secure_linux_cis

Table of Contents

1. Description
2. Setup - The basics of getting started
   • What secure_linux_cis affects
   • Setup requirements
   • Beginning with test
3. Usage - Configuration options and additional functionality
   • Opening firewall ports
   • Disabling rules with Hiera
   • No-Op Mode
4. Limitations - OS compatibility, etc.
5. Development - Guide for contributing to the module

Description

This Puppet module implements security controls defined in the Center for Internet Security (CIS) benchmarks for the following operating systems and benchmark versions:

CIS Benchmarks can be found here.

Setup

What secure_linux_cis affects

This module touches the:

• Kernel settings
• Bootloader configuration
• Update settings
• Firewall
• TCP wrappers
• File and directory permissions

These are good things. They keep you safe.

But, please run tests before slamming it into productions.

Beginning with secure_linux_cis

To start with Secure Linux and harden your server to CIS standards, declare the secure_linux_cis: class.

NOTE: you will want to open up at least one firewall port. See Opening firewall ports.

Three parameters are required:

• time_sync Specify choice of 'ntp' or 'chrony'

• time_servers Specify your enterprise's time server(s)

• profile_type It will be workstation or server

• allow_users At least one user needs to ssh in. NOT root

class {'::secure_linux_cis':
   time_servers  => ['tick.usno.navy.mil', 'tock.usno.navy.mil'],
   profile_type  => 'server',
   allow_users   => 'trusteduser',
}

Usage

Opening firewall ports

This module opens up port 22. Everythings else is shut down by default.

If using iptables (Everything but RedHat family version 8) you will need to add firewall rules.

For example we want to open up for 8080 for tomcat:

  firewall { '010 tomcat http port':
    chain  => 'INPUT',
    dport  => 8080,
    state  => 'NEW',
    action => 'accept',
    proto  => 'tcp',
    tag    => 'cis_firewall_rule',
  }

Notice the tag parameter. Include this on all firewall rules.

It ensures firewall rules are implemented in the proper order.

TCP wrappers

This module is very generous with tcp controls. It relies on firewall rules for enforecment.

You should tighten them down.

TODO: TCP wrapper example

Disabling rules with Hiera (Not applicable to 3.0.0 descriptive based 'rules' .pp files)

As of enforcement for the Redhat 7 OS, there are 223 CIS rules that are either enforced or documented. Each rule relates to a class which can be turned on or off according to the needs of the system. By default, all vulnerabilities are turned ON to ensure maximum security out-of-box. This is how you would disable enforcement of a particular recommendation using Hiera:

# hieradata/common.yaml
secure_linux_cis::rules::ensure_mounting_of_squashfs_filesystems_is_disabled::enforced: false

Enabling rules with Hiera (Not applicable to 3.0.0 descriptive based 'rules' .pp files)

Some recommendations are not enforced by default. For example, to enforce password-protected bootloader, a hash value for password must be present:

# hieradata/common.yaml
secure_linux_cis::rules::ensure_bootloader_password_is_set::enforced: true
secure_linux_cis::rules::ensure_bootloader_password_is_set::grub_username: root
secure_linux_cis::rules::ensure_bootloader_password_is_set::grub_pbkdf2_password_hash: grub.pbkdf2.sha512.10000.7D81626...ABC0123C616C3210CBA

NOTE: Don't use the example pbkdf2 string value. It needs to be a hash you've generated with the intended password.

See Limitations for a list of vulnerabilities that might not apply to certain system configurations

Any parameters that need to be explicitly defined can be done so in init.pp

Include usage examples for common use cases in the Usage section. Show your users how to use your module to solve problems, and be sure to include code examples. Include three to five examples of the most important or common tasks a user can accomplish with your module. Show users how to accomplish more complex tasks that involve different types, classes, and functions working in tandem.

No-Op Mode

It is possible to run the module in "No-Op Mode", which identifies detected Configuration Drifts without implementing any actual changes. This is useful for auditing the state of your system without making any changes.

puppet agent -t --noop

Limitations

RedHat family '8' OSes are not fully covered. Almost, but not quite.

Help getting this out the door would be appreciated. Also, we do not have acceptance testing completed for OracleLinux, Aliyun, or Amazon Linux.

Same deal. Any help appreciated.

Development

Please ensure PDK validation and unit tests pass.

Ideally make sure litmus tests pass too, but we understand this will be out of scope for some.

Reference

Table of Contents

Classes

Public Classes

• secure_linux_cis: CIS Hardening Module
• secure_linux_cis::refresh_mount_options: A short summary of the purpose of this class
• secure_linux_cis::rules::ensure_code_dump_backtraces_are_disabled: Ensure authentication required for single user mode (Scored)
• secure_linux_cis::rules::ensure_code_dump_storage_is_disabled: Ensure authentication required for single user mode (Scored)
• secure_linux_cis::rules::ensure_default_group_for_the_root_account_is_gid_0: Ensure default group for the root account is GID 0 (Scored)
• secure_linux_cis::rules::ensure_events_that_modify_the_system_s_mandatory_access_controls_are_collected: Ensure events that modify the system's Mandatory Access Controls are collected (Scored)
• secure_linux_cis::rules::ensure_events_that_modify_the_system_s_network_environment_are_collected: Ensure events that modify the system's network environment are collected (Scored)
• secure_linux_cis::rules::ensure_gpg_keys_are_configured: Ensure GPG keys are configured (Not Scored)
• secure_linux_cis::rules::ensure_inactive_password_lock_is_30_days_or_less: Ensure inactive password lock is 30 days or less (Scored)
• secure_linux_cis::rules::ensure_ip6tables_default_deny_firewall_policy: Ensure iptables is installed (Scored)
• secure_linux_cis::rules::ensure_ip6tables_is_enabled_and_active: Ensure iptables is installed (Scored)
• secure_linux_cis::rules::ensure_iptables_is_not_enabled: Ensure iptables is not enabled
• secure_linux_cis::rules::ensure_ipv6_firewall_rules_exist_for_all_open_ports: Ensure firewall rules exist for all open ports (Scored)
• secure_linux_cis::rules::ensure_ipv6_is_disabled: Ensure IPv6 is disabled (Not Scored)
• secure_linux_cis::rules::ensure_ipv6_outbound_and_established_connections_are_configured: Ensure outbound and established connections are configured (Not Scored)
• secure_linux_cis::rules::ensure_ipv6_redirects_are_not_accepted: Ensure IPv6 redirects are not accepted (Not Scored)
• secure_linux_cis::rules::ensure_ipv6_router_advertisements_are_not_accepted: Ensure IPv6 router advertisements are not accepted (Not Scored)
• secure_linux_cis::rules::ensure_logrotate_is_configured: Ensure logrotate is configured (Not Scored)
• secure_linux_cis::rules::ensure_minimum_days_between_password_changes_is_7_or_more: Ensure minimum days between password changes is 7 or more (Scored)
• secure_linux_cis::rules::ensure_mounting_of_fat_filesystems_is_disabled: Ensure mounting of FAT filesystems is disabled (Scored)
• secure_linux_cis::rules::ensure_mounting_of_jffs2_filesystems_is_disabled: Ensure mounting of jffs2 filesystems is disabled (Scored)
• secure_linux_cis::rules::ensure_mounting_of_vfat_filesystems_is_limited: Ensure mounting of FAT filesystems is disabled (Scored)
• secure_linux_cis::rules::ensure_nfs_and_rpc_are_not_enabled: Ensure NFS and RPC are not enabled (Scored)
• secure_linux_cis::rules::ensure_nftables_is_not_installed_with_firewalld: Ensure nftables base chains exist
• secure_linux_cis::rules::ensure_outbound_and_established_connections_are_configured: Ensure outbound and established connections are configured (Not Scored)
• secure_linux_cis::rules::ensure_package_manager_repositories_are_configured: Ensure package manager repositories are configured (Not Scored)
• secure_linux_cis::rules::ensure_password_expiration_is_365_days_or_less: Ensure password expiration is 365 days or less (Scored)
• secure_linux_cis::rules::ensure_password_expiration_warning_days_is_7_or_more: Ensure password expiration warning days is 7 or more (Scored)
• secure_linux_cis::rules::ensure_permissions_on_etc_cron_tab_are_configured: Ensure permissions on /etc/cron.d are configured (Scored)
• secure_linux_cis::rules::ensure_permissions_on_etc_group_dash_are_configured: Ensure permissions on /etc/group- are configured (Scored)
• secure_linux_cis::rules::ensure_permissions_on_etc_gshadow__are_configured: Ensure permissions on /etc/gshadow- are configured (Scored)
• secure_linux_cis::rules::ensure_ssh_loglevel_is_set_to_info: Ensure SSH LogLevel is set to INFO (Scored)

