Version: Atlas v3.10

Security Facts Puppet Module (secfacts)

Table of Contents

  1. Description
  2. Setup
  3. Usage
  4. Reference
  5. Limitations
  6. Development

Description

This Puppet module contains the custom facts required to determine security compliance on several Linux distributions. These base facts have been abstracted into this module so they can be shared across OS-specific compliance modules.

Some of these custom facts take a long time to execute. Updating to puppet-agent 7 or later is recommended so that native fact caching can be used. The module provides a way to customize the time to live ('ttls') for these "expensive" facts by managing entries in '/etc/puppetlabs/facter/facter.conf'.

caution

The RHEL 7 and RHEL 8 Puppet modules require the Security Facts module; it must be installed alongside them or they will not function.

Setup

Adding the module to an environment is enough to begin collecting facts, but assigning the module to nodes greatly improves performance. On Facter 4 or later, assigning the module to nodes enables native fact caching for the "expensive" facts; the time to live of each cached fact can be controlled with the module parameter for that fact. On Facter 3 and earlier, a confine statement in each "expensive" fact prevents Facter from executing it at all; instead, the module schedules cron tasks that run locally staged scripts to produce external fact files.
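The two mechanisms described above (ttls entries in facter.conf on Facter 4 and later, cron-driven external fact files on Facter 3 and earlier) look like this when written out as a manifest. This is an added example, not the secfacts module's own code: the fact names are taken from the Reference list, but the TTL values, the staged script path, the script body and the cron schedule are illustrative assumptions, and the module's real parameters and scripts may differ.

```puppet
# Added example, not part of the secfacts module. Fact names come from the
# module's Reference list; TTLs, script path, script body and schedule are
# assumed for illustration.
$expensive_facts = {
  'secfacts_file_hashes'   => '1 day',
  'secfacts_unowned_files' => '12 hours',
}

if versioncmp($facts['facterversion'], '4.0.0') >= 0 {
  # Facter 4 (puppet-agent 7+) caches custom facts listed under facts.ttls
  # in facter.conf, so an expensive fact runs at most once per TTL window.
  $ttl_lines = $expensive_facts.map |$name, $ttl| {
    "    { \"${name}\" : ${ttl} }"
  }

  file { '/etc/puppetlabs/facter/facter.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => join(
      ['facts : {', '  ttls : ['] + [join($ttl_lines, ",\n")] + ['  ]', '}', ''],
      "\n"
    ),
  }
} else {
  # Facter 3 and earlier: the custom fact is confined away, so a staged
  # script runs from cron and writes an external fact file instead. The
  # script below is a stand-in that shows the shape of that file; it is
  # not the module's own script and does not compute the module's data.
  file { '/usr/local/sbin/secfacts_file_hashes.sh':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0750',
    content => @(SCRIPT),
      #!/bin/sh
      # Stand-in external fact producer (assumed, not the module's script).
      set -eu
      out=/opt/puppetlabs/facter/facts.d/secfacts_file_hashes.json
      tmp="${out}.tmp"
      {
        printf '{"secfacts_file_hashes":{'
        sep=''
        for f in /etc/passwd /etc/shadow /etc/sudoers; do
          [ -f "$f" ] || continue
          sum=$(sha256sum "$f" | cut -d' ' -f1)
          printf '%s"%s":"%s"' "$sep" "$f" "$sum"
          sep=','
        done
        printf '}}\n'
      } > "$tmp"
      # Rename atomically so Facter never reads a half-written fact file.
      mv "$tmp" "$out"
      | SCRIPT
  }

  cron { 'secfacts_file_hashes':
    command => '/usr/local/sbin/secfacts_file_hashes.sh',
    user    => 'root',
    hour    => fqdn_rand(24, 'secfacts_file_hashes'),
    minute  => fqdn_rand(60, 'secfacts_file_hashes'),
    require => File['/usr/local/sbin/secfacts_file_hashes.sh'],
  }
}
```

Two caveats for anyone adapting this: the file resource replaces facter.conf wholesale, so any existing settings in that file (a blocklist, cli options) would be lost, which is why letting the module manage the ttls entries through its parameters is preferable to hand-rolling the file; and the cron type lives in puppetlabs-cron_core on Puppet 6 and later, which puppet-agent bundles, so no extra module is needed on a standard agent install.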

Usage

Assigning the module to nodes should be adequate in most cases. See the reference for details on the custom facts and default caching values.

Operating system specific compliance modules can be written to leverage these facts and avoid duplication of facts across different releases and versions. See the reference for the list of facts available from this module.

Reference

With the exception of packages, users, and groups, all facts from the module are named with the prefix secfacts_ to avoid conflicts with custom facts that may be delivered by other modules. The following facts are included in the module:

  • secfacts_aide

  • secfacts_aliases

  • secfacts_antivirus

  • secfacts_audisp

  • secfacts_audit_files

  • secfacts_audit_space

  • secfacts_auditd

  • secfacts_cpuinfo

  • secfacts_cron

  • secfacts_crypto_policy

  • secfacts_dns_client

  • secfacts_efi_firmware

  • secfacts_faillock

  • secfacts_file_hashes

  • secfacts_file_owner_mode

  • secfacts_file_stat

  • secfacts_firewalld

  • secfacts_gdm

  • secfacts_gnome

  • groups

  • secfacts_grub

  • secfacts_ipsec_status

  • secfacts_limits

  • secfacts_login_defs

  • secfacts_modprobe

  • packages

  • secfacts_pam

  • secfacts_postfix

  • secfacts_pwquality

  • secfacts_removable_media

  • secfacts_rsyslog

  • secfacts_selinux

  • secfacts_shosts

  • secfacts_shosts_equiv

  • secfacts_smartcard

  • secfacts_snmpd

  • secfacts_ssh

  • secfacts_sshd

  • secfacts_sssd

  • secfacts_sudoers

  • secfacts_sysctl

  • secfacts_system_commands

  • secfacts_system_libraries

  • secfacts_systemd

  • secfacts_time_sync

  • secfacts_unowned_files

  • secfacts_user_files

  • secfacts_useradd

  • users

  • secfacts_ww_dirs

  • secfacts_ww_files

  • secfacts_yum

  • secfacts_yum_history

Limitations

This module is written for use with the Red Hat OS family but should work across most recent Linux distributions.