Puppet Class: secure_linux_cis

Defined in:: manifests/init.pp

Summary

CIS Red Hat Enterprise Linux 7 Benchmark

Overview

Examples:

include secure_linux_cis

Parameters:

include_rules (Array[String]) (defaults to: []) —

Which rules to include
exclude_rules (Array[String]) (defaults to: []) —

Which rules to exclude
exclude_x_window_packages (Optional[Array[String]]) (defaults to: undef) —

Which X window packages to exclude from removal
grub_config_files (Array[String]) —

Grub configuration
aide_command (String) —

Command used to invoke aide
su_group (String) —

The default group for sudo rights
time_servers (Array[Stdlib::Host]) —

Array of valid NTP Time servers
logging (Enum['rsyslog', 'syslog-ng', 'none']) (defaults to: 'rsyslog') —

How logging is done
logging_host (String) (defaults to: '') —

Which host should logging be sent to
exclude_logs (Array[Stdlib::Unixpath]) (defaults to: []) —

What logs files to exclude from management
is_logging_host (Boolean) (defaults to: false) —

Is this host a logging host
max_log_file (Integer) (defaults to: 32) —

Maximum log file
max_auth_tries (Integer[1,4]) (defaults to: 4) —

How many authorization attempts to allow
max_sessions (Integer[1,10]) (defaults to: 4) —

How many SSH sessions to allow
max_startups (String) (defaults to: '10:30:60') —

How many SSH startups to allow
time_sync (Enum['ntp', 'chrony', 'none']) (defaults to: 'ntp') —

Which NTP program to use
mta (Enum['postfix', 'exim', 'none']) (defaults to: 'postfix') —

Which Mail Transfer program to use
mac (Enum['selinux', 'apparmor', 'none']) (defaults to: 'selinux') —

Which Mandatory Access Control to use
firewall (Enum['nftables','iptables']) (defaults to: 'iptables') —

Which Firewall provider to use
ipv6_enabled (Boolean) (defaults to: false) —

Should ipv6 be enabled
approved_ciphers (Array[String]) (defaults to: [ 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', ]) —

Which SSH Ciphers are approved for use
approved_kex (Array[String]) —

Which SSH Key Exchange algorithms are approved for use.
approved_mac_algorithms (Array[String]) —

Which SSH MAC algorigthms are approved for use
client_alive_interval (Integer) (defaults to: 300) —

Client alive interval to use
client_alive_count_max (Integer[0,3]) (defaults to: 0) —

Maximum specificed client alive count
login_grace_time (Integer) (defaults to: 60) —

Login grace time
allow_users (Array[String]) (defaults to: []) —

Which users to allow
allow_groups (Array[String]) (defaults to: []) —

Which groups to allow
deny_users (Array[String]) (defaults to: []) —

Which users to deny
deny_groups (Array[String]) (defaults to: []) —

Which groups to deny
minlen (Integer) (defaults to: 14) —

Minimum length
dcredit (Integer) (defaults to: -1) —

D Credit
ucredit (Integer) (defaults to: -1) —

U Credit
ocredit (Integer) (defaults to: -1) —

O Credit
lcredit (Integer) (defaults to: -1) —

L Credit
attempts (Integer) (defaults to: 5) —

Number of attempts
lockout_time (Integer) (defaults to: 900) —

Amount of time for lockout
past_passwords (Integer) (defaults to: 5) —

Number of previous passwords
pass_max_days (Integer) (defaults to: 90) —

Password maximum days
pass_min_days (Integer) (defaults to: 7) —

Password minimum days
pass_warn_days (Integer) (defaults to: 7) —

Password warning days
pass_inactive_days (Integer) (defaults to: 30) —

Password inactive days
timeout (Integer) (defaults to: 600) —

Number of seconds of inactivity after which a shell terminates.
repolist (Array) (defaults to: ['updates/7/x86_64','rhel-7-server-rpms/7Server/x86_64']) —

