{"id":13767027,"url":"https://github.com/cohdjn/cisecurity","last_synced_at":"2025-04-12T23:21:39.746Z","repository":{"id":57665103,"uuid":"105594133","full_name":"cohdjn/cisecurity","owner":"cohdjn","description":"Configures Linux systems to Center for Internet Security Linux hardening standard.","archived":false,"fork":false,"pushed_at":"2020-04-30T15:13:54.000Z","size":179,"stargazers_count":9,"open_issues_count":1,"forks_count":13,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-22T13:16:03.801Z","etag":null,"topics":["cis","cisecurity","linux","puppet","puppet-enterprise","puppet-forge","puppet-module","rhel7"],"latest_commit_sha":null,"homepage":null,"language":"Puppet","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cohdjn.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-10-02T23:06:10.000Z","updated_at":"2024-08-09T14:53:55.000Z","dependencies_parsed_at":"2022-09-26T20:31:16.868Z","dependency_job_id":null,"html_url":"https://github.com/cohdjn/cisecurity","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cohdjn%2Fcisecurity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cohdjn%2Fcisecurity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cohdjn%2Fcisecurity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cohdjn%2Fcisecurity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cohdjn","download_url":"https://codeload.github.com/coh
djn/cisecurity/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248644181,"owners_count":21138564,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cis","cisecurity","linux","puppet","puppet-enterprise","puppet-forge","puppet-module","rhel7"],"created_at":"2024-08-03T16:01:03.725Z","updated_at":"2025-04-12T23:21:39.713Z","avatar_url":"https://github.com/cohdjn.png","language":"Puppet","funding_links":[],"categories":["Security","Hardening"],"sub_categories":["Hardening","Ghidra"],"readme":"[![Build Status](https://travis-ci.org/cohdjn/cisecurity.svg?branch=master)](https://travis-ci.org/cohdjn/cisecurity)\n[![Coverage Status](https://coveralls.io/repos/github/cohdjn/cisecurity/badge.svg)](https://coveralls.io/github/cohdjn/cisecurity)\n\n# cisecurity\n\n## Table of Contents\n\n1. [Module Description](#description)\n2. [Setup - The basics of getting started with cisecurity](#setup)\n    * [What cisecurity affects](#what-cisecurity-affects)\n    * [Beginning with cisecurity](#beginning-with-cisecurity)\n3. [Usage - Configuration options and additional functionality](#usage)\n4. [Reference - An under-the-hood peek at what the module is doing and how](#reference)\n5. [Limitations - OS compatibility, etc.](#limitations)\n6. [Development - Guide for contributing to the module](#development)\n\n## Module Description\n\nThis module configures and maintains controls listed in the Center for Internet Security Benchmark for Linux.  
The current version of cisecurity implements v2.10 of the benchmark for Red Hat Enterprise Linux 6 and v2.20 for Red Hat Enterprise Linux 7.  The module provides a lot of dials and knobs to fine-tune the module to your specific needs.\n\nMore information about the benchmark and downloading a copy of it for yourself is available at the [Center for Internet Security](http://www.cisecurity.org).\n\n## Setup\n\n### What cisecurity affects\n\nBy default, this module implements all Level 1 and Level 2 controls and uses the defaults provided in the benchmark.  Make sure to consult the module's documentation for default settings and alter as necessary.  **The defaults should not be intended as a one-size-fits-all solution.**\n\ncisecurity touches a wide variety of system-level settings including:\n\n* Filesystem owners, groups, and permissions\n* modprobe-enabled filesystems\n* Mount point configurations\n* Network subsystem\n* Addition/removal of packages\n* Package configurations\n* PAM\n* SELinux\n* Grub\n* User Accounts\n### Beginning with cisecurity\n\nTo use the cisecurity module with default parameters, declare the cisecurity class.\n\n```puppet\nclass { '::cisecurity': }\n```\n\n## Usage\n\nAll parameters for the `cisecurity` module are broken down into various classes based on the components being modified.\n\n## Reference\n\n### Classes\n\n* `cisecurity::filesystem`: Handles the filesystem controls.\n* `cisecurity::network`: Handles the network controls.\n* `cisecurity::packages`: Handles the package and yum controls.\n* `cisecurity::pam`: Handles the PAM controls.\n* `cisecurity::security`: Handles Grub, SELinux, and other miscellaneous controls.\n* `cisecurity::services`: Handles the network controls.\n\n### Parameters\n\nIf you modify an `Enum['enabled','disabled']` parameter to something other than the default, the module will not autocorrect the desired state of the system.  
You will need to go to that system and manually change the configuration to whatever you want it to be.  cisecurity is designed to only enforce the controls in the benchmark and will not make assumptions of what you want a system's configuration to look like when you deviate.\n\nFor parameters in the `cisecurity::packages` class, if you modify an `Enum['installed','uninstalled','ignored']` parameter, the class will attempt to install, purge, or ignore the specified package.\n\n#### Class cisecurity::filesystem\n\n##### `configure_umask_default`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 5.4.4\n* Related: `umask_default`\n\nDetermines if the default umask will be modified.\n\n##### `cramfs`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.1.1.1\n\nDetermines if mounting cramfs filesystems will be allowed.\n\n##### `dev_shm_mount_options`\n* Default value: `[ 'noexec', 'nodev', 'nosuid' ]`\n* Data type: `Array[String]`\n* Implements: Control 1.1.15\n\nProvides mount options for /dev/shm.  
Set this parameter to an empty array if you don't want the module to modify /dev/shm.\n\n##### `freevxfs`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.1.1.2\n\nDetermines if mounting freevxfs filesystems will be allowed.\n\n##### `harden_system_file_perms`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Controls 5.1.2 - 5.1.8, 5.2.1, 6.1.2 - 6.1.9\n\nSecures certain system files and directories harder than the default operating system provides.\n\n##### `hfs`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.1.1.4\n\nDetermines if mounting hfs filesystems will be allowed.\n\n##### `hfsplus`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.1.1.5\n\nDetermines if mounting hfsplus filesystems will be allowed.\n\n##### `home_mount_options`\n* Default value: `[ 'nodev' ]`\n* Data type: `Array[String]`\n* Implements: Controls 1.1.13 - 1.1.14\n\nProvides mount options for /home.  If /home is not configured as a separate partition, the module will throw a warning.  