Private Classes

• secure_linux_cis::reboot: A short summary of the purpose of this class
• secure_linux_cis::rules::disable_automounting: Disable Automounting
• secure_linux_cis::rules::disable_the_rhnsd_daemon: Disable the rhnsd Daemon
• secure_linux_cis::rules::disable_usb_storage: Disable USB Storage
• secure_linux_cis::rules::ensure_a_nftables_table_exists: Ensure a nftables table exists
• secure_linux_cis::rules::ensure_a_single_time_synchronization_daemon_is_in_use: Ensure a single time synchronization daemon is in use
• secure_linux_cis::rules::ensure_a_table_exists: Ensure a table exists
• secure_linux_cis::rules::ensure_a_web_server_is_not_installed: Ensure a web server is not installed
• secure_linux_cis::rules::ensure_access_to_the_su_command_is_restricted: Ensure access to the su command is restricted
• secure_linux_cis::rules::ensure_accounts_in_etc_passwd_use_shadowed_passwords: Ensure accounts in /etc/passwd use shadowed passwords
• secure_linux_cis::rules::ensure_actions_as_another_user_are_always_logged: Ensure actions as another user are always logged
• secure_linux_cis::rules::ensure_address_space_layout_randomization_aslr_is_enabled: Ensure address space layout randomization (ASLR) is   enabled
• secure_linux_cis::rules::ensure_aide_is_installed: Ensure AIDE is installed
• secure_linux_cis::rules::ensure_all_apparmor_profiles_are_enforcing: Ensure all AppArmor Profiles are enforcing
• secure_linux_cis::rules::ensure_all_apparmor_profiles_are_in_enforce_or_complain_mode: Ensure all AppArmor Profiles are in enforce or complain mode
• secure_linux_cis::rules::ensure_all_groups_in_etc_passwd_exist_in_etc_group: Ensure all groups in /etc/passwd exist in /etc/group
• secure_linux_cis::rules::ensure_all_logfiles_have_appropriate_permissions_and_ownership: Ensure all logfiles have appropriate permissions and ownership
• secure_linux_cis::rules::ensure_all_users_home_directories_exist: Ensure all users' home directories exist
• secure_linux_cis::rules::ensure_all_users_last_password_change_date_is_in_the_past: Ensure all users last password change date is in the past
• secure_linux_cis::rules::ensure_apparmor_is_enabled_in_the_bootloader_configuration: Ensure AppArmor is enabled in the bootloader configuration
• secure_linux_cis::rules::ensure_apparmor_is_installed: Ensure AppArmor is installed
• secure_linux_cis::rules::ensure_at_is_restricted_to_authorized_users: Ensure at is restricted to authorized users
• secure_linux_cis::rules::ensure_audit_backlog_limit_is_sufficient: Ensure audit_backlog_limit is sufficient
• secure_linux_cis::rules::ensure_audit_configuration_files_are_owned_by_root: Ensure audit configuration files are owned by root
• secure_linux_cis::rules::ensure_audit_configuration_files_belong_to_group_root: Ensure audit configuration files belong to group root
• secure_linux_cis::rules::ensure_audit_log_storage_size_is_configured: Ensure audit log storage size is configured
• secure_linux_cis::rules::ensure_audit_logs_are_not_automatically_deleted: Ensure audit logs are not automatically deleted
• secure_linux_cis::rules::ensure_audit_tools_are_owned_by_root: Ensure audit tools are owned by root
• secure_linux_cis::rules::ensure_audit_tools_belong_to_group_root: Ensure audit tools belong to group root
• secure_linux_cis::rules::ensure_auditd_is_installed: Ensure auditd is installed
• secure_linux_cis::rules::ensure_auditd_service_is_enabled: Ensure auditd service is enabled
• secure_linux_cis::rules::ensure_auditd_service_is_enabled_and_active: Ensure auditd service is enabled and active
• secure_linux_cis::rules::ensure_auditd_service_is_enabled_and_running: Ensure auditd service is enabled and running
• secure_linux_cis::rules::ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled: Ensure auditing for processes that start prior to auditd is enabled
• secure_linux_cis::rules::ensure_augenrules_is_enabled: Ensure augenrules is enabled
• secure_linux_cis::rules::ensure_authentication_is_required_when_booting_into_rescue_mode: Ensure authentication is required when booting into rescue mode
• secure_linux_cis::rules::ensure_authentication_required_for_single_user_mode: Ensure authentication required for single user mode
• secure_linux_cis::rules::ensure_authselect_includes_with_faillock: Ensure authselect includes with-faillock
• secure_linux_cis::rules::ensure_automatic_error_reporting_is_not_enabled: Ensure Automatic Error Reporting is not enabled
• secure_linux_cis::rules::ensure_automatic_mounting_of_removable_media_is_disabled: Ensure automatic mounting of removable media is disabled
• secure_linux_cis::rules::ensure_avahi_server_is_not_installed: Ensure Avahi Server is not installed
• secure_linux_cis::rules::ensure_base_chains_exist: Ensure base chains exist
• secure_linux_cis::rules::ensure_bogus_icmp_responses_are_ignored: Ensure bogus ICMP responses are ignored
• secure_linux_cis::rules::ensure_bootloader_password_is_set: Ensure bootloader password is set
• secure_linux_cis::rules::ensure_broadcast_icmp_requests_are_ignored: Ensure broadcast ICMP requests are ignored
• secure_linux_cis::rules::ensure_changes_to_system_administration_scope_sudoers_is_collected: Ensure changes to system administration scope (sudoers) is collected
• secure_linux_cis::rules::ensure_chargen_services_are_not_enabled: Ensure chargen services are not enabled
• secure_linux_cis::rules::ensure_chrony_is_configured: Ensure chrony is configured
• secure_linux_cis::rules::ensure_chrony_is_enabled_and_running: Ensure chrony is enabled and running
• secure_linux_cis::rules::ensure_chrony_is_running_as_user_chrony: Ensure chrony is running as user _chrony
• secure_linux_cis::rules::ensure_core_dump_backtraces_are_disabled: Ensure core dump backtraces are disabled
• secure_linux_cis::rules::ensure_core_dump_storage_is_disabled: Ensure core dump storage is disabled
• secure_linux_cis::rules::ensure_core_dumps_are_restricted: Ensure core dumps are restricted
• secure_linux_cis::rules::ensure_cron_daemon_is_enabled: Ensure cron daemon is enabled
• secure_linux_cis::rules::ensure_cron_daemon_is_enabled_and_running: Ensure cron daemon is enabled and running
• secure_linux_cis::rules::ensure_cron_is_restricted_to_authorized_users: Ensure cron is restricted to authorized users
• secure_linux_cis::rules::ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools: Ensure cryptographic mechanisms are used to protect   the integrity of audit tools
• secure_linux_cis::rules::ensure_cups_is_not_installed: Ensure CUPS is not installed
• secure_linux_cis::rules::ensure_daytime_services_are_not_enabled: Ensure daytime services are not enabled
• secure_linux_cis::rules::ensure_dccp_is_disabled: Ensure DCCP is disabled
• secure_linux_cis::rules::ensure_default_deny_firewall_policy: Ensure default deny firewall policy
• secure_linux_cis::rules::ensure_default_user_shell_timeout_is_configured: Ensure default user shell timeout is configured
• secure_linux_cis::rules::ensure_default_user_umask_is_configured: Ensure default user umask is configured
• secure_linux_cis::rules::ensure_default_zone_is_set: Ensure default zone is set
• secure_linux_cis::rules::ensure_dev_shm_is_configured: Ensure /dev/shm is configured
• secure_linux_cis::rules::ensure_dhcp_server_is_not_installed: Ensure DHCP Server is not installed
• secure_linux_cis::rules::ensure_disable_user_list_is_enabled: Ensure disable-user-list is enabled
• secure_linux_cis::rules::ensure_discard_services_are_not_enabled: Ensure discard services are not enabled
• secure_linux_cis::rules::ensure_discretionary_access_control_permission_modification_events_are_collected: Ensure discretionary access control permission modification events are collected
• secure_linux_cis::rules::ensure_dns_server_is_not_installed: Ensure DNS Server is not installed
• secure_linux_cis::rules::ensure_echo_services_are_not_enabled: Ensure echo services are not enabled
• secure_linux_cis::rules::ensure_etc_hosts_allow_is_configured: Ensure /etc/hosts.allow is configured
• secure_linux_cis::rules::ensure_etc_hosts_deny_is_configured: Ensure /etc/hosts.deny is configured
• secure_linux_cis::rules::ensure_etc_shadow_password_fields_are_not_empty: Ensure /etc/shadow password fields are not empty  
• secure_linux_cis::rules::ensure_events_that_modify_date_and_time_information_are_collected: Ensure events that modify date and time information are collected
• secure_linux_cis::rules::ensure_events_that_modify_the_sudo_log_file_are_collected: Ensure events that modify the sudo log file are collected
• secure_linux_cis::rules::ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected: Ensure events that modify the system's Mandatory Access Controls are collected
