secc_os_linux

This module provides partial coverage of the SoC requirements for operating systems under Linux.

T-Systems Multimedia Solutions GmbH

tsystemsmms

Version information

  • 2.0.0 (latest), released Oct 4th 2020
  • 1.9.0

This version is compatible with:
  • Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 5.0.0
  • RedHat, CentOS

Tags: os, linux, security

Documentation

tsystemsmms/secc_os_linux — version 2.0.0 Oct 4th 2020

SecC OS Linux Module

Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Overview

This module provides partial coverage of the SoC requirements for Linux.

Module Description

This module adjusts kernel settings in /etc/sysctl.conf, manages services and uninstalls unneeded packages. It also manages files relevant for user authentication, including /etc/login.defs and /etc/pam.d/system-auth.

Requirement - Coverage

  • SoC Requirements 3.01-1, 3.01-3, 3.37-7 are covered in packages.pp and services.pp
  • SoC Requirements 3.21-1, 3.21-3, 3.21-5, 3.37-6, 3.37-10, 3.37-11, 3.37-12 are covered via kernel.pp (/etc/sysctl.conf)
  • SoC Requirement 3.21-4 is partially covered in secc_sshd and with this module
  • SoC Requirements 3.01-23, 3.01-24, 3.01-25 are covered via password.pp, login_defs.pp (password policies - /etc/login.defs and /etc/pam.d/*) and profile.pp
  • SoC Requirement 3.21-10 is covered in profile.pp

Parts

  • audit.pp configures rudimentary logging of bash activities
    • logging can be redirected via syslog to an external server (facility: local6)
  • inputrc.pp configures bash history search (ctrl+r)
  • kernel.pp manages /etc/sysctl.conf with mostly network relevant settings
  • login_defs.pp controls default umask, encryption modes and password min age
  • logrotate.pp adds rotation for bash_history
  • modules.pp blacklists some problematic kernel modules
  • mounts.pp controls mount points and sets sensible mount options
  • packages.pp uninstalls unneeded software
  • password.pp configures password policy (1 special character, upper and lower case letters, and at least one digit, minimum size of 10 chars)
  • profile.pp controls default umask
    • can be parametrized, but this breaks SoC compliance
  • rootsh.pp provides logging of all root activities via rootsh (slight duplication of the audit logging)
  • services.pp manages the state of default services
  • syslog.pp configures logging of:
    • authpriv /var/log/secure
    • local6 /var/log/bash_history (bash audit)
  • users_group.pp deletes unneeded groups and user accounts

Usage

  • the package logrotate has to be installed manually
  • Configuration of mount points can be deactivated
    • Example:
      secc_os_linux::secure_mountpoint_tmp: false
      secc_os_linux::secure_mountpoint_var: false
      secc_os_linux::secure_mountpoint_var_tmp: false
      secc_os_linux::secure_mountpoint_home: false
  • Parameters for mount points can be tuned on a per partition basis
    • Example:
      secc_os_linux::mount_options_tmp: 'defaults,noexec,nodev,nosuid'
      secc_os_linux::mount_options_var: 'defaults,noexec,nodev,nosuid'
      secc_os_linux::mount_options_home: 'defaults,nodev'
      secc_os_linux::mount_options_var_tmp: 'bind'
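The mount options above only harden a host if they are actually in effect after a Puppet run. The following script is an added example, not part of the secc_os_linux module: it reads a mount table in /proc/mounts format and checks each mount point against the option string given to the corresponding mount_options_* parameter. The sample mount table is constructed; `defaults` and `bind` are skipped because they never appear in /proc/mounts.

```sh
#!/bin/sh
# Added example, not part of the secc_os_linux module: verify that the mount
# options requested via secc_os_linux::mount_options_* are in effect, using
# /proc/mounts-format data read from stdin.

# check_mount_opts MOUNTPOINT REQUIRED_OPTS   (mount table on stdin)
# REQUIRED_OPTS is comma separated, as in the module's parameters. "defaults"
# and "bind" never show up in /proc/mounts and are therefore not checked.
# Returns 0 when every required option is present, 1 when one is missing or
# the mount point is not a separate mount at all.
check_mount_opts() {
    mountpoint=$1; required=$2
    actual=$(awk -v mp="$mountpoint" '$2 == mp { print $4; exit }')
    if [ -z "$actual" ]; then
        echo "MISSING  $mountpoint is not a separate mount"
        return 1
    fi
    rc=0
    for opt in $(printf '%s' "$required" | tr ',' ' '); do
        case "$opt" in defaults|bind) continue ;; esac
        case ",$actual," in
            *",$opt,"*) ;;
            *) echo "FAIL     $mountpoint lacks $opt (has: $actual)"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK       $mountpoint ($actual)"
    return "$rc"
}

# Constructed sample in /proc/mounts format (not taken from a real host):
# /var is missing noexec and /var/tmp is not mounted separately.
SAMPLE_MOUNTS='/dev/mapper/vg-root / xfs rw,relatime,attr2 0 0
/dev/mapper/vg-tmp /tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-var /var xfs rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-home /home xfs rw,nodev,relatime 0 0'

# Expected options are the values from the Usage section. On a real host
# feed the function with: check_mount_opts /tmp '...' < /proc/mounts
status=0
for spec in '/tmp:defaults,noexec,nodev,nosuid' \
            '/var:defaults,noexec,nodev,nosuid' \
            '/home:defaults,nodev' \
            '/var/tmp:bind'; do
    printf '%s\n' "$SAMPLE_MOUNTS" \
        | check_mount_opts "${spec%%:*}" "${spec#*:}" || status=1
done
# status is 1 for the sample: /var lacks noexec and /var/tmp is not mounted.
```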

Reference

Limitations

  • This module was tested with CentOS6 and CentOS7