Release notes

Review the release notes to learn about updates and resolved issues in the Compliance Enforcement Module (CEM) for Linux.

v1.6.1

Released 16 May 2023

Fixed
  • Fixed an issue that occasionally caused compliance scan failures for users who applied Center for Internet Security (CIS) controls in a Red Hat Enterprise Linux (RHEL) 7 environment. The issue occurred because CIS Control 4.1.15 ‘Ensure system administrator command executions sudo are collected’ did not apply auditd configuration entries. The issue is fixed to ensure that scans run as expected.
  • Fixed an issue that prevented CIS Control 4.1.3.7 ‘Ensure unsuccessful file access attempts are collected’ from being enforced. The issue affected users on RHEL 8, AlmaLinux 8, and Oracle Linux 8 systems. The control is now enforced to ensure that information is collected about unsuccessful attempts to access files. These unsuccessful attempts can indicate that an unauthorized user or process is trying to gain access to the system.
  • Fixed an error that could cause system operations to halt unexpectedly for users on RHEL 7. The issue was caused by an incorrect default setting for CIS Control 4.1.2.3 ‘Ensure system is disabled when audit logs are full.’ The incorrect default setting could cause system operations to halt when disk space for audit logs runs low. The control is now correctly enforced as recommended by CIS: when disk space runs low, an email is sent to the address specified by the 'action_mail_acct' parameter.
  • Implemented a fix to help ensure that the use of privileged programs is monitored on all partitions on RHEL 7 operating systems. Previously, CIS Control 4.1.3.10 ‘Ensure use of privileged commands is collected’ was not fully enforced. The control was only partially enforced because the find command did not descend into all partitions. The fix helps to ensure that all partitions are monitored so that unauthorized use of privileged programs is detected.
  • Fixed an issue that occasionally caused the 10-cem_priv_commands.rules file to be blank. This issue affected users on RHEL operating systems. The issue is fixed to ensure that CEM operates as expected when the user specifies a value of true for the audit_privileged_commands option:
    • If privileged commands exist, the 10-cem_priv_commands.rules file displays the audit rule for that control.
    • If privileged commands do not exist or the privileged commands are ignored, a 10-cem_priv_commands.rules file is not created.
  • Fixed an issue that caused a failure to remove the Automatic Bug Reporting Tool (ABRT). In CEM for Linux v1.6.0, when the remove_automatic_bug_report_tools class was specified to remove ABRT, the tool remained installed. The problem is resolved to ensure that ABRT packages can be removed based on the class specification without further user intervention.