• secure_linux_cis::rules::ensure_events_that_modify_the_systems_network_environment_are_collected: Ensure events that modify the system's network   environment are collected
• secure_linux_cis::rules::ensure_events_that_modify_user_group_information_are_collected: Ensure events that modify user/group information are collected
• secure_linux_cis::rules::ensure_file_deletion_events_by_users_are_collected: Ensure file deletion events by users are collected
• secure_linux_cis::rules::ensure_filesystem_integrity_is_regularly_checked: Ensure filesystem integrity is regularly checked
• secure_linux_cis::rules::ensure_firewall_rules_exist_for_all_open_ports: Ensure firewall rules exist for all open ports
• secure_linux_cis::rules::ensure_firewalld_is_either_not_installed_or_masked_with_iptables: Ensure firewalld is either not installed or masked with iptables
• secure_linux_cis::rules::ensure_firewalld_is_installed: Ensure firewalld is installed
• secure_linux_cis::rules::ensure_firewalld_is_not_installed_or_stopped_and_masked: Ensure firewalld is not installed or stopped and masked
• secure_linux_cis::rules::ensure_firewalld_service_enabled_and_running: Ensure firewalld service enabled and running
• secure_linux_cis::rules::ensure_firewalld_service_is_enabled_and_running: Ensure firewalld service is enabled and running
• secure_linux_cis::rules::ensure_ftp_client_is_not_installed: Ensure FTP client is not installed
• secure_linux_cis::rules::ensure_ftp_server_is_not_installed: Ensure FTP Server is not installed
• secure_linux_cis::rules::ensure_gdm_automatic_mounting_of_removable_media_is_disabled: Ensure GDM automatic mounting of removable media is disabled
• secure_linux_cis::rules::ensure_gdm_autorun_never_is_enabled: Ensure GDM autorun-never is enabled
• secure_linux_cis::rules::ensure_gdm_autorun_never_is_not_overridden: Ensure GDM autorun-never is not overridden
• secure_linux_cis::rules::ensure_gdm_disable_user_list_option_is_enabled: Ensure GDM disable-user-list option is enabled
• secure_linux_cis::rules::ensure_gdm_disabling_automatic_mounting_of_removable_media_is_not_overridden: Ensure GDM disabling automatic mounting of removable media is not overridden
• secure_linux_cis::rules::ensure_gdm_is_removed_or_login_is_configured: Ensure GDM is removed or login is configured
• secure_linux_cis::rules::ensure_gdm_login_banner_is_configured: Ensure GDM login banner is configured
• secure_linux_cis::rules::ensure_gdm_screen_locks_cannot_be_overridden: Ensure GDM screen locks cannot be overridden
• secure_linux_cis::rules::ensure_gdm_screen_locks_when_the_user_is_idle: Ensure GDM screen locks when the user is idle
• secure_linux_cis::rules::ensure_gnome_display_manager_is_removed: Ensure GNOME Display Manager is removed
• secure_linux_cis::rules::ensure_gpgcheck_is_globally_activated: Ensure gpgcheck is globally activated
• secure_linux_cis::rules::ensure_grpquota_option_set_on_home_partition: Ensure grpquota option set on /home partition
• secure_linux_cis::rules::ensure_home_partition_includes_the_nodev_option: Ensure /home partition includes the nodev option
• secure_linux_cis::rules::ensure_http_proxy_server_is_not_installed: Ensure HTTP Proxy Server is not installed
• secure_linux_cis::rules::ensure_http_server_is_not_installed: Ensure HTTP server is not installed
• secure_linux_cis::rules::ensure_icmp_redirects_are_not_accepted: Ensure ICMP redirects are not accepted
• secure_linux_cis::rules::ensure_imap_and_pop3_server_are_not_installed: 1 Ensure IMAP and POP3 server is not enabled (Scored)
• secure_linux_cis::rules::ensure_imap_and_pop3_server_is_not_installed: 1 Ensure IMAP and POP3 server is not enabled (Scored)
• secure_linux_cis::rules::ensure_interactive_boot_is_not_enabled: Ensure interactive boot is not enabled
• secure_linux_cis::rules::ensure_ip_forwarding_is_disabled: Ensure IP forwarding is disabled
• secure_linux_cis::rules::ensure_iptables_default_deny_firewall_policy: Ensure iptables default deny firewall policy
• secure_linux_cis::rules::ensure_iptables_firewall_rules_exist_for_all_open_ports: Ensure iptables firewall rules exist for all open ports  
• secure_linux_cis::rules::ensure_iptables_is_enabled_and_active: Ensure iptables is enabled and active
• secure_linux_cis::rules::ensure_iptables_is_enabled_and_running: Ensure iptables is enabled and running
• secure_linux_cis::rules::ensure_iptables_is_installed: Ensure iptables is installed
• secure_linux_cis::rules::ensure_iptables_loopback_traffic_is_configured: Ensure iptables loopback traffic is configured
• secure_linux_cis::rules::ensure_iptables_package_is_installed: Ensure iptables package is installed
• secure_linux_cis::rules::ensure_iptables_packages_are_installed: Ensure iptables packages are installed
• secure_linux_cis::rules::ensure_iptables_persistent_is_not_installed_with_ufw: Ensure iptables-persistent is not installed with ufw
• secure_linux_cis::rules::ensure_iptables_rules_are_saved: Ensure iptables rules are saved
• secure_linux_cis::rules::ensure_iptables_rules_exist_for_all_open_ports: Ensure iptables rules exist for all open ports
• secure_linux_cis::rules::ensure_iptables_services_not_installed_with_firewalld: Ensure iptables-services not installed with firewalld  
• secure_linux_cis::rules::ensure_ipv6_loopback_traffic_is_configured: Ensure IPv6 loopback traffic is configured (Scored)
• secure_linux_cis::rules::ensure_journald_is_configured_to_compress_large_log_files: Ensure journald is configured to compress large log files
• secure_linux_cis::rules::ensure_journald_is_configured_to_send_logs_to_rsyslog: Ensure journald is configured to send logs to rsyslog
• secure_linux_cis::rules::ensure_journald_is_configured_to_write_logfiles_to_persistent_disk: Ensure journald is configured to write logfiles to persistent disk
• secure_linux_cis::rules::ensure_journald_is_not_configured_to_receive_logs_from_a_remote_client: Ensure journald is not configured to receive logs from a remote client
• secure_linux_cis::rules::ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client: Ensure journald is not configured to recieve logs from a remote client
• secure_linux_cis::rules::ensure_journald_service_is_enabled: Ensure journald service is enabled
• secure_linux_cis::rules::ensure_kernel_module_loading_and_unloading_is_collected: Ensure kernel module loading and unloading is collected
• secure_linux_cis::rules::ensure_kernel_module_loading_unloading_and_modification_is_collected: Ensure kernel module loading unloading and   modification is collected
• secure_linux_cis::rules::ensure_last_logged_in_user_display_is_disabled: Ensure last logged in user display is disabled
• secure_linux_cis::rules::ensure_ldap_client_is_not_installed: Ensure LDAP client is not installed
• secure_linux_cis::rules::ensure_ldap_server_is_not_installed: Ensure LDAP server is not installed
• secure_linux_cis::rules::ensure_local_interactive_user_dot_files_are_not_group_or_world_writable: Ensure local interactive user dot files are not group or  world writable
• secure_linux_cis::rules::ensure_local_interactive_user_home_directories_exist: Ensure local interactive user home directories exist
• secure_linux_cis::rules::ensure_local_interactive_users_own_their_home_directories: Ensure local interactive users own their home directories
• secure_linux_cis::rules::ensure_local_login_warning_banner_is_configured_properly: Ensure local login warning banner is configured properly
• secure_linux_cis::rules::ensure_lockout_for_failed_password_attempts_is_configured: Ensure lockout for failed password attempts is   configured
• secure_linux_cis::rules::ensure_login_and_logout_events_are_collected: Ensure login and logout events are collected
• secure_linux_cis::rules::ensure_logrotate_assigns_appropriate_permissions: Ensure logrotate assigns appropriate permissions
• secure_linux_cis::rules::ensure_loopback_traffic_is_configured: Ensure loopback traffic is configured
• secure_linux_cis::rules::ensure_mail_transfer_agent_is_configured_for_local_only_mode: Ensure mail transfer agent is configured for local-only mode
• secure_linux_cis::rules::ensure_message_of_the_day_is_configured_properly: Ensure message of the day is configured properly
• secure_linux_cis::rules::ensure_minimum_days_between_password_changes_is_configured: Ensure minimum days between password changes is configured
• secure_linux_cis::rules::ensure_mounting_of_cramfs_filesystems_is_disabled: Ensure mounting of cramfs filesystems is disabled
• secure_linux_cis::rules::ensure_mounting_of_fat_filesystems_is_limited: Ensure mounting of FAT filesystems is limited
• secure_linux_cis::rules::ensure_mounting_of_freevxfs_filesystems_is_disabled: Ensure mounting of freevxfs filesystems is disabled
