tom-krieger / cis_security_hardening

Define a complete security baseline and monitor the baseline's rules. The baseline should be defined in Hiera. The purpose of the module is to make it possible to set up a complete security baseline which does not necessarily have to follow industry security guides like the CIS benchmarks.
Apache License 2.0

hiera.yaml updated to use OS and major release #14

Closed parryb closed 2 years ago

parryb commented 2 years ago

I have updated hiera.yaml to use the OS name and renamed the hiera data files in data/cis to reflect what facter returns. I don't know all of the exact names for every Linux you support but have completed RedHat, AlmaLinux, CentOS and Ubuntu.

parryb commented 2 years ago

Argh! Git has not recorded my file name changes for the hiera data.

parryb commented 2 years ago

Agreed, lower case would be better. I had the same thoughts when writing the fix, although I don't think it's possible to downcase facts in hiera.

parryb commented 2 years ago

There is currently a ticket raised to enable functionality to normalize case in hiera.

https://groups.google.com/g/puppet-bugs/c/4pSJvKy00MQ?pli=1

parryb commented 2 years ago

The alternative would be to write your own OS name fact based on the facter fact which is downcased.

The cis_security_hardening documentation doesn't mention the effort needed to set up hiera data to get the module working out of the box, because currently the module as it stands does not work when downloaded from the Forge. You have to move the data out or modify the hiera.conf to get the module to compile and work.

I think you should also suggest that customization of the rule set should be done at the environment level, i.e. /etc/puppetlabs/code/environment//hiera.conf and /etc/puppetlabs/code/environment//data

It took a long time to figure out why the module was not compiling and running, and with manual intervention it will be difficult to keep up with updates as they can't be automatically.

tom-krieger commented 2 years ago

You can always override the module configuration from the Puppet environment's hiera data. That's best practice. And the module contains a complete security benchmark which you always have to customize to your needs. For example, not everyone can have selinux switched on or can have a noexec flag on the /var partition.

I have a CIS configuration for all my hosts in my control repository. And you can use hiera capabilities to merge the configuration, e.g. from common, OS-specific, datacenter-specific and host-specific configurations.

I added a fact _cis_security_hardening.osnamelc in my current feature branch. I will try to merge this by the end of the week.
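The two ideas raised above, a downcased OS-name fact so that Hiera paths do not depend on how Facter capitalises the name, and selecting per-OS/per-release data from an environment-level hierarchy that overrides the module's own data, can be combined as follows. This is an added example, not code from the cis_security_hardening module or the commenters: the fact name `os_name_lc`, the `OsNameLc` helper and the hierarchy entries shown in the comments are all assumptions chosen for illustration (the module's own fact mentioned in the thread has a different name).

```ruby
# Added example (not code from the cis_security_hardening module): a custom
# Facter fact that exposes the OS name in lower case, so a hiera.yaml hierarchy
# can select per-OS data files regardless of how Facter capitalises the name
# ("RedHat", "AlmaLinux", "CentOS", "Ubuntu" ...). The fact name `os_name_lc`
# is an assumption chosen for this illustration.
#
# Assumed environment-level hiera.yaml entries (also an assumption). Because
# environment data sits above module data in the Hiera 5 layer order, values
# found here override whatever the module ships in its own data/ directory:
#   - name: "Per OS and major release"
#     path: "os/%{facts.os_name_lc}/%{facts.os.release.major}.yaml"
#   - name: "Per OS"
#     path: "os/%{facts.os_name_lc}.yaml"
#   - name: "Common"
#     path: "common.yaml"

begin
  require 'facter'
rescue LoadError
  # Facter is only present on a Puppet agent; the pure helper below still
  # runs stand-alone so the derivation can be checked without it.
end

module OsNameLc
  # Derive the lower-case OS name from the structured `os` fact hash,
  # e.g. {"name"=>"RedHat", "release"=>{"major"=>"9"}} -> "redhat".
  # Returns nil when the name is missing or blank so Facter omits the fact
  # entirely instead of publishing an empty string, which Hiera would
  # otherwise interpolate into a path like "os//9.yaml".
  def self.from_os_fact(os)
    return nil unless os.is_a?(Hash)
    name = os['name'] || os[:name]
    return nil if name.nil? || name.to_s.strip.empty?
    name.to_s.strip.downcase
  end

  # Return the most specific data file the assumed hierarchy above would
  # try for a given `os` fact hash. Handy for checking, before rolling out
  # the hierarchy, which file a node's facts will actually resolve to.
  def self.hiera_path(os)
    lc = from_os_fact(os)
    return nil if lc.nil?
    release = os['release'] || os[:release]
    major = release.is_a?(Hash) ? (release['major'] || release[:major]) : nil
    return "os/#{lc}.yaml" if major.nil? || major.to_s.strip.empty?
    "os/#{lc}/#{major}.yaml"
  end
end

# Register the fact only when running under Facter (Puppet agent / facter CLI).
if defined?(Facter)
  Facter.add(:os_name_lc) do
    setcode do
      OsNameLc.from_os_fact(Facter.value(:os))
    end
  end
end
```

Dropped into a module's `lib/facter/` directory and synced to agents via pluginsync, the fact is then available as `%{facts.os_name_lc}` in any hierarchy. The nil-on-missing behaviour matters: a blank interpolation in a Hiera path silently matches nothing, so the node quietly falls through to less specific data rather than failing loudly.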

tom-krieger commented 2 years ago

Btw. can you please tell me what the problems have been with the default config of the module and not compiling? I would like to have a look at that to fix these things.

parryb commented 2 years ago

> Btw. can you please tell me what the problems have been with the default config of the module and not compiling? I would like to have a look at that to fix these things.

There is a duplicate declaration of the firewalld service (firewalld_service.pp) between your module and the puppetlabs firewall module (redhat.pp), and also one with Package[iptables-services] and the same puppetlabs/firewall (redhat.pp).

It can be worked around by disabling the cis_security_hardening functionality.

tom-krieger commented 2 years ago

Included in release 0.7.7, so I close this one.