# @summary CIS Hardening Module
#
# @api public
#
# @param include_rules Which rules to include
# @param exclude_rules Which rules to exclude
# @param exclude_x_window_packages Which X window packages to exclude from removal
# @param grub_config_files Grub configuration
# @param su_group The default group for sudo rights
# @param time_servers Array of valid NTP Time servers
# @param host_allow_rules Specifies which IP addresses are permitted to connect to the host
# @param host_deny_rules Specifies which IP addresses are not permitted to connect to the host
# @param logging_host Which host should logging be sent to
# @param exclude_logs What logs files to exclude from management
# @param is_logging_host Is this host a logging host
# @param max_log_file Maximum log file
# @param max_auth_tries How many authorization attempts to allow
# @param max_sessions How many SSH sessions to allow
# @param max_startups How many SSH startups to allow
# @param time_sync Which NTP program to use
# @param mta Which Mail Transfer program to use
# @param mac Which Mandatory Access Control to use
# @param ipv6_enabled Should ipv6 be enabled
# @param approved_ciphers Which SSH Ciphers are approved for use
# @param approved_kex Which SSH Key Exchange algorithms are approved for use.
# @param approved_mac_algorithms Which SSH MAC algorithms are approved for use
# @param client_alive_interval Client alive interval to use
# @param client_alive_count_max Maximum client alive count (sshd ClientAliveCountMax)
# @param login_grace_time Login grace time
# @param allow_users Which users to allow
# @param update_command Command used to update OS packages
# @param allow_groups Which groups to allow
# @param deny_users Which users to deny
# @param deny_groups Which groups to deny
# @param minlen Minimum length
# @param dcredit D Credit
# @param ucredit U Credit
# @param ocredit O Credit
# @param lcredit L Credit
# @param attempts Number of attempts
# @param lockout_time Amount of time for lockout
# @param past_passwords Number of previous passwords
# @param pass_max_days Password maximum days
# @param pass_min_days Password minimum days
# @param pass_warn_days Password warning days
# @param pass_inactive_days Password inactive days
# @param cron_service Should this system use cron or crond
# @param timeout Number of seconds of inactivity after which a shell terminates.
# @param banner String to be content of /etc/issue, /etc/issue.net (and /etc/motd if $motd not defined)
# @param motd String to be content of /etc/motd. If $banner is defined and $motd is not, $banner becomes content of /etc/motd
# @param auto_restart If an automatic restart should occur when defined classes require a reboot to take effect
# @param workstation_level_1 Workstation level 1 rules for this node
# @param workstation_level_2 Workstation level 2 rules for this node
# @param server_level_1 Server level 1 rules for this node
# @param server_level_2 Server level 2 rules for this node
# @param profile_type Is this node a server or workstation
# @param enforcement_level Enforce level 1 or level 2 rules
# @param auditd_package Auditd package
# @param selinux_mode SElinux mode enforcing or permissive. Defaults to enforcing.
# @param default_firewalld_zone Firewalld zone to default to. Defaults to drop.
#
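class secure_linux_cis (
  Array[String] $grub_config_files,
  Array[String] $host_allow_rules,
  Array[String] $host_deny_rules,
  String $su_group,
  Enum['cron', 'crond'] $cron_service,
  Array[Stdlib::Host] $time_servers,
  Array[String] $approved_kex,
  Array[String] $approved_mac_algorithms,
  Enum['workstation', 'server'] $profile_type,
  Enum['drop', 'block', 'public', 'external', 'dmz', 'work', 'home', 'internal', 'trusted'] $default_firewalld_zone,
  Array[String] $include_rules,
  Array[String] $exclude_rules,
  Array[String] $exclude_x_window_packages,
  Array[String] $workstation_level_1,
  Array[String] $workstation_level_2,
  Array[String] $server_level_1,
  Array[String] $server_level_2,
  Boolean $auto_restart,
  String $logging_host,
  String $update_command,
  Boolean $is_logging_host,
  Array[Stdlib::Unixpath] $exclude_logs,
  String $max_startups,
  String $auditd_package,
  # NOTE(review): 'systemd-timesuncd' is a misspelling of systemd-timesyncd; the
  # value is kept verbatim because the rule classes (not visible here) may compare
  # against it. Correcting it requires changing those classes and any Hiera data.
  Enum['ntp', 'chrony', 'systemd-timesuncd'] $time_sync,
  Enum['postfix', 'exim', 'none'] $mta,
  Enum['selinux', 'apparmor', 'none'] $mac,
  Enum['enforcing', 'permissive'] $selinux_mode,
  Boolean $ipv6_enabled,
  Array[String] $approved_ciphers,
  String $banner,
  String $motd,
  Integer[1, 2] $enforcement_level,
  Integer $max_log_file,
  Integer[1,4] $max_auth_tries,
  Integer[1,10] $max_sessions,
  Integer $client_alive_interval,
  Integer[0,3] $client_alive_count_max,
  Integer $login_grace_time,
  Integer $minlen,
  Integer $dcredit,
  Integer $ucredit,
  Integer $ocredit,
  Integer $lcredit,
  Integer $attempts,
  Integer $lockout_time,
  Integer $past_passwords,
  Integer $pass_max_days,
  Integer $pass_min_days,
  Integer $pass_warn_days,
  Integer $pass_inactive_days,
  Integer $timeout,
  Array[String] $allow_users,
  Array[String] $allow_groups,
  Array[String] $deny_users,
  Array[String] $deny_groups,
) {
  # Firewall backend exposed to the rule classes. It is hard-coded even though
  # $default_firewalld_zone is a parameter; nothing in this class switches on
  # either value, so how they interact is decided by the rule classes.
  $firewall = 'iptables'

  # Baseline rule list for this node. Both selectors are exhaustive because
  # $profile_type is Enum['workstation','server'] and $enforcement_level is
  # Integer[1,2], so a missing default branch cannot be hit.
  $base_rules = $profile_type ? {
    'workstation' => $enforcement_level ? {
      1 => $workstation_level_1,
      2 => $workstation_level_2,
    },
    'server' => $enforcement_level ? {
      1 => $server_level_1,
      2 => $server_level_2,
    }
  }

  # modprobe.d drop-ins, declared virtual so that only rule classes which
  # blacklist filesystem/storage modules realize them. Ownership and mode are
  # pinned explicitly: Puppet only corrects attributes that are declared, so a
  # pre-existing world-writable drop-in would otherwise be left as is, and
  # modprobe.d is root-trusted input (a local user able to write it can undo a
  # blacklist or add an `install` line that modprobe runs as root).
  @file { '/etc/modprobe.d/filesystem_disable.conf':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }
  @file { '/etc/modprobe.d/storage_disable.conf':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }

  # Turn short rule names into fully-qualified class names, then build the
  # final set: baseline plus explicit includes, minus explicit excludes.
  # Array `-` removes every occurrence, so an excluded rule disappears even if
  # it appears in both the baseline and $include_rules.
  $base_rules_normalized = $base_rules.map | String $line | {
    "secure_linux_cis::rules::${line}"
  }
  $include_rules_normalized = $include_rules.map | String $line | {
    "secure_linux_cis::rules::${line}"
  }
  $exclude_rules_normalized = $exclude_rules.map | String $line | {
    "secure_linux_cis::rules::${line}"
  }
  $enforced_rules = $base_rules_normalized + $include_rules_normalized - $exclude_rules_normalized

  # Record of what this module enforces on the node. Permissions are managed
  # explicitly so the record stays root-owned and not writable by other users;
  # it is left world-readable because consumers of the file are not visible here.
  file { '/usr/share/cis_scripts':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { '/usr/share/cis_scripts/enforced_rules.txt':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $enforced_rules.join("\n"),
  }

  # Scratch directory for scripts dropped by rule classes. The relative mode
  # only guarantees root can enter and list it; it relies on /root itself being
  # 0700 for confidentiality.
  file { '/root/scripts':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => 'u+xr',
  }

  # Class names come from module data and Hiera, not from the node, so this
  # dynamic include is trusted configuration. An unknown rule name fails the
  # catalog compile rather than being silently skipped.
  include $enforced_rules
  include secure_linux_cis::reboot
  include secure_linux_cis::refresh_mount_options
}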