Skip to content

Releases: cohdjn/cisecurity

Release 0.7.1

08 Feb 18:26
@cohdjn cohdjn
0.7.1
814054e
Compare
Choose a tag to compare
Release 0.7.1 Latest
Latest

Summary

Contains minor bug fixes. Advice on module dependencies from Release 0.6.1 still apply.

Bug Fixes

  • Fixed creating /boot/grub/grub.conf on an EFI system when none should exist.
  • Added service notification from changes made to sshd_config.
  • Fixed a lint issue that was causing Travis build to fail.
Assets 2
Loading

Release 0.7.0

06 Feb 14:24
@cohdjn cohdjn
0.7.0
bbeb033
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
Release 0.7.0

Summary

Contains bug fixes and updates for new release of the CISecurity benchmarks. New and modified variables exist in Hiera so you may need to adjust your settings.

Module Dependencies

  • herculesteam/augeasproviders_grub still has not been updated on the Forge from the PR they merged back in October. I recommend you continue using my GitHub site (https://github.com/cohdjn/augeasproviders_grub) in your Puppetfile or install the module from there depending on your environment. Future release will point back to the Forge once the fix has been merged and uploaded.

Enhancements

  • The awk script that has been used for external facts has been replaced with a Ruby version provided by jorhett. The manifest has been modified to delete the YAML file that was produced by the awk script so you will have to run the agent twice for the updated facts to be relevant.
  • Added Travis CI to provide build verification.
  • Updated compatibility to work with Puppet 5 (#4).

Hiera Changes for Red Hat 7

  • nfs-server has been renamed to nfs_server due to syntax error thrown during Puppet compile.
  • x11_org has been renamed to xorg_x11 due to change in the benchmark.
  • New variable libselinux added to support Control 1.6.2.
  • New variable configure_rsyslog_host added to support Control 4.2.1.5.
  • New variable configure_shell_timeout and shell_timeout added to support Control 5.4.5.

Hiera Changes for Red Hat 6

  • x11_org has been renamed to xorg_x11 due to change in the benchmark.
  • New variable libselinux added to support Control 1.6.2.
  • New variable configure_shell_timeout and shell_timeout added to support Control 5.4.5.

Bug Fixes

  • Fixed problem when trying to add multiple users to AllowUsers in sshd (#3).
  • Fixed problem when using chrony and disabling ntp (#5).
  • Fixed wrong permissions applied to system files when harden_system_file_perms is enabled.
  • Fixed wrong default value for bootloader_password on Red Hat 6.
Assets 2
Loading

Release 0.6.5

13 Dec 06:33
@cohdjn cohdjn
0.6.5
9912547
Compare
Choose a tag to compare
Release 0.6.5

Summary

Contains more bug fixes. Advice on module dependencies from Release 0.6.1 still apply.

Bug Fixes

  • Fixed custom facts to not try to run subscription-manager on a CentOS system.
  • Fixed logic problem trying to enable services that do not exist on the system.
  • Added logic to check for undef custom facts that do not exist on first run.
  • Fixed bug where duplicate resources are created when remediating a file that has multiple ownership, group ownership, or world writable issues.
Assets 2
Loading

Release 0.6.0

02 Nov 15:46
@cohdjn cohdjn
v0.6.0
bae6607
Compare
Choose a tag to compare
Release 0.6.0

Summary

Contains more bug fixes and enhancements. Advice on module dependencies from Release 0.4.0 still apply.

Bug Fixes

  • Moved removal of at.deny and cron.deny to services module rather than filesystem module.
  • Removed switch statement from facts.d/cisecurity to support older versions of awk/gawk.
  • Added ignored as a valid keyword for service states to avoid duplicate resource statements during catalog compilation. You should use this parameter if you have another class or module that defines the state of a service rather than this one.

Enhancements

  • Added support for RHEL 6. This also adds puppet/firewall to the list of dependencies for this module to work.
Assets 2
Loading

Release 0.5.0

25 Oct 14:30
@cohdjn cohdjn
v0.5.0
5e4cd8d
Compare
Choose a tag to compare
Release 0.5.0

Release 0.5.0

Summary

Contains a few bug fixes and enhancements. Advice on module dependencies from Release 0.4.0 still apply.

Bug Fixes

  • Fixed bad mount options for /tmp.
  • Added EFI detection as an external fact which is used to override whether the vfat filesystem is enabled or disabled. EFI requires a vfat partition to exist and system will not boot without vfat support.
  • Fixed bad variable substitution for root path.
  • Modified external facts to purposely remove double-colons and dots from root path to help deal with root path remediation.
  • Removed kemra102/bash as a dependency for cisecurity and flipped that functionality to use file_line resources instead.

Enhancements

  • Added auditd_admin_space_left, auditd_num_logs, and auditd_space_left parameters to services module to provide a few additional nice to have knobs that can be turned as necessary.
Assets 2
Loading

Release 0.4.0

21 Oct 23:19
@cohdjn cohdjn
v0.4.0
69c7381
Compare
Choose a tag to compare
Release 0.4.0

Summary

Multiple fixes in this release. Pay close attention to the module dependencies!

Module Dependencies

  • The crayfishx/firewalld module has been updated to v3.4.0.
  • I created a fork of herculesteam-augeasproviders_grub that corrects a problem with EFI-based nodes. I recommend you change your Puppetfile to use my GitHub site (https://github.com/cohdjn/augeasproviders_grub) or install the module from there depending on your environment. Future release will point back to the Forge once the fix has been merged and uploaded.
  • Puppet Labs has an updated version of puppetlabs/stdlib that corrects a problem with pattern matching in file_line resources. I recommend you change your Puppetfile to use their GitHub site (https://github.com/puppetlabs/puppetlabs-stdlib) or install the module from there depending on your environment. Future release will point back to the Forge once the fix has been merged and uploaded.

Bug Fixes

  • Added evaluation of osrelease to submodules. Parameter declaration outside of Hiera breaks miserably when using EPP templates.
  • Fixed problem with file_line resources constantly appending umask to the end of file.

Enhancements

  • Moved log file remediation from exec resource to cron resource to prevent Puppet from always reporting intentional changes on every run. Two new parameters, log_file_perms_cron_start_hour and log_file_perms_cron_start_minute have been added to schedule to your environment.
Assets 2
Loading

Release 0.3.2

18 Oct 14:19
@cohdjn cohdjn
v0.3.2
98b49dd
Compare
Choose a tag to compare
Release 0.3.2

Fixed bad Hiera parameter for home_directories_perm.

Assets 2
Loading

Release 0.3.1

17 Oct 19:51
@cohdjn cohdjn
v0.3.1
8f65601
Compare
Choose a tag to compare
Release 0.3.1

Minor modifications to metadata.json to better Puppet Forge score.

Assets 2
Loading

Release 0.3.0

17 Oct 19:29
@cohdjn cohdjn
v0.3.0
adf306c
Compare
Choose a tag to compare
Release 0.3.0

Finished manual auditing and testing of the module. No rspec tests have been done mostly because it's insanely confusing and I don't have the time to work through the process. If you happen to be a good at doing this, drop me a line because I'd love to to work with you through the process.

Assets 2
Loading

Release 0.2.0

06 Oct 18:34
@cohdjn cohdjn
v0.2.0
f65945a
Compare
Choose a tag to compare
Release 0.2.0 Pre-release
Pre-release

All critical errors from puppet runs have been corrected. Troubleshooting PAM module still needs to happen because the config isn't laid down.

No manual audit validation has been done yet either so there's no guarantee that everything will produce the correct desired state.

Assets 2
Loading