Security Facts Puppet Module (secfacts)
Description
This Puppet module contains custom facts required to determine security compliance on several Linux distributions. These base facts have been abstracted into this module so they can be shared across OS-specific modules.
Some of these custom facts take a long time to execute. It is recommended to update to version 7 or later of puppet-agent to take advantage of native fact caching. The module provides a way to customize the "ttls" for some of these "expensive" facts by managing entries in /etc/puppetlabs/facter/facter.conf.
The Security Facts module is required for the proper execution of the RHEL 7 and RHEL 8 Puppet modules. It must be installed along with these modules in order for them to function properly.
Setup
Adding the module to an environment is enough to begin collecting facts, but assigning the module to nodes will greatly improve performance. On facter version 4 or later, assigning the module to nodes enables native fact caching for some "expensive" facts. The time to live for the fact cache can be controlled using module parameters for the respective facts. Under facter 3 and earlier, a confine statement in these "expensive" facts prevents facter from evaluating them at all; instead, cron tasks are scheduled that run locally staged scripts to produce external fact files.
Usage
Assigning the module to nodes should be adequate in most cases. See the reference for details on the custom facts and default caching values.
Operating system specific compliance modules can be written to leverage these facts and avoid duplication of facts across different releases and versions. See the reference for the list of facts available from this module.
Reference
With the exceptions of packages, users, and groups, all facts from the module are named with the prefix secfacts_ to avoid conflict with custom facts that may be delivered with other modules. The following facts are included by the module:
secfacts_aide
secfacts_aliases
secfacts_antivirus
secfacts_audisp
secfacts_audit_files
secfacts_audit_space
secfacts_auditd
secfacts_cpuinfo
secfacts_cron
secfacts_crypto_policy
secfacts_dns_client
secfacts_efi_firmware
secfacts_faillock
secfacts_file_hashes
secfacts_file_owner_mode
secfacts_file_stat
secfacts_firewalld
secfacts_gdm
secfacts_gnome
groups
secfacts_grub
secfacts_ipsec_status
secfacts_limits
secfacts_login_defs
secfacts_modprobe
packages
secfacts_pam
secfacts_postfix
secfacts_pwquality
secfacts_removable_media
secfacts_rsyslog
secfacts_selinux
secfacts_shosts
secfacts_shosts_equiv
secfacts_smartcard
secfacts_snmpd
secfacts_ssh
secfacts_sshd
secfacts_sssd
secfacts_sudoers
secfacts_sysctl
secfacts_system_commands
secfacts_system_libraries
secfacts_systemd
secfacts_time_sync
secfacts_unowned_files
secfacts_user_files
secfacts_useradd
users
secfacts_ww_dirs
secfacts_ww_files
secfacts_yum
secfacts_yum_history
Limitations
This module is written for use with the Red Hat OS family but should work across most recent Linux distributions.
Classes
secfacts: Provide custom facts for use by compliance modules
Classes
secfacts
Provide custom facts for use by compliance modules
Note: On facter 4 and higher, fact caching is managed with the "ttls" entry in facter.conf. Older Puppet agents resort to cron jobs to update external fact files.
Examples
include secfacts
Parameters
The following parameters are available in the secfacts class:
script_dir
Data type: String
The directory where facter scripts will be created when using cron. (/opt/puppetlabs/facter/scripts)
ttls
Data type: Hash
The cache time to live for managed facts. See module hiera for su
cron_schedule
Data type: Hash
A hash of cron resource schedule parameters. Only used with facter 3.
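As an added example (not taken from the module's own documentation), the following node classification assigns the class and overrides the three parameters above for a host where the filesystem-scanning facts are the slow ones. The shape of the ttls hash (fact name to facter duration string) and of cron_schedule (plain cron resource attributes) is assumed here, since the README does not show it; the hostname is a constructed placeholder.

```puppet
# Added example, not part of the secfacts module docs.
# Assumptions: 'ttls' maps a fact name to a facter duration string,
# and 'cron_schedule' carries cron resource attributes (hour/minute).
node 'rhel8-web01.example.internal' {
  class { 'secfacts':
    # Facter 4+: managed into the "ttls" entry of
    # /etc/puppetlabs/facter/facter.conf, so a full-disk scan such as
    # secfacts_file_hashes runs at most once per interval rather than
    # on every agent run. Facter reads entries of this HOCON form:
    #   facts : {
    #     ttls : [
    #       { "secfacts_file_hashes" : 24 hours },
    #     ]
    #   }
    ttls => {
      'secfacts_file_hashes'   => '24 hours',
      'secfacts_unowned_files' => '12 hours',
      'secfacts_ww_dirs'       => '12 hours',
      'secfacts_ww_files'      => '12 hours',
    },
    # Facter 3 and earlier: the facts are confined away and the scripts
    # staged under script_dir run from cron, writing external fact files.
    script_dir    => '/opt/puppetlabs/facter/scripts',
    cron_schedule => {
      'hour'   => 3,
      'minute' => 15,
    },
  }
}
```

Longer TTLs reduce agent run time but also delay when a compliance drift (a changed file hash, a new world-writable file) becomes visible to the compliance modules, so pick intervals that match how quickly you expect to detect such changes.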