{ "name": "index", "description": "The official (default) index of modules for CFEngine Build", "type": "index", "index": { "all-packages-upgraded": { "alias": "upgrade-all-packages" }, "allow-all-hosts": { "description": "Allows all hosts / IP addresses to connect and fetch policy.", "tags": ["management", "experimental"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "0.0.1", "commit": "85f9aec38783b5a4dac4777ffa9d17fde5054d14", "subdirectory": "management/allow-all-hosts", "steps": ["json def.json def.json"] }, "allow-hosts": { "description": "Allows specific hosts (by IP / subnet) to connect and fetch policy.", "tags": ["management", "security", "experimental"], "repo": "https://github.com/olehermanse/cfengine-allow-hosts", "by": "https://github.com/olehermanse", "version": "0.0.2", "commit": "620b4a523d82cb3b50a429b2f8d3511c7efa219c", "steps": ["input ./input.json def.json"], "input": [ { "type": "list", "namespace": "default", "bundle": "def", "variable": "acl", "label": "Allowed hosts", "subtype": { "type": "string", "label": "IP / subnet", "question": "IP / subnet to allow" }, "while": "Do you want to specify more IPs / subnets?" 
} ] }, "ansible": { "alias": "promise-type-ansible" }, "autorun": { "description": "Enables autorun functionality.", "tags": ["supported", "management"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.1", "commit": "c3b7329b240cf7ad062a0a64ee8b607af2cb912a", "subdirectory": "management/autorun", "steps": ["json def.json def.json"] }, "autorun-bundles": { "description": "Enables autorun functionality.", "tags": ["supported", "management"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/nickanderson", "version": "1.0.0", "commit": "e5a43450cf272fe84d4727a33d431c98ffb58bbc", "subdirectory": "management/autorun-bundles", "steps": ["json def.json def.json"] }, "autorun-inputs": { "description": "Enables autorun functionality.", "tags": ["supported", "management"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/nickanderson", "version": "1.0.0", "commit": "e5a43450cf272fe84d4727a33d431c98ffb58bbc", "subdirectory": "management/autorun-inputs", "steps": ["json def.json def.json"] }, "bash-lib": { "alias": "library-for-promise-types-in-bash" }, "cfengine-supported": { "description": "Adds reporting data (inventory) for the support status for the current version of CFEngine.", "tags": ["supported", "inventory", "security"], "repo": "https://github.com/nickanderson/cfengine-supported", "by": "https://github.com/nickanderson", "version": "0.0.1", "commit": "6a09cc850423a063533ffe19e9066753952b9d8d", "steps": [ "copy ./inventory-cfengine-version-support-status.cf services/cfengine-supported/", "json ./cfbs/def.json def.json" ] }, "cir": { "alias": "client-initiated-reporting" }, "client-initiated": { "alias": "client-initiated-reporting" }, "client-initiated-reporting": { "description": "Enables client initiated reporting and disables pull collection.", "tags": ["experimental", "reporting"], "repo": "https://github.com/cfengine/modules", "by": 
"https://github.com/cfengine", "version": "0.1.1", "commit": "c3b7329b240cf7ad062a0a64ee8b607af2cb912a", "subdirectory": "reporting/client-initiated-reporting", "steps": ["json def.json def.json"] }, "compliance-report-imports": { "name": "compliance-report-imports", "description": "Used by other modules to import compliance reports to Mission Portal.", "tags": ["experimental", "cfengine-enterprise"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "0.0.10", "commit": "1afe01806fb18e764f904eda6e3cc49f9c9ff3dd", "subdirectory": "compliance-report-imports", "dependencies": ["autorun"], "steps": ["copy ./compliance-report-imports.cf services/autorun/"] }, "compliance-report-lynis": { "description": "Compliance report with Lynis checks.", "tags": ["experimental", "security", "compliance"], "repo": "https://github.com/nickanderson/cfengine-lynis", "by": "https://github.com/nickanderson", "version": "3.1.1", "commit": "70bdf7be29c890d3bf162a8fe993e8d12eb61388", "subdirectory": "compliance-reports", "dependencies": ["compliance-report-imports", "lynis"], "steps": [ "copy ./generated-compliance-report.json .no-distrib/compliance-report-definitions/lynis-compliance-report.json" ] }, "compliance-report-os-is-vendor-supported": { "name": "compliance-report-os-is-vendor-supported", "description": "Compliance report definition for checking if the current OS version is supported by the vendor.", "tags": ["experimental", "compliance-report", "cfengine-enterprise"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "0.0.4", "commit": "d828be6de5b73b0058e4367c2ab09bda1cf035ca", "subdirectory": "compliance-report-os-is-vendor-supported", "dependencies": ["compliance-report-imports"], "steps": [ "copy ./os-is-vendor-supported.json .no-distrib/compliance-report-definitions/os-is-vendor-supported.json" ] }, "conditional-installer": { 
"description": "Allows you to specify packages you want installed and conditions for where you want them installed, as well as a list of packages you generally want uninstalled.", "tags": ["security", "management", "experimental"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "0.0.1", "commit": "e6c731a9aead018e1c4895f6b77249fa417aa4bd", "subdirectory": "security/conditional-installer", "steps": [ "copy main.cf services/cfbs/modules/conditional-installer/main.cf", "input ./input.json def.json", "bundles conditional_installer:main", "policy_files services/cfbs/modules/conditional-installer/main.cf" ], "input": [ { "type": "string", "variable": "packages_to_uninstall", "namespace": "conditional_installer", "bundle": "main", "label": "Uninstall", "question": "Which package(s) would you like to be uninstalled?" }, { "type": "list", "variable": "packages_to_install", "namespace": "conditional_installer", "bundle": "main", "label": "Install", "subtype": [ { "key": "packages", "type": "string", "label": "Package(s)", "question": "Package(s) to install" }, { "key": "condition", "type": "string", "label": "Condition", "question": "Condition for where to install" }, { "key": "why", "type": "string", "label": "Why", "question": "Why?", "default": "Unknown" } ], "while": "Do you want to specify more packages to be installed?" 
