Configures Linux systems to Center for Internet Security Linux hardening standard.
This module configures and maintains controls listed in the Center for Internet Security Benchmark for Linux. The current version of cisecurity implements v2.10 of the benchmark for Red Hat Enterprise Linux 6 and v2.20 for Red Hat Enterprise Linux 7. The module provides a lot of dials and knobs to fine-tune the module to your specific needs.
More information about the benchmark and downloading a copy of it for yourself is available at the Center for Internet Security.
By default, this module implements all Level 1 and Level 2 controls and uses the defaults provided in the benchmark. Make sure to consult the module’s documentation for default settings and alter as necessary. The defaults should not be intended as a one-size-fits-all solution.
cisecurity touches a wide variety of system-level settings including:
To use the cisecurity module with default parameters, declare the cisecurity class.
class { '::cisecurity': }
All parameters for the cisecurity module are broken down into various classes based on the components being modified.
cisecurity::filesystem: Handles the filesystem controls.cisecurity::network: Handles the network controls.cisecurity::packages: Handles the package and yum controls.cisecurity::pam: Handles the PAM controls.cisecurity::security: Handles Grub, SELinux, and other miscellaneous controls.cisecurity::services: Handles the network controls.If you modify an Enum['enabled','disabled'] parameter to something other than the default, the module will not autocorrect the desired state of the system. You will need to go to that system and manually change the configuration to whatever you want it to be. cisecurity is designed to only enforce the controls in the benchmark and will not make assumptions of what you want a system’s configuration to look like when you deviate.
For parameters in the cisecurity::packages class, if you modify an Enum['installed','uninstalled','ignored'] parameter, the class will attempt to install, purge, or ignore the specified package.
configure_umask_default'enabled'Enum['enabled','disabled']umask_defaultDetermines if the default umask will be modified.
cramfs'disabled'Enum['enabled','disabled']Determines if mounting cramfs filesystems will be allowed.
dev_shm_mount_options[ 'noexec', 'nodev', 'nosuid' ]Array[String]Provides mount options for /dev/shm. Set this parameter to an empty array if you don’t want the module to modify /dev/shm.
freevxfs'disabled'Enum['enabled','disabled']Determines if mounting freevxfs filesystems will be allowed.
harden_system_file_perms'enabled'Enum['enabled','disabled']Secures certain system files and directories harder than the default operating system provides.
hfs'disabled'Enum['enabled','disabled']Determines if mounting hfs filesystems will be allowed.
hfsplus'disabled'Enum['enabled','disabled']Determines if mounting hfsplus filesystems will be allowed.
home_mount_options[ 'nodev' ]Array[String]Provides mount options for /home. If /home is not configured as a separate partition, the module will throw a warning. Set this parameter to an empty array if you don’t want the module to modify /home.
jffs2'disabled'Enum['enabled','disabled']Determines if mounting hfs filesystems will be allowed.
log_file_perms_cron_start_hour'*'Stringremediate_log_file_permsA cron-styled hour when log file permissions will be corrected.
log_file_perms_cron_start_minute'37'Stringremediate_log_file_permsA cron-styled minute when log file permissions will be corrected.
remediate_log_file_perms'enabled'Enum['enabled','disabled']log_file_perms_cron_start_hour, log_file_perms_cron_start_minuteSecures log files in /var/log harder than the default operating system provides.
remediate_ungrouped_files'enabled'Enum['enabled','disabled']ungrouped_files_replacement_groupReassigns group ownership of ungrouped files and directories.
remediate_unowned_files'enabled'Enum['enabled','disabled']unowned_files_replacement_ownerReassigns user ownership of an unowned files and directories.
remediate_world_writable_dirs'enabled'Enum['enabled','disabled']world_writable_dirs_ignoredAdds sticky bit to all world writable directories.
remediate_world_writable_files'enabled'Enum['enabled','disabled']world_writable_files_ignoredRemoves world writable permission from all world writable files.
removable_media_mount_options[ 'noexec', 'nodev', 'nosuid' ]Array[String]removable_media_partitionsProvides mount options for removable media partitions.
removable_media_partitions[ ]Array[String]removable_media_mount_optionsLists all removable partitions that exist on the system. It is recommended you use set this on a node-by-node basis.
