Baseline Security Hardening
Puppet Module

Define a complete security baseline and monitor the baseline’s rules.

… also has the ability to create compliance reports. A security baseline describes how the servers in your environment are set up with a secure configuration. The baseline may differ per server class, for example database servers, application servers or web servers.

The following benchmarks are available:

| OS | Benchmark | Version | Version Date |
|---|---|---|---|
| Suse SLES 12 | SUSE Linux Enterprise 12 Benchmark | 3.1.0 | 01-24-2022 |
| Suse SLES 15 | SUSE Linux Enterprise 15 Benchmark | 1.1.1 | 09-17-2021 |
| RedHat 7 | Red Hat Enterprise Linux 7 Benchmark | 3.1.1 | 05-21-2021 |
| RedHat 7 | Red Hat Enterprise Linux 7 STIG Benchmark | 2.0.0 | 11-29-2021 |
| RedHat 8 | Red Hat Enterprise Linux 8 Benchmark | 2.0.0 | 02-23-2022 |
| RedHat 8 | Red Hat Enterprise Linux 8 STIG Benchmark | 1.0.0 | 11-12-2021 |
| CentOS 7 | CentOS Linux 7 Benchmark | 3.1.2 | 08-31-2021 |
| CentOS 8 | CentOS Linux 8 Benchmark | 2.0.0 | 02-23-2022 |
| Ubuntu 18.04 | Ubuntu Linux 18.04 LTS Benchmark | 2.0.1 | 01-03-2020 |
| Ubuntu 20.04 | Ubuntu Linux 20.04 LTS Benchmark | 1.1.0 | 03-31-2021 |
| Ubuntu 20.04 | Ubuntu Linux 20.04 LTS STIG Benchmark | 1.0.0 | 26.07.2021 |
| Debian 10 | Debian Linux 10 Benchmark | 1.0.0 | 02-13-2020 |
| Alma Linux 8 | Alma Linux OS 8 Benchmark | 2.0.0 | 05-31-2022 |
| Rocky Linux 8 | Rocky Linux 8 Benchmark | 1.0.0 | 03-29-2022 |

The manifest configuration in Hiera would look roughly like this:

```yaml
cis_security_hardening::profile: server
cis_security_hardening::level: "2"
cis_security_hardening::time_until_reboot: 60
cis_security_hardening::exclude_dirs_sticky_ww: []
cis_security_hardening::update_postrun_command: true
cis_security_hardening::fact_upload_command: "/usr/share/cis_security_hardening/bin/fact_upload.sh"
cis_security_hardening::auditd_dirs_to_include:
  - "/usr"
cis_security_hardening::verbose_logging: false

cis_security_hardening::rules::cramfs::enforce: true
cis_security_hardening::rules::squashfs::enforce: true
cis_security_hardening::rules::fat::enforce: false
cis_security_hardening::rules::udf::enforce: true
```

The data folder contains files named `*_param.yaml`, which hold all configurable options for each benchmark.
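To review which benchmark rules a Hiera baseline explicitly switches off, leaves at the module default, or mis-spells, here is an added Python example (not code from the cis_security_hardening module). It assumes, as an assumption not verified against the module, that a `*_param.yaml` file is flat YAML with keys of the form `cis_security_hardening::rules::<rule>::enforce`, and it uses constructed sample data in place of the real files.

```python
import re

# Assumed key shape (assumption, not verified against the module).
RULE_KEY = re.compile(r"^cis_security_hardening::rules::([^:]+)::enforce$")

# Constructed stand-in for a benchmark *_param.yaml (not a real module file).
PARAM_YAML = """\
cis_security_hardening::rules::cramfs::enforce: true
cis_security_hardening::rules::squashfs::enforce: true
cis_security_hardening::rules::fat::enforce: true
cis_security_hardening::rules::udf::enforce: true
cis_security_hardening::rules::auditd_backlog::enforce: true
"""

# Constructed Hiera data shaped like the snippet above, with one typo (udff).
HIERA_YAML = """\
cis_security_hardening::profile: server
cis_security_hardening::level: "2"
cis_security_hardening::rules::cramfs::enforce: true
cis_security_hardening::rules::squashfs::enforce: true
cis_security_hardening::rules::fat::enforce: false
cis_security_hardening::rules::udf::enforce: true
cis_security_hardening::rules::udff::enforce: true
"""

def rule_flags(text):
    """Return {rule: enforced} for every flat rules::<rule>::enforce line."""
    flags = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        key, value = line.rsplit(":", 1)       # keys themselves contain '::'
        m = RULE_KEY.match(key.strip())
        if m:
            flags[m.group(1)] = value.strip().lower() == "true"
    return flags

def audit(param_text, hiera_text):
    """Return (disabled, defaulted, unknown): rules switched off in Hiera,
    benchmark rules Hiera never sets, and Hiera rule keys the benchmark lacks."""
    bench, hiera = rule_flags(param_text), rule_flags(hiera_text)
    disabled = sorted(r for r, on in hiera.items() if r in bench and not on)
    defaulted = sorted(set(bench) - set(hiera))
    unknown = sorted(set(hiera) - set(bench))
    return disabled, defaulted, unknown

if __name__ == "__main__":
    for name, rules in zip(("disabled", "defaulted", "unknown"), audit(PARAM_YAML, HIERA_YAML)):
        print(f"{name}: {', '.join(rules) or '-'}")
```

Point `PARAM_YAML` and `HIERA_YAML` at the real parameter file and your Hiera data to get the same three lists for an actual baseline.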

Note to myself: check out https://forge.puppet.com/modules/tomkrieger/cis_security_hardening or https://forge.puppet.com/modules/tomkrieger/security_baseline


Zuletzt bearbeitet am 22.11.2022