v1.6.0

Released 28 March 2023

Added
  • Enforcement of Center for Internet Security (CIS) Benchmarks on three new operating systems:
    • CIS Benchmark for AlmaLinux 8, v2.0.0, levels 1 and 2
    • CIS Benchmark for Oracle Linux 7, v3.1.1, levels 1 and 2
    • CIS Benchmark for Oracle Linux 8, v2.0.0, levels 1 and 2
  • For users who enforce the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard on Red Hat Enterprise Linux (RHEL) operating systems, CEM now supports several controls that are designed to secure graphical user interfaces (GUIs). The following new GUI controls are enforced:
    • Control V-204397 - The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.
    • Control V-204398 - The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
    • Control V-204399 - The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.
    • Control V-204400 - The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.
    • Control V-204402 - The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.
    • Control V-204403 - The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.
    • Control V-204404 - The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.
    • Control V-204432 - The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
    • Control V-204433 - The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.
    • Control V-204456 - The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.
    • Control V-214937 - The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
    • Control V-219059 - The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.
    • Control V-251718 - The graphical display manager must not be the default target on RHEL 8 unless approved.
    • Control V-230530 - The x86 Ctrl-Alt-Delete key sequence in RHEL 8 must be disabled if a graphical user interface is installed.
    • Control V-230553 - The graphical display manager must not be installed on RHEL 8 unless approved.
    • Control V-244519 - RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
    • Control V-244535 - RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated.
    • Control V-244536 - RHEL 8 must disable the user list at logon for graphical user interfaces.
    • Control V-244538 - RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
    • Control V-244539 - RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
    • Control V-230347 - RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
    • Control V-230351 - RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed.
    • Control V-230352 - RHEL 8 must automatically lock graphical user sessions after 15 minutes of inactivity.
    • Control V-230354 - RHEL 8 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
    • Control V-230329 - Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
    • Control V-230226 - RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
    • Control V-204393 - The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
    • Control V-204394 - The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
    • Control V-204396 - The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
  • The ability to enable controls that are designed to secure a GNOME desktop environment. Users who enforce the DISA STIG standard on a RHEL 7 or 8 operating system can set the top-level manage_gnome option to true to enforce all relevant controls in a GNOME desktop environment. Users who enforce CIS controls in RHEL 7 or 8 or CentOS environments must also specify manage_gnome=true to enable controls for GNOME. For CIS users, the following GNOME controls are added:
    • 1.8.1 - Ensure GNOME Display Manager is removed
    • 1.8.2 - Ensure GDM login banner is configured
    • 1.8.3 - Ensure last logged in user display is disabled
    • 1.8.4 - Ensure XDCMP is not enabled
    • 1.8.5 - Ensure automatic mounting of removable media is disabled
Changed
  • The implementation for DISA STIG Control V-204600 was changed to ensure that the StrictModes=yes setting is explicitly applied to the Secure Shell (SSH) configuration. This setting helps to protect SSH keys. If file system permissions for SSH keys are too lax, SSH authentication fails. The change affects users who enforce DISA STIG in a RHEL 7 environment.
Fixed
  • An issue that caused invalid permissions to be assigned to the audit directory. This issue affected users who enforced the DISA STIG standard on RHEL operating systems. The issue was related to STIG Control V-230471, which helps to ensure that only users with sufficient permissions can specify which events will be audited. The correct permissions are now set on the audit directory.
  • An issue that prevented proper enforcement of STIG Controls V-204614 and V-204615, which are designed to prevent man-in-the-middle attacks. The controls are enforced on RHEL systems to specify whether redirect messages sent with the Internet Control Message Protocol (ICMP) using Internet Control version 4 (IPv4) can be accepted. This issue is corrected to ensure that the ICMP redirect messages are disabled by default for both IPv4 and IPv6.
  • A CEM configuration issue for users who enforce the DISA STIG standard in a RHEL 8 environment. In CEM for Linux v1.5.0, the base class cem_linux::utils::packages::linux::sudo was not included for STIG use in the data/RedHat/RedHat/8.yaml file. The omission resulted in additional configuration steps for some users. The YAML file is now updated to include the missing sudo class.
  • A scan issue for users who enforce the DISA STIG standard on RHEL operating systems. Previously, Controls V-204427 (5.4.12) and V-204428 (5.4.13) were reported as failing in Puppet Comply. Failures were reported even when CEM appeared to correctly enforce the controls. These controls help to protect systems against unauthorized access by limiting the number of failed login attempts. Scans for the controls now report accurate results.

v1.5.2

Released 9 March 2023

Fixed
  • An issue that prevented the CEM for Linux v1.5.1 reference topics from being displayed on Puppet Forge. With the v1.5.2 release, the Reference tab is restored. The topics on the Reference tab for v1.5.2 are applicable to both the v1.5.2 and v1.5.1 releases.

v1.5.1

Released 7 March 2023

Changed
  • A change was introduced to simplify configuration in Red Hat Enterprise Linux (RHEL) 8 environments where the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard is enforced. The update applies to DISA STIG control V-230339, which is designed to limit login attempts and thus help to prevent brute-force attacks. The default directory where login failure records are kept can now be changed.
Fixed
  • An issue that prevented the OpenSSH server process from starting on RHEL 8 systems. The issue affected users who enforced the DISA STIG standard. When a value of FUTURE was set for cryptographic policies to help prevent malware attacks, the OpenSSH process failed with the following error message:
    Extra argument FUTURE.
  • An issue that prevented users from running the system account task from the Puppet Enterprise (PE) console. Previously, attempts to run the task resulted in error messages about missing metadata. With the fix applied, users can run the cem_linux::system_account task from the PE console to view system accounts.
  • An issue that caused an error message pertaining to the audit.rules file. The issue was seen on RHEL operating systems after an upgrade to CEM for Linux v1.5.0. The following error message was issued:
    Could not stat /etc/audit/rules.d/audit.rules

    To resolve the issue, the CEM for Linux module was updated to reference all existing files in /etc/audit/rules.d/ directory.

