# secure_linux_cis

Source repository: https://github.com/autostructure/secure_linux_cis (language: Puppet)

#### Table of Contents

1. [Description](#description)
2. [Setup - The basics of getting started with secure_linux_cis](#setup)
3. [Usage - Configuration options and additional functionality](#usage)
4. [Reference - An under-the-hood peek at what the module is doing and how](#reference)
5. [Limitations - OS compatibility, etc.](#limitations)
6. [Development - Guide for contributing to the module](#development)

## Description

This Puppet module implements the security controls defined in the Center for Internet Security (CIS) benchmarks for the operating systems below, at the benchmark versions listed:

| Operating System | Benchmark Version |
|------------------|-------------------|
| RedHat 7 | 2.2.0 |
| CentOS 7 | 2.2.0 |

The CIS Benchmarks can be downloaded [here](https://www.cisecurity.org/benchmark/centos_linux/).

## Setup

To harden a server to the CIS standard, declare the top-level `secure_linux_cis` class; the Red Hat 7 controls live in the `secure_linux_cis::redhat7` namespace:

```Puppet
class { '::secure_linux_cis': }
```

With no further parameters the module begins enforcing and reporting immediately and is designed not to break the system. Full compliance with rule 5.2.14 (SSH access is limited) requires at least one of the four SSH access lists, so specify which users or groups may or may not log in over SSH:

```Puppet
class { '::secure_linux_cis':
  allow_users  => ['john', 'jacob', 'jeremiah'],
  allow_groups => 'root',
  deny_users   => 'mark',
  deny_groups  => 'external',
}
```

sshd evaluates these lists in the order `DenyUsers`, `AllowUsers`, `DenyGroups`, `AllowGroups`: an account matched by a deny list is refused even if it also appears in an allow list, and once an allow list is set, every account not matched by it is refused.

### No-Op Mode

The module can be run in Puppet's no-op mode, which reports every configuration drift it detects without applying any change. This is useful for auditing the state of a system before enforcing it:

```
puppet agent -t --noop
```

## Usage

### Disabling individual rules with Hiera

For Red Hat 7 the module covers 223 CIS rules, each either enforced or documented. Every rule maps to a class that can be switched on or off to suit the system. All rules are enabled by default for maximum out-of-box security. To turn a rule off, set its `enforced` parameter to `false` in your Hiera data:

```yaml
# hieradata/common.yaml
secure_linux_cis::redhat7::cis_1_1_2::enforced: false
```

See [Limitations](#limitations) for rules that might not apply to certain system configurations, and the Useful Organization Information section below for rules that must be disabled on servers that provide a given service.

The parameters listed under Reference are defined on the top-level class (`init.pp`) and are set when that class is declared.

## Reference

### Parameters

#### `time_servers`

Default value: []

The time servers for your organization. Must be set for time synchronization to be configured.

Used in cis_2_2_1_2, cis_2_2_1_3

#### `logging`

Default value: 'rsyslog'

Which system log daemon the node runs and where its logs are sent. The 4.2.1.x rules cover rsyslog and the 4.2.2.x rules cover syslog-ng.

Used in cis_4_2_1_2, cis_4_2_1_3, cis_4_2_1_4, cis_4_2_1_5, cis_4_2_2_1,
cis_4_2_2_2, cis_4_2_2_3, cis_4_2_2_4, cis_4_2_2_5, cis_4_2_3

#### `logging_host`

Default value: ''

The remote host that logs are forwarded to.

Used in cis_4_2_1_4, cis_4_2_2_4

#### `is_logging_host`

Default value: false

Whether this node is a logging host that accepts logs from other systems.

Used in cis_4_2_1_5, cis_4_2_2_5

#### `max_log_file`

Default value: 8

Maximum size in MB of each audit log file before auditd rotates it (`max_log_file` in auditd.conf).

Used in cis_4_1_1_1

#### `max_auth_tries`

Default value: '4'

Maximum number of authentication attempts sshd allows per connection (`MaxAuthTries`).

Used in cis_5_2_5

#### `time_sync`

Default value: 'ntp'

Which time synchronization service is used (ntp for 2.2.1.2, chrony for 2.2.1.3).