squashfs'disabled'Enum['enabled','disabled']Determines if mounting squashfs filesystems will be allowed.
tmp_mount_options[ 'mode=1777', 'astrictatime', 'noexec', 'nodev', 'nosuid' ]Array[String]removable_media_partitionsProvides mount options for /tmp. If /tmp is not configured as a separate partition, the module will throw a warning. Set this parameter to an empty array if you don’t want the module to modify /tmp.
udf'disabled'Enum['enabled','disabled']Determines if mounting udf filesystems will be allowed.
umask_default'027'Stringconfigure_umask_defaultValue of the default umask.
ungrouped_files_replacement_group'root'Stringremediate_ungrouped_filesValue of the group to assign to ungrouped files. You may use GID or name.
unowned_files_replacement_owner'root'Stringremediate_unowned_filesValue of the user to assign to unowned files. You may use GID or name.
var_mount_options[ 'defaults' ]Array[String]Provides mount options for /var. If /var is not configured as a separate partition, the module will throw a warning. You really shouldn’t need to modify this because the benchmark doesn’t specify changes to the mount options (hence why it’s set to defaults).
var_log_audit_mount_options[ 'defaults' ]Array[String]Provides mount options for /var/log/audit. If /var/log/audit is not configured as a separate partition, the module will throw a warning. You really shouldn’t need to modify this because the benchmark doesn’t specify changes to the mount options (hence why it’s set to defaults).
var_log_mount_options[ 'defaults' ]Array[String]Provides mount options for /var/log. If /var/log is not configured as a separate partition, the module will throw a warning. You really shouldn’t need to modify this because the benchmark doesn’t specify changes to the mount options (hence why it’s set to defaults).
var_tmp_mount_options[ 'bind' ]Array[String]Provides mount options for /var/tmp. Set this parameter to an empty array if you don’t want the module to modify /var/tmp.
vfat'disabled'Enum['enabled','disabled']Determines if mounting vfat filesystems will be allowed.
world_writable_dirs_ignored[ ]Array[String]remediate_world_writable_dirsProvides a list of world writable directories that you don’t want the sticky bit automatically set on.
world_writable_files_ignored[ '/var/lib/rsyslog/imjournal.state' ]remediate_world_writable_filesProvides a list of world writable files that you don’t want permissions automatically changed.
dccp'disabled'Enum['enabled','disabled']Determines if the DCCP protocol will be allowed.
disable_wireless_interfaces'enabled'Enum['enabled','disabled']Determines if wireless interfaces should be disabled.
hosts_allow'puppet:///modules/cisecurity/tcp_wrappers/hosts.allow'StringProvides the source location for the /etc/hosts.allow file. It is recommended you use set this on a node-by-node basis.
hosts_deny'puppet:///modules/cisecurity/tcp_wrappers/hosts.deny'StringProvides the source location for the /etc/hosts.deny file. It is recommended you use set this on a node-by-node basis.
ipv4_accept_icmp_redirects'disabled'Enum['enabled','disabled']Determines if ICMP redirect messages are allowed.
ipv4_forwarding'disabled'Enum['enabled','disabled']Determines if forwarding (routing) is allowed.
ipv4_ignore_icmp_bogus_responses'disabled'Enum['enabled','disabled']Determines if bogus (faked) ICMP reponse messages are allowed.
ipv4_ignore_icmp_broadcasts'enabled'Enum['enabled','disabled']Determines if broadcast ICMP messages are allowed.
ipv4_log_suspicious_packets'enabled'Enum['enabled','disabled']Determines if suspicious packets (martians) will be logged.
ipv4_reverse_path_filtering'enabled'Enum['enabled','disabled']Determines if reverse path filtering of packets should happen.
ipv4_secure_redirects'disabled'Enum['enabled','disabled']Determines if secure ICMP redirect messages are allowed.
ipv4_send_redirects'disabled'Enum['enabled','disabled']Determines if the system can send ICMP redirect messages.
ipv4_source_routing'disabled'Enum['enabled','disabled']Determines if source routed packets are accepted.
