cis-puppet's People

Contributors

arildjensen, ericsakowski, jorritfolmer, kayari75, nibalizer, proletaryo, thesha1chemist

cis-puppet's Issues

/usr/local/sbin/f000.sh line 10 too many arguments

Hi,

I am using c0010.pp for f0000.sh. According to my understanding, f0000.sh, which is under scripts, will be executed and provide the output (pass or fail) under /usr/local/sbin/ as f000.sh.
But for me the f000.sh under scripts is just copying the file and placing it under /usr/local/sbin. And when I execute just f0000.sh it is throwing me an error.

  1 #!/bin/sh
  2
  3
  4 # This script is used by the cis Puppet module.
  5 # For the latest version see https://github.com/arildjensen/cis-puppet/
  6
  7
  8 COMMAND=`grep ^password /boot/grub/grub.conf 2>/dev/null`
  9
 10 if [ $COMMAND = x ];
 11   then
 12     echo fail;
 13   else
 14     echo pass;
 15 fi
 16

/usr/local/sbin/f000.sh: line 10: [: too many arguments

Please help me
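
Added example (not part of the original issue or of cis-puppet): the posted test next to a corrected one, run against constructed grub.conf samples. Because $COMMAND is unquoted, the [ command errors out on both an empty and a multi-word match, so the check reports pass whether or not a password line exists. The function names, the file-path parameter and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from cis-puppet. Function names and the sample
# grub.conf contents are constructed; the config path is made a parameter.

# The posted test. $COMMAND is unquoted, so a multi-word match makes [ fail
# with "too many arguments" and an empty match leaves "[ = x ]". Both are
# errors, the else branch runs, and the check reports pass either way.
check_original() {
  # "|| true" only keeps this demo alive when run under "set -e".
  COMMAND=`grep ^password "$1" 2>/dev/null || true`
  if [ $COMMAND = x ];
    then
      echo fail;
    else
      echo pass;
  fi
}

# Corrected check: grep -q reports the match through its exit status, so no
# string comparison is needed and a missing or unreadable file yields fail.
check_fixed() {
  if grep -q '^password' "$1" 2>/dev/null; then
    echo pass
  else
    echo fail
  fi
}

demo() {
  dir=$(mktemp -d)
  # Constructed sample files: one with a password line, one without.
  printf 'default=0\npassword --md5 CONSTRUCTED_HASH\n' > "$dir/with_pw.conf"
  printf 'default=0\ntimeout=5\n' > "$dir/no_pw.conf"
  for f in with_pw no_pw; do
    echo "$f: original=$(check_original "$dir/$f.conf")" \
         "fixed=$(check_fixed "$dir/$f.conf")"
  done
  rm -rf "$dir"
}
demo
```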

rm 'files/el6/etc/rsyslog.conf'

This file is not used anywhere that I can see -- it is probably leftover from before templates/el6/etc/rsyslog.conf.erb was created instead.

Get log server name from hiera

Log server is currently hard coded to "logger". Instead the module should use hiera to look up the name of the central log server and use a default value if none is found.

No License File

Since there is no license mentioned in the README or a LICENSE file this isn't properly open sourced, which makes it hard to reuse in my environment.

Please attach a license, I recommend the Apache 2 License for anything Puppet related.

Incompatibility with Puppet 4+

It seems this module is incompatible with the just released Puppet 4.
I haven't tested this yet on a VM myself, but the Travis CI builds that are used in testing Pull Requests fail big time. Example 1 and example 2:

[SNIP]
Installing puppet 4.0.0
[SNIP]
Could not parse for environment *root*: Illegal fully qualified name in file /home/travis/build/arildjensen/cis-puppet/manifests/el6/1_1_1.pp at line 6:17
Could not parse for environment *root*: Illegal fully qualified name in file /home/travis/build/arildjensen/cis-puppet/manifests/el6/1_1_10.pp at line 6:17
Could not parse for environment *root*: Illegal fully qualified name in file /home/travis/build/arildjensen/cis-puppet/manifests/el6/1_1_14.pp at line 6:17
Could not parse for environment *root*: Illegal fully qualified name in file /home/travis/build/arildjensen/cis-puppet/manifests/el6/1_1_15.pp at line 6:17
Could not parse for environment *root*: Illegal fully qualified name in file /home/travis/build/arildjensen/cis-puppet/manifests/el6/1_1_16.pp at line 6:17
[SNIP]

After some Googling, this came up from the Puppetlabs website:

Each namespace segment must begin with a lowercase letter and can include Lowercase letters, Numbers and Underscores.

So for compatibility with Puppet 4.0.0+ it looks like classes like el6::1_1_1 will need to be renamed to el6::c1_1_1 or something similar that makes each namespace segment begin with a lowercase letter.

Security loophole in /var/tmp bind mount

The bind mount of /var/tmp on /tmp doesn't have the same mount options as /tmp.
This means that /var/tmp doesn't have noexec,nodev,nosuid.

A quick test shows that the same shell script is executable on /var/tmp, but not on /tmp.
It should be non-executable on both.
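
Added example (not part of the original issue or of cis-puppet): a check for the condition reported above, reading mount entries in /proc/mounts format and listing which of noexec, nodev and nosuid each mount point lacks. The function names and the sample mount table are constructed; on a live host pass /proc/mounts as the first argument.

```shell
#!/bin/sh
# Added example, not code from cis-puppet. Function names and sample data are
# constructed for illustration.

# Constructed /proc/mounts excerpt: /var/tmp is a bind mount of the /tmp
# filesystem that did not pick up the hardening options.
sample_mounts() {
  cat <<'EOF'
/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-tmp /var/tmp ext4 rw,relatime 0 0
EOF
}

# Print the options (noexec, nodev, nosuid) missing from the last mount
# stacked on MOUNTPOINT ($2) in MOUNTS_FILE ($1), or "unmounted" if absent.
missing_opts() {
  awk -v mp="$2" '
    $2 == mp { opts = $4; seen = 1 }   # a later entry overrides an earlier one
    END {
      if (!seen) { print "unmounted"; exit }
      n = split("noexec nodev nosuid", want, " ")
      split(opts, have, ",")
      for (i in have) set[have[i]] = 1
      out = ""
      for (i = 1; i <= n; i++)
        if (!(want[i] in set)) out = out (out == "" ? "" : ",") want[i]
      print out
    }' "$1"
}

demo() {
  f=$(mktemp)
  sample_mounts > "$f"
  for mp in /tmp /var/tmp; do
    echo "$mp missing: [$(missing_opts "$f" "$mp")]"
  done
  rm -f "$f"
}
demo
```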

issues on /bin/cat: /var/log/control_f0002: No such file or directory

Hi,

when I run your modules I am getting this error:
/bin/cat: /var/log/control_f0002: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0003: No such file or directory

And the .sh files are not placed in /usr/local/sbin, where the results are stored?

Please let me know.

Appreciate your help.

Thank You

f0004 through f0006 can only pass

From the way I read it, those tests can never fail, since the COMMANDS variable is being set but the FILES variable is being tested.

Typo in c0053.pp

source => $hardwaremode ? {

should be

source => $hardwaremodel ? {

Thanks for the great module!

I want to add support for CIS v2.1.1, structure questions

With CIS v2.1.1 for RHEL and CentOS specification how would you like this structured within the repo? Much of the specification I'm writing will be able to reuse existing manifests but more requirements have been added and existing requirements have been relabeled and enumerated differently in the newer specification version. While I wait to hear back I am creating a new directory with el7v2_1_1 as the name.

Errors on minimal CentOS 6.5 install

I did a minimal install of CentOS 6.5, added puppet 3.4.2, and cis. I get the following errors:

puppet apply -e 'include cis::el6all'

/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
Warning: Variable access via 'ntpserver' is deprecated. Use '@ntpserver' instead. template[/etc/puppet/modules/cis/templates/el6/etc/ntp.conf.erb]:5
(at /etc/puppet/modules/cis/templates/el6/etc/ntp.conf.erb:5:in `result')
Warning: Variable access via 'logserver' is deprecated. Use '@logserver' instead. template[/etc/puppet/modules/cis/templates/el6/etc/rsyslog.conf.erb]:16
(at /etc/puppet/modules/cis/templates/el6/etc/rsyslog.conf.erb:16:in `result')
Notice: Compiled catalog for vmtest3.ats.msu.edu in environment production in 4.39 seconds
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory

Scripts cis/files/linuxcontrols/scripts/f000[23].sh send output to /var/log/control_f000[23] and it is checked in cis/lib/facter/f000[23].rb. The other scripts send pass/fail to standard out and check the results of the shell.

If I change f0002 and 3 to behave like the other scripts it seems to work so I don't understand why the difference.
