
cisecurity

Table of Contents

  1. Module Description
  2. Setup - The basics of getting started with cisecurity
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Module Description

This module configures and maintains controls listed in the Center for Internet Security Benchmark for Linux. The current version of cisecurity implements v2.10 of the benchmark for Red Hat Enterprise Linux 6 and v2.20 for Red Hat Enterprise Linux 7. The module provides many parameters to fine-tune its behaviour to your specific needs.

More information about the benchmark and downloading a copy of it for yourself is available at the Center for Internet Security.

Setup

What cisecurity affects

By default, this module implements all Level 1 and Level 2 controls and uses the defaults provided in the benchmark. Make sure to consult the module's documentation for default settings and alter them as necessary. The defaults are not intended as a one-size-fits-all solution.

cisecurity touches a wide variety of system-level settings including:

Beginning with cisecurity

To use the cisecurity module with default parameters, declare the cisecurity class.

class { '::cisecurity': }

Usage

All parameters for the cisecurity module are broken down into various classes based on the components being modified.

Reference

Classes

Parameters

If you modify an Enum['enabled','disabled'] parameter to something other than the default, the module will not autocorrect the desired state of the system. You will need to go to that system and manually change the configuration to whatever you want it to be. cisecurity is designed to enforce only the controls in the benchmark and will not make assumptions about what you want a system's configuration to look like when you deviate.

For parameters in the cisecurity::packages class, if you modify an Enum['installed','uninstalled','ignored'] parameter, the class will attempt to install, purge, or ignore the specified package.
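The two parameter styles described above are usually set through Hiera rather than by editing manifests. The following is an added example (not data shipped with the cisecurity module): a common-level Hiera file using Puppet's automatic parameter lookup, where each key is the documented class name followed by the parameter name. The choice of vfat, telnet and firewalld as the parameters to override is constructed for illustration, and the string types of the values are assumed from the Enum types quoted above.

```yaml
# Added example, not part of the cisecurity module: data/common.yaml in a
# control repository. Keys are <class>::<parameter>, matching the classes and
# parameters documented in the Reference section.
---
# Enum['enabled','disabled'] parameter. The benchmark default disables vfat
# mounting; allowing it here (e.g. for a UEFI system partition, a constructed
# reason) means the module simply stops enforcing that control. It will NOT
# configure vfat support for you; that is left to you on the node itself.
cisecurity::filesystem::vfat: 'enabled'

# Enum['installed','uninstalled','ignored'] parameters in cisecurity::packages.
# 'uninstalled' purges the package, 'installed' installs it, and 'ignored'
# leaves it alone, which is the right choice when another module or a local
# process already manages the package.
cisecurity::packages::telnet: 'uninstalled'
cisecurity::packages::firewalld: 'ignored'
```

Because these keys resolve through the normal Hiera hierarchy, a node-level file can override any of them for a single host while the rest of the fleet keeps the benchmark defaults.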

Class cisecurity::filesystem

configure_umask_default

Determines if the default umask will be modified.

cramfs

Determines if mounting cramfs filesystems will be allowed.

dev_shm_mount_options

Provides mount options for /dev/shm. Set this parameter to an empty array if you don't want the module to modify /dev/shm.

freevxfs

Determines if mounting freevxfs filesystems will be allowed.

harden_system_file_perms

Secures certain system files and directories harder than the default operating system provides.

hfs

Determines if mounting hfs filesystems will be allowed.

hfsplus

Determines if mounting hfsplus filesystems will be allowed.

home_mount_options

Provides mount options for /home. If /home is not configured as a separate partition, the module will throw a warning. Set this parameter to an empty array if you don't want the module to modify /home.

jffs2

Determines if mounting jffs2 filesystems will be allowed.

log_file_perms_cron_start_hour

A cron-styled hour when log file permissions will be corrected.

log_file_perms_cron_start_minute

A cron-styled minute when log file permissions will be corrected.

remediate_log_file_perms

Secures log files in /var/log harder than the default operating system provides.

remediate_ungrouped_files

Reassigns group ownership of ungrouped files and directories.

remediate_unowned_files

Reassigns user ownership of unowned files and directories.

remediate_world_writable_dirs

Adds sticky bit to all world writable directories.

remediate_world_writable_files

Removes world writable permission from all world writable files.

removable_media_mount_options

Provides mount options for removable media partitions.

removable_media_partitions

Lists all removable partitions that exist on the system. It is recommended you set this on a node-by-node basis.

squashfs

Determines if mounting squashfs filesystems will be allowed.

tmp_mount_options

Provides mount options for /tmp. If /tmp is not configured as a separate partition, the module will throw a warning. Set this parameter to an empty array if you don't want the module to modify /tmp.

udf

Determines if mounting udf filesystems will be allowed.

umask_default

Value of the default umask.

ungrouped_files_replacement_group

Value of the group to assign to ungrouped files. You may use GID or name.

unowned_files_replacement_owner

Value of the user to assign to unowned files. You may use UID or name.

var_mount_options

Provides mount options for /var. If /var is not configured as a separate partition, the module will throw a warning. You really shouldn't need to modify this because the benchmark doesn't specify changes to the mount options (hence it is left at the defaults).

var_log_audit_mount_options

Provides mount options for /var/log/audit. If /var/log/audit is not configured as a separate partition, the module will throw a warning. You really shouldn't need to modify this because the benchmark doesn't specify changes to the mount options (hence it is left at the defaults).

var_log_mount_options

Provides mount options for /var/log. If /var/log is not configured as a separate partition, the module will throw a warning. You really shouldn't need to modify this because the benchmark doesn't specify changes to the mount options (hence it is left at the defaults).

var_tmp_mount_options

Provides mount options for /var/tmp. Set this parameter to an empty array if you don't want the module to modify /var/tmp.

vfat

Determines if mounting vfat filesystems will be allowed.

world_writable_dirs_ignored

Provides a list of world writable directories that you don't want the sticky bit automatically set on.

world_writable_files_ignored

Provides a list of world writable files that you don't want permissions automatically changed.
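Several of the cisecurity::filesystem parameters above depend on how an individual host is partitioned, which is why the README recommends node-level data. The following is an added example (not data from the module) of a node-level Hiera file: the hostname, the partition layout, the removable media device and the whitelisted paths are all constructed, and the array type of each value is assumed from the "empty array" wording above. The nodev, nosuid and noexec mount options are standard Linux mount options.

```yaml
# Added example, not part of the cisecurity module:
# data/nodes/db01.example.com.yaml (hostname constructed). Values are
# illustrative assumptions for a host with separate /tmp and /var/tmp
# partitions but no separate /home.
---
# Separate partitions: apply the usual hardening options.
cisecurity::filesystem::tmp_mount_options:
  - nodev
  - nosuid
  - noexec
cisecurity::filesystem::var_tmp_mount_options:
  - nodev
  - nosuid
  - noexec

# /home is on the root filesystem here. An empty array tells the module not
# to modify /home at all instead of warning about a missing partition.
cisecurity::filesystem::home_mount_options: []

# Removable media differ per host, so they are listed per node as the
# README recommends. The device path is constructed.
cisecurity::filesystem::removable_media_partitions:
  - /media/usb0
cisecurity::filesystem::removable_media_mount_options:
  - nodev
  - nosuid
  - noexec

# Exceptions to the world-writable remediation (constructed paths). Anything
# listed here keeps its current permissions instead of being corrected, so
# each entry should be a documented, reviewed requirement.
cisecurity::filesystem::world_writable_dirs_ignored:
  - /opt/app/scratch
cisecurity::filesystem::world_writable_files_ignored:
  - /opt/app/scratch/status.lock
```

Keeping the exception lists in node data rather than common data makes it easy to audit which hosts deviate from the benchmark and why.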

Class cisecurity::network

dccp

Determines if the DCCP protocol will be allowed.

disable_wireless_interfaces

Determines if wireless interfaces should be disabled.

hosts_allow

Provides the source location for the /etc/hosts.allow file. It is recommended you set this on a node-by-node basis.

hosts_deny

Provides the source location for the /etc/hosts.deny file. It is recommended you set this on a node-by-node basis.

ipv4_accept_icmp_redirects

Determines if ICMP redirect messages are allowed.

ipv4_forwarding

Determines if forwarding (routing) is allowed.

ipv4_ignore_icmp_bogus_responses

Determines if bogus (faked) ICMP response messages are allowed.

ipv4_ignore_icmp_broadcasts

Determines if broadcast ICMP messages are allowed.

ipv4_log_suspicious_packets

Determines if suspicious packets (martians) will be logged.

ipv4_reverse_path_filtering

Determines if reverse path filtering of packets should happen.

ipv4_secure_redirects

Determines if secure ICMP redirect messages are allowed.

ipv4_send_redirects

Determines if the system can send ICMP redirect messages.

ipv4_source_routing

Determines if source routed packets are accepted.

ipv4_tcp_syncookies

Determines if TCP SYN cookies are allowed.

ipv6

Determines if the IPv6 protocol stack is allowed.

ipv6_accept_packet_redirects

Determines if IPv6 redirect messages are allowed.

ipv6_accept_router_advertisements

Determines if IPv6 router advertisements are accepted.

rds

Determines if the RDS protocol will be allowed.

sctp

Determines if the SCTP protocol will be allowed.

tipc

Determines if the TIPC protocol will be allowed.

Class cisecurity::packages

aide

Determines if AIDE will be installed.

aide_cron_start_hour

A cron-styled hour when AIDE will run its daily check.

aide_cron_start_minute

A cron-styled minute when AIDE will run its daily check.

firewalld

Determines if firewalld will be installed.

libselinux

Determines if libselinux will be installed.

logrotate

Determines if logrotate will be installed.

mcstrans

Determines if the MCS Translation Service will be installed.

openldap_clients

Determines if the LDAP client will be installed.

prelink

Determines if prelink will be installed.

rsh

Determines if the rsh server will be installed.

setroubleshoot

Determines if setroubleshoot will be installed.

talk

Determines if talk will be installed.

tcp_wrappers

Determines if the TCP Wrappers will be installed.

telnet

Determines if the telnet client will be installed.

xorg_x11

Determines if X Windows will be installed.

ypbind

Determines if the NIS Client will be installed.

yum_auto_update

Determines if yum-cron will be installed and configured.

yum_auto_update_action

Determines how to deal with updates for the system.

yum_update_email_from

If email notifications are enabled, this parameter defines the sender's email address. The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).

yum_update_email_to

If email notifications are enabled, this parameter defines who to send the notifications to. The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).

yum_auto_update_exclude

An array of packages to exclude when applying updates.

yum_auto_update_notify_email

Determines whether notifications are to be sent via email.

yum_auto_update_update_cmd

Defines what category of updates you wish applied.

yum_repo_enforce_gpgcheck

Determines whether to enforce gpgcheck on all available repositories.

Class cisecurity::pam

account_lockout_enforcement

Determines whether the system should be configured for account lockout enforcement.

account_lockout_attempts

Specifies the number of times a bad password may be entered before the account is automatically locked out.

account_lockout_time

Specifies the amount of time (in seconds) after which an account locked by failed password attempts will be automatically unlocked.

inactive_account_lockout

Specifies whether inactive accounts should be locked by the system.

inactive_account_lockout_days

Specifies the number of days without a login after which an account is considered inactive.

root_user_settings

Specifies settings for the root user. The minimum setting needed is for ensuring the primary group but this can be extended to include managing root passwords.

password_aging

Determines whether the system should be configured for password aging enforcement.

password_aging_max_days

Specifies the maximum number of days before a password is required to be changed.

password_aging_min_days

Specifies the minimum number of days a password must be used before it can be changed.

password_aging_warn_days

Specifies the number of days before expiry at which a message is displayed at user login warning that the password is going to expire.

password_enforcement

Determines whether the system should be configured for password complexity restrictions.

password_max_attempts

Specifies the number of times a user may specify a new password that doesn't meet complexity requirements before the attempt to change the password is rejected.

password_min_length

Specifies the minimum length of a valid password.

password_num_digits

Specifies the number of digits required to be present in the password.

password_num_lowercase

Specifies the number of lowercase characters required to be present in the password.

password_num_uppercase

Specifies the number of uppercase characters required to be present in the password.

password_num_other_chars

Specifies the number of special characters required to be present in the password.

password_num_remembered

Specifies the number of passwords the system will store per user to prevent them from reusing old passwords.

wheel

Specifies whether to enable the use of the wheel group on the system for the su command.

Class cisecurity::security

aslr

Determines whether Address Space Layout Randomization (ASLR) will be enabled.

banner_message_text

Banner message text to be displayed when a GNOME-based graphical login occurs.

bootloader_password

For Red Hat 7, a grub SHA512 encrypted password string used as the bootloader password. The encrypted password in RedHat7.yaml is password. To change the bootloader password, use grub2-mkpasswd-pbkdf2 as shown below:

$ grub2-mkpasswd-pbkdf2
Enter password: <new password>
Reenter password: <confirm new password>
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.D70F1...

Copy and paste the entire string into the parameter.

For Red Hat 6, a grub MD5 encrypted password string used as the bootloader password. The encrypted password in RedHat6.yaml is password. To change the bootloader password, use grub-md5-crypt as shown below:

$ grub-md5-crypt
Password: <new password>
Retype password: <confirm new password>
$1$L.MZi/$6i6ZtU/e8WRKfujZac44t.

Copy and paste the entire string into the parameter. Be sure to precede the salted password with the --md5 moniker as the default shows.

bootloader_user

Specifies a username to be created with superuser privileges in grub.

configure_shell_timeout

Determines whether to implement shell timeouts.

configure_system_acct_nologin

Determines whether system accounts (UIDs less than 1000 by default) have their shell changed to /sbin/nologin in /etc/passwd.

home_directories_perm

Defines what permission should be applied to home directories.

issue

Provides the source location for /etc/issue and sets owner, group, and permission.

issue_net

Provides the source location for /etc/issue.net and sets owner, group, and permission.

motd

Provides the source location for /etc/motd and sets owner, group, and permission.

remediate_blank_passwords

Determines whether accounts with blank passwords will be locked out.

remediate_home_directories_dot_files

Removes group and other write permissions to users' dot files.

remediate_home_directories_exist

Creates users' home directories if they don't exist whether they've logged into the system or not.

remediate_home_directories_forward_files

Determines whether .forward files in home directories are forcibly removed.

remediate_home_directories_netrc_files

Determines whether .netrc files in home directories are forcibly removed.

remediate_home_directories_netrc_files_perms

Removes group and other write permissions to users' .netrc files.

remediate_home_directories_owner

Changes the ownership of home directories when the directory isn't owned by the correct user.

remediate_home_directories_perms

Changes the permissions of home directories.

remediate_home_directories_rhosts_files

Determines whether .rhosts files in home directories are forcibly removed.

remediate_home_directories_start_hour

A cron-styled hour when home directory checks will run.

remediate_home_directories_start_minute

A cron-styled minute when home directory checks will run.

remediate_legacy_group_entries

Determines whether legacy entries in /etc/group are checked for and remediated.

remediate_legacy_passwd_entries

Determines whether legacy entries in /etc/passwd are checked for and remediated.

remediate_legacy_shadow_entries

Determines whether legacy entries in /etc/shadow are checked for and remediated.

remediate_root_path

Determines whether root's path will be managed. Besides configuring root's path in /root/.bash_profile, the module will go through each directory in the path and ensure the directory is owned by root, group owned by root, and removes group and other write attributes.

remediate_uid_zero_accounts

Determines whether accounts with UID 0 (other than root) will be deleted.

restricted_core_dumps

Determines whether core dumps are allowed.

root_path

The path that will be configured in /root/.bash_profile.

selinux

Determines how SELinux will be configured.

selinux_type

Determines how SELinux will be configured.

secure_terminals

Provides a list of devices where root is permitted to directly log in.

single_user_authentication

Determines whether authentication will be required when the system runs in single-user mode.

syslog_facility

Provides the syslog facility that warning messages will be logged to.

syslog_severity

Provides the syslog severity that warning messages will be logged to.

verify_user_groups_exist

Verifies all groups in /etc/passwd exist in /etc/group. If a group doesn't exist, a message is written via syslog.

verify_duplicate_gids_notexist

Verifies no duplicate GIDs exist. If a duplicate GID is found, a message is written via syslog.

verify_duplicate_groupnames_notexist

Verifies no duplicate group names exist. If a duplicate group name is found, a message is written via syslog.

verify_duplicate_uids_notexist

Verifies no duplicate UIDs exist. If a duplicate UID is found, a message is written via syslog.

verify_duplicate_usernames_notexist

Verifies no duplicate usernames exist. If a duplicate username is found, a message is written via syslog.

Class cisecurity::services

at_allowed_users

Provides a list of users allowed to use at.

auditd_action_mail_root

If email notifications are enabled, this parameter defines who receives the notification. The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).

auditd_admin_space_left

Value (in megabytes) that tells the audit daemon when to perform a configurable action because the system is running low on disk space. This should be considered the last chance to do something before running out of disk space. The numeric value for this parameter should be lower than the number for auditd_space_left.

auditd_admin_space_left_action

Action to take when the system has detected that it is low on disk space. If set to ignore, the audit daemon does nothing. Syslog means that it will issue a warning to syslog. Email means that it will send a warning to the email account specified in auditd_action_mail_acct as well as sending the message to syslog. Suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The single option will cause the audit daemon to put the computer system in single user mode.

auditd_configure_boot_auditing

Determines whether processes that start before auditd is enabled are audited.

auditd_configure_rules

Determines whether the rules defined in the benchmark are applied.

auditd_max_log_file

Specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action.

auditd_max_log_file_action

Action to take when the system has detected that the max file size limit has been reached. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The rotate option will cause the audit daemon to rotate the logs. It should be noted that logs with higher numbers are older than logs with lower numbers. This is the same convention used by the logrotate utility. The keep_logs option is similar to rotate except it does not use the num_logs setting. This prevents audit logs from being overwritten.

auditd_num_logs

Specifies the number of log files to keep if rotate is given as the auditd_max_log_file_action. If the number is less than 2, logs are not rotated. This number must be 999 or less. The default is 0 - which means no rotation.

auditd_space_left

Value in megabytes that tells the audit daemon when to perform a configurable action because the system is starting to run low on disk space.

auditd_space_left_action

Specifies what action will be taken when the system detects that it's starting to get low on disk space.
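The auditd disk-space parameters above only make sense as a pair: the early warning threshold must be higher than the last-chance threshold, and the actions chosen at each stage decide whether the host keeps running without audit coverage or stops. The following is an added example (not data from the module) showing one consistent configuration in Hiera. The megabyte figures and the e-mail address are constructed; integer types for the sizes are assumed, and the action set for auditd_space_left_action is assumed to match the values listed for auditd_admin_space_left_action.

```yaml
# Added example, not part of the cisecurity module: Hiera data for the auditd
# thresholds. Sizes are megabytes; all numbers are illustrative for a host
# with a small dedicated /var/log/audit partition.
---
# Assumed Enum['enabled','disabled'] like the other configure_* parameters.
cisecurity::services::configure_auditd: 'enabled'

# Stage 1, early warning: 200 MB left. 'email' also writes the warning to
# syslog, so a SIEM picks it up even if mail is delayed.
cisecurity::services::auditd_space_left: 200
cisecurity::services::auditd_space_left_action: 'email'
cisecurity::services::auditd_action_mail_root: 'secops@example.com'  # constructed

# Stage 2, last chance: MUST be lower than auditd_space_left (50 < 200).
# 'suspend' keeps the daemon alive but stops writing records; 'single' would
# instead drop the host to single-user mode. Pick the one that matches your
# policy on availability versus guaranteed audit coverage.
cisecurity::services::auditd_admin_space_left: 50
cisecurity::services::auditd_admin_space_left_action: 'suspend'

# Log size handling: with 'keep_logs' the daemon rotates without overwriting
# older files and auditd_num_logs is not used, so no audit history is lost.
# With 'rotate' you would also need auditd_num_logs set to 2 or more.
cisecurity::services::auditd_max_log_file: 32
cisecurity::services::auditd_max_log_file_action: 'keep_logs'
```

A quick sanity check before deploying is that auditd_admin_space_left is strictly less than auditd_space_left and that whichever stage uses 'email' has a reachable address in auditd_action_mail_root; otherwise the last-chance action fires with no prior warning.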

autofs

Enables or disables the automounter.

avahi_daemon

Enables or disables Avahi.

chargen_dgram

Enables or disables chargen services.

chargen_stream

Enables or disables chargen services.

configure_at_allow

Determines whether to configure at.allow.

configure_auditd

Determines whether the auditing subsystem will be configured.

configure_cron_allow

Determines whether to configure cron.allow.

configure_postfix

Determines whether postfix will be configured to only listen on localhost interfaces.

configure_rsyslog

Determines whether rsyslog will be configured.

configure_rsyslog_host

Determines whether rsyslog will be configured to be an rsyslog host.

configure_sshd

Determines whether sshd will be configured.

configure_time

Determines whether time services (ntpd or chrony) will be configured.

cron

Enables or disables cron.

cron_allowed_users

Provides a list of users allowed to use cron.

cups

Enables or disables the printing subsystem.

daytime_dgram

Enables or disables daytime services.

daytime_stream

Enables or disables daytime services.

dhcpd

Enables or disables DHCP services.

discard_dgram

Enables or disables discard services.

discard_stream

Enables or disables discard services.

dovecot

Enables or disables POP3/IMAP services.

echo_dgram

Enables or disables echo services.

echo_stream

Enables or disables echo services.

httpd

Enables or disables web services.

inetd

Enables or disables the (x)inetd super server.

named

Enables or disables DNS services.

nfs

Enables or disables NFS services.

nfs_server

Enables or disables NFS Server services.

ntalk

Enables or disables talk services.

ntp_service_restrictions

Configures NTP restrict statements.

rexec

Enables or disables rexec services.

rhnsd

Enables or disables Red Hat Network Services.

rlogin

Enables or disables rlogin services.

rpcbind

Enables or disables RPC portmapper service.

rsh

Enables or disables rsh services.

rsyncd

Enables or disables rsync services.

rsyslog_conf

Provides the source location for the /etc/rsyslog.conf file. It is recommended you reconfigure this setting to some kind of master file to be distributed to all nodes or devise another mechanism to ensure log settings are properly configured.

rsyslog_remote_servers

Configures what loghosts to send syslog messages to.

slapd

Enables or disables LDAP services.

smb

Enables or disables Samba services.

snmpd

Enables or disables SNMP services.

sshd_allowed_groups

Login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized.

sshd_allowed_users

Login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized.

sshd_banner_file

Provides the location where SSH will send the login banner from.

sshd_client_alive_count_max

Sets the number of client alive messages sshd will send without receiving messages back from the client.

sshd_client_alive_interval

Sets the timeout interval (in seconds) after which, if no data has been received from the client, sshd sends a message through the encrypted channel to request a response from the client.

sshd_denied_groups

Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized.

sshd_denied_users

Login is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized.

sshd_hostbased_authenticaton

Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed.

sshd_ignore_rhosts

Specifies that .rhosts and .shosts will not be used in RhostsRSAAuthentication or HostbasedAuthentication.

sshd_login_grace_time

Amount of time (in seconds) when the server disconnects if the user has not successfully logged in.

sshd_log_level

Sets the verbosity level that is used when logging messages.

sshd_max_auth_tries

Specifies the maximum number of authentication attempts permitted per connection.

sshd_permit_empty_passwords

Specifies whether the server allows login to accounts with empty password strings.

sshd_permit_root_login

Specifies whether root can log in directly with ssh.

sshd_permitted_ciphers

Specifies the ciphers allowed for protocol version 2.

sshd_permitted_macs

Specifies the available MAC (message authentication code) algorithms allowed for protocol version 2.

sshd_permit_user_environment

Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed.

sshd_protocol

Specifies the protocol versions sshd supports.

sshd_x11_forwarding

Specifies whether X11 forwarding is permitted.
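The sshd access-control parameters above accept name patterns only, and the keepalive parameters work as a pair. The following is an added example (not data from the module) of Hiera data that wires them together. The group and user names are constructed; list and integer types are assumed; the timing and retry values shown are illustrative rather than a recommendation beyond what the benchmark already defaults to.

```yaml
# Added example, not part of the cisecurity module: Hiera data for sshd
# access control and session limits. Names are constructed.
---
# Assumed Enum['enabled','disabled'] like the other configure_* parameters.
cisecurity::services::configure_sshd: 'enabled'

# Group names only; a numeric GID here is silently not matched. Patterns use
# sshd's own wildcard syntax, so 'ops-*' matches every group beginning with
# "ops-". sshd evaluates DenyUsers, AllowUsers, DenyGroups, AllowGroups in
# that order, so a denied user is rejected even if its group is allowed.
cisecurity::services::sshd_allowed_groups:
  - sshusers
  - 'ops-*'
cisecurity::services::sshd_denied_users:
  - svc-backup

# Idle handling: a probe every 300 s with 0 missed replies tolerated, so an
# unresponsive client is disconnected after about five minutes.
cisecurity::services::sshd_client_alive_interval: 300
cisecurity::services::sshd_client_alive_count_max: 0

# Authentication limits: at most 4 attempts per connection and 60 s to
# complete a login before the server disconnects.
cisecurity::services::sshd_max_auth_tries: 4
cisecurity::services::sshd_login_grace_time: 60

# Pre-authentication banner, served from the file managed by the issue_net
# parameter of cisecurity::security.
cisecurity::services::sshd_banner_file: /etc/issue.net
```

When an allow list is introduced on an already-running fleet, keep an existing session open and verify a fresh login from a member of an allowed group before the change is rolled out everywhere; a typo in a group pattern locks out everyone who is not already connected.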

squid

Enables or disables HTTP Proxy services.

telnet

Enables or disables telnet server services.

tftp

Enables or disables TFTP server services.

time_dgram

Enables or disables time services through the (x)inetd super server. Do not confuse this parameter with ntpd or chrony.

time_service_provider

Controls whether the system will use ntpd or chrony.

time_service_servers

Provides a list of time servers to synchronize with.

time_stream

Enables or disables time services through the (x)inetd super server. Do not confuse this parameter with ntpd or chrony.

vsftpd

Enables or disables FTP server services.

ypserv

Enables or disables NIS server services.

Limitations

This module has been tested on RHEL 6 and 7 and it "should" work on CentOS 6 and 7 but no testing has been performed.

Development

Bugs

Please use GitHub to file an issue if you run into problems with the module.

Pull Request

If you can patch the bugs you find or want to add features and functionality, please create a pull request.