  • An issue that caused a failure to audit sudo log files. When events pertaining to a sudo log file are collected, system administrators can review the events to detect whether unauthorized commands were run. The issue, which affected users on RHEL 8 systems, was caused by a failure to enforce Center for Internet Security (CIS) Control 4.1.3.3. The control is now enforced.
  • A failure to enable GNU Privacy Guard (GPG) checks for downloaded packages on RHEL 8 operating systems. CIS Benchmark Control 1.2.3 ("Ensure gpgcheck is globally activated") is designed to ensure that downloaded packages from the RPM package management tool are checked. However, these checks failed to occur because the repo_files parameter associated with the CIS control does not specify the YUM files that are used to manage RHEL packages. The fix ensures that GPG checks will be enabled on a per-repository basis for each file that is listed in the repo_files parameter.
  • An issue that can cause configuration problems in RHEL 8 environments where DISA STIG standards are enforced. Because of the issue, the following top-level parameters for the Grub2 bootloader could not be set: cem_linux::regenerate_grub2_config, cem_linux::set_grub2_password, cem_linux::grub2_superuser, and cem_linux::grub2_superuser_password. The issue was resolved to ensure that the parameters can be set, and the values are applied.
  • A configuration issue that affects the security of messages when DISA STIG standards are applied in a RHEL 8 environment. The issue pertains to STIG control V-230245, which is designed to ensure that unauthorized persons cannot access system messages. Security is enforced by setting a permissions mode for access to the /var/log/messages file. The issue occurred because the resource data for STIG control V-230245 specified a value of directory instead of file. The issue was fixed to ensure that permissions are set for the messages file. The fix also ensures that a /var/log/messages directory is not created inadvertently.
  • An issue that can cause configuration problems for users who attempt to enforce the DISA STIG standard in a RHEL 8 environment. The issue was caused by extraneous text in the cem_linux/manifests/utils/bootloader/grub2/fips.pp file. The extraneous text, a Universal Unique Identifier of 6484, is now removed.

v1.5.0

Released 14 February 2023

Added
  • Enforcement of the DISA STIG standard on Red Hat Enterprise Linux (RHEL) 8 operating systems:
    • The Security Technical Implementation Guide (STIG) standard was developed by the US Defense Information Systems Agency (DISA). DISA STIG compliance is required for some infrastructures managed by the US government. On RHEL 8, the following DISA STIG standard is supported: Red Hat Enterprise Linux 8 STIG, Version 1, Release 8.
    • For the RHEL 8 operating system, STIG can be enabled by adding the following Hiera data to the control repository:
      cem_linux::benchmark: 'stig'
    • STIG supports Mission Assurance Category (MAC) levels 1, 2, and 3 and their associated “public,” “sensitive,” and “classified” profiles. STIG controls can be configured with their vulnerability ID (V-nnn) or rule ID (SV-nnn).
    • For a list of supported STIG controls and configurations, see the CEM Linux Reference.
  • New top-level configuration option, disable_package_gpgcheck. By enabling this option, you disable GNU Privacy Guard (GPG) checks of downloaded packages. Disabling GPG checks can be helpful in rare cases if you enable more stringent system encryption standards, such as the Federal Information Processing Standards (FIPS). These standards can introduce stricter criteria than are normally available for GPG package signatures. If GPG and more stringent criteria are applied simultaneously, package downloads can fail. Specify the disable_package_gpgcheck=true setting only when necessary. Enabling this option can make your infrastructure less secure.
Fixed
  • An error that occasionally prevented system startups and that caused failures of the Internet Control Message Protocol (ICMP) was resolved. The error was identified in the Puppet manifest file disable_icmp_redirects.pp, which specifies whether messages sent with ICMP can be redirected. In the file, extraneous text is now commented out.
  • An issue with the cem::utils::boot_fstab_entry class was fixed to help ensure that Puppet runs would not overwrite user-specified settings.

