CIS Benchmark Compliance for RHEL 7


Version information

  • 1.0.0 (latest)
released Jul 31st 2016

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'perfecto25-cis_rhel7', '1.0.0'

Add this module to your Bolt project:

bolt module add perfecto25-cis_rhel7

Manually install this module globally with Puppet module tool:

puppet module install perfecto25-cis_rhel7 --version 1.0.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



perfecto25/cis_rhel7 — version 1.0.0 Jul 31st 2016


Table of Contents

  1. Description
  2. Setup - The basics of getting started with cis_rhel7
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module


This is a Puppet implementation of the CIS (Center for Internet Security) Benchmarks for Red Hat Enterprise Linux 7 servers. This module contains numbered rules corresponding to the CIS Benchmark document (version 1.0) found here


What cis_rhel7 affects

This module does not change anything on your test systems; it is merely an auditing and reporting tool that reports back any vulnerabilities it finds. The module controls the various server components (files, directories, services, packages, etc.) through the Puppet "noop" parameter: Puppet evaluates each declared state with the no-op flag set and returns any inconsistencies instead of correcting them.

If you'd like this module to enforce the actual rules on your nodes, open the $module/manifests/params.pp file, edit the Resource Defaults, and set the NOOP parameter to "false".
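
The audit-versus-enforce switch described above, sketched as an added example (this is not the module's own params.pp). The class name cis_audit_example, the $audit_only parameter and the three sample rules are hypothetical and carry no CIS rule numbers.

```puppet
# Added illustration, not code from cis_rhel7.
# Resource defaults declared in a class apply to every resource of that
# type declared in the same scope, so one flag switches all rules between
# "report only" and "enforce".
class cis_audit_example (
  Boolean $audit_only = true,   # true = report drift only, false = enforce
) {

  # Resource defaults: each File, Service and Package below inherits the
  # noop metaparameter without repeating it per resource.
  File    { noop => $audit_only }
  Service { noop => $audit_only }
  Package { noop => $audit_only }

  # Constructed sample rule: restrictive ownership and mode on the system crontab.
  file { '/etc/crontab':
    owner => 'root',
    group => 'root',
    mode  => '0600',
  }

  # Constructed sample rule: a service that should not be running.
  service { 'avahi-daemon':
    ensure => stopped,
    enable => false,
  }

  # Constructed sample rule: a package that should not be installed.
  package { 'telnet-server':
    ensure => absent,
  }
}
```

With $audit_only left at true, each out-of-compliance resource shows up in the agent run as a noop event and the node is left unchanged; setting it to false makes the same declarations corrective.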

Setup Requirements

This module requires 2 additional modules:

  1. puppetlabs-stdlib
  2. herculesteam-augeasproviders_pam


To use this module, clone it from git into your base module path and assign your nodes to the 'cis_rhel7' class. The next time your agents run, they will run a full CIS compliance check and report inconsistencies.

Make sure to run this module at least 2 times on each node, as the first run will generate the facts, the 2nd run will give the fact

Each rule within the benchmark reports the specific rule number that can be referenced in the CIS document.

To include or exclude specific rules, open the $module/manifests/init.pp and comment out any rule #s that you do not want to test for.

Note - not all rules can be handled directly by Puppet. For those that cannot be handled by Puppet's Resources, there are a number of shell scripts under the $module/files directory.

The shell scripts are copied to the node into the /tmp/cis_scripts directory. The manifest that does this is $module/manifests/rule/prereq.pp

These scripts generate output that gets captured by Puppet custom facts. The custom fact is located in the $module/lib/facter directory; it's a single fact that generates a number of custom facts with a "cis_" prefix. T

To see these custom facts, run "facter -p"


This module was tested using Puppet 4.5 (PE 2016.2) as the Master (running on Ubuntu 14.04), and tested on:

  1. RedHat 7 x64
  2. CentOS 7 x64


Testing is welcome; please log any issues here:

cis_rhel7 issues list

The cis_rhel7 module was developed by perfecto25; you can contact me via GitHub.