## Description

Define a complete security baseline and monitor the baseline's rules. The definition of the baseline should be done in Hiera. The purpose of the module is to give you the ability to set up a complete security baseline which does not necessarily have to stick to industry security guides like the CIS benchmarks.

The cis_security_hardening module does not use benchmark numbers for the class names of the rules. These numbers change from OS version to OS version and even from benchmark version to benchmark version. One main purpose is to ensure this module can be extended with further security settings and monitoring without changing the code of this module. Therefore the module uses a generic interface to call classes implementing particular security baseline rules.

This module also has the ability to create compliance reports. The reports can be created as a Puppet fact uploaded to the Puppet Master or as a CSV file which remains on the servers for later collection.

## Security baseline

A security baseline describes how servers in your environment are set up with a secure configuration. The baseline may be different for each server class, like database servers, application servers or web servers.

A security baseline can be based on a CIS benchmark but can include more rules specific to your environment. Depending on the server class, not all rules of a CIS benchmark will be used. Sometimes the benchmarks contain different ways to achieve a goal, e.g. with RedHat 8 you can use firewalld, iptables or nftables to set up a firewall. It makes no sense to have all of them running in parallel, so it is your task to define a security baseline which states which tool and which settings to use.

For this module, level 1 and level 2 server tests from the CIS benchmarks below are taken into account. For the STIG benchmarks there is a third level, stig, available, as STIG benchmarks are stricter than level 2.

The code of this security hardening module is based on the following CIS Benchmarks:

- CIS Red Hat Enterprise Linux 7 STIG Benchmark
- CIS Red Hat Enterprise Linux 8 STIG Benchmark
- CIS Ubuntu Linux 20.04 LTS STIG Benchmark

The benchmarks can be found at the CIS Benchmarks website.

It is highly recommended to have the complete security baseline definition written in Hiera. This enables you to have different security baselines for groups of servers, environments or even single special servers.

The cis_security_hardening module has a parameter enforce for each rule. If this parameter is set to true, all necessary changes are made to make a server compliant with the security baseline rules. This can have severe impact on the machines, especially if security settings are defined in a wrong way. Please test your settings before rolling out to production environments.

## Setup

The base directory /usr/share/cis_security_hardening is created by the module during the first run. Under the base directory there is a directory bin where all scripts for gathering information are located.

This module creates a larger fact cis_security_hardening holding all information required for applying the rules. Some of this data is collected with cron jobs once a day, as collecting it is expensive and time consuming depending on the server size and these jobs might run for a long time (e.g. searching filesystems for s-bit programs).

The cis_security_hardening module needs several other Puppet modules. These modules are defined in the metadata.json file and are all available at Puppet Forge.

## Usage

The easiest way to use the security baseline module is to declare the class (or simply `include cis_security_hardening`):

```puppet
class { 'cis_security_hardening': }
```

The data folder contains files named *_param.yaml which contain all configurable options for each benchmark. An example Hiera configuration:

```yaml
cis_security_hardening::time_until_reboot: 60
cis_security_hardening::exclude_dirs_sticky_ww:
cis_security_hardening::update_postrun_command: true
cis_security_hardening::fact_upload_command: "/usr/share/cis_security_hardening/bin/fact_upload.sh"
cis_security_hardening::auditd_dirs_to_include:
cis_security_hardening::verbose_logging: false
cis_security_hardening::rules::cramfs::enforce: true
cis_security_hardening::rules::squashfs::enforce: true
cis_security_hardening::rules::fat::enforce: false
cis_security_hardening::rules::udf::enforce: true
```

## Reference

You can also look into the reference documentation.

Currently the module is tested with RedHat 7, 8, CentOS 7, 8, AlmaLinux 8, Rocky Linux 8, SUSE SLES 12, Debian 10, Ubuntu 18.04 and Ubuntu 20.04. Other OSes may work, but there is no guarantee.
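The per-server-class baselines the README recommends can be expressed as a layered Hiera hierarchy. This is an added example, not the module's own data: it assumes an environment-level hiera.yaml, a `role` fact that your ENC or a custom fact sets, and uses only the module keys shown on this page; the role names and the EFI scenario are constructed.

```yaml
# hiera.yaml in the environment (assumed layout; the "role" fact is a
# constructed example that your ENC or a custom fact has to provide)
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Single special servers"
    path: "nodes/%{trusted.certname}.yaml"
  - name: "Server class"
    path: "roles/%{facts.role}.yaml"
  - name: "Common baseline"
    path: "common.yaml"

# data/common.yaml: the strict default every server gets.
# Class parameters use first-found lookup, so a key set in a role or
# node file higher in the hierarchy wins over the value here.
---
cis_security_hardening::verbose_logging: false
cis_security_hardening::update_postrun_command: true
cis_security_hardening::fact_upload_command: "/usr/share/cis_security_hardening/bin/fact_upload.sh"
cis_security_hardening::rules::cramfs::enforce: true
cis_security_hardening::rules::squashfs::enforce: true
cis_security_hardening::rules::udf::enforce: true
cis_security_hardening::rules::fat::enforce: true

# data/roles/efi_webserver.yaml (constructed role): a server class that
# boots from an EFI system partition and therefore needs the vfat module.
# Only the fat rule is relaxed; everything else is inherited from common.yaml.
---
cis_security_hardening::rules::fat::enforce: false

# data/roles/staging.yaml (constructed role): the group where a new
# baseline is exercised before production rollout, with verbose logging
# so the applied changes can be reviewed.
---
cis_security_hardening::verbose_logging: true
cis_security_hardening::time_until_reboot: 60
```

A node in the staging role thus keeps every enforce flag from common.yaml, while an efi_webserver node differs from the default in exactly one rule, which keeps the deviation from the baseline visible and reviewable.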