Set this parameter to an empty array if you don't want the module to modify /home.\n\n##### `jffs2`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.1.1.3\n\nDetermines if mounting jffs2 filesystems will be allowed.\n\n##### `log_file_perms_cron_start_hour`\n* Default value: `'*'`\n* Data type: `String`\n* Implements: Control 4.2.4\n* Related: `remediate_log_file_perms`\n\nA cron-styled hour when log file permissions will be corrected.\n\n##### `log_file_perms_cron_start_minute`\n* Default value: `'37'`\n* Data type: `String`\n* Implements: Control 4.2.4\n* Related: `remediate_log_file_perms`\n\nA cron-styled minute when log file permissions will be corrected.\n\n##### `remediate_log_file_perms`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 4.2.4\n* Related: `log_file_perms_cron_start_hour`, `log_file_perms_cron_start_minute`\n\nSecures log files in /var/log harder than the default operating system provides.\n\n##### `remediate_ungrouped_files`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.1.12\n* Related: `ungrouped_files_replacement_group`\n\nReassigns group ownership of ungrouped files and directories.\n\n##### `remediate_unowned_files`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.1.11\n* Related: `unowned_files_replacement_owner`\n\nReassigns user ownership of unowned files and directories.\n\n##### `remediate_world_writable_dirs`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.1.21\n* Related: `world_writable_dirs_ignored`\n\nAdds the sticky bit to all world writable directories.\n\n##### `remediate_world_writable_files`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.1.10\n* Related: `world_writable_files_ignored`\n\nRemoves world writable permission from all world writable files.\n\n
##### `removable_media_mount_options`\n* Default value: `[ 'noexec', 'nodev', 'nosuid' ]`\n* Data type: `Array[String]`\n* Implements: Controls 1.1.18 - 1.1.20\n* Related: `removable_media_partitions`\n\nProvides mount options for removable media partitions.\n\n##### `removable_media_partitions`\n* Default value: `[ ]`\n* Data type: `Array[String]`\n* Implements: Controls 1.1.18 - 1.1.20\n* Related: `removable_media_mount_options`\n\nLists all removable partitions that exist on the system.  It is recommended you set this on a node-by-node basis.\n\n##### `squashfs`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.1.1.6\n\nDetermines if mounting squashfs filesystems will be allowed.\n\n##### `tmp_mount_options`\n* Default value: `[ 'mode=1777', 'astrictatime', 'noexec', 'nodev', 'nosuid' ]`\n* Data type: `Array[String]`\n* Implements: Controls 1.1.2 - 1.1.5\n* Related: `removable_media_partitions`\n\nProvides mount options for /tmp.  If /tmp is not configured as a separate partition, the module will throw a warning.  Set this parameter to an empty array if you don't want the module to modify /tmp.\n\n##### `udf`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.1.1.7\n\nDetermines if mounting udf filesystems will be allowed.\n\n##### `umask_default`\n* Default value: `'027'`\n* Data type: `String`\n* Implements: Control 5.4.4\n* Related: `configure_umask_default`\n\nValue of the default umask.\n\n##### `ungrouped_files_replacement_group`\n* Default value: `'root'`\n* Data type: `String`\n* Implements: Control 6.1.12\n* Related: `remediate_ungrouped_files`\n\nValue of the group to assign to ungrouped files.  You may use GID or name.\n\n##### `unowned_files_replacement_owner`\n* Default value: `'root'`\n* Data type: `String`\n* Implements: Control 6.1.11\n* Related: `remediate_unowned_files`\n\nValue of the user to assign to unowned files.  
You may use GID or name.\n\n##### `var_mount_options`\n* Default value: `[ 'defaults' ]`\n* Data type: `Array[String]`\n* Implements: Controls 1.1.6\n\nProvides mount options for /var.  If /var is not configured as a separate partition, the module will throw a warning.  You really shouldn't need to modify this because the benchmark doesn't specify changes to the mount options (hence why it's set to defaults).\n\n##### `var_log_audit_mount_options`\n* Default value: `[ 'defaults' ]`\n* Data type: `Array[String]`\n* Implements: Controls 1.1.12\n\nProvides mount options for /var/log/audit.  If /var/log/audit is not configured as a separate partition, the module will throw a warning.  You really shouldn't need to modify this because the benchmark doesn't specify changes to the mount options (hence why it's set to defaults).\n\n##### `var_log_mount_options`\n* Default value: `[ 'defaults' ]`\n* Data type: `Array[String]`\n* Implements: Controls 1.1.11\n\nProvides mount options for /var/log.  If /var/log is not configured as a separate partition, the module will throw a warning.  You really shouldn't need to modify this because the benchmark doesn't specify changes to the mount options (hence why it's set to defaults).\n\n##### `var_tmp_mount_options`\n* Default value: `[ 'bind' ]`\n* Data type: `Array[String]`\n* Implements: Controls 1.1.6\n\nProvides mount options for /var/tmp.  
Set this parameter to an empty array if you don't want the module to modify /var/tmp.\n\n##### `vfat`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.1.1.8\n\nDetermines if mounting vfat filesystems will be allowed.\n\n##### `world_writable_dirs_ignored`\n* Default value: `[ ]`\n* Data type: `Array[String]`\n* Implements: Control 1.1.21\n* Related: `remediate_world_writable_dirs`\n\nProvides a list of world writable directories on which you don't want the sticky bit automatically set.\n\n##### `world_writable_files_ignored`\n* Default value: `[ '/var/lib/rsyslog/imjournal.state' ]`\n* Data type: `Array[String]`\n* Implements: Control 6.1.10\n* Related: `remediate_world_writable_files`\n\nProvides a list of world writable files whose permissions you don't want automatically changed.\n\n#### Class cisecurity::network\n\n##### `dccp`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.5.1\n\nDetermines if the DCCP protocol will be allowed.\n\n##### `disable_wireless_interfaces`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.7\n\nDetermines if wireless interfaces should be disabled.\n\n##### `hosts_allow`\n* Default value: `'puppet:///modules/cisecurity/tcp_wrappers/hosts.allow'`\n* Data type: `String`\n* Implements: Control 3.4.2\n\nProvides the source location for the /etc/hosts.allow file.  It is recommended you set this on a node-by-node basis.\n\n##### `hosts_deny`\n* Default value: `'puppet:///modules/cisecurity/tcp_wrappers/hosts.deny'`\n* Data type: `String`\n* Implements: Control 3.4.3\n\nProvides the source location for the /etc/hosts.deny file.  