Used in cis_2_2_1_2, cis_2_2_1_3

#### `ipv6_enabled`

Default value: true

Whether IPv6 is in use on the node. Controls whether the IPv6 hardening rules (router advertisements and redirects not accepted) are applied; set it to false on hosts that do not use IPv6.

Used in cis_3_3_1, cis_3_3_2, cis_3_3_3

#### `approved_mac_algorithms`

Default values: ['hmac-sha2-512-etm@openssh.com','hmac-sha2-256-etm@openssh.com','umac-128-etm@openssh.com',
'hmac-sha2-512','hmac-sha2-256','umac-128@openssh.com']

The only message authentication codes sshd will negotiate (`MACs`). Anything not in this list, such as MD5- or SHA-1-based MACs, is refused.

Used in cis_5_2_11

#### `client_alive_interval`

Default value: 300

Seconds of inactivity after which sshd sends a keepalive to the client (`ClientAliveInterval`). Together with `client_alive_count_max` this sets the idle-session timeout; with the defaults an idle session is dropped after 300 seconds on the OpenSSH 7.x shipped with Red Hat 7.

Used in cis_5_2_12

#### `client_alive_count_max`

Default value: '0'

Number of unanswered keepalives sshd tolerates before it closes the session (`ClientAliveCountMax`). Note that OpenSSH 8.2 and later treat a value of 0 as "never disconnect", so on newer releases use a small positive value instead.

Used in cis_5_2_12

#### `login_grace_time`

Default value: 60

Seconds a connection may remain unauthenticated before sshd drops it (`LoginGraceTime`).

Used in cis_5_2_13

#### `allow_users`

Default value: []

Which users may log in to the system over SSH (`AllowUsers`).

Used in cis_5_2_14

#### `allow_groups`

Default value: []

Which groups may log in to the system over SSH (`AllowGroups`).

Used in cis_5_2_14

#### `deny_users`

Default value: []

Which users are refused SSH access to the system (`DenyUsers`).

Used in cis_5_2_14

#### `deny_groups`

Default value: []

Which groups are refused SSH access to the system (`DenyGroups`).

Used in cis_5_2_14

#### `minlen`

Default value: 14

The minimum length of a user's password (pam_pwquality `minlen`).

Used in cis_5_3_1

#### `dcredit`

Default value: -1

pam_pwquality credit for digits; a negative value of -1 requires at least one digit.

Used in cis_5_3_1

#### `ucredit`

Default value: -1

pam_pwquality credit for uppercase letters; -1 requires at least one uppercase character.

Used in cis_5_3_1

#### `ocredit`

Default value: -1

pam_pwquality credit for other (special) characters; -1 requires at least one special character.

Used in cis_5_3_1

#### `lcredit`

Default value: -1

pam_pwquality credit for lowercase letters; -1 requires at least one lowercase character.

Used in cis_5_3_1

#### `attempts`

Default value: 5

Number of failed login attempts allowed before the account is locked.

Used in cis_5_3_2

#### `lockout_time`

Default value: 900

How long, in seconds, an account stays locked after repeated failed attempts.

Used in cis_5_3_2

#### `past_passwords`

Default value: 5

Number of previous passwords a user is not allowed to reuse (`remember` in the PAM password stack).

Used in cis_5_3_3

#### `pass_max_days`

Default value: 90

Maximum number of days a password may be used before it must be changed (`PASS_MAX_DAYS`).

Used in cis_5_4_1_1

#### `pass_min_days`

Default value: 7

Minimum number of days a user must wait before changing their password again (`PASS_MIN_DAYS`).

Used in cis_5_4_1_2

#### `pass_warn_days`

Default value: 7

Number of days before a password expires on which the user starts being warned (`PASS_WARN_AGE`).

