the source control repo is missing tags for forge build versions, please release tags to github so the matching commits for builds can be sourced when proxying the project.

cis have recently published the benchmarks for centos 8 & rhel 8. I have just downloaded and will look at the changelogs tonight. My preference is to get centos in first.

Would be great to get this into the module.

if /etc/sysconfig/sshd contais emtpy assignment:
CRYPTO_POLICY=

Then an error comes:
"Error: Facter: error while resolving custom fact "crypto_policy_sshd": unexpected return"

There is a typo in cis_5_2_15.pp. I did a pull request for the fix -> #56

Can someone review and merge?

Thank you
Ken

if chrony is selected as time_sync value, cis_2_2_1_3 fails to apply as there is no chrony resource listed in dependencies. I have looked briefly at using aboe/chrony however this should be further checked as there are a few chrony modules to choose from (not all will work with an array time source for example).

aboe/chrony was removed on a previous merge when fixtures and metadata were made uniform - may have been my bad...

EDIT: it does appear in .fixtures but not in puppetfile or metadata

This module is resource intensive.

Customers don't want this running every half hour or so.

A scheduler should be accepted that limits the time this can run.

So in the RHEL 7 CIS, version 2.2.0, the standard checks if grep "^GRUB2_PASSWORD" /boot/grub2/grub.cfg returns anything. lib/facter/grub_pass.rb checks for that in /boot/grub/*.cfg, but the grub_user resource in manifests/rules/ensure_bootloader_password_is_set.pp results in a line

password_pbkdf2 root grub.pbkdf2....

in /boot/grub2/grub.cfg, causing the grub_pass fact to always flag for a missing password.

The simplest fix would be to adjust the grep in the fact code, but I figured I'd get feedback on this before submitting a PR. The Debian section of the fact may also need similar changes, but I haven't tested this on a Debian system to know for certain.

Applying the secure_linux_cis::rules::ensure_lockout_for_failed_password_attempts_is_configured rule causes all logins to be denied, because pam_tally2.so is not found.

pam_tally2.so is not available in Debian 11 (stable) and later, instead pam_faillock.so should be used.

Need to disable rules with Hiera also applicable to 3.0.0 descriptive based 'rules' .pp files.

Reason: some rules need to be excluded to avoid "Dublicate resource error" when applying hardening together with environment-specific hardening that might have more granular rules or rules that use same resources as secure_linux_cis does.

I can't seem to install the module as the module dependency is broken:

[centos@puppet ~]$ puppet module install fervid-secure_linux_cis --version 2.1.16 Notice: Preparing to install into /home/centos/.puppetlabs/etc/code/modules ... Notice: Downloading from https://forgeapi.puppet.com ... Error: Could not install module 'fervid-secure_linux_cis' (???) No version of 'fervid-secure_linux_cis' can satisfy all dependencies Use puppet module install --ignore-dependencies to install only this module

And before you reply 'wait, that's a lot of work', please look at https://github.com/bjvrielink/secure_linux_cis/tree/debian for an almost complete implementation I'm currently working on for debian9.
It is still work in progress:

• A dozen or so checks do not yet result in a passing grade in CIS-CAT
• I need to write spec tests for a few new classes
• More testing

I could use some input/feedback on how I wrote the code for Debian 9 support. I tried to re-use as much code as possible, and made any class that was RedHat specific also work on Debian(9). This resulted in many 'redhat7' classes included in 'debian9.pp'. Which looks weird, but works. Any thoughts on a better way of doing this?

RHEL 8.3.0 (from AWS AMI RHEL-8.3.0_HVM-20201031-x86_64-0-Hourly2-GP2 [ami-044c46b1952ad5861]) is failing the following rules:

secure_linux_cis::rules::ensure_nftables_is_not_enabled
secure_linux_cis::rules::ensure_ipv6_loopback_traffic_is_configured
secure_linux_cis::rules::ensure_nodev_option_set_on_tmp_partition
secure_linux_cis::rules::ensure_nosuid_option_set_on_tmp_partition
secure_linux_cis::rules::ensure_noexec_option_set_on_tmp_partition
secure_linux_cis::rules::ensure_mail_transfer_agent_is_configured_for_local_only_mode

Is this expected?