ipv4_tcp_syncookies'enabled'Enum['enabled','disabled']Determines if TCP SYN cookies are allowed.
ipv6'disabled'Enum['enabled','disabled']Determines if the IPv6 protocol stack is allowed.
ipv6_accept_packet_redirects'disabled'Enum['enabled','disabled']Determines if IPv6 redirect messages are allowed.
ipv6_accept_router_advertisements'disabled'Enum['enabled','disabled']Determines if IPv6 router advertisements are accepted.
rds'disabled'Enum['enabled','disabled']Determines if the RDS protocol will be allowed.
sctp'disabled'Enum['enabled','disabled']Determines if the SCTP protocol will be allowed.
tipc'disabled'Enum['enabled','disabled']Determines if the TIPC protocol will be allowed.
aide'installed'Enum['installed','uninstalled','ignored']Determines if AIDE will be installed.
aide_cron_start_hour'5'Stringaide_cron_start_minuteA cron-styled hour when AIDE will run its daily check.
aide_cron_start_minute'0'Stringaide_cron_start_hourA cron-styled minute when AIDE will run its daily check.
firewalld'installed'Enum['installed','uninstalled','ignored']Determines if firewalld will be installed.
libselinux'installed'Enum['installed','uninstalled','ignored']Determines if libselinux will be installed.
logrotate'installed'Enum['installed','uninstalled','ignored']Determines if logrotate will be installed.
mcstrans'uninstalled'Enum['installed','uninstalled','ignored']Determines if the MCS Translation Service will be installed.
openldap_clients'uninstalled'Enum['installed','uninstalled','ignored']Determines if the LDAP client will be installed.
prelink'uninstalled'Enum['installed','uninstalled','ignored']Determines if prelink will be installed.
rsh'uninstalled'Enum['installed','uninstalled','ignored']Determines if the rsh server will be installed.
setroubleshoot'uninstalled'Enum['installed','uninstalled','ignored']Determines if setroubleshoot will be installed.
talk'uninstalled'Enum['installed','uninstalled','ignored']Determines if talk will be installed.
tcp_wrappers'uninstalled'Enum['installed','uninstalled','ignored']Determines if the TCP Wrappers will be installed.
telnet'uninstalled'Enum['installed','uninstalled','ignored']Determines if the telnet client will be installed.
xorg_x11'uninstalled'Enum['installed','uninstalled','ignored']Determines if X Windows will be installed.
ypbind'uninstalled'Enum['installed','uninstalled','ignored']Determines if the NIS Client will be installed.
yum_auto_update'installed'Enum['installed','uninstalled','ignored']yum_auto_update_action, yum_auto_update_email_from, yum_auto_update_email_to, yum_auto_update_exclude, yum_auto_update_notify_email, yum_auto_update_update_cmdDetermines if yum-cron will be installed and configured.
yum_auto_update_action'apply'Enum['check','download','apply']yum_auto_updateDetermines how to deal with updates for the system.
check detects the presence of updates but takes no further action.download downloads the files and packages necessary to perform the update and takes no further action.apply downloads and installs the updates automatically.yum_update_email_from'root'Stringyum_auto_update, yum_auto_update_notify_emailIf email notifications are enabled, this parameter defines the sender’s email address. The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).
yum_update_email_to'root'Stringyum_auto_update, yum_auto_update_notify_emailIf email notifications are enabled, this parameter defines who to send the notifications to. The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).
yum_auto_update_exclude[ ]Array[String]yum_auto_updateAn array of packages to exclude when applying updates.
yum_auto_update_notify_emailtrueBooleanyum_auto_update, yum_auto_update_email_from, yum_auto_update_email_toDetermines whether notifications are to be sent via email.
yum_auto_update_update_cmd'default'Enum['default','security','security-severity:Critical','minimal','minimal-security','minimal-security-severity:Critical']yum_auto_updateDefines what category of updates you wish applied.
default provides updates all installed packages.security provides updates with security fixes only.security-severity:Critical provides only critical security fixes.minimal provides updates for bugfixes.minimal-securityprovides updates to packages with security errata.minimal-security-severity:Critical provides only critical security fixes for packages with security errata.yum_repo_enforce_gpgcheck'enabled'Enum['enabled','disabled']Determines whether to enforce gpgcheck on all available repositories.
