Center for Internet Security Linux Benchmark implementation for PuppetLabs
Puppet Shell Ruby HTML
Clone or download
Pull request Compare This branch is 8 commits ahead, 1 commit behind arildjensen:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

Build Status


This module implements the Center for Internet Security (CIS) Security Configuration Benchmark for:

  • Amazon Linux 2014.09
  • Red Hat Enterprise Linux 6 v.1.4.0
  • Red Hat Enterprise Linux 7 v.1.1.0

Each scored control has been implemented as a class or a custom fact.


Please either:


The class cis::el6all or cis::el7all will enforce all the controls for either RHEL6 or RHEL7. If you wish to deviate please look for the el6all.pp or el7all.pp file and use that as a template. Note that some of the scored controls not able to be written in Puppet code have been implemented as custom facts using Facter. Controls labeled "not scored" by the benchmark are not included.

Also note that there are three subclasses in the cis module:

  • cis::linuxcontrols (implements the specific controls with a general name, e.g. cis::linuxcontrols::c0001, allowing for future re-use)
  • cis::el6 (maps directly to a specific CIS control for RHEL6, e.g. cis::el6::1_1_17 for control 1.1.17 in the benchmark)
  • cis::el7 (maps directly to a specific CIS control for RHEL7, e.g. cis::el6::4_7 for control 4.7 in the benchmark)
  • cis::awslinux (maps directly to a specific CIS control for AWS Linux)

User-Controlled Settings

Some of the settings, such as which log server to use, can be specified by the user. Below is a sample hiera file containing all the current configurable settings:

cis::logserver: 'syslog.localdomain'
  - ntp1
  - ntp2
  - ntp3
  hour: 6
  minute: 30


Written by Arild Jensen with source code repository at

Release History

  • 0.2.1 - Added Apache 2.0 license
  • 0.2.0 - Added comments and implemented hiera support for some of the settings.
  • 0.1.0 - Initial release