Your README has the following under Limitations: "RedHat family '8' OSes are not fully covered. Almost, but not quite."

metadata.json has "version": "2.1.13",, however this appears to be tagged as 2.0.13

The tag versions appear to be inconsistent since 2.1.10?

Available tags for v2+
v2.1.12
v2.1.11
v2.1.10
v2.0.13
v2.0.10

The module on the forge is not current with what is here on Github, despite the version being the same in metadata.

Also the version on the forge fails to install as the dependency for nftables is incorrect, referencing puppetlabs instead of puppet (vox pupuli). The version is also too low, with an upper limit of <2.0.0 (it is now at v2.1.0)

Can you please update the metadata as below and publish the current github copy to the forge?

{ "name": "puppet/nftables", "version_requirement": ">= 2.0.0 < 3.0.0" },

can you please publish it so I can do cli install? thanks

Hey - thanks for all your work on this module. Been very helpful getting us across the line for CIS hardening.
Wondering if you're interested in a pull request & discussion around how your module handles kernel parameters.

Currently, some assumptions are made on whether kernel parameters should live in GRUB_CMDLINE_LINUX or GRUB_CMDLINE_LINUX_DEFAULT & no checks are done on whether each parameter is already set in an alternative boot mode.

This leads to a couple of potential complications

1. Duplicate kernel parameters if already set in an alternate bootmode (potentially with conflicting values)
2. No ability to override which bootmode a kernel parameter is set for

I propose changing the logic to

1. Check if a parameter exists in alternative bootmodes, do not add in if it does.
2. Change bootmode to a variable, with the current values configured as default, allowing you to override.

Happy to supply a pull request, or discuss further- if you're interested in changing this logic.

In previous secure_linux_cis releases (ex. v2.1.18) the benchmark version for Amazon 2 was 2.2.0, now I'm seeing that for the latest secure_linux_cis release (v3.1.2) Amazon 2 benchmark version is 1.0.0 - is this intentional?

Thank you!

CIS level 1 settings of authentication required for single user mode on RHEL 8 is different as compared to older RHEL versions. rules/ensure_authentication_required_for_single_user_mode.pp with below ExecStart for RHEL8. CIS RHEL 8 1.5.3.

grep /systemd-sulogin-shell /usr/lib/systemd/system/rescue.service

ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

grep /systemd-sulogin-shell /usr/lib/systemd/system/emergency.service

ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency

This rule does not work.
File should be file_line, or you get duplicate resource declaration.

Scanning against Nessus with CentOS 7 CIS L1 & L2 v3.0.0 shows that CIS have added compliance rules from v 2.2.0 which this module does not yet have (It looks like around 30). Unfortunately CIS have not included their usual changelog at the bottom of new PDF
CIS_CentOS_Linux_7_Benchmark_v3.0.0.pdf

I see that v 3.0.0 of this module has been published to the Puppet forge on 24/3, however is not visible here. The changelog is not updated, and there is a breaking change that has me concerned.

The 'enforced' param has been removed from the class logic, though it still appears as a documented param. This breaks conditional logic that I had implemented in a wrapping class such as the example below. Any information on this, and how to manage opt-out based on conditional logic in a wrapping class (not just relying on hiera) is appreciated.

