From d5c259a7b91a0f3e94a5624de8a5b10076a76c45 Mon Sep 17 00:00:00 2001
From: maju6406
Date: Fri, 14 Sep 2018 09:46:46 -0700
Subject: [PATCH] Adding compliance classes
---
 .DS_Store | Bin 6148 -> 6148 bytes
 .gitignore | 1 +
 site/profile/manifests/baseline_hipaa.pp | 6 +++
 site/profile/manifests/compliance/cis.pp | 5 ++
 site/profile/manifests/compliance/hipaa.pp | 11 ++++
 .../manifests/compliance/hipaa/linux.pp | 36 +++++++++++++
 .../manifests/compliance/hipaa/windows.pp | 51 ++++++++++++++++++
 7 files changed, 110 insertions(+)
 create mode 100644 site/profile/manifests/baseline_hipaa.pp
 create mode 100644 site/profile/manifests/compliance/cis.pp
 create mode 100644 site/profile/manifests/compliance/hipaa.pp
 create mode 100644 site/profile/manifests/compliance/hipaa/linux.pp
 create mode 100644 site/profile/manifests/compliance/hipaa/windows.pp
diff --git a/.DS_Store b/.DS_Store
index 038597a2064929cc7874db42c99188b11b802879..3a37a203fc85b6bb283c146a9502cde50e1268af 100644
GIT binary patch
delta 440
zcmZoMXfc=|#>B!ku~2NHo}wrl0|Nsi1A_nqLmERWLoq`MLvd31=0xV@%)uZjPKI2D zM20+uOl0Zef~1`MB%ticq=KBx;t~Uc>x@jyEUawo92^|n9K77I!5R7G!6k_$rNvH( zMbThhW=d*O;^YZTPW1taB^gPHMVy?R9Gvk264liv=H@yIM&`z~Ittb1<_0zS|rjvW6J|I5A;#
delta 272
zcmZoMXfc=|#>B)qu~2NHo}wrV0|Nsi1A_nqLjgkxLvc!Ra!ykI#=_-{j4YESS&f3e zBo*Xj7MBxs9R5uQa%WCYKHG9s|Wy@C_f@op{IvorIp)`y-yjhg( m6XV8)M@*a9Iruq%{@pCd@tt`xzlb9TNDWXQ%jO7?HOv4xH$!*;
diff --git a/.gitignore b/.gitignore
index 2f0d0a6..cfd7db4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ hieradata/nodes/example-puppet-master.yaml
 site/.DS_Store
 site/profile/.DS_Store
 site/.DS_Store
+.DS_Store
diff --git a/site/profile/manifests/baseline_hipaa.pp b/site/profile/manifests/baseline_hipaa.pp
new file mode 100644
index 0000000..fae81b9
--- /dev/null
+++ b/site/profile/manifests/baseline_hipaa.pp
@@ -0,0 +1,6 @@
+#
+class profile::baseline_hipaa {
+
+ include ::profile::compliance::hipaa
+
+}
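Review bot: The header comment above `class profile::baseline_hipaa` in the baseline_hipaa.pp hunk is an empty `#`, so the class carries no statement of what it is for or why it exists separately from profile::compliance::hipaa. Suggest `# Entry point that applies the HIPAA compliance profile (profile::compliance::hipaa) to a node; keep control logic in the compliance classes, not here.` The cis.pp and hipaa.pp classes later in this patch have no header comment at all and would benefit from the same one-line purpose statement.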
diff --git a/site/profile/manifests/compliance/cis.pp b/site/profile/manifests/compliance/cis.pp
new file mode 100644
index 0000000..f1041ee
--- /dev/null
+++ b/site/profile/manifests/compliance/cis.pp
@@ -0,0 +1,5 @@
+class profile::compliance::cis {
+
+ include ::demo_cis
+
+}
diff --git a/site/profile/manifests/compliance/hipaa.pp b/site/profile/manifests/compliance/hipaa.pp
new file mode 100644
index 0000000..58aed83
--- /dev/null
+++ b/site/profile/manifests/compliance/hipaa.pp
@@ -0,0 +1,11 @@
+class profile::compliance::hipaa {
+
+ case $::osfamily {
+ 'windows': {
+ include ::profile::compliance::hipaa::windows
+ }
+ default: {
+ include ::profile::compliance::hipaa::linux
+ }
+ }
+}
diff --git a/site/profile/manifests/compliance/hipaa/linux.pp b/site/profile/manifests/compliance/hipaa/linux.pp
new file mode 100644
index 0000000..3b0093c
--- /dev/null
+++ b/site/profile/manifests/compliance/hipaa/linux.pp
@@ -0,0 +1,36 @@
+class profile::compliance::hipaa::linux {
+
+ # HIPAA Administrative Simplification Regulation Text
+ # https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf?language=es
+
+ # 164.312 Technical safeguards
+ # (i) Unique user identification (Required)
+
+ # Ensure only known accounts are on the system, purge any unmanaged accounts otherwise.
+ resources {'user':
+ purge => true,
+ unless_system_user => true,
+ unless_uid => ['1010'],
+ }
+
+ # (iii) Automatic logoff (Addressable)
+ # Set time limit for active but idle ssh sessions: 10 minutes
+ # Set login grace time to 60
+ class{'::ssh':
+ permit_root_login => 'no',
+ sshd_client_alive_count_max => '10',
+ sshd_client_alive_interval => '60',
+ sshd_config_login_grace_time => '60',
+ }
+
+ # Add Auditd configuration
+ class{'::auditd':
+ main_rules => [
+ '-a always,exit -F path=/etc/passwd -F perm=wa -F key=accounts',
+ '-a always,exit -F path=/etc/gshadow -F perm=wa -F key=accounts',
+ ],
+ }
+
+
+
+}
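Review bot: In the hipaa.pp hunk the `default` branch of `case $::osfamily` routes every non-Windows node to `profile::compliance::hipaa::linux`, which declares the `::ssh` and `::auditd` classes, so a Darwin, Solaris or AIX agent would receive Linux auditd rules or fail at catalog application with no hint that the platform is simply unsupported. Matching the Linux families explicitly and failing otherwise makes the supported set visible: `'RedHat', 'Debian', 'Suse': { include ::profile::compliance::hipaa::linux }` followed by `default: { fail("profile::compliance::hipaa does not support osfamily ${::osfamily}") }`. `$::osfamily` is the legacy top-scope fact; on Puppet 4 and later `$facts['os']['family']` is the structured form and avoids the top-scope lookup.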
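Review bot: In the linux.pp hunk the auditd rules keyed `accounts` watch /etc/passwd and /etc/gshadow but not /etc/shadow or /etc/group, so changes to password hashes and to group membership — the events an account-integrity audit most needs to record — produce no audit event; add `'-a always,exit -F path=/etc/shadow -F perm=wa -F key=accounts',` and `'-a always,exit -F path=/etc/group -F perm=wa -F key=accounts',` to `main_rules`. The `resources {'user': purge => true, ...}` declaration removes every non-system local account that is not a `user` resource in the catalog, and this class declares none, so the only protected account is the hard-coded uid 1010; a comment saying which account that is and why it is exempt, or sourcing the exemption list from Hiera, would make the intent reviewable before this runs on a real host. The comment `# Set login grace time to 60` should name the unit and option, e.g. `# LoginGraceTime: 60 seconds to authenticate before sshd drops the connection`.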
diff --git a/site/profile/manifests/compliance/hipaa/windows.pp b/site/profile/manifests/compliance/hipaa/windows.pp
new file mode 100644
index 0000000..70a41f0
--- /dev/null
+++ b/site/profile/manifests/compliance/hipaa/windows.pp
@@ -0,0 +1,51 @@
+class profile::compliance::hipaa::windows {
+
+ # HIPAA Administrative Simplification Regulation Text
+ # https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf?language=es
+
+ # 164.312 Technical safeguards
+ # (i) Unique user identification (Required)
+
+ # Ensure only known accounts are on the system, purge any unmanaged accounts otherwise.
+ user { 'Local Admin 1':
+ ensure => present,
+ groups => ['Administrators'],
+ }
+
+ user { 'Local Admin 2':
+ ensure => present,
+ groups => ['Administrators'],
+ }
+
+ #Purge any unmanaged users.
+ purge { 'user':
+ unless => [
+ [ 'name', '==', 'Administrator' ],
+ [ 'name', '==', 'Guest' ],
+ [ 'name', '==', 'Local Admin 1' ],
+ [ 'name', '==', 'Local Admin 2' ],
+ ]
+ }
+
+ # (iii) Automatic logoff (Addressable)
+ # NOTE: Local Group Policy Editor tool does not show these settings as 'Enabled' but they do work.
+
+ # Set time limit for active but idle Remote Desktop Services sessions: 10 minutes
+ registry_value { 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime':
+ type => dword,
+ data => '0x000927c0',
+ notify => Reboot['after_run'],
+ }
+
+ # Set time limit for disconnected sessions: 5 minutes
+ registry_value { 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime':
+ type => dword,
+ data => '0x000493e0',
+ notify => Reboot['after_run'],
+ }
+
+ # Reboot is required for registry keys above if they are remediated/altered.
+ reboot { 'after_run':
+ apply => finished,
+ }
+}
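Review bot: The two `registry_value` resources in the windows.pp hunk write under `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services` without declaring the parent key; if this is puppetlabs-registry, `registry_value` does not create a missing parent key, so on a host where that policy key has never been created the first run fails instead of remediating. Declaring `registry_key { 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services': ensure => present }` in the same class closes that gap, and `registry_value` autorequires it. The `Local Admin 1` and `Local Admin 2` users are created with `ensure => present` and Administrators membership but no `password` attribute, so the credential of two privileged accounts is left to whatever the provider does at creation and is never enforced afterwards; at minimum the class should document where those passwords are managed. A comment on each `data` value would also spare the next reader the hex conversion, e.g. `# 0x000927c0 = 600000 ms = 10 minutes` and `# 0x000493e0 = 300000 ms = 5 minutes`.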