Baseline Security Hardening
Puppet Module
Define a complete security baseline and monitor the baseline’s rules.
… also has the ability to create compliance reports. A security baseline describes how the servers in your environment are set up with a secure configuration. The baseline may differ per server class, such as database, application or web servers.
The following benchmarks exist:
OS | Benchmark | Version | Date |
---|---|---|---|
Suse SLES 12 | SUSE Linux Enterprise 12 Benchmark | 3.1.0 | 01-24-2022 |
Suse SLES 15 | SUSE Linux Enterprise 15 Benchmark | 1.1.1 | 09-17-2021 |
RedHat 7 | Red Hat Enterprise Linux 7 Benchmark | 3.1.1 | 05-21-2021 |
RedHat 7 | Red Hat Enterprise Linux 7 STIG Benchmark | 2.0.0 | 11-29-2021 |
RedHat 8 | Red Hat Enterprise Linux 8 Benchmark | 2.0.0 | 02-23-2022 |
RedHat 8 | Red Hat Enterprise Linux 8 STIG Benchmark | 1.0.0 | 11-12-2021 |
CentOS 7 | CentOS Linux 7 Benchmark | 3.1.2 | 08-31-2021 |
CentOS 8 | CentOS Linux 8 Benchmark | 2.0.0 | 02-23-2022 |
Ubuntu 18.04 | Ubuntu Linux 18.04 LTS Benchmark | 2.0.1 | 01-03-2020 |
Ubuntu 20.04 | Ubuntu Linux 20.04 LTS Benchmark | 1.1.0 | 03-31-2021 |
Ubuntu 20.04 | Ubuntu Linux 20.04 LTS STIG Benchmark | 1.0.0 | 07-26-2021 |
Debian 10 | Debian Linux 10 Benchmark | 1.0.0 | 02-13-2020 |
Alma Linux 8 | Alma Linux OS 8 Benchmark | 2.0.0 | 05-31-2022 |
Rocky Linux 8 | Rocky Linux 8 Benchmark | 1.0.0 | 03-29-2022 |
The Hiera configuration for the manifest would look roughly like this:

```yaml
cis_security_hardening::profile: server
cis_security_hardening::level: "2"
cis_security_hardening::time_until_reboot: 60
cis_security_hardening::exclude_dirs_sticky_ww: []
cis_security_hardening::update_postrun_command: true
cis_security_hardening::fact_upload_command: "/usr/share/cis_security_hardening/bin/fact_upload.sh"
cis_security_hardening::auditd_dirs_to_include:
  - "/usr"
cis_security_hardening::verbose_logging: false
cis_security_hardening::rules::cramfs::enforce: true
cis_security_hardening::rules::squashfs::enforce: true
cis_security_hardening::rules::fat::enforce: false
cis_security_hardening::rules::udf::enforce: true
```
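A compliance check for the filesystem-module rules in the Hiera data above, added here as an example and not part of the cis_security_hardening module: it reads which `rules::<module>::enforce` keys are set to true and compares each enforced rule with the host state a CIS-style audit inspects (an `install <module> /bin/true` line in /etc/modprobe.d and the module not being loaded). The Hiera text, modprobe.d content and lsmod output are constructed sample data.

```python
import re

# Constructed Hiera data (the rules keys from the baseline above).
HIERA = """\
cis_security_hardening::rules::cramfs::enforce: true
cis_security_hardening::rules::squashfs::enforce: true
cis_security_hardening::rules::fat::enforce: false
cis_security_hardening::rules::udf::enforce: true
"""
# Constructed host state: what /etc/modprobe.d/*.conf and `lsmod` might show.
MODPROBE_D = """\
install cramfs /bin/true
blacklist cramfs
install udf /bin/true
"""
LSMOD = """\
Module                  Size  Used by
squashfs               61440  0
udf                    98304  0
"""

RULE_RE = re.compile(r"^cis_security_hardening::rules::(\w+)::enforce:\s*(true|false)$")

def enforced_modules(hiera_text):
    """Module rules the baseline enforces; `enforce: false` (fat) is skipped."""
    found = (RULE_RE.match(l.strip()) for l in hiera_text.splitlines())
    return {m.group(1) for m in found if m and m.group(2) == "true"}

def disabled_in_modprobe(modprobe_text):
    """Modules whose loading is disabled via an `install <mod> /bin/true` line."""
    return set(re.findall(r"^install\s+(\S+)\s+/bin/(?:true|false)\s*$", modprobe_text, re.M))

def loaded_modules(lsmod_text):
    """Module names from lsmod output (first column, header row skipped)."""
    return {l.split()[0] for l in lsmod_text.splitlines()[1:] if l.strip()}

def check_compliance(hiera_text, modprobe_text, lsmod_text):
    """Map each enforced module rule to its findings; an empty list means compliant."""
    disabled = disabled_in_modprobe(modprobe_text)
    loaded = loaded_modules(lsmod_text)
    report = {}
    for mod in sorted(enforced_modules(hiera_text)):
        findings = []
        if mod not in disabled:
            findings.append("no 'install %s /bin/true' in modprobe.d" % mod)
        if mod in loaded:
            findings.append("module currently loaded")
        report[mod] = findings
    return report
```

With the sample data, cramfs is compliant, squashfs has no modprobe.d entry and is loaded, and udf is disabled for future loads but still loaded, which is exactly the drift a reboot after enforcement (see `time_until_reboot`) is meant to remove.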
The data folder contains files named `*_param.yaml`, which hold all configurable options for each benchmark.
Note to myself: check out https://forge.puppet.com/modules/tomkrieger/cis_security_hardening and https://forge.puppet.com/modules/tomkrieger/security_baseline
Last edited on 22.11.2022