
secc_os_linux

This module provides partial coverage of the SoC requirements for operating systems under Linux.

13,611 downloads (1,115 of the latest version)

Quality score: 4.2


Version information

  • 2.0.0 (latest), released Oct 4th 2020
  • 1.9.0

Version 2.0.0 is compatible with:
  • Puppet Enterprise 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
  • Puppet >= 4.0.0 < 5.0.0
This module has been deprecated by its author since Jun 22nd 2021.

The author has suggested hardening-os_hardening as its replacement.


Tags: os, security, linux

Documentation

tsystemsmms/secc_os_linux — version 2.0.0 Oct 4th 2020

SecC OS Linux Module


Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Overview

This module provides partial coverage of the SoC requirements for Linux.

Module Description

This module adjusts kernel settings in /etc/sysctl.conf, manages services, and uninstalls unneeded packages. It also manages files relevant for user authentication, including /etc/login.defs and /etc/pam.d/system-auth.

Requirement - Coverage

  • SoC Requirements 3.01-1, 3.01-3, 3.37-7 are covered in packages.pp and services.pp
  • SoC Requirements 3.21-1, 3.21-3, 3.21-5, 3.37-6, 3.37-10, 3.37-11, 3.37-12 are covered via kernel.pp (/etc/sysctl.conf)
  • SoC Requirement 3.21-4 is partially covered in secc_sshd and in this module
  • SoC Requirements 3.01-23, 3.01-24, 3.01-25 are covered via password.pp, login_defs.pp (password policies - /etc/login.defs and /etc/pam.d/*) and profile.pp
  • SoC Requirement 3.21-10 is covered in profile.pp

Parts

  • audit.pp configures rudimentary logging of bash activities
    • logging can be redirected via syslog to an external server (facility: local6)
  • inputrc.pp configures bash history search (ctrl+r)
  • kernel.pp manages /etc/sysctl.conf with mostly network relevant settings
  • login_defs.pp controls default umask, encryption modes and password min age
  • logrotate.pp adds rotation for bash_history
  • modules.pp blacklists some problematic kernel modules
  • mounts.pp controls mount points and sets sensible mount options
  • packages.pp uninstalls unneeded software
  • password.pp configures password policy (1 special character, upper and lower case letters, and at least one digit, minimum size of 10 chars)
  • profile.pp controls default umask
    • can be parametrized, but this breaks SoC compliance
  • rootsh.pp provides logging of all root activities via rootsh (slight duplication with audit logging)
  • services.pp manages the state of default services
  • syslog.pp configures logging of:
    • authpriv to /var/log/secure
    • local6 to /var/log/bash_history (bash audit)
  • users_group.pp deletes unneeded groups and user accounts

Usage

  • The package logrotate has to be installed manually.
  • Configuration of mount points can be deactivated per mount point.
    • Example:
      secc_os_linux::secure_mountpoint_tmp: false
      secc_os_linux::secure_mountpoint_var: false
      secc_os_linux::secure_mountpoint_var_tmp: false
      secc_os_linux::secure_mountpoint_home: false
  • Mount options can be tuned on a per-partition basis.
    • Example:
      secc_os_linux::mount_options_tmp: 'defaults,noexec,nodev,nosuid'
      secc_os_linux::mount_options_var: 'defaults,noexec,nodev,nosuid'
      secc_os_linux::mount_options_home: 'defaults,nodev'
      secc_os_linux::mount_options_var_tmp: 'bind'
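A check for the mount options shown above, added here as an example and not code from the secc_os_linux module: it parses /proc/mounts-style lines (a constructed sample is embedded so it runs offline) and reports which expected flags each managed mount point lacks, or that the mount point is missing. The expected option strings are the ones from the Usage example; treating the 'bind' entry for /var/tmp as "must carry /tmp's flags" is an assumption.

```python
from __future__ import annotations

# Option strings taken from the Usage section of the module README.
EXPECTED = {
    "/tmp": "defaults,noexec,nodev,nosuid",
    "/var": "defaults,noexec,nodev,nosuid",
    "/home": "defaults,nodev",
    "/var/tmp": "bind",
}

# Constructed /proc/mounts sample: /var lacks noexec, the /var/tmp bind mount
# only shows nodev, and /home is not mounted separately at all.
SAMPLE_PROC_MOUNTS = """\
/dev/mapper/vg-tmp /tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-var /var xfs rw,nosuid,nodev,relatime 0 0
/dev/mapper/vg-tmp /var/tmp xfs rw,nodev,relatime 0 0
"""

def parse_proc_mounts(text: str) -> dict[str, set[str]]:
    """Map mount point -> set of options (fields 2 and 4 of each line)."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        # The kernel escapes spaces in paths as \040; undo that before matching.
        mounts[fields[1].replace("\\040", " ")] = set(fields[3].split(","))
    return mounts

def required_flags(expected: dict[str, str]) -> dict[str, set[str]]:
    """Flags that must appear per mount point; 'defaults' is not a real flag."""
    required = {}
    for mountpoint, opts in expected.items():
        flags = set(opts.split(",")) - {"defaults"}
        if "bind" in flags:
            # Assumption: the bind source is /tmp, so the bind mount must show
            # /tmp's hardening flags; "bind" itself never appears in /proc/mounts.
            flags = set(expected["/tmp"].split(",")) - {"defaults"}
        required[mountpoint] = flags
    return required

def missing_mount_options(proc_mounts: str, expected: dict[str, str]) -> dict:
    """Return {mountpoint: missing flags}; None means the mount point is absent."""
    mounts = parse_proc_mounts(proc_mounts)
    return {mp: (flags - mounts[mp] if mp in mounts else None)
            for mp, flags in required_flags(expected).items()}

if __name__ == "__main__":
    for mp, missing in missing_mount_options(SAMPLE_PROC_MOUNTS, EXPECTED).items():
        print(mp, "not mounted" if missing is None else (sorted(missing) or "ok"))
```

On a real host, pass the contents of /proc/mounts instead of the sample and feed the hiera values actually deployed as the expected map.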

Reference

Limitations

  • This module was tested with CentOS 6 and CentOS 7