• secure_linux_cis::rules::ensure_mounting_of_hfs_filesystems_is_disabled: Ensure mounting of hfs filesystems is disabled
• secure_linux_cis::rules::ensure_mounting_of_hfsplus_filesystems_is_disabled: Ensure mounting of hfsplus filesystems is disabled
• secure_linux_cis::rules::ensure_mounting_of_squashfs_filesystems_is_disabled: Ensure mounting of squashfs filesystems is disabled
• secure_linux_cis::rules::ensure_mounting_of_udf_filesystems_is_disabled: Ensure mounting of udf filesystems is disabled
• secure_linux_cis::rules::ensure_net_snmp_is_not_installed: Ensure net-snmp is not installed
• secure_linux_cis::rules::ensure_nfs_is_not_installed: Ensure NFS is not installed
• secure_linux_cis::rules::ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_disabled: Ensure nfs-utils is not installed or the nfs-server service is disabled
• secure_linux_cis::rules::ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked: Ensure nfs-utils is not installed or the nfs-server service is masked
• secure_linux_cis::rules::ensure_nftables_base_chains_exist: Ensure nftables base chains exist
• secure_linux_cis::rules::ensure_nftables_default_deny_firewall_policy: Ensure nftables default deny firewall policy
• secure_linux_cis::rules::ensure_nftables_is_installed: Ensure nftables is installed
• secure_linux_cis::rules::ensure_nftables_is_not_installed: Ensure nftables is not installed
• secure_linux_cis::rules::ensure_nftables_is_not_installed_or_stopped_and_masked: Ensure nftables is not installed or stopped and masked
• secure_linux_cis::rules::ensure_nftables_is_not_installed_with_iptables: Ensure nftables is not installed with iptables
• secure_linux_cis::rules::ensure_nftables_loopback_traffic_is_configured: Ensure nftables loopback traffic is configured
• secure_linux_cis::rules::ensure_nftables_rules_are_permanent: Ensure nftables rules are permanent
• secure_linux_cis::rules::ensure_nftables_service_is_enabled: Ensure nftables service is enabled
• secure_linux_cis::rules::ensure_nis_client_is_not_installed: Ensure NIS Client is not installed
• secure_linux_cis::rules::ensure_nis_server_is_not_enabled: 6 Ensure NIS Server is not enabled (Scored)
• secure_linux_cis::rules::ensure_nis_server_is_not_installed: Ensure NIS Server is not installed
• secure_linux_cis::rules::ensure_no_duplicate_gids_exist: Ensure no duplicate GIDs exist
• secure_linux_cis::rules::ensure_no_duplicate_group_names_exist: Ensure no duplicate group names exist
• secure_linux_cis::rules::ensure_no_duplicate_uids_exist: Ensure no duplicate UIDs exist
• secure_linux_cis::rules::ensure_no_duplicate_user_names_exist: Ensure no duplicate user names exist
• secure_linux_cis::rules::ensure_no_legacy_entries_exist_in_etc_group: Ensure no legacy "+" entries exist in /etc/group
• secure_linux_cis::rules::ensure_no_legacy_entries_exist_in_etc_passwd: Ensure no legacy "+" entries exist in /etc/passwd
• secure_linux_cis::rules::ensure_no_legacy_entries_exist_in_etc_shadow: Ensure no legacy "+" entries exist in /etc/shadow
• secure_linux_cis::rules::ensure_no_local_interactive_user_has_forward_files: Ensure no local interactive user has .forward files
• secure_linux_cis::rules::ensure_no_local_interactive_user_has_netrc_files: Ensure no local interactive user has .netrc files
• secure_linux_cis::rules::ensure_no_local_interactive_user_has_rhosts_files: Ensure no local interactive user has .rhosts files
• secure_linux_cis::rules::ensure_no_unconfined_daemons_exist: Ensure no unconfined daemons exist
• secure_linux_cis::rules::ensure_no_unconfined_services_exist: Ensure no unconfined services exist
• secure_linux_cis::rules::ensure_no_ungrouped_files_or_directories_exist: Ensure no ungrouped files or directories exist
• secure_linux_cis::rules::ensure_no_unowned_files_or_directories_exist: Ensure no unowned files or directories exist
• secure_linux_cis::rules::ensure_no_users_have_forward_files: Ensure no users have .forward files
• secure_linux_cis::rules::ensure_no_users_have_netrc_files: Ensure no users have .netrc files
• secure_linux_cis::rules::ensure_no_users_have_rhosts_files: Ensure no users have .rhosts files
• secure_linux_cis::rules::ensure_no_world_writable_files_exist: Ensure no world writable files exist
• secure_linux_cis::rules::ensure_nodev_option_set_on_dev_shm_partition: Ensure nodev option set on /dev/shm partition
• secure_linux_cis::rules::ensure_nodev_option_set_on_home_partition: Ensure nodev option set on /home partition
• secure_linux_cis::rules::ensure_nodev_option_set_on_removable_media_partitions: Ensure nodev option set on removable media partitions
• secure_linux_cis::rules::ensure_nodev_option_set_on_tmp_partition: Ensure nodev option set on /tmp partition
• secure_linux_cis::rules::ensure_nodev_option_set_on_var_log_audit_partition: Ensure nodev option set on /var/log/audit partition
• secure_linux_cis::rules::ensure_nodev_option_set_on_var_log_partition: Ensure nodev option set on /var/log partition
• secure_linux_cis::rules::ensure_nodev_option_set_on_var_partition: Ensure nodev option set on /var partition
• secure_linux_cis::rules::ensure_nodev_option_set_on_var_tmp_partition: Ensure nodev option set on /var/tmp partition
• secure_linux_cis::rules::ensure_noexec_option_set_on_dev_shm_partition: Ensure noexec option set on /dev/shm partition
• secure_linux_cis::rules::ensure_noexec_option_set_on_home_partition: 7 Ensure noexec option set on /home partition (Scored)
• secure_linux_cis::rules::ensure_noexec_option_set_on_removable_media_partitions: 0 Ensure noexec option set on removable media partitions (Not Scored)
• secure_linux_cis::rules::ensure_noexec_option_set_on_tmp_partition: Ensure noexec option set on /tmp partition
• secure_linux_cis::rules::ensure_noexec_option_set_on_var_log_audit_partition: Ensure noexec option set on /var/log/audit partition
• secure_linux_cis::rules::ensure_noexec_option_set_on_var_log_partition: Ensure noexec option set on /var/log partition
• secure_linux_cis::rules::ensure_noexec_option_set_on_var_partition: Ensure noexec option set on /var partition
• secure_linux_cis::rules::ensure_noexec_option_set_on_var_tmp_partition: Ensure noexec option set on /var/tmp partition  
• secure_linux_cis::rules::ensure_nosuid_option_set_on_dev_shm_partition: Ensure nosuid option set on /dev/shm partition
• secure_linux_cis::rules::ensure_nosuid_option_set_on_home_partition: Ensure nosuid option set on /home partition
• secure_linux_cis::rules::ensure_nosuid_option_set_on_removable_media_partitions: Ensure nosuid option set on removable media partitions
• secure_linux_cis::rules::ensure_nosuid_option_set_on_tmp_partition: Ensure nosuid option set on /tmp partition
• secure_linux_cis::rules::ensure_nosuid_option_set_on_var_log_audit_partition: Ensure nosuid option set on /var/log/audit partition
• secure_linux_cis::rules::ensure_nosuid_option_set_on_var_log_partition: Ensure nosuid option set on /var/log partition
• secure_linux_cis::rules::ensure_nosuid_option_set_on_var_partition: Ensure nosuid option set on /var partition
• secure_linux_cis::rules::ensure_nosuid_option_set_on_var_tmp_partition: Ensure nosuid option set on /var/tmp partition
• secure_linux_cis::rules::ensure_ntp_access_control_is_configured: Ensure ntp access control is configured
• secure_linux_cis::rules::ensure_ntp_is_configured: Ensure ntp is configured
• secure_linux_cis::rules::ensure_ntp_is_enabled_and_running: Ensure ntp is enabled and running
• secure_linux_cis::rules::ensure_ntp_is_running_as_user_ntp: Ensure ntp is running as user ntp
• secure_linux_cis::rules::ensure_only_authorized_groups_are_assigned_ownership_of_audit_log_files: Ensure only authorized groups are assigned ownership of audit log files
• secure_linux_cis::rules::ensure_only_authorized_users_own_audit_log_files: Ensure only authorized users own audit log files
• secure_linux_cis::rules::ensure_only_strong_ciphers_are_used: Ensure only strong Ciphers are used
• secure_linux_cis::rules::ensure_only_strong_key_exchange_algorithms_are_used: Ensure only strong Key Exchange algorithms are used
• secure_linux_cis::rules::ensure_only_strong_mac_algorithms_are_used: Ensure only strong MAC algorithms are used
• secure_linux_cis::rules::ensure_packet_redirect_sending_is_disabled: Ensure packet redirect sending is disabled
• secure_linux_cis::rules::ensure_password_creation_requirements_are_configured: Ensure password creation requirements are configured
• secure_linux_cis::rules::ensure_password_fields_are_not_empty: Ensure password fields are not empty
• secure_linux_cis::rules::ensure_password_hashing_algorithm_is_up_to_date_with_the_latest_standards: Ensure password hashing algorithm is up to date with the latest standards
• secure_linux_cis::rules::ensure_password_reuse_is_limited: Ensure password reuse is limited