} ] }, "cron-access": { "description": "Limits access to cron-related files in /etc by setting user, group, and permission bits.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "0.0.1", "commit": "e5b64e3bf390b3b27e0efce29af9a1c354ed54f1", "subdirectory": "security/cron-access", "steps": [ "copy cron-access.cf services/cfbs/modules/cron-access/cron-access.cf", "bundles cron_access", "policy_files services/cfbs/modules/cron-access/cron-access.cf" ] }, "cve-2021-3156-sudo": { "description": "Reporting data (inventory) and remediation for CVE-2021-3156, a heap overflow in sudo that allows privilege escalation.", "tags": ["supported", "security", "cve", "sudo"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "0.0.1", "commit": "029ec4eac0d3d9b3bf7c8dc361db71f4796fc101", "subdirectory": "cves/cve-2021-3156-sudo", "steps": [ "copy ./cve-2021-3156-sudo.cf services/security-hardening/cves/cve-2021-3156-sudo/", "json cfbs/def.json def.json" ] }, "cve-2021-44228-log4j": { "description": "Leverages yahoo/check-log4j to scan for files potentially vulnerable to CVE-2021-44228, which allows arbitrary code execution.", "tags": ["supported", "security", "cve", "inventory"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "0.2.0", "commit": "bdc7a16c6e52ff44149eb2abfd510fcee12dd2c1", "subdirectory": "cves/cve-2021-44228-log4j", "steps": [ "copy ./cve-2021-44228-log4j-inventory-log4shell.cf services/security-hardening/cves/cve-2021-44228-log4j/", "json cfbs/def.json def.json" ] }, "default-encrypt-method-sha512": { "description": "Sets the default password hashing algorithm to SHA-512 (encrypt_method in the /etc/login.defs file).", "tags": ["supported", "security"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", 
"by": "https://github.com/nickanderson", "version": "1.0.3", "commit": "124b01041a3d45010ac20912338795e81e2a06fe", "subdirectory": "default-encrypt-method-sha512", "steps": [ "json cfbs/def.json def.json", "copy policy/default-encrypt-method-sha512.cf services/security-hardening/default-encrypt-method-sha512/default-encrypt-method-sha512.cf" ] }, "delete-files": { "description": "Allows you to specify a list of files you want deleted on hosts in your infrastructure. When this module is deployed as part of your policy set, every time CFEngine runs, it will check if those files exist, and delete them if they do.", "tags": ["supported", "management"], "repo": "https://github.com/nickanderson/cfengine-delete-files", "by": "https://github.com/nickanderson", "version": "2.0.0", "commit": "84cce7c5653b6a5f2b5a28ebb33c697ffc676dd4", "steps": [ "copy delete-files.cf services/cfbs/modules/delete-files/delete-files.cf", "input delete-files/input.json def.json", "bundles delete_files:delete_files", "policy_files services/cfbs/modules/delete-files/delete-files.cf" ], "input": [ { "type": "list", "variable": "files", "namespace": "delete_files", "bundle": "delete_files", "label": "Files", "subtype": [ { "key": "path", "type": "string", "label": "Path", "question": "Path to file" }, { "key": "why", "type": "string", "label": "Why", "question": "Why should this file be deleted?", "default": "Unknown" } ], "while": "Specify another file you want deleted on your hosts?" 
} ] }, "delete-home-dotrhosts": { "description": "Ensures that ~/.rhosts files are not present, as they present a security risk.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/nickanderson", "version": "1.0.0", "commit": "9a28d03dbb1f62401c9b4c898524f8304f93fd19", "subdirectory": "security/delete-home-dotrhosts", "steps": [ "copy policy/main.cf services/cfbs/delete-home-dotrhosts/", "policy_files services/cfbs/delete-home-dotrhosts/", "bundles delete_home_dotrhosts:main" ] }, "delete-home-dotshosts": { "description": "Ensures that ~/.shosts files are not present, as they present a security risk.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/nickanderson", "version": "0.0.4", "commit": "8bb6e0703139ffc979159b7a2d2750f08b80b497", "subdirectory": "security/delete-home-dotshosts", "steps": [ "copy policy/main.cf services/cfbs/delete-home-dotshots/", "policy_files services/cfbs/delete-home-dotshots/", "bundles delete_home_dotshosts:main" ] }, "demo": { "description": "Enables convenient and insecure settings for demoing CFEngine.", "tags": ["management", "experimental"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.0", "commit": "05bf5e5b1c014018a7b93a524e035c1a21bcffa4", "subdirectory": "management/demo", "dependencies": ["autorun", "every-minute"], "steps": ["json def.json def.json"] }, "disable-prelinking": { "description": "Disables prelinking.", "tags": ["supported", "security"], "repo": "https://github.com/larsewi/cfengine-prelinking-disabled", "by": "https://github.com/larsewi", "version": "1.0.3", "commit": "4b309622404e6a6e989989a229fe780bec029de5", "dependencies": ["autorun"], "steps": [ "copy ./disable_prelinking.cf services/autorun/disable_prelinking.cf" ] }, "disable-recommendations": { "description": "Disable all recommendations emitted from the 
Masterfiles Policy Framework (MPF).", "tags": ["supported", "management"], "repo": "https://github.com/cfengine/modules/", "by": "https://github.com/nickanderson", "version": "1.0.0", "commit": "b3af8bf726c66ee7f190fdb6884f100ad91082e8", "subdirectory": "management/disable-recommendations", "steps": ["json def.json def.json"] }, "disable-automatic-key-trust": { "description": "Makes the hub / policy server stop accepting new keys automatically.", "subdirectory": "management/disable-automatic-key-trust", "version": "1.0.0", "commit": "5fed175857e2fd6a65e1d0f74ab2dddd30653e2c", "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "tags": ["management", "security", "supported"], "steps": ["json def.json def.json"] }, "enable-aslr": { "description": "Ensures that Address space layout randomization (ASLR) is enabled on the system.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/craigcomstock", "version": "1.0.0", "commit": "6805332200dd48db54c61178c90bf2374c5d8fca", "subdirectory": "security/enable-aslr", "steps": [ "copy enable-aslr.cf services/cfbs/modules/enable-aslr/enable-aslr.cf", "bundles enable_aslr", "policy_files services/cfbs/modules/enable-aslr/enable-aslr.cf" ] }, "etc-issue-access": { "description": "Limits access to the /etc/issue file by setting user, group, and permission bits.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "0.0.1", "commit": "36ff5729aeba97d72bdadfdb53bb4cc19c81f900", "subdirectory": "security/etc-issue-access", "steps": [ "copy etc-issue-access.cf services/cfbs/modules/etc-issue-access/etc-issue-access.cf", "bundles etc_issue_access", "policy_files services/cfbs/modules/etc-issue-access/etc-issue-access.cf" ] }, "etc-issue-content": { "description": "Manages the content of /etc/issue and provides limited inventory of its 
