Adding compliance classes

This commit is contained in:
maju6406 2018-09-14 09:46:46 -07:00
parent 9d932f8d64
commit d5c259a7b9
7 changed files with 110 additions and 0 deletions

BIN
.DS_Store vendored


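--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ hieradata/nodes/example-puppet-master.yaml
 site/.DS_Store
 site/profile/.DS_Store
 site/.DS_Store
+.DS_Store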
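Review bot: Adding `.DS_Store` to the ignore list does not untrack the binary `.DS_Store` that this same commit adds (the BIN section above), so the file stays in history and keeps being committed on change. Drop it from the index with `git rm --cached .DS_Store` before relying on the ignore rule. The existing list also carries `site/.DS_Store` twice; with the new top-level pattern both `site/` entries are redundant and could be removed.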


@ -0,0 +1,6 @@
#
class profile::baseline_hipaa {
include ::profile::compliance::hipaa
}
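Review bot: The `#` on the line above `class profile::baseline_hipaa` is an empty doc comment, so the class will show up undocumented in puppet-strings output. Replace it with a one-line summary such as `# Baseline profile for HIPAA-scoped nodes: pulls in profile::compliance::hipaa, which selects the OS-specific safeguards.` The sibling `profile::compliance::cis` and `profile::compliance::hipaa` classes in this commit have no doc comment at all and would benefit from the same treatment.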


@ -0,0 +1,5 @@
class profile::compliance::cis {
include ::demo_cis
}


@ -0,0 +1,11 @@
class profile::compliance::hipaa {
case $::osfamily {
'windows': {
include ::profile::compliance::hipaa::windows
}
default: {
include ::profile::compliance::hipaa::linux
}
}
}
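Review bot: The `default` branch applies the Linux HIPAA class to every non-Windows node, so a Darwin, Solaris or BSD agent would silently receive the Linux ssh/auditd/user-purge configuration rather than failing. An explicit unsupported-platform failure is safer for a compliance profile, e.g. `'RedHat', 'Debian', 'Suse': { include ::profile::compliance::hipaa::linux }` followed by `default: { fail("profile::compliance::hipaa: unsupported osfamily ${::osfamily}") }`, adjusted to the families the site actually runs. Separately, `$::osfamily` is the legacy top-scope fact form; `$facts['os']['family']` is the structured equivalent if the agents are new enough to provide it.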


@ -0,0 +1,36 @@
class profile::compliance::hipaa::linux {
# HIPAA Administrative Simplification Regulation Text
# https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf?language=es
# 164.312 Technical safeguards
# (i) Unique user identification (Required)
# Ensure only known accounts are on the system, purge any unmanaged accounts otherwise.
resources {'user':
purge => true,
unless_system_user => true,
unless_uid => ['1010'],
}
# (iii) Automatic logoff (Addressable)
# Set time limit for active but idle ssh sessions: 10 minutes
# Set login grace time to 60
class{'::ssh':
permit_root_login => 'no',
sshd_client_alive_count_max => '10',
sshd_client_alive_interval => '60',
sshd_config_login_grace_time => '60',
}
# Add Auditd configuration
class{'::auditd':
main_rules => [
'-a always,exit -F path=/etc/passwd -F perm=wa -F key=accounts',
'-a always,exit -F path=/etc/gshadow -F perm=wa -F key=accounts',
],
}
}
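Review bot: `resources { 'user': purge => true, ... }` removes every non-system user that is not declared as a Puppet `user` resource in the catalog, and unlike the Windows class this one declares none, so on a Linux node the only surviving non-system account is the hard-coded UID 1010; any other administrator account is deleted on the first run. At minimum the exempt UIDs should be a class parameter (e.g. `Array[String] $exempt_uids = ['1010']`) and the intended admin accounts should be managed explicitly so the purge cannot lock operators out. On the ssh block, `ClientAliveInterval`/`ClientAliveCountMax` detect unresponsive clients, not idle users — a client that is still connected answers the probes, so an idle interactive session is not logged off after 10 minutes as the comment states; an idle-shell timeout (for example a `TMOUT` setting) is what actually implements the "Automatic logoff" safeguard. The auditd rules watch `/etc/passwd` and `/etc/gshadow` but not `/etc/shadow` or `/etc/group`; adding `'-a always,exit -F path=/etc/shadow -F perm=wa -F key=accounts'` and `'-a always,exit -F path=/etc/group -F perm=wa -F key=accounts'` completes the account-file coverage.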


@ -0,0 +1,51 @@
class profile::compliance::hipaa::windows {
# HIPAA Administrative Simplification Regulation Text
# https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf?language=es
# 164.312 Technical safeguards
# (i) Unique user identification (Required)
# Ensure only known accounts are on the system, purge any unmanaged accounts otherwise.
user { 'Local Admin 1':
ensure => present,
groups => ['Administrators'],
}
user { 'Local Admin 2':
ensure => present,
groups => ['Administrators'],
}
#Purge any unmanaged users.
purge { 'user':
unless => [
[ 'name', '==', 'Administrator' ],
[ 'name', '==', 'Guest' ],
[ 'name', '==', 'Local Admin 1' ],
[ 'name', '==', 'Local Admin 2' ],
]
}
# (iii) Automatic logoff (Addressable)
# NOTE: Local Group Policy Editor tool does not show these settings as 'Enabled' but they do work.
# Set time limit for active but idle Remote Desktop Services sessions: 10 minutes
registry_value { 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime':
type => dword,
data => '0x000927c0',
notify => Reboot['after_run'],
}
# Set time limit for disconnected sessions: 5 minutes
registry_value { 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime':
type => dword,
data => '0x000493e0',
notify => Reboot['after_run'],
}
# Reboot is required for registry keys above if they are remediated/altered.
reboot { 'after_run':
apply => finished,
}
}
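Review bot: The admin account names are written twice — once as `user` resources and again inside the `purge { 'user': unless => [...] }` allow-list — so renaming or adding an admin in one place without the other gets that account deleted by the purge on the next run, which for a local administrator means lockout. Deriving both from a single list removes that failure mode; the sketch below assumes Puppet 4+ iteration is available. The registry values are correct for the stated durations (`0x000927c0` is 600000 ms, `0x000493e0` is 300000 ms), but note that `MaxIdleTime`/`MaxDisconnectionTime` only govern Remote Desktop Services sessions, so interactive console logons are not covered by this "Automatic logoff" control as implemented; a comment stating that scope would help the next reviewer.
```puppet
$managed_admins = ['Local Admin 1', 'Local Admin 2']
$managed_admins.each |$admin| {
  user { $admin:
    ensure => present,
    groups => ['Administrators'],
  }
}
# Built-in accounts plus the managed admins are the only users allowed to survive the purge.
$purge_exempt = ['Administrator', 'Guest'] + $managed_admins
purge { 'user':
  unless => $purge_exempt.map |$name| { ['name', '==', $name] },
}
# … unchanged: registry_value and reboot resources …
```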