• secure_linux_cis::rules::ensure_permissions_on_all_logfiles_are_configured: Ensure permissions on all logfiles are configured
• secure_linux_cis::rules::ensure_permissions_on_bootloader_config_are_configured: Ensure permissions on bootloader config are configured
• secure_linux_cis::rules::ensure_permissions_on_bootloader_config_are_not_overridden: Ensure permissions on bootloader config are not overridden
• secure_linux_cis::rules::ensure_permissions_on_etc_cron_d_are_configured: Ensure permissions on /etc/cron.d are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_cron_daily_are_configured: Ensure permissions on /etc/cron.daily are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_cron_hourly_are_configured: Ensure permissions on /etc/cron.hourly are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_cron_monthly_are_configured: Ensure permissions on /etc/cron.monthly are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_cron_weekly_are_configured: Ensure permissions on /etc/cron.weekly are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_crontab_are_configured: Ensure permissions on /etc/crontab are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_group_are_configured: Ensure permissions on /etc/group are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_gshadow_are_configured: Ensure permissions on /etc/gshadow are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_gshadow_dash_are_configured: Ensure permissions on /etc/gshadow- are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_hosts_allow_are_configured: Ensure permissions on /etc/hosts.allow are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_hosts_deny_are_configured: Ensure permissions on /etc/hosts.deny are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_issue_are_configured: Ensure permissions on /etc/issue are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_issue_net_are_configured: Ensure permissions on /etc/issue.net are configured  
• secure_linux_cis::rules::ensure_permissions_on_etc_motd_are_configured: Ensure permissions on /etc/motd are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_passwd_are_configured: Ensure permissions on /etc/passwd are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_passwd_dash_are_configured: Ensure permissions on /etc/group- are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_shadow_are_configured: Ensure permissions on /etc/shadow are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_shadow_dash_are_configured: Ensure permissions on /etc/shadow- are configured
• secure_linux_cis::rules::ensure_permissions_on_etc_ssh_sshd_config_are_configured: Ensure permissions on /etc/ssh/sshd_config are configured
• secure_linux_cis::rules::ensure_permissions_on_ssh_private_host_key_files_are_configured: Ensure permissions on SSH private host key files are configured
• secure_linux_cis::rules::ensure_permissions_on_ssh_public_host_key_files_are_configured: Ensure permissions on SSH public host key files are configured
• secure_linux_cis::rules::ensure_prelink_is_disabled: Ensure prelink is disabled
• secure_linux_cis::rules::ensure_prelink_is_not_installed: Ensure prelink is not installed
• secure_linux_cis::rules::ensure_rds_is_disabled: Ensure RDS is disabled
• secure_linux_cis::rules::ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally: Ensure re-authentication for privilege escalation is not disabled globally
• secure_linux_cis::rules::ensure_remote_login_warning_banner_is_configured_properly: Ensure remote login warning banner is configured properly
• secure_linux_cis::rules::ensure_removable_media_partitions_include_noexec_option: Ensure removable media partitions include noexec option
• secure_linux_cis::rules::ensure_reverse_path_filtering_is_enabled: Ensure Reverse Path Filtering is enabled
• secure_linux_cis::rules::ensure_root_path_integrity: Ensure root PATH Integrity
• secure_linux_cis::rules::ensure_rpc_is_not_installed: Ensure RPC is not installed
• secure_linux_cis::rules::ensure_rpcbind_is_not_installed_or_the_rpcbind_service_is_disabled: Ensure rpcbind is not installed or the rpcbind service is disabled
• secure_linux_cis::rules::ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked: Ensure rpcbind is not installed or the rpcbind services are masked
• secure_linux_cis::rules::ensure_rsh_client_is_not_installed: Ensure rsh client is not installed
• secure_linux_cis::rules::ensure_rsh_server_is_not_enabled: Ensure rsh server is not enabled
• secure_linux_cis::rules::ensure_rsync_daemon_is_not_installed_or_the_rsyncd_service_is_masked: Ensure rsync-daemon is not installed or the rsyncd service is masked
• secure_linux_cis::rules::ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked: Ensure rsync is not installed or the rsyncd service is masked
• secure_linux_cis::rules::ensure_rsync_service_is_either_not_installed_or_masked: Ensure rsync service is either not installed or masked
• secure_linux_cis::rules::ensure_rsync_service_is_not_enabled: Ensure rsync service is not enabled
• secure_linux_cis::rules::ensure_rsync_service_is_not_installed: Ensure rsync service is not installed
• secure_linux_cis::rules::ensure_rsyslog_default_file_permissions_are_configured: Ensure rsyslog default file permissions are configured  
• secure_linux_cis::rules::ensure_rsyslog_default_file_permissions_configured: Ensure rsyslog default file permissions configured
• secure_linux_cis::rules::ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host: Ensure rsyslog is configured to send logs to a remote log   host
• secure_linux_cis::rules::ensure_rsyslog_is_installed: Ensure rsyslog is installed
• secure_linux_cis::rules::ensure_rsyslog_is_not_configured_to_receive_logs_from_a_remote_client: Ensure rsyslog is not configured to receive logs from a remote client
• secure_linux_cis::rules::ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client: Ensure rsyslog is not configured to recieve logs from a remote client
• secure_linux_cis::rules::ensure_rsyslog_service_is_enabled: Ensure rsyslog service is enabled
• secure_linux_cis::rules::ensure_rsyslog_service_is_enabled_and_running: Ensure rsyslog Service is enabled and running
• secure_linux_cis::rules::ensure_samba_is_not_installed: Ensure Samba is not installed
• secure_linux_cis::rules::ensure_sctp_is_disabled: Ensure SCTP is disabled
• secure_linux_cis::rules::ensure_secure_icmp_redirects_are_not_accepted: Ensure secure ICMP redirects are not accepted
• secure_linux_cis::rules::ensure_selinux_is_installed: Ensure SELinux is installed
• secure_linux_cis::rules::ensure_selinux_is_not_disabled_in_bootloader_configuration: Ensure SELinux is not disabled in bootloader configuration
• secure_linux_cis::rules::ensure_selinux_policy_is_configured: Ensure SELinux policy is configured
• secure_linux_cis::rules::ensure_separate_partition_exists_for_home: Ensure separate partition exists for /home
• secure_linux_cis::rules::ensure_separate_partition_exists_for_var: Ensure separate partition exists for /var
• secure_linux_cis::rules::ensure_separate_partition_exists_for_var_log: Ensure separate partition exists for /var/log
• secure_linux_cis::rules::ensure_separate_partition_exists_for_var_log_audit: Ensure separate partition exists for /var/log/audit
• secure_linux_cis::rules::ensure_separate_partition_exists_for_var_tmp: Ensure separate partition exists for /var/tmp
• secure_linux_cis::rules::ensure_session_initiation_information_is_collected: Ensure session initiation information is collected
• secure_linux_cis::rules::ensure_setroubleshoot_is_not_installed: Ensure SETroubleshoot is not installed
• secure_linux_cis::rules::ensure_shadow_group_is_empty: Ensure shadow group is empty
• secure_linux_cis::rules::ensure_snmp_server_is_not_installed: Ensure SNMP Server is not installed
• secure_linux_cis::rules::ensure_source_routed_packets_are_not_accepted: Ensure source routed packets are not accepted
• secure_linux_cis::rules::ensure_ssh_access_is_limited: Ensure SSH access is limited
• secure_linux_cis::rules::ensure_ssh_allowtcpforwarding_is_disabled: Ensure SSH AllowTcpForwarding is disabled
• secure_linux_cis::rules::ensure_ssh_hostbasedauthentication_is_disabled: Ensure SSH HostbasedAuthentication is disabled
• secure_linux_cis::rules::ensure_ssh_idle_timeout_interval_is_configured: Ensure SSH Idle Timeout Interval is configured
• secure_linux_cis::rules::ensure_ssh_ignorerhosts_is_enabled: Ensure SSH IgnoreRhosts is enabled
• secure_linux_cis::rules::ensure_ssh_logingracetime_is_set_to_one_minute_or_less: Ensure SSH LoginGraceTime is set to one minute or less
• secure_linux_cis::rules::ensure_ssh_loglevel_is_appropriate: Ensure SSH LogLevel is appropriate
