All notable changes to this project will be documented in this file.
- Fix fotr automatich error reporting in Ubuntu 20.04:
- use flag for package uninstallation
- disable and mask service
- Updated to Ubuntu 20.04 benchmark version 2.0.1
- fix for issue #76: umask setting on Redhat like OSes only if authselect is not enforced
-
Fix for issue #66
-
Fix for issue #70
-
Updated Github action
-
PR #71: Replace legacy facts with modern facts
-
PR #72: Allow for disabling of the sticky world writable and auditd cron jobs. If you have bigger systems where cronjobs collecting file information like for world writable files or auditd privileged commands might be too time consuming you can disable the cronjobs completely. The default value for both jobs in
present.Please note that not running the auditd privileged commands cronjob might result in not monitoring newly installed prvileged commands.
Keep in mind that the cronjobs are only running once a day during night hours.
Thanks to kenyon for the two PRs above.
-
Puppetlabs Firewall module minimal version is now 7.0.0
-
switched from
actionparameter tojumpparameter for iptables -
switched from
providerparameter toprotocolparameter for iptablesNote that this change may affect you IPTables configuration. So please check your configuration before updating to this version.
-
Updated and added some unit tests
- fix for issue #62
- added Ubuntu 22.04 support
- minor bigfixes for Redhat 9
- added Redhat 9 support
- added AlmaLinux 9 support
- added Rocky Linux 9 support
- fix for issue #56 "Permissions on /var/log incorrect". Added module npwalker-recursive_file_permissions for that reason.
- Updated dependencies for stdlib v9 (thanks to
canihavethisonefor the PR)
Note that stdlib v9 is now the minimum version required
- fix for issue #52, write auditd rules in a way the scanner recognices them
- added Debian 11 support
- renamed cronjobs in /etc/cron.d and removed
.cronextension from filenames - added replacement for has_key (deprecated in stdlib and was now removed)
- fix for issue #48, rsyslogd service is now notifed when rsyslogd.conf is changed.
Thanks to Ben Parry - changed to fiddyspence-sysctl module
- omit comments during /etc/fstab reading
- updated dependencies
- fixed nfs fact
- Updated to PDK 2.7
- some linting related to PDK 2.7
- dropped support for puppet 5 and 6
Thanks to @canihavethisone:
- Updated dependencies, removed version from fixtures, added github_changelog_generator to gemfile
- Refactor grub_password.pp to create user.cfg in correct path on RedHat
- ensure all ntp restrict defaults to match CIS requirements
- add type to ntp servers array
- remove default rsyslog server as not required, class will fail if no remote syslog server is defined when remote syslog should be enforced
- changed
remote_log_hostparameter to type Stdlib::Host - sshd permit root login is now configurable
This release changes the default values for
ntp_statsdirandntp_driftfile. Please check your configurations if needed.
- The GRUB boot password is set to
undefand the previous used default password was removed - Fix facts not resolving CentOS in 3 classes
- Make NTP servers optional and raise warning if not provided, also remove hardcoded default ones
- NTP driftfile and NTP statsfile are now defined as Stdlib::Absolutepath with default values set to the same values the puppetlabs-ntp module uses
- added a fact to determine if a system is booted via efi
- fixed handling GRUB configuration for UEFI systems as the grub.cfg in the EFI directory was not updated. The grub.cfg in the EFI is only updated if there are changes to roll out.
- removed old legacy facts
- the predefined GRUB password was removed from Hiera files. If you want to enforce a GRUB bootloader password you must define this password within Hiera. Otherwise the catalog will fail with an error message pointing you to that fact.
- Optout for automatic reboots is now working, new parameter
auto_rebootis available. The default value is set totrue. - SELinux default state is now
enforcing - the service for /tmp filesystem management is now enabled by default
- replaced sysctl module with
thias-sysctl
If some of the defaults changed do not fit for your environment, just copy the parameters configuration into your control repository and set the values suitable for your environment.
This release changes the hiera.yaml configuration to use OS facts to determine the files to load. Keep in mind that the OS names are written in CamelCase and therefore the filenames in the data folder will change.
- changed hiera config to use facts and renamed hiera config files to use camelcase
- Bugfix for /dev/shm fstab entry
- check in crypto policy exec with onlyif for idempotency
- changed default firewall to nftables for Redhat like OSes version 8
- fixed nftables rules handling
- added basic ruleset for nftables
This release changed from herculesteam/augeasproviders_sysctl to fiddyspence/sysctl module. make sure to check your dependencies.
- Replaced herculesteam-augeasproviders_sysctl module by fiddyspence-sysctl module (fix for issue #28)
- removed old modules from .fixtures and metadata.json
Fixed issue #23: nftables resources should be within if !defined
- Solved issue with missing grub passwords in some paramedter files
- use a valid grub password insted of a fake string. See README.md for the default password.
- removed augeaproviders_mounttab module
- Added STIG benchmarks for Redhat 7 and 8
- fixed incorrect publisher for chrony
- changed augeasproviders core, pam, shellvar and grub to the new puppet modules
- removed purplehazech-syslogng dependency
- Added support for Redhat Linux 7 and 8
- Updated documentation
- several minor bug fixes
This release contains some breaking changes to how
authselectis configured. Please check your configuration and test before using in production environments.
Please review the following changes before updating to this version module:
-
This release changes the authselect compliance rules. If you use Rocky Linux 8 or Alma Linux 8 please change your Hiera configuration. All
authselectrelated stuff is consolidated into one rule file. This makes a change in your Hiera configuration necessary. The old configuration looks like this:cis_security_hardening::rules::authselect_profile::enforce: true cis_security_hardening::rules::authselect_profile::custom_profile: cis cis_security_hardening::rules::authselect_profile::base_profile: minimal cis_security_hardening::rules::authselect_profile_select::enforce: true cis_security_hardening::rules::authselect_profile_select::custom_profile: cis cis_security_hardening::rules::authselect_profile_select::profile_options: - with-faillock - without-nullok - with-sudo cis_security_hardening::rules::authselect_with_faillock::enforce: trueThis should be changed into this configuration:
cis_security_hardening::rules::authselect::enforce: true cis_security_hardening::rules::authselect::custom_profile: cis cis_security_hardening::rules::authselect::base_profile: sssd cis_security_hardening::rules::authselect::profile_options: - with-faillock - without-nullok - with-sudo -
This release introduces a fact containing all available features for the slected
authselectprofile. nIf you add a profile option not available a waring message is printed and the configured option will be ignored. -
The PAM configuration rules have been changed to work with
authselect.
Use a cronjob to find suid and sgid binaries to create auditd rules for these binaries.
Enable configuration of automatic reboots for each rule triggering such a reboot.
First published release indludein:
- Added Ubuntu 20.04 STIG benchmark
- Added Rocky 8 benchmark
- Added Alma Linux 8 benchmark
Unpublished release with the following benchmarks:
- CentOS 7
- Debian 10
- Ubuntu 18.04
- Ubuntu 20.04
- Suse Linux 12
- Suse Linux 15
Initial unpublished code transfered from my security_baseline module.