supported Profiles & Levels:

Hiera Configuration Example:

`sce_linux`