Release notes for Linux
Review the release notes to learn about updates and resolved issues in Security Compliance Enforcement (SCE) for Linux. You can also review the Known issues and limitations.
v2.3.0
Released 10 December 2024
Support for CentOS 7, which has reached end of life (EOL), is discontinued in this release. In addition, this release resolves issues to help ensure that chrony time synchronization works as designed on the Ubuntu Linux 20.04 operating system.
Resolved issues
- Resolved several issues related to chrony time synchronization on the Ubuntu Linux 20.04 operating system. The following issues occurred in SCE for Linux v2.2.1:
  - The chrony time servers specified by users failed to load because of a missing include directive. The issue was resolved by adding the missing directive to the `chrony.conf` file.
  - When users added chrony time servers to the configuration, existing time servers remained unaffected. As a result, user-specified and default time servers were active simultaneously. To resolve the issue, a new top-level parameter, `fully_manage_timeservers`, was introduced. When this parameter is set to `true`, SCE removes all time servers except for those explicitly configured by the user. If you specify `true`, you must configure at least one time server to ensure that chrony works as expected. The default parameter setting is `false`.
  - After the chrony time servers specified by users were updated, SCE for Linux did not reload the servers. This issue occurred because the version of the chronyc program shipped with Ubuntu Linux 20.04 does not have a `reload_sources` option. To ensure that chrony time servers are reloaded, SCE for Linux was updated to restart the chrony service automatically.
  - Scan failures occurred because of a missing `sce_chrony.sources` file. The missing file is now added.
  - A STIG control was enforced even though a CIS Benchmark was specified. The STIG control was "Ensure the SSH daemon does not allow authentication using known host's authentication". The issue occurred because, in the `sce_linux::utils::packages::ssh` class, the `ignore_user_known_hosts` parameter was set to `yes` by default. To resolve the issue, the default parameter value was changed to `undef`, and the parameter was made optional. This update does not require any configuration changes by the user.
- Resolved an issue related to the GnuTLS Transport Layer Security Library, which is used by client applications to start secure sessions. In SCE for Linux v2.2.0, the `exec` resource `sce_gnutls_version` was enforced during each Puppet run, even when not necessary. The issue is resolved to prevent unnecessary activity.
Deprecations
The CentOS 7 operating system reached EOL in June 2024. Support for CentOS 7 is discontinued starting with the SCE for Linux v2.3.0 release. If you configured SCE to enforce Center for Internet Security (CIS) controls on the CentOS 7 operating system, and you are now planning a transition to a different operating system and different CIS Benchmark, you might have to update the configuration to avoid operational issues.
v2.2.1
Released 12 November 2024
SCE for Linux v2.2.1 replaces legacy facts, which were deprecated in Puppet 8, and resolves an issue with password enforcement on Red Hat Enterprise Linux (RHEL) 8 systems. The release also resolves issues for users of DISA STIG controls on RHEL 7 systems.
New features and enhancements
Updates were introduced to replace facts deprecated in Puppet 8. In SCE for Linux v2.2.1, several providers were updated to ensure that current facts are used as arguments in their constraint methods. This update does not change the functionality of the providers. However, the update helps to prevent issues in environments where code is scanned to prevent legacy fact use.
Resolved issues
- Resolved an issue related to password enforcement on RHEL 8 systems. In SCE for Linux v2.2.0, STIG Control V-230364 did not correctly enforce the minimum lifetime requirement for passwords. In SCE for Linux v2.2.1, the control enforces a minimum password lifetime of 24 hours. This setting helps to secure systems by preventing repeated password changes in a short period.
- Resolved issues for users of US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) controls on RHEL 7 operating systems:
  - Previously, STIG Control V-204449 was incorrectly set to a default value of bin/true. Now, the control is set to bin/false to disable the use of USB mass storage. This setting helps to prevent the introduction of unknown devices into a system.
  - Previously, STIG Control V-204450 was set to bin/true. Now, the control is set to bin/false to ensure that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required. Disabling DCCP helps to protect systems against exploitation of possible flaws in protocol implementation.
Deprecations
The CentOS 7 operating system reached end of life (EOL) in June 2024. SCE support for CentOS 7 will be discontinued in a future release.
v2.2.0
Released 15 October 2024
With SCE for Linux v2.2.0, you can enforce a higher level of security on Ubuntu Linux systems and apply updated DISA STIG security standards to Red Hat Enterprise Linux (RHEL) 8 systems. This release also simplifies common tasks such as setting parameters and specifying audit permissions, and resolves several user-reported issues.
New features and enhancements
- SCE for Linux supports the following Center for Internet Security (CIS) Benchmarks:
  - Ubuntu Linux 22.04, v2.0.0, Level 2 - Server
  - Ubuntu Linux 20.04, v2.0.1, Level 2 - Server
- SCE for Linux supports an updated US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard. The DISA STIG standard was upgraded from RHEL 8 STIG, Version 1, Release 11, to Version 1, Release 14. For information about controls that were added or changed, see Control updates introduced for Red Hat Enterprise Linux 8 STIG, Version 1, Release 14.
- You can now use Hiera Automatic Parameter Lookup (APL) to override any parameter implemented by a resource used by SCE for Linux. When you specify parameters with APL, you override the values set in control configurations and the parameter defaults set by Hiera at the SCE module level. For more information about APL, see Automatic lookup of class parameters.
- You can now reference a new topic, Run tasks and plans, to learn about the tasks and plans that are available to SCE for Linux users. In some cases, you can run tasks or plans to facilitate the manual configuration of CIS controls. In addition, the Reference section on Puppet Forge is updated to indicate which controls can be used with tasks and plans.
- Usability improvements were implemented for the Bolt plan `linux_users_and_groups`. The plan is used to enforce user-specific and group-specific security settings on all applicable users and groups in a system. Error handling was improved for the tasks in the plan to help provide detailed information in case of failures. Many errors now have non-blocking status to ensure that other aspects of the plan continue to function even when minor errors are detected.
Resolved issues
- Resolved an issue related to audit log files. Starting with this release, /var/log/audit/audit.log file permissions are managed in the same way as all other files in the /var/log/audit directory.
- Resolved an issue in the automatically generated reference topics in SCE for Linux v2.1.0. For some parameters in some controls, more than one default value was listed. The issue is fixed to ensure that only one default value is listed.
- Resolved a password issue on RHEL 8 operating systems. By default, CIS control 5.3.3.4.1 - Ensure pam_unix does not include nullok - is set to 'true'. This setting applies to the pluggable authentication module (PAM) and helps to prevent users with blank passwords from accessing systems. In previous releases, this control was not enforced as expected. The issue is now resolved to ensure that users can enforce their specified setting with the CIS control and can use the `remove_nullok` parameter in the `password_creation_requirement` resource to ensure that any instances of `nullok` are removed from the PAM `password-auth` and `system-auth` configuration files.
- Resolved an issue affecting the grub2 bootloader password. Previously, the password was sometimes hashed incorrectly, which caused it to be nonfunctional. The issue is corrected to help ensure that the password is always hashed correctly and can be used to provide an extra layer of protection for systems.
- Resolved compilation errors sometimes seen by users running SCE with Puppet Enterprise 2021.7.8 and 2021.7.9. Error messages were generated because the `filter_map` method could not be found in the JRuby version included in Puppet Enterprise. To prevent the compilation errors, Ruby code was updated in SCE.
- Resolved an issue related to journald, a service that collects and stores log data. On Ubuntu Linux 22.04 systems, scan failures were seen because storage was not configured for journald. SCE for Linux now specifies the persistent setting for journald storage to resolve the issue.
- Resolved an issue that was causing scan failures related to the Gnome Desktop Manager (GDM) banner message. Previously, configurations that enabled and specified these banner messages were in separate files, but the CIS controls attempted to detect the configurations in a single file. To resolve the issue, both configurations were moved to the same file, and rarely used GDM parameters were deprecated. During Puppet runs, users of the rarely used parameters will now see deprecation notices and reconfiguration instructions.
- Resolved an issue related to screen locks for Gnome Desktop Manager (GDM) users. According to CIS recommendations, screen locks should be enforced during periods of inactivity to help prevent unauthorized access to unattended systems. In SCE for Linux v2.1.0 on Ubuntu 22.04, however, the screen locks were not enforced by default. The default setting was updated to provide enforcement.
- Resolved an issue related to the Postfix mail transfer agent. Based on CIS and STIG recommendations, Postfix either should not be installed or, if installed, should be restricted to local emails or configured to prevent connections from unknown or untrusted networks. Previously, some controls were enforced by installing Postfix if it was not installed and then configuring Postfix to meet requirements. Now, the controls are enforced only if Postfix is installed. The following controls are affected:
  - On RHEL 7, STIG Control V-204619
  - On RHEL 8, STIG Control V-230550
  - On Ubuntu Linux 20.04, CIS Control 'Ensure mail transfer agent is configured for local-only mode'
  - On Ubuntu Linux 22.04, CIS Control 'Ensure mail transfer agent is configured for local-only mode'
Deprecations
The CentOS 7 operating system reached end of life (EOL) in June 2024. SCE support for CentOS 7 will be discontinued in a future release.
v2.1.0
Released 13 August 2024
With SCE for Linux v2.1.0, you can now enforce security controls on a broader range of operating systems. SCE now enforces the following Center for Internet Security (CIS) Benchmarks: AlmaLinux 9, v1.0.0; Rocky Linux 9, v1.0.0; and Ubuntu 22.04, v2.0.0. You can also enforce updated CIS benchmarks on Red Hat Enterprise Linux (RHEL) 7 and Oracle Linux 7 operating systems.
New features and enhancements
- The CIS AlmaLinux 9 Benchmark v1.0.0 is supported at Server Levels 1 and 2.
- The CIS Rocky Linux 9 Benchmark v1.0.0 is supported at Server Levels 1 and 2.
- The CIS Ubuntu 22.04 Benchmark v2.0.0 is supported at Server Level 1.
- The CIS RHEL 7 Benchmark v4.0.0 is supported at Server Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS Red Hat Enterprise Linux 7 Benchmark v4.0.0.
- The CIS Oracle Linux 7 Benchmark v4.0.0 is supported at Server Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS Oracle Linux 7 Benchmark v4.0.0.
- You can now enjoy more flexibility when specifying CIS or STIG controls to enforce. Starting with this release, you can apply both the `only` and `ignore` keys in a single configuration file. If both keys are used, SCE first applies the `only` key to narrow the scope, and then applies the `ignore` key to exclude specific controls from that group. For more information, see Enforce and ignore controls within a single configuration.
- An update was introduced to improve usability of the `vlock` utility, which locks virtual console sessions to prevent unauthorized access. Previously, if `vlock` locked a sudo shell session, the user was prompted for the root account password. Now, users can specify a setting in the `control_config` hash to prompt for the non-sudo account password, as shown in the following example: `set -g lock-command 'if [ -z "$SUDO_USER" ];then vlock;else sudo -u $SUDO_USER vlock;fi'`
- You can now use new parameters to modify the permissions and ownership of the `/var/log/audit/` directory, where audit logs are stored. Previously, the directory permissions were hard-coded when enforcing certain controls. Now, the directory permissions are fully configurable. To find detailed information about parameters for the controls that you are enforcing, see the Reference tab on Puppet Forge.
- An update was introduced to support more flexibility in assigning mount options. With this update, if `/tmp` is a mounted directory using a file system other than the Temporary File System (`tmpfs`), then the `noexec`, `nosuid`, and `nodev` options will be directly assigned to the file system in `/etc/fstab`. If `/tmp` is mounted using `tmpfs`, or if no mount for `/tmp` exists, systemd is used to mount `/tmp` with the `tmpfs` file system, as in previous releases. To restore the previous behavior, you can set the parameter `force_tmpfs` to `true` on the controls that manage `/tmp` mount options.
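The /tmp decision rule above, worked through as an added example (this is not sce_linux code): an fstab parser, the non-tmpfs case where the three options are merged into the existing entry, and the tmpfs / no-entry / `force_tmpfs` cases that fall back to a systemd-managed tmpfs mount. The fstab text is constructed for the example.

```python
"""Decide how /tmp mount options are enforced, following the rule described
in the v2.1.0 notes. Added example, not code from sce_linux."""
from __future__ import annotations

from dataclasses import dataclass

HARDENING_OPTS = ("nodev", "nosuid", "noexec")

# Constructed sample /etc/fstab (not taken from any real host).
SAMPLE_FSTAB = """\
# constructed example
UUID=1111-2222   /         ext4   defaults            1 1
/dev/vg0/tmp     /tmp      xfs    defaults,relatime   0 2
tmpfs            /dev/shm  tmpfs  defaults,nodev      0 0
"""


@dataclass
class FstabEntry:
    device: str
    mountpoint: str
    fstype: str
    options: list[str]
    dump: str = "0"
    passno: str = "0"

    def render(self) -> str:
        """Render the entry as a single fstab line."""
        return (f"{self.device} {self.mountpoint} {self.fstype} "
                f"{','.join(self.options)} {self.dump} {self.passno}")


def parse_fstab(text: str) -> list[FstabEntry]:
    """Parse fstab text, ignoring comments, blank lines and malformed lines."""
    entries: list[FstabEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:
            continue  # blank, comment-only, or too short to be a valid entry
        extra = fields[4:6] + ["0", "0"]  # dump and passno default to 0
        entries.append(FstabEntry(fields[0], fields[1], fields[2],
                                  fields[3].split(","), extra[0], extra[1]))
    return entries


def plan_tmp_mount(fstab_text: str, force_tmpfs: bool = False) -> dict:
    """Return how /tmp should be handled: 'fstab' (hardening options merged
    into the existing non-tmpfs entry) or 'systemd' (tmpfs mount, as in
    earlier releases). The merge is idempotent: options already present are
    kept once, so a second run produces the same line."""
    tmp = next((e for e in parse_fstab(fstab_text) if e.mountpoint == "/tmp"), None)
    if force_tmpfs or tmp is None or tmp.fstype == "tmpfs":
        return {"method": "systemd", "fstype": "tmpfs",
                "options": list(HARDENING_OPTS), "fstab_line": None}
    merged = list(tmp.options)
    for opt in HARDENING_OPTS:
        if opt not in merged:
            merged.append(opt)
    hardened = FstabEntry(tmp.device, tmp.mountpoint, tmp.fstype, merged,
                          tmp.dump, tmp.passno)
    return {"method": "fstab", "fstype": tmp.fstype,
            "options": merged, "fstab_line": hardened.render()}


if __name__ == "__main__":
    print(plan_tmp_mount(SAMPLE_FSTAB))
    print(plan_tmp_mount(SAMPLE_FSTAB, force_tmpfs=True))
```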
Resolved issues
- Resolved an issue that occurred when configuring custom firewall rules in SCE for Linux. The issue generated error messages about dependency cycles. The issue is resolved, and the documentation is updated to provide a custom configuration example. See Configure the firewall type.
- Resolved an issue to ensure that the process of specifying permissions for audit files works as designed. Previously, any specified audit permissions were applied only to the configuration (`.conf`) files in the `etc/audit` directory. With this update, all configuration files in the `etc/audit` directory and subdirectories will have permissions set.
- Fixed a defect that could disrupt SSH connectivity on some nodes. Previously, because of an incorrect default value, the `SSH_USE_STRONG_RNG=32` setting in the `/etc/sysconfig/sshd` file was applied to systems that did not require this setting. The default value has been fixed, and this setting will no longer be applied to all systems.
- Fixed an audit rule issue that caused Puppet run failures in rare circumstances. The issue occurred when controls enforced `auditd` rules for privileged commands. Depending on a node's file system configurations, the Linux `find` command would fail when attempting to enumerate privileged command binaries from mounted file systems. Starting with this release, if the `find` command fails, error messages are sent to the `puppetserver` log, but the Puppet run continues and other controls are enforced.
Deprecations
The CentOS 7 operating system is end of life (EOL). SCE support for CentOS 7 will be discontinued in a future release.
v2.0.0
Released 7 May 2024
In this release, the Compliance Enforcement Modules are renamed to Security Compliance Enforcement (SCE). The new name highlights the capability to enforce secure configurations for IT infrastructures based on internationally recognized standards. In addition, SCE for Linux expands the scope of enforcement by introducing a new operating system, Ubuntu Linux 20.04, and by enforcing an updated CIS Benchmark, v3.0.0, on Red Hat Enterprise Linux (RHEL) 8 systems.
New features and enhancements
- As part of the name change, the module is now available on Puppet Forge under the following name: `sce_linux`. If you have an active subscription to the Compliance Enforcement Modules (CEM), you are automatically granted access to the sce_linux and sce_windows modules. CEM modules remain on Puppet Forge in a deprecated state for subscribers who want to continue using CEM for the time being, and CEM documentation remains available at Introducing the Compliance Enforcement Modules.
- In the documentation, configuration examples are updated to replace `cem_linux` with `sce_linux`. See Configuring SCE.
- After an upgrade to SCE for Linux v2.0.0, you must delete extraneous files from earlier versions. See Clean up the system after an upgrade to SCE v2.0.0.
- To take advantage of fixes and improvements in Puppet modules, SCE for Linux now supports the latest versions of its Puppet module dependencies:
  - puppetlabs/stdlib: ≥ 4.13.1 < 10.0.0 (except for 9.0.x, 9.1.x, and 9.2.x, which are not supported)
  - puppetlabs/concat: ≥ 6.4.0 < 10.0.0
  - puppetlabs/inifile: ≥ 1.6.0 < 7.0.0
  - puppetlabs/augeas_core: ≥ 1.1.1 < 2.0.0
  - puppetlabs/firewall: ≥ 5.0.0 < 9.0.0
  - puppet/firewalld: ≥ 4.5.0 < 6.0.0
  - puppet/logrotate: ≥ 5.0.0 < 8.0.0
  - puppet/selinux: ≥ 3.2.0 < 5.0.0
  - puppet/systemd: ≥ 3.5.0 < 7.0.0
  To avoid operational issues, do not use earlier module versions.
- CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.1 is supported at Level 1.
- CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0 is supported at Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0.
- CIS AlmaLinux OS 8 Benchmark v3.0.0 is supported at Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS AlmaLinux OS 8 Benchmark v3.0.0.
- CIS Oracle Linux 8 Benchmark v3.0.0 is supported at Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS Oracle Linux 8 Benchmark v3.0.0.
- CIS Rocky Linux 8 Benchmark v2.0.0 is supported at Levels 1 and 2. For details about the controls that were added, removed, and updated, see Control updates introduced for CIS Rocky Linux 8 Benchmark v2.0.0.
- The process by which SCE creates audit rules for privileged commands was changed to improve operational efficiency. Previously, the `cem_files_setuid` fact enumerated all privileged commands on a node and returned an array of audit rules that were used to create rules on the system. In rare circumstances, the `cem_files_setuid` fact grew to an extent that negatively impacted Puppet performance. For more information about the changes, see Configure audit rules for privileged commands.
- You can use three new tasks to audit CIS controls:
  - The `audit_journald_logs_to_rsyslog` task can be used to audit Control 5.1.2.5 'Ensure journald is not configured to send logs to rsyslog.' The control monitors the `/etc/systemd/journald.conf` file to help ensure that logs are not forwarded to the rsyslog utility.
  - The `audit_journald_log_rotation` task can be used to audit Control 5.1.2.6 'Ensure journald log rotation is configured per site policy.' The control monitors the `/etc/systemd/journald.conf` file to ensure that logs are rotated according to site policy.
  - The `audit_approved_services_listening` task can be used to audit Control 2.2.22 'Ensure only approved services are listening on a network.' The control lists all TCP and UDP listening network sockets to help ensure that only authorized services listen on a system.
- You can use a new Puppet Bolt® task, `delete_files`, to delete extraneous files and directories on a target system. After you upgrade the module and run Puppet, you can run the `delete_files` task to remove extraneous files from the `/etc/sysctl.d/` directory. For more information, see the Results section in Upgrade the module.
- An update was introduced to help prevent unauthorized persons from using wireless devices to access systems. A new fact, `sce_wireless_kernel_mods`, was added to help ensure that Control 3.1.2 'Ensure_wireless_interfaces_are_disabled' can be effectively enforced. The new fact enumerates the kernel modules that are associated with any wireless network interfaces detected on a node.
- An update was introduced to detect whether Internet Protocol Version 6 (IPv6) is enabled on a system to reduce security risks. A new Facter fact, `sce_ipv6_enabled`, was added to ensure that CIS Control 3.1.1 'Ensure IPv6 status is identified' can be enforced.
Resolved issues
- Fixed an issue to help protect RHEL 8 systems from unauthorized access. Specifically, an option name was corrected to ensure that Security Technical Implementation Guide (STIG) Control V-257258 is enforced. By default, the control ensures that management sessions that are left unattended for 15 minutes are logged out to prevent unauthorized access.
- Fixed an issue to improve the security of the `auditd` service, which collects and writes audit files. In previous releases, the service listened on Transmission Control Protocol (TCP) port 60 by default even when the user had not configured listening. In this release, the default value is removed to help ensure that auditd listens only when configured.
- Fixed an issue related to the Advanced Intrusion Detection Environment (AIDE) utility class. The order of resources in the utility class was corrected to ensure that the `aide.conf` configuration file is available before the `aide --init` command is run. When the command is run, the utility validates the directories and files listed in the `aide.conf` file. The fix helps to ensure that the utility runs as designed to validate file integrity and detect unauthorized access.
- Fixed a rare issue that could affect users with non-default module configurations. Previously, if permissions were being managed using a path with wildcard characters and an empty root directory, corrective changes might be reported for every Puppet run, even though no changes occurred. The behavior has been corrected in the custom type and provider used to manage file permissions.
v1.9.1
Released 8 February 2024
CEM for Linux v1.9.1 improves operational efficiency by correcting an issue where Puppet runs fail prematurely in certain scenarios. Furthermore, this release enhances security safeguards by correcting issues that could have prevented three Security Technical Implementation Guide (STIG) controls from being enforced as intended.
Fixed
- Fixed an issue that could potentially cause Puppet runs to fail prematurely on Red Hat Enterprise Linux (RHEL) 8 systems. The issue is related to the Facter fact `cem_mount_info`, which can fail to resolve when home directories cannot be determined for a user on a system. The fix helps to ensure that the correct default directory is used, and the fact resolves successfully.
- Fixed the default value for STIG Control V-230270 to help prevent kernel profiling by unauthorized users. The kernel parameter `kernel.perf_event_paranoid` is now set to a default value of `2` to help prevent attackers from gaining system information.
- Fixed an issue that could cause incorrect failure reports for STIG Control V-230281. The control helps to ensure that the RHEL operating system removes previously installed software components when updated versions are installed. In CEM, the specified default value of `true` was changed to `True` to ensure that the control works as designed.
- Fixed the default value for STIG Control V-230494. The control helps to protect the security of systems by disabling the Asynchronous Transfer Mode (ATM) protocol. The default value was changed from `ATM` to `atm` so that the control works as designed and helps to protect systems from exploitation.
v1.9.0
Released 14 December 2023
CEM for Linux v1.9.0 introduces extended coverage with support for two new operating systems -- Red Hat Enterprise Linux (RHEL) 9 and Oracle Linux 9. This release also improves operational efficiency by introducing an automated audit process and instant access to audited controls for result review.
Added
- Introduced support for the RHEL 9 operating system. You can now enforce the Center for Internet Security (CIS) RHEL 9 Benchmarks, Levels 1 and 2, to help ensure a secure configuration for your RHEL 9 nodes.
- Introduced support for the Oracle Linux 9 operating system. You can now protect your Oracle Linux 9 nodes by enforcing the CIS Benchmarks at Levels 1 and 2.
- To improve the efficiency of the auditing process, you can now run a single Puppet Bolt plan that includes 40 audit tasks. The Bolt plan, `run_audit`, can be run on one or more specified nodes to verify their configuration. Afterward, the Bolt log file provides a list of audited controls and detailed results. You can still run audit tasks separately, as supported in earlier releases.
- To help ensure compatibility between CEM for Linux and Puppet 8, the range of supported versions for the Puppet Labs® `firewall` module was changed. The firewall module must be at version 5.0 or later, but earlier than 6.0.
v1.8.0
Released 24 October 2023
Added
- Introduced support for enforcing Center for Internet Security (CIS) Benchmarks on the Rocky Linux operating system. With CEM for Linux v1.8.0, you can enforce the CIS Rocky Linux 8 Benchmarks, Levels 1 and 2. In this way, you can help to secure your Rocky Linux system and reduce the manual overhead associated with solution configuration.
- Added controls to help enhance security on Red Hat Enterprise Linux (RHEL) 8, AlmaLinux 8, and Oracle Linux 8 systems. The following controls can now be enforced:
  - Control 2.3.2 helps to ensure that remote shell (rsh) clients are not installed. The rsh program presents a security vulnerability because users who run rsh commands risk exposing their user credentials.
  - Control 2.3.3 helps to ensure that the Linux `talk` client is not installed. Talk software makes it possible for users to send and receive messages using unencrypted protocols.
  - Control 5.6.1.4 helps to ensure that inactive user accounts are locked automatically within 30 days of password expiration. Inactive accounts present a vulnerability because users are not logging in to check for failed login attempts and other anomalies.
- Added controls to help enhance security on Oracle Linux 7 systems. The following controls can now be enforced:
  - Control 1.4.1 ensures that a bootloader password is set. A user who restarts a system must enter a password before setting command-line boot parameters. This restriction helps to prevent unauthorized users from undermining system security.
  - Control 1.4.2 ensures that permissions are specified for the `grub` configuration file, which contains information about boot settings and passwords for unlocking boot options. This restriction helps to prevent unauthorized users from viewing and changing boot parameters.
  - Control 1.6.1.2 ensures that Security-Enhanced Linux (SELinux) is enabled at boot time and is not overridden by `grub` boot parameters.
  - Control 4.1.1.3 ensures that processes are audited even if they are running before the `auditd` service is started. Audit events must be recorded to detect potential malicious activity.
  - Control 4.1.2.4 helps to ensure that the audit backlog limit is sufficient to prevent audit records from being lost. If records from the `auditd` service are lost, malicious activity could go undetected.
- Fixed an issue related to data protection in log files. The CIS Oracle Linux 8 Benchmark v2.0.0 includes Control 4.2.3, which requires the configuration of access permissions for log files. Previously, the control enforced access permissions only for non-hidden log files. With the fix, access permissions are enforced for both non-hidden and hidden log files.
v1.7.1
Released 29 September 2023
Fixed
- Fixed the command that automatically generates the Reference section on Puppet Forge. The section now includes information about the Security Technical Implementation Guide (STIG) controls that are enforced by CEM for Linux.
v1.7.0
Released 28 September 2023
Added
- An update was implemented in the `cem_mount_info` fact to help ensure that Puppet runs successfully. (The `cem_mount_info` fact uses the `homedir_mounts` function to determine the home directory mount paths from all mounted file systems. Previously, if the `homedir_mounts` function failed to return a value, the fact would have no value for home directories, and subsequent Puppet runs using the fact could fail. Now, if the `homedir_mounts` function fails to detect a value, the function verifies whether the `/home` directory is mounted and is a valid directory. If so, the function returns a value of `/home`.)
- This release includes updates that are designed to enhance security on Red Hat Enterprise Linux (RHEL) systems. By upgrading to CEM for Linux v1.7.0, you can enforce the latest US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standards and reduce the manual overhead associated with solution configuration:
  - For the RHEL 8 operating system, the DISA STIG standard was upgraded from Red Hat Enterprise Linux 8 STIG, Version 1, Release 8, to Version 1, Release 11. For information about controls that were added or changed, see Control updates introduced for Red Hat Enterprise Linux 8 STIG, Version 1, Release 11.
  - For the RHEL 7 operating system, the DISA STIG standard was upgraded from Red Hat Enterprise Linux 7 STIG, Version 3, Release 8, to Version 3, Release 12. For information about controls that were added or changed, see Control updates introduced for Red Hat Enterprise Linux 7 STIG, Version 3, Release 12.
- The documentation now provides more detailed upgrade instructions, including preparation steps that you can take to help ensure a smooth upgrade. See Upgrading SCE.
- Fixed an issue related to communication security on RHEL 8 systems. STIG Control V-230507 is designed to disable the use of Bluetooth communication technologies because communications transmitted over Bluetooth can be intercepted. Previously, Bluetooth was not fully disabled. In this release, Bluetooth is fully disabled.
- Fixed an issue that could cause erroneous scan failures for users enforcing STIG Control V-204563. The STIG control ensures that audit records are generated when the `kmod` command is run to manage kernel modules. The audit rule for kernel module loading was fixed to prevent the erroneous scan failures.
- Fixed an issue that could cause scan failures for users enforcing STIG Control V-204579. The control is designed to enforce a timeout on RHEL 7 systems after a session is terminated or after 15 minutes of command-line inactivity by the user. The content of the timeout script, `999-tmout.sh`, was updated to align with the STIG control.
- Fixed an issue that could cause scan failures for users enforcing STIG Control V-204605. The control helps to ensure that the date and time of the previous logon is displayed at the next logon. In the `cem_linux::utils::postlogin` utility class, you can specify the `prune_pam_lastlog` parameter to remove the silent option from the `pam_lastlog.so` module entries. In this way, you can help to prevent erroneous scan failures.
- Fixed an issue that caused a failure to set kernel parameter values. This issue occurred when kernel parameter values contained valid shell operators, such as `|`. Specifically, when the STIG profile attempted to set `kernel.core_patterns = |/bin/false`, no value was set: `kernel.core_patterns =`
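The mechanism behind that kernel-parameter failure, shown as an added example (not CEM or SCE code): a tiny `record` shell function stands in for sysctl and writes down the arguments it actually receives, so the effect of an unquoted `|` is visible without root. It assumes the parameter is spelled `kernel.core_pattern`, the kernel's real name for it (the note writes `kernel.core_patterns`).

```python
"""Why a sysctl value containing a shell operator can end up empty, and two
ways to pass it so the operator is inert. Added example, not CEM/SCE code."""
from __future__ import annotations

import os
import shlex
import subprocess
import tempfile

KEY = "kernel.core_pattern"   # the kernel's actual name (the note says core_patterns)
VALUE = "|/bin/false"         # leading '|' means: pipe the core dump to a program


def _args_recorded_by_shell(argument_text: str) -> list[str]:
    """Run 'record <argument_text>' through /bin/sh. 'record' is a stand-in for
    sysctl that writes every argument it received, one per line, to a temp
    file, so we can see exactly what the shell handed to it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    script = ('record() { printf "%s\\n" "$@" > "$REC"; }; '
              f"record {argument_text}")
    try:
        subprocess.run(script, shell=True, check=False,
                       env={**os.environ, "REC": path})
        with open(path, encoding="utf-8") as fh:
            return fh.read().splitlines()
    finally:
        os.unlink(path)


def args_seen_unquoted(key: str, value: str) -> list[str]:
    """Buggy pattern: the value is spliced into the command line unquoted.
    The shell parses '|' as a pipe, so the stand-in sees only 'key =' and the
    text after the pipe is run as a separate command; the key is effectively
    set to an empty value, matching the 'kernel.core_patterns =' result."""
    return _args_recorded_by_shell(f"{key} = {value}")


def args_seen_quoted(key: str, value: str) -> list[str]:
    """Fix when a shell cannot be avoided: quote the value with shlex.quote so
    every operator character is literal."""
    return _args_recorded_by_shell(f"{key} = {shlex.quote(value)}")


def args_seen_without_shell(key: str, value: str) -> list[str]:
    """Preferred fix: pass argv directly with no shell at all, as a
    configuration-management provider should; '|' is then just a byte.
    printf again stands in for the real sysctl binary."""
    res = subprocess.run(["printf", "%s\n", key, "=", value],
                         capture_output=True, text=True, check=True)
    return res.stdout.splitlines()


def read_sysctl(key: str) -> str | None:
    """Defender's check: read the live value from /proc/sys (no root needed).
    Returns None if the key does not exist on this kernel."""
    path = os.path.join("/proc/sys", *key.split("."))
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    print("unquoted  :", args_seen_unquoted(KEY, VALUE))
    print("quoted    :", args_seen_quoted(KEY, VALUE))
    print("no shell  :", args_seen_without_shell(KEY, VALUE))
    print("live value:", read_sysctl(KEY))
```

A value without operator characters (for example `2` for `kernel.perf_event_paranoid`) survives the unquoted path unchanged, which is why the defect only surfaced for parameters whose value contained a pipe.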
- Fixed an issue that could cause non-idempotent Puppet agent runs in which the resources related to `grub` bootloader arguments are reset during each run. With the fix, `grub` bootloader kernel arguments that are managed by the `cem_grub_args` custom resource type are now correctly persisted to the `grub` configuration file.
- Fixed an issue that prevented some user-specified configuration options from being applied. The issue affected only some parameters on some controls.
v1.6.3
Released 10 August 2023
Fixed
- Fixed an issue that caused Puppet run failures. The issue occurred when CEM for Linux set grub2 bootloader arguments on systems that had "non linux entry" kernel entries in the output of the grubby --info=ALL command. The issue affected users on all supported Linux operating systems.
v1.6.2
Released 8 August 2023
Added
- The CEM for Linux code is updated to help ensure compatibility with Puppet 8. Compatibility with earlier Puppet releases remains unchanged.
- A default setting was changed to help ensure that audit logs are encrypted before being offloaded to a remote system. This change affects users who implement the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard on Red Hat Enterprise Linux (RHEL) 8 operating systems. Because the default setting for STIG Control V-230478 is now true, the GNU Privacy Guard (GnuPG) utility is installed by default and the auditd service is enabled to help protect audit logs from unauthorized access.
- Fixed an issue related to audit backlogs on RHEL 8 operating systems. The issue arose because Center for Internet Security (CIS) Control 4.1.1.4 was not enforced. The control helps to ensure that a sufficient number of audit records are retained in the backlog on system startup so that users can detect potential malicious activity. Starting with CEM for Linux v1.6.2, users can choose whether to enable CIS Control 4.1.1.4. If enabled, the control is enforced.
- Fixed an issue that affected users who enforce the DISA STIG standard on RHEL 8 operating systems. STIG Control V-230307 is designed to implement the nodev mount option to prevent unauthorized access from untrusted file systems. Previously, the control did not work as designed because the nodev option was not applied. The issue is fixed to help ensure that the control works as expected.
- Fixed an issue related to the Security-Enhanced Linux (SELinux) architecture, which controls system access. In previous releases, when a user changed the SELinux security setting, the change went into effect after a system restart. Starting with CEM for Linux v1.6.2, a user can specify that the updated setting is enforced immediately, and the change goes into effect. A user can also specify that the updated setting is enforced only after a system restart.
v1.6.1
Released 16 May 2023
Fixed
- Fixed an issue that occasionally caused compliance scan failures for users who applied Center for Internet Security (CIS) controls in a Red Hat Enterprise Linux (RHEL) 7 environment. The issue occurred because CIS Control 4.1.15, 'Ensure system administrator command executions sudo are collected', did not apply auditd configuration entries. The issue is fixed to ensure that scans run as expected.
- Fixed an issue that prevented CIS Control 4.1.3.7, 'Ensure unsuccessful file access attempts are collected', from being enforced. The issue affected users on RHEL 8, AlmaLinux 8, and Oracle Linux 8 systems. The control is now enforced to ensure that information is collected about unsuccessful attempts to access files. These unsuccessful attempts can indicate that an unauthorized user or process is trying to gain access to the system.
- Fixed an error that could cause system operations to halt unexpectedly for users on RHEL 7. The issue was caused by an incorrect default setting for CIS Control 4.1.2.3, 'Ensure system is disabled when audit logs are full.' The incorrect default setting could cause system operations to halt when disk space for audit logs runs low. The control is now correctly enforced as recommended by CIS: when disk space runs low, an email is sent to the address specified by the action_mail_acct parameter.
- Implemented a fix to help ensure that the use of privileged programs is monitored on all partitions on RHEL 7 operating systems. Previously, CIS Control 4.1.3.10, 'Ensure use of privileged commands is collected', was not fully enforced. The control was only partially enforced because the find command did not descend into all partitions. The fix helps to ensure that all partitions are monitored so that unauthorized use of privileged programs is detected.
- Fixed an issue that occasionally caused the 10-cem_priv_commands.rules file to be blank. This issue affected users on RHEL operating systems. The issue is fixed to ensure that the module operates as expected when the user specifies a value of true for the audit_privileged_commands option:
- If privileged commands exist, the 10-cem_priv_commands.rules file displays the audit rule for that control.
- If privileged commands do not exist or the privileged commands are ignored, a 10-cem_priv_commands.rules file is not created.
- Fixed an issue that caused a failure to remove the Automatic Bug Reporting Tool (ABRT). In CEM for Linux v1.6.0, when the remove_automatic_bug_report_tools class was specified to remove ABRT, the tool remained installed. The problem is resolved to ensure that ABRT packages can be removed based on the class specification without further user intervention.
v1.6.0
Released 28 March 2023
Added
- Enforcement of Center for Internet Security (CIS) Benchmarks on three new operating systems:
- CIS Benchmark for AlmaLinux 8, v2.0.0, levels 1 and 2
- CIS Benchmark for Oracle Linux 7, v3.1.1, levels 1 and 2
- CIS Benchmark for Oracle Linux 8, v2.0.0, levels 1 and 2
- For users who enforce the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard on Red Hat Enterprise Linux (RHEL) operating systems, the module now supports several controls that are designed to secure graphical user interfaces (GUIs). The following new GUI controls are enforced:
- Control V-204397 - 'The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon'
- Control V-204398 - 'The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces'
- Control V-204399 - 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface'
- Control V-204400 - 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface'
- Control V-204402 - 'The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces'
- Control V-204403 - 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface'
- Control V-204404 - 'The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated'
- Control V-204432 - 'The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface'
- Control V-204433 - 'The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system'
- Control V-204456 - 'The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface'
- Control V-214937 - 'The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface'
- Control V-219059 - 'The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required'
- Control V-251718 - 'The graphical display manager must not be the default target on RHEL 8 unless approved'
- Control V-230530 - 'The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed'
- Control V-230553 - 'The graphical display manager must not be installed on RHEL 8 unless approved'
- Control V-244519 - 'RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon'
- Control V-244535 - 'RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated'
- Control V-244536 - 'RHEL 8 must disable the user list at logon for graphical user interfaces'
- Control V-244538 - 'RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface'
- Control V-244539 - 'RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface'
- Control V-230347 - 'RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions'
- Control V-230351 - 'RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed'
- Control V-230352 - 'RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity'
- Control V-230354 - 'RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface'
- Control V-230329 - 'Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed'
- Control V-230226 - 'RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon'
- Control V-204393 - 'The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon'
- Control V-204394 - 'The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon'
- Control V-204396 - 'The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures'
- The ability to enable controls that are designed to secure a GNOME desktop environment. Users who enforce the DISA STIG standard on a RHEL 7 or 8 operating system can set the top-level manage_gnome option to true to enforce all relevant controls in a GNOME desktop environment. Users who enforce CIS controls in RHEL 7 or 8 or CentOS environments must also specify manage_gnome=true to enable controls for GNOME. For CIS users, the following GNOME controls are added:
- 1.8.1 - 'Ensure GNOME Display Manager is removed'
- 1.8.2 - 'Ensure GDM login banner is configured'
- 1.8.3 - 'Ensure last logged in user display is disabled'
- 1.8.4 - 'Ensure XDCMP is not enabled'
- 1.8.5 - 'Ensure automatic mounting of removable media is disabled'
- The implementation for DISA STIG Control V-204600 was changed to ensure that the StrictModes=yes setting is explicitly applied to the Secure Shell (SSH) configuration. This setting helps to protect SSH keys. If file system permissions for SSH keys are too lax, SSH authentication fails. The change affects users who enforce DISA STIG in a RHEL 7 environment.
- An issue that caused invalid permissions to be assigned to the audit directory. This issue affected users who enforced the DISA STIG standard on RHEL operating systems. The issue was related to STIG Control V-230471, which helps to ensure that only users with sufficient permissions can specify which events will be audited. The correct permissions are now set on the audit directory.
- An issue that prevented proper enforcement of STIG Controls V-204614 and V-204615, which are designed to prevent man-in-the-middle attacks. The controls are enforced on RHEL systems to specify whether redirect messages sent with the Internet Control Message Protocol (ICMP) using Internet Control version 4 (IPv4) can be accepted. This issue is corrected to ensure that the ICMP redirect messages are disabled by default for both IPv4 and IPv6.
- A CEM configuration issue for users who enforce the DISA STIG standard in a RHEL 8 environment. In CEM for Linux v1.5.0, the base class cem_linux::utils::packages::linux::sudo was not included for STIG use in the data/RedHat/RedHat/8.yaml file. The omission resulted in additional configuration steps for some users. The YAML file is now updated to include the missing sudo class.
- A scan issue for users who enforce the DISA STIG standard on RHEL operating systems. Previously, Controls V-204427 (5.4.12) and V-204428 (5.4.13) were reported as failing in Puppet Comply. Failures were reported even when CEM appeared to correctly enforce the controls. These controls help to protect systems against unauthorized access by limiting the number of failed login attempts. Scans for the controls now report accurate results.
v1.5.2
Released 9 March 2023
Fixed
- An issue that prevented the CEM for Linux v1.5.1 reference topics from being displayed on Puppet Forge. With the v1.5.2 release, the Reference tab is restored.
v1.5.1
Released 7 March 2023
Changed
- A change was introduced to simplify configuration in Red Hat Enterprise Linux (RHEL) 8 environments where the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard is enforced. The update applies to DISA STIG control V-230339, which is designed to limit login attempts and thus help to prevent brute-force attacks. The default directory where login failure records are kept can now be changed.
- An issue that prevented the OpenSSH server process from starting on RHEL 8 systems. The issue affected users who enforced the DISA STIG standard. When a value of FUTURE was set for cryptographic policies to help prevent malware attacks, the OpenSSH process failed with the following error message:
  Extra argument FUTURE.
- An issue that prevented users from running the system account task from the Puppet Enterprise (PE) console. Previously, attempts to run the task resulted in error messages about missing metadata. With the fix applied, users can run the cem_linux::system_account task from the PE console to view system accounts.
- An issue that caused an error message pertaining to the audit.rules file. The issue was seen on RHEL operating systems after an upgrade to CEM for Linux v1.5.0. The following error message was issued:
  Could not stat /etc/audit/rules.d/audit.rules
  To resolve the issue, the CEM for Linux module was updated to reference all existing files in the /etc/audit/rules.d/ directory.
- An issue that caused a failure to audit sudo log files. When events pertaining to a sudo log file are collected, system administrators can review the events to detect whether unauthorized commands were run. The issue, which affected users on RHEL 8 systems, was caused by a failure to enforce Center for Internet Security (CIS) Control 4.1.3.3. The control is now enforced.
- A failure to enable GNU Privacy Guard (GPG) checks for downloaded packages on RHEL 8 operating systems. CIS Benchmark Control 1.2.3 ('Ensure gpgcheck is globally activated') is designed to ensure that downloaded packages from the RPM package management tool are checked. However, these checks failed to occur because the repo_files parameter associated with the CIS control does not specify the YUM files that are used to manage RHEL packages. The fix ensures that GPG checks will be enabled on a per-repository basis for each file that is listed in the repo_files parameter.
- An issue that can cause configuration problems in RHEL 8 environments where DISA STIG standards are enforced. Because of the issue, the following top-level parameters for the Grub2 bootloader could not be set: cem_linux::regenerate_grub2_config, cem_linux::set_grub2_password, cem_linux::grub2_superuser, and cem_linux::grub2_superuser_password. The issue was resolved to ensure that the parameters can be set, and the values are applied.
- A configuration issue that affects the security of messages when DISA STIG standards are applied in a RHEL 8 environment. The issue pertains to STIG control V-230245, which is designed to ensure that unauthorized persons cannot access system messages. Security is enforced by setting a permissions mode for access to the /var/log/messages file. The issue occurred because the resource data for STIG control V-230245 specified a value of directory instead of file. The issue was fixed to ensure that permissions are set for the messages file. The fix also ensures that a /var/log/messages directory is not created inadvertently.
- An issue that can cause configuration problems for users who attempt to enforce the DISA STIG standard in a RHEL 8 environment. The issue was caused by extraneous text in the cem_linux/manifests/utils/bootloader/grub2/fips.pp file. The extraneous text, a Universal Unique Identifier of 6484, is now removed.
v1.5.0
Released 14 February 2023
Added
- Enforcement of the DISA STIG standard on Red Hat Enterprise Linux (RHEL) 8 operating systems:
- The Security Technical Implementation Guide (STIG) standard was developed by the US Defense Information Systems Agency (DISA). DISA STIG compliance is required for some infrastructures managed by the US government. On RHEL 8, the following DISA STIG standard is supported: Red Hat Enterprise Linux 8 STIG, Version 1, Release 8.
- For the RHEL 8 operating system, STIG can be enabled by adding the following Hiera data to the control repository:
  cem_linux::benchmark: 'stig'
- STIG supports Mission Assurance Category (MAC) levels 1, 2, and 3 and their associated “public,” “sensitive,” and “classified” profiles. STIG controls can be configured with their vulnerability ID (V-nnn) or rule ID (SV-nnn).
- For a list of supported STIG controls and configurations, see the Reference.
- New top-level configuration option, disable_package_gpgcheck. By enabling this option, you disable GNU Privacy Guard (GPG) checks of downloaded packages. Disabling GPG checks can be helpful in rare cases if you enable more stringent system encryption standards, such as the Federal Information Processing Standards (FIPS). These standards can introduce stricter criteria than are normally available for GPG package signatures. If GPG and more stringent criteria are applied simultaneously, package downloads can fail. Specify the disable_package_gpgcheck=true setting only when necessary. Enabling this option can make your infrastructure less secure.
- An error that occasionally prevented system startups and that caused failures of the Internet Control Message Protocol (ICMP) was resolved. The error was identified in the Puppet manifest file disable_icmp_redirects.pp, which specifies whether messages sent with ICMP can be redirected. In the file, extraneous text is now commented out.
- An issue with the cem::utils::boot_fstab_entry class was fixed to help ensure that Puppet runs would not overwrite user-specified settings.
v1.4.3
Released 15 December 2022
Fixed
- Fixed an issue that resulted in catalog compilation errors on the Red Hat Enterprise Linux (RHEL) 7 operating system. The issue, caused by a duplicate instance of control V-204450 in the YAML file, resulted in error messages like the following:
  Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, CEM: cem_create_resources: failed resource: class
- Fixed an issue related to Center for Internet Security (CIS) Control 4.1.3.6 in a RHEL 8 environment. When Control 4.1.3.6 is enabled, privileged programs are monitored to determine whether unauthorized users are trying to gain access. However, when Control 4.1.3.6 was enabled on systems using the Postfix mail transfer agent, two setuid binary files (postdrop and postqueue) were not being added to the auditd monitor list. The issue is corrected so that scans can run successfully.
- Fixed an issue related to CIS Control 1.5.3 in a RHEL environment. Control 1.5.3 is designed to ensure that address space layout randomization (ASLR) is enabled. ASLR randomly arranges the address space of data areas in processes to help protect system security. Enforcement for Control 1.5.3 was available in a RHEL 7 environment but was missing from RHEL 8. The control is now available to RHEL 8 users.
- Fixed an issue that affects users of the RHEL 7 operating system and pertains to Control V-204444. When enabled, the control helps to prevent non-privileged users from initiating privileged functions such as disabling, circumventing, or altering security safeguards. However, after a system administrator specified the privileged users (resources) for Control V-204444 and scans were run, the Puppet agent overwrote the resource list on each run. The issue is fixed to ensure that the resource list is not overwritten.
- Fixed an issue that caused scan failures for CIS Control 4.1.16, 'Ensure kernel module loading and unloading is collected,' in a RHEL 7 environment. When this control is enforced, the process of loading and unloading kernel modules is monitored to help detect unauthorized access to the system. Users of RHEL 7 found that Control 4.1.16 failed scans even when the control was correctly configured. The issue is corrected so that scans can run successfully.
v1.4.2
Released 8 November 2022
Added
- Added the ability to configure multiple rsyslog remote hosts. In previous releases, only single remote hosts were fully configurable. This software update simplifies the process of using the rsyslog software utility to forward logs to remote servers.
- Added an audit script for the Control V-204392, which is included in a Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard. The DISA STIG control helps to ensure that file permissions, ownership, and group membership of system files and commands match vendor values. You can use the new audit script to troubleshoot issues related to the control.
- Updated the Advanced Intrusion Detection Environment (AIDE) utility class to add support for the cron scheduling utility. As a result, AIDE scans can be scheduled by using a cron task rather than systemd timers.
- Updated CEM for Linux to ensure that the nullok option cannot be included in the system-auth file. The nullok option determines whether users can access a service with a blank password. This software update is designed to prevent unauthorized access to the system.
- Fixed an issue that prevented certificates from being checked for Public Key Infrastructure (PKI) authentication. This software update affects users who are enforcing DISA STIG controls on a Red Hat Enterprise Linux (RHEL) operating system.
- Fixed an issue to help ensure that any new password must contain at least 8 characters that differ from the previous password. This software update affects users who are enforcing DISA STIG controls on a RHEL operating system.
- Fixed an issue related to the Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Benchmark 2.0.0, Control 3.3.2: 'Ensure ICMP redirects are not accepted.' This software update helps to ensure that the control is enforced so that Internet Control Message Protocol (ICMP) redirects are not accepted.
- Fixed an issue that caused the cem_semanage fact to run and log errors on an unsupported operating system, RHEL 6. semanage is a Security-Enhanced Linux (SELinux) management tool.
- Fixed an issue that caused catalog compilation errors when users selected the Network Time Protocol (NTP) synchronization service.
v1.4.1
Released 24 October 2022
Fixed
- Fixed an issue that prevented the cem_mount_info fact from resolving on Puppet Enterprise (PE) versions 2019.x.x. The issue prompted the following error message:
  Facter: error while resolving custom facts...
  To resolve the issue, you can install CEM for Linux v1.4.1 or later. To help avoid the issue, you can install the latest version of PE.
v1.4.0
Released 20 October 2022
Added
- Support for the DISA STIG standard on Red Hat Enterprise Linux (RHEL) 7:
- For the first time, CEM for Linux supports a Security Technical Implementation Guide (STIG) standard developed by the US Defense Information Systems Agency (DISA). DISA STIG compliance is required for some infrastructures managed by the US government. On RHEL 7, the following DISA STIG standard is supported: Red Hat Enterprise Linux 7 STIG, Version 3, Release 8.
- For the RHEL 7 operating system, STIG can be enabled by adding the following Hiera data to the control repository:
  cem_linux::benchmark: 'stig'
- STIG supports Mission Assurance Category (MAC) levels 1, 2, and 3 and their associated “public,” “sensitive,” and “classified” profiles. STIG controls can be configured with their vulnerability ID (V-nnn) or rule ID (SV-nnn).
- To support STIG controls that require information audits, new Puppet Bolt tasks were added.
- The following new Facter facts were added: cem_mount_info, cem_nfs_exports, cem_semanage, and cem_sssd_domains.
- For a list of supported STIG controls and configurations, see the Reference.
Changed
- The product documentation was revised to improve usability and retrievability:
- The changelog was migrated from Puppet Forge to the central location for Puppet documentation, Puppet Docs. The changelog was renamed to release notes.
- The readme file was transformed into a series of topics with a structure similar to other Puppet documentation.
- The Reference, Tasks, and Dependencies documentation, which is generated automatically, remains on Puppet Forge.
- To facilitate the implementation of DISA STIG standards, new parameters were introduced for some resources. The new parameters do not affect default configurations and are backward compatible with previous user configurations. All parameters are documented in the Reference.
Fixed
- Fixed an issue that caused the auditd service to restart multiple times. The problem was caused by an incorrect sequence when setting a rule for immutable configuration.
- Fixed an issue that caused catalog compilations to fail although the specified configuration was valid. The failures occurred when certain time-server options were specified for the chrony implementation of the Network Time Protocol.
v1.3.2
Released 8 September 2022
Added
- The 'Ensure core dump storage is disabled' and 'Ensure core dump backtraces are disabled' controls are now enforced on Red Hat Enterprise Linux (RHEL) 8 systems.
- Added a new enforcement mode, disabled, so that you can disable Security Enhanced Linux (SELinux) in your environment.
Changed
- The 'Ensure audit log is disabled when audit logs are full' control is updated to halt the machine when the audit log is full. This change helps to ensure better compliance with Center for Internet Security (CIS) recommendations.
- To simplify configuration, the ntp and chrony classes were combined into the timesync class.
Fixed
- The 'Disable USB Storage' control is updated to work as designed.
- The regular expression for matching Linux username patterns is updated to accept capital letters.
- Rules in the /etc/auditd/rules.d directory are now loaded by using the augenrules --load command. This fix helps to ensure that all rule files within the directory are loaded into the kernel.
- Fixed the per-resource ordering process by using the correct metaparameter before instead of subscribe.
- Fixed a parsing error for chrony that caused catalog compilation failures.
- Fixed a command injection vulnerability that could occur when unsanitized user input was used in the command, onlyif, or unless parameters of an exec resource.
- Fixed an issue with the permissions of Secure Shell (SSH) host private keys to ensure that the permissions are sufficiently restrictive.
- Fixed the cem_systemctl feature to return a result of false without error messages in Puppet run logs when the feature is evaluated on Microsoft Windows machines.
- Fixed an issue with the cem_mta fact that caused errors in RHEL 6.
v1.3.1
Released 18 August 2022
Fixed
- Controls that configure journald now properly configure the journald.conf file.
- The cem_coredump fact will no longer attempt to resolve on nodes that do not support systemctl.
- The cem_grub_cfg fact will now identify the correct GRUB2 configuration file on Red Hat Enterprise Linux (RHEL).
- The Center for Internet Security (CIS)-specific parameters enable_systemd_journal and enable_nopasswd_sudo_prune now function correctly.
- Fixed how Ruby code is loaded during Continuous Delivery for Puppet Enterprise impact analysis. This update fixes a bug that caused impact analysis to fail after upgrading CEM for Linux to v1.3.0.
- Fixed invalid default parameter values that caused catalog compilation failures when enforcing the control 'Ensure_password_creation_requirements_are_configured.'
- Fixed a duplicate resource defaults statement that caused catalog compilation failures when selecting ntp as the time synchronization service.
v1.3.0
Released 3 August 2022
Changed
- The core architecture for the module has changed. These changes should be transparent to the user. However, using Hiera automatic parameter lookup to set configurations directly on classes in the cem_linux::benchmarks::controls::* namespace will no longer work. This configuration method was not supported previously, and with the new architecture those classes have been removed and replaced with module Hiera data. For more information on the new architecture, see Configuring SCE.
- The Reference was revised to improve usability. Sample configurations are provided for each supported control.
Fixed
- Added proper containment to the cem_coredump fact so that it will no longer run on operating systems that do not support it.
- Fixed how Network Time Protocol (NTP) options are handled. This fix resolves failures that occurred when using certain timeserver options.
v1.2.0
Released 24 May 2022
Added
- Added the Center for Internet Security (CIS) Level 2 Server profile for Red Hat Enterprise Linux (RHEL) 7.
Changed
- Updated the CIS RHEL 8 benchmark to version 2.0.0.
- Removed support for CentOS 8 because the operating system has reached End of Life (EOL). CEM for Linux has never supported CentOS Stream, and with non-stream CentOS 8 being EOL, support for it was removed entirely.
Fixed
- Fixed an issue that prevented the coredump configuration setting from being properly enforced. Now, you can use the module to configure core dumps.
- Fixed an issue related to file system mount points, which were not properly remounted after changes in mount-option enforcement. This issue prevented certain configuration changes from being applied.
v1.1.4
Released 25 March 2022
Changed
- Updated the audit_user_homedir task to prevent the task from modifying permissions on top-level directories: /boot, /boot/, /etc, /lib, /lib64, /proc, /proc/, /home, /opt, /tmp, /var, and /srv/. The audit_user_homedir task can still modify permissions on subdirectories within the listed directories, except for /boot and /proc.
- In the audit_user_homedir task, added rtkit to the list of ignored usernames. Because rtkit is a system user, CIS states that the home directory permissions for rtkit should not be audited.
v1.1.3
Released 24 March 2022
Fixed
- Fixed a bug in the audit_user_homedir task to prevent the inadvertent modification of permissions on bin directories: /bin, /sbin, /usr/bin, and /usr/sbin.
v1.1.2
Released 16 March 2022
Added
- Added a section to the Reference about configuring chrony/ntp time servers.
Changed
- Expanded the range of versions in the metadata.json file so that users can install the latest modules to meet dependency requirements.
Fixed
- Fixed a bug in the cem_linux::utils::timesync configuration option that caused Puppet run failures when Network Time Protocol (NTP) was selected for time synchronization.
- Fixed a bug that caused a Puppet run failure during attempts to use a template to provide the Message of the Day (MOTD).
- Fixed a bug relating to unsupported options in the auditd config template on Red Hat Enterprise Linux (RHEL) 7. The bug caused startup failures for the auditd service.
v1.1.1
Released 25 January 2022
Fixed
- Fixed an issue related to non-idempotent resources when managing permissions for the Grub2 bootloader configuration. This issue affected Red Hat Enterprise Linux (RHEL) systems that did not use Extensible Firmware Interface (EFI) mode.
v1.1.0
Released 14 December 2021
Added
- Enforcement for Center for Internet Security (CIS) Red Hat Enterprise Linux (RHEL) 8 Server Level 2 recommendations.
- Updates related to bootloader configurations. Configurations, including password settings, can now be managed through the CEM module on systems that use the grub2 bootloader. You can also opt in to automatically regenerate the bootloader config files after changes are made.
- Permissions management for log files in the /var/log directory is now available in the CEM module. Previously, you had to run a Puppet Bolt task to manage permissions for log files. Because this feature is now supported natively, the Puppet Bolt task cem_linux::logfile_permissions was removed.
- Added a new fact, cem_grub_cfg. This fact contains information related to general grub configuration on the machine.
Changed
- Replaced the camptocamp-systemd module with the supported puppet-systemd module. To help ensure compatibility, you must update your Puppetfile to use the puppet-systemd module v3.5.0 or later.
- The cem_uefi_boot fact was changed to cem_efi and more information was added to the fact. The new name is more representative because the fact now includes boot and other information.
Restriction
- When you scan a node with Puppet Comply after applying CEM, some recommendations that are enforced by CEM might be reported as having failed the scan. This issue is due to bugs in the CIS-CAT Pro Assessor that is used by Comply.
v1.0.0
Released 28 September 2021
This is the initial public release of CEM for Linux.
Known issues and limitations
The current release includes known issues and limitations. In most cases, workarounds are provided.
Security Compliance Management scan issues
During a Security Compliance Management scan, you might see errors about CIS or STIG controls that are not enforced. These error messages are triggered by bugs in the Security Compliance Management console. SCE does correctly enforce these settings.
The following scan errors might be reported:
- Red Hat Enterprise Linux (RHEL) 8 STIG, Version 1:
  - V-230333: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
    - No action is required.
  - V-230334: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
    - No action is required.
  - V-230345: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
    - No action is required.
  - V-244533: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.
    - No action is required.
  - V-244534: RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
    - No action is required.
- RHEL 8 CIS Benchmark v2.0.0:
  - 1.4.2 - Ensure permissions on bootloader are configured
    - On EFI systems, the script that was run by the SCM console did not locate the correct grub file path. Permissions are set correctly by SCE. No action is required.
  - 1.4.1 - Ensure bootloader password is set
    - On EFI systems, the script that was run by the SCM console did not locate the correct grub file path. It is not mandatory to set a bootloader password. However, if you want to set a password to protect your system against unauthorized startup, follow the instructions in Set a bootloader password.
  - 4.1.2.3 - Ensure system is disabled when audit logs are full
    - This is set to halt by SCE. The SCM console incorrectly shows this as a scan failure. No action is required.
  - 5.2.18 - Ensure SSH MaxSessions is set to 10 or less
    - This is set to 10 by default. The SCM console incorrectly shows this as a scan failure. The scanner is looking for <=4 instead of <=10. No action is required.
- RHEL 8 CIS Benchmark v3.0.0:
  - 1.3.1 - Ensure bootloader password is set
    - The SCM console incorrectly reports a scan failure because the scanner searches for the user.cfg file while ignoring the settings in the grub.cfg file. Permissions are set correctly by SCE. No action is required.
- Ubuntu Linux 22.04 CIS Benchmark v2.0.0:
  - Ensure GDM disabling automatic mounting of removable media is not overridden.
    - If you are using Gnome Desktop Manager (GDM), SCE correctly enforces the control, but a scan error is reported. No action is required.
  - Ensure GDM automatic mounting of removable media is disabled.
    - If you are using GDM, SCE correctly enforces the control, but a scan error is reported. No action is required.
  - Ensure GDM autorun-never is not overridden.
    - If you are using GDM, SCE correctly enforces the control, but a scan error is reported. No action is required.
General issues and limitations
- If you are running SCE for Linux v2.2.1 on an Ubuntu Linux 22.04 operating system, and you exclude CIS control 1.3.1.2 - 'Ensure AppArmor is enabled in the bootloader configuration' - from the sce_linux configuration, you might see error messages with the phrase 'Could not autoload puppet.' To resolve the issue, add the control to the sce_linux configuration. To enforce the control, add it to the 'only' list.
- If you are running SCE for Linux on a RHEL 8 system, you might see an extraneous configuration file, SCE Disable bluetooth kernel module.conf, in the /etc/modprobe.d directory. You can safely delete this file.
- After you upgrade to SCE for Linux v2.2.0 on Puppet Enterprise versions earlier than 2023.8.0, you might see catalog compilation errors on nodes. The messages might reference Error 500, an undefined reload method, or both. To resolve the issue, restart the pe-puppetserver service. If you are using Continuous Delivery with Puppet Enterprise versions earlier than 2023.8.0, you might have to manually deploy SCE for Linux v2.2.0. Follow the instructions in Deploy code manually.
- When usernames with uppercase letters are included in the /etc/sudoers file and SCE enforces controls to manage sudoers, Puppet runs fail.
- If you are using SCE for Linux on a RHEL 9 or Oracle Linux 9 operating system and you are enforcing a CIS Benchmark that requires auditd rules to be loaded, you must manually load the auditd rules by using the "augenrules --load" command. In this way, you can meet the requirements of auditd controls that require auditd rules and help to prevent scan failures.
- If you run SCE for Linux on Oracle Linux 7, Oracle Linux 8, or AlmaLinux 8, two Puppet runs might be required to ensure that the required intentional changes, corrective changes, or both are made on the nodes in the infrastructure. Subsequent Puppet runs are idempotent.
- CEM for Linux v1.6.0 and later provides limited support for the System
Security Services Daemon (SSSD), which manages access to remote directory
services and authentication mechanisms. However, the following US Defense
Information Systems Agency (DISA) Security Technical Implementation Guide (STIG)
controls are not implemented:
- Control V-230274 - 'RHEL 8 must implement certificate status checking for multifactor authentication'
- Control V-230372 - 'RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts'
- Control V-230376 - 'RHEL 8 must prohibit the use of cached authentications after one day'
- The DISA STIG standard for RHEL 8 includes
controls that help to manage and secure removable media file systems. Support
for the related controls is currently outside the scope of SCE for Linux. As a result, the following controls are not enforced:
- Control V-230303 - 'RHEL 8 must prevent special devices on file systems that are used with removable media'
- Control V-230304 - 'RHEL 8 must prevent code from being executed on file systems that are used with removable media'
- Control V-230305 - 'RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media'
- The DISA STIG standard for RHEL 8 includes controls related to the file access policy (fapolicy) module, which helps to ensure that only authorized applications can be run on a system. The fapolicy module must be configured with caution because improper configuration can result in a non-functional system. Because of the potential risk to system operations, controls related to the fapolicy module are currently outside the scope of SCE for Linux. The following controls are not enforced:
- Control V-230523 - 'The RHEL 8 fapolicy module must be installed'
- Control V-244545 - 'The RHEL 8 fapolicy module must be enabled'
- Control V-244546 - 'The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs'
- Multifactor controls and configurations are outside the scope of SCE for Linux. However, you can set up multifactor authentication for an infrastructure that is protected by SCE for Linux by implementing a network authentication system. For example, you can set up one-time password authentication on the client side by following the instructions in Setting up multi-factor authentication on Linux systems.
- If you are enforcing the DISA STIG standard on the RHEL 7 operating system, the V-204392 auditing control is not working as designed. The control is missing a script that audits file permissions, ownership, and group membership of system files and commands. As a workaround, you can audit file permissions manually.
- You cannot use the iolog_dir option to specify a directory for sudo log files. If you attempt to use the iolog_dir option in the sudoers file to specify a log directory other than the default, errors are reported by the Augeas program. Augeas is a tool used for configuration editing in SCE.
- SCE cannot create file system partitions. This limitation can cause certain scanner checks to fail.
- SCE cannot set permissions on removable media partitions. To set the required permissions on these partitions, ensure that nodev,nosuid,noexec exists in the options portion of /etc/fstab for the partition.
- Support for the eXecute Disable/No eXecute (XD/NX) hardware feature is dependent on the host kernel and cannot be configured by SCE. If you plan to enable XD/NX support, ensure that you are using up-to-date kernels. If you plan to enable XD/NX support on newer kernels, be aware that SCE cannot manage this feature.
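Because SCE does not set permissions on removable media partitions, the /etc/fstab check for nodev, nosuid and noexec described above is left to the administrator. The following shell function is an added example (not part of SCE or of these release notes) that scans fstab-formatted text for mount points under a given prefix and reports entries missing any of the three options; the function name and the sample fstab content are constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample /etc/fstab content (not taken from a real host).
SAMPLE_FSTAB='UUID=0000-0000 /               xfs      defaults               0 0
/dev/sdb1      /media/usb      vfat     defaults               0 0
/dev/sdc1      /mnt/removable  ext4     nodev,nosuid,noexec    0 0
# comment lines and blank lines are ignored

/dev/sdd1      /media/cdrom    iso9660  ro,nodev,noexec        0 0'

# check_removable_mount_options PREFIX FSTAB_TEXT
# Reads fstab-formatted text, considers only mount points under PREFIX
# (for example /media or /mnt), and prints one line per entry that lacks
# any of nodev, nosuid or noexec. Returns 0 when every matching entry
# carries all three options, 1 otherwise.
check_removable_mount_options() {
    prefix="$1"
    fstab_text="$2"
    failures=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$mnt" in "$prefix"/*) ;; *) continue ;; esac
        missing=""
        for want in nodev nosuid noexec; do
            # wrap the option list in commas so "nodev" does not match "nodevfoo"
            case ",$opts," in *",$want,"*) ;; *) missing="$missing $want" ;; esac
        done
        if [ -n "$missing" ]; then
            printf '%s missing:%s\n' "$mnt" "$missing"
            failures=$((failures + 1))
        fi
    done <<EOF
$fstab_text
EOF
    [ "$failures" -eq 0 ]
}

# Example run against the constructed sample: reports the /media entries
# that still use "defaults" or lack nosuid.
check_removable_mount_options /media "$SAMPLE_FSTAB" || echo "some /media entries need attention"
```

To check a live system, pass "$(cat /etc/fstab)" as the second argument.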
- To comply with CIS recommendations, you must prevent root users from logging onto the system console. Because this action requires knowledge of the site, you must configure this control manually by removing entries in /etc/securetty for consoles that are not in secure locations.
- SCE does not enforce authselect controls for CIS 2.0.0 5.4.x on Red Hat Enterprise Linux 8. Enforcement requires site knowledge and can break network authentication. CIS recommends that these controls not be enforced in specific environments. For example, the controls should not be enforced if the node is joined to an Active Directory domain or to Red Hat Identity Management. If you enforce authselect controls, you must ignore all other controls that affect authentication and use a predefined authselect profile or manage a custom profile. For more information, see Configure system authentication with the authselect utility. SCE includes a Puppet Bolt task, audit_authselect, to audit these controls.
- You can configure the ensure_nodev_option_set_on_home_partition control only if /home is mounted on its own partition. Puppet does not create a partition for /home.
- If your system is running on Red Hat Enterprise Linux 8:
  - The 'ensure_nis_server_is_not_installed' control is dependent on 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked'. If you enforce 'ensure_nis_server_is_not_installed', you must also enforce 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked'.
  - The 'ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked' control is dependent on 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked'. If you do not enforce 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked', you must also not enforce 'ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked'.
  - The 'ensure_the_running_and_on_disk_configuration_is_the_same' control is always enforced if auditd is managed by SCE.
  - The 'ensure_users_must_provide_password_for_escalation' control is disabled by default. You might want to enable this control to help ensure CIS compliance. However, a potential risk exists: removing NOPASSWD: from sudoers files could invalidate the syntax of those files and break system authentication. If you accept the risk and want to enable this control, set the top-level configuration option enable_nopasswd_sudo_prune to true.
- If your system is running on Red Hat Enterprise Linux 7 or CentOS 7:
  - The 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked' control is dependent on 'ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked'. If you enforce 'ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked', you must also enforce 'ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked'.
  - The 'disable_wireless_interfaces' control requires that you install the NetworkManager package and that the service is running.