• secure_linux_cis::rules::ensure_ssh_maxsessions_is_limited: Ensure SSH MaxSessions is limited
• secure_linux_cis::rules::ensure_ssh_maxstartups_is_configured: Ensure SSH MaxStartups is configured
• secure_linux_cis::rules::ensure_ssh_pam_is_enabled: Ensure SSH PAM is enabled
• secure_linux_cis::rules::ensure_ssh_permitemptypasswords_is_disabled: Ensure SSH PermitEmptyPasswords is disabled
• secure_linux_cis::rules::ensure_ssh_permituserenvironment_is_disabled: Ensure SSH PermitUserEnvironment is disabled
• secure_linux_cis::rules::ensure_ssh_root_login_is_disabled: Ensure SSH root login is disabled
• secure_linux_cis::rules::ensure_ssh_warning_banner_is_configured: Ensure SSH warning banner is configured
• secure_linux_cis::rules::ensure_sticky_bit_is_set_on_all_world_writable_directories: Ensure sticky bit is set on all world-writable directories
• secure_linux_cis::rules::ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded: Ensure successful and unsuccessful attempts to use the chacl command are recorded
• secure_linux_cis::rules::ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded: Ensure successful and unsuccessful attempts to use the chcon command are recorded
• secure_linux_cis::rules::ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded: Ensure successful and unsuccessful attempts to use the setfacl command are recorded
• secure_linux_cis::rules::ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded: Ensure successful and unsuccessful attempts to use the usermod command are recorded
• secure_linux_cis::rules::ensure_successful_file_system_mounts_are_collected: Ensure successful file system mounts are collected
• secure_linux_cis::rules::ensure_sudo_authentication_timeout_is_configured_correctly: Ensure sudo authentication timeout is configured correctly
• secure_linux_cis::rules::ensure_sudo_commands_use_pty: Ensure sudo commands use pty
• secure_linux_cis::rules::ensure_sudo_is_installed: Ensure sudo is installed
• secure_linux_cis::rules::ensure_sudo_log_file_exists: Ensure sudo log file exists
• secure_linux_cis::rules::ensure_suspicious_packets_are_logged: Ensure suspicious packets are logged
• secure_linux_cis::rules::ensure_system_accounts_are_secured: Ensure system accounts are secured
• secure_linux_cis::rules::ensure_system_administrator_actions_sudolog_are_collected: Ensure system administrator actions (sudolog) are collected
• secure_linux_cis::rules::ensure_system_administrator_command_executions_sudo_are_collected: Ensure system administrator command executions (sudo) are collected
• secure_linux_cis::rules::ensure_system_is_disabled_when_audit_logs_are_full: Ensure system is disabled when audit logs are full
• secure_linux_cis::rules::ensure_system_wide_crypto_policy_is_not_legacy: Ensure system-wide crypto policy is not legacy
• secure_linux_cis::rules::ensure_system_wide_crypto_policy_is_not_over_ridden: Ensure system-wide crypto policy is not over-ridden
• secure_linux_cis::rules::ensure_systemd_journal_remote_is_installed: Ensure systemd-journal-remote is installed
• secure_linux_cis::rules::ensure_systemd_timesyncd_is_configured: Ensure systemd-timesyncd is configured
• secure_linux_cis::rules::ensure_systemd_timesyncd_is_enabled_and_running: Ensure systemd-timesyncd is enabled and running
• secure_linux_cis::rules::ensure_talk_client_is_not_installed: Ensure talk client is not installed
• secure_linux_cis::rules::ensure_talk_server_is_not_enabled: Ensure talk server is not enabled
• secure_linux_cis::rules::ensure_tcp_syn_cookies_is_enabled: Ensure TCP SYN Cookies is enabled
• secure_linux_cis::rules::ensure_tcp_wrappers_is_installed: Ensure TCP Wrappers is installed (deprecated)
• secure_linux_cis::rules::ensure_telnet_client_is_not_installed: Ensure telnet client is not installed
• secure_linux_cis::rules::ensure_telnet_server_is_not_installed: Ensure telnet-server is not installed
• secure_linux_cis::rules::ensure_tftp_client_is_not_installed: Ensure TFTP client is not installed
• secure_linux_cis::rules::ensure_tftp_server_is_not_enabled: Ensure tftp server is not enabled
• secure_linux_cis::rules::ensure_tftp_server_is_not_installed: Ensure TFTP Server is not installed
• secure_linux_cis::rules::ensure_the_audit_configuration_is_immutable: Ensure the audit configuration is immutable
• secure_linux_cis::rules::ensure_the_mcs_translation_service_mcstrans_is_not_installed: Ensure the MCS Translation Service (mcstrans) is not installed
• secure_linux_cis::rules::ensure_the_selinux_mode_is_enforcing: Ensure the SELinux mode is enforcing
• secure_linux_cis::rules::ensure_the_selinux_mode_is_enforcing_or_permissive: Ensure the SELinux mode is enforcing or permissive
• secure_linux_cis::rules::ensure_the_selinux_mode_is_not_disabled: Ensure the SELinux mode is not disabled
• secure_linux_cis::rules::ensure_time_services_are_not_enabled: Ensure time services are not enabled
• secure_linux_cis::rules::ensure_time_synchronization_is_in_use: Ensure time synchronization is in use
• secure_linux_cis::rules::ensure_tipc_is_disabled: Ensure TIPC is disabled
• secure_linux_cis::rules::ensure_tmp_is_a_separate_partition: Ensure /tmp is a separate partition
• secure_linux_cis::rules::ensure_tmp_is_configured: Ensure /tmp is configured
• secure_linux_cis::rules::ensure_ufw_default_deny_firewall_policy: Ensure ufw default deny firewall policy
• secure_linux_cis::rules::ensure_ufw_firewall_rules_exist_for_all_open_ports: Ensure ufw firewall rules exist for all open ports
• secure_linux_cis::rules::ensure_ufw_is_installed: Ensure ufw is installed
• secure_linux_cis::rules::ensure_ufw_is_uninstalled_or_disabled_with_iptables: Ensure ufw is uninstalled or disabled with iptables
• secure_linux_cis::rules::ensure_ufw_is_uninstalled_or_disabled_with_nftables: Ensure ufw is uninstalled or disabled with nftables
• secure_linux_cis::rules::ensure_ufw_loopback_traffic_is_configured: Ensure ufw loopback traffic is configured
• secure_linux_cis::rules::ensure_ufw_service_is_enabled: Ensure ufw service is enabled
• secure_linux_cis::rules::ensure_unsuccessful_file_access_attempts_are_collected: Ensure unsuccessful file access attempts are collected
• secure_linux_cis::rules::ensure_unsuccessful_unauthorized_file_access_attempts_are_collected: Ensure unsuccessful unauthorized file access attempts are collected
• secure_linux_cis::rules::ensure_updates_patches_and_additional_security_software_are_installed: Ensure updates, patches, and additional security software are installed
• secure_linux_cis::rules::ensure_use_of_privileged_commands_are_collected: Ensure use of privileged commands are collected
• secure_linux_cis::rules::ensure_use_of_privileged_commands_is_collected: Ensure use of privileged commands is collected
• secure_linux_cis::rules::ensure_users_dot_files_are_not_group_or_world_writable: Ensure users' dot files are not group or world writable
• secure_linux_cis::rules::ensure_users_must_provide_password_for_escalation: Ensure users must provide password for escalation
• secure_linux_cis::rules::ensure_users_must_provide_password_for_privilege_escalation: Ensure users must provide password for privilege escalation
• secure_linux_cis::rules::ensure_users_netrc_files_are_not_group_or_world_accessible: Ensure users' .netrc Files are not group or world accessible
• secure_linux_cis::rules::ensure_users_own_their_home_directories: Ensure users own their home directories
• secure_linux_cis::rules::ensure_usrquota_option_set_on_home_partition: Ensure usrquota option set on /home partition
• secure_linux_cis::rules::ensure_var_tmp_partition_includes_the_nodev_option: Ensure /var/tmp partition includes the nodev option
• secure_linux_cis::rules::ensure_var_tmp_partition_includes_the_noexec_option: Ensure /var/tmp partition includes the noexec option
• secure_linux_cis::rules::ensure_var_tmp_partition_includes_the_nosuid_option: Ensure /var/tmp partition includes the nosuid option
• secure_linux_cis::rules::ensure_vsftp_server_is_not_installed: Ensure VSFTP Server is not installed
• secure_linux_cis::rules::ensure_wireless_interfaces_are_disabled: Ensure wireless interfaces are disabled
• secure_linux_cis::rules::ensure_x_window_system_is_not_installed: Ensure X Window System is not installed
• secure_linux_cis::rules::ensure_xd_nx_support_is_enabled: Ensure XD/NX support is enabled
• secure_linux_cis::rules::ensure_xdcmp_is_not_enabled: Ensure XDCMP is not enabled
• secure_linux_cis::rules::ensure_xdmcp_is_not_enabled: Ensure XDMCP is not enabled
• secure_linux_cis::rules::ensure_xinetd_is_not_enabled: Ensure xinetd is not enabled
• secure_linux_cis::rules::ensure_xinetd_is_not_installed: Ensure xinetd is not installed
• secure_linux_cis::sshd_service: Helper class for reloading various services when needed