account_lockout_enforcement'enabled'Enum['enabled','disabled']account_lockout_attempts, account_lockout_time, inactive_account_lockout, inactive_account_lockout_daysDetermines whether the system should be configured for account lockout enforcement.
account_lockout_attempts5Integeraccount_lockout_enforcementSpecifies the number of times a bad password may be entered before the account is automatically locked out.
account_lockout_time900Integeraccount_lockout_enforcementSpecifies the amount of time (in seconds) when an account will be automatically unlocked after failed password attempts.
inactive_account_lockout'enabled'Enum['enabled','disabled']account_lockout_enforcementSpecifies whether inactive accounts should be locked by the system.
inactive_account_lockout_days30Integeraccount_lockout_enforcementSpecifies the number of days when an account is considered inactive.
root_user_settings{ gid => 'root' }HashSpecifies settings for the root user. The minimum setting needed is for ensuring the primary group but this can be extended to include managing root passwords.
password_aging'enabled'Enum['enabled','disabled']password_aging_max_days, password_aging_min_days, password_aging_warn_daysDetermines whether the system should be configured for password aging enforcement.
password_aging_max_days90Integerpassword_agingSpecifies the maximum number of days before a password is required to be changed.
password_aging_min_days7Integerpassword_agingSpecifies the minimum number of days before a password must be used before it can be changed.
password_aging_warn_days7Integerpassword_agingSpecifies the number of days before a messsage is displayed at user login that their password is going to expire.
password_enforcement'enabled'Enum['enabled','disabled']password_min_length, password_num_digits, password_num_lowercase, password_num_uppercase, password_num_other_chars, password_max_attempts, password_num_rememberedDetermines whether the system should be configured for password complexity restrictions.
password_max_attempts3Integerpassword_enforcementSpecifies the number of times a user may specify a new password that doesn’t meet complexity requirements before the attempt to change the password is rejected.
password_min_length14Integerpassword_enforcementSpecifies the minimum length of a valid password.
password_num_digits-1Integerpassword_enforcementSpecifies the number of digits required to be present in the password.
password_num_lowercase-1Integerpassword_enforcementSpecifies the number of lowercase characers required to be present in the password.
password_num_uppercase-1Integerpassword_enforcementSpecifies the number of uppercase characers required to be present in the password.
password_num_other_chars-1Integerpassword_enforcementSpecifies the number of special characers required to be present in the password.
password_num_remembered5Integerpassword_enforcementSpecifies the number of passwords the system will store per user to prevent them from resuing old passwords.
wheel'enabled'Enum['enabled','disabled']Specifies whether to enable the use of the wheel group on the system for the su command.
aslr'enabled'Enum['enabled','disabled']Determines whether Address Space Layout Randomization (ASLR) will be enabled.
banner_message_text'Authorized uses only. All activity may be monitored and reported.'Stringx_windowsBanner message text to be displayed when a GNOME-based graphical login occurs.
bootloader_passwordStringFor Red Hat 7, a grub SHA512 encrypted password string used as the bootloader password. The encrypted password in RedHat7.yaml is password. To change the bootloader password, use grub2-mkpasswd-pbkdf2 as shown below:
$ grub2-mkpasswd-pbkdf2Enter password: <new password>Reenter password: <confirm new password>PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.D70F1...
Copy and paste the entire string into the parameter.
For Red Hat 6, a grub MD5 encrypted password string used as the bootloader password. The encrypted password in RedHat6.yaml is password. To change the bootloader password, use grub-md5-crypt as shown below:
$ grub-md5-cryptPassword: <new password>Retype password: <confirm new password>$1$L.MZi/$6i6ZtU/e8WRKfujZac44t.
