arildjensen / cis-puppet
Center for Internet Security Linux Benchmark implementation for PuppetLabs
License: Other
The current version only supports Amazon Linux 2014.09, which was released over 12 months ago.
The current script only changes /tmp.
According to the CIS document (https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_6_Benchmark_v1.1.0.pdf),
the changes need to be applied to ALL world-writable directories in the system.
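The sticky-bit control the issue above refers to applies to every world-writable directory, not just /tmp. The script below is an added example, not code from the cis-puppet module: it audits a whole tree for world-writable directories without the sticky bit, reports pass/fail in the style of the module's check scripts, and remediates with chmod a+t. It assumes the tree to audit is passed as the first argument (a real run would start at / with -xdev, as the benchmark's own find does) and exercises itself on a constructed temporary tree.

```shell
#!/bin/sh
# Added example, not part of cis-puppet. Audits a directory tree for
# world-writable directories that lack the sticky bit and fixes them.
# Assumption: the root of the tree to audit is passed as $1.

# sticky_bit_audit ROOT -> one offending directory per line
sticky_bit_audit() {
    # -xdev: stay on one filesystem; -perm -0002: writable by others;
    # ! -perm -1000: sticky bit not set.
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# sticky_bit_status ROOT -> "pass" when nothing is reported, else "fail"
sticky_bit_status() {
    if [ -z "$(sticky_bit_audit "$1")" ]; then
        echo pass
    else
        echo fail
    fi
}

# sticky_bit_fix ROOT: set the sticky bit on every offending directory
sticky_bit_fix() {
    sticky_bit_audit "$1" | while IFS= read -r dir; do
        chmod a+t "$dir"
    done
}

# make_demo_tree -> path of a constructed directory tree for a dry run
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/ok_tmp" "$demo/bad_share" "$demo/private"
    chmod 1777 "$demo/ok_tmp"      # world-writable with sticky bit: fine
    chmod 0777 "$demo/bad_share"   # world-writable, no sticky bit: finding
    chmod 0755 "$demo/private"     # not world-writable: ignored
    echo "$demo"
}

# Dry run on the constructed tree: fail before remediation, pass after.
demo=$(make_demo_tree)
echo "before: $(sticky_bit_status "$demo")"
sticky_bit_fix "$demo"
echo "after:  $(sticky_bit_status "$demo")"
rm -rf "$demo"
```

The audit and the fix share one find expression, so the remediation can only touch directories the audit would have reported; running the audit again after the fix is the check that the remediation was complete.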
Hi,
I am using c0010.pp for f0000.sh. According to my understanding, f0000.sh, which is under scripts, will be executed and will provide the output (pass or fail) under /usr/local/sbin/ as f000.sh.
But for me the f000.sh under scripts is just copying the file and placing it under /usr/local/sbin. And when I execute just f0000.sh it is throwing me an error.
2
3
4 # This script is used by the cis Puppet module.
5 # For the latest version see https://github.com/arildjensen/cis-puppet/
6
7
8 COMMAND=`grep ^password /boot/grub/grub.conf 2>/dev/null`
9
10 if [ $COMMAND = x ];
11 then
12 echo fail;
13 else
14 echo pass;
15 fi
16
/usr/local/sbin/f000.sh: line 10: [: too many arguments
Please help me
This file is not used anywhere that I can see -- it is probably leftover from before templates/el6/etc/rsyslog.conf.erb was created instead.
Log server is currently hard coded to "logger". Instead the module should use hiera to look up the name of the central log server and use a default value if none found.
Since there is no license mentioned in the README or a LICENSE file this isn't properly open sourced, which makes it hard to reuse in my environment.
Please attach a license, I recommend the Apache 2 License for anything Puppet related.
It seems this module is incompatible with the just released Puppet 4.
I haven't tested this yet on a VM myself, but the Travis CI builds that are used in testing Pull Requests fail big time. Example 1 and example 2:
[SNIP]
Installing puppet 4.0.0
[SNIP]
Could not parse for environment *root*: Illegal fully qualified name in file /home/travis/build/arildjensen/cis-puppet/manifests/el6/1_1_1.pp at line 6:17
Could not parse for environment *root*: Illegal fully qualified name in file /home/travis/build/arildjensen/cis-puppet/manifests/el6/1_1_10.pp at line 6:17
Could not parse for environment *root*: Illegal fully qualified name in file /home/travis/build/arildjensen/cis-puppet/manifests/el6/1_1_14.pp at line 6:17
Could not parse for environment *root*: Illegal fully qualified name in file /home/travis/build/arildjensen/cis-puppet/manifests/el6/1_1_15.pp at line 6:17
Could not parse for environment *root*: Illegal fully qualified name in file /home/travis/build/arildjensen/cis-puppet/manifests/el6/1_1_16.pp at line 6:17
[SNIP]
After some Googling, this came up from the Puppetlabs website:
Each namespace segment must begin with a lowercase letter and can include Lowercase letters, Numbers and Underscores.
So for compatibility with Puppet 4.0.0+ it looks like classes like el6::1_1_1 will need to be renamed to el6::c1_1_1 or something similar that makes each namespace segment begin with a lowercase letter.
From EL6 Benchmark 1.4.6:
Perform the following to determine if unconfined daemons are running on the system.
# ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
[no output produced]
The current code returns "fail" if the audit succeeds (because no output is produced by the $COMMAND in the conditional expression).
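Two of the reports on this page come from the same pattern in the module's check scripts: the unquoted test `[ $COMMAND = x ]` in the grub password check (the "too many arguments" error above) and the inverted verdict in the 1.4.6 check just described. The script below is an added example, not the module's f0000.sh or any other cis-puppet script. It keeps the benchmark's own audit pipeline for 1.4.6 and the grep for the grub password line, but quotes the test properly and makes the polarity of each verdict explicit. Both checks take their input from a file argument or stdin so they run on the constructed data included here; on a real host they would read /boot/grub/grub.conf and the output of ps -eZ.

```shell
#!/bin/sh
# Added example, not part of cis-puppet. Pass/fail check functions with
# correct quoting and an explicit verdict polarity.
# Assumptions: grub config path is passed as $1; ps -eZ output comes on stdin.

# verdict OUTPUT POLARITY
#   empty-is-fail: pass when OUTPUT is non-empty (something required was found)
#   empty-is-pass: pass when OUTPUT is empty (nothing forbidden was found)
# [ -z "$1" ] is the quoted form of what [ $COMMAND = x ] tried to express;
# it cannot break when OUTPUT contains spaces such as "password --md5 ...".
verdict() {
    if [ -z "$1" ]; then
        if [ "$2" = empty-is-pass ]; then echo pass; else echo fail; fi
    else
        if [ "$2" = empty-is-pass ]; then echo fail; else echo pass; fi
    fi
}

# Boot loader password: a line starting with "password" must be present
# in the grub configuration file given as $1.
grub_password_check() {
    found=$(grep '^password' "$1" 2>/dev/null || true)
    verdict "$found" empty-is-fail
}

# Benchmark 1.4.6 (unconfined daemons): the benchmark's own pipeline applied
# to ps -eZ output read from stdin; no output means no unconfined daemon.
unconfined_daemon_check() {
    found=$(grep -E 'initrc' | grep -Evw 'tr|ps|egrep|bash|awk' \
            | tr ':' ' ' | awk '{ print $NF }' || true)
    verdict "$found" empty-is-pass
}

# Constructed grub.conf contents (the hash is a placeholder, not a real one).
GRUB_WITH_PASSWORD='default=0
timeout=5
password --md5 $1$PLACEHOLDER$notarealhash
title CentOS (2.6.32)'
GRUB_WITHOUT_PASSWORD='default=0
timeout=5
title CentOS (2.6.32)'

# Constructed ps -eZ output: a clean host, and one with a daemon left in initrc_t.
PS_CLEAN='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:syslogd_t:s0    812 ?        00:00:00 rsyslogd'
PS_UNCONFINED="$PS_CLEAN
system_u:system_r:initrc_t:s0     934 ?        00:00:00 mydaemon"

# write_tmp STRING -> path of a temporary file holding STRING
write_tmp() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# Run both checks against the constructed data.
demo() {
    f=$(write_tmp "$GRUB_WITH_PASSWORD")
    echo "grub with password:    $(grub_password_check "$f")"
    rm -f "$f"
    f=$(write_tmp "$GRUB_WITHOUT_PASSWORD")
    echo "grub without password: $(grub_password_check "$f")"
    rm -f "$f"
    echo "ps clean:              $(printf '%s\n' "$PS_CLEAN" | unconfined_daemon_check)"
    echo "ps with initrc_t:      $(printf '%s\n' "$PS_UNCONFINED" | unconfined_daemon_check)"
}
demo
```

Keeping the verdict in one function with a named polarity makes the intended direction of each check visible at the call site, which is what the 1.4.6 script lacked: its conditional treated empty output as a failure although the benchmark says empty output is the passing result.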
not sure what Evidence of any suck unauthorized use collected during monitoring
means in the issue file ... =)
The bind mount of /var/tmp on /tmp doesn't have the same mount options as /tmp.
This means that /var/tmp doesn't have noexec,nodev,nosuid.
A quick test shows that the same shell script is executable on /var/tmp, but not on /tmp.
It should be non-executable on both.
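The gap described above is easy to miss because the fstab entry looks right: with the util-linux version on EL6, mount options given on a bind line are not applied by the bind itself and only take effect after a separate `mount -o remount,bind,nodev,noexec,nosuid /var/tmp`, so only the live mount table tells the truth. The script below is an added example, not code from the cis-puppet module: it checks that /tmp and /var/tmp both carry nodev, noexec and nosuid, reading the mount table from a string so it runs offline on the constructed /proc/mounts excerpts included here (on a real host, pass it the contents of /proc/mounts).

```shell
#!/bin/sh
# Added example, not part of cis-puppet. Verifies hardening options on
# /tmp and /var/tmp from a /proc/mounts-style table passed as a string.
# Assumption: the table is passed as $1 in /proc/mounts format
# (device mountpoint fstype options dump pass).

REQUIRED="nodev noexec nosuid"

# mount_opts TABLE MOUNTPOINT -> option list of the last mount at that point, or ""
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }' | tail -n 1
}

# missing_opts TABLE MOUNTPOINT -> required options absent from that mount
missing_opts() {
    opts=$(mount_opts "$1" "$2")
    missing=""
    for o in $REQUIRED; do
        case ",$opts," in
            *,"$o",*) ;;                               # option present
            *) missing="$missing${missing:+ }$o" ;;    # option absent
        esac
    done
    printf '%s\n' "$missing"
}

# tmp_dirs_check TABLE -> "pass" if both /tmp and /var/tmp have all options
tmp_dirs_check() {
    for mp in /tmp /var/tmp; do
        if [ -n "$(missing_opts "$1" "$mp")" ]; then
            echo fail
            return
        fi
    done
    echo pass
}

# Constructed /proc/mounts excerpt: /tmp hardened, /var/tmp bound from it but
# with default options only, which is the state the issue describes.
TABLE_BEFORE='/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-tmp /var/tmp ext4 rw,relatime 0 0'

# Constructed state after: mount -o remount,bind,nodev,noexec,nosuid /var/tmp
TABLE_AFTER='/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-tmp /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg-tmp /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

echo "before remount: $(tmp_dirs_check "$TABLE_BEFORE") (missing on /var/tmp: $(missing_opts "$TABLE_BEFORE" /var/tmp))"
echo "after remount:  $(tmp_dirs_check "$TABLE_AFTER")"
```

Because the check reads the mount table rather than fstab, it reports the state the kernel actually enforces, which is the distinction that matters for a bind mount.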
Hi,
when I run your modules I am getting this error:
/bin/cat: /var/log/control_f0002: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0003: No such file or directory
And the .sh files are not placed in /usr/local/sbin, where the results are stored?
Please let me know.
Appreciate your help.
Thank You
Should be /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses.
Fixed in PR #28.
From the way I read it, those tests can never fail, since the COMMANDS variable is being set but the FILES variable is being tested.
Red Hat 7 has exec-shield enabled by default and removed the /proc entry. Quote from Red Hat:
Exec-shield is no longer an option in sysctl for kernel tuning.
This is a security measure, as documented in the RHEL 7 Security Guide.
source => $hardwaremode ? {
should be
source => $hardwaremodel ? {
Thanks for the great module!
With the CIS v2.1.1 for RHEL and CentOS specification, how would you like this structured within the repo? Much of the specification I'm writing will be able to reuse existing manifests, but more requirements have been added and existing requirements have been relabeled and enumerated differently in the newer specification version. While I wait to hear back I am creating a new directory with el7v2_1_1 as the name.
I did a minimal install of CentOS 6.5, added puppet 3.4.2, and cis. I get the following errors:
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
Warning: Variable access via 'ntpserver' is deprecated. Use '@ntpserver' instead. template[/etc/puppet/modules/cis/templates/el6/etc/ntp.conf.erb]:5
(at /etc/puppet/modules/cis/templates/el6/etc/ntp.conf.erb:5:in `result')
Warning: Variable access via 'logserver' is deprecated. Use '@logserver' instead. template[/etc/puppet/modules/cis/templates/el6/etc/rsyslog.conf.erb]:16
(at /etc/puppet/modules/cis/templates/el6/etc/rsyslog.conf.erb:16:in `result')
Notice: Compiled catalog for vmtest3.ats.msu.edu in environment production in 4.39 seconds
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0003: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
/bin/cat: /var/log/control_f0002: No such file or directory
Scripts cis/files/linuxcontrols/scripts/f000[23].sh send output to /var/log/control_f000[23] and it is checked in cis/lib/facter/f000[23].rb. The other scripts send pass/fail to standard out and check the results of the shell.
If I change f0002 and f0003 to behave like the other scripts it seems to work, so I don't understand why there is a difference.
Hi,
when I am using c0010.pp, where does the output go? I mean, where will the result of f000.sh be?
Please let me know.
not sure what Evidence of any suck unauthorized use collected during monitoring
means in the issue file
Find out how to properly handle grub config, possibly using facter.