content.", "tags": ["supported", "security", "compliance", "inventory"], "repo": "https://github.com/nickanderson/cfengine-etc_issue_content", "by": "https://github.com/nickanderson", "version": "1.0.0", "commit": "7fe7ba868ca5d2ad1a39311d85af6fbb27ee77a8", "steps": [ "copy main.cf services/cfbs/modules/etc-issue-content/main.cf", "bundles etc_issue_content:main", "policy_files services/cfbs/modules/etc-issue-content/main.cf", "input etc-issue-content/input.json def.json" ], "input": [ { "type": "string", "variable": "body", "namespace": "etc_issue_content", "bundle": "main", "label": "Text", "question": "What is the content that should be in /etc/issue?" } ] }, "etc-motd-access": { "description": "Limits access to the /etc/motd file by setting user, group, and permission bits.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "0.0.1", "commit": "2c54a98a05bb0315c7a5b9b2edf17a629f151563", "subdirectory": "security/etc-motd-access", "steps": [ "copy etc-motd-access.cf services/cfbs/modules/etc-motd-access/etc-motd-access.cf", "bundles etc_motd_access", "policy_files services/cfbs/modules/etc-motd-access/etc-motd-access.cf" ] }, "every-minute": { "description": "Makes policy fetching, evaluation, and reporting happen every minute.", "tags": ["management", "experimental"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.0-1", "commit": "74b6776ca4e120285f9c44e68ccf79eef84accfd", "subdirectory": "management/every-minute", "steps": ["json def.json def.json"] }, "file-permissions": { "description": "Manages file permissions, allowing you to specify permission bits for different paths.", "tags": ["management"], "repo": "https://github.com/nickanderson/cfengine-file-permissions", "by": "https://github.com/nickanderson", "version": "0.2.0", "commit": "b307d1b2b002dc7e32d29702f3fddc6d4832c9ec", "steps": [ "copy 
file-permissions.cf services/cfbs/modules/file-permissions/file-permissions.cf", "input file-permissions/input.json def.json", "bundles file_permissions:file_permissions", "policy_files services/cfbs/modules/file-permissions/file-permissions.cf" ], "input": [ { "type": "list", "variable": "files", "namespace": "file_permissions", "bundle": "file_permissions", "label": "Files", "subtype": [ { "key": "path", "type": "string", "label": "Path", "question": "Path to file" }, { "key": "mode", "type": "string", "label": "Permissions", "question": "Permission bits (octal)", "default": "600" }, { "key": "why", "type": "string", "label": "Why", "question": "Why do these permissions matter?", "default": "Unknown" } ], "while": "Manage permission of another file?" } ] }, "ftp-server-not-installed": { "alias": "uninstall-ftp" }, "git": { "alias": "promise-type-git" }, "groups": { "alias": "promise-type-groups" }, "http": { "alias": "promise-type-http" }, "install-aide": { "description": "Ensures the AIDE (Advanced Intrusion Detection Environment) software is installed.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "0.0.1", "commit": "9bb26f99ba377f85f7211d05bf54e71d89711d1a", "subdirectory": "security/install-aide", "steps": [ "copy install-aide.cf services/cfbs/modules/install-aide/install-aide.cf", "bundles install_aide", "policy_files services/cfbs/modules/install-aide/install-aide.cf" ] }, "inventory-clamav": { "description": "Adds reporting data (inventory) for useful information from ClamAV (version, definitions version, definitions date).", "tags": ["supported", "inventory", "security"], "repo": "https://github.com/nickanderson/cfengine-inventory-clamav", "by": "https://github.com/nickanderson", "version": "1.1.0", "commit": "b7de8aed5fba718a88ca008c09fabd152c56df24", "steps": [ "copy policy/main.cf services/inventory-clamav/main.cf", "json cfbs/def.json def.json" ] }, 
"inventory-etc-hosts": { "description": "Adds reporting data (inventory) for entries from the /etc/hosts file.", "tags": ["supported", "inventory"], "repo": "https://github.com/nickanderson/cfengine-inventory-etc-hosts", "by": "https://github.com/nickanderson", "version": "0.1.3", "commit": "c4cac4bfa0f2c0a6caf83517dcaaaf17e70808a0", "steps": [ "copy policy/main.cf services/inventory-etc-hosts/main.cf", "json cfbs/def.json def.json" ] }, "inventory-etc-login-defs": { "name": "inventory-etc-login-defs", "description": "Adds reporting data (inventory) for useful bits from the /etc/login.defs file.", "tags": ["supported", "inventory"], "repo": "https://github.com/nickanderson/cfengine-inventory-etc-login-defs", "by": "https://github.com/nickanderson", "version": "0.0.4", "commit": "37670ddd6a92022e895ac191b821e4de6794ac34", "steps": [ "copy ./inventory-etc-login-defs.cf services/inventory-etc-login-defs/inventory-etc-login-defs.cf", "json cfbs/def.json def.json" ] }, "inventory-fips-mode-setup": { "description": "Adds reporting data (inventory) for the status of fips-mode-setup.", "tags": ["supported", "inventory"], "repo": "https://github.com/nickanderson/cfengine-inventory-fips-mode-setup", "by": "https://github.com/nickanderson", "version": "0.1.2", "commit": "e6eb16c5d25ccfc96ae763480643189a5f474f69", "steps": [ "copy policy/main.cf services/inventory-fips-mode-setup/main.cf", "json augments.json def.json" ] }, "inventory-kernel-boot-params": { "description": "Adds reporting data (inventory) for kernel parameters set during system boot.", "tags": ["supported", "inventory"], "repo": "https://github.com/nickanderson/cfengine-inventory-kernel-boot-params", "by": "https://github.com/nickanderson", "version": "0.1.2", "commit": "ab79409970b97831cfb9552d98ca6a8f455e11d4", "steps": [ "copy policy/main.cf services/inventory-kernel-boot-params/main.cf", "json augments.json def.json" ] }, "inventory-kernel-settings-sysctl-conf": { "description": "Adds reporting data 
(inventory) for settings from the /etc/sysctl.conf file.", "tags": ["inventory", "kernel"], "repo": "https://github.com/nickanderson/cfengine-sysctl", "by": "https://github.com/nickanderson", "version": "1.0.0", "commit": "69149b9d15874c4f584441cd40019a79a92ad8f2", "subdirectory": "policy/inventory-kernel-settings-sysctl-conf", "steps": [ "copy ./main.cf services/inventory-kernel-settings-sysctl-conf/", "copy ./README.org services/inventory-kernel-settings-sysctl-conf/", "json ./cfbs/def.json def.json" ] }, "inventory-kernel-settings-sysctl-current": { "description": "Adds reporting data (inventory) for sysctl settings current state.", "tags": ["inventory", "kernel", "experimental"], "repo": "https://github.com/nickanderson/cfengine-sysctl", "by": "https://github.com/nickanderson", "version": "1.0.0", "commit": "69149b9d15874c4f584441cd40019a79a92ad8f2", "subdirectory": "policy/inventory-kernel-settings-sysctl-current", "steps": [ "copy ./main.cf services/inventory-kernel-settings-sysctl-current/", "copy ./README.org services/inventory-kernel-settings-sysctl-current/", "json ./cfbs/def.json def.json" ] }, "inventory-lastlog": { "description": "Adds reporting data (inventory) for users who have logged in and when.", "tags": ["inventory", "experimental"], "repo": "https://github.com/nickanderson/cfengine-inventory-lastlog", "by": "https://github.com/nickanderson", "version": "0.1.1", "commit": "7436a6ca9d1a159e6083768b9c06d9b1cbb189a0", "steps": [ "copy policy/main.cf services/inventory-lastlog/", "json cfbs/def.json def.json" ] }, "inventory-local-groups": { "name": "inventory-local-groups", "description": "Adds reporting data (inventory) for the local groups on the system.", "tags": ["inventory", "supported"], "repo": "https://github.com/nickanderson/cfengine-local_users", "by": "https://github.com/nickanderson", "version": "0.0.1", "commit": "633fdc37f6369461fcd866ad69eb84cd9feb595c", "subdirectory": "inventory-local-groups", "dependencies": 