List of acceptable software repos
banner (Optional[String]) (defaults to: undef) —

Optional string to be content of /etc/issue, /etc/issue.net (and /etc/motd if $motd not defined)
motd (Optional[String]) (defaults to: undef) —

Optional string to be content of /etc/motd. If $banner is defined and $motd is not, $banner becomes content of /etc/motd
auto_restart (Boolean) (defaults to: false) —

If an automatic restart should occur when defined classes require a reboot to take effect
grub_username (String) (defaults to: root) —

Account name to authenticate against - defaults to root
grub_pbkdf2_password_hash (Optional[String]) (defaults to: undef) —

String with value of pwssword in GRUB PBKDF2 format
schedule —

If you want to change when this runs use a scheduler
nologin_whitelist (Array[String]) (defaults to: []) —

Array of accounts to allow login shell other than nologin
host_allow_rules (Array[String])
host_deny_rules (Array[String])
update_command (String)
tcp_wrappers_package (Enum['tcp_wrappers', 'tcpd', 'none'])
auditd_package (Enum['audit', 'auditd', 'none'])
samba_service (Enum['smbd', 'smb', 'none'])
cron_service (Enum['cron', 'crond', 'none'])
hardening_schedule (Struct[ { Optional[period] => Enum['hourly', 'daily', 'weekly', 'monthly', 'never'], Optional[periodmatch] => Enum['number', 'distance'], Optional[range] => String[1], Optional[repeat] => Integer, Optional[weekday] => Variant[Array, String[1]], } ])
profile_type (Enum['workstation', 'server']) (defaults to: 'server')
enforcement_level (Enum['1', '2']) (defaults to: '1')
default_firewalld_zone (Enum['drop', 'block', 'public', 'external', 'dmz', 'work', 'home', 'internal', 'trusted']) (defaults to: 'drop')
workstation_level_1 (Array[String]) (defaults to: [])
workstation_level_2 (Array[String]) (defaults to: [])
server_level_1 (Array[String]) (defaults to: [])
server_level_2 (Array[String]) (defaults to: [])
selinux_mode (Enum['enforcing', 'permissive']) (defaults to: 'enforcing')