Used in cis_5_4_1_3

### Useful Organization Information (read this before using the module)

#### 1.8
The module installs a cron job that applies security updates on the first of every month.

#### 2.2.4
With this rule enforced, CUPS is disabled and any attempt to print from this system will fail.

#### 2.2.5
If the system is to be a DHCP server, disable this rule.

#### 2.2.6
If the system is to be an LDAP server, disable this rule.

#### 2.2.7
If the system is to be an NFS server, disable this rule.

#### 2.2.8
If the system is to be a DNS server, disable this rule.

#### 2.2.9
If the system is to be an FTP server, disable this rule (SFTP over SSH is still allowed).

#### 2.2.10
If the system is to be an HTTP server, disable this rule.

#### 2.2.11
If the system is to be a POP3 or IMAP server, disable this rule.

#### 2.2.12
If the system is to be a Samba server, disable this rule.

#### 2.2.13
If the system is to be an HTTP proxy server, disable this rule.

#### 2.2.14
If the system is to be an SNMP server, disable this rule.

#### 2.3.5
If the system is to be an LDAP client, disable this rule.

#### 3.1.1, 3.1.2
If the system is to act as a router, disable these rules.

#### 3.3.1, 3.3.2, 3.3.3
If the system does not use IPv6, set the `ipv6_enabled` parameter to false to disable these rules.

#### 3.6.1
IMPORTANT: this rule purges any firewall rules the module does not manage. If you need to keep an existing firewall policy, disable it.

#### 4.1.1.2
Once the audit logs are full, the system halts.

#### 4.3
If you have an explicit site policy for log rotation, disable this rule.


## Limitations

For some rules, it is up to the user to fully satisfy the CIS requirement:

#### 1.1.18
For all removable media partitions, make sure that the "nodev" mount option is set.

#### 1.1.19
For all removable media partitions, make sure that the "nosuid" mount option is set.

#### 1.1.20
For all removable media partitions, make sure that the "noexec" mount option is set.

#### 1.2.4
Verify that the system is registered with Red Hat Subscription Manager.

#### 1.5.2
Run `dmesg | grep NX` and verify that No Execute (Execute Disable on some Intel processors) protection is reported as active.

#### 6.1.1
Use the RPM package manager (`rpm -V`) to verify that system packages are installed intact and that their files carry the permissions the OS expects.

#### 6.1.10
Ensure no world-writable files exist on network-mounted partitions; the module can only check the local filesystem.

#### 6.2.1
Lock any accounts that do not have passwords until they have been reviewed.

### Important Data Stored in Facts

#### 1.2.1
**yum_repolist** contains the configuration settings for Yum repositories on the system

#### 1.2.3
**gpgkey** contains information regarding GPG configuration for the system

#### 6.1.1
**file_permissions** contains information regarding system file permissions and configuration

#### 6.1.13
**suid_files** can be examined to ensure all SUID files on the system have intended properties

#### 6.1.14
**sgid_files** can be examined to ensure all SGID files on the system have intended properties

## Development

### How to Contribute

Create a pull request and we will review your change. Log issues in the issues tab.


### Running Tests


This module is built on PDK, which can be used for testing. Download PDK and run the following commands:

```
pdk validate
pdk test unit
```

Alternatively, you can run the following to test the module:

```
bundle install
bundle exec rake rubocop
bundle exec rake syntax lint
bundle exec rake metadata_lint
bundle exec rake spec
```
## Contributors

This module is an open source project that was created and maintained by Autostructure.

## Disclaimer

> This Work is provided "as is." Any express or implied warranties,
including but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. In no event shall
the authors be liable for any direct, indirect,
incidental, special, exemplary or consequential damages (including, but
not limited to, procurement of substitute goods or services, loss of
use, data or profits, or business interruption) however caused and on
any theory of liability, whether in contract, strict liability, or tort
(including negligence or otherwise) arising in any way out of the use of
this Guidance, even if advised of the possibility of such damage.
>
> The User of this Work agrees to hold harmless and indemnify Autostructure,
its agents, parent company, and employees from every claim or liability
(whether in tort or in contract), including attorneys' fees,
court costs, and expenses, arising in direct consequence of Recipient's
use of the item, including, but not limited to, claims or liabilities
made for injury to or death of personnel of User or third parties,
damage to or destruction of property of User or third parties, and
infringement or other violations of intellectual property or technical
data rights.
>
> Nothing in this Work is intended to constitute an endorsement, explicit
or implied, by Autostructure of any particular manufacturer's
product or service.