It is recommended you set this on a node-by-node basis.\n\n##### `ipv4_accept_icmp_redirects`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.2.2\n\nDetermines if ICMP redirect messages are allowed.\n\n##### `ipv4_forwarding`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.1.1\n\nDetermines if forwarding (routing) is allowed.\n\n##### `ipv4_ignore_icmp_bogus_responses`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.2.6\n\nDetermines if bogus (faked) ICMP response messages are allowed.\n\n##### `ipv4_ignore_icmp_broadcasts`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.2.5\n\nDetermines if broadcast ICMP messages are allowed.\n\n##### `ipv4_log_suspicious_packets`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.2.4\n\nDetermines if suspicious packets (martians) will be logged.\n\n##### `ipv4_reverse_path_filtering`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.2.7\n\nDetermines if reverse path filtering of packets should happen.\n\n##### `ipv4_secure_redirects`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.2.3\n\nDetermines if secure ICMP redirect messages are allowed.\n\n##### `ipv4_send_redirects`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.1.2\n\nDetermines if the system can send ICMP redirect messages.\n\n##### `ipv4_source_routing`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.2.1\n\nDetermines if source routed packets are accepted.\n\n##### `ipv4_tcp_syncookies`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.2.8\n\nDetermines if TCP SYN cookies 
are allowed.\n\n##### `ipv6`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.3.3\n\nDetermines if the IPv6 protocol stack is allowed.\n\n##### `ipv6_accept_packet_redirects`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.3.2\n\nDetermines if IPv6 redirect messages are allowed.\n\n##### `ipv6_accept_router_advertisements`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.3.1\n\nDetermines if IPv6 router advertisements are accepted.\n\n##### `rds`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.5.3\n\nDetermines if the RDS protocol will be allowed.\n\n##### `sctp`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.5.2\n\nDetermines if the SCTP protocol will be allowed.\n\n##### `tipc`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 3.5.4\n\nDetermines if the TIPC protocol will be allowed.\n\n#### Class cisecurity::packages\n\n##### `aide`\n* Default value: `'installed'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 1.3.1\n\nDetermines if AIDE will be installed.\n\n##### `aide_cron_start_hour`\n* Default value: `'5'`\n* Data type: `String`\n* Implements: Control 1.3.2\n* Related: `aide_cron_start_minute`\n\nA cron-styled hour when AIDE will run its daily check.\n\n##### `aide_cron_start_minute`\n* Default value: `'0'`\n* Data type: `String`\n* Implements: Control 1.3.2\n* Related: `aide_cron_start_hour`\n\nA cron-styled minute when AIDE will run its daily check.\n\n##### `firewalld`\n* Default value: `'installed'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 3.6.1\n\nDetermines if firewalld will be installed.\n\n##### `libselinux`\n* Default value: `'installed'`\n* Data type: 
`Enum['installed','uninstalled','ignored']`\n* Implements: Control 1.6.2\n\nDetermines if libselinux will be installed.\n\n##### `logrotate`\n* Default value: `'installed'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 4.3\n\nDetermines if logrotate will be installed.\n\n##### `mcstrans`\n* Default value: `'uninstalled'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 1.6.1.5\n\nDetermines if the MCS Translation Service will be installed.\n\n##### `openldap_clients`\n* Default value: `'uninstalled'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 2.3.5\n\nDetermines if the LDAP client will be installed.\n\n##### `prelink`\n* Default value: `'uninstalled'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 3.6.1\n\nDetermines if prelink will be installed.\n\n##### `rsh`\n* Default value: `'uninstalled'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 2.2.17\n\nDetermines if the rsh server will be installed.\n\n##### `setroubleshoot`\n* Default value: `'uninstalled'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 1.6.1.4\n\nDetermines if setroubleshoot will be installed.\n\n##### `talk`\n* Default value: `'uninstalled'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 2.2.18\n\nDetermines if talk will be installed.\n\n##### `tcp_wrappers`\n* Default value: `'uninstalled'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 3.4.1\n\nDetermines if the TCP Wrappers will be installed.\n\n##### `telnet`\n* Default value: `'uninstalled'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 2.3.4\n\nDetermines if the telnet client will be installed.\n\n##### `xorg_x11`\n* Default value: `'uninstalled'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 
2.2.2\n\nDetermines if X Windows will be installed.\n\n##### `ypbind`\n* Default value: `'uninstalled'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 2.3.1\n\nDetermines if the NIS Client will be installed.\n\n##### `yum_auto_update`\n* Default value: `'installed'`\n* Data type: `Enum['installed','uninstalled','ignored']`\n* Implements: Control 1.8\n* Related: `yum_auto_update_action`, `yum_auto_update_email_from`, `yum_auto_update_email_to`, `yum_auto_update_exclude`, `yum_auto_update_notify_email`, `yum_auto_update_update_cmd`\n\nDetermines if yum-cron will be installed and configured.\n\n##### `yum_auto_update_action`\n* Default value: `'apply'`\n* Data type: `Enum['check','download','apply']`\n* Implements: Control 1.8\n* Related: `yum_auto_update`\n\nDetermines how to deal with updates for the system.\n  * `check` detects the presence of updates but takes no further action.\n  * `download` downloads the files and packages necessary to perform the update and takes no further action.\n  * `apply` downloads and installs the updates automatically.\n\n##### `yum_update_email_from`\n* Default value: `'root'`\n* Data type: `String`\n* Implements: Control 1.8\n* Related: `yum_auto_update`, `yum_auto_update_notify_email`\n\nIf email notifications are enabled, this parameter defines the sender's email address.  The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).\n\n##### `yum_update_email_to`\n* Default value: `'root'`\n* Data type: `String`\n* Implements: Control 1.8\n* Related: `yum_auto_update`, `yum_auto_update_notify_email`\n\nIf email notifications are enabled, this parameter defines who to send the notifications to.  
