REFERENCE.md

File metadata and controls

1484 lines (1032 loc) · 76.9 KB

Reference

Table of Contents

Classes

Public Classes

Private Classes

  • cis_security_hardening::rules::abrt: Ensure automated bug reporting tools are not installed
  • cis_security_hardening::rules::adm_crypt_style: Ensure user and group account administration utilities are configured to store only encrypted representations of passwords
  • cis_security_hardening::rules::aide_audit_integrity: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)
  • cis_security_hardening::rules::aide_installed: Ensure AIDE is installed
  • cis_security_hardening::rules::aide_notify_admins: Ensure System Administrators are notified of changes to the baseline configuration or anomalies
  • cis_security_hardening::rules::aide_regular_checks: Ensure filesystem integrity is regularly checked
  • cis_security_hardening::rules::apparmor: Ensure AppArmor is installed
  • cis_security_hardening::rules::apparmor_bootloader: Ensure AppArmor is enabled in the bootloader configuration
  • cis_security_hardening::rules::apparmor_profiles: Ensure all AppArmor Profiles are enforcing
  • cis_security_hardening::rules::apparmor_profiles_enforcing: Ensure all AppArmor Profiles are in enforce or complain mode
  • cis_security_hardening::rules::apt_unused: Ensure the Advanced Package Tool removes all software components after updated versions have been installed
  • cis_security_hardening::rules::at_restrict: Ensure at is restricted to authorized users
  • cis_security_hardening::rules::auditd_access: Ensure unsuccessful unauthorized file access attempts are collected
  • cis_security_hardening::rules::auditd_actions: Ensure system administrator actions (sudolog) are collected
  • cis_security_hardening::rules::auditd_apparmor_parser_use: Ensure successful and unsuccessful attempts to use the apparmor_parser command are recorded
  • cis_security_hardening::rules::auditd_backlog_limit: Ensure audit_backlog_limit is sufficient
  • cis_security_hardening::rules::auditd_chacl_use: Ensure successful and unsuccessful attempts to use the chacl command are recorded
  • cis_security_hardening::rules::auditd_chage_use: Ensure successful and unsuccessful attempts to use the chage command are recorded
  • cis_security_hardening::rules::auditd_chcon_use: Ensure successful and unsuccessful attempts to use the chcon command are recorded
  • cis_security_hardening::rules::auditd_chfn_use: Ensure successful and unsuccessful uses of the chfn command are collected
  • cis_security_hardening::rules::auditd_chsh_use: Ensure successful and unsuccessful attempts to use the chsh command are recorded
  • cis_security_hardening::rules::auditd_conf_perms: Ensure audit configuration files are 0640 or more restrictive and configure user and group
  • cis_security_hardening::rules::auditd_crontab_use: Ensure successful and unsuccessful attempts to use the crontab command are recorded
  • cis_security_hardening::rules::auditd_delete: Ensure file deletion events by users are collected
  • cis_security_hardening::rules::auditd_delete_module: Ensure the operating system generates an audit record when there are successful/unsuccessful attempts to use the "delete_module" command
  • cis_security_hardening::rules::auditd_disk_error: Ensure the operating system takes the appropriate action when an audit processing failure occurs
  • cis_security_hardening::rules::auditd_failure_processing: Ensure the auditing processing failures are handled.
  • cis_security_hardening::rules::auditd_fdisk_use: Ensure successful and unsuccessful attempts to use the fdisk command are recorded
  • cis_security_hardening::rules::auditd_finit_module_use: Ensure successful and unsuccessful uses of the finit_module syscall are recorded
  • cis_security_hardening::rules::auditd_fremovexattr_use: Ensure successful and unsuccessful attempts to use the fremovexattr system call are recorded
  • cis_security_hardening::rules::auditd_fsetxattr_use: Ensure successful and unsuccessful attempts to use the fsetxattr system call are recorded
  • cis_security_hardening::rules::auditd_gpasswd_use: Ensure successful and unsuccessful attempts to use the gpasswd command are recorded
  • cis_security_hardening::rules::auditd_identity: Ensure events that modify user/group information are collected
  • cis_security_hardening::rules::auditd_immutable: Ensure the audit configuration is immutable
  • cis_security_hardening::rules::auditd_init: Initialize auditd rules file
  • cis_security_hardening::rules::auditd_init_module: Ensure the operating system generates an audit record when there are successful/unsuccessful attempts to use the "init_module" command
  • cis_security_hardening::rules::auditd_kernel_modules: Ensure kernel module loading, unloading and modification is collected
  • cis_security_hardening::rules::auditd_kmod_use: Ensure successful and unsuccessful attempts to use the kmod command are recorded
  • cis_security_hardening::rules::auditd_local_events: Ensure the operating system's audit daemon is configured to include local events
  • cis_security_hardening::rules::auditd_log_config: Ensure only authorized groups are assigned ownership of audit log files (Automated)
  • cis_security_hardening::rules::auditd_log_dir_perms: Ensure the audit log directory is 0750 or more restrictive
  • cis_security_hardening::rules::auditd_log_format: Ensure the operating system's audit daemon is configured to resolve audit information before writing to disk
  • cis_security_hardening::rules::auditd_log_perms: Ensure audit log files are not read or write-accessible by unauthorized users
  • cis_security_hardening::rules::auditd_logins: Ensure login and logout events are collected
  • cis_security_hardening::rules::auditd_loginuid_immutable: Ensure the audit system prevents unauthorized changes to logon UIDs
  • cis_security_hardening::rules::auditd_lremovexattr_use: Ensure successful and unsuccessful attempts to use the lremovexattr system call are recorded
  • cis_security_hardening::rules::auditd_lsetxattr_use: Ensure successful and unsuccessful attempts to use the lsetxattr system call are recorded
  • cis_security_hardening::rules::auditd_mac_policy: Ensure events that modify the system's Mandatory Access Controls are collected
  • cis_security_hardening::rules::auditd_max_log_file: Ensure audit log storage size is configured
  • cis_security_hardening::rules::auditd_max_log_file_action: Ensure audit logs are not automatically deleted
  • cis_security_hardening::rules::auditd_modules: Ensure kernel module loading and unloading is collected
  • cis_security_hardening::rules::auditd_mounts: Ensure successful file system mounts are collected
  • cis_security_hardening::rules::auditd_newgrp_use: Ensure successful and unsuccessful attempts to use the newgrp command are recorded
  • cis_security_hardening::rules::auditd_nonlocal_admin_access: Ensure nonlocal administrative access events are collected
  • cis_security_hardening::rules::auditd_open_by_handle_use: Ensure successful and unsuccessful uses of the open_by_handle_at system call are recorded
  • cis_security_hardening::rules::auditd_overflow_action: Ensure action is taken when audisp-remote buffer is full
  • cis_security_hardening::rules::auditd_package: Ensure auditd is installed
  • cis_security_hardening::rules::auditd_pam_timestamp_check_use: Ensure successful and unsuccessful attempts to use the pam_timestamp_check command are recorded
  • cis_security_hardening::rules::auditd_passwd_use: Ensure successful and unsuccessful attempts to use the passwd command are recorded
  • cis_security_hardening::rules::auditd_perm_mod: Ensure discretionary access control permission modification events are collected
  • cis_security_hardening::rules::auditd_postdrop: Ensure audit of postdrop command
  • cis_security_hardening::rules::auditd_postqueue: Ensure audit of postqueue command.
  • cis_security_hardening::rules::auditd_privileged_commands: Ensure use of privileged commands is collected
  • cis_security_hardening::rules::auditd_privileged_functions_use: Ensure execution of privileged functions is recorded
  • cis_security_hardening::rules::auditd_privileged_priv_change: Ensure successful and unsuccessful uses of the su command are collected
  • cis_security_hardening::rules::auditd_process: Ensure auditing for processes that start prior to auditd is enabled
  • cis_security_hardening::rules::auditd_remote: Ensure audit event multiplexor is configured to off-load audit logs onto a different system or storage media from the system being audited
  • cis_security_hardening::rules::auditd_remote_conf: Ensure off-load of audit logs.
  • cis_security_hardening::rules::auditd_remote_encrypt: Ensure audit logs on separate system are encrypted
  • cis_security_hardening::rules::auditd_remote_labeled: Ensure off-loaded audit logs are labeled.
  • cis_security_hardening::rules::auditd_removexattr_use: Ensure successful and unsuccessful attempts to use the removexattr system call are recorded
  • cis_security_hardening::rules::auditd_rmdir: Ensure audit of the rmdir syscall
  • cis_security_hardening::rules::auditd_rsyslog_gnutls: Ensure the operating system has the packages required for encrypting offloaded audit logs
  • cis_security_hardening::rules::auditd_scope: Ensure changes to system administration scope (sudoers) are collected
  • cis_security_hardening::rules::auditd_semanage: Ensure audit of semanage command
  • cis_security_hardening::rules::auditd_sending_errors: Ensure audit system action is defined for sending errors
  • cis_security_hardening::rules::auditd_service: Ensure auditd service is enabled
  • cis_security_hardening::rules::auditd_session_logins: Ensure session initiation information is collected
  • cis_security_hardening::rules::auditd_setfacl_use: Ensure successful and unsuccessful attempts to use the setfacl command are recorded
  • cis_security_hardening::rules::auditd_setfiles: Ensure audit of setfiles command.
  • cis_security_hardening::rules::auditd_setsebool: Ensure audit of the setsebool command.
  • cis_security_hardening::rules::auditd_setxattr_use: Ensure successful and unsuccessful attempts to use the setxattr system call are recorded
  • cis_security_hardening::rules::auditd_space_left: Ensure the operating system takes action when allocated audit record storage volume reaches 75 percent
  • cis_security_hardening::rules::auditd_ssh_agent_use: Ensure successful and unsuccessful uses of the ssh-agent command are collected
  • cis_security_hardening::rules::auditd_ssh_keysign_use: Ensure successful and unsuccessful uses of the ssh-keysign command are collected
  • cis_security_hardening::rules::auditd_sudo_use: Ensure successful and unsuccessful uses of the sudo command are recorded
  • cis_security_hardening::rules::auditd_sudoedit_use: Ensure successful and unsuccessful attempts to use the sudoedit command are recorded
  • cis_security_hardening::rules::auditd_sudoers: Ensure the operating system generates audit records for all account creations, modifications, disabling, and termination events
  • cis_security_hardening::rules::auditd_sudoersd: Ensure the operating system generates audit records for all account creations, modifications, disabling, and termination events
  • cis_security_hardening::rules::auditd_system_locale: Ensure events that modify the system's network environment are collected
  • cis_security_hardening::rules::auditd_time_change: Ensure events that modify date and time information are collected
  • cis_security_hardening::rules::auditd_tools_perms: Ensure audit tools are mode of 0755 or more restrictive and owned by the right user and group
  • cis_security_hardening::rules::auditd_umount: Ensure auditing of the umount command
  • cis_security_hardening::rules::auditd_unix_checkpwd: Ensure auditing of the unix_chkpwd command.
  • cis_security_hardening::rules::auditd_unix_update_use: Ensure successful and unsuccessful attempts to use the unix_update command are recorded
  • cis_security_hardening::rules::auditd_usbguard: Ensure the operating system enables Linux audit logging of the USBGuard daemon
  • cis_security_hardening::rules::auditd_user_emulation: Ensure actions as another user are always logged
  • cis_security_hardening::rules::auditd_userhelper: Ensure audit of the userhelper command.
  • cis_security_hardening::rules::auditd_usermod_use: Ensure successful and unsuccessful attempts to use the usermod command are recorded
  • cis_security_hardening::rules::auditd_when_disk_full: Ensure system is disabled when audit logs are full
  • cis_security_hardening::rules::authselect: Create custom authselect profile (Scored)
  • cis_security_hardening::rules::avahi: Ensure Avahi Server is not enabled
  • cis_security_hardening::rules::bind: Ensure DNS Server is not installed
  • cis_security_hardening::rules::boot_efi_nosuid: Ensure the "/boot/efi" directory is mounted with the "nosuid" option
  • cis_security_hardening::rules::boot_nosuid: Ensure the "/boot" directory is mounted with the "nosuid" option.
  • cis_security_hardening::rules::chrony: Ensure chrony is configured
  • cis_security_hardening::rules::cramfs: Ensure mounting of cramfs filesystems is disabled
  • cis_security_hardening::rules::cron_daily: Ensure permissions on /etc/cron.daily are configured
  • cis_security_hardening::rules::cron_hourly: Ensure permissions on /etc/cron.hourly are configured
  • cis_security_hardening::rules::cron_monthly: Ensure permissions on /etc/cron.monthly are configured
  • cis_security_hardening::rules::cron_restrict: Ensure cron is restricted to authorized users
  • cis_security_hardening::rules::cron_weekly: Ensure permissions on /etc/cron.weekly are configured
  • cis_security_hardening::rules::crond_service: Ensure cron daemon is enabled and running
  • cis_security_hardening::rules::crontab: Ensure permissions on /etc/crontab are configured
  • cis_security_hardening::rules::crtl_alt_del: Ensure the Ctrl-Alt-Delete key sequence is disabled
  • cis_security_hardening::rules::crypto_policy: Ensure system-wide crypto policy is FUTURE or FIPS
  • cis_security_hardening::rules::ctrl_alt_del_graphical: Ensure the graphical user Ctrl-Alt-Delete key sequence is disabled
  • cis_security_hardening::rules::cups: Ensure CUPS is not enabled
  • cis_security_hardening::rules::debug_shell: Ensure the operating system is configured to mask the debug-shell systemd service
  • cis_security_hardening::rules::dev_shm: Ensure /dev/shm is configured
  • cis_security_hardening::rules::dev_shm_nodev: Ensure nodev option set on /dev/shm partition
  • cis_security_hardening::rules::dev_shm_noexec: Ensure noexec option set on /dev/shm partition
  • cis_security_hardening::rules::dev_shm_nosuid: Ensure nosuid option set on /dev/shm partition
  • cis_security_hardening::rules::dhcp: Ensure DHCP Server is not enabled
  • cis_security_hardening::rules::disable_apport: Ensure Automatic Error Reporting is not enabled (Automated)
  • cis_security_hardening::rules::disable_atm: Ensure ATM is disabled
  • cis_security_hardening::rules::disable_automount: Disable Automounting
  • cis_security_hardening::rules::disable_bluetooth: Ensure Bluetooth is disabled
  • cis_security_hardening::rules::disable_can: Ensure CAN is disabled
  • cis_security_hardening::rules::disable_core_dumps: Ensure the operating system disables the storing core dumps
  • cis_security_hardening::rules::disable_coredump_socket: Ensure the operating system is not configured to acquire, save, or process core dumps
  • cis_security_hardening::rules::disable_dccp: Ensure DCCP is disabled
  • cis_security_hardening::rules::disable_ip_forwarding: Ensure IP forwarding is disabled
  • cis_security_hardening::rules::disable_ipv6: Disable IPv6
  • cis_security_hardening::rules::disable_packet_redirect: Ensure packet redirect sending is disabled
  • cis_security_hardening::rules::disable_prelink: Ensure prelink is disabled
  • cis_security_hardening::rules::disable_rds: Ensure RDS is disabled
  • cis_security_hardening::rules::disable_sctp: Ensure SCTP is disabled
  • cis_security_hardening::rules::disable_tipc: Ensure TIPC is disabled
  • cis_security_hardening::rules::disable_usb_storage: Disable USB Storage
  • cis_security_hardening::rules::disable_wireless: Ensure wireless interfaces are disabled (Not Scored)
  • cis_security_hardening::rules::dmesg_restrict: Ensure the operating system is configured to restrict access to the kernel message buffer
  • cis_security_hardening::rules::dns: Ensure DNS servers are configured
  • cis_security_hardening::rules::dnsmasq: Ensure dnsmasq is not installed (Automated)
  • cis_security_hardening::rules::dovecot: Ensure IMAP and POP3 server is not enabled
  • cis_security_hardening::rules::dracut_fips: Ensure NIST FIPS-validated cryptography is configured
  • cis_security_hardening::rules::enable_aslr: Ensure address space layout randomization (ASLR) is enabled
  • cis_security_hardening::rules::enable_reverse_path_filtering: Ensure Reverse Path Filtering is enabled
  • cis_security_hardening::rules::enable_tcp_syn_cookies: Ensure TCP SYN Cookies are enabled
  • cis_security_hardening::rules::etc_crond: Ensure permissions on /etc/cron.d are configured
  • cis_security_hardening::rules::fapolicyd: Ensure "fapolicyd" is installed
  • cis_security_hardening::rules::fapolicyd_policy: Ensure "fapolicyd" employs a deny-all, permit-by-exception policy
  • cis_security_hardening::rules::fapolicyd_service: Ensure "fapolicyd" is enabled and running
  • cis_security_hardening::rules::fat: Ensure mounting of FAT filesystems is disabled
  • cis_security_hardening::rules::fips_bootloader: Ensure FIPS mode is enabled
  • cis_security_hardening::rules::firewalld_default_zone: Ensure default zone is set
  • cis_security_hardening::rules::firewalld_install: Ensure a Firewall package is installed
  • cis_security_hardening::rules::firewalld_interfaces: Ensure network interfaces are assigned to appropriate zone
  • cis_security_hardening::rules::firewalld_ports_services: Ensure unnecessary services and ports are not accepted
  • cis_security_hardening::rules::firewalld_service: Ensure firewalld service is enabled and running
  • cis_security_hardening::rules::firewire_core: Ensure the operating system disables the ability to load the firewire-core kernel module
  • cis_security_hardening::rules::freevxfs: Ensure mounting of freevxfs filesystems is disabled
  • cis_security_hardening::rules::ftp: Ensure FTP Server is not installed
  • cis_security_hardening::rules::gdm_auto_mount: Ensure automatic mounting of removable media is disabled
  • cis_security_hardening::rules::gdm_autologin: Ensure automatic logon via GUI is not allowed
  • cis_security_hardening::rules::gdm_lock_enabled: Ensure user's session lock is enabled
  • cis_security_hardening::rules::gdm_mfa: Ensure users must authenticate using MFA via a graphical user logon
  • cis_security_hardening::rules::gdm_screensaver: Ensure GNOME Screensaver period of inactivity is configured
  • cis_security_hardening::rules::gnome_gdm
  • cis_security_hardening::rules::gnome_gdm_package: Ensure GNOME Display Manager is removed
  • cis_security_hardening::rules::group_bak_perms: Ensure permissions on /etc/group- are configured
  • cis_security_hardening::rules::group_perms: Ensure permissions on /etc/group are configured
  • cis_security_hardening::rules::grub_bootloader_config: Ensure permissions on bootloader config are configured
  • cis_security_hardening::rules::grub_page_poison: Ensure GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities
  • cis_security_hardening::rules::grub_password: Ensure bootloader password is set
  • cis_security_hardening::rules::grub_slub_debug: Ensure GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities
  • cis_security_hardening::rules::grub_vsyscall: Ensure GRUB 2 is configured to disable vsyscalls
  • cis_security_hardening::rules::gshadow_bak_perms: Ensure permissions on /etc/gshadow- are configured
  • cis_security_hardening::rules::gshadow_perms: Ensure permissions on /etc/gshadow are configured
  • cis_security_hardening::rules::gssproxy: Ensure the gssproxy package has not been installed on the system
  • cis_security_hardening::rules::hfs: Ensure mounting of hfs filesystems is disabled
  • cis_security_hardening::rules::hfsplus: Ensure mounting of hfsplus filesystems is disabled
  • cis_security_hardening::rules::home_grpquota: Ensure grpquota option set on /home partition
  • cis_security_hardening::rules::home_nodev: Ensure nodev option set on /home partition
  • cis_security_hardening::rules::home_noexec: Ensure file systems that contain user home directories are mounted with the "noexec" option
  • cis_security_hardening::rules::home_nosuid: Ensure nosuid option set on /home partition
  • cis_security_hardening::rules::home_usrquota: Ensure usrquota option set on /home partition
  • cis_security_hardening::rules::httpd: Ensure HTTP server is not enabled
  • cis_security_hardening::rules::icmp_redirects: Ensure ICMP redirects are not accepted
  • cis_security_hardening::rules::ignore_bogus_icmp_responses: Ensure bogus ICMP responses are ignored
  • cis_security_hardening::rules::ignore_icmp_broadcast: Ensure broadcast ICMP requests are ignored
  • cis_security_hardening::rules::inactive_password_lock: Ensure inactive password lock is 0 days
  • cis_security_hardening::rules::ip6tables_deny_policy: Ensure default deny firewall policy
  • cis_security_hardening::rules::ip6tables_loopback: Ensure loopback traffic is configured
  • cis_security_hardening::rules::ip6tables_open_ports: Ensure IPv6 firewall rules exist for all open ports
  • cis_security_hardening::rules::ip6tables_outbound_established: Ensure outbound and established connections are configured
  • cis_security_hardening::rules::iprutils: Ensure the iprutils package has not been installed on the system.
  • cis_security_hardening::rules::iptables_deny_policy: Ensure default deny firewall policy
  • cis_security_hardening::rules::iptables_install: Ensure iptables is installed
  • cis_security_hardening::rules::iptables_loopback: Ensure loopback traffic is configured
  • cis_security_hardening::rules::iptables_open_ports: Ensure firewall rules exist for all open ports
  • cis_security_hardening::rules::iptables_outbound_established: Ensure outbound and established connections are configured
  • cis_security_hardening::rules::ipv6_router_advertisements: Ensure IPv6 router advertisements are not accepted
  • cis_security_hardening::rules::issue_net_perms: Ensure permissions on /etc/issue.net are configured
  • cis_security_hardening::rules::issue_perms: Ensure permissions on /etc/issue are configured
  • cis_security_hardening::rules::jffs2: Ensure mounting of jffs2 filesystems is disabled
  • cis_security_hardening::rules::journald_compress: Ensure journald is configured to compress large log files
  • cis_security_hardening::rules::journald_persistent: Ensure journald is configured to write logfiles to persistent disk
  • cis_security_hardening::rules::journald_rsyslog: Ensure journald is configured to send logs to rsyslog
  • cis_security_hardening::rules::kdump_service: Ensure kdump service is not enabled
  • cis_security_hardening::rules::kexec_load_disabled: Ensure kernel image loading is disabled
  • cis_security_hardening::rules::kptr_restrict: Ensure the operating system restricts exposed kernel pointer addresses access
  • cis_security_hardening::rules::krb5_server: Ensure the krb5-server package has not been installed on the system
  • cis_security_hardening::rules::krb5_workstation: Ensure the krb5-workstation package has not been installed on the system
  • cis_security_hardening::rules::ldap_client: Ensure LDAP client is not installed
  • cis_security_hardening::rules::ldapd: Ensure LDAP server is not enabled
  • cis_security_hardening::rules::limits_maxlogins: Ensure maxlogins is 10 or less
  • cis_security_hardening::rules::lock_root: Ensure root account is locked
  • cis_security_hardening::rules::log_suspicious_packets: Ensure suspicious packets are logged
  • cis_security_hardening::rules::logfile_permissions: Ensure permissions on all logfiles are configured
  • cis_security_hardening::rules::login_create_home: Ensure upon user creation a home directory is assigned.
  • cis_security_hardening::rules::login_fail_delay: Ensure delay between logon prompts on failure
  • cis_security_hardening::rules::logrotate: Ensure logrotate is configured
  • cis_security_hardening::rules::logrotate_configuration: Ensure logrotate assigns appropriate permissions
  • cis_security_hardening::rules::mcstrans: Ensure the MCS Translation Service (mcstrans) is not installed
  • cis_security_hardening::rules::mfetp: Ensure Endpoint Security for Linux Threat Prevention is installed
  • cis_security_hardening::rules::motd_perms: Ensure message of the day is configured properly
  • cis_security_hardening::rules::mta_local: Ensure mail transfer agent is configured for local-only mode
  • cis_security_hardening::rules::mta_unrestriced_relay
  • cis_security_hardening::rules::net_bpf_jit_harden: Ensure the operating system enables hardening for the BPF JIT
  • cis_security_hardening::rules::net_snmp: Ensure net-snmp is not installed
  • cis_security_hardening::rules::nfs: Ensure NFS is not enabled
  • cis_security_hardening::rules::nfs_nodev: Ensure file systems being imported via NFS are mounted with the "nosuid" option.
  • cis_security_hardening::rules::nfs_noexec: Ensure noexec option is configured for NFS.
  • cis_security_hardening::rules::nfs_nosuid: Ensure nosuid option is set for NFS
  • cis_security_hardening::rules::nfs_sec_opt: Ensure NFS is configured to use RPCSEC_GSS
  • cis_security_hardening::rules::nfs_utils: Ensure nfs-utils is not installed or the nfs-server service is masked
  • cis_security_hardening::rules::nftables_base_chains: Ensure base chains exist
  • cis_security_hardening::rules::nftables_default_deny: Ensure default deny firewall policy
  • cis_security_hardening::rules::nftables_flush_iptables: Ensure iptables are flushed
  • cis_security_hardening::rules::nftables_install: Ensure nftables is installed
  • cis_security_hardening::rules::nftables_loopback: Ensure loopback traffic is configured
  • cis_security_hardening::rules::nftables_outbound_established: Ensure outbound and established connections are configured
  • cis_security_hardening::rules::nftables_persistence: Ensure nftables rules are permanent
  • cis_security_hardening::rules::nftables_service: Ensure nftables service is enabled
  • cis_security_hardening::rules::nftables_table: Ensure a table exists
  • cis_security_hardening::rules::nis: Ensure NIS Server is not enabled
  • cis_security_hardening::rules::nis_client: Ensure NIS Client is not installed
  • cis_security_hardening::rules::ntp_package: Install ntp package
  • cis_security_hardening::rules::ntpd: Ensure ntp is configured
  • cis_security_hardening::rules::opassword_perms: Ensure permissions on /etc/security/opasswd are configured
  • cis_security_hardening::rules::opensc_pkcs11: Ensure the opensc-pkcs11 package is installed
  • cis_security_hardening::rules::openssl_pkcs11: Ensure the operating system has the packages required for multifactor authentication
  • cis_security_hardening::rules::pam_cached_auth: Ensure PAM prohibits the use of cached authentications after one day
  • cis_security_hardening::rules::pam_fail_delay: Ensure login delay after failed logon attempt
  • cis_security_hardening::rules::pam_last_logon: Ensure last successful account logon is displayed upon logon
  • cis_security_hardening::rules::pam_lockout: Ensure lockout for failed password attempts is configured
  • cis_security_hardening::rules::pam_mfa: Ensure smart card logins for multifactor authentication for local and network access
  • cis_security_hardening::rules::pam_mfa_redhat: Ensure multi-factor authentication is enabled for users
  • cis_security_hardening::rules::pam_old_passwords: Ensure password reuse is limited
  • cis_security_hardening::rules::pam_passwd: Ensure system-auth is used when changing passwords
  • cis_security_hardening::rules::pam_passwd_sha512: Ensure password hashing algorithm is SHA-512
  • cis_security_hardening::rules::pam_pkcs11: Ensure the libpam-pkcs11 package is installed
  • cis_security_hardening::rules::pam_pw_requirements: Ensure password creation requirements are configured
  • cis_security_hardening::rules::pam_use_mappers: Ensure authenticated identity is mapped to the user or group account for PKI-based authentication
  • cis_security_hardening::rules::passwd_bak_perms: Ensure permissions on /etc/group- are configured
  • cis_security_hardening::rules::passwd_expiration: Ensure password expiration is 365 days or less
  • cis_security_hardening::rules::passwd_inactive_days: Ensure inactive password lock is 30 days or less
  • cis_security_hardening::rules::passwd_min_days: Ensure minimum days between password changes is 7 or more
  • cis_security_hardening::rules::passwd_perms: Ensure permissions on /etc/passwd are configured
  • cis_security_hardening::rules::passwd_sha512: Ensure ENCRYPT_METHOD is SHA512
  • cis_security_hardening::rules::passwd_warn_days: Ensure password expiration warning days is 7 or more
  • cis_security_hardening::rules::perf_event_paranoid: Ensure the operating system is configured to prevent kernel profiling by unprivileged users
  • cis_security_hardening::rules::pki_certs_validation: Ensure certificates are validated by constructing a certification path to an accepted trust anchor
  • cis_security_hardening::rules::policycoreutils: Ensure the operating system has the policycoreutils package installed
  • cis_security_hardening::rules::postmaster_alias: Ensure administrators are notified if an audit processing failure occurs by modifying "/etc/aliases"
  • cis_security_hardening::rules::pti: Ensure kernel page-table isolation is enabled
  • cis_security_hardening::rules::ptrace_scope: Ensure the operating system restricts usage of ptrace to descendant processes
  • cis_security_hardening::rules::restrict_core_dumps: A core dump is the memory of an executable program. It is generally used to determine why a program aborted.
  • cis_security_hardening::rules::restrict_su: Ensure access to the su command is restricted
  • cis_security_hardening::rules::rhnsd: Disable the rhnsd Daemon
  • cis_security_hardening::rules::rng_tools: Ensure the system has the packages required to enable the hardware random number generator entropy gatherer service
  • cis_security_hardening::rules::rngd: Ensure the operating system has enabled the hardware random number generator entropy gatherer service
  • cis_security_hardening::rules::root_gid: Ensure default group for the root account is GID 0
  • cis_security_hardening::rules::rpcbind: Ensure rpcbind is not installed or the rpcbind services are masked
  • cis_security_hardening::rules::rsh_client: Ensure rsh client is not installed
  • cis_security_hardening::rules::rsh_server: Ensure rsh-server is not installed
  • cis_security_hardening::rules::rsyncd: Ensure rsync is not installed or the rsyncd service is masked
  • cis_security_hardening::rules::rsyslog_default_file_perms: Ensure rsyslog default file permissions are configured
  • cis_security_hardening::rules::rsyslog_installed: Ensure rsyslog or syslog-ng is installed
  • cis_security_hardening::rules::rsyslog_logging: Ensure logging is configured
  • cis_security_hardening::rules::rsyslog_remote_logs: Ensure rsyslog is configured to send logs to a remote log host
  • cis_security_hardening::rules::rsyslog_remote_syslog: Ensure remote rsyslog messages are only accepted on designated log hosts.
  • cis_security_hardening::rules::rsyslog_service: Ensure rsyslog Service is enabled
  • cis_security_hardening::rules::samba: Ensure Samba is not installed
  • cis_security_hardening::rules::secure_icmp_redirects: Ensure secure ICMP redirects are not accepted
  • cis_security_hardening::rules::selinux: Ensure SELinux is installed
  • cis_security_hardening::rules::selinux_bootloader: Ensure SELinux is not disabled in bootloader configuration
  • cis_security_hardening::rules::selinux_policy: Ensure SELinux policy is configured
  • cis_security_hardening::rules::selinux_state: Ensure the SELinux state is enforcing or permissive
  • cis_security_hardening::rules::sendmail: Ensure the sendmail package is not installed.
  • cis_security_hardening::rules::setroubleshoot: Ensure SETroubleshoot is not installed
  • cis_security_hardening::rules::shadow_bak_perms: Ensure permissions on /etc/shadow- are configured
  • cis_security_hardening::rules::shadow_encrypt_sha512: Ensure password hashing algorithm is SHA-512
  • cis_security_hardening::rules::shadow_perms: Ensure permissions on /etc/shadow are configured
  • cis_security_hardening::rules::shadowed_passwords: Ensure accounts in /etc/passwd use shadowed passwords
  • cis_security_hardening::rules::shell_nologin: Ensure system accounts are secured
  • cis_security_hardening::rules::shells_perms: Ensure permissions on /etc/shells are configured
  • cis_security_hardening::rules::single_user_mode: Ensure authentication required for single user mode
  • cis_security_hardening::rules::source_routed_packets: Ensure source routed packets are not accepted
  • cis_security_hardening::rules::squashfs: Ensure mounting of squashfs filesystems is disabled
  • cis_security_hardening::rules::squid: Ensure HTTP Proxy Server is not enabled
  • cis_security_hardening::rules::sshd_banner
  • cis_security_hardening::rules::sshd_ciphers: Ensure only strong Ciphers are used
  • cis_security_hardening::rules::sshd_compression: Ensure SSH compressions setting is delayed
  • cis_security_hardening::rules::sshd_config_permissions: Ensure permissions on /etc/ssh/sshd_config are configured
  • cis_security_hardening::rules::sshd_crypto_policy: Ensure system-wide crypto policy is not over-ridden
  • cis_security_hardening::rules::sshd_empty_passwords: Ensure SSH PermitEmptyPasswords is disabled
  • cis_security_hardening::rules::sshd_gssapi: Ensure SSH does not permit GSSAPI
  • cis_security_hardening::rules::sshd_hostbased_authentication: Ensure SSH HostbasedAuthentication is disabled
  • cis_security_hardening::rules::sshd_ignore_rhosts: Ensure SSH IgnoreRhosts is enabled
  • cis_security_hardening::rules::sshd_ignore_user_known_hosts: Ensure SSH IgnoreUserKnownHosts is enabled
  • cis_security_hardening::rules::sshd_install: Ensure SSH is installed and active
  • cis_security_hardening::rules::sshd_kerberos: Ensure SSH does not permit Kerberos authentication
  • cis_security_hardening::rules::sshd_kex: Ensure only strong Key Exchange algorithms are used
  • cis_security_hardening::rules::sshd_limit_access: Ensure SSH access is limited
  • cis_security_hardening::rules::sshd_login_gracetime: Ensure SSH LoginGraceTime is set to one minute or less
  • cis_security_hardening::rules::sshd_loglevel: Ensure SSH LogLevel is set to INFO
  • cis_security_hardening::rules::sshd_macs: Ensure only approved MAC algorithms are used
  • cis_security_hardening::rules::sshd_max_auth_tries: Ensure SSH MaxAuthTries is set to 4 or less
  • cis_security_hardening::rules::sshd_max_sessions: Ensure SSH MaxSessions is set to 4 or less
  • cis_security_hardening::rules::sshd_max_startups: Ensure SSH MaxStartups is configured
  • cis_security_hardening::rules::sshd_printlastlog: Ensure Printlastlog is enabled
  • cis_security_hardening::rules::sshd_priv_separation: Ensure SSH uses privilege separation
  • cis_security_hardening::rules::sshd_private_keys: Ensure permissions on SSH private host key files are configured
  • cis_security_hardening::rules::sshd_protocol: Ensure SSH Protocol is set to 2
  • cis_security_hardening::rules::sshd_public_keys: Ensure permissions on SSH public host key files are configured
  • cis_security_hardening::rules::sshd_rekey_limit: Ensure the SSH server is configured to force frequent session key renegotiation
  • cis_security_hardening::rules::sshd_root_login: Ensure SSH root login is disabled
  • cis_security_hardening::rules::sshd_rsa_rhosts_authentication: Ensure RSA rhosts authentication is not allowed
  • cis_security_hardening::rules::sshd_strict_modes: Ensure SSH performs checks of home directory configuration files
  • cis_security_hardening::rules::sshd_strong_rng: Ensure the SSH server uses strong entropy
  • cis_security_hardening::rules::sshd_tcp_forwarding: Ensure SSH AllowTcpForwarding is disabled
  • cis_security_hardening::rules::sshd_timeouts: Ensure SSH Idle Timeout Interval is configured
  • cis_security_hardening::rules::sshd_use_pam: Ensure SSH PAM is enabled
  • cis_security_hardening::rules::sshd_user_environment: Ensure SSH PermitUserEnvironment is disabled
  • cis_security_hardening::rules::sshd_x11_forward: Ensure SSH X11 forwarding is disabled
  • cis_security_hardening::rules::sshd_x11_use_localhost: Ensure X11UseLocalhost is enabled
  • cis_security_hardening::rules::sssd_ldap_tls_reqcert: Ensure ldap_tls_reqcert is set for LDAP.
  • cis_security_hardening::rules::sssd_mfa_services: Ensure multifactor authentication for access to privileged accounts
  • cis_security_hardening::rules::sssd_use_start_tls: Ensure ldap_id_use_start_tls is set for LDAP.
  • cis_security_hardening::rules::sticky_world_writeable_files: Ensure sticky bit is set on all world-writable directories
  • cis_security_hardening::rules::sudo_installed: Ensure sudo is installed
  • cis_security_hardening::rules::sudo_log: Ensure sudo log file exists
  • cis_security_hardening::rules::sudo_passwd_required: Ensure users password required for privilege escalation when using sudo
  • cis_security_hardening::rules::sudo_timeout: Ensure sudo authentication timeout is configured correctly
  • cis_security_hardening::rules::sudo_use_pty: Ensure sudo commands use pty
  • cis_security_hardening::rules::system_cmd_group: Ensure system command files are group-owned by root
  • cis_security_hardening::rules::systemd_journal_remote: Ensure systemd-journal-remote is installed
  • cis_security_hardening::rules::systemd_journal_remote_config: Ensure systemd-journal-remote is configured
  • cis_security_hardening::rules::systemd_journal_remote_receive: Ensure journald is not configured to receive logs from a remote client (Automated)
  • cis_security_hardening::rules::systemd_journal_remote_service: Ensure systemd-journal-remote is enabled
  • cis_security_hardening::rules::systemd_journald_service: Ensure journald service is enabled (Automated)
  • cis_security_hardening::rules::systemd_timesyncd: Ensure systemd-timesyncd is configured (Not Scored)
  • cis_security_hardening::rules::talk_client: Ensure talk client is not installed
  • cis_security_hardening::rules::telnet_client: Ensure telnet client is not installed
  • cis_security_hardening::rules::telnet_server: Ensure telnet-server is not installed
  • cis_security_hardening::rules::tftp_client: Ensure TFTP client is not installed
  • cis_security_hardening::rules::tftp_server: Ensure TFTP Server is not installed
  • cis_security_hardening::rules::timeout_setting: Ensure default user shell timeout is configured
  • cis_security_hardening::rules::timezone_utc_gmt: Ensure system timezone is set to UTC or GMT
  • cis_security_hardening::rules::tmp_filesystem: Ensure /tmp is configured
  • cis_security_hardening::rules::tmp_nodev: Ensure nodev option set on /tmp partition
  • cis_security_hardening::rules::tmp_noexec: Ensure noexec option set on /tmp partition
  • cis_security_hardening::rules::tmp_nosuid: Ensure nosuid option set on /tmp partition
  • cis_security_hardening::rules::tmux_package: Ensure the "tmux" package is installed
  • cis_security_hardening::rules::tuned: Ensure the tuned package has not been installed on the system.
  • cis_security_hardening::rules::udf: Ensure mounting of udf filesystems is disabled
  • cis_security_hardening::rules::ufw_default_deny: Ensure default deny firewall policy
  • cis_security_hardening::rules::ufw_install: Ensure ufw is installed
  • cis_security_hardening::rules::ufw_loopback: Ensure loopback traffic is configured
  • cis_security_hardening::rules::ufw_open_ports: Ensure firewall rules exist for all open ports
  • cis_security_hardening::rules::ufw_outbound: Ensure outbound connections are configured (Not Scored)
  • cis_security_hardening::rules::ufw_service: Ensure ufw service is enabled
  • cis_security_hardening::rules::umask_setting: Ensure default user umask is configured
  • cis_security_hardening::rules::unprivileged_bpf_disabled: Ensure the operating system prevents privilege escalation through the kernel by disabling access to the bpf syscall
  • cis_security_hardening::rules::usbguard_package: Ensure USBGuard is installed on the operating system
  • cis_security_hardening::rules::usbguard_service: Ensure the operating system has enabled the use of the USBGuard
  • cis_security_hardening::rules::user_namespaces: Ensure the operating system disables the use of user namespaces
  • cis_security_hardening::rules::var_log_audit_nodev: Ensure nodev option set on /var/log/audit partition
  • cis_security_hardening::rules::var_log_audit_noexec: Ensure noexec option set on /var/log/audit partition
  • cis_security_hardening::rules::var_log_audit_nosuid: Ensure nosuid option set on /var/log/audit partition
  • cis_security_hardening::rules::var_log_nodev: Ensure nodev option set on /var/log partition
  • cis_security_hardening::rules::var_log_noexec: Ensure noexec option set on /var/log partition
  • cis_security_hardening::rules::var_log_nosuid: Ensure nosuid option set on /var/log partition
  • cis_security_hardening::rules::var_log_syslog_perms: Ensure /var/log/syslog is group-owned by adm, owned by syslog and has permissions 0640
  • cis_security_hardening::rules::var_nodev: Ensure nodev option set on /var partition
  • cis_security_hardening::rules::var_noexec: Ensure noexec option set on /var partition
  • cis_security_hardening::rules::var_nosuid: Ensure nosuid option set on /var partition
  • cis_security_hardening::rules::var_tmp_nodev: Ensure nodev option set on /var/tmp partition
  • cis_security_hardening::rules::var_tmp_noexec: Ensure noexec option set on /var/tmp partition
  • cis_security_hardening::rules::var_tmp_nosuid: Ensure nosuid option set on /var/tmp partition
  • cis_security_hardening::rules::vlock: Ensure vlock is installed
  • cis_security_hardening::rules::vsftp: Ensure FTP Server is not enabled
  • cis_security_hardening::rules::x11_installed: Ensure X Window System is not installed
  • cis_security_hardening::rules::xdmcp_config: Ensure XDMCP is not enabled
  • cis_security_hardening::rules::xinetd: Ensure xinetd is not installed
  • cis_security_hardening::rules::yum_clean_requirements: Ensure removal of software components after update
  • cis_security_hardening::rules::yum_gpgcheck: Ensure gpgcheck is globally activated
  • cis_security_hardening::rules::yum_local_gpgcheck: Ensure software packages have been digitally signed by a Certificate Authority
  • cis_security_hardening::rules::zypper_gpgcheck: Ensure gpgcheck is globally activated

Defined types

Functions

Public Functions

  • sanitize_input: sanitize_input.rb Uses Shellwords.escape to sanitize cmd.

Private Functions

  • cis_security_hardening::hash_key: Check if a hash contains a particular key

Data types

Tasks

Classes

cis_security_hardening

Define a complete security baseline and monitor the rules. The baseline can be defined in Hiera. The purpose of the module is to give the ability to set up a complete security baseline which does not necessarily have to stick to an industry security guide like the CIS benchmarks.

The easiest way to use the module is to put all rule data into a Hiera file. For more information please consult the README file.

Examples

include cis_security_hardening

Parameters

The following parameters are available in the cis_security_hardening class:

profile

Data type: Enum['server']

The benchmark profile to use. Currently only server profiles are supported.

Default value: 'server'

level

Data type: Enum['1', '2', 'stig']

The CIS Benchmark server security level. Higher levels include all rules of lower levels. Therefore all level 1 rules are included in the level 2 rules, and stig includes the level 1 and level 2 rules.

Default value: '2'

update_postrun_command

Data type: Boolean

Update Puppet agent post run command

Default value: true

fact_upload_command

Data type: Stdlib::Absolutepath

Command to use to upload facts to Puppet master

Default value: '/usr/share/cis_security_hardening/bin/fact_upload.sh'

exclude_dirs_sticky_ww

Data type: Array

Array of directories to exclude from the search for world writable directories with sticky bit

Default value: []

auditd_dirs_to_include

Data type: Array

Directories to search for privileged commands to create auditd rules.

Default value: ['/usr']

time_until_reboot

Data type: Integer

Time to wait until the system is rebooted if required. Time in seconds. For the reboot the puppetlabs-reboot module is used. Please obey the following comment from this module: POSIX systems (with the exception of Solaris) only support specifying the timeout as minutes. As such, the value of timeout must be a multiple of 60. Other values will be rounded up to the nearest minute and a warning will be issued.

Default value: 120

auto_reboot

Data type: Boolean

Reboot when necessary after time_until_reboot is exceeded

Default value: true

verbose_logging

Data type: Boolean

Print various info messages

Default value: false

remove_authconfig

Data type: Boolean

Remove the authconfig package on Red Hat 7 or similar OSes

Default value: false

enable_sticky_world_writable_cron

Data type: Boolean

Whether to enable the sticky world writable cron job.

Default value: true

enable_auditd_cron

Data type: Boolean

Whether to enable the auditd cron job.

Default value: true

cis_security_hardening::auditd_cron

Auditd rules can monitor privileged command use. As filesystems can be huge and searching for the relevant commands can be time consuming, this cron job creates a custom fact to provide the auditd rule with appropriate input.

Examples

include cis_security_hardening::auditd_cron

Parameters

The following parameters are available in the cis_security_hardening::auditd_cron class:

ensure

Data type: Enum['present', 'absent']

Whether the cron job should be present or absent.

Default value: 'present'

dirs_to_include

Data type: Array

A list of directories to search

Default value: ['/usr']

start_time_minute

Data type: Integer

The minute to start the cronjob

Default value: 37

start_time_hour

Data type: Integer

The hour to run the cronjob

Default value: 3

cron_repeat

Data type: Enum['0','2','4','6','8']

Interval to repeat the cronjob in hours. 0 means run only once a day.

Default value: '0'

output_file

Data type: Stdlib::Absolutepath

File to write fact data.

Default value: '/usr/share/cis_security_hardening/data/auditd_priv_cmds.txt'

script

Data type: Stdlib::Absolutepath

Filename of the script to run from cron.

Default value: '/usr/share/cis_security_hardening/bin/auditd_priv_cmds.sh'

cis_security_hardening::config

Create files, install scripts and cron jobs

Examples

include cis_security_hardening::config

Parameters

The following parameters are available in the cis_security_hardening::config class:

update_postrun_command

Data type: Boolean

Update Puppet agent's postrun command.

base_dir

Data type: Stdlib::Absolutepath

Directory where all files go to.

fact_upload_command

Data type: Stdlib::Absolutepath

Command to use for fact upload.

cis_security_hardening::reboot

Class triggered by resources requesting a system reboot

Examples

include cis_security_hardening::reboot

Parameters

The following parameters are available in the cis_security_hardening::reboot class:

time_until_reboot

Data type: Integer

Time to wait until the system is rebooted if required. Time in seconds. For the reboot the puppetlabs-reboot module is used. Please obey the following comment from this module: POSIX systems (with the exception of Solaris) only support specifying the timeout as minutes. As such, the value of timeout must be a multiple of 60. Other values will be rounded up to the nearest minute and a warning will be issued.

Default value: $cis_security_hardening::time_until_reboot

auto_reboot

Data type: Boolean

Reboot when necessary after time_until_reboot is exceeded

Default value: $cis_security_hardening::auto_reboot

cis_security_hardening::rules::automatic_error_reporting

The Apport Error Reporting Service automatically generates crash reports for debugging

Rationale: Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords, credit card numbers, serial numbers, and other private material.

Examples

class { 'cis_security_hardening::rules::automatic_error_reporting':
  enforce => true,
}

Parameters

The following parameters are available in the cis_security_hardening::rules::automatic_error_reporting class:

enforce

Data type: Boolean

Sets rule enforcement. If set to true, code will be executed to bring the system into a compliant state.

Default value: false

delete_package

Data type: Boolean

If set to true the apport package will be removed, otherwise only the service gets stopped and masked

Default value: false

cis_security_hardening::rules::dac_on_hardlinks

The operating system must enable kernel parameters to enforce discretionary access control on hardlinks.

Rationale: Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.

When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system access by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().

Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125

Examples

include cis_security_hardening::rules::dac_on_hardlinks

Parameters

The following parameters are available in the cis_security_hardening::rules::dac_on_hardlinks class:

enforce

Data type: Boolean

Enforce the rule.

Default value: false

cis_security_hardening::rules::dac_on_symlinks

The operating system must enable kernel parameters to enforce discretionary access control on symlinks.

Rationale: Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.

When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.

By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner.

Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system access by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().

Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125

Examples

class { 'cis_security_hardening::rules::dac_on_symlinks':
  enforce => true,
}

Parameters

The following parameters are available in the cis_security_hardening::rules::dac_on_symlinks class:

enforce

Data type: Boolean

Enforce the rule.

Default value: false

cis_security_hardening::rules::gdm_lock_delay

The operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.

Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

The session lock is implemented at the point where session activity can be determined and/or controlled.

Examples

include cis_security_hardening::rules::gdm_lock_delay

Parameters

The following parameters are available in the cis_security_hardening::rules::gdm_lock_delay class:

enforce

Data type: Boolean

Enforce the rule.

Default value: false

timeout

Data type: Integer

Lock delay timeout.

Default value: 900

cis_security_hardening::rules::pam_libpwquality

The libpwquality package provides common functions for password quality checking

Rationale: Strong passwords reduce the risk of systems being hacked through brute force methods.

Examples

class { 'cis_security_hardening::rules::pam_libpwquality':
  enforce => true,
}

Parameters

The following parameters are available in the cis_security_hardening::rules::pam_libpwquality class:

enforce

Data type: Boolean

Enforce the rule

Default value: false

cis_security_hardening::services

Several exec resources needed from multiple classes.

Examples

include cis_security_hardening::services

cis_security_hardening::sticky_world_writable_cron

Create a cron job for the search for world writable directories with sticky bit set.

Examples

include cis_security_hardening::sticky_world_writable_cron

Parameters

The following parameters are available in the cis_security_hardening::sticky_world_writable_cron class:

ensure

Data type: Enum['present', 'absent']

Whether the cron job should be present or absent.

Default value: 'present'

dirs_to_exclude

Data type: Array

Array of directories to exclude from search.

Default value: []

filename

Data type: Stdlib::Absolutepath

The file to write data to

Default value: '/usr/share/cis_security_hardening/data/world-writable-files.txt'

script

Data type: Stdlib::Absolutepath

The script to run

Default value: '/usr/share/cis_security_hardening/bin/sticy-world-writable.sh'

Defined types

cis_security_hardening::parent_dirs

Create all missing directories

Examples

cis_security_hardening::parent_dirs { 'create script dir':
  dir_path => '/var/www/scripts',
}

Parameters

The following parameters are available in the cis_security_hardening::parent_dirs defined type:

dir_path

Data type: Stdlib::Unixpath

The directories to be created.

base_path

Data type: Optional[Stdlib::Unixpath]

A base path which does not need to be created

Default value: undef

owner

Data type: Optional[String]

The directory owner.

Default value: undef

group

Data type: Optional[String]

The directory group.

Default value: undef

mode

Data type: Optional[String]

The directory permissions.

Default value: undef

cis_security_hardening::set_mount_options

Change the mount options of a mountpoint.

Examples

cis_security_hardening::set_mount_options { '/home':
  mountpoint   => '/home',
  mountoptions => 'nodev',
}

Parameters

The following parameters are available in the cis_security_hardening::set_mount_options defined type:

mountpoint

Data type: Cis_security_hardening::Mountpoint

Mountpoint to work on

mountoptions

Data type: Cis_security_hardening::Mountoption

Options to set

cis_security_hardening::unmask_systemd_service

Execute a systemd command to unmask a service.

Examples

cis_security_hardening::unmask_systemd_service { 'namevar':
  service => 'umask',
}

Parameters

The following parameters are available in the cis_security_hardening::unmask_systemd_service defined type:

service

Data type: Cis_security_hardening::Servicename

The service to unmask

Functions

sanitize_input

Type: Ruby 4.x API

sanitize_input.rb Uses Shellwords.escape to sanitize cmd.

sanitize_input(String $cmd)

Returns: String

cmd

Data type: String
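As an added illustration of what Shellwords.escape gives the module (this is a constructed re-implementation for demonstration, not the module's own sanitize_input.rb): the escaped string always parses back as a single shell word, so separators and substitution syntax inside cmd cannot start a second command. The sample inputs below are constructed.

```ruby
require 'shellwords'

# Constructed mirror of the module's function: quote every shell
# metacharacter in cmd so the shell treats the whole string literally.
def sanitize_input(cmd)
  Shellwords.escape(cmd)
end

# Number of words a POSIX shell would split str into.
def shell_word_count(str)
  Shellwords.split(str).length
end

# Property check: after sanitize_input the string is exactly one shell
# word, and splitting it back yields the original cmd unchanged.
def roundtrip_ok?(cmd)
  words = Shellwords.split(sanitize_input(cmd))
  words.length == 1 && words.first == cmd
end

# Constructed inputs of the kind that could arrive through Puppet data.
SAMPLES = [
  '/usr/bin/find /usr -perm -4000', # ordinary command line
  'ls; echo injected',              # command separator
  '$(id) `id`',                     # both command substitution forms
  "it's 'quoted'",                  # embedded single quotes
  '',                               # empty string becomes ''
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |cmd|
    escaped = sanitize_input(cmd)
    puts "#{cmd.inspect} -> #{escaped} (#{shell_word_count(escaped)} word)"
  end
end
```

Note that escaping only makes cmd a single literal argument; it does not validate that the command itself is one the caller should be running.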

Data types

Cis_security_hardening::Mountoption

Check a mount option

Alias of Pattern[/(^[\/a-zA-Z0-9]+$|^sec=[\/a-zA-Z0-9:]+$)|^size=[\/a-zA-Z0-9]+$|^fmask=[0-9]+$|^uid=[0-9]+$|^gid=[0-9]+$/]

Cis_security_hardening::Mountpoint

Check a mountpoint with a regex

Alias of Pattern[/^[\/a-zA-Z0-9_-]+$/]

Cis_security_hardening::Nftables_address_families

Valid nftables address families

Alias of Enum['ip', 'ip6', 'inet', 'arp', 'bridge', 'netdev']

Cis_security_hardening::Numbers_letters

Check for only numbers and letters

Alias of Pattern[/^[0-9a-zA-Z]+$/, /^$/]

Cis_security_hardening::Servicename

Check service name

Alias of Pattern[/^[a-zA-Z0-9\.\-_]+$/]

Cis_security_hardening::Word

Word datatype

Alias of Pattern[/^[a-zA-Z0-9_]+$/]

Tasks

audit_sgid_executables

Audit SGID executables

Supports noop? false

audit_suid_executables

Audit SUID executables

Supports noop? false

check_auditd_dirs_and_files

Check auditd directory and file permissions.

Supports noop? false

Parameters

audit_dir

Data type: String

Directory containing auditd log files.

check_for_duplicate_gids

Check no duplicate GIDs exist.

Supports noop? false

check_for_duplicate_group_names

Check no duplicate group names exist.

Supports noop? false

check_for_duplicate_uids

Check no duplicate UIDs exist.

Supports noop? false

check_for_duplicate_user_names

Check no duplicate user names exist.

Supports noop? false

check_for_forward_files

Check users have no .forward files.

Supports noop? false

check_for_nertrc_files

Check users have no .netrc files.

Supports noop? false

check_for_rhosts_files

Check users have no .rhosts files.

Supports noop? false

check_inactive_passwd_lock

Check inactive password lock is 30 days or less.

Supports noop? false

Parameters

inactive

Data type: Integer

Max. inactive days.

check_pass_max_days

Check password expiration is 365 days or less.

Supports noop? false

check_pass_min_days

Check minimum days between password changes is configured.

Supports noop? false

check_pass_warn_age

Check password expiration warning days is 7 or more.

Supports noop? false

check_root_path_integrety

Check root PATH Integrity.

Supports noop? false

check_shadow_group_is_empty

Check shadow group is empty.

Supports noop? false

check_shell_timeout

Check default user shell timeout is 600 seconds or less.

Supports noop? false

Parameters

tmout

Data type: Integer

Maximal timeout setting.

check_stig_cert_fingerprints

Check if all certificates match DoD fingerprints.

Supports noop? false

check_system_accounts_secured

Check system accounts are secured.

Supports noop? false

check_uid_0_files

Check root is the only UID 0 account.

Supports noop? false

check_unconfines_services

Check for unconfined services.

Supports noop? false

check_user_home_dirs_exist

Check all users' home directories exist.

Supports noop? false

check_user_last_passwd_in_past

Check all users last password change date is in the past.

Supports noop? false

check_users_dot_files

Check users' dot files are not group or world writable.

Supports noop? false

Parameters

stig

Data type: Enum[y,n]

Check for stricter STIG permissions.

check_users_own_home_dirs

Check users own their home directories.

Supports noop? false

cleanup_old_stuff

Cleanup old files from (previous) cis module

Supports noop? false

find_ungrouped_files_dirs

Find ungrouped files and directories.

Supports noop? false

find_unowned_files_dirs

Find unowned files and directories.

Supports noop? false

find_world_writable_files

Find world writable files.

Supports noop? false

fix_wrong_home_dir_permissions

Fix or report wrong home directory permissions

Supports noop? false

Parameters

fix

Data type: Enum[yes,no]

Fix permissions or just report.