Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jeff1evesque/cis_benchmark

Puppet hardening using cis benchmark
https://github.com/jeff1evesque/cis_benchmark

Last synced: 2 months ago
JSON representation

Puppet hardening using cis benchmark

Host: GitHub
URL: https://github.com/jeff1evesque/cis_benchmark
Owner: jeff1evesque
Created: 2017-01-27T20:18:15.000Z (almost 8 years ago)
Default Branch: master
Last Pushed: 2018-08-20T01:50:54.000Z (over 6 years ago)
Last Synced: 2024-10-12T02:47:43.569Z (3 months ago)
Language: Puppet
Homepage: https://forge.puppet.com/jeff1evesque/cis_benchmark
Size: 1.84 MB
Stars: 2
Watchers: 2
Forks: 0
Open Issues: 43
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # cis-benchmark [![Build Status](https://travis-ci.org/jeff1evesque/cis_benchmark.svg?branch=master)](https://travis-ci.org/jeff1evesque/cis_benchmark)

Puppet hardening module premised on [cis benchmark](https://www.cisecurity.org/cis-benchmarks/):

- [Ubuntu 14.04](https://github.com/jeff1evesque/cis_benchmark/raw/master/doc/CIS_Ubuntu_Linux_14.04_LTS_Benchmark_v2.0.0.pdf)

**Note:** the puppet numbering scheme, matches the corresponding benchmark.

## Dependency

The `Puppetfile` requires the following:

- [`comment_line`](https://forge.puppet.com/geoffwilliams/comment_line) 

- [`multitemplate`](https://forge.puppet.com/deanwilson/multitemplate/types)

- [`apt`](https://forge.puppet.com/puppetlabs/apt)

- [`cron`](https://forge.puppet.com/puppet/cron)

## Execution

Specific rules can be nested under the following [yaml keys](https://github.com/jeff1evesque/cis_benchmark/blob/a8e94846d048cf8b500886333a4babb9c14cf8ed/manifests/params.pp#L11-L15),

of a yaml file defined from the `hiera.yaml`, of the corresponding puppetserver:

- `[node-certificate]`

- `cis_benchmark`

- `trusty64`

If the yaml key exists, by the name of the nodes certificate (delimited by underscores),

then the corresponding cis rules will take precedence. Otherwise, if the `cis_benchmark`,

or the `trusty64` yaml key exists, it will load the respective rules.

The following is the [Ubuntu 14.04](https://github.com/jeff1evesque/cis_benchmark/raw/master/doc/CIS_Ubuntu_Linux_14.04_LTS_Benchmark_v2.0.0.pdf)

implementation:

```yaml

cis_benchmark::trusty64:

    stig:

        cis_1_1_1_1: true

        cis_1_1_1_2: true

        cis_1_1_1_3: true

```

**Note:** the [`params.pp`](https://github.com/jeff1evesque/cis_benchmark/blob/master/manifests/params.pp)

can be further reviewed in order to override default cis rules.

Similar rules can be defined directly in the environment's `site.pp`, as an alternative

approach to the hiera implementation:

```puppet

class { 'cis_benchmark':

    cis_1_1_1_1 => true,

    cis_1_1_1_2 => true,

    cis_1_1_1_3 => true,

}

```

**Note:** the [`params.pp`](https://github.com/jeff1evesque/cis_benchmark/blob/master/manifests/params.pp)

can be further reviewed in order to override default cis rules.