I had been using such logic as (does not work with v 3.0.0) :

  if !$install_aide {
    # Opt out of cis_1_3_1 AIDE package
    class{'::secure_linux_cis::rules::ensure_aide_is_installed':enforced => false}
    # Opt out of cis_1_3_2 AIDE cron
    class{'::secure_linux_cis::rules::ensure_filesystem_integrity_is_regularly_checked':enforced => false}
  }

  # Allow vfat filesystem if EFI present. Rule varies by os.major.release
  if $facts['mountpoints']['/boot/efi'] {
    if $facts['os']['release']['major'] == '7' {
      # Opt out of cis_1_1_1_8
      class{'::secure_linux_cis::rules::ensure_mounting_of_fat_filesystems_is_disabled':enforced => false}
    } elsif $facts['os']['release']['major'] == '8' {
      # Opt out of cis_1_1_1_2
      class{'::secure_linux_cis::rules::ensure_mounting_of_vfat_filesystems_is_limited':enforced => false}
    }
  }

I have tried adjusting the array, however unlike the underlying ruby, Puppet arrays are immutable.
class{'::secure_linux_cis':exclude_rules += ['ensure_aide_is_installed']} and variations do not work, nor does .delete.

I am trying to understand why spec/unit tests fail with the camptocamp-postfix module that is specified in metadata, and instead use a puppet-postfix module served in fixtures from a github repo?

This restricts unit tests to require internet connectivity to resolve the postfix module from "https://github.com/fervidus/puppet-postfix.git". However, acceptance tests and real-world use of the module work with the camptocamp-postfix specified in metadata.

Any clarification of why this is so and if it can be fixed is appreciated.

lines 37 and 66 are missing a dash in time-change and therefore a host with this module applied and then scanned with Nessus fails rule 4.1.4 which checks audit.rules file

lines in cis_4_1_4.pp are currently :
line => '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k timechange',

and should be:
line => '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',

Dear,

In rhel8/cis_3_4_2_3.pp there if referred to the class :secure_linux_cis::rules::ensure_nftables_is_not_enabled, which is not existing.

Kind regards
Johan

Steps to reproduce:

1. build a standard BIOS minimal CentOS7 VM (eg in VMware Workstation)
2. apply this module
3. reboot

boot error:
Warning: /dev/mapper/centos_{hostname}-root does not exist
Warning: /dev/vg0/root does not exist
Warning: /dev/vg0/swap does not exist

Setting this class to enforced => false avoids the issue.

This issue has also been branched into 1.0.8.

I will investigate further however any thoughts appreciated. Rolling this file back to release 1.0.5 version an option?

although as per the CIS benchmark, their advisory appears incorrect as regards the location and syntax for the grub2 password.

The custom fact grub_pass currently has:
'grep "^GRUB2 PASSWORD" /boot/grub2/grub.cfg'

However it should be:
'grep "^GRUB2_PASSWORD" /boot/grub2/user.cfg' - note the user.cfg file not grub.cfg, and the added underscore in keyword.

for some reason i am getting a bunch of these errors. ANy advise how to resolve it?

Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_suspicious_packets_are_logged.pp, line: 25)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_suspicious_packets_are_logged.pp, line: 25)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_suspicious_packets_are_logged/Sysctl[net.ipv4.conf.default.log_martians]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_suspicious_packets_are_logged.pp, line: 25)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_broadcast_icmp_requests_are_ignored.pp, line: 26)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_broadcast_icmp_requests_are_ignored.pp, line: 26)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_broadcast_icmp_requests_are_ignored/Sysctl[net.ipv4.icmp_echo_ignore_broadcasts]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_broadcast_icmp_requests_are_ignored.pp, line: 26)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_bogus_icmp_responses_are_ignored.pp, line: 22)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_bogus_icmp_responses_are_ignored.pp, line: 22)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_bogus_icmp_responses_are_ignored/Sysctl[net.ipv4.icmp_ignore_bogus_error_responses]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_bogus_icmp_responses_are_ignored.pp, line: 22)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 26)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 26)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_reverse_path_filtering_is_enabled/Sysctl[net.ipv4.conf.all.rp_filter]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 26)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 30)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 30)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_reverse_path_filtering_is_enabled/Sysctl[net.ipv4.conf.default.rp_filter]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_reverse_path_filtering_is_enabled.pp, line: 30)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_tcp_syn_cookies_is_enabled.pp, line: 29)
Error: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_tcp_syn_cookies_is_enabled.pp, line: 29)
Wrapped exception:
no implicit conversion of Integer into String
Error: /Stage[main]/Secure_linux_cis::Rules::Ensure_tcp_syn_cookies_is_enabled/Sysctl[net.ipv4.tcp_syncookies]/ensure: change from 'absent' to 'present' failed: Could not set 'present' on ensure: no implicit conversion of Integer into String (file: /etc/puppetlabs/code/environments/production/modules/secure_linux_cis/manifests/rules/ensure_tcp_syn_cookies_is_enabled.pp, line: 29)

