Puppet Modules Overview
STIG Remediation & Enforcement with Atlas Puppet Modules
Atlas comes with access to a library of STIG compliance Puppet modules that can be utilized to remediate and enforce STIG vulnerabilities and integrates seamlessly with the Splunk components of the solution. The Puppet modules and the Atlas Splunk Elements for STIG Compliance are designed to work together but can also function completely independently of each other. While it is strongly encouraged that Atlas customers use all components of the STIG Compliance solution together, they can also be used by themselves to provide significant value.
The way that the solution functions is that Puppet is used to enforce and remediate STIG vulnerabilities. Then, through an integration, the resulting compliance data is sent to Splunk for reporting. Once the Atlas Puppet modules are installed in your Puppet implementation and Puppet is executed, a collection of information is created about these assets that are under the enforcement of Puppet.
Atlas Puppet Modules
Atlas currently supports the following STIG Compliance enforcement Puppet modules:
Puppet Compatibility
The Atlas Puppet modules are designed to work with both Puppet open-source and Puppet Enterprise. There are no specific features of the Puppet modules that are dependent on the implementation of Puppet. This means that even if you are not currently using Puppet for configuration management in your environment, you can still deploy an open source version of Puppet and take advantage of the Atlas Puppet modules for STIG remediation.
Every Atlas subscription comes with our Atlas Expertise-On-Demand service. You can use this service to assist you with setting up Puppet and the Atlas STIG modules.
Puppet Module Deployment
This documentation assumes that the reader has some understanding of Puppet concepts and is familiar with implementing Puppet modules and has some experience administering Puppet.
The Atlas Puppet modules can be downloaded from the Atlas customer portal. This is the same portal where you downloaded the Atlas software and obtained your license key. If you need more help with downloading the Puppet modules see the Downloading Atlas documentation.
Puppet modules are essentially system configuration expressed as code that are interpreted by a Puppet agent which applies the configuration described on the target system. The Atlas STIG Compliance Puppet modules are custom developed modules that are specifically designed to enforce STIG vulnerabilities. They are implemented just like any other Puppet module in your environment. However, there are certain things to consider when first deploying these Puppet modules in your environment.
Solution Components
The Atlas STIG Compliance solution for Puppet includes a few components that will be used to achieve the full functionality of the solution. You will only need the components that are required for the functionality that you want to use.
Type | Artifact Name | Usage | Required |
---|---|---|---|
Puppet Module | kgi-rhel7stig-X.X.X.tar.gz | Puppet module to enforce RHEL 7 STIGs | Yes |
Puppet Module | kgi-rhel8stig-X.X.X.tar.gz | Puppet module to enforce RHEL 8 STIGs | Yes |
Puppet Module | kgi-secfacts-X.X.X.tar.gz | Puppet module that is required to collect compliance facts about the target system | Yes |
Puppet Module/Script | kgi-stig_checklist-X.X.X.tar.gz | Puppet module that will deploy a set of scripts that can create STIG checklist files directly from the PuppetDB. Use this to enable the Puppet module integration with Splunk. | No |
Deployment Considerations
- Always test these modules on a development system first! It is important to remember that these STIG modules will make configuration changes to your system. Some of these changes, if applied incorrectly, can make changes that are difficult to reverse. You should first apply these Puppet modules against a development server that is representative of your production systems.
If you have other configuration management or security enforcement tools in place through automation or otherwise there is very good chance that the Puppet modules will conflict with it. This can also cause problems and should be tested in a non-production environment.
Consider a deployment strategy where Puppet is not enforcing anything at first and gradually adding enforcement of vulnerabilities in. This can be easily accomplished with the Atlas Puppet modules using Hiera. You can read more about this in the Managing Enforcement with Hiera section of this page.
Installing the Puppet Modules
Installation of the Atlas Puppet modules for STIG Compliance is done the same way that any other existing Puppet module is deployed. Once you have obtained the Atlas Puppet module code from the Atlas Portal you must install all of the required dependencies and add it to your node classification code. If you use a roles and profiles setup in Puppet, you will add the STIG modules to your profile to tie things together. In general, node classification in Puppet is done many different ways so we will not cover that in this documentation. Puppet's documentation provides excellent guidance for implementing external modules.
Managing Enforcement with Hiera
These Puppet modules are designed to leverage Puppet's Hiera as a means of customizing how these modules are enforced across your infrastructure. It is all too common in a compliance scenario that you cannot enforce certain vulnerability remediation's because it will cause something not to function on the target system. The Atlas STIG compliance Puppet modules are uniquely designed to accommodate this scenario. They allow you to be very targeted in how the vulnerabilities are enforced on each node individually.
Each STIG enforcement module provides three parameters in the init.pp that are Array types. Each array contains a list of vulnerability ids and is used to determine how each vulnerability is enforced. The three arrays in the init.pp of the module are as follows:
Array $vul_id,
Array $exclude = [],
Array #enforce = [],
The rule that the module follows is to include all $vul_id
classes except those contained in $exclude
, but always those in $enforce
. Use the the $exclude
array to define vulnerabilities that you want to exclude from enforcement. This can be done for each node in Hiera as needed. Use the $enforce
array to ensure that these vulnerabilities are always enforced.