["library-parsed-local-groups"], "steps": [ "copy ./inventory-local-groups.cf services/local-groups/inventory-local-groups/", "json cfbs/def.json def.json" ] }, "inventory-local-users": { "description": "Adds reporting data (inventory) for the local users on the system with their attributes.", "tags": ["supported", "inventory"], "repo": "https://github.com/nickanderson/cfengine-local_users", "by": "https://github.com/nickanderson", "version": "2.0.4", "commit": "3b50be1e5ab09578109921b8f287603b37811350", "subdirectory": "inventory_passwd_users_all", "dependencies": ["library-parsed-local-users"], "steps": [ "copy ./inventory_passwd_users_all.cf services/local-users/inventory_passwd_users_all/", "json cfbs/def.json def.json" ] }, "inventory-local-users-locked": { "name": "inventory-local-users-locked", "description": "Adds reporting data (inventory) for the local users on the system that are locked.", "tags": ["supported", "inventory"], "repo": "https://github.com/nickanderson/cfengine-local_users", "by": "https://github.com/nickanderson", "version": "2.0.4", "commit": "3b50be1e5ab09578109921b8f287603b37811350", "subdirectory": "inventory_passwd_users_locked", "dependencies": ["library-parsed-local-users"], "steps": [ "copy ./inventory_passwd_users_locked.cf services/local-users/inventory_passwd_users_locked/", "json cfbs/def.json def.json" ] }, "inventory-local-users-non-root-has-uid-0": { "description": "Adds reporting data (inventory) for the non-root users that have uid 0.", "tags": ["supported", "inventory", "security"], "repo": "https://github.com/nickanderson/cfengine-local_users", "by": "https://github.com/nickanderson", "version": "2.0.5", "commit": "fef5d94170f8119eda8f5bf8316acf5896fbac22", "subdirectory": "inventory_non_root_users_with_uid_zero", "dependencies": ["library-parsed-local-users"], "steps": [ "copy ./inventory-non-root-users-with-uid-zero.cf 
services/local-users/inventory_non_root_users_with_uid_zero/inventory-non-root-users-with-uid-zero.cf", "json cfbs/def.json def.json" ] }, "inventory-local-users-password-empty": { "name": "inventory-local-users-password-empty", "description": "Adds reporting data (inventory) for the local users on the system that do not have a password set.", "tags": ["supported", "inventory", "security"], "repo": "https://github.com/nickanderson/cfengine-local_users", "by": "https://github.com/nickanderson", "version": "2.0.4", "commit": "3b50be1e5ab09578109921b8f287603b37811350", "subdirectory": "inventory_passwd_users_password_empty", "dependencies": ["library-parsed-local-users"], "steps": [ "copy ./inventory_passwd_users_password_empty.cf services/local-users/inventory_passwd_users_password_empty/", "json cfbs/def.json def.json" ] }, "inventory-local-users-password-hashing-algorithm": { "name": "inventory-local-users-password-hashing-algorithm", "description": "Adds reporting data (inventory) for password hashing algorithms in use by local users.", "tags": ["supported", "inventory", "security"], "repo": "https://github.com/nickanderson/cfengine-local_users", "by": "https://github.com/nickanderson", "version": "2.0.4", "commit": "3b50be1e5ab09578109921b8f287603b37811350", "subdirectory": "inventory_passwd_users_password_hashing_algorithm", "dependencies": ["library-parsed-local-users"], "steps": [ "copy ./inventory_local_user_pw_hashing_algorithm.cf services/local-users/inventory_passwd_users_password_hashing_algorithm/", "json cfbs/def.json def.json" ] }, "inventory-local-users-unhashed-password": { "alias": "inventory-unshadowed-users" }, "inventory-openssl-versions": { "description": "Adds an inventory attribute containing all versions of OpenSSL found on the system.", "tags": ["inventory", "security", "experimental"], "repo": "https://github.com/olehermanse/cfengine-inventory-openssl-versions", "by": "https://github.com/olehermanse", "version": "0.2.0", "commit": 
"5c22bfafb037fa96ab59574ef0da3b161167d883", "steps": [ "copy inventory-openssl-versions.cf services/cfbs/modules/inventory-openssl-versions/inventory-openssl-versions.cf", "policy_files services/cfbs/modules/inventory-openssl-versions/inventory-openssl-versions.cf", "bundles inventory_openssl_versions:inventory_openssl_versions" ] }, "inventory-physical-memory": { "description": "Inventory information about physical memory.", "tags": ["inventory"], "repo": "https://github.com/nickanderson/cfengine-inventory-physical-memory", "by": "https://github.com/nickanderson", "version": "0.0.3", "commit": "e26f77fdc0f5d83d290180c73d7feeed45051358", "steps": [ "copy ./policy/main.cf services/cfbs/inventory-physical-memory/main.cf", "policy_files services/cfbs/inventory-physical-memory/main.cf", "bundles inventory_physical_memory:main" ] }, "inventory-ssh-host-key-fingerprints": { "description": "Adds reporting data (inventory) for the SSH host key fingerprints.", "tags": ["inventory", "security", "ssh", "experimental"], "repo": "https://github.com/nickanderson/cfengine-ssh", "by": "https://github.com/nickanderson", "version": "0.0.2", "commit": "dbd948d795a32b29dcbfad54d9f16326f485d094", "subdirectory": "policy/inventory/host-key-fingerprints", "steps": [ "copy ./inventory-ssh-host-key-fingerprints.cf services/ssh/inventory/host-key-fingerprints/inventory-ssh-host-key-fingerprints.cf", "json cfbs/def.json def.json" ] }, "inventory-sudoers": { "description": "Adds reporting data (inventory) for users with sudo access.", "tags": ["supported", "inventory", "security", "sudo"], "repo": "https://github.com/nickanderson/cfengine-inventory-sudoers", "by": "https://github.com/nickanderson", "version": "1.0.3", "commit": "7f6be96d4b8e759de3463facbd3144c8b22cdc78", "steps": [ "copy ./policy/main.cf services/inventory-sudoers/main.cf", "json ./cfbs/def.json def.json" ] }, "inventory-systemd": { "description": "Adds reporting data (inventory) for interesting things from systemd.", "tags": 
["supported", "inventory", "systemd"], "repo": "https://github.com/nickanderson/cfengine-inventory-systemd", "by": "https://github.com/nickanderson", "version": "0.1.0", "commit": "4b9c0708173d3b5f0855a76063781e2258465788", "steps": [ "copy ./policy/main.cf services/inventory-systemd/main.cf", "json cfbs/def.json def.json" ] }, "inventory-unshadowed-users": { "description": "Adds reporting data (inventory) on local users in /etc/passwd not using /etc/shadow for their password.", "tags": ["supported", "inventory", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/nickanderson", "version": "1.0.2", "commit": "cff9325f0b12e914fead75c7b30092b0d91cee64", "subdirectory": "security/inventory-unshadowed-users", "dependencies": ["library-parsed-local-users"], "steps": [ "copy policy/main.cf services/cfbs/inventory-unshadowed-users/", "policy_files services/cfbs/inventory-unshadowed-users/", "bundles inventory_unshadowed_users:main" ] }, "inventory-writable-directories-in-root-path": { "description": "Reporting data (inventory) for directories in root's $PATH that are world or group writable.", "tags": ["supported", "inventory", "security"], "repo": "https://github.com/nickanderson/cfengine-writable-directories-in-root-path", "by": "https://github.com/nickanderson", "version": "0.0.1", "commit": "11fe0552d0cfde9d7280c629cea18cb0e2fd2a8b", "subdirectory": "inventory-writable-directories-in-root-path", "steps": [ "copy ./inventory-world-group-writable-root-path.cf services/world-writable-directories-in-root-path/", "json ./cfbs/def.json def.json" ] }, "inventory-yum-update-info": { "description": "Adds information about security updates from 'yum updateinfo' to inventory.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/vpodzime/cfengine-security-hardening", "by": "https://github.com/vpodzime", "version": "0.0.1", "commit": "c89da2dbdf2f8a4baf7b6646d2e15e98a00ff365", "subdirectory": 