the resource declaration on line 36 of 'services' should be 'service' and fails to compile a catalog when ipv6_enabled => false, however when corrected results in duplicate resource declaration with puppetlabs/firewall.

A way to overcome this is to set in hiera:
firewall::ensure_v6: 'stopped'
however there needs to be a method determined how to do this in the manifest.

I am trying resource collectors etc but as yet not have a way to stop/disable ip6tables from the firewall dependency. Overriding a default in a dependency is not as easy as it could be.

In manifests/rules/ensure_root_path_integrity.pp, the notify is triggered if the root_path.sh script returns any output.

Warning: /Stage[main]/Secure_linux_cis::Rules::Ensure_root_path_integrity/Notify[rp]/message: defined 'message' as 'Not in compliance with CIS  (Scored). There is a "." or other writable directory in the root executable path. Check the root_path fact for details'

# facter -p root_path
/root/bin is not a directory

It possibly should only trigger for writable paths, and not for missing paths. I'm pretty sure that the default settings on RHEL 7 include /root/bin in root's default path, but there's no /root/bin folder created.

the following classes use the deprecated '.empty' evaluator instead of the preferred '== undef', and raise warnings on puppet apply:

cis_5_4_1_1.pp line 38
cis_5_4_1_2.pp line 37
cis_5_4_1_3.pp line 36
cis_5_4_1_4.pp line 28

Warning: Calling function empty() with Numeric value is deprecated.

When this module is present on a PuppetServer that manages both Windows and Linux hosts, unconfined facts cause errors on Windows hosts even though this class is not bound to the Windows hosts, as all custom facts get copied down and executed during a Puppet run.

Confining the facts to osfamily RedHat eliminates this issue, eg:
Facter.add('nologin') do
confine :osfamily => :RedHat
setcode do
...

The errors occur for the following facts, but the confine should probably be set for all facts:

• nologin
• shm_nodev
• shm_noexec
• shm_nosuid
• tmp_nodev
• tmp_noexec
• tmp_nosuid
• var_tmp_partition_nodev
• var_tmp_partition_noexec
• var_tmp_partition_nosuid

Hi, 3.0.0 and 3.0.1 for rhel7 was released some time ago. I adjusted the module for 3.0.0.
Are you interested in a pull-request?
But since we're not using the firewall part, this would be missing.

The build status is showing as failed. Not sure if there hasn't been a new build to puppet forge.

Any ETA when a new release will be pushed to puppet forge?

Thanks

Version 3.0.0 on Puppet Forge doesn't work on Oracle Linux as the OS name is incorrect. Facter reports OracleLinux for the OS name, but the Hiera folder is data/os/Oracle. I see this fix has already been made on this repo, is there a timeline to fix this on Forge?

