This repository is no longer in use by the Puppet SE Team, and will be officially archived on Friday, July 1st. It will then be deleted on Friday, July 15th. If you are using any of the included code in any way, please take steps to preserve your access to the code at your earliest convenience.
Thanks! - The Puppetlabs SE Team
- Description
- Setup - The basics of getting started with bolt_compliance
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
An example module showing how to implement CIS compliance testing tasks and plans which can send the output to Splunk.
puppet module install puppetlabs-stdlib
mkdir ~/modules
cd ~/modules
git clone https://github.com/timidri/bolt_compliance.git
cd bolt_compliance
pip install -r requirements.txt
To use bolt_compliance, you need to create a Splunk HTTP Event Collector token in a Splunk Enterprise instance available to you. See Splunk HEC Service for guidance.
Then, create a configuration file inventory.yaml:
cp inventory-default.yaml inventory.yaml
and configure the Splunk HEC endpoint and token there.
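As an added illustration (not code from this repository), the sketch below shows how a per-node control result can be shaped into Splunk HEC events and sent with the token in the `Authorization: Splunk <token>` header. The result field names, the `bolt:compliance` sourcetype, the host names and the https-only check are assumptions of this example; the endpoint and token are passed in rather than read from inventory.yaml.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample results; the control ids are the ones used on this page.
SAMPLE_RESULTS = [
    {"node": "rhel7-a.example.com", "control": "1_1_2", "compliant": True,
     "detail": "constructed sample output"},
    {"node": "rhel7-b.example.com", "control": "5_1_1", "compliant": False,
     "detail": "constructed sample output"},
]


def build_hec_request(endpoint, token, results, sourcetype="bolt:compliance"):
    """Return an unsent POST request carrying one HEC event per control result."""
    if urlparse(endpoint).scheme != "https":
        # Choice made in this example: refuse to send the token over plain HTTP.
        raise ValueError("HEC endpoint must use https")
    if not token:
        raise ValueError("HEC token is empty")
    # HEC accepts several event objects concatenated in a single request body.
    body = "".join(
        json.dumps({
            "host": r["node"],
            "sourcetype": sourcetype,  # assumed sourcetype name
            "event": {"control": r["control"], "compliant": r["compliant"],
                      "detail": r["detail"]},
        }, sort_keys=True)
        for r in results
    )
    return urllib.request.Request(
        endpoint, data=body.encode("utf-8"), method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )


def describe(request):
    """Summary that is safe to log: it never includes the Authorization header."""
    return "%s %s (%d bytes)" % (request.get_method(), request.full_url,
                                 len(request.data))


if __name__ == "__main__":
    req = build_hec_request(
        "https://splunk.example.com:8088/services/collector/event",
        "constructed-token", SAMPLE_RESULTS)
    print(describe(req))  # pass req to urllib.request.urlopen() to actually send
```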
To run a compliance plan, make sure you have some CentOS or Red Hat 7 nodes configured in the inventory.yaml. Then, you can run the plan as follows:
bolt plan run bolt_compliance::run --params '{"controls": ["1_1_2", "5_1_1"]}' -n all
to perform both available control checks on all the configured nodes.
To run a plan using the benchmark yaml specification in rhel7-cis-1.yaml, do:
bolt plan run bolt_compliance::run_yaml --params '{"benchmarks": ["rhel7-cis-1"]}' -n all
The examples are for PoC / educational purposes only and only work on RHEL7 target nodes.