The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).\n\n##### `yum_auto_update_exclude`\n* Default value: `[ ]`\n* Data type: `Array[String]`\n* Implements: Control 1.8\n* Related: `yum_auto_update`\n\nAn array of packages to exclude when applying updates.\n\n##### `yum_auto_update_notify_email`\n* Default value: `true`\n* Data type: `Boolean`\n* Implements: Control 1.8\n* Related: `yum_auto_update`, `yum_auto_update_email_from`, `yum_auto_update_email_to`\n\nDetermines whether notifications are to be sent via email.\n\n##### `yum_auto_update_update_cmd`\n* Default value: `'default'`\n* Data type: `Enum['default','security','security-severity:Critical','minimal','minimal-security','minimal-security-severity:Critical']`\n* Implements: Control 1.8\n* Related: `yum_auto_update`\n\nDefines what category of updates you wish applied.\n  * `default` provides updates to all installed packages.\n  * `security` provides updates with security fixes only.\n  * `security-severity:Critical` provides only critical security fixes.\n  * `minimal` provides updates for bugfixes.\n  * `minimal-security` provides updates to packages with security errata.\n  * `minimal-security-severity:Critical` provides only critical security fixes for packages with security errata.\n\n##### `yum_repo_enforce_gpgcheck`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.2.2\n\nDetermines whether to enforce `gpgcheck` on all available repositories.\n\n#### Class cisecurity::pam\n\n##### `account_lockout_enforcement`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 5.3.2\n* Related: `account_lockout_attempts`, `account_lockout_time`, `inactive_account_lockout`, `inactive_account_lockout_days`\n\nDetermines whether the system should be configured for account lockout enforcement.\n\n##### `account_lockout_attempts`\n* Default value: 
`5`\n* Data type: `Integer`\n* Implements: Control 5.3.2\n* Related: `account_lockout_enforcement`\n\nSpecifies the number of times a bad password may be entered before the account is automatically locked out.\n\n##### `account_lockout_time`\n* Default value: `900`\n* Data type: `Integer`\n* Implements: Control 5.3.2\n* Related: `account_lockout_enforcement`\n\nSpecifies the amount of time (in seconds) after which an account will be automatically unlocked following failed password attempts.\n\n##### `inactive_account_lockout`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 5.4.1.4\n* Related: `account_lockout_enforcement`\n\nSpecifies whether inactive accounts should be locked by the system.\n\n##### `inactive_account_lockout_days`\n* Default value: `30`\n* Data type: `Integer`\n* Implements: Control 5.4.1.4\n* Related: `account_lockout_enforcement`\n\nSpecifies the number of days after which an account is considered inactive.\n\n##### `root_user_settings`\n* Default value: `{ gid =\u003e 'root' }`\n* Data type: `Hash`\n* Implements: Control 5.4.3\n\nSpecifies settings for the root user.  
The minimum setting needed is for ensuring the primary group, but this can be extended to include managing root passwords.\n\n##### `password_aging`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Controls 5.4.1.1 - 5.4.1.3\n* Related: `password_aging_max_days`, `password_aging_min_days`, `password_aging_warn_days`\n\nDetermines whether the system should be configured for password aging enforcement.\n\n##### `password_aging_max_days`\n* Default value: `90`\n* Data type: `Integer`\n* Implements: Control 5.4.1.1\n* Related: `password_aging`\n\nSpecifies the maximum number of days before a password is required to be changed.\n\n##### `password_aging_min_days`\n* Default value: `7`\n* Data type: `Integer`\n* Implements: Control 5.4.1.2\n* Related: `password_aging`\n\nSpecifies the minimum number of days a password must be used before it can be changed.\n\n##### `password_aging_warn_days`\n* Default value: `7`\n* Data type: `Integer`\n* Implements: Control 5.4.1.3\n* Related: `password_aging`\n\nSpecifies how many days before expiry a message is displayed at user login warning that their password is going to expire.\n\n##### `password_enforcement`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Controls 5.3.1, 5.3.3\n* Related: `password_min_length`, `password_num_digits`, `password_num_lowercase`, `password_num_uppercase`, `password_num_other_chars`, `password_max_attempts`, `password_num_remembered`\n\nDetermines whether the system should be configured for password complexity restrictions.\n\n##### `password_max_attempts`\n* Default value: `3`\n* Data type: `Integer`\n* Implements: Control 5.3.1\n* Related: `password_enforcement`\n\nSpecifies the number of times a user may specify a new password that doesn't meet complexity requirements before the attempt to change the password is rejected.\n\n##### `password_min_length`\n* Default value: `14`\n* Data type: `Integer`\n* Implements: Control 
5.3.1\n* Related: `password_enforcement`\n\nSpecifies the minimum length of a valid password.\n\n##### `password_num_digits`\n* Default value: `-1`\n* Data type: `Integer`\n* Implements: Control 5.3.1\n* Related: `password_enforcement`\n\nSpecifies the number of digits required to be present in the password.\n\n##### `password_num_lowercase`\n* Default value: `-1`\n* Data type: `Integer`\n* Implements: Control 5.3.1\n* Related: `password_enforcement`\n\nSpecifies the number of lowercase characters required to be present in the password.\n\n##### `password_num_uppercase`\n* Default value: `-1`\n* Data type: `Integer`\n* Implements: Control 5.3.1\n* Related: `password_enforcement`\n\nSpecifies the number of uppercase characters required to be present in the password.\n\n##### `password_num_other_chars`\n* Default value: `-1`\n* Data type: `Integer`\n* Implements: Control 5.3.1\n* Related: `password_enforcement`\n\nSpecifies the number of special characters required to be present in the password.\n\n##### `password_num_remembered`\n* Default value: `5`\n* Data type: `Integer`\n* Implements: Control 5.3.3\n* Related: `password_enforcement`\n\nSpecifies the number of passwords the system will store per user to prevent them from reusing old passwords.\n\n##### `wheel`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 5.6\n\nSpecifies whether to enable the use of the `wheel` group on the system for the `su` command.\n\n#### Class cisecurity::security\n\n##### `aslr`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.5.3\n\nDetermines whether Address Space Layout Randomization (ASLR) will be enabled.\n\n##### `banner_message_text`\n* Default value: `'Authorized uses only. 