Copy and paste the entire string into the parameter. Be sure to precede the salted password with the --md5 moniker as the default shows.
bootloader_user'rescue'StringSpecifies a username to be created with superuser privileges in grub.
configure_shell_timeout'enabled'Enum['enabled','disabled']shell_timeoutDetermines whether to implement shell timeouts.
configure_system_acct_nologin'enabled'Enum['enabled','disabled']Determines whether system accounts (UIDs less than 1000 by default) have their shell changed to /sbin/nologin in /etc/passwd.
home_directories_perm'0750'Stringremediate_home_directoriesDefines what permission should be applied to home directories.
issue'puppet:///modules/cisecurity/banners/issue'StringProvides the source location for /etc/issue and sets owner, group, and permission.
issue_net'puppet:///modules/cisecurity/banners/issue.net'StringProvides the source location for /etc/issue.net and sets owner, group, and permission.
motd'puppet:///modules/cisecurity/banners/motd'StringProvides the source location for /etc/motd and sets owner, group, and permission.
remediate_blank_passwords'enabled'Enum['enabled','disabled']Determines whether accounts with blank passwords will be locked out.
remediate_home_directories_dot_files'enabled'Enum['enabled','disabled']Removes group and other write permissions to users’ dot files.
remediate_home_directories_exist'enabled'Enum['enabled','disabled']Creates users’ home directories if they don’t exist whether they’ve logged into the system or not.
remediate_home_directories_forward_files'enabled'Enum['enabled','disabled']Determines whether .forward files in home directories are forcibly removed.
remediate_home_directories_netrc_files'enabled'Enum['enabled','disabled']Determines whether .netrc files in home directories are forcibly removed.
remediate_home_directories_netrc_files_perms'enabled'Enum['enabled','disabled']Removes group and other write permissions to users’ .netrc files.
remediate_home_directories_owner'enabled'Enum['enabled','disabled']Changes the ownership of home directories when the directory isn’t owned by the correct user.
remediate_home_directories_perms'enabled'Enum['enabled','disabled']Changes the permissions of home directories.
remediate_home_directories_rhosts_files'enabled'Enum['enabled','disabled']Determines whether .rhosts files in home directories are forcibly removed.
remediate_home_directories_start_hour'5'StringA cron-styled hour when home directory checks will run.
remediate_home_directories_start_minute'0'StringA cron-styled minute when home directory checks will run.
remediate_legacy_group_entries'enabled'Enum['enabled','disabled']Determines whether legacy entries in /etc/group exist.
remediate_legacy_passwd_entries'enabled'Enum['enabled','disabled']Determines whether legacy entries in /etc/passwd exist.
remediate_legacy_shadow_entries'enabled'Enum['enabled','disabled']Determines whether legacy entries in /etc/shadow exist.
remediate_root_path'enabled'Enum['enabled','disabled']root_pathDetermines whether root’s path will be managed. Besides configuring root’s path in /root/.bash_profile, the module will go through each directory in the path and ensure the directory is owned by root, group owned by root, and removes group and other write attributes.
remediate_uid_zero_accounts'enabled'Enum['enabled','disabled']Determines whether accounts with UID 0 (other than root) will be deleted.
restricted_core_dumps'enabled'Enum['enabled','disabled']Determines whether core dumps are allowed.
root_path'[ '$PATH', '$HOME/bin' ]Array[String]remediate_root_pathThe path that will be configured in /root/.bash_profile.
selinux'enforcing'Enum['enforcing','permissive','disabled']Determines how SELinux will be configured.
selinux_type'targeted'Enum['targeted','minimum','mls']Determines how SELinux will be configured.
secure_terminals[ 'console' ]Array[String]Provides a list of devices where root is permitted to directly log in.
single_user_authentication'enabled'Enum['enabled','disabled']Determines whether authentication will be required when the system runs in single-user mode.
syslog_facility'auth'StringProvides the syslog facility that warning messages will be logged to.
syslog_severity'warn'StringProvides the syslog severity that warning messages will be logged to.
verify_user_groups_exist'enabled'Enum['enabled','disabled']Verifies all groups in /etc/passwd exist in /etc/group. If a group doesn’t exist, a message is written via syslog.
verify_duplicate_gids_notexist'enabled'Enum['enabled','disabled']Verifies no duplicate GIDs exist. If a duplicate GID is found, a message is written via syslog.
verify_duplicate_groupnames_notexist'enabled'Enum['enabled','disabled']Verifies no duplicate group names exist. If a duplicate group name is found, a message is written via syslog.
