Premium module

sce_linux

Security Compliance Enforcement for Linux

583 downloads

Security Compliance Enforcement is a premium feature for Puppet Enterprise and Open Source Puppet

Security Compliance Enforcement uses Puppet policy-as-code (PaC) to enforce security configurations aligned to CIS Benchmarks and DISA STIGs, giving you a leg up on many compliance expectations and streamlining audit prep. In Puppet Enterprise, it is accessed through the included Security Compliance Management Console.

It can be applied to Puppet Enterprise or Open Source Puppet (see the compatibility list below).

Version information

  • 2.2.1 (latest)
  • 2.2.0
  • 2.1.0
  • 2.0.0
released Nov 12th 2024
This version is compatible with:
  • Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.23.0 < 9.0.0
Tasks:
  • audit_partition_crypto
  • audit_approved_services_listening
  • audit_authselect
  • audit_boot
  • audit_check_ipv6
  • audit_client_dns
  • audit_duplicate_gid
  • and 55 more.

Documentation

puppetlabs/sce_linux — version 2.2.1 Nov 12th 2024

SCE for Linux Reference

Table of Contents

CIS CentOS Linux 7 Benchmark 3.1.2

1.1.1.1 - Ensure mounting of cramfs filesystems is disabled

Parameters:

  • filesystem - [ String[1] ] - Default: cramfs - Filesystem to disable, example xfs.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure mounting of cramfs filesystems is disabled":
      filesystem: "cramfs"

Alternate Config IDs:

  • 1.1.1.1
  • c1_1_1_1
  • ensure_mounting_of_cramfs_filesystems_is_disabled

Resource:

  • Sce_linux::Utils::Disable_fs_mounting['Disable cramfs filesystem mounting']

1.1.1.2 - Ensure mounting of squashfs filesystems is disabled

Parameters:

  • filesystem - [ String[1] ] - Default: squashfs - Filesystem to disable, example xfs.

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure mounting of squashfs filesystems is disabled":
      filesystem: "squashfs"

Alternate Config IDs:

  • 1.1.1.2
  • c1_1_1_2
  • ensure_mounting_of_squashfs_filesystems_is_disabled

Resource:

  • Sce_linux::Utils::Disable_fs_mounting['Disable squashfs filesystem mounting']

1.1.1.3 - Ensure mounting of udf filesystems is disabled

Parameters:

  • filesystem - [ String[1] ] - Default: udf - Filesystem to disable, example xfs.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure mounting of udf filesystems is disabled":
      filesystem: "udf"

Alternate Config IDs:

  • 1.1.1.3
  • c1_1_1_3
  • ensure_mounting_of_udf_filesystems_is_disabled

Resource:

  • Sce_linux::Utils::Disable_fs_mounting['Disable udf filesystem mounting']

1.1.3 - Ensure noexec option set on /tmp partition

Parameters:

  • noexec - [ Boolean ] - Default: true - Set noexec mount option

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure noexec option set on /tmp partition":
      noexec: true

Alternate Config IDs:

  • 1.1.3
  • c1_1_3
  • ensure_noexec_option_set_on_tmp_partition

Resource:

  • Class['sce_linux::utils::tmp_mount']

1.1.4 - Ensure nodev option set on /tmp partition

Parameters:

  • nodev - [ Boolean ] - Default: true - Set nodev mount option

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nodev option set on /tmp partition":
      nodev: true

Alternate Config IDs:

  • 1.1.4
  • c1_1_4
  • ensure_nodev_option_set_on_tmp_partition

Resource:

  • Class['sce_linux::utils::tmp_mount']

1.1.5 - Ensure nosuid option set on /tmp partition

Parameters:

  • nosuid - [ Boolean ] - Default: true - Set nosuid mount option

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nosuid option set on /tmp partition":
      nosuid: true

Alternate Config IDs:

  • 1.1.5
  • c1_1_5
  • ensure_nosuid_option_set_on_tmp_partition

Resource:

  • Class['sce_linux::utils::tmp_mount']

1.1.7 - Ensure noexec option set on /dev/shm partition

Parameters:

  • noexec - [ Boolean ] - Default: true - Whether to set the noexec option.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure noexec option set on /dev/shm partition":
      noexec: true

Alternate Config IDs:

  • 1.1.7
  • c1_1_7
  • ensure_noexec_option_set_on_devshm_partition

Resource:

  • Class['sce_linux::utils::dev_shm_fstab_entry']

1.1.8 - Ensure nodev option set on /dev/shm partition

Parameters:

  • nodev - [ Boolean ] - Default: true - Whether to set the nodev option.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nodev option set on /dev/shm partition":
      nodev: true

Alternate Config IDs:

  • 1.1.8
  • c1_1_8
  • ensure_nodev_option_set_on_devshm_partition

Resource:

  • Class['sce_linux::utils::dev_shm_fstab_entry']

1.1.9 - Ensure nosuid option set on /dev/shm partition

Parameters:

  • nosuid - [ Boolean ] - Default: true - Whether to set the nosuid option.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nosuid option set on /dev/shm partition":
      nosuid: true

Alternate Config IDs:

  • 1.1.9
  • c1_1_9
  • ensure_nosuid_option_set_on_devshm_partition

Resource:

  • Class['sce_linux::utils::dev_shm_fstab_entry']

1.1.22 - Ensure sticky bit is set on all world-writable directories

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 1.1.22
  • c1_1_22
  • ensure_sticky_bit_is_set_on_all_world_writable_directories

Resource:

  • Class['sce_linux::utils::sticky_bit']

1.1.23 - Disable Automounting

Parameters:

  • service - [ String[1] ] - Default: autofs - Service to disable.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Disable Automounting":
      service: "autofs"

Alternate Config IDs:

  • 1.1.23
  • c1_1_23
  • disable_automounting

Resource:

  • Sce_linux::Utils::Disable_service['Disable autofs']

1.1.24 - Disable USB Storage

Parameters:

  • filesystem - [ String[1] ] - Default: usb-storage - Filesystem to disable, example xfs.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Disable USB Storage":
      filesystem: "usb-storage"

Alternate Config IDs:

  • 1.1.24
  • c1_1_24
  • disable_usb_storage

Resource:

  • Sce_linux::Utils::Disable_fs_mounting['Disable usb storage']

1.2.3 - Ensure gpgcheck is globally activated

Parameters:

  • yum_conf - [ Stdlib::UnixPath ] - Default: /etc/yum.conf - Full path to yum.conf file.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure gpgcheck is globally activated":
      yum_conf: "/etc/yum.conf"

Alternate Config IDs:

  • 1.2.3
  • c1_2_3
  • ensure_gpgcheck_is_globally_activated

Resource:

  • Class['sce_linux::utils::yum::enable_gpgcheck']

1.3.1 - Ensure AIDE is installed

Parameters:

  • control_package - [ Optional[Boolean] ] - Default: true - Whether or not to ensure the package is installed.
  • package_ensure - [ Optional[String] ] - Default: present - Passed directly to the package resource for aide.
  • manage_config - [ Optional[Boolean] ] - Default: true - Whether or not to manage /etc/aide.conf.
  • run_scheduled - [ Optional[Boolean] ] - Default: true - Whether or not to set AIDE to run on a schedule.
  • scheduler - [ Optional[Enum['systemd', 'cron']] ] - Default: systemd - Whether to use a systemd timer or cron job to schedule AIDE scans.
  • systemd_timer_schedule - [ Optional[String] ] - Default: *-*-* 00:00:00 - Used as the systemd timer unit file's OnSchedule directive.
  • conf_purge - [ Optional[Boolean] ] - Default: undef - Setting purge to true means that no default values will be used. WARNING: You MUST configure ALL CONFIG OPTIONS when using purge to ensure that AIDE can function.
  • conf_db_dir - [ Optional[String] ] - Default: /var/lib/aide - The directory AIDE will use to store the DB.
  • conf_log_dir - [ Optional[String] ] - Default: /var/log/aide - The directory AIDE will use to store the log file.
  • conf_verbosity - [ Optional[Integer] ] - Default: 5 - How verbose AIDE is in logging.
  • conf_report_urls - [ Optional[Array[String]] ] - Default: ["file:@@{LOGDIR}/aide.log", "stdout"] - Where AIDE should send check results.
  • conf_rules - [ Optional[Array[String]] ] - Default: ["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"] - Custom rule definitions for the AIDE config file. Each item is passed into the config as is, so rule definitions should look like: "PERMS = p+u+g+acl+selinux+xattrs". See docs for defaults.
  • conf_checks - [ Optional[Array[String]] ] - Default: ["/boot/ CONTENT_EX", "/bin/ CONTENT_EX", "/sbin/ CONTENT_EX", "/lib/ CONTENT_EX", "/lib64/ CONTENT_EX", "/opt/ CONTENT_EX", "/root/\\..* PERMS", "/root/ CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/ CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$ CONTENT_EX", "/etc/group$ CONTENT_EX", "/etc/gshadow$ CONTENT_EX", "/etc/shadow$ CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/ PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"] - Directory and file checks. As AIDE parses these from top to bottom in the config file, the way you order this array matters. Individual file checks should come before their parent directory checks. Each check is passed into the config as is, so checks should look like: "/boot/ CONTENT_EX". See docs for defaults. If you choose not to use the default values, it is HIGHLY RECOMMENDED that you ignore the directory /opt/puppetlabs/puppet/cache/ and ignore the file /opt/puppetlabs/puppet/public/last_run_summary.yaml as these change every Puppet run.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure AIDE is installed":
      control_package: true
      package_ensure: "present"
      manage_config: true
      run_scheduled: true
      scheduler: "systemd"
      systemd_timer_schedule: "*-*-* 00:00:00"
      conf_purge: <<Type Boolean>>
      conf_db_dir: "/var/lib/aide"
      conf_log_dir: "/var/log/aide"
      conf_verbosity: 5
      conf_report_urls: ["file:@@{LOGDIR}/aide.log", "stdout"]
      conf_rules: ["PERMS = p+u+g+acl+xattrs", "CONTENT_EX = sha256+ftype+p+u+g+n+acl+xattrs"]
      conf_checks: ["/boot/   CONTENT_EX", "/bin/    CONTENT_EX", "/sbin/   CONTENT_EX", "/lib/    CONTENT_EX", "/lib64/  CONTENT_EX", "/opt/    CONTENT_EX", "/root/\\..* PERMS", "/root/   CONTENT_EX", "!/usr/src/", "!/usr/tmp/", "/usr/    CONTENT_EX", "!/etc/mtab$", "!/etc/.*null", "/etc/hosts$ CONTENT_EX", "/etc/passwd$   CONTENT_EX", "/etc/group$    CONTENT_EX", "/etc/gshadow$  CONTENT_EX", "/etc/shadow$   CONTENT_EX", "/etc/resolv.conf$ CONTENT_EX", "/etc/login.defs$ CONTENT_EX", "/etc/libuser.conf$ CONTENT_EX", "/var/log/faillog$ PERMS", "/var/log/lastlog$ PERMS", "/var/run/faillock/ PERMS", "/etc/pam.d/ CONTENT_EX", "/etc/security$ CONTENT_EX", "/etc/securetty$ CONTENT_EX", "/etc/polkit-1/ CONTENT_EX", "/etc/sudo.conf$ CONTENT_EX", "/etc/sudoers$ CONTENT_EX", "/etc/sudoers.d/ CONTENT_EX", "!/var/log/sa/", "!/var/log/aide.log", "/etc/    PERMS", "!/var/log/httpd/", "!/opt/puppetlabs/puppet/cache/", "!/opt/puppetlabs/puppet/public/last_run_summary.yaml"]

Alternate Config IDs:

  • 1.3.1
  • c1_3_1
  • ensure_aide_is_installed

Resource:

  • Class['sce_linux::utils::packages::linux::aide']
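The conf_checks description above states that AIDE reads the selection lines top to bottom and that an individual file check must precede its parent directory check, otherwise the broader line wins. The following Python is an added example, not code from the sce_linux module: it implements that ordering rule as the page states it (first matching line decides, a `!` line excludes) on a constructed subset of the default checks, resolves which rule a given path ends up with, and flags later lines that an earlier, broader line would already match. The sample list, the function names and the treatment of `.` as harmless in a path literal are assumptions of this example.

```python
import re

# Constructed sample: a subset of the control's default conf_checks, kept in
# the default order (file checks before their parent directory checks).
SAMPLE_CHECKS = [
    "!/usr/src/",
    "/usr/ CONTENT_EX",
    "!/etc/mtab$",
    "!/etc/.*null",
    "/etc/passwd$ CONTENT_EX",
    "/etc/shadow$ CONTENT_EX",
    "/etc/sudoers.d/ CONTENT_EX",
    "/etc/ PERMS",
    "!/var/log/aide.log",
    "!/opt/puppetlabs/puppet/cache/",
]

# Regex metacharacters that mean a selection path has no single literal form.
# A '.' is deliberately not listed: it matches the literal dot it stands for.
_META = re.compile(r"[*+?()\[\]{}|\\]")


def parse_check(line):
    """Split one conf_checks entry into (negated, path_regex, rule_name)."""
    line = line.strip()
    negated = line.startswith("!")
    if negated:
        line = line[1:]
    parts = line.split(None, 1)
    path = parts[0]
    rule = parts[1].strip() if len(parts) > 1 else None
    return negated, path, rule


def effective_rule(checks, file_path):
    """Return the rule name that applies to file_path, or None if the first
    matching line is a negative one (or nothing matches). AIDE selection
    paths are anchored at the start, which re.match gives us for free."""
    for line in checks:
        negated, path, rule = parse_check(line)
        if re.match(path, file_path):
            return None if negated else rule
    return None


def shadowed_checks(checks):
    """Return (earlier_line, later_line) pairs where the earlier, broader line
    already matches the later line's literal path, so the later line can
    never take effect under top-to-bottom, first-match processing."""
    findings = []
    parsed = [parse_check(line) for line in checks]
    for j, (_, path_j, _) in enumerate(parsed):
        literal = path_j.rstrip("$")
        if _META.search(literal):
            continue  # a true regex path has no single literal to test
        for i in range(j):
            _, path_i, _ = parsed[i]
            if path_i != path_j and re.match(path_i, literal):
                findings.append((checks[i], checks[j]))
                break
    return findings


if __name__ == "__main__":
    # Constructed mis-ordered list: the directory line precedes the file line.
    bad = ["/etc/ PERMS", "/etc/passwd$ CONTENT_EX"]
    print("default order, /etc/passwd ->", effective_rule(SAMPLE_CHECKS, "/etc/passwd"))
    print("bad order, /etc/passwd     ->", effective_rule(bad, "/etc/passwd"))
    for earlier, later in shadowed_checks(bad):
        print(f"shadowed: {later!r} never applies because {earlier!r} comes first")
```

Run it against a full conf_checks array from Hiera before deploying: an empty result from shadowed_checks means every specific file check is reachable, and effective_rule tells you which attribute set a sensitive file such as /etc/shadow will actually be checked with.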

1.4.1 - Ensure bootloader password is set

Parameters:

  • password_protect - [ Boolean ] - Default: true - Whether or not to password protect the bootloader.
  • superuser - [ Optional[String[1]] ] - Default: undef - The username of the grub2 superuser. This is used to set a superuser password in the bootloader configuration. This is only used if password_protect is true.
  • superuser_password - [ Optional[Sensitive[String]] ] - Default: undef - The password of the grub2 superuser. This will be the superuser password in the bootloader configuration. This is only used if password_protect is true.
  • password_file - [ Stdlib::UnixPath ] - Default: /etc/grub.d/50_password - The path to the file containing the bootloader password(s). This is only used if password_protect is true.
  • replace_password_file - [ Boolean ] - If true, replaces the password file if it exists with a NEW hash of the password. Also, when set to true, this resource is NOT idempotent. When set to false, this prevents accidental overwriting of the password file with a new hash of the same password.
  • hash_superuser_password - [ Boolean ] - Default: true - If true, the superuser password will be hashed using PBKDF2-HMAC-SHA512. If false, the superuser password will be stored in the password file as-is. This is only used if password_protect is true.
  • superuser_password_salt_length - [ Optional[Integer] ] - Default: undef - The length of the salt in bits used to hash the superuser password. Default is 128. This is optional and only used if password_protect and hash_superuser_password are true.
  • superuser_password_buffer_length - [ Optional[Integer] ] - Default: undef - The length of the resulting hash. Default is 128. This is optional and only used if password_protect and hash_superuser_password are true.
  • superuser_password_iterations - [ Optional[Integer] ] - Default: undef - The number of times the password is passed through the hash function. Default is 120000. This is optional and only used if password_protect and hash_superuser_password are true.
  • other_users - [ Optional[Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]] ] - Default: undef - An array of structured hashes to add other users besides the superuser to the password file. This is optional and only used if password_protect is true. The users specified here will be added to the password file as regular users, not superusers. Other user passwords will be hashed using PBKDF2-HMAC-SHA512, just like the superuser password, if hash_other_user_passwords is true.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure bootloader password is set":
      password_protect: true
      superuser: <<Type String[1]>>
      superuser_password: <<Type Sensitive[String]>>
      password_file: "/etc/grub.d/50_password"
      replace_password_file: false
      hash_superuser_password: true
      superuser_password_salt_length: <<Type Integer>>
      superuser_password_buffer_length: <<Type Integer>>
      superuser_password_iterations: <<Type Integer>>
      other_users: <<Type Array[Struct[{username=>String[1], password=>Sensitive[String], salt_length=>Optional[String], buffer_length=>Optional[Integer], iterations=>Optional[Integer]}]]>>

Alternate Config IDs:

  • 1.4.1
  • c1_4_1
  • ensure_bootloader_password_is_set

Resource:

  • Class['sce_linux::utils::bootloader::grub2']
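The parameters above explain that the superuser password is stored as a PBKDF2-HMAC-SHA512 hash with a fresh salt, which is why replace_password_file: true is not idempotent: every run produces a different hash string for the same password. The following Python is an added example, not the module's own implementation: it builds a hash in the grub.pbkdf2.sha512.<iterations>.<SALT>.<HASH> form that grub-mkpasswd-pbkdf2 prints, verifies a password against such a string in constant time, and uses that to decide whether a password_pbkdf2 line needs rewriting at all. The iteration count and the 128 salt/buffer lengths are the page's defaults; reading 128 as bits (16 bytes), the single-line password_pbkdf2 file format, and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# Defaults from the control's parameter descriptions; interpreting the
# 128-length values as bits (16 bytes) is an assumption of this example.
DEFAULT_ITERATIONS = 120000
DEFAULT_SALT_BITS = 128
DEFAULT_BUFFER_BITS = 128

# Shape of the string grub-mkpasswd-pbkdf2 emits: grub.pbkdf2.sha512.<iter>.<SALT>.<HASH>
_GRUB_HASH = re.compile(
    r"^grub\.pbkdf2\.sha512\.(\d+)\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]+)$"
)


def grub_pbkdf2_hash(password, iterations=DEFAULT_ITERATIONS,
                     salt_bits=DEFAULT_SALT_BITS, buffer_bits=DEFAULT_BUFFER_BITS,
                     salt=None):
    """Derive a GRUB-format PBKDF2-HMAC-SHA512 hash. A new random salt is
    drawn on every call unless one is passed in, so two calls with the same
    password yield different strings (the non-idempotent behaviour above)."""
    if salt is None:
        salt = os.urandom(salt_bits // 8)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                  iterations, dklen=buffer_bits // 8)
    return f"grub.pbkdf2.sha512.{iterations}.{salt.hex().upper()}.{derived.hex().upper()}"


def verify_grub_pbkdf2(password, stored):
    """Recompute the hash from the salt and iteration count embedded in the
    stored string and compare in constant time."""
    match = _GRUB_HASH.match(stored)
    if not match:
        return False
    iterations = int(match.group(1))
    salt = bytes.fromhex(match.group(2))
    expected = bytes.fromhex(match.group(3))
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                  iterations, dklen=len(expected))
    return hmac.compare_digest(derived, expected)


def password_file_needs_update(existing_line, superuser, password):
    """Idempotent decision: only rewrite when the existing 'password_pbkdf2
    <user> <hash>' line does not already encode this password for this user.
    The one-line file layout is an assumption of this example."""
    parts = existing_line.split()
    if len(parts) != 3 or parts[0] != "password_pbkdf2" or parts[1] != superuser:
        return True
    return not verify_grub_pbkdf2(password, parts[2])


if __name__ == "__main__":
    # Constructed sample values; never reuse them on a real host.
    pw = "constructed-example-password"
    first = grub_pbkdf2_hash(pw)
    second = grub_pbkdf2_hash(pw)
    print("same password, different strings:", first != second)
    line = f"password_pbkdf2 root {first}"
    print("needs update with same password :", password_file_needs_update(line, "root", pw))
    print("needs update with other password:", password_file_needs_update(line, "root", "other"))
```

The check in password_file_needs_update is what replace_password_file: false protects: comparing the stored hash against the intended password (rather than regenerating it) keeps runs idempotent, while the verify step still detects a changed password or a tampered line.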

1.4.2 - Ensure permissions on bootloader config are configured

Parameters:

  • ensure_permissions - [ Boolean ] - Default: true - Whether or not to enforce correct permissions on the bootloader files.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on bootloader config are configured":
      ensure_permissions: true

Alternate Config IDs:

  • 1.4.2
  • c1_4_2
  • ensure_permissions_on_bootloader_config_are_configured

Resource:

  • Class['sce_linux::utils::bootloader::grub2']

1.4.3 - Ensure authentication required for single user mode

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 1.4.3
  • c1_4_3
  • ensure_authentication_required_for_single_user_mode

Resource:

  • Class['sce_linux::utils::single_user_mode_authentication']

1.5.1 - Ensure core dumps are restricted

Parameters:

  • limits_file - [ Optional[String] ] - Default: 10-disable_core_dumps.conf
  • sysctl_file - [ Optional[String] ] - Default: 10-disable_core_dumps.conf
  • service_content - [ Optional[String] ] - Default: "# THIS FILE IS MANAGED BY PUPPET\n[Coredump]\nStorage=none\nProcessSizeMax=0\n"

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure core dumps are restricted":
      limits_file: "10-disable_core_dumps.conf"
      sysctl_file: "10-disable_core_dumps.conf"
      service_content: "# THIS FILE IS MANAGED BY PUPPET\n[Coredump]\nStorage=none\nProcessSizeMax=0\n"

Alternate Config IDs:

  • 1.5.1
  • c1_5_1
  • ensure_core_dumps_are_restricted

Resource:

  • Class['sce_linux::utils::disable_core_dumps']

1.5.3 - Ensure address space layout randomization (ASLR) is enabled

Parameters:

  • sysctl_file - [ String ] - Default: 10-enable_aslr.conf - The sysctl file that values will be written to.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure address space layout randomization (ASLR) is enabled":
      sysctl_file: "10-enable_aslr.conf"

Alternate Config IDs:

  • 1.5.3
  • c1_5_3
  • ensure_address_space_layout_randomization_aslr_is_enabled

Resource:

  • Class['sce_linux::utils::enable_aslr']

1.5.4 - Ensure prelink is not installed

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 1.5.4
  • c1_5_4
  • ensure_prelink_is_not_installed

Resource:

  • Class['sce_linux::utils::disable_prelink']

1.6.1.1 - Ensure SELinux is installed

Parameters:

  • manage_package - [ Optional[Boolean] ] - Default: true - Enable or disable selinux package management.
  • package_name - [ Optional[String[1]] ] - Default: libselinux - Name of package.
  • mode - [ Optional[Enum['permissive', 'enforcing']] ] - Default: enforcing - SELinux mode, permissive or enforcing. Disabled is not supported.
  • type - [ Optional[Enum['targeted', 'mls']] ] - Default: targeted - SELinux enforcement type.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure SELinux is installed":
      manage_package: true
      package_name: "libselinux"
      mode: "enforcing"
      type: "targeted"

Alternate Config IDs:

  • 1.6.1.1
  • c1_6_1_1
  • ensure_selinux_is_installed

Resource:

  • Class['sce_linux::utils::packages::linux::selinux']

1.6.1.2 - Ensure SELinux is not disabled in bootloader configuration

Parameters:

  • enable_selinux - [ Boolean ] - Default: true - Whether or not to enable SELinux in the bootloader boot command.
  • selinux_mode - [ Enum["permissive", "enforcing", "disabled"] ] - Default: enforcing - The SELinux enforcement mode to set in the bootloader. Only used if enable_selinux is true.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure SELinux is not disabled in bootloader configuration":
      enable_selinux: true
      selinux_mode: "enforcing"

Alternate Config IDs:

  • 1.6.1.2
  • c1_6_1_2
  • ensure_selinux_is_not_disabled_in_bootloader_configuration

Resource:

  • Class['sce_linux::utils::bootloader::grub2']

1.6.1.3 - Ensure SELinux policy is configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 1.6.1.3
  • c1_6_1_3
  • ensure_selinux_policy_is_configured

Resource:

  • Class['sce_linux::utils::packages::linux::selinux']

1.6.1.4 - Ensure the SELinux mode is enforcing or permissive

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 1.6.1.4
  • c1_6_1_4
  • ensure_the_selinux_mode_is_enforcing_or_permissive

Resource:

  • Class['sce_linux::utils::packages::linux::selinux']

1.6.1.5 - Ensure the SELinux mode is enforcing

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Alternate Config IDs:

  • 1.6.1.5
  • c1_6_1_5
  • ensure_the_selinux_mode_is_enforcing

Resource:

  • Class['sce_linux::utils::packages::linux::selinux']

1.6.1.7 - Ensure SETroubleshoot is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: setroubleshoot - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure SETroubleshoot is not installed":
      pkg_name: "setroubleshoot"

Alternate Config IDs:

  • 1.6.1.7
  • c1_6_1_7
  • ensure_setroubleshoot_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not install setroubleshoot']

1.6.1.8 - Ensure the MCS Translation Service (mcstrans) is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: mcstrans - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure the MCS Translation Service (mcstrans) is not installed":
      pkg_name: "mcstrans"

Alternate Config IDs:

  • 1.6.1.8
  • c1_6_1_8
  • ensure_the_mcs_translation_service_mcstrans_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not install mcs translation service']

1.7.1 - Ensure message of the day is configured properly

Parameters:

  • dynamic_motd - [ Optional[Boolean] ] - Default: true - Enables or disables dynamic motd on Debian systems.
  • motd_template - [ Optional[String[1]] ] - Default: undef - Specifies a custom motd template or text file. A template takes precedence over content. Valid options: '/mymodule/mytemplate.epp'.
  • motd_content - [ Optional[String] ] - Default: `` - Specifies a static string as the motd content. Default "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
  • issue_content - [ Optional[String] ] - Default: This is a secure system. Unauthorized access is strictly prohibited. - Specifies a static string as the /etc/issue content. Default "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
  • issue_net_content - [ Optional[String] ] - Default: This is a secure system. Unauthorized access is strictly prohibited.
  • issue_template - [ Optional[String[1]] ] - Default: undef - Specifies a custom template or text file to process and save to /etc/issue. A template takes precedence over issue_content.
  • issue_net_template - [ Optional[String[1]] ] - Default: undef - Specifies a custom template or text file to process and save to /etc/issue.net. A template takes precedence over issue_net_content.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure message of the day is configured properly":
      dynamic_motd: true
      motd_template: <<Type String[1]>>
      motd_content: ""
      issue_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
      issue_net_content: "This is a secure system. Unauthorized access is strictly prohibited.\r\n"
      issue_template: <<Type String[1]>>
      issue_net_template: <<Type String[1]>>

Alternate Config IDs:

  • 1.7.1
  • c1_7_1
  • ensure_message_of_the_day_is_configured_properly

Resource:

  • Class['sce_linux::utils::motd']

1.7.2 - Ensure local login warning banner is configured properly

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 1.7.2
  • c1_7_2
  • ensure_local_login_warning_banner_is_configured_properly

Resource:

  • Class['sce_linux::utils::motd']

1.7.3 - Ensure remote login warning banner is configured properly

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 1.7.3
  • c1_7_3
  • ensure_remote_login_warning_banner_is_configured_properly

Resource:

  • Class['sce_linux::utils::motd']

1.7.4 - Ensure permissions on /etc/motd are configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 1.7.4
  • c1_7_4
  • ensure_permissions_on_etcmotd_are_configured

Resource:

  • Class['sce_linux::utils::motd']

1.7.5 - Ensure permissions on /etc/issue are configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 1.7.5
  • c1_7_5
  • ensure_permissions_on_etcissue_are_configured

Resource:

  • Class['sce_linux::utils::motd']

1.7.6 - Ensure permissions on /etc/issue.net are configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 1.7.6
  • c1_7_6
  • ensure_permissions_on_etcissue_net_are_configured

Resource:

  • Class['sce_linux::utils::motd']

2.1.1 - Ensure xinetd is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: xinetd - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure xinetd is not installed":
      pkg_name: "xinetd"

Alternate Config IDs:

  • 2.1.1
  • c2_1_1
  • ensure_xinetd_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not install xinetd']

2.2.1.1 - Ensure time synchronization is in use

Parameters:

  • preferred_package - [ Enum["chrony", "ntp", "systemd-timesyncd"] ] - Default: chrony - The preferred package to use for time synchronization.
  • manage_package - [ Boolean ] - Default: true - If true, the package will be installed and managed by Puppet.
  • force_exclusivity - [ Boolean ] - Default: true - If true, the package that was not chosen will be removed from the system. This means that if your preferred package is chrony, ntp will be removed. This only applies to RedHat-family operating systems.
  • timeservers - [ Array[String] ] - Default: [] - Array of strings starting with the type (pool, server, etc.), then hostname / IP, then any options. Each element of the timeservers array will be added to the chrony / ntp / systemd-timesyncd config file as is. Please see man chrony.conf(5), man ntp.conf(5), or man timesyncd.conf(5) for more details. Example (ntp / chrony): ['server 192.168.0.250 prefer iburst', 'server 192.168.0.251 iburst'] Example (systemd-timesyncd): ['pool 0.ubuntu.pool.ntp.org', 'pool 1.ubuntu.pool.ntp.org']
  • sysconfig_options - [ Optional[String[1]] ] - Default: undef - Options to be added to the sysconfig file for the chosen package. This defaults to -u chrony for the chrony package and -u ntp:ntp for the ntp package. This has no effect on the systemd-timesyncd package.
  • ntp_restricts - [ Optional[Array[String[1]]] ] - Default: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"] - Array of strings used to create restrict lines in the ntp config file. Defaults to `['-4 default kod nomodify notrap nopeer noquery', '-6 default kod nomodify notrap nopeer noquery']`.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure time synchronization is in use":
      preferred_package: "chrony"
      manage_package: true
      force_exclusivity: true
      timeservers: []
      sysconfig_options: <<Type String[1]>>
      ntp_restricts: ["-4 default kod nomodify notrap nopeer noquery", "-6 default kod nomodify notrap nopeer noquery"]

Alternate Config IDs:

  • 2.2.1.1
  • c2_2_1_1
  • ensure_time_synchronization_is_in_use

Resource:

  • Class['sce_linux::utils::timesync']

2.2.1.2 - Ensure chrony is configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 2.2.1.2
  • c2_2_1_2
  • ensure_chrony_is_configured

Resource:

  • Class['sce_linux::utils::timesync']

2.2.1.3 - Ensure ntp is configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 2.2.1.3
  • c2_2_1_3
  • ensure_ntp_is_configured

Resource:

  • Class['sce_linux::utils::timesync']

2.2.2 - Ensure X11 Server components are not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: xorg-x11-server* - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure X11 Server components are not installed":
      pkg_name: "xorg-x11-server*"

Alternate Config IDs:

  • 2.2.2
  • c2_2_2
  • ensure_x11_server_components_are_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not install x11 server components']

2.2.3 - Ensure Avahi Server is not installed

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_2

Alternate Config IDs:

  • 2.2.3
  • c2_2_3
  • ensure_avahi_server_is_not_installed

Resource:

  • Class['sce_linux::utils::remove_avahi_server']

2.2.4 - Ensure CUPS is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: cups - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure CUPS is not installed":
      pkg_name: "cups"

Alternate Config IDs:

  • 2.2.4
  • c2_2_4
  • ensure_cups_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not install CUPS']

2.2.5 - Ensure DHCP Server is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: dhcp - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure DHCP Server is not installed":
      pkg_name: "dhcp"

Alternate Config IDs:

  • 2.2.5
  • c2_2_5
  • ensure_dhcp_server_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not use DHCP server']

2.2.6 - Ensure LDAP server is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: openldap-servers - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure LDAP server is not installed":
      pkg_name: "openldap-servers"

Alternate Config IDs:

  • 2.2.6
  • c2_2_6
  • ensure_ldap_server_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not LDAP server']

2.2.7 - Ensure DNS Server is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: bind - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure DNS Server is not installed":
      pkg_name: "bind"

Alternate Config IDs:

  • 2.2.7
  • c2_2_7
  • ensure_dns_server_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not use DNS server']

2.2.8 - Ensure FTP Server is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: vsftpd - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure FTP Server is not installed":
      pkg_name: "vsftpd"

Alternate Config IDs:

  • 2.2.8
  • c2_2_8
  • ensure_ftp_server_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not use ftp server']

2.2.9 - Ensure HTTP server is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: httpd - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure HTTP server is not installed":
      pkg_name: "httpd"

Alternate Config IDs:

  • 2.2.9
  • c2_2_9
  • ensure_http_server_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not use HTTP Server']

2.2.10 - Ensure IMAP and POP3 server is not installed

Parameters:

  • mail_servers - [ Array[String] ] - Default: ["dovecot", "postfix"] - Array of mail servers that will be removed from the managed machine

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure IMAP and POP3 server is not installed":
      mail_servers: ["dovecot", "postfix"]

Alternate Config IDs:

  • 2.2.10
  • c2_2_10
  • ensure_imap_and_pop3_server_is_not_installed

Resource:

  • Class['sce_linux::utils::remove_imap_and_pop3']

2.2.11 - Ensure Samba is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: samba - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure Samba is not installed":
      pkg_name: "samba"

Alternate Config IDs:

  • 2.2.11
  • c2_2_11
  • ensure_samba_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not use Samba']

2.2.12 - Ensure HTTP Proxy Server is not installed

Parameters:

  • proxy_packages - [ Array[String] ] - Default: ["squid"] - Array of proxy packages that will be removed from the managed machine

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure HTTP Proxy Server is not installed":
      proxy_packages: ["squid"]

Alternate Config IDs:

  • 2.2.12
  • c2_2_12
  • ensure_http_proxy_server_is_not_installed

Resource:

  • Class['sce_linux::utils::remove_http_proxy']

2.2.13 - Ensure net-snmp is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: net-snmp - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure net-snmp is not installed":
      pkg_name: "net-snmp"

Alternate Config IDs:

  • 2.2.13
  • c2_2_13
  • ensure_net_snmp_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not use net-snmp']

2.2.14 - Ensure NIS server is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: ypserv - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure NIS server is not installed":
      pkg_name: "ypserv"

Alternate Config IDs:

  • 2.2.14
  • c2_2_14
  • ensure_nis_server_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Disable NIS Server']

2.2.15 - Ensure telnet-server is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: telnet-server - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure telnet-server is not installed":
      pkg_name: "telnet-server"

Alternate Config IDs:

  • 2.2.15
  • c2_2_15
  • ensure_telnet_server_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Remove Telnet server']

2.2.16 - Ensure mail transfer agent is configured for local-only mode

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 2.2.16
  • c2_2_16
  • ensure_mail_transfer_agent_is_configured_for_local_only_mode

Resource:

  • Class['sce_linux::utils::local_only_mta']

2.2.17 - Ensure nfs-utils is not installed or the nfs-server service is masked

Parameters:

  • keep_nfsutils - [ Boolean ] - Whether to keep nfs-utils installed and mask the nfs-server service (true) or remove the nfs-utils package (false).
  • dependent - [ Array ] - Default: ["ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked"]

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure nfs-utils is not installed or the  nfs-server service is masked":
      keep_nfsutils: false
      dependent: ["ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked"]

Alternate Config IDs:

  • 2.2.17
  • c2_2_17
  • ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked

Resource:

  • Class['sce_linux::utils::disable_or_remove_nfs']

2.2.18 - Ensure rpcbind is not installed or the rpcbind services are masked

Parameters:

  • keep_rpcbind - [ Boolean ] - Whether to keep rpcbind installed and mask its services (true) or remove the package (false).

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure rpcbind is not installed or the  rpcbind services are masked":
      keep_rpcbind: false

Alternate Config IDs:

  • 2.2.18
  • c2_2_18
  • ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked

Resource:

  • Class['sce_linux::utils::disable_or_remove_rpcbind']

2.2.19 - Ensure rsync is not installed or the rsyncd service is masked

Parameters:

  • keep_rsync - [ Boolean ] - Whether to keep rsync installed and mask the rsyncd service (true) or remove the package (false).

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure rsync is not installed or the rsyncd service is masked":
      keep_rsync: false

Alternate Config IDs:

  • 2.2.19
  • c2_2_19
  • ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked

Resource:

  • Class['sce_linux::utils::disable_or_remove_rsync']

2.3.1 - Ensure NIS Client is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: ypbind - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure NIS Client is not installed":
      pkg_name: "ypbind"

Alternate Config IDs:

  • 2.3.1
  • c2_3_1
  • ensure_nis_client_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not use NIS Client']

2.3.2 - Ensure rsh client is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: rsh - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure rsh client is not installed":
      pkg_name: "rsh"

Alternate Config IDs:

  • 2.3.2
  • c2_3_2
  • ensure_rsh_client_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not use rsh']

2.3.3 - Ensure talk client is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: talk - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure talk client is not installed":
      pkg_name: "talk"

Alternate Config IDs:

  • 2.3.3
  • c2_3_3
  • ensure_talk_client_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Do not use talk client']

2.3.4 - Ensure telnet client is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: telnet - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure telnet client is not installed":
      pkg_name: "telnet"

Alternate Config IDs:

  • 2.3.4
  • c2_3_4
  • ensure_telnet_client_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Remove Telnet Client']

2.3.5 - Ensure LDAP client is not installed

Parameters:

  • pkg_name - [ String[1] ] - Default: openldap-clients - Name of package to remove.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure LDAP client is not installed":
      pkg_name: "openldap-clients"

Alternate Config IDs:

  • 2.3.5
  • c2_3_5
  • ensure_ldap_client_is_not_installed

Resource:

  • Sce_linux::Utils::Packages::Absenter['Remove LDAP Client']
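
Before enabling the package-removal controls 2.2.2 through 2.3.5 on a fleet, it is worth knowing which installed packages their defaults would actually remove. The script below is an added example and not part of sce_linux: it takes a node's installed-package list (the output of `rpm -qa --qf '%{NAME}\n'`, here a constructed sample) and matches it against the documented pkg_name / mail_servers / proxy_packages defaults, honouring shell-style globs such as "xorg-x11-server*" with fnmatch. Note that a plain name matches exactly, so httpd-tools survives 2.2.9, and that the 2.2.10 default list includes postfix, so a host that needs the local-only MTA from 2.2.16 should override mail_servers.

```python
"""Pre-flight check for the package-removal controls (2.2.2 - 2.3.5).

Added example, not part of sce_linux: given the installed-package list of a
node (output of `rpm -qa --qf '%{NAME}\n'`), report which packages the
control defaults would remove. pkg_name values may be shell globs such as
"xorg-x11-server*", so matching uses fnmatch.
"""
import fnmatch

# Control -> package names/globs, taken from the defaults documented above.
CONTROL_PACKAGES = {
    "2.2.2 X11 Server": ["xorg-x11-server*"],
    "2.2.4 CUPS": ["cups"],
    "2.2.5 DHCP Server": ["dhcp"],
    "2.2.6 LDAP server": ["openldap-servers"],
    "2.2.7 DNS Server": ["bind"],
    "2.2.8 FTP Server": ["vsftpd"],
    "2.2.9 HTTP server": ["httpd"],
    "2.2.10 IMAP and POP3 server": ["dovecot", "postfix"],
    "2.2.11 Samba": ["samba"],
    "2.2.12 HTTP Proxy Server": ["squid"],
    "2.2.13 net-snmp": ["net-snmp"],
    "2.2.14 NIS server": ["ypserv"],
    "2.2.15 telnet-server": ["telnet-server"],
    "2.3.1 NIS Client": ["ypbind"],
    "2.3.2 rsh client": ["rsh"],
    "2.3.3 talk client": ["talk"],
    "2.3.4 telnet client": ["telnet"],
    "2.3.5 LDAP client": ["openldap-clients"],
}


def matches(pattern, installed):
    """Installed package names matching one pkg_name value (exact or glob)."""
    return sorted(p for p in installed if fnmatch.fnmatchcase(p, pattern))


def packages_to_remove(installed, control_packages=CONTROL_PACKAGES):
    """Return {control: [installed packages it would remove]}, hits only."""
    hits = {}
    for control, patterns in control_packages.items():
        found = []
        for pattern in patterns:
            found.extend(matches(pattern, installed))
        if found:
            hits[control] = found
    return hits


# Constructed sample: a CentOS 7 web host with a local MTA and an X server.
SAMPLE_RPM_QA = """\
bash
httpd
httpd-tools
postfix
xorg-x11-server-Xorg
xorg-x11-server-common
xorg-x11-xauth
openldap
openldap-clients
chrony
"""

if __name__ == "__main__":
    for control, pkgs in packages_to_remove(SAMPLE_RPM_QA.split()).items():
        print(f"{control}: would remove {', '.join(pkgs)}")
```

Run it against `rpm -qa --qf '%{NAME}\n'` output from a representative host of each role, then override the pkg_name or list parameters in Hiera for the controls whose defaults would take out something the role depends on.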

3.1.1 - Disable IPv6

Parameters:

  • strategy - [ Enum["sysctl", "grub"] ] - Default: sysctl - Whether to disable IPv6 with sysctl or in the grub config
  • create_sysctl_file - [ Boolean ] - Default: true - Whether to create a new sysctl file or to use the default config file
  • sysctl_conf - [ String ] - Default: /etc/sysctl.conf - Path to sysctl.conf.
  • sysctl_d_path - [ String ] - Default: /etc/sysctl.d - Path to sysctl.d.
  • sysctl_prefix - [ String ] - Default: 10- - A prefix to add to the created file name.
  • sysctl_comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to the created file.

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Disable IPv6":
      strategy: "sysctl"
      create_sysctl_file: true
      sysctl_conf: "/etc/sysctl.conf"
      sysctl_d_path: "/etc/sysctl.d"
      sysctl_prefix: "10-"
      sysctl_comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.1.1
  • c3_1_1
  • disable_ipv6

Resource:

  • Class['sce_linux::utils::network::disable_ipv6']

3.1.2 - Ensure wireless interfaces are disabled

Parameters:

  • wwan - [ Boolean ] - Default: true - Whether to disable wwan
  • wifi - [ Boolean ] - Default: true - Whether to disable wifi

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure wireless interfaces are disabled":
      wwan: true
      wifi: true

Alternate Config IDs:

  • 3.1.2
  • c3_1_2
  • ensure_wireless_interfaces_are_disabled

Resource:

  • Sce_linux::Utils::Network::Disable_wireless_interfaces['Disable wireless interfaces']

3.2.1 - Ensure IP forwarding is disabled

Parameters:

  • target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_ip_forwarding.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure IP forwarding is disabled":
      target: "/etc/sysctl.d/90-disable_ip_forwarding.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.2.1
  • c3_2_1
  • ensure_ip_forwarding_is_disabled

Resource:

  • Class['sce_linux::utils::network::disable_ip_forwarding']

3.2.2 - Ensure packet redirect sending is disabled

Parameters:

  • target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_packet_redirect_sending.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure packet redirect sending is disabled":
      target: "/etc/sysctl.d/90-disable_packet_redirect_sending.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.2.2
  • c3_2_2
  • ensure_packet_redirect_sending_is_disabled

Resource:

  • Class['sce_linux::utils::network::disable_packet_redirect_sending']

3.3.1 - Ensure source routed packets are not accepted

Parameters:

  • target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_source_routes.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure source routed packets are not accepted":
      target: "/etc/sysctl.d/90-disable_source_routes.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.3.1
  • c3_3_1
  • ensure_source_routed_packets_are_not_accepted

Resource:

  • Class['sce_linux::utils::network::disable_source_routes']

3.3.2 - Ensure ICMP redirects are not accepted

Parameters:

  • disable_ipv4_accept_default - [ Boolean ] - Default: true - Disable accepting IPv4 ICMP redirects on default route
  • disable_ipv4_accept_all - [ Boolean ] - Default: true - Disable accepting IPv4 ICMP redirects on all routes
  • disable_ipv6_accept_default - [ Boolean ] - Default: true - Disable accepting IPv6 ICMP redirects on default route
  • disable_ipv6_accept_all - [ Boolean ] - Default: true - Disable accepting IPv6 ICMP redirects on all routes
  • target - [ Stdlib::UnixPath ] - Default: /etc/sysctl.d/90-disable_icmp_redirects.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure ICMP redirects are not accepted":
      disable_ipv4_accept_default: true
      disable_ipv4_accept_all: true
      disable_ipv6_accept_default: true
      disable_ipv6_accept_all: true
      target: "/etc/sysctl.d/90-disable_icmp_redirects.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.3.2
  • c3_3_2
  • ensure_icmp_redirects_are_not_accepted

Resource:

  • Class['sce_linux::utils::network::disable_icmp_redirects']

3.3.3 - Ensure secure ICMP redirects are not accepted

Parameters:

  • target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_secure_icmp_redirects.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure secure ICMP redirects are not accepted":
      target: "/etc/sysctl.d/90-disable_secure_icmp_redirects.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.3.3
  • c3_3_3
  • ensure_secure_icmp_redirects_are_not_accepted

Resource:

  • Class['sce_linux::utils::network::disable_secure_icmp_redirects']

3.3.4 - Ensure suspicious packets are logged

Parameters:

  • target - [ String[1] ] - Default: /etc/sysctl.d/90-enable_log_martians.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure suspicious packets are logged":
      target: "/etc/sysctl.d/90-enable_log_martians.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.3.4
  • c3_3_4
  • ensure_suspicious_packets_are_logged

Resource:

  • Class['sce_linux::utils::network::enable_log_martians']

3.3.5 - Ensure broadcast ICMP requests are ignored

Parameters:

  • target - [ String[1] ] - Default: /etc/sysctl.d/90-ignore_icmp_broadcast.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure broadcast ICMP requests are ignored":
      target: "/etc/sysctl.d/90-ignore_icmp_broadcast.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.3.5
  • c3_3_5
  • ensure_broadcast_icmp_requests_are_ignored

Resource:

  • Class['sce_linux::utils::network::ignore_icmp_broadcast']

3.3.6 - Ensure bogus ICMP responses are ignored

Parameters:

  • target - [ String[1] ] - Default: /etc/sysctl.d/90-ignore_bogus_icmp.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure bogus ICMP responses are ignored":
      target: "/etc/sysctl.d/90-ignore_bogus_icmp.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.3.6
  • c3_3_6
  • ensure_bogus_icmp_responses_are_ignored

Resource:

  • Class['sce_linux::utils::network::ignore_bogus_icmp']

3.3.7 - Ensure Reverse Path Filtering is enabled

Parameters:

  • target - [ String[1] ] - Default: /etc/sysctl.d/90-enable_reverse_path_filtering.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure Reverse Path Filtering is enabled":
      target: "/etc/sysctl.d/90-enable_reverse_path_filtering.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.3.7
  • c3_3_7
  • ensure_reverse_path_filtering_is_enabled

Resource:

  • Class['sce_linux::utils::network::enable_reverse_path_filtering']

3.3.8 - Ensure TCP SYN Cookies is enabled

Parameters:

  • target - [ String[1] ] - Default: /etc/sysctl.d/90-enable_tcp_syn_cookies.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure TCP SYN Cookies is enabled":
      target: "/etc/sysctl.d/90-enable_tcp_syn_cookies.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.3.8
  • c3_3_8
  • ensure_tcp_syn_cookies_is_enabled

Resource:

  • Class['sce_linux::utils::network::enable_tcp_syn_cookies']

3.3.9 - Ensure IPv6 router advertisements are not accepted

Parameters:

  • target - [ String[1] ] - Default: /etc/sysctl.d/90-disable_ipv6_router_advertisements.conf - The sysctl file that values will be written to.
  • persist - [ Boolean ] - Default: true - If set to false, no values will be persisted to disk. Setting this to false will cause $target and $comment to be ignored.
  • comment - [ String ] - Default: MANAGED BY PUPPET - A comment to add to each setting.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure IPv6 router advertisements are not accepted":
      target: "/etc/sysctl.d/90-disable_ipv6_router_advertisements.conf"
      persist: true
      comment: "MANAGED BY PUPPET"

Alternate Config IDs:

  • 3.3.9
  • c3_3_9
  • ensure_ipv6_router_advertisements_are_not_accepted

Resource:

  • Class['sce_linux::utils::network::disable_ipv6_router_advertisements']
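
The sysctl controls 3.2.1 through 3.3.9 each write their values to a `target` file under /etc/sysctl.d, or, with persist: false, only set them in the running kernel, where a later `sysctl -w` or a reboot can undo them. The script below is an added example and not part of sce_linux: it compares a `sysctl -a` dump (a constructed sample here) with the values the CIS CentOS Linux 7 Benchmark requires for these controls and reports every parameter that drifts. The parameter names and required values are the benchmark's; the module does not list them on this page, so they are stated here as an assumption drawn from the benchmark text.

```python
"""Audit running kernel parameters against the sysctl controls 3.2.1 - 3.3.9.

Added example, not part of sce_linux. Compares a `sysctl -a` dump with the
values the CIS CentOS Linux 7 Benchmark requires, so drift (a later
`sysctl -w`, or a persist: false run followed by a reboot) shows up.
"""

# CIS control -> {kernel parameter: required value}. Values are the
# benchmark's, not taken from the module (which does not list them here).
EXPECTED = {
    "3.2.1": {"net.ipv4.ip_forward": 0, "net.ipv6.conf.all.forwarding": 0},
    "3.2.2": {"net.ipv4.conf.all.send_redirects": 0,
              "net.ipv4.conf.default.send_redirects": 0},
    "3.3.1": {"net.ipv4.conf.all.accept_source_route": 0,
              "net.ipv4.conf.default.accept_source_route": 0,
              "net.ipv6.conf.all.accept_source_route": 0,
              "net.ipv6.conf.default.accept_source_route": 0},
    "3.3.2": {"net.ipv4.conf.all.accept_redirects": 0,
              "net.ipv4.conf.default.accept_redirects": 0,
              "net.ipv6.conf.all.accept_redirects": 0,
              "net.ipv6.conf.default.accept_redirects": 0},
    "3.3.3": {"net.ipv4.conf.all.secure_redirects": 0,
              "net.ipv4.conf.default.secure_redirects": 0},
    "3.3.4": {"net.ipv4.conf.all.log_martians": 1,
              "net.ipv4.conf.default.log_martians": 1},
    "3.3.5": {"net.ipv4.icmp_echo_ignore_broadcasts": 1},
    "3.3.6": {"net.ipv4.icmp_ignore_bogus_error_responses": 1},
    "3.3.7": {"net.ipv4.conf.all.rp_filter": 1,
              "net.ipv4.conf.default.rp_filter": 1},
    "3.3.8": {"net.ipv4.tcp_syncookies": 1},
    "3.3.9": {"net.ipv6.conf.all.accept_ra": 0,
              "net.ipv6.conf.default.accept_ra": 0},
}


def parse_sysctl_dump(text):
    """Parse `sysctl -a` output ("key = value" per line) into {key: value}."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def audit(values, expected=EXPECTED):
    """Return findings as (control, key, actual, required). actual is None
    when the key is absent, e.g. IPv6 keys on a host with IPv6 disabled."""
    findings = []
    for control, params in expected.items():
        for key, required in params.items():
            actual = values.get(key)
            if actual is None or actual != str(required):
                findings.append((control, key, actual, str(required)))
    return findings


# Constructed sample dump: IP forwarding left on, rp_filter in loose mode (2).
SAMPLE_SYSCTL_A = """\
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
"""

if __name__ == "__main__":
    for control, key, actual, required in audit(parse_sysctl_dump(SAMPLE_SYSCTL_A)):
        print(f"{control}: {key} is {actual!r}, benchmark requires {required}")
```

Feed it `sysctl -a 2>/dev/null` from the host. A finding with actual None for an IPv6 key usually means 3.1.1 disabled IPv6 via the grub strategy, in which case the benchmark treats the IPv6 checks as not applicable; any other finding means the running kernel no longer matches what the control wrote, and a Puppet run (or a reboot, if persist is true) will reconcile it.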

3.4.1 - Ensure DCCP is disabled

Parameters:

  • target - [ Optional[String[1]] ] - Default: /etc/modprobe.d/dccp.conf - Target file to write.
  • content - [ Optional[String] ] - Default: install dccp /bin/true - Target file content.

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure DCCP is disabled":
      target: "/etc/modprobe.d/dccp.conf"
      content: "install dccp /bin/true"

Alternate Config IDs:

  • 3.4.1
  • c3_4_1
  • ensure_dccp_is_disabled

Resource:

  • Class['sce_linux::utils::network::disable_dccp']

3.4.2 - Ensure SCTP is disabled

Parameters:

  • target - [ Optional[String[1]] ] - Default: /etc/modprobe.d/sctp.conf - Target file to write.
  • content - [ Optional[String] ] - Default: install sctp /bin/true - Target file content.

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure SCTP is disabled":
      target: "/etc/modprobe.d/sctp.conf"
      content: "install sctp /bin/true"

Alternate Config IDs:

  • 3.4.2
  • c3_4_2
  • ensure_sctp_is_disabled

Resource:

  • Class['sce_linux::utils::network::disable_sctp']
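
Controls 3.4.1 and 3.4.2 write an `install <module> /bin/true` line to a file under /etc/modprobe.d. That only affects future modprobe calls: a module that is already resident stays loaded until it is removed with `rmmod` / `modprobe -r` or the host reboots, so the file alone is not proof that the protocol is unavailable. The script below is an added example and not part of sce_linux: it reads the modprobe.d fragment text and an `lsmod` listing (both constructed samples here) and reports, per module, whether loading is blocked and whether the module is currently loaded.

```python
"""Check that a kernel module disabled by 3.4.1 / 3.4.2 is both blocked from
loading and not currently loaded.

Added example, not part of sce_linux. The control's modprobe.d file only
affects future modprobe calls; a module already in memory stays loaded
until rmmod / modprobe -r or a reboot.
"""
import shlex


def install_overrides(modprobe_text):
    """Return {module: command} for every `install <module> <command>` line."""
    overrides = {}
    for line in modprobe_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = shlex.split(line)
        if len(parts) >= 3 and parts[0] == "install":
            overrides[parts[1]] = " ".join(parts[2:])
    return overrides


def loaded_modules(lsmod_text):
    """Return the set of module names from `lsmod` output (header skipped)."""
    names = set()
    for line in lsmod_text.splitlines()[1:]:
        if line.strip():
            names.add(line.split()[0])
    return names


def module_status(module, modprobe_text, lsmod_text):
    """Return (blocked, loaded). blocked is True when an install override
    maps the module to /bin/true or /bin/false; loaded when lsmod lists it."""
    command = install_overrides(modprobe_text).get(module)
    blocked = command in ("/bin/true", "/bin/false")
    loaded = module in loaded_modules(lsmod_text)
    return blocked, loaded


# Constructed samples: dccp.conf as the control writes it, sctp not yet
# managed, and sctp still resident in the kernel.
SAMPLE_MODPROBE_D = """\
# constructed sample of /etc/modprobe.d/dccp.conf
install dccp /bin/true
"""

SAMPLE_LSMOD = """\
Module                  Size  Used by
sctp                  372736  2
xfs                  1503232  2
libcrc32c              16384  2 xfs
"""

if __name__ == "__main__":
    for module in ("dccp", "sctp"):
        blocked, loaded = module_status(module, SAMPLE_MODPROBE_D, SAMPLE_LSMOD)
        state = "blocked" if blocked else "NOT blocked"
        state += ", loaded (needs rmmod or reboot)" if loaded else ", not loaded"
        print(f"{module}: {state}")
```

On a real host, concatenate the files under /etc/modprobe.d and pass `lsmod` output; a module reported as blocked but loaded needs `modprobe -r <module>` (or a reboot) before the control's intent holds.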

3.5.1.1 - Ensure firewalld is installed

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.1.1
  • c3_5_1_1
  • ensure_firewalld_is_installed

Resource:

  • Class['sce_linux::utils::firewall::firewalld']

3.5.1.2 - Ensure iptables-services not installed with firewalld

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.1.2
  • c3_5_1_2
  • ensure_iptables_services_not_installed_with_firewalld

Resource:

  • Class['sce_linux::utils::firewall::firewalld']

3.5.1.3 - Ensure nftables either not installed or masked with firewalld

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.1.3
  • c3_5_1_3
  • ensure_nftables_either_not_installed_or_masked_with_firewalld

Resource:

  • Class['sce_linux::utils::firewall::firewalld']

3.5.1.4 - Ensure firewalld service enabled and running

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.1.4
  • c3_5_1_4
  • ensure_firewalld_service_enabled_and_running

Resource:

  • Class['sce_linux::utils::firewall::firewalld']

3.5.1.5 - Ensure firewalld default zone is set

Parameters:

  • default_zone - [ Optional[String[1]] ] - Default: public - Sets the default firewalld zone to this zone.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure firewalld default zone is set":
      default_zone: "public"

Alternate Config IDs:

  • 3.5.1.5
  • c3_5_1_5
  • ensure_firewalld_default_zone_is_set

Resource:

  • Class['sce_linux::utils::firewall::firewalld']

3.5.1.6 - Ensure network interfaces are assigned to appropriate zone

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.1.6
  • c3_5_1_6
  • ensure_network_interfaces_are_assigned_to_appropriate_zone

Resource:

  • Class['sce_linux::utils::firewall::firewalld']

3.5.3.1.1 - Ensure iptables packages are installed

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.1.1
  • c3_5_3_1_1
  • ensure_iptables_packages_are_installed

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.1.2 - Ensure nftables is not installed with iptables

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.1.2
  • c3_5_3_1_2
  • ensure_nftables_is_not_installed_with_iptables

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.1.3 - Ensure firewalld is either not installed or masked with iptables

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.1.3
  • c3_5_3_1_3
  • ensure_firewalld_is_either_not_installed_or_masked_with_iptables

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.2.1 - Ensure iptables loopback traffic is configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.2.1
  • c3_5_3_2_1
  • ensure_iptables_loopback_traffic_is_configured

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.2.2 - Ensure iptables outbound and established connections are configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.2.2
  • c3_5_3_2_2
  • ensure_iptables_outbound_and_established_connections_are_configured

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.2.3 - Ensure iptables rules exist for all open ports

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.2.3
  • c3_5_3_2_3
  • ensure_iptables_rules_exist_for_all_open_ports

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.2.4 - Ensure iptables default deny firewall policy

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.2.4
  • c3_5_3_2_4
  • ensure_iptables_default_deny_firewall_policy

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.2.5 - Ensure iptables rules are saved

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.2.5
  • c3_5_3_2_5
  • ensure_iptables_rules_are_saved

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.2.6 - Ensure iptables is enabled and running

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.2.6
  • c3_5_3_2_6
  • ensure_iptables_is_enabled_and_running

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.3.1 - Ensure ip6tables loopback traffic is configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.3.1
  • c3_5_3_3_1
  • ensure_ip6tables_loopback_traffic_is_configured

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.3.2 - Ensure ip6tables outbound and established connections are configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.3.2
  • c3_5_3_3_2
  • ensure_ip6tables_outbound_and_established_connections_are_configured

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.3.3 - Ensure ip6tables firewall rules exist for all open ports

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.3.3
  • c3_5_3_3_3
  • ensure_ip6tables_firewall_rules_exist_for_all_open_ports

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.3.4 - Ensure ip6tables default deny firewall policy

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.3.4
  • c3_5_3_3_4
  • ensure_ip6tables_default_deny_firewall_policy

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.3.5 - Ensure ip6tables rules are saved

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.3.5
  • c3_5_3_3_5
  • ensure_ip6tables_rules_are_saved

Resource:

  • Class['sce_linux::utils::firewall::iptables']

3.5.3.3.6 - Ensure ip6tables is enabled and running

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 3.5.3.3.6
  • c3_5_3_3_6
  • ensure_ip6tables_is_enabled_and_running

Resource:

  • Class['sce_linux::utils::firewall::iptables']

4.1.1.1 - Ensure auditd is installed

Parameters:

  • package - [ Array ] - Default: ["audit", "audit-libs"] - Packages to install for auditd.

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure auditd is installed":
      package: ["audit", "audit-libs"]

Alternate Config IDs:

  • 4.1.1.1
  • c4_1_1_1
  • ensure_auditd_is_installed

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.1.2 - Ensure auditd service is enabled and running

Parameters:

  • service - [ String[1] ] - Default: auditd - Name of auditd service.

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure auditd service is enabled and running":
      service: "auditd"

Alternate Config IDs:

  • 4.1.1.2
  • c4_1_1_2
  • ensure_auditd_service_is_enabled_and_running

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.1.3 - Ensure auditing for processes that start prior to auditd is enabled

Parameters:

  • enable_auditd - [ Boolean ] - Default: true - Whether or not to enable auditd in the bootloader boot command.

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure auditing for processes that start prior to auditd is enabled":
      enable_auditd: true

Alternate Config IDs:

  • 4.1.1.3
  • c4_1_1_3
  • ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled

Resource:

  • Class['sce_linux::utils::bootloader::grub2']

4.1.2.1 - Ensure audit log storage size is configured

Parameters:

  • max_log_file - [ Integer[0] ] - Default: 8

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure audit log storage size is configured":
      max_log_file: 8

Alternate Config IDs:

  • 4.1.2.1
  • c4_1_2_1
  • ensure_audit_log_storage_size_is_configured

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.2.2 - Ensure audit logs are not automatically deleted

Parameters:

  • max_log_file_action - [ Enum["keep_logs", "rotate", "ignore", "syslog", "suspend"] ] - Default: keep_logs

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure audit logs are not automatically deleted":
      max_log_file_action: "keep_logs"

Alternate Config IDs:

  • 4.1.2.2
  • c4_1_2_2
  • ensure_audit_logs_are_not_automatically_deleted

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.2.3 - Ensure system is disabled when audit logs are full

Parameters:

  • space_left_action - [ Enum["ignore", "syslog", "email", "suspend", "single", "halt"] ] - Default: halt
  • admin_space_left_action - [ Enum["ignore", "syslog", "email", "suspend", "single", "halt"] ] - Default: halt
  • action_mail_acct - [ String[1] ] - Default: root

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure system is disabled when audit logs are full":
      space_left_action: "halt"
      admin_space_left_action: "halt"
      action_mail_acct: "root"

Alternate Config IDs:

  • 4.1.2.3
  • c4_1_2_3
  • ensure_system_is_disabled_when_audit_logs_are_full

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.2.4 - Ensure audit_backlog_limit is sufficient

Parameters:

  • audit_backlog_limit - [ Integer ] - Default: 8192 - The maximum number of audit log entries to keep in the backlog.

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure audit_backlog_limit is sufficient":
      audit_backlog_limit: 8192

Alternate Config IDs:

  • 4.1.2.4
  • c4_1_2_4
  • ensure_audit_backlog_limit_is_sufficient

Resource:

  • Class['sce_linux::utils::bootloader::grub2']

4.1.3 - Ensure events that modify date and time information are collected

Parameters:

  • audit_time_change - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure events that modify date and time information are collected":
      audit_time_change: true

Alternate Config IDs:

  • 4.1.3
  • c4_1_3
  • ensure_events_that_modify_date_and_time_information_are_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.4 - Ensure events that modify user/group information are collected

Parameters:

  • audit_usergroup_modification - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure events that modify user/group information are collected":
      audit_usergroup_modification: true

Alternate Config IDs:

  • 4.1.4
  • c4_1_4
  • ensure_events_that_modify_usergroup_information_are_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.5 - Ensure events that modify the system's network environment are collected

Parameters:

  • audit_network_environment - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure events that modify the system's network environment are collected":
      audit_network_environment: true

Alternate Config IDs:

  • 4.1.5
  • c4_1_5
  • ensure_events_that_modify_the_systems_network_environment_are_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.6 - Ensure events that modify the system's Mandatory Access Controls are collected

Parameters:

  • audit_mac_modification - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure events that modify the system's Mandatory Access Controls are collected":
      audit_mac_modification: true

Alternate Config IDs:

  • 4.1.6
  • c4_1_6
  • ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.7 - Ensure login and logout events are collected

Parameters:

  • audit_lastlog_log - [ Boolean ] - Default: true
  • audit_faillock_run - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure login and logout events are collected":
      audit_lastlog_log: true
      audit_faillock_run: true

Alternate Config IDs:

  • 4.1.7
  • c4_1_7
  • ensure_login_and_logout_events_are_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.8 - Ensure session initiation information is collected

Parameters:

  • audit_session_initiation - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure session initiation information is collected":
      audit_session_initiation: true

Alternate Config IDs:

  • 4.1.8
  • c4_1_8
  • ensure_session_initiation_information_is_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.9 - Ensure discretionary access control permission modification events are collected

Parameters:

  • audit_dac_modification - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure discretionary access control permission modification events are collected":
      audit_dac_modification: true

Alternate Config IDs:

  • 4.1.9
  • c4_1_9
  • ensure_discretionary_access_control_permission_modification_events_are_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.10 - Ensure unsuccessful unauthorized file access attempts are collected

Parameters:

  • audit_unauthorized_file_access - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure unsuccessful unauthorized file access attempts are collected":
      audit_unauthorized_file_access: true

Alternate Config IDs:

  • 4.1.10
  • c4_1_10
  • ensure_unsuccessful_unauthorized_file_access_attempts_are_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.11 - Ensure use of privileged commands is collected

Parameters:

  • audit_privileged_commands - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure use of privileged commands is collected":
      audit_privileged_commands: true

Alternate Config IDs:

  • 4.1.11
  • c4_1_11
  • ensure_use_of_privileged_commands_is_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.12 - Ensure successful file system mounts are collected

Parameters:

  • audit_file_system_mounts - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure successful file system mounts are collected":
      audit_file_system_mounts: true

Alternate Config IDs:

  • 4.1.12
  • c4_1_12
  • ensure_successful_file_system_mounts_are_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.13 - Ensure file deletion events by users are collected

Parameters:

  • audit_file_deletion_events - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure file deletion events by users are collected":
      audit_file_deletion_events: true

Alternate Config IDs:

  • 4.1.13
  • c4_1_13
  • ensure_file_deletion_events_by_users_are_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.14 - Ensure changes to system administration scope (sudoers) is collected

Parameters:

  • audit_sudoers_modification - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure changes to system administration scope (sudoers) is collected":
      audit_sudoers_modification: true

Alternate Config IDs:

  • 4.1.14
  • c4_1_14
  • ensure_changes_to_system_administration_scope_sudoers_is_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.15 - Ensure system administrator command executions (sudo) are collected

Parameters:

  • audit_sudo_actions - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure system administrator command executions (sudo) are collected":
      audit_sudo_actions: true

Alternate Config IDs:

  • 4.1.15
  • c4_1_15
  • ensure_system_administrator_command_executions_sudo_are_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.16 - Ensure kernel module loading and unloading is collected

Parameters:

  • audit_kernel_module_loading - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure kernel module loading and unloading is collected":
      audit_kernel_module_loading: true

Alternate Config IDs:

  • 4.1.16
  • c4_1_16
  • ensure_kernel_module_loading_and_unloading_is_collected

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.1.17 - Ensure the audit configuration is immutable

Parameters:

  • set_immutable_configuration - [ Boolean ] - Default: true

Supported Profiles & Levels:

  • server, level_2
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure the audit configuration is immutable":
      set_immutable_configuration: true

Alternate Config IDs:

  • 4.1.17
  • c4_1_17
  • ensure_the_audit_configuration_is_immutable

Resource:

  • Class['sce_linux::utils::packages::linux::auditd']

4.2.1.1 - Ensure rsyslog is installed

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 4.2.1.1
  • c4_2_1_1
  • ensure_rsyslog_is_installed

Resource:

  • Class['sce_linux::utils::packages::linux::rsyslog']

4.2.1.2 - Ensure rsyslog Service is enabled and running

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 4.2.1.2
  • c4_2_1_2
  • ensure_rsyslog_service_is_enabled_and_running

Resource:

  • Class['sce_linux::utils::packages::linux::rsyslog']

4.2.1.3 - Ensure rsyslog default file permissions configured

Parameters:

  • filecreatemode - [ Stdlib::FileMode ] - Default: 0640 - Default file creation mode for rsyslog. Also used as the mode for the rsyslog configuration files.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure rsyslog default file permissions configured":
      filecreatemode: "0640"

Alternate Config IDs:

  • 4.2.1.3
  • c4_2_1_3
  • ensure_rsyslog_default_file_permissions_configured

Resource:

  • Class['sce_linux::utils::packages::linux::rsyslog']

4.2.1.4 - Ensure logging is configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 4.2.1.4
  • c4_2_1_4
  • ensure_logging_is_configured

Resource:

  • Class['sce_linux::utils::packages::linux::rsyslog']

4.2.1.5 - Ensure rsyslog is configured to send logs to a remote log host

Parameters:

  • remote_log_host - [ Optional[Variant[Stdlib::IP::Address, String[1], Array[Struct[{service=>String[1], host=>Variant[Stdlib::IP::Address, String[1]]}]]]] ] - Default: undef
  • tcp_port - [ Integer ] - Default: 514 - The port to use for the $InputTCPServerRun option.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure rsyslog is configured to send logs to a remote log host":
      remote_log_host: <<Type Variant[Stdlib::IP::Address, String[1], Array[Struct[{service=>String[1], host=>Variant[Stdlib::IP::Address, String[1]]}]]]>>
      tcp_port: 514

Alternate Config IDs:

  • 4.2.1.5
  • c4_2_1_5
  • ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host

Resource:

  • Class['sce_linux::utils::packages::linux::rsyslog']

4.2.1.6 - Ensure remote rsyslog messages are only accepted on designated log hosts.

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 4.2.1.6
  • c4_2_1_6
  • ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts

Resource:

  • Class['sce_linux::utils::packages::linux::rsyslog']

4.2.2.1 - Ensure journald is configured to send logs to rsyslog

Parameters:

  • forward_to_syslog - [ Optional[Variant[Boolean, Stdlib::Yes_no]] ] - Default: true - If defined, configures option ForwardToSyslog=<yes|no> in the journald config. If a Boolean value is passed, true maps to yes and false maps to no.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure journald is configured to send logs to rsyslog":
      forward_to_syslog: true

Alternate Config IDs:

  • 4.2.2.1
  • c4_2_2_1
  • ensure_journald_is_configured_to_send_logs_to_rsyslog

Resource:

  • Class['sce_linux::utils::services::systemd::journald']

4.2.2.2 - Ensure journald is configured to compress large log files

Parameters:

  • compress_large_files - [ Optional[Variant[Boolean, Stdlib::Yes_no]] ] - Default: true - If defined, configures option Compress=<yes|no> in the journald config. If a Boolean value is passed, true maps to yes and false maps to no.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure journald is configured to compress large log files":
      compress_large_files: true

Alternate Config IDs:

  • 4.2.2.2
  • c4_2_2_2
  • ensure_journald_is_configured_to_compress_large_log_files

Resource:

  • Class['sce_linux::utils::services::systemd::journald']

4.2.2.3 - Ensure journald is configured to write logfiles to persistent disk

Parameters:

  • persistent_storage - [ Optional[Boolean] ] - Default: true - Convenience method to set persistent as the storage option. If true, configures option Storage=persistent in the journald config.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure journald is configured to write logfiles to persistent disk":
      persistent_storage: true

Alternate Config IDs:

  • 4.2.2.3
  • c4_2_2_3
  • ensure_journald_is_configured_to_write_logfiles_to_persistent_disk

Resource:

  • Class['sce_linux::utils::services::systemd::journald']

4.2.3 - Ensure permissions on all logfiles are configured

Parameters:

  • mode - [ Stdlib::Filemode ] - Default: 0640 - The mode to set the log files to.
  • manage_dotfiles - [ Boolean ] - Default: true - Whether or not to manage dotfiles (files whose names start with a .).

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on all logfiles are configured":
      mode: "0640"
      manage_dotfiles: true

Alternate Config IDs:

  • 4.2.3
  • c4_2_3
  • ensure_permissions_on_all_logfiles_are_configured

Resource:

  • Class['sce_linux::utils::chmod_logfiles']

4.2.4 - Ensure logrotate is configured

Parameters:

  • No parameters

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Alternate Config IDs:

  • 4.2.4
  • c4_2_4
  • ensure_logrotate_is_configured

Resource:

  • Class['sce_linux::utils::packages::linux::logrotate']

5.1.1 - Ensure cron daemon is enabled and running

Parameters:

  • manage_package - [ Boolean ] - Default: true - If true, ensures the cron package is installed. See the package_name parameter for more information.
  • manage_service - [ Boolean ] - Default: true - If true, enables and runs the cron daemon with a service resource. See the service_name parameter for more information.
  • cron_allow_path - [ Stdlib::AbsolutePath ] - Default: /etc/cron.allow - The path for the cron.allow file to manage. Only relevant if set_cron_allow_perms is set to true.
  • purge_cron_deny - [ Boolean ] - Default: true - If true, removes (if they exist) /etc/cron.deny and /etc/cron.d/cron.deny.
  • manage_cron_allow - [ Boolean ] - Default: true - If true, creates the cron.allow file specified by the cron_allow_path parameter and enforces 0600 permissions on the file.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure cron daemon is enabled and running":
      manage_package: true
      manage_service: true
      cron_allow_path: "/etc/cron.allow"
      purge_cron_deny: true
      manage_cron_allow: true

Alternate Config IDs:

  • 5.1.1
  • c5_1_1
  • ensure_cron_daemon_is_enabled_and_running

Resource:

  • Class['sce_linux::utils::packages::linux::cron']

5.1.2 - Ensure permissions on /etc/crontab are configured

Parameters:

  • set_crontab_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/crontab.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/crontab are configured":
      set_crontab_perms: true

Alternate Config IDs:

  • 5.1.2
  • c5_1_2
  • ensure_permissions_on_etccrontab_are_configured

Resource:

  • Class['sce_linux::utils::packages::linux::cron']

5.1.3 - Ensure permissions on /etc/cron.hourly are configured

Parameters:

  • set_hourly_cron_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/cron.hourly.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.hourly are configured":
      set_hourly_cron_perms: true

Alternate Config IDs:

  • 5.1.3
  • c5_1_3
  • ensure_permissions_on_etccron_hourly_are_configured

Resource:

  • Class['sce_linux::utils::packages::linux::cron']

5.1.4 - Ensure permissions on /etc/cron.daily are configured

Parameters:

  • set_daily_cron_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/cron.daily.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.daily are configured":
      set_daily_cron_perms: true

Alternate Config IDs:

  • 5.1.4
  • c5_1_4
  • ensure_permissions_on_etccron_daily_are_configured

Resource:

  • Class['sce_linux::utils::packages::linux::cron']

5.1.5 - Ensure permissions on /etc/cron.weekly are configured

Parameters:

  • set_weekly_cron_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/cron.weekly.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.weekly are configured":
      set_weekly_cron_perms: true

Alternate Config IDs:

  • 5.1.5
  • c5_1_5
  • ensure_permissions_on_etccron_weekly_are_configured

Resource:

  • Class['sce_linux::utils::packages::linux::cron']

5.1.6 - Ensure permissions on /etc/cron.monthly are configured

Parameters:

  • set_monthly_cron_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/cron.monthly.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example:

sce_linux::config:
  control_configs:
    "Ensure permissions on /etc/cron.monthly are configured":
      set_monthly_cron_perms: true

Alternate Config IDs:

  • 5.1.6
  • c5_1_6
  • ensure_permissions_on_etccron_monthly_are_configured

Resource:

  • Class['sce_linux::utils::packages::linux::cron']

5.1.7 - Ensure permissions on /etc/cron.d are configured

Parameters:

  • set_cron_d_perms - [ Boolean ] - Default: true - If true, enforces permissions on /etc/cron.d.

Supported Profiles & Levels:

  • server, level_1
  • server, level_2
  • workstation, level_1
  • workstation, level_2

Hiera Configuration Example: