fervidus / secure_linux_cis
License: Apache License 2.0
The source control repo is missing tags for Forge build versions; please release tags to GitHub so the matching commits for builds can be sourced when proxying the project.
CIS have recently published the benchmarks for CentOS 8 & RHEL 8. I have just downloaded them and will look at the changelogs tonight. My preference is to get CentOS in first.
Would be great to get this into the module.
If /etc/sysconfig/sshd contains an empty assignment:
CRYPTO_POLICY=
then this error occurs:
"Error: Facter: error while resolving custom fact "crypto_policy_sshd": unexpected return"
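One way to make such a fact tolerate an empty assignment, as an added example that is not the module's own fact code (the function names and the Facter registration are assumptions): the parser returns nil for a missing, commented-out or empty CRYPTO_POLICY line instead of producing an unexpected return.

```ruby
# Added example: defensive parsing of CRYPTO_POLICY in /etc/sysconfig/sshd,
# suitable for the setcode block of a custom fact such as crypto_policy_sshd.

# Parse the text of an sshd sysconfig file and return the CRYPTO_POLICY value,
# or nil when the variable is absent, commented out or assigned an empty value.
def parse_crypto_policy(text)
  policy = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, _, value = line.partition('=')
    next unless key.strip == 'CRYPTO_POLICY'
    # Strip one pair of surrounding quotes; an empty assignment stays empty.
    value = value.strip.sub(/\A(["'])(.*)\1\z/, '\2')
    # The last assignment wins, as it would when the shell sources the file.
    policy = value.empty? ? nil : value
  end
  policy
end

# Read the real file; nil when it does not exist (for example on Debian).
def crypto_policy_sshd(path = '/etc/sysconfig/sshd')
  return nil unless File.file?(path)
  parse_crypto_policy(File.read(path))
end

# Register the fact only when running under Facter, so the plain Ruby
# functions above can also be exercised stand-alone.
if defined?(Facter)
  Facter.add('crypto_policy_sshd') do
    confine :osfamily => :RedHat
    setcode { crypto_policy_sshd }
  end
end

# Constructed sample inputs covering the empty, set and absent cases.
SAMPLE_EMPTY = "# sshd sysconfig\nCRYPTO_POLICY=\n"
SAMPLE_SET   = "CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com'\n"
SAMPLE_NONE  = "# CRYPTO_POLICY=\nOPTIONS=\n"
```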
There is a typo in cis_5_2_15.pp. I did a pull request for the fix -> #56
Can someone review and merge?
Thank you
Ken
If chrony is selected as the time_sync value, cis_2_2_1_3 fails to apply, as there is no chrony resource listed in the dependencies. I have looked briefly at using aboe/chrony; however, this should be checked further, as there are a few chrony modules to choose from (not all will work with an array time source, for example).
aboe/chrony was removed on a previous merge when fixtures and metadata were made uniform - may have been my bad...
EDIT: it does appear in .fixtures but not in puppetfile or metadata
This module is resource intensive.
Customers don't want this running every half hour or so.
A scheduler should be accepted that limits the time this can run.
So in the RHEL 7 CIS, version 2.2.0, the standard checks if grep "^GRUB2_PASSWORD" /boot/grub2/grub.cfg returns anything. lib/facter/grub_pass.rb checks for that in /boot/grub/*.cfg, but the grub_user resource in manifests/rules/ensure_bootloader_password_is_set.pp results in a line password_pbkdf2 root grub.pbkdf2.... in /boot/grub2/grub.cfg, causing the grub_pass fact to always flag for a missing password.
The simplest fix would be to adjust the grep in the fact code, but I figured I'd get feedback on this before submitting a PR. The Debian section of the fact may also need similar changes, but I haven't tested this on a Debian system to know for certain.
Applying the secure_linux_cis::rules::ensure_lockout_for_failed_password_attempts_is_configured rule causes all logins to be denied, because pam_tally2.so is not found. pam_tally2.so is not available in Debian 11 (stable) and later; instead pam_faillock.so should be used.
Need to disable rules with Hiera; also applicable to the 3.0.0 descriptive-name-based 'rules' .pp files.
Reason: some rules need to be excluded to avoid a "Duplicate resource" error when applying hardening together with environment-specific hardening that might have more granular rules, or rules that use the same resources as secure_linux_cis does.
I can't seem to install the module as the module dependency is broken:
[centos@puppet ~]$ puppet module install fervid-secure_linux_cis --version 2.1.16
Notice: Preparing to install into /home/centos/.puppetlabs/etc/code/modules ...
Notice: Downloading from https://forgeapi.puppet.com ...
Error: Could not install module 'fervid-secure_linux_cis' (???)
  No version of 'fervid-secure_linux_cis' can satisfy all dependencies
    Use `puppet module install --ignore-dependencies` to install only this module
And before you reply 'wait, that's a lot of work', please look at https://github.com/bjvrielink/secure_linux_cis/tree/debian for an almost complete implementation I'm currently working on for debian9.
It is still work in progress:
I could use some input/feedback on how I wrote the code for Debian 9 support. I tried to re-use as much code as possible, and made any class that was RedHat specific also work on Debian (9). This resulted in many 'redhat7' classes included in 'debian9.pp', which looks weird but works. Any thoughts on a better way of doing this?
RHEL 8.3.0 (from AWS AMI RHEL-8.3.0_HVM-20201031-x86_64-0-Hourly2-GP2 [ami-044c46b1952ad5861]) is failing the following rules:
secure_linux_cis::rules::ensure_nftables_is_not_enabled
secure_linux_cis::rules::ensure_ipv6_loopback_traffic_is_configured
secure_linux_cis::rules::ensure_nodev_option_set_on_tmp_partition
secure_linux_cis::rules::ensure_nosuid_option_set_on_tmp_partition
secure_linux_cis::rules::ensure_noexec_option_set_on_tmp_partition
secure_linux_cis::rules::ensure_mail_transfer_agent_is_configured_for_local_only_mode
Is this expected?
Your README has the following under Limitations: "RedHat family '8' OSes are not fully covered. Almost, but not quite."
metadata.json has "version": "2.1.13", however this appears to be tagged as 2.0.13.
The tag versions appear to be inconsistent since 2.1.10?
Available tags for v2+
v2.1.12
v2.1.11
v2.1.10
v2.0.13
v2.0.10
The module on the forge is not current with what is here on Github, despite the version being the same in metadata.
Also, the version on the Forge fails to install as the dependency for nftables is incorrect, referencing puppetlabs instead of puppet (Vox Pupuli). The version is also too low, with an upper limit of <2.0.0 (it is now at v2.1.0).
Can you please update the metadata as below and publish the current github copy to the forge?
{ "name": "puppet/nftables", "version_requirement": ">= 2.0.0 < 3.0.0" },
Can you please publish it so I can do a CLI install? Thanks.
Hey - thanks for all your work on this module. Been very helpful getting us across the line for CIS hardening.
Wondering if you're interested in a pull request & discussion around how your module handles kernel parameters.
Currently, some assumptions are made on whether kernel parameters should live in GRUB_CMDLINE_LINUX or GRUB_CMDLINE_LINUX_DEFAULT & no checks are done on whether each parameter is already set in an alternative boot mode.
This leads to a couple of potential complications
I propose changing the logic to
Happy to supply a pull request, or discuss further- if you're interested in changing this logic.
In previous secure_linux_cis releases (e.g. v2.1.18) the benchmark version for Amazon 2 was 2.2.0; now I'm seeing that for the latest secure_linux_cis release (v3.1.2) the Amazon 2 benchmark version is 1.0.0. Is this intentional?
Thank you!
The CIS Level 1 setting for authentication required for single user mode on RHEL 8 differs from older RHEL versions. rules/ensure_authentication_required_for_single_user_mode.pp needs the ExecStart lines below for RHEL 8 (CIS RHEL 8 1.5.3).
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
This rule does not work.
File should be file_line, or you get duplicate resource declaration.
Scanning against Nessus with CentOS 7 CIS L1 & L2 v3.0.0 shows that CIS have added compliance rules since v2.2.0 which this module does not yet have (it looks like around 30). Unfortunately CIS have not included their usual changelog at the bottom of the new PDF, CIS_CentOS_Linux_7_Benchmark_v3.0.0.pdf.
I see that v 3.0.0 of this module has been published to the Puppet forge on 24/3, however is not visible here. The changelog is not updated, and there is a breaking change that has me concerned.
The 'enforced' param has been removed from the class logic, though it still appears as a documented param. This breaks conditional logic that I had implemented in a wrapping class such as the example below. Any information on this, and how to manage opt-out based on conditional logic in a wrapping class (not just relying on hiera) is appreciated.
I had been using such logic as (does not work with v3.0.0):
if !$install_aide {
  # Opt out of cis_1_3_1 AIDE package
  class{'::secure_linux_cis::rules::ensure_aide_is_installed': enforced => false}
  # Opt out of cis_1_3_2 AIDE cron
  class{'::secure_linux_cis::rules::ensure_filesystem_integrity_is_regularly_checked': enforced => false}
}
# Allow vfat filesystem if EFI present. Rule varies by os.major.release
if $facts['mountpoints']['/boot/efi'] {
  if $facts['os']['release']['major'] == '7' {
    # Opt out of cis_1_1_1_8
    class{'::secure_linux_cis::rules::ensure_mounting_of_fat_filesystems_is_disabled': enforced => false}
  } elsif $facts['os']['release']['major'] == '8' {
    # Opt out of cis_1_1_1_2
    class{'::secure_linux_cis::rules::ensure_mounting_of_vfat_filesystems_is_limited': enforced => false}
  }
}
I have tried adjusting the array; however, unlike the underlying Ruby, Puppet arrays are immutable.
class{'::secure_linux_cis': exclude_rules += ['ensure_aide_is_installed']} and variations do not work, nor does .delete.
I am trying to understand why the spec/unit tests fail with the camptocamp-postfix module that is specified in metadata, and instead use a puppet-postfix module served in fixtures from a GitHub repo.
This restricts unit tests to require internet connectivity to resolve the postfix module from "https://github.com/fervidus/puppet-postfix.git". However, acceptance tests and real-world use of the module work with the camptocamp-postfix specified in metadata.
Any clarification of why this is so and if it can be fixed is appreciated.
Lines 37 and 66 are missing a dash in time-change; therefore a host with this module applied and then scanned with Nessus fails rule 4.1.4, which checks the audit.rules file.
The lines in cis_4_1_4.pp are currently:
line => '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k timechange',
and should be:
line => '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',
Dear,
In rhel8/cis_3_4_2_3.pp there is a reference to the class secure_linux_cis::rules::ensure_nftables_is_not_enabled, which does not exist.
Kind regards
Johan
Steps to reproduce:
boot error:
Warning: /dev/mapper/centos_{hostname}-root does not exist
Warning: /dev/vg0/root does not exist
Warning: /dev/vg0/swap does not exist
Setting this class to enforced => false avoids the issue.
This issue has also been branched into 1.0.8.
I will investigate further; however, any thoughts are appreciated. Is rolling this file back to the release 1.0.5 version an option?
Although, as per the CIS benchmark, their advisory appears incorrect as regards the location and syntax for the grub2 password.
The custom fact grub_pass currently has:
'grep "^GRUB2 PASSWORD" /boot/grub2/grub.cfg'
However, it should be:
'grep "^GRUB2_PASSWORD" /boot/grub2/user.cfg' - note the user.cfg file, not grub.cfg, and the added underscore in the keyword.
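A check that reconciles the two issues above (the grub_pass fact grepping the wrong file and keyword, and the grub_user resource writing a password_pbkdf2 line into grub.cfg), as an added example that is not the module's grub_pass fact; the function names, path globs and sample contents are assumptions, and it accepts either form of evidence so neither one triggers a false "missing password".

```ruby
# Added example: decide whether a GRUB2 bootloader password is configured,
# accepting a GRUB2_PASSWORD= line in /boot/grub2/user.cfg (what the benchmark
# greps for) or a password_pbkdf2 directive in a grub.cfg (what the module's
# grub_user resource writes). A plain-text "password" directive is not accepted.

GRUB_USER_CFG  = '/boot/grub2/user.cfg'
GRUB_CFG_GLOBS = ['/boot/grub2/*.cfg', '/boot/grub/*.cfg',
                  '/boot/efi/EFI/*/grub.cfg'].freeze

# user.cfg: true only if GRUB2_PASSWORD is set to a pbkdf2 hash (an empty
# assignment does not count).
def user_cfg_has_password?(text)
  text.each_line.any? { |l| l =~ /\A\s*GRUB2_PASSWORD=grub\.pbkdf2\.sha512\./ }
end

# grub.cfg: true if it carries a password_pbkdf2 <user> <hash> directive.
def grub_cfg_has_password?(text)
  text.each_line.any? { |l| l =~ /\A\s*password_pbkdf2\s+\S+\s+grub\.pbkdf2\./ }
end

# Evaluate files given as path => contents. Missing files are simply absent
# from the hash; true when any file proves a password is set.
def grub_password_set?(files)
  files.any? do |path, text|
    if File.basename(path) == 'user.cfg'
      user_cfg_has_password?(text)
    else
      grub_cfg_has_password?(text)
    end
  end
end

# Read the real files from disk, considering only those that exist.
def grub_password_set_on_host?
  paths = (Dir.glob(GRUB_CFG_GLOBS) + [GRUB_USER_CFG]).uniq
  files = paths.select { |p| File.file?(p) }.map { |p| [p, File.read(p)] }.to_h
  grub_password_set?(files)
end

# Constructed samples; the hash values are placeholders, not real hashes.
SAMPLE_USER_CFG = "GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.PLACEHOLDER\n"
SAMPLE_GRUB_CFG = "set superusers=\"root\"\n" \
                  "password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER\n"
SAMPLE_NO_PASS  = "set timeout=5\n"
```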
For some reason I am getting a bunch of these errors. Any advice on how to resolve it?
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_suspicious_packets_are_logged.pp, line: 25)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_suspicious_packets_are_logged.pp, line: 25)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_suspicious_packets_are_logged/Sysctl[net.ipv4.conf.default.log_martians]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_suspicious_packets_are_logged.pp, line: 25)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_broadcast_icmp_requests_are_ignored.pp, line: 26)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_broadcast_icmp_requests_are_ignored.pp, line: 26)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_broadcast_icmp_requests_are_ignored/Sysctl[net.ipv4.icmp_echo_ignore_broadcasts]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_broadcast_icmp_requests_are_ignored.pp, line: 26)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_bogus_icmp_responses_are_ignored.pp, line: 22)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_bogus_icmp_responses_are_ignored.pp, line: 22)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_bogus_icmp_responses_are_ignored/Sysctl[net.ipv4.icmp_ignore_bogus_error_responses]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_bogus_icmp_responses_are_ignored.pp, line: 22)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 26)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 26)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_reverse_path_filtering_is_enabled/Sysctl[net.ipv4.conf.all.rp_filter]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 26)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 30)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 30)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_reverse_path_filtering_is_enabled/Sysctl[net.ipv4.conf.default.rp_filter]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 30)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_tcp_syn_cookies_is_enabled.pp, line: 29)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_tcp_syn_cookies_is_enabled.pp, line: 29)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_tcp_syn_cookies_is_enabled/Sysctl[net.ipv4.tcp_syncookies]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_tcp_syn_cookies_is_enabled.pp, line: 29)
The resource declaration on line 36 of 'services' should be 'service' and fails to compile a catalog when ipv6_enabled => false; however, when corrected it results in a duplicate resource declaration with puppetlabs/firewall.
A way to overcome this is to set in hiera:
firewall::ensure_v6: 'stopped'
However, a method needs to be determined for how to do this in the manifest.
I am trying resource collectors etc. but as yet do not have a way to stop/disable ip6tables from the firewall dependency. Overriding a default in a dependency is not as easy as it could be.
In manifests/rules/ensure_root_path_integrity.pp, the notify is triggered if the root_path.sh script returns any output.
Warning: /Stage[main]/Secure_linux_cis::Rules::Ensure_root_path_integrity/Notify[rp]/message: defined 'message' as 'Not in compliance with CIS (Scored). There is a "." or other writable directory in the root executable path. Check the root_path fact for details'
# facter -p root_path
/root/bin is not a directory
It possibly should only trigger for writable paths, and not for missing paths. I'm pretty sure that the default settings on RHEL 7 include /root/bin in root's default path, but there's no /root/bin folder created.
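An audit of a PATH value along the lines the comment above suggests, as an added example that is not the module's root_path.sh script or root_path fact (function name, message wording and the expected_uid parameter are assumptions): entries that do not exist, such as an uncreated /root/bin, are skipped, and only ".", empty entries, a trailing colon, non-root ownership and group/other write permission produce findings.

```ruby
# Added example: report only the root PATH integrity findings that matter,
# skipping missing directories rather than flagging them.
require 'tmpdir' # lets callers construct throwaway directories for testing

# Return an array of finding strings for a PATH value; an empty array means
# the PATH is clean. expected_uid is the owner every directory must have
# (0 for root on a real host; tests can pass Process.uid).
def audit_root_path(path, expected_uid: 0)
  findings = []
  findings << 'Trailing ":" in PATH' if path.end_with?(':')
  # split drops a trailing empty element, which the trailing-colon check covers
  path.split(':').each do |entry|
    if entry.empty?
      findings << 'Empty directory in PATH (::)'
      next
    end
    if entry == '.'
      findings << 'PATH contains "."'
      next
    end
    # A directory that does not exist cannot be written into by anyone,
    # so it is not a finding (this is the /root/bin case from the issue).
    next unless File.exist?(entry)
    unless File.directory?(entry)
      findings << "#{entry} is not a directory"
      next
    end
    st = File.stat(entry)
    findings << "Group write permission set on directory #{entry}" if st.mode & 0o020 != 0
    findings << "Other write permission set on directory #{entry}" if st.mode & 0o002 != 0
    findings << "#{entry} is not owned by uid #{expected_uid}" unless st.uid == expected_uid
  end
  findings
end

# Convenience wrapper mirroring a fact: the findings for root's own PATH,
# or an empty array when nothing is wrong. Uses the current PATH as a stand-in.
def root_path_findings(path = ENV.fetch('PATH', ''))
  audit_root_path(path)
end
```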
The following classes use the deprecated '.empty' evaluator instead of the preferred '== undef', and raise warnings on puppet apply:
cis_5_4_1_1.pp line 38
cis_5_4_1_2.pp line 37
cis_5_4_1_3.pp line 36
cis_5_4_1_4.pp line 28
Warning: Calling function empty() with Numeric value is deprecated.
When this module is present on a PuppetServer that manages both Windows and Linux hosts, unconfined facts cause errors on Windows hosts even though this class is not bound to the Windows hosts, as all custom facts get copied down and executed during a Puppet run.
Confining the facts to osfamily RedHat eliminates this issue, e.g.:
Facter.add('nologin') do
  confine :osfamily => :RedHat
  setcode do
    ...
The errors occur for the following facts, but the confine should probably be set for all facts:
Hi, 3.0.0 and 3.0.1 for RHEL 7 were released some time ago. I adjusted the module for 3.0.0.
Are you interested in a pull-request?
But since we're not using the firewall part, this would be missing.
The build status is showing as failed. Not sure if there hasn't been a new build to puppet forge.
Any ETA when a new release will be pushed to puppet forge?
Thanks
Version 3.0.0 on Puppet Forge doesn't work on Oracle Linux as the OS name is incorrect. Facter reports OracleLinux for the OS name, but the Hiera folder is data/os/Oracle. I see this fix has already been made on this repo; is there a timeline to fix this on Forge?
Also, the Forge module lists a number of rules which haven't been implemented, breaking the module. I've disabled them locally, but I wanted to make a note of them here:
Given that these rules aren't listed on the OL8 rules here, should we be using this repo as our source instead of Puppet Forge?
The changes in https://github.com/fervidus/secure_linux_cis/tree/f565e7cf69ab53b9e0b475dc35592247c5f243ce removed the useful information in the README regarding usage and considerations for exceptions and profiles.
Can we break that information out to a separate file or reintroduce it to the README, as it is invaluable to end users and consumers of the module.
Hello!
I've noticed that the include_rules and exclude_rules values have been commented out in the module's init.pp.
In previous releases this was enabled and allowed users to use Hiera.
Was this an intended change to interfacing with the module?
Thank you for your time and the work you have done on this repo!
There is a parameter auto_restart that I'd really want to be off, but even if it was off, the parameter is not used anyway.
Simply upgrading the module from 1.x to 2.x would mean all our servers would reboot, as for instance audit rules have slightly changed. This just scared the shit out of me.
Please please please do not default to rebooting systems!
puppetlabs/reboot is now at version 3.2.0; however, this module limits it to < 3.0.0. I am unaware of any compatibility issue. Raising this limit will also be one step toward Puppet 7 compatibility, as offered by reboot v3.2.0.
We are trying to integrate secure_linux_cis by fervidus into our existing Puppet infrastructure.
We have a lot of existing Puppet modules to prepare our cloud platform. We would like to harden some systems according to the CIS standard, but not all of them yet, since different customers have different requirements.
Our problem is that some of our modules declare the same resources as the CIS hardening module itself, so it comes to conflicts like: "Duplicate declaration: Package[XXX] is already declared".
We would like to prevent loading of some modules altogether if the corresponding rule is disabled; for example, if the 'secure_linux_cis::rules::ensure_chrony_is_configured::enforced: false' rule is disabled in Hiera, then ./manifests/rules/ensure_chrony_is_configured.pp won't be included at all, to prevent definition conflicts like 'Duplicate declaration: Package[chrony] is already declared at...'
I suppose that will be of great help for every big cloud provider that already has Puppet modules in place.
I'm running into another issue with two dependencies of this module, puppetlabs-firewall and puppet-firewalld. After switching to the GitHub repo in my Puppetfile, I've consistently been getting errors with the two modules duplicating a service declaration for firewalld. I ran into this before with this module, but updating to 3.0.0 on the Puppet Forge fixed it.
Here's the error:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Service[firewalld] is already declared at (file: /etc/puppetlabs/code/environments/development/modules/firewall/manifests/linux/redhat.pp, line: 54); cannot redeclare (file: /etc/puppetlabs/code/environments/development/modules/firewalld/manifests/init.pp, line: 78) (file: /etc/puppetlabs/code/environments/development/modules/firewalld/manifests/init.pp, line: 78, column: 3) on node [redacted]
I've tried disabling the ensure_firewalld_service_is_enabled_and_running rule as I think that's the main cause of the conflict, but haven't had any luck. A quick grep of the rest of the rules points to ensure_a_firewall_package_is_installed.pp as a potential problem, but I don't believe my code is triggering its else conditional.
else {
  class { '::firewalld':
    default_zone              => 'drop',
    schedule                  => 'harden_schedule',
    purge_direct_rules        => true,
    purge_direct_chains       => true,
    purge_direct_passthroughs => true,
  }
}
Line 17 needs to be changed from
if $enforced and !$facts['gnome_installed'].empty {
to
if $enforced and $facts['gnome_installed'] {
so it works with the refactored fact.
I can do this in my next pull request, however if another contributor has a pull request sooner can they please incorporate the fix?