v1.4.3

Released 15 December 2022

Fixed
  • Fixed an issue that resulted in catalog compilation errors on the Red Hat Enterprise Linux (RHEL) 7 operating system. The issue, caused by a duplicate instance of control V-204450 in the YAML file, resulted in error messages like the following:
    Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server 
Error: Evaluation Error: Error while evaluating a Function Call, CEM: 
cem_create_resources: failed  
resource: class
  • Fixed an issue related to Center for Internet Security (CIS) Control 4.1.3.6 in a RHEL 8 environment. When Control 4.1.3.6 is enabled, privileged programs are monitored to determine whether unauthorized users are trying to gain access. However, when Control 4.1.3.6 was enabled on systems using the Postfix mail transfer agent, two setuid binary files (postdrop and postqueue) were not being added to the auditd monitor list. The issue is corrected so that scans can run successfully.
  • Fixed an issue related to CIS Control 1.5.3 in a RHEL environment. Control 1.5.3 is designed to ensure that address space layout randomization (ASLR) is enabled. ASLR randomly arranges the address space of data areas in processes to help protect system security. Enforcement for Control 1.5.3 was available in a RHEL 7 environment but was missing from RHEL 8. The control is now available to RHEL 8 users.
  • Fixed an issue that affects users of the RHEL 7 operating system and pertains to control V-204444. When enabled, the control helps to prevent non-privileged users from initiating privileged functions such as disabling, circumventing, or altering security safeguards. However, after a system administrator specified the privileged users (resources) for control V-204444 and scans were run, the Puppet agent overwrote the resource list on each run. The issue is fixed to ensure that the resource list is not overwritten.
  • Fixed an issue that caused scan failures for CIS Control 4.1.16, ‘Ensure kernel module loading and unloading is collected,’ in a RHEL 7 environment. When this control is enforced, the process of loading and unloading kernel modules is monitored to help detect unauthorized access to the system. Users of RHEL 7 found that Control 4.1.16 failed scans even when the control was correctly configured. The issue is corrected so that scans can run successfully.

v1.4.2

Released 8 November 2022

Added
  • Added the ability to configure multiple rsyslog remote hosts to CEM for Linux. In previous releases, only single remote hosts were fully configurable. This software update simplifies the process of using the rsyslog software utility to forward logs to remote servers.
  • Added an audit script for the V-204392 control, which is included in a Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) standard. The DISA STIG control helps to ensure that file permissions, ownership, and group membership of system files and commands match vendor values. You can use the new audit script to troubleshoot issues related to the control.
Changed
  • Updated the Advanced Intrusion Detection Environment (AIDE) utility class to add support for the cron scheduling utility. As a result, AIDE scans can be scheduled by using a cron task rather than systemd timers.
  • Updated CEM for Linux to ensure that the nullok option cannot be included in the system-auth file. The nullok option determines whether users can access a service with a blank password. This software update is designed to prevent unauthorized access to the system.
Fixed
  • Fixed an issue that prevented certificates from being checked for Public Key Infrastructure (PKI) authentication. This software update affects users who are enforcing DISA STIG controls on a Red Hat Enterprise Linux (RHEL) operating system.
  • Fixed an issue to help ensure that any new password must contain at least 8 characters that differ from the previous password. This software update affects users who are enforcing DISA STIG controls on a RHEL operating system.
  • Fixed an issue related to the Center for Internet Security (CIS) Red Hat Enterprise Linux 8 Benchmark 2.0.0, Control 3.3.2: Ensure ICMP redirects are not accepted. This software update helps to ensure that the control is enforced so that Internet Control and Error Message Protocol redirects are prevented.
  • Fixed an issue that caused the cem_semanage fact to run and log errors on an unsupported operating system, RHEL 6. semanage is a Security-Enhanced Linux (SELinux) management tool.
  • Fixed an issue that caused catalog compilation errors when users selected the Network Time Protocol (NTP) synchronization service.

v1.4.1

Released 24 October 2022

Fixed
  • Fixed an issue that prevented the cem_mount_info fact from resolving on Puppet Enterprise (PE) versions 2019.x.x. The issue prompted the following error message: 
    Facter: error while resolving custom facts...
    To resolve the issue, you can install CEM Linux v1.4.1. To help avoid the issue, you can install the latest version of PE.

