Repository files navigation

1. Overview
2. Module Description - What the module does and why it is useful
3. Setup - The basics of getting started with cis_benchmarks
   • What cis_benchmarks affects
   • Setup requirements
   • Beginning with cis_benchmarks
4. Usage - Configuration options and additional functionality
5. Reference - An under-the-hood peek at what the module is doing and how
6. Limitations - OS compatibility, etc.
7. Development - Guide for contributing to the module

MTN implimentation of CIS module with allowance for changing versions.

Applys configuration and tests for CIS benchmark fromhttp://cisecurity.org/Initially reimpliments V1.0.0 and developed to impliment V2.1.1

Supports use of Hieradata, and params.pp class.uses Added execute control functionality frombossbear/cis_benchmarks and rule_specialperms.pp (and matching rule_specialperms hash in common.yaml) where one can add any extra hashes (file/dir: permission) to enforce permissions on files or directories

CIS benchmark versions supported by OS

clone the module:git clonehttp://github.com/abuxton/cis_benchmarksorpuppet module install abuxton-cis_benchmarks

(See Usage below for staging dependent modules)

main list of subsystems impacted:

• sshd (and anything that requires authentication)
• auditd
• cron
• grub
• su
• kernel parameters
• network parameters
• selinux

Currently, this module requires 4 additional modules:

1. puppetlabs-stdlib
2. herculesteam-augeasproviders_core
3. herculesteam-augeasproviders_pam
4. fiddyspence-sysctl

Once you've cloned it you can run it two ways:

1. Stage all dependent modules in fixtures and run against spec/fixtures/modules directory. Following the below steps as root:

    cd cis_benchmarks bundle install --path vendor/bundle bundle exec rake spec_prep  #this will populate spec/fixtures/modules dir. puppet apply -v --modulepath spec/fixtures/modules examples/init.pp

2. Manually stage the dependent modules and run against /etc/puppetlabs/code/environments/production/modules directory:

   puppet module install puppetlabs-stdlibpuppet module install herculesteam-augeasproviders_corepuppet module install herculesteam-augeasproviders_pampuppet module install fiddyspence-sysctlcd cis_benchmarkspuppet apply -v --modulepath /etc/puppetlabs/code/environments/production/modules examples/init.pp

Obviously, you can add --noop flag to run things in an audit mode.

In order to run RSpec testing run the following commands:

cd cis_benchmarksbundle install --path vendor/pathbundle exec rake spec

In order to run beaker testing run the following commands:

cd cis_benchmarksbundle install --path vendor/pathbundle exec rake beaker:centos-7-x86_64-docker

Strongly suggest profiling the module with trlinkin/noop

##Reference

This module was tested using Puppet Agent 4.7 and have been tested on following systems:

1. RedHat 7 x64
2. CentOS 7 x64

The module will test for components and deploy certain packages but it does not enforce iptables or firewalld rules we suggest puppetlabs/firewall for those tasks

RHEL6 supportTidy up custom facts currently does not support changing script dir or missing scripts well

Based on the work:bossbear/cis_benchmarks