From 651d3ece5e5711c942373438d39380f264d19a1d Mon Sep 17 00:00:00 2001
From: Sergejs Glusnevs
Date: Wed, 28 Jun 2023 08:06:16 +0200
Subject: [PATCH 01/42] Resource 'file' replaced with 'file_line' to avoid duplicate declaration errors with 'ensure_rsyslog_default_file_permissions_are_configured' rule
---
 ...onfigured_to_recieve_logs_from_a_remote_client.pp | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/manifests/rules/ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client.pp b/manifests/rules/ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client.pp
index dc65d86c..81646340 100644
--- a/manifests/rules/ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client.pp
+++ b/manifests/rules/ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client.pp
@@ -4,28 +4,32 @@
 #
 class secure_linux_cis::rules::ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client {
 $facts['rsyslog_configuration_files'].each | String $path | {
- file { "Remove ModLoad on ${path}":
+ file_line { "Remove ModLoad on ${path}":
 ensure => absent,
 path => $path,
 match => '^\s*$ModLoad\s+imtcp',
+ match_for_absence => true,
 }
- file { "Remove InputTCPServerRun on ${path}":
+ file_line { "Remove InputTCPServerRun on ${path}":
 ensure => absent,
 path => $path,
 match => '^\s*$InputTCPServerRun',
+ match_for_absence => true,
 }
- file { "Remove module imtcp load on ${path}":
+ file_line { "Remove module imtcp load on ${path}":
 ensure => absent,
 path => $path,
 match => '^\s*module(load="imtcp")',
+ match_for_absence => true,
 }
- file { "Remove input imtcp on ${path}":
+ file_line { "Remove input imtcp on ${path}":
 ensure => absent,
 path => $path,
 match => '^\s*input(\s+type="imtcp"\s+port="514"\s+)',
+ match_for_absence => true,
 }
 }
 }
From 878e88b4abff18dbea257caeba8c170e9434f07c Mon Sep 17 00:00:00 2001
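Review bot: The four `match` patterns that this switch to `file_line` makes live look like they cannot match the rsyslog directives they target. Assuming `file_line` compiles `match` as a Ruby regex, the bare `$` in `'^\s*$ModLoad\s+imtcp'` and `'^\s*$InputTCPServerRun'` is an end-of-line anchor, and the unescaped parentheses in the `module(...)` and `input(...)` patterns are capture groups, so a configured TCP listener would be left in place while the rule reports nothing to change. Escape the literals, e.g. `match => '^\s*\$ModLoad\s+imtcp',` and `match => '^\s*module\(load="imtcp"\)',`, and do the same for the other two patterns. Consider also adding `multiple => true,` to each resource, since a file with more than one matching line should otherwise make `file_line` fail instead of removing them.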
From: Sergejs Glusnevs
Date: Wed, 28 Jun 2023 08:19:07 +0200
Subject: [PATCH 02/42] Disabled rules description fixed for the last Hiera
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 058a6527..142f6db2 100644
--- a/README.md
+++ b/README.md
@@ -120,7 +120,9 @@ As of enforcement for the Redhat 7 OS, there are 223 CIS rules that are either e
 ```yaml
 # hieradata/common.yaml
-secure_linux_cis::rules::ensure_mounting_of_squashfs_filesystems_is_disabled::enforced: false
+secure_linux_cis::exclude_rules:
+ - ensure_mounting_of_squashfs_filesystems_is_disabled
+ - ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client
 ```
 ### Enabling rules with Hiera (Not applicable to 3.0.0 descriptive based 'rules' .pp files)
From 972dc6f9f0095f9810f773f513e9a92e61adba95 Mon Sep 17 00:00:00 2001
From: Sergejs Glusnevs
Date: Wed, 28 Jun 2023 08:44:56 +0200
Subject: [PATCH 03/42] Rocky Linux 8 rules added
---
 data/os/Rocky/version/8.yaml | 746 +++++++++++++++++++++++++++++++++++
 1 file changed, 746 insertions(+)
 create mode 100644 data/os/Rocky/version/8.yaml
diff --git a/data/os/Rocky/version/8.yaml b/data/os/Rocky/version/8.yaml
new file mode 100644
index 00000000..d099e729
--- /dev/null
+++ b/data/os/Rocky/version/8.yaml
@@ -0,0 +1,746 @@ +--- +secure_linux_cis::server_level_1: +- ensure_mounting_of_cramfs_filesystems_is_disabled +- ensure_tmp_is_a_separate_partition +- ensure_nodev_option_set_on_tmp_partition +- ensure_noexec_option_set_on_tmp_partition +- ensure_nosuid_option_set_on_tmp_partition +- ensure_nodev_option_set_on_dev_shm_partition +- ensure_noexec_option_set_on_dev_shm_partition +- ensure_nosuid_option_set_on_dev_shm_partition +- disable_automounting +- disable_usb_storage +- ensure_gpgcheck_is_globally_activated +- ensure_aide_is_installed +- ensure_filesystem_integrity_is_regularly_checked +- ensure_bootloader_password_is_set +- ensure_permissions_on_bootloader_config_are_configured +- ensure_authentication_is_required_when_booting_into_rescue_mode +- ensure_core_dump_storage_is_disabled +- ensure_core_dump_backtraces_are_disabled +- ensure_address_space_layout_randomization_aslr_is_enabled +- ensure_selinux_is_installed +- ensure_selinux_is_not_disabled_in_bootloader_configuration +- ensure_selinux_policy_is_configured +- ensure_the_selinux_mode_is_not_disabled +- ensure_no_unconfined_services_exist +- ensure_setroubleshoot_is_not_installed +- ensure_the_mcs_translation_service_mcstrans_is_not_installed +- ensure_message_of_the_day_is_configured_properly +- ensure_local_login_warning_banner_is_configured_properly +- ensure_remote_login_warning_banner_is_configured_properly +- ensure_permissions_on_etc_motd_are_configured +- ensure_permissions_on_etc_issue_are_configured +- ensure_permissions_on_etc_issue_net_are_configured +- ensure_gdm_login_banner_is_configured +- ensure_last_logged_in_user_display_is_disabled +- ensure_xdmcp_is_not_enabled +- ensure_automatic_mounting_of_removable_media_is_disabled +- ensure_system_wide_crypto_policy_is_not_legacy +- ensure_time_synchronization_is_in_use +- ensure_chrony_is_configured +- ensure_xinetd_is_not_installed +- ensure_avahi_server_is_not_installed +- ensure_cups_is_not_installed +- ensure_dhcp_server_is_not_installed 
+- ensure_dns_server_is_not_installed +- ensure_ftp_server_is_not_installed +- ensure_vsftp_server_is_not_installed +- ensure_tftp_server_is_not_installed +- ensure_a_web_server_is_not_installed +- ensure_samba_is_not_installed +- ensure_http_proxy_server_is_not_installed +- ensure_net_snmp_is_not_installed +- ensure_nis_server_is_not_installed +- ensure_telnet_server_is_not_installed +- ensure_mail_transfer_agent_is_configured_for_local_only_mode +- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked +- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked +- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked +- ensure_nis_client_is_not_installed +- ensure_rsh_client_is_not_installed +- ensure_talk_client_is_not_installed +- ensure_telnet_client_is_not_installed +- ensure_ldap_client_is_not_installed +- ensure_tftp_client_is_not_installed +- ensure_wireless_interfaces_are_disabled +- ensure_ip_forwarding_is_disabled +- ensure_packet_redirect_sending_is_disabled +- ensure_source_routed_packets_are_not_accepted +- ensure_icmp_redirects_are_not_accepted +- ensure_secure_icmp_redirects_are_not_accepted +- ensure_suspicious_packets_are_logged +- ensure_broadcast_icmp_requests_are_ignored +- ensure_bogus_icmp_responses_are_ignored +- ensure_reverse_path_filtering_is_enabled +- ensure_tcp_syn_cookies_is_enabled +- ensure_iptables_packages_are_installed +- ensure_nftables_is_not_installed_with_iptables +- ensure_firewalld_is_either_not_installed_or_masked_with_iptables +- ensure_iptables_loopback_traffic_is_configured +- ensure_iptables_rules_exist_for_all_open_ports +- ensure_iptables_default_deny_firewall_policy +- ensure_iptables_rules_are_saved +- ensure_iptables_is_enabled_and_active +- ensure_rsyslog_is_installed +- ensure_rsyslog_service_is_enabled +- ensure_rsyslog_default_file_permissions_are_configured +- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client +- 
ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client +- ensure_journald_service_is_enabled +- ensure_journald_is_configured_to_compress_large_log_files +- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk +- ensure_permissions_on_all_logfiles_are_configured +- ensure_cron_daemon_is_enabled +- ensure_permissions_on_etc_crontab_are_configured +- ensure_permissions_on_etc_cron_hourly_are_configured +- ensure_permissions_on_etc_cron_daily_are_configured +- ensure_permissions_on_etc_cron_weekly_are_configured +- ensure_permissions_on_etc_cron_monthly_are_configured +- ensure_permissions_on_etc_cron_d_are_configured +- ensure_cron_is_restricted_to_authorized_users +- ensure_at_is_restricted_to_authorized_users +- ensure_permissions_on_etc_ssh_sshd_config_are_configured +- ensure_permissions_on_ssh_private_host_key_files_are_configured +- ensure_permissions_on_ssh_public_host_key_files_are_configured +- ensure_ssh_access_is_limited +- ensure_ssh_loglevel_is_appropriate +- ensure_ssh_pam_is_enabled +- ensure_ssh_root_login_is_disabled +- ensure_ssh_hostbasedauthentication_is_disabled +- ensure_ssh_permitemptypasswords_is_disabled +- ensure_ssh_permituserenvironment_is_disabled +- ensure_ssh_ignorerhosts_is_enabled +- ensure_system_wide_crypto_policy_is_not_over_ridden +- ensure_ssh_warning_banner_is_configured +- ensure_ssh_maxstartups_is_configured +- ensure_ssh_logingracetime_is_set_to_one_minute_or_less +- ensure_ssh_idle_timeout_interval_is_configured +- ensure_sudo_is_installed +- ensure_sudo_commands_use_pty +- ensure_sudo_log_file_exists +- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally +- ensure_sudo_authentication_timeout_is_configured_correctly +- ensure_access_to_the_su_command_is_restricted +- ensure_authselect_includes_with_faillock +- ensure_password_creation_requirements_are_configured +- ensure_lockout_for_failed_password_attempts_is_configured +- ensure_password_reuse_is_limited +- 
ensure_all_users_last_password_change_date_is_in_the_past +- ensure_system_accounts_are_secured +- ensure_sticky_bit_is_set_on_all_world_writable_directories +- ensure_permissions_on_etc_passwd_are_configured +- ensure_permissions_on_etc_shadow_are_configured +- ensure_permissions_on_etc_group_are_configured +- ensure_permissions_on_etc_gshadow_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_shadow_dash_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_gshadow_dash_are_configured +- ensure_no_world_writable_files_exist +- ensure_no_unowned_files_or_directories_exist +- ensure_no_ungrouped_files_or_directories_exist +- ensure_password_fields_are_not_empty +- ensure_all_groups_in_etc_passwd_exist_in_etc_group +- ensure_no_duplicate_uids_exist +- ensure_no_duplicate_gids_exist +- ensure_no_duplicate_user_names_exist +- ensure_no_duplicate_group_names_exist +- ensure_root_path_integrity +- ensure_all_users_home_directories_exist +- ensure_users_own_their_home_directories +- ensure_users_dot_files_are_not_group_or_world_writable +- ensure_users_netrc_files_are_not_group_or_world_accessible +- ensure_no_users_have_forward_files +- ensure_no_users_have_netrc_files +- ensure_no_users_have_rhosts_files +secure_linux_cis::server_level_2: +- ensure_mounting_of_cramfs_filesystems_is_disabled +- ensure_mounting_of_squashfs_filesystems_is_disabled +- ensure_mounting_of_udf_filesystems_is_disabled +- ensure_tmp_is_a_separate_partition +- ensure_nodev_option_set_on_tmp_partition +- ensure_noexec_option_set_on_tmp_partition +- ensure_nosuid_option_set_on_tmp_partition +- ensure_separate_partition_exists_for_var +- ensure_nodev_option_set_on_var_partition +- ensure_noexec_option_set_on_var_partition +- ensure_nosuid_option_set_on_var_partition +- ensure_separate_partition_exists_for_var_tmp +- ensure_noexec_option_set_on_var_tmp_partition +- 
ensure_nosuid_option_set_on_var_tmp_partition +- ensure_nodev_option_set_on_var_tmp_partition +- ensure_separate_partition_exists_for_var_log +- ensure_nodev_option_set_on_var_log_partition +- ensure_noexec_option_set_on_var_log_partition +- ensure_nosuid_option_set_on_var_log_partition +- ensure_separate_partition_exists_for_var_log_audit +- ensure_noexec_option_set_on_var_log_audit_partition +- ensure_nodev_option_set_on_var_log_audit_partition +- ensure_nosuid_option_set_on_var_log_audit_partition +- ensure_separate_partition_exists_for_home +- ensure_nodev_option_set_on_home_partition +- ensure_nosuid_option_set_on_home_partition +- ensure_usrquota_option_set_on_home_partition +- ensure_grpquota_option_set_on_home_partition +- ensure_nodev_option_set_on_dev_shm_partition +- ensure_noexec_option_set_on_dev_shm_partition +- ensure_nosuid_option_set_on_dev_shm_partition +- disable_automounting +- disable_usb_storage +- ensure_gpgcheck_is_globally_activated +- ensure_aide_is_installed +- ensure_filesystem_integrity_is_regularly_checked +- ensure_bootloader_password_is_set +- ensure_permissions_on_bootloader_config_are_configured +- ensure_authentication_is_required_when_booting_into_rescue_mode +- ensure_core_dump_storage_is_disabled +- ensure_core_dump_backtraces_are_disabled +- ensure_address_space_layout_randomization_aslr_is_enabled +- ensure_selinux_is_installed +- ensure_selinux_is_not_disabled_in_bootloader_configuration +- ensure_selinux_policy_is_configured +- ensure_the_selinux_mode_is_not_disabled +- ensure_the_selinux_mode_is_enforcing +- ensure_no_unconfined_services_exist +- ensure_setroubleshoot_is_not_installed +- ensure_the_mcs_translation_service_mcstrans_is_not_installed +- ensure_message_of_the_day_is_configured_properly +- ensure_local_login_warning_banner_is_configured_properly +- ensure_remote_login_warning_banner_is_configured_properly +- ensure_permissions_on_etc_motd_are_configured +- ensure_permissions_on_etc_issue_are_configured +- 
ensure_permissions_on_etc_issue_net_are_configured +- ensure_gdm_login_banner_is_configured +- ensure_last_logged_in_user_display_is_disabled +- ensure_xdmcp_is_not_enabled +- ensure_automatic_mounting_of_removable_media_is_disabled +- ensure_system_wide_crypto_policy_is_not_legacy +- ensure_time_synchronization_is_in_use +- ensure_chrony_is_configured +- ensure_xinetd_is_not_installed +- ensure_avahi_server_is_not_installed +- ensure_cups_is_not_installed +- ensure_dhcp_server_is_not_installed +- ensure_dns_server_is_not_installed +- ensure_ftp_server_is_not_installed +- ensure_vsftp_server_is_not_installed +- ensure_tftp_server_is_not_installed +- ensure_a_web_server_is_not_installed +- ensure_samba_is_not_installed +- ensure_http_proxy_server_is_not_installed +- ensure_net_snmp_is_not_installed +- ensure_nis_server_is_not_installed +- ensure_telnet_server_is_not_installed +- ensure_mail_transfer_agent_is_configured_for_local_only_mode +- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked +- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked +- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked +- ensure_nis_client_is_not_installed +- ensure_rsh_client_is_not_installed +- ensure_talk_client_is_not_installed +- ensure_telnet_client_is_not_installed +- ensure_ldap_client_is_not_installed +- ensure_tftp_client_is_not_installed +- ensure_sctp_is_disabled +- ensure_dccp_is_disabled +- ensure_wireless_interfaces_are_disabled +- ensure_ip_forwarding_is_disabled +- ensure_packet_redirect_sending_is_disabled +- ensure_source_routed_packets_are_not_accepted +- ensure_icmp_redirects_are_not_accepted +- ensure_secure_icmp_redirects_are_not_accepted +- ensure_suspicious_packets_are_logged +- ensure_broadcast_icmp_requests_are_ignored +- ensure_bogus_icmp_responses_are_ignored +- ensure_reverse_path_filtering_is_enabled +- ensure_tcp_syn_cookies_is_enabled +- ensure_iptables_packages_are_installed +- 
ensure_nftables_is_not_installed_with_iptables +- ensure_firewalld_is_either_not_installed_or_masked_with_iptables +- ensure_iptables_loopback_traffic_is_configured +- ensure_iptables_rules_exist_for_all_open_ports +- ensure_iptables_default_deny_firewall_policy +- ensure_iptables_rules_are_saved +- ensure_iptables_is_enabled_and_active +- ensure_auditd_is_installed +- ensure_auditd_service_is_enabled +- ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled +- ensure_audit_backlog_limit_is_sufficient +- ensure_audit_log_storage_size_is_configured +- ensure_audit_logs_are_not_automatically_deleted +- ensure_system_is_disabled_when_audit_logs_are_full +- ensure_changes_to_system_administration_scope_sudoers_is_collected +- ensure_actions_as_another_user_are_always_logged +- ensure_events_that_modify_the_sudo_log_file_are_collected +- ensure_events_that_modify_date_and_time_information_are_collected +- ensure_events_that_modify_the_systems_network_environment_are_collected +- ensure_use_of_privileged_commands_are_collected +- ensure_unsuccessful_file_access_attempts_are_collected +- ensure_events_that_modify_user_group_information_are_collected +- ensure_discretionary_access_control_permission_modification_events_are_collected +- ensure_successful_file_system_mounts_are_collected +- ensure_session_initiation_information_is_collected +- ensure_login_and_logout_events_are_collected +- ensure_file_deletion_events_by_users_are_collected +- ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected +- ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded +- ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded +- ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded +- ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded +- ensure_kernel_module_loading_unloading_and_modification_is_collected +- 
ensure_the_audit_configuration_is_immutable +- ensure_rsyslog_is_installed +- ensure_rsyslog_service_is_enabled +- ensure_rsyslog_default_file_permissions_are_configured +- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client +- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client +- ensure_journald_service_is_enabled +- ensure_journald_is_configured_to_compress_large_log_files +- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk +- ensure_permissions_on_all_logfiles_are_configured +- ensure_cron_daemon_is_enabled +- ensure_permissions_on_etc_crontab_are_configured +- ensure_permissions_on_etc_cron_hourly_are_configured +- ensure_permissions_on_etc_cron_daily_are_configured +- ensure_permissions_on_etc_cron_weekly_are_configured +- ensure_permissions_on_etc_cron_monthly_are_configured +- ensure_permissions_on_etc_cron_d_are_configured +- ensure_cron_is_restricted_to_authorized_users +- ensure_at_is_restricted_to_authorized_users +- ensure_permissions_on_etc_ssh_sshd_config_are_configured +- ensure_permissions_on_ssh_private_host_key_files_are_configured +- ensure_permissions_on_ssh_public_host_key_files_are_configured +- ensure_ssh_access_is_limited +- ensure_ssh_loglevel_is_appropriate +- ensure_ssh_pam_is_enabled +- ensure_ssh_root_login_is_disabled +- ensure_ssh_hostbasedauthentication_is_disabled +- ensure_ssh_permitemptypasswords_is_disabled +- ensure_ssh_permituserenvironment_is_disabled +- ensure_ssh_ignorerhosts_is_enabled +- ensure_ssh_allowtcpforwarding_is_disabled +- ensure_system_wide_crypto_policy_is_not_over_ridden +- ensure_ssh_warning_banner_is_configured +- ensure_ssh_maxstartups_is_configured +- ensure_ssh_logingracetime_is_set_to_one_minute_or_less +- ensure_ssh_idle_timeout_interval_is_configured +- ensure_sudo_is_installed +- ensure_sudo_commands_use_pty +- ensure_sudo_log_file_exists +- ensure_users_must_provide_password_for_escalation +- 
ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally +- ensure_sudo_authentication_timeout_is_configured_correctly +- ensure_access_to_the_su_command_is_restricted +- ensure_authselect_includes_with_faillock +- ensure_password_creation_requirements_are_configured +- ensure_lockout_for_failed_password_attempts_is_configured +- ensure_password_reuse_is_limited +- ensure_all_users_last_password_change_date_is_in_the_past +- ensure_system_accounts_are_secured +- ensure_sticky_bit_is_set_on_all_world_writable_directories +- ensure_permissions_on_etc_passwd_are_configured +- ensure_permissions_on_etc_shadow_are_configured +- ensure_permissions_on_etc_group_are_configured +- ensure_permissions_on_etc_gshadow_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_shadow_dash_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_gshadow_dash_are_configured +- ensure_no_world_writable_files_exist +- ensure_no_unowned_files_or_directories_exist +- ensure_no_ungrouped_files_or_directories_exist +- ensure_password_fields_are_not_empty +- ensure_all_groups_in_etc_passwd_exist_in_etc_group +- ensure_no_duplicate_uids_exist +- ensure_no_duplicate_gids_exist +- ensure_no_duplicate_user_names_exist +- ensure_no_duplicate_group_names_exist +- ensure_root_path_integrity +- ensure_all_users_home_directories_exist +- ensure_users_own_their_home_directories +- ensure_users_dot_files_are_not_group_or_world_writable +- ensure_users_netrc_files_are_not_group_or_world_accessible +- ensure_no_users_have_forward_files +- ensure_no_users_have_netrc_files +- ensure_no_users_have_rhosts_files +- ensure_nodev_option_set_on_var_log_audit_partition +- ensure_selinux_is_not_disabled_in_bootloader_configuration +- ensure_vsftp_server_is_not_installed +- ensure_tcp_syn_cookies_is_enabled +- ensure_iptables_is_enabled_and_active +- ensure_successful_file_system_mounts_are_collected +- 
ensure_journald_is_configured_to_compress_large_log_files +- ensure_ssh_permitemptypasswords_is_disabled +- ensure_password_reuse_is_limited +- ensure_no_duplicate_user_names_exist +- ensure_no_users_have_rhosts_files +secure_linux_cis::workstation_level_1: +- ensure_mounting_of_cramfs_filesystems_is_disabled +- ensure_tmp_is_a_separate_partition +- ensure_nodev_option_set_on_tmp_partition +- ensure_noexec_option_set_on_tmp_partition +- ensure_nosuid_option_set_on_tmp_partition +- ensure_nodev_option_set_on_dev_shm_partition +- ensure_noexec_option_set_on_dev_shm_partition +- ensure_nosuid_option_set_on_dev_shm_partition +- ensure_gpgcheck_is_globally_activated +- ensure_aide_is_installed +- ensure_filesystem_integrity_is_regularly_checked +- ensure_bootloader_password_is_set +- ensure_permissions_on_bootloader_config_are_configured +- ensure_authentication_is_required_when_booting_into_rescue_mode +- ensure_core_dump_storage_is_disabled +- ensure_core_dump_backtraces_are_disabled +- ensure_address_space_layout_randomization_aslr_is_enabled +- ensure_selinux_is_installed +- ensure_selinux_is_not_disabled_in_bootloader_configuration +- ensure_selinux_policy_is_configured +- ensure_the_selinux_mode_is_not_disabled +- ensure_no_unconfined_services_exist +- ensure_the_mcs_translation_service_mcstrans_is_not_installed +- ensure_message_of_the_day_is_configured_properly +- ensure_local_login_warning_banner_is_configured_properly +- ensure_remote_login_warning_banner_is_configured_properly +- ensure_permissions_on_etc_motd_are_configured +- ensure_permissions_on_etc_issue_are_configured +- ensure_permissions_on_etc_issue_net_are_configured +- ensure_gdm_login_banner_is_configured +- ensure_last_logged_in_user_display_is_disabled +- ensure_xdmcp_is_not_enabled +- ensure_system_wide_crypto_policy_is_not_legacy +- ensure_time_synchronization_is_in_use +- ensure_chrony_is_configured +- ensure_xinetd_is_not_installed +- ensure_dhcp_server_is_not_installed +- 
ensure_dns_server_is_not_installed +- ensure_ftp_server_is_not_installed +- ensure_vsftp_server_is_not_installed +- ensure_tftp_server_is_not_installed +- ensure_a_web_server_is_not_installed +- ensure_samba_is_not_installed +- ensure_http_proxy_server_is_not_installed +- ensure_net_snmp_is_not_installed +- ensure_nis_server_is_not_installed +- ensure_telnet_server_is_not_installed +- ensure_mail_transfer_agent_is_configured_for_local_only_mode +- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked +- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked +- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked +- ensure_nis_client_is_not_installed +- ensure_rsh_client_is_not_installed +- ensure_talk_client_is_not_installed +- ensure_telnet_client_is_not_installed +- ensure_ldap_client_is_not_installed +- ensure_tftp_client_is_not_installed +- ensure_ip_forwarding_is_disabled +- ensure_packet_redirect_sending_is_disabled +- ensure_source_routed_packets_are_not_accepted +- ensure_icmp_redirects_are_not_accepted +- ensure_secure_icmp_redirects_are_not_accepted +- ensure_suspicious_packets_are_logged +- ensure_broadcast_icmp_requests_are_ignored +- ensure_bogus_icmp_responses_are_ignored +- ensure_reverse_path_filtering_is_enabled +- ensure_tcp_syn_cookies_is_enabled +- ensure_iptables_packages_are_installed +- ensure_nftables_is_not_installed_with_iptables +- ensure_firewalld_is_either_not_installed_or_masked_with_iptables +- ensure_iptables_loopback_traffic_is_configured +- ensure_iptables_rules_exist_for_all_open_ports +- ensure_iptables_default_deny_firewall_policy +- ensure_iptables_rules_are_saved +- ensure_iptables_is_enabled_and_active +- ensure_rsyslog_is_installed +- ensure_rsyslog_service_is_enabled +- ensure_rsyslog_default_file_permissions_are_configured +- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client +- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client +- 
ensure_journald_service_is_enabled +- ensure_journald_is_configured_to_compress_large_log_files +- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk +- ensure_permissions_on_all_logfiles_are_configured +- ensure_cron_daemon_is_enabled +- ensure_permissions_on_etc_crontab_are_configured +- ensure_permissions_on_etc_cron_hourly_are_configured +- ensure_permissions_on_etc_cron_daily_are_configured +- ensure_permissions_on_etc_cron_weekly_are_configured +- ensure_permissions_on_etc_cron_monthly_are_configured +- ensure_permissions_on_etc_cron_d_are_configured +- ensure_cron_is_restricted_to_authorized_users +- ensure_at_is_restricted_to_authorized_users +- ensure_permissions_on_etc_ssh_sshd_config_are_configured +- ensure_permissions_on_ssh_private_host_key_files_are_configured +- ensure_permissions_on_ssh_public_host_key_files_are_configured +- ensure_ssh_access_is_limited +- ensure_ssh_loglevel_is_appropriate +- ensure_ssh_pam_is_enabled +- ensure_ssh_root_login_is_disabled +- ensure_ssh_hostbasedauthentication_is_disabled +- ensure_ssh_permitemptypasswords_is_disabled +- ensure_ssh_permituserenvironment_is_disabled +- ensure_ssh_ignorerhosts_is_enabled +- ensure_system_wide_crypto_policy_is_not_over_ridden +- ensure_ssh_warning_banner_is_configured +- ensure_ssh_maxstartups_is_configured +- ensure_ssh_logingracetime_is_set_to_one_minute_or_less +- ensure_ssh_idle_timeout_interval_is_configured +- ensure_sudo_is_installed +- ensure_sudo_commands_use_pty +- ensure_sudo_log_file_exists +- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally +- ensure_sudo_authentication_timeout_is_configured_correctly +- ensure_access_to_the_su_command_is_restricted +- ensure_authselect_includes_with_faillock +- ensure_password_creation_requirements_are_configured +- ensure_lockout_for_failed_password_attempts_is_configured +- ensure_password_reuse_is_limited +- ensure_all_users_last_password_change_date_is_in_the_past +- 
ensure_system_accounts_are_secured +- ensure_sticky_bit_is_set_on_all_world_writable_directories +- ensure_permissions_on_etc_passwd_are_configured +- ensure_permissions_on_etc_shadow_are_configured +- ensure_permissions_on_etc_group_are_configured +- ensure_permissions_on_etc_gshadow_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_shadow_dash_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_gshadow_dash_are_configured +- ensure_no_world_writable_files_exist +- ensure_no_unowned_files_or_directories_exist +- ensure_no_ungrouped_files_or_directories_exist +- ensure_password_fields_are_not_empty +- ensure_all_groups_in_etc_passwd_exist_in_etc_group +- ensure_no_duplicate_uids_exist +- ensure_no_duplicate_gids_exist +- ensure_no_duplicate_user_names_exist +- ensure_no_duplicate_group_names_exist +- ensure_root_path_integrity +- ensure_all_users_home_directories_exist +- ensure_users_own_their_home_directories +- ensure_users_dot_files_are_not_group_or_world_writable +- ensure_users_netrc_files_are_not_group_or_world_accessible +- ensure_no_users_have_forward_files +- ensure_no_users_have_netrc_files +- ensure_no_users_have_rhosts_files +secure_linux_cis::workstation_level_2: +- ensure_mounting_of_cramfs_filesystems_is_disabled +- ensure_mounting_of_squashfs_filesystems_is_disabled +- ensure_mounting_of_udf_filesystems_is_disabled +- ensure_tmp_is_a_separate_partition +- ensure_nodev_option_set_on_tmp_partition +- ensure_noexec_option_set_on_tmp_partition +- ensure_nosuid_option_set_on_tmp_partition +- ensure_separate_partition_exists_for_var +- ensure_nodev_option_set_on_var_partition +- ensure_noexec_option_set_on_var_partition +- ensure_nosuid_option_set_on_var_partition +- ensure_separate_partition_exists_for_var_tmp +- ensure_noexec_option_set_on_var_tmp_partition +- ensure_nosuid_option_set_on_var_tmp_partition +- ensure_nodev_option_set_on_var_tmp_partition +- 
ensure_separate_partition_exists_for_var_log
+- ensure_nodev_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_partition
+- ensure_nosuid_option_set_on_var_log_partition
+- ensure_separate_partition_exists_for_var_log_audit
+- ensure_noexec_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_nosuid_option_set_on_var_log_audit_partition
+- ensure_separate_partition_exists_for_home
+- ensure_nodev_option_set_on_home_partition
+- ensure_nosuid_option_set_on_home_partition
+- ensure_usrquota_option_set_on_home_partition
+- ensure_grpquota_option_set_on_home_partition
+- ensure_nodev_option_set_on_dev_shm_partition
+- ensure_noexec_option_set_on_dev_shm_partition
+- ensure_nosuid_option_set_on_dev_shm_partition
+- disable_automounting
+- disable_usb_storage
+- ensure_gpgcheck_is_globally_activated
+- ensure_aide_is_installed
+- ensure_filesystem_integrity_is_regularly_checked
+- ensure_bootloader_password_is_set
+- ensure_permissions_on_bootloader_config_are_configured
+- ensure_authentication_is_required_when_booting_into_rescue_mode
+- ensure_core_dump_storage_is_disabled
+- ensure_core_dump_backtraces_are_disabled
+- ensure_address_space_layout_randomization_aslr_is_enabled
+- ensure_selinux_is_installed
+- ensure_selinux_is_not_disabled_in_bootloader_configuration
+- ensure_selinux_policy_is_configured
+- ensure_the_selinux_mode_is_not_disabled
+- ensure_the_selinux_mode_is_enforcing
+- ensure_no_unconfined_services_exist
+- ensure_setroubleshoot_is_not_installed
+- ensure_the_mcs_translation_service_mcstrans_is_not_installed
+- ensure_message_of_the_day_is_configured_properly
+- ensure_local_login_warning_banner_is_configured_properly
+- ensure_remote_login_warning_banner_is_configured_properly
+- ensure_permissions_on_etc_motd_are_configured
+- ensure_permissions_on_etc_issue_are_configured
+- ensure_permissions_on_etc_issue_net_are_configured
+- ensure_gdm_login_banner_is_configured
+- ensure_last_logged_in_user_display_is_disabled
+- ensure_xdmcp_is_not_enabled
+- ensure_automatic_mounting_of_removable_media_is_disabled
+- ensure_system_wide_crypto_policy_is_not_legacy
+- ensure_time_synchronization_is_in_use
+- ensure_chrony_is_configured
+- ensure_xinetd_is_not_installed
+- ensure_avahi_server_is_not_installed
+- ensure_cups_is_not_installed
+- ensure_dhcp_server_is_not_installed
+- ensure_dns_server_is_not_installed
+- ensure_ftp_server_is_not_installed
+- ensure_vsftp_server_is_not_installed
+- ensure_tftp_server_is_not_installed
+- ensure_a_web_server_is_not_installed
+- ensure_samba_is_not_installed
+- ensure_http_proxy_server_is_not_installed
+- ensure_net_snmp_is_not_installed
+- ensure_nis_server_is_not_installed
+- ensure_telnet_server_is_not_installed
+- ensure_mail_transfer_agent_is_configured_for_local_only_mode
+- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked
+- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked
+- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
+- ensure_nis_client_is_not_installed
+- ensure_rsh_client_is_not_installed
+- ensure_talk_client_is_not_installed
+- ensure_telnet_client_is_not_installed
+- ensure_ldap_client_is_not_installed
+- ensure_tftp_client_is_not_installed
+- ensure_sctp_is_disabled
+- ensure_dccp_is_disabled
+- ensure_wireless_interfaces_are_disabled
+- ensure_ip_forwarding_is_disabled
+- ensure_packet_redirect_sending_is_disabled
+- ensure_source_routed_packets_are_not_accepted
+- ensure_icmp_redirects_are_not_accepted
+- ensure_secure_icmp_redirects_are_not_accepted
+- ensure_suspicious_packets_are_logged
+- ensure_broadcast_icmp_requests_are_ignored
+- ensure_bogus_icmp_responses_are_ignored
+- ensure_reverse_path_filtering_is_enabled
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_packages_are_installed
+- ensure_nftables_is_not_installed_with_iptables
+- ensure_firewalld_is_either_not_installed_or_masked_with_iptables
+- ensure_iptables_loopback_traffic_is_configured
+- ensure_iptables_rules_exist_for_all_open_ports
+- ensure_iptables_default_deny_firewall_policy
+- ensure_iptables_rules_are_saved
+- ensure_iptables_is_enabled_and_active
+- ensure_auditd_is_installed
+- ensure_auditd_service_is_enabled
+- ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled
+- ensure_audit_backlog_limit_is_sufficient
+- ensure_audit_log_storage_size_is_configured
+- ensure_audit_logs_are_not_automatically_deleted
+- ensure_system_is_disabled_when_audit_logs_are_full
+- ensure_changes_to_system_administration_scope_sudoers_is_collected
+- ensure_actions_as_another_user_are_always_logged
+- ensure_events_that_modify_the_sudo_log_file_are_collected
+- ensure_events_that_modify_date_and_time_information_are_collected
+- ensure_events_that_modify_the_systems_network_environment_are_collected
+- ensure_use_of_privileged_commands_are_collected
+- ensure_unsuccessful_file_access_attempts_are_collected
+- ensure_events_that_modify_user_group_information_are_collected
+- ensure_discretionary_access_control_permission_modification_events_are_collected
+- ensure_successful_file_system_mounts_are_collected
+- ensure_session_initiation_information_is_collected
+- ensure_login_and_logout_events_are_collected
+- ensure_file_deletion_events_by_users_are_collected
+- ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected
+- ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded
+- ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded
+- ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded
+- ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded
+- ensure_kernel_module_loading_unloading_and_modification_is_collected
+- ensure_the_audit_configuration_is_immutable
+- ensure_rsyslog_is_installed
+- ensure_rsyslog_service_is_enabled
+- ensure_rsyslog_default_file_permissions_are_configured
+- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_service_is_enabled
+- ensure_journald_is_configured_to_compress_large_log_files
+- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
+- ensure_permissions_on_all_logfiles_are_configured
+- ensure_cron_daemon_is_enabled
+- ensure_permissions_on_etc_crontab_are_configured
+- ensure_permissions_on_etc_cron_hourly_are_configured
+- ensure_permissions_on_etc_cron_daily_are_configured
+- ensure_permissions_on_etc_cron_weekly_are_configured
+- ensure_permissions_on_etc_cron_monthly_are_configured
+- ensure_permissions_on_etc_cron_d_are_configured
+- ensure_cron_is_restricted_to_authorized_users
+- ensure_at_is_restricted_to_authorized_users
+- ensure_permissions_on_etc_ssh_sshd_config_are_configured
+- ensure_permissions_on_ssh_private_host_key_files_are_configured
+- ensure_permissions_on_ssh_public_host_key_files_are_configured
+- ensure_ssh_access_is_limited
+- ensure_ssh_loglevel_is_appropriate
+- ensure_ssh_pam_is_enabled
+- ensure_ssh_root_login_is_disabled
+- ensure_ssh_hostbasedauthentication_is_disabled
+- ensure_ssh_permitemptypasswords_is_disabled
+- ensure_ssh_permituserenvironment_is_disabled
+- ensure_ssh_ignorerhosts_is_enabled
+- ensure_ssh_allowtcpforwarding_is_disabled
+- ensure_system_wide_crypto_policy_is_not_over_ridden
+- ensure_ssh_warning_banner_is_configured
+- ensure_ssh_maxstartups_is_configured
+- ensure_ssh_logingracetime_is_set_to_one_minute_or_less
+- ensure_ssh_idle_timeout_interval_is_configured
+- ensure_sudo_is_installed
+- ensure_sudo_commands_use_pty
+- ensure_sudo_log_file_exists
+- ensure_users_must_provide_password_for_escalation
+- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally
+- ensure_sudo_authentication_timeout_is_configured_correctly
+- ensure_access_to_the_su_command_is_restricted
+- ensure_authselect_includes_with_faillock
+- ensure_password_creation_requirements_are_configured
+- ensure_lockout_for_failed_password_attempts_is_configured
+- ensure_password_reuse_is_limited
+- ensure_all_users_last_password_change_date_is_in_the_past
+- ensure_system_accounts_are_secured
+- ensure_sticky_bit_is_set_on_all_world_writable_directories
+- ensure_permissions_on_etc_passwd_are_configured
+- ensure_permissions_on_etc_shadow_are_configured
+- ensure_permissions_on_etc_group_are_configured
+- ensure_permissions_on_etc_gshadow_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_shadow_dash_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_gshadow_dash_are_configured
+- ensure_no_world_writable_files_exist
+- ensure_no_unowned_files_or_directories_exist
+- ensure_no_ungrouped_files_or_directories_exist
+- ensure_password_fields_are_not_empty
+- ensure_all_groups_in_etc_passwd_exist_in_etc_group
+- ensure_no_duplicate_uids_exist
+- ensure_no_duplicate_gids_exist
+- ensure_no_duplicate_user_names_exist
+- ensure_no_duplicate_group_names_exist
+- ensure_root_path_integrity
+- ensure_all_users_home_directories_exist
+- ensure_users_own_their_home_directories
+- ensure_users_dot_files_are_not_group_or_world_writable
+- ensure_users_netrc_files_are_not_group_or_world_accessible
+- ensure_no_users_have_forward_files
+- ensure_no_users_have_netrc_files
+- ensure_no_users_have_rhosts_files
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_selinux_is_not_disabled_in_bootloader_configuration
+- ensure_vsftp_server_is_not_installed
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_is_enabled_and_active
+- ensure_successful_file_system_mounts_are_collected
+- ensure_journald_is_configured_to_compress_large_log_files
+- ensure_ssh_permitemptypasswords_is_disabled
+- ensure_password_reuse_is_limited
+- ensure_no_duplicate_user_names_exist
+- ensure_no_users_have_rhosts_files
From a70f7c849753f2cdba4d7e55fdef765b13d9bed9 Mon Sep 17 00:00:00 2001
From: Sergejs Glusnevs
Date: Wed, 28 Jun 2023 08:45:04 +0200
Subject: [PATCH 04/42] Rocky Linux 9 rules added
---
data/os/Rocky/version/9.yaml | 797 +++++++++++++++++++++++++++++++++++
1 file changed, 797 insertions(+)
create mode 100644 data/os/Rocky/version/9.yaml
diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml
new file mode 100644
index 00000000..7f503ea0
--- /dev/null
+++ b/data/os/Rocky/version/9.yaml
@@ -0,0 +1,797 @@
+---
+secure_linux_cis::server_level_1:
+- ensure_mounting_of_cramfs_filesystems_is_disabled
+- ensure_tmp_is_a_separate_partition
+- ensure_nodev_option_set_on_tmp_partition
+- ensure_noexec_option_set_on_tmp_partition
+- ensure_nosuid_option_set_on_tmp_partition
+- ensure_separate_partition_exists_for_var
+- ensure_nodev_option_set_on_var_partition
+- ensure_noexec_option_set_on_var_partition
+- ensure_nosuid_option_set_on_var_partition
+- ensure_separate_partition_exists_for_var_tmp
+- ensure_noexec_option_set_on_var_tmp_partition
+- ensure_nosuid_option_set_on_var_tmp_partition
+- ensure_nodev_option_set_on_var_tmp_partition
+- ensure_nodev_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_partition
+- ensure_nosuid_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_nosuid_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_home_partition
+- ensure_nosuid_option_set_on_home_partition
+- ensure_separate_partition_exists_for_dev_shm
+- ensure_nodev_option_set_on_dev_shm_partition
+- ensure_noexec_option_set_on_dev_shm_partition
+- ensure_nosuid_option_set_on_dev_shm_partition
+- disable_automounting
+- disable_usb_storage
+- ensure_gpgcheck_is_globally_activated
+- ensure_aide_is_installed
+- ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
+- ensure_filesystem_integrity_is_regularly_checked
+- ensure_bootloader_password_is_set
+- ensure_permissions_on_bootloader_config_are_configured
+- ensure_authentication_is_required_when_booting_into_rescue_mode
+- ensure_core_dump_storage_is_disabled
+- ensure_core_dump_backtraces_are_disabled
+- ensure_address_space_layout_randomization_aslr_is_enabled
+- ensure_selinux_is_installed
+- ensure_selinux_is_not_disabled_in_bootloader_configuration
+- ensure_selinux_policy_is_configured
+- ensure_the_selinux_mode_is_not_disabled
+- ensure_no_unconfined_services_exist
+- ensure_setroubleshoot_is_not_installed
+- ensure_the_mcs_translation_service_mcstrans_is_not_installed
+- ensure_message_of_the_day_is_configured_properly
+- ensure_local_login_warning_banner_is_configured_properly
+- ensure_remote_login_warning_banner_is_configured_properly
+- ensure_permissions_on_etc_motd_are_configured
+- ensure_permissions_on_etc_issue_are_configured
+- ensure_permissions_on_etc_issue_net_are_configured
+- ensure_gdm_login_banner_is_configured
+- ensure_gdm_disable_user_list_option_is_enabled
+- ensure_gdm_screen_locks_when_the_user_is_idle
+- ensure_last_logged_in_user_display_is_disabled
+- ensure_xdmcp_is_not_enabled
+- ensure_automatic_mounting_of_removable_media_is_disabled
+- ensure_system_wide_crypto_policy_is_not_legacy
+- ensure_time_synchronization_is_in_use
+- ensure_chrony_is_configured
+- ensure_xinetd_is_not_installed
+- ensure_avahi_server_is_not_installed
+- ensure_cups_is_not_installed
+- ensure_dhcp_server_is_not_installed
+- ensure_dns_server_is_not_installed
+- ensure_ftp_server_is_not_installed
+- ensure_vsftp_server_is_not_installed
+- ensure_tftp_server_is_not_installed
+- ensure_a_web_server_is_not_installed
+- ensure_samba_is_not_installed
+- ensure_http_proxy_server_is_not_installed
+- ensure_net_snmp_is_not_installed
+- ensure_nis_server_is_not_installed
+- ensure_telnet_server_is_not_installed
+- ensure_dnsmasq_is_not_installed
+- ensure_mail_transfer_agent_is_configured_for_local_only_mode
+- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked
+- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked
+- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
+- ensure_nis_client_is_not_installed
+- ensure_rsh_client_is_not_installed
+- ensure_talk_client_is_not_installed
+- ensure_telnet_client_is_not_installed
+- ensure_ldap_client_is_not_installed
+- ensure_tftp_client_is_not_installed
+- ensure_wireless_interfaces_are_disabled
+- ensure_ip_forwarding_is_disabled
+- ensure_packet_redirect_sending_is_disabled
+- ensure_source_routed_packets_are_not_accepted
+- ensure_icmp_redirects_are_not_accepted
+- ensure_secure_icmp_redirects_are_not_accepted
+- ensure_suspicious_packets_are_logged
+- ensure_broadcast_icmp_requests_are_ignored
+- ensure_bogus_icmp_responses_are_ignored
+- ensure_reverse_path_filtering_is_enabled
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_packages_are_installed
+- ensure_nftables_is_not_installed_with_iptables
+- ensure_firewalld_is_either_not_installed_or_masked_with_iptables
+- ensure_iptables_loopback_traffic_is_configured
+- ensure_iptables_rules_exist_for_all_open_ports
+- ensure_iptables_default_deny_firewall_policy
+- ensure_iptables_rules_are_saved
+- ensure_iptables_is_enabled_and_active
+- ensure_rsyslog_is_installed
+- ensure_rsyslog_service_is_enabled
+- ensure_rsyslog_default_file_permissions_are_configured
+- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_service_is_enabled
+- ensure_journald_is_configured_to_compress_large_log_files
+- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
+- ensure_permissions_on_all_logfiles_are_configured
+- ensure_cron_daemon_is_enabled
+- ensure_permissions_on_etc_crontab_are_configured
+- ensure_permissions_on_etc_cron_hourly_are_configured
+- ensure_permissions_on_etc_cron_daily_are_configured
+- ensure_permissions_on_etc_cron_weekly_are_configured
+- ensure_permissions_on_etc_cron_monthly_are_configured
+- ensure_permissions_on_etc_cron_d_are_configured
+- ensure_cron_is_restricted_to_authorized_users
+- ensure_at_is_restricted_to_authorized_users
+- ensure_permissions_on_etc_ssh_sshd_config_are_configured
+- ensure_permissions_on_ssh_private_host_key_files_are_configured
+- ensure_permissions_on_ssh_public_host_key_files_are_configured
+- ensure_ssh_access_is_limited
+- ensure_ssh_loglevel_is_appropriate
+- ensure_ssh_pam_is_enabled
+- ensure_ssh_root_login_is_disabled
+- ensure_ssh_hostbasedauthentication_is_disabled
+- ensure_ssh_permitemptypasswords_is_disabled
+- ensure_ssh_permituserenvironment_is_disabled
+- ensure_ssh_ignorerhosts_is_enabled
+- ensure_system_wide_crypto_policy_is_not_over_ridden
+- ensure_ssh_warning_banner_is_configured
+- ensure_ssh_maxstartups_is_configured
+- ensure_ssh_logingracetime_is_set_to_one_minute_or_less
+- ensure_ssh_idle_timeout_interval_is_configured
+- ensure_sudo_is_installed
+- ensure_sudo_commands_use_pty
+- ensure_sudo_log_file_exists
+- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally
+- ensure_sudo_authentication_timeout_is_configured_correctly
+- ensure_access_to_the_su_command_is_restricted
+- ensure_authselect_includes_with_faillock
+- ensure_password_creation_requirements_are_configured
+- ensure_lockout_for_failed_password_attempts_is_configured
+- ensure_password_reuse_is_limited
+- ensure_all_users_last_password_change_date_is_in_the_past
+- ensure_system_accounts_are_secured
+- ensure_sticky_bit_is_set_on_all_world_writable_directories
+- ensure_permissions_on_etc_passwd_are_configured
+- ensure_permissions_on_etc_shadow_are_configured
+- ensure_permissions_on_etc_group_are_configured
+- ensure_permissions_on_etc_gshadow_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_shadow_dash_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_gshadow_dash_are_configured
+- ensure_no_world_writable_files_exist
+- ensure_no_unowned_files_or_directories_exist
+- ensure_no_ungrouped_files_or_directories_exist
+- ensure_password_fields_are_not_empty
+- ensure_all_groups_in_etc_passwd_exist_in_etc_group
+- ensure_no_duplicate_uids_exist
+- ensure_no_duplicate_gids_exist
+- ensure_no_duplicate_user_names_exist
+- ensure_no_duplicate_group_names_exist
+- ensure_root_path_integrity
+- ensure_all_users_home_directories_exist
+- ensure_users_own_their_home_directories
+- ensure_users_dot_files_are_not_group_or_world_writable
+- ensure_users_netrc_files_are_not_group_or_world_accessible
+- ensure_no_users_have_forward_files
+- ensure_no_users_have_netrc_files
+- ensure_no_users_have_rhosts_files
+secure_linux_cis::server_level_2:
+- ensure_mounting_of_cramfs_filesystems_is_disabled
+- ensure_mounting_of_squashfs_filesystems_is_disabled
+- ensure_mounting_of_udf_filesystems_is_disabled
+- ensure_tmp_is_a_separate_partition
+- ensure_nodev_option_set_on_tmp_partition
+- ensure_noexec_option_set_on_tmp_partition
+- ensure_nosuid_option_set_on_tmp_partition
+- ensure_separate_partition_exists_for_var
+- ensure_nodev_option_set_on_var_partition
+- ensure_noexec_option_set_on_var_partition
+- ensure_nosuid_option_set_on_var_partition
+- ensure_separate_partition_exists_for_var_tmp
+- ensure_noexec_option_set_on_var_tmp_partition
+- ensure_nosuid_option_set_on_var_tmp_partition
+- ensure_nodev_option_set_on_var_tmp_partition
+- ensure_separate_partition_exists_for_var_log
+- ensure_nodev_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_partition
+- ensure_nosuid_option_set_on_var_log_partition
+- ensure_separate_partition_exists_for_var_log_audit
+- ensure_noexec_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_nosuid_option_set_on_var_log_audit_partition
+- ensure_separate_partition_exists_for_home
+- ensure_nodev_option_set_on_home_partition
+- ensure_nosuid_option_set_on_home_partition
+- ensure_usrquota_option_set_on_home_partition
+- ensure_grpquota_option_set_on_home_partition
+- ensure_separate_partition_exists_for_dev_shm
+- ensure_nodev_option_set_on_dev_shm_partition
+- ensure_noexec_option_set_on_dev_shm_partition
+- ensure_nosuid_option_set_on_dev_shm_partition
+- disable_automounting
+- ensure_gpgcheck_is_globally_activated
+- ensure_aide_is_installed
+- ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
+- ensure_filesystem_integrity_is_regularly_checked
+- ensure_bootloader_password_is_set
+- ensure_permissions_on_bootloader_config_are_configured
+- ensure_authentication_is_required_when_booting_into_rescue_mode
+- ensure_core_dump_storage_is_disabled
+- ensure_core_dump_backtraces_are_disabled
+- ensure_address_space_layout_randomization_aslr_is_enabled
+- ensure_selinux_is_installed
+- ensure_selinux_is_not_disabled_in_bootloader_configuration
+- ensure_selinux_policy_is_configured
+- ensure_the_selinux_mode_is_not_disabled
+- ensure_the_selinux_mode_is_enforcing
+- ensure_no_unconfined_services_exist
+- ensure_setroubleshoot_is_not_installed
+- ensure_the_mcs_translation_service_mcstrans_is_not_installed
+- ensure_message_of_the_day_is_configured_properly
+- ensure_local_login_warning_banner_is_configured_properly
+- ensure_remote_login_warning_banner_is_configured_properly
+- ensure_permissions_on_etc_motd_are_configured
+- ensure_permissions_on_etc_issue_are_configured
+- ensure_permissions_on_etc_issue_net_are_configured
+- ensure_gdm_login_banner_is_configured
+- ensure_gdm_disable_user_list_option_is_enabled
+- ensure_gdm_screen_locks_when_the_user_is_idle
+- ensure_last_logged_in_user_display_is_disabled
+- ensure_xdmcp_is_not_enabled
+- ensure_automatic_mounting_of_removable_media_is_disabled
+- ensure_system_wide_crypto_policy_is_not_legacy
+- ensure_time_synchronization_is_in_use
+- ensure_chrony_is_configured
+- ensure_xorg_x11_server_common_is_not_installed
+- ensure_xinetd_is_not_installed
+- ensure_avahi_server_is_not_installed
+- ensure_cups_is_not_installed
+- ensure_dhcp_server_is_not_installed
+- ensure_dns_server_is_not_installed
+- ensure_ftp_server_is_not_installed
+- ensure_vsftp_server_is_not_installed
+- ensure_tftp_server_is_not_installed
+- ensure_a_web_server_is_not_installed
+- ensure_samba_is_not_installed
+- ensure_http_proxy_server_is_not_installed
+- ensure_net_snmp_is_not_installed
+- ensure_nis_server_is_not_installed
+- ensure_telnet_server_is_not_installed
+- ensure_dnsmasq_is_not_installed
+- ensure_mail_transfer_agent_is_configured_for_local_only_mode
+- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked
+- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked
+- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
+- ensure_nis_client_is_not_installed
+- ensure_rsh_client_is_not_installed
+- ensure_talk_client_is_not_installed
+- ensure_telnet_client_is_not_installed
+- ensure_ldap_client_is_not_installed
+- ensure_tftp_client_is_not_installed
+- ensure_sctp_is_disabled
+- ensure_dccp_is_disabled
+- ensure_wireless_interfaces_are_disabled
+- ensure_ip_forwarding_is_disabled
+- ensure_packet_redirect_sending_is_disabled
+- ensure_source_routed_packets_are_not_accepted
+- ensure_icmp_redirects_are_not_accepted
+- ensure_secure_icmp_redirects_are_not_accepted
+- ensure_suspicious_packets_are_logged
+- ensure_broadcast_icmp_requests_are_ignored
+- ensure_bogus_icmp_responses_are_ignored
+- ensure_reverse_path_filtering_is_enabled
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_packages_are_installed
+- ensure_nftables_is_not_installed_with_iptables
+- ensure_firewalld_is_either_not_installed_or_masked_with_iptables
+- ensure_iptables_loopback_traffic_is_configured
+- ensure_iptables_rules_exist_for_all_open_ports
+- ensure_iptables_default_deny_firewall_policy
+- ensure_iptables_rules_are_saved
+- ensure_iptables_is_enabled_and_active
+- ensure_auditd_is_installed
+- ensure_auditd_service_is_enabled
+- ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled
+- ensure_audit_backlog_limit_is_sufficient
+- ensure_audit_log_storage_size_is_configured
+- ensure_audit_logs_are_not_automatically_deleted
+- ensure_system_is_disabled_when_audit_logs_are_full
+- ensure_changes_to_system_administration_scope_sudoers_is_collected
+- ensure_actions_as_another_user_are_always_logged
+- ensure_events_that_modify_the_sudo_log_file_are_collected
+- ensure_events_that_modify_date_and_time_information_are_collected
+- ensure_events_that_modify_the_systems_network_environment_are_collected
+- ensure_use_of_privileged_commands_are_collected
+- ensure_unsuccessful_file_access_attempts_are_collected
+- ensure_events_that_modify_user_group_information_are_collected
+- ensure_discretionary_access_control_permission_modification_events_are_collected
+- ensure_successful_file_system_mounts_are_collected
+- ensure_session_initiation_information_is_collected
+- ensure_login_and_logout_events_are_collected
+- ensure_file_deletion_events_by_users_are_collected
+- ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected
+- ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded
+- ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded
+- ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded
+- ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded
+- ensure_kernel_module_loading_unloading_and_modification_is_collected
+- ensure_the_audit_configuration_is_immutable
+- ensure_rsyslog_is_installed
+- ensure_rsyslog_service_is_enabled
+- ensure_rsyslog_default_file_permissions_are_configured
+- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_service_is_enabled
+- ensure_journald_is_configured_to_compress_large_log_files
+- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
+- ensure_permissions_on_all_logfiles_are_configured
+- ensure_cron_daemon_is_enabled
+- ensure_permissions_on_etc_crontab_are_configured
+- ensure_permissions_on_etc_cron_hourly_are_configured
+- ensure_permissions_on_etc_cron_daily_are_configured
+- ensure_permissions_on_etc_cron_weekly_are_configured
+- ensure_permissions_on_etc_cron_monthly_are_configured
+- ensure_permissions_on_etc_cron_d_are_configured
+- ensure_cron_is_restricted_to_authorized_users
+- ensure_at_is_restricted_to_authorized_users
+- ensure_permissions_on_etc_ssh_sshd_config_are_configured
+- ensure_permissions_on_ssh_private_host_key_files_are_configured
+- ensure_permissions_on_ssh_public_host_key_files_are_configured
+- ensure_ssh_access_is_limited
+- ensure_ssh_loglevel_is_appropriate
+- ensure_ssh_pam_is_enabled
+- ensure_ssh_root_login_is_disabled
+- ensure_ssh_hostbasedauthentication_is_disabled
+- ensure_ssh_permitemptypasswords_is_disabled
+- ensure_ssh_permituserenvironment_is_disabled
+- ensure_ssh_ignorerhosts_is_enabled
+- ensure_ssh_allowtcpforwarding_is_disabled
+- ensure_system_wide_crypto_policy_is_not_over_ridden
+- ensure_ssh_warning_banner_is_configured
+- ensure_ssh_maxstartups_is_configured
+- ensure_ssh_logingracetime_is_set_to_one_minute_or_less
+- ensure_ssh_idle_timeout_interval_is_configured
+- ensure_sudo_is_installed
+- ensure_sudo_commands_use_pty
+- ensure_sudo_log_file_exists
+- ensure_users_must_provide_password_for_escalation
+- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally
+- ensure_sudo_authentication_timeout_is_configured_correctly
+- ensure_access_to_the_su_command_is_restricted
+- ensure_authselect_includes_with_faillock
+- ensure_password_creation_requirements_are_configured
+- ensure_lockout_for_failed_password_attempts_is_configured
+- ensure_password_reuse_is_limited
+- ensure_all_users_last_password_change_date_is_in_the_past
+- ensure_system_accounts_are_secured
+- ensure_sticky_bit_is_set_on_all_world_writable_directories
+- ensure_permissions_on_etc_passwd_are_configured
+- ensure_permissions_on_etc_shadow_are_configured
+- ensure_permissions_on_etc_group_are_configured
+- ensure_permissions_on_etc_gshadow_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_shadow_dash_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_gshadow_dash_are_configured
+- ensure_no_world_writable_files_exist
+- ensure_no_unowned_files_or_directories_exist
+- ensure_no_ungrouped_files_or_directories_exist
+- ensure_password_fields_are_not_empty
+- ensure_all_groups_in_etc_passwd_exist_in_etc_group
+- ensure_no_duplicate_uids_exist
+- ensure_no_duplicate_gids_exist
+- ensure_no_duplicate_user_names_exist
+- ensure_no_duplicate_group_names_exist
+- ensure_root_path_integrity
+- ensure_all_users_home_directories_exist
+- ensure_users_own_their_home_directories
+- ensure_users_dot_files_are_not_group_or_world_writable
+- ensure_users_netrc_files_are_not_group_or_world_accessible
+- ensure_no_users_have_forward_files
+- ensure_no_users_have_netrc_files
+- ensure_no_users_have_rhosts_files
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_vsftp_server_is_not_installed
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_is_enabled_and_active
+- ensure_successful_file_system_mounts_are_collected
+- ensure_journald_is_configured_to_compress_large_log_files
+- ensure_ssh_permitemptypasswords_is_disabled
+- ensure_password_reuse_is_limited
+- ensure_no_duplicate_user_names_exist
+- ensure_no_users_have_rhosts_files
+secure_linux_cis::workstation_level_1:
+- ensure_mounting_of_cramfs_filesystems_is_disabled
+- ensure_tmp_is_a_separate_partition
+- ensure_nodev_option_set_on_tmp_partition
+- ensure_noexec_option_set_on_tmp_partition
+- ensure_nosuid_option_set_on_tmp_partition
+- ensure_separate_partition_exists_for_var
+- ensure_nodev_option_set_on_var_partition
+- ensure_noexec_option_set_on_var_partition
+- ensure_separate_partition_exists_for_var_tmp
+- ensure_noexec_option_set_on_var_tmp_partition
+- ensure_nosuid_option_set_on_var_tmp_partition
+- ensure_nodev_option_set_on_var_tmp_partition
+- ensure_nosuid_option_set_on_var_partition
+- ensure_nodev_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_partition
+- ensure_nosuid_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_nosuid_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_home_partition
+- ensure_nosuid_option_set_on_home_partition
+- ensure_separate_partition_exists_for_dev_shm
+- ensure_nodev_option_set_on_dev_shm_partition
+- ensure_noexec_option_set_on_dev_shm_partition
+- ensure_nosuid_option_set_on_dev_shm_partition
+- disable_usb_storage
+- ensure_gpgcheck_is_globally_activated
+- ensure_aide_is_installed
+- ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
+- ensure_filesystem_integrity_is_regularly_checked
+- ensure_bootloader_password_is_set
+- ensure_permissions_on_bootloader_config_are_configured
+- ensure_authentication_is_required_when_booting_into_rescue_mode
+- ensure_core_dump_storage_is_disabled
+- ensure_core_dump_backtraces_are_disabled
+- ensure_address_space_layout_randomization_aslr_is_enabled
+- ensure_selinux_is_installed
+- ensure_selinux_is_not_disabled_in_bootloader_configuration
+- ensure_selinux_policy_is_configured
+- ensure_the_selinux_mode_is_not_disabled
+- ensure_no_unconfined_services_exist
+- ensure_the_mcs_translation_service_mcstrans_is_not_installed
+- ensure_message_of_the_day_is_configured_properly
+- ensure_local_login_warning_banner_is_configured_properly
+- ensure_remote_login_warning_banner_is_configured_properly
+- ensure_permissions_on_etc_motd_are_configured
+- ensure_permissions_on_etc_issue_are_configured
+- ensure_permissions_on_etc_issue_net_are_configured
+- ensure_gdm_login_banner_is_configured
+- ensure_gdm_disable_user_list_option_is_enabled
+- ensure_gdm_screen_locks_when_the_user_is_idle
+- ensure_last_logged_in_user_display_is_disabled
+- ensure_xdmcp_is_not_enabled
+- ensure_system_wide_crypto_policy_is_not_legacy
+- ensure_time_synchronization_is_in_use
+- ensure_chrony_is_configured
+- ensure_xinetd_is_not_installed
+- ensure_dhcp_server_is_not_installed
+- ensure_dns_server_is_not_installed
+- ensure_ftp_server_is_not_installed
+- ensure_vsftp_server_is_not_installed
+- ensure_tftp_server_is_not_installed
+- ensure_a_web_server_is_not_installed
+- ensure_samba_is_not_installed
+- ensure_http_proxy_server_is_not_installed
+- ensure_net_snmp_is_not_installed
+- ensure_nis_server_is_not_installed
+- ensure_telnet_server_is_not_installed
+- ensure_dnsmasq_is_not_installed
+- ensure_mail_transfer_agent_is_configured_for_local_only_mode
+- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked
+- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked
+- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
+- ensure_nis_client_is_not_installed
+- ensure_rsh_client_is_not_installed
+- ensure_talk_client_is_not_installed
+- ensure_telnet_client_is_not_installed
+- ensure_ldap_client_is_not_installed
+- ensure_tftp_client_is_not_installed
+- ensure_ip_forwarding_is_disabled
+- ensure_packet_redirect_sending_is_disabled
+- ensure_source_routed_packets_are_not_accepted
+- ensure_icmp_redirects_are_not_accepted
+- ensure_secure_icmp_redirects_are_not_accepted
+- ensure_suspicious_packets_are_logged
+- ensure_broadcast_icmp_requests_are_ignored
+- ensure_bogus_icmp_responses_are_ignored
+- ensure_reverse_path_filtering_is_enabled
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_packages_are_installed
+- ensure_nftables_is_not_installed_with_iptables
+- ensure_firewalld_is_either_not_installed_or_masked_with_iptables
+- ensure_iptables_loopback_traffic_is_configured
+- ensure_iptables_rules_exist_for_all_open_ports
+- ensure_iptables_default_deny_firewall_policy
+- ensure_iptables_rules_are_saved
+- ensure_iptables_is_enabled_and_active
+- ensure_rsyslog_is_installed
+- ensure_rsyslog_service_is_enabled
+- ensure_rsyslog_default_file_permissions_are_configured
+- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_service_is_enabled
+- ensure_journald_is_configured_to_compress_large_log_files
+- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
+- ensure_permissions_on_all_logfiles_are_configured
+- ensure_cron_daemon_is_enabled
+- ensure_permissions_on_etc_crontab_are_configured
+- ensure_permissions_on_etc_cron_hourly_are_configured
+- ensure_permissions_on_etc_cron_daily_are_configured
+- ensure_permissions_on_etc_cron_weekly_are_configured
+- ensure_permissions_on_etc_cron_monthly_are_configured
+- ensure_permissions_on_etc_cron_d_are_configured
+- ensure_cron_is_restricted_to_authorized_users
+- ensure_at_is_restricted_to_authorized_users
+- ensure_permissions_on_etc_ssh_sshd_config_are_configured
+- ensure_permissions_on_ssh_private_host_key_files_are_configured
+- ensure_permissions_on_ssh_public_host_key_files_are_configured
+- ensure_ssh_access_is_limited
+- ensure_ssh_loglevel_is_appropriate
+- ensure_ssh_pam_is_enabled
+- ensure_ssh_root_login_is_disabled
+- ensure_ssh_hostbasedauthentication_is_disabled
+- ensure_ssh_permitemptypasswords_is_disabled
+- ensure_ssh_permituserenvironment_is_disabled
+- ensure_ssh_ignorerhosts_is_enabled
+- ensure_system_wide_crypto_policy_is_not_over_ridden
+- ensure_ssh_warning_banner_is_configured
+- ensure_ssh_maxstartups_is_configured
+- ensure_ssh_logingracetime_is_set_to_one_minute_or_less
+- ensure_ssh_idle_timeout_interval_is_configured
+- ensure_sudo_is_installed
+- ensure_sudo_commands_use_pty
+- ensure_sudo_log_file_exists
+- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally
+- ensure_sudo_authentication_timeout_is_configured_correctly
+- ensure_access_to_the_su_command_is_restricted
+- ensure_authselect_includes_with_faillock
+- ensure_password_creation_requirements_are_configured
+- ensure_lockout_for_failed_password_attempts_is_configured
+- ensure_password_reuse_is_limited
+- ensure_all_users_last_password_change_date_is_in_the_past
+- ensure_system_accounts_are_secured
+- ensure_sticky_bit_is_set_on_all_world_writable_directories
+- ensure_permissions_on_etc_passwd_are_configured
+- ensure_permissions_on_etc_shadow_are_configured
+- ensure_permissions_on_etc_group_are_configured
+- ensure_permissions_on_etc_gshadow_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_shadow_dash_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_gshadow_dash_are_configured
+- ensure_no_world_writable_files_exist
+- ensure_no_unowned_files_or_directories_exist
+- ensure_no_ungrouped_files_or_directories_exist
+- ensure_password_fields_are_not_empty
+- ensure_all_groups_in_etc_passwd_exist_in_etc_group
+- ensure_no_duplicate_uids_exist
+- ensure_no_duplicate_gids_exist
+- ensure_no_duplicate_user_names_exist
+- ensure_no_duplicate_group_names_exist
+- ensure_root_path_integrity
+- ensure_all_users_home_directories_exist
+- ensure_users_own_their_home_directories
+- ensure_users_dot_files_are_not_group_or_world_writable
+- ensure_users_netrc_files_are_not_group_or_world_accessible
+- ensure_no_users_have_forward_files
+- ensure_no_users_have_netrc_files
+- ensure_no_users_have_rhosts_files
+secure_linux_cis::workstation_level_2:
+- ensure_mounting_of_cramfs_filesystems_is_disabled
+- ensure_mounting_of_squashfs_filesystems_is_disabled
+- ensure_mounting_of_udf_filesystems_is_disabled
+- ensure_tmp_is_a_separate_partition
+- ensure_nodev_option_set_on_tmp_partition
+- ensure_noexec_option_set_on_tmp_partition
+- ensure_nosuid_option_set_on_tmp_partition
+- ensure_separate_partition_exists_for_var
+- ensure_nodev_option_set_on_var_partition
+- ensure_noexec_option_set_on_var_partition
+- ensure_nosuid_option_set_on_var_partition
+- ensure_separate_partition_exists_for_var_tmp
+- ensure_noexec_option_set_on_var_tmp_partition
+- ensure_nosuid_option_set_on_var_tmp_partition
+- ensure_nodev_option_set_on_var_tmp_partition
+- ensure_separate_partition_exists_for_var_log
+- ensure_nodev_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_partition
+- ensure_nosuid_option_set_on_var_log_partition
+- ensure_separate_partition_exists_for_var_log_audit
+- ensure_noexec_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_nosuid_option_set_on_var_log_audit_partition
+- ensure_separate_partition_exists_for_home
+- ensure_nodev_option_set_on_home_partition
+- ensure_nosuid_option_set_on_home_partition
+- ensure_usrquota_option_set_on_home_partition
+- ensure_grpquota_option_set_on_home_partition
+- ensure_separate_partition_exists_for_dev_shm
+- ensure_nodev_option_set_on_dev_shm_partition
+- ensure_noexec_option_set_on_dev_shm_partition
+- ensure_nosuid_option_set_on_dev_shm_partition
+- disable_automounting
+- disable_usb_storage
+- ensure_gpgcheck_is_globally_activated
+- ensure_aide_is_installed
+- ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
+- ensure_filesystem_integrity_is_regularly_checked
+- ensure_bootloader_password_is_set
+- ensure_permissions_on_bootloader_config_are_configured
+- ensure_authentication_is_required_when_booting_into_rescue_mode
+- ensure_core_dump_storage_is_disabled
+- ensure_core_dump_backtraces_are_disabled
+- ensure_address_space_layout_randomization_aslr_is_enabled
+- ensure_selinux_is_installed
+- ensure_selinux_policy_is_configured
+- ensure_the_selinux_mode_is_not_disabled
+- ensure_the_selinux_mode_is_enforcing
+- ensure_no_unconfined_services_exist
+- ensure_the_mcs_translation_service_mcstrans_is_not_installed
+- 
ensure_message_of_the_day_is_configured_properly +- ensure_local_login_warning_banner_is_configured_properly +- ensure_remote_login_warning_banner_is_configured_properly +- ensure_permissions_on_etc_motd_are_configured +- ensure_permissions_on_etc_issue_are_configured +- ensure_permissions_on_etc_issue_net_are_configured +- ensure_gnome_display_manager_is_removed +- ensure_gdm_login_banner_is_configured +- ensure_gdm_disable_user_list_option_is_enabled +- ensure_gdm_screen_locks_when_the_user_is_idle +- ensure_last_logged_in_user_display_is_disabled +- ensure_xdmcp_is_not_enabled +- ensure_automatic_mounting_of_removable_media_is_disabled +- ensure_system_wide_crypto_policy_is_not_legacy +- ensure_time_synchronization_is_in_use +- ensure_chrony_is_configured +- ensure_xinetd_is_not_installed +- ensure_avahi_server_is_not_installed +- ensure_cups_is_not_installed +- ensure_dhcp_server_is_not_installed +- ensure_dns_server_is_not_installed +- ensure_ftp_server_is_not_installed +- ensure_vsftp_server_is_not_installed +- ensure_tftp_server_is_not_installed +- ensure_a_web_server_is_not_installed +- ensure_samba_is_not_installed +- ensure_http_proxy_server_is_not_installed +- ensure_net_snmp_is_not_installed +- ensure_nis_server_is_not_installed +- ensure_telnet_server_is_not_installed +- ensure_dnsmasq_is_not_installed +- ensure_mail_transfer_agent_is_configured_for_local_only_mode +- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked +- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked +- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked +- ensure_nis_client_is_not_installed +- ensure_rsh_client_is_not_installed +- ensure_talk_client_is_not_installed +- ensure_telnet_client_is_not_installed +- ensure_ldap_client_is_not_installed +- ensure_tftp_client_is_not_installed +- ensure_sctp_is_disabled +- ensure_dccp_is_disabled +- ensure_wireless_interfaces_are_disabled +- ensure_ip_forwarding_is_disabled +- 
ensure_packet_redirect_sending_is_disabled +- ensure_source_routed_packets_are_not_accepted +- ensure_icmp_redirects_are_not_accepted +- ensure_secure_icmp_redirects_are_not_accepted +- ensure_suspicious_packets_are_logged +- ensure_broadcast_icmp_requests_are_ignored +- ensure_bogus_icmp_responses_are_ignored +- ensure_reverse_path_filtering_is_enabled +- ensure_tcp_syn_cookies_is_enabled +- ensure_iptables_packages_are_installed +- ensure_nftables_is_not_installed_with_iptables +- ensure_firewalld_is_either_not_installed_or_masked_with_iptables +- ensure_iptables_loopback_traffic_is_configured +- ensure_iptables_rules_exist_for_all_open_ports +- ensure_iptables_default_deny_firewall_policy +- ensure_iptables_rules_are_saved +- ensure_iptables_is_enabled_and_active +- ensure_auditd_is_installed +- ensure_auditd_service_is_enabled +- ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled +- ensure_audit_backlog_limit_is_sufficient +- ensure_audit_log_storage_size_is_configured +- ensure_audit_logs_are_not_automatically_deleted +- ensure_system_is_disabled_when_audit_logs_are_full +- ensure_changes_to_system_administration_scope_sudoers_is_collected +- ensure_actions_as_another_user_are_always_logged +- ensure_events_that_modify_the_sudo_log_file_are_collected +- ensure_events_that_modify_date_and_time_information_are_collected +- ensure_events_that_modify_the_systems_network_environment_are_collected +- ensure_use_of_privileged_commands_are_collected +- ensure_unsuccessful_file_access_attempts_are_collected +- ensure_events_that_modify_user_group_information_are_collected +- ensure_discretionary_access_control_permission_modification_events_are_collected +- ensure_successful_file_system_mounts_are_collected +- ensure_session_initiation_information_is_collected +- ensure_login_and_logout_events_are_collected +- ensure_file_deletion_events_by_users_are_collected +- ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected +- 
ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded +- ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded +- ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded +- ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded +- ensure_kernel_module_loading_unloading_and_modification_is_collected +- ensure_the_audit_configuration_is_immutable +- ensure_rsyslog_is_installed +- ensure_rsyslog_service_is_enabled +- ensure_rsyslog_default_file_permissions_are_configured +- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client +- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client +- ensure_journald_service_is_enabled +- ensure_journald_is_configured_to_compress_large_log_files +- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk +- ensure_permissions_on_all_logfiles_are_configured +- ensure_cron_daemon_is_enabled +- ensure_permissions_on_etc_crontab_are_configured +- ensure_permissions_on_etc_cron_hourly_are_configured +- ensure_permissions_on_etc_cron_daily_are_configured +- ensure_permissions_on_etc_cron_weekly_are_configured +- ensure_permissions_on_etc_cron_monthly_are_configured +- ensure_permissions_on_etc_cron_d_are_configured +- ensure_cron_is_restricted_to_authorized_users +- ensure_at_is_restricted_to_authorized_users +- ensure_permissions_on_etc_ssh_sshd_config_are_configured +- ensure_permissions_on_ssh_private_host_key_files_are_configured +- ensure_permissions_on_ssh_public_host_key_files_are_configured +- ensure_ssh_access_is_limited +- ensure_ssh_loglevel_is_appropriate +- ensure_ssh_pam_is_enabled +- ensure_ssh_root_login_is_disabled +- ensure_ssh_hostbasedauthentication_is_disabled +- ensure_ssh_permitemptypasswords_is_disabled +- ensure_ssh_permituserenvironment_is_disabled +- ensure_ssh_ignorerhosts_is_enabled +- ensure_ssh_allowtcpforwarding_is_disabled +- 
ensure_system_wide_crypto_policy_is_not_over_ridden +- ensure_ssh_warning_banner_is_configured +- ensure_ssh_maxstartups_is_configured +- ensure_ssh_logingracetime_is_set_to_one_minute_or_less +- ensure_ssh_idle_timeout_interval_is_configured +- ensure_sudo_is_installed +- ensure_sudo_commands_use_pty +- ensure_sudo_log_file_exists +- ensure_users_must_provide_password_for_escalation +- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally +- ensure_sudo_authentication_timeout_is_configured_correctly +- ensure_access_to_the_su_command_is_restricted +- ensure_authselect_includes_with_faillock +- ensure_password_creation_requirements_are_configured +- ensure_lockout_for_failed_password_attempts_is_configured +- ensure_password_reuse_is_limited +- ensure_all_users_last_password_change_date_is_in_the_past +- ensure_system_accounts_are_secured +- ensure_sticky_bit_is_set_on_all_world_writable_directories +- ensure_permissions_on_etc_passwd_are_configured +- ensure_permissions_on_etc_shadow_are_configured +- ensure_permissions_on_etc_group_are_configured +- ensure_permissions_on_etc_gshadow_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_shadow_dash_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_gshadow_dash_are_configured +- ensure_no_world_writable_files_exist +- ensure_no_unowned_files_or_directories_exist +- ensure_no_ungrouped_files_or_directories_exist +- ensure_password_fields_are_not_empty +- ensure_all_groups_in_etc_passwd_exist_in_etc_group +- ensure_no_duplicate_uids_exist +- ensure_no_duplicate_gids_exist +- ensure_no_duplicate_user_names_exist +- ensure_no_duplicate_group_names_exist +- ensure_root_path_integrity +- ensure_all_users_home_directories_exist +- ensure_users_own_their_home_directories +- ensure_users_dot_files_are_not_group_or_world_writable +- ensure_users_netrc_files_are_not_group_or_world_accessible +- 
ensure_no_users_have_forward_files +- ensure_no_users_have_netrc_files +- ensure_no_users_have_rhosts_files +- ensure_nodev_option_set_on_var_log_audit_partition +- ensure_selinux_is_not_disabled_in_bootloader_configuration +- ensure_vsftp_server_is_not_installed +- ensure_tcp_syn_cookies_is_enabled +- ensure_iptables_is_enabled_and_active +- ensure_successful_file_system_mounts_are_collected +- ensure_journald_is_configured_to_compress_large_log_files +- ensure_ssh_permitemptypasswords_is_disabled +- ensure_password_reuse_is_limited +- ensure_no_duplicate_user_names_exist +- ensure_no_users_have_rhosts_files From c3b19f68bc3fad00ee89653292e30175cfe5cff7 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Wed, 28 Jun 2023 08:45:42 +0200 Subject: [PATCH 05/42] RHEL9 Linux initial rules added --- data/os/RedHat/version/9.yaml | 797 ++++++++++++++++++++++++++++++++++ 1 file changed, 797 insertions(+) create mode 100644 data/os/RedHat/version/9.yaml diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml new file mode 100644 index 00000000..7f503ea0 --- /dev/null +++ b/data/os/RedHat/version/9.yaml 
@@ -0,0 +1,797 @@
+---
+secure_linux_cis::server_level_1:
+- ensure_mounting_of_cramfs_filesystems_is_disabled
+- ensure_tmp_is_a_separate_partition
+- ensure_nodev_option_set_on_tmp_partition
+- ensure_noexec_option_set_on_tmp_partition
+- ensure_nosuid_option_set_on_tmp_partition
+- ensure_separate_partition_exists_for_var
+- ensure_nodev_option_set_on_var_partition
+- ensure_noexec_option_set_on_var_partition
+- ensure_nosuid_option_set_on_var_partition
+- ensure_separate_partition_exists_for_var_tmp
+- ensure_noexec_option_set_on_var_tmp_partition
+- ensure_nosuid_option_set_on_var_tmp_partition
+- ensure_nodev_option_set_on_var_tmp_partition
+- ensure_nodev_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_partition
+- ensure_nosuid_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_nosuid_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_home_partition
+- ensure_nosuid_option_set_on_home_partition
+- ensure_separate_partition_exists_for_dev_shm
+- ensure_nodev_option_set_on_dev_shm_partition
+- ensure_noexec_option_set_on_dev_shm_partition
+- ensure_nosuid_option_set_on_dev_shm_partition
+- disable_automounting
+- disable_usb_storage
+- ensure_gpgcheck_is_globally_activated
+- ensure_aide_is_installed
+- ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
+- ensure_filesystem_integrity_is_regularly_checked
+- ensure_bootloader_password_is_set
+- ensure_permissions_on_bootloader_config_are_configured
+- ensure_authentication_is_required_when_booting_into_rescue_mode
+- ensure_core_dump_storage_is_disabled
+- ensure_core_dump_backtraces_are_disabled
+- ensure_address_space_layout_randomization_aslr_is_enabled
+- ensure_selinux_is_installed
+- ensure_selinux_is_not_disabled_in_bootloader_configuration
+- ensure_selinux_policy_is_configured
+- ensure_the_selinux_mode_is_not_disabled
+- ensure_no_unconfined_services_exist
+- ensure_setroubleshoot_is_not_installed
+- ensure_the_mcs_translation_service_mcstrans_is_not_installed
+- ensure_message_of_the_day_is_configured_properly
+- ensure_local_login_warning_banner_is_configured_properly
+- ensure_remote_login_warning_banner_is_configured_properly
+- ensure_permissions_on_etc_motd_are_configured
+- ensure_permissions_on_etc_issue_are_configured
+- ensure_permissions_on_etc_issue_net_are_configured
+- ensure_gdm_login_banner_is_configured
+- ensure_gdm_disable_user_list_option_is_enabled
+- ensure_gdm_screen_locks_when_the_user_is_idle
+- ensure_last_logged_in_user_display_is_disabled
+- ensure_xdmcp_is_not_enabled
+- ensure_automatic_mounting_of_removable_media_is_disabled
+- ensure_system_wide_crypto_policy_is_not_legacy
+- ensure_time_synchronization_is_in_use
+- ensure_chrony_is_configured
+- ensure_xinetd_is_not_installed
+- ensure_avahi_server_is_not_installed
+- ensure_cups_is_not_installed
+- ensure_dhcp_server_is_not_installed
+- ensure_dns_server_is_not_installed
+- ensure_ftp_server_is_not_installed
+- ensure_vsftp_server_is_not_installed
+- ensure_tftp_server_is_not_installed
+- ensure_a_web_server_is_not_installed
+- ensure_samba_is_not_installed
+- ensure_http_proxy_server_is_not_installed
+- ensure_net_snmp_is_not_installed
+- ensure_nis_server_is_not_installed
+- ensure_telnet_server_is_not_installed
+- ensure_dnsmasq_is_not_installed
+- ensure_mail_transfer_agent_is_configured_for_local_only_mode
+- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked
+- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked
+- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
+- ensure_nis_client_is_not_installed
+- ensure_rsh_client_is_not_installed
+- ensure_talk_client_is_not_installed
+- ensure_telnet_client_is_not_installed
+- ensure_ldap_client_is_not_installed
+- ensure_tftp_client_is_not_installed
+- ensure_wireless_interfaces_are_disabled
+- ensure_ip_forwarding_is_disabled
+- ensure_packet_redirect_sending_is_disabled
+- ensure_source_routed_packets_are_not_accepted
+- ensure_icmp_redirects_are_not_accepted
+- ensure_secure_icmp_redirects_are_not_accepted
+- ensure_suspicious_packets_are_logged
+- ensure_broadcast_icmp_requests_are_ignored
+- ensure_bogus_icmp_responses_are_ignored
+- ensure_reverse_path_filtering_is_enabled
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_packages_are_installed
+- ensure_nftables_is_not_installed_with_iptables
+- ensure_firewalld_is_either_not_installed_or_masked_with_iptables
+- ensure_iptables_loopback_traffic_is_configured
+- ensure_iptables_rules_exist_for_all_open_ports
+- ensure_iptables_default_deny_firewall_policy
+- ensure_iptables_rules_are_saved
+- ensure_iptables_is_enabled_and_active
+- ensure_rsyslog_is_installed
+- ensure_rsyslog_service_is_enabled
+- ensure_rsyslog_default_file_permissions_are_configured
+- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_service_is_enabled
+- ensure_journald_is_configured_to_compress_large_log_files
+- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
+- ensure_permissions_on_all_logfiles_are_configured
+- ensure_cron_daemon_is_enabled
+- ensure_permissions_on_etc_crontab_are_configured
+- ensure_permissions_on_etc_cron_hourly_are_configured
+- ensure_permissions_on_etc_cron_daily_are_configured
+- ensure_permissions_on_etc_cron_weekly_are_configured
+- ensure_permissions_on_etc_cron_monthly_are_configured
+- ensure_permissions_on_etc_cron_d_are_configured
+- ensure_cron_is_restricted_to_authorized_users
+- ensure_at_is_restricted_to_authorized_users
+- ensure_permissions_on_etc_ssh_sshd_config_are_configured
+- ensure_permissions_on_ssh_private_host_key_files_are_configured
+- ensure_permissions_on_ssh_public_host_key_files_are_configured
+- ensure_ssh_access_is_limited
+- ensure_ssh_loglevel_is_appropriate
+- ensure_ssh_pam_is_enabled
+- ensure_ssh_root_login_is_disabled
+- ensure_ssh_hostbasedauthentication_is_disabled
+- ensure_ssh_permitemptypasswords_is_disabled
+- ensure_ssh_permituserenvironment_is_disabled
+- ensure_ssh_ignorerhosts_is_enabled
+- ensure_system_wide_crypto_policy_is_not_over_ridden
+- ensure_ssh_warning_banner_is_configured
+- ensure_ssh_maxstartups_is_configured
+- ensure_ssh_logingracetime_is_set_to_one_minute_or_less
+- ensure_ssh_idle_timeout_interval_is_configured
+- ensure_sudo_is_installed
+- ensure_sudo_commands_use_pty
+- ensure_sudo_log_file_exists
+- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally
+- ensure_sudo_authentication_timeout_is_configured_correctly
+- ensure_access_to_the_su_command_is_restricted
+- ensure_authselect_includes_with_faillock
+- ensure_password_creation_requirements_are_configured
+- ensure_lockout_for_failed_password_attempts_is_configured
+- ensure_password_reuse_is_limited
+- ensure_all_users_last_password_change_date_is_in_the_past
+- ensure_system_accounts_are_secured
+- ensure_sticky_bit_is_set_on_all_world_writable_directories
+- ensure_permissions_on_etc_passwd_are_configured
+- ensure_permissions_on_etc_shadow_are_configured
+- ensure_permissions_on_etc_group_are_configured
+- ensure_permissions_on_etc_gshadow_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_shadow_dash_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_gshadow_dash_are_configured
+- ensure_no_world_writable_files_exist
+- ensure_no_unowned_files_or_directories_exist
+- ensure_no_ungrouped_files_or_directories_exist
+- ensure_password_fields_are_not_empty
+- ensure_all_groups_in_etc_passwd_exist_in_etc_group
+- ensure_no_duplicate_uids_exist
+- ensure_no_duplicate_gids_exist
+- ensure_no_duplicate_user_names_exist
+- ensure_no_duplicate_group_names_exist
+- ensure_root_path_integrity
+- ensure_all_users_home_directories_exist
+- ensure_users_own_their_home_directories
+- ensure_users_dot_files_are_not_group_or_world_writable
+- ensure_users_netrc_files_are_not_group_or_world_accessible
+- ensure_no_users_have_forward_files
+- ensure_no_users_have_netrc_files
+- ensure_no_users_have_rhosts_files
+secure_linux_cis::server_level_2:
+- ensure_mounting_of_cramfs_filesystems_is_disabled
+- ensure_mounting_of_squashfs_filesystems_is_disabled
+- ensure_mounting_of_udf_filesystems_is_disabled
+- ensure_tmp_is_a_separate_partition
+- ensure_nodev_option_set_on_tmp_partition
+- ensure_noexec_option_set_on_tmp_partition
+- ensure_nosuid_option_set_on_tmp_partition
+- ensure_separate_partition_exists_for_var
+- ensure_nodev_option_set_on_var_partition
+- ensure_noexec_option_set_on_var_partition
+- ensure_nosuid_option_set_on_var_partition
+- ensure_separate_partition_exists_for_var_tmp
+- ensure_noexec_option_set_on_var_tmp_partition
+- ensure_nosuid_option_set_on_var_tmp_partition
+- ensure_nodev_option_set_on_var_tmp_partition
+- ensure_separate_partition_exists_for_var_log
+- ensure_nodev_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_partition
+- ensure_nosuid_option_set_on_var_log_partition
+- ensure_separate_partition_exists_for_var_log_audit
+- ensure_noexec_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_nosuid_option_set_on_var_log_audit_partition
+- ensure_separate_partition_exists_for_home
+- ensure_nodev_option_set_on_home_partition
+- ensure_nosuid_option_set_on_home_partition
+- ensure_usrquota_option_set_on_home_partition
+- ensure_grpquota_option_set_on_home_partition
+- ensure_separate_partition_exists_for_dev_shm
+- ensure_nodev_option_set_on_dev_shm_partition
+- ensure_noexec_option_set_on_dev_shm_partition
+- ensure_nosuid_option_set_on_dev_shm_partition
+- disable_automounting
+- ensure_gpgcheck_is_globally_activated
+- ensure_aide_is_installed
+- ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
+- ensure_filesystem_integrity_is_regularly_checked
+- ensure_bootloader_password_is_set
+- ensure_permissions_on_bootloader_config_are_configured
+- ensure_authentication_is_required_when_booting_into_rescue_mode
+- ensure_core_dump_storage_is_disabled
+- ensure_core_dump_backtraces_are_disabled
+- ensure_address_space_layout_randomization_aslr_is_enabled
+- ensure_selinux_is_installed
+- ensure_selinux_is_not_disabled_in_bootloader_configuration
+- ensure_selinux_policy_is_configured
+- ensure_the_selinux_mode_is_not_disabled
+- ensure_the_selinux_mode_is_enforcing
+- ensure_no_unconfined_services_exist
+- ensure_setroubleshoot_is_not_installed
+- ensure_the_mcs_translation_service_mcstrans_is_not_installed
+- ensure_message_of_the_day_is_configured_properly
+- ensure_local_login_warning_banner_is_configured_properly
+- ensure_remote_login_warning_banner_is_configured_properly
+- ensure_permissions_on_etc_motd_are_configured
+- ensure_permissions_on_etc_issue_are_configured
+- ensure_permissions_on_etc_issue_net_are_configured
+- ensure_gdm_login_banner_is_configured
+- ensure_gdm_disable_user_list_option_is_enabled
+- ensure_gdm_screen_locks_when_the_user_is_idle
+- ensure_last_logged_in_user_display_is_disabled
+- ensure_xdmcp_is_not_enabled
+- ensure_automatic_mounting_of_removable_media_is_disabled
+- ensure_system_wide_crypto_policy_is_not_legacy
+- ensure_time_synchronization_is_in_use
+- ensure_chrony_is_configured
+- ensure_xorg_x11_server_common_is_not_installed
+- ensure_xinetd_is_not_installed
+- ensure_avahi_server_is_not_installed
+- ensure_cups_is_not_installed
+- ensure_dhcp_server_is_not_installed
+- ensure_dns_server_is_not_installed
+- ensure_ftp_server_is_not_installed
+- ensure_vsftp_server_is_not_installed
+- ensure_tftp_server_is_not_installed
+- ensure_a_web_server_is_not_installed
+- ensure_samba_is_not_installed
+- ensure_http_proxy_server_is_not_installed
+- ensure_net_snmp_is_not_installed
+- ensure_nis_server_is_not_installed
+- ensure_telnet_server_is_not_installed
+- ensure_dnsmasq_is_not_installed
+- ensure_mail_transfer_agent_is_configured_for_local_only_mode
+- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked
+- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked
+- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
+- ensure_nis_client_is_not_installed
+- ensure_rsh_client_is_not_installed
+- ensure_talk_client_is_not_installed
+- ensure_telnet_client_is_not_installed
+- ensure_ldap_client_is_not_installed
+- ensure_tftp_client_is_not_installed
+- ensure_sctp_is_disabled
+- ensure_dccp_is_disabled
+- ensure_wireless_interfaces_are_disabled
+- ensure_ip_forwarding_is_disabled
+- ensure_packet_redirect_sending_is_disabled
+- ensure_source_routed_packets_are_not_accepted
+- ensure_icmp_redirects_are_not_accepted
+- ensure_secure_icmp_redirects_are_not_accepted
+- ensure_suspicious_packets_are_logged
+- ensure_broadcast_icmp_requests_are_ignored
+- ensure_bogus_icmp_responses_are_ignored
+- ensure_reverse_path_filtering_is_enabled
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_packages_are_installed
+- ensure_nftables_is_not_installed_with_iptables
+- ensure_firewalld_is_either_not_installed_or_masked_with_iptables
+- ensure_iptables_loopback_traffic_is_configured
+- ensure_iptables_rules_exist_for_all_open_ports
+- ensure_iptables_default_deny_firewall_policy
+- ensure_iptables_rules_are_saved
+- ensure_iptables_is_enabled_and_active
+- ensure_auditd_is_installed
+- ensure_auditd_service_is_enabled
+- ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled
+- ensure_audit_backlog_limit_is_sufficient
+- ensure_audit_log_storage_size_is_configured
+- ensure_audit_logs_are_not_automatically_deleted
+- ensure_system_is_disabled_when_audit_logs_are_full
+- ensure_changes_to_system_administration_scope_sudoers_is_collected
+- ensure_actions_as_another_user_are_always_logged
+- ensure_events_that_modify_the_sudo_log_file_are_collected
+- ensure_events_that_modify_date_and_time_information_are_collected
+- ensure_events_that_modify_the_systems_network_environment_are_collected
+- ensure_use_of_privileged_commands_are_collected
+- ensure_unsuccessful_file_access_attempts_are_collected
+- ensure_events_that_modify_user_group_information_are_collected
+- ensure_discretionary_access_control_permission_modification_events_are_collected
+- ensure_successful_file_system_mounts_are_collected
+- ensure_session_initiation_information_is_collected
+- ensure_login_and_logout_events_are_collected
+- ensure_file_deletion_events_by_users_are_collected
+- ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected
+- ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded
+- ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded
+- ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded
+- ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded
+- ensure_kernel_module_loading_unloading_and_modification_is_collected
+- ensure_the_audit_configuration_is_immutable
+- ensure_rsyslog_is_installed
+- ensure_rsyslog_service_is_enabled
+- ensure_rsyslog_default_file_permissions_are_configured
+- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client
+- ensure_journald_service_is_enabled
+- ensure_journald_is_configured_to_compress_large_log_files
+- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk
+- ensure_permissions_on_all_logfiles_are_configured
+- ensure_cron_daemon_is_enabled
+- ensure_permissions_on_etc_crontab_are_configured
+- ensure_permissions_on_etc_cron_hourly_are_configured
+- ensure_permissions_on_etc_cron_daily_are_configured
+- ensure_permissions_on_etc_cron_weekly_are_configured
+- ensure_permissions_on_etc_cron_monthly_are_configured
+- ensure_permissions_on_etc_cron_d_are_configured
+- ensure_cron_is_restricted_to_authorized_users
+- ensure_at_is_restricted_to_authorized_users
+- ensure_permissions_on_etc_ssh_sshd_config_are_configured
+- ensure_permissions_on_ssh_private_host_key_files_are_configured
+- ensure_permissions_on_ssh_public_host_key_files_are_configured
+- ensure_ssh_access_is_limited
+- ensure_ssh_loglevel_is_appropriate
+- ensure_ssh_pam_is_enabled
+- ensure_ssh_root_login_is_disabled
+- ensure_ssh_hostbasedauthentication_is_disabled
+- ensure_ssh_permitemptypasswords_is_disabled
+- ensure_ssh_permituserenvironment_is_disabled
+- ensure_ssh_ignorerhosts_is_enabled
+- ensure_ssh_allowtcpforwarding_is_disabled
+- ensure_system_wide_crypto_policy_is_not_over_ridden
+- ensure_ssh_warning_banner_is_configured
+- ensure_ssh_maxstartups_is_configured
+- ensure_ssh_logingracetime_is_set_to_one_minute_or_less
+- ensure_ssh_idle_timeout_interval_is_configured
+- ensure_sudo_is_installed
+- ensure_sudo_commands_use_pty
+- ensure_sudo_log_file_exists
+- ensure_users_must_provide_password_for_escalation
+- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally
+- ensure_sudo_authentication_timeout_is_configured_correctly
+- ensure_access_to_the_su_command_is_restricted
+- ensure_authselect_includes_with_faillock
+- ensure_password_creation_requirements_are_configured
+- ensure_lockout_for_failed_password_attempts_is_configured
+- ensure_password_reuse_is_limited
+- ensure_all_users_last_password_change_date_is_in_the_past
+- ensure_system_accounts_are_secured
+- ensure_sticky_bit_is_set_on_all_world_writable_directories
+- ensure_permissions_on_etc_passwd_are_configured
+- ensure_permissions_on_etc_shadow_are_configured
+- ensure_permissions_on_etc_group_are_configured
+- ensure_permissions_on_etc_gshadow_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_shadow_dash_are_configured
+- ensure_permissions_on_etc_passwd_dash_are_configured
+- ensure_permissions_on_etc_gshadow_dash_are_configured
+- ensure_no_world_writable_files_exist
+- ensure_no_unowned_files_or_directories_exist
+- ensure_no_ungrouped_files_or_directories_exist
+- ensure_password_fields_are_not_empty
+- ensure_all_groups_in_etc_passwd_exist_in_etc_group
+- ensure_no_duplicate_uids_exist
+- ensure_no_duplicate_gids_exist
+- ensure_no_duplicate_user_names_exist
+- ensure_no_duplicate_group_names_exist
+- ensure_root_path_integrity
+- ensure_all_users_home_directories_exist
+- ensure_users_own_their_home_directories
+- ensure_users_dot_files_are_not_group_or_world_writable
+- ensure_users_netrc_files_are_not_group_or_world_accessible
+- ensure_no_users_have_forward_files
+- ensure_no_users_have_netrc_files
+- ensure_no_users_have_rhosts_files
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_vsftp_server_is_not_installed
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_is_enabled_and_active
+- ensure_successful_file_system_mounts_are_collected
+- ensure_journald_is_configured_to_compress_large_log_files
+- ensure_ssh_permitemptypasswords_is_disabled
+- ensure_password_reuse_is_limited
+- ensure_no_duplicate_user_names_exist
+- ensure_no_users_have_rhosts_files
+secure_linux_cis::workstation_level_1:
+- ensure_mounting_of_cramfs_filesystems_is_disabled
+- ensure_tmp_is_a_separate_partition
+- ensure_nodev_option_set_on_tmp_partition
+- ensure_noexec_option_set_on_tmp_partition
+- ensure_nosuid_option_set_on_tmp_partition
+- ensure_separate_partition_exists_for_var
+- ensure_nodev_option_set_on_var_partition
+- ensure_noexec_option_set_on_var_partition
+- ensure_separate_partition_exists_for_var_tmp
+- ensure_noexec_option_set_on_var_tmp_partition
+- ensure_nosuid_option_set_on_var_tmp_partition
+- ensure_nodev_option_set_on_var_tmp_partition
+- ensure_nosuid_option_set_on_var_partition
+- ensure_nodev_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_partition
+- ensure_nosuid_option_set_on_var_log_partition
+- ensure_noexec_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_nosuid_option_set_on_var_log_audit_partition
+- ensure_nodev_option_set_on_home_partition
+- ensure_nosuid_option_set_on_home_partition
+- ensure_separate_partition_exists_for_dev_shm
+- ensure_nodev_option_set_on_dev_shm_partition
+- ensure_noexec_option_set_on_dev_shm_partition
+- ensure_nosuid_option_set_on_dev_shm_partition
+- disable_usb_storage
+- ensure_gpgcheck_is_globally_activated
+- ensure_aide_is_installed
+- ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
+- ensure_filesystem_integrity_is_regularly_checked
+- ensure_bootloader_password_is_set
+- ensure_permissions_on_bootloader_config_are_configured
+- ensure_authentication_is_required_when_booting_into_rescue_mode
+- ensure_core_dump_storage_is_disabled
+- ensure_core_dump_backtraces_are_disabled
+- ensure_address_space_layout_randomization_aslr_is_enabled
+- ensure_selinux_is_installed
+- ensure_selinux_is_not_disabled_in_bootloader_configuration
+- ensure_selinux_policy_is_configured
+- ensure_the_selinux_mode_is_not_disabled
+- ensure_no_unconfined_services_exist
+- ensure_the_mcs_translation_service_mcstrans_is_not_installed
+- ensure_message_of_the_day_is_configured_properly
+- ensure_local_login_warning_banner_is_configured_properly
+- ensure_remote_login_warning_banner_is_configured_properly
+- ensure_permissions_on_etc_motd_are_configured
+- ensure_permissions_on_etc_issue_are_configured
+- ensure_permissions_on_etc_issue_net_are_configured
+- ensure_gdm_login_banner_is_configured
+- ensure_gdm_disable_user_list_option_is_enabled
+- ensure_gdm_screen_locks_when_the_user_is_idle
+- ensure_last_logged_in_user_display_is_disabled
+- ensure_xdmcp_is_not_enabled
+- ensure_system_wide_crypto_policy_is_not_legacy
+- ensure_time_synchronization_is_in_use
+- ensure_chrony_is_configured
+- ensure_xinetd_is_not_installed
+- ensure_dhcp_server_is_not_installed
+- ensure_dns_server_is_not_installed
+- ensure_ftp_server_is_not_installed
+- ensure_vsftp_server_is_not_installed
+- ensure_tftp_server_is_not_installed
+- ensure_a_web_server_is_not_installed
+- ensure_samba_is_not_installed
+- ensure_http_proxy_server_is_not_installed
+- ensure_net_snmp_is_not_installed
+- ensure_nis_server_is_not_installed
+- ensure_telnet_server_is_not_installed
+- ensure_dnsmasq_is_not_installed
+- ensure_mail_transfer_agent_is_configured_for_local_only_mode
+- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked
+- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked
+- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked
+- ensure_nis_client_is_not_installed
+- ensure_rsh_client_is_not_installed
+- ensure_talk_client_is_not_installed
+- ensure_telnet_client_is_not_installed
+- ensure_ldap_client_is_not_installed
+- ensure_tftp_client_is_not_installed
+- ensure_ip_forwarding_is_disabled
+- ensure_packet_redirect_sending_is_disabled
+- ensure_source_routed_packets_are_not_accepted
+- ensure_icmp_redirects_are_not_accepted
+- ensure_secure_icmp_redirects_are_not_accepted
+- ensure_suspicious_packets_are_logged
+- ensure_broadcast_icmp_requests_are_ignored
+- ensure_bogus_icmp_responses_are_ignored
+- ensure_reverse_path_filtering_is_enabled
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_packages_are_installed
+- ensure_nftables_is_not_installed_with_iptables
+- ensure_firewalld_is_either_not_installed_or_masked_with_iptables
+- ensure_iptables_loopback_traffic_is_configured
+- ensure_iptables_rules_exist_for_all_open_ports
+- ensure_iptables_default_deny_firewall_policy
+- ensure_iptables_rules_are_saved
+- 
ensure_iptables_is_enabled_and_active +- ensure_rsyslog_is_installed +- ensure_rsyslog_service_is_enabled +- ensure_rsyslog_default_file_permissions_are_configured +- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client +- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client +- ensure_journald_service_is_enabled +- ensure_journald_is_configured_to_compress_large_log_files +- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk +- ensure_permissions_on_all_logfiles_are_configured +- ensure_cron_daemon_is_enabled +- ensure_permissions_on_etc_crontab_are_configured +- ensure_permissions_on_etc_cron_hourly_are_configured +- ensure_permissions_on_etc_cron_daily_are_configured +- ensure_permissions_on_etc_cron_weekly_are_configured +- ensure_permissions_on_etc_cron_monthly_are_configured +- ensure_permissions_on_etc_cron_d_are_configured +- ensure_cron_is_restricted_to_authorized_users +- ensure_at_is_restricted_to_authorized_users +- ensure_permissions_on_etc_ssh_sshd_config_are_configured +- ensure_permissions_on_ssh_private_host_key_files_are_configured +- ensure_permissions_on_ssh_public_host_key_files_are_configured +- ensure_ssh_access_is_limited +- ensure_ssh_loglevel_is_appropriate +- ensure_ssh_pam_is_enabled +- ensure_ssh_root_login_is_disabled +- ensure_ssh_hostbasedauthentication_is_disabled +- ensure_ssh_permitemptypasswords_is_disabled +- ensure_ssh_permituserenvironment_is_disabled +- ensure_ssh_ignorerhosts_is_enabled +- ensure_system_wide_crypto_policy_is_not_over_ridden +- ensure_ssh_warning_banner_is_configured +- ensure_ssh_maxstartups_is_configured +- ensure_ssh_logingracetime_is_set_to_one_minute_or_less +- ensure_ssh_idle_timeout_interval_is_configured +- ensure_sudo_is_installed +- ensure_sudo_commands_use_pty +- ensure_sudo_log_file_exists +- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally +- ensure_sudo_authentication_timeout_is_configured_correctly +- 
ensure_access_to_the_su_command_is_restricted +- ensure_authselect_includes_with_faillock +- ensure_password_creation_requirements_are_configured +- ensure_lockout_for_failed_password_attempts_is_configured +- ensure_password_reuse_is_limited +- ensure_all_users_last_password_change_date_is_in_the_past +- ensure_system_accounts_are_secured +- ensure_sticky_bit_is_set_on_all_world_writable_directories +- ensure_permissions_on_etc_passwd_are_configured +- ensure_permissions_on_etc_shadow_are_configured +- ensure_permissions_on_etc_group_are_configured +- ensure_permissions_on_etc_gshadow_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_shadow_dash_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_gshadow_dash_are_configured +- ensure_no_world_writable_files_exist +- ensure_no_unowned_files_or_directories_exist +- ensure_no_ungrouped_files_or_directories_exist +- ensure_password_fields_are_not_empty +- ensure_all_groups_in_etc_passwd_exist_in_etc_group +- ensure_no_duplicate_uids_exist +- ensure_no_duplicate_gids_exist +- ensure_no_duplicate_user_names_exist +- ensure_no_duplicate_group_names_exist +- ensure_root_path_integrity +- ensure_all_users_home_directories_exist +- ensure_users_own_their_home_directories +- ensure_users_dot_files_are_not_group_or_world_writable +- ensure_users_netrc_files_are_not_group_or_world_accessible +- ensure_no_users_have_forward_files +- ensure_no_users_have_netrc_files +- ensure_no_users_have_rhosts_files +secure_linux_cis::workstation_level_2: +- ensure_mounting_of_cramfs_filesystems_is_disabled +- ensure_mounting_of_squashfs_filesystems_is_disabled +- ensure_mounting_of_udf_filesystems_is_disabled +- ensure_tmp_is_a_separate_partition +- ensure_nodev_option_set_on_tmp_partition +- ensure_noexec_option_set_on_tmp_partition +- ensure_nosuid_option_set_on_tmp_partition +- ensure_separate_partition_exists_for_var +- 
ensure_nodev_option_set_on_var_partition +- ensure_noexec_option_set_on_var_partition +- ensure_nosuid_option_set_on_var_partition +- ensure_separate_partition_exists_for_var_tmp +- ensure_noexec_option_set_on_var_tmp_partition +- ensure_nosuid_option_set_on_var_tmp_partition +- ensure_nodev_option_set_on_var_tmp_partition +- ensure_separate_partition_exists_for_var_log +- ensure_nodev_option_set_on_var_log_partition +- ensure_noexec_option_set_on_var_log_partition +- ensure_nosuid_option_set_on_var_log_partition +- ensure_separate_partition_exists_for_var_log_audit +- ensure_noexec_option_set_on_var_log_audit_partition +- ensure_nodev_option_set_on_var_log_audit_partition +- ensure_nosuid_option_set_on_var_log_audit_partition +- ensure_separate_partition_exists_for_home +- ensure_nodev_option_set_on_home_partition +- ensure_nosuid_option_set_on_home_partition +- ensure_usrquota_option_set_on_home_partition +- ensure_grpquota_option_set_on_home_partition +- ensure_separate_partition_exists_for_dev_shm +- ensure_nodev_option_set_on_dev_shm_partition +- ensure_noexec_option_set_on_dev_shm_partition +- ensure_nosuid_option_set_on_dev_shm_partition +- disable_automounting +- disable_usb_storage +- ensure_gpgcheck_is_globally_activated +- ensure_aide_is_installed +- ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools +- ensure_filesystem_integrity_is_regularly_checked +- ensure_bootloader_password_is_set +- ensure_permissions_on_bootloader_config_are_configured +- ensure_authentication_is_required_when_booting_into_rescue_mode +- ensure_core_dump_storage_is_disabled +- ensure_core_dump_backtraces_are_disabled +- ensure_address_space_layout_randomization_aslr_is_enabled +- ensure_selinux_is_installed +- ensure_selinux_policy_is_configured +- ensure_the_selinux_mode_is_not_disabled +- ensure_the_selinux_mode_is_enforcing +- ensure_no_unconfined_services_exist +- ensure_the_mcs_translation_service_mcstrans_is_not_installed +- 
ensure_message_of_the_day_is_configured_properly +- ensure_local_login_warning_banner_is_configured_properly +- ensure_remote_login_warning_banner_is_configured_properly +- ensure_permissions_on_etc_motd_are_configured +- ensure_permissions_on_etc_issue_are_configured +- ensure_permissions_on_etc_issue_net_are_configured +- ensure_gnome_display_manager_is_removed +- ensure_gdm_login_banner_is_configured +- ensure_gdm_disable_user_list_option_is_enabled +- ensure_gdm_screen_locks_when_the_user_is_idle +- ensure_last_logged_in_user_display_is_disabled +- ensure_xdmcp_is_not_enabled +- ensure_automatic_mounting_of_removable_media_is_disabled +- ensure_system_wide_crypto_policy_is_not_legacy +- ensure_time_synchronization_is_in_use +- ensure_chrony_is_configured +- ensure_xinetd_is_not_installed +- ensure_avahi_server_is_not_installed +- ensure_cups_is_not_installed +- ensure_dhcp_server_is_not_installed +- ensure_dns_server_is_not_installed +- ensure_ftp_server_is_not_installed +- ensure_vsftp_server_is_not_installed +- ensure_tftp_server_is_not_installed +- ensure_a_web_server_is_not_installed +- ensure_samba_is_not_installed +- ensure_http_proxy_server_is_not_installed +- ensure_net_snmp_is_not_installed +- ensure_nis_server_is_not_installed +- ensure_telnet_server_is_not_installed +- ensure_dnsmasq_is_not_installed +- ensure_mail_transfer_agent_is_configured_for_local_only_mode +- ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked +- ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked +- ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked +- ensure_nis_client_is_not_installed +- ensure_rsh_client_is_not_installed +- ensure_talk_client_is_not_installed +- ensure_telnet_client_is_not_installed +- ensure_ldap_client_is_not_installed +- ensure_tftp_client_is_not_installed +- ensure_sctp_is_disabled +- ensure_dccp_is_disabled +- ensure_wireless_interfaces_are_disabled +- ensure_ip_forwarding_is_disabled +- 
ensure_packet_redirect_sending_is_disabled +- ensure_source_routed_packets_are_not_accepted +- ensure_icmp_redirects_are_not_accepted +- ensure_secure_icmp_redirects_are_not_accepted +- ensure_suspicious_packets_are_logged +- ensure_broadcast_icmp_requests_are_ignored +- ensure_bogus_icmp_responses_are_ignored +- ensure_reverse_path_filtering_is_enabled +- ensure_tcp_syn_cookies_is_enabled +- ensure_iptables_packages_are_installed +- ensure_nftables_is_not_installed_with_iptables +- ensure_firewalld_is_either_not_installed_or_masked_with_iptables +- ensure_iptables_loopback_traffic_is_configured +- ensure_iptables_rules_exist_for_all_open_ports +- ensure_iptables_default_deny_firewall_policy +- ensure_iptables_rules_are_saved +- ensure_iptables_is_enabled_and_active +- ensure_auditd_is_installed +- ensure_auditd_service_is_enabled +- ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled +- ensure_audit_backlog_limit_is_sufficient +- ensure_audit_log_storage_size_is_configured +- ensure_audit_logs_are_not_automatically_deleted +- ensure_system_is_disabled_when_audit_logs_are_full +- ensure_changes_to_system_administration_scope_sudoers_is_collected +- ensure_actions_as_another_user_are_always_logged +- ensure_events_that_modify_the_sudo_log_file_are_collected +- ensure_events_that_modify_date_and_time_information_are_collected +- ensure_events_that_modify_the_systems_network_environment_are_collected +- ensure_use_of_privileged_commands_are_collected +- ensure_unsuccessful_file_access_attempts_are_collected +- ensure_events_that_modify_user_group_information_are_collected +- ensure_discretionary_access_control_permission_modification_events_are_collected +- ensure_successful_file_system_mounts_are_collected +- ensure_session_initiation_information_is_collected +- ensure_login_and_logout_events_are_collected +- ensure_file_deletion_events_by_users_are_collected +- ensure_events_that_modify_the_systems_mandatory_access_controls_are_collected +- 
ensure_successful_and_unsuccessful_attempts_to_use_the_chcon_command_are_recorded +- ensure_successful_and_unsuccessful_attempts_to_use_the_setfacl_command_are_recorded +- ensure_successful_and_unsuccessful_attempts_to_use_the_chacl_command_are_recorded +- ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded +- ensure_kernel_module_loading_unloading_and_modification_is_collected +- ensure_the_audit_configuration_is_immutable +- ensure_rsyslog_is_installed +- ensure_rsyslog_service_is_enabled +- ensure_rsyslog_default_file_permissions_are_configured +- ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client +- ensure_journald_is_not_configured_to_recieve_logs_from_a_remote_client +- ensure_journald_service_is_enabled +- ensure_journald_is_configured_to_compress_large_log_files +- ensure_journald_is_configured_to_write_logfiles_to_persistent_disk +- ensure_permissions_on_all_logfiles_are_configured +- ensure_cron_daemon_is_enabled +- ensure_permissions_on_etc_crontab_are_configured +- ensure_permissions_on_etc_cron_hourly_are_configured +- ensure_permissions_on_etc_cron_daily_are_configured +- ensure_permissions_on_etc_cron_weekly_are_configured +- ensure_permissions_on_etc_cron_monthly_are_configured +- ensure_permissions_on_etc_cron_d_are_configured +- ensure_cron_is_restricted_to_authorized_users +- ensure_at_is_restricted_to_authorized_users +- ensure_permissions_on_etc_ssh_sshd_config_are_configured +- ensure_permissions_on_ssh_private_host_key_files_are_configured +- ensure_permissions_on_ssh_public_host_key_files_are_configured +- ensure_ssh_access_is_limited +- ensure_ssh_loglevel_is_appropriate +- ensure_ssh_pam_is_enabled +- ensure_ssh_root_login_is_disabled +- ensure_ssh_hostbasedauthentication_is_disabled +- ensure_ssh_permitemptypasswords_is_disabled +- ensure_ssh_permituserenvironment_is_disabled +- ensure_ssh_ignorerhosts_is_enabled +- ensure_ssh_allowtcpforwarding_is_disabled +- 
ensure_system_wide_crypto_policy_is_not_over_ridden +- ensure_ssh_warning_banner_is_configured +- ensure_ssh_maxstartups_is_configured +- ensure_ssh_logingracetime_is_set_to_one_minute_or_less +- ensure_ssh_idle_timeout_interval_is_configured +- ensure_sudo_is_installed +- ensure_sudo_commands_use_pty +- ensure_sudo_log_file_exists +- ensure_users_must_provide_password_for_escalation +- ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally +- ensure_sudo_authentication_timeout_is_configured_correctly +- ensure_access_to_the_su_command_is_restricted +- ensure_authselect_includes_with_faillock +- ensure_password_creation_requirements_are_configured +- ensure_lockout_for_failed_password_attempts_is_configured +- ensure_password_reuse_is_limited +- ensure_all_users_last_password_change_date_is_in_the_past +- ensure_system_accounts_are_secured +- ensure_sticky_bit_is_set_on_all_world_writable_directories +- ensure_permissions_on_etc_passwd_are_configured +- ensure_permissions_on_etc_shadow_are_configured +- ensure_permissions_on_etc_group_are_configured +- ensure_permissions_on_etc_gshadow_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_shadow_dash_are_configured +- ensure_permissions_on_etc_passwd_dash_are_configured +- ensure_permissions_on_etc_gshadow_dash_are_configured +- ensure_no_world_writable_files_exist +- ensure_no_unowned_files_or_directories_exist +- ensure_no_ungrouped_files_or_directories_exist +- ensure_password_fields_are_not_empty +- ensure_all_groups_in_etc_passwd_exist_in_etc_group +- ensure_no_duplicate_uids_exist +- ensure_no_duplicate_gids_exist +- ensure_no_duplicate_user_names_exist +- ensure_no_duplicate_group_names_exist +- ensure_root_path_integrity +- ensure_all_users_home_directories_exist +- ensure_users_own_their_home_directories +- ensure_users_dot_files_are_not_group_or_world_writable +- ensure_users_netrc_files_are_not_group_or_world_accessible +- 
ensure_no_users_have_forward_files
+- ensure_no_users_have_netrc_files
+- ensure_no_users_have_rhosts_files
+- ensure_nodev_option_set_on_var_log_audit_partition
+- ensure_selinux_is_not_disabled_in_bootloader_configuration
+- ensure_vsftp_server_is_not_installed
+- ensure_tcp_syn_cookies_is_enabled
+- ensure_iptables_is_enabled_and_active
+- ensure_successful_file_system_mounts_are_collected
+- ensure_journald_is_configured_to_compress_large_log_files
+- ensure_ssh_permitemptypasswords_is_disabled
+- ensure_password_reuse_is_limited
+- ensure_no_duplicate_user_names_exist
+- ensure_no_users_have_rhosts_files
From 09a3abfed2f47db23c55843349a9fc31e1ce922f Mon Sep 17 00:00:00 2001
From: Sergejs Glusnevs
Date: Wed, 28 Jun 2023 08:46:40 +0200
Subject: [PATCH 06/42] New rules for RHEL/Rocky 9 added
---
 manifests/rules/ensure_dnsmasq_is_not_installed.pp | 9 +++++++++
 .../ensure_separate_partition_exists_for_dev_shm.pp | 12 ++++++++++++
 ...ensure_xorg_x11_server_common_is_not_installed.pp | 10 ++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 manifests/rules/ensure_dnsmasq_is_not_installed.pp
 create mode 100644 manifests/rules/ensure_separate_partition_exists_for_dev_shm.pp
 create mode 100644 manifests/rules/ensure_xorg_x11_server_common_is_not_installed.pp
diff --git a/manifests/rules/ensure_dnsmasq_is_not_installed.pp b/manifests/rules/ensure_dnsmasq_is_not_installed.pp
new file mode 100644
index 00000000..c8d547ba
--- /dev/null
+++ b/manifests/rules/ensure_dnsmasq_is_not_installed.pp
@@ -0,0 +1,9 @@
+# @api private
+#
+# @summary Ensure dnsmasq is not installed
+#
+class secure_linux_cis::rules::ensure_dnsmasq_is_not_installed {
+ package { 'dnsmasq':
+ ensure => absent,
+ }
+}
diff --git a/manifests/rules/ensure_separate_partition_exists_for_dev_shm.pp b/manifests/rules/ensure_separate_partition_exists_for_dev_shm.pp
new file mode 100644
index 00000000..d2ce879b
--- /dev/null
+++ b/manifests/rules/ensure_separate_partition_exists_for_dev_shm.pp
@@ -0,0 +1,12 @@
+# @api private
+#
+# @summary Ensure separate partition exists for /home
+#
+class secure_linux_cis::rules::ensure_separate_partition_exists_for_dev_shm {
+ unless $facts['mountpoints']['/dev/shm'] {
+ notify { 'mdevshm':
+ message => 'Not in compliance with CIS 3 (Scored). There is not a seperate partition for /dev/shm',
+ loglevel => 'warning',
+ }
+ }
+}
diff --git a/manifests/rules/ensure_xorg_x11_server_common_is_not_installed.pp b/manifests/rules/ensure_xorg_x11_server_common_is_not_installed.pp
new file mode 100644
index 00000000..7abde664
--- /dev/null
+++ b/manifests/rules/ensure_xorg_x11_server_common_is_not_installed.pp
@@ -0,0 +1,10 @@
+# @api private
+#
+# @summary Ensure xorg-x11-server-common is not installed
+#
+class secure_linux_cis::rules::ensure_xorg_x11_server_common_is_not_installed {
+ package { 'xorg-x11-server-common':
+ ensure => absent,
+ }
+}
+
From 2b3f0e5267adfa14c67cd95fcac5c1abe24348d0 Mon Sep 17 00:00:00 2001
From: Sergejs Glusnevs
Date: Thu, 29 Jun 2023 04:03:59 +0200
Subject: [PATCH 07/42] package_configuration info added
---
 data/osfamily/RedHat/version/9.yaml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 data/osfamily/RedHat/version/9.yaml
diff --git a/data/osfamily/RedHat/version/9.yaml b/data/osfamily/RedHat/version/9.yaml
new file mode 100644
index 00000000..d5e6bbe5
--- /dev/null
+++ b/data/osfamily/RedHat/version/9.yaml
@@ -0,0 +1,2 @@
+---
+secure_linux_cis::rules::ensure_gpgcheck_is_globally_activated::package_configuration: /etc/dnf/dnf.conf
From 9e5e6c43b7e225f57178d2659e84ff96cd415678 Mon Sep 17 00:00:00 2001
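Review bot: The `@summary` in ensure_separate_partition_exists_for_dev_shm.pp still describes /home although the class tests `$facts['mountpoints']['/dev/shm']`; it looks copied from the /home rule and should read `# @summary Ensure separate partition exists for /dev/shm`. The notify message misspells "separate", and its reference "CIS 3 (Scored)" does not look like a benchmark section for this control, so the warning is hard to trace back during an audit. The class only reports and changes nothing on the node; a comment above the `unless` would make that explicit, for example `# Report-only: a missing /dev/shm mount is logged as a warning, nothing is remediated`.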
From: Sergejs Glusnevs
Date: Thu, 29 Jun 2023 05:53:52 +0200
Subject: [PATCH 08/42] Added Rule Ensure 'audit log files are mode 0640 or less permissive'
---
 data/os/RedHat/version/9.yaml | 2 ++
 data/os/Rocky/version/9.yaml | 2 ++
 ...udit_log_files_are_mode_0640_or_less_permissive.pp | 11 +++++++++++
 3 files changed, 15 insertions(+)
 create mode 100644 manifests/rules/ensure_audit_log_files_are_mode_0640_or_less_permissive.pp
diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml
index 7f503ea0..27b5adaf 100644
--- a/data/os/RedHat/version/9.yaml
+++ b/data/os/RedHat/version/9.yaml
@@ -316,6 +316,7 @@ secure_linux_cis::server_level_2:
 - ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
+- ensure_audit_log_files_are_mode_0640_or_less_permissive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
@@ -710,6 +711,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
+- ensure_audit_log_files_are_mode_0640_or_less_permissive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml
index 7f503ea0..27b5adaf 100644
--- a/data/os/Rocky/version/9.yaml
+++ b/data/os/Rocky/version/9.yaml
@@ -316,6 +316,7 @@ secure_linux_cis::server_level_2:
 - ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
+- ensure_audit_log_files_are_mode_0640_or_less_permissive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
@@ -710,6 +711,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_successful_and_unsuccessful_attempts_to_use_the_usermod_command_are_recorded
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
+- ensure_audit_log_files_are_mode_0640_or_less_permissive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
diff --git a/manifests/rules/ensure_audit_log_files_are_mode_0640_or_less_permissive.pp b/manifests/rules/ensure_audit_log_files_are_mode_0640_or_less_permissive.pp
new file mode 100644
index 00000000..0343281e
--- /dev/null
+++ b/manifests/rules/ensure_audit_log_files_are_mode_0640_or_less_permissive.pp
@@ -0,0 +1,11 @@
+# @api private
+#
+# @summary Ensure audit log files are mode 0640 or less permissive
+#
+class secure_linux_cis::rules::ensure_audit_log_files_are_mode_0640_or_less_permissive {
+ exec { 'Ensure audit log files are mode 0640 or less permissive':
+ command => 'find $(dirname $(awk -F"=" \'/^\s*log_file/ {print $2}\' /etc/audit/auditd.conf | xargs)) -type f \( ! -perm 600 -a ! -perm 0400 -a ! -perm 0200 -a ! -perm 0000 -a ! -perm 0640 -a ! -perm 0440 -a ! -perm 0040 \) -exec chmod u-x,g-wx,o-rwx {} +',
+ unless => 'test -z `stat -Lc "%n %#a" "$(dirname $(awk -F"=" \'/^\s*log_file\s*=\s*/ {print $2}\' /etc/audit/auditd.conf | xargs))"/* | grep -Pv \'^\h*\H+\h+(0600|0400|0200|0000|0640|0440|0040)\b\'`',
+ path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
+ }
+}
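Review bot: The `find` in `command` (ensure_audit_log_files_are_mode_0640_or_less_permissive.pp) takes its starting directory from an unquoted `$(dirname $(awk … | xargs))`, with no guard for the case where that expands to nothing. If /etc/audit/auditd.conf is absent or has no `log_file` line, GNU find falls back to the current directory, so `chmod u-x,g-wx,o-rwx` would be applied to whatever tree the agent runs in; the `unless` test does not prevent this, because its glob then becomes `/*` and returns output. No ordering against the auditd package is visible in this hunk, so a first run before auditd is configured may be enough to reach that state. Quote the substitution as the audit log directory rule in this series does (`find "$(dirname …)" -type f …`), so an empty value makes find fail instead of widening the search, and add `onlyif => 'grep -Eq "^[[:space:]]*log_file[[:space:]]*=[[:space:]]*/" /etc/audit/auditd.conf',`. `command` also matches `/^\s*log_file/` where `unless` matches `/^\s*log_file\s*=\s*/`; both should use the same pattern.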
From aa931f070c88231ce098c9166e1138ca76a1810f Mon Sep 17 00:00:00 2001
From: Sergejs Glusnevs
Date: Thu, 29 Jun 2023 18:38:44 +0200
Subject: [PATCH 09/42] Added benchmark 'Ensure the audit log directory is 0750 or more restrictive'
---
 data/os/RedHat/version/9.yaml | 2 ++
 data/os/Rocky/version/9.yaml | 2 ++
 ...audit_log_directory_is_0750_or_more_restrictive.pp | 11 +++++++++++
 3 files changed, 15 insertions(+)
 create mode 100644 manifests/rules/ensure_the_audit_log_directory_is_0750_or_more_restrictive.pp
diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml
index 27b5adaf..8c2012ee 100644
--- a/data/os/RedHat/version/9.yaml
+++ b/data/os/RedHat/version/9.yaml
@@ -317,6 +317,7 @@ secure_linux_cis::server_level_2:
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
+- ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
@@ -712,6 +713,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
+- ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml
index 27b5adaf..8c2012ee 100644
--- a/data/os/Rocky/version/9.yaml
+++ b/data/os/Rocky/version/9.yaml
@@ -317,6 +317,7 @@ secure_linux_cis::server_level_2:
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
+- ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
@@ -712,6 +713,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
+- ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
diff --git a/manifests/rules/ensure_the_audit_log_directory_is_0750_or_more_restrictive.pp b/manifests/rules/ensure_the_audit_log_directory_is_0750_or_more_restrictive.pp
new file mode 100644
index 00000000..0f7192df
--- /dev/null
+++ b/manifests/rules/ensure_the_audit_log_directory_is_0750_or_more_restrictive.pp
@@ -0,0 +1,11 @@
+# @api private
+#
+# @summary Ensure the audit log directory is 0750 or more restrictive
+#
+class secure_linux_cis::rules::ensure_the_audit_log_directory_is_0750_or_more_restrictive {
+ exec { 'Ensure the audit log directory is 0750 or more restrictive':
+ command => 'chmod g-w,o-rwx "$(dirname $( awk -F"=" \'/^\s*log_file\s*=\s*/ {print $2}\' /etc/audit/auditd.conf))"',
+ unless => 'test -z `stat -Lc "%n %a" "$(dirname $( awk -F"=" \'/^\s*log_file\s*=\s*/ {print $2}\' /etc/audit/auditd.conf))" | grep -Pv -- \'^\h*\H+\h+([0,5,7][0,5]0)\'`',
+ path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
+ }
+}
From 8e03e76e945bfac765b1f397fb008a26210f7327 Mon Sep 17 00:00:00 2001
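Review bot: The `unless` check in ensure_the_audit_log_directory_is_0750_or_more_restrictive.pp accepts fewer modes than the `command` can leave behind, so the exec does not converge for some directories: `chmod g-w,o-rwx` leaves 0710 or 0740 unchanged, yet neither matches `([0,5,7][0,5]0)`, and the resource would then fire on every agent run. The commas inside the brackets are literal characters rather than separators, and the pattern has no end anchor. Testing the same bits the command clears removes the mismatch, for example `unless => 'test -z "$(find -H "$(dirname $( awk -F"=" \'/^\s*log_file\s*=\s*/ {print $2}\' /etc/audit/auditd.conf))" -maxdepth 0 -perm /027)"',`.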
From: Sergejs Glusnevs
Date: Sun, 16 Jul 2023 20:36:31 +0200
Subject: [PATCH 10/42] Added Hiera for RedHat 9 and Rocky 9
---
 data/os/RedHat/version/9.yaml | 2 ++
 data/os/Rocky/version/9.yaml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml
index 8c2012ee..750d9106 100644
--- a/data/os/RedHat/version/9.yaml
+++ b/data/os/RedHat/version/9.yaml
@@ -317,6 +317,7 @@ secure_linux_cis::server_level_2:
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
+- ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
@@ -713,6 +714,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
+- ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml
index 8c2012ee..4d9e128f 100644
--- a/data/os/Rocky/version/9.yaml
+++ b/data/os/Rocky/version/9.yaml
@@ -317,6 +317,7 @@ secure_linux_cis::server_level_2:
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
+- ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
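Review bot: `ensure_only_authorized_users_own_audit_log_files` is added to the level 2 lists here, but the commit's diffstat names only the two YAML files, so no manifest for that rule arrives with it. If the class is not already defined under `manifests/rules/` (not visible from this patch), RedHat 9 and Rocky 9 nodes would be assigned a rule that cannot be applied, and the audit log ownership control would be listed without being enforced. Confirm the class exists before this lands. The same entry is added in the three other hunks of this commit.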
@@ -713,6 +714,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_kernel_module_loading_unloading_and_modification_is_collected
 - ensure_the_audit_configuration_is_immutable
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
+- ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
From 3c650189d26a1842f1c02136f24b93b924fc2a00 Mon Sep 17 00:00:00 2001
From: Sergejs Glusnevs
Date: Fri, 14 Jul 2023 17:56:36 +0200
Subject: [PATCH 11/42] Added 'Ensure audit configuration files are 640 or more restrictive'
---
 data/os/RedHat/version/9.yaml | 2 ++
 data/os/Rocky/version/9.yaml | 2 ++
 ...configuration_files_are_640_or_more_restrictive.pp | 11 +++++++++++
 3 files changed, 15 insertions(+)
 create mode 100644 manifests/rules/ensure_audit_configuration_files_are_640_or_more_restrictive.pp
diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml
index 750d9106..926650a3 100644
--- a/data/os/RedHat/version/9.yaml
+++ b/data/os/RedHat/version/9.yaml
@@ -319,6 +319,7 @@ secure_linux_cis::server_level_2:
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
 - ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
+- ensure_audit_configuration_files_are_640_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
@@ -716,6 +717,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
 - ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
+- ensure_audit_configuration_files_are_640_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml
index 4d9e128f..6bf3d6c9 100644
--- a/data/os/Rocky/version/9.yaml
+++ b/data/os/Rocky/version/9.yaml
@@ -319,6 +319,7 @@ secure_linux_cis::server_level_2:
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
 - ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
+- ensure_audit_configuration_files_are_640_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
@@ -716,6 +717,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_audit_log_files_are_mode_0640_or_less_permissive
 - ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
+- ensure_audit_configuration_files_are_640_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
diff --git a/manifests/rules/ensure_audit_configuration_files_are_640_or_more_restrictive.pp b/manifests/rules/ensure_audit_configuration_files_are_640_or_more_restrictive.pp
new file mode 100644
index 00000000..fedc3aa8
--- /dev/null
+++ b/manifests/rules/ensure_audit_configuration_files_are_640_or_more_restrictive.pp
@@ -0,0 +1,11 @@
+# @api private
+#
+# @summary Ensure audit configuration files are 640 or more restrictive
+#
+class secure_linux_cis::rules::ensure_audit_configuration_files_are_640_or_more_restrictive {
+ exec { 'Ensure audit configuration files are 640 or more restrictive':
+ command => 'find /etc/audit/ -type f \( -name "*.conf" -o -name "*.rules" \) -exec chmod u-x,g-wx,o-rwx {} +',
+ unless => 'test -z `find /etc/audit/ -type f \( -name "*.conf" -o -name "*.rules" \) -exec stat -Lc "%n %a" {} + | grep -Pv -- \'^\h*\H+\h*([0,2,4,6][0,4]0)\h*$\' | grep -Pv -- \'^\h*\H+\h+([0,2,4,6][0,4]0)\'`',
+ path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
+ }
+}
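Review bot: The second `grep -Pv` in the `unless` of the new manifest has no end anchor, so it discards every line whose mode merely starts with an allowed three-digit value and makes the stricter first filter redundant. A file carrying a special-bit digit in front of digits that happen to fit (a mode printed as 2400, for instance) would be dropped by that filter and counted as compliant. Keeping only the anchored filter, with the commas removed from the classes, closes that gap: `| grep -Pv -- '^\h*\H+\h+([0246][04]0)\h*$'`.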
From 1bc17a65d5f724db3d36004880f59272473c3b15 Mon Sep 17 00:00:00 2001
From: Sergejs Glusnevs
Date: Fri, 14 Jul 2023 18:13:27 +0200
Subject: [PATCH 12/42] Added rule 'Ensure audit tools are 755 or more restrictive'
---
 data/os/RedHat/version/9.yaml | 2 ++
 data/os/Rocky/version/9.yaml | 2 ++
 .../ensure_audit_tools_are_755_or_more_restrictive.pp | 11 +++++++++++
 3 files changed, 15 insertions(+)
 create mode 100644 manifests/rules/ensure_audit_tools_are_755_or_more_restrictive.pp
diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml
index 926650a3..c25de2f6 100644
--- a/data/os/RedHat/version/9.yaml
+++ b/data/os/RedHat/version/9.yaml
@@ -320,6 +320,7 @@ secure_linux_cis::server_level_2:
 - ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_audit_configuration_files_are_640_or_more_restrictive
+- ensure_audit_tools_are_755_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
@@ -718,6 +719,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_audit_configuration_files_are_640_or_more_restrictive
+- ensure_audit_tools_are_755_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml
index 6bf3d6c9..50b7d26c 100644
--- a/data/os/Rocky/version/9.yaml
+++ b/data/os/Rocky/version/9.yaml
@@ -320,6 +320,7 @@ secure_linux_cis::server_level_2:
 - ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_audit_configuration_files_are_640_or_more_restrictive
+- ensure_audit_tools_are_755_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
@@ -718,6 +719,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_only_authorized_users_own_audit_log_files
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_audit_configuration_files_are_640_or_more_restrictive
+- ensure_audit_tools_are_755_or_more_restrictive
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
diff --git a/manifests/rules/ensure_audit_tools_are_755_or_more_restrictive.pp b/manifests/rules/ensure_audit_tools_are_755_or_more_restrictive.pp
new file mode 100644
index 00000000..b2428900
--- /dev/null
+++ b/manifests/rules/ensure_audit_tools_are_755_or_more_restrictive.pp
@@ -0,0 +1,11 @@
+# @api private
+#
+# @summary Ensure audit tools are 755 or more restrictive
+#
+class secure_linux_cis::rules::ensure_audit_tools_are_755_or_more_restrictive {
+ exec { 'Ensure audit tools are 755 or more restrictive':
+ command => 'chmod go-w /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules',
+ unless => 'test -z `stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/augenrules | grep -Pv -- \'^\h*\H+\h+([0-7][0,1,4,5][0,1,4,5])\h*$\'`',
+ path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
+ }
+}
From 9d24342bce8b8d35fa2a059f6912cfac715453d5 Mon Sep 17 00:00:00 2001
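Review bot: `stat` is called without `-L` in this `unless`, while `chmod` follows symlinks and the two audit manifests earlier in the series use `stat -Lc`. If any of the listed tools is a symlink on a target system, `%a` reports the link's own mode, the regex never matches that line, and the exec would run on every catalog application without converging. Using `stat -Lc "%n %a"` keeps the check and the remediation looking at the same file.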
From: Sergejs Glusnevs
Date: Fri, 14 Jul 2023 18:54:11 +0200
Subject: [PATCH 13/42] Rule added 'Ensure SSH X11 forwarding is disabled'
---
 data/os/RedHat/version/9.yaml | 3 +++
 data/os/Rocky/version/9.yaml | 3 +++
 .../ensure_ssh_x11_forwarding_is_disabled.pp | 25 +++++++++++++++++++
 3 files changed, 31 insertions(+)
 create mode 100644 manifests/rules/ensure_ssh_x11_forwarding_is_disabled.pp
diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml
index c25de2f6..fac937fa 100644
--- a/data/os/RedHat/version/9.yaml
+++ b/data/os/RedHat/version/9.yaml
@@ -321,6 +321,7 @@ secure_linux_cis::server_level_2:
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_audit_configuration_files_are_640_or_more_restrictive
 - ensure_audit_tools_are_755_or_more_restrictive
+- ensure_ssh_x11_forwarding_is_disabled
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
@@ -533,6 +534,7 @@ secure_linux_cis::workstation_level_1:
 - ensure_ssh_permituserenvironment_is_disabled
 - ensure_ssh_ignorerhosts_is_enabled
 - ensure_system_wide_crypto_policy_is_not_over_ridden
+- ensure_ssh_x11_forwarding_is_disabled
 - ensure_ssh_warning_banner_is_configured
 - ensure_ssh_maxstartups_is_configured
 - ensure_ssh_logingracetime_is_set_to_one_minute_or_less
@@ -720,6 +722,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_audit_configuration_files_are_640_or_more_restrictive
 - ensure_audit_tools_are_755_or_more_restrictive
+- ensure_ssh_x11_forwarding_is_disabled
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml
index 50b7d26c..07d1c69d 100644
--- a/data/os/Rocky/version/9.yaml
+++ b/data/os/Rocky/version/9.yaml
@@ -321,6 +321,7 @@ secure_linux_cis::server_level_2:
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_audit_configuration_files_are_640_or_more_restrictive
 - ensure_audit_tools_are_755_or_more_restrictive
+- ensure_ssh_x11_forwarding_is_disabled
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
@@ -575,6 +576,7 @@ secure_linux_cis::workstation_level_1:
 - ensure_no_users_have_forward_files
 - ensure_no_users_have_netrc_files
 - ensure_no_users_have_rhosts_files
+- ensure_ssh_x11_forwarding_is_disabled
 secure_linux_cis::workstation_level_2:
 - ensure_mounting_of_cramfs_filesystems_is_disabled
 - ensure_mounting_of_squashfs_filesystems_is_disabled
@@ -720,6 +722,7 @@ secure_linux_cis::workstation_level_2:
 - ensure_the_audit_log_directory_is_0750_or_more_restrictive
 - ensure_audit_configuration_files_are_640_or_more_restrictive
 - ensure_audit_tools_are_755_or_more_restrictive
+- ensure_ssh_x11_forwarding_is_disabled
 - ensure_rsyslog_is_installed
 - ensure_rsyslog_service_is_enabled
 - ensure_rsyslog_default_file_permissions_are_configured
diff --git a/manifests/rules/ensure_ssh_x11_forwarding_is_disabled.pp b/manifests/rules/ensure_ssh_x11_forwarding_is_disabled.pp
new file mode 100644
index 00000000..77652f9d
--- /dev/null
+++ b/manifests/rules/ensure_ssh_x11_forwarding_is_disabled.pp
@@ -0,0 +1,25 @@
+# @api private
+#
+# @summary Ensure SSH X11 forwarding is disabled
+#
+class secure_linux_cis::rules::ensure_ssh_x11_forwarding_is_disabled {
+ include secure_linux_cis::sshd_service
+
+ file_line { 'ensure ssh x11 forwarding is disabled':
+ ensure => present,
+ path => '/etc/ssh/sshd_config',
+ line => 'X11Forwarding no',
+ match => '^X11Forwarding',
+ multiple => true,
+ notify => Class['secure_linux_cis::sshd_service'],
+ }
+
+ file_line { 'ensure ssh x11 forwarding is disabled on per-user basis':
+ ensure => present,
+ path => '/etc/ssh/sshd_config',
+ line => ' X11Forwarding no',
+ match => '^[\\s]+X11Forwarding',
+ multiple => true,
+ notify => Class['secure_linux_cis::sshd_service'],
+ }
+}
From e4d2fc6fc7edad7eed08395b789ed794ed70a959 Mon Sep 17 00:00:00 2001
From: Sergejs Glusnevs
Date: Fri, 14 Jul 2023 19:20:38 +0200
Subject: [PATCH 14/42] Rules added 'Ensure SSH MaxAuthTries is set to 4 or less' and 'Ensure SSH MaxSessions is set to 10 or less'
---
 data/os/RedHat/version/9.yaml | 8 ++++++
 data/os/Rocky/version/9.yaml | 8 ++++++
 ...re_ssh_maxauthtries_is_set_to_4_or_less.pp | 25 +++++++++++++++++++
 ...re_ssh_maxsessions_is_set_to_10_or_less.pp | 25 +++++++++++++++++++
 4 files changed, 66 insertions(+)
 create mode 100644 manifests/rules/ensure_ssh_maxauthtries_is_set_to_4_or_less.pp
 create mode 100644 manifests/rules/ensure_ssh_maxsessions_is_set_to_10_or_less.pp
diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml
index fac937fa..6c3e767f 100644
--- a/data/os/RedHat/version/9.yaml
+++ b/data/os/RedHat/version/9.yaml
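Review bot: The second `file_line` ('... on per-user basis') does not set `append_on_no_match => false`, so when sshd_config holds no indented `X11Forwarding` line the resource appends ` X11Forwarding no` at the end of the file and, if the file ends in a `Match` block, inside that block. Adding `append_on_no_match => false,` limits it to rewriting entries that already exist; the per-user resources in the MaxAuthTries and MaxSessions manifests of the next patch have the same shape. Separately, both `match` patterns are case-sensitive while sshd keywords are not, and a value set in an included drop-in ahead of these lines would still win, so confirming the effective setting with `sshd -T` after a run is worthwhile.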
@@ -32,6 +32,8 @@ secure_linux_cis::server_level_1:
 - ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
 - ensure_filesystem_integrity_is_regularly_checked
 - ensure_bootloader_password_is_set
+- ensure_ssh_maxauthtries_is_set_to_4_or_less
+- ensure_ssh_maxsessions_is_set_to_10_or_less
 - ensure_permissions_on_bootloader_config_are_configured
 - ensure_authentication_is_required_when_booting_into_rescue_mode
 - ensure_core_dump_storage_is_disabled
@@ -214,6 +216,8 @@ secure_linux_cis::server_level_2:
 - ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
 - ensure_filesystem_integrity_is_regularly_checked
 - ensure_bootloader_password_is_set
+- ensure_ssh_maxauthtries_is_set_to_4_or_less
+- ensure_ssh_maxsessions_is_set_to_10_or_less
 - ensure_permissions_on_bootloader_config_are_configured
 - ensure_authentication_is_required_when_booting_into_rescue_mode
 - ensure_core_dump_storage_is_disabled
@@ -438,6 +442,8 @@ secure_linux_cis::workstation_level_1:
 - ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
 - ensure_filesystem_integrity_is_regularly_checked
 - ensure_bootloader_password_is_set
+- ensure_ssh_maxauthtries_is_set_to_4_or_less
+- ensure_ssh_maxsessions_is_set_to_10_or_less
 - ensure_permissions_on_bootloader_config_are_configured
 - ensure_authentication_is_required_when_booting_into_rescue_mode
 - ensure_core_dump_storage_is_disabled
@@ -617,6 +623,8 @@ secure_linux_cis::workstation_level_2:
 - ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
 - ensure_filesystem_integrity_is_regularly_checked
 - ensure_bootloader_password_is_set
+- ensure_ssh_maxauthtries_is_set_to_4_or_less
+- ensure_ssh_maxsessions_is_set_to_10_or_less
 - ensure_permissions_on_bootloader_config_are_configured
 - ensure_authentication_is_required_when_booting_into_rescue_mode
 - ensure_core_dump_storage_is_disabled
diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml
index 07d1c69d..cefaa04b 100644
--- a/data/os/Rocky/version/9.yaml
+++ b/data/os/Rocky/version/9.yaml
@@ -32,6 +32,8 @@ secure_linux_cis::server_level_1:
 - ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
 - ensure_filesystem_integrity_is_regularly_checked
 - ensure_bootloader_password_is_set
+- ensure_ssh_maxauthtries_is_set_to_4_or_less
+- ensure_ssh_maxsessions_is_set_to_10_or_less
 - ensure_permissions_on_bootloader_config_are_configured
 - ensure_authentication_is_required_when_booting_into_rescue_mode
 - ensure_core_dump_storage_is_disabled
@@ -214,6 +216,8 @@ secure_linux_cis::server_level_2:
 - ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
 - ensure_filesystem_integrity_is_regularly_checked
 - ensure_bootloader_password_is_set
+- ensure_ssh_maxauthtries_is_set_to_4_or_less
+- ensure_ssh_maxsessions_is_set_to_10_or_less
 - ensure_permissions_on_bootloader_config_are_configured
 - ensure_authentication_is_required_when_booting_into_rescue_mode
 - ensure_core_dump_storage_is_disabled
@@ -438,6 +442,8 @@ secure_linux_cis::workstation_level_1:
 - ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
 - ensure_filesystem_integrity_is_regularly_checked
 - ensure_bootloader_password_is_set
+- ensure_ssh_maxauthtries_is_set_to_4_or_less
+- ensure_ssh_maxsessions_is_set_to_10_or_less
 - ensure_permissions_on_bootloader_config_are_configured
 - ensure_authentication_is_required_when_booting_into_rescue_mode
 - ensure_core_dump_storage_is_disabled
@@ -617,6 +623,8 @@ secure_linux_cis::workstation_level_2:
 - ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools
 - ensure_filesystem_integrity_is_regularly_checked
 - ensure_bootloader_password_is_set
+- ensure_ssh_maxauthtries_is_set_to_4_or_less
+- ensure_ssh_maxsessions_is_set_to_10_or_less
 - ensure_permissions_on_bootloader_config_are_configured
 - ensure_authentication_is_required_when_booting_into_rescue_mode
 - ensure_core_dump_storage_is_disabled
diff --git a/manifests/rules/ensure_ssh_maxauthtries_is_set_to_4_or_less.pp b/manifests/rules/ensure_ssh_maxauthtries_is_set_to_4_or_less.pp
new file mode 100644
index 00000000..fc24698d
--- /dev/null
+++ b/manifests/rules/ensure_ssh_maxauthtries_is_set_to_4_or_less.pp
@@ -0,0 +1,25 @@
+# @api private
+#
+# @summary Ensure SSH MaxAuthTries is set to 4 or less
+#
+class secure_linux_cis::rules::ensure_ssh_maxauthtries_is_set_to_4_or_less {
+ include secure_linux_cis::sshd_service
+
+ file_line { 'ensure ssh maxauthtries is set to 4 or less':
+ ensure => present,
+ path => '/etc/ssh/sshd_config',
+ line => 'MaxAuthTries 4',
+ match => '^MaxAuthTries\\s+([5-9]|[1-9][0-9]+)',
+ multiple => true,
+ notify => Class['secure_linux_cis::sshd_service'],
+ }
+
+ file_line { 'ensure ssh maxauthtries is set to 4 or less on per-user basis':
+ ensure => present,
+ path => '/etc/ssh/sshd_config',
+ line => ' MaxAuthTries 4',
+ match => '^[\\s]+MaxAuthTries\\s+([5-9]|[1-9][0-9]+)',
+ multiple => true,
+ notify => Class['secure_linux_cis::sshd_service'],
+ }
+}
diff --git a/manifests/rules/ensure_ssh_maxsessions_is_set_to_10_or_less.pp b/manifests/rules/ensure_ssh_maxsessions_is_set_to_10_or_less.pp
new file mode 100644
index 00000000..762f6fe0
--- /dev/null
+++ b/manifests/rules/ensure_ssh_maxsessions_is_set_to_10_or_less.pp
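Review bot: Both `match` patterns in the MaxAuthTries manifest cover only values above 4, so a file that already holds a stricter setting such as `MaxAuthTries 3` produces no match and `file_line` appends a second `MaxAuthTries 4` line. In the global section sshd keeps the first value it reads, but if sshd_config ends in a `Match` block the appended line lands there and raises the limit for the sessions that block selects. I would at least document this above the first resource, e.g. `# a compliant value other than 4 is left in place; 'MaxAuthTries 4' is then appended`, and the MaxSessions manifest in the same patch behaves the same way with 10.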
@@ -0,0 +1,25 @@
+# @api private
+#
+# @summary Ensure SSH MaxSessions is set to 10 or less
+#
+class secure_linux_cis::rules::ensure_ssh_maxsessions_is_set_to_10_or_less {
+ include secure_linux_cis::sshd_service
+
+ file_line { 'ensure ssh maxsessions is set to 10 or less':
+ ensure => present,
+ path => '/etc/ssh/sshd_config',
+ line => 'MaxSessions 10',
+ match => '^MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)',
+ multiple => true,
+ notify => Class['secure_linux_cis::sshd_service'],
+ }
+
+ file_line { 'ensure ssh maxsessions is set to 10 or less on per-user basis':
+ ensure => present,
+ path => '/etc/ssh/sshd_config',
+ line => ' MaxSessions 10',
+ match => '^[\\s]+MaxSessions\\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)',
+ multiple => true,
+ notify => Class['secure_linux_cis::sshd_service'],
+ }
+}
From e229e658492eeb684214541058391a2014d03932 Mon Sep 17 00:00:00 2001
From: Sergejs Glusnevs
Date: Sun, 16 Jul 2023 20:22:13 +0200
Subject: [PATCH 15/42] Added Rule 'Ensure users must provide password for escalation'
---
 .plan_cache.json | 2 +-
 .task_cache.json | 2 +-
 Puppetfile | 61 ++--
 bolt-debug.log | 329 ++++++------------
 bolt-project.yaml | 1 +
 ...rs_must_provide_password_for_escalation.pp | 7 +-
 6 files changed, 145 insertions(+), 257 deletions(-)
diff --git a/.plan_cache.json b/.plan_cache.json
index fcb99fbd..fdbad3f8 100644
--- a/.plan_cache.json
+++ b/.plan_cache.json
@@ -1 +1 @@ -{"aggregate::count":{"name":"aggregate::count","description":"Run a task, command, or script on targets and aggregate the results as\na count of targets for each value of a key.","parameters":{"command":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The command to run. Mutually exclusive with script and task."},"script":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The path to the script to run. Mutually exclusive with command and task."},"task":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The name of the task to run. Mutually exclusive with command and script."},"targets":{"type":"TargetSpec","sensitive":false,"description":"The list of targets to run the action on."},"params":{"type":"Hash[String, Data]","sensitive":false,"default_value":"{}","description":"A hash of parameters and options to pass to the `run_*` function\nassociated with the action (e.g. run_task)."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/aggregate","private":false,"summary":"Run a task, command, or script on targets and aggregate the results as\na count of targets for each value of a key.","docstring":"This plan accepts an action and a list of targets. The action can be the name\nof a task, a script, or a command to run. It will run the action on the\ntargets and aggregate the key/value pairs in each Result into a hash, mapping\nthe keys to a hash of each distinct value and how many targets returned that\nvalue for the key."},"aggregate::targets":{"name":"aggregate::targets","description":"Run a task, command, or script on targets and aggregate the results as\nthe list of targets for each value of a key in the results.","parameters":{"command":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The command to run. 
Mutually exclusive with script and task."},"script":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The path to the script to run. Mutually exclusive with command and task."},"task":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The name of the task to run. Mutually exclusive with command and script."},"targets":{"type":"TargetSpec","sensitive":false,"description":"The list of targets to run the action on."},"params":{"type":"Hash[String, Data]","sensitive":false,"default_value":"{}","description":"A hash of parameters and options to pass to the `run_*` function\nassociated with the action (e.g. run_task)."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/aggregate","private":false,"summary":"Run a task, command, or script on targets and aggregate the results as\nthe list of targets for each value of a key in the results.","docstring":"This plan accepts an action and a list of targets. The action can be the name\nof a task, a script, or a command to run. It will run the action on the\ntargets and aggregate the key/value pairs in each Result into a hash, mapping\nthe keys to a hash of each distinct value and a list of targets returning that\nvalue."},"canary":{"name":"canary","description":"Run a task, command or script on canary targets before running it on all targets.","parameters":{"task":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The name of the task to run. Mutually exclusive with command and script."},"command":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The command to run. Mutually exclusive with task and script."},"script":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The script to run. 
Mutually exclusive with task and command."},"targets":{"type":"TargetSpec","sensitive":false,"description":"The target to run on."},"params":{"type":"Hash[String, Data]","sensitive":false,"default_value":"{}","description":"The parameters to use for the task."},"canary_size":{"type":"Integer","sensitive":false,"default_value":"1","description":"How many targets to use in the canary group."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/canary","private":false,"summary":"Run a task, command or script on canary targets before running it on all targets.","docstring":"This plan accepts a action and a $targets parameter. The action can be the name\nof a task, a script or a command to run. It will run the action on a canary\ngroup of targets and only continue to the rest of the targets if it succeeds on\nall canaries. This returns a ResultSet object with a Result for every target.\nAny skipped targets will have a 'canary/skipped-target' error kind."},"facts":{"name":"facts","description":"A plan that retrieves facts and stores in the inventory for the\nspecified targets.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"List of targets to retrieve the facts for."}},"module":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/facts","private":false,"summary":"A plan that retrieves facts and stores in the inventory for the\nspecified targets.","docstring":null},"facts::external":{"name":"facts::external","description":"A plan that generates external facts based on the provided modulepath and\nsets facts on specified targets.","parameters":{"path":{"type":"String","sensitive":false,"description":"The path to the directory on localhost containing external facts"},"targets":{"type":"TargetSpec","sensitive":false,"description":"The targest the collect and set facts on"}},"module":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/facts","private":false,"summary":"A plan that generates external facts based 
on the provided modulepath and\nsets facts on specified targets.","docstring":null},"facts::info":{"name":"facts::info","description":"A plan that prints basic OS information for the specified targets. It first\nruns the facts task to retrieve facts from the targets, then compiles the\ndesired OS information from the os fact value of each targets. This plan primarily\nprovides readable formatting, and ignores targets that error.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"List of the targets for which to print the OS information."}},"module":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/facts","private":false,"summary":"A plan that prints basic OS information for the specified targets. It first\nruns the facts task to retrieve facts from the targets, then compiles the\ndesired OS information from the os fact value of each targets. This plan primarily\nprovides readable formatting, and ignores targets that error.","docstring":null},"lvm::expand":{"name":"lvm::expand","description":"lvm::expand\n\nThis plan implements an opinionated method for expanding storage on servers\nthat use LVM. If this doesn't fit your needs, simply tie the tasks together\nin some way that does.","parameters":{"server":{"type":"String","sensitive":false,"description":"The target for the plan"},"volume_group":{"type":"String","sensitive":false,"description":"The volume group to which the logical volume belongs"},"logical_volume":{"type":"String","sensitive":false,"description":"The logical volume which is to be expanded"},"additional_size":{"type":"String","sensitive":false,"description":"How much size to add to the LV. This should be\nspecified in LVM format i.e. 
\"200m\" or \"2.5g\""},"disks":{"type":"Array[String]","sensitive":false,"default_value":"[]","description":"Any physical disks that should be added to the volume group as\npart of the expand process"},"resize_fs":{"type":"Boolean","sensitive":false,"default_value":"true","description":"Wheather or not to resize the filesystem"}},"module":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/lvm","private":false,"summary":null,"docstring":"lvm::expand\n\nThis plan implements an opinionated method for expanding storage on servers\nthat use LVM. If this doesn't fit your needs, simply tie the tasks together\nin some way that does."},"ntp::acceptance::pe_agent":{"name":"ntp::acceptance::pe_agent","description":"Install PE","parameters":{},"module":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/ntp","private":false,"summary":"Install PE","docstring":"Install PE Agent"},"ntp::acceptance::pe_server":{"name":"ntp::acceptance::pe_server","description":"Install PE Server","parameters":{"version":{"type":"Optional[String]","sensitive":false,"default_value":"'2019.8.5'"},"pe_settings":{"type":"Optional[Hash]","sensitive":false,"default_value":"{ password => 'puppetlabs' }"}},"module":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/ntp","private":false,"summary":"Install PE Server","docstring":"Install PE Server"},"ntp::acceptance::provision_integration":{"name":"ntp::acceptance::provision_integration","description":"Provisions machines","parameters":{"image":{"type":"Optional[String]","sensitive":false,"default_value":"'centos-7'"},"provision_type":{"type":"Optional[String]","sensitive":false,"default_value":"'provision_service'"}},"module":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/ntp","private":false,"summary":"Provisions machines","docstring":"Provisions machines for integration testing"},"puppet_agent::run":{"name":"puppet_agent::run","description":"Starts a Puppet agent run on the specified targets.\nNote: This plan may cause issues 
when run in Puppet Enterprise.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"The targets to start a Puppet agent run on."}},"module":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent","private":false,"summary":null,"docstring":"Starts a Puppet agent run on the specified targets.\nNote: This plan may cause issues when run in Puppet Enterprise."},"puppet_connect::test_input_data":{"name":"puppet_connect::test_input_data","description":"Tests that the provided Puppet Connect input data is complete, meaning that all consuming inventory targets are connectable.\nYou should run this plan with the following command:\n PUPPET_CONNECT_INPUT_DATA=/path/to/input_data.yaml bolt plan run puppet_connect::test_input_data\nwhere /path/to/input_data.yaml is the path to the input_data.yaml file containing the key-value input for the\npuppet_connect_data plugin. If the plan fails on some targets, then you can use Bolt's --rerun option to rerun the plan on\njust the failed targets:\n PUPPET_CONNECT_INPUT_DATA=/path/to/input_data.yaml bolt plan run puppet_connect::test_input_data --rerun failure\nNote that this plan should only be used as part of the copy-pastable \"test input data\" workflow specified in the Puppet\nConnect docs.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"default_value":"'all'","description":"The set of targets to test. Usually this should be 'all', the default."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/puppet_connect","private":false,"summary":"Tests that the provided Puppet Connect input data is complete, meaning that all consuming inventory targets are connectable.\nYou should run this plan with the following command:\n PUPPET_CONNECT_INPUT_DATA=/path/to/input_data.yaml bolt plan run puppet_connect::test_input_data\nwhere /path/to/input_data.yaml is the path to the input_data.yaml file containing the key-value input for the\npuppet_connect_data plugin. 
If the plan fails on some targets, then you can use Bolt's --rerun option to rerun the plan on\njust the failed targets:\n PUPPET_CONNECT_INPUT_DATA=/path/to/input_data.yaml bolt plan run puppet_connect::test_input_data --rerun failure\nNote that this plan should only be used as part of the copy-pastable \"test input data\" workflow specified in the Puppet\nConnect docs.","docstring":"the targets. Note that this query currently consists of running the 'echo'\ncommand."},"puppetdb_fact":{"name":"puppetdb_fact","description":"Collect facts for the specified targets from PuppetDB and store them\non the Targets.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"The targets to collect facts for."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/puppetdb_fact","private":false,"summary":"Collect facts for the specified targets from PuppetDB and store them\non the Targets.","docstring":"This plan accepts a list of targets to collect facts for from the configured\nPuppetDB connection. After collecting facts, they are stored on each target's\nTarget object. The updated facts can then be accessed using `$target.facts`."},"reboot":{"name":"reboot","description":"Reboots targets and waits for them to be available again.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"Targets to reboot."},"message":{"type":"Optional[String]","sensitive":false,"default_value":"undef","description":"Message to log with the reboot (for platforms that support it)."},"reboot_delay":{"type":"Integer[1]","sensitive":false,"default_value":"1","description":"How long (in seconds) to wait before rebooting. Defaults to 1."},"disconnect_wait":{"type":"Integer[0]","sensitive":false,"default_value":"10","description":"How long (in seconds) to wait before checking whether the server has rebooted. 
Defaults to 10."},"reconnect_timeout":{"type":"Integer[0]","sensitive":false,"default_value":"180","description":"How long (in seconds) to attempt to reconnect before giving up. Defaults to 180."},"retry_interval":{"type":"Integer[0]","sensitive":false,"default_value":"1","description":"How long (in seconds) to wait between retries. Defaults to 1."},"fail_plan_on_errors":{"type":"Boolean","sensitive":false,"default_value":"true","description":"Raise an error if any targets do not successfully reboot. Defaults to true."}},"module":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/reboot","private":false,"summary":null,"docstring":"Reboots targets and waits for them to be available again."},"secure_env_vars":{"name":"secure_env_vars","description":"Run a command or script with sensitive environment variables.\nEnvironment variables are loaded from the BOLT_ENV_VARS environment\nvariable, which is a JSON object mapping environment variable names\nto values.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"The targets to run the command or script on."},"command":{"type":"Optional[String]","sensitive":false,"default_value":"undef","description":"The command to run."},"script":{"type":"Optional[String]","sensitive":false,"default_value":"undef","description":"The script to run. 
This can be either a relative path, absolute path, or a file from a module."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/secure_env_vars","private":false,"summary":null,"docstring":"Run a command or script with sensitive environment variables.\nEnvironment variables are loaded from the BOLT_ENV_VARS environment\nvariable, which is a JSON object mapping environment variable names\nto values."},"secure_linux_cis":{"name":"secure_linux_cis","description":null,"parameters":{"targets":{"type":"TargetSpec","sensitive":false},"time_servers":{"type":"Array[Stdlib::Host]","sensitive":false,"default_value":"['time.google.com']"},"profile_type":{"type":"Enum['workstation', 'server']","sensitive":false,"default_value":"'server'"}},"module":"/Users/bryanbelanger/projects/secure_linux_cis","private":false,"summary":null,"docstring":null,"file":{"mtime":"2022-11-15 23:44:07 -0500","path":"/Users/bryanbelanger/projects/secure_linux_cis/plans/init.pp"}},"terraform::apply":{"name":"terraform::apply","description":null,"parameters":{"dir":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"state":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"state_out":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"target":{"type":"Optional[Variant[String[1], Array[String[1]]]]","sensitive":false,"default_value":"undef"},"var":{"type":"Optional[Hash]","sensitive":false,"default_value":"undef"},"var_file":{"type":"Optional[Variant[String[1], 
Array[String[1]]]]","sensitive":false,"default_value":"undef"},"return_output":{"type":"Optional[Boolean]","sensitive":false,"default_value":"false"}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/terraform","private":false,"summary":null,"docstring":null},"terraform::destroy":{"name":"terraform::destroy","description":null,"parameters":{"dir":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"state":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"state_out":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"target":{"type":"Optional[Variant[String[1], Array[String[1]]]]","sensitive":false,"default_value":"undef"},"var":{"type":"Optional[Hash]","sensitive":false,"default_value":"undef"},"var_file":{"type":"Optional[Variant[String[1], Array[String[1]]]]","sensitive":false,"default_value":"undef"}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/terraform","private":false,"summary":null,"docstring":null}} \ No newline at end of file +{"aggregate::count":{"name":"aggregate::count","description":"Run a task, command, or script on targets and aggregate the results as\na count of targets for each value of a key.","parameters":{"command":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The command to run. Mutually exclusive with script and task."},"script":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The path to the script to run. Mutually exclusive with command and task."},"task":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The name of the task to run. 
Mutually exclusive with command and script."},"targets":{"type":"TargetSpec","sensitive":false,"description":"The list of targets to run the action on."},"params":{"type":"Hash[String, Data]","sensitive":false,"default_value":"{}","description":"A hash of parameters and options to pass to the `run_*` function\nassociated with the action (e.g. run_task)."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/aggregate","private":false,"summary":"Run a task, command, or script on targets and aggregate the results as\na count of targets for each value of a key.","docstring":"This plan accepts an action and a list of targets. The action can be the name\nof a task, a script, or a command to run. It will run the action on the\ntargets and aggregate the key/value pairs in each Result into a hash, mapping\nthe keys to a hash of each distinct value and how many targets returned that\nvalue for the key."},"aggregate::targets":{"name":"aggregate::targets","description":"Run a task, command, or script on targets and aggregate the results as\nthe list of targets for each value of a key in the results.","parameters":{"command":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The command to run. Mutually exclusive with script and task."},"script":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The path to the script to run. Mutually exclusive with command and task."},"task":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The name of the task to run. Mutually exclusive with command and script."},"targets":{"type":"TargetSpec","sensitive":false,"description":"The list of targets to run the action on."},"params":{"type":"Hash[String, Data]","sensitive":false,"default_value":"{}","description":"A hash of parameters and options to pass to the `run_*` function\nassociated with the action (e.g. 
run_task)."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/aggregate","private":false,"summary":"Run a task, command, or script on targets and aggregate the results as\nthe list of targets for each value of a key in the results.","docstring":"This plan accepts an action and a list of targets. The action can be the name\nof a task, a script, or a command to run. It will run the action on the\ntargets and aggregate the key/value pairs in each Result into a hash, mapping\nthe keys to a hash of each distinct value and a list of targets returning that\nvalue."},"canary":{"name":"canary","description":"Run a task, command or script on canary targets before running it on all targets.","parameters":{"task":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The name of the task to run. Mutually exclusive with command and script."},"command":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The command to run. Mutually exclusive with task and script."},"script":{"type":"Optional[String[0]]","sensitive":false,"default_value":"undef","description":"The script to run. Mutually exclusive with task and command."},"targets":{"type":"TargetSpec","sensitive":false,"description":"The target to run on."},"params":{"type":"Hash[String, Data]","sensitive":false,"default_value":"{}","description":"The parameters to use for the task."},"canary_size":{"type":"Integer","sensitive":false,"default_value":"1","description":"How many targets to use in the canary group."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/canary","private":false,"summary":"Run a task, command or script on canary targets before running it on all targets.","docstring":"This plan accepts a action and a $targets parameter. The action can be the name\nof a task, a script or a command to run. 
It will run the action on a canary\ngroup of targets and only continue to the rest of the targets if it succeeds on\nall canaries. This returns a ResultSet object with a Result for every target.\nAny skipped targets will have a 'canary/skipped-target' error kind."},"facts":{"name":"facts","description":"A plan that retrieves facts and stores in the inventory for the\nspecified targets.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"List of targets to retrieve the facts for."}},"module":"/root/test/secure_linux_cis/.modules/facts","private":false,"summary":"A plan that retrieves facts and stores in the inventory for the\nspecified targets.","docstring":null},"facts::external":{"name":"facts::external","description":"A plan that generates external facts based on the provided modulepath and\nsets facts on specified targets.","parameters":{"path":{"type":"String","sensitive":false,"description":"The path to the directory on localhost containing external facts"},"targets":{"type":"TargetSpec","sensitive":false,"description":"The targest the collect and set facts on"}},"module":"/root/test/secure_linux_cis/.modules/facts","private":false,"summary":"A plan that generates external facts based on the provided modulepath and\nsets facts on specified targets.","docstring":null},"facts::info":{"name":"facts::info","description":"A plan that prints basic OS information for the specified targets. It first\nruns the facts task to retrieve facts from the targets, then compiles the\ndesired OS information from the os fact value of each targets. This plan primarily\nprovides readable formatting, and ignores targets that error.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"List of the targets for which to print the OS information."}},"module":"/root/test/secure_linux_cis/.modules/facts","private":false,"summary":"A plan that prints basic OS information for the specified targets. 
It first\nruns the facts task to retrieve facts from the targets, then compiles the\ndesired OS information from the os fact value of each targets. This plan primarily\nprovides readable formatting, and ignores targets that error.","docstring":null},"lvm::expand":{"name":"lvm::expand","description":"lvm::expand\n\nThis plan implements an opinionated method for expanding storage on servers\nthat use LVM. If this doesn't fit your needs, simply tie the tasks together\nin some way that does.","parameters":{"server":{"type":"String","sensitive":false,"description":"The target for the plan"},"volume_group":{"type":"String","sensitive":false,"description":"The volume group to which the logical volume belongs"},"logical_volume":{"type":"String","sensitive":false,"description":"The logical volume which is to be expanded"},"additional_size":{"type":"String","sensitive":false,"description":"How much size to add to the LV. This should be\nspecified in LVM format i.e. \"200m\" or \"2.5g\""},"disks":{"type":"Array[String]","sensitive":false,"default_value":"[]","description":"Any physical disks that should be added to the volume group as\npart of the expand process"},"resize_fs":{"type":"Boolean","sensitive":false,"default_value":"true","description":"Wheather or not to resize the filesystem"}},"module":"/root/test/secure_linux_cis/.modules/lvm","private":false,"summary":null,"docstring":"lvm::expand\n\nThis plan implements an opinionated method for expanding storage on servers\nthat use LVM. 
If this doesn't fit your needs, simply tie the tasks together\nin some way that does."},"ntp::acceptance::pe_agent":{"name":"ntp::acceptance::pe_agent","description":"Install PE","parameters":{},"module":"/root/test/secure_linux_cis/.modules/ntp","private":false,"summary":"Install PE","docstring":"Install PE Agent"},"ntp::acceptance::pe_server":{"name":"ntp::acceptance::pe_server","description":"Install PE Server","parameters":{"version":{"type":"Optional[String]","sensitive":false,"default_value":"'2019.8.5'"},"pe_settings":{"type":"Optional[Hash]","sensitive":false,"default_value":"{ password => 'puppetlabs' }"}},"module":"/root/test/secure_linux_cis/.modules/ntp","private":false,"summary":"Install PE Server","docstring":"Install PE Server"},"ntp::acceptance::provision_integration":{"name":"ntp::acceptance::provision_integration","description":"Provisions machines","parameters":{"image":{"type":"Optional[String]","sensitive":false,"default_value":"'centos-7'"},"provision_type":{"type":"Optional[String]","sensitive":false,"default_value":"'provision_service'"}},"module":"/root/test/secure_linux_cis/.modules/ntp","private":false,"summary":"Provisions machines","docstring":"Provisions machines for integration testing"},"puppet_agent::run":{"name":"puppet_agent::run","description":"Starts a Puppet agent run on the specified targets.\nNote: This plan may cause issues when run in Puppet Enterprise.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"The targets to start a Puppet agent run on."}},"module":"/root/test/secure_linux_cis/.modules/puppet_agent","private":false,"summary":null,"docstring":"Starts a Puppet agent run on the specified targets.\nNote: This plan may cause issues when run in Puppet Enterprise."},"puppet_connect::test_input_data":{"name":"puppet_connect::test_input_data","description":"Tests that the provided Puppet Connect input data is complete, meaning that all consuming inventory targets are connectable.\nYou should run 
this plan with the following command:\n PUPPET_CONNECT_INPUT_DATA=/path/to/input_data.yaml bolt plan run puppet_connect::test_input_data\nwhere /path/to/input_data.yaml is the path to the input_data.yaml file containing the key-value input for the\npuppet_connect_data plugin. If the plan fails on some targets, then you can use Bolt's --rerun option to rerun the plan on\njust the failed targets:\n PUPPET_CONNECT_INPUT_DATA=/path/to/input_data.yaml bolt plan run puppet_connect::test_input_data --rerun failure\nNote that this plan should only be used as part of the copy-pastable \"test input data\" workflow specified in the Puppet\nConnect docs.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"default_value":"'all'","description":"The set of targets to test. Usually this should be 'all', the default."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/puppet_connect","private":false,"summary":"Tests that the provided Puppet Connect input data is complete, meaning that all consuming inventory targets are connectable.\nYou should run this plan with the following command:\n PUPPET_CONNECT_INPUT_DATA=/path/to/input_data.yaml bolt plan run puppet_connect::test_input_data\nwhere /path/to/input_data.yaml is the path to the input_data.yaml file containing the key-value input for the\npuppet_connect_data plugin. If the plan fails on some targets, then you can use Bolt's --rerun option to rerun the plan on\njust the failed targets:\n PUPPET_CONNECT_INPUT_DATA=/path/to/input_data.yaml bolt plan run puppet_connect::test_input_data --rerun failure\nNote that this plan should only be used as part of the copy-pastable \"test input data\" workflow specified in the Puppet\nConnect docs.","docstring":"the targets. 
Note that this query currently consists of running the 'echo'\ncommand."},"puppetdb_fact":{"name":"puppetdb_fact","description":"Collect facts for the specified targets from PuppetDB and store them\non the Targets.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"The targets to collect facts for."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/puppetdb_fact","private":false,"summary":"Collect facts for the specified targets from PuppetDB and store them\non the Targets.","docstring":"This plan accepts a list of targets to collect facts for from the configured\nPuppetDB connection. After collecting facts, they are stored on each target's\nTarget object. The updated facts can then be accessed using `$target.facts`."},"reboot":{"name":"reboot","description":"Reboots targets and waits for them to be available again.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"Targets to reboot."},"message":{"type":"Optional[String]","sensitive":false,"default_value":"undef","description":"Message to log with the reboot (for platforms that support it)."},"reboot_delay":{"type":"Integer[1]","sensitive":false,"default_value":"1","description":"How long (in seconds) to wait before rebooting. Defaults to 1."},"disconnect_wait":{"type":"Integer[0]","sensitive":false,"default_value":"10","description":"How long (in seconds) to wait before checking whether the server has rebooted. Defaults to 10."},"reconnect_timeout":{"type":"Integer[0]","sensitive":false,"default_value":"180","description":"How long (in seconds) to attempt to reconnect before giving up. Defaults to 180."},"retry_interval":{"type":"Integer[0]","sensitive":false,"default_value":"1","description":"How long (in seconds) to wait between retries. Defaults to 1."},"fail_plan_on_errors":{"type":"Boolean","sensitive":false,"default_value":"true","description":"Raise an error if any targets do not successfully reboot. 
Defaults to true."}},"module":"/root/test/secure_linux_cis/.modules/reboot","private":false,"summary":null,"docstring":"Reboots targets and waits for them to be available again."},"secure_env_vars":{"name":"secure_env_vars","description":"Run a command or script with sensitive environment variables.\nEnvironment variables are loaded from the BOLT_ENV_VARS environment\nvariable, which is a JSON object mapping environment variable names\nto values.","parameters":{"targets":{"type":"TargetSpec","sensitive":false,"description":"The targets to run the command or script on."},"command":{"type":"Optional[String]","sensitive":false,"default_value":"undef","description":"The command to run."},"script":{"type":"Optional[String]","sensitive":false,"default_value":"undef","description":"The script to run. This can be either a relative path, absolute path, or a file from a module."}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/secure_env_vars","private":false,"summary":null,"docstring":"Run a command or script with sensitive environment variables.\nEnvironment variables are loaded from the BOLT_ENV_VARS environment\nvariable, which is a JSON object mapping environment variable names\nto values."},"secure_linux_cis":{"name":"secure_linux_cis","description":null,"parameters":{"targets":{"type":"TargetSpec","sensitive":false},"time_servers":{"type":"Array[Stdlib::Host]","sensitive":false,"default_value":"['time.google.com']"},"profile_type":{"type":"Enum['workstation', 'server']","sensitive":false,"default_value":"'server'"}},"module":"/root/test/secure_linux_cis","private":false,"summary":null,"docstring":null,"file":{"mtime":"2023-07-14 16:14:46 
+0200","path":"/root/test/secure_linux_cis/plans/init.pp"}},"terraform::apply":{"name":"terraform::apply","description":null,"parameters":{"dir":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"state":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"state_out":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"target":{"type":"Optional[Variant[String[1], Array[String[1]]]]","sensitive":false,"default_value":"undef"},"var":{"type":"Optional[Hash]","sensitive":false,"default_value":"undef"},"var_file":{"type":"Optional[Variant[String[1], Array[String[1]]]]","sensitive":false,"default_value":"undef"},"return_output":{"type":"Optional[Boolean]","sensitive":false,"default_value":"false"}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/terraform","private":false,"summary":null,"docstring":null},"terraform::destroy":{"name":"terraform::destroy","description":null,"parameters":{"dir":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"state":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"state_out":{"type":"Optional[String[1]]","sensitive":false,"default_value":"undef"},"target":{"type":"Optional[Variant[String[1], Array[String[1]]]]","sensitive":false,"default_value":"undef"},"var":{"type":"Optional[Hash]","sensitive":false,"default_value":"undef"},"var_file":{"type":"Optional[Variant[String[1], Array[String[1]]]]","sensitive":false,"default_value":"undef"}},"module":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/terraform","private":false,"summary":null,"docstring":null}} \ No newline at end of file diff --git a/.task_cache.json b/.task_cache.json index cde71174..7127f1e7 100644 --- a/.task_cache.json +++ b/.task_cache.json 
@@ -1 +1 @@ -{"apt":{"name":"apt","files":[{"name":"init.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/apt/tasks/init.rb","mtime":"2022-11-16 21:41:14 -0500"}],"metadata":{"description":"Allows you to perform apt-get functions","input_method":"stdin","parameters":{"action":{"description":"Action to perform with apt-get","type":"Enum[update, upgrade, dist-upgrade, autoremove]"}}}},"exec":{"name":"exec","files":[{"name":"init.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/exec/tasks/init.rb","mtime":"2022-11-16 21:41:15 -0500"},{"name":"windows.ps1","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/exec/tasks/windows.ps1","mtime":"2022-11-16 21:41:15 -0500"},{"name":"linux.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/exec/tasks/linux.sh","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Executes an arbitrary shell command on the target system","input_method":"stdin","parameters":{"command":{"description":"The command to run, including all arguments","type":"String[1]"},"interleave":{"description":"Interleave the stdout and stderr streams.(default: true)","type":"Optional[Variant[Boolean, Enum['true','false']]]"},"failonfail":{"description":"Should the task fail if the command exits nonzero.(default: true)","type":"Optional[Variant[Boolean, Enum['true','false']]]"}},"implementations":[{"name":"init.rb","requirements":["puppet-agent"]},{"name":"windows.ps1","requirements":["powershell"],"input_method":"powershell"},{"name":"linux.sh","requirements":["shell"],"input_method":"environment"}],"extensions":{"discovery":{"friendlyName":"Run a shell command","type":["host"]}}}},"facts":{"name":"facts","files":[{"name":"ruby.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/facts/tasks/ruby.rb","mtime":"2022-11-16 21:41:14 -0500"},{"name":"powershell.ps1","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/facts/tasks/powershell.ps1","mtime":"2022-11-16 
21:41:14 -0500"},{"name":"bash.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/facts/tasks/bash.sh","mtime":"2022-11-16 21:41:14 -0500"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2022-08-15 17:21:35 -0400"}],"metadata":{"description":"Gather system facts","parameters":{},"implementations":[{"name":"ruby.rb","requirements":["puppet-agent"],"files":["ruby_task_helper/files/task_helper.rb"],"input_method":"stdin"},{"name":"powershell.ps1","requirements":["powershell"],"input_method":"environment"},{"name":"bash.sh","requirements":["shell"],"input_method":"environment"}]}},"http_request":{"name":"http_request","files":[{"name":"init.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/http_request/tasks/init.rb","mtime":"2022-08-15 17:21:34 -0400"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2022-08-15 17:21:35 -0400"}],"metadata":{"description":"Make a HTTP or HTTPS request.","input_method":"stdin","parameters":{"base_url":{"description":"The fully qualified URL scheme to make requests to.","type":"String[1]"},"body":{"description":"The request body. If json_endpoint is true, must be able representable as JSON. 
If json_endpoint is false, must be a string.","type":"Optional[Data]"},"cacert":{"description":"An absolute path to the CA certificate.","type":"Optional[String[1]]"},"cert":{"description":"An absolute path to the client certificate.","type":"Optional[String[1]]"},"follow_redirects":{"description":"If true, automatically follows redirects.","type":"Boolean","default":true},"headers":{"description":"A map of headers to add to the payload.","type":"Optional[Hash[String, String]]"},"json_endpoint":{"description":"If true, parses the request and response bodies as JSON and sets the Content-Type header to application/json.","type":"Boolean","default":false},"key":{"description":"An absolute path to the RSA keypair.","type":"Optional[String[1]]"},"max_redirects":{"description":"The maximum number of redirects to follow when follow_redirects is true.","type":"Integer[1]","default":20},"method":{"description":"The HTTP method to use.","type":"Enum[delete, get, post, put, patch]","default":"get"},"path":{"description":"The path to append to the base_url.","type":"Optional[String[1]]"}},"files":["ruby_task_helper/files/task_helper.rb"]}},"lvm::ensure_lv":{"name":"lvm::ensure_lv","files":[{"name":"ensure_lv.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/lvm/tasks/ensure_lv.rb","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Ensures settings on a logical volume using the type & provider","input_method":"stdin","parameters":{"ensure":{"description":"Present or absent","type":"Enum[present,absent]"},"name":{"description":"The name of the logical volume. This is the unqualified name and will be automatically added to the volume group's device path (e.g., '/dev/$vg/$lv').","type":"String[1]"},"volume_group":{"description":"The volume group name associated with this logical volume","type":"Optional[String[1]]"},"size":{"description":"The size of the logical volume. 
Set to undef to use all available space","type":"Optional[Pattern[/^[0-9]+(\\.[0-9]+)?[KMGTPEkmgtpe]/]]"},"extents":{"description":"The number of logical extents to allocate for the new logical volume. Set to undef to use all available space","type":"Optional[Pattern[/^\\d+(%(?:vg|pvs|free|origin)?)?$/]]"},"persistent":{"description":"Set to true to make the block device persistent","type":"Optional[Boolean]"},"thinpool":{"description":"Set to true to create a thin pool or to pool name to create thin volume","type":"Optional[Boolean]"},"poolmetadatasize":{"description":"Change the size of logical volume pool metadata","type":"Optional[Pattern[/^[0-9]+(\\.[0-9]+)?[KMGTPEkmgtpe]/]]"},"minor":{"description":"Set the minor number","type":"Optional[Integer[0,255]]"},"type":{"description":"Configures the logical volume type","type":"Optional[String[1]]"},"range":{"description":"Sets the inter-physical volume allocation policy. AIX only","type":"Optional[Enum[maximum,minimum]]"},"stripes":{"description":"The number of stripes to allocate for the new logical volume","type":"Optional[Integer]"},"stripesize":{"description":"The stripesize to use for the new logical volume","type":"Optional[Integer]"},"readahead":{"description":"The readahead count to use for the new logical volume","type":"Optional[String]"},"resize_fs":{"description":"Whether or not to resize the underlying filesystem when resizing the logical volume","type":"Optional[Boolean]"},"mirror":{"description":"The number of mirrors of the volume","type":"Optional[Integer[0,4]]"},"mirrorlog":{"description":"How to store the mirror log","type":"Optional[Enum[core,disk,mirrored]]"},"alloc":{"description":"Selects the allocation policy when a command needs to allocate Physical Extents from the Volume Group","type":"Optional[Enum[anywhere,contiguous,cling,inherit,normal]]"},"no_sync":{"description":"An optimization in lvcreate, at least on Linux"},"region_size":{"description":"A mirror is divided into regions of this 
size (in MB), the mirror log uses this granularity to track which regions are in sync. CAN NOT BE CHANGED on already mirrored volume. Take your mirror size in terabytes and round up that number to the next power of 2, using that number as the -R argument.","type":"Optional[Integer]"}}}},"lvm::ensure_pv":{"name":"lvm::ensure_pv","files":[{"name":"ensure_pv.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/lvm/tasks/ensure_pv.rb","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Ensures settings on a physical volumes using the type & provider","input_method":"stdin","parameters":{"name":{"description":"The name of the physical volume","type":"String[1]"},"ensure":{"description":"Present or absent","type":"Enum[present,absent]"},"unless_vg":{"description":"Do not do anything if the VG already exists. The value should be the name of the volume group to check for.","type":"Optional[String]"},"force":{"description":"Force the creation without any confirmation","type":"Optional[Boolean]"}}}},"lvm::ensure_vg":{"name":"lvm::ensure_vg","files":[{"name":"ensure_vg.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/lvm/tasks/ensure_vg.rb","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Ensures settings on a volume group using the type & provider","input_method":"stdin","parameters":{"name":{"description":"The name of the volume group","type":"String[1]"},"ensure":{"description":"Present or absent","type":"Enum[present,absent]"},"createonly":{"description":"If set to true the volume group will be created if it does not exist. If the volume group does exist no action will be taken","type":"Optional[Boolean]"},"followsymlinks":{"description":"If set to true all current and wanted values of the physical_volumes property will be followed to their real files on disk if they are in fact symlinks. 
This is useful to have Puppet determine what the actual PV device is if the property value is a symlink, like '/dev/disk/by-path/xxxx -> ../../sda'","type":"Optional[Boolean]"},"physical_volumes":{"description":"The list of physical volumes to be included in the volume group","type":"Array[String]"}}}},"lvm::extend_lv":{"name":"lvm::extend_lv","files":[{"name":"extend_lv.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/lvm/tasks/extend_lv.rb","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Extends a logical volume","input_method":"stdin","parameters":{"size":{"description":"Intended size or 'full'","type":"String[1]"},"logical_volume":{"description":"Name of the logical volume to extend","type":"String[1]"},"volume_group":{"description":"Name of the volume group on which the logical volume resides","type":"String[1]"}}}},"lvm::extend_vg":{"name":"lvm::extend_vg","files":[{"name":"extend_vg.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/lvm/tasks/extend_vg.rb","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Adds physical volumes to a volume group","input_method":"stdin","parameters":{"volume_group":{"description":"The name of the volume group","type":"String[1]"},"physical_volumes":{"description":"The list of physical volumes to be included in the volume group","type":"Array[String]"}}}},"lvm::mount_lv":{"name":"lvm::mount_lv","files":[{"name":"mount_lv.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/lvm/tasks/mount_lv.rb","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Mounts a logical volume","input_method":"stdin","parameters":{"volume_group":{"description":"The name of the volume group","type":"String[1]"},"logical_volume":{"description":"The name of the logical_volume to mount","type":"String[1]"},"mountpoint":{"description":"Where to mount the logical volume","type":"String[1]"},"fstype":{"description":"The mount type. 
Valid values depend on the operating system. This is a required option.","type":"String"},"options":{"description":"A single string containing options for the mount, as they would appear in fstab on Linux. For many platforms this is a comma-delimited string","type":"Optional[String]"},"atboot":{"description":"Whether to mount the mount at boot. Not all platforms support this.","type":"Optional[Boolean]"},"owner":{"description":"Owner for the mountpoint","type":"Optional[String]"},"group":{"description":"Group for the mountpoint","type":"Optional[String]"},"mode":{"description":"Permissions for the mountpoint","type":"Optional[String]"}}}},"package":{"name":"package","files":[{"name":"init.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/package/tasks/init.rb","mtime":"2022-11-16 21:41:14 -0500"},{"name":"windows.ps1","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/package/tasks/windows.ps1","mtime":"2022-11-16 21:41:14 -0500"},{"name":"linux.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/package/tasks/linux.sh","mtime":"2022-11-16 21:41:14 -0500"},{"name":"package/files/common.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/package/files/common.sh","mtime":"2022-11-16 21:41:14 -0500"},{"name":"package/files/apt.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/package/files/apt.sh","mtime":"2022-11-16 21:41:14 -0500"},{"name":"package/files/yum.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/package/files/yum.sh","mtime":"2022-11-16 21:41:14 -0500"},{"name":"package/files/zypper.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/package/files/zypper.sh","mtime":"2022-11-16 21:41:14 -0500"}],"metadata":{"description":"Manage and inspect the state of packages","input_method":"stdin","parameters":{"action":{"description":"The operation (install, status, uninstall and upgrade) to perform on the package.","type":"Enum[install, status, 
uninstall, upgrade]"},"name":{"description":"The name of the package to be manipulated.","type":"String[1]"},"version":{"description":"Version numbers must match the full version to install, including release if the provider uses a release moniker. Ranges or semver patterns are not accepted except for the gem package provider. For example, to install the bash package from the rpm bash-4.1.2-29.el6.x86_64.rpm, use the string '4.1.2-29.el6'.","type":"Optional[String[1]]"},"manager_options":{"description":"options to be sent to the package manager","type":"Optional[String[1]]"},"provider":{"description":"The provider to use to manage or inspect the package, defaults to the system package manager. Only used when the 'puppet-agent' feature is available on the target so we can leverage Puppet.","type":"Optional[String[1]]"}},"implementations":[{"name":"init.rb","requirements":["puppet-agent"]},{"name":"windows.ps1","requirements":["powershell"],"input_method":"powershell"},{"name":"linux.sh","requirements":["shell"],"input_method":"environment","files":["package/files/common.sh","package/files/apt.sh","package/files/yum.sh","package/files/zypper.sh"]}],"extensions":{"discovery":{"friendlyName":"Manage package","type":["package"]}}}},"pkcs7::secret_createkeys":{"name":"pkcs7::secret_createkeys","files":[{"name":"secret_createkeys.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/pkcs7/tasks/secret_createkeys.rb","mtime":"2022-08-15 17:21:34 -0400"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2022-08-15 17:21:35 -0400"}],"metadata":{"description":"Create a key pair","input_method":"stdin","parameters":{"force":{"type":"Boolean","description":"Whether to overwrite an existing key pair","default":false},"keysize":{"type":"Integer","description":"The size of the key to 
generate","default":2048},"private_key":{"type":"String","description":"Path to the private key","default":"keys/private_key.pkcs7.pem"},"public_key":{"type":"String","description":"Path to the public key","default":"keys/public_key.pkcs7.pem"}},"files":["ruby_task_helper/files/task_helper.rb"]}},"pkcs7::secret_decrypt":{"name":"pkcs7::secret_decrypt","files":[{"name":"secret_decrypt.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/pkcs7/tasks/secret_decrypt.rb","mtime":"2022-08-15 17:21:34 -0400"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2022-08-15 17:21:35 -0400"}],"metadata":{"description":"Decrypt sensitive data with pkcs7","input_method":"stdin","parameters":{"encrypted_value":{"type":"String","description":"The ciphertext to decrypt"},"private_key":{"type":"String","description":"Path to the private key","default":"keys/private_key.pkcs7.pem"},"public_key":{"type":"String","description":"Path to the public key","default":"keys/public_key.pkcs7.pem"}},"files":["ruby_task_helper/files/task_helper.rb"]}},"pkcs7::secret_encrypt":{"name":"pkcs7::secret_encrypt","files":[{"name":"secret_encrypt.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/pkcs7/tasks/secret_encrypt.rb","mtime":"2022-08-15 17:21:34 -0400"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2022-08-15 17:21:35 -0400"}],"metadata":{"description":"Encrypt sensitive data with pkcs7","input_method":"stdin","parameters":{"plaintext_value":{"type":"String","description":"The plaintext to encrypt"},"public_key":{"type":"String","description":"Path to the public 
key","default":"keys/public_key.pkcs7.pem"}},"files":["ruby_task_helper/files/task_helper.rb"]}},"puppet_agent::delete_local_filebucket":{"name":"puppet_agent::delete_local_filebucket","files":[{"name":"delete_local_filebucket.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent/tasks/delete_local_filebucket.rb","mtime":"2022-11-16 21:41:15 -0500"},{"name":"puppet_agent/files/rb_task_helper.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent/files/rb_task_helper.rb","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Removes the local filebucket","parameters":{"force":{"description":"ignore nonexistent files and errors","type":"Optional[Boolean]"}},"files":["puppet_agent/files/rb_task_helper.rb"]}},"puppet_agent::facts_diff":{"name":"puppet_agent::facts_diff","files":[{"name":"facts_diff.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent/tasks/facts_diff.rb","mtime":"2022-11-16 21:41:15 -0500"},{"name":"puppet_agent/files/rb_task_helper.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent/files/rb_task_helper.rb","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Run the Puppet agent facts diff action","parameters":{"exclude":{"description":"Regex used to exclude specific facts from diff","type":"Optional[String]"}},"files":["puppet_agent/files/rb_task_helper.rb"]}},"puppet_agent::install":{"name":"puppet_agent::install","files":[{"name":"install_shell.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent/tasks/install_shell.sh","mtime":"2022-11-16 21:41:15 -0500"},{"name":"install_powershell.ps1","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent/tasks/install_powershell.ps1","mtime":"2022-11-16 21:41:15 -0500"},{"name":"facts/tasks/bash.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/facts/tasks/bash.sh","mtime":"2022-11-16 21:41:14 
-0500"}],"metadata":{"description":"Install the Puppet agent package","parameters":{"version":{"description":"The version of puppet-agent to install (defaults to latest when no agent is installed)","type":"Optional[String]"},"collection":{"description":"The Puppet collection to install from (defaults to puppet, which maps to the latest collection released)","type":"Optional[Enum[puppet6, puppet7, puppet, puppet6-nightly, puppet7-nightly, puppet-nightly]]"},"yum_source":{"description":"The source location to find yum repos (defaults to yum.puppet.com)","type":"Optional[String]"},"apt_source":{"description":"The source location to find apt repos (defaults to apt.puppet.com)","type":"Optional[String]"},"mac_source":{"description":"The source location to find mac packages (defaults to downloads.puppet.com)","type":"Optional[String]"},"windows_source":{"description":"The source location to find windows packages (defaults to downloads.puppet.com)","type":"Optional[String]"},"install_options":{"description":"optional install arguments to the windows installer (defaults to REINSTALLMODE=\"amus\")","type":"Optional[String]"},"stop_service":{"description":"Whether to stop the puppet agent service after install","type":"Optional[Boolean]"},"retry":{"description":"The number of retries in case of network connectivity failures","type":"Optional[Integer]","default":5}},"implementations":[{"name":"install_shell.sh","requirements":["shell"],"files":["facts/tasks/bash.sh"],"input_method":"environment"},{"name":"install_powershell.ps1","requirements":["powershell"]}],"supports_noop":true}},"puppet_agent::version":{"name":"puppet_agent::version","files":[{"name":"version_shell.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent/tasks/version_shell.sh","mtime":"2022-11-16 21:41:15 -0500"},{"name":"version_powershell.ps1","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent/tasks/version_powershell.ps1","mtime":"2022-11-16 21:41:15 
-0500"}],"metadata":{"description":"Get the version of the Puppet agent package installed. Returns nothing if none present.","parameters":{},"implementations":[{"name":"version_shell.sh","requirements":["shell"],"input_method":"environment"},{"name":"version_powershell.ps1","requirements":["powershell"]}]}},"puppet_conf":{"name":"puppet_conf","files":[{"name":"init.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/puppet_conf/tasks/init.rb","mtime":"2022-08-15 17:21:35 -0400"}],"metadata":{"description":"Inspect puppet agent configuration settings","input_method":"stdin","parameters":{"action":{"description":"The operation (get, set, delete) to perform on the configuration setting","type":"Enum[get, set, delete]"},"section":{"description":"The section of the config file. Defaults to main","type":"Optional[String[1]]"},"setting":{"description":"The name of the config entry to set/get","type":"String[1]"},"value":{"description":"The value you are setting. Only required for set","type":"Optional[String[1]]"}}}},"reboot":{"name":"reboot","files":[{"name":"init.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/reboot/tasks/init.rb","mtime":"2022-11-16 21:41:15 -0500"},{"name":"nix.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/reboot/tasks/nix.sh","mtime":"2022-11-16 21:41:15 -0500"},{"name":"win.ps1","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/reboot/tasks/win.ps1","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Reboots a machine","supports_noop":false,"input_method":"stdin","parameters":{"timeout":{"description":"Timeout before shutdown (seconds); enforces a minimum of 3s","type":"Optional[Variant[Pattern[/^[0-9]*$/],Integer]]"},"message":{"description":"Shutdown message for systems that support it","type":"Optional[Pattern[/^[^|&]*$/]]"},"shutdown_only":{"description":"Only shut the machine down, do not 
reboot","type":"Optional[Boolean]"}},"implementations":[{"name":"init.rb","requirements":["puppet-agent"]},{"name":"nix.sh","requirements":["shell"],"input_method":"environment"},{"name":"win.ps1","requirements":["powershell"],"input_method":"powershell"}]}},"reboot::last_boot_time":{"name":"reboot::last_boot_time","files":[{"name":"last_boot_time_nix.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/reboot/tasks/last_boot_time_nix.sh","mtime":"2022-11-16 21:41:15 -0500"},{"name":"last_boot_time_win.ps1","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/reboot/tasks/last_boot_time_win.ps1","mtime":"2022-11-16 21:41:15 -0500"}],"metadata":{"description":"Gets the last boot time of a Linux or Windows system","implementations":[{"name":"last_boot_time_nix.sh","requirements":["shell"]},{"name":"last_boot_time_win.ps1","requirements":["powershell"]}]}},"service":{"name":"service","files":[{"name":"init.rb","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/service/tasks/init.rb","mtime":"2022-11-16 21:41:14 -0500"},{"name":"windows.ps1","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/service/tasks/windows.ps1","mtime":"2022-11-16 21:41:14 -0500"},{"name":"linux.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/service/tasks/linux.sh","mtime":"2022-11-16 21:41:14 -0500"},{"name":"service/files/common.sh","path":"/Users/bryanbelanger/projects/secure_linux_cis/.modules/service/files/common.sh","mtime":"2022-11-16 21:41:14 -0500"}],"metadata":{"description":"Manage and inspect the state of services","input_method":"stdin","parameters":{"action":{"description":"The operation (start, stop, restart, enable, disable, status) to perform on the service.","type":"Enum[start, stop, restart, enable, disable, status]"},"name":{"description":"The name of the service to operate on.","type":"String[1]"},"force":{"description":"Force a Windows service to restart even if it has dependent services. 
This parameter is passed for Windows services only.","type":"Optional[Boolean]"},"provider":{"description":"The provider to use to manage or inspect the service, defaults to the system service manager. Only used when the 'puppet-agent' feature is available on the target so we can leverage Puppet.","type":"Optional[String[1]]"}},"implementations":[{"name":"init.rb","requirements":["puppet-agent"]},{"name":"windows.ps1","requirements":["powershell"],"input_method":"powershell"},{"name":"linux.sh","requirements":["shell"],"input_method":"environment","files":["service/files/common.sh"]}],"extensions":{"discovery":{"friendlyName":"Manage service","type":["host"]}}}},"terraform::apply":{"name":"terraform::apply","files":[{"name":"apply.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/terraform/tasks/apply.rb","mtime":"2022-08-15 17:21:35 -0400"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2022-08-15 17:21:35 -0400"},{"name":"terraform/lib/cli_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/terraform/lib/cli_helper.rb","mtime":"2022-08-15 17:21:35 -0400"}],"metadata":{"description":"Apply an HCL manifest","files":["ruby_task_helper/files/task_helper.rb","terraform/lib/cli_helper.rb"],"input_method":"stdin","parameters":{"dir":{"type":"Optional[String[1]]","description":"Path to Terraform project directory. Path is relative to CWD, unless an absolute path is specified."},"state":{"type":"Optional[String[1]]","description":"Path to read and save state. Defaults to \"terraform.tfstate\". Path is relative to \"dir\""},"target":{"type":"Optional[Variant[String[1], Array[String[1]]]]","description":"Resource to target. Operation will be limited to this resource and its dependencies. 
Accepts a single resource string or an array of resources"},"var":{"type":"Optional[Hash]","description":"Set Terraform variables, expects a hash with key value pairs representing variables and values."},"var_file":{"type":"Optional[Variant[String[1], Array[String[1]]]]","description":"Set variables in the Terraform configuration from a file. Path is relative to \"dir\". Accepts a single var-file path or an array of paths"},"state_out":{"type":"Optional[String[1]]","description":"Path to write state to that is different than \"state\". This can be used to preserve the old state."}}}},"terraform::destroy":{"name":"terraform::destroy","files":[{"name":"destroy.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/terraform/tasks/destroy.rb","mtime":"2022-08-15 17:21:35 -0400"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2022-08-15 17:21:35 -0400"},{"name":"terraform/lib/cli_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/terraform/lib/cli_helper.rb","mtime":"2022-08-15 17:21:35 -0400"}],"metadata":{"description":"Destroy resources managed with Terraform","files":["ruby_task_helper/files/task_helper.rb","terraform/lib/cli_helper.rb"],"input_method":"stdin","parameters":{"dir":{"type":"Optional[String[1]]","description":"Path to Terraform project directory. Path is relative to CWD, unless an absolute path is specified."},"state":{"type":"Optional[String[1]]","description":"Path to read and save state. Defaults to \"terraform.tfstate\", Path is relative to \"dir\""},"target":{"type":"Optional[Variant[String[1], Array[String[1]]]]","description":"Resource to target. Operation will be limited to this resource and its dependencies. 
Accepts a single resource string or an array of resources"},"var":{"type":"Optional[Hash]","description":"Set Terraform variables, expects a hash with key value pairs representing variables and values."},"var_file":{"type":"Optional[Variant[String[1], Array[String[1]]]]","description":"Set variables in the Terraform configuration from a file. Path is relative to \"dir\". Accepts a single var-file path or an array of paths"},"state_out":{"type":"Optional[String[1]]","description":"Path to write state to that is different than \"state\". This can be used to preserve the old state."}}}},"terraform::initialize":{"name":"terraform::initialize","files":[{"name":"initialize.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/terraform/tasks/initialize.rb","mtime":"2022-08-15 17:21:35 -0400"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2022-08-15 17:21:35 -0400"},{"name":"terraform/lib/cli_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/terraform/lib/cli_helper.rb","mtime":"2022-08-15 17:21:35 -0400"}],"metadata":{"description":"Initialize a Terraform project directory","files":["ruby_task_helper/files/task_helper.rb","terraform/lib/cli_helper.rb"],"input_method":"stdin","parameters":{"dir":{"type":"Optional[String[1]]","description":"Path to Terraform project directory. 
Path is relative to CWD, unless an absolute path is specified."}}}},"terraform::output":{"name":"terraform::output","files":[{"name":"output.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/terraform/tasks/output.rb","mtime":"2022-08-15 17:21:35 -0400"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2022-08-15 17:21:35 -0400"},{"name":"terraform/lib/cli_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules/terraform/lib/cli_helper.rb","mtime":"2022-08-15 17:21:35 -0400"}],"metadata":{"description":"JSON representation of Terraform outputs","files":["ruby_task_helper/files/task_helper.rb","terraform/lib/cli_helper.rb"],"input_method":"stdin","parameters":{"dir":{"type":"Optional[String[1]]","description":"Path to Terraform project directory. Path is relative to CWD, unless an absolute path is specified."},"state":{"type":"Optional[String[1]]","description":"Path to read and save state. 
Defaults to \"terraform.tfstate\", Path is relative to \"dir\""}}}}} \ No newline at end of file +{"apt":{"name":"apt","files":[{"name":"init.rb","path":"/root/test/secure_linux_cis/.modules/apt/tasks/init.rb","mtime":"2023-07-14 16:30:02 +0200"}],"metadata":{"description":"Allows you to perform apt-get functions","input_method":"stdin","parameters":{"action":{"description":"Action to perform with apt-get","type":"Enum[update, upgrade, dist-upgrade, autoremove]"}}}},"exec":{"name":"exec","files":[{"name":"init.rb","path":"/root/test/secure_linux_cis/.modules/exec/tasks/init.rb","mtime":"2023-07-14 16:29:59 +0200"},{"name":"windows.ps1","path":"/root/test/secure_linux_cis/.modules/exec/tasks/windows.ps1","mtime":"2023-07-14 16:29:59 +0200"},{"name":"linux.sh","path":"/root/test/secure_linux_cis/.modules/exec/tasks/linux.sh","mtime":"2023-07-14 16:29:59 +0200"}],"metadata":{"description":"Executes an arbitrary shell command on the target system","input_method":"stdin","parameters":{"command":{"description":"The command to run, including all arguments","type":"String[1]"},"interleave":{"description":"Interleave the stdout and stderr streams.(default: true)","type":"Optional[Variant[Boolean, Enum['true','false']]]"},"failonfail":{"description":"Should the task fail if the command exits nonzero.(default: true)","type":"Optional[Variant[Boolean, Enum['true','false']]]"}},"implementations":[{"name":"init.rb","requirements":["puppet-agent"]},{"name":"windows.ps1","requirements":["powershell"],"input_method":"powershell"},{"name":"linux.sh","requirements":["shell"],"input_method":"environment"}],"extensions":{"discovery":{"friendlyName":"Run a shell command","type":["host"]}}}},"facts":{"name":"facts","files":[{"name":"ruby.rb","path":"/root/test/secure_linux_cis/.modules/facts/tasks/ruby.rb","mtime":"2023-07-14 16:30:02 +0200"},{"name":"powershell.ps1","path":"/root/test/secure_linux_cis/.modules/facts/tasks/powershell.ps1","mtime":"2023-07-14 16:30:02 
+0200"},{"name":"bash.sh","path":"/root/test/secure_linux_cis/.modules/facts/tasks/bash.sh","mtime":"2023-07-14 16:30:02 +0200"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2023-03-13 21:15:33 +0100"}],"metadata":{"description":"Gather system facts","parameters":{},"implementations":[{"name":"ruby.rb","requirements":["puppet-agent"],"files":["ruby_task_helper/files/task_helper.rb"],"input_method":"stdin"},{"name":"powershell.ps1","requirements":["powershell"],"input_method":"environment"},{"name":"bash.sh","requirements":["shell"],"input_method":"environment"}]}},"http_request":{"name":"http_request","files":[{"name":"init.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/http_request/tasks/init.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2023-03-13 21:15:33 +0100"}],"metadata":{"description":"Make a HTTP or HTTPS request.","input_method":"stdin","parameters":{"base_url":{"description":"The fully qualified URL scheme to make requests to.","type":"String[1]"},"body":{"description":"The request body. If json_endpoint is true, must be able representable as JSON. 
If json_endpoint is false, must be a string.","type":"Optional[Data]"},"cacert":{"description":"An absolute path to the CA certificate.","type":"Optional[String[1]]"},"cert":{"description":"An absolute path to the client certificate.","type":"Optional[String[1]]"},"follow_redirects":{"description":"If true, automatically follows redirects.","type":"Boolean","default":true},"headers":{"description":"A map of headers to add to the payload.","type":"Optional[Hash[String, String]]"},"json_endpoint":{"description":"If true, parses the request and response bodies as JSON and sets the Content-Type header to application/json.","type":"Boolean","default":false},"key":{"description":"An absolute path to the RSA keypair.","type":"Optional[String[1]]"},"max_redirects":{"description":"The maximum number of redirects to follow when follow_redirects is true.","type":"Integer[1]","default":20},"method":{"description":"The HTTP method to use.","type":"Enum[delete, get, post, put, patch]","default":"get"},"path":{"description":"The path to append to the base_url.","type":"Optional[String[1]]"}},"files":["ruby_task_helper/files/task_helper.rb"]}},"lvm::ensure_lv":{"name":"lvm::ensure_lv","files":[{"name":"ensure_lv.rb","path":"/root/test/secure_linux_cis/.modules/lvm/tasks/ensure_lv.rb","mtime":"2023-07-14 16:29:59 +0200"}],"metadata":{"description":"Ensures settings on a logical volume using the type & provider","input_method":"stdin","parameters":{"ensure":{"description":"Present or absent","type":"Enum[present,absent]"},"name":{"description":"The name of the logical volume. This is the unqualified name and will be automatically added to the volume group's device path (e.g., '/dev/$vg/$lv').","type":"String[1]"},"volume_group":{"description":"The volume group name associated with this logical volume","type":"Optional[String[1]]"},"size":{"description":"The size of the logical volume. 
Set to undef to use all available space","type":"Optional[Pattern[/^[0-9]+(\\.[0-9]+)?[KMGTPEkmgtpe]/]]"},"extents":{"description":"The number of logical extents to allocate for the new logical volume. Set to undef to use all available space","type":"Optional[Pattern[/^\\d+(%(?:vg|pvs|free|origin)?)?$/]]"},"persistent":{"description":"Set to true to make the block device persistent","type":"Optional[Boolean]"},"thinpool":{"description":"Set to true to create a thin pool or to pool name to create thin volume","type":"Optional[Boolean]"},"poolmetadatasize":{"description":"Change the size of logical volume pool metadata","type":"Optional[Pattern[/^[0-9]+(\\.[0-9]+)?[KMGTPEkmgtpe]/]]"},"minor":{"description":"Set the minor number","type":"Optional[Integer[0,255]]"},"type":{"description":"Configures the logical volume type","type":"Optional[String[1]]"},"range":{"description":"Sets the inter-physical volume allocation policy. AIX only","type":"Optional[Enum[maximum,minimum]]"},"stripes":{"description":"The number of stripes to allocate for the new logical volume","type":"Optional[Integer]"},"stripesize":{"description":"The stripesize to use for the new logical volume","type":"Optional[Integer]"},"readahead":{"description":"The readahead count to use for the new logical volume","type":"Optional[String]"},"resize_fs":{"description":"Whether or not to resize the underlying filesystem when resizing the logical volume","type":"Optional[Boolean]"},"mirror":{"description":"The number of mirrors of the volume","type":"Optional[Integer[0,4]]"},"mirrorlog":{"description":"How to store the mirror log","type":"Optional[Enum[core,disk,mirrored]]"},"alloc":{"description":"Selects the allocation policy when a command needs to allocate Physical Extents from the Volume Group","type":"Optional[Enum[anywhere,contiguous,cling,inherit,normal]]"},"no_sync":{"description":"An optimization in lvcreate, at least on Linux"},"region_size":{"description":"A mirror is divided into regions of this 
size (in MB), the mirror log uses this granularity to track which regions are in sync. CAN NOT BE CHANGED on already mirrored volume. Take your mirror size in terabytes and round up that number to the next power of 2, using that number as the -R argument.","type":"Optional[Integer]"}}}},"lvm::ensure_pv":{"name":"lvm::ensure_pv","files":[{"name":"ensure_pv.rb","path":"/root/test/secure_linux_cis/.modules/lvm/tasks/ensure_pv.rb","mtime":"2023-07-14 16:29:59 +0200"}],"metadata":{"description":"Ensures settings on a physical volumes using the type & provider","input_method":"stdin","parameters":{"name":{"description":"The name of the physical volume","type":"String[1]"},"ensure":{"description":"Present or absent","type":"Enum[present,absent]"},"unless_vg":{"description":"Do not do anything if the VG already exists. The value should be the name of the volume group to check for.","type":"Optional[String]"},"force":{"description":"Force the creation without any confirmation","type":"Optional[Boolean]"}}}},"lvm::ensure_vg":{"name":"lvm::ensure_vg","files":[{"name":"ensure_vg.rb","path":"/root/test/secure_linux_cis/.modules/lvm/tasks/ensure_vg.rb","mtime":"2023-07-14 16:29:59 +0200"}],"metadata":{"description":"Ensures settings on a volume group using the type & provider","input_method":"stdin","parameters":{"name":{"description":"The name of the volume group","type":"String[1]"},"ensure":{"description":"Present or absent","type":"Enum[present,absent]"},"createonly":{"description":"If set to true the volume group will be created if it does not exist. If the volume group does exist no action will be taken","type":"Optional[Boolean]"},"followsymlinks":{"description":"If set to true all current and wanted values of the physical_volumes property will be followed to their real files on disk if they are in fact symlinks. 
This is useful to have Puppet determine what the actual PV device is if the property value is a symlink, like '/dev/disk/by-path/xxxx -> ../../sda'","type":"Optional[Boolean]"},"physical_volumes":{"description":"The list of physical volumes to be included in the volume group","type":"Array[String]"}}}},"lvm::extend_lv":{"name":"lvm::extend_lv","files":[{"name":"extend_lv.rb","path":"/root/test/secure_linux_cis/.modules/lvm/tasks/extend_lv.rb","mtime":"2023-07-14 16:29:59 +0200"}],"metadata":{"description":"Extends a logical volume","input_method":"stdin","parameters":{"size":{"description":"Intended size or 'full'","type":"String[1]"},"logical_volume":{"description":"Name of the logical volume to extend","type":"String[1]"},"volume_group":{"description":"Name of the volume group on which the logical volume resides","type":"String[1]"}}}},"lvm::extend_vg":{"name":"lvm::extend_vg","files":[{"name":"extend_vg.rb","path":"/root/test/secure_linux_cis/.modules/lvm/tasks/extend_vg.rb","mtime":"2023-07-14 16:29:59 +0200"}],"metadata":{"description":"Adds physical volumes to a volume group","input_method":"stdin","parameters":{"volume_group":{"description":"The name of the volume group","type":"String[1]"},"physical_volumes":{"description":"The list of physical volumes to be included in the volume group","type":"Array[String]"}}}},"lvm::mount_lv":{"name":"lvm::mount_lv","files":[{"name":"mount_lv.rb","path":"/root/test/secure_linux_cis/.modules/lvm/tasks/mount_lv.rb","mtime":"2023-07-14 16:29:59 +0200"}],"metadata":{"description":"Mounts a logical volume","input_method":"stdin","parameters":{"volume_group":{"description":"The name of the volume group","type":"String[1]"},"logical_volume":{"description":"The name of the logical_volume to mount","type":"String[1]"},"mountpoint":{"description":"Where to mount the logical volume","type":"String[1]"},"fstype":{"description":"The mount type. Valid values depend on the operating system. 
This is a required option.","type":"String"},"options":{"description":"A single string containing options for the mount, as they would appear in fstab on Linux. For many platforms this is a comma-delimited string","type":"Optional[String]"},"atboot":{"description":"Whether to mount the mount at boot. Not all platforms support this.","type":"Optional[Boolean]"},"owner":{"description":"Owner for the mountpoint","type":"Optional[String]"},"group":{"description":"Group for the mountpoint","type":"Optional[String]"},"mode":{"description":"Permissions for the mountpoint","type":"Optional[String]"}}}},"package":{"name":"package","files":[{"name":"init.rb","path":"/root/test/secure_linux_cis/.modules/package/tasks/init.rb","mtime":"2023-07-14 16:30:02 +0200"},{"name":"windows.ps1","path":"/root/test/secure_linux_cis/.modules/package/tasks/windows.ps1","mtime":"2023-07-14 16:30:02 +0200"},{"name":"linux.sh","path":"/root/test/secure_linux_cis/.modules/package/tasks/linux.sh","mtime":"2023-07-14 16:30:02 +0200"},{"name":"package/files/common.sh","path":"/root/test/secure_linux_cis/.modules/package/files/common.sh","mtime":"2023-07-14 16:30:02 +0200"},{"name":"package/files/apt.sh","path":"/root/test/secure_linux_cis/.modules/package/files/apt.sh","mtime":"2023-07-14 16:30:02 +0200"},{"name":"package/files/yum.sh","path":"/root/test/secure_linux_cis/.modules/package/files/yum.sh","mtime":"2023-07-14 16:30:02 +0200"},{"name":"package/files/zypper.sh","path":"/root/test/secure_linux_cis/.modules/package/files/zypper.sh","mtime":"2023-07-14 16:30:02 +0200"}],"metadata":{"description":"Manage and inspect the state of packages","input_method":"stdin","parameters":{"action":{"description":"The operation (install, status, uninstall and upgrade) to perform on the package.","type":"Enum[install, status, uninstall, upgrade]"},"name":{"description":"The name of the package to be manipulated.","type":"String[1]"},"version":{"description":"Version numbers must match the full version to 
install, including release if the provider uses a release moniker. Ranges or semver patterns are not accepted except for the gem package provider. For example, to install the bash package from the rpm bash-4.1.2-29.el6.x86_64.rpm, use the string '4.1.2-29.el6'.","type":"Optional[String[1]]"},"manager_options":{"description":"options to be sent to the package manager","type":"Optional[String[1]]"},"provider":{"description":"The provider to use to manage or inspect the package, defaults to the system package manager. Only used when the 'puppet-agent' feature is available on the target so we can leverage Puppet.","type":"Optional[String[1]]"}},"implementations":[{"name":"init.rb","requirements":["puppet-agent"]},{"name":"windows.ps1","requirements":["powershell"],"input_method":"powershell"},{"name":"linux.sh","requirements":["shell"],"input_method":"environment","files":["package/files/common.sh","package/files/apt.sh","package/files/yum.sh","package/files/zypper.sh"]}],"extensions":{"discovery":{"friendlyName":"Manage package","type":["package"]}}}},"pkcs7::secret_createkeys":{"name":"pkcs7::secret_createkeys","files":[{"name":"secret_createkeys.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/pkcs7/tasks/secret_createkeys.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2023-03-13 21:15:33 +0100"}],"metadata":{"description":"Create a key pair","input_method":"stdin","parameters":{"force":{"type":"Boolean","description":"Whether to overwrite an existing key pair","default":false},"keysize":{"type":"Integer","description":"The size of the key to generate","default":2048},"private_key":{"type":"String","description":"Path to the private key","default":"keys/private_key.pkcs7.pem"},"public_key":{"type":"String","description":"Path to the public 
key","default":"keys/public_key.pkcs7.pem"}},"files":["ruby_task_helper/files/task_helper.rb"]}},"pkcs7::secret_decrypt":{"name":"pkcs7::secret_decrypt","files":[{"name":"secret_decrypt.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/pkcs7/tasks/secret_decrypt.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2023-03-13 21:15:33 +0100"}],"metadata":{"description":"Decrypt sensitive data with pkcs7","input_method":"stdin","parameters":{"encrypted_value":{"type":"String","description":"The ciphertext to decrypt"},"private_key":{"type":"String","description":"Path to the private key","default":"keys/private_key.pkcs7.pem"},"public_key":{"type":"String","description":"Path to the public key","default":"keys/public_key.pkcs7.pem"}},"files":["ruby_task_helper/files/task_helper.rb"]}},"pkcs7::secret_encrypt":{"name":"pkcs7::secret_encrypt","files":[{"name":"secret_encrypt.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/pkcs7/tasks/secret_encrypt.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2023-03-13 21:15:33 +0100"}],"metadata":{"description":"Encrypt sensitive data with pkcs7","input_method":"stdin","parameters":{"plaintext_value":{"type":"String","description":"The plaintext to encrypt"},"public_key":{"type":"String","description":"Path to the public key","default":"keys/public_key.pkcs7.pem"}},"files":["ruby_task_helper/files/task_helper.rb"]}},"puppet_agent::delete_local_filebucket":{"name":"puppet_agent::delete_local_filebucket","files":[{"name":"delete_local_filebucket.rb","path":"/root/test/secure_linux_cis/.modules/puppet_agent/tasks/delete_local_filebucket.rb","mtime":"2023-07-14 
16:30:00 +0200"},{"name":"puppet_agent/files/rb_task_helper.rb","path":"/root/test/secure_linux_cis/.modules/puppet_agent/files/rb_task_helper.rb","mtime":"2023-07-14 16:30:00 +0200"}],"metadata":{"description":"Removes the local filebucket","parameters":{"force":{"description":"ignore nonexistent files and errors","type":"Optional[Boolean]"}},"files":["puppet_agent/files/rb_task_helper.rb"]}},"puppet_agent::facts_diff":{"name":"puppet_agent::facts_diff","files":[{"name":"facts_diff.rb","path":"/root/test/secure_linux_cis/.modules/puppet_agent/tasks/facts_diff.rb","mtime":"2023-07-14 16:30:00 +0200"},{"name":"puppet_agent/files/rb_task_helper.rb","path":"/root/test/secure_linux_cis/.modules/puppet_agent/files/rb_task_helper.rb","mtime":"2023-07-14 16:30:00 +0200"}],"metadata":{"description":"Run the Puppet agent facts diff action","parameters":{"exclude":{"description":"Regex used to exclude specific facts from diff","type":"Optional[String]"}},"files":["puppet_agent/files/rb_task_helper.rb"]}},"puppet_agent::install":{"name":"puppet_agent::install","files":[{"name":"install_shell.sh","path":"/root/test/secure_linux_cis/.modules/puppet_agent/tasks/install_shell.sh","mtime":"2023-07-14 16:30:00 +0200"},{"name":"install_powershell.ps1","path":"/root/test/secure_linux_cis/.modules/puppet_agent/tasks/install_powershell.ps1","mtime":"2023-07-14 16:30:00 +0200"},{"name":"facts/tasks/bash.sh","path":"/root/test/secure_linux_cis/.modules/facts/tasks/bash.sh","mtime":"2023-07-14 16:30:02 +0200"}],"metadata":{"description":"Install the Puppet agent package","parameters":{"version":{"description":"The version of puppet-agent to install (defaults to latest when no agent is installed)","type":"Optional[String]"},"collection":{"description":"The Puppet collection to install from (defaults to puppet, which maps to the latest collection released)","type":"Optional[Enum[puppet6, puppet7, puppet, puppet6-nightly, puppet7-nightly, puppet-nightly]]"},"yum_source":{"description":"The 
source location to find yum repos (defaults to yum.puppet.com)","type":"Optional[String]"},"apt_source":{"description":"The source location to find apt repos (defaults to apt.puppet.com)","type":"Optional[String]"},"mac_source":{"description":"The source location to find mac packages (defaults to downloads.puppet.com)","type":"Optional[String]"},"windows_source":{"description":"The source location to find windows packages (defaults to downloads.puppet.com)","type":"Optional[String]"},"install_options":{"description":"optional install arguments to the windows installer (defaults to REINSTALLMODE=\"amus\")","type":"Optional[String]"},"stop_service":{"description":"Whether to stop the puppet agent service after install","type":"Optional[Boolean]"},"retry":{"description":"The number of retries in case of network connectivity failures","type":"Optional[Integer]","default":5}},"implementations":[{"name":"install_shell.sh","requirements":["shell"],"files":["facts/tasks/bash.sh"],"input_method":"environment"},{"name":"install_powershell.ps1","requirements":["powershell"]}],"supports_noop":true}},"puppet_agent::version":{"name":"puppet_agent::version","files":[{"name":"version_shell.sh","path":"/root/test/secure_linux_cis/.modules/puppet_agent/tasks/version_shell.sh","mtime":"2023-07-14 16:30:00 +0200"},{"name":"version_powershell.ps1","path":"/root/test/secure_linux_cis/.modules/puppet_agent/tasks/version_powershell.ps1","mtime":"2023-07-14 16:30:00 +0200"}],"metadata":{"description":"Get the version of the Puppet agent package installed. 
Returns nothing if none present.","parameters":{},"implementations":[{"name":"version_shell.sh","requirements":["shell"],"input_method":"environment"},{"name":"version_powershell.ps1","requirements":["powershell"]}]}},"puppet_conf":{"name":"puppet_conf","files":[{"name":"init.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/puppet_conf/tasks/init.rb","mtime":"2023-03-13 21:15:33 +0100"}],"metadata":{"description":"Inspect puppet agent configuration settings","input_method":"stdin","parameters":{"action":{"description":"The operation (get, set, delete) to perform on the configuration setting","type":"Enum[get, set, delete]"},"section":{"description":"The section of the config file. Defaults to main","type":"Optional[String[1]]"},"setting":{"description":"The name of the config entry to set/get","type":"String[1]"},"value":{"description":"The value you are setting. Only required for set","type":"Optional[String[1]]"}}}},"reboot":{"name":"reboot","files":[{"name":"init.rb","path":"/root/test/secure_linux_cis/.modules/reboot/tasks/init.rb","mtime":"2023-07-14 16:30:00 +0200"},{"name":"nix.sh","path":"/root/test/secure_linux_cis/.modules/reboot/tasks/nix.sh","mtime":"2023-07-14 16:30:00 +0200"},{"name":"win.ps1","path":"/root/test/secure_linux_cis/.modules/reboot/tasks/win.ps1","mtime":"2023-07-14 16:30:00 +0200"}],"metadata":{"description":"Reboots a machine","supports_noop":false,"input_method":"stdin","parameters":{"timeout":{"description":"Timeout before shutdown (seconds); enforces a minimum of 3s","type":"Optional[Variant[Pattern[/^[0-9]*$/],Integer]]"},"message":{"description":"Shutdown message for systems that support it","type":"Optional[Pattern[/^[^|&]*$/]]"},"shutdown_only":{"description":"Only shut the machine down, do not 
reboot","type":"Optional[Boolean]"}},"implementations":[{"name":"init.rb","requirements":["puppet-agent"]},{"name":"nix.sh","requirements":["shell"],"input_method":"environment"},{"name":"win.ps1","requirements":["powershell"],"input_method":"powershell"}]}},"reboot::last_boot_time":{"name":"reboot::last_boot_time","files":[{"name":"last_boot_time_nix.sh","path":"/root/test/secure_linux_cis/.modules/reboot/tasks/last_boot_time_nix.sh","mtime":"2023-07-14 16:30:00 +0200"},{"name":"last_boot_time_win.ps1","path":"/root/test/secure_linux_cis/.modules/reboot/tasks/last_boot_time_win.ps1","mtime":"2023-07-14 16:30:00 +0200"}],"metadata":{"description":"Gets the last boot time of a Linux or Windows system","implementations":[{"name":"last_boot_time_nix.sh","requirements":["shell"]},{"name":"last_boot_time_win.ps1","requirements":["powershell"]}]}},"service":{"name":"service","files":[{"name":"init.rb","path":"/root/test/secure_linux_cis/.modules/service/tasks/init.rb","mtime":"2023-07-14 16:30:02 +0200"},{"name":"windows.ps1","path":"/root/test/secure_linux_cis/.modules/service/tasks/windows.ps1","mtime":"2023-07-14 16:30:02 +0200"},{"name":"linux.sh","path":"/root/test/secure_linux_cis/.modules/service/tasks/linux.sh","mtime":"2023-07-14 16:30:02 +0200"},{"name":"service/files/common.sh","path":"/root/test/secure_linux_cis/.modules/service/files/common.sh","mtime":"2023-07-14 16:30:02 +0200"}],"metadata":{"description":"Manage and inspect the state of services","input_method":"stdin","parameters":{"action":{"description":"The operation (start, stop, restart, enable, disable, status) to perform on the service.","type":"Enum[start, stop, restart, enable, disable, status]"},"name":{"description":"The name of the service to operate on.","type":"String[1]"},"force":{"description":"Force a Windows service to restart even if it has dependent services. 
This parameter is passed for Windows services only.","type":"Optional[Boolean]"},"provider":{"description":"The provider to use to manage or inspect the service, defaults to the system service manager. Only used when the 'puppet-agent' feature is available on the target so we can leverage Puppet.","type":"Optional[String[1]]"}},"implementations":[{"name":"init.rb","requirements":["puppet-agent"]},{"name":"windows.ps1","requirements":["powershell"],"input_method":"powershell"},{"name":"linux.sh","requirements":["shell"],"input_method":"environment","files":["service/files/common.sh"]}],"extensions":{"discovery":{"friendlyName":"Manage service","type":["host"]}}}},"terraform::apply":{"name":"terraform::apply","files":[{"name":"apply.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/terraform/tasks/apply.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"terraform/lib/cli_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/terraform/lib/cli_helper.rb","mtime":"2023-03-13 21:15:33 +0100"}],"metadata":{"description":"Apply an HCL manifest","files":["ruby_task_helper/files/task_helper.rb","terraform/lib/cli_helper.rb"],"input_method":"stdin","parameters":{"dir":{"type":"Optional[String[1]]","description":"Path to Terraform project directory. Path is relative to CWD, unless an absolute path is specified."},"state":{"type":"Optional[String[1]]","description":"Path to read and save state. Defaults to \"terraform.tfstate\". Path is relative to \"dir\""},"target":{"type":"Optional[Variant[String[1], Array[String[1]]]]","description":"Resource to target. Operation will be limited to this resource and its dependencies. 
Accepts a single resource string or an array of resources"},"var":{"type":"Optional[Hash]","description":"Set Terraform variables, expects a hash with key value pairs representing variables and values."},"var_file":{"type":"Optional[Variant[String[1], Array[String[1]]]]","description":"Set variables in the Terraform configuration from a file. Path is relative to \"dir\". Accepts a single var-file path or an array of paths"},"state_out":{"type":"Optional[String[1]]","description":"Path to write state to that is different than \"state\". This can be used to preserve the old state."}}}},"terraform::destroy":{"name":"terraform::destroy","files":[{"name":"destroy.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/terraform/tasks/destroy.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"terraform/lib/cli_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/terraform/lib/cli_helper.rb","mtime":"2023-03-13 21:15:33 +0100"}],"metadata":{"description":"Destroy resources managed with Terraform","files":["ruby_task_helper/files/task_helper.rb","terraform/lib/cli_helper.rb"],"input_method":"stdin","parameters":{"dir":{"type":"Optional[String[1]]","description":"Path to Terraform project directory. Path is relative to CWD, unless an absolute path is specified."},"state":{"type":"Optional[String[1]]","description":"Path to read and save state. Defaults to \"terraform.tfstate\", Path is relative to \"dir\""},"target":{"type":"Optional[Variant[String[1], Array[String[1]]]]","description":"Resource to target. Operation will be limited to this resource and its dependencies. 
Accepts a single resource string or an array of resources"},"var":{"type":"Optional[Hash]","description":"Set Terraform variables, expects a hash with key value pairs representing variables and values."},"var_file":{"type":"Optional[Variant[String[1], Array[String[1]]]]","description":"Set variables in the Terraform configuration from a file. Path is relative to \"dir\". Accepts a single var-file path or an array of paths"},"state_out":{"type":"Optional[String[1]]","description":"Path to write state to that is different than \"state\". This can be used to preserve the old state."}}}},"terraform::initialize":{"name":"terraform::initialize","files":[{"name":"initialize.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/terraform/tasks/initialize.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"terraform/lib/cli_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/terraform/lib/cli_helper.rb","mtime":"2023-03-13 21:15:33 +0100"}],"metadata":{"description":"Initialize a Terraform project directory","files":["ruby_task_helper/files/task_helper.rb","terraform/lib/cli_helper.rb"],"input_method":"stdin","parameters":{"dir":{"type":"Optional[String[1]]","description":"Path to Terraform project directory. 
Path is relative to CWD, unless an absolute path is specified."}}}},"terraform::output":{"name":"terraform::output","files":[{"name":"output.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/terraform/tasks/output.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"ruby_task_helper/files/task_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/ruby_task_helper/files/task_helper.rb","mtime":"2023-03-13 21:15:33 +0100"},{"name":"terraform/lib/cli_helper.rb","path":"/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules/terraform/lib/cli_helper.rb","mtime":"2023-03-13 21:15:33 +0100"}],"metadata":{"description":"JSON representation of Terraform outputs","files":["ruby_task_helper/files/task_helper.rb","terraform/lib/cli_helper.rb"],"input_method":"stdin","parameters":{"dir":{"type":"Optional[String[1]]","description":"Path to Terraform project directory. Path is relative to CWD, unless an absolute path is specified."},"state":{"type":"Optional[String[1]]","description":"Path to read and save state. Defaults to \"terraform.tfstate\", Path is relative to \"dir\""}}}}} \ No newline at end of file diff --git a/Puppetfile b/Puppetfile index 1df71dd6..035d9222 100644 --- a/Puppetfile +++ b/Puppetfile 
@@ -4,34 +4,35 @@
 # The following directive installs modules to the managed moduledir.
 moduledir '.modules'
 
-mod 'puppetlabs/package', '2.3.0'
-mod 'puppetlabs/service', '2.3.0'
-mod 'herculesteam/augeasproviders_sysctl', '2.6.2'
-mod 'puppet/augeasproviders_pam', '3.0.1'
-mod 'puppet/augeasproviders_core', '3.2.0'
-mod 'puppetlabs/facts', '1.4.0'
-mod 'puppetlabs/apt', '8.5.0'
-mod 'camptocamp/augeas', '1.9.0'
-mod 'puppet/alternatives', '4.1.0'
-mod 'puppet/firewalld', '4.5.1'
-mod 'puppet/kmod', '3.2.0'
-mod 'puppet/logrotate', '6.1.0'
-mod 'puppet/postfix', '3.0.0'
-mod 'puppet/selinux', '3.4.1'
-mod 'puppet/systemd', '3.10.0'
-mod 'puppetlabs/augeas_core', '1.2.0'
-mod 'puppetlabs/concat', '7.2.0'
-mod 'puppetlabs/firewall', '3.5.0'
-mod 'puppetlabs/inifile', '5.3.0'
-mod 'puppetlabs/mailalias_core', '1.1.0'
-mod 'puppetlabs/ntp', '9.1.1'
-mod 'puppetlabs/puppet_agent', '4.12.1'
-mod 'puppetlabs/reboot', '4.2.0'
-mod 'puppetlabs/stdlib', '6.6.0'
-mod 'ubeek/auditd', '1.0.3'
-mod 'puppetlabs/mount_core', '1.1.0'
-mod 'puppet/cron', '3.0.0'
-mod 'puppet/augeasproviders_grub', '4.0.0'
-mod 'puppet/augeasproviders_shellvar', '5.0.0'
-mod 'puppetlabs/lvm', '1.4.0'
+mod 'puppet/chrony', '3.0.0'
 mod 'puppetlabs/exec', '2.2.0'
+mod 'puppetlabs/lvm', '1.4.0'
+mod 'puppet/augeasproviders_shellvar', '5.0.0'
+mod 'puppet/augeasproviders_grub', '4.0.0'
+mod 'puppet/cron', '3.0.0'
+mod 'puppetlabs/mount_core', '1.1.0'
+mod 'ubeek/auditd', '1.0.3'
+mod 'puppetlabs/stdlib', '6.6.0'
+mod 'puppetlabs/reboot', '4.2.0'
+mod 'puppetlabs/puppet_agent', '4.12.1'
+mod 'puppetlabs/ntp', '9.1.1'
+mod 'puppetlabs/mailalias_core', '1.1.0'
+mod 'puppetlabs/inifile', '5.3.0'
+mod 'puppetlabs/firewall', '3.5.0'
+mod 'puppetlabs/concat', '7.2.0'
+mod 'puppetlabs/augeas_core', '1.2.0'
+mod 'puppet/systemd', '3.10.0'
+mod 'puppet/selinux', '3.4.1'
+mod 'puppet/postfix', '3.0.0'
+mod 'puppet/logrotate', '6.1.0'
+mod 'puppet/kmod', '3.2.0'
+mod 'puppet/firewalld', '4.5.1'
+mod 'puppet/alternatives', '4.1.0'
+mod 'camptocamp/augeas', '1.9.0'
+mod 'puppetlabs/apt', '8.5.0'
+mod 'puppetlabs/facts', '1.4.0'
+mod 'puppet/augeasproviders_core', '3.2.0'
+mod 'puppet/augeasproviders_pam', '3.0.1'
+mod 'herculesteam/augeasproviders_sysctl', '2.6.2'
+mod 'puppetlabs/service', '2.3.0'
+mod 'puppetlabs/package', '2.3.0'
diff --git a/bolt-debug.log b/bolt-debug.log
index 1bfd0ea5..fa2aba5f 100644
--- a/bolt-debug.log
+++ b/bolt-debug.log
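Review bot: The new dependency `mod 'puppet/chrony', '3.0.0'` is hard to spot in the Puppetfile hunk because the other 30 `mod` lines are removed and re-added in reverse order with the same names and versions. For a file that pins third-party Forge modules, the diff should show only what actually changed, so that an added or re-versioned module cannot slip through among reordered lines. I would keep the existing order and add the single line `mod 'puppet/chrony', '3.0.0'`. If the file is regenerated by Bolt rather than edited by hand (the `moduledir '.modules'` header suggests so), the reordering presumably comes from the tool; in that case the module is better declared in the project's module list, with the regenerated file kept in a stable order.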
@@ -1,225 +1,106 @@ -2022-11-16T21:41:13.415279 INFO [main] [Bolt::Logger] Loaded project from '/Users/bryanbelanger/projects/secure_linux_cis' -2022-11-16T21:41:13.450707 DEBUG [main] [Bolt::Executor] Started with 100 max thread(s) -2022-11-16T21:41:13.868836 DEBUG [main] [Bolt::PAL] Loading modules from /opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/bolt-modules:/Users/bryanbelanger/projects/secure_linux_cis/modules:/Users/bryanbelanger/projects/secure_linux_cis/.modules:/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.26.1/modules -2022-11-16T21:41:13.869147 DEBUG [main] [Bolt::Inventory] Tried to load inventory from /Users/bryanbelanger/projects/secure_linux_cis/inventory.yaml, but the file does not exist -2022-11-16T21:41:14.223472 INFO [main] [Bolt::R10KLogProxy] Using Puppetfile '/Users/bryanbelanger/projects/secure_linux_cis/Puppetfile' -2022-11-16T21:41:14.223600 DEBUG [main] [Bolt::R10KLogProxy] Using moduledir '/Users/bryanbelanger/projects/secure_linux_cis/.modules' -2022-11-16T21:41:14.226955 DEBUG [main] [Bolt::R10KLogProxy] Updating modules with 4 threads -2022-11-16T21:41:14.228611 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/package -2022-11-16T21:41:14.238895 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/service -2022-11-16T21:41:14.239495 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeasproviders_sysctl -2022-11-16T21:41:14.239628 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeasproviders_pam -2022-11-16T21:41:14.391135 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of herculesteam-augeasproviders_sysctl-2.6.2 tarball -2022-11-16T21:41:14.391207 DEBUG [] [Bolt::R10KLogProxy] Verifying that 
/Users/bryanbelanger/.r10k/cache/herculesteam-augeasproviders_sysctl-2.6.2/tarball/herculesteam-augeasproviders_sysctl-2.6.2.tar.gz matches checksum -2022-11-16T21:41:14.393710 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/herculesteam-augeasproviders_sysctl-2.6.2/tarball/herculesteam-augeasproviders_sysctl-2.6.2.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeasproviders_sysctl (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-wutgj/herculesteam-augeasproviders_sysctl-2.6.2) -2022-11-16T21:41:14.399720 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-service-2.3.0 tarball -2022-11-16T21:41:14.399823 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-service-2.3.0/tarball/puppetlabs-service-2.3.0.tar.gz matches checksum -2022-11-16T21:41:14.400816 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-package-2.3.0 tarball -2022-11-16T21:41:14.400920 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-package-2.3.0/tarball/puppetlabs-package-2.3.0.tar.gz matches checksum -2022-11-16T21:41:14.401913 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-service-2.3.0/tarball/puppetlabs-service-2.3.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/service (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-19hu4kl/puppetlabs-service-2.3.0) -2022-11-16T21:41:14.402379 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-package-2.3.0/tarball/puppetlabs-package-2.3.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/package (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-11d1y5z/puppetlabs-package-2.3.0) -2022-11-16T21:41:14.406322 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-augeasproviders_pam-3.0.1 tarball -2022-11-16T21:41:14.406572 
DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-augeasproviders_pam-3.0.1/tarball/puppet-augeasproviders_pam-3.0.1.tar.gz matches checksum -2022-11-16T21:41:14.408144 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-augeasproviders_pam-3.0.1/tarball/puppet-augeasproviders_pam-3.0.1.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeasproviders_pam (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1fy01g8/puppet-augeasproviders_pam-3.0.1) -2022-11-16T21:41:14.429029 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-augeasproviders_pam-3.0.1", "puppet-augeasproviders_pam-3.0.1/CHANGELOG.md", "puppet-augeasproviders_pam-3.0.1/HISTORY.md", "puppet-augeasproviders_pam-3.0.1/LICENSE", "puppet-augeasproviders_pam-3.0.1/README.md", "puppet-augeasproviders_pam-3.0.1/lib", "puppet-augeasproviders_pam-3.0.1/lib/puppet", "puppet-augeasproviders_pam-3.0.1/lib/puppet/provider", "puppet-augeasproviders_pam-3.0.1/lib/puppet/provider/pam", "puppet-augeasproviders_pam-3.0.1/lib/puppet/provider/pam/augeas.rb", "puppet-augeasproviders_pam-3.0.1/lib/puppet/type", "puppet-augeasproviders_pam-3.0.1/lib/puppet/type/pam.rb", "puppet-augeasproviders_pam-3.0.1/metadata.json"] -2022-11-16T21:41:14.430039 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeasproviders_core -2022-11-16T21:41:14.455460 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-service-2.3.0", "puppetlabs-service-2.3.0/.github", "puppetlabs-service-2.3.0/.github/workflows", "puppetlabs-service-2.3.0/.github/workflows/auto_release.yml", "puppetlabs-service-2.3.0/.github/workflows/labeller.yml", "puppetlabs-service-2.3.0/.github/workflows/nightly.yml", "puppetlabs-service-2.3.0/.github/workflows/pr_test.yml", "puppetlabs-service-2.3.0/.github/workflows/release.yml", "puppetlabs-service-2.3.0/.github/workflows/spec.yml", 
"puppetlabs-service-2.3.0/.github/workflows/stale.yml", "puppetlabs-service-2.3.0/.gitpod.Dockerfile", "puppetlabs-service-2.3.0/.gitpod.yml", "puppetlabs-service-2.3.0/.pmtignore", "puppetlabs-service-2.3.0/.rubocop_todo.yml", "puppetlabs-service-2.3.0/CHANGELOG.md", "puppetlabs-service-2.3.0/CODEOWNERS", "puppetlabs-service-2.3.0/CONTRIBUTING.md", "puppetlabs-service-2.3.0/HISTORY.md", "puppetlabs-service-2.3.0/LICENSE", "puppetlabs-service-2.3.0/NOTICE", "puppetlabs-service-2.3.0/README.md", "puppetlabs-service-2.3.0/REFERENCE.md", "puppetlabs-service-2.3.0/data", "puppetlabs-service-2.3.0/data/common.yaml", "puppetlabs-service-2.3.0/files", "puppetlabs-service-2.3.0/files/common.sh", "puppetlabs-service-2.3.0/hiera.yaml", "puppetlabs-service-2.3.0/metadata.json", "puppetlabs-service-2.3.0/pdk.yaml", "puppetlabs-service-2.3.0/provision.yaml", "puppetlabs-service-2.3.0/tasks", "puppetlabs-service-2.3.0/tasks/init.json", "puppetlabs-service-2.3.0/tasks/init.rb", "puppetlabs-service-2.3.0/tasks/linux.json", "puppetlabs-service-2.3.0/tasks/linux.sh", "puppetlabs-service-2.3.0/tasks/windows.json", "puppetlabs-service-2.3.0/tasks/windows.ps1"] -2022-11-16T21:41:14.456071 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/facts -2022-11-16T21:41:14.458735 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-package-2.3.0", "puppetlabs-package-2.3.0/.github", "puppetlabs-package-2.3.0/.github/workflows", "puppetlabs-package-2.3.0/.github/workflows/auto_release.yml", "puppetlabs-package-2.3.0/.github/workflows/labeller.yml", "puppetlabs-package-2.3.0/.github/workflows/nightly.yml", "puppetlabs-package-2.3.0/.github/workflows/pr_test.yml", "puppetlabs-package-2.3.0/.github/workflows/release.yml", "puppetlabs-package-2.3.0/.github/workflows/spec.yml", "puppetlabs-package-2.3.0/.github/workflows/stale.yml", "puppetlabs-package-2.3.0/.gitpod.Dockerfile", "puppetlabs-package-2.3.0/.gitpod.yml", 
"puppetlabs-package-2.3.0/.pmtignore", "puppetlabs-package-2.3.0/.rubocop_todo.yml", "puppetlabs-package-2.3.0/CHANGELOG.md", "puppetlabs-package-2.3.0/CODEOWNERS", "puppetlabs-package-2.3.0/CONTRIBUTING.md", "puppetlabs-package-2.3.0/HISTORY.md", "puppetlabs-package-2.3.0/LICENSE", "puppetlabs-package-2.3.0/NOTICE", "puppetlabs-package-2.3.0/README.md", "puppetlabs-package-2.3.0/REFERENCE.md", "puppetlabs-package-2.3.0/data", "puppetlabs-package-2.3.0/data/common.yaml", "puppetlabs-package-2.3.0/files", "puppetlabs-package-2.3.0/files/apt.sh", "puppetlabs-package-2.3.0/files/common.sh", "puppetlabs-package-2.3.0/files/yum.sh", "puppetlabs-package-2.3.0/files/zypper.sh", "puppetlabs-package-2.3.0/hiera.yaml", "puppetlabs-package-2.3.0/metadata.json", "puppetlabs-package-2.3.0/pdk.yaml", "puppetlabs-package-2.3.0/provision.yaml", "puppetlabs-package-2.3.0/tasks", "puppetlabs-package-2.3.0/tasks/init.json", "puppetlabs-package-2.3.0/tasks/init.rb", "puppetlabs-package-2.3.0/tasks/linux.json", "puppetlabs-package-2.3.0/tasks/linux.sh", "puppetlabs-package-2.3.0/tasks/windows.json", "puppetlabs-package-2.3.0/tasks/windows.ps1"] -2022-11-16T21:41:14.459233 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/apt -2022-11-16T21:41:14.459634 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["herculesteam-augeasproviders_sysctl-2.6.2", "herculesteam-augeasproviders_sysctl-2.6.2/.coveralls.yml", "herculesteam-augeasproviders_sysctl-2.6.2/.fixtures.yml", "herculesteam-augeasproviders_sysctl-2.6.2/.github", "herculesteam-augeasproviders_sysctl-2.6.2/.github/FUNDING.yml", "herculesteam-augeasproviders_sysctl-2.6.2/.gitignore", "herculesteam-augeasproviders_sysctl-2.6.2/.gitmodules", "herculesteam-augeasproviders_sysctl-2.6.2/.sync.yml", "herculesteam-augeasproviders_sysctl-2.6.2/.travis.sh", "herculesteam-augeasproviders_sysctl-2.6.2/.travis.yml", "herculesteam-augeasproviders_sysctl-2.6.2/CHANGELOG.md", 
"herculesteam-augeasproviders_sysctl-2.6.2/Gemfile", "herculesteam-augeasproviders_sysctl-2.6.2/LICENSE", "herculesteam-augeasproviders_sysctl-2.6.2/README.md", "herculesteam-augeasproviders_sysctl-2.6.2/Rakefile", "herculesteam-augeasproviders_sysctl-2.6.2/lib", "herculesteam-augeasproviders_sysctl-2.6.2/lib/puppet", "herculesteam-augeasproviders_sysctl-2.6.2/lib/puppet/provider", "herculesteam-augeasproviders_sysctl-2.6.2/lib/puppet/provider/sysctl", "herculesteam-augeasproviders_sysctl-2.6.2/lib/puppet/provider/sysctl/augeas.rb", "herculesteam-augeasproviders_sysctl-2.6.2/lib/puppet/type", "herculesteam-augeasproviders_sysctl-2.6.2/lib/puppet/type/sysctl.rb", "herculesteam-augeasproviders_sysctl-2.6.2/metadata.json", "herculesteam-augeasproviders_sysctl-2.6.2/spec", "herculesteam-augeasproviders_sysctl-2.6.2/spec/acceptance", "herculesteam-augeasproviders_sysctl-2.6.2/spec/acceptance/nodesets", "herculesteam-augeasproviders_sysctl-2.6.2/spec/acceptance/nodesets/default.yml", "herculesteam-augeasproviders_sysctl-2.6.2/spec/acceptance/sysctl_spec.rb", "herculesteam-augeasproviders_sysctl-2.6.2/spec/fixtures", "herculesteam-augeasproviders_sysctl-2.6.2/spec/fixtures/unit", "herculesteam-augeasproviders_sysctl-2.6.2/spec/fixtures/unit/puppet", "herculesteam-augeasproviders_sysctl-2.6.2/spec/fixtures/unit/puppet/provider", "herculesteam-augeasproviders_sysctl-2.6.2/spec/fixtures/unit/puppet/provider/sysctl", "herculesteam-augeasproviders_sysctl-2.6.2/spec/fixtures/unit/puppet/provider/sysctl/augeas", "herculesteam-augeasproviders_sysctl-2.6.2/spec/fixtures/unit/puppet/provider/sysctl/augeas/broken", "herculesteam-augeasproviders_sysctl-2.6.2/spec/fixtures/unit/puppet/provider/sysctl/augeas/empty", "herculesteam-augeasproviders_sysctl-2.6.2/spec/fixtures/unit/puppet/provider/sysctl/augeas/full", "herculesteam-augeasproviders_sysctl-2.6.2/spec/fixtures/unit/puppet/provider/sysctl/augeas/small", "herculesteam-augeasproviders_sysctl-2.6.2/spec/spec.opts", 
"herculesteam-augeasproviders_sysctl-2.6.2/spec/spec_helper.rb", "herculesteam-augeasproviders_sysctl-2.6.2/spec/spec_helper_acceptance.rb", "herculesteam-augeasproviders_sysctl-2.6.2/spec/unit", "herculesteam-augeasproviders_sysctl-2.6.2/spec/unit/puppet", "herculesteam-augeasproviders_sysctl-2.6.2/spec/unit/puppet/provider", "herculesteam-augeasproviders_sysctl-2.6.2/spec/unit/puppet/provider/sysctl", "herculesteam-augeasproviders_sysctl-2.6.2/spec/unit/puppet/provider/sysctl/augeas_spec.rb", "herculesteam-augeasproviders_sysctl-2.6.2/spec/unit/puppet/type", "herculesteam-augeasproviders_sysctl-2.6.2/spec/unit/puppet/type/sysctl_spec.rb"] -2022-11-16T21:41:14.460037 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeas -2022-11-16T21:41:14.496236 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-augeasproviders_core-3.2.0 tarball -2022-11-16T21:41:14.496298 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-augeasproviders_core-3.2.0/tarball/puppet-augeasproviders_core-3.2.0.tar.gz matches checksum -2022-11-16T21:41:14.497226 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-augeasproviders_core-3.2.0/tarball/puppet-augeasproviders_core-3.2.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeasproviders_core (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1airu4w/puppet-augeasproviders_core-3.2.0) -2022-11-16T21:41:14.509999 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-augeasproviders_core-3.2.0", "puppet-augeasproviders_core-3.2.0/CHANGELOG.md", "puppet-augeasproviders_core-3.2.0/HISTORY.md", "puppet-augeasproviders_core-3.2.0/LICENSE", "puppet-augeasproviders_core-3.2.0/README.md", "puppet-augeasproviders_core-3.2.0/lib", "puppet-augeasproviders_core-3.2.0/lib/puppet", "puppet-augeasproviders_core-3.2.0/lib/puppet/feature", 
"puppet-augeasproviders_core-3.2.0/lib/puppet/feature/augeas.rb", "puppet-augeasproviders_core-3.2.0/lib/puppet/provider", "puppet-augeasproviders_core-3.2.0/lib/puppet/provider/augeasprovider", "puppet-augeasproviders_core-3.2.0/lib/puppet/provider/augeasprovider/default.rb", "puppet-augeasproviders_core-3.2.0/lib/puppet/type", "puppet-augeasproviders_core-3.2.0/lib/puppet/type/augeasprovider.rb", "puppet-augeasproviders_core-3.2.0/metadata.json"] -2022-11-16T21:41:14.511415 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/alternatives -2022-11-16T21:41:14.545053 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-facts-1.4.0 tarball -2022-11-16T21:41:14.545101 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-facts-1.4.0/tarball/puppetlabs-facts-1.4.0.tar.gz matches checksum -2022-11-16T21:41:14.546128 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-facts-1.4.0/tarball/puppetlabs-facts-1.4.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/facts (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1o09i2z/puppetlabs-facts-1.4.0) -2022-11-16T21:41:14.550688 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of camptocamp-augeas-1.9.0 tarball -2022-11-16T21:41:14.550966 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/camptocamp-augeas-1.9.0/tarball/camptocamp-augeas-1.9.0.tar.gz matches checksum -2022-11-16T21:41:14.553183 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/camptocamp-augeas-1.9.0/tarball/camptocamp-augeas-1.9.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeas (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-138si7i/camptocamp-augeas-1.9.0) -2022-11-16T21:41:14.556011 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-apt-8.5.0 tarball 
-2022-11-16T21:41:14.556320 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-apt-8.5.0/tarball/puppetlabs-apt-8.5.0.tar.gz matches checksum -2022-11-16T21:41:14.559374 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-apt-8.5.0/tarball/puppetlabs-apt-8.5.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/apt (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-lc5n9f/puppetlabs-apt-8.5.0) -2022-11-16T21:41:14.587788 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-alternatives-4.1.0 tarball -2022-11-16T21:41:14.587910 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-alternatives-4.1.0/tarball/puppet-alternatives-4.1.0.tar.gz matches checksum -2022-11-16T21:41:14.589116 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-alternatives-4.1.0/tarball/puppet-alternatives-4.1.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/alternatives (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1eaczy/puppet-alternatives-4.1.0) -2022-11-16T21:41:14.615883 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-alternatives-4.1.0", "puppet-alternatives-4.1.0/CHANGELOG.md", "puppet-alternatives-4.1.0/HISTORY.md", "puppet-alternatives-4.1.0/LICENSE", "puppet-alternatives-4.1.0/README.md", "puppet-alternatives-4.1.0/lib", "puppet-alternatives-4.1.0/lib/puppet", "puppet-alternatives-4.1.0/lib/puppet/provider", "puppet-alternatives-4.1.0/lib/puppet/provider/alternative_entry", "puppet-alternatives-4.1.0/lib/puppet/provider/alternative_entry/chkconfig.rb", "puppet-alternatives-4.1.0/lib/puppet/provider/alternative_entry/dpkg.rb", "puppet-alternatives-4.1.0/lib/puppet/provider/alternatives", "puppet-alternatives-4.1.0/lib/puppet/provider/alternatives/chkconfig.rb", "puppet-alternatives-4.1.0/lib/puppet/provider/alternatives/dpkg.rb", 
"puppet-alternatives-4.1.0/lib/puppet/type", "puppet-alternatives-4.1.0/lib/puppet/type/alternative_entry.rb", "puppet-alternatives-4.1.0/lib/puppet/type/alternatives.rb", "puppet-alternatives-4.1.0/metadata.json"] -2022-11-16T21:41:14.616800 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/firewalld -2022-11-16T21:41:14.650728 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-facts-1.4.0", "puppetlabs-facts-1.4.0/.fixtures.yml", "puppetlabs-facts-1.4.0/.gitattributes", "puppetlabs-facts-1.4.0/.gitignore", "puppetlabs-facts-1.4.0/.pdkignore", "puppetlabs-facts-1.4.0/.pmtignore", "puppetlabs-facts-1.4.0/.rspec", "puppetlabs-facts-1.4.0/.rubocop.yml", "puppetlabs-facts-1.4.0/.rubocop_todo.yml", "puppetlabs-facts-1.4.0/.sync.yml", "puppetlabs-facts-1.4.0/.travis.yml", "puppetlabs-facts-1.4.0/CHANGELOG.md", "puppetlabs-facts-1.4.0/CODEOWNERS", "puppetlabs-facts-1.4.0/CODE_OF_CONDUCT.md", "puppetlabs-facts-1.4.0/CONTRIBUTING.md", "puppetlabs-facts-1.4.0/Gemfile", "puppetlabs-facts-1.4.0/LICENSE", "puppetlabs-facts-1.4.0/README.md", "puppetlabs-facts-1.4.0/Rakefile", "puppetlabs-facts-1.4.0/lib", "puppetlabs-facts-1.4.0/lib/puppet", "puppetlabs-facts-1.4.0/lib/puppet/functions", "puppetlabs-facts-1.4.0/lib/puppet/functions/facts", "puppetlabs-facts-1.4.0/lib/puppet/functions/facts/group_by.rb", "puppetlabs-facts-1.4.0/metadata.json", "puppetlabs-facts-1.4.0/plans", "puppetlabs-facts-1.4.0/plans/external.pp", "puppetlabs-facts-1.4.0/plans/info.pp", "puppetlabs-facts-1.4.0/plans/init.pp", "puppetlabs-facts-1.4.0/spec", "puppetlabs-facts-1.4.0/spec/acceptance", "puppetlabs-facts-1.4.0/spec/acceptance/init_spec.rb", "puppetlabs-facts-1.4.0/spec/acceptance/linux_spec.rb", "puppetlabs-facts-1.4.0/spec/acceptance/nodesets", "puppetlabs-facts-1.4.0/spec/acceptance/nodesets/centos-7-x64.yml", "puppetlabs-facts-1.4.0/spec/acceptance/nodesets/centos7-pooler.yml", 
"puppetlabs-facts-1.4.0/spec/acceptance/nodesets/debian-8-x64.yml", "puppetlabs-facts-1.4.0/spec/acceptance/nodesets/default.yml", "puppetlabs-facts-1.4.0/spec/acceptance/nodesets/docker", "puppetlabs-facts-1.4.0/spec/acceptance/nodesets/docker/centos-7.yml", "puppetlabs-facts-1.4.0/spec/acceptance/nodesets/docker/debian-8.yml", "puppetlabs-facts-1.4.0/spec/acceptance/nodesets/docker/ubuntu-14.04.yml", "puppetlabs-facts-1.4.0/spec/acceptance/nodesets/windows32-pooler.yml", "puppetlabs-facts-1.4.0/spec/acceptance/windows_spec.rb", "puppetlabs-facts-1.4.0/spec/default_facts.yml", "puppetlabs-facts-1.4.0/spec/fixtures", "puppetlabs-facts-1.4.0/spec/fixtures/configs", "puppetlabs-facts-1.4.0/spec/fixtures/configs/empty.yml", "puppetlabs-facts-1.4.0/spec/fixtures/configs/invalid.yml", "puppetlabs-facts-1.4.0/spec/fixtures/configs/puppetdb.yml", "puppetlabs-facts-1.4.0/spec/fixtures/inventory", "puppetlabs-facts-1.4.0/spec/fixtures/inventory/empty.yml", "puppetlabs-facts-1.4.0/spec/fixtures/inventory/invalid.yml", "puppetlabs-facts-1.4.0/spec/fixtures/keys", "puppetlabs-facts-1.4.0/spec/fixtures/keys/id_rsa", "puppetlabs-facts-1.4.0/spec/fixtures/keys/id_rsa.pub", "puppetlabs-facts-1.4.0/spec/fixtures/scripts", "puppetlabs-facts-1.4.0/spec/fixtures/scripts/success.sh", "puppetlabs-facts-1.4.0/spec/functions", "puppetlabs-facts-1.4.0/spec/functions/group_by_spec.rb", "puppetlabs-facts-1.4.0/spec/plans", "puppetlabs-facts-1.4.0/spec/plans/info_spec.rb", "puppetlabs-facts-1.4.0/spec/plans/init_spec.rb", "puppetlabs-facts-1.4.0/spec/spec_helper.rb", "puppetlabs-facts-1.4.0/spec/spec_helper_acceptance.rb", "puppetlabs-facts-1.4.0/tasks", "puppetlabs-facts-1.4.0/tasks/bash.json", "puppetlabs-facts-1.4.0/tasks/bash.sh", "puppetlabs-facts-1.4.0/tasks/init.json", "puppetlabs-facts-1.4.0/tasks/powershell.json", "puppetlabs-facts-1.4.0/tasks/powershell.ps1", "puppetlabs-facts-1.4.0/tasks/ruby.json", "puppetlabs-facts-1.4.0/tasks/ruby.rb"] -2022-11-16T21:41:14.651600 INFO [] 
[Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/kmod -2022-11-16T21:41:14.654308 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["camptocamp-augeas-1.9.0/", "camptocamp-augeas-1.9.0/checksums.json", "camptocamp-augeas-1.9.0/README.md", "camptocamp-augeas-1.9.0/lib/", "camptocamp-augeas-1.9.0/lib/puppet/", "camptocamp-augeas-1.9.0/lib/puppet/functions/", "camptocamp-augeas-1.9.0/lib/puppet/functions/augeas.rb", "camptocamp-augeas-1.9.0/Gemfile", "camptocamp-augeas-1.9.0/data/", "camptocamp-augeas-1.9.0/data/common.yaml", "camptocamp-augeas-1.9.0/Rakefile", "camptocamp-augeas-1.9.0/hiera.yaml", "camptocamp-augeas-1.9.0/spec/", "camptocamp-augeas-1.9.0/spec/functions/", "camptocamp-augeas-1.9.0/spec/functions/augeas_spec.rb", "camptocamp-augeas-1.9.0/spec/spec_helper.rb", "camptocamp-augeas-1.9.0/spec/classes/", "camptocamp-augeas-1.9.0/spec/classes/augeas_spec.rb", "camptocamp-augeas-1.9.0/spec/defines/", "camptocamp-augeas-1.9.0/spec/defines/augeas_lens_spec.rb", "camptocamp-augeas-1.9.0/spec/acceptance/", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-12.04-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-7-x86_64-vagrant.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-16.04.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-6.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/centos-7-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-6-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-14.04-x86_64-openstack.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-15.04.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/centos-7-x86_64-vagrant.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-8-x86_64-vagrant.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-7.yml", 
"camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-14.10.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-15.04-x86_64-openstack.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/centos-6-x86_64-vagrant.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/centos-5.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-14.10-x86_64-openstack.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-7-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-14.10-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-14.04-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/centos-7.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-15.10.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-15.04-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-12.04.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-14.04-x86_64-vagrant.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-8-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-10.04-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/centos-6-x86_64-openstack.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/centos-5-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-8.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-6-x86_64-vagrant.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-7-x86_64-openstack.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-6-x86_64-openstack.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/centos-6.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/centos-7-x86_64-openstack.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-14.04.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/debian-8-x86_64-openstack.yml", 
"camptocamp-augeas-1.9.0/spec/acceptance/nodesets/centos-6-x86_64-docker.yml", "camptocamp-augeas-1.9.0/spec/acceptance/nodesets/ubuntu-12.04-x86_64-openstack.yml", "camptocamp-augeas-1.9.0/spec/spec_helper_local.rb", "camptocamp-augeas-1.9.0/spec/default_facts.yml", "camptocamp-augeas-1.9.0/LICENSE", "camptocamp-augeas-1.9.0/appveyor.yml", "camptocamp-augeas-1.9.0/metadata.json", "camptocamp-augeas-1.9.0/manifests/", "camptocamp-augeas-1.9.0/manifests/packages.pp", "camptocamp-augeas-1.9.0/manifests/init.pp", "camptocamp-augeas-1.9.0/manifests/params.pp", "camptocamp-augeas-1.9.0/manifests/lens.pp", "camptocamp-augeas-1.9.0/manifests/files.pp", "camptocamp-augeas-1.9.0/CHANGELOG.md"] -2022-11-16T21:41:14.654958 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/logrotate -2022-11-16T21:41:14.665345 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-apt-8.5.0", "puppetlabs-apt-8.5.0/.github", "puppetlabs-apt-8.5.0/.github/workflows", "puppetlabs-apt-8.5.0/.github/workflows/auto_release.yml", "puppetlabs-apt-8.5.0/.github/workflows/labeller.yml", "puppetlabs-apt-8.5.0/.github/workflows/nightly.yml", "puppetlabs-apt-8.5.0/.github/workflows/pr_test.yml", "puppetlabs-apt-8.5.0/.github/workflows/release.yml", "puppetlabs-apt-8.5.0/.github/workflows/spec.yml", "puppetlabs-apt-8.5.0/.github/workflows/stale.yml", "puppetlabs-apt-8.5.0/.gitpod.Dockerfile", "puppetlabs-apt-8.5.0/.gitpod.yml", "puppetlabs-apt-8.5.0/.rubocop_todo.yml", "puppetlabs-apt-8.5.0/CHANGELOG.md", "puppetlabs-apt-8.5.0/CODEOWNERS", "puppetlabs-apt-8.5.0/CONTRIBUTING.md", "puppetlabs-apt-8.5.0/HISTORY.md", "puppetlabs-apt-8.5.0/LICENSE", "puppetlabs-apt-8.5.0/MAINTAINERS.md", "puppetlabs-apt-8.5.0/NOTICE", "puppetlabs-apt-8.5.0/README.md", "puppetlabs-apt-8.5.0/REFERENCE.md", "puppetlabs-apt-8.5.0/data", "puppetlabs-apt-8.5.0/data/common.yaml", "puppetlabs-apt-8.5.0/examples", "puppetlabs-apt-8.5.0/examples/backports.pp", 
"puppetlabs-apt-8.5.0/examples/builddep.pp", "puppetlabs-apt-8.5.0/examples/debian_testing.pp", "puppetlabs-apt-8.5.0/examples/debian_unstable.pp", "puppetlabs-apt-8.5.0/examples/disable_keys.pp", "puppetlabs-apt-8.5.0/examples/fancy_progress.pp", "puppetlabs-apt-8.5.0/examples/force.pp", "puppetlabs-apt-8.5.0/examples/hold.pp", "puppetlabs-apt-8.5.0/examples/key.pp", "puppetlabs-apt-8.5.0/examples/pin.pp", "puppetlabs-apt-8.5.0/examples/ppa.pp", "puppetlabs-apt-8.5.0/examples/release.pp", "puppetlabs-apt-8.5.0/examples/source.pp", "puppetlabs-apt-8.5.0/examples/unattended_upgrades.pp", "puppetlabs-apt-8.5.0/hiera.yaml", "puppetlabs-apt-8.5.0/lib", "puppetlabs-apt-8.5.0/lib/facter", "puppetlabs-apt-8.5.0/lib/facter/apt_reboot_required.rb", "puppetlabs-apt-8.5.0/lib/facter/apt_update_last_success.rb", "puppetlabs-apt-8.5.0/lib/facter/apt_updates.rb", "puppetlabs-apt-8.5.0/lib/puppet", "puppetlabs-apt-8.5.0/lib/puppet/provider", "puppetlabs-apt-8.5.0/lib/puppet/provider/apt_key", "puppetlabs-apt-8.5.0/lib/puppet/provider/apt_key/apt_key.rb", "puppetlabs-apt-8.5.0/lib/puppet/type", "puppetlabs-apt-8.5.0/lib/puppet/type/apt_key.rb", "puppetlabs-apt-8.5.0/manifests", "puppetlabs-apt-8.5.0/manifests/backports.pp", "puppetlabs-apt-8.5.0/manifests/conf.pp", "puppetlabs-apt-8.5.0/manifests/init.pp", "puppetlabs-apt-8.5.0/manifests/key.pp", "puppetlabs-apt-8.5.0/manifests/mark.pp", "puppetlabs-apt-8.5.0/manifests/params.pp", "puppetlabs-apt-8.5.0/manifests/pin.pp", "puppetlabs-apt-8.5.0/manifests/ppa.pp", "puppetlabs-apt-8.5.0/manifests/setting.pp", "puppetlabs-apt-8.5.0/manifests/source.pp", "puppetlabs-apt-8.5.0/manifests/update.pp", "puppetlabs-apt-8.5.0/metadata.json", "puppetlabs-apt-8.5.0/pdk.yaml", "puppetlabs-apt-8.5.0/provision.yaml", "puppetlabs-apt-8.5.0/readmes", "puppetlabs-apt-8.5.0/readmes/README_ja_JP.md", "puppetlabs-apt-8.5.0/tasks", "puppetlabs-apt-8.5.0/tasks/init.json", "puppetlabs-apt-8.5.0/tasks/init.rb", "puppetlabs-apt-8.5.0/templates", 
"puppetlabs-apt-8.5.0/templates/15update-stamp.epp", "puppetlabs-apt-8.5.0/templates/_conf_header.epp", "puppetlabs-apt-8.5.0/templates/_header.epp", "puppetlabs-apt-8.5.0/templates/auth_conf.epp", "puppetlabs-apt-8.5.0/templates/pin.pref.epp", "puppetlabs-apt-8.5.0/templates/proxy.epp", "puppetlabs-apt-8.5.0/templates/source.list.epp", "puppetlabs-apt-8.5.0/types", "puppetlabs-apt-8.5.0/types/auth_conf_entry.pp", "puppetlabs-apt-8.5.0/types/proxy.pp", "puppetlabs-apt-8.5.0/types/proxy_per_host.pp"] -2022-11-16T21:41:14.665717 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/postfix -2022-11-16T21:41:14.686313 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-firewalld-4.5.1 tarball -2022-11-16T21:41:14.686376 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-firewalld-4.5.1/tarball/puppet-firewalld-4.5.1.tar.gz matches checksum -2022-11-16T21:41:14.687360 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-firewalld-4.5.1/tarball/puppet-firewalld-4.5.1.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/firewalld (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1j3y90/puppet-firewalld-4.5.1) -2022-11-16T21:41:14.725379 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-kmod-3.2.0 tarball -2022-11-16T21:41:14.725423 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-kmod-3.2.0/tarball/puppet-kmod-3.2.0.tar.gz matches checksum -2022-11-16T21:41:14.726458 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-kmod-3.2.0/tarball/puppet-kmod-3.2.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/kmod (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-10biq2w/puppet-kmod-3.2.0) -2022-11-16T21:41:14.729220 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-logrotate-6.1.0 tarball 
-2022-11-16T21:41:14.729269 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-logrotate-6.1.0/tarball/puppet-logrotate-6.1.0.tar.gz matches checksum -2022-11-16T21:41:14.730213 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-logrotate-6.1.0/tarball/puppet-logrotate-6.1.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/logrotate (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1nxk6ng/puppet-logrotate-6.1.0) -2022-11-16T21:41:14.738043 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-postfix-3.0.0 tarball -2022-11-16T21:41:14.738156 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-postfix-3.0.0/tarball/puppet-postfix-3.0.0.tar.gz matches checksum -2022-11-16T21:41:14.739309 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-postfix-3.0.0/tarball/puppet-postfix-3.0.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/postfix (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-12rigxb/puppet-postfix-3.0.0) -2022-11-16T21:41:14.761339 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-kmod-3.2.0", "puppet-kmod-3.2.0/CHANGELOG.md", "puppet-kmod-3.2.0/HISTORY.md", "puppet-kmod-3.2.0/LICENSE", "puppet-kmod-3.2.0/README.md", "puppet-kmod-3.2.0/REFERENCE.md", "puppet-kmod-3.2.0/hiera.yaml", "puppet-kmod-3.2.0/lib", "puppet-kmod-3.2.0/lib/facter", "puppet-kmod-3.2.0/lib/facter/kmod.rb", "puppet-kmod-3.2.0/manifests", "puppet-kmod-3.2.0/manifests/alias.pp", "puppet-kmod-3.2.0/manifests/blacklist.pp", "puppet-kmod-3.2.0/manifests/init.pp", "puppet-kmod-3.2.0/manifests/install.pp", "puppet-kmod-3.2.0/manifests/load.pp", "puppet-kmod-3.2.0/manifests/option.pp", "puppet-kmod-3.2.0/manifests/setting.pp", "puppet-kmod-3.2.0/metadata.json", "puppet-kmod-3.2.0/templates", "puppet-kmod-3.2.0/templates/redhat.modprobe.erb"] -2022-11-16T21:41:14.762140 
INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/selinux -2022-11-16T21:41:14.777113 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-logrotate-6.1.0", "puppet-logrotate-6.1.0/CHANGELOG.md", "puppet-logrotate-6.1.0/CONTRIBUTORS", "puppet-logrotate-6.1.0/HISTORY.md", "puppet-logrotate-6.1.0/LICENSE", "puppet-logrotate-6.1.0/README.md", "puppet-logrotate-6.1.0/REFERENCE.md", "puppet-logrotate-6.1.0/files", "puppet-logrotate-6.1.0/files/.gitkeep", "puppet-logrotate-6.1.0/manifests", "puppet-logrotate-6.1.0/manifests/conf.pp", "puppet-logrotate-6.1.0/manifests/config.pp", "puppet-logrotate-6.1.0/manifests/cron.pp", "puppet-logrotate-6.1.0/manifests/defaults.pp", "puppet-logrotate-6.1.0/manifests/hourly.pp", "puppet-logrotate-6.1.0/manifests/init.pp", "puppet-logrotate-6.1.0/manifests/install.pp", "puppet-logrotate-6.1.0/manifests/params.pp", "puppet-logrotate-6.1.0/manifests/rule.pp", "puppet-logrotate-6.1.0/manifests/rules.pp", "puppet-logrotate-6.1.0/metadata.json", "puppet-logrotate-6.1.0/templates", "puppet-logrotate-6.1.0/templates/etc", "puppet-logrotate-6.1.0/templates/etc/cron", "puppet-logrotate-6.1.0/templates/etc/cron/logrotate.erb", "puppet-logrotate-6.1.0/templates/etc/logrotate.conf.erb", "puppet-logrotate-6.1.0/templates/etc/logrotate.d", "puppet-logrotate-6.1.0/templates/etc/logrotate.d/rule.erb", "puppet-logrotate-6.1.0/types", "puppet-logrotate-6.1.0/types/commands.pp", "puppet-logrotate-6.1.0/types/every.pp", "puppet-logrotate-6.1.0/types/path.pp", "puppet-logrotate-6.1.0/types/size.pp"] -2022-11-16T21:41:14.777700 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/systemd -2022-11-16T21:41:14.784893 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-firewalld-4.5.1", "puppet-firewalld-4.5.1/CHANGELOG.md", "puppet-firewalld-4.5.1/Gemfile", "puppet-firewalld-4.5.1/HISTORY.md", "puppet-firewalld-4.5.1/LICENSE", 
"puppet-firewalld-4.5.1/README.md", "puppet-firewalld-4.5.1/REFERENCE.md", "puppet-firewalld-4.5.1/Rakefile", "puppet-firewalld-4.5.1/Vagrantfile", "puppet-firewalld-4.5.1/examples", "puppet-firewalld-4.5.1/examples/test.pp", "puppet-firewalld-4.5.1/functions", "puppet-firewalld-4.5.1/functions/safe_filename.pp", "puppet-firewalld-4.5.1/lib", "puppet-firewalld-4.5.1/lib/facter", "puppet-firewalld-4.5.1/lib/facter/firewalld_version.rb", "puppet-firewalld-4.5.1/lib/puppet", "puppet-firewalld-4.5.1/lib/puppet/provider", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld.rb", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_custom_service", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_custom_service/firewall_cmd.rb", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_direct_chain", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_direct_chain/firewall_cmd.rb", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_direct_passthrough", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_direct_passthrough/firewall_cmd.rb", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_direct_purge", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_direct_purge/firewall_cmd.rb", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_direct_rule", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_direct_rule/firewall_cmd.rb", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_ipset", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_ipset/firewall_cmd.rb", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_port", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_port/firewall_cmd.rb", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_rich_rule", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_rich_rule/firewall_cmd.rb", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_service", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_service/firewall_cmd.rb", "puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_zone", 
"puppet-firewalld-4.5.1/lib/puppet/provider/firewalld_zone/firewall_cmd.rb", "puppet-firewalld-4.5.1/lib/puppet/type", "puppet-firewalld-4.5.1/lib/puppet/type/firewalld_custom_service.rb", "puppet-firewalld-4.5.1/lib/puppet/type/firewalld_direct_chain.rb", "puppet-firewalld-4.5.1/lib/puppet/type/firewalld_direct_passthrough.rb", "puppet-firewalld-4.5.1/lib/puppet/type/firewalld_direct_purge.rb", "puppet-firewalld-4.5.1/lib/puppet/type/firewalld_direct_rule.rb", "puppet-firewalld-4.5.1/lib/puppet/type/firewalld_ipset.rb", "puppet-firewalld-4.5.1/lib/puppet/type/firewalld_port.rb", "puppet-firewalld-4.5.1/lib/puppet/type/firewalld_rich_rule.rb", "puppet-firewalld-4.5.1/lib/puppet/type/firewalld_service.rb", "puppet-firewalld-4.5.1/lib/puppet/type/firewalld_zone.rb", "puppet-firewalld-4.5.1/manifests", "puppet-firewalld-4.5.1/manifests/custom_service.pp", "puppet-firewalld-4.5.1/manifests/init.pp", "puppet-firewalld-4.5.1/manifests/reload", "puppet-firewalld-4.5.1/manifests/reload/complete.pp", "puppet-firewalld-4.5.1/manifests/reload.pp", "puppet-firewalld-4.5.1/metadata.json", "puppet-firewalld-4.5.1/rakelib", "puppet-firewalld-4.5.1/rakelib/simp.rake", "puppet-firewalld-4.5.1/spec", "puppet-firewalld-4.5.1/spec/acceptance", "puppet-firewalld-4.5.1/spec/acceptance/nodesets", "puppet-firewalld-4.5.1/spec/acceptance/nodesets/default.yml", "puppet-firewalld-4.5.1/spec/acceptance/suites", "puppet-firewalld-4.5.1/spec/acceptance/suites/default", "puppet-firewalld-4.5.1/spec/acceptance/suites/default/00_default_spec.rb", "puppet-firewalld-4.5.1/spec/classes", "puppet-firewalld-4.5.1/spec/classes/init_spec.rb", "puppet-firewalld-4.5.1/spec/classes/reload", "puppet-firewalld-4.5.1/spec/classes/reload/complete_spec.rb", "puppet-firewalld-4.5.1/spec/classes/reload_spec.rb", "puppet-firewalld-4.5.1/spec/defines", "puppet-firewalld-4.5.1/spec/defines/custom_service_spec.rb", "puppet-firewalld-4.5.1/spec/fixtures", "puppet-firewalld-4.5.1/spec/fixtures/hiera", 
"puppet-firewalld-4.5.1/spec/fixtures/hiera/hiera.yaml", "puppet-firewalld-4.5.1/spec/fixtures/hieradata", "puppet-firewalld-4.5.1/spec/fixtures/hieradata/common.yaml", "puppet-firewalld-4.5.1/spec/functions", "puppet-firewalld-4.5.1/spec/functions/safe_filename_spec.rb", "puppet-firewalld-4.5.1/spec/spec_helper.rb", "puppet-firewalld-4.5.1/spec/spec_helper_acceptance.rb", "puppet-firewalld-4.5.1/spec/unit", "puppet-firewalld-4.5.1/spec/unit/facter", "puppet-firewalld-4.5.1/spec/unit/facter/firewalld_version_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet", "puppet-firewalld-4.5.1/spec/unit/puppet/provider", "puppet-firewalld-4.5.1/spec/unit/puppet/provider/firewalld_custom_service_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/provider/firewalld_ipset_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/provider/firewalld_rich_rule_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/provider/firewalld_zone_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/type", "puppet-firewalld-4.5.1/spec/unit/puppet/type/firewalld_custom_service_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/type/firewalld_direct_chain_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/type/firewalld_direct_passthrough_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/type/firewalld_direct_rule_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/type/firewalld_ipset_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/type/firewalld_port_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/type/firewalld_rich_rule_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/type/firewalld_service_spec.rb", "puppet-firewalld-4.5.1/spec/unit/puppet/type/firewalld_zone_spec.rb"] -2022-11-16T21:41:14.785353 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeas_core -2022-11-16T21:41:14.807844 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-postfix-3.0.0", "puppet-postfix-3.0.0/CHANGELOG.md", "puppet-postfix-3.0.0/HISTORY.md", 
"puppet-postfix-3.0.0/LICENSE", "puppet-postfix-3.0.0/README.md", "puppet-postfix-3.0.0/data", "puppet-postfix-3.0.0/data/common.yaml", "puppet-postfix-3.0.0/data/os", "puppet-postfix-3.0.0/data/os/Alpine.yaml", "puppet-postfix-3.0.0/data/os/FreeBSD.yaml", "puppet-postfix-3.0.0/data/os/Solaris.yaml", "puppet-postfix-3.0.0/data/osfamily", "puppet-postfix-3.0.0/data/osfamily/Debian", "puppet-postfix-3.0.0/data/osfamily/Debian/etch.yaml", "puppet-postfix-3.0.0/data/osfamily/Debian/lenny.yaml", "puppet-postfix-3.0.0/data/osfamily/Debian/sarge.yaml", "puppet-postfix-3.0.0/data/osfamily/Debian.yaml", "puppet-postfix-3.0.0/data/osfamily/RedHat", "puppet-postfix-3.0.0/data/osfamily/RedHat/4.yaml", "puppet-postfix-3.0.0/data/osfamily/RedHat/5.yaml", "puppet-postfix-3.0.0/data/osfamily/RedHat/6.yaml", "puppet-postfix-3.0.0/data/osfamily/RedHat/9.yaml", "puppet-postfix-3.0.0/data/osfamily/RedHat.yaml", "puppet-postfix-3.0.0/data/osfamily/Suse", "puppet-postfix-3.0.0/data/osfamily/Suse/11.yaml", "puppet-postfix-3.0.0/data/osfamily/Suse.yaml", "puppet-postfix-3.0.0/examples", "puppet-postfix-3.0.0/examples/init.pp", "puppet-postfix-3.0.0/files", "puppet-postfix-3.0.0/files/lenses", "puppet-postfix-3.0.0/files/lenses/postfix_canonical.aug", "puppet-postfix-3.0.0/files/lenses/postfix_transport.aug", "puppet-postfix-3.0.0/files/lenses/postfix_virtual.aug", "puppet-postfix-3.0.0/files/lenses/test_postfix_canonical.aug", "puppet-postfix-3.0.0/files/lenses/test_postfix_transport.aug", "puppet-postfix-3.0.0/files/lenses/test_postfix_virtual.aug", "puppet-postfix-3.0.0/files/main.cf", "puppet-postfix-3.0.0/hiera.yaml", "puppet-postfix-3.0.0/manifests", "puppet-postfix-3.0.0/manifests/augeas.pp", "puppet-postfix-3.0.0/manifests/canonical.pp", "puppet-postfix-3.0.0/manifests/conffile.pp", "puppet-postfix-3.0.0/manifests/config.pp", "puppet-postfix-3.0.0/manifests/files.pp", "puppet-postfix-3.0.0/manifests/hash.pp", "puppet-postfix-3.0.0/manifests/init.pp", 
"puppet-postfix-3.0.0/manifests/ldap.pp", "puppet-postfix-3.0.0/manifests/mailalias.pp", "puppet-postfix-3.0.0/manifests/mailman.pp", "puppet-postfix-3.0.0/manifests/map.pp", "puppet-postfix-3.0.0/manifests/mta.pp", "puppet-postfix-3.0.0/manifests/packages.pp", "puppet-postfix-3.0.0/manifests/params.pp", "puppet-postfix-3.0.0/manifests/satellite.pp", "puppet-postfix-3.0.0/manifests/service.pp", "puppet-postfix-3.0.0/manifests/transport.pp", "puppet-postfix-3.0.0/manifests/virtual.pp", "puppet-postfix-3.0.0/metadata.json", "puppet-postfix-3.0.0/templates", "puppet-postfix-3.0.0/templates/conffile.erb", "puppet-postfix-3.0.0/templates/master.cf.FreeBSD.erb", "puppet-postfix-3.0.0/templates/master.cf.SLES11.2.erb", "puppet-postfix-3.0.0/templates/master.cf.SLES11.3.erb", "puppet-postfix-3.0.0/templates/master.cf.SLES11.4.erb", "puppet-postfix-3.0.0/templates/master.cf.SLES12.2.erb", "puppet-postfix-3.0.0/templates/master.cf.SLES12.3.erb", "puppet-postfix-3.0.0/templates/master.cf.Solaris.erb", "puppet-postfix-3.0.0/templates/master.cf.common.erb", "puppet-postfix-3.0.0/templates/master.cf.debian.erb", "puppet-postfix-3.0.0/templates/master.cf.redhat.erb", "puppet-postfix-3.0.0/templates/master.cf.sles.erb", "puppet-postfix-3.0.0/templates/postfix-ldap-aliases.cf.erb"] -2022-11-16T21:41:14.808199 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/concat -2022-11-16T21:41:14.838613 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-selinux-3.4.1 tarball -2022-11-16T21:41:14.838661 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-selinux-3.4.1/tarball/puppet-selinux-3.4.1.tar.gz matches checksum -2022-11-16T21:41:14.839558 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-selinux-3.4.1/tarball/puppet-selinux-3.4.1.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/selinux (with tmpdir 
/var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-v3jerb/puppet-selinux-3.4.1) -2022-11-16T21:41:14.859492 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-systemd-3.10.0 tarball -2022-11-16T21:41:14.859954 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-systemd-3.10.0/tarball/puppet-systemd-3.10.0.tar.gz matches checksum -2022-11-16T21:41:14.863245 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-systemd-3.10.0/tarball/puppet-systemd-3.10.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/systemd (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-svhg40/puppet-systemd-3.10.0) -2022-11-16T21:41:14.863776 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-augeas_core-1.2.0 tarball -2022-11-16T21:41:14.863932 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-augeas_core-1.2.0/tarball/puppetlabs-augeas_core-1.2.0.tar.gz matches checksum -2022-11-16T21:41:14.865096 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-augeas_core-1.2.0/tarball/puppetlabs-augeas_core-1.2.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeas_core (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1ybeilh/puppetlabs-augeas_core-1.2.0) -2022-11-16T21:41:14.894911 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-concat-7.2.0 tarball -2022-11-16T21:41:14.894985 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-concat-7.2.0/tarball/puppetlabs-concat-7.2.0.tar.gz matches checksum -2022-11-16T21:41:14.896065 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-concat-7.2.0/tarball/puppetlabs-concat-7.2.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/concat (with tmpdir 
/var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1qafzkn/puppetlabs-concat-7.2.0) -2022-11-16T21:41:14.914874 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-augeas_core-1.2.0", "puppetlabs-augeas_core-1.2.0/.github", "puppetlabs-augeas_core-1.2.0/.github/workflows", "puppetlabs-augeas_core-1.2.0/.github/workflows/auto_release.yml", "puppetlabs-augeas_core-1.2.0/.github/workflows/daily_unit_tests_with_nightly_puppet_gem.yaml", "puppetlabs-augeas_core-1.2.0/.github/workflows/release.yml", "puppetlabs-augeas_core-1.2.0/.github/workflows/static_code_analysis.yaml", "puppetlabs-augeas_core-1.2.0/.github/workflows/unit_tests_with_nightly_puppet_gem.yaml", "puppetlabs-augeas_core-1.2.0/.github/workflows/unit_tests_with_released_puppet_gem.yaml", "puppetlabs-augeas_core-1.2.0/CHANGELOG.md", "puppetlabs-augeas_core-1.2.0/CODEOWNERS", "puppetlabs-augeas_core-1.2.0/LICENSE", "puppetlabs-augeas_core-1.2.0/README.md", "puppetlabs-augeas_core-1.2.0/REFERENCE.md", "puppetlabs-augeas_core-1.2.0/lib", "puppetlabs-augeas_core-1.2.0/lib/puppet", "puppetlabs-augeas_core-1.2.0/lib/puppet/feature", "puppetlabs-augeas_core-1.2.0/lib/puppet/feature/augeas.rb", "puppetlabs-augeas_core-1.2.0/lib/puppet/provider", "puppetlabs-augeas_core-1.2.0/lib/puppet/provider/augeas", "puppetlabs-augeas_core-1.2.0/lib/puppet/provider/augeas/augeas.rb", "puppetlabs-augeas_core-1.2.0/lib/puppet/type", "puppetlabs-augeas_core-1.2.0/lib/puppet/type/augeas.rb", "puppetlabs-augeas_core-1.2.0/lib/puppet_x", "puppetlabs-augeas_core-1.2.0/lib/puppet_x/augeas", "puppetlabs-augeas_core-1.2.0/lib/puppet_x/augeas/util", "puppetlabs-augeas_core-1.2.0/lib/puppet_x/augeas/util/parser.rb", "puppetlabs-augeas_core-1.2.0/locales", "puppetlabs-augeas_core-1.2.0/locales/config.yaml", "puppetlabs-augeas_core-1.2.0/locales/ja", "puppetlabs-augeas_core-1.2.0/locales/ja/puppetlabs-augeas_core.po", "puppetlabs-augeas_core-1.2.0/locales/puppetlabs-augeas_core.pot", 
"puppetlabs-augeas_core-1.2.0/metadata.json", "puppetlabs-augeas_core-1.2.0/pdk.yaml", "puppetlabs-augeas_core-1.2.0/readmes", "puppetlabs-augeas_core-1.2.0/readmes/README_ja_JP.md"] -2022-11-16T21:41:14.915766 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/firewall -2022-11-16T21:41:14.934497 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-selinux-3.4.1", "puppet-selinux-3.4.1/CHANGELOG.md", "puppet-selinux-3.4.1/LICENSE", "puppet-selinux-3.4.1/README.md", "puppet-selinux-3.4.1/REFERENCE.md", "puppet-selinux-3.4.1/data", "puppet-selinux-3.4.1/data/common.yaml", "puppet-selinux-3.4.1/data/os", "puppet-selinux-3.4.1/data/os/Debian", "puppet-selinux-3.4.1/data/os/Debian/Debian", "puppet-selinux-3.4.1/data/os/Debian/Debian/10.yaml", "puppet-selinux-3.4.1/data/os/Debian.yaml", "puppet-selinux-3.4.1/data/os/RedHat", "puppet-selinux-3.4.1/data/os/RedHat/Amazon.yaml", "puppet-selinux-3.4.1/data/os/RedHat/CentOS", "puppet-selinux-3.4.1/data/os/RedHat/CentOS/5.yaml", "puppet-selinux-3.4.1/data/os/RedHat/CentOS/6.yaml", "puppet-selinux-3.4.1/data/os/RedHat/CentOS/7.yaml", "puppet-selinux-3.4.1/data/os/RedHat/OracleLinux", "puppet-selinux-3.4.1/data/os/RedHat/OracleLinux/5.yaml", "puppet-selinux-3.4.1/data/os/RedHat/OracleLinux/6.yaml", "puppet-selinux-3.4.1/data/os/RedHat/OracleLinux/7.yaml", "puppet-selinux-3.4.1/data/os/RedHat/RedHat", "puppet-selinux-3.4.1/data/os/RedHat/RedHat/5.yaml", "puppet-selinux-3.4.1/data/os/RedHat/RedHat/6.yaml", "puppet-selinux-3.4.1/data/os/RedHat/RedHat/7.yaml", "puppet-selinux-3.4.1/data/os/RedHat/Scientific", "puppet-selinux-3.4.1/data/os/RedHat/Scientific/5.yaml", "puppet-selinux-3.4.1/data/os/RedHat/Scientific/6.yaml", "puppet-selinux-3.4.1/data/os/RedHat/Scientific/7.yaml", "puppet-selinux-3.4.1/data/os/RedHat.yaml", "puppet-selinux-3.4.1/examples", "puppet-selinux-3.4.1/examples/disable.pp", "puppet-selinux-3.4.1/examples/enable.pp", 
"puppet-selinux-3.4.1/examples/enable_and_targeted.pp", "puppet-selinux-3.4.1/examples/fcontext.pp", "puppet-selinux-3.4.1/examples/fcontext_equals.pp", "puppet-selinux-3.4.1/examples/minimal.pp", "puppet-selinux-3.4.1/examples/mls.pp", "puppet-selinux-3.4.1/examples/module.pp", "puppet-selinux-3.4.1/examples/targeted.pp", "puppet-selinux-3.4.1/files", "puppet-selinux-3.4.1/files/selinux_build_module_simple.sh", "puppet-selinux-3.4.1/hiera.yaml", "puppet-selinux-3.4.1/lib", "puppet-selinux-3.4.1/lib/facter", "puppet-selinux-3.4.1/lib/facter/selinux_python_command.rb", "puppet-selinux-3.4.1/lib/puppet", "puppet-selinux-3.4.1/lib/puppet/provider", "puppet-selinux-3.4.1/lib/puppet/provider/selinux_fcontext", "puppet-selinux-3.4.1/lib/puppet/provider/selinux_fcontext/semanage.rb", "puppet-selinux-3.4.1/lib/puppet/provider/selinux_fcontext_equivalence", "puppet-selinux-3.4.1/lib/puppet/provider/selinux_fcontext_equivalence/semanage.rb", "puppet-selinux-3.4.1/lib/puppet/provider/selinux_permissive", "puppet-selinux-3.4.1/lib/puppet/provider/selinux_permissive/semanage.rb", "puppet-selinux-3.4.1/lib/puppet/provider/selinux_port", "puppet-selinux-3.4.1/lib/puppet/provider/selinux_port/semanage.rb", "puppet-selinux-3.4.1/lib/puppet/type", "puppet-selinux-3.4.1/lib/puppet/type/selinux_fcontext.rb", "puppet-selinux-3.4.1/lib/puppet/type/selinux_fcontext_equivalence.rb", "puppet-selinux-3.4.1/lib/puppet/type/selinux_permissive.rb", "puppet-selinux-3.4.1/lib/puppet/type/selinux_port.rb", "puppet-selinux-3.4.1/lib/puppet_x", "puppet-selinux-3.4.1/lib/puppet_x/voxpupuli", "puppet-selinux-3.4.1/lib/puppet_x/voxpupuli/selinux", "puppet-selinux-3.4.1/lib/puppet_x/voxpupuli/selinux/semanage_ports.py", "puppet-selinux-3.4.1/manifests", "puppet-selinux-3.4.1/manifests/boolean.pp", "puppet-selinux-3.4.1/manifests/build.pp", "puppet-selinux-3.4.1/manifests/config.pp", "puppet-selinux-3.4.1/manifests/exec_restorecon.pp", "puppet-selinux-3.4.1/manifests/fcontext", 
"puppet-selinux-3.4.1/manifests/fcontext/equivalence.pp", "puppet-selinux-3.4.1/manifests/fcontext.pp", "puppet-selinux-3.4.1/manifests/init.pp", "puppet-selinux-3.4.1/manifests/module.pp", "puppet-selinux-3.4.1/manifests/package.pp", "puppet-selinux-3.4.1/manifests/permissive.pp", "puppet-selinux-3.4.1/manifests/port.pp", "puppet-selinux-3.4.1/manifests/refpolicy_package.pp", "puppet-selinux-3.4.1/metadata.json", "puppet-selinux-3.4.1/test-acceptance-with-vagrant"] -2022-11-16T21:41:14.935572 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/inifile -2022-11-16T21:41:14.946038 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-concat-7.2.0", "puppetlabs-concat-7.2.0/.github", "puppetlabs-concat-7.2.0/.github/workflows", "puppetlabs-concat-7.2.0/.github/workflows/auto_release.yml", "puppetlabs-concat-7.2.0/.github/workflows/labeller.yml", "puppetlabs-concat-7.2.0/.github/workflows/nightly.yml", "puppetlabs-concat-7.2.0/.github/workflows/pr_test.yml", "puppetlabs-concat-7.2.0/.github/workflows/release.yml", "puppetlabs-concat-7.2.0/.github/workflows/spec.yml", "puppetlabs-concat-7.2.0/.github/workflows/stale.yml", "puppetlabs-concat-7.2.0/.gitpod.Dockerfile", "puppetlabs-concat-7.2.0/.gitpod.yml", "puppetlabs-concat-7.2.0/CHANGELOG.md", "puppetlabs-concat-7.2.0/CODEOWNERS", "puppetlabs-concat-7.2.0/CONTRIBUTING.md", "puppetlabs-concat-7.2.0/HISTORY.md", "puppetlabs-concat-7.2.0/LICENSE", "puppetlabs-concat-7.2.0/NOTICE", "puppetlabs-concat-7.2.0/README.md", "puppetlabs-concat-7.2.0/REFERENCE.md", "puppetlabs-concat-7.2.0/data", "puppetlabs-concat-7.2.0/data/common.yaml", "puppetlabs-concat-7.2.0/examples", "puppetlabs-concat-7.2.0/examples/format.pp", "puppetlabs-concat-7.2.0/examples/fragment.pp", "puppetlabs-concat-7.2.0/examples/init.pp", "puppetlabs-concat-7.2.0/hiera.yaml", "puppetlabs-concat-7.2.0/lib", "puppetlabs-concat-7.2.0/lib/puppet", "puppetlabs-concat-7.2.0/lib/puppet/type", 
"puppetlabs-concat-7.2.0/lib/puppet/type/concat_file.rb", "puppetlabs-concat-7.2.0/lib/puppet/type/concat_fragment.rb", "puppetlabs-concat-7.2.0/manifests", "puppetlabs-concat-7.2.0/manifests/fragment.pp", "puppetlabs-concat-7.2.0/manifests/init.pp", "puppetlabs-concat-7.2.0/metadata.json", "puppetlabs-concat-7.2.0/provision.yaml", "puppetlabs-concat-7.2.0/readmes", "puppetlabs-concat-7.2.0/readmes/README_ja_JP.md"] -2022-11-16T21:41:14.946548 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/mailalias_core -2022-11-16T21:41:14.956063 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-systemd-3.10.0", "puppet-systemd-3.10.0/CHANGELOG.md", "puppet-systemd-3.10.0/HISTORY.md", "puppet-systemd-3.10.0/LICENSE", "puppet-systemd-3.10.0/README.md", "puppet-systemd-3.10.0/REFERENCE.md", "puppet-systemd-3.10.0/data", "puppet-systemd-3.10.0/data/Archlinux.yaml", "puppet-systemd-3.10.0/data/Debian-10.yaml", "puppet-systemd-3.10.0/data/Debian-11.yaml", "puppet-systemd-3.10.0/data/Debian-8.yaml", "puppet-systemd-3.10.0/data/Debian-9.yaml", "puppet-systemd-3.10.0/data/Fedora.yaml", "puppet-systemd-3.10.0/data/Gentoo.yaml", "puppet-systemd-3.10.0/data/RedHat-7.yaml", "puppet-systemd-3.10.0/data/RedHat-8.yaml", "puppet-systemd-3.10.0/data/RedHat-9.yaml", "puppet-systemd-3.10.0/data/SLES-12.yaml", "puppet-systemd-3.10.0/data/SLES-15.yaml", "puppet-systemd-3.10.0/data/Ubuntu-16.04.yaml", "puppet-systemd-3.10.0/data/Ubuntu-18.04.yaml", "puppet-systemd-3.10.0/data/Ubuntu-20.04.yaml", "puppet-systemd-3.10.0/data/VirtuozzoLinux-7.yaml", "puppet-systemd-3.10.0/functions", "puppet-systemd-3.10.0/functions/escape.pp", "puppet-systemd-3.10.0/hiera.yaml", "puppet-systemd-3.10.0/lib", "puppet-systemd-3.10.0/lib/facter", "puppet-systemd-3.10.0/lib/facter/systemd.rb", "puppet-systemd-3.10.0/lib/puppet", "puppet-systemd-3.10.0/lib/puppet/functions", "puppet-systemd-3.10.0/lib/puppet/functions/systemd", 
"puppet-systemd-3.10.0/lib/puppet/functions/systemd/systemd_escape.rb", "puppet-systemd-3.10.0/lib/puppet/provider", "puppet-systemd-3.10.0/lib/puppet/provider/loginctl_user", "puppet-systemd-3.10.0/lib/puppet/provider/loginctl_user/ruby.rb", "puppet-systemd-3.10.0/lib/puppet/type", "puppet-systemd-3.10.0/lib/puppet/type/loginctl_user.rb", "puppet-systemd-3.10.0/manifests", "puppet-systemd-3.10.0/manifests/coredump.pp", "puppet-systemd-3.10.0/manifests/daemon_reload.pp", "puppet-systemd-3.10.0/manifests/dropin_file.pp", "puppet-systemd-3.10.0/manifests/init.pp", "puppet-systemd-3.10.0/manifests/install.pp", "puppet-systemd-3.10.0/manifests/journald.pp", "puppet-systemd-3.10.0/manifests/logind.pp", "puppet-systemd-3.10.0/manifests/machine_info.pp", "puppet-systemd-3.10.0/manifests/modules_load.pp", "puppet-systemd-3.10.0/manifests/modules_loads.pp", "puppet-systemd-3.10.0/manifests/network.pp", "puppet-systemd-3.10.0/manifests/networkd.pp", "puppet-systemd-3.10.0/manifests/oomd.pp", "puppet-systemd-3.10.0/manifests/resolved.pp", "puppet-systemd-3.10.0/manifests/service_limits.pp", "puppet-systemd-3.10.0/manifests/system.pp", "puppet-systemd-3.10.0/manifests/timer.pp", "puppet-systemd-3.10.0/manifests/timesyncd.pp", "puppet-systemd-3.10.0/manifests/tmpfile.pp", "puppet-systemd-3.10.0/manifests/tmpfiles.pp", "puppet-systemd-3.10.0/manifests/udev", "puppet-systemd-3.10.0/manifests/udev/rule.pp", "puppet-systemd-3.10.0/manifests/udevd.pp", "puppet-systemd-3.10.0/manifests/unit_file.pp", "puppet-systemd-3.10.0/metadata.json", "puppet-systemd-3.10.0/templates", "puppet-systemd-3.10.0/templates/limits.erb", "puppet-systemd-3.10.0/templates/udev_conf.epp", "puppet-systemd-3.10.0/templates/udev_rule.epp", "puppet-systemd-3.10.0/types", "puppet-systemd-3.10.0/types/coredumpsettings.pp", "puppet-systemd-3.10.0/types/dropin.pp", "puppet-systemd-3.10.0/types/journaldsettings", "puppet-systemd-3.10.0/types/journaldsettings/ensure.pp", 
"puppet-systemd-3.10.0/types/journaldsettings.pp", "puppet-systemd-3.10.0/types/logindsettings", "puppet-systemd-3.10.0/types/logindsettings/ensure.pp", "puppet-systemd-3.10.0/types/logindsettings.pp", "puppet-systemd-3.10.0/types/machineinfosettings.pp", "puppet-systemd-3.10.0/types/oomdsettings.pp", "puppet-systemd-3.10.0/types/servicelimits.pp", "puppet-systemd-3.10.0/types/unit.pp"] -2022-11-16T21:41:14.956482 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/ntp -2022-11-16T21:41:15.008022 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-firewall-3.5.0 tarball -2022-11-16T21:41:15.008083 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-firewall-3.5.0/tarball/puppetlabs-firewall-3.5.0.tar.gz matches checksum -2022-11-16T21:41:15.011781 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-firewall-3.5.0/tarball/puppetlabs-firewall-3.5.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/firewall (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1jnpm6h/puppetlabs-firewall-3.5.0) -2022-11-16T21:41:15.012498 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-inifile-5.3.0 tarball -2022-11-16T21:41:15.012694 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-inifile-5.3.0/tarball/puppetlabs-inifile-5.3.0.tar.gz matches checksum -2022-11-16T21:41:15.013689 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-inifile-5.3.0/tarball/puppetlabs-inifile-5.3.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/inifile (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-14mnu1r/puppetlabs-inifile-5.3.0) -2022-11-16T21:41:15.020009 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-mailalias_core-1.1.0 tarball -2022-11-16T21:41:15.020147 DEBUG [] 
[Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-mailalias_core-1.1.0/tarball/puppetlabs-mailalias_core-1.1.0.tar.gz matches checksum -2022-11-16T21:41:15.021243 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-mailalias_core-1.1.0/tarball/puppetlabs-mailalias_core-1.1.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/mailalias_core (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-17unnup/puppetlabs-mailalias_core-1.1.0) -2022-11-16T21:41:15.040487 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-ntp-9.1.1 tarball -2022-11-16T21:41:15.040568 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-ntp-9.1.1/tarball/puppetlabs-ntp-9.1.1.tar.gz matches checksum -2022-11-16T21:41:15.041954 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-ntp-9.1.1/tarball/puppetlabs-ntp-9.1.1.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/ntp (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1twts21/puppetlabs-ntp-9.1.1) -2022-11-16T21:41:15.065322 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-mailalias_core-1.1.0", "puppetlabs-mailalias_core-1.1.0/.github", "puppetlabs-mailalias_core-1.1.0/.github/workflows", "puppetlabs-mailalias_core-1.1.0/.github/workflows/auto_release.yml", "puppetlabs-mailalias_core-1.1.0/.github/workflows/daily_unit_tests_with_nightly_puppet_gem.yaml", "puppetlabs-mailalias_core-1.1.0/.github/workflows/release.yml", "puppetlabs-mailalias_core-1.1.0/.github/workflows/static_code_analysis.yaml", "puppetlabs-mailalias_core-1.1.0/.github/workflows/unit_tests_with_nightly_puppet_gem.yaml", "puppetlabs-mailalias_core-1.1.0/.github/workflows/unit_tests_with_released_puppet_gem.yaml", "puppetlabs-mailalias_core-1.1.0/CHANGELOG.md", "puppetlabs-mailalias_core-1.1.0/CODEOWNERS", 
"puppetlabs-mailalias_core-1.1.0/LICENSE", "puppetlabs-mailalias_core-1.1.0/README.md", "puppetlabs-mailalias_core-1.1.0/REFERENCE.md", "puppetlabs-mailalias_core-1.1.0/data", "puppetlabs-mailalias_core-1.1.0/data/common.yaml", "puppetlabs-mailalias_core-1.1.0/hiera.yaml", "puppetlabs-mailalias_core-1.1.0/lib", "puppetlabs-mailalias_core-1.1.0/lib/puppet", "puppetlabs-mailalias_core-1.1.0/lib/puppet/provider", "puppetlabs-mailalias_core-1.1.0/lib/puppet/provider/mailalias", "puppetlabs-mailalias_core-1.1.0/lib/puppet/provider/mailalias/aliases.rb", "puppetlabs-mailalias_core-1.1.0/lib/puppet/type", "puppetlabs-mailalias_core-1.1.0/lib/puppet/type/mailalias.rb", "puppetlabs-mailalias_core-1.1.0/locales", "puppetlabs-mailalias_core-1.1.0/locales/config.yaml", "puppetlabs-mailalias_core-1.1.0/locales/puppetlabs-mailalias_core.pot", "puppetlabs-mailalias_core-1.1.0/metadata.json", "puppetlabs-mailalias_core-1.1.0/pdk.yaml"] -2022-11-16T21:41:15.066315 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent -2022-11-16T21:41:15.085038 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-inifile-5.3.0", "puppetlabs-inifile-5.3.0/.github", "puppetlabs-inifile-5.3.0/.github/workflows", "puppetlabs-inifile-5.3.0/.github/workflows/auto_release.yml", "puppetlabs-inifile-5.3.0/.github/workflows/labeller.yml", "puppetlabs-inifile-5.3.0/.github/workflows/nightly.yml", "puppetlabs-inifile-5.3.0/.github/workflows/pr_test.yml", "puppetlabs-inifile-5.3.0/.github/workflows/release.yml", "puppetlabs-inifile-5.3.0/.github/workflows/spec.yml", "puppetlabs-inifile-5.3.0/.github/workflows/stale.yml", "puppetlabs-inifile-5.3.0/.gitpod.Dockerfile", "puppetlabs-inifile-5.3.0/.gitpod.yml", "puppetlabs-inifile-5.3.0/CHANGELOG.md", "puppetlabs-inifile-5.3.0/CODEOWNERS", "puppetlabs-inifile-5.3.0/CONTRIBUTING.md", "puppetlabs-inifile-5.3.0/HISTORY.md", "puppetlabs-inifile-5.3.0/LICENSE", "puppetlabs-inifile-5.3.0/NOTICE", 
"puppetlabs-inifile-5.3.0/README.md", "puppetlabs-inifile-5.3.0/REFERENCE.md", "puppetlabs-inifile-5.3.0/data", "puppetlabs-inifile-5.3.0/data/common.yaml", "puppetlabs-inifile-5.3.0/examples", "puppetlabs-inifile-5.3.0/examples/ini_setting.pp", "puppetlabs-inifile-5.3.0/examples/ini_subsetting.pp", "puppetlabs-inifile-5.3.0/hiera.yaml", "puppetlabs-inifile-5.3.0/lib", "puppetlabs-inifile-5.3.0/lib/puppet", "puppetlabs-inifile-5.3.0/lib/puppet/functions", "puppetlabs-inifile-5.3.0/lib/puppet/functions/create_ini_settings.rb", "puppetlabs-inifile-5.3.0/lib/puppet/functions/inifile", "puppetlabs-inifile-5.3.0/lib/puppet/functions/inifile/create_ini_settings.rb", "puppetlabs-inifile-5.3.0/lib/puppet/provider", "puppetlabs-inifile-5.3.0/lib/puppet/provider/ini_setting", "puppetlabs-inifile-5.3.0/lib/puppet/provider/ini_setting/ruby.rb", "puppetlabs-inifile-5.3.0/lib/puppet/provider/ini_subsetting", "puppetlabs-inifile-5.3.0/lib/puppet/provider/ini_subsetting/ruby.rb", "puppetlabs-inifile-5.3.0/lib/puppet/type", "puppetlabs-inifile-5.3.0/lib/puppet/type/ini_setting.rb", "puppetlabs-inifile-5.3.0/lib/puppet/type/ini_subsetting.rb", "puppetlabs-inifile-5.3.0/lib/puppet/util", "puppetlabs-inifile-5.3.0/lib/puppet/util/external_iterator.rb", "puppetlabs-inifile-5.3.0/lib/puppet/util/ini_file", "puppetlabs-inifile-5.3.0/lib/puppet/util/ini_file/section.rb", "puppetlabs-inifile-5.3.0/lib/puppet/util/ini_file.rb", "puppetlabs-inifile-5.3.0/lib/puppet/util/setting_value.rb", "puppetlabs-inifile-5.3.0/metadata.json", "puppetlabs-inifile-5.3.0/pdk.yaml", "puppetlabs-inifile-5.3.0/provision.yaml"] -2022-11-16T21:41:15.085892 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/reboot -2022-11-16T21:41:15.098244 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-firewall-3.5.0", "puppetlabs-firewall-3.5.0/.github", "puppetlabs-firewall-3.5.0/.github/workflows", 
"puppetlabs-firewall-3.5.0/.github/workflows/auto_release.yml", "puppetlabs-firewall-3.5.0/.github/workflows/labeller.yml", "puppetlabs-firewall-3.5.0/.github/workflows/nightly.yml", "puppetlabs-firewall-3.5.0/.github/workflows/pr_test.yml", "puppetlabs-firewall-3.5.0/.github/workflows/release.yml", "puppetlabs-firewall-3.5.0/.github/workflows/spec.yml", "puppetlabs-firewall-3.5.0/.github/workflows/stale.yml", "puppetlabs-firewall-3.5.0/.gitpod.Dockerfile", "puppetlabs-firewall-3.5.0/.gitpod.yml", "puppetlabs-firewall-3.5.0/.nodeset.yml", "puppetlabs-firewall-3.5.0/CHANGELOG.md", "puppetlabs-firewall-3.5.0/CODEOWNERS", "puppetlabs-firewall-3.5.0/CONTRIBUTING.md", "puppetlabs-firewall-3.5.0/HISTORY.md", "puppetlabs-firewall-3.5.0/LICENSE", "puppetlabs-firewall-3.5.0/NOTICE", "puppetlabs-firewall-3.5.0/README.md", "puppetlabs-firewall-3.5.0/REFERENCE.md", "puppetlabs-firewall-3.5.0/data", "puppetlabs-firewall-3.5.0/data/common.yaml", "puppetlabs-firewall-3.5.0/hiera.yaml", "puppetlabs-firewall-3.5.0/lib", "puppetlabs-firewall-3.5.0/lib/facter", "puppetlabs-firewall-3.5.0/lib/facter/ip6tables_version.rb", "puppetlabs-firewall-3.5.0/lib/facter/iptables_persistent_version.rb", "puppetlabs-firewall-3.5.0/lib/facter/iptables_version.rb", "puppetlabs-firewall-3.5.0/lib/puppet", "puppetlabs-firewall-3.5.0/lib/puppet/provider", "puppetlabs-firewall-3.5.0/lib/puppet/provider/firewall", "puppetlabs-firewall-3.5.0/lib/puppet/provider/firewall/ip6tables.rb", "puppetlabs-firewall-3.5.0/lib/puppet/provider/firewall/iptables.rb", "puppetlabs-firewall-3.5.0/lib/puppet/provider/firewall.rb", "puppetlabs-firewall-3.5.0/lib/puppet/provider/firewallchain", "puppetlabs-firewall-3.5.0/lib/puppet/provider/firewallchain/iptables_chain.rb", "puppetlabs-firewall-3.5.0/lib/puppet/type", "puppetlabs-firewall-3.5.0/lib/puppet/type/firewall.rb", "puppetlabs-firewall-3.5.0/lib/puppet/type/firewallchain.rb", "puppetlabs-firewall-3.5.0/lib/puppet/util", 
"puppetlabs-firewall-3.5.0/lib/puppet/util/firewall.rb", "puppetlabs-firewall-3.5.0/lib/puppet/util/ipcidr.rb", "puppetlabs-firewall-3.5.0/manifests", "puppetlabs-firewall-3.5.0/manifests/init.pp", "puppetlabs-firewall-3.5.0/manifests/linux", "puppetlabs-firewall-3.5.0/manifests/linux/archlinux.pp", "puppetlabs-firewall-3.5.0/manifests/linux/debian.pp", "puppetlabs-firewall-3.5.0/manifests/linux/gentoo.pp", "puppetlabs-firewall-3.5.0/manifests/linux/redhat.pp", "puppetlabs-firewall-3.5.0/manifests/linux.pp", "puppetlabs-firewall-3.5.0/manifests/params.pp", "puppetlabs-firewall-3.5.0/metadata.json", "puppetlabs-firewall-3.5.0/pdk.yaml", "puppetlabs-firewall-3.5.0/provision.yaml"] -2022-11-16T21:41:15.098763 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/stdlib -2022-11-16T21:41:15.115386 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-ntp-9.1.1", "puppetlabs-ntp-9.1.1/.github", "puppetlabs-ntp-9.1.1/.github/workflows", "puppetlabs-ntp-9.1.1/.github/workflows/auto_release.yml", "puppetlabs-ntp-9.1.1/.github/workflows/integration_test.yml", "puppetlabs-ntp-9.1.1/.github/workflows/labeller.yml", "puppetlabs-ntp-9.1.1/.github/workflows/nightly.yml", "puppetlabs-ntp-9.1.1/.github/workflows/pr_test.yml", "puppetlabs-ntp-9.1.1/.github/workflows/release.yml", "puppetlabs-ntp-9.1.1/.github/workflows/spec.yml", "puppetlabs-ntp-9.1.1/.github/workflows/stale.yml", "puppetlabs-ntp-9.1.1/.gitpod.Dockerfile", "puppetlabs-ntp-9.1.1/.gitpod.yml", "puppetlabs-ntp-9.1.1/.rubocop_todo.yml", "puppetlabs-ntp-9.1.1/CHANGELOG.md", "puppetlabs-ntp-9.1.1/CODEOWNERS", "puppetlabs-ntp-9.1.1/CONTRIBUTING.md", "puppetlabs-ntp-9.1.1/HISTORY.md", "puppetlabs-ntp-9.1.1/LICENSE", "puppetlabs-ntp-9.1.1/NOTICE", "puppetlabs-ntp-9.1.1/README.md", "puppetlabs-ntp-9.1.1/REFERENCE.md", "puppetlabs-ntp-9.1.1/data", "puppetlabs-ntp-9.1.1/data/AIX-family.yaml", "puppetlabs-ntp-9.1.1/data/Amazon.yaml", 
"puppetlabs-ntp-9.1.1/data/Archlinux-family.yaml", "puppetlabs-ntp-9.1.1/data/Debian-family.yaml", "puppetlabs-ntp-9.1.1/data/Fedora.yaml", "puppetlabs-ntp-9.1.1/data/FreeBSD-family.yaml", "puppetlabs-ntp-9.1.1/data/Gentoo-family.yaml", "puppetlabs-ntp-9.1.1/data/OpenSuSE.yaml", "puppetlabs-ntp-9.1.1/data/RedHat-family.yaml", "puppetlabs-ntp-9.1.1/data/SLES-10.yaml", "puppetlabs-ntp-9.1.1/data/SLES-12.yaml", "puppetlabs-ntp-9.1.1/data/SLES-15.yaml", "puppetlabs-ntp-9.1.1/data/Solaris-10.yaml", "puppetlabs-ntp-9.1.1/data/Solaris-11.yaml", "puppetlabs-ntp-9.1.1/data/Solaris-family.yaml", "puppetlabs-ntp-9.1.1/data/Suse-family.yaml", "puppetlabs-ntp-9.1.1/data/common.yaml", "puppetlabs-ntp-9.1.1/examples", "puppetlabs-ntp-9.1.1/examples/init.pp", "puppetlabs-ntp-9.1.1/hiera.yaml", "puppetlabs-ntp-9.1.1/manifests", "puppetlabs-ntp-9.1.1/manifests/config.pp", "puppetlabs-ntp-9.1.1/manifests/init.pp", "puppetlabs-ntp-9.1.1/manifests/install.pp", "puppetlabs-ntp-9.1.1/manifests/service.pp", "puppetlabs-ntp-9.1.1/metadata.json", "puppetlabs-ntp-9.1.1/pdk.yaml", "puppetlabs-ntp-9.1.1/plans", "puppetlabs-ntp-9.1.1/plans/acceptance", "puppetlabs-ntp-9.1.1/plans/acceptance/pe_agent.pp", "puppetlabs-ntp-9.1.1/plans/acceptance/pe_server.pp", "puppetlabs-ntp-9.1.1/plans/acceptance/provision_integration.pp", "puppetlabs-ntp-9.1.1/provision.yaml", "puppetlabs-ntp-9.1.1/readmes", "puppetlabs-ntp-9.1.1/readmes/README_ja_JP.md", "puppetlabs-ntp-9.1.1/templates", "puppetlabs-ntp-9.1.1/templates/keys.epp", "puppetlabs-ntp-9.1.1/templates/ntp.conf.epp", "puppetlabs-ntp-9.1.1/templates/step-tickers.epp", "puppetlabs-ntp-9.1.1/types", "puppetlabs-ntp-9.1.1/types/key_id.pp", "puppetlabs-ntp-9.1.1/types/poll_interval.pp"] -2022-11-16T21:41:15.115729 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/auditd -2022-11-16T21:41:15.142999 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-puppet_agent-4.12.1 tarball 
-2022-11-16T21:41:15.143044 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-puppet_agent-4.12.1/tarball/puppetlabs-puppet_agent-4.12.1.tar.gz matches checksum -2022-11-16T21:41:15.144273 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-puppet_agent-4.12.1/tarball/puppetlabs-puppet_agent-4.12.1.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/puppet_agent (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-pkjnmc/puppetlabs-puppet_agent-4.12.1) -2022-11-16T21:41:15.164022 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-reboot-4.2.0 tarball -2022-11-16T21:41:15.164081 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-reboot-4.2.0/tarball/puppetlabs-reboot-4.2.0.tar.gz matches checksum -2022-11-16T21:41:15.164970 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-reboot-4.2.0/tarball/puppetlabs-reboot-4.2.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/reboot (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1orkicj/puppetlabs-reboot-4.2.0) -2022-11-16T21:41:15.208523 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-stdlib-6.6.0 tarball -2022-11-16T21:41:15.208613 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-stdlib-6.6.0/tarball/puppetlabs-stdlib-6.6.0.tar.gz matches checksum -2022-11-16T21:41:15.210697 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-stdlib-6.6.0/tarball/puppetlabs-stdlib-6.6.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/stdlib (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-mqni9w/puppetlabs-stdlib-6.6.0) -2022-11-16T21:41:15.220777 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-reboot-4.2.0", "puppetlabs-reboot-4.2.0/.github", 
"puppetlabs-reboot-4.2.0/.github/pull_request_template.md", "puppetlabs-reboot-4.2.0/.github/workflows", "puppetlabs-reboot-4.2.0/.github/workflows/auto_release.yml", "puppetlabs-reboot-4.2.0/.github/workflows/labeller.yml", "puppetlabs-reboot-4.2.0/.github/workflows/nightly.yml", "puppetlabs-reboot-4.2.0/.github/workflows/pr_test.yml", "puppetlabs-reboot-4.2.0/.github/workflows/release.yml", "puppetlabs-reboot-4.2.0/.github/workflows/spec.yml", "puppetlabs-reboot-4.2.0/.github/workflows/stale.yml", "puppetlabs-reboot-4.2.0/.gitpod.Dockerfile", "puppetlabs-reboot-4.2.0/.gitpod.yml", "puppetlabs-reboot-4.2.0/CHANGELOG.md", "puppetlabs-reboot-4.2.0/CODEOWNERS", "puppetlabs-reboot-4.2.0/CONTRIBUTING.md", "puppetlabs-reboot-4.2.0/HISTORY.md", "puppetlabs-reboot-4.2.0/LICENSE", "puppetlabs-reboot-4.2.0/NOTICE", "puppetlabs-reboot-4.2.0/README.md", "puppetlabs-reboot-4.2.0/REFERENCE.md", "puppetlabs-reboot-4.2.0/data", "puppetlabs-reboot-4.2.0/data/common.yaml", "puppetlabs-reboot-4.2.0/examples", "puppetlabs-reboot-4.2.0/examples/sample.pp", "puppetlabs-reboot-4.2.0/hiera.yaml", "puppetlabs-reboot-4.2.0/lib", "puppetlabs-reboot-4.2.0/lib/puppet", "puppetlabs-reboot-4.2.0/lib/puppet/provider", "puppetlabs-reboot-4.2.0/lib/puppet/provider/reboot", "puppetlabs-reboot-4.2.0/lib/puppet/provider/reboot/linux.rb", "puppetlabs-reboot-4.2.0/lib/puppet/provider/reboot/posix.rb", "puppetlabs-reboot-4.2.0/lib/puppet/provider/reboot/windows.rb", "puppetlabs-reboot-4.2.0/lib/puppet/type", "puppetlabs-reboot-4.2.0/lib/puppet/type/reboot.rb", "puppetlabs-reboot-4.2.0/metadata.json", "puppetlabs-reboot-4.2.0/pdk.yaml", "puppetlabs-reboot-4.2.0/plans", "puppetlabs-reboot-4.2.0/plans/init.pp", "puppetlabs-reboot-4.2.0/provision.yaml", "puppetlabs-reboot-4.2.0/tasks", "puppetlabs-reboot-4.2.0/tasks/init.json", "puppetlabs-reboot-4.2.0/tasks/init.rb", "puppetlabs-reboot-4.2.0/tasks/last_boot_time.json", "puppetlabs-reboot-4.2.0/tasks/last_boot_time_nix.json", 
"puppetlabs-reboot-4.2.0/tasks/last_boot_time_nix.sh", "puppetlabs-reboot-4.2.0/tasks/last_boot_time_win.json", "puppetlabs-reboot-4.2.0/tasks/last_boot_time_win.ps1", "puppetlabs-reboot-4.2.0/tasks/nix.json", "puppetlabs-reboot-4.2.0/tasks/nix.sh", "puppetlabs-reboot-4.2.0/tasks/win.json", "puppetlabs-reboot-4.2.0/tasks/win.ps1"] -2022-11-16T21:41:15.221872 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/mount_core -2022-11-16T21:41:15.228682 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of ubeek-auditd-1.0.3 tarball -2022-11-16T21:41:15.228808 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/ubeek-auditd-1.0.3/tarball/ubeek-auditd-1.0.3.tar.gz matches checksum -2022-11-16T21:41:15.229933 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/ubeek-auditd-1.0.3/tarball/ubeek-auditd-1.0.3.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/auditd (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-vevde5/ubeek-auditd-1.0.3) -2022-11-16T21:41:15.248916 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["ubeek-auditd-1.0.3", "ubeek-auditd-1.0.3/CHANGELOG.md", "ubeek-auditd-1.0.3/README.md", "ubeek-auditd-1.0.3/data", "ubeek-auditd-1.0.3/data/common.yaml", "ubeek-auditd-1.0.3/debug.log", "ubeek-auditd-1.0.3/hiera.yaml", "ubeek-auditd-1.0.3/manifests", "ubeek-auditd-1.0.3/manifests/config.pp", "ubeek-auditd-1.0.3/manifests/init.pp", "ubeek-auditd-1.0.3/manifests/install.pp", "ubeek-auditd-1.0.3/manifests/service.pp", "ubeek-auditd-1.0.3/metadata.json", "ubeek-auditd-1.0.3/pdk.yaml", "ubeek-auditd-1.0.3/templates", "ubeek-auditd-1.0.3/templates/auditd.conf.erb", "ubeek-auditd-1.0.3/templates/auditd.rules.erb"] -2022-11-16T21:41:15.249454 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/cron -2022-11-16T21:41:15.307974 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: 
["puppetlabs-puppet_agent-4.12.1", "puppetlabs-puppet_agent-4.12.1/.github", "puppetlabs-puppet_agent-4.12.1/.github/workflows", "puppetlabs-puppet_agent-4.12.1/.github/workflows/auto_release.yml", "puppetlabs-puppet_agent-4.12.1/.github/workflows/daily_unit_tests_with_nightly_puppet_gem.yaml", "puppetlabs-puppet_agent-4.12.1/.github/workflows/release.yml", "puppetlabs-puppet_agent-4.12.1/.github/workflows/static_code_analysis.yaml", "puppetlabs-puppet_agent-4.12.1/.github/workflows/task_acceptance_tests.yaml", "puppetlabs-puppet_agent-4.12.1/.github/workflows/unit_tests_with_nightly_puppet_gem.yaml", "puppetlabs-puppet_agent-4.12.1/.github/workflows/unit_tests_with_released_puppet_gem.yaml", "puppetlabs-puppet_agent-4.12.1/.rubocop_todo.yml", "puppetlabs-puppet_agent-4.12.1/CHANGELOG.md", "puppetlabs-puppet_agent-4.12.1/CODEOWNERS", "puppetlabs-puppet_agent-4.12.1/CODE_OF_CONDUCT.md", "puppetlabs-puppet_agent-4.12.1/CONTRIBUTING.md", "puppetlabs-puppet_agent-4.12.1/DEVELOPERS.md", "puppetlabs-puppet_agent-4.12.1/HISTORY.md", "puppetlabs-puppet_agent-4.12.1/LICENSE", "puppetlabs-puppet_agent-4.12.1/NOTICE", "puppetlabs-puppet_agent-4.12.1/README.md", "puppetlabs-puppet_agent-4.12.1/REFERENCE.md", "puppetlabs-puppet_agent-4.12.1/acceptance", "puppetlabs-puppet_agent-4.12.1/acceptance/Gemfile", "puppetlabs-puppet_agent-4.12.1/acceptance/README.md", "puppetlabs-puppet_agent-4.12.1/acceptance/Rakefile", "puppetlabs-puppet_agent-4.12.1/acceptance/files", "puppetlabs-puppet_agent-4.12.1/acceptance/files/uninstall.ps1", "puppetlabs-puppet_agent-4.12.1/acceptance/helpers.rb", "puppetlabs-puppet_agent-4.12.1/acceptance/options.rb", "puppetlabs-puppet_agent-4.12.1/acceptance/pre_suite", "puppetlabs-puppet_agent-4.12.1/acceptance/pre_suite/00_master_setup.rb", "puppetlabs-puppet_agent-4.12.1/acceptance/tests", "puppetlabs-puppet_agent-4.12.1/acceptance/tests/test_upgrade_puppet5_to_puppet6.rb", 
"puppetlabs-puppet_agent-4.12.1/acceptance/tests/test_upgrade_puppet6_to_puppet7.rb", "puppetlabs-puppet_agent-4.12.1/bolt_plugin.json", "puppetlabs-puppet_agent-4.12.1/data", "puppetlabs-puppet_agent-4.12.1/data/common.yaml", "puppetlabs-puppet_agent-4.12.1/docker", "puppetlabs-puppet_agent-4.12.1/docker/bin", "puppetlabs-puppet_agent-4.12.1/docker/bin/helpers", "puppetlabs-puppet_agent-4.12.1/docker/bin/helpers/run-upgrade.sh", "puppetlabs-puppet_agent-4.12.1/docker/bin/upgrade.sh", "puppetlabs-puppet_agent-4.12.1/docker/bin/versions.sh", "puppetlabs-puppet_agent-4.12.1/docker/centos", "puppetlabs-puppet_agent-4.12.1/docker/centos/Dockerfile", "puppetlabs-puppet_agent-4.12.1/docker/centos/Dockerfile.versions", "puppetlabs-puppet_agent-4.12.1/docker/deploy.pp", "puppetlabs-puppet_agent-4.12.1/docker/rocky", "puppetlabs-puppet_agent-4.12.1/docker/rocky/Dockerfile", "puppetlabs-puppet_agent-4.12.1/docker/rocky/Dockerfile.versions", "puppetlabs-puppet_agent-4.12.1/docker/ubuntu", "puppetlabs-puppet_agent-4.12.1/docker/ubuntu/Dockerfile", "puppetlabs-puppet_agent-4.12.1/docker/ubuntu/Dockerfile.versions", "puppetlabs-puppet_agent-4.12.1/docker/upgrade.pp", "puppetlabs-puppet_agent-4.12.1/examples", "puppetlabs-puppet_agent-4.12.1/examples/init.pp", "puppetlabs-puppet_agent-4.12.1/files", "puppetlabs-puppet_agent-4.12.1/files/.gitkeep", "puppetlabs-puppet_agent-4.12.1/files/GPG-KEY-puppet", "puppetlabs-puppet_agent-4.12.1/files/GPG-KEY-puppet-20250406", "puppetlabs-puppet_agent-4.12.1/files/helpers.ps1", "puppetlabs-puppet_agent-4.12.1/files/install_puppet.ps1", "puppetlabs-puppet_agent-4.12.1/files/prerequisites_check.ps1", "puppetlabs-puppet_agent-4.12.1/files/rb_task_helper.rb", "puppetlabs-puppet_agent-4.12.1/files/solaris_start_puppet.sh", "puppetlabs-puppet_agent-4.12.1/hiera.yaml", "puppetlabs-puppet_agent-4.12.1/lib", "puppetlabs-puppet_agent-4.12.1/lib/facter", "puppetlabs-puppet_agent-4.12.1/lib/facter/env_temp_variable.rb", 
"puppetlabs-puppet_agent-4.12.1/lib/facter/mco_config.rb", "puppetlabs-puppet_agent-4.12.1/lib/facter/puppet_agent_appdata.rb", "puppetlabs-puppet_agent-4.12.1/lib/facter/puppet_agent_pid.rb", "puppetlabs-puppet_agent-4.12.1/lib/facter/settings.rb", "puppetlabs-puppet_agent-4.12.1/lib/puppet", "puppetlabs-puppet_agent-4.12.1/lib/puppet/functions", "puppetlabs-puppet_agent-4.12.1/lib/puppet/functions/any_resources_of_type.rb", "puppetlabs-puppet_agent-4.12.1/lib/puppet/parser", "puppetlabs-puppet_agent-4.12.1/lib/puppet/parser/functions", "puppetlabs-puppet_agent-4.12.1/lib/puppet/parser/functions/uri_host_from_string.rb", "puppetlabs-puppet_agent-4.12.1/lib/puppet/parser/functions/windows_msi_installargs.rb", "puppetlabs-puppet_agent-4.12.1/lib/puppet/parser/functions/windows_native_path.rb", "puppetlabs-puppet_agent-4.12.1/lib/puppet/provider", "puppetlabs-puppet_agent-4.12.1/lib/puppet/provider/puppet_agent_end_run", "puppetlabs-puppet_agent-4.12.1/lib/puppet/provider/puppet_agent_end_run/puppet_agent_end_run.rb", "puppetlabs-puppet_agent-4.12.1/lib/puppet/provider/puppet_agent_upgrade_error", "puppetlabs-puppet_agent-4.12.1/lib/puppet/provider/puppet_agent_upgrade_error/puppet_agent_upgrade_error.rb", "puppetlabs-puppet_agent-4.12.1/lib/puppet/type", "puppetlabs-puppet_agent-4.12.1/lib/puppet/type/puppet_agent_end_run.rb", "puppetlabs-puppet_agent-4.12.1/lib/puppet/type/puppet_agent_upgrade_error.rb", "puppetlabs-puppet_agent-4.12.1/locales", "puppetlabs-puppet_agent-4.12.1/locales/config.yaml", "puppetlabs-puppet_agent-4.12.1/manifests", "puppetlabs-puppet_agent-4.12.1/manifests/configure.pp", "puppetlabs-puppet_agent-4.12.1/manifests/init.pp", "puppetlabs-puppet_agent-4.12.1/manifests/install", "puppetlabs-puppet_agent-4.12.1/manifests/install/darwin.pp", "puppetlabs-puppet_agent-4.12.1/manifests/install/solaris.pp", "puppetlabs-puppet_agent-4.12.1/manifests/install/suse.pp", "puppetlabs-puppet_agent-4.12.1/manifests/install/windows.pp", 
"puppetlabs-puppet_agent-4.12.1/manifests/install.pp", "puppetlabs-puppet_agent-4.12.1/manifests/osfamily", "puppetlabs-puppet_agent-4.12.1/manifests/osfamily/aix.pp", "puppetlabs-puppet_agent-4.12.1/manifests/osfamily/darwin.pp", "puppetlabs-puppet_agent-4.12.1/manifests/osfamily/debian.pp", "puppetlabs-puppet_agent-4.12.1/manifests/osfamily/redhat.pp", "puppetlabs-puppet_agent-4.12.1/manifests/osfamily/solaris.pp", "puppetlabs-puppet_agent-4.12.1/manifests/osfamily/suse.pp", "puppetlabs-puppet_agent-4.12.1/manifests/osfamily/windows.pp", "puppetlabs-puppet_agent-4.12.1/manifests/params.pp", "puppetlabs-puppet_agent-4.12.1/manifests/prepare", "puppetlabs-puppet_agent-4.12.1/manifests/prepare/package.pp", "puppetlabs-puppet_agent-4.12.1/manifests/prepare/puppet_config.pp", "puppetlabs-puppet_agent-4.12.1/manifests/prepare.pp", "puppetlabs-puppet_agent-4.12.1/manifests/service.pp", "puppetlabs-puppet_agent-4.12.1/metadata.json", "puppetlabs-puppet_agent-4.12.1/pdk.yaml", "puppetlabs-puppet_agent-4.12.1/plans", "puppetlabs-puppet_agent-4.12.1/plans/run.pp", "puppetlabs-puppet_agent-4.12.1/task_spec", "puppetlabs-puppet_agent-4.12.1/task_spec/.fixtures.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/Rakefile", "puppetlabs-puppet_agent-4.12.1/task_spec/spec", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/init_spec.rb", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/centos-7-x64.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/docker", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/docker/centos-7.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/docker/debian-8.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/docker/rocky-8.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/docker/ubuntu-14.04.yml", 
"puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/docker/ubuntu-18.04.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/osx1011-64.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/osx1012-64.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/osx1013-64.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/osx1014-64.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/rocky-8-x64.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/sles11-64.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/sles12-64.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/windows10ent-32.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/acceptance/nodesets/windows10ent-64.yml", "puppetlabs-puppet_agent-4.12.1/task_spec/spec/spec_helper_acceptance.rb", "puppetlabs-puppet_agent-4.12.1/tasks", "puppetlabs-puppet_agent-4.12.1/tasks/delete_local_filebucket.json", "puppetlabs-puppet_agent-4.12.1/tasks/delete_local_filebucket.rb", "puppetlabs-puppet_agent-4.12.1/tasks/facts_diff.json", "puppetlabs-puppet_agent-4.12.1/tasks/facts_diff.rb", "puppetlabs-puppet_agent-4.12.1/tasks/install.json", "puppetlabs-puppet_agent-4.12.1/tasks/install_powershell.json", "puppetlabs-puppet_agent-4.12.1/tasks/install_powershell.ps1", "puppetlabs-puppet_agent-4.12.1/tasks/install_shell.json", "puppetlabs-puppet_agent-4.12.1/tasks/install_shell.sh", "puppetlabs-puppet_agent-4.12.1/tasks/run.json", "puppetlabs-puppet_agent-4.12.1/tasks/run.rb", "puppetlabs-puppet_agent-4.12.1/tasks/version.json", "puppetlabs-puppet_agent-4.12.1/tasks/version_powershell.json", "puppetlabs-puppet_agent-4.12.1/tasks/version_powershell.ps1", "puppetlabs-puppet_agent-4.12.1/tasks/version_shell.json", "puppetlabs-puppet_agent-4.12.1/tasks/version_shell.sh", "puppetlabs-puppet_agent-4.12.1/templates", 
"puppetlabs-puppet_agent-4.12.1/templates/.gitkeep", "puppetlabs-puppet_agent-4.12.1/templates/do_install.sh.erb", "puppetlabs-puppet_agent-4.12.1/templates/osx_install.sh.erb", "puppetlabs-puppet_agent-4.12.1/templates/solaris_install.sh.erb", "puppetlabs-puppet_agent-4.12.1/types", "puppetlabs-puppet_agent-4.12.1/types/arch.pp", "puppetlabs-puppet_agent-4.12.1/types/config.pp", "puppetlabs-puppet_agent-4.12.1/types/config_setting.pp"] -2022-11-16T21:41:15.308462 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeasproviders_grub -2022-11-16T21:41:15.316462 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-mount_core-1.1.0 tarball -2022-11-16T21:41:15.316517 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-mount_core-1.1.0/tarball/puppetlabs-mount_core-1.1.0.tar.gz matches checksum -2022-11-16T21:41:15.318625 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-mount_core-1.1.0/tarball/puppetlabs-mount_core-1.1.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/mount_core (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-43lctq/puppetlabs-mount_core-1.1.0) -2022-11-16T21:41:15.321408 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-cron-3.0.0 tarball -2022-11-16T21:41:15.321540 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-cron-3.0.0/tarball/puppet-cron-3.0.0.tar.gz matches checksum -2022-11-16T21:41:15.323801 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-cron-3.0.0/tarball/puppet-cron-3.0.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/cron (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1g6pd1/puppet-cron-3.0.0) -2022-11-16T21:41:15.362243 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-mount_core-1.1.0", 
"puppetlabs-mount_core-1.1.0/.github", "puppetlabs-mount_core-1.1.0/.github/workflows", "puppetlabs-mount_core-1.1.0/.github/workflows/auto_release.yml", "puppetlabs-mount_core-1.1.0/.github/workflows/daily_unit_tests_with_nightly_puppet_gem.yaml", "puppetlabs-mount_core-1.1.0/.github/workflows/release.yml", "puppetlabs-mount_core-1.1.0/.github/workflows/static_code_analysis.yaml", "puppetlabs-mount_core-1.1.0/.github/workflows/unit_tests_with_nightly_puppet_gem.yaml", "puppetlabs-mount_core-1.1.0/.github/workflows/unit_tests_with_released_puppet_gem.yaml", "puppetlabs-mount_core-1.1.0/CHANGELOG.md", "puppetlabs-mount_core-1.1.0/CODEOWNERS", "puppetlabs-mount_core-1.1.0/LICENSE", "puppetlabs-mount_core-1.1.0/README.md", "puppetlabs-mount_core-1.1.0/REFERENCE.md", "puppetlabs-mount_core-1.1.0/data", "puppetlabs-mount_core-1.1.0/data/common.yaml", "puppetlabs-mount_core-1.1.0/hiera.yaml", "puppetlabs-mount_core-1.1.0/lib", "puppetlabs-mount_core-1.1.0/lib/puppet", "puppetlabs-mount_core-1.1.0/lib/puppet/provider", "puppetlabs-mount_core-1.1.0/lib/puppet/provider/mount", "puppetlabs-mount_core-1.1.0/lib/puppet/provider/mount/parsed.rb", "puppetlabs-mount_core-1.1.0/lib/puppet/provider/mount.rb", "puppetlabs-mount_core-1.1.0/lib/puppet/type", "puppetlabs-mount_core-1.1.0/lib/puppet/type/mount.rb", "puppetlabs-mount_core-1.1.0/locales", "puppetlabs-mount_core-1.1.0/locales/config.yaml", "puppetlabs-mount_core-1.1.0/locales/ja", "puppetlabs-mount_core-1.1.0/locales/ja/puppetlabs-mount_core.po", "puppetlabs-mount_core-1.1.0/locales/puppetlabs-mount_core.pot", "puppetlabs-mount_core-1.1.0/metadata.json", "puppetlabs-mount_core-1.1.0/pdk.yaml", "puppetlabs-mount_core-1.1.0/readmes", "puppetlabs-mount_core-1.1.0/readmes/README_ja_JP.md"] -2022-11-16T21:41:15.363005 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeasproviders_shellvar -2022-11-16T21:41:15.381402 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: 
["puppet-cron-3.0.0", "puppet-cron-3.0.0/CHANGELOG.md", "puppet-cron-3.0.0/HISTORY.md", "puppet-cron-3.0.0/LICENSE", "puppet-cron-3.0.0/README.md", "puppet-cron-3.0.0/REFERENCE.md", "puppet-cron-3.0.0/data", "puppet-cron-3.0.0/data/common.yaml", "puppet-cron-3.0.0/data/os", "puppet-cron-3.0.0/data/os/Gentoo.yaml", "puppet-cron-3.0.0/data/os/RedHat", "puppet-cron-3.0.0/data/os/RedHat/5.yaml", "puppet-cron-3.0.0/data/os/RedHat.yaml", "puppet-cron-3.0.0/hiera.yaml", "puppet-cron-3.0.0/manifests", "puppet-cron-3.0.0/manifests/daily.pp", "puppet-cron-3.0.0/manifests/hourly.pp", "puppet-cron-3.0.0/manifests/init.pp", "puppet-cron-3.0.0/manifests/install.pp", "puppet-cron-3.0.0/manifests/job", "puppet-cron-3.0.0/manifests/job/multiple.pp", "puppet-cron-3.0.0/manifests/job.pp", "puppet-cron-3.0.0/manifests/monthly.pp", "puppet-cron-3.0.0/manifests/service.pp", "puppet-cron-3.0.0/manifests/weekly.pp", "puppet-cron-3.0.0/metadata.json", "puppet-cron-3.0.0/templates", "puppet-cron-3.0.0/templates/.gitkeep", "puppet-cron-3.0.0/templates/crontab.epp", "puppet-cron-3.0.0/templates/job.erb", "puppet-cron-3.0.0/templates/multiple.erb", "puppet-cron-3.0.0/templates/users.epp", "puppet-cron-3.0.0/types", "puppet-cron-3.0.0/types/date.pp", "puppet-cron-3.0.0/types/deb_version.pp", "puppet-cron-3.0.0/types/environment.pp", "puppet-cron-3.0.0/types/hour.pp", "puppet-cron-3.0.0/types/job_ensure.pp", "puppet-cron-3.0.0/types/jobname.pp", "puppet-cron-3.0.0/types/minute.pp", "puppet-cron-3.0.0/types/mode.pp", "puppet-cron-3.0.0/types/month.pp", "puppet-cron-3.0.0/types/monthname.pp", "puppet-cron-3.0.0/types/package_ensure.pp", "puppet-cron-3.0.0/types/package_state.pp", "puppet-cron-3.0.0/types/rpm_version.pp", "puppet-cron-3.0.0/types/run_parts.pp", "puppet-cron-3.0.0/types/second.pp", "puppet-cron-3.0.0/types/service_enable.pp", "puppet-cron-3.0.0/types/service_ensure.pp", "puppet-cron-3.0.0/types/special.pp", "puppet-cron-3.0.0/types/user.pp", "puppet-cron-3.0.0/types/weekday.pp", 
"puppet-cron-3.0.0/types/weekdayname.pp"] -2022-11-16T21:41:15.381936 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/lvm -2022-11-16T21:41:15.388819 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-augeasproviders_grub-4.0.0 tarball -2022-11-16T21:41:15.388916 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-augeasproviders_grub-4.0.0/tarball/puppet-augeasproviders_grub-4.0.0.tar.gz matches checksum -2022-11-16T21:41:15.389752 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-augeasproviders_grub-4.0.0/tarball/puppet-augeasproviders_grub-4.0.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeasproviders_grub (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1kr592h/puppet-augeasproviders_grub-4.0.0) -2022-11-16T21:41:15.411994 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-augeasproviders_grub-4.0.0", "puppet-augeasproviders_grub-4.0.0/CHANGELOG.md", "puppet-augeasproviders_grub-4.0.0/LICENSE", "puppet-augeasproviders_grub-4.0.0/README.md", "puppet-augeasproviders_grub-4.0.0/REFERENCE.md", "puppet-augeasproviders_grub-4.0.0/lib", "puppet-augeasproviders_grub-4.0.0/lib/facter", "puppet-augeasproviders_grub-4.0.0/lib/facter/augeasprovider_grub_version.rb", "puppet-augeasproviders_grub-4.0.0/lib/puppet", "puppet-augeasproviders_grub-4.0.0/lib/puppet/provider", "puppet-augeasproviders_grub-4.0.0/lib/puppet/provider/grub_config", "puppet-augeasproviders_grub-4.0.0/lib/puppet/provider/grub_config/grub2.rb", "puppet-augeasproviders_grub-4.0.0/lib/puppet/provider/grub_menuentry", "puppet-augeasproviders_grub-4.0.0/lib/puppet/provider/grub_menuentry/grub2.rb", "puppet-augeasproviders_grub-4.0.0/lib/puppet/provider/grub_user", "puppet-augeasproviders_grub-4.0.0/lib/puppet/provider/grub_user/grub2.rb", "puppet-augeasproviders_grub-4.0.0/lib/puppet/provider/kernel_parameter", 
"puppet-augeasproviders_grub-4.0.0/lib/puppet/provider/kernel_parameter/grub2.rb", "puppet-augeasproviders_grub-4.0.0/lib/puppet/type", "puppet-augeasproviders_grub-4.0.0/lib/puppet/type/grub_config.rb", "puppet-augeasproviders_grub-4.0.0/lib/puppet/type/grub_menuentry.rb", "puppet-augeasproviders_grub-4.0.0/lib/puppet/type/grub_user.rb", "puppet-augeasproviders_grub-4.0.0/lib/puppet/type/kernel_parameter.rb", "puppet-augeasproviders_grub-4.0.0/lib/puppetx", "puppet-augeasproviders_grub-4.0.0/lib/puppetx/augeasproviders_grub", "puppet-augeasproviders_grub-4.0.0/lib/puppetx/augeasproviders_grub/util.rb", "puppet-augeasproviders_grub-4.0.0/metadata.json"] -2022-11-16T21:41:15.412416 INFO [] [Bolt::R10KLogProxy] Deploying module to /Users/bryanbelanger/projects/secure_linux_cis/.modules/exec -2022-11-16T21:41:15.446529 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-augeasproviders_shellvar-5.0.0 tarball -2022-11-16T21:41:15.446589 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppet-augeasproviders_shellvar-5.0.0/tarball/puppet-augeasproviders_shellvar-5.0.0.tar.gz matches checksum -2022-11-16T21:41:15.447341 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppet-augeasproviders_shellvar-5.0.0/tarball/puppet-augeasproviders_shellvar-5.0.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/augeasproviders_shellvar (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-fieiyx/puppet-augeasproviders_shellvar-5.0.0) -2022-11-16T21:41:15.459308 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-lvm-1.4.0 tarball -2022-11-16T21:41:15.459371 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-lvm-1.4.0/tarball/puppetlabs-lvm-1.4.0.tar.gz matches checksum -2022-11-16T21:41:15.461514 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-lvm-1.4.0/tarball/puppetlabs-lvm-1.4.0.tar.gz to 
/Users/bryanbelanger/projects/secure_linux_cis/.modules/lvm (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-1imlp5s/puppetlabs-lvm-1.4.0) -2022-11-16T21:41:15.470355 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-augeasproviders_shellvar-5.0.0", "puppet-augeasproviders_shellvar-5.0.0/CHANGELOG.md", "puppet-augeasproviders_shellvar-5.0.0/HISTORY.md", "puppet-augeasproviders_shellvar-5.0.0/LICENSE", "puppet-augeasproviders_shellvar-5.0.0/README.md", "puppet-augeasproviders_shellvar-5.0.0/REFERENCE.md", "puppet-augeasproviders_shellvar-5.0.0/data", "puppet-augeasproviders_shellvar-5.0.0/data/common.yaml", "puppet-augeasproviders_shellvar-5.0.0/hiera.yaml", "puppet-augeasproviders_shellvar-5.0.0/lib", "puppet-augeasproviders_shellvar-5.0.0/lib/puppet", "puppet-augeasproviders_shellvar-5.0.0/lib/puppet/provider", "puppet-augeasproviders_shellvar-5.0.0/lib/puppet/provider/shellvar", "puppet-augeasproviders_shellvar-5.0.0/lib/puppet/provider/shellvar/augeas.rb", "puppet-augeasproviders_shellvar-5.0.0/lib/puppet/type", "puppet-augeasproviders_shellvar-5.0.0/lib/puppet/type/shellvar.rb", "puppet-augeasproviders_shellvar-5.0.0/metadata.json"] -2022-11-16T21:41:15.471439 DEBUG [] [Bolt::R10KLogProxy] Module thread 10160 exiting: queue empty -2022-11-16T21:41:15.481076 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppetlabs-exec-2.2.0 tarball -2022-11-16T21:41:15.481141 DEBUG [] [Bolt::R10KLogProxy] Verifying that /Users/bryanbelanger/.r10k/cache/puppetlabs-exec-2.2.0/tarball/puppetlabs-exec-2.2.0.tar.gz matches checksum -2022-11-16T21:41:15.482026 DEBUG [] [Bolt::R10KLogProxy] Unpacking /Users/bryanbelanger/.r10k/cache/puppetlabs-exec-2.2.0/tarball/puppetlabs-exec-2.2.0.tar.gz to /Users/bryanbelanger/projects/secure_linux_cis/.modules/exec (with tmpdir /var/folders/yv/g3_82jt10sx_58ny34d73vlm0000gn/T/d20221116-11731-kcdv65/puppetlabs-exec-2.2.0) -2022-11-16T21:41:15.520906 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: 
["puppetlabs-stdlib-6.6.0", "puppetlabs-stdlib-6.6.0/.devcontainer", "puppetlabs-stdlib-6.6.0/.devcontainer/Dockerfile", "puppetlabs-stdlib-6.6.0/.devcontainer/devcontainer.json", "puppetlabs-stdlib-6.6.0/.github", "puppetlabs-stdlib-6.6.0/.github/workflows", "puppetlabs-stdlib-6.6.0/.github/workflows/nightly.yml", "puppetlabs-stdlib-6.6.0/.github/workflows/pr_test.yml", "puppetlabs-stdlib-6.6.0/.gitpod.Dockerfile", "puppetlabs-stdlib-6.6.0/.gitpod.yml", "puppetlabs-stdlib-6.6.0/.rubocop_todo.yml", "puppetlabs-stdlib-6.6.0/.ruby-version", "puppetlabs-stdlib-6.6.0/CHANGELOG.md", "puppetlabs-stdlib-6.6.0/CODEOWNERS", "puppetlabs-stdlib-6.6.0/CONTRIBUTING.md", "puppetlabs-stdlib-6.6.0/Gemfile_puppet5", "puppetlabs-stdlib-6.6.0/Gemfile_puppet6", "puppetlabs-stdlib-6.6.0/HISTORY.md", "puppetlabs-stdlib-6.6.0/LICENSE", "puppetlabs-stdlib-6.6.0/NOTICE", "puppetlabs-stdlib-6.6.0/README.md", "puppetlabs-stdlib-6.6.0/README_DEVELOPER.markdown", "puppetlabs-stdlib-6.6.0/README_SPECS.markdown", "puppetlabs-stdlib-6.6.0/REFERENCE.md", "puppetlabs-stdlib-6.6.0/RELEASE_PROCESS.markdown", "puppetlabs-stdlib-6.6.0/data", "puppetlabs-stdlib-6.6.0/data/common.yaml", "puppetlabs-stdlib-6.6.0/examples", "puppetlabs-stdlib-6.6.0/examples/file_line.pp", "puppetlabs-stdlib-6.6.0/examples/has_interface_with.pp", "puppetlabs-stdlib-6.6.0/examples/has_ip_address.pp", "puppetlabs-stdlib-6.6.0/examples/has_ip_network.pp", "puppetlabs-stdlib-6.6.0/examples/init.pp", "puppetlabs-stdlib-6.6.0/functions", "puppetlabs-stdlib-6.6.0/functions/ensure.pp", "puppetlabs-stdlib-6.6.0/hiera.yaml", "puppetlabs-stdlib-6.6.0/lib", "puppetlabs-stdlib-6.6.0/lib/facter", "puppetlabs-stdlib-6.6.0/lib/facter/package_provider.rb", "puppetlabs-stdlib-6.6.0/lib/facter/pe_version.rb", "puppetlabs-stdlib-6.6.0/lib/facter/puppet_settings.rb", "puppetlabs-stdlib-6.6.0/lib/facter/root_home.rb", "puppetlabs-stdlib-6.6.0/lib/facter/service_provider.rb", "puppetlabs-stdlib-6.6.0/lib/facter/util", 
"puppetlabs-stdlib-6.6.0/lib/facter/util/puppet_settings.rb", "puppetlabs-stdlib-6.6.0/lib/puppet", "puppetlabs-stdlib-6.6.0/lib/puppet/functions", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/deprecation.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/fact.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/is_a.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/is_absolute_path.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/is_array.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/is_bool.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/is_float.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/is_ip_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/is_ipv4_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/is_ipv6_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/is_numeric.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/is_string.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/length.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/merge.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/os_version_gte.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/parsehocon.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/seeded_rand_string.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/sprintf_hash.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/stdlib", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/stdlib/end_with.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/stdlib/extname.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/stdlib/ip_in_range.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/stdlib/start_with.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/to_json.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/to_json_pretty.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/to_yaml.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/type_of.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_absolute_path.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_array.rb", 
"puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_bool.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_hash.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_integer.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_ip_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_ipv4_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_ipv6_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_legacy.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_numeric.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_re.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_slength.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/functions/validate_string.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/abs.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/any2array.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/any2bool.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/assert_private.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/base64.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/basename.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/bool2num.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/bool2str.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/camelcase.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/capitalize.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/ceiling.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/chomp.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/chop.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/clamp.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/concat.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/convert_base.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/count.rb", 
"puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/deep_merge.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/defined_with_params.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/delete.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/delete_at.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/delete_regex.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/delete_undef_values.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/delete_values.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/deprecation.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/difference.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/dig.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/dig44.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/dirname.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/dos2unix.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/downcase.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/empty.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/enclose_ipv6.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/ensure_packages.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/ensure_resource.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/ensure_resources.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/flatten.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/floor.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/fqdn_rand_string.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/fqdn_rotate.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/fqdn_uuid.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/get_module_path.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/getparam.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/getvar.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/glob.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/grep.rb", 
"puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/has_interface_with.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/has_ip_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/has_ip_network.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/has_key.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/hash.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/intersection.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_absolute_path.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_array.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_bool.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_domain_name.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_email_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_float.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_function_available.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_hash.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_integer.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_ip_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_ipv4_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_ipv6_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_mac_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_numeric.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/is_string.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/join.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/join_keys_to_values.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/keys.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/load_module_metadata.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/loadjson.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/loadyaml.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/lstrip.rb", 
"puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/max.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/member.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/merge.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/min.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/num2bool.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/parsejson.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/parseyaml.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/pick.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/pick_default.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/prefix.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/private.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/pry.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/pw_hash.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/range.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/regexpescape.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/reject.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/reverse.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/round.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/rstrip.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/seeded_rand.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/shell_escape.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/shell_join.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/shell_split.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/shuffle.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/size.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/sort.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/squeeze.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/str2bool.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/str2saltedpbkdf2.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/str2saltedsha512.rb", 
"puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/strip.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/suffix.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/swapcase.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/time.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/to_bytes.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/try_get_value.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/type.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/type3x.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/union.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/unique.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/unix2dos.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/upcase.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/uriescape.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_absolute_path.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_array.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_augeas.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_bool.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_cmd.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_domain_name.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_email_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_hash.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_integer.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_ip_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_ipv4_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_ipv6_address.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_numeric.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_re.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_slength.rb", 
"puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_string.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/values.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/values_at.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/parser/functions/zip.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/provider", "puppetlabs-stdlib-6.6.0/lib/puppet/provider/file_line", "puppetlabs-stdlib-6.6.0/lib/puppet/provider/file_line/ruby.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/type", "puppetlabs-stdlib-6.6.0/lib/puppet/type/anchor.rb", "puppetlabs-stdlib-6.6.0/lib/puppet/type/file_line.rb", "puppetlabs-stdlib-6.6.0/locales", "puppetlabs-stdlib-6.6.0/locales/config.yaml", "puppetlabs-stdlib-6.6.0/locales/ja", "puppetlabs-stdlib-6.6.0/locales/ja/puppetlabs-stdlib.po", "puppetlabs-stdlib-6.6.0/locales/puppetlabs-stdlib.pot", "puppetlabs-stdlib-6.6.0/manifests", "puppetlabs-stdlib-6.6.0/manifests/init.pp", "puppetlabs-stdlib-6.6.0/manifests/stages.pp", "puppetlabs-stdlib-6.6.0/metadata.json", "puppetlabs-stdlib-6.6.0/provision.yaml", "puppetlabs-stdlib-6.6.0/readmes", "puppetlabs-stdlib-6.6.0/readmes/README_ja_JP.md", "puppetlabs-stdlib-6.6.0/types", "puppetlabs-stdlib-6.6.0/types/absolutepath.pp", "puppetlabs-stdlib-6.6.0/types/base32.pp", "puppetlabs-stdlib-6.6.0/types/base64.pp", "puppetlabs-stdlib-6.6.0/types/compat", "puppetlabs-stdlib-6.6.0/types/compat/absolute_path.pp", "puppetlabs-stdlib-6.6.0/types/compat/array.pp", "puppetlabs-stdlib-6.6.0/types/compat/bool.pp", "puppetlabs-stdlib-6.6.0/types/compat/float.pp", "puppetlabs-stdlib-6.6.0/types/compat/hash.pp", "puppetlabs-stdlib-6.6.0/types/compat/integer.pp", "puppetlabs-stdlib-6.6.0/types/compat/ip_address.pp", "puppetlabs-stdlib-6.6.0/types/compat/ipv4.pp", "puppetlabs-stdlib-6.6.0/types/compat/ipv6.pp", "puppetlabs-stdlib-6.6.0/types/compat/numeric.pp", "puppetlabs-stdlib-6.6.0/types/compat/re.pp", 
"puppetlabs-stdlib-6.6.0/types/compat/string.pp", "puppetlabs-stdlib-6.6.0/types/datasize.pp", "puppetlabs-stdlib-6.6.0/types/ensure", "puppetlabs-stdlib-6.6.0/types/ensure/file", "puppetlabs-stdlib-6.6.0/types/ensure/file/directory.pp", "puppetlabs-stdlib-6.6.0/types/ensure/file/file.pp", "puppetlabs-stdlib-6.6.0/types/ensure/file/link.pp", "puppetlabs-stdlib-6.6.0/types/ensure/file.pp", "puppetlabs-stdlib-6.6.0/types/ensure/service.pp", "puppetlabs-stdlib-6.6.0/types/filemode.pp", "puppetlabs-stdlib-6.6.0/types/filesource.pp", "puppetlabs-stdlib-6.6.0/types/fqdn.pp", "puppetlabs-stdlib-6.6.0/types/host.pp", "puppetlabs-stdlib-6.6.0/types/httpstatus.pp", "puppetlabs-stdlib-6.6.0/types/httpsurl.pp", "puppetlabs-stdlib-6.6.0/types/httpurl.pp", "puppetlabs-stdlib-6.6.0/types/ip", "puppetlabs-stdlib-6.6.0/types/ip/address", "puppetlabs-stdlib-6.6.0/types/ip/address/nosubnet.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v4", "puppetlabs-stdlib-6.6.0/types/ip/address/v4/cidr.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v4/nosubnet.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v4.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v6", "puppetlabs-stdlib-6.6.0/types/ip/address/v6/alternative.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v6/cidr.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v6/compressed.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v6/full.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v6/nosubnet", "puppetlabs-stdlib-6.6.0/types/ip/address/v6/nosubnet/alternative.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v6/nosubnet/compressed.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v6/nosubnet/full.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v6/nosubnet.pp", "puppetlabs-stdlib-6.6.0/types/ip/address/v6.pp", "puppetlabs-stdlib-6.6.0/types/ip/address.pp", "puppetlabs-stdlib-6.6.0/types/mac.pp", "puppetlabs-stdlib-6.6.0/types/objectstore", "puppetlabs-stdlib-6.6.0/types/objectstore/gsuri.pp", "puppetlabs-stdlib-6.6.0/types/objectstore/s3uri.pp", 
"puppetlabs-stdlib-6.6.0/types/objectstore.pp", "puppetlabs-stdlib-6.6.0/types/port", "puppetlabs-stdlib-6.6.0/types/port/dynamic.pp", "puppetlabs-stdlib-6.6.0/types/port/ephemeral.pp", "puppetlabs-stdlib-6.6.0/types/port/privileged.pp", "puppetlabs-stdlib-6.6.0/types/port/registered.pp", "puppetlabs-stdlib-6.6.0/types/port/unprivileged.pp", "puppetlabs-stdlib-6.6.0/types/port/user.pp", "puppetlabs-stdlib-6.6.0/types/port.pp", "puppetlabs-stdlib-6.6.0/types/syslogfacility.pp", "puppetlabs-stdlib-6.6.0/types/unixpath.pp", "puppetlabs-stdlib-6.6.0/types/windowspath.pp", "puppetlabs-stdlib-6.6.0/types/yes_no.pp"] -2022-11-16T21:41:15.522030 DEBUG [] [Bolt::R10KLogProxy] Module thread 10180 exiting: queue empty -2022-11-16T21:41:15.522530 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-exec-2.2.0", "puppetlabs-exec-2.2.0/.github", "puppetlabs-exec-2.2.0/.github/workflows", "puppetlabs-exec-2.2.0/.github/workflows/auto_release.yml", "puppetlabs-exec-2.2.0/.github/workflows/labeller.yml", "puppetlabs-exec-2.2.0/.github/workflows/nightly.yml", "puppetlabs-exec-2.2.0/.github/workflows/pr_test.yml", "puppetlabs-exec-2.2.0/.github/workflows/release.yml", "puppetlabs-exec-2.2.0/.github/workflows/spec.yml", "puppetlabs-exec-2.2.0/.github/workflows/stale.yml", "puppetlabs-exec-2.2.0/.gitpod.Dockerfile", "puppetlabs-exec-2.2.0/.gitpod.yml", "puppetlabs-exec-2.2.0/.pmtignore", "puppetlabs-exec-2.2.0/.rubocop_todo.yml", "puppetlabs-exec-2.2.0/CHANGELOG.md", "puppetlabs-exec-2.2.0/CODEOWNERS", "puppetlabs-exec-2.2.0/CONTRIBUTING.md", "puppetlabs-exec-2.2.0/HISTORY.md", "puppetlabs-exec-2.2.0/LICENSE", "puppetlabs-exec-2.2.0/NOTICE", "puppetlabs-exec-2.2.0/README.md", "puppetlabs-exec-2.2.0/REFERENCE.md", "puppetlabs-exec-2.2.0/data", "puppetlabs-exec-2.2.0/data/common.yaml", "puppetlabs-exec-2.2.0/hiera.yaml", "puppetlabs-exec-2.2.0/metadata.json", "puppetlabs-exec-2.2.0/pdk.yaml", "puppetlabs-exec-2.2.0/provision.yaml", "puppetlabs-exec-2.2.0/tasks", 
"puppetlabs-exec-2.2.0/tasks/init.json", "puppetlabs-exec-2.2.0/tasks/init.rb", "puppetlabs-exec-2.2.0/tasks/linux.json", "puppetlabs-exec-2.2.0/tasks/linux.sh", "puppetlabs-exec-2.2.0/tasks/windows.json", "puppetlabs-exec-2.2.0/tasks/windows.ps1"] -2022-11-16T21:41:15.523717 DEBUG [] [Bolt::R10KLogProxy] Module thread 10200 exiting: queue empty -2022-11-16T21:41:15.565855 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppetlabs-lvm-1.4.0", "puppetlabs-lvm-1.4.0/.autotest", "puppetlabs-lvm-1.4.0/.puppet-lint.rc", "puppetlabs-lvm-1.4.0/.rubocop_todo.yml", "puppetlabs-lvm-1.4.0/.sync.yml", "puppetlabs-lvm-1.4.0/CHANGELOG.md", "puppetlabs-lvm-1.4.0/HISTORY.md", "puppetlabs-lvm-1.4.0/LICENSE", "puppetlabs-lvm-1.4.0/README.md", "puppetlabs-lvm-1.4.0/REFERENCE.md", "puppetlabs-lvm-1.4.0/data", "puppetlabs-lvm-1.4.0/data/common.yaml", "puppetlabs-lvm-1.4.0/functions", "puppetlabs-lvm-1.4.0/functions/bytes_to_size.pp", "puppetlabs-lvm-1.4.0/functions/size_to_bytes.pp", "puppetlabs-lvm-1.4.0/hiera.yaml", "puppetlabs-lvm-1.4.0/lib", "puppetlabs-lvm-1.4.0/lib/facter", "puppetlabs-lvm-1.4.0/lib/facter/logical_volumes.rb", "puppetlabs-lvm-1.4.0/lib/facter/lvm_support.rb", "puppetlabs-lvm-1.4.0/lib/facter/physical_volumes.rb", "puppetlabs-lvm-1.4.0/lib/facter/volume_groups.rb", "puppetlabs-lvm-1.4.0/lib/puppet", "puppetlabs-lvm-1.4.0/lib/puppet/provider", "puppetlabs-lvm-1.4.0/lib/puppet/provider/filesystem", "puppetlabs-lvm-1.4.0/lib/puppet/provider/filesystem/aix.rb", "puppetlabs-lvm-1.4.0/lib/puppet/provider/filesystem/lvm.rb", "puppetlabs-lvm-1.4.0/lib/puppet/provider/logical_volume", "puppetlabs-lvm-1.4.0/lib/puppet/provider/logical_volume/aix.rb", "puppetlabs-lvm-1.4.0/lib/puppet/provider/logical_volume/lvm.rb", "puppetlabs-lvm-1.4.0/lib/puppet/provider/physical_volume", "puppetlabs-lvm-1.4.0/lib/puppet/provider/physical_volume/aix.rb", "puppetlabs-lvm-1.4.0/lib/puppet/provider/physical_volume/lvm.rb", "puppetlabs-lvm-1.4.0/lib/puppet/provider/volume_group", 
"puppetlabs-lvm-1.4.0/lib/puppet/provider/volume_group/aix.rb", "puppetlabs-lvm-1.4.0/lib/puppet/provider/volume_group/lvm.rb", "puppetlabs-lvm-1.4.0/lib/puppet/type", "puppetlabs-lvm-1.4.0/lib/puppet/type/filesystem.rb", "puppetlabs-lvm-1.4.0/lib/puppet/type/logical_volume.rb", "puppetlabs-lvm-1.4.0/lib/puppet/type/physical_volume.rb", "puppetlabs-lvm-1.4.0/lib/puppet/type/volume_group.rb", "puppetlabs-lvm-1.4.0/lib/puppet_x", "puppetlabs-lvm-1.4.0/lib/puppet_x/lvm", "puppetlabs-lvm-1.4.0/lib/puppet_x/lvm/output.rb", "puppetlabs-lvm-1.4.0/manifests", "puppetlabs-lvm-1.4.0/manifests/init.pp", "puppetlabs-lvm-1.4.0/manifests/logical_volume.pp", "puppetlabs-lvm-1.4.0/manifests/physical_volume.pp", "puppetlabs-lvm-1.4.0/manifests/volume.pp", "puppetlabs-lvm-1.4.0/manifests/volume_group.pp", "puppetlabs-lvm-1.4.0/metadata.json", "puppetlabs-lvm-1.4.0/plans", "puppetlabs-lvm-1.4.0/plans/expand.pp", "puppetlabs-lvm-1.4.0/tasks", "puppetlabs-lvm-1.4.0/tasks/ensure_fs.json", "puppetlabs-lvm-1.4.0/tasks/ensure_fs.rb", "puppetlabs-lvm-1.4.0/tasks/ensure_lv.json", "puppetlabs-lvm-1.4.0/tasks/ensure_lv.rb", "puppetlabs-lvm-1.4.0/tasks/ensure_pv.json", "puppetlabs-lvm-1.4.0/tasks/ensure_pv.rb", "puppetlabs-lvm-1.4.0/tasks/ensure_vg.json", "puppetlabs-lvm-1.4.0/tasks/ensure_vg.rb", "puppetlabs-lvm-1.4.0/tasks/extend_lv.json", "puppetlabs-lvm-1.4.0/tasks/extend_lv.rb", "puppetlabs-lvm-1.4.0/tasks/extend_vg.json", "puppetlabs-lvm-1.4.0/tasks/extend_vg.rb", "puppetlabs-lvm-1.4.0/tasks/mount_lv.json", "puppetlabs-lvm-1.4.0/tasks/mount_lv.rb", "puppetlabs-lvm-1.4.0/tests", "puppetlabs-lvm-1.4.0/tests/beaker", "puppetlabs-lvm-1.4.0/tests/beaker/configs", "puppetlabs-lvm-1.4.0/tests/beaker/configs/aix-71-spec.yml", "puppetlabs-lvm-1.4.0/tests/beaker/configs/fusion.yml", "puppetlabs-lvm-1.4.0/tests/beaker/configs/redhat-6-64mda.yml", "puppetlabs-lvm-1.4.0/tests/beaker/lib", "puppetlabs-lvm-1.4.0/tests/beaker/lib/lvm_helper.rb", "puppetlabs-lvm-1.4.0/tests/beaker/pre-suite", 
"puppetlabs-lvm-1.4.0/tests/beaker/pre-suite/00_pe_install.rb", "puppetlabs-lvm-1.4.0/tests/beaker/pre-suite/01_lvm_module_install.rb", "puppetlabs-lvm-1.4.0/tests/beaker/pre-suite/02_add_extra_hdd.rb", "puppetlabs-lvm-1.4.0/tests/beaker/test_run_scripts", "puppetlabs-lvm-1.4.0/tests/beaker/test_run_scripts/integration_tests.sh", "puppetlabs-lvm-1.4.0/tests/beaker/test_run_scripts/integration_tests_aix.sh", "puppetlabs-lvm-1.4.0/tests/beaker/tests", "puppetlabs-lvm-1.4.0/tests/beaker/tests/aix", "puppetlabs-lvm-1.4.0/tests/beaker/tests/aix/create_lv_with_param_max_range.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/aix/create_lv_with_param_min_range.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/aix/create_lv_with_param_type.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/aix/create_physical_volume_on_aix.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/aix/create_volume_group_on_aix.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_filesystem_non-existing-format.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_filesystem_with_ensure_property_ext2.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_filesystem_with_param_fs_type_ext4.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_filesystem_with_param_name_ext3.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_filesystem_with_param_options.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_param_alloc.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_param_extents.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_param_initial_size.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_param_name.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_param_no_sync.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_param_readahead.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_param_region_size.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_param_size_is_minsize.rb", 
"puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_param_stripes.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_param_stripesize.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_property_mirror.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_with_property_mirrorlog.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_lv_without_param_name.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_pv_param_unless_vg.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_pv_w_param_force.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_pv_with_param_name.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_pv_wo_param_name.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_vg_param_createonly.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_vg_property_logical_volumes.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_vg_property_physical_volumes.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_vg_w_2_physical_volumes.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_vg_w_param_name.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/create_vg_wo_param_name.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/remove_lv.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/remove_pv.rb", "puppetlabs-lvm-1.4.0/tests/beaker/tests/remove_vg.rb"] -2022-11-16T21:41:15.566280 DEBUG [] [Bolt::R10KLogProxy] Module thread 10220 exiting: queue empty -2022-11-16T21:41:15.568648 DEBUG [main] [Bolt::R10KLogProxy] No unmanaged contents in /Users/bryanbelanger/projects/secure_linux_cis/.modules, nothing to purge -2022-11-16T21:41:16.223640 WARN [main] [Puppet] Enum parameters must be identifiers or strings +2023-07-14T16:31:08.327957 INFO [main] [Bolt::Logger] Loaded project from '/root/test/secure_linux_cis' +2023-07-14T16:31:08.376490 DEBUG [main] [Bolt::Executor] Started with 100 max thread(s) +2023-07-14T16:31:08.993975 DEBUG [main] [Bolt::PAL] Loading modules from 
/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/bolt-modules:/root/test/secure_linux_cis/modules:/root/test/secure_linux_cis/.modules:/opt/puppetlabs/bolt/lib/ruby/gems/2.7.0/gems/bolt-3.27.1/modules +2023-07-14T16:31:08.994399 DEBUG [main] [Bolt::Inventory] Tried to load inventory from /root/test/secure_linux_cis/inventory.yaml, but the file does not exist +2023-07-14T16:31:09.391354 INFO [main] [Bolt::R10KLogProxy] Using Puppetfile '/root/test/secure_linux_cis/Puppetfile' +2023-07-14T16:31:09.391472 DEBUG [main] [Bolt::R10KLogProxy] Using moduledir '/root/test/secure_linux_cis/.modules' +2023-07-14T16:31:09.398606 DEBUG [main] [Bolt::R10KLogProxy] Updating modules with 4 threads +2023-07-14T16:31:09.400636 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/chrony +2023-07-14T16:31:09.410547 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/exec +2023-07-14T16:31:09.410969 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/lvm +2023-07-14T16:31:09.411210 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/augeasproviders_shellvar +2023-07-14T16:31:09.411431 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/augeasproviders_grub +2023-07-14T16:31:09.411637 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/cron +2023-07-14T16:31:09.411891 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/mount_core +2023-07-14T16:31:09.412011 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/auditd +2023-07-14T16:31:09.412607 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/reboot +2023-07-14T16:31:09.412865 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/puppet_agent +2023-07-14T16:31:09.413187 INFO [] 
[Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/ntp +2023-07-14T16:31:09.413476 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/mailalias_core +2023-07-14T16:31:09.412345 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/stdlib +2023-07-14T16:31:09.417921 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/inifile +2023-07-14T16:31:09.418151 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/firewall +2023-07-14T16:31:09.418511 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/concat +2023-07-14T16:31:09.418761 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/augeas_core +2023-07-14T16:31:09.418948 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/systemd +2023-07-14T16:31:09.419152 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/selinux +2023-07-14T16:31:09.419486 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/postfix +2023-07-14T16:31:09.419684 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/logrotate +2023-07-14T16:31:09.419881 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/kmod +2023-07-14T16:31:09.420084 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/firewalld +2023-07-14T16:31:09.420275 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/alternatives +2023-07-14T16:31:09.420514 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/augeas +2023-07-14T16:31:09.420712 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/apt +2023-07-14T16:31:09.420911 INFO [] [Bolt::R10KLogProxy] Deploying module to 
/root/test/secure_linux_cis/.modules/facts +2023-07-14T16:31:09.421118 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/augeasproviders_core +2023-07-14T16:31:09.421309 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/augeasproviders_pam +2023-07-14T16:31:09.421588 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/augeasproviders_sysctl +2023-07-14T16:31:09.421804 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/service +2023-07-14T16:31:09.422045 INFO [] [Bolt::R10KLogProxy] Deploying module to /root/test/secure_linux_cis/.modules/package +2023-07-14T16:31:09.422355 DEBUG [] [Bolt::R10KLogProxy] Module thread 10280 exiting: queue empty +2023-07-14T16:31:09.422577 DEBUG [] [Bolt::R10KLogProxy] Module thread 10300 exiting: queue empty +2023-07-14T16:31:09.422909 DEBUG [] [Bolt::R10KLogProxy] Module thread 10320 exiting: queue empty +2023-07-14T16:31:09.646037 DEBUG [] [Bolt::R10KLogProxy] Using cached copy of puppet-chrony-3.0.0 tarball +2023-07-14T16:31:09.646099 DEBUG [] [Bolt::R10KLogProxy] Verifying that /root/.r10k/cache/puppet-chrony-3.0.0/tarball/puppet-chrony-3.0.0.tar.gz matches checksum +2023-07-14T16:31:09.647165 DEBUG [] [Bolt::R10KLogProxy] Unpacking /root/.r10k/cache/puppet-chrony-3.0.0/tarball/puppet-chrony-3.0.0.tar.gz to /root/test/secure_linux_cis/.modules/chrony (with tmpdir /tmp/d20230714-13924-1xss5rf/puppet-chrony-3.0.0) +2023-07-14T16:31:09.695870 DEBUG [] [Bolt::R10KLogProxy] Valid files unpacked: ["puppet-chrony-3.0.0", "puppet-chrony-3.0.0/CHANGELOG.md", "puppet-chrony-3.0.0/CONTRIBUTORS", "puppet-chrony-3.0.0/HISTORY.md", "puppet-chrony-3.0.0/LICENSE", "puppet-chrony-3.0.0/README.md", "puppet-chrony-3.0.0/REFERENCE.md", "puppet-chrony-3.0.0/data", "puppet-chrony-3.0.0/data/Archlinux.yaml", "puppet-chrony-3.0.0/data/Gentoo.yaml", "puppet-chrony-3.0.0/data/RedHat", 
"puppet-chrony-3.0.0/data/RedHat/9.yaml", "puppet-chrony-3.0.0/data/RedHat.yaml", "puppet-chrony-3.0.0/data/Suse.yaml", "puppet-chrony-3.0.0/examples", "puppet-chrony-3.0.0/examples/init.pp", "puppet-chrony-3.0.0/functions", "puppet-chrony-3.0.0/functions/server_array_to_hash.pp", "puppet-chrony-3.0.0/hiera.yaml", "puppet-chrony-3.0.0/manifests", "puppet-chrony-3.0.0/manifests/config.pp", "puppet-chrony-3.0.0/manifests/init.pp", "puppet-chrony-3.0.0/manifests/install.pp", "puppet-chrony-3.0.0/manifests/service.pp", "puppet-chrony-3.0.0/metadata.json", "puppet-chrony-3.0.0/templates", "puppet-chrony-3.0.0/templates/chrony.conf.epp", "puppet-chrony-3.0.0/templates/chrony.keys.epp", "puppet-chrony-3.0.0/types", "puppet-chrony-3.0.0/types/servers.pp"] +2023-07-14T16:31:09.696201 DEBUG [] [Bolt::R10KLogProxy] Module thread 10340 exiting: queue empty +2023-07-14T16:31:09.698995 DEBUG [main] [Bolt::R10KLogProxy] No unmanaged contents in /root/test/secure_linux_cis/.modules, nothing to purge +2023-07-14T16:31:10.669714 WARN [main] [Puppet] Enum parameters must be identifiers or strings (file & line not available) -2022-11-16T21:41:16.580093 INFO [main] [Puppet] Generating Puppet resource types. -2022-11-16T21:41:16.627749 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/alternative_entry.pp' using 'pcore' format. -2022-11-16T21:41:16.669755 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/alternatives.pp' using 'pcore' format. -2022-11-16T21:41:16.718645 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/apt_key.pp' using 'pcore' format. -2022-11-16T21:41:16.771255 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/augeas.pp' using 'pcore' format. 
-2022-11-16T21:41:16.808097 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/augeasprovider.pp' using 'pcore' format. -2022-11-16T21:41:16.840057 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/grub_config.pp' using 'pcore' format. -2022-11-16T21:41:16.885007 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/grub_menuentry.pp' using 'pcore' format. -2022-11-16T21:41:16.918806 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/grub_user.pp' using 'pcore' format. -2022-11-16T21:41:16.968804 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/kernel_parameter.pp' using 'pcore' format. -2022-11-16T21:41:17.018624 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/pam.pp' using 'pcore' format. -2022-11-16T21:41:17.064481 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/shellvar.pp' using 'pcore' format. -2022-11-16T21:41:17.099752 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/sysctl.pp' using 'pcore' format. -2022-11-16T21:41:17.212027 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/concat_file.pp' using 'pcore' format. -2022-11-16T21:41:17.234146 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/concat_fragment.pp' using 'pcore' format. -2022-11-16T21:41:17.988995 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewall.pp' using 'pcore' format. -2022-11-16T21:41:18.029819 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewallchain.pp' using 'pcore' format. 
-2022-11-16T21:41:18.062821 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewalld_custom_service.pp' using 'pcore' format. -2022-11-16T21:41:18.092098 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewalld_direct_chain.pp' using 'pcore' format. -2022-11-16T21:41:18.122401 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewalld_direct_passthrough.pp' using 'pcore' format. -2022-11-16T21:41:18.183157 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewalld_direct_purge.pp' using 'pcore' format. -2022-11-16T21:41:18.187435 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewalld_direct_rule.pp' using 'pcore' format. -2022-11-16T21:41:18.224394 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewalld_ipset.pp' using 'pcore' format. -2022-11-16T21:41:18.253411 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewalld_port.pp' using 'pcore' format. -2022-11-16T21:41:18.285391 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewalld_rich_rule.pp' using 'pcore' format. -2022-11-16T21:41:18.313443 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewalld_service.pp' using 'pcore' format. -2022-11-16T21:41:18.346535 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/firewalld_zone.pp' using 'pcore' format. -2022-11-16T21:41:18.381216 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/ini_setting.pp' using 'pcore' format. 
-2022-11-16T21:41:18.416382 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/ini_subsetting.pp' using 'pcore' format. -2022-11-16T21:41:18.469276 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/filesystem.pp' using 'pcore' format. -2022-11-16T21:41:18.514832 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/logical_volume.pp' using 'pcore' format. -2022-11-16T21:41:18.547387 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/physical_volume.pp' using 'pcore' format. -2022-11-16T21:41:18.581736 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/volume_group.pp' using 'pcore' format. -2022-11-16T21:41:18.614709 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/mailalias.pp' using 'pcore' format. -2022-11-16T21:41:18.664975 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/mount.pp' using 'pcore' format. -2022-11-16T21:41:18.695134 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/puppet_agent_end_run.pp' using 'pcore' format. -2022-11-16T21:41:18.725061 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/puppet_agent_upgrade_error.pp' using 'pcore' format. -2022-11-16T21:41:18.774324 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/reboot.pp' using 'pcore' format. -2022-11-16T21:41:18.819523 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/selinux_fcontext.pp' using 'pcore' format. -2022-11-16T21:41:18.851470 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/selinux_fcontext_equivalence.pp' using 'pcore' format. 
-2022-11-16T21:41:18.882445 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/selinux_permissive.pp' using 'pcore' format. -2022-11-16T21:41:18.980007 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/selinux_port.pp' using 'pcore' format. -2022-11-16T21:41:19.004368 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/anchor.pp' using 'pcore' format. -2022-11-16T21:41:19.042499 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/file_line.pp' using 'pcore' format. -2022-11-16T21:41:19.073973 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/loginctl_user.pp' using 'pcore' format. -2022-11-16T21:41:19.116464 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/cron.pp' using 'pcore' format. -2022-11-16T21:41:19.156219 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/host.pp' using 'pcore' format. -2022-11-16T21:41:19.207373 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/scheduled_task.pp' using 'pcore' format. -2022-11-16T21:41:19.237704 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/selboolean.pp' using 'pcore' format. -2022-11-16T21:41:19.267913 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/selmodule.pp' using 'pcore' format. -2022-11-16T21:41:19.304118 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/ssh_authorized_key.pp' using 'pcore' format. -2022-11-16T21:41:19.339079 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/sshkey.pp' using 'pcore' format. 
-2022-11-16T21:41:19.403177 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/yumrepo.pp' using 'pcore' format. -2022-11-16T21:41:19.441012 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/zfs.pp' using 'pcore' format. -2022-11-16T21:41:19.478089 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/zpool.pp' using 'pcore' format. -2022-11-16T21:41:19.521239 INFO [main] [Puppet] Generating '/Users/bryanbelanger/projects/secure_linux_cis/.resource_types/zone.pp' using 'pcore' format. +2023-07-14T16:31:11.244370 INFO [main] [Puppet] Generating Puppet resource types. +2023-07-14T16:31:11.334346 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/cron.pp' using 'pcore' format. +2023-07-14T16:31:11.360107 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/host.pp' using 'pcore' format. +2023-07-14T16:31:11.408161 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/scheduled_task.pp' using 'pcore' format. +2023-07-14T16:31:11.430592 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/selboolean.pp' using 'pcore' format. +2023-07-14T16:31:11.456509 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/selmodule.pp' using 'pcore' format. +2023-07-14T16:31:11.490055 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/ssh_authorized_key.pp' using 'pcore' format. +2023-07-14T16:31:11.514729 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/sshkey.pp' using 'pcore' format. +2023-07-14T16:31:11.569120 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/yumrepo.pp' using 'pcore' format. +2023-07-14T16:31:11.600092 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/zfs.pp' using 'pcore' format. 
+2023-07-14T16:31:11.625177 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/zpool.pp' using 'pcore' format. +2023-07-14T16:31:11.657805 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/zone.pp' using 'pcore' format. +2023-07-14T16:31:11.711879 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/alternative_entry.pp' using 'pcore' format. +2023-07-14T16:31:11.761056 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/alternatives.pp' using 'pcore' format. +2023-07-14T16:31:11.803913 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/apt_key.pp' using 'pcore' format. +2023-07-14T16:31:11.840057 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/augeas.pp' using 'pcore' format. +2023-07-14T16:31:11.865843 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/augeasprovider.pp' using 'pcore' format. +2023-07-14T16:31:11.888690 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/grub_config.pp' using 'pcore' format. +2023-07-14T16:31:11.929796 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/grub_menuentry.pp' using 'pcore' format. +2023-07-14T16:31:11.957359 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/grub_user.pp' using 'pcore' format. +2023-07-14T16:31:11.981906 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/kernel_parameter.pp' using 'pcore' format. +2023-07-14T16:31:12.011471 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/pam.pp' using 'pcore' format. +2023-07-14T16:31:12.041425 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/shellvar.pp' using 'pcore' format. +2023-07-14T16:31:12.067453 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/sysctl.pp' using 'pcore' format. 
+2023-07-14T16:31:12.169717 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/concat_file.pp' using 'pcore' format. +2023-07-14T16:31:12.183310 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/concat_fragment.pp' using 'pcore' format. +2023-07-14T16:31:13.561331 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewall.pp' using 'pcore' format. +2023-07-14T16:31:13.595902 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewallchain.pp' using 'pcore' format. +2023-07-14T16:31:13.625049 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewalld_custom_service.pp' using 'pcore' format. +2023-07-14T16:31:13.652141 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewalld_direct_chain.pp' using 'pcore' format. +2023-07-14T16:31:13.677511 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewalld_direct_passthrough.pp' using 'pcore' format. +2023-07-14T16:31:13.728673 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewalld_direct_purge.pp' using 'pcore' format. +2023-07-14T16:31:13.734471 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewalld_direct_rule.pp' using 'pcore' format. +2023-07-14T16:31:13.765450 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewalld_ipset.pp' using 'pcore' format. +2023-07-14T16:31:13.790665 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewalld_port.pp' using 'pcore' format. +2023-07-14T16:31:13.818185 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewalld_rich_rule.pp' using 'pcore' format. +2023-07-14T16:31:13.839618 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewalld_service.pp' using 'pcore' format. 
+2023-07-14T16:31:13.873627 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/firewalld_zone.pp' using 'pcore' format. +2023-07-14T16:31:13.909440 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/ini_setting.pp' using 'pcore' format. +2023-07-14T16:31:13.943209 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/ini_subsetting.pp' using 'pcore' format. +2023-07-14T16:31:14.007982 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/filesystem.pp' using 'pcore' format. +2023-07-14T16:31:14.055428 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/logical_volume.pp' using 'pcore' format. +2023-07-14T16:31:14.080131 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/physical_volume.pp' using 'pcore' format. +2023-07-14T16:31:14.108727 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/volume_group.pp' using 'pcore' format. +2023-07-14T16:31:14.135868 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/mailalias.pp' using 'pcore' format. +2023-07-14T16:31:14.216259 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/mount.pp' using 'pcore' format. +2023-07-14T16:31:14.258306 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/puppet_agent_end_run.pp' using 'pcore' format. +2023-07-14T16:31:14.310758 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/puppet_agent_upgrade_error.pp' using 'pcore' format. +2023-07-14T16:31:14.390350 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/reboot.pp' using 'pcore' format. +2023-07-14T16:31:14.445556 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/selinux_fcontext.pp' using 'pcore' format. 
+2023-07-14T16:31:14.466540 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/selinux_fcontext_equivalence.pp' using 'pcore' format. +2023-07-14T16:31:14.490207 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/selinux_permissive.pp' using 'pcore' format. +2023-07-14T16:31:14.561036 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/selinux_port.pp' using 'pcore' format. +2023-07-14T16:31:14.574756 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/anchor.pp' using 'pcore' format. +2023-07-14T16:31:14.619411 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/file_line.pp' using 'pcore' format. +2023-07-14T16:31:14.642921 INFO [main] [Puppet] Generating '/root/test/secure_linux_cis/.resource_types/loginctl_user.pp' using 'pcore' format. diff --git a/bolt-project.yaml b/bolt-project.yaml index 946c1276..ff575813 100644 --- a/bolt-project.yaml +++ b/bolt-project.yaml @@ -30,3 +30,4 @@ modules: - puppetlabs/service - puppetlabs/exec - puppetlabs/package +- puppet/chrony diff --git a/manifests/rules/ensure_users_must_provide_password_for_escalation.pp b/manifests/rules/ensure_users_must_provide_password_for_escalation.pp index 6bb48fda..072d3939 100644 --- a/manifests/rules/ensure_users_must_provide_password_for_escalation.pp +++ b/manifests/rules/ensure_users_must_provide_password_for_escalation.pp @@ -3,5 +3,10 @@ # @summary Ensure users must provide password for escalation # class secure_linux_cis::rules::ensure_users_must_provide_password_for_escalation { - # TODO + exec { 'Ensure users must provide password for escalation': + command => "/usr/bin/grep -rl '^[^#].*NOPASSWD:' /etc/sudoers /etc/sudoers.d/ | xargs sed -ri '/^#/! s/(\\s+)NOPASSWD:/\\1PASSWD:/g'", + onlyif => "/usr/bin/grep -rq '^[^#].*NOPASSWD:' /etc/sudoers /etc/sudoers.d/", + logoutput => true, + } + } From 9de12ef30f8da88a766d538d4a7672be59109920 Mon Sep 17 00:00:00 2001 
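Review bot: The `command` in the new exec rewrites `/etc/sudoers` and every file under `/etc/sudoers.d/` in place with `sed -ri`, and nothing validates the result, so a bad substitution can leave sudo unusable on the node. A follow-up syntax check with `visudo -c` that fails the run on error would catch a broken file before anyone depends on it. The command also pipes into `xargs`; declaring `provider => shell` makes the need for a shell explicit rather than relying on how the default provider presumably hands the string to the system. The same unvalidated in-place edit is used by the re-authentication and sudo-timeout execs later in this series.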
From: Sergejs Glusnevs Date: Sun, 16 Jul 2023 20:31:18 +0200 Subject: [PATCH 16/42] Fixed rule: 'Ensure re-authentication for privilege escalation is not disabled globally' --- ..._for_privilege_escalation_is_not_disabled_globally.pp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/manifests/rules/ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally.pp b/manifests/rules/ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally.pp index 12e0f900..733f7000 100644 --- a/manifests/rules/ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally.pp +++ b/manifests/rules/ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally.pp @@ -1,7 +1,12 @@ # @api private # -# @summary Ensure re-authentication for privilege escalation is not disabled globally +# @summary Ensure re-authentication for privilege escalation is not disabled globally # class secure_linux_cis::rules::ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally { - # TODO + exec { 'Ensure re-authentication for privilege escalation is not disabled globally': + command => "/usr/bin/grep -rl '^[^#].*\!authenticate' /etc/sudoers /etc/sudoers.d/ | xargs sed -ri '/^#/! s/(\\s+)\!authenticate/\\1authenticate/g'", + onlyif => "/usr/bin/grep -rq '^[^#].*\!authenticate' /etc/sudoers /etc/sudoers.d/", + logoutput => true, + } + } From 411133ddef6f9dda188f1d6483efe9f4c3c2f32d Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Sun, 23 Jul 2023 11:34:38 +0200 Subject: [PATCH 17/42] Rule 'Ensure sudo authentication timeout is configured correctly' implemented --- ...udo_authentication_timeout_is_configured_correctly.pp | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/manifests/rules/ensure_sudo_authentication_timeout_is_configured_correctly.pp b/manifests/rules/ensure_sudo_authentication_timeout_is_configured_correctly.pp index 2eea3fe2..1b6b90dd 100644 
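Review bot: `onlyif` and the sed expression in this exec do not select the same lines: the grep fires on any uncommented line containing `!authenticate`, while the substitution only rewrites occurrences preceded by whitespace (`(\\s+)`). A constructed entry such as `Defaults env_reset,!authenticate` would therefore trigger the exec on every run without ever being corrected. Dropping the whitespace requirement, e.g. `s/!authenticate/authenticate/g` behind the same `/^#/!` address, keeps the guard and the edit in step. The `\!` inside a double-quoted Puppet string is not a recognised escape and is probably unnecessary; a plain `!` avoids the warning.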
--- a/manifests/rules/ensure_sudo_authentication_timeout_is_configured_correctly.pp +++ b/manifests/rules/ensure_sudo_authentication_timeout_is_configured_correctly.pp @@ -1,7 +1,12 @@ # @api private # -# @summary Ensure sudo authentication timeout is configured correctly +# @summary Ensure sudo authentication timeout is configured correctly # class secure_linux_cis::rules::ensure_sudo_authentication_timeout_is_configured_correctly { - # TODO + exec { 'Ensure sudo authentication timeout is configured correctly': + command => "/usr/bin/grep -rl '^[^#].*NOPASSWD:' /etc/sudoers /etc/sudoers.d/ | xargs sed -ri '/^#/! s/(\\s+)NOPASSWD:/\\1PASSWD:/g'", + onlyif => "/usr/bin/grep -rq '^[^#].*NOPASSWD:' /etc/sudoers /etc/sudoers.d/", + logoutput => true, + } + } From 47cb417b37e26ce710e587bdf1112633bdb860af Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Sun, 23 Jul 2023 12:19:42 +0200 Subject: [PATCH 18/42] Added Rule 'Ensure password hashing algorithm is SHA-512 or yescrypt' --- data/os/RedHat/version/9.yaml | 6 +++-- data/os/Rocky/version/9.yaml | 6 +++-- ...ashing_algorithm_is_sha_512_or_yescrypt.sh | 16 ++++++++++++ ...ashing_algorithm_is_sha_512_or_yescrypt.pp | 26 +++++++++++++++++++ 4 files changed, 50 insertions(+), 4 deletions(-) create mode 100644 files/ensure_password_hashing_algorithm_is_sha_512_or_yescrypt.sh create mode 100644 manifests/rules/ensure_password_hashing_algorithm_is_sha_512_or_yescrypt.pp diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index 6c3e767f..58a2a981 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml 
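Review bot: The exec titled 'Ensure sudo authentication timeout is configured correctly' carries the NOPASSWD rewrite from `ensure_users_must_provide_password_for_escalation`, so neither `command` nor `onlyif` looks at the sudo timeout at all. A rule with this name would be expected to manage the `timestamp_timeout` Defaults option in sudoers; as written the node is treated as done once no `NOPASSWD:` tag remains, whatever the timeout is. Replacing both strings with a check and edit of `timestamp_timeout`, or keeping the `# TODO` until that exists, avoids reporting coverage the rule does not provide.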
@@ -149,6 +149,7 @@ secure_linux_cis::server_level_1: - ensure_password_creation_requirements_are_configured - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited +- ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -372,6 +373,7 @@ secure_linux_cis::server_level_2: - ensure_password_creation_requirements_are_configured - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited +- ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -407,7 +409,6 @@ secure_linux_cis::server_level_2: - ensure_successful_file_system_mounts_are_collected - ensure_journald_is_configured_to_compress_large_log_files - ensure_ssh_permitemptypasswords_is_disabled -- ensure_password_reuse_is_limited - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files secure_linux_cis::workstation_level_1: @@ -555,6 +556,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_creation_requirements_are_configured - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited +- ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories 
@@ -777,6 +779,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_creation_requirements_are_configured - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited +- ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -813,6 +816,5 @@ secure_linux_cis::workstation_level_2: - ensure_successful_file_system_mounts_are_collected - ensure_journald_is_configured_to_compress_large_log_files - ensure_ssh_permitemptypasswords_is_disabled -- ensure_password_reuse_is_limited - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index cefaa04b..186f44a5 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml @@ -149,6 +149,7 @@ secure_linux_cis::server_level_1: - ensure_password_creation_requirements_are_configured - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited +- ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -372,6 +373,7 @@ secure_linux_cis::server_level_2: - ensure_password_creation_requirements_are_configured - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited +- ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories 
@@ -407,7 +409,6 @@ secure_linux_cis::server_level_2: - ensure_successful_file_system_mounts_are_collected - ensure_journald_is_configured_to_compress_large_log_files - ensure_ssh_permitemptypasswords_is_disabled -- ensure_password_reuse_is_limited - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files secure_linux_cis::workstation_level_1: @@ -554,6 +555,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_creation_requirements_are_configured - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited +- ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -777,6 +779,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_creation_requirements_are_configured - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited +- ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -813,6 +816,5 @@ secure_linux_cis::workstation_level_2: - ensure_successful_file_system_mounts_are_collected - ensure_journald_is_configured_to_compress_large_log_files - ensure_ssh_permitemptypasswords_is_disabled -- ensure_password_reuse_is_limited - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files diff --git a/files/ensure_password_hashing_algorithm_is_sha_512_or_yescrypt.sh b/files/ensure_password_hashing_algorithm_is_sha_512_or_yescrypt.sh new file mode 100644 index 00000000..0e16fb6d --- /dev/null +++ b/files/ensure_password_hashing_algorithm_is_sha_512_or_yescrypt.sh 
@@ -0,0 +1,16 @@ +#!/usr/bin/env bash +{ + if [ -f /etc/authselect/authselect.conf ]; then + for fn in system-auth password-auth; do + file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn" + if ! grep -Pq -- '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so(\h+[^#\n\r]+)?\h+sha512\b.*$' "$file"; then + if grep -Pq -- '^\h*password\h+(requisite|required|sufficient)\h+pam_unix\.so(\h+[^#\n\r]+)?\h+(md5|blowfish|bigcrypt|sha256|yescrypt)\b.*$' "$file"; then + sed -ri 's/(md5|blowfish|bigcrypt|sha256|yescrypt)/sha512/' "$file" + else + sed -ri 's/(^\s*password\s+(requisite|required|sufficient)\s+pam_unix.so\s+)(.*)$/\1sha512 \3/' "$file" + fi + authselect apply-changes + fi + done + fi +} diff --git a/manifests/rules/ensure_password_hashing_algorithm_is_sha_512_or_yescrypt.pp b/manifests/rules/ensure_password_hashing_algorithm_is_sha_512_or_yescrypt.pp new file mode 100644 index 00000000..6698796b --- /dev/null +++ b/manifests/rules/ensure_password_hashing_algorithm_is_sha_512_or_yescrypt.pp @@ -0,0 +1,26 @@ +# @api private +# +# @summary Ensure password hashing algorithm is SHA-512 or yescrypt +# +class secure_linux_cis::rules::ensure_password_hashing_algorithm_is_sha_512_or_yescrypt ( + String $crypt_style_login_defs = 'SHA512', + String $encrypt_method_libuser_conf = 'sha512', + +) { + file_line { 'Ensure ENCRYPT_METHOD set properly': + path => '/etc/login.defs', + match => '^\s*ENCRYPT_METHOD\s+', + line => "ENCRYPT_METHOD $crypt_style_login_defs", + } + file_line { 'ensure crypt_style is set to sha512 in /etc/libuser.conf': + ensure => present, + path => '/etc/libuser.conf', + match => '^\s*crypt_style\s*=', + line => "crypt_style = $encrypt_method_libuser_conf", + multiple => true, + } + exec { "Ensure password hashing algorithm is SHA-512 or yescrypt": + command => "/usr/share/cis_scripts/ensure_password_hashing_algorithm_is_sha_512_or_yescrypt.sh", + logoutput => true, + } +} 
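Review bot: The first `sed -ri 's/(md5|blowfish|bigcrypt|sha256|yescrypt)/sha512/' "$file"` is not limited to the `pam_unix.so` password line that the preceding grep matched, so it rewrites the first such token on every line of the file, comments and other modules included. It also replaces `yescrypt`, and the outer check accepts only `sha512`, although the rule name allows yescrypt. Restricting the edit with an address, e.g. `sed -ri '/^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so/ s/\b(md5|blowfish|bigcrypt|sha256)\b/sha512/' "$file"`, and accepting `(sha512|yescrypt)` in the first grep would match the stated intent. When the first line of `authselect.conf` is not a `custom/` profile the path collapses to `/etc/authselect//$fn`, which looks unintended.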
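Review bot: The `exec` at the end of the class has no `onlyif`, `unless` or `refreshonly`, so the script runs and is reported as a change on every agent run, and nothing in the hunk ensures `/usr/share/cis_scripts/ensure_password_hashing_algorithm_is_sha_512_or_yescrypt.sh` is in place before it is called. The execs added later in this series for the home-directory and UID 0 rules have the same shape. Separately, both parameters are plain `String`, so Hiera data can select a weak algorithm without any type error; `Enum['SHA512', 'YESCRYPT'] $crypt_style_login_defs = 'SHA512'` (and the equivalent for the libuser value, if yescrypt is supported there) would keep the values to what the rule name allows.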
From cd084641b2a383477ada3ee6236e271ae6abe97d Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 14:55:24 +0200 Subject: [PATCH 19/42] Added Rule 'Ensure local interactive user home directories are mode 750 or more restrictive' --- data/os/RedHat/version/9.yaml | 4 ++++ data/os/Rocky/version/9.yaml | 8 ++++++-- ..._directories_are_mode_750_or_more_restrictive.sh | 13 +++++++++++++ ..._directories_are_mode_750_or_more_restrictive.pp | 10 ++++++++++ 4 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 files/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.sh create mode 100644 manifests/rules/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.pp diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index 58a2a981..543a8c06 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml @@ -150,6 +150,7 @@ secure_linux_cis::server_level_1: - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt +- ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -374,6 +375,7 @@ secure_linux_cis::server_level_2: - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt +- ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories 
@@ -557,6 +559,7 @@ secure_linux_cis::workstation_level_1: - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt +- ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -780,6 +783,7 @@ secure_linux_cis::workstation_level_2: - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt +- ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index 186f44a5..543a8c06 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml @@ -150,6 +150,7 @@ secure_linux_cis::server_level_1: - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt +- ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories 
@@ -322,7 +323,7 @@ secure_linux_cis::server_level_2: - ensure_kernel_module_loading_unloading_and_modification_is_collected - ensure_the_audit_configuration_is_immutable - ensure_audit_log_files_are_mode_0640_or_less_permissive -- ensure_only_authorized_users_own_audit_log_files +- ensure_only_authorized_users_own_audit_log_files - ensure_the_audit_log_directory_is_0750_or_more_restrictive - ensure_audit_configuration_files_are_640_or_more_restrictive - ensure_audit_tools_are_755_or_more_restrictive @@ -374,6 +375,7 @@ secure_linux_cis::server_level_2: - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt +- ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -541,6 +543,7 @@ secure_linux_cis::workstation_level_1: - ensure_ssh_permituserenvironment_is_disabled - ensure_ssh_ignorerhosts_is_enabled - ensure_system_wide_crypto_policy_is_not_over_ridden +- ensure_ssh_x11_forwarding_is_disabled - ensure_ssh_warning_banner_is_configured - ensure_ssh_maxstartups_is_configured - ensure_ssh_logingracetime_is_set_to_one_minute_or_less @@ -556,6 +559,7 @@ secure_linux_cis::workstation_level_1: - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt +- ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories 
@@ -584,7 +588,6 @@ secure_linux_cis::workstation_level_1: - ensure_no_users_have_forward_files - ensure_no_users_have_netrc_files - ensure_no_users_have_rhosts_files -- ensure_ssh_x11_forwarding_is_disabled secure_linux_cis::workstation_level_2: - ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled @@ -780,6 +783,7 @@ secure_linux_cis::workstation_level_2: - ensure_lockout_for_failed_password_attempts_is_configured - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt +- ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories diff --git a/files/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.sh b/files/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.sh new file mode 100644 index 00000000..c2928156 --- /dev/null +++ b/files/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +{ + perm_mask='0027' + maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )" + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + mode=$( stat -L -c '%#a' "$home" ) + if [ $(( $mode & $perm_mask )) -gt 0 ]; then + echo -e "- modifying User $user home directory: \"$home\"\n- removing excessive permissions from current mode of \"$mode\"" + chmod g-w,o-rwx "$home" + fi + done) +} diff --git a/manifests/rules/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.pp b/manifests/rules/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.pp new file mode 100644 index 00000000..01a9399c --- /dev/null 
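Review bot: The loop calls `stat` and `chmod` on whatever `/etc/passwd` lists as the home directory without checking that it exists or belongs to that user alone. A missing directory leaves `$mode` empty so the `$(( $mode & $perm_mask ))` test errors out, and an account with a valid shell whose home is a shared path such as `/` would have that path's permissions tightened for everyone. A guard like `[ -d "$home" ] || continue` at the top of the loop, plus skipping `/`, covers both cases. `maxperm` is computed but never used.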
+++ b/manifests/rules/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.pp @@ -0,0 +1,10 @@ +# @api private +# +# @summary Ensure local interactive user home directories are mode 750 or more restrictive +# +class secure_linux_cis::rules::ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive { + exec { "Ensure password hashing algorithm is SHA-512 or yescrypt": + command => "/usr/share/cis_scripts/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.sh", + logoutput => true, + } +} From d1d342e44c8e2df212502001a6499a740e5f8e4f Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 15:21:38 +0200 Subject: [PATCH 20/42] Typo fix --- ...ve_user_home_directories_are_mode_750_or_more_restrictive.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/rules/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.pp b/manifests/rules/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.pp index 01a9399c..983f78b8 100644 --- a/manifests/rules/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.pp +++ b/manifests/rules/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.pp @@ -3,7 +3,7 @@ # @summary Ensure local interactive user home directories are mode 750 or more restrictive # class secure_linux_cis::rules::ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive { - exec { "Ensure password hashing algorithm is SHA-512 or yescrypt": + exec { "Ensure local interactive user home directories are mode 750 or more restrictive": command => "/usr/share/cis_scripts/ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive.sh", logoutput => true, } From 6df3c83e2f48c38c9badc7877ac73009c6b9357d Mon Sep 17 00:00:00 2001 
From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 15:21:57 +0200 Subject: [PATCH 21/42] Rule added: 'Ensure root is the only UID 0 account' --- data/os/RedHat/version/9.yaml | 4 ++++ data/os/Rocky/version/9.yaml | 4 ++++ .../rules/ensure_root_is_the_only_uid_0_account.pp | 10 ++++++++++ 3 files changed, 18 insertions(+) create mode 100644 manifests/rules/ensure_root_is_the_only_uid_0_account.pp diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index 543a8c06..16d6d662 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml @@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -376,6 +377,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -560,6 +562,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories 
@@ -784,6 +787,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index 543a8c06..16d6d662 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml @@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -376,6 +377,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories @@ -560,6 +562,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories 
@@ -784,6 +787,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured - ensure_sticky_bit_is_set_on_all_world_writable_directories diff --git a/manifests/rules/ensure_root_is_the_only_uid_0_account.pp b/manifests/rules/ensure_root_is_the_only_uid_0_account.pp new file mode 100644 index 00000000..7da6bdae --- /dev/null +++ b/manifests/rules/ensure_root_is_the_only_uid_0_account.pp @@ -0,0 +1,10 @@ +# @api private +# +# @summary Ensure root is the only UID 0 account +# +class secure_linux_cis::rules::ensure_root_is_the_only_uid_0_account { + exec { "Ensure root is the only UID 0 account": + command => "/usr/bin/sed -i '/^[^:]\+:x:0:/{/^root:/!d}' /etc/passwd", + logoutput => true, + } +} From 91f598f8a6b5c0bc349ebe46af6a1cebc4a7a0b7 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 15:55:13 +0200 Subject: [PATCH 22/42] Rule added: 'Ensure root password is set' --- data/os/RedHat/version/9.yaml | 4 ++++ data/os/Rocky/version/9.yaml | 4 ++++ lib/facter/root_password_empty.rb | 8 ++++++++ manifests/rules/ensure_root_password_is_set.pp | 12 ++++++++++++ 4 files changed, 28 insertions(+) create mode 100644 lib/facter/root_password_empty.rb create mode 100644 manifests/rules/ensure_root_password_is_set.pp diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index 16d6d662..e7f364ff 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml 
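Review bot: This exec deletes every non-root UID 0 line from `/etc/passwd` with an in-place `sed`, unconditionally on each run, with no backup and without the locking that the standard account tools apply; any matching `/etc/shadow` and group entries are left behind. The pattern also requires the password field to be exactly `x`, so a UID 0 entry with any other value in that field is missed. Given how costly a wrong match is, reporting such accounts with a `notify` (as `ensure_root_password_is_set` in this series does) or at least adding an `onlyif` that tests for one would be safer than silent removal.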
@@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured @@ -377,6 +378,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured @@ -562,6 +564,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured @@ -787,6 +790,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index 16d6d662..e7f364ff 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml 
@@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured @@ -377,6 +378,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured @@ -562,6 +564,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured @@ -787,6 +790,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past - ensure_system_accounts_are_secured diff --git a/lib/facter/root_password_empty.rb b/lib/facter/root_password_empty.rb new file mode 100644 index 00000000..a7cc4584 --- /dev/null +++ b/lib/facter/root_password_empty.rb 
@@ -0,0 +1,8 @@ +# frozen_string_literal: true + +# root_password_empty.rb + +Facter.add('root_password_empty') do + confine kernel: 'Linux' + setcode "egrep '^root:' /etc/shadow | awk -F: \'($2 == \"\" ) { print $1 \" does not have a password \"}\'" +end diff --git a/manifests/rules/ensure_root_password_is_set.pp b/manifests/rules/ensure_root_password_is_set.pp new file mode 100644 index 00000000..43ac71be --- /dev/null +++ b/manifests/rules/ensure_root_password_is_set.pp @@ -0,0 +1,12 @@ +# @api private +# +# @summary Ensure root password is set +# +class secure_linux_cis::rules::ensure_root_password_is_set { + if $facts['root_password_empty'] { + notify { 'root_pass_emp': + message => 'Not in compliance with CIS (Scored). Root passwort is empty (check fact root_password_empty is set)', + loglevel => 'warning', + } + } +} From 1c9a5d6ef523927d9ea5c98c2714a013b179a6f1 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 16:18:22 +0200 Subject: [PATCH 23/42] Added rule: 'Ensure a single firewall configuration utility is in use' --- data/os/RedHat/version/9.yaml | 4 ++ data/os/Rocky/version/9.yaml | 4 ++ ...irewall_configuration_utility_is_in_use.sh | 46 +++++++++++++++++++ ...irewall_configuration_utility_is_in_use.pp | 10 ++++ 4 files changed, 64 insertions(+) create mode 100755 files/ensure_a_single_firewall_configuration_utility_is_in_use.sh create mode 100644 manifests/rules/ensure_a_single_firewall_configuration_utility_is_in_use.pp diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index e7f364ff..e392dfd4 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml 
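Review bot: The fact resolves either to the message string `root does not have a password ` or to no output at all, never to a boolean, so the manifest's truthiness test relies on Facter treating empty command output as an unset fact. A block form makes the value explicit and avoids the shell pipeline and the escaped quotes: `setcode { File.foreach('/etc/shadow').any? { |l| l.start_with?('root::') } }`. Only an empty second field is detected, so a locked entry (`!` or `*`) counts as "password set" here; confirm that this is what the benchmark's audit expects.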
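Review bot: The `message` string misspells "password" as `passwort`, and the parenthetical "(check fact root_password_empty is set)" reads like an instruction although the fact being set is exactly what triggered the notice. Suggested text: `message => 'Not in compliance with CIS (Scored). Root password is empty (fact root_password_empty is set)',`. A `notify` resource is also reported as a changed resource on every run while the condition holds, which is worth a one-line comment above it if that is the intended way to surface the finding.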
@@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past @@ -378,6 +379,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past @@ -564,6 +566,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past @@ -790,6 +793,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index e7f364ff..e392dfd4 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml 
@@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past @@ -378,6 +379,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past @@ -564,6 +566,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past @@ -790,6 +793,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account - ensure_all_users_last_password_change_date_is_in_the_past diff --git a/files/ensure_a_single_firewall_configuration_utility_is_in_use.sh b/files/ensure_a_single_firewall_configuration_utility_is_in_use.sh new file mode 100755 index 00000000..48d76587 --- /dev/null +++ b/files/ensure_a_single_firewall_configuration_utility_is_in_use.sh 
@@ -0,0 +1,46 @@ +#!/usr/bin/env bash +{ + l_output="" l_output2="" l_fwd_status="" l_nft_status="" l_fwutil_status="" + # Determine FirewallD utility Status + rpm -q firewalld > /dev/null 2>&1 && l_fwd_status="$(systemctl is-enabled firewalld.service):$(systemctl is-active firewalld.service)" + # Determine NFTables utility Status + rpm -q nftables > /dev/null 2>&1 && l_nft_status="$(systemctl is-enabled nftables.service):$(systemctl is-active nftables.service)" + l_fwutil_status="$l_fwd_status:$l_nft_status" + case $l_fwutil_status in + enabled:active:masked:inactive|enabled:active:disabled:inactive) + echo -e "\n - FirewallD utility is in use, enabled and active\n - NFTables utility is correctly disabled or masked and inactive\n - no remediation required" ;; + masked:inactive:enabled:active|disabled:inactive:enabled:active) + echo -e "\n - NFTables utility is in use, enabled and active\n - FirewallD utility is correctly disabled or masked and inactive\n - no remediation required" ;; + enabled:active:enabled:active) + echo -e "\n - Both FirewallD and NFTables utilities are enabled and active\n - stopping and masking NFTables utility" + systemctl stop nftables && systemctl --now mask nftables ;; + enabled:*:enabled:*) + echo -e "\n - Both FirewallD and NFTables utilities are enabled\n - remediating" + if [ "$(awk -F: '{print $2}' <<< "$l_fwutil_status")" = "active" ] && [ "$(awk -F: '{print $4}' <<< "$l_fwutil_status")" = "inactive" ]; then + echo " - masking NFTables utility" + systemctl stop nftables && systemctl --now mask nftables + elif [ "$(awk -F: '{print $4}' <<< "$l_fwutil_status")" = "active" ] && [ "$(awk -F: '{print $2}' <<< "$l_fwutil_status")" = "inactive" ]; then + echo " - masking FirewallD utility" + systemctl stop firewalld && systemctl --now mask firewalld + fi ;; + *:active:*:active) + echo -e "\n - Both FirewallD and NFTables utilities are active\n - remediating" + if [ "$(awk -F: '{print $1}' <<< "$l_fwutil_status")" = "enabled" ] && [ "$(awk 
-F: '{print $3}' <<< "$l_fwutil_status")" != "enabled" ]; then + echo " - stopping and masking NFTables utility" + systemctl stop nftables && systemctl --now mask nftables + elif [ "$(awk -F: '{print $3}' <<< "$l_fwutil_status")" = "enabled" ] && [ "$(awk -F: '{print $1}' <<< "$l_fwutil_status")" != "enabled" ]; then + echo " - stopping and masking FirewallD utility" + systemctl stop firewalld && systemctl --now mask firewalld + fi ;; + :enabled:active) + echo -e "\n - NFTables utility is in use, enabled, and active\n - FirewallD package is not installed\n - no remediation required" ;; + :) + echo -e "\n - Neither FirewallD or NFTables is installed.\n - remediating\n - installing NFTables" + dnf -q install nftables ;; + *:*:) + echo -e "\n - NFTables package is not installed on the system\n - remediating\n - installing NFTables" + dnf -q install nftables ;; + *) + echo -e "\n - Unable to determine firewall state" ;; + esac +} diff --git a/manifests/rules/ensure_a_single_firewall_configuration_utility_is_in_use.pp b/manifests/rules/ensure_a_single_firewall_configuration_utility_is_in_use.pp new file mode 100644 index 00000000..8a616ec7 --- /dev/null +++ b/manifests/rules/ensure_a_single_firewall_configuration_utility_is_in_use.pp @@ -0,0 +1,10 @@ +# @api private +# +# @summary Ensure a single firewall configuration utility is in use +# +class secure_linux_cis::rules::ensure_a_single_firewall_configuration_utility_is_in_use { + exec { "Ensure a single firewall configuration utility is in use": + command => "/usr/share/cis_scripts/ensure_a_single_firewall_configuration_utility_is_in_use.sh", + logoutput => true, + } +} From b4ce8a9a7eccdb8395d67ea76f98d2a26a8a4c10 Mon Sep 17 00:00:00 2001 
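Review bot: Both `dnf -q install nftables` calls omit `-y`, so under a non-interactive Puppet exec dnf will not get past its confirmation prompt and the package is not installed; use `dnf -q -y install nftables`. The `*)` branch ("Unable to determine firewall state") only echoes, and the `if`/`elif` blocks in the `enabled:*:enabled:*` and `*:active:*:active` branches do nothing when neither condition matches, so the script can end with status 0 while two firewall front ends are still enabled; returning a non-zero status from those paths would surface the failure in the Puppet report. `systemctl --now mask nftables` already stops the unit, so the preceding `systemctl stop nftables &&` is redundant (same for firewalld).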
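Review bot: `command` executes the script path directly, yet patch 25/42 later in this series changes both firewall scripts to mode 100644 and the scripts added afterwards are created as 100644, so the exec only works if whatever installs them into /usr/share/cis_scripts (not visible in this hunk) sets an executable mode. Calling the interpreter explicitly, `command => '/usr/bin/bash /usr/share/cis_scripts/ensure_a_single_firewall_configuration_utility_is_in_use.sh',`, removes that dependency, and a `require` on the resource that ships the script would make the ordering explicit. Because this exec runs the file as root on every agent run, the deployed copy should be root-owned and not group- or world-writable.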
From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 21:54:25 +0200 Subject: [PATCH 24/42] Added rule: 'Ensure host based firewall loopback traffic is configured' --- ...firewall_loopback_traffic_is_configured.sh | 49 +++++++++++++++++++ ...firewall_loopback_traffic_is_configured.pp | 10 ++++ 2 files changed, 59 insertions(+) create mode 100755 files/ensure_host_based_firewall_loopback_traffic_is_configured.sh create mode 100644 manifests/rules/ensure_host_based_firewall_loopback_traffic_is_configured.pp diff --git a/files/ensure_host_based_firewall_loopback_traffic_is_configured.sh b/files/ensure_host_based_firewall_loopback_traffic_is_configured.sh new file mode 100755 index 00000000..707a4742 --- /dev/null +++ b/files/ensure_host_based_firewall_loopback_traffic_is_configured.sh 
@@ -0,0 +1,49 @@ +#!/usr/bin/env bash +{ + l_hbfw="" + if systemctl is-enabled firewalld.service | grep -q 'enabled' && systemctl is-enabled nftables.service | grep -q 'enabled'; then + echo -e "\n - Error - Both FirewallD and NFTables are enabled\n - Please follow recommendation: \"Ensure a single firewall configuration utility is in use\"" + elif ! systemctl is-enabled firewalld.service | grep -q 'enabled' && ! systemctl is-enabled nftables.service | grep -q 'enabled'; then + echo -e "\n - Error - Neither FirewallD or NFTables is enabled\n - Please follow recommendation: \"Ensure a single firewall configuration utility is in use\"" + else + if systemctl is-enabled firewalld.service | grep -q 'enabled' && ! systemctl is-enabled nftables.service | grep -q 'enabled'; then + echo -e "\n - FirewallD is in use on the system" && l_hbfw="fwd" + elif ! systemctl is-enabled firewalld.service | grep -q 'enabled' && systemctl is-enabled nftables.service | grep -q 'enabled'; then + echo -e "\n - NFTables is in use on the system" && l_hbfw="nft" + fi + l_ipsaddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -P -- 'ip\h+saddr')" + if ! nft list ruleset | awk '/hook\s+input\s+/,/\}\s*(#.*)?$/' | grep -Pq -- '\H+\h+"lo"\h+accept'; then + echo -e "\n - Enabling input to accept for loopback address" + if [ "$l_hbfw" = "fwd" ]; then + firewall-cmd --permanent --zone=trusted --add-interface=lo + firewall-cmd --reload + elif [ "$l_hbfw" = "nft" ]; then + nft add rule inet filter input iif lo accept + fi + fi + if ! grep -Pq -- 'ip\h+saddr\h+127\.0\.0\.0\/8\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ipsaddr" && ! 
grep -Pq -- 'ip\h+daddr\h+\!\=\h+127\.0\.0\.1\h+ip\h+saddr\h+127\.0\.0\.1\h+drop' <<< "$l_ipsaddr"; then + echo -e "\n - Setting IPv4 network traffic from loopback address to drop" + if [ "$l_hbfw" = "fwd" ]; then + firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop' + firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop' + firewall-cmd --reload + elif [ "$l_hbfw" = "nft" ]; then + nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop + fi + fi + + if grep -Pq -- '^\h*0\h*$' /sys/module/ipv6/parameters/disable; then + l_ip6saddr="$(nft list ruleset | awk '/filter_IN_public_deny|hook input/,/}/' | grep 'ip6 saddr')" + if ! grep -Pq 'ip6\h+saddr\h+::1\h+(counter\h+packets\h+\d+\h+bytes\h+\d+\h+)?drop' <<< "$l_ip6saddr" && ! grep -Pq -- 'ip6\h+daddr\h+\!=\h+::1\h+ip6\h+saddr\h+::1\h+drop' <<< "$l_ip6saddr"; then + echo -e "\n - Setting IPv6 network traffic from loopback address to drop" + if [ "$l_hbfw" = "fwd" ]; then + firewall-cmd --permanent --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop' + firewall-cmd --permanent --zone=trusted --add-rich-rule='rule family=ipv6 source address="::1" destination not address="::1" drop' + firewall-cmd --reload + elif [ "$l_hbfw" = "nft" ]; then + nft add rule inet filter input ip6 saddr ::1 counter drop + fi + fi + fi + fi +} diff --git a/manifests/rules/ensure_host_based_firewall_loopback_traffic_is_configured.pp b/manifests/rules/ensure_host_based_firewall_loopback_traffic_is_configured.pp new file mode 100644 index 00000000..de9e23d7 --- /dev/null +++ b/manifests/rules/ensure_host_based_firewall_loopback_traffic_is_configured.pp 
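Review bot: The IPv4 nftables branch uses `nft create rule inet filter input ip saddr 127.0.0.0/8 counter drop`, while every other rule insertion in this script uses `nft add rule`; as far as I know nft accepts `create` for tables, chains and sets but not for rules, so this line would fail and the IPv4 loopback-source drop would never be installed. Use `nft add rule inet filter input ip saddr 127.0.0.0/8 counter drop`. The nft commands also assume that an `inet filter` table with an `input` chain already exists, and no exit status is checked, so a failed command in the IPv4 part can go unnoticed when the IPv6 part ends cleanly. The rules go into the running ruleset only; whether they are persisted for the nftables service is not shown in this hunk.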
@@ -0,0 +1,10 @@ +# @api private +# +# @summary Ensure host based firewall loopback traffic is configured +# +class secure_linux_cis::rules::ensure_host_based_firewall_loopback_traffic_is_configured { + exec { "Ensure host based firewall loopback traffic is configured": + command => "/usr/share/cis_scripts/ensure_host_based_firewall_loopback_traffic_is_configured.sh", + logoutput => true, + } +} From 03b6cfe215b9b7f9a4dbb21f778a23843d11562b Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 22:08:06 +0200 Subject: [PATCH 25/42] File rights fixed --- files/ensure_a_single_firewall_configuration_utility_is_in_use.sh | 0 .../ensure_host_based_firewall_loopback_traffic_is_configured.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 files/ensure_a_single_firewall_configuration_utility_is_in_use.sh mode change 100755 => 100644 files/ensure_host_based_firewall_loopback_traffic_is_configured.sh diff --git a/files/ensure_a_single_firewall_configuration_utility_is_in_use.sh b/files/ensure_a_single_firewall_configuration_utility_is_in_use.sh old mode 100755 new mode 100644 diff --git a/files/ensure_host_based_firewall_loopback_traffic_is_configured.sh b/files/ensure_host_based_firewall_loopback_traffic_is_configured.sh old mode 100755 new mode 100644 From 172f97df4c6369b61e835251caa5912ca743f027 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 22:08:31 +0200 Subject: [PATCH 26/42] Rule ensure_host_based_firewall_loopback_traffic_is_configured added --- data/os/RedHat/version/9.yaml | 4 ++++ data/os/Rocky/version/9.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index e392dfd4..a8b3dd82 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml 
@@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account @@ -379,6 +380,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account @@ -566,6 +568,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account @@ -793,6 +796,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index e392dfd4..a8b3dd82 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml 
@@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account @@ -379,6 +380,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account @@ -566,6 +568,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account @@ -793,6 +796,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set - ensure_root_is_the_only_uid_0_account From 34f97ac9f66b396943b613db9ffd1bf3c7dcb438 Mon Sep 17 00:00:00 2001 
From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 22:11:07 +0200 Subject: [PATCH 27/42] Rule Added: 'Ensure at least one nftables table exists' --- data/os/RedHat/version/9.yaml | 4 ++++ data/os/Rocky/version/9.yaml | 4 ++++ ...sure_at_least_one_nftables_table_exists.sh | 23 +++++++++++++++++++ ...sure_at_least_one_nftables_table_exists.pp | 10 ++++++++ 4 files changed, 41 insertions(+) create mode 100644 files/ensure_at_least_one_nftables_table_exists.sh create mode 100644 manifests/rules/ensure_at_least_one_nftables_table_exists.pp diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index a8b3dd82..39d9924f 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml @@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set @@ -380,6 +381,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set @@ -568,6 +570,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set 
@@ -796,6 +799,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index a8b3dd82..39d9924f 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml @@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set @@ -380,6 +381,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set @@ -568,6 +570,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set 
@@ -796,6 +799,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use - ensure_root_password_is_set diff --git a/files/ensure_at_least_one_nftables_table_exists.sh b/files/ensure_at_least_one_nftables_table_exists.sh new file mode 100644 index 00000000..1b851e26 --- /dev/null +++ b/files/ensure_at_least_one_nftables_table_exists.sh 
@@ -0,0 +1,23 @@ +#!/usr/bin/env bash +{ + l_hbfw="" + if systemctl is-enabled firewalld.service | grep -q 'enabled' && systemctl is-enabled nftables.service | grep -q 'enabled'; then + echo -e "\n - Error - Both FirewallD and NFTables are enabled\n - Please follow recommendation: \"Ensure a single firewall configuration utility is in use\"" + elif ! systemctl is-enabled firewalld.service | grep -q 'enabled' && ! systemctl is-enabled nftables.service | grep -q 'enabled'; then + echo -e "\n - Error - Neither FirewallD or NFTables is enabled\n - Please follow recommendation: \"Ensure a single firewall configuration utility is in use\"" + else + if systemctl is-enabled firewalld.service | grep -q 'enabled' && ! systemctl is-enabled nftables.service | grep -q 'enabled'; then + echo -e "\n - FirewallD is in use on the system" && l_hbfw="fwd" + if ! nft list tables | grep -Pq -- 'table'; then + echo -e "\n - No tables found, create table firewalld" + nft create table inet firewalld + fi + elif ! systemctl is-enabled firewalld.service | grep -q 'enabled' && systemctl is-enabled nftables.service | grep -q 'enabled'; then + echo -e "\n - NFTables is in use on the system" && l_hbfw="nft" + if ! nft list tables | grep -Pq -- 'table'; then + echo -e "\n - No tables found, create table filter" + nft create table inet filter + fi + fi + fi +} diff --git a/manifests/rules/ensure_at_least_one_nftables_table_exists.pp b/manifests/rules/ensure_at_least_one_nftables_table_exists.pp new file mode 100644 index 00000000..7c94d55b --- /dev/null +++ b/manifests/rules/ensure_at_least_one_nftables_table_exists.pp @@ -0,0 +1,10 @@ +# @api private +# +# @summary Ensure at least one nftables table exists +# +class secure_linux_cis::rules::ensure_at_least_one_nftables_table_exists { + exec { "Ensure at least one nftables table exists": + command => "/usr/share/cis_scripts/ensure_at_least_one_nftables_table_exists.sh", + logoutput => true, + } +} 
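Review bot: `nft create table inet firewalld` and `nft create table inet filter` change only the running ruleset, so the table is gone after a reboot or a reload of the nftables service unless it is also written to the persistent configuration, which this script does not do. Creating a table named `firewalld` by hand in the FirewallD branch also looks questionable, since that service manages its own table, and the branch is selected on `is-enabled`, so an enabled-but-stopped firewalld may be the real condition to report. An empty table satisfies the check without filtering anything, which deserves a comment such as `# creates an empty table only; chains and rules must come from other rules`. `l_hbfw` is assigned but never read in this script and can be dropped.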
From 30445a2065c0816c1e6dced2b43f7abb9ab03942 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 22:50:52 +0200 Subject: [PATCH 28/42] Update for RHEL9 --- lib/facter/are_legacy_crypto_policies.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/facter/are_legacy_crypto_policies.rb b/lib/facter/are_legacy_crypto_policies.rb index daa4e557..55b0a507 100644 --- a/lib/facter/are_legacy_crypto_policies.rb +++ b/lib/facter/are_legacy_crypto_policies.rb @@ -1,6 +1,6 @@ Facter.add('are_legacy_crypto_policies') do confine osfamily: 'RedHat' - confine operatingsystemmajrelease: '8' + confine operatingsystemmajrelease: ['8', '9'] setcode do File.open('/etc/crypto-policies/config').each do |i| From f2e6b50a4a41a8a3d119b9f4bac90ae58bc97345 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Mon, 24 Jul 2023 22:51:10 +0200 Subject: [PATCH 29/42] Bugfix for issue #96 'crypto_policy_sshd.rb unexpected return' --- lib/facter/crypto_policy_sshd.rb | 9 ++++++--- ...nsure_system_wide_crypto_policy_is_not_over_ridden.pp | 4 ++-- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/lib/facter/crypto_policy_sshd.rb b/lib/facter/crypto_policy_sshd.rb index 355a001b..f5b25813 100644 --- a/lib/facter/crypto_policy_sshd.rb +++ b/lib/facter/crypto_policy_sshd.rb @@ -1,11 +1,14 @@ Facter.add('crypto_policy_sshd') do confine osfamily: 'RedHat' - confine operatingsystemmajrelease: '8' + confine operatingsystemmajrelease: ['8', '9'] setcode do + code=false File.open('/etc/sysconfig/sshd').each do |i| - return true if %r{^\s*CRYPTO_POLICY=*$}i.match?(i) + if %r{^\s*CRYPTO_POLICY=.*$}i.match?(i) + code=true + end end - false + code end end diff --git a/manifests/rules/ensure_system_wide_crypto_policy_is_not_over_ridden.pp b/manifests/rules/ensure_system_wide_crypto_policy_is_not_over_ridden.pp index 1fac75c1..9c9c5b90 100644 --- a/manifests/rules/ensure_system_wide_crypto_policy_is_not_over_ridden.pp 
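Review bot: `File.open('/etc/sysconfig/sshd').each` never closes the handle and raises if the file is missing, and the new `code` flag keeps scanning after the first match. The body of `setcode` can be `path = '/etc/sysconfig/sshd'` followed by `File.exist?(path) && File.foreach(path).any? { |line| %r{^\s*CRYPTO_POLICY=}i.match?(line) }`, which yields the same boolean and treats a missing file as "not over-ridden". If the explicit loop stays, write `code = false` and `code = true` with spaces around `=`.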
+++ b/manifests/rules/ensure_system_wide_crypto_policy_is_not_over_ridden.pp @@ -3,7 +3,7 @@ # @summary Ensure system-wide crypto policy is not over-ridden # class secure_linux_cis::rules::ensure_system_wide_crypto_policy_is_not_over_ridden { - unless $facts['crypto_policy_sshd'] { - warning('System-wide Crypto policy for sshd over-ridden.') + if $facts['crypto_policy_sshd'] { + alert('System-wide Crypto policy for sshd over-ridden. This is not CIS compliant (Scored)') } } From 2037aea7a8395d5231ea290c8be00e0b765c3672 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Tue, 25 Jul 2023 14:55:15 +0200 Subject: [PATCH 30/42] Rule Added: 'Ensure default user shell timeout is 900 seconds or less' --- data/os/RedHat/version/9.yaml | 4 ++++ data/os/Rocky/version/9.yaml | 4 ++++ ...efault_user_shell_timeout_is_900_seconds_or_less.sh | 9 +++++++++ ...efault_user_shell_timeout_is_900_seconds_or_less.pp | 10 ++++++++++ 4 files changed, 27 insertions(+) create mode 100644 files/ensure_default_user_shell_timeout_is_900_seconds_or_less.sh create mode 100644 manifests/rules/ensure_default_user_shell_timeout_is_900_seconds_or_less.pp diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index 39d9924f..6f9910ed 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml @@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use 
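Review bot: `alert()` is a logging function evaluated during catalog compilation, so the message is logged on the Puppet server rather than appearing as a resource in the agent's report, unlike the `notify` used by ensure_root_password_is_set earlier in this series. For consistent reporting of non-compliance consider `notify { 'crypto_policy_sshd': message => 'System-wide crypto policy for sshd is over-ridden. Not in compliance with CIS (Scored).', loglevel => 'warning' }` inside the `if`.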
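Review bot: The added entry `- ensure_default_user_shell_timeout_is_900_seconds_or_less"` ends with a stray double quote, which YAML keeps as part of the plain scalar, so the rule name no longer matches the class `secure_linux_cis::rules::ensure_default_user_shell_timeout_is_900_seconds_or_less` added in this patch. The same character is present in all four profile lists of both data/os/RedHat/version/9.yaml and data/os/Rocky/version/9.yaml. Each line should read `- ensure_default_user_shell_timeout_is_900_seconds_or_less`.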
@@ -381,6 +382,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -570,6 +572,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -799,6 +802,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index 39d9924f..6f9910ed 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml 
@@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -381,6 +382,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -570,6 +572,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -799,6 +802,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use 
diff --git a/files/ensure_default_user_shell_timeout_is_900_seconds_or_less.sh b/files/ensure_default_user_shell_timeout_is_900_seconds_or_less.sh new file mode 100644 index 00000000..8610f5e5 --- /dev/null +++ b/files/ensure_default_user_shell_timeout_is_900_seconds_or_less.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +{ + # this script just changes inline all the occurences of TMOUT=xxx to TMOUT=yyy where yyy = 900 if yyy > 900 + # actually cares variable is properly exported as set readonly other manifest: 'ensure_default_user_shell_timeout_is_configured.pp' + for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do + + test -f "$f" && awk -i inplace 'match($0, /(^|[^\w])TMOUT=([0-9]+)/, capvar) { print (capvar[2] <= 900? $0: gensub(/(^|[^\w])TMOUT=([0-9]+)/, "\\1TMOUT=900", "g")) } !/(^|\s+|[^\w])TMOUT=([0-9]+)/ { print $0 }' $f + done +} diff --git a/manifests/rules/ensure_default_user_shell_timeout_is_900_seconds_or_less.pp b/manifests/rules/ensure_default_user_shell_timeout_is_900_seconds_or_less.pp new file mode 100644 index 00000000..5b0b2a55 --- /dev/null +++ b/manifests/rules/ensure_default_user_shell_timeout_is_900_seconds_or_less.pp @@ -0,0 +1,10 @@ +# @api private +# +# @summary Ensure default user shell timeout is 900 seconds or less +# +class secure_linux_cis::rules::ensure_default_user_shell_timeout_is_900_seconds_or_less { + exec { "Ensure default user shell timeout is 900 seconds or less": + command => "/usr/share/cis_scripts/ensure_default_user_shell_timeout_is_900_seconds_or_less.sh", + logoutput => true, + } +} From 440097780d920919914d465e0f22a16f138b26d4 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Tue, 25 Jul 2023 15:14:35 +0200 Subject: [PATCH 31/42] Bugfix in profile files --- .../ensure_default_user_shell_timeout_is_900_seconds_or_less.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
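Review bot: The awk test `capvar[2] <= 900` leaves `TMOUT=0` unchanged, and in bash a TMOUT of 0 turns the idle timeout off, so the least compliant setting passes the check; the condition should require a positive value, e.g. `(capvar[2] > 0 && capvar[2] <= 900)`. The trailing `$f` in the awk call is unquoted although `test -f "$f"` quotes it; write `"$f"` there as well. `awk -i inplace`, `gensub` and the three-argument `match` are gawk extensions, so the script should either call `gawk` by name or carry a comment naming gawk as a requirement.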
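Review bot: This `exec` has no `onlyif`, `unless` or `refreshonly`, so the script runs and is reported as a change on every agent run, which buries real drift in the reports. A guard that tests the same files for a `TMOUT` value outside the allowed range would make the resource idempotent. Nothing in this commit installs the script under `/usr/share/cis_scripts/`; if that happens elsewhere in the module, a `require` on that resource would make the ordering explicit. The `exec` for `ensure_default_user_umask_is_027_or_more_restrictive` added later in this series has the same shape.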
diff --git a/files/ensure_default_user_shell_timeout_is_900_seconds_or_less.sh b/files/ensure_default_user_shell_timeout_is_900_seconds_or_less.sh index 8610f5e5..351e1964 100644 --- a/files/ensure_default_user_shell_timeout_is_900_seconds_or_less.sh +++ b/files/ensure_default_user_shell_timeout_is_900_seconds_or_less.sh @@ -2,7 +2,7 @@ { # this script just changes inline all the occurences of TMOUT=xxx to TMOUT=yyy where yyy = 900 if yyy > 900 # actually cares variable is properly exported as set readonly other manifest: 'ensure_default_user_shell_timeout_is_configured.pp' - for f in "$BRC" /etc/profile /etc/profile.d/*.sh ; do + for f in /etc/bashrc /etc/profile /etc/profile.d/*.sh ; do test -f "$f" && awk -i inplace 'match($0, /(^|[^\w])TMOUT=([0-9]+)/, capvar) { print (capvar[2] <= 900? $0: gensub(/(^|[^\w])TMOUT=([0-9]+)/, "\\1TMOUT=900", "g")) } !/(^|\s+|[^\w])TMOUT=([0-9]+)/ { print $0 }' $f done From bfe739e9c001a4d00ad6a1e190b3ce4948fabd20 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Tue, 25 Jul 2023 15:28:46 +0200 Subject: [PATCH 32/42] Rule Added: 'Ensure default user umask is 027 or more restrictive' --- data/os/RedHat/version/9.yaml | 4 ++++ data/os/Rocky/version/9.yaml | 4 ++++ ...re_default_user_umask_is_027_or_more_restrictive.sh | 10 ++++++++++ ...re_default_user_umask_is_027_or_more_restrictive.pp | 10 ++++++++++ 4 files changed, 28 insertions(+) create mode 100644 files/ensure_default_user_umask_is_027_or_more_restrictive.sh create mode 100644 manifests/rules/ensure_default_user_umask_is_027_or_more_restrictive.pp diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index 6f9910ed..f922668c 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml 
@@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_umask_is_027_or_more_restrictive - ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured @@ -382,6 +383,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_umask_is_027_or_more_restrictive - ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured @@ -572,6 +574,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_umask_is_027_or_more_restrictive - ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured @@ -802,6 +805,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_umask_is_027_or_more_restrictive - ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index 6f9910ed..f922668c 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml 
@@ -151,6 +151,7 @@ secure_linux_cis::server_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_umask_is_027_or_more_restrictive - ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured @@ -382,6 +383,7 @@ secure_linux_cis::server_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_umask_is_027_or_more_restrictive - ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured @@ -572,6 +574,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_umask_is_027_or_more_restrictive - ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured @@ -802,6 +805,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_reuse_is_limited - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive +- ensure_default_user_umask_is_027_or_more_restrictive - ensure_default_user_shell_timeout_is_900_seconds_or_less" - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured diff --git a/files/ensure_default_user_umask_is_027_or_more_restrictive.sh b/files/ensure_default_user_umask_is_027_or_more_restrictive.sh new file mode 100644 index 00000000..63b02f32 
--- /dev/null +++ b/files/ensure_default_user_umask_is_027_or_more_restrictive.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +{ + for f in /etc/bashrc /etc/profile /etc/profile.d/*.sh ; do + + # TODO: does not work with symbolic umasks yet + test -f "$f" && awk -i inplace 'match($0, /(^|[^\w])umask\s+([^\s]+)/, capvar) { print (capvar[2] >= 027? $0: gensub(/(^|[^\w])umask\s+([^\s]+)/, "\\1umask 027", "g")) } !/(^|[^\w])umask\s+([^\s]+)/ { print $0 }' $f + done + + awk -i inplace 'match($0, /(^|[^\w])UMASK\s+([^\s]+)/, capvar) { print (capvar[2] >= 027? $0: gensub(/(^|[^\w])UMASK\s+([^\s]+)/, "\\1UMASK 027", "g")) } !/(^|[^\w])UMASK\s+([^\s]+)/ { print $0 }' /etc/login.defs +} diff --git a/manifests/rules/ensure_default_user_umask_is_027_or_more_restrictive.pp b/manifests/rules/ensure_default_user_umask_is_027_or_more_restrictive.pp new file mode 100644 index 00000000..7e48ef45 --- /dev/null +++ b/manifests/rules/ensure_default_user_umask_is_027_or_more_restrictive.pp @@ -0,0 +1,10 @@ +# @api private +# +# @summary Ensure default user umask is 027 or more restrictive +# +class secure_linux_cis::rules::ensure_default_user_umask_is_027_or_more_restrictive { + exec { "Ensure default user umask is 027 or more restrictive": + command => "/usr/share/cis_scripts/ensure_default_user_umask_is_027_or_more_restrictive.sh", + logoutput => true, + } +} From 84a801c03b833bacf6ada575cd6633fc2d385148 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Tue, 25 Jul 2023 15:38:11 +0200 Subject: [PATCH 33/42] Typo fix --- data/os/RedHat/version/9.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index f922668c..185a578e 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml 
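Review bot: `capvar[2] >= 027` compares the umask as a number, which is not the same as "at least as restrictive": values such as `070` or `100` pass the test although they leave permissions for group or others that `027` removes. gawk (outside POSIX mode) also reads the literal `027` in program text as octal while the captured text is converted as decimal, so the threshold is not the one written. A bitwise test on the octal value expresses the rule, e.g. `and(strtonum("0" capvar[2]), 027) == 027` for captures that match `^[0-7]+$`. The final `awk` call edits `/etc/login.defs` without the `test -f` guard the loop uses, and `$f` is unquoted inside the loop.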
@@ -152,7 +152,7 @@ secure_linux_cis::server_level_1: - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_default_user_umask_is_027_or_more_restrictive -- ensure_default_user_shell_timeout_is_900_seconds_or_less" +- ensure_default_user_shell_timeout_is_900_seconds_or_less - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -384,7 +384,7 @@ secure_linux_cis::server_level_2: - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_default_user_umask_is_027_or_more_restrictive -- ensure_default_user_shell_timeout_is_900_seconds_or_less" +- ensure_default_user_shell_timeout_is_900_seconds_or_less - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -575,7 +575,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_default_user_umask_is_027_or_more_restrictive -- ensure_default_user_shell_timeout_is_900_seconds_or_less" +- ensure_default_user_shell_timeout_is_900_seconds_or_less - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use 
@@ -806,7 +806,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_default_user_umask_is_027_or_more_restrictive -- ensure_default_user_shell_timeout_is_900_seconds_or_less" +- ensure_default_user_shell_timeout_is_900_seconds_or_less - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use From 16720d74cc69ce74cb3612fc9c1e3f61b23d3e16 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Tue, 15 Aug 2023 12:44:33 +0200 Subject: [PATCH 34/42] Hardening schedule removed --- .../rules/ensure_no_legacy_entries_exist_in_etc_group.pp | 2 +- .../rules/ensure_no_legacy_entries_exist_in_etc_shadow.pp | 2 +- .../ensure_permissions_on_etc_cron_weekly_are_configured.pp | 2 +- .../ensure_permissions_on_etc_gshadow__are_configured.pp | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/manifests/rules/ensure_no_legacy_entries_exist_in_etc_group.pp b/manifests/rules/ensure_no_legacy_entries_exist_in_etc_group.pp index e187dbeb..3cdfe850 100644 --- a/manifests/rules/ensure_no_legacy_entries_exist_in_etc_group.pp +++ b/manifests/rules/ensure_no_legacy_entries_exist_in_etc_group.pp @@ -9,7 +9,7 @@ if $facts[ 'plus_group' ] { notify { 'pg': message => 'Not in compliance with CIS (Scored). You have "+" entries in /etc/group. Check the plus_group fact for details',#lint:ignore:140chars - schedule => 'harden_schedule', + #schedule => 'harden_schedule', loglevel => 'warning', } } diff --git a/manifests/rules/ensure_no_legacy_entries_exist_in_etc_shadow.pp b/manifests/rules/ensure_no_legacy_entries_exist_in_etc_shadow.pp index d03a1319..adc3386c 100644 --- a/manifests/rules/ensure_no_legacy_entries_exist_in_etc_shadow.pp +++ b/manifests/rules/ensure_no_legacy_entries_exist_in_etc_shadow.pp 
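Review bot: In the `notify { 'pg': }` resource the `schedule` attribute is commented out rather than deleted, which leaves dead code in the resource and breaks the `=>` alignment of the remaining attributes. If the schedule is gone for good, remove the line; if it is a temporary switch-off, say so, e.g. `# schedule disabled: <reason>`. The same edit is made in the hunks for `ensure_no_legacy_entries_exist_in_etc_shadow.pp`, `ensure_permissions_on_etc_cron_weekly_are_configured.pp` and both OS branches of `ensure_permissions_on_etc_gshadow__are_configured.pp`.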
@@ -8,7 +8,7 @@ if $facts[ 'plus_shadow' ] { notify { 'ps': message => 'Not in compliance with CIS (Scored). You have "+" entries in /etc/shadow. Check the plus_shadow fact for details', #lint:ignore:140chars - schedule => 'harden_schedule', + #schedule => 'harden_schedule', loglevel => 'warning', } } diff --git a/manifests/rules/ensure_permissions_on_etc_cron_weekly_are_configured.pp b/manifests/rules/ensure_permissions_on_etc_cron_weekly_are_configured.pp index d941ec34..e93b7e1a 100644 --- a/manifests/rules/ensure_permissions_on_etc_cron_weekly_are_configured.pp +++ b/manifests/rules/ensure_permissions_on_etc_cron_weekly_are_configured.pp @@ -5,7 +5,7 @@ class secure_linux_cis::rules::ensure_permissions_on_etc_cron_weekly_are_configured { file { '/etc/cron.weekly': ensure => directory, - schedule => 'harden_schedule', + #schedule => 'harden_schedule', group => 'root', owner => 'root', mode => 'og-rwx', diff --git a/manifests/rules/ensure_permissions_on_etc_gshadow__are_configured.pp b/manifests/rules/ensure_permissions_on_etc_gshadow__are_configured.pp index e55dca7a..a22ec069 100644 --- a/manifests/rules/ensure_permissions_on_etc_gshadow__are_configured.pp +++ b/manifests/rules/ensure_permissions_on_etc_gshadow__are_configured.pp @@ -15,7 +15,7 @@ 'RedHat': { file { '/etc/gshadow-': ensure => file, - schedule => 'harden_schedule', + #schedule => 'harden_schedule', owner => 'root', group => 'root', mode => '0000', @@ -24,7 +24,7 @@ 'Debian': { file { '/etc/gshadow-': ensure => file, - schedule => 'harden_schedule', + #schedule => 'harden_schedule', owner => 'root', group => 'shadow', mode => '0640', From c233df2a7fd06184294a005c31f8ed8846e597d4 Mon Sep 17 00:00:00 2001 
From: Sergejs Glusnevs Date: Tue, 15 Aug 2023 13:46:19 +0200 Subject: [PATCH 35/42] Escaping fixed --- ...ing_for_processes_that_start_prior_to_auditd_is_enabled.pp | 2 +- ...ation_for_privilege_escalation_is_not_disabled_globally.pp | 4 ++-- manifests/rules/ensure_root_is_the_only_uid_0_account.pp | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/rules/ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled.pp b/manifests/rules/ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled.pp index 8dc8881f..97cea020 100644 --- a/manifests/rules/ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled.pp +++ b/manifests/rules/ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled.pp @@ -7,7 +7,7 @@ ~> Class['secure_linux_cis'] exec { 'Ensure auditing for processes that start prior to auditd is enabled': command => "/usr/sbin/grubby --update-kernel ALL --args 'audit=1'", #lint:ignore:140chars - unless => "/usr/bin/find /boot -type f -name 'grubenv' -exec grep -P 'kernelopts=([^#\n\r]+\h+)?(audit=1)' {} \;", #lint:ignore:140chars + unless => "/usr/bin/find /boot -type f -name 'grubenv' -exec grep -P 'kernelopts=([^#\\n\\r]+\\h+)?(audit=1)' {} \\;", #lint:ignore:140chars logoutput => true, } } diff --git a/manifests/rules/ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally.pp b/manifests/rules/ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally.pp index 733f7000..f57301d9 100644 --- a/manifests/rules/ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally.pp +++ b/manifests/rules/ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally.pp 
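Review bot: The `unless` command cannot report a missing `audit=1`, because `find ... -exec grep ... {} \;` exits 0 whether or not grep matched; with the `;` terminator find's exit status reflects only its own errors. As written the guard always succeeds, so the `grubby --update-kernel ALL --args 'audit=1'` command is never run. Ending the action with `+` makes GNU find return non-zero when grep does, and `-q` keeps the match out of the log: `-exec grep -Pq '...' {} +`. The case where no `grubenv` file exists still exits 0 and needs its own test.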
@@ -4,8 +4,8 @@ # class secure_linux_cis::rules::ensure_re_authentication_for_privilege_escalation_is_not_disabled_globally { exec { 'Ensure re-authentication for privilege escalation is not disabled globally': - command => "/usr/bin/grep -rl '^[^#].*\!authenticate' /etc/sudoers /etc/sudoers.d/ | xargs sed -ri '/^#/! s/(\\s+)\!authenticate/\\1authenticate/g'", - onlyif => "/usr/bin/grep -rq '^[^#].*\!authenticate' /etc/sudoers /etc/sudoers.d/", + command => "/usr/bin/grep -rl '^[^#].*\\!authenticate' /etc/sudoers /etc/sudoers.d/ | xargs sed -ri '/^#/! s/(\\s+)\\!authenticate/\\1authenticate/g'", + onlyif => "/usr/bin/grep -rq '^[^#].*\\!authenticate' /etc/sudoers /etc/sudoers.d/", logoutput => true, } diff --git a/manifests/rules/ensure_root_is_the_only_uid_0_account.pp b/manifests/rules/ensure_root_is_the_only_uid_0_account.pp index 7da6bdae..4ace7df9 100644 --- a/manifests/rules/ensure_root_is_the_only_uid_0_account.pp +++ b/manifests/rules/ensure_root_is_the_only_uid_0_account.pp @@ -4,7 +4,7 @@ # class secure_linux_cis::rules::ensure_root_is_the_only_uid_0_account { exec { "Ensure root is the only UID 0 account": - command => "/usr/bin/sed -i '/^[^:]\+:x:0:/{/^root:/!d}' /etc/passwd", + command => "/usr/bin/sed -i '/^[^:]\\+:x:0:/{/^root:/!d}' /etc/passwd", logoutput => true, } } From facb0f3d4c98eaa22ea5a86b2a16b7db70c9b79b Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Tue, 15 Aug 2023 13:57:17 +0200 Subject: [PATCH 36/42] Fix to suppress error message on absent AIDE tools --- ...ed_to_protect_the_integrity_of_audit_tools.pp | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/manifests/rules/ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools.pp b/manifests/rules/ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools.pp index 89193f93..fffb3576 100644 --- a/manifests/rules/ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools.pp 
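Review bot: The `command` rewrites `/etc/sudoers` and the files under `/etc/sudoers.d/` in place with `sed -ri` and never checks the result, so a bad substitution can leave sudo unusable on the node. Running `visudo -c` after the edit, or editing a copy, validating it with `visudo -cf` and then moving it into place, would catch that. The command also depends on a pipe, while the `exec` type documents its default `posix` provider as not passing through a shell; `provider => shell` would state that dependency. The backslash before `!` inside the single-quoted patterns does not appear to be needed.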
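Review bot: The sed address `/^[^:]\+:x:0:/` only matches UID 0 entries whose password field is exactly `x`, so an additional UID 0 account with a hash, `*`, `!` or an empty second field in `/etc/passwd` is left in place. Matching any second field closes that gap: `'/^[^:]\\+:[^:]*:0:/{/^root:/!d}'`. The `exec` has no `onlyif`, so sed rewrites `/etc/passwd` on every run, and deleting the line directly leaves the account's `/etc/shadow` and group entries behind.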
+++ b/manifests/rules/ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools.pp @@ -13,8 +13,18 @@ /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 | SYSTEMAUDITRULES - file { '/etc/aide/aide.conf.d/00-cryptographic-mechanisms.conf': - ensure => file, - content => $system_audit_rules, + if find_file('/etc/aide') { + + file { '/etc/aide/aide.conf.d': + ensure => directory, + recurse => false, + owner => 'root', + group => 'root', + } + + file { '/etc/aide/aide.conf.d/00-cryptographic-mechanisms.conf': + ensure => file, + content => $system_audit_rules, + } } } From 7d598e1277ec54e9f9f171f2901c2d7481d3f49d Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Tue, 15 Aug 2023 15:04:02 +0200 Subject: [PATCH 37/42] Rule added: Ensure accounts in /etc/passwd use shadowed passwords (Automated) --- data/os/RedHat/version/9.yaml | 4 ++++ data/os/Rocky/version/9.yaml | 12 ++++++++---- ..._accounts_in_etc_passwd_use_shadowed_passwords.pp | 6 +++++- 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index 185a578e..0096c138 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml @@ -186,6 +186,7 @@ secure_linux_cis::server_level_1: - ensure_no_users_have_forward_files - ensure_no_users_have_netrc_files - ensure_no_users_have_rhosts_files +- ensure_accounts_in_etc_passwd_use_shadowed_passwords secure_linux_cis::server_level_2: - ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled @@ -427,6 +428,7 @@ secure_linux_cis::server_level_2: - ensure_ssh_permitemptypasswords_is_disabled - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files +- ensure_accounts_in_etc_passwd_use_shadowed_passwords secure_linux_cis::workstation_level_1: - ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_tmp_is_a_separate_partition 
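Review bot: `find_file('/etc/aide')` is a Puppet function, so it is evaluated where the catalog is compiled and looks at that machine's filesystem, not at the node being hardened. With a server-compiled catalog the AIDE resources are therefore included or skipped according to whether the server has `/etc/aide`. A fact reported by the agent is the usual way to test for the directory on the node. The two new `file` resources set no `mode`, and the rules file sets no `owner` or `group` either, so explicit values (for example `mode => '0600'`) would pin the permissions of the integrity rules. The class body starts above this hunk.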
@@ -609,6 +611,7 @@ secure_linux_cis::workstation_level_1: - ensure_no_users_have_forward_files - ensure_no_users_have_netrc_files - ensure_no_users_have_rhosts_files +- ensure_accounts_in_etc_passwd_use_shadowed_passwords secure_linux_cis::workstation_level_2: - ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled @@ -850,3 +853,4 @@ secure_linux_cis::workstation_level_2: - ensure_ssh_permitemptypasswords_is_disabled - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files +- ensure_accounts_in_etc_passwd_use_shadowed_passwords diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index f922668c..0096c138 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml @@ -152,7 +152,7 @@ secure_linux_cis::server_level_1: - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_default_user_umask_is_027_or_more_restrictive -- ensure_default_user_shell_timeout_is_900_seconds_or_less" +- ensure_default_user_shell_timeout_is_900_seconds_or_less - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -186,6 +186,7 @@ secure_linux_cis::server_level_1: - ensure_no_users_have_forward_files - ensure_no_users_have_netrc_files - ensure_no_users_have_rhosts_files +- ensure_accounts_in_etc_passwd_use_shadowed_passwords secure_linux_cis::server_level_2: - ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled 
@@ -384,7 +385,7 @@ secure_linux_cis::server_level_2: - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_default_user_umask_is_027_or_more_restrictive -- ensure_default_user_shell_timeout_is_900_seconds_or_less" +- ensure_default_user_shell_timeout_is_900_seconds_or_less - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -427,6 +428,7 @@ secure_linux_cis::server_level_2: - ensure_ssh_permitemptypasswords_is_disabled - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files +- ensure_accounts_in_etc_passwd_use_shadowed_passwords secure_linux_cis::workstation_level_1: - ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_tmp_is_a_separate_partition @@ -575,7 +577,7 @@ secure_linux_cis::workstation_level_1: - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_default_user_umask_is_027_or_more_restrictive -- ensure_default_user_shell_timeout_is_900_seconds_or_less" +- ensure_default_user_shell_timeout_is_900_seconds_or_less - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -609,6 +611,7 @@ secure_linux_cis::workstation_level_1: - ensure_no_users_have_forward_files - ensure_no_users_have_netrc_files - ensure_no_users_have_rhosts_files +- ensure_accounts_in_etc_passwd_use_shadowed_passwords secure_linux_cis::workstation_level_2: - ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled 
@@ -806,7 +809,7 @@ secure_linux_cis::workstation_level_2: - ensure_password_hashing_algorithm_is_sha_512_or_yescrypt - ensure_local_interactive_user_home_directories_are_mode_750_or_more_restrictive - ensure_default_user_umask_is_027_or_more_restrictive -- ensure_default_user_shell_timeout_is_900_seconds_or_less" +- ensure_default_user_shell_timeout_is_900_seconds_or_less - ensure_at_least_one_nftables_table_exists - ensure_host_based_firewall_loopback_traffic_is_configured - ensure_a_single_firewall_configuration_utility_is_in_use @@ -850,3 +853,4 @@ secure_linux_cis::workstation_level_2: - ensure_ssh_permitemptypasswords_is_disabled - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files +- ensure_accounts_in_etc_passwd_use_shadowed_passwords diff --git a/manifests/rules/ensure_accounts_in_etc_passwd_use_shadowed_passwords.pp b/manifests/rules/ensure_accounts_in_etc_passwd_use_shadowed_passwords.pp index 54ac66ed..20b147a9 100644 --- a/manifests/rules/ensure_accounts_in_etc_passwd_use_shadowed_passwords.pp +++ b/manifests/rules/ensure_accounts_in_etc_passwd_use_shadowed_passwords.pp @@ -3,5 +3,9 @@ # @summary Ensure accounts in /etc/passwd use shadowed passwords # class secure_linux_cis::rules::ensure_accounts_in_etc_passwd_use_shadowed_passwords { - # TODO: fix + exec { 'Ensure accounts in /etc/passwd use shadowed passwords': + command => "/usr/bin/sed -e 's/^\\([a-zA-Z0-9_]*\\):[^:]*:/\\1:x:/' -i /etc/passwd", + onlyif => "/usr/bin/egrep -qv '^[^:]+:x:' /etc/passwd", + logoutput => true, + } } From 105b70f90fa9449aa55388aec742a09940711377 Mon Sep 17 00:00:00 2001 
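Review bot: The sed pattern `^\([a-zA-Z0-9_]*\):` in `command` only matches account names made of letters, digits and underscores, while the `onlyif` test `'^[^:]+:x:'` covers every line. An account whose name contains `-` or `.` and whose password field is not `x` is never rewritten, so the entry stays non-compliant and the exec fires on every run. Using the same class in both places fixes this: `s/^\\([^:]\\+\\):[^:]*:/\\1:x:/`. Overwriting the field with `x` does not move an existing hash into `/etc/shadow`; `pwconv` does that and may be the safer remediation where such entries exist.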
From: Sergejs Glusnevs Date: Tue, 15 Aug 2023 15:16:44 +0200 Subject: [PATCH 38/42] Rule Added: 'Ensure authselect includes with-faillock' --- data/os/RedHat/version/9.yaml | 4 ++++ files/ensure_authselect_includes_with_faillock.sh | 2 ++ manifests/rules/ensure_authselect_includes_with_faillock.pp | 5 +++++ 3 files changed, 11 insertions(+) create mode 100644 files/ensure_authselect_includes_with_faillock.sh diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index 0096c138..06333b20 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml @@ -187,6 +187,7 @@ secure_linux_cis::server_level_1: - ensure_no_users_have_netrc_files - ensure_no_users_have_rhosts_files - ensure_accounts_in_etc_passwd_use_shadowed_passwords +- ensure_authselect_includes_with_faillock secure_linux_cis::server_level_2: - ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled @@ -429,6 +430,7 @@ secure_linux_cis::server_level_2: - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files - ensure_accounts_in_etc_passwd_use_shadowed_passwords +- ensure_authselect_includes_with_faillock secure_linux_cis::workstation_level_1: - ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_tmp_is_a_separate_partition @@ -612,6 +614,7 @@ secure_linux_cis::workstation_level_1: - ensure_no_users_have_netrc_files - ensure_no_users_have_rhosts_files - ensure_accounts_in_etc_passwd_use_shadowed_passwords +- ensure_authselect_includes_with_faillock secure_linux_cis::workstation_level_2: - ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled @@ -854,3 +857,4 @@ secure_linux_cis::workstation_level_2: - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files - ensure_accounts_in_etc_passwd_use_shadowed_passwords +- ensure_authselect_includes_with_faillock 
diff --git a/files/ensure_authselect_includes_with_faillock.sh b/files/ensure_authselect_includes_with_faillock.sh new file mode 100644 index 00000000..ceaeb5e4 --- /dev/null +++ b/files/ensure_authselect_includes_with_faillock.sh @@ -0,0 +1,2 @@ + +/usr/bin/authselect enable-feature with-faillock && /usr/bin/authselect apply-changes diff --git a/manifests/rules/ensure_authselect_includes_with_faillock.pp b/manifests/rules/ensure_authselect_includes_with_faillock.pp index ab19b6c7..86912a03 100644 --- a/manifests/rules/ensure_authselect_includes_with_faillock.pp +++ b/manifests/rules/ensure_authselect_includes_with_faillock.pp @@ -3,4 +3,9 @@ # @summary Ensure authselect includes with-faillock # class secure_linux_cis::rules::ensure_authselect_includes_with_faillock { + exec { 'Ensure authselect includes with-faillock': + command => "/usr/share/cis_scripts/ensure_authselect_includes_with_faillock.sh", + unless => "/usr/bin/grep -q pam_faillock.so /etc/pam.d/password-auth /etc/pam.d/system-auth", + logoutput => true, + } } From 562e510acbd14a37925d585c8c0498052dc4030f Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Thu, 21 Sep 2023 18:05:44 +0200 Subject: [PATCH 39/42] Creation of recursive directories enabled --- manifests/rules/ensure_root_path_integrity.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/rules/ensure_root_path_integrity.pp b/manifests/rules/ensure_root_path_integrity.pp index 77e02d35..6903d3ce 100644 --- a/manifests/rules/ensure_root_path_integrity.pp +++ b/manifests/rules/ensure_root_path_integrity.pp @@ -10,6 +10,7 @@ ensure => directory, owner => 'root', mode => 'go-w', + recurse => true, } } } From f679222bb27e826a3ce16525b2f89c946d35db6b Mon Sep 17 00:00:00 2001 
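Review bot: The new script has no interpreter line; its first line is blank, unlike the other scripts added in this series, which start with `#!/usr/bin/env bash`. Whether it runs then depends on how the caller executes it, since a direct `execve` of a file without a shebang fails. Add `#!/usr/bin/env bash` as the first line.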
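Review bot: The `unless` guard runs one `grep -q` over both PAM files, which exits 0 as soon as either file contains `pam_faillock.so`, so the remediation is skipped when only one of `password-auth` and `system-auth` has the module. Checking each file separately, or asking authselect itself, avoids that, e.g. `unless => "/usr/bin/authselect current | /usr/bin/grep -q with-faillock"` together with `provider => shell` for the pipe. Nothing in this commit installs the script under `/usr/share/cis_scripts/`; a `require` on the resource that does would make the ordering explicit.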
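Review bot: `recurse => true` on a `file` resource does not create missing parent directories, which is what the commit title suggests; it makes Puppet manage everything below the directory. Combined with `owner => 'root'` and `mode => 'go-w'`, this applies ownership and mode changes to every file under each managed directory, which is slow on large directories and can alter files that are meant to have another owner. If the goal is only the directory itself, drop the attribute; if parent directories must exist, declare them explicitly. The resource declaration starts above this hunk.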
From: Sergejs Glusnevs Date: Thu, 21 Sep 2023 18:06:06 +0200 Subject: [PATCH 40/42] some legacy benchmarks removed --- data/os/RedHat/version/9.yaml | 61 -------------------------------- data/os/Rocky/version/9.yaml | 65 +++-------------------------------- 2 files changed, 4 insertions(+), 122 deletions(-) diff --git a/data/os/RedHat/version/9.yaml b/data/os/RedHat/version/9.yaml index 06333b20..95167f83 100644 --- a/data/os/RedHat/version/9.yaml +++ b/data/os/RedHat/version/9.yaml @@ -1,6 +1,5 @@ --- secure_linux_cis::server_level_1: -- ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_tmp_is_a_separate_partition - ensure_nodev_option_set_on_tmp_partition - ensure_noexec_option_set_on_tmp_partition @@ -25,7 +24,6 @@ secure_linux_cis::server_level_1: - ensure_nodev_option_set_on_dev_shm_partition - ensure_noexec_option_set_on_dev_shm_partition - ensure_nosuid_option_set_on_dev_shm_partition -- disable_automounting - disable_usb_storage - ensure_gpgcheck_is_globally_activated - ensure_aide_is_installed @@ -35,7 +33,6 @@ secure_linux_cis::server_level_1: - ensure_ssh_maxauthtries_is_set_to_4_or_less - ensure_ssh_maxsessions_is_set_to_10_or_less - ensure_permissions_on_bootloader_config_are_configured -- ensure_authentication_is_required_when_booting_into_rescue_mode - ensure_core_dump_storage_is_disabled - ensure_core_dump_backtraces_are_disabled - ensure_address_space_layout_randomization_aslr_is_enabled @@ -61,7 +58,6 @@ secure_linux_cis::server_level_1: - ensure_system_wide_crypto_policy_is_not_legacy - ensure_time_synchronization_is_in_use - ensure_chrony_is_configured -- ensure_xinetd_is_not_installed - ensure_avahi_server_is_not_installed - ensure_cups_is_not_installed - ensure_dhcp_server_is_not_installed 
@@ -73,14 +69,12 @@ secure_linux_cis::server_level_1: - ensure_samba_is_not_installed - ensure_http_proxy_server_is_not_installed - ensure_net_snmp_is_not_installed -- ensure_nis_server_is_not_installed - ensure_telnet_server_is_not_installed - ensure_dnsmasq_is_not_installed - ensure_mail_transfer_agent_is_configured_for_local_only_mode - ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked - ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked - ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked -- ensure_nis_client_is_not_installed - ensure_rsh_client_is_not_installed - ensure_talk_client_is_not_installed - ensure_telnet_client_is_not_installed @@ -97,14 +91,6 @@ secure_linux_cis::server_level_1: - ensure_bogus_icmp_responses_are_ignored - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_packages_are_installed -- ensure_nftables_is_not_installed_with_iptables -- ensure_firewalld_is_either_not_installed_or_masked_with_iptables -- ensure_iptables_loopback_traffic_is_configured -- ensure_iptables_rules_exist_for_all_open_ports -- ensure_iptables_default_deny_firewall_policy -- ensure_iptables_rules_are_saved -- ensure_iptables_is_enabled_and_active - ensure_rsyslog_is_installed - ensure_rsyslog_service_is_enabled - ensure_rsyslog_default_file_permissions_are_configured @@ -189,7 +175,6 @@ secure_linux_cis::server_level_1: - ensure_accounts_in_etc_passwd_use_shadowed_passwords - ensure_authselect_includes_with_faillock secure_linux_cis::server_level_2: -- ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled - ensure_mounting_of_udf_filesystems_is_disabled - ensure_tmp_is_a_separate_partition 
@@ -221,7 +206,6 @@ secure_linux_cis::server_level_2: - ensure_nodev_option_set_on_dev_shm_partition - ensure_noexec_option_set_on_dev_shm_partition - ensure_nosuid_option_set_on_dev_shm_partition -- disable_automounting - ensure_gpgcheck_is_globally_activated - ensure_aide_is_installed - ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools @@ -230,7 +214,6 @@ secure_linux_cis::server_level_2: - ensure_ssh_maxauthtries_is_set_to_4_or_less - ensure_ssh_maxsessions_is_set_to_10_or_less - ensure_permissions_on_bootloader_config_are_configured -- ensure_authentication_is_required_when_booting_into_rescue_mode - ensure_core_dump_storage_is_disabled - ensure_core_dump_backtraces_are_disabled - ensure_address_space_layout_randomization_aslr_is_enabled @@ -258,7 +241,6 @@ secure_linux_cis::server_level_2: - ensure_time_synchronization_is_in_use - ensure_chrony_is_configured - ensure_xorg_x11_server_common_is_not_installed -- ensure_xinetd_is_not_installed - ensure_avahi_server_is_not_installed - ensure_cups_is_not_installed - ensure_dhcp_server_is_not_installed 
@@ -270,21 +252,17 @@ secure_linux_cis::server_level_2: - ensure_samba_is_not_installed - ensure_http_proxy_server_is_not_installed - ensure_net_snmp_is_not_installed -- ensure_nis_server_is_not_installed - ensure_telnet_server_is_not_installed - ensure_dnsmasq_is_not_installed - ensure_mail_transfer_agent_is_configured_for_local_only_mode - ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked - ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked - ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked -- ensure_nis_client_is_not_installed - ensure_rsh_client_is_not_installed - ensure_talk_client_is_not_installed - ensure_telnet_client_is_not_installed - ensure_ldap_client_is_not_installed - ensure_tftp_client_is_not_installed -- ensure_sctp_is_disabled -- ensure_dccp_is_disabled - ensure_wireless_interfaces_are_disabled - ensure_ip_forwarding_is_disabled - ensure_packet_redirect_sending_is_disabled @@ -296,14 +274,6 @@ secure_linux_cis::server_level_2: - ensure_bogus_icmp_responses_are_ignored - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_packages_are_installed -- ensure_nftables_is_not_installed_with_iptables -- ensure_firewalld_is_either_not_installed_or_masked_with_iptables -- ensure_iptables_loopback_traffic_is_configured -- ensure_iptables_rules_exist_for_all_open_ports -- ensure_iptables_default_deny_firewall_policy -- ensure_iptables_rules_are_saved -- ensure_iptables_is_enabled_and_active - ensure_auditd_is_installed - ensure_auditd_service_is_enabled - ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled 
@@ -423,7 +393,6 @@ secure_linux_cis::server_level_2: - ensure_nodev_option_set_on_var_log_audit_partition - ensure_vsftp_server_is_not_installed - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_is_enabled_and_active - ensure_successful_file_system_mounts_are_collected - ensure_journald_is_configured_to_compress_large_log_files - ensure_ssh_permitemptypasswords_is_disabled @@ -432,7 +401,6 @@ secure_linux_cis::server_level_2: - ensure_accounts_in_etc_passwd_use_shadowed_passwords - ensure_authselect_includes_with_faillock secure_linux_cis::workstation_level_1: -- ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_tmp_is_a_separate_partition - ensure_nodev_option_set_on_tmp_partition - ensure_noexec_option_set_on_tmp_partition @@ -466,7 +434,6 @@ secure_linux_cis::workstation_level_1: - ensure_ssh_maxauthtries_is_set_to_4_or_less - ensure_ssh_maxsessions_is_set_to_10_or_less - ensure_permissions_on_bootloader_config_are_configured -- ensure_authentication_is_required_when_booting_into_rescue_mode - ensure_core_dump_storage_is_disabled - ensure_core_dump_backtraces_are_disabled - ensure_address_space_layout_randomization_aslr_is_enabled @@ -490,7 +457,6 @@ secure_linux_cis::workstation_level_1: - ensure_system_wide_crypto_policy_is_not_legacy - ensure_time_synchronization_is_in_use - ensure_chrony_is_configured -- ensure_xinetd_is_not_installed - ensure_dhcp_server_is_not_installed - ensure_dns_server_is_not_installed - ensure_ftp_server_is_not_installed 
@@ -500,14 +466,12 @@ secure_linux_cis::workstation_level_1: - ensure_samba_is_not_installed - ensure_http_proxy_server_is_not_installed - ensure_net_snmp_is_not_installed -- ensure_nis_server_is_not_installed - ensure_telnet_server_is_not_installed - ensure_dnsmasq_is_not_installed - ensure_mail_transfer_agent_is_configured_for_local_only_mode - ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked - ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked - ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked -- ensure_nis_client_is_not_installed - ensure_rsh_client_is_not_installed - ensure_talk_client_is_not_installed - ensure_telnet_client_is_not_installed @@ -523,14 +487,6 @@ secure_linux_cis::workstation_level_1: - ensure_bogus_icmp_responses_are_ignored - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_packages_are_installed -- ensure_nftables_is_not_installed_with_iptables -- ensure_firewalld_is_either_not_installed_or_masked_with_iptables -- ensure_iptables_loopback_traffic_is_configured -- ensure_iptables_rules_exist_for_all_open_ports -- ensure_iptables_default_deny_firewall_policy -- ensure_iptables_rules_are_saved -- ensure_iptables_is_enabled_and_active - ensure_rsyslog_is_installed - ensure_rsyslog_service_is_enabled - ensure_rsyslog_default_file_permissions_are_configured @@ -616,7 +572,6 @@ secure_linux_cis::workstation_level_1: - ensure_accounts_in_etc_passwd_use_shadowed_passwords - ensure_authselect_includes_with_faillock secure_linux_cis::workstation_level_2: -- ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled - ensure_mounting_of_udf_filesystems_is_disabled - ensure_tmp_is_a_separate_partition 
@@ -648,7 +603,6 @@ secure_linux_cis::workstation_level_2: - ensure_nodev_option_set_on_dev_shm_partition - ensure_noexec_option_set_on_dev_shm_partition - ensure_nosuid_option_set_on_dev_shm_partition -- disable_automounting - disable_usb_storage - ensure_gpgcheck_is_globally_activated - ensure_aide_is_installed @@ -658,7 +612,6 @@ secure_linux_cis::workstation_level_2: - ensure_ssh_maxauthtries_is_set_to_4_or_less - ensure_ssh_maxsessions_is_set_to_10_or_less - ensure_permissions_on_bootloader_config_are_configured -- ensure_authentication_is_required_when_booting_into_rescue_mode - ensure_core_dump_storage_is_disabled - ensure_core_dump_backtraces_are_disabled - ensure_address_space_layout_randomization_aslr_is_enabled @@ -684,7 +637,6 @@ secure_linux_cis::workstation_level_2: - ensure_system_wide_crypto_policy_is_not_legacy - ensure_time_synchronization_is_in_use - ensure_chrony_is_configured -- ensure_xinetd_is_not_installed - ensure_avahi_server_is_not_installed - ensure_cups_is_not_installed - ensure_dhcp_server_is_not_installed 
@@ -696,21 +648,17 @@ secure_linux_cis::workstation_level_2: - ensure_samba_is_not_installed - ensure_http_proxy_server_is_not_installed - ensure_net_snmp_is_not_installed -- ensure_nis_server_is_not_installed - ensure_telnet_server_is_not_installed - ensure_dnsmasq_is_not_installed - ensure_mail_transfer_agent_is_configured_for_local_only_mode - ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked - ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked - ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked -- ensure_nis_client_is_not_installed - ensure_rsh_client_is_not_installed - ensure_talk_client_is_not_installed - ensure_telnet_client_is_not_installed - ensure_ldap_client_is_not_installed - ensure_tftp_client_is_not_installed -- ensure_sctp_is_disabled -- ensure_dccp_is_disabled - ensure_wireless_interfaces_are_disabled - ensure_ip_forwarding_is_disabled - ensure_packet_redirect_sending_is_disabled @@ -722,14 +670,6 @@ secure_linux_cis::workstation_level_2: - ensure_bogus_icmp_responses_are_ignored - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_packages_are_installed -- ensure_nftables_is_not_installed_with_iptables -- ensure_firewalld_is_either_not_installed_or_masked_with_iptables -- ensure_iptables_loopback_traffic_is_configured -- ensure_iptables_rules_exist_for_all_open_ports -- ensure_iptables_default_deny_firewall_policy -- ensure_iptables_rules_are_saved -- ensure_iptables_is_enabled_and_active - ensure_auditd_is_installed - ensure_auditd_service_is_enabled - ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled 
@@ -850,7 +790,6 @@ secure_linux_cis::workstation_level_2: - ensure_selinux_is_not_disabled_in_bootloader_configuration - ensure_vsftp_server_is_not_installed - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_is_enabled_and_active - ensure_successful_file_system_mounts_are_collected - ensure_journald_is_configured_to_compress_large_log_files - ensure_ssh_permitemptypasswords_is_disabled diff --git a/data/os/Rocky/version/9.yaml b/data/os/Rocky/version/9.yaml index 0096c138..95167f83 100644 --- a/data/os/Rocky/version/9.yaml +++ b/data/os/Rocky/version/9.yaml @@ -1,6 +1,5 @@ --- secure_linux_cis::server_level_1: -- ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_tmp_is_a_separate_partition - ensure_nodev_option_set_on_tmp_partition - ensure_noexec_option_set_on_tmp_partition @@ -25,7 +24,6 @@ secure_linux_cis::server_level_1: - ensure_nodev_option_set_on_dev_shm_partition - ensure_noexec_option_set_on_dev_shm_partition - ensure_nosuid_option_set_on_dev_shm_partition -- disable_automounting - disable_usb_storage - ensure_gpgcheck_is_globally_activated - ensure_aide_is_installed @@ -35,7 +33,6 @@ secure_linux_cis::server_level_1: - ensure_ssh_maxauthtries_is_set_to_4_or_less - ensure_ssh_maxsessions_is_set_to_10_or_less - ensure_permissions_on_bootloader_config_are_configured -- ensure_authentication_is_required_when_booting_into_rescue_mode - ensure_core_dump_storage_is_disabled - ensure_core_dump_backtraces_are_disabled - ensure_address_space_layout_randomization_aslr_is_enabled @@ -61,7 +58,6 @@ secure_linux_cis::server_level_1: - ensure_system_wide_crypto_policy_is_not_legacy - ensure_time_synchronization_is_in_use - ensure_chrony_is_configured -- ensure_xinetd_is_not_installed - ensure_avahi_server_is_not_installed - ensure_cups_is_not_installed - ensure_dhcp_server_is_not_installed 
@@ -73,14 +69,12 @@ secure_linux_cis::server_level_1: - ensure_samba_is_not_installed - ensure_http_proxy_server_is_not_installed - ensure_net_snmp_is_not_installed -- ensure_nis_server_is_not_installed - ensure_telnet_server_is_not_installed - ensure_dnsmasq_is_not_installed - ensure_mail_transfer_agent_is_configured_for_local_only_mode - ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked - ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked - ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked -- ensure_nis_client_is_not_installed - ensure_rsh_client_is_not_installed - ensure_talk_client_is_not_installed - ensure_telnet_client_is_not_installed @@ -97,14 +91,6 @@ secure_linux_cis::server_level_1: - ensure_bogus_icmp_responses_are_ignored - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_packages_are_installed -- ensure_nftables_is_not_installed_with_iptables -- ensure_firewalld_is_either_not_installed_or_masked_with_iptables -- ensure_iptables_loopback_traffic_is_configured -- ensure_iptables_rules_exist_for_all_open_ports -- ensure_iptables_default_deny_firewall_policy -- ensure_iptables_rules_are_saved -- ensure_iptables_is_enabled_and_active - ensure_rsyslog_is_installed - ensure_rsyslog_service_is_enabled - ensure_rsyslog_default_file_permissions_are_configured @@ -187,8 +173,8 @@ secure_linux_cis::server_level_1: - ensure_no_users_have_netrc_files - ensure_no_users_have_rhosts_files - ensure_accounts_in_etc_passwd_use_shadowed_passwords +- ensure_authselect_includes_with_faillock secure_linux_cis::server_level_2: -- ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled - ensure_mounting_of_udf_filesystems_is_disabled - ensure_tmp_is_a_separate_partition 
@@ -220,7 +206,6 @@ secure_linux_cis::server_level_2: - ensure_nodev_option_set_on_dev_shm_partition - ensure_noexec_option_set_on_dev_shm_partition - ensure_nosuid_option_set_on_dev_shm_partition -- disable_automounting - ensure_gpgcheck_is_globally_activated - ensure_aide_is_installed - ensure_cryptographic_mechanisms_are_used_to_protect_the_integrity_of_audit_tools @@ -229,7 +214,6 @@ secure_linux_cis::server_level_2: - ensure_ssh_maxauthtries_is_set_to_4_or_less - ensure_ssh_maxsessions_is_set_to_10_or_less - ensure_permissions_on_bootloader_config_are_configured -- ensure_authentication_is_required_when_booting_into_rescue_mode - ensure_core_dump_storage_is_disabled - ensure_core_dump_backtraces_are_disabled - ensure_address_space_layout_randomization_aslr_is_enabled @@ -257,7 +241,6 @@ secure_linux_cis::server_level_2: - ensure_time_synchronization_is_in_use - ensure_chrony_is_configured - ensure_xorg_x11_server_common_is_not_installed -- ensure_xinetd_is_not_installed - ensure_avahi_server_is_not_installed - ensure_cups_is_not_installed - ensure_dhcp_server_is_not_installed 
@@ -269,21 +252,17 @@ secure_linux_cis::server_level_2: - ensure_samba_is_not_installed - ensure_http_proxy_server_is_not_installed - ensure_net_snmp_is_not_installed -- ensure_nis_server_is_not_installed - ensure_telnet_server_is_not_installed - ensure_dnsmasq_is_not_installed - ensure_mail_transfer_agent_is_configured_for_local_only_mode - ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked - ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked - ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked -- ensure_nis_client_is_not_installed - ensure_rsh_client_is_not_installed - ensure_talk_client_is_not_installed - ensure_telnet_client_is_not_installed - ensure_ldap_client_is_not_installed - ensure_tftp_client_is_not_installed -- ensure_sctp_is_disabled -- ensure_dccp_is_disabled - ensure_wireless_interfaces_are_disabled - ensure_ip_forwarding_is_disabled - ensure_packet_redirect_sending_is_disabled @@ -295,14 +274,6 @@ secure_linux_cis::server_level_2: - ensure_bogus_icmp_responses_are_ignored - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_packages_are_installed -- ensure_nftables_is_not_installed_with_iptables -- ensure_firewalld_is_either_not_installed_or_masked_with_iptables -- ensure_iptables_loopback_traffic_is_configured -- ensure_iptables_rules_exist_for_all_open_ports -- ensure_iptables_default_deny_firewall_policy -- ensure_iptables_rules_are_saved -- ensure_iptables_is_enabled_and_active - ensure_auditd_is_installed - ensure_auditd_service_is_enabled - ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled 
@@ -422,15 +393,14 @@ secure_linux_cis::server_level_2: - ensure_nodev_option_set_on_var_log_audit_partition - ensure_vsftp_server_is_not_installed - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_is_enabled_and_active - ensure_successful_file_system_mounts_are_collected - ensure_journald_is_configured_to_compress_large_log_files - ensure_ssh_permitemptypasswords_is_disabled - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files - ensure_accounts_in_etc_passwd_use_shadowed_passwords +- ensure_authselect_includes_with_faillock secure_linux_cis::workstation_level_1: -- ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_tmp_is_a_separate_partition - ensure_nodev_option_set_on_tmp_partition - ensure_noexec_option_set_on_tmp_partition @@ -464,7 +434,6 @@ secure_linux_cis::workstation_level_1: - ensure_ssh_maxauthtries_is_set_to_4_or_less - ensure_ssh_maxsessions_is_set_to_10_or_less - ensure_permissions_on_bootloader_config_are_configured -- ensure_authentication_is_required_when_booting_into_rescue_mode - ensure_core_dump_storage_is_disabled - ensure_core_dump_backtraces_are_disabled - ensure_address_space_layout_randomization_aslr_is_enabled @@ -488,7 +457,6 @@ secure_linux_cis::workstation_level_1: - ensure_system_wide_crypto_policy_is_not_legacy - ensure_time_synchronization_is_in_use - ensure_chrony_is_configured -- ensure_xinetd_is_not_installed - ensure_dhcp_server_is_not_installed - ensure_dns_server_is_not_installed - ensure_ftp_server_is_not_installed 
@@ -498,14 +466,12 @@ secure_linux_cis::workstation_level_1: - ensure_samba_is_not_installed - ensure_http_proxy_server_is_not_installed - ensure_net_snmp_is_not_installed -- ensure_nis_server_is_not_installed - ensure_telnet_server_is_not_installed - ensure_dnsmasq_is_not_installed - ensure_mail_transfer_agent_is_configured_for_local_only_mode - ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked - ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked - ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked -- ensure_nis_client_is_not_installed - ensure_rsh_client_is_not_installed - ensure_talk_client_is_not_installed - ensure_telnet_client_is_not_installed @@ -521,14 +487,6 @@ secure_linux_cis::workstation_level_1: - ensure_bogus_icmp_responses_are_ignored - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_packages_are_installed -- ensure_nftables_is_not_installed_with_iptables -- ensure_firewalld_is_either_not_installed_or_masked_with_iptables -- ensure_iptables_loopback_traffic_is_configured -- ensure_iptables_rules_exist_for_all_open_ports -- ensure_iptables_default_deny_firewall_policy -- ensure_iptables_rules_are_saved -- ensure_iptables_is_enabled_and_active - ensure_rsyslog_is_installed - ensure_rsyslog_service_is_enabled - ensure_rsyslog_default_file_permissions_are_configured @@ -612,8 +570,8 @@ secure_linux_cis::workstation_level_1: - ensure_no_users_have_netrc_files - ensure_no_users_have_rhosts_files - ensure_accounts_in_etc_passwd_use_shadowed_passwords +- ensure_authselect_includes_with_faillock secure_linux_cis::workstation_level_2: -- ensure_mounting_of_cramfs_filesystems_is_disabled - ensure_mounting_of_squashfs_filesystems_is_disabled - ensure_mounting_of_udf_filesystems_is_disabled - ensure_tmp_is_a_separate_partition 
@@ -645,7 +603,6 @@ secure_linux_cis::workstation_level_2: - ensure_nodev_option_set_on_dev_shm_partition - ensure_noexec_option_set_on_dev_shm_partition - ensure_nosuid_option_set_on_dev_shm_partition -- disable_automounting - disable_usb_storage - ensure_gpgcheck_is_globally_activated - ensure_aide_is_installed @@ -655,7 +612,6 @@ secure_linux_cis::workstation_level_2: - ensure_ssh_maxauthtries_is_set_to_4_or_less - ensure_ssh_maxsessions_is_set_to_10_or_less - ensure_permissions_on_bootloader_config_are_configured -- ensure_authentication_is_required_when_booting_into_rescue_mode - ensure_core_dump_storage_is_disabled - ensure_core_dump_backtraces_are_disabled - ensure_address_space_layout_randomization_aslr_is_enabled @@ -681,7 +637,6 @@ secure_linux_cis::workstation_level_2: - ensure_system_wide_crypto_policy_is_not_legacy - ensure_time_synchronization_is_in_use - ensure_chrony_is_configured -- ensure_xinetd_is_not_installed - ensure_avahi_server_is_not_installed - ensure_cups_is_not_installed - ensure_dhcp_server_is_not_installed 
@@ -693,21 +648,17 @@ secure_linux_cis::workstation_level_2: - ensure_samba_is_not_installed - ensure_http_proxy_server_is_not_installed - ensure_net_snmp_is_not_installed -- ensure_nis_server_is_not_installed - ensure_telnet_server_is_not_installed - ensure_dnsmasq_is_not_installed - ensure_mail_transfer_agent_is_configured_for_local_only_mode - ensure_nfs_utils_is_not_installed_or_the_nfs_server_service_is_masked - ensure_rpcbind_is_not_installed_or_the_rpcbind_services_are_masked - ensure_rsync_is_not_installed_or_the_rsyncd_service_is_masked -- ensure_nis_client_is_not_installed - ensure_rsh_client_is_not_installed - ensure_talk_client_is_not_installed - ensure_telnet_client_is_not_installed - ensure_ldap_client_is_not_installed - ensure_tftp_client_is_not_installed -- ensure_sctp_is_disabled -- ensure_dccp_is_disabled - ensure_wireless_interfaces_are_disabled - ensure_ip_forwarding_is_disabled - ensure_packet_redirect_sending_is_disabled @@ -719,14 +670,6 @@ secure_linux_cis::workstation_level_2: - ensure_bogus_icmp_responses_are_ignored - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_packages_are_installed -- ensure_nftables_is_not_installed_with_iptables -- ensure_firewalld_is_either_not_installed_or_masked_with_iptables -- ensure_iptables_loopback_traffic_is_configured -- ensure_iptables_rules_exist_for_all_open_ports -- ensure_iptables_default_deny_firewall_policy -- ensure_iptables_rules_are_saved -- ensure_iptables_is_enabled_and_active - ensure_auditd_is_installed - ensure_auditd_service_is_enabled - ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled 
@@ -847,10 +790,10 @@ secure_linux_cis::workstation_level_2: - ensure_selinux_is_not_disabled_in_bootloader_configuration - ensure_vsftp_server_is_not_installed - ensure_tcp_syn_cookies_is_enabled -- ensure_iptables_is_enabled_and_active - ensure_successful_file_system_mounts_are_collected - ensure_journald_is_configured_to_compress_large_log_files - ensure_ssh_permitemptypasswords_is_disabled - ensure_no_duplicate_user_names_exist - ensure_no_users_have_rhosts_files - ensure_accounts_in_etc_passwd_use_shadowed_passwords +- ensure_authselect_includes_with_faillock From 05d90e7e7990aaa99a8f188a6516c093117b1330 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Thu, 21 Sep 2023 18:37:14 +0200 Subject: [PATCH 41/42] Workaround for exec errors --- ...sure_automatic_mounting_of_removable_media_is_disabled.pp | 5 ++++- manifests/rules/ensure_root_path_integrity.pp | 5 +++++ manifests/rules/ensure_xdmcp_is_not_enabled.pp | 4 ++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/manifests/rules/ensure_automatic_mounting_of_removable_media_is_disabled.pp b/manifests/rules/ensure_automatic_mounting_of_removable_media_is_disabled.pp index 010ab587..6971fd9a 100644 --- a/manifests/rules/ensure_automatic_mounting_of_removable_media_is_disabled.pp +++ b/manifests/rules/ensure_automatic_mounting_of_removable_media_is_disabled.pp @@ -9,13 +9,16 @@ automount-open=false | SYSTEMAUDITRULES + file { '/etc/dconf/db/local.d/': + ensure => directory, + }-> file { '/etc/dconf/db/local.d/00-media-automount': ensure => file, content => $system_audit_rules, } ~> exec { 'reload mount options': refreshonly => true, - command => 'dconf update', + command => 'dconf update && true', path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'], } } diff --git a/manifests/rules/ensure_root_path_integrity.pp b/manifests/rules/ensure_root_path_integrity.pp index 6903d3ce..7861dcf7 100644 --- a/manifests/rules/ensure_root_path_integrity.pp +++ b/manifests/rules/ensure_root_path_integrity.pp 
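Review bot: Appending `&& true` to `dconf update` does not change the exit status, because when `dconf update` fails the `&&` short-circuits and the exec still reports the failure. If the aim is to tolerate hosts without dconf, an explicit guard says so, e.g. `onlyif => 'test -x /usr/bin/dconf',` next to `command => 'dconf update',`. If the aim was to ignore failures, note that a failed update leaves the automount settings out of the compiled database, so the failure should stay visible. The new `file { '/etc/dconf/db/local.d/': }` resource also assumes `/etc/dconf/db` already exists, since Puppet does not create parent directories. The class body starts outside this hunk.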
@@ -6,6 +6,11 @@ $root_path_dirs = split($facts['root_path'], /:/) $root_path_dirs.each | Stdlib::Absolutepath $path | { + exec { "check $path recursively": + path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'], + command => "mkdir -p ${path}", + creates => $path, + } file { $path: ensure => directory, owner => 'root', diff --git a/manifests/rules/ensure_xdmcp_is_not_enabled.pp b/manifests/rules/ensure_xdmcp_is_not_enabled.pp index 944a5575..20767acd 100644 --- a/manifests/rules/ensure_xdmcp_is_not_enabled.pp +++ b/manifests/rules/ensure_xdmcp_is_not_enabled.pp @@ -3,6 +3,10 @@ # @summary Ensure XDMCP is not enabled # class secure_linux_cis::rules::ensure_xdmcp_is_not_enabled { + + file { '/etc/gdm': + ensure => directory, + }-> file { '/etc/gdm/custom.conf': ensure => file, } From 3b1a6d491ad259060b5e0a0ce097d4e7c8b622c4 Mon Sep 17 00:00:00 2001 From: Sergejs Glusnevs Date: Thu, 21 Sep 2023 18:45:45 +0200 Subject: [PATCH 42/42] RHEL/Rocky 9 added to readme --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 142f6db2..0bf9d020 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,8 @@ This Puppet module implements security controls defined in the Center for Intern | RedHat 7 | 3.1.1 | | RedHat 8 | 2.0.0 | | Rocky 8 | 1.0.0 | +| RedHat 9 | 1.0.0 | +| Rocky 9 | 1.0.0 | | SLES 15 | 1.1.1 | | Ubuntu 18.04 | 2.1.0 | | Ubuntu 20.04 | 1.1.0 |
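Review bot: `mkdir -p ${path}` creates every missing parent of a root PATH entry with the agent's umask, but only the leaf is then managed by `file { $path: }`, so the intermediate directories never get the `owner => 'root'` / `mode => 'go-w'` treatment this rule exists for. Creating a PATH entry that did not exist also hides a stale root PATH instead of reporting it; if that is intended, say so with a comment such as `# create missing PATH entries so the file resource below can manage them`. The command string interpolates a value from the `root_path` fact, so an entry containing whitespace would be split into several arguments; where the supported Puppet versions accept an array, `command => ['mkdir', '-p', $path],` avoids that. The title `"check $path recursively"` describes a check although the resource creates directories. The enclosing `each` block continues outside the hunk.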
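Review bot: The added `file { '/etc/gdm': ensure => directory }` creates the directory, and through the existing resource `/etc/gdm/custom.conf`, on every host the rule is applied to, including ones without GDM, and neither resource sets `owner`, `group` or `mode`. For a configuration directory it is worth pinning them, e.g. `owner => 'root', group => 'root', mode => '0755',`; the same applies to the `/etc/dconf/db/local.d/` directory added to the removable-media rule in this commit. The chaining arrow reads more clearly with a space before it (`} ->`). The class body continues outside the hunk.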