"inventory-yum-update-info", "dependencies": ["autorun"], "steps": [ "copy ./inventory_yum_update_info.cf services/autorun/inventory_yum_update_info.cf" ] }, "kernel-settings-sysctl-conf": { "description": "Manages settings in the /etc/sysctl.conf file.", "tags": ["management", "kernel"], "repo": "https://github.com/nickanderson/cfengine-sysctl", "by": "https://github.com/nickanderson", "version": "1.0.1", "commit": "00ca2759e6dcdb346152c4f6f9a7f52f5401aacc", "subdirectory": "policy/kernel-settings-sysctl-conf", "steps": [ "copy ./main.cf services/kernel-settings-sysctl-conf/", "copy ./README.org services/kernel-settings-sysctl-conf/", "json ./cfbs/def.json def.json" ] }, "lib-fim": { "alias": "library-file-integrity-monitoring" }, "lib-sshd-config": { "alias": "library-sshd-config" }, "library-file-integrity-monitoring": { "description": "Monitors key files for changes.", "tags": ["library", "experimental"], "repo": "https://github.com/nickanderson/cfengine-file_integrity_monitoring", "by": "https://github.com/nickanderson", "version": "0.1.2", "commit": "8afb5e4f482c4d1564cfe56263bc8e38c33741ca", "steps": [ "copy policy/monitor_file_paths_tagged_all_changes.cf services/file_integrity_monitoring/", "json cfbs/def.json def.json" ] }, "library-for-promise-types-in-bash": { "description": "Library enabling promise types implemented in bash.", "tags": ["supported", "library"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/Lex-2008", "version": "0.1.2", "commit": "99017f2d952c9e7fddaf3aac1be19061cb23c0d6", "subdirectory": "libraries/bash", "steps": ["copy cfengine.sh modules/promises/"] }, "library-for-promise-types-in-python": { "description": "Library enabling promise types implemented in python.", "tags": ["supported", "library"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/cfengine", "version": "0.2.2", "commit": "813fb3d172c8db5642ef69cd5e8ef32b264ef275", "subdirectory": "libraries/python", "steps": ["copy 
cfengine.py modules/promises/"] }, "library-parsed-local-groups": { "name": "library-parsed-local-groups", "description": "Parses local groups from the /etc/group file on the system.", "tags": ["supported", "library"], "repo": "https://github.com/nickanderson/cfengine-local_users", "by": "https://github.com/nickanderson", "version": "0.0.1", "commit": "3028f74671c0bd8c8668a5b18245191439b0bad9", "subdirectory": "parsed_etc_group", "steps": [ "copy ./parsed_etc_group.cf services/local-groups/parsed_etc_group/", "json cfbs/def.json def.json" ] }, "library-parsed-local-users": { "name": "library-parsed-local-users", "description": "Parses local users from /etc/passwd on the system with their attributes from /etc/shadow.", "tags": ["supported", "library"], "repo": "https://github.com/nickanderson/cfengine-local_users", "by": "https://github.com/nickanderson", "version": "2.0.5", "commit": "ede282c34083ab807543aa734b1142228ab98993", "subdirectory": "parsed_etc_passwd_shadow", "steps": [ "copy ./parsed_etc_passwd_shadow.cf services/local-users/parsed_etc_passwd_shadow/", "json cfbs/def.json def.json" ] }, "library-sshd-config": { "description": "Library used by other modules to manage sshd configuration.", "tags": ["library", "security", "ssh", "experimental"], "repo": "https://github.com/nickanderson/cfengine-ssh", "by": "https://github.com/nickanderson", "version": "0.1.0", "commit": "abff34c08bf27af56c4c3939bbb6f848eac7fb8d", "subdirectory": "modules/library-sshd-config", "steps": [ "copy ./global-key-values.cf services/library-sshd-config/", "json cfbs/def.json def.json" ] }, "lynis": { "description": "Automates the installation, running, and reporting of CISOfy's lynis system audits.", "tags": ["security", "compliance"], "repo": "https://github.com/nickanderson/cfengine-lynis", "by": "https://github.com/nickanderson", "version": "3.1.1", "commit": "70bdf7be29c890d3bf162a8fe993e8d12eb61388", "steps": [ "copy policy/main.cf services/lynis/main.cf", "json cfbs/def.json 
def.json" ] }, "maintainers-in-motd": { "description": "Add maintainer and purpose information from CMDB to /etc/motd", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/craigcomstock", "version": "0.0.1", "commit": "89629690fe265556e1ae4eb9127e42fb9525c9f5", "subdirectory": "security/maintainers-in-motd", "steps": [ "copy ./maintainers-in-motd.cf services/cfbs/modules/maintainers-in-motd.cf", "policy_files services/cfbs/modules/maintainers-in-motd.cf", "bundles maintainers_in_motd" ] }, "masterfiles": { "description": "Official CFEngine Masterfiles Policy Framework (MPF).", "tags": ["supported", "base"], "repo": "https://github.com/cfengine/masterfiles", "by": "https://github.com/cfengine", "version": "3.21.4", "commit": "80374429aa8d9f1d5afe952727ae5659caf5e9ef", "steps": [ "run EXPLICIT_VERSION=3.21.4 EXPLICIT_RELEASE=1 ./prepare.sh -y", "copy ./ ./" ] }, "migrate2rocky": { "description": "Unattended migration of CentOS 8 hosts to Rocky Linux.", "tags": ["experimental"], "repo": "https://github.com/nickanderson/cfengine-migrate2rocky", "by": "https://github.com/nickanderson", "version": "0.1.0", "commit": "332dc89a479503bede5ca986092d2b95ad183129", "dependencies": ["promise-type-git"], "steps": [ "copy policy/main.cf services/migrate2rocky/main.cf", "json augments.json def.json" ] }, "mpf": { "alias": "masterfiles" }, "ntp-maxpoll": { "description": "Ensures that maxpoll is configured (to 10 by default).", "tags": ["supported", "security", "management"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "0.0.3", "commit": "e2519214e8a29c7f37a36ca8a4beec687712448d", "subdirectory": "ntp-maxpoll", "steps": [ "copy ./ntp-maxpoll.cf services/security-hardening/ntp-maxpoll/", "json cfbs/def.json def.json" ] }, "openldap-server-not-installed": { "alias": "uninstall-openldap-server" }, "packages-allowlist": { "description": 
"Reports on and optionally removes software installed by the platforms default package module (e.g. yum, apt_get) that is not in an explicit allow list.", "tags": ["management", "inventory", "security"], "repo": "https://github.com/nickanderson/cfengine-packages-allowlist", "by": "https://github.com/nickanderson", "version": "0.0.7", "commit": "93bfbb81491d00e62ac5e46cd4f5dfb907a0ec6c", "steps": [ "copy main.cf services/cfbs/modules/packages-allowlist/main.cf", "bundles packages_allowlist:state", "policy_files services/cfbs/modules/packages-allowlist/main.cf", "input packages_allowlist/input.json def.json" ], "input": [ { "type": "string", "namespace": "packages_allowlist", "bundle": "state", "variable": "enforcement", "label": "Uninstall not allowed packages (disabled|enabled)", "question": "Would you like to enable enforcement for packages-allowlist? (disabled|enabled)" }, { "type": "list", "namespace": "packages_allowlist", "bundle": "state", "variable": "allowed", "label": "Packages", "subtype": { "type": "string", "label": "Package name", "question": "What package name would you like to allow?" }, "while": "Do you want to allow another package?" 
