Release notes
Review the release notes to learn about updates and resolved issues in the Compliance Enforcement Module (CEM) for Linux.
v1.4.3
Released 15 December 2022
Fixed
- Fixed an issue that resulted in catalog compilation errors on the Red Hat Enterprise Linux (RHEL) 7 operating system. The issue, caused by a duplicate instance of control V-204450 in the YAML file, resulted in error messages like the following:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, CEM: cem_create_resources: failed resource: class
- Fixed an issue related to Center for Internet Security (CIS) Control 4.1.3.6 in a RHEL 8 environment. When Control 4.1.3.6 is enabled, privileged programs are monitored to determine whether unauthorized users are trying to gain access. However, when Control 4.1.3.6 was enabled on systems using the Postfix mail transfer agent, two setuid binary files (postdrop and postqueue) were not being added to the auditd monitor list. The issue is corrected so that scans can run successfully.
- Fixed an issue related to CIS Control 1.5.3 in a RHEL environment. Control 1.5.3 is designed to ensure that address space layout randomization (ASLR) is enabled. ASLR randomly arranges the address space of data areas in processes to help protect system security. Enforcement for Control 1.5.3 was available in a RHEL 7 environment but was missing from RHEL 8. The control is now available to RHEL 8 users.
- Fixed an issue that affects users of the RHEL 7 operating system and pertains to control V-204444. When enabled, the control helps to prevent non-privileged users from initiating privileged functions such as disabling, circumventing, or altering security safeguards. However, after a system administrator specified the privileged users (resources) for control V-204444 and scans were run, the Puppet agent overwrote the resource list on each run. The issue is fixed to ensure that the resource list is not overwritten.
- Fixed an issue that caused scan failures for CIS Control 4.1.16, ‘Ensure kernel module loading and unloading is collected,’ in a RHEL 7 environment. When this control is enforced, the process of loading and unloading kernel modules is monitored to help detect unauthorized access to the system. Users of RHEL 7 found that Control 4.1.16 failed scans even when the control was correctly configured. The issue is corrected so that scans can run successfully.
v1.4.2
Released 8 November 2022
Added
- Added the ability to configure multiple rsyslog remote hosts to CEM for Linux. In previous releases, only single remote hosts were fully configurable. This software update simplifies the process of using the rsyslog software utility to forward logs to remote servers.
- Added an audit script for the V-204392 control, which is included in a Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard. The DISA STIG control helps to ensure that file permissions, ownership, and group membership of system files and commands match vendor values. You can use the new audit script to troubleshoot issues related to the control.
- Updated the Advanced Intrusion Detection Environment (AIDE) utility class to add support for the cron scheduling utility. As a result, AIDE scans can be scheduled by using a cron task rather than systemd timers.
- Updated CEM for Linux to ensure that the nullok option cannot be included in the system-auth file. The nullok option determines whether users can access a service with a blank password. This software update is designed to prevent unauthorized access to the system.
- Fixed an issue that prevented certificates from being checked for Public Key Infrastructure (PKI) authentication. This software update affects users who are enforcing DISA STIG controls on a Red Hat Enterprise Linux (RHEL) operating system.
- Fixed an issue to help ensure that any new password must contain at least 8 characters that differ from the previous password. This software update affects users who are enforcing DISA STIG controls on a RHEL operating system.
- Fixed an issue related to the Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Benchmark 2.0.0, Control 3.3.2: Ensure ICMP redirects are not accepted. This software update helps to ensure that the control is enforced so that Internet Control Message Protocol (ICMP) redirects are prevented.
- Fixed an issue that caused the cem_semanage fact to run and log errors on an unsupported operating system, RHEL 6. semanage is a Security-Enhanced Linux (SELinux) management tool.
- Fixed an issue that caused catalog compilation errors when users selected the Network Time Protocol (NTP) synchronization service.
v1.4.1
Released 24 October 2022
Fixed
- Fixed an issue that prevented the cem_mount_info fact from resolving on Puppet Enterprise (PE) versions 2019.x.x. The issue prompted the following error message:
Facter: error while resolving custom facts...
To resolve the issue, you can install CEM Linux v1.4.1. To help avoid the issue, you can install the latest version of PE.
v1.4.0
Released 20 October 2022
- Support for the DISA STIG standard on Red Hat Enterprise Linux (RHEL) 7:
  - For the first time, CEM supports a Security Technical Implementation Guide (STIG) standard developed by the US Defense Information Systems Agency (DISA). DISA STIG compliance is required for some infrastructures managed by the US government.
  - For the RHEL 7 operating system, STIG can be enabled by adding the following Hiera data to the control repository:
    cem_linux::benchmark: 'stig'
  - STIG supports Mission Assurance Category (MAC) levels 1, 2, and 3 and their associated “public,” “sensitive,” and “classified” profiles. STIG controls can be configured with their vulnerability ID (V-nnn) or rule ID (SV-nnn).
  - To support STIG controls that require information audits, new Bolt tasks were added.
  - The following new Facter facts were added: cem_mount_info, cem_nfs_exports, cem_semanage, and cem_sssd_domains.
  - For a list of supported STIG controls and configurations, see the CEM Linux Reference.
- The product documentation was revised to improve usability and retrievability:
  - The changelog was migrated from Puppet Forge to the central location for Puppet documentation, Puppet Docs. The changelog was renamed to Release notes.
  - The readme file was transformed into a series of topics with a structure similar to other Puppet documentation. The CEM topics can now be viewed on Puppet Docs, starting with Introducing the Compliance Enforcement Modules.
  - The Reference, Tasks, and Dependencies documentation, which is generated automatically, remains on Puppet Forge.
- To facilitate the implementation of DISA STIG standards, new parameters were introduced for some resources. The new parameters do not affect default configurations and are backward compatible with previous user configurations. All parameters are documented in the CEM Linux Reference.
- Fixed an issue that caused the auditd service to restart multiple times. The problem was caused by an incorrect sequence when setting a rule for immutable configuration.
- Fixed an issue that caused catalog compilations to fail although the specified configuration was valid. The failures occurred when certain time-server options were specified for the chrony implementation of the Network Time Protocol.
v1.3.2
Released 8 September 2022
- The ‘Ensure core dump storage is disabled’ and ‘Ensure core dump backtraces are disabled’ controls are now enforced on Red Hat Enterprise Linux (RHEL) 8 systems.
- Added a new enforcement mode, disabled, so that you can disable Security Enhanced Linux (SELinux) in your environment.
- The ‘Ensure audit log is disabled when audit logs are full’ control is updated to halt the machine when the audit log is full. This change helps to ensure better compliance with Center for Internet Security (CIS) recommendations.
- To simplify configuration, the ntp and chrony classes were combined into the timesync class.
- The ‘Disable USB Storage’ control is updated to work as designed.
- The regular expression for matching Linux username patterns is updated to accept capital letters.
- Rules in the /etc/auditd/rules.d directory are now loaded by using the augenrules --load command. This fix helps to ensure that all rule files within the directory are loaded into the kernel.
- Fixed the per-resource ordering process by using the correct metaparameter before instead of subscribe.
- Fixed a parsing error for chrony that caused catalog compilation failures.
- Fixed a command injection vulnerability that could occur when unsanitized user input was used in the command, onlyif, or unless parameters of an exec resource.
- Fixed an issue with the permissions of Secure Shell (SSH) host private keys to ensure that the permissions are sufficiently restrictive.
- Fixed the cem_systemctl feature to return a result of false without error messages in Puppet run logs when the feature is evaluated on Microsoft Windows machines.
- Fixed an issue with the cem_mta fact that caused errors in RHEL 6.
v1.3.1
Released 18 August 2022
- Controls that configure journald now properly configure the journald.conf file.
- The cem_coredump fact will no longer attempt to resolve on nodes that do not support systemctl.
- The cem_grub_cfg fact will now identify the correct GRUB2 configuration file on Red Hat Enterprise Linux (RHEL).
- The Center for Internet Security (CIS)-specific parameters enable_systemd_journal and enable_nopasswd_sudo_prune now function correctly.
- Fixed how Ruby code is loaded during Continuous Delivery for Puppet Enterprise impact analysis. This update fixes a bug that caused impact analysis to fail after upgrading CEM for Linux to v1.3.0.
- Fixed invalid default parameter values that caused catalog compilation failures when enforcing the control ensure_password_creation_requirements_are_configured.
- Fixed a duplicate resource defaults statement that caused catalog compilation failures when selecting ntp as the time synchronization service.
v1.3.0
Released 3 August 2022
- The core architecture for the module has changed. These changes should be transparent to the user. However, using Hiera automatic parameter lookup to set configurations directly on classes in the cem_linux::benchmarks::controls::* namespace will no longer work. This configuration method was not supported previously, and with the new architecture those classes have been removed and replaced with module Hiera data.
- For more information on the new architecture, see Configuring CEM.
- The Reference: Benchmarks and controls was revised to improve usability. Sample configurations are provided for each supported control.
- Added proper containment to the cem_coredump fact so that it will no longer run on operating systems that do not support it.
- Fixed how Network Time Protocol (NTP) options are handled. This fix resolves failures that occurred when using certain timeserver options.
v1.2.0
Released 24 May 2022
- Added the Center for Internet Security (CIS) Level 2 Server profile for Red Hat Enterprise Linux (RHEL) 7.
- Updated the CIS RHEL 8 benchmark to version 2.0.0.
- Removed support for CentOS 8 because the operating system has reached End of Life (EOL). CEM for Linux has never supported CentOS Stream, and with non-stream CentOS 8 being EOL, support for it was removed entirely.
- Fixed an issue that prevented the coredump configuration setting from being properly enforced. Now, you can use the module to configure core dumps.
- Fixed an issue related to file system mount points, which were not properly remounted after changes in mount-option enforcement. This issue prevented certain configuration changes from being applied.
v1.1.4
Released 25 March 2022
- Updated the audit_user_homedir task to prevent the task from modifying permissions on top-level directories: /boot, /boot/, /etc, /lib, /lib64, /proc, /proc/, /home, /opt, /tmp, /var, and /srv/. The audit_user_homedir task can still modify permissions on subdirectories within the listed directories, except for /boot and /proc.
- In the audit_user_homedir task, added rtkit to the list of ignored usernames. Because rtkit is a system user, CIS states that the home directory permissions for rtkit should not be audited.
v1.1.3
Released 24 March 2022
- Fixed a bug in the audit_user_homedir task to prevent the inadvertent modification of permissions on bin directories: /bin, /sbin, /usr/bin, and /usr/sbin.
v1.1.2
Released 16 March 2022
- Added a section to the CEM Reference about configuring chrony/ntp time servers.
- Expanded the range of versions in the metadata.json file so that users can install the latest modules to meet dependency requirements.
- Fixed a bug in the cem_linux::utils::timesync configuration option that caused Puppet run failures when Network Time Protocol (NTP) was selected for time synchronization.
- Fixed a bug that caused a Puppet run failure during attempts to use a template to provide the Message of the Day (MOTD).
- Fixed a bug relating to unsupported options in the auditd config template on Red Hat Enterprise Linux (RHEL) 7. The bug caused startup failures for the auditd service.
v1.1.1
Released 25 January 2022
- Fixed an issue related to non-idempotent resources when managing permissions for the Grub2 bootloader configuration. This issue affected Red Hat Enterprise Linux (RHEL) systems that did not use Extensible Firmware Interface (EFI) mode.
v1.1.0
Released 14 December 2021
- Enforcement for Center for Internet Security (CIS) Red Hat Enterprise Linux (RHEL) 8 Server Level 2 recommendations.
- Updates related to bootloader configurations. Configurations, including password settings, can now be managed through the CEM module on systems that use the grub2 bootloader. You can also opt in to automatically regenerate the bootloader config files after changes are made. For details, see the CEM for Linux readme file.
- Permissions management for log files in the /var/log directory is now available in the module. Previously, you had to run a Bolt task to manage permissions for log files. Because this feature is now supported natively, the Bolt task cem_linux::logfile_permissions was removed.
- Added a new fact, cem_grub_cfg. This fact contains information related to general grub configuration on the machine.
- Replaced the camptocamp-systemd module with the supported puppet-systemd module. To help ensure compatibility, you must update your Puppetfile to use the puppet-systemd module v3.5.0 or later.
- The cem_uefi_boot fact was changed to cem_efi and more information was added to the fact. The new name is more representative because the fact now includes boot and other information.
- When you scan a node with Puppet Comply after applying CEM, some recommendations that are enforced by CEM might be reported as having failed the scan. This issue is due to bugs in the CIS-CAT Pro Assessor that is used by Comply. For more information, see the readme file.
v1.0.0
Released 28 September 2021
This is the initial public release of CEM for Linux.
Known issues and limitations
The current release includes known issues and limitations. In most cases, workarounds are provided.
Comply scan issues
During a Comply scan, you might see errors about Center for Internet Security (CIS) recommended guidelines that are not enforced. These error messages are triggered by bugs in the CIS-CAT Pro Assessor that is bundled with Comply. CEM does correctly enforce these settings.
- Red Hat Enterprise Linux (RHEL) Benchmark v2.0.0:
  - 1.4.2 - Ensure permissions on bootloader are configured
    - On EFI systems, the script that was run by the CIS-CAT Pro Assessor did not locate the correct grub file path. Permissions are set correctly by CEM. No action is required.
  - 1.4.1 - Ensure bootloader password is set
    - On EFI systems, the script that was run by the CIS-CAT Pro Assessor did not locate the correct grub file path. It is not mandatory to set a bootloader password. However, if you want to set a password to protect your system against unauthorized startup, follow the instructions in Set a bootloader password.
  - 4.1.2.3 Ensure system is disabled when audit logs are full
    - This is set to halt by CEM. The CIS-CAT Pro Assessor incorrectly shows this as a scan failure. No action is required.
  - 4.1.3.19 Ensure kernel module loading unloading and modification is collected - init_module
    - The control is correctly enforced by CEM. The CIS-CAT Pro Assessor incorrectly shows this as a scan failure. No action is required.
  - 5.2.18 Ensure SSH MaxSessions is set to 10 or less
    - This is set to 10 by default. The CIS-CAT Pro Assessor incorrectly shows this as a scan failure. The scanner is looking for <=4 instead of <=10. No action is required.
General issues and limitations
- Multifactor controls and configurations are outside the scope of CEM for Linux. However, you can set up multifactor authentication for an infrastructure that is protected by CEM for Linux by implementing a network authentication system. For example, you can set up one-time password authentication on the client side by following the instructions in Setting up multi-factor authentication on Linux systems.
- If you are enforcing the DISA STIG standard on the RHEL 7 operating system, the V-204392 auditing control is not working as designed. The control is missing a script that audits file permissions, ownership, and group membership of system files and commands. As a workaround, you can audit file permissions manually.
- Starting with v1.3.0, CEM for Linux implements a new architecture. If you upgrade CEM from v1.2.0 or earlier to v1.3.0 or later, and you encounter errors, try restarting the pe-puppetserver service or restarting or reloading Puppet Server. For instructions, see Restarting Puppet Server.
- You cannot use the iolog_dir option to specify a directory for sudo log files. If you attempt to use the iolog_dir option in the sudoers file to specify a log directory other than the default, errors are reported by the Augeas program. Augeas is a tool used for configuration editing in CEM.
- CEM cannot create file system partitions. This limitation can cause certain scanner checks to fail.
- CEM cannot set permissions on removable media partitions. To set the required permissions on these partitions, ensure that nodev,nosuid,noexec exists in the options portion of /etc/fstab for the partition.
- Support for the eXecute Disable/No eXecute (XD/NX) hardware feature is dependent on the host kernel and cannot be configured by CEM. If you plan to enable XD/NX support, ensure that you are using up-to-date kernels. If you plan to enable XD/NX support on newer kernels, be aware that CEM cannot manage this feature.
- To comply with CIS recommendations, you must prevent root users from logging onto the system console. Because this action requires knowledge of the site, you must configure this control manually by removing entries in /etc/securetty for consoles that are not in secure locations.
- CEM does not enforce authselect controls for CIS 2.0.0 5.4.x on Red Hat Enterprise Linux 8. Enforcement requires site knowledge and can break network authentication. CIS recommends that you do not enforce this control. CEM includes a Bolt task, audit_authselect, to audit these controls.
- You can configure the ensure_nodev_option_set_on_home_partition control only if the /home setting is mounted on its own partition. Puppet does not create a partition for /home.
- If your system is running on Red Hat Enterprise Linux 8:
  - The ensure_nis_server_is_not_installed control is dependent on ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked. If you enforce ensure_nis_server_is_not_installed, you must also enforce ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked.
  - The ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked control is dependent on ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked. If you do not enforce ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked, you must also not enforce ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked.
  - The ensure_the_running_and_on_disk_configuration_is_the_same control is always enforced if auditd is managed by CEM.
- The ensure_users_must_provide_password_for_escalation control is disabled by default. You might want to enable this control to help ensure CIS compliance. However, a potential risk exists: It is possible that removing NOPASSWD: from sudoers files could invalidate the syntax of those files and break system authentication. If you accept the risk and want to enable this control, set the top-level configuration option enable_nopasswd_sudo_prune to true.
- If your system is running on Red Hat Enterprise Linux 7 or CentOS 7:
  - The ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked control is dependent on ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked. If you enforce ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked, you must also enforce ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked.
- The disable_wireless_interfaces control requires that you install the NetworkManager package and that the service is running.
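
The removable-media limitation above leaves the nodev,nosuid,noexec check on /etc/fstab to the administrator. The following is an added example, not part of CEM or its documentation, that audits fstab text for those three options. The sample fstab content, device names, and mount points are constructed for illustration.

```python
"""Audit fstab entries for the nodev, nosuid and noexec mount options."""

REQUIRED = ("nodev", "nosuid", "noexec")

# Constructed sample input, not taken from a real host.
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
UUID=0a1b-2c3d   /                    xfs      defaults                    0 0
/dev/sdb1        /media/usb           vfat     noauto,nodev,nosuid,noexec  0 0
/dev/sr0         /media/cdrom         iso9660  ro,noauto,nodev             0 0
/dev/sdc1        /mnt/backup\\040disk  ext4     rw,nosuid,nodevice          0 0
"""


def parse_fstab(text):
    """Yield (mount_point, options) for every filesystem line in fstab text."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: fstab needs at least four fields
        # fstab encodes a space inside a path as the octal escape \040
        mount_point = fields[1].replace("\\040", " ")
        # Compare whole option names so that "nodevice" is not read as "nodev";
        # drop "=value" suffixes such as uid=1000
        options = {opt.split("=", 1)[0] for opt in fields[3].split(",")}
        yield mount_point, options


def missing_options(text, mount_points, required=REQUIRED):
    """Return {mount_point: [missing options]} for the listed mount points."""
    wanted = set(mount_points)
    report = {}
    for mount_point, options in parse_fstab(text):
        if mount_point in wanted:
            report[mount_point] = [o for o in required if o not in options]
    # A mount point with no fstab entry is reported with every option missing
    for mount_point in wanted - set(report):
        report[mount_point] = list(required)
    return report


if __name__ == "__main__":
    # Hypothetical removable-media mount points to audit
    removable = ["/media/usb", "/media/cdrom", "/mnt/backup disk"]
    for mp, missing in sorted(missing_options(SAMPLE_FSTAB, removable).items()):
        status = "OK" if not missing else "missing " + ",".join(missing)
        print(f"{mp}: {status}")
```

To audit a real host, pass the contents of /etc/fstab and the site's own removable-media mount points instead of the sample values.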