Defined types

Public Defined types

Private Defined types

• secure_linux_cis::mount_options: Check and fix a mount with a single option

Plans

• secure_linux_cis

Classes

secure_linux_cis

CIS Hardening Module

Parameters

The following parameters are available in the secure_linux_cis class:

• include_rules
• exclude_rules
• exclude_x_window_packages
• grub_config_files
• su_group
• time_servers
• host_allow_rules
• host_deny_rules
• logging_host
• exclude_logs
• is_logging_host
• max_log_file
• max_auth_tries
• max_sessions
• max_startups
• time_sync
• mta
• mac
• ipv6_enabled
• approved_ciphers
• approved_kex
• approved_mac_algorithms
• client_alive_interval
• client_alive_count_max
• login_grace_time
• allow_users
• update_command
• allow_groups
• deny_users
• deny_groups
• minlen
• dcredit
• ucredit
• ocredit
• lcredit
• attempts
• lockout_time
• past_passwords
• pass_max_days
• pass_min_days
• pass_warn_days
• pass_inactive_days
• cron_service
• timeout
• banner
• motd
• auto_restart
• workstation_level_1
• workstation_level_2
• server_level_1
• server_level_2
• profile_type
• enforcement_level
• auditd_package
• selinux_mode
• default_firewalld_zone

include_rules

Data type: Array[String]

Which rules to include

exclude_rules

Data type: Array[String]

Which rules to exclude

exclude_x_window_packages

Data type: Array[String]

Which X window packages to exclude from removal

grub_config_files

Data type: Array[String]

Grub configuration

su_group

Data type: String

The default group for sudo rights

time_servers

Data type: Array[Stdlib::Host]

Array of valid NTP Time servers

host_allow_rules

Data type: Array[String]

Specifies which IP addresses are permitted to connect to the host

host_deny_rules

Data type: Array[String]

Specifies which IP addresses are not permitted to connect to the host

logging_host

Data type: String

Which host should logging be sent to

exclude_logs

Data type: Array[Stdlib::Unixpath]

What logs files to exclude from management

is_logging_host

Data type: Boolean

Is this host a logging host

max_log_file

Data type: Integer

Maximum log file

max_auth_tries

Data type: Integer[1,4]

How many authorization attempts to allow

max_sessions

Data type: Integer[1,10]

How many SSH sessions to allow

max_startups

Data type: String

How many SSH startups to allow

time_sync

Data type: Enum['ntp', 'chrony', 'systemd-timesuncd']

Which NTP program to use

mta

Data type: Enum['postfix', 'exim', 'none']

Which Mail Transfer program to use

mac

Data type: Enum['selinux', 'apparmor', 'none']

Which Mandatory Access Control to use

ipv6_enabled

Data type: Boolean

Should ipv6 be enabled

approved_ciphers

Data type: Array[String]

Which SSH Ciphers are approved for use

approved_kex

Data type: Array[String]

Which SSH Key Exchange algorithms are approved for use.

approved_mac_algorithms

Data type: Array[String]

Which SSH MAC algorigthms are approved for use

client_alive_interval

Data type: Integer

Client alive interval to use

client_alive_count_max

Data type: Integer[0,3]

Maximum specificed client alive count

login_grace_time

Data type: Integer

Login grace time

allow_users

Data type: Array[String]

Which users to allow

update_command

Data type: String

Command used to update OS packages

allow_groups

Data type: Array[String]

Which groups to allow

deny_users

Data type: Array[String]

Which users to deny

deny_groups

Data type: Array[String]

Which groups to deny

minlen

Data type: Integer

Minimum length

dcredit

Data type: Integer

D Credit

ucredit

Data type: Integer

U Credit

ocredit

Data type: Integer

O Credit

lcredit

Data type: Integer

L Credit

attempts

Data type: Integer

Number of attempts

lockout_time

Data type: Integer

Amount of time for lockout

past_passwords

Data type: Integer

Number of previous passwords

pass_max_days

Data type: Integer

Password maximum days

pass_min_days

Data type: Integer

Password minimum days

pass_warn_days

Data type: Integer

Password warning days

pass_inactive_days

Data type: Integer

Password inactive days

cron_service

Data type: Enum['cron', 'crond']

Should this system use cron or crond

timeout

Data type: Integer

Number of seconds of inactivity after which a shell terminates.

banner

Data type: String

String to be content of /etc/issue, /etc/issue.net (and /etc/motd if $motd not defined)

motd

Data type: String

String to be content of /etc/motd. If $banner is defined and $motd is not, $banner becomes content of /etc/motd

auto_restart

Data type: Boolean

If an automatic restart should occur when defined classes require a reboot to take effect

workstation_level_1

Data type: Array[String]

Workstation level 1 rules for this node

workstation_level_2

Data type: Array[String]

Workstation level 2 rules for this node

server_level_1

Data type: Array[String]

Server level 1 rules for this node

server_level_2

Data type: Array[String]

Server level 2 rules for this node

profile_type

Data type: Enum['workstation', 'server']

Is this node a server or workstation

enforcement_level

Data type: Integer[1, 2]

Enforce level 1 or level 2 rules

auditd_package

Data type: String

Auditd package

selinux_mode

Data type: Enum['enforcing', 'permissive']

SElinux mode enforcing or permissive. Defaults to enforcing.

default_firewalld_zone

Data type: Enum['drop', 'block', 'public', 'external', 'dmz', 'work', 'home', 'internal', 'trusted']

Firewalld zone to default o. Defaults to drop.

secure_linux_cis::refresh_mount_options

A description of what this class does

Examples

include secure_linux_cis::refresh_mount_options

secure_linux_cis::rules::ensure_code_dump_backtraces_are_disabled

Description: ingle user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.

secure_linux_cis::rules::ensure_code_dump_storage_is_disabled

Description: ingle user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.

secure_linux_cis::rules::ensure_default_group_for_the_root_account_is_gid_0

Description: The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user.

secure_linux_cis::rules::ensure_events_that_modify_the_system_s_mandatory_access_controls_are_collected

Description: Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux or directory.

Rationale: Changes to files in these directories could indicate that an unauthorized user is attempting to modify access controls and change security contexts, leading to a compromise of the system.

secure_linux_cis::rules::ensure_events_that_modify_the_system_s_network_environment_are_collected

Description: Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed prelogin), /etc/hosts (file containing host names and associated IP addresses), /etc/sysconfig/network file and /etc/sysconfig/network-scripts/ directory (containing network interface scripts and configurations).

Rationale: Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network and /etc/sysconfig/network-scripts/ is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records will be tagged with the identifier "system-locale."

secure_linux_cis::rules::ensure_gpg_keys_are_configured

Description: The gpgcheck option, found in the main section of the /etc/yum.conf and individual /etc/yum/repos.d/* files determines if an RPM package's signature is checked prior to its installation.

secure_linux_cis::rules::ensure_inactive_password_lock_is_30_days_or_less

Description: User accounts that have been inactive for over a given period of time can be automatically disabled. It is recommended that accounts that are inactive for 30 days after password expiration be disabled.

Rationale: Inactive accounts pose a threat to system security since the users are not logging in to notice failed login attempts or other anomalies.

secure_linux_cis::rules::ensure_ip6tables_default_deny_firewall_policy

Description: iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.

Rationale: iptables is required for firewall management and configuration.

secure_linux_cis::rules::ensure_ip6tables_is_enabled_and_active

Description: iptables allows configuration of the IPv4 tables in the linux kernel and the rules stored within them. Most firewall configuration utilities operate as a front end to iptables.

Rationale: iptables is required for firewall management and configuration.

secure_linux_cis::rules::ensure_iptables_is_not_enabled

Description: IPtables is an application that allows a system administrator to configure the IPv4 and IPv6 tables, chains and rules provided by the Linux kernel firewall. IPtables is installed as a dependency with firewalld.

Rationale: Running firewalld and IPtables concurrently may lead to conflict, therefore IPtables should be stopped and masked when using firewalld.

secure_linux_cis::rules::ensure_ipv6_firewall_rules_exist_for_all_open_ports

Description: Any ports that have been opened on non-loopback addresses need firewall rules to govern traffic.

Rationale: Without a firewall rule configured for open ports default firewall policy will drop all packets to these ports.

secure_linux_cis::rules::ensure_ipv6_is_disabled

Description: Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6.

Rationale: If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system.

secure_linux_cis::rules::ensure_ipv6_outbound_and_established_connections_are_configured

Description: Configure the firewall rules for new outbound, and established connections.

Rationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage.

secure_linux_cis::rules::ensure_ipv6_redirects_are_not_accepted

Description: This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic.

Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.

secure_linux_cis::rules::ensure_ipv6_router_advertisements_are_not_accepted

Description: This setting disables the system's ability to accept IPv6 router advertisements.

Rationale: It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.

secure_linux_cis::rules::ensure_logrotate_is_configured

Description: The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageable large. The file /etc/logrotate.d/syslog is the configuration file used to rotate log files created by syslog or rsyslog.

Rationale: By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files.

secure_linux_cis::rules::ensure_minimum_days_between_password_changes_is_7_or_more

Description: The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days.