Also, the Forge module lists a number of rules which haven't been implemented, breaking the module. I've disabled them locally, but I wanted to make a note of them here:

• ensure_authselect_includes_withfaillock
• ensure_nftables_is_not_enabled
• ensure_password_hashing_algorithm_is_sha512
• ensure_permissions_on_etc_issuenet_are_configured
• ensure_sticky_bit_is_set_on_all_worldwritable_directories
• ensure_systemwide_crypto_policy_is_future_or_fips
• ensure_systemwide_crypto_policy_is_not_legacy
• ensure_systemwide_crypto_policy_is_not_overridden

Given that these rules aren't listed on the OL8 rules here, should we be using this repo as our source instead of Puppet Forge?

the changes in https://github.com/fervidus/secure_linux_cis/tree/f565e7cf69ab53b9e0b475dc35592247c5f243ce
removed the useful information in the readme regarding usage and considerations for exceptions and profiles

can we break that information out to a separate file or reintroduce to the read me as it is invaluable to end users and consumers of the module.

Hello!

I've noticed that include_rules and exclude_rules values have been commented out in the modules init.pp.

In previous releases this was enabled and allowed users to use hiera.

Was this an intended change to interfacing with the module?

Thankyou for your time and the work you have done on this repo!

There is a parameter auto_restart that I'd really want to be off, but even if it was off, the parameter is not used anyway.

Simply upgrading the module from 1.x to 2.x would mean all our servers would reboot, as for instance audit rules have slightly changed. This just scared the shit out of me.

Please please please do not default to rebooting systems!

puppetlabs/reboot is now at version 3.2.0 however this module limits it to < 3.0.0. I am unaware of any compatibility issue. Raising this limit will also be one step toward Puppet 7 compatibility as offered by reboot v3.2.0

We are trying to integrate the secure_linux_check by fervidus into our existing Puppet infrastructure.

We have a lot of existing Puppet modules to prepare our cloud platform, we would like to harden some systems accordingly the CIS standard, but not all of them yet, since different customers have different requirements.

Our problem is that some of our modules declare same resources as CIS hardening module self then it comes to conflicts, like: "Duplicate declaration: Package[XXX] is already declared".

We would like to prevent loading of some modules altogether, if the corresponding rule is disabled, like if 'secure_linux_cis::rules::ensure_chrony_is_configured::enforced false' rule is disabled in Hiera, then the ./manifests/rules/ensure_chrony_is_configured.pp won't be included at all to prevent definition conflicts like 'Duplicate declaration: Package[chrony] is already declared at...'

I suppose that will be for great help for every big cloud provider that already has Puppet modules in place.

I'm running into another issue with two dependencies on this module, puppetlabs-firewall and puppet-firewalld. After switching to the GitHub repo in my Puppetfile, I've consistently been getting errors with the two modules duplicating a service declaration for firewalld. I ran into this before with this module, but updating to 3.0.0 on the Puppet Forge fixed it.

Here's the error:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Duplicate declaration: Service[firewalld] is already declared at (file: /etc/puppetlabs/code/environments/development/modules/firewall/manifests/linux/redhat.pp, line: 54); cannot redeclare (file: /etc/puppetlabs/code/environments/development/modules/firewalld/manifests/init.pp, line: 78) (file: /etc/puppetlabs/code/environments/development/modules/firewalld/manifests/init.pp, line: 78, column: 3) on node [redacted]

I've tried disabling the ensure_firewalld_service_is_enabled_and_running rule as I think that's the main cause of the conflict, but haven't had any luck. A quick grep of the rest of the rules points to ensure_a_firewall_package_is_installed.pp as a potential problem, but I don't believe my code is triggering its else conditional.

    else {
      class { '::firewalld':
        default_zone              => 'drop',
        schedule                  => 'harden_schedule',
        purge_direct_rules        => true,
        purge_direct_chains       => true,
        purge_direct_passthroughs => true,
      }
    }

line 17 needs to be changed from
if $enforced and !$facts['gnome_installed'].empty {

to
if $enforced and $facts['gnome_installed'] {

so it works with the refactored fact.

I can do this in my next pull request, however if another contributor has a pull request sooner can they please incorporate the fix?