linux_secured description
Are you struggling to keep your Linux systems secure? Say goodbye to sleepless nights and hello to linux_secured! Built upon the CIS standards, this ready-made security module makes it faster and easier than ever before to apply best practices for hardening your Linux operating system.
Keep your systems secure with the latest in security controls – linux_secured is designed with an always-updating version of the CIS benchmark to ensure that your systems are constantly up to date with the latest and greatest safety measures.
But linux_secured doesn’t just stop there – it also goes one step further by providing you with a comprehensive report on your system so that you can accurately measure your level of compliance. Rest assured that when you use linux_secured, all of your sensitive data is kept safe from potential threats.
Stop worrying about security and start using the professional, reliable protection of linux_secured today!
We understand the importance of having a security solution that supports all major Linux versions. That is why linux_secured is designed to be compatible with all major Linux distributions, including Red Hat, OracleLinux, Ubuntu, CentOS, Debian, and SUSE. The current version of linux_secured supports Red Hat and OracleLinux. Support for other Linux distributions is planned for Q2 2023.
At this point in time it supports the following CIS benchmarks:
See here for a way to get started with the linux_secured module.
Design goals
The design goals for the linux_secured module are:
- Easy to apply
- Easy to skip controls that you don’t want or need
- Easy to change values that are variable within the CIS benchmark
- Correlate between the changes Puppet applies and the CIS document.
- Easy to upgrade to a new CIS version
- Easy to upgrade to a new Linux version
Let’s go over these design goals.
Easy to apply
Securing your system with the linux_secured module is as easy as adding one line of Puppet code to your manifest. In its most basic form:
linux_secured {'host':}
is enough.
Easy to skip controls
The CIS benchmark is very extensive. Applying ALL controls can make your system too secure for your application. The linux_secured module allows you to specify which controls you want to skip. You can for example use the parameter skip_list:
linux_secured::ensure_cis {'host':
  skip_list => [
    'noexec_option_set_on_var_partition',
    'nosuid_option_set_on_var_partition',
    'separate_partition_exists_for_var_tmp',
  ]
}
You can also use Hiera to skip certain controls. Here is an example of that:
linux_secured::controls::noexec_option_set_on_var_partition: skip
linux_secured::controls::nosuid_option_set_on_var_partition: skip
linux_secured::controls::separate_partition_exists_for_var_tmp: skip
Easy to customize values
For specific controls, the CIS benchmark allows you to specify a value. To be compliant with the CIS benchmark, the specified value must be within a specific range. The linux_secured module supports this. Let’s look at an example. The control selinux_mode_is_not_disabled guards that selinux is not disabled (as the name states). But this means that there are still multiple possible values: it can be set to permissive or it can be set to enforcing. For the CIS control, both of these values are allowed. The default value the linux_secured module enforces is enforcing, because that is the most secure option. But if you like, you can set it to permissive. Setting the following Hiera key is a way to do this:
linux_secured::controls::selinux_mode_is_not_disabled::preferred_value: 'permissive'
Correlate Puppet changes to CIS
Although it is excellent that Puppet guards the compliance of your system, when Puppet changes something it is good to know WHY it changed it. What was the control that caused this? And preferably, which paragraph in which version of the CIS benchmark states this.
The linux_secured module helps you with this. Here is some example output:
Notice: /Stage[main]/Linux_secured::Oraclelinux8::V2_0_0::P1_1_2_1::Host/Linux_secured::Controls::Tmp_is_a_separate_partition[host]/Mounttab[/tmp]/ensure: created
Notice: /Stage[main]/Linux_secured::Oraclelinux8::V2_0_0::P1_3_1::Host/Linux_secured::Controls::Aide_is_installed[host]/Package[aide]/ensure: created
Notice: /Stage[main]/Linux_secured::Oraclelinux8::V2_0_0::P1_3_1::Host/Linux_secured::Controls::Aide_is_installed[host]/Exec[Initialize AIDE]/returns: executed successfully
Notice: /Stage[main]/Linux_secured::Oraclelinux8::V2_0_0::P1_5_1::Host/Linux_secured::Controls::Core_dump_storage_is_disabled[host]/Ini_setting[Disable core dump storage]/ensure: created
Notice: /Stage[main]/Linux_secured::Oraclelinux8::V2_0_0::P1_5_2::Host/Linux_secured::Controls::Core_dump_backtraces_are_disabled[host]/Ini_setting[Disable core dump backtraces on host]/ensure: created
As you can see, all of the messages contain:
- The system version of the CIS benchmark (e.g. Linux_secured::Oraclelinux8)
- The document version of the CIS benchmark (e.g. ::V2_0_0)
- The paragraph in the CIS benchmark (e.g. ::P1_1_2_1)
- The name of the control (e.g. Tmp_is_a_separate_partition)
This way, you can always see what the reason is for a change.
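To make that correlation usable across many hosts, here is an added example in Python (not code from the linux_secured module) that parses notice lines of the form shown above into the four fields (system version, document version, paragraph, control) plus the changed Puppet resource, and groups the changes per CIS paragraph so a reviewer can check each change against the benchmark document. The sample input is the page's own example output plus one constructed "Applied catalog" line, included to show that notices not produced by a control are ignored. The regular expression assumes the resource path layout exactly as in those lines (Linux_secured::<product>::<doc version>::<paragraph>::Host/Linux_secured::Controls::<control>[<title>]/<resource>/<attribute>: <message>).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: the notice lines shown on the page, plus one constructed
# "Applied catalog" line that does not belong to any control.
SAMPLE_NOTICES = """\
Notice: /Stage[main]/Linux_secured::Oraclelinux8::V2_0_0::P1_1_2_1::Host/Linux_secured::Controls::Tmp_is_a_separate_partition[host]/Mounttab[/tmp]/ensure: created
Notice: /Stage[main]/Linux_secured::Oraclelinux8::V2_0_0::P1_3_1::Host/Linux_secured::Controls::Aide_is_installed[host]/Package[aide]/ensure: created
Notice: /Stage[main]/Linux_secured::Oraclelinux8::V2_0_0::P1_3_1::Host/Linux_secured::Controls::Aide_is_installed[host]/Exec[Initialize AIDE]/returns: executed successfully
Notice: /Stage[main]/Linux_secured::Oraclelinux8::V2_0_0::P1_5_1::Host/Linux_secured::Controls::Core_dump_storage_is_disabled[host]/Ini_setting[Disable core dump storage]/ensure: created
Notice: /Stage[main]/Linux_secured::Oraclelinux8::V2_0_0::P1_5_2::Host/Linux_secured::Controls::Core_dump_backtraces_are_disabled[host]/Ini_setting[Disable core dump backtraces on host]/ensure: created
Notice: Applied catalog in 12.34 seconds
"""

# Assumed path layout, taken from the example output above.
NOTICE_RE = re.compile(
    r"^Notice: /Stage\[main\]/"
    r"Linux_secured::(?P<product>\w+)::(?P<doc>V\d+(?:_\d+)*)::(?P<para>P\d+(?:_\d+)*)::Host/"
    r"Linux_secured::Controls::(?P<control>\w+)\[(?P<title>[^\]]*)\]/"
    r"(?P<resource>\w+\[[^\]]*\])/(?P<attribute>\w+): (?P<message>.*)$"
)


@dataclass(frozen=True)
class ControlChange:
    product: str      # system version of the benchmark, e.g. Oraclelinux8
    doc_version: str  # document version, e.g. 2.0.0
    paragraph: str    # benchmark paragraph, e.g. 1.1.2.1
    control: str      # control name, e.g. Tmp_is_a_separate_partition
    resource: str     # Puppet resource that changed, e.g. Mounttab[/tmp]
    attribute: str    # resource attribute, e.g. ensure / returns
    message: str      # what Puppet reported, e.g. created


def parse_notice(line):
    """Return a ControlChange for a control notice, or None for any other line."""
    m = NOTICE_RE.match(line.strip())
    if not m:
        return None
    return ControlChange(
        product=m["product"],
        doc_version=m["doc"][1:].replace("_", "."),   # V2_0_0 -> 2.0.0
        paragraph=m["para"][1:].replace("_", "."),    # P1_1_2_1 -> 1.1.2.1
        control=m["control"],
        resource=m["resource"],
        attribute=m["attribute"],
        message=m["message"],
    )


def parse_log(text):
    """Parse every line of a Puppet agent run, keeping only control notices."""
    return [c for c in (parse_notice(line) for line in text.splitlines()) if c]


def changes_by_paragraph(changes):
    """Group resource changes under (product, doc version, paragraph, control)."""
    grouped = defaultdict(list)
    for c in changes:
        grouped[(c.product, c.doc_version, c.paragraph, c.control)].append(
            f"{c.resource}/{c.attribute}: {c.message}"
        )
    return dict(grouped)


def report(text):
    """Render a per-paragraph change report, ordered numerically by paragraph."""
    grouped = changes_by_paragraph(parse_log(text))

    def sort_key(item):
        product, doc, para, control = item[0]
        return (product, doc, tuple(int(p) for p in para.split(".")), control)

    lines = []
    for (product, doc, para, control), items in sorted(grouped.items(), key=sort_key):
        lines.append(f"CIS {product} v{doc} paragraph {para} ({control})")
        lines.extend(f"  - {item}" for item in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NOTICES))
```

Feeding the output of `puppet agent -t` into `report` gives a list keyed by benchmark paragraph, which is the unit a compliance reviewer works with when comparing a run against the CIS document or deciding whether a control should go on the skip list.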
Upgrade to a new CIS or Linux version
Because the exclusion lists, preferred values, and skip lists are bound to the name of the control, your customizations will most of the time be compatible with newer versions of a CIS benchmark. So when a newer version comes, you only have to change the doc_version property. Let’s see an example. Let’s say a V2.1.0 for the Redhat_el8 is available.
linux_secured::ensure_cis {'host':
  product_version => 'redhat_el8',
  doc_version     => 'V2.1.0'
}
This is enough to start using the new CIS version. Sometimes CIS. Of course you will still have to check whether new controls are available that you want to skip or customize. Also, sometimes the value of a configuration item changes. This results in a new control in the linux_secured module. Let’s look at this in a contrived example.