v1.4.0

Released 20 October 2022

Added
  • Support for the DISA STIG standard on Red Hat Enterprise Linux (RHEL) 7:
    • For the first time, CEM supports a Security Technical Implementation Guide (STIG) standard developed by the US Defense Information Systems Agency (DISA). DISA STIG compliance is required for some infrastructures managed by the US government. On RHEL 7, the following DISA STIG standard is supported: Red Hat Enterprise Linux 7 STIG, Version 3, Release 8.
    • For the RHEL 7 operating system, STIG can be enabled by adding the following Hiera data to the control repository: 
      cem_linux::benchmark: 'stig'
    • STIG supports Mission Assurance Category (MAC) levels 1, 2, and 3 and their associated “public,” “sensitive,” and “classified” profiles. STIG controls can be configured with their vulnerability ID (V-nnn) or rule ID (SV-nnn).
    • To support STIG controls that require information audits, new Bolt tasks were added.
    • The following new Facter facts were added: cem_mount_info, cem_nfs_exports, cem_semanage, and cem_sssd_domains.
    • For a list of supported STIG controls and configurations, see the CEM Linux Reference.
Changed
  • The product documentation was revised to improve usability and retrievability:
    • The changelog was migrated from Puppet Forge to the central location for Puppet documentation, Puppet Docs. The changelog was renamed to Release notes.
    • The readme file was transformed into a series of topics with a structure similar to other Puppet documentation. The CEM topics can now be viewed on Puppet Docs, starting with Introducing the Compliance Enforcement Modules.
    • The Reference, Tasks, and Dependencies documentation, which is generated automatically, remains on Puppet Forge.
  • To facilitate the implementation of DISA STIG standards, new parameters were introduced for some resources. The new parameters do not affect default configurations and are backward compatible with previous user configurations. All parameters are documented in the CEM Linux Reference.
Fixed
  • Fixed an issue that caused the auditd service to restart multiple times. The problem was caused by an incorrect sequence when setting a rule for immutable configuration.
  • Fixed an issue that caused catalog compilations to fail although the specified configuration was valid. The failures occurred when certain time-server options were specified for the chrony implementation of the Network Time Protocol.

v1.3.2

Released 8 September 2022

Added
  • The Ensure core dump storage is disabled and Ensure core dump backtraces are disabled controls are now enforced on Red Hat Enterprise Linux (RHEL) 8 systems.
  • Added a new enforcement mode, disabled, so that you can disable Security Enhanced Linux (SELinux) in your environment.
Changed
  • The Ensure audit log is disabled when audit logs are full control is updated to halt the machine when the audit log is full. This change helps to ensure better compliance with Center for Internet Security (CIS) recommendations.
  • To simplify configuration, the ntp and chrony classes were combined into the timesync class.
Fixed
  • The Disable USB Storage control is updated to work as designed.
  • The regular expression for matching Linux username patterns is updated to accept capital letters.
  • Rules in the /etc/auditd/rules.d directory are now loaded by using the augenrules --load command. This fix helps to ensure that all rule files within the directory are loaded into the kernel.
  • Fixed the per-resource ordering process by using the correct metaparameter before instead of subscribe.
  • Fixed a parsing error for chrony that caused catalog compilation failures.
  • Fixed a command injection vulnerability that could occur when unsanitized user input was used in the command, onlyif, or unless parameters of an exec resource.
  • Fixed an issue with the permissions of Secure Shell (SSH) host private keys to ensure that the permissions are sufficiently restrictive.
  • Fixed the cem_systemctl feature to return a result of false without error messages in Puppet run logs when the feature is evaluated on Microsoft Windows machines.
  • Fixed an issue with the cem_mta fact that caused errors in RHEL 6.

