Stephen K. Potter
What makes Linux security unique? What special considerations does Linux have across security standards like those set by The Center for Internet Security (CIS)? Every OS has its own unique considerations, and Linux is no different. We’ll also explore how Puppet can fit within your broader Linux security plan to help make hardening Linux that much easier.
Linux is an incredibly flexible operating system — it’s modular and most of its popular distributions are open source. This means that Linux security can be custom-built for your particular organizational needs around compliance and security.
Linux was created in 1991 by Linus Torvalds, a 21-year-old computer science student who wrote the operating system kernel to create a free and open-source alternative to the MINIX operating system, which was based on the design of Unix.
Today, Linux is installed on more than 85% of smartphones and there are more than 600 active Linux distributions, or distros as they are known in Linux circles (source). This is a testament to the flexibility and modularity of the original design — a modularity that we will tie into security needs today.
To understand what makes Linux security unique, it’s important to understand how many different flavors of Linux there are — they make up an entire family tree of variations on the original OS. While each of these variations of Linux shares a core foundation, it’s important to consider security that can work with different members of the same family tree.
Linux does come with some built-in kernel security defenses like firewalls and the Linux Kernel Lockdown configuration option – and while this makes it unique, it still requires the same security rigor as any other OS.
One of the best ways to maintain security and keep your organization safe is to stay compliant with the latest regulations — easier said than done.
We’ll review the popular, and comprehensive, CIS benchmarks as a starting point, plus examine best practices created after a recent US executive order — all globally applicable, and the best place to begin for Linux.
The Center for Internet Security (CIS) has established critical, community-sourced compliance standards for different operating systems, including Linux. These globally recognized baseline configurations were created to protect your systems, data, and users from external threats and IT risk. The CIS standards specific to Linux address things like root privilege issues (a common entry point for exploitation) and other access concerns.
Ensuring that your specific branch of Linux adheres to CIS benchmarks is a critical step in preventing cyberattacks and keeping your data secure.
In 2021, the White House issued an executive order that required the National Institute of Standards and Technology (NIST) to create a set of best practices for software security.
The resulting documents from this order addressed concerns around a lack of visibility from software providers about their products which could compromise security in government systems. Ultimately, it meant that vendors needed to be more accountable for the software that they provided.
SBOM stands for “Software Bill of Materials”: a nested inventory of all the pieces that make up a piece of software, giving visibility into elements like package name, version, known security vulnerabilities, and more.
An SBOM should accomplish the following:
How does this tie in with Linux? Since the Linux OS is modular, having visibility into the modules that are shared across systems helps you stay informed about known vulnerabilities. It also allows you to react swiftly when a vulnerability is found — and this visibility benefits software consumers, no matter the use case.
The foundations of strong Linux security are supported by initiatives like SBOM and the security standards published by CIS, but here’s where you will need to start thinking about your organization’s individual needs.
Standard benchmarks like those from CIS will include security tactics that cover basics that are broadly applicable across Linux, which include recommendations like:
You’re not just protecting data when you implement strong security practices — you’re also maintaining uptime and reliability across your entire system. The flexibility of Linux makes it widely used for a reason, and for those same reasons, it is a popular target for malware developers. Your reputation, your customers’ information, and the functionality of the entire org are on the line every day.
Puppet is uniquely suited to handling pieces of your security plan because it abstracts away the type of Linux you are running and lets you describe the desired state once in its domain-specific language (DSL). Puppet takes care of the differences so you can manage continuous compliance, patching, and access management across servers without missing a beat.
Puppet agents are open source — they can interpret commands across different branches of Linux automatically. No matter what script you need to write for security, Puppet’s abstraction layer knows what you’re trying to accomplish.
Puppet is a portable part of the Linux family tree, making sure that you have consistency and remain in compliance at scale. You won’t have to start code from scratch each time you have to enforce something new across your environment.
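To make that abstraction concrete, here is an added example manifest (written for this post, not code from Puppet or from the CIS benchmarks) that applies a CIS-style SSH access restriction to both RedHat-family and Debian-family nodes from a single class. The class name and the drop-in path are assumptions, as is the assumption that sshd on the target nodes reads /etc/ssh/sshd_config.d/*.conf.

```puppet
# Hypothetical class: one definition of "no root login over SSH" for the
# whole Linux family tree. Distro differences are resolved from facts.
class linux_hardening::sshd {
  # Package and service names differ between families; pick them here so
  # the rest of the class is distro-agnostic. Names are assumptions for
  # the two families shown.
  case $facts['os']['family'] {
    'RedHat': {
      $ssh_pkg = 'openssh-server'
      $ssh_svc = 'sshd'
    }
    'Debian': {
      $ssh_pkg = 'openssh-server'
      $ssh_svc = 'ssh'
    }
    default: {
      fail("linux_hardening::sshd: unsupported OS family ${facts['os']['family']}")
    }
  }

  package { $ssh_pkg:
    ensure => installed,
  }

  # CIS-style settings in a drop-in file; Puppet re-asserts this content on
  # every run, so a manual edit that re-enables root login is corrected.
  file { '/etc/ssh/sshd_config.d/50-cis.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => @(CONF),
      # Managed by Puppet: CIS-style SSH access hardening
      PermitRootLogin no
      PermitEmptyPasswords no
      MaxAuthTries 4
      | CONF
    require => Package[$ssh_pkg],
    notify  => Exec['validate-sshd-config'],
  }

  # Syntax-check the daemon config before restarting, so a bad change
  # fails the run instead of locking everyone out of the node.
  exec { 'validate-sshd-config':
    command     => '/usr/sbin/sshd -t',
    refreshonly => true,
    notify      => Service[$ssh_svc],
  }

  service { $ssh_svc:
    ensure => running,
    enable => true,
  }
}
```

Because the exec is refreshonly and only notifies the service when it actually runs, the SSH service restarts solely after a validated config change; on unchanged nodes the run is a no-op apart from the compliance check itself.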
See for yourself how Puppet works in your Linux OS: our free trial includes 10 nodes to get you started.
Senior Manager of Sales Engineering, Puppet by Perforce
Stephen K. Potter is a Senior Manager of Sales Engineering for Puppet by Perforce