diff --git a/files/awslinux/etc/audit/audit.rules.64 b/files/awslinux/etc/audit/audit.rules.64
new file mode 100644
index 0000000..b524602
--- /dev/null
+++ b/files/awslinux/etc/audit/audit.rules.64
@@ -0,0 +1,121 @@
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all
+-D
+
+# Increase the buffers to survive stress events.
+# Make this bigger for busy systems
+-b 320
+
+## Setting below is needed for CIS compliance
+## For 32-bit systems remove lines containing "b64"
+
+# CIS 5.2.4 Record Events That Modify Date and Time Information
+-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
+-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
+-a always,exit -F arch=b64 -S clock_settime -k time-change
+-a always,exit -F arch=b32 -S clock_settime -k time-change
+-w /etc/localtime -p wa -k time-change
+
+# CIS 5.2.5 Record Events That Modify User/Group Information
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# CIS 5.2.6 Record Events That Modify the System's Network Environment
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/sysconfig/network -p wa -k system-locale
+
+# CIS 5.2.7 Record Events That Modify the System's Mandatory Access Controls
+-w /etc/selinux/ -p wa -k MAC-policy
+
+# CIS 5.2.8 Collect Login and Logout Events
+-w /var/log/faillog -p wa -k logins
+-w /var/log/lastlog -p wa -k logins
+-w /var/log/tallylog -p -wa -k logins
+
+# CIS 5.2.9 Collect Session Initiation Information
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+
+# CIS 5.2.10 Collect Discretionary Access Control Permission Modification Events
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+
+# CIS 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+
+# CIS 5.2.12 Collect Use of Privileged Commands
+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/lockfile -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/sendmail.sendmail -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/usr/sbin/ccreds_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/cgexec -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/bin/cgclassify -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/sbin/netreport -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+-a always,exit -F path=/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
+
+# CIS 5.2.13 Collect Successful File System Mounts
+-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+
+# CIS 5.2.14 Collect File Deletion Events by User
+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+
+# CIS 5.2.15 Collect Changes to System Administration Scope (sudoers)
+-w /etc/sudoers -p wa -k scope
+
+# CIS 5.2.16 Collect System Administrator Actions (sudolog)
+-w /var/log/sudo.log -p wa -k actions
+
+# CIS 5.2.17 Collect Kernel Module Loading and Unloading
+-w /sbin/insmod -p x -k modules
+-w /sbin/rmmod -p x -k modules
+-w /sbin/modprobe -p x -k modules
+-a always,exit arch=b64 -S init_module -S delete_module -k modules
+
+# CIS 5.2.18 Make the Audit Configuration Immutable
+-e 2
+
+## (End of CIS compliance settings)
diff --git a/files/awslinux/etc/audit/auditd.conf b/files/awslinux/etc/audit/auditd.conf
new file mode 100644
index 0000000..0f99344
--- /dev/null
+++ b/files/awslinux/etc/audit/auditd.conf
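Review bot: Two rule lines in this hunk are not valid auditctl syntax: the tallylog watch has `-p -wa` (the permission letters take no leading dash) and the module-loading rule has `arch=b64` with no `-F` in front of it, so auditctl rejects both lines and, unless it is invoked with `-c`, stops loading at the first bad line, so the rules after it — including the `-e 2` that makes the configuration immutable — would not be applied. The corrected lines are `-w /var/log/tallylog -p wa -k logins` and `-a always,exit -F arch=b64 -S init_module -S delete_module -k modules`. Loading the file once with `auditctl -R` on a test instance and comparing `auditctl -l` against the file would catch this class of error before the image ships, since the immutable flag makes a partially loaded rule set hard to diagnose afterwards.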
@@ -0,0 +1,35 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 6
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = SYSLOG
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+##tcp_listen_port =
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
+
+# keep all audit logs
+max_log_file_action = keep_logs
diff --git a/files/awslinux/etc/bashrc b/files/awslinux/etc/bashrc
new file mode 100644
index 0000000..2305da5
--- /dev/null
+++ b/files/awslinux/etc/bashrc
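Review bot: `max_log_file_action` is set twice in this file, first to `ROTATE` and at the end to `keep_logs`; the second assignment is presumably meant to win, but that relies on the parser taking the last value and leaves a reader unsure which is intended, so the `ROTATE` line should be deleted rather than overridden. With `keep_logs` the audit partition will eventually fill, and `admin_space_left_action = SUSPEND` together with `disk_full_action = SUSPEND` then stops auditing silently while the host keeps running, which is the opposite of what the immutable `-e 2` in audit.rules.64 is trying to guarantee. If the CIS 5.2.1.x audit-daemon items of the same benchmark series are in scope, they call for `space_left_action = email` and `admin_space_left_action = halt`; whichever way that is decided, a comment on these lines recording the choice would help the next reviewer.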
@@ -0,0 +1,89 @@
+# /etc/bashrc
+
+# System wide functions and aliases
+# Environment stuff goes in /etc/profile
+
+# It's NOT a good idea to change this file unless you know what you
+# are doing. It's much better to create a custom.sh shell script in
+# /etc/profile.d/ to make custom changes to your environment, as this
+# will prevent the need for merging in future updates.
+
+# are we an interactive shell?
+if [ "$PS1" ]; then
+ if [ -z "$PROMPT_COMMAND" ]; then
+ case $TERM in
+ xterm*)
+ if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
+ else
+ PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
+ fi
+ ;;
+ screen)
+ if [ -e /etc/sysconfig/bash-prompt-screen ]; then
+ PROMPT_COMMAND=/etc/sysconfig/bash-prompt-screen
+ else
+ PROMPT_COMMAND='printf "\033]0;%s@%s:%s\033\\" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
+ fi
+ ;;
+ *)
+ [ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
+ ;;
+ esac
+ fi
+ # Turn on checkwinsize
+ shopt -s checkwinsize
+ [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "
+ # You might want to have e.g. tty in prompt (e.g. more virtual machines)
+ # and console windows
+ # If you want to do so, just add e.g.
+ # if [ "$PS1" ]; then
+ # PS1="[\u@\h:\l \W]\\$ "
+ # fi
+ # to your custom modification shell script in /etc/profile.d/ directory
+fi
+
+if ! shopt -q login_shell ; then # We're not a login shell
+ # Need to redefine pathmunge, it get's undefined at the end of /etc/profile
+ pathmunge () {
+ case ":${PATH}:" in
+ *:"$1":*)
+ ;;
+ *)
+ if [ "$2" = "after" ] ; then
+ PATH=$PATH:$1
+ else
+ PATH=$1:$PATH
+ fi
+ esac
+ }
+
+ # # By default, we want umask to get set. This sets it for non-login shell.
+ # # Current threshold for system reserved uid/gids is 200
+ # # You could check uidgid reservation validity in
+ # # /usr/share/doc/setup-*/uidgid file
+ # if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
+ # umask 002
+ # else
+ # umask 022
+ # fi
+
+ # CIS 7.4 Set Default umask for Users
+ umask 077
+
+ # Only display echos from profile.d scripts if we are no login shell
+ # and interactive - otherwise just process them to set envvars
+ for i in /etc/profile.d/*.sh; do
+ if [ -r "$i" ]; then
+ if [ "$PS1" ]; then
+ . "$i"
+ else
+ . "$i" >/dev/null 2>&1
+ fi
+ fi
+ done
+
+ unset i
+ unset pathmunge
+fi
+# vim:ts=4:sw=4
diff --git a/files/awslinux/etc/csh.cshrc b/files/awslinux/etc/csh.cshrc
new file mode 100644
index 0000000..f051532
--- /dev/null
+++ b/files/awslinux/etc/csh.cshrc
@@ -0,0 +1,75 @@
+# /etc/cshrc
+#
+# csh configuration for all shell invocations.
+
+# By default, we want this to get set.
+# Even for non-interactive, non-login shells.
+# Current threshold for system reserved uid/gids is 200
+# You could check uidgid reservation validity in
+# /usr/share/doc/setup-*/uidgid file
+# if ($uid > 199 && "`id -gn`" == "`id -un`") then
+# umask 002
+# else
+# umask 022
+# endif
+
+# CIS 7.4 Set Default umask for Users
+umask 077
+
+if ($?prompt) then
+ if ($?tcsh) then
+ set promptchars='$#'
+ set prompt='[%n@%m %c]%# '
+ # make completion work better by default
+ set autolist
+ else
+ set prompt=\[$user@`hostname -s`\]\$\ 
+ endif
+endif
+
+if ( $?tcsh ) then
+ bindkey "^[[3~" delete-char
+endif
+
+bindkey "^R" i-search-back
+set echo_style = both
+set histdup = erase
+set savehist = (1024 merge)
+
+if ($?prompt) then
+ if ($?TERM) then
+ switch($TERM)
+ case xterm*:
+ if ($?tcsh) then
+ set prompt='%{\033]0;%n@%m:%c\007%}[%n@%m %c]%# '
+ endif
+ breaksw
+ case screen:
+ if ($?tcsh) then
+ set prompt='%{\033_%n@%m:%c\033\\%}[%n@%m %c]%# '
+ endif
+ breaksw
+ default:
+ breaksw
+ endsw
+ endif
+endif
+
+setenv MAIL "/var/spool/mail/$USER"
+
+# Check if we aren't a loginshell and do stuff if we aren't
+if (! $?loginsh) then
+ if ( -d /etc/profile.d ) then
+ set nonomatch
+ foreach i ( /etc/profile.d/*.csh )
+ if ( -r "$i" ) then
+ if ($?prompt) then
+ source "$i"
+ else
+ source "$i" >&/dev/null
+ endif
+ endif
+ end
+ unset i nonomatch
+ endif
+endif
diff --git a/files/awslinux/etc/login.defs b/files/awslinux/etc/login.defs
new file mode 100644
index 0000000..f020bcd
--- /dev/null
+++ b/files/awslinux/etc/login.defs
@@ -0,0 +1,67 @@
+#
+# Please note that the parameters in this configuration file control the
+# behavior of the tools from the shadow-utils component. None of these
+# tools uses the PAM mechanism, and the utilities that use PAM (such as the
+# passwd command) should therefore be configured elsewhere. Refer to
+# /etc/pam.d/system-auth for more information.
+#
+
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+# QMAIL_DIR is for Qmail
+#
+#QMAIL_DIR Maildir
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 90
+PASS_MIN_DAYS 7
+PASS_MIN_LEN 5
+PASS_WARN_AGE 7
+
+#
+# Min/max values for automatic uid selection in useradd
+#
+UID_MIN 500
+UID_MAX 60000
+
+#
+# Min/max values for automatic gid selection in groupadd
+#
+GID_MIN 500
+GID_MAX 60000
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# If useradd should create home directories for users by default
+# On RH systems, we do. This option is overridden with the -m flag on
+# useradd command line.
+#
+CREATE_HOME yes
+
+# The permission mask is initialized to this value. If not specified,
+# the permission mask will be initialized to 022.
+UMASK 077
+
+# This enables userdel to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+# Use SHA512 to encrypt password.
+ENCRYPT_METHOD SHA512
+
+MD5_CRYPT_ENAB no
diff --git a/files/awslinux/etc/pam.d/su b/files/awslinux/etc/pam.d/su
new file mode 100644
index 0000000..1f6e35d
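Review bot: `PASS_MIN_LEN 5` is inconsistent with the `minlen=14` that `pam_cracklib.so` enforces in the `system-auth-ac` file added by the same commit; the header of this file says the shadow-utils tools do not go through PAM, so whatever path still consults this value gets a 5-character floor while the PAM path gets 14. Setting `PASS_MIN_LEN 14` keeps the two policies aligned and changes nothing for PAM callers. A one-line comment above the aging block naming the PAM file as the authoritative policy would also help, since the rest of the block (`PASS_MAX_DAYS 90`, `PASS_MIN_DAYS 7`, `PASS_WARN_AGE 7`) is what the benchmark prescribes and is easy to mistake for the complete password policy.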
--- /dev/null
+++ b/files/awslinux/etc/pam.d/su
@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth sufficient pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth sufficient pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+auth required pam_wheel.so use_uid
+auth substack system-auth
+auth include postlogin
+account sufficient pam_succeed_if.so uid = 0 use_uid quiet
+account include system-auth
+password include system-auth
+session include system-auth
+session include postlogin
+session optional pam_xauth.so
diff --git a/files/awslinux/etc/pam.d/system-auth-ac b/files/awslinux/etc/pam.d/system-auth-ac
new file mode 100644
index 0000000..343801e
--- /dev/null
+++ b/files/awslinux/etc/pam.d/system-auth-ac
@@ -0,0 +1,21 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth sufficient pam_unix.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth required pam_deny.so
+
+account required pam_unix.so
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account required pam_permit.so
+
+password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
+password sufficient pam_unix.so remember=5 sha512 shadow nullok try_first_pass use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
diff --git a/files/awslinux/etc/profile b/files/awslinux/etc/profile
new file mode 100644
index 0000000..f979ba8
--- /dev/null
+++ b/files/awslinux/etc/profile
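Review bot: `auth required pam_wheel.so use_uid` makes membership of the `wheel` group (no `group=` option, so the module default) a hard requirement for every non-root `su`, and nothing else in this commit adds an account to that group; on an image built from these files the only principal that can still `su` is root itself via `pam_rootok.so`. That is the intended hardening, but it is easy to lock out operators by accident, so the line should carry a comment stating the operational requirement, e.g. `# Only members of wheel may su; add administrative users to wheel (or rely on sudo) before deploying this file.`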
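Review bot: `nullok` on both the `auth` and the `password` `pam_unix.so` lines lets an account with an empty password field log in and keep its empty password, which works against `PermitEmptyPasswords no` in sshd_config and the empty-password check in cis-9.2.1.sh elsewhere in this commit. Dropping it gives `auth sufficient pam_unix.so try_first_pass` and `password sufficient pam_unix.so remember=5 sha512 shadow try_first_pass use_authtok`. Two further things a reader of this file should be told: the header states that authconfig regenerates it, so the pam_cracklib parameters on the password line disappear the next time authconfig runs unless the same settings are applied again afterwards, and there is no failed-login lockout module (pam_faillock or pam_tally2) in the auth stack, which the lockout item of the same benchmark section normally requires — if that is deliberate, say so in a comment.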
@@ -0,0 +1,81 @@
+# /etc/profile
+
+# System wide environment and startup programs, for login setup
+# Functions and aliases go in /etc/bashrc
+
+# It's NOT a good idea to change this file unless you know what you
+# are doing. It's much better to create a custom.sh shell script in
+# /etc/profile.d/ to make custom changes to your environment, as this
+# will prevent the need for merging in future updates.
+
+pathmunge () {
+ case ":${PATH}:" in
+ *:"$1":*)
+ ;;
+ *)
+ if [ "$2" = "after" ] ; then
+ PATH=$PATH:$1
+ else
+ PATH=$1:$PATH
+ fi
+ esac
+}
+
+
+if [ -x /usr/bin/id ]; then
+ if [ -z "$EUID" ]; then
+ # ksh workaround
+ EUID=`id -u`
+ UID=`id -ru`
+ fi
+ USER="`id -un`"
+ LOGNAME=$USER
+ MAIL="/var/spool/mail/$USER"
+fi
+
+# Path manipulation
+if [ "$EUID" = "0" ]; then
+ pathmunge /sbin
+ pathmunge /usr/sbin
+ pathmunge /usr/local/sbin
+else
+ pathmunge /usr/local/sbin after
+ pathmunge /usr/sbin after
+ pathmunge /sbin after
+fi
+
+HOSTNAME=`/bin/hostname 2>/dev/null`
+HISTSIZE=1000
+if [ "$HISTCONTROL" = "ignorespace" ] ; then
+ export HISTCONTROL=ignoreboth
+else
+ export HISTCONTROL=ignoredups
+fi
+
+export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL
+
+# # By default, we want umask to get set. This sets it for login shell
+# # Current threshold for system reserved uid/gids is 200
+# # You could check uidgid reservation validity in
+# # /usr/share/doc/setup-*/uidgid file
+# if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
+# umask 002
+# else
+# umask 022
+# fi
+
+# CIS 7.4 Set Default umask for Users
+umask 077
+
+for i in /etc/profile.d/*.sh ; do
+ if [ -r "$i" ]; then
+ if [ "${-#*i}" != "$-" ]; then
+ . "$i"
+ else
+ . "$i" >/dev/null 2>&1
+ fi
+ fi
+done
+
+unset i
+unset -f pathmunge
diff --git a/files/awslinux/etc/ssh/sshd_config b/files/awslinux/etc/ssh/sshd_config
new file mode 100644
index 0000000..17aef34
--- /dev/null
+++ b/files/awslinux/etc/ssh/sshd_config
@@ -0,0 +1,185 @@
+# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+# CIS 6.2.1 Set SSH Protocol to 2
+Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+
+# CIS 6.2.2 Set LogLevel to INFO
+LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+
+# CIS 6.2.8 Disable SSH Root Login
+PermitRootLogin no
+
+# Only allow root to run commands over ssh, no shell
+# PermitRootLogin forced-commands-only
+#StrictModes yes
+
+# CIS 6.2.5 Set SSH MaxAuthTries to 4 or Less
+MaxAuthTries 4
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+
+# similar for protocol version 2
+# CIS 6.2.7 Set SSH HostbasedAuthentication to No
+HostbasedAuthentication no
+
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+
+# CIS 6.2.6 Set SSH IgnoreRhosts to Yes
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+
+# 6.2.9 Set SSH PermitEmptyPasswords to No
+PermitEmptyPasswords no
+
+# EC2 uses keys for remote access
+PasswordAuthentication no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
+#UsePAM no
+# Leaving enabled as described so that account and session checks are run
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+
+# CIS 6.2.4 Disable SSH X11 Forwarding
+X11Forwarding no
+
+# X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PrintMotd yes
+# Explicitly enable
+PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox # Default for new installations.
+
+# 6.2.10 Do Not Allow Users to Set Environment Options
+PermitUserEnvironment no
+
+# CIS 6.2.12 Set Idle Timeout Interval for User Login
+ClientAliveInterval 300
+ClientAliveCountMax 0
+
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+# Uncomment this if you want to use .local domain
+#Host *.local
+# CheckHostIP no
+
+# CIS 6.2.11 Use Only Approved Cipher in Counter Mode
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# ForceCommand cvs server
+
diff --git a/files/awslinux/etc/sysconfig/authconfig b/files/awslinux/etc/sysconfig/authconfig
new file mode 100644
index 0000000..dae00f3
--- /dev/null
+++ b/files/awslinux/etc/sysconfig/authconfig
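Review bot: This file annotates CIS items 6.2.1 through 6.2.12 but leaves `#Banner none` commented and sets no `AllowUsers`/`AllowGroups`, so the two remaining items of that series — limiting which accounts may authenticate, and a pre-login banner — are not covered; if they are deliberately out of scope for an EC2 image, a comment next to `#Banner none` saying so would stop the next reader from treating it as an omission. `ClientAliveCountMax 0` with `ClientAliveInterval 300` is what the benchmark text of this era prescribes, but as far as I know OpenSSH 8.2 and later treat a count of 0 as disabling the liveness disconnect altogether, so the value should be re-checked against sshd_config(5) if this file is ever reused on a newer release; `ClientAliveCountMax 1` gives the intended 5-minute disconnect on both old and new versions. All `HostKey` lines are commented, so sshd falls back to its compiled-in defaults, which on this OpenSSH version include a DSA host key; listing the keys explicitly would make that choice visible.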
@@ -0,0 +1,26 @@
+IPADOMAINJOINED=no
+USEMKHOMEDIR=no
+USEPAMACCESS=no
+CACHECREDENTIALS=yes
+USESSSDAUTH=no
+USESHADOW=yes
+USEWINBIND=no
+USESSSD=no
+PASSWDALGORITHM=sha512
+FORCELEGACY=no
+USEFPRINTD=no
+USEHESIOD=no
+FORCESMARTCARD=no
+USELDAPAUTH=no
+IPAV2NONTP=no
+USELDAP=no
+USECRACKLIB=yes
+USEIPAV2=no
+USEWINBINDAUTH=no
+USESMARTCARD=no
+USELOCAUTHORIZE=yes
+USENIS=no
+USEKERBEROS=no
+USESYSNETAUTH=no
+USEDB=no
+USEPASSWDQC=no
diff --git a/files/awslinux/scripts/cis-5.2.12.sh b/files/awslinux/scripts/cis-5.2.12.sh
new file mode 100644
index 0000000..d457b95
--- /dev/null
+++ b/files/awslinux/scripts/cis-5.2.12.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+function check_system {
+
+ # CIS 5.2.12 - audit command
+ # /bin/find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | /bin/awk '{print \
+ # "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 \
+ # -k privileged" }'
+
+ /bin/find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | while read line
+ do
+ /bin/grep -P "${line}.+privileged" /etc/audit/audit.rules >/dev/null
+
+ if [[ $? -ne 0 ]]
+ then
+ echo $line
+ break
+ fi
+ done
+
+}
+
+result=$(check_system)
+
+if [[ -z $result ]]
+then
+ echo "cis_5_2_12=pass"
+else
+ echo "cis_5_2_12=fail"
+fi
diff --git a/files/awslinux/scripts/cis-7.2.sh b/files/awslinux/scripts/cis-7.2.sh
new file mode 100644
index 0000000..9b91700
--- /dev/null
+++ b/files/awslinux/scripts/cis-7.2.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+function check_system {
+ /bin/egrep -v "^\+" /etc/passwd | /bin/awk -F: \
+ '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<500 && $7!="/sbin/nologin") {print}'
+}
+
+result=$(check_system)
+
+if [[ -z $result ]]
+then
+ echo "cis_7_2=pass"
+else
+ echo "cis_7_2=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.1.sh b/files/awslinux/scripts/cis-9.2.1.sh
new file mode 100644
index 0000000..07d8ad6
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.1.sh
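Review bot: `/bin/grep -P "${line}.+privileged"` interpolates a filesystem path into a PCRE, so every `.` in a path (`/usr/sbin/sendmail.sendmail` in the shipped rules, for instance) is a wildcard and a path containing `+`, `(` or `[` would make the pattern invalid and the grep fail; a fixed-string match on the rule fragment is what is wanted, e.g. `/bin/grep -F -q -- "-F path=${line} -F perm=x" /etc/audit/audit.rules`. The `break` only leaves the `while` loop, which runs in a pipeline subshell, so the first unmatched path is the only one reported; that is fine for a pass/fail result but deserves a comment such as `# first missing rule is enough to fail the check`. The rules file added by this commit is `audit.rules.64` while the check reads `/etc/audit/audit.rules`; presumably the image installs it under that name, otherwise this check fails on every host.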
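Review bot: The pass/fail decision here, and in every other `cis-*.sh` script in this commit, treats empty output from the check as a pass, so a failure of the check itself — a missing binary, `cat` or `grep` denied permission, a typo in the pipeline — is reported as `cis_7_2=pass`; cis-9.2.1.sh is the clearest case, since reading `/etc/shadow` as an unprivileged user prints an error to stderr and then reports pass. A fail-closed shape is `set -o pipefail` at the top of the script and `result=$(check_system) || { echo "cis_7_2=fail"; exit 1; }`, with the scripts whose pass path is a non-zero `grep` status (cis-9.2.2, 9.2.3, 9.2.4 and 9.2.5) handling that status explicitly instead of via `$?`. The awk condition only excludes `/sbin/nologin` as a shell, so system accounts set to `/bin/false` or `/sbin/halt` are reported; that matches the benchmark's own audit command, so a comment saying so is enough.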
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+result=$(/bin/cat /etc/shadow | /bin/awk -F: '($2 == "" ) { print $1 " does not have a password "}')
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_1=pass"
+else
+ echo "cis_9_2_1=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.10.sh b/files/awslinux/scripts/cis-9.2.10.sh
new file mode 100644
index 0000000..0f4f3af
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.10.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+function check_path {
+ for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|sync|halt|shutdown)' | \
+ /bin/awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
+ for file in $dir/.rhosts; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ echo ".rhosts file in $dir"
+ fi
+ done
+ done
+}
+
+result=$(check_path)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_10=pass"
+else
+ echo "cis_9_2_10=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.11.sh b/files/awslinux/scripts/cis-9.2.11.sh
new file mode 100644
index 0000000..f7a856d
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.11.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+function check_path {
+ for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
+ grep -q -P "^.*?:x:$i:" /etc/group
+ if [ $? -ne 0 ]; then
+ echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
+ fi
+ done
+}
+
+result=$(check_path)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_11=pass"
+else
+ echo "cis_9_2_11=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.12.sh b/files/awslinux/scripts/cis-9.2.12.sh
new file mode 100644
index 0000000..727cb02
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.12.sh
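Review bot: `/bin/egrep -v '(root|sync|halt|shutdown)'` is unanchored and runs against the whole passwd line, so any account whose login, GECOS or home path merely contains one of those strings (a `chroot` service account, "Halt" in a comment field) is silently skipped by the .rhosts check. Filtering on the login field in awk is precise and removes a process: `/bin/awk -F: '($1 != "root" && $1 != "sync" && $1 != "halt" && $1 != "shutdown" && $7 != "/sbin/nologin") { print $6 }' /etc/passwd`. The unquoted command substitution in `for dir in` also word-splits home directories that contain spaces, which the quoted `"$file"` later in the loop suggests was not intended.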
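Review bot: `grep -q -P "^.*?:x:$i:"` assumes the group password field is literally `x`; on a host where a group line carries an empty or `!` password field, that group is reported as missing although it exists, and the script fails for the wrong reason. Matching the GID column positionally avoids the assumption and drops the PCRE dependency: `grep -q -E "^[^:]*:[^:]*:$i:" /etc/group`. The loop variable always comes from `cut -s -d: -f4`, so it is numeric and safe to interpolate into the pattern.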
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+function check_path {
+/bin/cat /etc/passwd | /bin/awk -F: '{ print $1 " " $3 " " $6 }' | while read user uid dir; do
+ if [ $uid -ge 1000 -a ! -d "$dir" -a $user != "nfsnobody" ]; then
+ echo "The home directory ($dir) of user $user does not exist."
+ fi
+done
+}
+
+result=$(check_path)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_12=pass"
+else
+ echo "cis_9_2_12=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.13.sh b/files/awslinux/scripts/cis-9.2.13.sh
new file mode 100644
index 0000000..a0d8ab6
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.13.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+function check_path {
+ /bin/cat /etc/passwd | /bin/awk -F: '{ print $1 " " $3 " " $6 }' | while read user uid dir; do
+ if [ $uid -ge 1000 -a -d "$dir" -a $user != "nfsnobody" ]; then
+ owner=$(/usr/bin/stat -L -c "%U" "$dir")
+ if [ "$owner" != "$user" ]; then
+ echo "The home directory ($dir) of user $user is owned by $owner."
+ fi
+ fi
+ done
+}
+
+result=$(check_path)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_13=pass"
+else
+ echo "cis_9_2_13=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.14.sh b/files/awslinux/scripts/cis-9.2.14.sh
new file mode 100644
index 0000000..9156171
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.14.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+function check_path {
+ /bin/cat /etc/passwd | /bin/cut -f3 -d":" | /bin/sort -n | /usr/bin/uniq -c | \
+ while read x ; do
+ [ -z "${x}" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ users=`/bin/gawk -F: '($3 == n) { print $1 }' n=$2 \
+ /etc/passwd | /usr/bin/xargs`
+ echo "Duplicate UID ($2): ${users}"
+ fi
+ done
+}
+
+result=$(check_path)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_14=pass"
+else
+ echo "cis_9_2_14=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.15.sh b/files/awslinux/scripts/cis-9.2.15.sh
new file mode 100644
index 0000000..4e8d960
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.15.sh
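Review bot: `$uid -ge 1000` draws the regular-user boundary differently from the rest of this commit, which consistently uses 500 (`UID_MIN 500` in login.defs, `auid>=500` in audit.rules.64, `$3<500` in cis-7.2.sh, `$3 < 500` in cis-9.2.16.sh), so accounts with UIDs 500–999 are never checked for a missing home directory; cis-9.2.13.sh in the same commit has the same `-ge 1000` test. Either change both to `$uid -ge 500` or read the value from login.defs, e.g. `uid_min=$(/bin/awk '/^UID_MIN/ { print $2 }' /etc/login.defs)`, so the threshold cannot drift between files. `$uid` and `$user` are unquoted inside `[ ... ]`, so a malformed passwd line turns into a test(1) usage error instead of a reported finding.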
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+function check_system {
+ /bin/cat /etc/group | /bin/cut -f3 -d":" | /bin/sort -n | /usr/bin/uniq -c | \
+ while read x ; do
+ [ -z "${x}" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ grps=`/bin/gawk -F: '($3 == n) { print $1 }' n=$2 \
+ /etc/group | xargs`
+ echo "Duplicate GID ($2): ${grps}"
+ fi
+ done
+}
+
+result=$(check_system)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_15=pass"
+else
+ echo "cis_9_2_15=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.16.sh b/files/awslinux/scripts/cis-9.2.16.sh
new file mode 100644
index 0000000..a56425b
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.16.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+function check_system {
+
+# NOTE: included puppet as a system user
+defUsers="root bin daemon adm lp sync shutdown halt mail news uucp operator games
+gopher ftp nobody nscd vcsa rpc mailnull smmsp pcap ntp dbus avahi sshd rpcuser
+nfsnobody haldaemon avahi-autoipd distcache apache oprofile webalizer dovecot squid
+named xfs gdm sabayon usbmuxd rtkit abrt saslauth pulse postfix tcpdump puppet"
+
+ /bin/cat /etc/passwd | \
+ /bin/awk -F: '($3 < 500) { print $1" "$3 }' | \
+ while read user uid; do
+ found=0
+ for tUser in ${defUsers}
+ do
+ if [ ${user} = ${tUser} ]; then
+ found=1
+ fi
+ done
+ if [ $found -eq 0 ]; then
+ echo "User $user has a reserved UID ($uid)."
+ fi
+ done
+}
+
+result=$(check_system)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_16=pass"
+else
+ echo "cis_9_2_16=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.17.sh b/files/awslinux/scripts/cis-9.2.17.sh
new file mode 100644
index 0000000..bbd3754
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.17.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+function check_system {
+ /bin/cat /etc/passwd | /bin/cut -f1 -d":" | /bin/sort -n | /usr/bin/uniq -c | \
+ while read x ; do
+ [ -z "${x}" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ uids=`/bin/gawk -F: '($1 == n) { print $3 }' n=$2 \
+ /etc/passwd | /usr/bin/xargs`
+ echo "Duplicate User Name ($2): ${uids}"
+ fi
+ done
+}
+
+result=$(check_system)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_17=pass"
+else
+ echo "cis_9_2_17=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.18.sh b/files/awslinux/scripts/cis-9.2.18.sh
new file mode 100644
index 0000000..51da01e
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.18.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+function check_system {
+ /bin/cat /etc/group | /bin/cut -f1 -d":" | /bin/sort -n | /usr/bin/uniq -c |\
+ while read x ; do
+ [ -z "${x}" ] && break
+ set - $x
+ if [ $1 -gt 1 ]; then
+ gids=`/bin/gawk -F: '($1 == n) { print $3 }' n=$2 \
+ /etc/group | /usr/bin/xargs`
+ echo "Duplicate Group Name ($2): ${gids}"
+ fi
+ done
+}
+
+result=$(check_system)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_18=pass"
+else
+ echo "cis_9_2_18=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.19.sh b/files/awslinux/scripts/cis-9.2.19.sh
new file mode 100644
index 0000000..e8ff3a1
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.19.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+function check_system {
+ for dir in `/bin/cat /etc/passwd |\
+ /bin/awk -F: '{ print $6 }'`; do
+ if [ ! -h "$dir/.netrc" -a -f "$dir/.netrc" ]; then
+ echo ".netrc file $dir/.netrc exists"
+ fi
+ done
+}
+
+result=$(check_system)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_19=pass"
+else
+ echo "cis_9_2_19=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.2.sh b/files/awslinux/scripts/cis-9.2.2.sh
new file mode 100644
index 0000000..b53d773
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.2.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+result=$(/bin/grep '^+:' /etc/passwd)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_2=pass"
+else
+ echo "cis_9_2_2=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.20.sh b/files/awslinux/scripts/cis-9.2.20.sh
new file mode 100644
index 0000000..5258c44
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.20.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+function check_system {
+ for dir in `/bin/cat /etc/passwd |\
+ /bin/awk -F: '{ print $6 }'`; do
+ if [ ! -h "$dir/.forward" -a -f "$dir/.forward" ]; then
+ echo ".forward file $dir/.forward exists"
+ fi
+ done
+}
+
+result=$(check_system)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_20=pass"
+else
+ echo "cis_9_2_20=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.3.sh b/files/awslinux/scripts/cis-9.2.3.sh
new file mode 100644
index 0000000..289cbb9
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.3.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+result=$(/bin/grep '^+:' /etc/shadow)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_3=pass"
+else
+ echo "cis_9_2_3=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.4.sh b/files/awslinux/scripts/cis-9.2.4.sh
new file mode 100644
index 0000000..4908904
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.4.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+result=$(/bin/grep '^+:' /etc/group)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_4=pass"
+else
+ echo "cis_9_2_4=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.5.sh b/files/awslinux/scripts/cis-9.2.5.sh
new file mode 100644
index 0000000..7c4aa95
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.5.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+result=$(/bin/cat /etc/passwd | /bin/awk -F: '($3 == 0) { print $1 }' | /bin/grep -v root)
+
+if [[ $? -ne 0 ]]
+then
+ echo "cis_9_2_5=pass"
+else
+ echo "cis_9_2_5=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.6.sh b/files/awslinux/scripts/cis-9.2.6.sh
new file mode 100644
index 0000000..3d411a0
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.6.sh
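Review bot: In cis-9.2.5, `/bin/grep -v root` at the end of `result=$(/bin/cat /etc/passwd | /bin/awk -F: '($3 == 0) { print $1 }' | /bin/grep -v root)` removes every UID-0 account whose name merely contains `root`, so such an extra UID-0 account is filtered out and the script reports `cis_9_2_5=pass`. Do the exclusion exactly, in awk: `result=$(/bin/awk -F: '($3 == 0 && $1 != "root") { print $1 }' /etc/passwd)`, and then decide with `if [[ -z $result ]]` as cis-9.2.2 through cis-9.2.4 do — with the awk form the current `if [[ $? -ne 0 ]]` would always see exit status 0 and always print `fail`, so the two lines have to change together. The pipeline-status test is also the only place in this change where the pass/fail decision is not based on the captured output, which is worth unifying for its own sake.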
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+function check_path {
+ if [ "`echo $PATH | /bin/grep :: `" != "" ]; then
+ echo "Empty Directory in PATH (::)"
+ fi
+ if [ "`echo $PATH | /bin/grep :$`" != "" ]; then
+ echo "Trailing : in PATH"
+ fi
+
+ p=`echo $PATH | /bin/sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'`
+ set -- $p
+ while [ "$1" != "" ]; do
+ if [ "$1" = "." ]; then
+ echo "PATH contains ."
+ shift
+ continue
+ fi
+
+ if [ -d $1 ]; then
+ dirperm=`/bin/ls -ldH $1 | /bin/cut -f1 -d" "`
+ if [ `echo $dirperm | /bin/cut -c6 ` != "-" ]; then
+ echo "Group Write permission set on directory $1"
+ fi
+ if [ `echo $dirperm | /bin/cut -c9 ` != "-" ]; then
+ echo "Other Write permission set on directory $1"
+ fi
+ dirown=`ls -ldH $1 | awk '{print $3}'`
+ if [ "$dirown" != "root" ] ; then
+ echo $1 is not owned by root
+ fi
+ else
+ echo $1 is not a directory
+ fi
+ shift
+ done
+}
+
+result=$(check_path)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_6=pass"
+else
+ echo "cis_9_2_6=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.7.sh b/files/awslinux/scripts/cis-9.2.7.sh
new file mode 100644
index 0000000..18ac105
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.7.sh
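Review bot: `dirown=\`ls -ldH $1 | awk '{print $3}'\`` uses bare `ls` and `awk` while every other command in this script is given by absolute path — in a script whose whole purpose is to distrust `$PATH`, that is the one place where it must not be relied on; `/bin/ls` and `/bin/awk` match the rest of the file. Both that line and `dirperm=\`/bin/ls -ldH $1 | /bin/cut -f1 -d" "\`` parse `ls` output to recover mode and owner; `stat -c '%a %U' "$1"` gives both directly and is not sensitive to locale or aliases. `/bin/sed -e 's/::/:/'` collapses only the first `::`, so a PATH with two empty entries still hands one to the `-d` test; `s/::/:/g` is what is meant. Finally, the `$PATH` examined is that of whatever launches the script (presumably a puppet exec), not root's login environment, which is worth stating in a comment at the top of `check_path` so the result is not over-read.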
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+function check_path {
+ for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|halt|sync|shutdown)' |\
+ /bin/awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do # removed $8 == "PS" &&
+ dirperm=`/bin/ls -ld $dir | /bin/cut -f1 -d" "`
+ if [ `echo $dirperm | /bin/cut -c6 ` != "-" ]; then
+ echo "Group Write permission set on directory $dir"
+ fi
+ if [ `echo $dirperm | /bin/cut -c8 ` != "-" ]; then
+ echo "Other Read permission set on directory $dir"
+ fi
+ if [ `echo $dirperm | /bin/cut -c9 ` != "-" ]; then
+ echo "Other Write permission set on directory $dir"
+ fi
+ if [ `echo $dirperm | /bin/cut -c10 ` != "-" ]; then
+ echo "Other Execute permission set on directory $dir"
+ fi
+ done
+}
+
+result=$(check_path)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_7=pass"
+else
+ echo "cis_9_2_7=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.8.sh b/files/awslinux/scripts/cis-9.2.8.sh
new file mode 100644
index 0000000..b72c504
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.8.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+function check_path {
+ for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|sync|halt|shutdown)' | \
+ /bin/awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
+ for file in $dir/.[A-Za-z0-9]*; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=`/bin/ls -ld $file | /bin/cut -f1 -d" "`
+ if [ `echo $fileperm | /bin/cut -c6 ` != "-" ]; then
+ echo "Group Write permission set on file $file"
+ fi
+ if [ `echo $fileperm | /bin/cut -c9 ` != "-" ]; then
+ echo "Other Write permission set on file $file"
+ fi
+ fi
+ done
+ done
+}
+
+result=$(check_path)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_8=pass"
+else
+ echo "cis_9_2_8=fail"
+fi
diff --git a/files/awslinux/scripts/cis-9.2.9.sh b/files/awslinux/scripts/cis-9.2.9.sh
new file mode 100644
index 0000000..e7b9ed4
--- /dev/null
+++ b/files/awslinux/scripts/cis-9.2.9.sh
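Review bot: `/bin/egrep -v '(root|halt|sync|shutdown)'` drops every passwd line that contains one of those words anywhere — user name, GECOS text or home path — so an ordinary account whose description or home directory happens to contain `sync` or `root` is never inspected and the script prints `cis_9_2_7=pass` regardless of its directory mode. Anchor the filter on the name field: `/bin/egrep -v '^(root|halt|sync|shutdown):'`. The same unanchored pattern is in cis-9.2.8 and cis-9.2.9. Separately, when a listed home directory does not exist `/bin/ls -ld $dir` fails, `dirperm` is empty, and `if [ \`echo $dirperm | /bin/cut -c6 \` != "-" ]; then` errors to stderr instead of reporting the missing directory on stdout, where the pass/fail test would see it; a `[ -d "$dir" ] || { echo "home directory $dir missing"; continue; }` before the `ls` closes that hole. The trailing `# removed $8 == "PS" &&` on the `for` line reads as leftover editing history and should go.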
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+function check_path {
+ for dir in `/bin/cat /etc/passwd | /bin/egrep -v '(root|sync|halt|shutdown)' | \
+ /bin/awk -F: '($7 != "/sbin/nologin") { print $6 }'`; do
+ for file in $dir/.netrc; do
+ if [ ! -h "$file" -a -f "$file" ]; then
+ fileperm=`/bin/ls -ld $file | /bin/cut -f1 -d" "`
+ if [ `echo $fileperm | /bin/cut -c5 ` != "-" ]
+ then
+ echo "Group Read set on $file"
+ fi
+ if [ `echo $fileperm | /bin/cut -c6 ` != "-" ]
+ then
+ echo "Group Write set on $file"
+ fi
+ if [ `echo $fileperm | /bin/cut -c7 ` != "-" ]
+ then
+ echo "Group Execute set on $file"
+ fi
+ if [ `echo $fileperm | /bin/cut -c8 ` != "-" ]
+ then
+ echo "Other Read set on $file"
+ fi
+ if [ `echo $fileperm | /bin/cut -c9 ` != "-" ]
+ then
+ echo "Other Write set on $file"
+ fi
+ if [ `echo $fileperm | /bin/cut -c10 ` != "-" ]
+ then
+ echo "Other Execute set on $file"
+ fi
+ fi
+ done
+ done
+}
+
+result=$(check_path)
+
+if [[ -z $result ]]
+then
+ echo "cis_9_2_9=pass"
+else
+ echo "cis_9_2_9=fail"
+fi
diff --git a/files/el6/etc/audit/audit.rules.64 b/files/el6/etc/audit/audit.rules.64
index 4bed421..da58f5d 100644
--- a/files/el6/etc/audit/audit.rules.64
+++ b/files/el6/etc/audit/audit.rules.64
@@ -12,18 +12,22 @@
 ## Setting below is needed for CIS compliance
 ## For 32-bit systems remove lines containing "b64"
+
+# CIS 5.2.4 Record Events That Modify Date and Time Information
 -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
 -a always,exit -F arch=b64 -S clock_settime -k time-change
 -a always,exit -F arch=b32 -S clock_settime -k time-change
 -w /etc/localtime -p wa -k time-change
+# CIS 5.2.5 Record Events That Modify User/Group Information
 -w /etc/group -p wa -k identity
 -w /etc/passwd -p wa -k identity
 -w /etc/gshadow -p wa -k identity
 -w /etc/shadow -p wa -k identity
 -w /etc/security/opasswd -p wa -k identity
+# CIS 5.2.6 Record Events That Modify the System's Network Environment
 -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
 -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
 -w /etc/issue -p wa -k system-locale
@@ -31,16 +35,20 @@
 -w /etc/hosts -p wa -k system-locale
 -w /etc/sysconfig/network -p wa -k system-locale
+# CIS 5.2.7 Record Events That Modify the System's Mandatory Access Controls
 -w /etc/selinux/ -p wa -k MAC-policy
+# CIS 5.2.8 Collect Login and Logout Events
 -w /var/log/faillog -p wa -k logins
 -w /var/log/lastlog -p wa -k logins
 -w /var/log/tallylog -p -wa -k logins
+# CIS 5.2.9 Collect Session Initiation Information
 -w /var/run/utmp -p wa -k session
 -w /var/log/wtmp -p wa -k session
 -w /var/log/btmp -p wa -k session
+# CIS 5.2.10 Collect Discretionary Access Control Permission Modification Events
 -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
 -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
 -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
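Review bot: The context line `-w /var/log/tallylog -p -wa -k logins`, which the second hunk now places directly under the new `# CIS 5.2.8 Collect Login and Logout Events` heading, is malformed: `-p` takes the permission letters as its argument, so auditctl sees `-wa` where it expects `wa` and rejects the rule. It should read `-w /var/log/tallylog -p wa -k logins`, matching the faillog and lastlog lines above it. Because `auditctl -R` by default stops at the first line it cannot load (unless `-c` is passed), a rejected rule here can keep every rule below it — including the `-e 2` at the end of the file — from being applied, so it is worth fixing in this change even though the line itself is untouched. The same typo appears in the new awslinux copy of this file added earlier in the diff.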
@@ -48,31 +56,33 @@
 -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
 -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+# CIS 5.2.11 Collect Unsuccessful Unauthorized Access Attempts to Files
 -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
 -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+# CIS 5.2.13 Collect Successful File System Mounts
 -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
 -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
+# CIS 5.2.14 Collect File Deletion Events by User
 -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+# CIS 5.2.15 Collect Changes to System Administration Scope (sudoers)
 -w /etc/sudoers -p wa -k scope
+# CIS 5.2.16 Collect System Administrator Actions (sudolog)
 -w /var/log/sudo.log -p wa -k actions
+# CIS 5.2.17 Collect Kernel Module Loading and Unloading
 -w /sbin/insmod -p x -k modules
 -w /sbin/rmmod -p x -k modules
 -w /sbin/modprobe -p x -k modules
 -a always,exit arch=b64 -S init_module -S delete_module -k modules
--w /sbin/insmod -p x -k modules
--w /sbin/rmmod -p x -k modules
--w /sbin/modprobe -p x -k modules
--a always,exit arch=b64 -S init_module -S delete_module -k modules
-
+# CIS 5.2.18 Make the Audit Configuration Immutable
 -e 2
 ## (End of CIS compliance settings)
diff --git a/manifests/awslinux.pp b/manifests/awslinux.pp
index b9d3217..39967ba 100644
--- a/manifests/awslinux.pp
+++ b/manifests/awslinux.pp
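Review bot: The surviving copy of `-a always,exit arch=b64 -S init_module -S delete_module -k modules`, kept as context under the new `# CIS 5.2.17 Collect Kernel Module Loading and Unloading` heading, lacks the `-F` in front of `arch=b64` that every other `-a` rule in this file carries; auditctl does not accept a bare `arch=b64` token, so the module-load syscall rule is rejected and, with the default stop-on-error loading, nothing after it — the `-e 2` immutability setting included — is applied. The commit removes the duplicate block but leaves the defect in the copy it keeps; it should be `-a always,exit -F arch=b64 -S init_module -S delete_module -k modules`. Unlike the other syscall rules it also has no `arch=b32` twin, which is acceptable in a `.64` file only if deliberate. The section headings jump from `5.2.11` to `5.2.13`; if 5.2.12 (presumably the privileged-commands item, whose rule list is host-specific) is intentionally handled elsewhere, a one-line comment at that spot, e.g. `# CIS 5.2.12 intentionally omitted: <reason placeholder>`, saves the next reader from hunting for it.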
@@ -70,93 +70,91 @@ include cis::awslinux::5_1_1 include cis::awslinux::5_1_2 include cis::awslinux::5_1_4 - # include cis::awslinux::5_1_5 - # include cis::awslinux::5_2_1_3 - # include cis::awslinux::5_2_2 - # include cis::awslinux::5_2_3 - # include cis::awslinux::5_2_4 - # include cis::awslinux::5_2_5 - # include cis::awslinux::5_2_6 - # include cis::awslinux::5_2_7 - # include cis::awslinux::5_2_8 - # include cis::awslinux::5_2_9 - # include cis::awslinux::5_2_10 - # include cis::awslinux::5_2_11 - # include cis::awslinux::5_2_12 - # include cis::awslinux::5_2_13 - # include cis::awslinux::5_2_14 - # include cis::awslinux::5_2_15 - # include cis::awslinux::5_2_16 - # include cis::awslinux::5_2_17 - # include cis::awslinux::5_2_18 - # include cis::awslinux::6_1_10 - # include cis::awslinux::6_1_11 - # include cis::awslinux::6_1_1 - # include cis::awslinux::6_1_2 - # include cis::awslinux::6_1_3 - # include cis::awslinux::6_1_4 - # include cis::awslinux::6_1_5 - # include cis::awslinux::6_1_6 - # include cis::awslinux::6_1_7 - # include cis::awslinux::6_1_8 - # include cis::awslinux::6_1_9 - # include cis::awslinux::6_2_10 - # include cis::awslinux::6_2_11 - # include cis::awslinux::6_2_12 + # include cis::awslinux::5_1_5 # 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host + include cis::awslinux::5_2_1_3 + include cis::awslinux::5_2_2 + include cis::awslinux::5_2_3 + include cis::awslinux::5_2_4 + include cis::awslinux::5_2_5 + include cis::awslinux::5_2_6 + include cis::awslinux::5_2_7 + include cis::awslinux::5_2_8 + include cis::awslinux::5_2_9 + include cis::awslinux::5_2_10 + include cis::awslinux::5_2_11 + include cis::awslinux::5_2_12 + include cis::awslinux::5_2_13 + include cis::awslinux::5_2_14 + include cis::awslinux::5_2_15 + include cis::awslinux::5_2_16 + include cis::awslinux::5_2_17 + include cis::awslinux::5_2_18 + include cis::awslinux::6_1_1 + include cis::awslinux::6_1_2 + include cis::awslinux::6_1_3 + include cis::awslinux::6_1_4 + 
include cis::awslinux::6_1_5 + include cis::awslinux::6_1_6 + include cis::awslinux::6_1_7 + include cis::awslinux::6_1_8 + include cis::awslinux::6_1_9 + include cis::awslinux::6_1_10 + include cis::awslinux::6_1_11 + include cis::awslinux::6_2_1 + include cis::awslinux::6_2_2 + include cis::awslinux::6_2_3 + include cis::awslinux::6_2_4 + include cis::awslinux::6_2_5 + include cis::awslinux::6_2_6 + include cis::awslinux::6_2_7 + include cis::awslinux::6_2_8 + include cis::awslinux::6_2_9 + include cis::awslinux::6_2_10 + include cis::awslinux::6_2_11 + include cis::awslinux::6_2_12 # include cis::awslinux::6_2_13 # include cis::awslinux::6_2_14 - # include cis::awslinux::6_2_1 - # include cis::awslinux::6_2_2 - # include cis::awslinux::6_2_3 - # include cis::awslinux::6_2_4 - # include cis::awslinux::6_2_5 - # include cis::awslinux::6_2_6 - # include cis::awslinux::6_2_7 - # include cis::awslinux::6_2_8 - # include cis::awslinux::6_2_9 - # include cis::awslinux::6_3_1 - # include cis::awslinux::6_3_2 - # include cis::awslinux::6_3_3 - # include cis::awslinux::6_3_6 - # include cis::awslinux::6_5 - # include cis::awslinux::7_1_1 + include cis::awslinux::6_3_1 + include cis::awslinux::6_3_2 + include cis::awslinux::6_3_4 + include cis::awslinux::6_5 + include cis::awslinux::7_1_1 # include cis::awslinux::7_1_2 - # include cis::awslinux::7_1_3 - # include cis::awslinux::7_2 - # include cis::awslinux::7_3 - # include cis::awslinux::7_4 - # include cis::awslinux::7_5 - # include cis::awslinux::8_1 - # include cis::awslinux::8_2 - # include cis::awslinux::9_1_11 - # include cis::awslinux::9_1_12 - # include cis::awslinux::9_1_2 - # include cis::awslinux::9_1_3 - # include cis::awslinux::9_1_4 - # include cis::awslinux::9_1_5 - # include cis::awslinux::9_1_6 - # include cis::awslinux::9_1_7 - # include cis::awslinux::9_1_8 - # include cis::awslinux::9_1_9 - # include cis::awslinux::9_2_10 - # include cis::awslinux::9_2_11 - # include cis::awslinux::9_2_12 - # include 
cis::awslinux::9_2_13 - # include cis::awslinux::9_2_14 - # include cis::awslinux::9_2_15 - # include cis::awslinux::9_2_16 - # include cis::awslinux::9_2_17 - # include cis::awslinux::9_2_18 - # include cis::awslinux::9_2_19 - # include cis::awslinux::9_2_1 - # include cis::awslinux::9_2_20 - # include cis::awslinux::9_2_21 - # include cis::awslinux::9_2_2 - # include cis::awslinux::9_2_3 - # include cis::awslinux::9_2_4 - # include cis::awslinux::9_2_5 - # include cis::awslinux::9_2_6 - # include cis::awslinux::9_2_7 - # include cis::awslinux::9_2_8 - # include cis::awslinux::9_2_9 + include cis::awslinux::7_1_3 + include cis::awslinux::7_2 + include cis::awslinux::7_3 + include cis::awslinux::7_4 + include cis::awslinux::7_5 + include cis::awslinux::8_1 + include cis::awslinux::8_2 + include cis::awslinux::9_1_2 + include cis::awslinux::9_1_3 + include cis::awslinux::9_1_4 + include cis::awslinux::9_1_5 + include cis::awslinux::9_1_6 + include cis::awslinux::9_1_7 + include cis::awslinux::9_1_8 + include cis::awslinux::9_1_9 + include cis::awslinux::9_1_11 + include cis::awslinux::9_1_12 + include cis::awslinux::9_2_1 + include cis::awslinux::9_2_2 + include cis::awslinux::9_2_3 + include cis::awslinux::9_2_4 + include cis::awslinux::9_2_5 + include cis::awslinux::9_2_6 + include cis::awslinux::9_2_7 + include cis::awslinux::9_2_8 + include cis::awslinux::9_2_9 + include cis::awslinux::9_2_10 + include cis::awslinux::9_2_11 + include cis::awslinux::9_2_12 + include cis::awslinux::9_2_13 + include cis::awslinux::9_2_14 + include cis::awslinux::9_2_15 + include cis::awslinux::9_2_16 + include cis::awslinux::9_2_17 + include cis::awslinux::9_2_18 + include cis::awslinux::9_2_19 + include cis::awslinux::9_2_20 } diff --git a/manifests/awslinux/5_1_1.pp b/manifests/awslinux/5_1_1.pp new file mode 100644 index 0000000..5ed6d83 --- /dev/null +++ b/manifests/awslinux/5_1_1.pp 
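Review bot: The includes that remain commented out — `# include cis::awslinux::6_2_13`, `# include cis::awslinux::6_2_14` and `# include cis::awslinux::7_1_2` — give no reason, whereas the new `# include cis::awslinux::5_1_5 # 5.1.5 Configure rsyslog to Send Logs to a Remote Log Host` explains itself. A trailing `# <reason placeholder>` on each of the other three would record whether it is a deliberate exception or unfinished work; the `7_1_2` class added later in this diff is itself a bare `# TODO`, which suggests the latter. Note also that `6_3_3`, `6_3_6` and `9_2_21` vanish from the list instead of staying commented, so a reader of the manifest alone cannot tell those controls were dropped on purpose.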
@@ -0,0 +1,8 @@ +# Class cis::awslinux::5_1_1 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_1_1 { + include cis::linuxcontrols::c0042 +} diff --git a/manifests/awslinux/5_1_2.pp b/manifests/awslinux/5_1_2.pp new file mode 100644 index 0000000..ace4bd2 --- /dev/null +++ b/manifests/awslinux/5_1_2.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_1_2 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_1_2 { + include cis::linuxcontrols::c0043 +} diff --git a/manifests/awslinux/5_1_4.pp b/manifests/awslinux/5_1_4.pp new file mode 100644 index 0000000..3b5be40 --- /dev/null +++ b/manifests/awslinux/5_1_4.pp @@ -0,0 +1,13 @@ +# Class cis::awslinux::5_1_4 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_1_4 { + include cis::linuxcontrols::c0044 + include cis::linuxcontrols::c0045 + include cis::linuxcontrols::c0046 + include cis::linuxcontrols::c0047 + include cis::linuxcontrols::c0048 + include cis::linuxcontrols::c0049 +} diff --git a/manifests/awslinux/5_1_5.pp b/manifests/awslinux/5_1_5.pp new file mode 100644 index 0000000..64f6abf --- /dev/null +++ b/manifests/awslinux/5_1_5.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_1_5 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_1_5 { + include cis::linuxcontrols::c0050 +} diff --git a/manifests/awslinux/5_2_10.pp b/manifests/awslinux/5_2_10.pp new file mode 100644 index 0000000..40f9aab --- /dev/null +++ b/manifests/awslinux/5_2_10.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_10 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_10 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/5_2_11.pp b/manifests/awslinux/5_2_11.pp new file mode 100644 index 0000000..0528a0e --- /dev/null +++ b/manifests/awslinux/5_2_11.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_11 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_11 { + include cis::linuxcontrols::c0053 +} 
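Review bot: Every class header added in this change reads `# CIS Security Benchmark for RHEL7`, yet the classes live under `cis::awslinux` and the `cis_9_2_*` scripts and `files/awslinux` paths target Amazon Linux, so the header names the wrong benchmark. State the benchmark actually implemented and the item, e.g. `# Class cis::awslinux::5_1_1` followed by `# <benchmark name/version placeholder>, item 5.1.1`, which also makes the item-to-control mapping below it auditable. This applies to all of the `manifests/awslinux/*.pp` files in the diff.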
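Review bot: `cis::awslinux::5_2_10` and `cis::awslinux::5_2_11` both consist solely of `include cis::linuxcontrols::c0053`, and 5_2_4 through 5_2_18 in the following files do the same, so thirteen benchmark items resolve to a single control; likewise 6_2_1 through 6_2_14 all include c0067/c0068/c0069, 6_1_10 and 6_1_11 share c0064–c0066, 6_3_2 and 6_3_4 share c0071, and 7_1_1 and 7_1_3 share c0073. Puppet de-duplicates includes, so this works, but from the per-item class nobody can tell whether the item is genuinely covered or merely pointed at the nearest control; a comment in each such stub, e.g. `# covered by c0053 (<what c0053 manages>)`, records that judgement. Where one control is reused for items with different scope (5_2_4 through 5_2_18, or 6_3_2 and 6_3_4) it is worth confirming the control really satisfies each item before the mapping is relied on for compliance reporting.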
diff --git a/manifests/awslinux/5_2_12.pp b/manifests/awslinux/5_2_12.pp new file mode 100644 index 0000000..855a265 --- /dev/null +++ b/manifests/awslinux/5_2_12.pp @@ -0,0 +1,9 @@ +# Class cis::awslinux::5_2_12 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_12 { + include cis::linuxcontrols::c0053 + include cis::linuxcontrols::c0054 +} diff --git a/manifests/awslinux/5_2_13.pp b/manifests/awslinux/5_2_13.pp new file mode 100644 index 0000000..af73167 --- /dev/null +++ b/manifests/awslinux/5_2_13.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_13 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_13 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/5_2_14.pp b/manifests/awslinux/5_2_14.pp new file mode 100644 index 0000000..10aa601 --- /dev/null +++ b/manifests/awslinux/5_2_14.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_14 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_14 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/5_2_15.pp b/manifests/awslinux/5_2_15.pp new file mode 100644 index 0000000..566e5d3 --- /dev/null +++ b/manifests/awslinux/5_2_15.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_15 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_15 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/5_2_16.pp b/manifests/awslinux/5_2_16.pp new file mode 100644 index 0000000..4c10e56 --- /dev/null +++ b/manifests/awslinux/5_2_16.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_16 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_16 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/5_2_17.pp b/manifests/awslinux/5_2_17.pp new file mode 100644 index 0000000..8e63850 --- /dev/null +++ b/manifests/awslinux/5_2_17.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_17 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_17 { + include cis::linuxcontrols::c0053 +} 
diff --git a/manifests/awslinux/5_2_18.pp b/manifests/awslinux/5_2_18.pp new file mode 100644 index 0000000..2b687fb --- /dev/null +++ b/manifests/awslinux/5_2_18.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_18 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_18 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/5_2_1_3.pp b/manifests/awslinux/5_2_1_3.pp new file mode 100644 index 0000000..f9d63ea --- /dev/null +++ b/manifests/awslinux/5_2_1_3.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_1_3 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_1_3 { + include cis::linuxcontrols::c0051 +} diff --git a/manifests/awslinux/5_2_2.pp b/manifests/awslinux/5_2_2.pp new file mode 100644 index 0000000..ce451fe --- /dev/null +++ b/manifests/awslinux/5_2_2.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_2 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_2 { + include cis::linuxcontrols::c0052 +} diff --git a/manifests/awslinux/5_2_3.pp b/manifests/awslinux/5_2_3.pp new file mode 100644 index 0000000..d543357 --- /dev/null +++ b/manifests/awslinux/5_2_3.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_3 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_3 { + include cis::linuxcontrols::c0006 +} diff --git a/manifests/awslinux/5_2_4.pp b/manifests/awslinux/5_2_4.pp new file mode 100644 index 0000000..56b31ae --- /dev/null +++ b/manifests/awslinux/5_2_4.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_4 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_4 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/5_2_5.pp b/manifests/awslinux/5_2_5.pp new file mode 100644 index 0000000..5ccdece --- /dev/null +++ b/manifests/awslinux/5_2_5.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_5 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_5 { + include cis::linuxcontrols::c0053 +} 
diff --git a/manifests/awslinux/5_2_6.pp b/manifests/awslinux/5_2_6.pp new file mode 100644 index 0000000..b5a8105 --- /dev/null +++ b/manifests/awslinux/5_2_6.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_6 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_6 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/5_2_7.pp b/manifests/awslinux/5_2_7.pp new file mode 100644 index 0000000..ad4e5d6 --- /dev/null +++ b/manifests/awslinux/5_2_7.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_7 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_7 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/5_2_8.pp b/manifests/awslinux/5_2_8.pp new file mode 100644 index 0000000..0ca8db0 --- /dev/null +++ b/manifests/awslinux/5_2_8.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_8 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_8 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/5_2_9.pp b/manifests/awslinux/5_2_9.pp new file mode 100644 index 0000000..5aba763 --- /dev/null +++ b/manifests/awslinux/5_2_9.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::5_2_9 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::5_2_9 { + include cis::linuxcontrols::c0053 +} diff --git a/manifests/awslinux/6_1_1.pp b/manifests/awslinux/6_1_1.pp new file mode 100644 index 0000000..b6916c6 --- /dev/null +++ b/manifests/awslinux/6_1_1.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::6_1_1 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_1_1 { + include cis::linuxcontrols::c0055 +} diff --git a/manifests/awslinux/6_1_10.pp b/manifests/awslinux/6_1_10.pp new file mode 100644 index 0000000..3dfb3ba --- /dev/null +++ b/manifests/awslinux/6_1_10.pp 
@@ -0,0 +1,9 @@ +# Class cis::awslinux::6_1_10 +# +# CIS Security Benchmark for RHEL7 +# +class cis::awslinux::6_1_10 { + include cis::linuxcontrols::c0064 + include cis::linuxcontrols::c0065 + include cis::linuxcontrols::c0066 +} diff --git a/manifests/awslinux/6_1_11.pp b/manifests/awslinux/6_1_11.pp new file mode 100644 index 0000000..8b6c649 --- /dev/null +++ b/manifests/awslinux/6_1_11.pp @@ -0,0 +1,10 @@ +# Class cis::awslinux::6_1_11 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_1_11 { + include cis::linuxcontrols::c0064 + include cis::linuxcontrols::c0065 + include cis::linuxcontrols::c0066 +} diff --git a/manifests/awslinux/6_1_2.pp b/manifests/awslinux/6_1_2.pp new file mode 100644 index 0000000..0b290ff --- /dev/null +++ b/manifests/awslinux/6_1_2.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::6_1_2 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_1_2 { + include cis::linuxcontrols::c0056 +} diff --git a/manifests/awslinux/6_1_3.pp b/manifests/awslinux/6_1_3.pp new file mode 100644 index 0000000..67f84dc --- /dev/null +++ b/manifests/awslinux/6_1_3.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::6_1_3 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_1_3 { + include cis::linuxcontrols::c0057 +} diff --git a/manifests/awslinux/6_1_4.pp b/manifests/awslinux/6_1_4.pp new file mode 100644 index 0000000..fab63e5 --- /dev/null +++ b/manifests/awslinux/6_1_4.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::6_1_4 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_1_4 { + include cis::linuxcontrols::c0058 +} diff --git a/manifests/awslinux/6_1_5.pp b/manifests/awslinux/6_1_5.pp new file mode 100644 index 0000000..ad2063a --- /dev/null +++ b/manifests/awslinux/6_1_5.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::6_1_5 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_1_5 { + include cis::linuxcontrols::c0059 +} 
diff --git a/manifests/awslinux/6_1_6.pp b/manifests/awslinux/6_1_6.pp new file mode 100644 index 0000000..2ac17e5 --- /dev/null +++ b/manifests/awslinux/6_1_6.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::6_1_6 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_1_6 { + include cis::linuxcontrols::c0060 +} diff --git a/manifests/awslinux/6_1_7.pp b/manifests/awslinux/6_1_7.pp new file mode 100644 index 0000000..b5e77fe --- /dev/null +++ b/manifests/awslinux/6_1_7.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::6_1_7 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_1_7 { + include cis::linuxcontrols::c0061 +} diff --git a/manifests/awslinux/6_1_8.pp b/manifests/awslinux/6_1_8.pp new file mode 100644 index 0000000..3dd7697 --- /dev/null +++ b/manifests/awslinux/6_1_8.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::6_1_8 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_1_8 { + include cis::linuxcontrols::c0062 +} diff --git a/manifests/awslinux/6_1_9.pp b/manifests/awslinux/6_1_9.pp new file mode 100644 index 0000000..c3a4db5 --- /dev/null +++ b/manifests/awslinux/6_1_9.pp @@ -0,0 +1,8 @@ +# Class cis::awslinux::6_1_9 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_1_9 { + include cis::linuxcontrols::c0063 +} diff --git a/manifests/awslinux/6_2_1.pp b/manifests/awslinux/6_2_1.pp new file mode 100644 index 0000000..7bf59f6 --- /dev/null +++ b/manifests/awslinux/6_2_1.pp @@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_1 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_1 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_10.pp b/manifests/awslinux/6_2_10.pp new file mode 100644 index 0000000..f874604 --- /dev/null +++ b/manifests/awslinux/6_2_10.pp 
@@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_10 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_10 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_11.pp b/manifests/awslinux/6_2_11.pp new file mode 100644 index 0000000..dd5db02 --- /dev/null +++ b/manifests/awslinux/6_2_11.pp @@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_11 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_11 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_12.pp b/manifests/awslinux/6_2_12.pp new file mode 100644 index 0000000..9d0ccb5 --- /dev/null +++ b/manifests/awslinux/6_2_12.pp @@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_12 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_12 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_13.pp b/manifests/awslinux/6_2_13.pp new file mode 100644 index 0000000..b3d01cb --- /dev/null +++ b/manifests/awslinux/6_2_13.pp @@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_13 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_13 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_14.pp b/manifests/awslinux/6_2_14.pp new file mode 100644 index 0000000..67359b0 --- /dev/null +++ b/manifests/awslinux/6_2_14.pp @@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_14 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_14 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_2.pp b/manifests/awslinux/6_2_2.pp new file mode 100644 index 0000000..ae70ab6 --- /dev/null +++ b/manifests/awslinux/6_2_2.pp 
@@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_2 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_2 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_3.pp b/manifests/awslinux/6_2_3.pp new file mode 100644 index 0000000..0c44833 --- /dev/null +++ b/manifests/awslinux/6_2_3.pp @@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_3 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_3 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_4.pp b/manifests/awslinux/6_2_4.pp new file mode 100644 index 0000000..2a82362 --- /dev/null +++ b/manifests/awslinux/6_2_4.pp @@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_4 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_4 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_5.pp b/manifests/awslinux/6_2_5.pp new file mode 100644 index 0000000..231a2cd --- /dev/null +++ b/manifests/awslinux/6_2_5.pp @@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_5 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_5 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_6.pp b/manifests/awslinux/6_2_6.pp new file mode 100644 index 0000000..0493a20 --- /dev/null +++ b/manifests/awslinux/6_2_6.pp @@ -0,0 +1,10 @@ +# Class cis::awslinux::6_2_6 +# +# CIS Security Benchmark for RHEL7 +# + +class cis::awslinux::6_2_6 { + include cis::linuxcontrols::c0067 + include cis::linuxcontrols::c0068 + include cis::linuxcontrols::c0069 +} diff --git a/manifests/awslinux/6_2_7.pp b/manifests/awslinux/6_2_7.pp new file mode 100644 index 0000000..968fed4 --- /dev/null +++ b/manifests/awslinux/6_2_7.pp 
@@ -0,0 +1,10 @@
+# Class cis::awslinux::6_2_7
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::6_2_7 {
+ include cis::linuxcontrols::c0067
+ include cis::linuxcontrols::c0068
+ include cis::linuxcontrols::c0069
+}
diff --git a/manifests/awslinux/6_2_8.pp b/manifests/awslinux/6_2_8.pp
new file mode 100644
index 0000000..cf97144
--- /dev/null
+++ b/manifests/awslinux/6_2_8.pp
@@ -0,0 +1,10 @@
+# Class cis::awslinux::6_2_8
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::6_2_8 {
+ include cis::linuxcontrols::c0067
+ include cis::linuxcontrols::c0068
+ include cis::linuxcontrols::c0069
+}
diff --git a/manifests/awslinux/6_2_9.pp b/manifests/awslinux/6_2_9.pp
new file mode 100644
index 0000000..98e4328
--- /dev/null
+++ b/manifests/awslinux/6_2_9.pp
@@ -0,0 +1,10 @@
+# Class cis::awslinux::6_2_9
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::6_2_9 {
+ include cis::linuxcontrols::c0067
+ include cis::linuxcontrols::c0068
+ include cis::linuxcontrols::c0069
+}
diff --git a/manifests/awslinux/6_3_1.pp b/manifests/awslinux/6_3_1.pp
new file mode 100644
index 0000000..838dc0b
--- /dev/null
+++ b/manifests/awslinux/6_3_1.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::6_3_1
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::6_3_1 {
+ include cis::linuxcontrols::c0070
+}
diff --git a/manifests/awslinux/6_3_2.pp b/manifests/awslinux/6_3_2.pp
new file mode 100644
index 0000000..79ae765
--- /dev/null
+++ b/manifests/awslinux/6_3_2.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::6_3_2
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::6_3_2 {
+ include cis::linuxcontrols::c0071
+}
diff --git a/manifests/awslinux/6_3_4.pp b/manifests/awslinux/6_3_4.pp
new file mode 100644
index 0000000..331b5f8
--- /dev/null
+++ b/manifests/awslinux/6_3_4.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::6_3_4
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::6_3_4 {
+ include cis::linuxcontrols::c0071
+}
diff --git a/manifests/awslinux/6_5.pp b/manifests/awslinux/6_5.pp
new file mode 100644
index 0000000..2929816
--- /dev/null
+++ b/manifests/awslinux/6_5.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::6_5
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::6_5 {
+ include cis::linuxcontrols::c0072
+}
diff --git a/manifests/awslinux/7_1_1.pp b/manifests/awslinux/7_1_1.pp
new file mode 100644
index 0000000..e76fa3d
--- /dev/null
+++ b/manifests/awslinux/7_1_1.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::7_1_1
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::7_1_1 {
+ include cis::linuxcontrols::c0073
+}
diff --git a/manifests/awslinux/7_1_2.pp b/manifests/awslinux/7_1_2.pp
new file mode 100644
index 0000000..74aff24
--- /dev/null
+++ b/manifests/awslinux/7_1_2.pp
@@ -0,0 +1,9 @@
+# Class cis::awslinux::7_1_2
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::7_1_2 {
+ # TODO
+ # include cis::linuxcontrols::c0073
+}
diff --git a/manifests/awslinux/7_1_3.pp b/manifests/awslinux/7_1_3.pp
new file mode 100644
index 0000000..72a48cf
--- /dev/null
+++ b/manifests/awslinux/7_1_3.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::7_1_3
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::7_1_3 {
+ include cis::linuxcontrols::c0073
+}
diff --git a/manifests/awslinux/7_2.pp b/manifests/awslinux/7_2.pp
new file mode 100644
index 0000000..813d7c3
--- /dev/null
+++ b/manifests/awslinux/7_2.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::7_2
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::7_2 {
+ include cis::linuxcontrols::c0074
+}
diff --git a/manifests/awslinux/7_3.pp b/manifests/awslinux/7_3.pp
new file mode 100644
index 0000000..33605a3
--- /dev/null
+++ b/manifests/awslinux/7_3.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::7_3
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::7_3 {
+ include cis::linuxcontrols::c0075
+}
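Review bot: `cis::awslinux::7_1_2` is an empty class — its only include is commented out under `# TODO` — so a node that includes it reports nothing while appearing to have that benchmark item covered. Until the control exists, make the gap visible in the run report, e.g. `notify { 'CIS 7.1.2 is not yet implemented for Amazon Linux': loglevel => warning }` inside the class body, or leave the class out so the omission is explicit in whatever aggregates these wrappers. Its neighbours 7_1_1 and 7_1_3 both map to c0073 (`/etc/login.defs`), so if 7.1.2 is also a login.defs setting it is probably already satisfied by that file and the TODO could be closed by including c0073 — worth confirming against the managed file rather than guessing.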
diff --git a/manifests/awslinux/7_4.pp b/manifests/awslinux/7_4.pp
new file mode 100644
index 0000000..fc19676
--- /dev/null
+++ b/manifests/awslinux/7_4.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::7_4
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::7_4 {
+ include cis::linuxcontrols::c0076
+}
diff --git a/manifests/awslinux/7_5.pp b/manifests/awslinux/7_5.pp
new file mode 100644
index 0000000..99276ed
--- /dev/null
+++ b/manifests/awslinux/7_5.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::7_5
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::7_5 {
+ include cis::linuxcontrols::c0077
+}
diff --git a/manifests/awslinux/8_1.pp b/manifests/awslinux/8_1.pp
new file mode 100644
index 0000000..b6e3858
--- /dev/null
+++ b/manifests/awslinux/8_1.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::8_1
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::8_1 {
+ include cis::linuxcontrols::c0078
+}
diff --git a/manifests/awslinux/8_2.pp b/manifests/awslinux/8_2.pp
new file mode 100644
index 0000000..1ecfe88
--- /dev/null
+++ b/manifests/awslinux/8_2.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::8_2
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::8_2 {
+ include cis::linuxcontrols::c0078
+}
diff --git a/manifests/awslinux/9_1_11.pp b/manifests/awslinux/9_1_11.pp
new file mode 100644
index 0000000..14518ea
--- /dev/null
+++ b/manifests/awslinux/9_1_11.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_1_11
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_1_11 {
+ include cis::linuxcontrols::c0083
+}
diff --git a/manifests/awslinux/9_1_12.pp b/manifests/awslinux/9_1_12.pp
new file mode 100644
index 0000000..6f6ec2d
--- /dev/null
+++ b/manifests/awslinux/9_1_12.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_1_12
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_1_12 {
+ include cis::linuxcontrols::c0084
+}
diff --git a/manifests/awslinux/9_1_2.pp b/manifests/awslinux/9_1_2.pp
new file mode 100644
index 0000000..8f4d3e7
--- /dev/null
+++ b/manifests/awslinux/9_1_2.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_1_2
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_1_2 {
+ include cis::linuxcontrols::c0079
+}
diff --git a/manifests/awslinux/9_1_3.pp b/manifests/awslinux/9_1_3.pp
new file mode 100644
index 0000000..6a00a4f
--- /dev/null
+++ b/manifests/awslinux/9_1_3.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_1_3
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_1_3 {
+ include cis::linuxcontrols::c0080
+}
diff --git a/manifests/awslinux/9_1_4.pp b/manifests/awslinux/9_1_4.pp
new file mode 100644
index 0000000..97362b0
--- /dev/null
+++ b/manifests/awslinux/9_1_4.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_1_4
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_1_4 {
+ include cis::linuxcontrols::c0081
+}
diff --git a/manifests/awslinux/9_1_5.pp b/manifests/awslinux/9_1_5.pp
new file mode 100644
index 0000000..4097206
--- /dev/null
+++ b/manifests/awslinux/9_1_5.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_1_5
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_1_5 {
+ include cis::linuxcontrols::c0082
+}
diff --git a/manifests/awslinux/9_1_6.pp b/manifests/awslinux/9_1_6.pp
new file mode 100644
index 0000000..2bc5d26
--- /dev/null
+++ b/manifests/awslinux/9_1_6.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_1_6
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_1_6 {
+ include cis::linuxcontrols::c0079
+}
diff --git a/manifests/awslinux/9_1_7.pp b/manifests/awslinux/9_1_7.pp
new file mode 100644
index 0000000..05d2b55
--- /dev/null
+++ b/manifests/awslinux/9_1_7.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_1_7
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_1_7 {
+ include cis::linuxcontrols::c0080
+}
diff --git a/manifests/awslinux/9_1_8.pp b/manifests/awslinux/9_1_8.pp
new file mode 100644
index 0000000..6572a61
--- /dev/null
+++ b/manifests/awslinux/9_1_8.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_1_8
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_1_8 {
+ include cis::linuxcontrols::c0081
+}
diff --git a/manifests/awslinux/9_1_9.pp b/manifests/awslinux/9_1_9.pp
new file mode 100644
index 0000000..48abeb3
--- /dev/null
+++ b/manifests/awslinux/9_1_9.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_1_9
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_1_9 {
+ include cis::linuxcontrols::c0082
+}
diff --git a/manifests/awslinux/9_2_1.pp b/manifests/awslinux/9_2_1.pp
new file mode 100644
index 0000000..fd3a864
--- /dev/null
+++ b/manifests/awslinux/9_2_1.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_1
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_1 {
+ include cis::linuxcontrols::c0085
+}
diff --git a/manifests/awslinux/9_2_10.pp b/manifests/awslinux/9_2_10.pp
new file mode 100644
index 0000000..87229d7
--- /dev/null
+++ b/manifests/awslinux/9_2_10.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_10
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_10 {
+ include cis::linuxcontrols::c0094
+}
diff --git a/manifests/awslinux/9_2_11.pp b/manifests/awslinux/9_2_11.pp
new file mode 100644
index 0000000..9a7a3d9
--- /dev/null
+++ b/manifests/awslinux/9_2_11.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_11
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_11 {
+ include cis::linuxcontrols::c0095
+}
diff --git a/manifests/awslinux/9_2_12.pp b/manifests/awslinux/9_2_12.pp
new file mode 100644
index 0000000..5147dd7
--- /dev/null
+++ b/manifests/awslinux/9_2_12.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_12
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_12 {
+ include cis::linuxcontrols::c0096
+}
diff --git a/manifests/awslinux/9_2_13.pp b/manifests/awslinux/9_2_13.pp
new file mode 100644
index 0000000..3c8ee10
--- /dev/null
+++ b/manifests/awslinux/9_2_13.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_13
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_13 {
+ include cis::linuxcontrols::c0097
+}
diff --git a/manifests/awslinux/9_2_14.pp b/manifests/awslinux/9_2_14.pp
new file mode 100644
index 0000000..2b3edad
--- /dev/null
+++ b/manifests/awslinux/9_2_14.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_14
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_14 {
+ include cis::linuxcontrols::c0098
+}
diff --git a/manifests/awslinux/9_2_15.pp b/manifests/awslinux/9_2_15.pp
new file mode 100644
index 0000000..db586cd
--- /dev/null
+++ b/manifests/awslinux/9_2_15.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_15
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_15 {
+ include cis::linuxcontrols::c0099
+}
diff --git a/manifests/awslinux/9_2_16.pp b/manifests/awslinux/9_2_16.pp
new file mode 100644
index 0000000..142531d
--- /dev/null
+++ b/manifests/awslinux/9_2_16.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_16
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_16 {
+ include cis::linuxcontrols::c0100
+}
diff --git a/manifests/awslinux/9_2_17.pp b/manifests/awslinux/9_2_17.pp
new file mode 100644
index 0000000..fdea8dd
--- /dev/null
+++ b/manifests/awslinux/9_2_17.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_17
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_17 {
+ include cis::linuxcontrols::cis_9_2_17
+}
diff --git a/manifests/awslinux/9_2_18.pp b/manifests/awslinux/9_2_18.pp
new file mode 100644
index 0000000..556effb
--- /dev/null
+++ b/manifests/awslinux/9_2_18.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_18
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_18 {
+ include cis::linuxcontrols::c0101
+}
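Review bot: `cis::awslinux::9_2_17` includes `cis::linuxcontrols::cis_9_2_17`, which breaks the `cNNNN` naming every other wrapper in this commit uses, and I do not see a `cis_9_2_17.pp` added in the visible part of the diff, so the include will fail at catalog compilation unless that class already exists in the module. Either rename it to the next free control number (its neighbours 9_2_16 and 9_2_18 use c0100 and c0101), or confirm the class is present and add a comment above the include explaining why this one control is named differently.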
diff --git a/manifests/awslinux/9_2_19.pp b/manifests/awslinux/9_2_19.pp
new file mode 100644
index 0000000..9749db4
--- /dev/null
+++ b/manifests/awslinux/9_2_19.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_19
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_19 {
+ include cis::linuxcontrols::c0102
+}
diff --git a/manifests/awslinux/9_2_2.pp b/manifests/awslinux/9_2_2.pp
new file mode 100644
index 0000000..88de569
--- /dev/null
+++ b/manifests/awslinux/9_2_2.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_2
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_2 {
+ include cis::linuxcontrols::c0086
+}
diff --git a/manifests/awslinux/9_2_20.pp b/manifests/awslinux/9_2_20.pp
new file mode 100644
index 0000000..53636de
--- /dev/null
+++ b/manifests/awslinux/9_2_20.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_20
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_20 {
+ include cis::linuxcontrols::c0103
+}
diff --git a/manifests/awslinux/9_2_3.pp b/manifests/awslinux/9_2_3.pp
new file mode 100644
index 0000000..ab5334b
--- /dev/null
+++ b/manifests/awslinux/9_2_3.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_3
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_3 {
+ include cis::linuxcontrols::c0087
+}
diff --git a/manifests/awslinux/9_2_4.pp b/manifests/awslinux/9_2_4.pp
new file mode 100644
index 0000000..c9a5518
--- /dev/null
+++ b/manifests/awslinux/9_2_4.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_4
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_4 {
+ include cis::linuxcontrols::c0088
+}
diff --git a/manifests/awslinux/9_2_5.pp b/manifests/awslinux/9_2_5.pp
new file mode 100644
index 0000000..d7cd439
--- /dev/null
+++ b/manifests/awslinux/9_2_5.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_5
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_5 {
+ include cis::linuxcontrols::c0089
+}
diff --git a/manifests/awslinux/9_2_6.pp b/manifests/awslinux/9_2_6.pp
new file mode 100644
index 0000000..12aca9a
--- /dev/null
+++ b/manifests/awslinux/9_2_6.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_6
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_6 {
+ include cis::linuxcontrols::c0090
+}
diff --git a/manifests/awslinux/9_2_7.pp b/manifests/awslinux/9_2_7.pp
new file mode 100644
index 0000000..1483221
--- /dev/null
+++ b/manifests/awslinux/9_2_7.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_7
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_7 {
+ include cis::linuxcontrols::c0091
+}
diff --git a/manifests/awslinux/9_2_8.pp b/manifests/awslinux/9_2_8.pp
new file mode 100644
index 0000000..7e4c994
--- /dev/null
+++ b/manifests/awslinux/9_2_8.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_8
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_8 {
+ include cis::linuxcontrols::c0092
+}
diff --git a/manifests/awslinux/9_2_9.pp b/manifests/awslinux/9_2_9.pp
new file mode 100644
index 0000000..dac9600
--- /dev/null
+++ b/manifests/awslinux/9_2_9.pp
@@ -0,0 +1,8 @@
+# Class cis::awslinux::9_2_9
+#
+# CIS Security Benchmark for RHEL7
+#
+
+class cis::awslinux::9_2_9 {
+ include cis::linuxcontrols::c0093
+}
diff --git a/manifests/linuxcontrols/c0051.pp b/manifests/linuxcontrols/c0051.pp
index 72f6724..8b54b4e 100644
--- a/manifests/linuxcontrols/c0051.pp
+++ b/manifests/linuxcontrols/c0051.pp
@@ -4,11 +4,25 @@ # class cis::linuxcontrols::c0051 { - file {'/etc/audit/auditd.conf': - source => 'puppet:///modules/cis/el6/etc/audit/auditd.conf', - owner => root, - group => root, - mode => '0640', - notify => Service['auditd'], +case $::operatingsystem { + 'RedHat': { + file {'/etc/audit/auditd.conf': + source => 'puppet:///modules/cis/el6/etc/audit/auditd.conf', + owner => root, + group => root, + mode => '0640', + notify => Service['auditd'], + } } + 'Amazon': { + file {'/etc/audit/auditd.conf': + source => 'puppet:///modules/cis/awslinux/etc/audit/auditd.conf', + owner => root, + group => root, + mode => '0640', + notify => Service['auditd'], + } + } + default: { } + } } diff --git a/manifests/linuxcontrols/c0052.pp b/manifests/linuxcontrols/c0052.pp index d4e6c4a..9891381 100644 --- a/manifests/linuxcontrols/c0052.pp +++ b/manifests/linuxcontrols/c0052.pp @@ -4,7 +4,8 @@ # class cis::linuxcontrols::c0052 { - service {'auditd': + service { 'auditd': + ensure => running, enable => true, - } + } } diff --git a/manifests/linuxcontrols/c0053.pp b/manifests/linuxcontrols/c0053.pp index 3f4e94f..221b668 100644 --- a/manifests/linuxcontrols/c0053.pp +++ b/manifests/linuxcontrols/c0053.pp 
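Review bot: `default: { }` in c0051's new `case $::operatingsystem` silently leaves `/etc/audit/auditd.conf` unmanaged on any OS other than `RedHat` or `Amazon`, whereas the c0053 hunk in this same commit fails the catalog with `fail("Error: ${::operatingsystem} is not supported")`. Before this change the resource applied unconditionally, so a node whose `operatingsystem` fact is something else (a RHEL clone reports its own name, not `RedHat`) would now complete a run with auditd.conf untouched and nothing in the report to say so — a quiet regression for an audit control. Use the same `fail(...)` default as c0053, or at minimum `default: { warning("c0051: auditd.conf not managed on ${::operatingsystem}") }` so the gap is visible.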
@@ -18,16 +18,37 @@ # class cis::linuxcontrols::c0053 { - $file_source = $::hardwaremodel ? { - 'x86_64' => 'puppet:///modules/cis/el6/etc/audit/audit.rules.64', - default => 'puppet:///modules/cis/el6/etc/audit/audit.rules.32', - } + case $::operatingsystem { + 'RedHat': { + $file_source = $::hardwaremodel ? { + 'x86_64' => 'puppet:///modules/cis/el6/etc/audit/audit.rules.64', + default => 'puppet:///modules/cis/el6/etc/audit/audit.rules.32', + } + + file {'/etc/audit/audit.rules': + source => $file_source, + owner => root, + group => root, + mode => '0640', + notify => Service['auditd'], + } + } + 'Amazon': { + $file_source = $::hardwaremodel ? { + 'x86_64' => 'puppet:///modules/cis/awslinux/etc/audit/audit.rules.64', + default => 'puppet:///modules/cis/awslinux/etc/audit/audit.rules.32', + } - file {'/etc/audit/audit.rules': - source => $file_source, - owner => root, - group => root, - mode => '0640', - notify => Service['auditd'], + file {'/etc/audit/audit.rules': + source => $file_source, + owner => root, + group => root, + mode => '0640', + notify => Service['auditd'], + } } + default: { + fail("Error: ${::operatingsystem} is not supported") + } + } } diff --git a/manifests/linuxcontrols/c0054.pp b/manifests/linuxcontrols/c0054.pp index 90a4f4d..c62e1d7 100644 --- a/manifests/linuxcontrols/c0054.pp +++ b/manifests/linuxcontrols/c0054.pp 
@@ -1,4 +1,35 @@ -class cis::linuxcontrols::c0054 { # CIS RHEL6 Control 5.2.12 -- TODO Find a way to cron an update to # audit.rules with suid/guid entries. +class cis::linuxcontrols::c0054 { + case $::operatingsystem { + 'RedHat': { + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-5.2.12.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-5.2.12.sh', + } + + $status = $::cis_5_2_12 ? { + 'pass' => 'info', + default => 'warning', + } + + notify{ "CIS Benchmark 5.2.12 : ${::cis_5_2_12}": + require => File['/etc/facter/facts.d/cis-5.2.12.sh'], + loglevel => $status, + } + } + else { + fail("Error: Can't check for CIS 5.2.12 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } + } } diff --git a/manifests/linuxcontrols/c0056.pp b/manifests/linuxcontrols/c0056.pp index e1525a6..ee60073 100644 --- a/manifests/linuxcontrols/c0056.pp +++ b/manifests/linuxcontrols/c0056.pp @@ -3,7 +3,7 @@ # Ensure the cron daemon is enabled. # class cis::linuxcontrols::c0056 { - service {'crond': + service { 'crond': ensure => running, enable => true, hasrestart => true, diff --git a/manifests/linuxcontrols/c0057.pp b/manifests/linuxcontrols/c0057.pp index 29dc0b4..2a9d47a 100644 --- a/manifests/linuxcontrols/c0057.pp +++ b/manifests/linuxcontrols/c0057.pp @@ -3,7 +3,7 @@ # Restrict access to the anacron configuration file. # class cis::linuxcontrols::c0057 { - file {'/etc/anacrontab': + file { '/etc/anacrontab': owner => root, group => root, mode => '0600', diff --git a/manifests/linuxcontrols/c0058.pp b/manifests/linuxcontrols/c0058.pp index 7a06005..4c7867a 100644 --- a/manifests/linuxcontrols/c0058.pp +++ b/manifests/linuxcontrols/c0058.pp 
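Review bot: In c0054's `'Amazon'` branch the fact `$::cis_5_2_12` is read in the same run that installs `/etc/facter/facts.d/cis-5.2.12.sh`; external facts are collected before the catalog is applied, so on the first run the fact is undefined, the selector falls through to `'warning'`, and the notify logs `CIS Benchmark 5.2.12 : ` with an empty result as if the check had failed — the `require` on the file resource does not change that ordering. Wrap the report in an `if $::cis_5_2_12 == undef { notify { 'CIS 5.2.12: no result yet, re-run after the fact script is in place': } } else { ... }` (or similar) so the first run is not a false warning. c0074 in this commit reads `$::cis_7_2` the same way and has the same first-run gap. The `'RedHat': { }` branch is deliberately empty per the TODO comment above the class; a one-line `# RedHat: see TODO above, checked manually for now` inside the branch would save the next reader a search.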
@@ -3,7 +3,7 @@ # Restrict access to the cron configuration file. # class cis::linuxcontrols::c0058 { - file {'/etc/crontab': + file { '/etc/crontab': owner => root, group => root, mode => '0600', diff --git a/manifests/linuxcontrols/c0059.pp b/manifests/linuxcontrols/c0059.pp index 18b8a86..9f6803a 100644 --- a/manifests/linuxcontrols/c0059.pp +++ b/manifests/linuxcontrols/c0059.pp @@ -3,7 +3,7 @@ # Restrict access to the cron hourly configuration file. # class cis::linuxcontrols::c0059 { - file {'/etc/cron.hourly': + file { '/etc/cron.hourly': owner => root, group => root, mode => '0600', diff --git a/manifests/linuxcontrols/c0060.pp b/manifests/linuxcontrols/c0060.pp index 867b9c4..64dc500 100644 --- a/manifests/linuxcontrols/c0060.pp +++ b/manifests/linuxcontrols/c0060.pp @@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0060 { - file {'/etc/cron.daily': + file { '/etc/cron.daily': owner => root, group => root, mode => '0600', diff --git a/manifests/linuxcontrols/c0061.pp b/manifests/linuxcontrols/c0061.pp index 720fbcf..6e13588 100644 --- a/manifests/linuxcontrols/c0061.pp +++ b/manifests/linuxcontrols/c0061.pp @@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0061 { - file {'/etc/cron.weekly': + file { '/etc/cron.weekly': owner => root, group => root, mode => '0600', diff --git a/manifests/linuxcontrols/c0062.pp b/manifests/linuxcontrols/c0062.pp index 411a5ee..b86b27b 100644 --- a/manifests/linuxcontrols/c0062.pp +++ b/manifests/linuxcontrols/c0062.pp @@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0062 { - file {'/etc/cron.monthly': + file { '/etc/cron.monthly': owner => root, group => root, mode => '0600', diff --git a/manifests/linuxcontrols/c0063.pp b/manifests/linuxcontrols/c0063.pp index a6bbc58..a5fb4d5 100644 --- a/manifests/linuxcontrols/c0063.pp +++ b/manifests/linuxcontrols/c0063.pp @@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0063 { - file {'/etc/cron.d': + file { '/etc/cron.d': owner => root, group => root, mode => '0700', 
diff --git a/manifests/linuxcontrols/c0064.pp b/manifests/linuxcontrols/c0064.pp index 0f1c4b4..d01a53c 100644 --- a/manifests/linuxcontrols/c0064.pp +++ b/manifests/linuxcontrols/c0064.pp @@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0064 { - file {'/etc/at.deny': - ensure => absent, + file { '/etc/at.deny': + ensure => absent, } } diff --git a/manifests/linuxcontrols/c0065.pp b/manifests/linuxcontrols/c0065.pp index 6233816..690377e 100644 --- a/manifests/linuxcontrols/c0065.pp +++ b/manifests/linuxcontrols/c0065.pp @@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0065 { - file {'/etc/at.allow': + file { '/etc/at.allow': source => 'puppet:///modules/cis/el6/etc/at.allow', owner => root, group => root, diff --git a/manifests/linuxcontrols/c0066.pp b/manifests/linuxcontrols/c0066.pp index 360cc6f..512e534 100644 --- a/manifests/linuxcontrols/c0066.pp +++ b/manifests/linuxcontrols/c0066.pp @@ -4,7 +4,11 @@ # class cis::linuxcontrols::c0066 { - file {'/etc/cron.allow': + file { '/etc/cron.deny': + ensure => absent, + } + + file { '/etc/cron.allow': source => 'puppet:///modules/cis/el6/etc/cron.allow', owner => root, group => root, diff --git a/manifests/linuxcontrols/c0068.pp b/manifests/linuxcontrols/c0068.pp index 2bc93be..89e0b71 100644 --- a/manifests/linuxcontrols/c0068.pp +++ b/manifests/linuxcontrols/c0068.pp 
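Review bot: The `/etc/cron.allow` resource in c0066 still pulls `puppet:///modules/cis/el6/etc/cron.allow` unconditionally, while this commit gates the other file sources on `$::operatingsystem` and adds `awslinux/` copies; Amazon nodes will therefore receive the el6 file here. The same fixed `el6` path remains in c0065 (`/etc/at.allow`), c0077 (`/etc/default/useradd`) and c0078 (`/etc/issue.net`). If those files are genuinely identical for both distributions, a short `# shared with Amazon Linux; content is distribution-independent` above each source line would make that a deliberate choice rather than something that looks like an omission in a later audit.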
@@ -4,11 +4,25 @@ # class cis::linuxcontrols::c0068 { - file { '/etc/ssh/sshd_config': - ensure => present, - source => 'puppet:///modules/cis/el6/etc/ssh/sshd_config', - owner => root, - group => root, - mode => '0600', + case $::operatingsystem { + 'RedHat': { + file { '/etc/ssh/sshd_config': + ensure => present, + source => 'puppet:///modules/cis/el6/etc/ssh/sshd_config', + owner => root, + group => root, + mode => '0600', + } + } + 'Amazon': { + file { '/etc/ssh/sshd_config': + ensure => present, + source => 'puppet:///modules/cis/awslinux/etc/ssh/sshd_config', + owner => root, + group => root, + mode => '0600', + } + } + default: { fail("ERROR: unsupported OS = ${::operatingsystem}") } } } diff --git a/manifests/linuxcontrols/c0070.pp b/manifests/linuxcontrols/c0070.pp index 09cf3ef..116998e 100644 --- a/manifests/linuxcontrols/c0070.pp +++ b/manifests/linuxcontrols/c0070.pp @@ -4,10 +4,23 @@ # class cis::linuxcontrols::c0070 { - file {'/etc/sysconfig/authconfig': - source => 'puppet:///modules/cis/el6/etc/sysconfig/authconfig', - owner => root, - group => root, - mode => '0644', + case $::operatingsystem { + 'RedHat': { + file { '/etc/sysconfig/authconfig': + source => 'puppet:///modules/cis/el6/etc/sysconfig/authconfig', + owner => root, + group => root, + mode => '0644', + } + } + 'Amazon': { + file { '/etc/sysconfig/authconfig': + source => 'puppet:///modules/cis/awslinux/etc/sysconfig/authconfig', + owner => root, + group => root, + mode => '0644', + } + } + default: { fail("ERROR: unsupported OS = ${::operatingsystem}") } } } diff --git a/manifests/linuxcontrols/c0071.pp b/manifests/linuxcontrols/c0071.pp index 2b0fe26..eb1215b 100644 --- a/manifests/linuxcontrols/c0071.pp +++ b/manifests/linuxcontrols/c0071.pp 
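Review bot: Both new branches of c0068 replace `/etc/ssh/sshd_config` but neither has a `notify`, so a running sshd keeps its previous configuration until something else restarts it, unlike c0051/c0053 in this commit which notify `Service['auditd']` — the hardened settings are not actually in effect after the run that deploys them. If `Service['sshd']` is declared elsewhere in the module (possibly c0067, which is not visible here), add `notify => Service['sshd'],` to both file resources; otherwise declare the service alongside them. The same `default: { fail(...) }` wording is used in c0070 below, which is fine, but note it differs from the `Error: ... is not supported` text used in c0053/c0054.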
@@ -6,14 +6,28 @@ # class cis::linuxcontrols::c0071 { - file {'/etc/pam.d/system-auth': + file { '/etc/pam.d/system-auth': ensure => link, target => '/etc/pam.d/system-auth-ac', } - file {'/etc/pam.d/system-auth-ac': - source => 'puppet:///modules/cis/el6/etc/pam.d/system-auth-ac', - owner => root, - group => root, - mode => '0644', + + case $::operatingsystem { + 'RedHat': { + file { '/etc/pam.d/system-auth-ac': + source => 'puppet:///modules/cis/el6/etc/pam.d/system-auth-ac', + owner => root, + group => root, + mode => '0644', + } + } + 'Amazon': { + file { '/etc/pam.d/system-auth-ac': + source => 'puppet:///modules/cis/awslinux/etc/pam.d/system-auth-ac', + owner => root, + group => root, + mode => '0644', + } + } + default: { fail("ERROR: unsupported OS = ${::operatingsystem}") } } } diff --git a/manifests/linuxcontrols/c0072.pp b/manifests/linuxcontrols/c0072.pp index 1188742..4e647ce 100644 --- a/manifests/linuxcontrols/c0072.pp +++ b/manifests/linuxcontrols/c0072.pp @@ -4,10 +4,23 @@ # class cis::linuxcontrols::c0072 { - file {'/etc/pam.d/su': - source => 'puppet:///modules/cis/el6/etc/pam.d/su', - owner => root, - group => root, - mode => '0644', + case $::operatingsystem { + 'RedHat': { + file { '/etc/pam.d/su': + source => 'puppet:///modules/cis/el6/etc/pam.d/su', + owner => root, + group => root, + mode => '0644', + } + } + 'Amazon': { + file { '/etc/pam.d/su': + source => 'puppet:///modules/cis/awslinux/etc/pam.d/su', + owner => root, + group => root, + mode => '0644', + } + } + default: { fail("ERROR: unsupported OS = ${::operatingsystem}") } } } diff --git a/manifests/linuxcontrols/c0073.pp b/manifests/linuxcontrols/c0073.pp index 007ae66..ed9daaf 100644 --- a/manifests/linuxcontrols/c0073.pp +++ b/manifests/linuxcontrols/c0073.pp 
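Review bot: c0071 and c0072 duplicate the entire `file` resource per OS branch when only the `source` path differs, and the same shape is repeated in c0051, c0068, c0070, c0073 and c0076 in this commit. Computing the distribution directory once — `$cis_src = $::operatingsystem ? { 'RedHat' => 'el6', 'Amazon' => 'awslinux' }` (an unmatched value with no `default` aborts compilation, or add an explicit `default => fail(...)` style guard) — and then writing a single `file { '/etc/pam.d/su': source => "puppet:///modules/cis/${cis_src}/etc/pam.d/su", ... }` keeps owner/group/mode in one place, which matters for a hardening module where a permission typo in one branch would go unnoticed. The hunk for c0071 also leaves the `system-auth` symlink outside the case while the target file is inside it, which is correct but worth a one-line comment since the two resources now sit in different blocks.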
@@ -6,10 +6,24 @@ # class cis::linuxcontrols::c0073 { - file {'/etc/login.defs': - source => 'puppet:///modules/cis/el6/etc/login.defs', - owner => root, - group => root, - mode => '0644', + case $::operatingsystem { + 'RedHat': { + file {'/etc/login.defs': + source => 'puppet:///modules/cis/el6/etc/login.defs', + owner => root, + group => root, + mode => '0644', + } + } + 'Amazon': { + file {'/etc/login.defs': + source => 'puppet:///modules/cis/awslinux/etc/login.defs', + owner => root, + group => root, + mode => '0644', + } + } + default: { fail("ERROR: unsupported OS = ${::operatingsystem}") } } + } diff --git a/manifests/linuxcontrols/c0074.pp b/manifests/linuxcontrols/c0074.pp index 35a9c33..9029096 100644 --- a/manifests/linuxcontrols/c0074.pp +++ b/manifests/linuxcontrols/c0074.pp 
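Review bot: The c0073 hunk appears to end with a context `}` followed by an added `+ }`, whereas the otherwise identical c0072 hunk in this commit ends with two context braces; with the diff collapsed onto one line I cannot verify the brace balance from here, but an extra `}` would make `c0073.pp` fail to parse and take every catalog that includes 7_1_1/7_1_3 down with it, so please confirm with `puppet parser validate manifests/linuxcontrols/c0073.pp`. Separately, both file resources in this hunk keep `file {'/etc/login.defs':` without the space after `{` that the rest of the commit normalizes to `file { '...':`.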
@@ -1,18 +1,52 @@ # Class cis::linuxcontrols::c0074 # -# Disable system accounts with non-interactive shells. -# # This is a reported, not enforced, compliance item. # +# CIS 7.2 [RedHat] +# CIS 7.2 [Amazon Linux] +# - Disable System Accounts (Scored) +# - Disable system accounts with non-interactive shells. +# class cis::linuxcontrols::c0074 { - file {'/usr/local/sbin/f0001.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0001.sh', - owner => root, - group => root, - mode => '0700', -} - if $::f0001 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 7.2 (f0001)') + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0001.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0001.sh', + owner => root, + group => root, + mode => '0700', + } + if $::f0001 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 7.2 (f0001)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-7.2.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-7.2.sh', + } + + $status = $::cis_7_2 ? { + 'pass' => 'info', + default => 'warning', + } + + notify{ "CIS Benchmark 7.2 : ${::cis_7_2}": + require => File['/etc/facter/facts.d/cis-7.2.sh'], + loglevel => $status, + } + } + else { + fail("Error: Can't check for CIS 7.2 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0075.pp b/manifests/linuxcontrols/c0075.pp index a876f08..5119c2b 100644 --- a/manifests/linuxcontrols/c0075.pp +++ b/manifests/linuxcontrols/c0075.pp @@ -1,6 +1,6 @@ # Class cis::linuxcontrol::c0075 # -# Ensure the default group for user 'root' is GID 0. +# CIS 7.3 Ensure the default group for user 'root' is GID 0. # class cis::linuxcontrols::c0075 { 
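Review bot: `warning('Node $fqdn failed CIS RHEL6 Control 7.2 (f0001)')` in c0074's `'RedHat'` branch is single-quoted, so Puppet does not interpolate `$fqdn` and the log line literally reads `Node $fqdn failed ...`, dropping the one detail that makes the warning actionable when logs from many nodes are aggregated. Change it to `warning("Node ${::fqdn} failed CIS RHEL6 Control 7.2 (f0001)")`. The new header comment lists `CIS 7.2 [RedHat]` and `CIS 7.2 [Amazon Linux]` but the class still names `CIS RHEL6` in the warning; pick one benchmark label and use it in both places.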
diff --git a/manifests/linuxcontrols/c0076.pp b/manifests/linuxcontrols/c0076.pp index 72426da..000f58e 100644 --- a/manifests/linuxcontrols/c0076.pp +++ b/manifests/linuxcontrols/c0076.pp @@ -4,22 +4,51 @@ # class cis::linuxcontrols::c0076 { - file {'/etc/profile': - source => 'puppet:///modules/cis/el6/etc/profile', - owner => root, - group => root, - mode => '0644', - } - file {'/etc/bashrc': - source => 'puppet:///modules/cis/el6/etc/bashrc', - owner => root, - group => root, - mode => '0644', - } - file {'/etc/csh.cshrc': - source => 'puppet:///modules/cis/el6/etc/csh.cshrc', - owner => root, - group => root, - mode => '0644', + case $::operatingsystem { + 'RedHat': { + file { '/etc/profile': + source => 'puppet:///modules/cis/el6/etc/profile', + owner => root, + group => root, + mode => '0644', + } + + file { '/etc/bashrc': + source => 'puppet:///modules/cis/el6/etc/bashrc', + owner => root, + group => root, + mode => '0644', + } + + file { '/etc/csh.cshrc': + source => 'puppet:///modules/cis/el6/etc/csh.cshrc', + owner => root, + group => root, + mode => '0644', + } + } + 'Amazon': { + file { '/etc/profile': + source => 'puppet:///modules/cis/awslinux/etc/profile', + owner => root, + group => root, + mode => '0644', + } + + file { '/etc/bashrc': + source => 'puppet:///modules/cis/awslinux/etc/bashrc', + owner => root, + group => root, + mode => '0644', + } + + file { '/etc/csh.cshrc': + source => 'puppet:///modules/cis/awslinux/etc/csh.cshrc', + owner => root, + group => root, + mode => '0644', + } + } + default: { fail("ERROR: unsupported OS = ${::operatingsystem}") } } } diff --git a/manifests/linuxcontrols/c0077.pp b/manifests/linuxcontrols/c0077.pp index 542e7df..613d9df 100644 --- a/manifests/linuxcontrols/c0077.pp +++ b/manifests/linuxcontrols/c0077.pp 
@@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0077 { - file {'/etc/default/useradd': + file { '/etc/default/useradd': source => 'puppet:///modules/cis/el6/etc/default/useradd', owner => root, group => root, diff --git a/manifests/linuxcontrols/c0078.pp b/manifests/linuxcontrols/c0078.pp index 1a31aef..653b2f5 100644 --- a/manifests/linuxcontrols/c0078.pp +++ b/manifests/linuxcontrols/c0078.pp @@ -4,19 +4,19 @@ # class cis::linuxcontrols::c0078 { - file {'/etc/issue.net': + file { '/etc/issue.net': source => 'puppet:///modules/cis/el6/etc/issue.net', owner => root, group => root, mode => '0644', } - file {'/etc/issue': + file { '/etc/issue': source => 'puppet:///modules/cis/el6/etc/issue.net', owner => root, group => root, mode => '0644', } - file {'/etc/motd': + file { '/etc/motd': source => 'puppet:///modules/cis/el6/etc/issue.net', owner => root, group => root, diff --git a/manifests/linuxcontrols/c0079.pp b/manifests/linuxcontrols/c0079.pp index 4f8beea..a1e9e2e 100644 --- a/manifests/linuxcontrols/c0079.pp +++ b/manifests/linuxcontrols/c0079.pp @@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0079 { - file {'/etc/passwd': + file { '/etc/passwd': owner => root, group => root, mode => '0644', diff --git a/manifests/linuxcontrols/c0080.pp b/manifests/linuxcontrols/c0080.pp index eade84f..e42c5e1 100644 --- a/manifests/linuxcontrols/c0080.pp +++ b/manifests/linuxcontrols/c0080.pp @@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0080 { - file {'/etc/shadow': + file { '/etc/shadow': owner => root, group => root, mode => '0000', diff --git a/manifests/linuxcontrols/c0081.pp b/manifests/linuxcontrols/c0081.pp index 6f27f7c..7ff82f1 100644 --- a/manifests/linuxcontrols/c0081.pp +++ b/manifests/linuxcontrols/c0081.pp @@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0081 { - file {'/etc/gshadow': + file { '/etc/gshadow': owner => root, group => root, mode => '0000', diff --git a/manifests/linuxcontrols/c0082.pp b/manifests/linuxcontrols/c0082.pp index 6c3591c..05149a5 100644 
--- a/manifests/linuxcontrols/c0082.pp +++ b/manifests/linuxcontrols/c0082.pp @@ -4,7 +4,7 @@ # class cis::linuxcontrols::c0082 { - file {'/etc/group': + file { '/etc/group': owner => root, group => root, mode => '0644', diff --git a/manifests/linuxcontrols/c0083.pp b/manifests/linuxcontrols/c0083.pp index 3cecae6..d61bbff 100644 --- a/manifests/linuxcontrols/c0083.pp +++ b/manifests/linuxcontrols/c0083.pp @@ -6,14 +6,14 @@ # class cis::linuxcontrols::c0083 { - file {'/usr/local/sbin/f0002.sh': + file { '/usr/local/sbin/f0002.sh': source => 'puppet:///modules/cis/linuxcontrols/scripts/f0002.sh', owner => root, group => root, mode => '0700', } - cron {'f0002.sh': + cron { 'f0002.sh': command => '/usr/local/sbin/f0002.sh', user => 'root', hour => 4, diff --git a/manifests/linuxcontrols/c0084.pp b/manifests/linuxcontrols/c0084.pp index 60821fc..31c8763 100644 --- a/manifests/linuxcontrols/c0084.pp +++ b/manifests/linuxcontrols/c0084.pp @@ -6,14 +6,14 @@ # class cis::linuxcontrols::c0084 { - file {'/usr/local/sbin/f0003.sh': + file { '/usr/local/sbin/f0003.sh': source => 'puppet:///modules/cis/linuxcontrols/scripts/f0003.sh', owner => root, group => root, mode => '0700', } - cron {'f0003.sh': + cron { 'f0003.sh': command => '/usr/local/sbin/f0003.sh', user => 'root', hour => 3, diff --git a/manifests/linuxcontrols/c0085.pp b/manifests/linuxcontrols/c0085.pp index 1021f8d..1a78d18 100644 --- a/manifests/linuxcontrols/c0085.pp +++ b/manifests/linuxcontrols/c0085.pp 
@@ -6,14 +6,48 @@ # class cis::linuxcontrols::c0085 { - file {'/usr/local/sbin/f0004.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0004.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file { '/usr/local/sbin/f0004.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0004.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0004 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.1 (f0004)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.1.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.1.sh', + } - if $::f0004 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.1 (f0004)') + if $::cis_9_2_1 == 'pass' { + notify{ "CIS Benchmark 9.2.1 : ${::cis_9_2_1}": + require => File['/etc/facter/facts.d/cis-9.2.1.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.1 : ${::cis_9_2_1}": + require => File['/etc/facter/facts.d/cis-9.2.1.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.1 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0086.pp b/manifests/linuxcontrols/c0086.pp index 77e8c97..1853cc5 100644 --- a/manifests/linuxcontrols/c0086.pp +++ b/manifests/linuxcontrols/c0086.pp 
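Review bot: The Amazon branch declares the `notify` twice, once per `if`/`else` arm, with only `loglevel` differing; c0074 and c0089 in this same change derive the level with a selector and declare the resource once, and this class should match so the two copies cannot drift. The `require => File['/etc/facter/facts.d/cis-9.2.1.sh']` does not make the value current: facts are collected before the catalog is applied, so a node's first run evaluates `$::cis_9_2_1` as undef and lands in the warning arm with an empty status. `/etc/facter/facts.d` itself is not managed here and `file` does not create parent directories, so on a fresh Amazon node the resource fails unless something else creates that directory — please confirm, or add `file { '/etc/facter/facts.d': ensure => directory }`. The RedHat `warning('Node $fqdn ...')` is single-quoted and prints `$fqdn` literally.

```puppet
      $status = $::cis_9_2_1 ? {
        'pass'  => 'info',
        default => 'warning',
      }

      notify { "CIS Benchmark 9.2.1 : ${::cis_9_2_1}":
        require  => File['/etc/facter/facts.d/cis-9.2.1.sh'],
        loglevel => $status,
      }
```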
@@ -6,14 +6,48 @@ # class cis::linuxcontrols::c0086 { - file {'/usr/local/sbin/f0005.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0005.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file { '/usr/local/sbin/f0005.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0005.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0005 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.2 (f0005)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.2.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.2.sh', + } - if $::f0005 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.2 (f0005)') + if $::cis_9_2_2 == 'pass' { + notify{ "CIS Benchmark 9.2.2 : ${::cis_9_2_2}": + require => File['/etc/facter/facts.d/cis-9.2.2.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.2 : ${::cis_9_2_2}": + require => File['/etc/facter/facts.d/cis-9.2.2.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.2 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0087.pp b/manifests/linuxcontrols/c0087.pp index ee9df00..6660782 100644 --- a/manifests/linuxcontrols/c0087.pp +++ b/manifests/linuxcontrols/c0087.pp 
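Review bot: `warning('Node $fqdn failed CIS RHEL6 Control 9.2.2 (f0005)')` in the RedHat branch is single-quoted, so `$fqdn` is never interpolated and the warning cannot be tied to a host; change it to `warning("Node ${::fqdn} failed CIS RHEL6 Control 9.2.2 (f0005)")`, as the `fail(...)` messages in the same hunk already do with `${::fqdn}`. The Amazon branch also repeats the `notify` in both arms of the `if`; the selector form used in c0074 (`$status = $::cis_9_2_2 ? { 'pass' => 'info', default => 'warning' }` followed by one `notify` with `loglevel => $status`) would declare it once.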
@@ -6,14 +6,48 @@ # class cis::linuxcontrols::c0087 { - file {'/usr/local/sbin/f0006.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0006.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file { '/usr/local/sbin/f0006.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0006.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0006 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.3 (f0006)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.3.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.3.sh', + } - if $::f0006 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.3 (f0006)') + if $::cis_9_2_3 == 'pass' { + notify{ "CIS Benchmark 9.2.3 : ${::cis_9_2_3}": + require => File['/etc/facter/facts.d/cis-9.2.3.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.3 : ${::cis_9_2_3}": + require => File['/etc/facter/facts.d/cis-9.2.3.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.3 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0088.pp b/manifests/linuxcontrols/c0088.pp index b9e5556..017efd2 100644 --- a/manifests/linuxcontrols/c0088.pp +++ b/manifests/linuxcontrols/c0088.pp 
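Review bot: On a node's first run `$::cis_9_2_3` is undef, because the fact comes from `/etc/facter/facts.d/cis-9.2.3.sh`, which this catalog is only now installing, and facts are gathered before any resource is applied; the `else` arm therefore logs `CIS Benchmark 9.2.3 : ` with no status at warning level, and the `require` on the notify cannot change ordering that happens before catalog application. A short comment makes that intentional rather than puzzling: `# undef until the facts.d script has run once; the first run reports a warning with an empty status`. If a distinguishable value is wanted, have the script emit an explicit string on error and treat anything other than `pass` as a warning, which the `else` arm already does.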
@@ -6,14 +6,48 @@ # class cis::linuxcontrols::c0088 { - file {'/usr/local/sbin/f0007.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0007.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file { '/usr/local/sbin/f0007.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0007.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0007 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.4 (f0007)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.4.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.4.sh', + } - if $::f0007 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.4 (f0007)') + if $::cis_9_2_4 == 'pass' { + notify{ "CIS Benchmark 9.2.4 : ${::cis_9_2_4}": + require => File['/etc/facter/facts.d/cis-9.2.4.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.4 : ${::cis_9_2_4}": + require => File['/etc/facter/facts.d/cis-9.2.4.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.4 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0089.pp b/manifests/linuxcontrols/c0089.pp index c3c3aef..dd4893f 100644 --- a/manifests/linuxcontrols/c0089.pp +++ b/manifests/linuxcontrols/c0089.pp 
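Review bot: The guard `versioncmp($::facterversion, '1.7') > 0` rejects a node whose facter reports exactly `1.7` and aborts its whole catalog with `fail(...)`, yet external facts under `/etc/facter/facts.d` are the feature Facter 1.7 introduced, so the check looks one step too strict — if facts.d support is what is being gated, `>= 0` with the message reading `>= 1.7` seems to be the intended comparison (please confirm against the facter versions in the fleet). A `fail` here also drops every other enforced control for that node on the same run, a larger blast radius than skipping one report-only check; logging a `warning` and declaring nothing in that case would keep the rest of the baseline applied. The RedHat `warning('Node $fqdn ...')` is single-quoted and does not interpolate `$fqdn`.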
@@ -1,19 +1,51 @@ # Class cis::linuxcontrols:::c0089 # -# Ensure no UID 0 account exist other than root. -# # This is a reported, not enforced, control item. # +# CIS 9.2.5 [RedHat] +# CIS 9.2.5 [Amazon Linux] +# - Ensure no UID 0 account exist other than root. class cis::linuxcontrols::c0089 { - file {'/usr/local/sbin/f0008.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0008.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file { '/usr/local/sbin/f0008.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0008.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0008 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.5 (f0008)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.5.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.5.sh', + } + + $status = $::cis_9_2_5 ? { + 'pass' => 'info', + default => 'warning', + } - if $::f0008 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.5 (f0008)') + notify{ "CIS Benchmark 9.2.5 : ${::cis_9_2_5}": + require => File['/etc/facter/facts.d/cis-9.2.5.sh'], + loglevel => $status, + } + } + else { + fail("Error: Can't check for CIS 9.2.5 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0090.pp b/manifests/linuxcontrols/c0090.pp index eba0b10..f3fa46a 100644 --- a/manifests/linuxcontrols/c0090.pp +++ b/manifests/linuxcontrols/c0090.pp 
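Review bot: The `pass`/`fail` this class reports for "no UID 0 account other than root" is a fact computed on the agent by `cis-9.2.5.sh`, so a host where an attacker has added a second UID-0 account and edited that script, or the facts.d file, simply reports `pass`; the header should state that this is a self-reported check and that server-side corroboration (querying the same condition from collected facts, or an independent scanner) is still needed. Suggested header line under the two `CIS 9.2.5` entries: `# NOTE: status is an agent-supplied fact; treat it as a self-report, not as attestation.` The RedHat `warning('Node $fqdn failed CIS RHEL6 Control 9.2.5 (f0008)')` is single-quoted, so `$fqdn` is printed literally; use `"Node ${::fqdn} ..."`.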
@@ -4,34 +4,68 @@ # class cis::linuxcontrols::c0090 { - file {'/root/.bash_logout': - source => 'puppet:///modules/cis/el6/root/bash_logout', - owner => root, - group => root, - mode => '0600', - } - file {'/root/.bash_profile': - source => 'puppet:///modules/cis/el6/root/bash_profile', - owner => root, - group => root, - mode => '0600', - } - file {'/root/.bashrc': - source => 'puppet:///modules/cis/el6/root/bashrc', - owner => root, - group => root, - mode => '0600', - } - file {'/root/.cshrc': - source => 'puppet:///modules/cis/el6/root/cshrc', - owner => root, - group => root, - mode => '0600', - } - file {'/root/.tcshrc': - source => 'puppet:///modules/cis/el6/root/tcshrc', - owner => root, - group => root, - mode => '0600', + case $::operatingsystem { + 'RedHat': { + file {'/root/.bash_logout': + source => 'puppet:///modules/cis/el6/root/bash_logout', + owner => root, + group => root, + mode => '0600', + } + file {'/root/.bash_profile': + source => 'puppet:///modules/cis/el6/root/bash_profile', + owner => root, + group => root, + mode => '0600', + } + file {'/root/.bashrc': + source => 'puppet:///modules/cis/el6/root/bashrc', + owner => root, + group => root, + mode => '0600', + } + file {'/root/.cshrc': + source => 'puppet:///modules/cis/el6/root/cshrc', + owner => root, + group => root, + mode => '0600', + } + file {'/root/.tcshrc': + source => 'puppet:///modules/cis/el6/root/tcshrc', + owner => root, + group => root, + mode => '0600', + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.6.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.6.sh', + } + + if $::cis_9_2_6 == 'pass' { + notify{ "CIS Benchmark 9.2.6 : ${::cis_9_2_6}": + require => File['/etc/facter/facts.d/cis-9.2.6.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.6 : ${::cis_9_2_6}": + require => 
File['/etc/facter/facts.d/cis-9.2.6.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.6 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0091.pp b/manifests/linuxcontrols/c0091.pp index c2ec83f..e4fcb58 100644 --- a/manifests/linuxcontrols/c0091.pp +++ b/manifests/linuxcontrols/c0091.pp @@ -6,14 +6,48 @@ # class cis::linuxcontrols::c0091 { - file {'/usr/local/sbin/f0009.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0009.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0009.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0009.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0009 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.7 (f0009)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.7.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.7.sh', + } - if $::f0009 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.7 (f0009)') + if $::cis_9_2_7 == 'pass' { + notify{ "CIS Benchmark 9.2.7 : ${::cis_9_2_7}": + require => File['/etc/facter/facts.d/cis-9.2.7.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.7 : ${::cis_9_2_7}": + require => File['/etc/facter/facts.d/cis-9.2.7.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.7 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0092.pp b/manifests/linuxcontrols/c0092.pp index af61976..4e316a1 100644 --- a/manifests/linuxcontrols/c0092.pp +++ b/manifests/linuxcontrols/c0092.pp 
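Review bot: After this change control 9.2.6 is enforced on RedHat (five `file` resources replace root's dot-files from the module) but only reported on Amazon (a `notify` driven by `$::cis_9_2_6`), and nothing in the hunk records that asymmetry; the class header, which sits above the hunk, should say `# RedHat: enforced (root dot-files managed); Amazon: reported only, via cis-9.2.6.sh`. The Amazon branch also duplicates the `notify` in both `if` arms where `$status = $::cis_9_2_6 ? { 'pass' => 'info', default => 'warning' }` would let it be declared once, as c0074 does. The hunk begins on the previous line and the class's opening comment is outside it.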
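Review bot: `warning('Node $fqdn failed CIS RHEL6 Control 9.2.7 (f0009)')` is single-quoted, so `$fqdn` is emitted literally and the warning cannot be attributed to a node; use `warning("Node ${::fqdn} failed CIS RHEL6 Control 9.2.7 (f0009)")`. The Amazon arm repeats the `notify` twice differing only in `loglevel`; `$status = $::cis_9_2_7 ? { 'pass' => 'info', default => 'warning' }` followed by a single `notify` with `loglevel => $status` is what c0074 and c0089 do in this same change.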
@@ -6,14 +6,48 @@ # class cis::linuxcontrols::c0092 { - file {'/usr/local/sbin/f0010.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0010.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0010.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0010.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0010 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.8 (f0010)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.8.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.8.sh', + } - if $::f0010 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.8 (f0010)') + if $::cis_9_2_8 == 'pass' { + notify{ "CIS Benchmark 9.2.8 : ${::cis_9_2_8}": + require => File['/etc/facter/facts.d/cis-9.2.8.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.8 : ${::cis_9_2_8}": + require => File['/etc/facter/facts.d/cis-9.2.8.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.8 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0093.pp b/manifests/linuxcontrols/c0093.pp index 88a5f29..ff24d93 100644 --- a/manifests/linuxcontrols/c0093.pp +++ b/manifests/linuxcontrols/c0093.pp 
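Review bot: `$::cis_9_2_8` is undefined on the first run of a node — the facts.d script that produces it is installed by this very catalog, and facts are gathered beforehand — so the `else` arm logs `CIS Benchmark 9.2.8 : ` with an empty status at warning level; the `require` on the notify cannot fix ordering that happens before catalog application. Add a comment saying so, e.g. `# undef on first run until cis-9.2.8.sh has executed once`. Also confirm that `/etc/facter/facts.d` exists or is managed elsewhere: `file` does not create parent directories, and on a fresh Amazon node the resource fails otherwise.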
@@ -6,14 +6,48 @@ # class cis::linuxcontrols::c0093 { - file {'/usr/local/sbin/f0011.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0011.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0011.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0011.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0011 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.9 (f0011)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.9.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.9.sh', + } - if $::f0011 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.9 (f0011)') + if $::cis_9_2_9 == 'pass' { + notify{ "CIS Benchmark 9.2.9 : ${::cis_9_2_9}": + require => File['/etc/facter/facts.d/cis-9.2.9.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.9 : ${::cis_9_2_9}": + require => File['/etc/facter/facts.d/cis-9.2.9.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.9 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0094.pp b/manifests/linuxcontrols/c0094.pp index d84bff0..9325338 100644 --- a/manifests/linuxcontrols/c0094.pp +++ b/manifests/linuxcontrols/c0094.pp 
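Review bot: The two `notify` declarations in the Amazon branch are identical except for `loglevel`, which invites them to drift; the selector form already used in c0074, c0089 and c0098 (`$status = $::cis_9_2_9 ? { 'pass' => 'info', default => 'warning' }` then `loglevel => $status`) declares the resource once. The RedHat `warning('Node $fqdn failed CIS RHEL6 Control 9.2.9 (f0011)')` is single-quoted, so `$fqdn` is printed literally; the `fail(...)` strings in the same hunk show the `"${::fqdn}"` form that works.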
@@ -6,14 +6,48 @@ # class cis::linuxcontrols::c0094 { - file {'/usr/local/sbin/f0012.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0012.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0012.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0012.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0012 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.10 (f0012)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.10.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.10.sh', + } - if $::f0012 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.10 (f0012)') + if $::cis_9_2_10 == 'pass' { + notify{ "CIS Benchmark 9.2.10 : ${::cis_9_2_10}": + require => File['/etc/facter/facts.d/cis-9.2.10.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.10 : ${::cis_9_2_10}": + require => File['/etc/facter/facts.d/cis-9.2.10.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.10 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0095.pp b/manifests/linuxcontrols/c0095.pp index d4bcdb8..7272ecd 100644 --- a/manifests/linuxcontrols/c0095.pp +++ b/manifests/linuxcontrols/c0095.pp 
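Review bot: `fail("Error: Can't check for CIS 9.2.10 in ${::fqdn}, facter must be upgraded (> 1.7)")` aborts the entire catalog for an Amazon node with an old facter, so one report-only check takes every enforced control off that host until facter is upgraded; a `warning` that skips the report would keep the rest of the baseline applied. Whichever is chosen, document it, e.g. `# old facter: abort the run rather than silently skip this check`. The RedHat `warning('Node $fqdn ...')` uses single quotes and never interpolates `$fqdn`.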
@@ -1,19 +1,54 @@ # Class cis::linuxcontrols::c0095 # -# Ensures no .rhosts files are present. -# -# This is a reported, not enforced, control item. +# CIS Benchmark 9.2.11 # +# Rationale: +# Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to +# system security since group permissions are not properly managed. class cis::linuxcontrols::c0095 { - file {'/usr/local/sbin/f0013.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0013.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0013.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0013.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0013 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.11 (f0013)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.11.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.11.sh', + } - if $::f0013 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.11 (f0013)') + if $::cis_9_2_11 == 'pass' { + notify{ "CIS Benchmark 9.2.11 : ${::cis_9_2_11}": + require => File['/etc/facter/facts.d/cis-9.2.11.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.11 : ${::cis_9_2_11}": + require => File['/etc/facter/facts.d/cis-9.2.11.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.11 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0096.pp b/manifests/linuxcontrols/c0096.pp index ad29fd1..7de885c 100644 --- a/manifests/linuxcontrols/c0096.pp +++ b/manifests/linuxcontrols/c0096.pp 
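Review bot: The rewritten header drops both the RedHat description ("Ensures no .rhosts files are present") and the "reported, not enforced" line, and the rationale it adds (groups referenced in /etc/passwd but absent from /etc/group) describes what the Amazon script checks — yet the RedHat branch still installs `f0013.sh` and warns about "CIS RHEL6 Control 9.2.11 (f0013)", which by the removed text is the .rhosts check. Keep the per-OS layout the sibling classes use: `# CIS 9.2.11 [RedHat]` / `# - Ensure no .rhosts files are present.` and `# CIS 9.2.11 [Amazon Linux]` followed by one line naming what cis-9.2.11.sh checks, and restore `# This is a reported, not enforced, control item.` The RedHat `warning('Node $fqdn ...')` is single-quoted and prints `$fqdn` literally.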
@@ -6,14 +6,48 @@ # class cis::linuxcontrols::c0096 { - file {'/usr/local/sbin/f0014.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0014.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0014.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0014.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0014 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.12 (f0014)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.12.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.12.sh', + } - if $::f0014 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.12 (f0014)') + if $::cis_9_2_12 == 'pass' { + notify{ "CIS Benchmark 9.2.12 : ${::cis_9_2_12}": + require => File['/etc/facter/facts.d/cis-9.2.12.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.12 : ${::cis_9_2_12}": + require => File['/etc/facter/facts.d/cis-9.2.12.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.12 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0097.pp b/manifests/linuxcontrols/c0097.pp index 2d5b799..6938638 100644 --- a/manifests/linuxcontrols/c0097.pp +++ b/manifests/linuxcontrols/c0097.pp 
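Review bot: The Amazon branch declares the same `notify` in both `if` arms with only `loglevel` differing; `$status = $::cis_9_2_12 ? { 'pass' => 'info', default => 'warning' }` and a single `notify` with `loglevel => $status`, as in c0074, removes the duplicate. Note that the reported value is an agent-supplied fact, so a `pass` from a compromised node proves nothing — a one-line comment to that effect above the `notify` would stop the next reader treating this output as attestation. The RedHat `warning('Node $fqdn ...')` is single-quoted and does not interpolate `$fqdn`.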
@@ -6,14 +6,48 @@ # class cis::linuxcontrols::c0097 { - file {'/usr/local/sbin/f0015.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0015.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0015.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0015.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0015 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.13 (f0015)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.13.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.13.sh', + } - if $::f0015 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.13 (f0015)') + if $::cis_9_2_13 == 'pass' { + notify{ "CIS Benchmark 9.2.13 : ${::cis_9_2_13}": + require => File['/etc/facter/facts.d/cis-9.2.13.sh'], + loglevel => info, + } + } + else { + notify{ "CIS Benchmark 9.2.13 : ${::cis_9_2_13}": + require => File['/etc/facter/facts.d/cis-9.2.13.sh'], + loglevel => warning, + } + } + } + else { + fail("Error: Can't check for CIS 9.2.13 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0098.pp b/manifests/linuxcontrols/c0098.pp index 3ef0c85..ec3a6d0 100644 --- a/manifests/linuxcontrols/c0098.pp +++ b/manifests/linuxcontrols/c0098.pp 
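Review bot: `warning('Node $fqdn failed CIS RHEL6 Control 9.2.13 (f0015)')` is single-quoted, so the warning prints the literal text `$fqdn` instead of the host name; change it to `warning("Node ${::fqdn} failed CIS RHEL6 Control 9.2.13 (f0015)")`. In the Amazon branch `$::cis_9_2_13` is undef on a node's first run (the facts.d script is installed by this catalog and facts are gathered first), so the `else` arm logs an empty status at warning level; a comment such as `# undef until cis-9.2.13.sh has run once` would make that expected.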
@@ -1,19 +1,53 @@ # Class cis::linuxcontrols::c0098 # -# Ensure user home ownership is correct. -# # This is a reported, not enforced, control item. # +# CIS 9.2.14 [RedHat] +# - Ensure user home ownership is correct. +# +# CIS 9.2.14 [Amazon Linux] +# - Check for Duplicate UIDs (Scored) class cis::linuxcontrols::c0098 { - file {'/usr/local/sbin/f0016.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0016.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0016.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0016.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0016 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.14 (f0016)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.14.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.14.sh', + } + + $status = $::cis_9_2_14 ? { + 'pass' => 'info', + default => 'warning', + } - if $::f0016 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.14 (f0016)') + notify{ "CIS Benchmark 9.2.14 : ${::cis_9_2_14}": + require => File['/etc/facter/facts.d/cis-9.2.14.sh'], + loglevel => $status, + } + } + else { + fail("Error: Can't check for CIS 9.2.14 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0099.pp b/manifests/linuxcontrols/c0099.pp index fe4c5be..a6a8a61 100644 --- a/manifests/linuxcontrols/c0099.pp +++ b/manifests/linuxcontrols/c0099.pp 
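Review bot: The header now documents that 9.2.14 means "user home ownership" on RedHat but "Check for Duplicate UIDs" on Amazon, so a `pass` from this class is not the same finding on the two platforms; add one line making that explicit, e.g. `# NOTE: the two checks differ; do not compare results across OSes.` The RedHat `warning('Node $fqdn failed CIS RHEL6 Control 9.2.14 (f0016)')` is single-quoted, so `$fqdn` is printed literally; use `"Node ${::fqdn} ..."`. The selector-based `notify` in the Amazon branch is the form the other classes should converge on.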
@@ -1,19 +1,53 @@ # Class cis::linuxcontrols::c0099 # -# Ensure no duplicate UIDs exist. -# # This is a reported, not enforced, control item. # +# CIS 9.2.15 [RedHat] +# - Ensure no duplicate UIDs exist. +# +# CIS 9.2.15 [Amazon Linux] +# - Check for Duplicate GIDs (Scored) class cis::linuxcontrols::c0099 { - file {'/usr/local/sbin/f0017.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0017.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0017.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0017.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0017 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.15 (f0017)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.15.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.15.sh', + } + + $status = $::cis_9_2_15 ? { + 'pass' => 'info', + default => 'warning', + } - if $::f0017 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.15 (f0017)') + notify{ "CIS Benchmark 9.2.15 : ${::cis_9_2_15}": + require => File['/etc/facter/facts.d/cis-9.2.15.sh'], + loglevel => $status, + } + } + else { + fail("Error: Can't check for CIS 9.2.15 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0100.pp b/manifests/linuxcontrols/c0100.pp index c49d385..b82911b 100644 --- a/manifests/linuxcontrols/c0100.pp +++ b/manifests/linuxcontrols/c0100.pp 
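Review bot: The selector's `default => 'warning'` also covers an undef fact (first run, before `cis-9.2.15.sh` has executed) and any unexpected script output, which is the right fail-closed direction but is not obvious from the code; a comment such as `# anything other than 'pass' (including undef on first run) is reported as a warning` would preserve that intent. The RedHat `warning('Node $fqdn failed CIS RHEL6 Control 9.2.15 (f0017)')` is single-quoted, so `$fqdn` is never interpolated; use `"Node ${::fqdn} ..."`.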
@@ -1,19 +1,53 @@ # Class cis::linuxcontrols::c0100 # -# Ensure no duplicate GIDs exist. -# # This is a reported, not enforced, control item. # +# CIS 9.2.16 [RedHat] +# - Ensure no duplicate GIDs exist. +# +# CIS 9.2.16 [Amazon Linux] +# - Check That Reserved UIDs Are Assigned to System Accounts (Scored) class cis::linuxcontrols::c0100 { - file {'/usr/local/sbin/f0018.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0018.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0018.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0018.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0018 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.16 (f0018)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.16.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.16.sh', + } + + $status = $::cis_9_2_16 ? { + 'pass' => 'info', + default => 'warning', + } - if $::f0018 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.16 (f0018)') + notify{ "CIS Benchmark 9.2.16 : ${::cis_9_2_16}": + require => File['/etc/facter/facts.d/cis-9.2.16.sh'], + loglevel => $status, + } + } + else { + fail("Error: Can't check for CIS 9.2.16 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0101.pp b/manifests/linuxcontrols/c0101.pp index c11b9a4..29a6f2f 100644 --- a/manifests/linuxcontrols/c0101.pp +++ b/manifests/linuxcontrols/c0101.pp 
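Review bot: `/etc/facter/facts.d/cis-9.2.16.sh` is declared without its parent directory being managed anywhere in this hunk; `file` does not create parents, so on a fresh Amazon node the resource fails unless the directory is created elsewhere — confirm that, or add `file { '/etc/facter/facts.d': ensure => directory, owner => 'root', group => 'root', mode => '0755' }` in a shared place. The RedHat `warning('Node $fqdn failed CIS RHEL6 Control 9.2.16 (f0018)')` is single-quoted, so `$fqdn` appears literally in the log; use `"Node ${::fqdn} ..."`.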
@@ -1,19 +1,53 @@ # Class cis::linuxcontrols::c0101 # -# Ensure no duplicate user names are present. -# # This is a repoted, not enforced, control item. # +# CIS 9.2.18 [RedHat] +# - Ensure no duplicate user names are present. +# +# CIS 9.2.18 [Amazon Linux] +# - Check for Duplicate Group Names (Scored) class cis::linuxcontrols::c0101 { - file {'/usr/local/sbin/f0019.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0019.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0019.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0019.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0019 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.18 (f0019)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.18.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.18.sh', + } + + $status = $::cis_9_2_18 ? { + 'pass' => 'info', + default => 'warning', + } - if $::f0019 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.18 (f0019)') + notify{ "CIS Benchmark 9.2.18 : ${::cis_9_2_18}": + require => File['/etc/facter/facts.d/cis-9.2.18.sh'], + loglevel => $status, + } + } + else { + fail("Error: Can't check for CIS 9.2.18 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0102.pp b/manifests/linuxcontrols/c0102.pp index 435bd08..56eec13 100644 --- a/manifests/linuxcontrols/c0102.pp +++ b/manifests/linuxcontrols/c0102.pp 
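Review bot: The header now says `CIS 9.2.18 [Amazon Linux] - Check for Duplicate Group Names (Scored)`, but the new cis_9_2_17.pp in this change assigns "Check for Duplicate User Names" to 9.2.17 and c0102's header assigns "Check for Duplicate Group Names" to 9.2.19, so this line has either the wrong number or the wrong title; check what `cis-9.2.18.sh` actually tests and correct it. While there, fix `repoted` in the kept line `# This is a repoted, not enforced, control item.` The RedHat `warning('Node $fqdn ...')` is single-quoted and prints `$fqdn` literally.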
@@ -1,19 +1,53 @@ # Class cis::linuxcontrols::c0102 # -# Ensure no duplicate group names are present. -# # This is a reported, not enforced, control item. # +# CIS 9.2.18 [RedHat] +# - Ensure no duplicate group names are present. +# +# CIS 9.2.19 [Amazon Linux] +# - Check for Duplicate Group Names (Scored) class cis::linuxcontrols::c0102 { - file {'/usr/local/sbin/f0020.sh': - source => 'puppet:///modules/cis/linuxcontrols/scripts/f0020.sh', - owner => root, - group => root, - mode => '0700', - } + case $::operatingsystem { + 'RedHat': { + file {'/usr/local/sbin/f0020.sh': + source => 'puppet:///modules/cis/linuxcontrols/scripts/f0020.sh', + owner => root, + group => root, + mode => '0700', + } + + if $::f0020 == 'fail' { + warning('Node $fqdn failed CIS RHEL6 Control 9.2.19 (f0020)') + } + } + 'Amazon': { + if versioncmp($::facterversion, '1.7') > 0 { + file { '/etc/facter/facts.d/cis-9.2.19.sh': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.19.sh', + } + + $status = $::cis_9_2_19 ? { + 'pass' => 'info', + default => 'warning', + } - if $::f0020 == 'fail' { - warning('Node $fqdn failed CIS RHEL6 Control 9.2.19 (f0020)') + notify{ "CIS Benchmark 9.2.19 : ${::cis_9_2_19}": + require => File['/etc/facter/facts.d/cis-9.2.19.sh'], + loglevel => $status, + } + } + else { + fail("Error: Can't check for CIS 9.2.19 in ${::fqdn}, facter must be upgraded (> 1.7)") + } + } + default: { + fail("Error: ${::operatingsystem} is not supported") + } } } diff --git a/manifests/linuxcontrols/c0103.pp b/manifests/linuxcontrols/c0103.pp index d07110c..3ac1f75 100644 --- a/manifests/linuxcontrols/c0103.pp +++ b/manifests/linuxcontrols/c0103.pp 
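Review bot: The header's RedHat line reads `# CIS 9.2.18 [RedHat]` while the branch's own warning reports `CIS RHEL6 Control 9.2.19 (f0020)`, so one of the two numbers is wrong, and the Amazon line repeats c0101's `Check for Duplicate Group Names (Scored)` under a different number (9.2.19 here, 9.2.18 there) — the two classes cannot both be right. Please reconcile the header against the benchmark and the script names `cis-9.2.18.sh`/`cis-9.2.19.sh`, and make the RedHat warning text agree with the header. The `warning('Node $fqdn ...')` call is single-quoted and does not interpolate `$fqdn`.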
@@ -1,19 +1,53 @@
 # Class cis::linuxcontrols::c0103
 #
-# Ensure no .netrc files are prensent.
-#
 # This is a reported, not enforced, control item.
 #
+# CIS 9.2.20 [RedHat]
+# - Ensure no .netrc files are prensent.
+#
+# CIS 9.2.20 [Amazon Linux]
+# - Check for Presence of User .forward Files (Scored)
 class cis::linuxcontrols::c0103 {
- file {'/usr/local/sbin/f0021.sh':
- source => 'puppet:///modules/cis/linuxcontrols/scripts/f0021.sh',
- owner => root,
- group => root,
- mode => '0700',
- }
+ case $::operatingsystem {
+ 'RedHat': {
+ file {'/usr/local/sbin/f0021.sh':
+ source => 'puppet:///modules/cis/linuxcontrols/scripts/f0021.sh',
+ owner => root,
+ group => root,
+ mode => '0700',
+ }
+
+ if $::f0021 == 'fail' {
+ warning('Node $fqdn failed CIS RHEL6 Control 9.2.20 (f0021)')
+ }
+ }
+ 'Amazon': {
+ if versioncmp($::facterversion, '1.7') > 0 {
+ file { '/etc/facter/facts.d/cis-9.2.20.sh':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0700',
+ source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.20.sh',
+ }
+
+ $status = $::cis_9_2_20 ? {
+ 'pass' => 'info',
+ default => 'warning',
+ }
- if $::f0021 == 'fail' {
- warning('Node $fqdn failed CIS RHEL6 Control 9.2.20 (f0021)')
+ notify{ "CIS Benchmark 9.2.20 : ${::cis_9_2_20}":
+ require => File['/etc/facter/facts.d/cis-9.2.20.sh'],
+ loglevel => $status,
+ }
+ }
+ else {
+ fail("Error: Can't check for CIS 9.2.20 in ${::fqdn}, facter must be upgraded (> 1.7)")
+ }
+ }
+ default: {
+ fail("Error: ${::operatingsystem} is not supported")
+ }
 }
 }
diff --git a/manifests/linuxcontrols/cis_9_2_17.pp b/manifests/linuxcontrols/cis_9_2_17.pp
new file mode 100644
index 0000000..79b218b
--- /dev/null
+++ b/manifests/linuxcontrols/cis_9_2_17.pp
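Review bot: The selector `$status = $::cis_9_2_20 ? { 'pass' => 'info', default => 'warning' }` on the Amazon branch treats a missing fact exactly like a failed check, and the fact cannot exist until the `facts.d/cis-9.2.20.sh` script deployed by this very catalog has run at least once, so every fresh node logs a false compliance warning with an empty value on its first agent run. Adding `undef => 'info',` ahead of `default` (or a dedicated notify stating the result is pending) keeps the log from recording a failure that did not happen. The new header also labels the Amazon item `Check for Presence of User .forward Files` while the RedHat item and the class's original purpose are `.netrc` files (and `prensent` should read `present`); since the script is only named `cis-9.2.20.sh`, please confirm it really checks `.forward` rather than `.netrc` and, if both are meant, say so in the comment.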
@@ -0,0 +1,35 @@
+# Class cis::linuxcontrols::cis_9_2_17
+#
+# CIS 9.2.17 [Amazon Linux]
+# - Check for Duplicate User Names (Scored)
+
+class cis::linuxcontrols::cis_9_2_17 {
+ case $::operatingsystem {
+ 'Amazon': {
+ if versioncmp($::facterversion, '1.7') > 0 {
+ file { '/etc/facter/facts.d/cis-9.2.17.sh':
+ ensure => 'file',
+ owner => 'root',
+ group => 'root',
+ mode => '0700',
+ source => 'puppet:///modules/cis/awslinux/scripts/cis-9.2.17.sh',
+ }
+
+ $status = $::cis_9_2_17 ? {
+ 'pass' => 'info',
+ default => 'warning',
+ }
+
+ notify{ "CIS Benchmark 9.2.17 : ${::cis_9_2_17}":
+ require => File['/etc/facter/facts.d/cis-9.2.17.sh'],
+ loglevel => $status,
+ }
+ }
+ else {
+ fail("Error: Can't check for CIS 9.2.17 in ${::fqdn}, facter must be upgraded (> 1.7)")
+ }
+ }
+ default: { fail("ERROR: unsupported OS = ${::operatingsystem}") }
+ }
+
+}
diff --git a/templates/awslinux/etc/grub.conf.erb b/templates/awslinux/etc/grub.conf.erb
index 9440854..880c972 100644
--- a/templates/awslinux/etc/grub.conf.erb
+++ b/templates/awslinux/etc/grub.conf.erb
@@ -6,10 +6,10 @@ hiddenmenu
 title Amazon Linux 2014.09 (<%= @kernelrelease -%>)
 root (hd0,0)
-kernel /boot/vmlinuz-<%= @kernelrelease -%> root=LABEL=/ selinux=1 security=selinux enforcing=1 console=ttyS0 LANG=en_US.UTF-8 KEYTABLE=us
+kernel /boot/vmlinuz-<%= @kernelrelease -%> root=LABEL=/ audit=1 selinux=1 security=selinux enforcing=1 console=ttyS0 LANG=en_US.UTF-8 KEYTABLE=us
 initrd /boot/initramfs-<%= @kernelrelease -%>.img
 title Amazon Linux 2014.09 (3.14.27-25.47.amzn1.x86_64)
 root (hd0,0)
-kernel /boot/vmlinuz-3.14.27-25.47.amzn1.x86_64 root=LABEL=/ console=ttyS0
+kernel /boot/vmlinuz-3.14.27-25.47.amzn1.x86_64 root=LABEL=/ audit=1 console=ttyS0
 initrd /boot/initramfs-3.14.27-25.47.amzn1.x86_64.img
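Review bot: The `default: { fail("ERROR: unsupported OS = ${::operatingsystem}") }` arm aborts catalog compilation for any non-Amazon node that includes this class, which for a reported-not-enforced check blocks every other resource on that node; the c0101 hunk already carries the RedHat duplicate-user-names check, so a `'RedHat': { }` arm that defers to it, or a `warning()` instead of `fail()`, would be safer, and at minimum the message and multi-line layout should match the `"Error: ${::operatingsystem} is not supported"` form used by the three sibling classes. The `file { '/etc/facter/facts.d/cis-9.2.17.sh': ... }` resource does not ensure `/etc/facter/facts.d` exists, so the first run on a host without that directory fails unless it is created elsewhere in the module (not visible here). Because scripts under `facts.d` are executed by facter with the agent's root privileges on every run, the root-owned `0700` mode is correct, and a one-line comment such as `# External fact script: runs as root on every agent run, must stay root-only writable` would record why it must not be loosened. The grub.conf.erb hunk that follows on this line appears to run past the end of the view and is not reviewed here.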