} ] }, "packages-allowlist-snapshot": { "description": "Allows you to snapshot which packages are installed on a system, and then enforce that list, uninstalling or giving warnings when other packages appear.", "tags": ["management", "inventory", "security", "experimental"], "repo": "https://github.com/olehermanse/cfengine-packages-allowlist-snapshot", "by": "https://github.com/olehermanse", "version": "0.0.2", "commit": "30efc502f56f82b1576ed67bda9275b43222d90b", "steps": [ "copy main.cf services/cfbs/modules/packages-allowlist-snapshot/main.cf", "bundles packages_allowlist_snapshot:entry_point", "policy_files services/cfbs/modules/packages-allowlist-snapshot/main.cf", "input packages-allowlist-snapshot/input.json def.json" ], "input": [ { "type": "string", "namespace": "packages_allowlist_snapshot", "bundle": "state", "variable": "mode", "label": "Mode", "question": "What mode should the module be in? (init|warn|enforce)" } ] }, "prelinking-disabled": { "alias": "disable-prelinking" }, "promise-type-ansible": { "description": "Promise type to run ansible playbooks.", "tags": ["supported", "promise-type"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/tranchitella", "version": "0.2.2", "commit": "813fb3d172c8db5642ef69cd5e8ef32b264ef275", "subdirectory": "promise-types/ansible", "dependencies": ["library-for-promise-types-in-python"], "steps": [ "copy ansible_promise.py modules/promises/", "append enable.cf services/init.cf" ] }, "promise-type-docker-compose": { "description": "Promise type to manage containers using docker compose", "tags": ["promise-type", "docker", "experimental"], "repo": "https://github.com/basvandervlies/scl_modules", "by": "https://github.com/basvandervlies", "version": "1.1.0", "commit": "d3b3aed55b90df5bb33b652532f8d17cf74b5e96", "subdirectory": "promise-types/docker_compose", "dependencies": ["library-for-promise-types-in-bash"], "steps": [ "copy docker_compose.sh modules/promises/docker_compose.sh", "append 
enable.cf services/init.cf" ] }, "promise-type-git": { "description": "Promise type to manage git repos.", "tags": ["supported", "promise-type"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/tranchitella", "version": "0.2.3", "commit": "813fb3d172c8db5642ef69cd5e8ef32b264ef275", "subdirectory": "promise-types/git", "dependencies": ["library-for-promise-types-in-python"], "steps": [ "copy git.py modules/promises/", "append enable.cf services/init.cf" ] }, "promise-type-groups": { "description": "Experimental promise type to manage local user groups.", "tags": ["supported", "promise-type", "experimental"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/larsewi", "version": "0.2.4", "commit": "813fb3d172c8db5642ef69cd5e8ef32b264ef275", "subdirectory": "promise-types/groups", "dependencies": ["library-for-promise-types-in-python"], "steps": [ "copy groups.py modules/promises/", "append enable.cf services/init.cf" ] }, "promise-type-http": { "description": "Promise type to perform HTTP(S) requests from policy.", "tags": ["supported", "promise-type", "http"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/vpodzime", "version": "2.0.1", "commit": "813fb3d172c8db5642ef69cd5e8ef32b264ef275", "subdirectory": "promise-types/http", "dependencies": ["library-for-promise-types-in-python"], "steps": [ "copy http_promise_type.py modules/promises/", "append enable.cf services/init.cf" ] }, "promise-type-systemd": { "description": "Promise type to manage systemd services.", "tags": ["supported", "promise-type", "systemd"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/tranchitella", "version": "0.2.3", "commit": "813fb3d172c8db5642ef69cd5e8ef32b264ef275", "subdirectory": "promise-types/systemd", "dependencies": ["library-for-promise-types-in-python"], "steps": [ "copy systemd.py modules/promises/", "append enable.cf services/init.cf" ] }, "python-lib": { "alias": 
"library-for-promise-types-in-python" }, "root-path-enforce-permissions": { "description": "Enforces that directories in root's $PATH are not world or group writable.", "tags": ["supported", "management", "security"], "repo": "https://github.com/nickanderson/cfengine-writable-directories-in-root-path", "by": "https://github.com/nickanderson", "version": "0.0.1", "commit": "11fe0552d0cfde9d7280c629cea18cb0e2fd2a8b", "subdirectory": "root-path-enforce-permissions", "dependencies": ["inventory-writable-directories-in-root-path"], "steps": [ "copy ./root-path-enforce-group-other-not-writable.cf services/world-writable-directories-in-root-path/", "json ./cfbs/def.json def.json" ] }, "scl": { "alias": "surf-cfengine-library" }, "ssh-ciphers-strong": { "description": "Ensures that the SSH daemon uses strong ciphers.", "tags": ["security", "ssh", "experimental"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "1.0.4", "commit": "7c5e3638ddcf2ba097644eefe0a3bc9d7f2269e6", "subdirectory": "ssh-ciphers-strong", "dependencies": ["library-sshd-config"], "steps": [ "copy ./ssh-ciphers-strong.cf services/security-hardening/ssh-ciphers-strong/", "json cfbs/def.json def.json" ] }, "ssh-max-auth-tries": { "description": "Limits the maximum authentication attempts (default to 3).", "tags": ["security", "ssh", "experimental"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "1.0.3", "commit": "124b01041a3d45010ac20912338795e81e2a06fe", "subdirectory": "ssh-max-auth-tries", "dependencies": ["library-sshd-config"], "steps": [ "copy ./ssh-max-auth-tries.cf services/security-hardening/ssh-max-auth-tries/", "json cfbs/def.json def.json" ] }, "ssh-permit-empty-passwords-no": { "description": "Ensures that PermitEmptyPasswords is set to no in the sshd configuration.", "tags": ["security", "ssh", "experimental"], "repo": 
"https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "1.0.4", "commit": "705cd6a9c90b691b78a18876f1980d4d16fc9b1c", "subdirectory": "ssh-permit-empty-passwords-no", "dependencies": ["library-sshd-config"], "steps": [ "copy ./ssh-permit-empty-passwords-no.cf services/security-hardening/ssh-permit-empty-passwords-no/", "json cfbs/def.json def.json" ] }, "ssh-permit-root-login-no": { "description": "Ensures that the SSH daemon does not permit logging in as root.", "tags": ["security", "ssh", "experimental"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "1.0.3", "commit": "124b01041a3d45010ac20912338795e81e2a06fe", "subdirectory": "ssh-permit-root-login-no", "dependencies": ["library-sshd-config"], "steps": [ "copy ./ssh-permit-root-login-no.cf services/security-hardening/ssh-permit-root-login-no/", "json cfbs/def.json def.json" ] }, "ssh-protocol-2": { "description": "Ensures that the SSH daemon uses SSH protocol 2.", "tags": ["security", "ssh", "experimental"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "1.0.3", "commit": "124b01041a3d45010ac20912338795e81e2a06fe", "subdirectory": "ssh-protocol-2", "dependencies": ["library-sshd-config"], "steps": [ "copy ./ssh-protocol-2.cf services/security-hardening/ssh-protocol-2/", "json cfbs/def.json def.json" ] }, "stig-rhel-7": { "description": "Red Hat Enterprise Linux 7 Security Technical Implementation Guide", "tags": ["security", "experimental"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "0.0.1", "commit": "f20b82a0f714d5b76fafc1d788ac9b720dea0a03", "subdirectory": "stig/red_hat_enterprise_linux_7", "dependencies": ["compliance-report-imports"], "steps": [ "copy ./compliance-reports/compliance-report.json 