All activity may be monitored and reported.'`\n* Data type: `String`\n* Implements: Control 1.7.2\n* Related: `x_windows`\n\nBanner message text to be displayed when a GNOME-based graphical login occurs.\n\n##### `bootloader_password`\n* Default value: Grub encrypted password\n* Data type: `String`\n* Implements: Control 1.4.2\n\nFor Red Hat 7, a grub SHA512 encrypted password string used as the bootloader password.  The encrypted password in `RedHat7.yaml` is `password`.  To change the bootloader password, use `grub2-mkpasswd-pbkdf2` as shown below:\n```\n$ grub2-mkpasswd-pbkdf2\nEnter password: \u003cnew password\u003e\nReenter password: \u003cconfirm new password\u003e\nPBKDF2 hash of your password is grub.pbkdf2.sha512.10000.D70F1...\n```\nCopy and paste the entire string into the parameter.\n\nFor Red Hat 6, a grub MD5 encrypted password string used as the bootloader password.  The encrypted password in `RedHat6.yaml` is `password`.  To change the bootloader password, use `grub-md5-crypt` as shown below:\n```\n$ grub-md5-crypt\nPassword: \u003cnew password\u003e\nRetype password: \u003cconfirm new password\u003e\n$1$L.MZi/$6i6ZtU/e8WRKfujZac44t.\n```\nCopy and paste the entire string into the parameter.  
Be sure to precede the salted password with the `--md5` moniker as the default shows.\n\n##### `bootloader_user`\n* Default value: `'rescue'`\n* Data type: `String`\n* Implements: Control 1.4.2\n\nSpecifies a username to be created with superuser privileges in grub.\n\n##### `configure_shell_timeout`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 5.4.5\n* Related: `shell_timeout`\n\nDetermines whether to implement shell timeouts.\n\n##### `configure_system_acct_nologin`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 5.4.2\n\nDetermines whether system accounts (UIDs less than 1000 by default) have their shell changed to `/sbin/nologin` in `/etc/passwd`.\n\n##### `home_directories_perm`\n* Default value: `'0750'`\n* Data type: `String`\n* Implements: Control 6.2.8 - 6.2.9\n* Related: `remediate_home_directories`\n\nDefines what permission should be applied to home directories.\n\n##### `issue`\n* Default value: `'puppet:///modules/cisecurity/banners/issue'`\n* Data type: `String`\n* Implements: Controls 1.7.1.2 and 1.7.1.5\n\nProvides the source location for `/etc/issue` and sets owner, group, and permission.\n\n##### `issue_net`\n* Default value: `'puppet:///modules/cisecurity/banners/issue.net'`\n* Data type: `String`\n* Implements: Controls 1.7.1.3 and 1.7.1.6\n\nProvides the source location for `/etc/issue.net` and sets owner, group, and permission.\n\n##### `motd`\n* Default value: `'puppet:///modules/cisecurity/banners/motd'`\n* Data type: `String`\n* Implements: Controls 1.7.1.1 and 1.7.1.4\n\nProvides the source location for `/etc/motd` and sets owner, group, and permission.\n\n##### `remediate_blank_passwords`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.1\n\nDetermines whether accounts with blank passwords will be locked out.\n\n##### `remediate_home_directories_dot_files`\n* Default value: `'enabled'`\n* 
Data type: `Enum['enabled','disabled']`\n* Implements: 6.2.10\n\nRemoves group and other write permissions to users' dot files.\n\n##### `remediate_home_directories_exist`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: 6.2.7\n\nCreates users' home directories if they don't exist whether they've logged into the system or not.\n\n##### `remediate_home_directories_forward_files`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: 6.2.11\n\nDetermines whether `.forward` files in home directories are forcibly removed.\n\n##### `remediate_home_directories_netrc_files`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: 6.2.12\n\nDetermines whether `.netrc` files in home directories are forcibly removed.\n\n##### `remediate_home_directories_netrc_files_perms`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: 6.2.13\n\nRemoves group and other write permissions to users' `.netrc` files.\n\n##### `remediate_home_directories_owner`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: 6.2.9\n\nChanges the ownership of home directories when the directory isn't owned by the correct user.\n\n##### `remediate_home_directories_perms`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: 6.2.8\n\nChanges the permissions of home directories.\n\n##### `remediate_home_directories_rhosts_files`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: 6.2.14\n\nDetermines whether `.rhosts` files in home directories are forcibly removed.\n\n##### `remediate_home_directories_start_hour`\n* Default value: `'5'`\n* Data type: `String`\n* Implements: Controls 6.2.7 - 6.2.19\n\nA cron-styled hour when home directory checks will run.\n\n##### `remediate_home_directories_start_minute`\n* Default value: `'0'`\n* Data type: `String`\n* Implements: 
Controls 6.2.7 - 6.2.19\n\nA cron-styled minute when home directory checks will run.\n\n##### `remediate_legacy_group_entries`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.4\n\nDetermines whether legacy entries in `/etc/group` exist.\n\n##### `remediate_legacy_passwd_entries`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.2\n\nDetermines whether legacy entries in `/etc/passwd` exist.\n\n##### `remediate_legacy_shadow_entries`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.3\n\nDetermines whether legacy entries in `/etc/shadow` exist.\n\n##### `remediate_root_path`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.6\n* Related: `root_path`\n\nDetermines whether root's path will be managed.  Besides configuring root's path in `/root/.bash_profile`, the module will go through each directory in the path, ensure the directory is owned by user root and group root, and remove group and other write permissions.\n\n##### `remediate_uid_zero_accounts`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.5\n\nDetermines whether accounts with UID 0 (other than root) will be deleted.\n\n##### `restricted_core_dumps`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.5.1\n\nDetermines whether core dumps are allowed.\n\n##### `root_path`\n* Default value: `[ '$PATH', '$HOME/bin' ]`\n* Data type: `Array[String]`\n* Implements: Control 6.2.6\n* Related: `remediate_root_path`\n\nThe path that will be configured in `/root/.bash_profile`.\n\n##### `selinux`\n* Default value: `'enforcing'`\n* Data type: `Enum['enforcing','permissive','disabled']`\n* Implements: Controls 1.6.1.1, 1.6.1.2, 1.6.2\n\nDetermines how SELinux will be configured.\n\n##### `selinux_type`\n* Default value: 
`'targeted'`\n* Data type: `Enum['targeted','minimum','mls']`\n* Implements: Control 1.6.1.3\n\nDetermines which SELinux policy type will be used.\n\n##### `secure_terminals`\n* Default value: `[ 'console' ]`\n* Data type: `Array[String]`\n* Implements: Control 5.5\n\nProvides a list of devices where root is permitted to directly log in.\n\n##### `single_user_authentication`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.4.3\n\nDetermines whether authentication will be required when the system runs in single-user mode.\n\n##### `syslog_facility`\n* Default value: `'auth'`\n* Data type: `String`\n* Implements: Controls 6.2.15 - 6.2.19\n\nProvides the syslog facility that warning messages will be logged to.\n\n##### `syslog_severity`\n* Default value: `'warn'`\n* Data type: `String`\n* Implements: Controls 6.2.15 - 6.2.19\n\nProvides the syslog severity that warning messages will be logged at.\n\n##### `verify_user_groups_exist`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.15\n\nVerifies all groups in `/etc/passwd` exist in `/etc/group`.  If a group doesn't exist, a message is written via syslog.\n\n##### `verify_duplicate_gids_notexist`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.17\n\nVerifies no duplicate GIDs exist.  If a duplicate GID is found, a message is written via syslog.\n\n##### `verify_duplicate_groupnames_notexist`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.19\n\nVerifies no duplicate group names exist.  If a duplicate group name is found, a message is written via syslog.\n\n##### `verify_duplicate_uids_notexist`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.16\n\nVerifies no duplicate UIDs exist.  