v1.3.1

Released 18 August 2022

Fixed
  • Controls that configure journald now properly configure the journald.conf file.
  • The cem_coredump fact will no longer attempt to resolve on nodes that do not support systemctl.
  • The cem_grub_cfg fact will now identify the correct GRUB2 configuration file on Red Hat Enterprise Linux (RHEL).
  • The Center for Internet Security (CIS)-specific parameters enable_systemd_journal and enable_nopasswd_sudo_prune now function correctly.
  • Fixed how Ruby code is loaded during Continuous Delivery for Puppet Enterprise impact analysis. This update fixes a bug that caused impact analysis to fail after upgrading CEM for Linux to v1.3.0.
  • Fixed invalid default parameter values that caused catalog compilation failures when enforcing the control ensure_password_creation_requirements_are_configured.
  • Fixed a duplicate resource defaults statement that caused catalog compilation failures when selecting ntp as the time synchronization service.

v1.3.0

Released 3 August 2022

Changed
  • The core architecture for the module has changed. These changes should be transparent to the user. However, using Hiera automatic parameter lookup to set configurations directly on classes in the cem_linux::benchmarks::controls::* namespace will no longer work. This configuration method was not supported previously, and with the new architecture those classes have been removed and replaced with module Hiera data.
  • For more information on the new architecture, see Configuring CEM.
  • The Reference: Benchmarks and controls was revised to improve usability. Sample configurations are provided for each supported control.
Fixed
  • Added proper containment to the cem_coredump fact so that it will no longer run on operating systems that do not support it.
  • Fixed how Network Time Protocol (NTP) options are handled. This fix resolves failures that occurred when using certain timeserver options.

v1.2.0

Released 24 May 2022

Added
  • Added the Center for Internet Security (CIS) Level 2 Server profile for Red Hat Enterprise Linux (RHEL) 7.
Changed
  • Updated the CIS RHEL 8 benchmark to version 2.0.0.
  • Removed support for CentOS 8 because the operating system has reached End of Life (EOL). CEM for Linux has never supported CentOS Stream, and with non-stream CentOS 8 being EOL, support for it was removed entirely.
Fixed
  • Fixed an issue that prevented the coredump configuration setting from being properly enforced. Now, you can use the module to configure core dumps.
  • Fixed an issue related to file system mount points, which were not properly remounted after changes in mount-option enforcement. This issue prevented certain configuration changes from being applied.

v1.1.4

Released 25 March 2022

Changed
  • Updated the audit_user_homedir task to prevent the task from modifying permissions on top-level directories: /boot, /boot/, /etc, /lib, /lib64, /proc, /proc/, /home, /opt, /tmp, /var, and /srv/. The audit_user_homedir task can still modify permissions on subdirectories within the listed directories, except for /boot and /proc.
  • In the audit_user_homedir task, added rtkit to the list of ignored usernames. Because rtkit is a system user, CIS states that the home directory permissions for rtkit should not be audited.

v1.1.3

Released 24 March 2022

Fixed
  • Fixed a bug in the audit_user_homedir task to prevent the inadvertent modification of permissions on bin directories: /bin, /sbin, /usr/bin, and /usr/sbin.

v1.1.2

Released 16 March 2022

Added
  • Added a section to the CEM Reference about configuring chrony/ntp time servers.
Changed
  • Expanded the range of versions in the metadata.json file so that users can install the latest modules to meet dependency requirements.
Fixed
  • Fixed a bug in the cem_linux::utils::timesync configuration option that caused Puppet run failures when Network Time Protocol (NTP) was selected for time synchronization.
  • Fixed a bug that caused a Puppet run failure during attempts to use a template to provide the Message of the Day (MOTD).
  • Fixed a bug relating to unsupported options in the auditd config template on Red Hat Enterprise Linux (RHEL) 7. The bug caused startup failures for the auditd service.

v1.1.1

Released 25 January 2022

Fixed
  • Fixed an issue related to non-idempotent resources when managing permissions for the Grub2 bootloader configuration. This issue affected Red Hat Enterprise Linux (RHEL) systems that did not use Extensible Firmware Interface (EFI) mode.