./.no-distrib/compliance-report-definitions/red-hat-enterprise-linux-7-security-technical-implementation-guide.json", "copy ./config.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/config.cf", "copy ./V-204392/V-204392.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204392.cf", "copy ./V-204424/V-204424.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204424.cf", "copy ./V-204425/V-204425.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204425.cf", "copy ./V-204502/V-204502.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204502.cf", "copy ./V-204594/V-204594.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204594.cf", "copy ./V-204620/V-204620.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204620.cf", "copy ./V-204621/V-204621.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204621.cf", "copy ./V-204627/V-204627.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204627.cf", "copy ./V-214799/V-214799.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-214799.cf", "copy ./V-204497/V-204497.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204497.cf", "copy ./V-204443/V-204443.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204443.cf", "copy ./V-204442/V-204442.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204442.cf", "copy ./chaos.cf services/cfbs/modules/stig-red-hat-enterprise-linux-7/chaos.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204392.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204424.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204425.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204502.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204594.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204620.cf", "policy_files 
services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204621.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204627.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-214799.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204497.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204443.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/V-204442.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/chaos.cf", "policy_files services/cfbs/modules/stig-red-hat-enterprise-linux-7/config.cf", "bundles rhel_7_stig:run", "input ./input.json def.json" ], "input": [ { "type": "string", "namespace": "rhel_7_stig", "bundle": "config", "variable": "mode", "label": "Mode", "question": "What mode should the module be in? (warn|enforce)", "default": "warn" }, { "type": "string", "namespace": "rhel_7_stig", "bundle": "config", "variable": "context", "label": "Enabled", "question": "Under which context should this module be enabled?", "default": "centos_7|redhat_7" }, { "type": "list", "namespace": "rhel_7_stig", "bundle": "config", "variable": "exceptions", "label": "Exceptions", "subtype": [ { "key": "id", "type": "string", "label": "Finding ID", "question": "Which finding would you like to add an exception for (e.g.: V-204443)" }, { "key": "why", "type": "string", "label": "Why", "question": "Why is there an exception?", "default": "Unknown" }, { "key": "context", "type": "string", "label": "Context", "question": "Under what context should this be an exception?", "default": "centos_7|redhat_7" } ], "while": "Do you want to add another exception?" 
} ] }, "sudo-enforce-allowed-users": { "description": "Ensures the following lines 'ALL ALL=(ALL) ALL' and 'ALL ALL=(ALL:ALL) ALL' are not present in the /etc/sudoers.conf file.", "tags": ["security", "management", "sudo", "experimental"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "0.0.2", "commit": "ab4f6c01c2f41dfdfef05100eac4c8abf894b74c", "subdirectory": "sudo-enforce-allowed-users", "steps": [ "copy ./sudo-enforce-allowed-users.cf services/security-hardening/sudo-enforce-allowed-users/", "json cfbs/def.json def.json" ] }, "sudo-requires-passwords": { "description": "Ensures that sudo requires a password (there are no 'NOPASSWD' entries in the /etc/sudoers file).", "tags": ["security", "management", "sudo", "experimental"], "repo": "https://github.com/Lex-2008/sudo-requires-passwords", "by": "https://github.com/Lex-2008", "version": "1.0.0", "commit": "ff6108188291ae2e8074d2fa55786e4270e803af", "dependencies": ["autorun"], "steps": [ "copy ./sudo-requires-password.cf services/autorun/sudo-requires-password.cf" ] }, "surf-cfengine-library": { "description": "SURF CFEngine Library (SCL) for building services with json/mustache.", "tags": ["inventory", "lib", "management", "experimental"], "repo": "https://github.com/basvandervlies/cf_surfsara_lib", "by": "https://github.com/basvandervlies", "version": "1.6.0", "commit": "424d9dedb9cb421300aaa20486a3b4bbacf022f0", "dependencies": ["autorun", "promise-type-groups"], "steps": [ "copy ./masterfiles/lib/scl/ lib/scl/", "copy ./masterfiles/services/autorun/scl.cf services/autorun/scl.cf", "copy ./modules/ modules/scl/", "copy ./scl_example.json scl_example.json", "copy ./services/ services/scl/", "copy ./templates/ lib/scl/.git/templates", "json scl_example.json def.json" ] }, "systemd": { "alias": "promise-type-systemd" }, "telnet-server-not-installed": { "alias": "uninstall-telnet-server" }, "tmp-file-age": { "description": "Reporting data
(inventory) and removal of old files in the /tmp directory.", "tags": ["supported", "inventory", "management", "security", "tmp"], "repo": "https://github.com/nickanderson/cfengine-security-hardening", "by": "https://github.com/nickanderson", "version": "0.0.1", "commit": "56a7c149f33808db6796de77eff6eb0502c01e61", "subdirectory": "tmp-file-age", "steps": [ "copy ./tmp-file-age.cf services/security-hardening/tmp-file-age/", "json cfbs/def.json def.json" ] }, "tmp-nosuid": { "description": "Makes sure /tmp is mounted with the 'nosuid' option.", "tags": ["supported", "security", "compliance", "tmp"], "repo": "https://github.com/vpodzime/cfengine-security-hardening", "by": "https://github.com/vpodzime", "version": "0.0.2", "commit": "5be7c3ef332138b5717231d289bda59449b66d5c", "subdirectory": "tmp-nosuid", "dependencies": ["autorun"], "steps": ["copy ./tmp_nosuid.cf services/autorun/tmp_nosuid.cf"] }, "uninstall-apache": { "description": "Ensures the apache package is not installed.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.0", "commit": "6805332200dd48db54c61178c90bf2374c5d8fca", "subdirectory": "security/uninstall-apache", "steps": [ "copy uninstall-apache.cf services/cfbs/modules/uninstall-apache/uninstall-apache.cf", "policy_files services/cfbs/modules/uninstall-apache/uninstall-apache.cf", "bundles uninstall_apache" ] }, "uninstall-bind": { "description": "Ensures the bind package is not installed.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.1", "commit": "306181850201c60f4b7d379e80a8b1e552bb7f0f", "subdirectory": "security/uninstall-bind", "steps": [ "copy uninstall-bind.cf services/cfbs/modules/uninstall-bind/uninstall-bind.cf", "policy_files services/cfbs/modules/uninstall-bind/uninstall-bind.cf", "bundles uninstall_bind" ] }, 