If a duplicate UID is found, a message is written via syslog.\n\n##### `verify_duplicate_usernames_notexist`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 6.2.18\n\nVerifies no duplicate usernames exist.  If a duplicate username is found, a message is written via syslog.\n\n#### Class cisecurity::services\n\n##### `at_allowed_users`\n* Default value: `[ 'root' ]`\n* Data type: `Array[String]`\n* Implements: Control 5.1.8\n* Related: `configure_at_allow`\n\nProvides a list of users allowed to use at.\n\n##### `auditd_action_mail_root`\n* Default value: `'root'`\n* Data type: `String`\n* Implements: Control 4.1.1.2\n* Related: `configure_auditd`\n\nIf email notifications are enabled, this parameter defines who receives the notification.  The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).\n\n##### `auditd_admin_space_left`\n* Default value: `50`\n* Data type: `Integer`\n* Implements: None.\n* Related: `configure_auditd`, `auditd_admin_space_left_action`\n\nValue (in megabytes) that tells the audit daemon when to perform a configurable action because the system is running low on disk space. This should be considered the last chance to do something before running out of disk space. The numeric value for this parameter should be lower than the number for `auditd_space_left`.\n\n##### `auditd_admin_space_left_action`\n* Default value: `'halt'`\n* Data type: `Enum['email','exec','halt','ignore','rotate','single','suspend','syslog']`\n* Implements: Control 4.1.1.2\n* Related: `configure_auditd`, `auditd_admin_space_left`\n\nAction to take when the system has detected that it is low on disk space. If set to ignore, the audit daemon does nothing. Syslog means that it will issue a warning to syslog. Email means that it will send a warning to the email account specified in `auditd_action_mail_acct` as well as sending the message to syslog. 
Suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The single option will cause the audit daemon to put the computer system in single user mode.\n\n##### `auditd_configure_boot_auditing`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 4.1.3\n\nDetermines whether process auditing happens before auditd is enabled.\n\n##### `auditd_configure_rules`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Controls 4.1.4 - 4.1.18\n* Related: `configure_auditd`\n\nDetermines whether the rules defined in the benchmark are applied.\n\n##### `auditd_max_log_file`\n* Default value: `8`\n* Data type: `Integer`\n* Implements: Control 4.1.1.1\n* Related: `configure_auditd`\n\nSpecifies the maximum audit log file size in megabytes. When this limit is reached, it will trigger a configurable action.\n\n##### `auditd_max_log_file_action`\n* Default value: `'keep_logs'`\n* Data type: `Enum['keep_logs','ignore','rotate','suspend','syslog']`\n* Implements: Control 4.1.1.3\n* Related: `configure_auditd`, `auditd_max_log_file`\n\nAction to take when the system has detected that the max file size limit has been reached. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The rotate option will cause the audit daemon to rotate the logs. It should be noted that logs with higher numbers are older than logs with lower numbers. This is the same convention used by the logrotate utility. The keep_logs option is similar to rotate except it does not use the num_logs setting. 
This prevents audit logs from being overwritten.\n\n##### `auditd_num_logs`\n* Default value: `5`\n* Data type: `Integer[0,999]`\n* Implements: None.\n* Related: `configure_auditd`\n\nSpecifies the number of log files to keep if rotate is given as the `auditd_max_log_file_action`. If the number is less than 2, logs are not rotated. This number must be 999 or less. The default is 0 - which means no rotation.\n\n##### `auditd_space_left`\n* Default value: `75`\n* Data type: `Integer`\n* Implements: None.\n* Related: `configure_auditd`, `auditd_space_left_action`\n\nValue in megabytes that tells the audit daemon when to perform a configurable action because the system is starting to run low on disk space.\n\n##### `auditd_space_left_action`\n* Default value: `'email'`\n* Data type: `Enum['email','exec','halt','ignore','rotate','single','suspend','syslog']`\n* Implements: Control 4.1.1.2\n* Related: `configure_auditd`, `auditd_space_left`\n\nSpecifies what action will be taken when the system detects that it's starting to get low on disk space.\n\n##### `autofs`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.1.22\n\nEnables or disables the automounter.\n\n##### `avahi_daemon`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.3\n\nEnables or disables Avahi.\n\n##### `chargen_dgram`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.1\n* Related: `inetd`\n\nEnables or disables chargen services.\n\n##### `chargen_stream`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.1\n* Related: `inetd`\n\nEnables or disables chargen services.\n\n##### `configure_at_allow`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 5.1.8\n* Related: `at_allowed_users`\n\nDetermines whether to configure at.allow.\n\n##### `configure_auditd`\n* Default 
value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Controls 4.1.1.1 - 4.1.2\n* Related: `auditd_action_mail_acct`, `auditd_admin_space_left_action`, `auditd_configure_rules`, `auditd_max_log_file`, `auditd_max_log_file_action`, `audit_space_left_action`\n\nDetermines whether the auditing subsystem will be configured.\n\n##### `configure_cron_allow`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 5.1.8\n* Related: `cron_allowed_users`\n\nDetermines whether to configure cron.allow.\n\n##### `configure_postfix`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.15\n\nDetermines whether postfix will be configured to only listen on localhost interfaces.\n\n##### `configure_rsyslog`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 4.2.1\n* Related: `rsyslog_conf`, `rsyslog_remote_servers`\n\nDetermines whether rsyslog will be configured.\n\n##### `configure_rsyslog_host`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 4.2.1.5\n\nDetermines whether rsyslog will be configured to be an rsyslog host.\n\n##### `configure_sshd`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Controls 5.2.1 - 5.2.16\n* Related: `sshd_banner_file`, `sshd_client_alive_count_max`, `sshd_client_alive_interval`, `sshd_hostbased_authentication`, `sshd_ignore_rhosts`, `sshd_login_grace_time`, `sshd_log_level`, `sshd_max_auth_tries`, `sshd_permit_empty_passwords`, `sshd_permit_root_login`, `sshd_permitted_ciphers`, `sshd_permitted_macs`, `sshd_permit_user_environment`, `sshd_protocol`, `sshd_x11_forwarding`\n\nDetermines whether sshd will be configured.\n\n##### `configure_time`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Controls 2.2.1.1 - 2.2.1.3\n* Related: `time_server_provider`, 