v1.1.0

Released 14 December 2021

Added
  • Enforcement for Center for Internet Security (CIS) Red Hat Enterprise Linux (RHEL) 8 Server Level 2 recommendations.
  • Updates related to bootloader configurations. Configurations, including password settings, can now be managed through the CEM module on systems that use the grub2 bootloader. You can also opt in to automatically regenerate the bootloader config files after changes are made. For details, see the CEM for Linux readme file.
  • Permissions management for log files in the /var/log directory is now available in the module. Previously, you had to run a Bolt task to manage permissions for log files. Because this feature is now supported natively, the Bolt task cem_linux::logfile_permissions was removed.
  • Added a new fact, cem_grub_cfg. This fact contains information related to general grub configuration on the machine.
Changed
  • Replaced the camptocamp-systemd module with the supported puppet-systemd module. To help ensure compatibility, you must update your Puppetfile to use the puppet-systemd module v3.5.0 or later.
  • The cem_uefi_boot fact was changed to cem_efi and more information was added to the fact. The new name is more representative because the fact now includes boot and other information.
Restriction
  • When you scan a node with Puppet Comply after applying CEM, some recommendations that are enforced by CEM might be reported as having failed the scan. This issue is due to bugs in the CIS-CAT Pro Assessor that is used by Comply. For more information, see the readme file.

v1.0.0

Released 28 September 2021

This is the initial public release of CEM for Linux.

Known issues and limitations

The current release includes known issues and limitations. In most cases, workarounds are provided.

Comply scan issues

During a Comply scan, you might see errors about Center for Internet Security (CIS) recommended guidelines that are not enforced. These error messages are triggered by bugs in the CIS-CAT Pro Assessor that is bundled with Comply. CEM does correctly enforce these settings.

The following Comply scan errors might be reported:
  • Red Hat Enterprise Linux (RHEL) Benchmark v2.0.0:
    • 1.4.2 - Ensure permissions on bootloader are configured
      • On EFI systems, the script that was run by the CIS-CAT Pro Assessor did not locate the correct grub file path. Permissions are set correctly by CEM. No action is required.
    • 1.4.1 - Ensure bootloader password is set
      • On EFI systems, the script that was run by the CIS-CAT Pro Assessor did not locate the correct grub file path. It is not mandatory to set a bootloader password. However, if you want to set a password to protect your system against unauthorized startup, follow the instructions in Set a bootloader password.
    • 4.1.2.3 Ensure system is disabled when audit logs are full
      • This is set to halt by CEM. The CIS-CAT Pro Assessor incorrectly shows this as a scan failure. No action is required.
    • 5.2.18 Ensure SSH MaxSessions is set to 10 or less
      • This is set to 10 by default. The CIS-CAT Pro Assessor incorrectly shows this as a scan failure. The scanner is looking for <=4 instead of <=10. No action is required.