verify_duplicate_uids_notexist'enabled'Enum['enabled','disabled']Verifies no duplicate UIDs exist. If a duplicate UID is found, a message is written via syslog.
verify_duplicate_usernames_notexist'enabled'Enum['enabled','disabled']Verifies no duplicate usernames exist. If a duplicate username is found, a message is written via syslog.
at_allowed_users[ 'root' ]Array[String]configure_at_allowProvides a list of users allowed to use at.
auditd_action_mail_root'root'Stringconfigure_auditdIf email notifications are enabled, this parameter defines who receives the notification. The parameter may be a local user (as in the case with root as the default) or a fully-qualified email address (someone@somewhere.com).
auditd_admin_space_left50Integerconfigure_auditd, auditd_admin_space_left_actionValue (in megabytes) that tells the audit daemon when to perform a configurable action because the system is running low on disk space. This should be considered the last chance to do something before running out of disk space. The numeric value for this parameter should be lower than the number for auditd_space_left.
auditd_admin_space_left_action'halt'Enum['email','exec','halt','ignore','rotate','single','suspend','syslog']configure_auditd, auditd_admin_space_leftAction to take when the system has detected that it is low on disk space. If set to ignore, the audit daemon does nothing. Syslog means that it will issue a warning to syslog. Email means that it will send a warning to the email account specified in auditd_action_mail_acct as well as sending the message to syslog. Suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The single option will cause the audit daemon to put the computer system in single user mode.
auditd_configure_boot_auditing'enabled'Enum['enabled','disabled']Determines if process auditing will happen prior to auditd is enabled.
auditd_configure_rules'enabled'Enum['enabled','disabled']configure_auditdDetermines whether the rules defined in the benchmark are applied.
auditd_max_log_file8Integerconfigure_auditdSpecifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action.
auditd_max_log_file_action'keep_logs'Enum['keep_logs','ignore','rotate','suspend','syslog']configure_auditd, auditd_max_log_fileAction to take when the system has detected that the max file size limit has been reached. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The rotate option will cause the audit daemon to rotate the logs. It should be noted that logs with higher numbers are older than logs with lower numbers. This is the same convention used by the logrotate utility. The keep_logs option is similar to rotate except it does not use the num_logs setting. This prevents audit logs from being overwritten.
auditd_num_logs5Integer[0,999]configure_auditdSpecifies the number of log files to keep if rotate is given as the auditd_max_log_file_action. If the number is less than 2, logs are not rotated. This number must be 999 or less. The default is 0 - which means no rotation.
auditd_space_left75Integerconfigure_auditd, auditd_space_left_actionValue in megabytes that tells the audit daemon when to perform a configurable action because the system is starting to run low on disk space.
auditd_space_left_action'email'Enum['email','exec','halt','ignore','rotate','single','suspend','syslog']configure_auditd, auditd_space_leftSpecifies what action will be taken when the system detects that it’s starting to get low on disk space.
autofs'disabled'Enum['enabled','disabled']Enables or disables the automounter.
avahi_daemon'disabled'Enum['enabled','disabled']Enables or disables Avahi.
chargen_dgram'disabled'Enum['enabled','disabled']inetdEnables or disables chargen services.
chargen_stream'disabled'Enum['enabled','disabled']inetdEnables or disables chargen services.
configure_at_allowenabledEnum['enabled','disabled']at_allowed_usersDetermines whether to configure at.allow.
configure_auditd'enabled'Enum['enabled','disabled']auditd_action_mail_acct, auditd_admin_space_left_action, auditd_configure_rules, auditd_max_log_file, auditd_max_log_file_action, audit_space_left_actionDetermines whether the auditing subsystem will be configured.
configure_cron_allow'enabled'Enum['enabled','disabled']cron_allowed_usersDetermines whether to configure cron.allow.
configure_postfix'enabled'Enum['enabled','disabled']Determines whether postfix will be configured to only listen on localhost interfaces.
configure_rsyslog'enabled'Enum['enabled','disabled']rsyslog_conf, rsyslog_remote_serversDetermines whether rsyslog will be configured.
configure_rsyslog_host'disabled'Enum['enabled','disabled']Determines whether rsyslog will be configured to be an rsyslog host.