`time_service_servers`\n\nDetermines whether time services (ntpd or chrony) will be configured.\n\n##### `cron`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.1\n\nEnables or disables cron.\n\n##### `cron_allowed_users`\n* Default value: `[ 'root' ]`\n* Data type: `Array[String]`\n* Implements: Control 5.1.8\n* Related: `configure_cron_allow`\n\nProvides a list of users allowed to use cron.\n\n##### `cups`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.4\n\nEnables or disables the printing subsystem.\n\n##### `daytime_dgram`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.2\n* Related: `inetd`\n\nEnables or disables daytime services.\n\n##### `daytime_stream`\n* Default value: `'enabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.2\n* Related: `inetd`\n\nEnables or disables daytime services.\n\n##### `dhcpd`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.5\n\nEnables or disables DHCP services.\n\n##### `discard_dgram`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.3\n* Related: `inetd`\n\nEnables or disables discard services.\n\n##### `discard_stream`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.3\n* Related: `inetd`\n\nEnables or disables discard services.\n\n##### `dovecot`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.11\n\nEnables or disables POP3/IMAP services.\n\n##### `echo_dgram`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.4\n* Related: `inetd`\n\nEnables or disables echo services.\n\n##### `echo_stream`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 
2.1.4\n* Related: `inetd`\n\nEnables or disables echo services.\n\n##### `httpd`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.10\n\nEnables or disables web services.\n\n##### `inetd`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.7\n* Related: `chargen_dgram`, `chargen_stream`, `daytime_dgram`, `daytime_stream`, `discard_dgram`, `discard_stream`, `echo_dgram`, `echo_stream`, `time_dgram`, `time_stream`, `tftp_server`\n\nEnables or disables the (x)inetd super server.\n\n##### `named`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.8\n\nEnables or disables DNS services.\n\n##### `nfs`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.7\n* Related: `rpcbind`\n\nEnables or disables NFS services.\n\n##### `nfs_server`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.7\n* Related: `rpcbind`\n\nEnables or disables NFS Server services.\n\n##### `ntalk`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.18\n\nEnables or disables talk services.\n\n##### `ntp_service_restrictions`\n* Default value: `[ '-4 default kod nomodify notrap nopeer noquery', '-6 default kod nomodify notrap nopeer noquery', '127.0.0.1', '-6 ::1' ]`\n* Data type: `Array[String]`\n* Implements: Control 2.2.1.2\n* Related: `configure_time`\n\nConfigures NTP restrict statements.\n\n##### `rexec`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.17\n\nEnables or disables rexec services.\n\n##### `rhnsd`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 1.2.5\n\nEnables or disables Red Hat Network Services.\n\n##### `rlogin`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* 
Implements: Control 2.2.17\n\nEnables or disables rlogin services.\n\n##### `rpcbind`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.7\n* Related: `nfs`,`nfs_server`\n\nEnables or disables RPC portmapper service.\n\n##### `rsh`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.17\n\nEnables or disables rsh services.\n\n##### `rsyncd`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.21\n\nEnables or disables rsync services.\n\n##### `rsyslog_conf`\n* Default value: `'puppet:///modules/cisecurity/rsyslog/rsyslog.conf'`\n* Data type: `String`\n* Implements: Control 4.2.1.2\n* Related: `configure_rsyslog`\n\nProvides the source location for the /etc/rsyslog.conf file.  It is recommended you reconfigure this setting to some kind of master file to be distributed to all nodes or devise another mechanism to ensure log settings are properly configured.\n\n##### `rsyslog_remote_servers`\n* Default value: `[ { 'host' =\u003e 'log.domain.com', 'port' =\u003e 514 } ]`\n* Data type: `Array[Hash[String, Integer]]`\n* Implements: Control 4.2.1.4\n\nConfigures what loghosts to send syslog messages to.\n\n##### `slapd`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.6\n\nEnables or disables LDAP services.\n\n##### `smb`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.12\n\nEnables or disables Samba services.\n\n##### `snmpd`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.14\n\nEnables or disables SNMP services.\n\n##### `sshd_allowed_groups`\n* Default value: `[ ]`\n* Data type: `Array[String]`\n* Implements: Control 5.2.14\n* Related: `configure_sshd`\n\nLogin is allowed only for users whose primary group or supplementary group list matches one of the patterns.  
Only group names are valid; a numerical group ID is not recognized.\n\n##### `sshd_allowed_users`\n* Default value: `[ ]`\n* Data type: `Array[String]`\n* Implements: Control 5.2.14\n* Related: `configure_sshd`\n\nLogin is allowed only for user names that match one of the patterns.  Only user names are valid; a numerical user ID is not recognized.\n\n##### `sshd_banner_file`\n* Default value: `'/etc/issue.net'`\n* Data type: `String`\n* Implements: Control 5.2.16\n* Related: `configure_sshd`\n\nProvides the location of the file SSH sends as the login banner.\n\n##### `sshd_client_alive_count_max`\n* Default value: `'4'`\n* Data type: `String`\n* Implements: Control 5.2.13\n* Related: `configure_sshd`\n\nSets the number of client alive messages sshd will send without receiving messages back from the client.\n\n##### `sshd_client_alive_interval`\n* Default value: `'300'`\n* Data type: `String`\n* Implements: Control 5.2.13\n* Related: `configure_sshd`\n\nSets the timeout interval (in seconds) after which, if no data has been received from the client, sshd sends a message through the encrypted channel to request a response from the client.\n\n##### `sshd_denied_groups`\n* Default value: `[ ]`\n* Data type: `Array[String]`\n* Implements: Control 5.2.14\n* Related: `configure_sshd`\n\nLogin is disallowed for users whose primary group or supplementary group list matches one of the patterns.  Only group names are valid; a numerical group ID is not recognized.\n\n##### `sshd_denied_users`\n* Default value: `[ ]`\n* Data type: `Array[String]`\n* Implements: Control 5.2.14\n* Related: `configure_sshd`\n\nLogin is disallowed for user names that match one of the patterns.  