General issues and limitations

  • If you run CEM for Linux on Oracle Linux 7, Oracle Linux 8, or AlmaLinux 8, two Puppet runs might be required to ensure that the required intentional changes, corrective changes, or both are made on the nodes in the infrastructure. Subsequent Puppet runs are idempotent.
  • CEM for Linux v1.6.0 provides limited support for the System Security Services Daemon (SSSD), which manages access to remote directory services and authentication mechanisms. However, the following US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) controls are not implemented:
    • Control V-230274 - RHEL 8 must implement certificate status checking for multifactor authentication.
    • Control V-230372 - RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.
    • Control V-230376 - RHEL 8 must prohibit the use of cached authentications after one day.
  • The DISA STIG standard for RHEL 8 includes controls that help to manage and secure removable media file systems. Support for the related controls is currently outside the scope of CEM for Linux. As a result, the following controls are not enforced:
    • Control V-230303 - RHEL 8 must prevent special devices on file systems that are used with removable media.
    • Control V-230304 - RHEL 8 must prevent code from being executed on file systems that are used with removable media.
    • Control V-230305 - RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
  • The DISA STIG standard for RHEL 8 includes controls related to the file access policy (fapolicy) module, which helps to ensure that only authorized applications can be run on a system. The fapolicy module must be configured with caution because improper configuration can result in a non-functional system. Because of the potential risk to system operations, controls related to the fapolicy module are currently outside the scope of CEM for Linux. The following controls are not enforced:
    • Control V-230523 - The RHEL 8 fapolicy module must be installed.
    • Control V-244545 - The RHEL 8 fapolicy module must be enabled.
    • Control V-244546 - The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
  • The DISA STIG standard for the RHEL 8 operating system includes Control V-230478, which is designed to ensure that RHEL 8 has the required encryption packages to securely offload audit logs. Control V-230478 checks whether the rsyslog-gnutls encryption package is enabled. Because some users might be using a different encryption package, CEM for Linux has a default value of false for Control V-230478. As a result, the rsyslog-gnutls package is not installed by default.
  • Multifactor controls and configurations are outside the scope of CEM for Linux. However, you can set up multifactor authentication for an infrastructure that is protected by CEM for Linux by implementing a network authentication system. For example, you can set up one-time password authentication on the client side by following the instructions in Setting up multi-factor authentication on Linux systems.
  • If you are enforcing the DISA STIG standard on the RHEL 7 operating system, the V-204392 auditing control is not working as designed. The control is missing a script that audits file permissions, ownership, and group membership of system files and commands. As a workaround, you can audit file permissions manually.
  • Starting with v1.3.0, CEM for Linux implements a new architecture. If you upgrade CEM from v1.2.0 or earlier to v1.3.0 or later, and you encounter errors, try restarting the pe-puppetserver service or restarting or reloading Puppet Server. For instructions, see Restarting Puppet Server.
  • You cannot use the iolog_dir option to specify a directory for sudo log files. If you attempt to use the iolog_dir option in the sudoers file to specify a log directory other than the default, errors are reported by the Augeas program. Augeas is a tool used for configuration editing in CEM.
  • CEM cannot create file system partitions. This limitation can cause certain scanner checks to fail.
  • CEM cannot set permissions on removable media partitions. To set the required permissions on these partitions, ensure that nodev,nosuid,noexec exists in the options portion of /etc/fstab for the partition.
  • Support for the eXecute Disable/No eXecute (XD/NX) hardware feature is dependent on the host kernel and cannot be configured by CEM. If you plan to enable XD/NX support, ensure that you are using up-to-date kernels. If you plan to enable XD/NX support on newer kernels, be aware that CEM cannot manage this feature.
  • To comply with CIS recommendations, you must prevent root users from logging onto the system console. Because this action requires knowledge of the site, you must configure this control manually by removing entries in /etc/securetty for consoles that are not in secure locations.
  • CEM does not enforce authselect controls for CIS 2.0.0 5.4.x on Red Hat Enterprise Linux 8. Enforcement requires site knowledge and can break network authentication. CIS recommends that these controls not be enforced in specific environments. For example, the controls should not be enforced if the node is joined to an Active Directory domain or to Red Hat Identity Management. If you enforce authselect controls, you must ignore all other controls that affect authentication and use a predefined authselect profile or manage a custom profile. For more information, see Options specific to Red Hat Enterprise Linux 8. CEM includes a Bolt task, audit_authselect, to audit these controls.
  • You can configure the ensure_nodev_option_set_on_home_partition control only if the /home setting is mounted on its own partition. Puppet does not create a partition for /home.
  • If your system is running on Red Hat Enterprise Linux 8:
    • The ensure_nis_server_is_not_installed control is dependent on ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked. If you enforce ensure_nis_server_is_not_installed, you must also enforce ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked.
    • The ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked control is dependent on ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked. If you do not enforce ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked, you must also not enforce ensure_nfs_utils_is_not_installed_or_the__nfs_server_service_is_masked.
    • The ensure_the_running_and_on_disk_configuration_is_the_same control is always enforced if auditd is managed by CEM.
  • The ensure_users_must_provide_password_for_escalation control is disabled by default. You might want to enable this control to help ensure CIS compliance. However, a potential risk exists: It is possible that removing NOPASSWD: from sudoers files could invalidate the syntax of those files and break system authentication. If you accept the risk and want to enable this control, set the top-level configuration option enable_nopasswd_sudo_prune to true.
  • If your system is running on Red Hat Enterprise Linux 7 or CentOS 7:
    • The ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked control is dependent on ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked. If you enforce ensure_rpcbind_is_not_installed_or_the__rpcbind_services_are_masked, you must also enforce ensure_nfsutils_is_not_installed_or_the__nfsserver_service_is_masked.
  • The disable_wireless_interfaces control requires that you install the NetworkManager package and that the service is running.