# File 'manifests/init.pp', line 59

class secure_linux_cis (
  Array[String]                           $grub_config_files,
  Array[String]                           $host_allow_rules,
  Array[String]                           $host_deny_rules,
  String                                  $aide_command,
  String                                  $su_group,
  String                                  $update_command,
  Enum['tcp_wrappers', 'tcpd', 'none']    $tcp_wrappers_package,
  Enum['audit', 'auditd', 'none']         $auditd_package,
  Enum['smbd', 'smb', 'none']             $samba_service,
  Enum['cron', 'crond', 'none']           $cron_service,
  Array[Stdlib::Host]                     $time_servers,
  Array[String]                           $approved_kex,
  Array[String]                           $approved_mac_algorithms,
  Struct[
    {
      Optional[period]      => Enum['hourly', 'daily', 'weekly', 'monthly', 'never'],
      Optional[periodmatch] => Enum['number', 'distance'],
      Optional[range]       => String[1],
      Optional[repeat]      => Integer,
      Optional[weekday]     => Variant[Array, String[1]],
    }
  ]                                       $hardening_schedule,
  Enum['workstation', 'server']           $profile_type       = 'server',
  Enum['1', '2']                          $enforcement_level = '1',
  Enum['drop', 'block', 'public', 'external', 'dmz', 'work', 'home', 'internal', 'trusted'] $default_firewalld_zone = 'drop',
  Array[String]                           $include_rules           = [],
  Array[String]                           $exclude_rules           = [],
  Optional[Array[String]]                 $exclude_x_window_packages = undef,
  Array[String]                           $workstation_level_1     = [],
  Array[String]                           $workstation_level_2     = [],
  Array[String]                           $server_level_1          = [],
  Array[String]                           $server_level_2          = [],
  Boolean                                 $auto_restart            = false,
  String                                  $grub_username           = root,
  Optional[String]                        $grub_pbkdf2_password_hash = undef,
  Enum['rsyslog', 'syslog-ng', 'none']    $logging                 = 'rsyslog',
  String                                  $logging_host            = '',  #lint:ignore:empty_string_assignment
  Boolean                                 $is_logging_host         = false,
  Array[Stdlib::Unixpath]                 $exclude_logs            = [],
  Integer                                 $max_log_file            = 32,
  Integer[1,4]                            $max_auth_tries          = 4,
  Integer[1,10]                           $max_sessions            = 4,
  String                                  $max_startups            = '10:30:60',
  Enum['ntp', 'chrony', 'none']           $time_sync               = 'ntp',
  Enum['postfix', 'exim', 'none']         $mta                     = 'postfix',
  Enum['selinux', 'apparmor', 'none']     $mac                     = 'selinux',
  Enum['enforcing', 'permissive']         $selinux_mode            = 'enforcing',
  Enum['nftables','iptables']             $firewall                = 'iptables',
  Boolean                                 $ipv6_enabled            = false,
  Array[String]                           $approved_ciphers        = [
    'aes256-gcm@openssh.com',
    'aes128-gcm@openssh.com',
    'aes128-ctr',
    'aes192-ctr',
    'aes256-ctr',
  ],
  Integer                                 $client_alive_interval   = 300, # must be between 1 and 300
  Integer[0,3]                            $client_alive_count_max  = 0,
  Integer                                 $login_grace_time        = 60,
  Array[String]                           $allow_users             = [],
  Array[String]                           $allow_groups            = [],
  Array[String]                           $deny_users              = [],
  Array[String]                           $deny_groups             = [],
  Integer                                 $minlen                  = 14,
  Integer                                 $dcredit                 = -1,
  Integer                                 $ucredit                 = -1,
  Integer                                 $ocredit                 = -1,
  Integer                                 $lcredit                 = -1,
  Integer                                 $attempts                = 5,
  Integer                                 $lockout_time            = 900,
  Integer                                 $past_passwords          = 5,
  Integer                                 $pass_max_days           = 90,
  Integer                                 $pass_min_days           = 7,
  Integer                                 $pass_warn_days          = 7,
  Integer                                 $pass_inactive_days      = 30,
  Integer                                 $timeout                 = 600,
  Array                                   $repolist                = ['updates/7/x86_64','rhel-7-server-rpms/7Server/x86_64'],
  Optional[String]                        $banner                  = undef,
  Optional[String]                        $motd                    = undef,
  Array[String]                           $nologin_whitelist       = [],
) {
  schedule { 'harden_schedule':
    period      => $hardening_schedule['period'],
    periodmatch => $hardening_schedule['periodmatch'],
    range       => $hardening_schedule['range'],
    repeat      => $hardening_schedule['repeat'],
    weekday     => $hardening_schedule['weekday'],
  }

  $base_rules = $profile_type ? {
    'workstation' => $enforcement_level ? {
      '1' => $workstation_level_1,
      '2' => $workstation_level_2,
    },
    'server' => $enforcement_level ? {
      '1' => $server_level_1,
      '2' => $server_level_2,
    }
  }

  # Filesystem disable configuration file
  @file { '/etc/modprobe.d/filesystem_disable.conf':
    ensure => file,
  }
  # Storage disable configuration file
  @file { '/etc/modprobe.d/storage_disable.conf':
    ensure => file,
  }

  # Build rules to enforce
  $enforced_rules = $base_rules.map | String $line | {
    "secure_linux_cis::rules::${line}"
  } # + $include_rules - $exclude_rules

  file { '/usr/share/cis_scripts':
    ensure   => directory,
  }

  file { '/usr/share/cis_scripts/enforced_rules.txt':
    ensure  => file,
    content => $enforced_rules.join("\n"),
  }

  include $enforced_rules
  include secure_linux_cis::reboot
}