Only user names are valid; a numerical user ID is not recognized.\n\n##### `sshd_hostbased_authentication`\n* Default value: `'no'`\n* Data type: `Enum['yes','no']`\n* Implements: Control 5.2.7\n* Related: `configure_sshd`\n\nSpecifies whether `rhosts` or `/etc/hosts.equiv` authentication together with successful public key client host authentication is allowed.\n\n##### `sshd_ignore_rhosts`\n* Default value: `'yes'`\n* Data type: `Enum['yes','no']`\n* Implements: Control 5.2.6\n* Related: `configure_sshd`\n\nSpecifies that `.rhosts` and `.shosts` will not be used in `RhostsRSAAuthentication` or `HostbasedAuthentication`.\n\n##### `sshd_login_grace_time`\n* Default value: `'60'`\n* Data type: `String`\n* Implements: Control 5.2.14\n* Related: `configure_sshd`\n\nAmount of time (in seconds) after which the server disconnects if the user has not successfully logged in.\n\n##### `sshd_log_level`\n* Default value: `'INFO'`\n* Data type: `Enum['DEBUG','DEBUG1','DEBUG2','DEBUG3','ERROR','FATAL','INFO','QUIET','VERBOSE']`\n* Implements: Control 5.2.3\n* Related: `configure_sshd`\n\nSets the verbosity level that is used when logging messages.\n\n##### `sshd_max_auth_tries`\n* Default value: `'4'`\n* Data type: `String`\n* Implements: Control 5.2.5\n* Related: `configure_sshd`\n\nSpecifies the maximum number of authentication attempts permitted per connection.\n\n##### `sshd_permit_empty_passwords`\n* Default value: `'no'`\n* Data type: `Enum['yes','no']`\n* Implements: Control 5.2.9\n* Related: `configure_sshd`\n\nSpecifies whether the server allows login to accounts with empty password strings.\n\n##### `sshd_permit_root_login`\n* Default value: `'no'`\n* Data type: `Enum['yes','no']`\n* Implements: Control 5.2.8\n* Related: `configure_sshd`\n\nSpecifies whether root can log in directly with ssh.\n\n##### `sshd_permitted_ciphers`\n* Default value: `[ 'aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com' ]`\n* 
Data type: `Array[String]`\n* Implements: Control 5.2.11\n* Related: `configure_sshd`, `sshd_protocol`\n\nSpecifies the ciphers allowed for protocol version 2.\n\n##### `sshd_permitted_macs`\n* Default value: `[ 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha2-256', 'umac-128@openssh.com', 'curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256' ]`\n* Data type: `Array[String]`\n* Implements: Control 5.2.12\n* Related: `configure_sshd`, `sshd_protocol`\n\nSpecifies the available MAC (message authentication code) algorithms allowed for protocol version 2.\n\n##### `sshd_permit_user_environment`\n* Default value: `'no'`\n* Data type: `Enum['yes','no']`\n* Implements: Control 5.2.10\n* Related: `configure_sshd`\n\nSpecifies whether `~/.ssh/environment` and `environment=` options in `~/.ssh/authorized_keys` are processed.\n\n##### `sshd_protocol`\n* Default value: `'2'`\n* Data type: `String`\n* Implements: Control 5.2.2\n* Related: `configure_sshd`\n\nSpecifies the protocol versions sshd supports.\n\n##### `sshd_x11_forwarding`\n* Default value: `'no'`\n* Data type: `Enum['yes','no']`\n* Implements: Control 5.2.4\n* Related: `configure_sshd`\n\nSpecifies whether X11 forwarding is permitted.\n\n##### `squid`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.13\n\nEnables or disables HTTP Proxy services.\n\n##### `telnet`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.19\n\nEnables or disables telnet server services.\n\n##### `tftp`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.20\n\nEnables or disables TFTP server services.\n\n##### `time_dgram`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.5\n* Related: `inetd`\n\nEnables or disables time services through (x)inetd super 
server.  Do not confuse this parameter with ntpd and chrony.\n\n##### `time_service_provider`\n* Default value: `'ntp'`\n* Data type: `Enum['ntp','chrony']`\n* Implements: Controls 2.2.1.1 - 2.2.1.3\n* Related: `configure_time`\n\nControls whether the system will use ntpd or chrony.\n\n##### `time_service_servers`\n* Default value: `[ '0.rhel.pool.ntp.org', '1.rhel.pool.ntp.org', '2.rhel.pool.ntp.org', '3.rhel.pool.ntp.org' ]`\n* Data type: `Array[String]`\n* Implements: Control 2.2.1.1\n* Related: `configure_time`\n\nProvides a list of time servers to synchronize with.\n\n##### `time_stream`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.1.5\n* Related: `inetd`\n\nEnables or disables time services through the (x)inetd super server.  Do not confuse this parameter with ntpd or chrony.\n\n##### `vsftpd`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.9\n\nEnables or disables FTP server services.\n\n##### `ypserv`\n* Default value: `'disabled'`\n* Data type: `Enum['enabled','disabled']`\n* Implements: Control 2.2.1.6\n\nEnables or disables NIS server services.\n\n\n## Limitations\n\nThis module has been tested on RHEL 6 and 7 and it \"should\" work on CentOS 6 and 7 but no testing has been performed.\n\n## Development\n\n### Bugs\n\nPlease use GitHub to file an issue if you run into problems with the module.\n\n### Pull Request\n\nIf you can patch the bugs you find or want to add features and functionality, please create a pull request.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcohdjn%2Fcisecurity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcohdjn%2Fcisecurity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcohdjn%2Fcisecurity/lists"}