Rationale: By restricting the frequency of password changes, an administrator can prevent users from repeatedly changing their password in an attempt to circumvent password reuse controls.

secure_linux_cis::rules::ensure_mounting_of_fat_filesystems_is_disabled

Description: The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.

Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

secure_linux_cis::rules::ensure_mounting_of_jffs2_filesystems_is_disabled

Description: The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices.

Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

secure_linux_cis::rules::ensure_mounting_of_vfat_filesystems_is_limited

Description: The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.

Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

secure_linux_cis::rules::ensure_nfs_and_rpc_are_not_enabled

Description: The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.

Rationale: If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface.

secure_linux_cis::rules::ensure_nftables_is_not_installed_with_firewalld

Description: Chains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization.

Rationale: If a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables.

secure_linux_cis::rules::ensure_outbound_and_established_connections_are_configured

Description: Configure the firewall rules for new outbound, and established connections.

Rationale: If rules are not in place for new outbound, and established connections all packets will be dropped by the default policy preventing network usage.

secure_linux_cis::rules::ensure_package_manager_repositories_are_configured

Description: Systems need to have package manager repositories configured to ensure they receive the latest patches and updates.

secure_linux_cis::rules::ensure_password_expiration_is_365_days_or_less

Description: The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 365 days.

Rationale: The window of opportunity for an attacker to leverage compromised credentials or successfully compromise credentials via an online brute force attack is limited by the age of the password. Therefore, reducing the maximum age of a password also reduces an attacker's window of opportunity.

secure_linux_cis::rules::ensure_password_expiration_warning_days_is_7_or_more

Description: The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days.

Rationale: Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered.

secure_linux_cis::rules::ensure_permissions_on_etc_cron_tab_are_configured

Description: The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.

Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

secure_linux_cis::rules::ensure_permissions_on_etc_group_dash_are_configured

Description: The /etc/group- file contains a backup list of all the valid groups defined in the system.

secure_linux_cis::rules::ensure_permissions_on_etc_gshadow__are_configured

Description: The /etc/gshadow- file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.

Parameters

The following parameters are available in the secure_linux_cis::rules::ensure_permissions_on_etc_gshadow__are_configured class:

• enforced

enforced

Data type: Boolean

Default value: true

secure_linux_cis::rules::ensure_ssh_loglevel_is_set_to_info

Description: The INFO parameter specifies that login and logout activity will be logged.

Rationale: SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

Defined types

Plans

secure_linux_cis

The secure_linux_cis class.

Parameters

The following parameters are available in the secure_linux_cis plan:

• targets
• time_servers
• profile_type

targets

Data type: TargetSpec

time_servers

Data type: Array[Stdlib::Host]

Default value: ['time.google.com']

profile_type

Data type: Enum['workstation', 'server']

Default value: 'server'

Changelog

Release 4.0.0

• Simplified main API
• Added back include and exclude rules

Release 3.2.1

• Slowly becoming usable again
• Remove old classes
• Remove unsupported OS versions
• Simplify documentation
• Add AlmaLinux

Release 3.2.0

• Add missing checks
• Remove some facts
• Limit firewall to iptables
• Remove unused hardening schedule

Release 3.1.0

• Moved multiple code to execs instead of using facts.
• Fixed home nodev selection fact
• Formatting changes

Release 2.0.18

• Ensure grub2 password is super user

Release 2.0.17

• Strengthened ciphers. Thanks to Tom Parker @tparkercbn.

Release 2.0.14

• Cleaned up and fixed the way /var/log directory is secured.

Release 2.0.13

• Important fixes

Release 2.0.12

• Fix for su command is restricted bug

Release 2.0.11

• Add whitelist for non-nologin shells
• Make TMOUT variable configurable
• Support for Debian10
• Add file test for tcp6 to pevent warning if tcp6 disabled

Release 2.0.10

• New updated documentation
• Apache license
• Litmus acceptance testing

Release 2.0.5 Release Candidate

• Added plan to harden OS's
• Separated Centos 7 and RHEL 7 into server / workstation profiles

Release 2.0.0 Release Candidate

• Major release adding Linux releases and refactoring
• Module level hiera now used with (optional) exclude_rules subtracted from include_rules
• Not all OS's supported as yet

Release 1.0.17

• Fix issue with logic in cis_1_7_2
• Correct syntax in rootpw fact
• Fix logic in cis_1_2_1
• Fix type for cis_6_2_6 in centos.pp

Release 1.0.16

• Add file_line management of /etc/default/useradd INACTIVE entry in cis_5_4_1_4 to meet Nessus scan requirement
• Expand puppetlabs/firewall version range to >= 1.15.0 < 3.0.0 as many other modules still have < 2.0.0 and this module will fail to install
• Added support for CIS 4.1.12
• Add newlines to the end of /etc/hosts.{allow,deny} in cis_3_4_2 and cis_3_4_3
• cis_5_4_1_4 now also covers the default setting

Release 1.0.15

• Activate use of cis_1_1_3, cis 1_1_4 and cis_1_1_5 to manage /tmp partition options in centos7.pp
• Change management of /dev/shm to use mount resource in cis_1_1_15 as not listed in /etc/fstab and mount_options.pp fails
• Move TMOUT setting from cis_5_4_4 to cis 5_4_5, add export and readonly lines to /etc/bashrc
• Add oboe/chrony to dependencies in metadata to allow time_sync to work with chrony
• Add puppetlabs/mount_core to metadata to maintain compliance with puppet 6
• Raise minimum version requirements for dependencies in metadata
• Raise Puppet version requirement to >= 5.0.0 < 7.0.0

Release 1.0.14

Thanks to Bart-Jan Vrielink for fixing our spec test.

Release 1.0.13

• Added AIDE database renaming to cis_1_3_1 as 'aide --init' command creates a new temporary file requiring renaming
• Change cis_1_6_11 to use kernel_parameter instead of file_line to set 'quiet' in grub.cfg, to avoid entire line being overwritten in /etc/default/grub.cfg
• Add optional $motd parameter to be sole content of /etc/motd in cis_1_7_1_4. If not defined and $banner is defined, $banner becomes content of /etc/motd
• Restore sysctl resources when disabling ipv6 in cis_3_3_1, cis_3_3_2 and cis_3_3_3, remove kernel_parameter from cis_3_3_3 as problematic when using sysctl to disable and check ipv6, add /etc/sysconfig/network entries
• Update cis_3_3_3 and cis_3_6_2 to allow ip6_tables to drop undefined traffic
• Fix typo in cis_5_3_1 of try_first_path instead of try_first_pass
• Remove nullok and add shadow to /etc/pam.d system-auth and password-auth in cis_5_3_3
• Remove all use of pkill, add rsyslog and rsyslog-ng classes to array of classes that trigger an opt-in reboot, as rsyslog can be (outside of this module) configured to halt system or boot into single mode if terminated
• Fix various custom fact scripts issues with missing .sh, false positives when home dir absent, reduce script file and directory permissions to 0700
• Update local_users custom fact to allow for users whose password needs to be changed
• Move location of custom fact scripts directory from /tmp/cis_scripts to /usr/share/cis_scripts as fail to execute if /tmp mounted noexec as per recommendations!
• Remove subscription_manager from dependencies as appears unused

Release 1.0.12

• Fix cis_5_2_14 ssh DenyGroups typo
• Refactor remaining bash scripts using Shellcheck and test functions
• Replace sysctl resources with file_line in cis_3_3_1, cis_3_3_2 and cis_3_3_3 as sysctl fails to write to /proc/sys/net/ipv6 when kernel_parameter ipv6.disable=1 in effect and system has been rebooted. Kernel_parameter requires a reboot to have effect.
• Add shared resources block to end of centos7.pp and redhat7.pp to invoke service/system reload or restart only when notified
• Add parameter for auto_restart when defined classes make changes that require a reboot to take effect (defaults to false)
• Add optional parameter for banner which becomes the sole content of /etc/issue, /etc/issue.net and /etc/motd

Release 1.0.11

• Create resource collector override to disable ip6tables in class cis_3_3_3 when ipv6 disabled
• Change default of ip6_enabled to false (ipv6 is now now opt-in)
• Increase max_log_file default size from 8 to 32Mb to satisfy Nessus scan

Release 1.0.10

• Fix multiple line issue with cis 5.2.10

Release 1.0.9

• Multiple cleanup
• Grub fixes
• Started plan

Release 1.0.8

• Refactoring by CanIHaveThisOne
• Change audit.rules entries to /etc/audit/rules.d/audit.rules so persistent across reboots
• Add '-e 2' to audit.rules to make immutable (activate class cis_4_1_18)
• Refactor and expand local_users fact and classes cis_5_4_1_1 to cis_5_4_1_5
• Reinstate confining facts to RedHat
• Re-fix typo in auditd rule cis_4_1_4

Release 1.0.7

• Added multiple enhancements by Dan Wittenberg
• Move to PDK 12

Release 1.0.5

• Confined facts to RedHat family

Release 1.0.1

Added selinux test and check by Patrick Picard (patpicos).

Made changes for Puppet 6.

Features

Bugfixes

Known Issues