configure_sshd'enabled'Enum['enabled','disabled']sshd_banner_file, sshd_client_alive_count_max, sshd_client_alive_interval, sshd_hostbased_authentication, sshd_ignore_rhosts, sshd_login_grace_time, sshd_log_level, sshd_max_auth_tries, sshd_permit_empty_passwords, sshd_permit_root_login, sshd_permitted_ciphers, sshd_permitted_macs, sshd_permit_user_environment, sshd_protocol, sshd_x11_forwardingDetermines whether sshd will be configured.
configure_time'enabled'Enum['enabled','disabled']time_server_provider, time_service_serversDetermines whether time services (ntpd or chrony) will be configured.
cron'enabled'Enum['enabled','disabled']Enables or disables cron.
cron_allowed_users[ 'root' ]Array[String]configure_cron_allowProvides a list of users allowed to use cron.
cups'disabled'Enum['enabled','disabled']Enables or disables the printing subsystem.
daytime_dgram'disabled'Enum['enabled','disabled']inetdEnables or disables daytime services.
daytime_stream'enabled'Enum['enabled','disabled']inetdEnables or disables daytime services.
dhcpd'disabled'Enum['enabled','disabled']Enables or disables DHCP services.
discard_dgram'disabled'Enum['enabled','disabled']inetdEnables or disables discard services.
discard_stream'disabled'Enum['enabled','disabled']inetdEnables or disables discard services.
dovecot'disabled'Enum['enabled','disabled']Enables or disables POP3/IMAP services.
echo_dgram'disabled'Enum['enabled','disabled']inetdEnables or disables echo services.
echo_stream'disabled'Enum['enabled','disabled']inetdEnables or disables echo services.
httpd'disabled'Enum['enabled','disabled']Enables or disables web services.
inetd'disabled'Enum['enabled','disabled']chargen_dgram, chargen_stream, daytime_dgram, daytime_stream, discard_dgram, discard_stream, echo_dgram, echo_stream, time_dgram, time_stream, tftp_serverEnables or disables the (x)inetd super server.
named'disabled'Enum['enabled','disabled']Enables or disables DNS services.
nfs'disabled'Enum['enabled','disabled']rpcbindEnables or disables NFS services.
nfs_server'disabled'Enum['enabled','disabled']rpcbindEnabled or disables NFS Server services.
ntalk'disabled'Enum['enabled','disabled']Enables or disables talk services.
ntp_service_restrictions'[ '-4 default kod nomodify notrap nopeer noquery', '-6 default kod nomodify notrap nopeer noquery', '127.0.0.1', '-6 ::1' ]Array[String]configure_timeConfigures NTP restrict statements.
rexec'disabled'Enum['enabled','disabled']Enables or disables rexec services.
rhnsd'disabled'Enum['enabled','disabled']Enables or disables Red Hat Network Services.
rlogin'disabled'Enum['enabled','disabled']Enables or disables rlogin services.
rpcbind'disabled'Enum['enabled','disabled']nfs,nfs_serverEnables or disables RPC portmapper service.
rsh'disabled'Enum['enabled','disabled']Enables or disables rsh services.
rsyncd'disabled'Enum['enabled','disabled']Enables or disables rsync services.
rsyslog_conf'puppet:///modules/cisecurity/rsyslog/rsyslog.conf'Stringconfigure_rsyslogProvides the source location for the /etc/rsyslog.conf file. It is recommended you reconfigure this setting to some kind of master file to be distributed to all nodes or devise another mechanism to ensure log settings are properly configured.
rsyslog_remote_servers[ { 'host' => 'log.domain.com', 'port' => 514 } ]Array[Hash[String, Integer]]Configures what loghosts to send syslog messages to.
slapd'disabled'Enum['enabled','disabled']Enables or disables LDAP services.
smb'disabled'Enum['enabled','disabled']Enables or disables Samba services.
snmpd'disabled'Enum['enabled','disabled']Enables or disables SNMP services.
sshd_allowed_groups[ ]Array[String]configure_sshdLogin is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized.
sshd_allowed_users'[ ]'Array[String]configure_sshdLogin is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized.
sshd_banner_file'/etc/issue.net'Stringconfigure_sshdProvides the location where SSH will send the login banner from.