"uninstall-dhcp": { "description": "Ensures the dhcp package is not installed.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.0", "commit": "6805332200dd48db54c61178c90bf2374c5d8fca", "subdirectory": "security/uninstall-dhcp", "steps": [ "copy uninstall-dhcp.cf services/cfbs/modules/uninstall-dhcp/uninstall-dhcp.cf", "policy_files services/cfbs/modules/uninstall-dhcp/uninstall-dhcp.cf", "bundles uninstall_dhcp" ] }, "uninstall-dovecot": { "description": "Ensures the dovecot package is not installed.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.0", "commit": "6805332200dd48db54c61178c90bf2374c5d8fca", "subdirectory": "security/uninstall-dovecot", "steps": [ "copy uninstall-dovecot.cf services/cfbs/modules/uninstall-dovecot/uninstall-dovecot.cf", "policy_files services/cfbs/modules/uninstall-dovecot/uninstall-dovecot.cf", "bundles uninstall_dovecot" ] }, "uninstall-ftp": { "description": "Ensures the ftp server package is not installed on the system(s).", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/craigcomstock/cfengine-security-hardening", "by": "https://github.com/craigcomstock", "version": "0.0.2", "commit": "2ec06ea5e78b0ad39cfde0137e0a8c25a983fae8", "subdirectory": "uninstall-ftp", "dependencies": ["autorun"], "steps": ["copy ./uninstall_ftp.cf services/autorun/uninstall_ftp.cf"] }, "uninstall-openldap-server": { "description": "Ensures the openldap server package is not installed on the system(s).", "tags": ["security", "compliance", "experimental"], "repo": "https://github.com/vpodzime/cfengine-security-hardening", "by": "https://github.com/vpodzime", "version": "0.0.2", "commit": "b0c5d6e9f2a9fb5904cb1eb9cd948ee7907969ea", "subdirectory": "uninstall-openldap-server", "dependencies": ["autorun"], "steps": [ "copy 
./openldap_server_policy.cf services/autorun/openldap_server_policy.cf" ] }, "uninstall-packages": { "description": "Uninstalls a list of packages specified by module input.", "tags": ["supported", "security", "management"], "repo": "https://github.com/olehermanse/cfengine-uninstall-packages", "by": "https://github.com/olehermanse", "version": "1.0.0", "commit": "82dc210c3085c851f5a8bd3498ed915647800ce1", "steps": [ "copy main.cf services/cfbs/modules/uninstall-packages/main.cf", "input uninstall-packages/input.json def.json", "bundles uninstall_packages:uninstall_packages", "policy_files services/cfbs/modules/uninstall-packages/main.cf" ], "input": [ { "type": "list", "variable": "package_names", "namespace": "uninstall_packages", "bundle": "uninstall_packages", "label": "Packages to uninstall", "subtype": [ { "key": "name", "type": "string", "label": "Name", "question": "What is the name in the package manager (apt, yum, etc.)?" }, { "key": "why", "type": "string", "label": "Why", "question": "Why should this package be uninstalled?", "default": "Unknown" } ], "while": "Specify another package you want uninstalled on your hosts?" 
} ] }, "uninstall-rsh-server": { "description": "Ensure the remote shell (rsh) server package is not installed on the system(s).", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.0", "commit": "6805332200dd48db54c61178c90bf2374c5d8fca", "subdirectory": "security/uninstall-rsh-server", "steps": [ "copy uninstall-rsh-server.cf services/cfbs/modules/uninstall-rsh-server/uninstall-rsh-server.cf", "bundles uninstall_rsh_server", "policy_files services/cfbs/modules/uninstall-rsh-server/uninstall-rsh-server.cf" ] }, "uninstall-samba": { "description": "Ensures the samba package is not installed.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.0", "commit": "6805332200dd48db54c61178c90bf2374c5d8fca", "subdirectory": "security/uninstall-samba", "steps": [ "copy uninstall-samba.cf services/cfbs/modules/uninstall-samba/uninstall-samba.cf", "policy_files services/cfbs/modules/uninstall-samba/uninstall-samba.cf", "bundles uninstall_samba" ] }, "uninstall-squid": { "description": "Ensures the squid package is not installed.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.0", "commit": "6805332200dd48db54c61178c90bf2374c5d8fca", "subdirectory": "security/uninstall-squid", "steps": [ "copy uninstall-squid.cf services/cfbs/modules/uninstall-squid/uninstall-squid.cf", "policy_files services/cfbs/modules/uninstall-squid/uninstall-squid.cf", "bundles uninstall_squid" ] }, "uninstall-talk": { "description": "Ensures the talk client and server packages are not installed.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.0", "commit": 
"6805332200dd48db54c61178c90bf2374c5d8fca", "subdirectory": "security/uninstall-talk", "steps": [ "copy uninstall-talk.cf services/cfbs/modules/uninstall-talk/uninstall-talk.cf", "bundles uninstall_talk", "policy_files services/cfbs/modules/uninstall-talk/uninstall-talk.cf" ] }, "uninstall-telnet-server": { "description": "Ensures the telnet server package is not installed on the system.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/vpodzime/cfengine-security-hardening", "by": "https://github.com/vpodzime", "version": "0.0.3", "commit": "b0c5d6e9f2a9fb5904cb1eb9cd948ee7907969ea", "subdirectory": "uninstall-telnet-server", "dependencies": ["autorun"], "steps": [ "copy ./telnet_server_policy.cf services/autorun/telnet_server_policy.cf" ] }, "uninstall-xinetd": { "description": "Ensures the xinetd package is not installed.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/cfengine/modules", "by": "https://github.com/olehermanse", "version": "1.0.0", "commit": "6805332200dd48db54c61178c90bf2374c5d8fca", "subdirectory": "security/uninstall-xinetd", "steps": [ "copy uninstall-xinetd.cf services/cfbs/modules/uninstall-xinetd/uninstall-xinetd.cf", "policy_files services/cfbs/modules/uninstall-xinetd/uninstall-xinetd.cf", "bundles uninstall_xinetd" ] }, "upgrade-all-packages": { "description": "Ensures that the package manager data is updated and all upgradeable packages are upgraded.", "tags": ["supported", "security", "compliance"], "repo": "https://github.com/craigcomstock/cfengine-security-hardening", "by": "https://github.com/craigcomstock", "version": "1.0.0", "commit": "e3039050296ec20c7e44b3accba84c146cf6ef69", "subdirectory": "upgrade-all-packages", "dependencies": ["autorun"], "steps": [ "copy ./upgrade_all_packages.cf services/autorun/upgrade_all_packages.cf" ] } } }