cis_security_hardening
: Security baseline enforcement
cis_security_hardening::auditd_cron
: Create a cron job to search privileged commands for auditd
cis_security_hardening::config
: Configure the module
cis_security_hardening::reboot
: Handle necessary reboot
cis_security_hardening::rules::automatic_error_reporting
: Ensure Automatic Error Reporting is not enabled (Automated)
cis_security_hardening::rules::dac_on_hardlinks
: Ensure the operating system is configured to enable DAC on hardlinks
cis_security_hardening::rules::dac_on_symlinks
: Ensure the operating system is configured to enable DAC on symlinks
cis_security_hardening::rules::gdm_lock_delay
: Ensure overriding the screensaver lock-delay setting is prevented
cis_security_hardening::rules::pam_libpwquality
: Ensure libpwquality is installed (Automated)
cis_security_hardening::services
: Services
cis_security_hardening::sticky_world_writable_cron
: Create a cron job for the search for world writable directories with sticky bit set
cis_security_hardening::rules::abrt
: Ensure automated bug reporting tools are not installed
cis_security_hardening::rules::adm_crypt_style
: Ensure user and group account administration utilities are configured to store only encrypted representations of passwords
cis_security_hardening::rules::aide_audit_integrity
: Ensure cryptographic mechanisms are used to protect the integrity of audit tools (Automated)
cis_security_hardening::rules::aide_installed
: Ensure AIDE is installed
cis_security_hardening::rules::aide_notify_admins
: Ensure system administrators are notified of changes to the baseline configuration or anomalies
cis_security_hardening::rules::aide_regular_checks
: Ensure filesystem integrity is regularly checked
cis_security_hardening::rules::apparmor
: Ensure AppArmor is installed
cis_security_hardening::rules::apparmor_bootloader
: Ensure AppArmor is enabled in the bootloader configuration
cis_security_hardening::rules::apparmor_profiles
: Ensure all AppArmor Profiles are enforcing
cis_security_hardening::rules::apparmor_profiles_enforcing
: Ensure all AppArmor Profiles are in enforce or complain mode
cis_security_hardening::rules::apt_unused
: Ensure the Advanced Package Tool removes all software components after updated versions have been installed
cis_security_hardening::rules::at_restrict
: Ensure at is restricted to authorized users
cis_security_hardening::rules::auditd_access
: Ensure unsuccessful unauthorized file access attempts are collected
cis_security_hardening::rules::auditd_actions
: Ensure system administrator actions (sudolog) are collected
cis_security_hardening::rules::auditd_apparmor_parser_use
: Ensure successful and unsuccessful attempts to use the apparmor_parser command are recorded
cis_security_hardening::rules::auditd_backlog_limit
: Ensure audit_backlog_limit is sufficient
cis_security_hardening::rules::auditd_chacl_use
: Ensure successful and unsuccessful attempts to use the chacl command are recorded
cis_security_hardening::rules::auditd_chage_use
: Ensure successful and unsuccessful attempts to use the chage command are recorded
cis_security_hardening::rules::auditd_chcon_use
: Ensure successful and unsuccessful attempts to use the chcon command are recorded
cis_security_hardening::rules::auditd_chfn_use
: Ensure successful and unsuccessful uses of the chfn command are collected
cis_security_hardening::rules::auditd_chsh_use
: Ensure successful and unsuccessful attempts to use the chsh command are recorded
cis_security_hardening::rules::auditd_conf_perms
: Ensure audit configuration files are 0640 or more restrictive and configure user and group
cis_security_hardening::rules::auditd_crontab_use
: Ensure successful and unsuccessful attempts to use the crontab command are recorded
cis_security_hardening::rules::auditd_delete
: Ensure file deletion events by users are collected
cis_security_hardening::rules::auditd_delete_module
: Ensure the operating system generates an audit record when there are successful/unsuccessful attempts to use the "delete_module" command
cis_security_hardening::rules::auditd_disk_error
: Ensure the operating system takes the appropriate action when an audit processing failure occurs
cis_security_hardening::rules::auditd_failure_processing
: Ensure audit processing failures are handled
cis_security_hardening::rules::auditd_fdisk_use
: Ensure successful and unsuccessful attempts to use the fdisk command are recorded
cis_security_hardening::rules::auditd_finit_module_use
: Ensure successful and unsuccessful uses of the finit_module syscall are recorded
cis_security_hardening::rules::auditd_fremovexattr_use
: Ensure successful and unsuccessful attempts to use the fremovexattr system call are recorded
cis_security_hardening::rules::auditd_fsetxattr_use
: Ensure successful and unsuccessful attempts to use the fsetxattr system call are recorded
cis_security_hardening::rules::auditd_gpasswd_use
: Ensure successful and unsuccessful attempts to use the gpasswd command are recorded
cis_security_hardening::rules::auditd_identity
: Ensure events that modify user/group information are collected
cis_security_hardening::rules::auditd_immutable
: Ensure the audit configuration is immutable
cis_security_hardening::rules::auditd_init
: Initialize auditd rules file
cis_security_hardening::rules::auditd_init_module
: Ensure the operating system generates an audit record when there are successful/unsuccessful attempts to use the "init_module" command
cis_security_hardening::rules::auditd_kernel_modules
: Ensure kernel module loading, unloading and modification is collected
cis_security_hardening::rules::auditd_kmod_use
: Ensure successful and unsuccessful attempts to use the kmod command are recorded
cis_security_hardening::rules::auditd_local_events
: Ensure the operating system's audit daemon is configured to include local events
cis_security_hardening::rules::auditd_log_config
: Ensure only authorized groups are assigned ownership of audit log files (Automated)
cis_security_hardening::rules::auditd_log_dir_perms
: Ensure the audit log directory is 0750 or more restrictive
cis_security_hardening::rules::auditd_log_format
: Ensure the operating system's audit daemon is configured to resolve audit information before writing to disk
cis_security_hardening::rules::auditd_log_perms
: Ensure audit log files are not read- or write-accessible by unauthorized users
cis_security_hardening::rules::auditd_logins
: Ensure login and logout events are collected
cis_security_hardening::rules::auditd_loginuid_immutable
: Ensure the audit system prevents unauthorized changes to logon UIDs
cis_security_hardening::rules::auditd_lremovexattr_use
: Ensure successful and unsuccessful attempts to use the lremovexattr system call are recorded
cis_security_hardening::rules::auditd_lsetxattr_use
: Ensure successful and unsuccessful attempts to use the lsetxattr system call are recorded
cis_security_hardening::rules::auditd_mac_policy
: Ensure events that modify the system's Mandatory Access Controls are collected
cis_security_hardening::rules::auditd_max_log_file
: Ensure audit log storage size is configured
cis_security_hardening::rules::auditd_max_log_file_action
: Ensure audit logs are not automatically deleted
cis_security_hardening::rules::auditd_modules
: Ensure kernel module loading and unloading is collected
cis_security_hardening::rules::auditd_mounts
: Ensure successful file system mounts are collected
cis_security_hardening::rules::auditd_newgrp_use
: Ensure successful and unsuccessful attempts to use the newgrp command are recorded
cis_security_hardening::rules::auditd_nonlocal_admin_access
: Ensure nonlocal administrative access events are collected
cis_security_hardening::rules::auditd_open_by_handle_use
: Ensure successful and unsuccessful uses of the open_by_handle_at system call are recorded
cis_security_hardening::rules::auditd_overflow_action
: Ensure action is taken when the audisp-remote buffer is full
cis_security_hardening::rules::auditd_package
: Ensure auditd is installed
cis_security_hardening::rules::auditd_pam_timestamp_check_use
: Ensure successful and unsuccessful attempts to use the pam_timestamp_check command are recorded
cis_security_hardening::rules::auditd_passwd_use
: Ensure successful and unsuccessful attempts to use the passwd command are recorded
cis_security_hardening::rules::auditd_perm_mod
: Ensure discretionary access control permission modification events are collected
cis_security_hardening::rules::auditd_postdrop
: Ensure audit of the postdrop command
cis_security_hardening::rules::auditd_postqueue
: Ensure audit of the postqueue command
cis_security_hardening::rules::auditd_privileged_commands
: Ensure use of privileged commands is collected
cis_security_hardening::rules::auditd_privileged_functions_use
: Ensure execution of privileged functions is recorded
cis_security_hardening::rules::auditd_privileged_priv_change
: Ensure successful and unsuccessful uses of the su command are collected
cis_security_hardening::rules::auditd_process
: Ensure auditing for processes that start prior to auditd is enabled
cis_security_hardening::rules::auditd_remote
: Ensure the audit event multiplexor is configured to off-load audit logs onto a different system or storage media from the system being audited
cis_security_hardening::rules::auditd_remote_conf
: Ensure off-load of audit logs
cis_security_hardening::rules::auditd_remote_encrypt
: Ensure audit logs on a separate system are encrypted
cis_security_hardening::rules::auditd_remote_labeled
: Ensure off-loaded audit logs are labeled
cis_security_hardening::rules::auditd_removexattr_use
: Ensure successful and unsuccessful attempts to use the removexattr system call are recorded
cis_security_hardening::rules::auditd_rmdir
: Ensure audit of the rmdir syscall
cis_security_hardening::rules::auditd_rsyslog_gnutls
: Ensure the operating system has the packages required for encrypting offloaded audit logs
cis_security_hardening::rules::auditd_scope
: Ensure changes to system administration scope (sudoers) are collected
cis_security_hardening::rules::auditd_semanage
: Ensure audit of the semanage command
cis_security_hardening::rules::auditd_sending_errors
: Ensure audit system action is defined for sending errors
cis_security_hardening::rules::auditd_service
: Ensure auditd service is enabled
cis_security_hardening::rules::auditd_session_logins
: Ensure session initiation information is collected
cis_security_hardening::rules::auditd_setfacl_use
: Ensure successful and unsuccessful attempts to use the setfacl command are recorded
cis_security_hardening::rules::auditd_setfiles
: Ensure audit of the setfiles command
cis_security_hardening::rules::auditd_setsebool
: Ensure audit of the setsebool command
cis_security_hardening::rules::auditd_setxattr_use
: Ensure successful and unsuccessful attempts to use the setxattr system call are recorded
cis_security_hardening::rules::auditd_space_left
: Ensure the operating system takes action when allocated audit record storage volume reaches 75 percent
cis_security_hardening::rules::auditd_ssh_agent_use
: Ensure successful and unsuccessful uses of the ssh-agent command are collected
cis_security_hardening::rules::auditd_ssh_keysign_use
: Ensure successful and unsuccessful uses of the ssh-keysign command are collected
cis_security_hardening::rules::auditd_sudo_use
: Ensure successful and unsuccessful uses of the sudo command are recorded
cis_security_hardening::rules::auditd_sudoedit_use
: Ensure successful and unsuccessful attempts to use the sudoedit command are recorded
cis_security_hardening::rules::auditd_sudoers
: Ensure the operating system generates audit records for all account creations, modifications, disabling, and termination events
cis_security_hardening::rules::auditd_sudoersd
: Ensure the operating system generates audit records for all account creations, modifications, disabling, and termination events
cis_security_hardening::rules::auditd_system_locale
: Ensure events that modify the system's network environment are collected
cis_security_hardening::rules::auditd_time_change
: Ensure events that modify date and time information are collected
cis_security_hardening::rules::auditd_tools_perms
: Ensure audit tools are mode 0755 or more restrictive and owned by the right user and group
cis_security_hardening::rules::auditd_umount
: Ensure audit of the umount command
cis_security_hardening::rules::auditd_unix_checkpwd
: Ensure auditing of the unix_chkpwd command
cis_security_hardening::rules::auditd_unix_update_use
: Ensure successful and unsuccessful attempts to use the unix_update command are recorded
cis_security_hardening::rules::auditd_usbguard
: Ensure the operating system enables Linux audit logging of the USBGuard daemon
cis_security_hardening::rules::auditd_user_emulation
: Ensure actions as another user are always logged
cis_security_hardening::rules::auditd_userhelper
: Ensure audit of the userhelper command
cis_security_hardening::rules::auditd_usermod_use
: Ensure successful and unsuccessful attempts to use the usermod command are recorded
cis_security_hardening::rules::auditd_when_disk_full
: Ensure system is disabled when audit logs are full
cis_security_hardening::rules::authselect
: Create custom authselect profile (Scored)
cis_security_hardening::rules::avahi
: Ensure Avahi Server is not enabled
cis_security_hardening::rules::bind
: Ensure DNS Server is not installed
cis_security_hardening::rules::boot_efi_nosuid
: Ensure the "/boot/efi" directory is mounted with the "nosuid" option
cis_security_hardening::rules::boot_nosuid
: Ensure the "/boot" directory is mounted with the "nosuid" option
cis_security_hardening::rules::chrony
: Ensure chrony is configured
cis_security_hardening::rules::cramfs
: Ensure mounting of cramfs filesystems is disabled
cis_security_hardening::rules::cron_daily
: Ensure permissions on /etc/cron.daily are configured
cis_security_hardening::rules::cron_hourly
: Ensure permissions on /etc/cron.hourly are configured
cis_security_hardening::rules::cron_monthly
: Ensure permissions on /etc/cron.monthly are configured
cis_security_hardening::rules::cron_restrict
: Ensure cron is restricted to authorized users
cis_security_hardening::rules::cron_weekly
: Ensure permissions on /etc/cron.weekly are configured
cis_security_hardening::rules::crond_service
: Ensure cron daemon is enabled and running
cis_security_hardening::rules::crontab
: Ensure permissions on /etc/crontab are configured
cis_security_hardening::rules::crtl_alt_del
: Ensure the Ctrl-Alt-Delete key sequence is disabled
cis_security_hardening::rules::crypto_policy
: Ensure system-wide crypto policy is FUTURE or FIPS
cis_security_hardening::rules::ctrl_alt_del_graphical
: Ensure the graphical user Ctrl-Alt-Delete key sequence is disabled
cis_security_hardening::rules::cups
: Ensure CUPS is not enabled
cis_security_hardening::rules::debug_shell
: Ensure the operating system is configured to mask the debug-shell systemd service
cis_security_hardening::rules::dev_shm
: Ensure /dev/shm is configured
cis_security_hardening::rules::dev_shm_nodev
: Ensure nodev option set on /dev/shm partition
cis_security_hardening::rules::dev_shm_noexec
: Ensure noexec option set on /dev/shm partition
cis_security_hardening::rules::dev_shm_nosuid
: Ensure nosuid option set on /dev/shm partition
cis_security_hardening::rules::dhcp
: Ensure DHCP Server is not enabled
cis_security_hardening::rules::disable_apport
: Ensure Automatic Error Reporting is not enabled (Automated)
cis_security_hardening::rules::disable_atm
: Ensure ATM is disabled
cis_security_hardening::rules::disable_automount
: Disable Automounting
cis_security_hardening::rules::disable_bluetooth
: Ensure Bluetooth is disabled
cis_security_hardening::rules::disable_can
: Ensure CAN is disabled
cis_security_hardening::rules::disable_core_dumps
: Ensure the operating system disables the storing of core dumps
cis_security_hardening::rules::disable_coredump_socket
: Ensure the operating system is not configured to acquire, save, or process core dumps
cis_security_hardening::rules::disable_dccp
: Ensure DCCP is disabled
cis_security_hardening::rules::disable_ip_forwarding
: Ensure IP forwarding is disabled
cis_security_hardening::rules::disable_ipv6
: Disable IPv6
cis_security_hardening::rules::disable_packet_redirect
: Ensure packet redirect sending is disabled
cis_security_hardening::rules::disable_prelink
: Ensure prelink is disabled
cis_security_hardening::rules::disable_rds
: Ensure RDS is disabled
cis_security_hardening::rules::disable_sctp
: Ensure SCTP is disabled
cis_security_hardening::rules::disable_tipc
: Ensure TIPC is disabled
cis_security_hardening::rules::disable_usb_storage
: Disable USB Storage
cis_security_hardening::rules::disable_wireless
: Ensure wireless interfaces are disabled (Not Scored)
cis_security_hardening::rules::dmesg_restrict
: Ensure the operating system is configured to restrict access to the kernel message buffer
cis_security_hardening::rules::dns
: Ensure DNS servers are configured
cis_security_hardening::rules::dnsmasq
: Ensure dnsmasq is not installed (Automated)
cis_security_hardening::rules::dovecot
: Ensure IMAP and POP3 server is not enabled
cis_security_hardening::rules::dracut_fips
: Ensure NIST FIPS-validated cryptography is configured
cis_security_hardening::rules::enable_aslr
: Ensure address space layout randomization (ASLR) is enabled
cis_security_hardening::rules::enable_reverse_path_filtering
: Ensure Reverse Path Filtering is enabled
cis_security_hardening::rules::enable_tcp_syn_cookies
: Ensure TCP SYN Cookies are enabled
cis_security_hardening::rules::etc_crond
: Ensure permissions on /etc/cron.d are configured
cis_security_hardening::rules::fapolicyd
: Ensure "fapolicyd" is installed
cis_security_hardening::rules::fapolicyd_policy
: Ensure "fapolicyd" employs a deny-all, permit-by-exception policy
cis_security_hardening::rules::fapolicyd_service
: Ensure "fapolicyd" is enabled and running
cis_security_hardening::rules::fat
: Ensure mounting of FAT filesystems is disabled
cis_security_hardening::rules::fips_bootloader
: Ensure FIPS mode is enabled
cis_security_hardening::rules::firewalld_default_zone
: Ensure default zone is set
cis_security_hardening::rules::firewalld_install
: Ensure a Firewall package is installed
cis_security_hardening::rules::firewalld_interfaces
: Ensure network interfaces are assigned to the appropriate zone
cis_security_hardening::rules::firewalld_ports_services
: Ensure unnecessary services and ports are not accepted
cis_security_hardening::rules::firewalld_service
: Ensure firewalld service is enabled and running
cis_security_hardening::rules::firewire_core
: Ensure the operating system disables the ability to load the firewire-core kernel module. The operating system must disable IEEE
cis_security_hardening::rules::freevxfs
: Ensure mounting of freevxfs filesystems is disabled
cis_security_hardening::rules::ftp
: Ensure FTP Server is not installed
cis_security_hardening::rules::gdm_auto_mount
: Ensure automatic mounting of removable media is disabled
cis_security_hardening::rules::gdm_autologin
: Ensure automatic logon via GUI is not allowed
cis_security_hardening::rules::gdm_lock_enabled
: Ensure user's session lock is enabled
cis_security_hardening::rules::gdm_mfa
: Ensure users must authenticate using MFA via a graphical user logon
cis_security_hardening::rules::gdm_screensaver
: Ensure GNOME Screensaver period of inactivity is configured
cis_security_hardening::rules::gnome_gdm
cis_security_hardening::rules::gnome_gdm_package
: Ensure GNOME Display Manager is removed
cis_security_hardening::rules::group_bak_perms
: Ensure permissions on /etc/group- are configured
cis_security_hardening::rules::group_perms
: Ensure permissions on /etc/group are configured
cis_security_hardening::rules::grub_bootloader_config
: Ensure permissions on bootloader config are configured
cis_security_hardening::rules::grub_page_poison
: Ensure GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities
cis_security_hardening::rules::grub_password
: Ensure bootloader password is set
cis_security_hardening::rules::grub_slub_debug
: Ensure GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities
cis_security_hardening::rules::grub_vsyscall
: Ensure GRUB 2 is configured to disable vsyscalls
cis_security_hardening::rules::gshadow_bak_perms
: Ensure permissions on /etc/gshadow- are configured
cis_security_hardening::rules::gshadow_perms
: Ensure permissions on /etc/gshadow are configured
cis_security_hardening::rules::gssproxy
: Ensure the gssproxy package has not been installed on the system
cis_security_hardening::rules::hfs
: Ensure mounting of hfs filesystems is disabled
cis_security_hardening::rules::hfsplus
: Ensure mounting of hfsplus filesystems is disabled
cis_security_hardening::rules::home_grpquota
: Ensure grpquota option set on /home partition
cis_security_hardening::rules::home_nodev
: Ensure nodev option set on /home partition
cis_security_hardening::rules::home_noexec
: Ensure file systems that contain user home directories are mounted with the "noexec" option
cis_security_hardening::rules::home_nosuid
: Ensure nosuid option set on /home partition
cis_security_hardening::rules::home_usrquota
: Ensure usrquota option set on /home partition
cis_security_hardening::rules::httpd
: Ensure HTTP server is not enabled
cis_security_hardening::rules::icmp_redirects
: Ensure ICMP redirects are not accepted
cis_security_hardening::rules::ignore_bogus_icmp_responses
: Ensure bogus ICMP responses are ignored
cis_security_hardening::rules::ignore_icmp_broadcast
: Ensure broadcast ICMP requests are ignored
cis_security_hardening::rules::inactive_password_lock
: Ensure inactive password lock is 0 days
cis_security_hardening::rules::ip6tables_deny_policy
: Ensure default deny firewall policy
cis_security_hardening::rules::ip6tables_loopback
: Ensure loopback traffic is configured
cis_security_hardening::rules::ip6tables_open_ports
: Ensure IPv6 firewall rules exist for all open ports
cis_security_hardening::rules::ip6tables_outbound_established
: Ensure outbound and established connections are configured
cis_security_hardening::rules::iprutils
: Ensure the iprutils package has not been installed on the system
cis_security_hardening::rules::iptables_deny_policy
: Ensure default deny firewall policy
cis_security_hardening::rules::iptables_install
: Ensure iptables is installed
cis_security_hardening::rules::iptables_loopback
: Ensure loopback traffic is configured
cis_security_hardening::rules::iptables_open_ports
: Ensure firewall rules exist for all open ports
cis_security_hardening::rules::iptables_outbound_established
: Ensure outbound and established connections are configured
cis_security_hardening::rules::ipv6_router_advertisements
: Ensure IPv6 router advertisements are not accepted
cis_security_hardening::rules::issue_net_perms
: Ensure permissions on /etc/issue.net are configured
cis_security_hardening::rules::issue_perms
: Ensure permissions on /etc/issue are configured
cis_security_hardening::rules::jffs2
: Ensure mounting of jffs2 filesystems is disabled
cis_security_hardening::rules::journald_compress
: Ensure journald is configured to compress large log files
cis_security_hardening::rules::journald_persistent
: Ensure journald is configured to write logfiles to persistent disk
cis_security_hardening::rules::journald_rsyslog
: Ensure journald is configured to send logs to rsyslog
cis_security_hardening::rules::kdump_service
: Ensure kdump service is not enabled
cis_security_hardening::rules::kexec_load_disabled
: Ensure kernel image loading is disabled
cis_security_hardening::rules::kptr_restrict
: Ensure the operating system restricts access to exposed kernel pointer addresses
cis_security_hardening::rules::krb5_server
: Ensure the krb5-server package has not been installed on the system
cis_security_hardening::rules::krb5_workstation
: Ensure the krb5-workstation package has not been installed on the system
cis_security_hardening::rules::ldap_client
: Ensure LDAP client is not installed
cis_security_hardening::rules::ldapd
: Ensure LDAP server is not enabled
cis_security_hardening::rules::limits_maxlogins
: Ensure maxlogins is 10 or less
cis_security_hardening::rules::lock_root
: Ensure root account is locked
cis_security_hardening::rules::log_suspicious_packets
: Ensure suspicious packets are logged
cis_security_hardening::rules::logfile_permissions
: Ensure permissions on all logfiles are configured
cis_security_hardening::rules::login_create_home
: Ensure a home directory is assigned upon user creation
cis_security_hardening::rules::login_fail_delay
: Ensure delay between logon prompts on failure
cis_security_hardening::rules::logrotate
: Ensure logrotate is configured
cis_security_hardening::rules::logrotate_configuration
: Ensure logrotate assigns appropriate permissions
cis_security_hardening::rules::mcstrans
: Ensure the MCS Translation Service (mcstrans) is not installed
cis_security_hardening::rules::mfetp
: Ensure Endpoint Security for Linux Threat Prevention is installed
cis_security_hardening::rules::motd_perms
: Ensure message of the day is configured properly
cis_security_hardening::rules::mta_local
: Ensure mail transfer agent is configured for local-only mode
cis_security_hardening::rules::mta_unrestriced_relay
cis_security_hardening::rules::net_bpf_jit_harden
: Ensure the operating system enables hardening for the BPF JIT
cis_security_hardening::rules::net_snmp
: Ensure net-snmp is not installed
cis_security_hardening::rules::nfs
: Ensure NFS is not enabled
cis_security_hardening::rules::nfs_nodev
: Ensure file systems being imported via NFS are mounted with the "nosuid" option
cis_security_hardening::rules::nfs_noexec
: Ensure noexec option is configured for NFS
cis_security_hardening::rules::nfs_nosuid
: Ensure nosuid option is set for NFS
cis_security_hardening::rules::nfs_sec_opt
: Ensure NFS is configured to use RPCSEC_GSS
cis_security_hardening::rules::nfs_utils
: Ensure nfs-utils is not installed or the nfs-server service is masked
cis_security_hardening::rules::nftables_base_chains
: Ensure base chains exist
cis_security_hardening::rules::nftables_default_deny
: Ensure default deny firewall policy
cis_security_hardening::rules::nftables_flush_iptables
: Ensure iptables are flushed
cis_security_hardening::rules::nftables_install
: Ensure nftables is installed
cis_security_hardening::rules::nftables_loopback
: Ensure loopback traffic is configured
cis_security_hardening::rules::nftables_outbound_established
: Ensure outbound and established connections are configured
cis_security_hardening::rules::nftables_persistence
: Ensure nftables rules are permanent
cis_security_hardening::rules::nftables_service
: Ensure nftables service is enabled
cis_security_hardening::rules::nftables_table
: Ensure a table exists
cis_security_hardening::rules::nis
: Ensure NIS Server is not enabled
cis_security_hardening::rules::nis_client
: Ensure NIS Client is not installed
cis_security_hardening::rules::ntp_package
: Install ntp package
cis_security_hardening::rules::ntpd
: Ensure ntp is configured
cis_security_hardening::rules::opassword_perms
: Ensure permissions on /etc/security/opasswd are configured
cis_security_hardening::rules::opensc_pkcs11
: Ensure the opensc-pkcs11 package is installed
cis_security_hardening::rules::openssl_pkcs11
: Ensure the operating system has the packages required for multifactor authentication
cis_security_hardening::rules::pam_cached_auth
: Ensure PAM prohibits the use of cached authentications after one day
cis_security_hardening::rules::pam_fail_delay
: Ensure login delay after failed logon attempt
cis_security_hardening::rules::pam_last_logon
: Ensure last successful account logon is displayed upon logon
cis_security_hardening::rules::pam_lockout
: Ensure lockout for failed password attempts is configured
cis_security_hardening::rules::pam_mfa
: Ensure smart card logins for multifactor authentication for local and network access
cis_security_hardening::rules::pam_mfa_redhat
: Ensure multi-factor authentication is enabled for users
cis_security_hardening::rules::pam_old_passwords
: Ensure password reuse is limited
cis_security_hardening::rules::pam_passwd
: Ensure system-auth is used when changing passwords
cis_security_hardening::rules::pam_passwd_sha512
: Ensure password hashing algorithm is SHA-512
cis_security_hardening::rules::pam_pkcs11
: Ensure the libpam-pkcs11 package is installed
cis_security_hardening::rules::pam_pw_requirements
: Ensure password creation requirements are configured
cis_security_hardening::rules::pam_use_mappers
: Ensure authenticated identity is mapped to the user or group account for PKI-based authentication
cis_security_hardening::rules::passwd_bak_perms
: Ensure permissions on /etc/group- are configured
cis_security_hardening::rules::passwd_expiration
: Ensure password expiration is 365 days or less
cis_security_hardening::rules::passwd_inactive_days
: Ensure inactive password lock is 30 days or less
cis_security_hardening::rules::passwd_min_days
: Ensure minimum days between password changes is 7 or more
cis_security_hardening::rules::passwd_perms
: Ensure permissions on /etc/passwd are configured
cis_security_hardening::rules::passwd_sha512
: Ensure ENCRYPT_METHOD is SHA512
cis_security_hardening::rules::passwd_warn_days
: Ensure password expiration warning days is 7 or more
cis_security_hardening::rules::perf_event_paranoid
: Ensure the operating system is configured to prevent kernel profiling by unprivileged users. The operating system must prevent kernel pro
cis_security_hardening::rules::pki_certs_validation
: Ensure certificates are validated by constructing a certification path to an accepted trust anchor
cis_security_hardening::rules::policycoreutils
: Ensure the operating system has the policycoreutils package installed
cis_security_hardening::rules::postmaster_alias
: Ensure administrators are notified if an audit processing failure occurs by modifying "/etc/aliases"
cis_security_hardening::rules::pti
: Ensure kernel page-table isolation is enabled
cis_security_hardening::rules::ptrace_scope
: Ensure the operating system restricts usage of ptrace to descendant processes. The operating system must restrict usage of ptrac
cis_security_hardening::rules::restrict_core_dumps
: A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean con
cis_security_hardening::rules::restrict_su
: Ensure access to the su command is restricted
cis_security_hardening::rules::rhnsd
: Disable the rhnsd Daemon
cis_security_hardening::rules::rng_tools
: Ensure the system has the packages required to enable the hardware random number generator entropy gatherer service
cis_security_hardening::rules::rngd
: Ensure the operating system has enabled the hardware random number generator entropy gatherer service
cis_security_hardening::rules::root_gid
: Ensure default group for the root account is GID 0
cis_security_hardening::rules::rpcbind
: Ensure rpcbind is not installed or the rpcbind services are masked
cis_security_hardening::rules::rsh_client
: Ensure rsh client is not installed
cis_security_hardening::rules::rsh_server
: Ensure rsh-server is not installed
cis_security_hardening::rules::rsyncd
: Ensure rsync is not installed or the rsyncd service is masked
cis_security_hardening::rules::rsyslog_default_file_perms
: Ensure rsyslog default file permissions are configured
cis_security_hardening::rules::rsyslog_installed
: Ensure rsyslog or syslog-ng is installed
cis_security_hardening::rules::rsyslog_logging
: Ensure logging is configured
cis_security_hardening::rules::rsyslog_remote_logs
: Ensure rsyslog is configured to send logs to a remote log host
cis_security_hardening::rules::rsyslog_remote_syslog
: Ensure remote rsyslog messages are only accepted on designated log hosts
cis_security_hardening::rules::rsyslog_service
: Ensure rsyslog Service is enabled
cis_security_hardening::rules::samba
: Ensure Samba is not installed
cis_security_hardening::rules::secure_icmp_redirects
: Ensure secure ICMP redirects are not accepted
cis_security_hardening::rules::selinux
: Ensure SELinux is installed
cis_security_hardening::rules::selinux_bootloader
: Ensure SELinux is not disabled in bootloader configuration
cis_security_hardening::rules::selinux_policy
: Ensure SELinux policy is configured
cis_security_hardening::rules::selinux_state
: Ensure the SELinux state is enforcing or permissive
cis_security_hardening::rules::sendmail
: Ensure the sendmail package is not installed
cis_security_hardening::rules::setroubleshoot
: Ensure SETroubleshoot is not installed
cis_security_hardening::rules::shadow_bak_perms
: Ensure permissions on /etc/shadow- are configured
cis_security_hardening::rules::shadow_encrypt_sha512
: Ensure password hashing algorithm is SHA-512
cis_security_hardening::rules::shadow_perms
: Ensure permissions on /etc/shadow are configured
cis_security_hardening::rules::shadowed_passwords
: Ensure accounts in /etc/passwd use shadowed passwords
cis_security_hardening::rules::shell_nologin
: Ensure system accounts are secured
cis_security_hardening::rules::shells_perms
: Ensure permissions on /etc/shells are configured
cis_security_hardening::rules::single_user_mode
: Ensure authentication required for single user mode
cis_security_hardening::rules::source_routed_packets
: Ensure source routed packets are not accepted
cis_security_hardening::rules::squashfs
: Ensure mounting of squashfs filesystems is disabled
cis_security_hardening::rules::squid
: Ensure HTTP Proxy Server is not enabled
cis_security_hardening::rules::sshd_banner
cis_security_hardening::rules::sshd_ciphers
: Ensure only strong Ciphers are used
cis_security_hardening::rules::sshd_compression
: Ensure SSH compression setting is delayed
cis_security_hardening::rules::sshd_config_permissions
: Ensure permissions on /etc/ssh/sshd_config are configured
cis_security_hardening::rules::sshd_crypto_policy
: Ensure system-wide crypto policy is not overridden
cis_security_hardening::rules::sshd_empty_passwords
: Ensure SSH PermitEmptyPasswords is disabledcis_security_hardening::rules::sshd_gssapi
: Ensure SSH does not permit GSSAPIcis_security_hardening::rules::sshd_hostbased_authentication
: Ensure SSH HostbasedAuthentication is disabledcis_security_hardening::rules::sshd_ignore_rhosts
: Ensure SSH IgnoreRhosts is enabledcis_security_hardening::rules::sshd_ignore_user_known_hosts
: Ensure SSH IgnoreUserKnownHosts is enabledcis_security_hardening::rules::sshd_install
: Ensure SSH is installed and activecis_security_hardening::rules::sshd_kerberos
: Ensure SSH does not permit Kerberos authenticationcis_security_hardening::rules::sshd_kex
: Ensure only strong Key Exchange algorithms are usedcis_security_hardening::rules::sshd_limit_access
: Ensure SSH access is limitedcis_security_hardening::rules::sshd_login_gracetime
: Ensure SSH LoginGraceTime is set to one minute or lesscis_security_hardening::rules::sshd_loglevel
: Ensure SSH LogLevel is set to INFOcis_security_hardening::rules::sshd_macs
: Ensure only approved MAC algorithms are usedcis_security_hardening::rules::sshd_max_auth_tries
: Ensure SSH MaxAuthTries is set to 4 or lesscis_security_hardening::rules::sshd_max_sessions
: Ensure SSH MaxSessions is set to 4 or lesscis_security_hardening::rules::sshd_max_startups
: Ensure SSH MaxStartups is configuredcis_security_hardening::rules::sshd_printlastlog
: Ensure Printlastlog is enabledcis_security_hardening::rules::sshd_priv_separation
: Ensure SSH uses privilege separationcis_security_hardening::rules::sshd_private_keys
: Ensure permissions on SSH private host key files are configuredcis_security_hardening::rules::sshd_protocol
: Ensure SSH Protocol is set to 2cis_security_hardening::rules::sshd_public_keys
: Ensure permissions on SSH public host key files are configuredcis_security_hardening::rules::sshd_rekey_limit
: Ensure the SSH server is configured to force frequent session key renegotiationcis_security_hardening::rules::sshd_root_login
: Ensure SSH root login is disabledcis_security_hardening::rules::sshd_rsa_rhosts_authentication
: Ensure RSA rhosts authentication is not allowedcis_security_hardening::rules::sshd_strict_modes
: Ensure SSH performs checks of home directory configuration filescis_security_hardening::rules::sshd_strong_rng
: Ensure the SSH server uses strong entropycis_security_hardening::rules::sshd_tcp_forwarding
: Ensure SSH AllowTcpForwarding is disabledcis_security_hardening::rules::sshd_timeouts
: Ensure SSH Idle Timeout Interval is configuredcis_security_hardening::rules::sshd_use_pam
: Ensure SSH PAM is enabledcis_security_hardening::rules::sshd_user_environment
: Ensure SSH PermitUserEnvironment is disabledcis_security_hardening::rules::sshd_x11_forward
: Ensure SSH X11 forwarding is disabledcis_security_hardening::rules::sshd_x11_use_localhost
: Ensure X11UseLocalhost is enabledcis_security_hardening::rules::sssd_ldap_tls_reqcert
: Ensure ldap_tls_reqcert is set for LDAP.cis_security_hardening::rules::sssd_mfa_services
: Ensure multifactor authentication for access to privileged accountscis_security_hardening::rules::sssd_use_start_tls
: Ensure ldap_id_use_start_tls is set for LDAP.cis_security_hardening::rules::sticky_world_writeable_files
: Ensure sticky bit is set on all world-writable directoriescis_security_hardening::rules::sudo_installed
: Ensure sudo is installedcis_security_hardening::rules::sudo_log
: Ensure sudo log file existscis_security_hardening::rules::sudo_passwd_required
: Ensure users password required for privilege escalation when using sudocis_security_hardening::rules::sudo_timeout
: Ensure sudo authentication timeout is configured correctlycis_security_hardening::rules::sudo_use_pty
: Ensure sudo commands use ptycis_security_hardening::rules::system_cmd_group
: Ensure system command files are group-owned by rootcis_security_hardening::rules::systemd_journal_remote
: Ensure systemd-journal-remote is installedcis_security_hardening::rules::systemd_journal_remote_config
: Ensure systemd-journal-remote is configuredcis_security_hardening::rules::systemd_journal_remote_receive
: Ensure journald is not configured to recieve logs from a remote client (Automated)cis_security_hardening::rules::systemd_journal_remote_service
: A Ensure systemd-journal-remote is enabledcis_security_hardening::rules::systemd_journald_service
: Ensure journald service is enabled (Automated)cis_security_hardening::rules::systemd_timesyncd
: Ensure systemd-timesyncd is configured (Not Scored)cis_security_hardening::rules::talk_client
: Ensure talk client is not installedcis_security_hardening::rules::telnet_client
: Ensure telnet client is not installedcis_security_hardening::rules::telnet_server
: Ensure telnet-server is not installedcis_security_hardening::rules::tftp_client
: Ensure TFTP client is not installedcis_security_hardening::rules::tftp_server
: Ensure TFTP Server is not installedcis_security_hardening::rules::timeout_setting
: Ensure default user shell timeout is configuredcis_security_hardening::rules::timezone_utc_gmt
: Ensure system timezone is set to UTC or GMTcis_security_hardening::rules::tmp_filesystem
: Ensure /tmp is configuredcis_security_hardening::rules::tmp_nodev
: Ensure nodev option set on /tmp partitioncis_security_hardening::rules::tmp_noexec
: Ensure noexec option set on /tmp partitioncis_security_hardening::rules::tmp_nosuid
: Ensure nosuid option set on /tmp partitioncis_security_hardening::rules::tmux_package
: Ensure the "tmux" package installedcis_security_hardening::rules::tuned
: Ensure the tuned package has not been installed on the system.cis_security_hardening::rules::udf
: Ensure mounting of udf filesystems is disabledcis_security_hardening::rules::ufw_default_deny
: Ensure default deny firewall policycis_security_hardening::rules::ufw_install
: Ensure ufw is installedcis_security_hardening::rules::ufw_loopback
: Ensure loopback traffic is configuredcis_security_hardening::rules::ufw_open_ports
: Ensure firewall rules exist for all open portscis_security_hardening::rules::ufw_outbound
: Ensure outbound connections are configured (Not Scored)cis_security_hardening::rules::ufw_service
: Ensure ufw service is enabledcis_security_hardening::rules::umask_setting
: Ensure default user umask is configuredcis_security_hardening::rules::unprivileged_bpf_disabled
: Ensure the operating system prevents privilege escalation through the kernel by disabling access to the bpf syscallcis_security_hardening::rules::usbguard_package
: Ensure USBGuard is installed on the operating systemcis_security_hardening::rules::usbguard_service
: Ensure the operating system has enabled the use of the USBGuardcis_security_hardening::rules::user_namespaces
: Ensure the operating system disables the use of user namespacescis_security_hardening::rules::var_log_audit_nodev
: Ensure nodev option set on /var/log/audit partitioncis_security_hardening::rules::var_log_audit_noexec
: Ensure noexec option set on /var/log/audit partitioncis_security_hardening::rules::var_log_audit_nosuid
: Ensure nosuid option set on /var/log/audit partitioncis_security_hardening::rules::var_log_nodev
: Ensure nodev option set on /var/log partitioncis_security_hardening::rules::var_log_noexec
: Ensure noexec option set on /var/log partitioncis_security_hardening::rules::var_log_nosuid
: Ensure nosuid option set on /var/log partitioncis_security_hardening::rules::var_log_syslog_perms
: Ensure /var/log/syslog is group-owned by adm, owned by syslog and has permissions 0640cis_security_hardening::rules::var_nodev
: Ensure nodev option set on /var partitioncis_security_hardening::rules::var_noexec
: Ensure noexec option set on /var partitioncis_security_hardening::rules::var_nosuid
: Ensure nosuid option set on /var partitioncis_security_hardening::rules::var_tmp_nodev
: Ensure nodev option set on /var/tmp partitioncis_security_hardening::rules::var_tmp_noexec
: Ensure noexec option set on /var/tmp partitioncis_security_hardening::rules::var_tmp_nosuid
: Ensure nosuid option set on /var/tmp partitioncis_security_hardening::rules::vlock
: Ensure vlock is installedcis_security_hardening::rules::vsftp
: Ensure FTP Server is not enabledcis_security_hardening::rules::x11_installed
: Ensure X Window System is not installedcis_security_hardening::rules::xdmcp_config
: Ensure XDCMP is not enabledcis_security_hardening::rules::xinetd
: Ensure xinetd is not installedcis_security_hardening::rules::yum_clean_requirements
: Ensure removal of software components after updatecis_security_hardening::rules::yum_gpgcheck
: Ensure gpgcheck is globally activatedcis_security_hardening::rules::yum_local_gpgcheck
: Ensure software packages have been digitally signed by a Certificate Authoritycis_security_hardening::rules::zypper_gpgcheck
: Ensure gpgcheck is globally activated
cis_security_hardening::parent_dirs
: Create directories recursively
cis_security_hardening::set_mount_options
: Change mount options
cis_security_hardening::unmask_systemd_service
: Unmask a systemd service
sanitize_input
: sanitize_input.rb Uses Shellwords.escape to sanitize cmd.
cis_security_hardening::hash_key
: Check if a hash contains a particular key
Cis_security_hardening::Mountoption
: Validate mountoption
Cis_security_hardening::Mountpoint
: Validate mountpoint
Cis_security_hardening::Nftables_address_families
: Valid nftables address families
Cis_security_hardening::Numbers_letters
: Check for only numbers and letters
Cis_security_hardening::Servicename
: Check service name
Cis_security_hardening::Word
: Word datatype
audit_sgid_executables
: Audit SGID executables
audit_suid_executables
: Audit SUID executables
check_auditd_dirs_and_files
: Check auditd directory and file permissions.
check_for_duplicate_gids
: Check no duplicate GIDs exist.
check_for_duplicate_group_names
: Check no duplicate group names exist.
check_for_duplicate_uids
: Check no duplicate UIDs exist.
check_for_duplicate_user_names
: Check no duplicate user names exist.
check_for_forward_files
: Check users have no .forward files.
check_for_nertrc_files
: Check users have no .netrc files.
check_for_rhosts_files
: Check users have no .rhosts files.
check_inactive_passwd_lock
: Check inactive password lock is 30 days or less.
check_pass_max_days
: Check password expiration is 365 days or less.
check_pass_min_days
: Check minimum days between password changes is configured.
check_pass_warn_age
: Check password expiration warning days is 7 or more.
check_root_path_integrety
: Check root PATH integrity.
check_shadow_group_is_empty
: Check shadow group is empty.
check_shell_timeout
: Check default user shell timeout is 600 seconds or less.
check_stig_cert_fingerprints
: Check if all certificates match DoD fingerprints.
check_system_accounts_secured
: Check system accounts are secured.
check_uid_0_files
: Check root is the only UID 0 account.
check_unconfines_services
: Check for unconfined services.
check_user_home_dirs_exist
: Check all users' home directories exist.
check_user_last_passwd_in_past
: Check all users' last password change date is in the past.
check_users_dot_files
: Check users' dot files are not group or world writable.
check_users_own_home_dirs
: Check users own their home directories.
cleanup_old_stuff
: Cleanup old files from (previous) cis module
find_ungrouped_files_dirs
: Find ungrouped files and directories.
find_unowned_files_dirs
: Find unowned files and directories.
find_world_writable_files
: Find world writable files.
fix_wrong_home_dir_permissions
: Fix or report wrong home directory permissions
Define a complete security baseline and monitor the rules. The baseline can be defined in Hiera. The purpose of the module is to give the ability to set up a complete security baseline which does not necessarily have to follow an industry security guide like the CIS benchmarks.
The easiest way to use the module is to put all rule data into a Hiera file. For more information please consult the README file.
include cis_security_hardening
The following parameters are available in the cis_security_hardening
class:
profile
level
update_postrun_command
fact_upload_command
exclude_dirs_sticky_ww
auditd_dirs_to_include
time_until_reboot
auto_reboot
verbose_logging
remove_authconfig
enable_sticky_world_writable_cron
enable_auditd_cron
profile
Data type: Enum['server']
The benchmark profile to use. Currently only server profiles are supported.
Default value: 'server'
level
Data type: Enum['1', '2', 'stig']
The CIS Benchmark server security level. Higher levels include all rules of lower levels: the level 1 rules are all included in level 2, and stig includes the level 1 and level 2 rules.
Default value: '2'
update_postrun_command
Data type: Boolean
Update the Puppet agent's post-run command.
Default value: true
fact_upload_command
Data type: Stdlib::Absolutepath
Command to use to upload facts to the Puppet master.
Default value: '/usr/share/cis_security_hardening/bin/fact_upload.sh'
exclude_dirs_sticky_ww
Data type: Array
Array of directories to exclude from the search for world writable directories with sticky bit.
Default value: []
auditd_dirs_to_include
Data type: Array
Directories to search for privileged commands to create auditd rules.
Default value: ['/usr']
time_until_reboot
Data type: Integer
Time to wait until the system is rebooted if required, in seconds. For the reboot the puppetlabs-reboot module is used. Please note the following comment from that module: POSIX systems (with the exception of Solaris) only support specifying the timeout as minutes. As such, the value of timeout must be a multiple of 60. Other values will be rounded up to the nearest minute and a warning will be issued.
Default value: 120
auto_reboot
Data type: Boolean
Reboot when necessary after time_until_reboot is exceeded.
Default value: true
verbose_logging
Data type: Boolean
Print various info messages.
Default value: false
remove_authconfig
Data type: Boolean
Remove the authconfig package on RedHat 7 or similar OSes.
Default value: false
enable_sticky_world_writable_cron
Data type: Boolean
Whether to enable the sticky world writable cron job.
Default value: true
enable_auditd_cron
Data type: Boolean
Whether to enable the auditd cron job.
Default value: true
Auditd rules can monitor privileged command use. As filesystems can be huge and searching for the relevant commands can be time consuming, this cron job creates a custom fact that provides the auditd rule with the appropriate input.
include cis_security_hardening::auditd_cron
The following parameters are available in the cis_security_hardening::auditd_cron
class:
Data type: Enum['present', 'absent']
Whether the cron job should be present or absent.
Default value: 'present'
Data type: Array
A list of directories to search
Default value: ['/usr']
Data type: Integer
The minute to start the cronjob
Default value: 37
Data type: Integer
The hour to run the cronjob
Default value: 3
Data type: Enum['0','2','4','6','8']
Interval to repeat the cronjob in hours. 0 means run only once a day.
Default value: '0'
Data type: Stdlib::Absolutepath
File to write fact data.
Default value: '/usr/share/cis_security_hardening/data/auditd_priv_cmds.txt'
Data type: Stdlib::Absolutepath
Filename of the script to run from cron.
Default value: '/usr/share/cis_security_hardening/bin/auditd_priv_cmds.sh'
Create files, install scripts and cron jobs
include cis_security_hardening::config
The following parameters are available in the cis_security_hardening::config
class:
Data type: Boolean
Update Puppet agent's postrun command.
Data type: Stdlib::Absolutepath
Directory where all files go to.
Data type: Stdlib::Absolutepath
Command to use for fact upload.
Class triggered by resources requesting a system reboot
include cis_security_hardening::reboot
The following parameters are available in the cis_security_hardening::reboot
class:
time_until_reboot
Data type: Integer
Time to wait until the system is rebooted if required, in seconds. For the reboot the puppetlabs-reboot module is used. Please note the following comment from that module: POSIX systems (with the exception of Solaris) only support specifying the timeout as minutes. As such, the value of timeout must be a multiple of 60. Other values will be rounded up to the nearest minute and a warning will be issued.
Default value: $cis_security_hardening::time_until_reboot
auto_reboot
Data type: Boolean
Reboot when necessary after time_until_reboot is exceeded.
Default value: $cis_security_hardening::auto_reboot
The Apport Error Reporting Service automatically generates crash reports for debugging
Rationale: Apport collects potentially sensitive data, such as core dumps, stack traces, and log files. They can contain passwords, credit card numbers, serial numbers, and other private material.
class { 'cis_security_hardening::rules::automatic_error_reporting':
enforce => true,
}
The following parameters are available in the cis_security_hardening::rules::automatic_error_reporting
class:
Data type: Boolean
Sets rule enforcement. If set to true, code will be executed to bring the system into a compliant state.
Default value: false
Data type: Boolean
If set to true the apport package will be removed, otherwise only the service gets stopped and masked.
Default value: false
The operating system must enable kernel parameters to enforce discretionary access control on hardlinks.
Rationale: Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
By enabling the fs.protected_hardlinks kernel parameter, users can no longer create hard links to files they do not own unless they have both read and write access to them. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system access by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().
Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125
include cis_security_hardening::rules::dac_on_hardlinks
The following parameters are available in the cis_security_hardening::rules::dac_on_hardlinks
class:
Data type: Boolean
Enforce the rule.
Default value: false
The operating system must enable kernel parameters to enforce discretionary access control on symlinks.
Rationale: Discretionary Access Control (DAC) is based on the notion that individual users are "owners" of objects and therefore have discretion over who should be authorized to access the object and in which mode (e.g., read or write). Ownership is usually acquired as a consequence of creating the object or via specified ownership assignment. DAC allows the owner to determine who will have access to objects they control. An example of DAC includes user-controlled file permissions.
When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing (i.e., the subjects have the discretion to pass) the information to other subjects or objects. A subject that is constrained in its operation by Mandatory Access Control policies is still able to operate under the less rigorous constraints of this requirement. Thus, while Mandatory Access Control imposes constraints preventing a subject from passing information to another subject operating at a different sensitivity level, this requirement permits the subject to pass the information to any subject at the same sensitivity level. The policy is bounded by the information system boundary. Once the information is passed outside the control of the information system, additional means may be required to ensure the constraints remain in effect. While the older, more traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this use of discretionary access control.
By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner.
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system access by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().
Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125
class { 'cis_security_hardening::rules::dac_on_symlinks':
enforce => true,
}
The following parameters are available in the cis_security_hardening::rules::dac_on_symlinks
class:
Data type: Boolean
Enforce the rule.
Default value: false
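Both DAC rules above come down to one sysctl each (fs.protected_hardlinks and fs.protected_symlinks) that must be 1 in the running kernel and in the persisted configuration, or the protection disappears at the next boot. The Ruby script below is an added example, not code from the module: it reads the live value from procfs and the persisted value from sysctl.conf-style files (a later file overrides an earlier one, as sysctl --system does) and reports each parameter as compliant only when both agree with the required value. The proc_root and conf_files arguments are mine, so the check can be pointed at constructed files; they are not module parameters.

```ruby
require 'tmpdir'
require 'fileutils'

# Kernel parameters enforced by the dac_on_hardlinks and dac_on_symlinks rules,
# with the value each must have.
DAC_PARAMS = { 'fs.protected_hardlinks' => 1, 'fs.protected_symlinks' => 1 }.freeze

# Running value: fs.protected_hardlinks lives at <proc_root>/fs/protected_hardlinks.
# Returns nil when the file is missing (kernel without the knob) or not an integer.
def running_sysctl_value(name, proc_root = '/proc/sys')
  path = File.join(proc_root, *name.split('.'))
  return nil unless File.readable?(path)
  Integer(File.read(path).strip, 10)
rescue ArgumentError
  nil
end

# Parse sysctl.conf-style text ("key = value"; '#' and ';' start a comment) into a hash.
def parse_sysctl_conf(text)
  text.each_line.with_object({}) do |line, settings|
    line = line.sub(/[#;].*/, '').strip
    next if line.empty? || !line.include?('=')
    key, value = line.split('=', 2).map(&:strip)
    settings[key] = value unless key.empty?
  end
end

# Persisted value across conf files read in order: like sysctl --system, a later
# definition overrides an earlier one. nil when no file defines the key.
def persisted_sysctl_value(name, conf_files)
  value = nil
  conf_files.each do |file|
    next unless File.readable?(file)
    v = parse_sysctl_conf(File.read(file))[name]
    value = v unless v.nil?
  end
  value && (Integer(value, 10) rescue nil)
end

# Returns {name => {running:, persisted:, compliant:}}; compliant only when both the
# live kernel and the persisted configuration carry the required value.
def check_dac_protections(proc_root: '/proc/sys', conf_files: ['/etc/sysctl.conf'])
  DAC_PARAMS.each_with_object({}) do |(name, required), report|
    running   = running_sysctl_value(name, proc_root)
    persisted = persisted_sysctl_value(name, conf_files)
    report[name] = { running: running, persisted: persisted,
                     compliant: running == required && persisted == required }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Simplified file set; sysctl --system also reads /run and /usr/lib drop-ins.
  conf = Dir.glob('/etc/sysctl.d/*.conf').sort + ['/etc/sysctl.conf']
  check_dac_protections(conf_files: conf).each do |name, r|
    puts format('%-24s running=%s persisted=%s %s', name, r[:running].inspect,
                r[:persisted].inspect, r[:compliant] ? 'OK' : 'FAIL')
  end
end
```

A parameter that is 1 at runtime but unset on disk is reported as FAIL on purpose: that is the state a one-off `sysctl -w` leaves behind, and it is the case a simple `sysctl fs.protected_hardlinks` check does not catch.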
The operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.
Rationale: A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
The session lock is implemented at the point where session activity can be determined and/or controlled.
include cis_security_hardening::rules::gdm_lock_delay
The following parameters are available in the cis_security_hardening::rules::gdm_lock_delay
class:
Data type: Boolean
Enforce the rule.
Default value: false
Data type: Integer
Lock delay timeout.
Default value: 900
The libpwquality package provides common functions for password quality checking
Rationale: Strong passwords reduce the risk of systems being hacked through brute force methods.
class { 'cis_security_hardening::rules::pam_libpwquality':
  enforce => true,
}
The following parameters are available in the cis_security_hardening::rules::pam_libpwquality
class:
Data type: Boolean
Enforce the rule
Default value: false
Several exec resources needed from multiple classes.
include cis_security_hardening::services
Create a cron job for the search for world writable directories with sticky bit set.
include cis_security_hardening::sticky_world_writable_cron
The following parameters are available in the cis_security_hardening::sticky_world_writable_cron
class:
Data type: Enum['present', 'absent']
Whether the cron job should be present or absent.
Default value: 'present'
Data type: Array
Array of directories to exclude from search.
Default value: []
Data type: Stdlib::Absolutepath
The file to write data to
Default value: '/usr/share/cis_security_hardening/data/world-writable-files.txt'
Data type: Stdlib::Absolutepath
The script to run
Default value: '/usr/share/cis_security_hardening/bin/sticy-world-writable.sh'
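What the cron job's search amounts to, written out as an added Ruby example that is not the module's own script: walk each root without crossing into another filesystem (the -xdev behaviour of find), prune excluded prefixes, and report directories that are world-writable but lack the sticky bit, which is exactly the set the sticky_world_writeable_files rule needs to fix. Function names, the exclude keyword and write_fact_file are mine.

```ruby
require 'find'
require 'tmpdir'
require 'fileutils'

# Directories that are world-writable (o+w) but lack the sticky bit, found below each
# root. Like find -xdev, the walk stays on the root's filesystem; symlinks are not
# followed (Find uses lstat); paths under an exclude prefix are pruned.
def world_writable_dirs_without_sticky(roots, exclude: [])
  excluded = exclude.map { |e| e.chomp('/') }
  found = []
  roots.each do |root|
    root_dev = File.lstat(root).dev
    Find.find(root) do |path|
      st = File.lstat(path) rescue nil # entry vanished or unreadable: skip it
      next if st.nil? || !st.directory?
      if st.dev != root_dev || excluded.any? { |e| path == e || path.start_with?("#{e}/") }
        Find.prune
      end
      found << path if (st.mode & 0o002) != 0 && !st.sticky?
    end
  end
  found.sort
end

# Write the result one path per line, the shape a custom fact can read back.
# Returns the number of directories written.
def write_fact_file(dirs, output_file)
  File.write(output_file, dirs.join("\n") + (dirs.empty? ? '' : "\n"))
  dirs.size
end

if __FILE__ == $PROGRAM_NAME
  roots = ARGV.empty? ? ['/'] : ARGV
  puts world_writable_dirs_without_sticky(roots)
end
```

Mode 1777 directories such as /tmp are deliberately absent from the result: the sticky bit is what the benchmark asks for, so only 0777-style directories without it are reported.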
Create all missing directories.
cis_security_hardening::parent_dirs { 'create script dir':
  dir_path => '/var/www/scripts',
}
The following parameters are available in the cis_security_hardening::parent_dirs
defined type:
Data type: Stdlib::Unixpath
The directories to be created.
Data type: Optional[Stdlib::Unixpath]
A base path which does not need to be created.
Default value: undef
Data type: Optional[String]
The directory owner.
Default value: undef
Data type: Optional[String]
The directory group.
Default value: undef
Data type: Optional[String]
The directory permissions.
Default value: undef
Change the mount options of a mountpoint.
# the resource title is illustrative; the page does not give one
cis_security_hardening::set_mount_options { 'home nodev':
  mountpoint   => '/home',
  mountoptions => 'nodev',
}
The following parameters are available in the cis_security_hardening::set_mount_options
defined type:
Data type: Cis_security_hardening::Mountpoint
Mountpoint to work on
Data type: Cis_security_hardening::Mountoption
Options to set
Execute a systemd command to unmask a service.
cis_security_hardening::unmask_systemd_service { 'namevar':
  service => 'umask',
}
The following parameters are available in the cis_security_hardening::unmask_systemd_service
defined type:
Data type: Cis_security_hardening::Servicename
The service to unmask
Type: Ruby 4.x API
sanitize_input.rb Uses Shellwords.escape to sanitize cmd.
Returns: String
Data type: String
Check a mount option
Alias of Pattern[/(^[\/a-zA-Z0-9]+$|^sec=[\/a-zA-Z0-9:]+$)|^size=[\/a-zA-Z0-9]+$|^fmask=[0-9]+$|^uid=[0-9]+$|^gid=[0-9]+$/]
Check a mountpoint with a regex
Alias of Pattern[/^[\/a-zA-Z0-9_-]+$/]
Valid nftables address families
Alias of Enum['ip', 'ip6', 'inet', 'arp', 'bridge', 'netdev']
Check for only numbers and letters
Alias of Pattern[/^[0-9a-zA-Z]+$/, /^$/]
Check service name
Alias of Pattern[/^[a-zA-Z0-9\.\-_]+$/]
Word datatype
Alias of Pattern[/^[a-zA-Z0-9_]+$/]
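The type aliases above are Ruby regular expressions once Puppet evaluates them, and sanitize_input wraps Shellwords.escape. The added Ruby example below is not the module's code (constant and function names are mine): it shows the Mountoption and Mountpoint patterns accepting and rejecting values, one caveat a reviewer should know about ^ and $ in Ruby (they anchor at line boundaries, so a value with an embedded newline satisfies the pattern on its first line, whereas \A and \z anchor the whole string), and that escaping still renders such a value harmless by the time it is placed on a command line.

```ruby
require 'shellwords'

# Patterns copied from the module's Mountoption and Mountpoint type aliases.
MOUNTOPTION = /(^[\/a-zA-Z0-9]+$|^sec=[\/a-zA-Z0-9:]+$)|^size=[\/a-zA-Z0-9]+$|^fmask=[0-9]+$|^uid=[0-9]+$|^gid=[0-9]+$/
MOUNTPOINT  = /^[\/a-zA-Z0-9_-]+$/

# The same alternatives anchored to the whole string: in Ruby ^ and $ match at line
# boundaries, \A and \z only at the very start and end of the string.
MOUNTOPTION_STRICT = %r{\A(?:[/a-zA-Z0-9]+|sec=[/a-zA-Z0-9:]+|size=[/a-zA-Z0-9]+|fmask=[0-9]+|uid=[0-9]+|gid=[0-9]+)\z}
MOUNTPOINT_STRICT  = %r{\A[/a-zA-Z0-9_-]+\z}

def matches?(pattern, value)
  pattern.match?(value)
end

# Equivalent of the module's sanitize_input function: escape one argument for a POSIX shell.
def sanitize_input(cmd)
  Shellwords.escape(cmd)
end

# Hypothetical helper: validate with the strict patterns, then escape every argument
# before joining the command line. Options are validated one by one because the
# Mountoption pattern admits no commas.
def build_remount_cmd(mountpoint, options)
  raise ArgumentError, "bad mountpoint: #{mountpoint.inspect}" unless matches?(MOUNTPOINT_STRICT, mountpoint)
  options.each do |opt|
    raise ArgumentError, "bad mount option: #{opt.inspect}" unless matches?(MOUNTOPTION_STRICT, opt)
  end
  "mount -o remount,#{options.map { |o| sanitize_input(o) }.join(',')} #{sanitize_input(mountpoint)}"
end

if __FILE__ == $PROGRAM_NAME
  puts build_remount_cmd('/home', %w[nodev nosuid noexec])
  crafted = "nodev\n; rm -rf /" # constructed value with an embedded newline
  puts "loose: #{matches?(MOUNTOPTION, crafted)}, strict: #{matches?(MOUNTOPTION_STRICT, crafted)}"
  puts "escaped: #{sanitize_input(crafted)}"
end
```

Shellwords.escape backslash-escapes every character outside a small safe set, so `uid=1000` becomes `uid\=1000` (still a valid argument) and a newline becomes a quoted `'\n'`; the validation is what keeps the values meaningful, the escaping is what keeps the shell from interpreting them.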
Audit SGID executables
Supports noop? false
Audit SUID executables
Supports noop? false
Check auditd directory and file permissions.
Supports noop? false
Data type: String
Directory containing auditd log files.
Check no duplicate GIDs exist.
Supports noop? false
Check no duplicate group names exist.
Supports noop? false
Check no duplicate UIDs exist.
Supports noop? false
Check no duplicate user names exist.
Supports noop? false
Check users users have no .forward files.
Supports noop? false
Check users have no .netrc files.
Supports noop? false
Check users have no .rhosts files.
Supports noop? false
Check inactive password lock is 30 days or less.
Supports noop? false
Data type: Integer
Max. inactive days.
Check password expiration is 365 days or less.
Supports noop? false
Check minimum days between password changes is configured.
Supports noop? false
Check password expiration warning days is 7 or more.
Supports noop? false
Check root PATH Integrity.
Supports noop? false
Check shadow group is empty.
Supports noop? false
Check default user shell timeout is 600 seconds or less.
Supports noop? false
Data type: Integer
Maximal timeout setting.
Check if all certificates match DoD fingerprints.
Supports noop? false
Check system accounts are secured.
Supports noop? false
Check root is the only UID 0 account.
Supports noop? false
Check for unconfined services.
Supports noop? false
Check all users' home directories exist.
Supports noop? false
Check all users last password change date is in the past.
Supports noop? false
Check users' dot files are not group or world writable.
Supports noop? false
Data type: Enum[y,n]
Check for stricter STIG permissions.
Check users own their home directories.
Supports noop? false
Cleanup old files from (previous) cis module
Supports noop? false
Find ungrouped files and directories.
Supports noop? false
Find unowned files and directories.
Supports noop? false
Find world writable files.
Supports noop? false
Fix or report wrong home directory permissions
Supports noop? false
Data type: Enum[yes,no]
Fix permissions or just report.