sshd_client_alive_count_max'4'Stringconfigure_sshdSets the number of client alive messages sshd will send without receiving messages back from the client.
sshd_client_alive_interval'300'Stringconfigure_sshdSets the timeout interval (in seconds) after which if no data has been received from the client will force sshd to send a message through the encrypted channel to request a response from the client.
sshd_denied_groups'[ ]'Array[String]configure_sshdLogin is disallowed for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized.
sshd_denied_users'[ ]'Array[String]configure_sshdLogin is disallowed for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized.
sshd_hostbased_authenticaton'no'Enum['yes','no']configure_sshdSpecifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed.
sshd_ignore_rhosts'yes'Enum['yes','no'configure_sshdSpecifies that .rhosts and .shosts will not be used in RhostsRSAAuthentication or HostbasedAuthentication.
sshd_login_grace_time'60'Stringconfigure_sshdAmount of time (in seconds) when the server disconnects if the user has not successfully logged in.
sshd_log_level'INFO'Enum['DEBUG','DEBUG1','DEBUG2','DEBUG3','ERROR','FATAL','INFO','QUIET','VERBOSE']configure_sshdSets the verbosity level that is used when logging messages.
sshd_max_auth_tries'4'Stringconfigure_sshdSpecifies the maximum number of authentication attempts permitted per connection.
sshd_permit_empty_passwords'no'Enum['yes','no']configure_sshdSpecifies whether the server allows login to accounts with empty password strings.
sshd_permit_root_login'no'Enum['yes','no']configure_sshdSpecifies whether root can log in directly with ssh.
sshd_permitted_ciphers'[ 'aes256-ctr', aes192-ctr', 'aes128-ctr', 'aes256-gcm@openssh.com', 'aes128-gcm@openssh.com', 'chacha20-poly1305@openssh.com' ]Array[String]configure_sshd, sshd_protocolSpecifies the ciphers allowed for protocol version 2.
sshd_permitted_macs[ 'hmac-sha2-512-etm@openssh.com', 'hmac-sha2-256-etm@openssh.com', 'umac-128-etm@openssh.com', 'hmac-sha2-512', 'hmac-sha2-256', 'umac-128@openssh.com', 'curve25519-sha256@libssh.org', 'diffie-hellman-group-exchange-sha256' ]Array[String]configure_sshd, sshd_protocolSpecifies the available MAC (message authentication code) algorithms allowed for protocol version 2.
sshd_permit_user_environment'no'Enum['yes','no']configure_sshdSpecifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed.
sshd_protocol'2'Stringconfigure_sshdSpecifies the protocol versions sshd supports.
sshd_x11_forwarding'no'Enum['yes','no']configure_sshdSpecifies whether X11 forwarding is permitted.
squid'disabled'Enum['enabled','disabled']Enables or disables HTTP Proxy services.
telnet'disabled'Enum['enabled','disabled']Enables or disables telnet server services.
tftp'disabled'Enum['enabled','disabled']Enables or disables TFTP server services.
time_dgram'disabled'Enum['enabled','disabled']inetdEnables or disables time services through (x)inetd super server. Do not confuse this parameter with ntpd and chrony.
time_service_provider'ntp'Enum['ntp','chrony']configure_timeControls whether the system will use ntpd or chrony.
time_service_servers'[ '0.rhel.pool.ntp.org', '1.rhel.pool.ntp.org', '2.rhel.pool.ntp.org', '3.rhel.pool.ntp.org' ]'Array[String]configure_timeProvides a list of time servers to synchronize with.
time_stream'disabled'Enum['enabled','disabled']inetdEnables or disables time services through (x)ientd super server. Do not confuse this parameter with ntpd or chrony.
vsftpd'disabled'Enum['enabled','disabled']Enables or disables FTP server services.
ypserv'disabled'Enum['enabled','disabled']Enables or disables NIS server services.
This module has been tested on RHEL 6 and 7 and it “should” work on CentOS 6 and 7 but no testing has been performed.
Please use GitHub to file an issue if you run into problems with the module.
If you can patch the bugs you find or want to add features and functionality, please create a pull request.