STIG Checklist Generator Puppet Module

ReadMe

Table of Contents

1. Description
2. Setup
   • What stig_checklist affects
   • Setup requirements
3. Usage
4. Splunk integration
5. Limitations
6. Support

Description

This utility generates STIG checklist files by pulling data from puppetdb. It requires KGI STIG module(s) to be deployed to the target node(s) because the modules collect facts that supply the status of the respective STIG findings. An optional YAML file may be used to override checklist fields that would otherwise be populated by the automation data. This module is also used to enable the Puppet and Splunk integration for the STIG Compliance solution. This module will install and configure all of the components that are needed on a target node. This should be deployed to a Linux based machine running RHEL 7/8 or CentOS.

Setup

What stig_checklist affects

The module will install the 'python-requests' and 'PyYAML' packages that are used to make connections to the puppetdb API endpoints. The installation directory is defined by the 'install_dir' parameter and is where the remaining files will be installed. Ensure the parent directory already exists (or manage it as a separate puppet resource).

Files that are installed under the 'install_dir':

• checklist.py - The script that generates STIG checklist files

• config.yaml - This file configures the URL for puppetdb

• templates - Subdirectory that contains "blank" STIG checklist files used as templates

• overrides - Subdirectory contains optional YAML files to override automation findings in reports.

• checklists - Subdirectory that will contain generated checklist files. This directory will only be managed by Puppet when $splunk_integration is true, and in this case the directory owner will be set to $splunk_user. When Splunk integration is not enabled the 'checklist.py' script will create the 'checklists' subdirectory if it is not present.

• processed - Subdirectory that is only managed by Puppet when Splunk integration is enabled. The Splunk TA will move files here from "checklists" after parsing the data and sending to Splunk.

Setup Requirements

Puppet server infrastructure is required, including puppetdb. One or more STIG modules from KGI must be deployed and run at least once on the target node(s) so the report data is available in puppetdb.

This utility itself must be run from a managed puppet node because it relies on the puppet certificate to authenticate with puppetdb. Ensure any host firewall running on puppetdb is configured to permit access from the node being used to generate checklists, or just run the utility on the puppetdb host directly.

note

When running reports with Puppet Enterprise where the reporting node is not puppetdb server, you may (depending on your configuration) need to add the certificate for the reporting node(s) to '/etc/puppetlabs/puppetdb/certificate-allowlist'. Changing this file requires restarting the 'puppetdb' service.

Usage

You will likely need to assign the 'puppetdb_url' parameter when deploying the module. This is the path that the reporting node will use to access puppetdb, and defaults to 'https://puppet:8081'.

The default installation directory is '/opt/stig_checklist', but this may be changed with the 'install_dir' parameter. Note that when using the "splunkforwarder" module with the optional TA support to index STIG checklists into Splunk that "${install_dir}/checklists" should be the source directory, and "${install_dir}/processed" should be the destination.

@example
  class { 'stig_checklist':
    puppetdb_url => 'https://puppetdb.mydomain.com:8081',
  }

Once the module has been applied to a node you can generate STIG checklists for any puppet node that has supported KGI STIG modules assigned. Generate a report by referencing the target node by the full certificate name as used by puppet:

cd /opt/stig_checklist
./checklist.py -n mynode.mydomain.com

Alternatively, you can generate checklist for all nodes using '-a' or '--all'. This will request all nodes from puppetdb that have a supported STIG module assigned and build a checklist file for each one:

cd /opt/stig_checklist
./checklist.py -a

Splunk integration

Set the 'splunk_integration' parameter to true to enable integration with Splunk. This is normally only required to be set for a single node that will generate reports for all managed nodes. The reporting node should also have the "splunkforwarder" Puppet modules installed and configured to use the TA for STIG indexing. See that module's documentation for details.

Limitations

This has been tested on CentOS/RedHat 7 but should work from most other Linux distributions.

Reference

Table of Contents

Classes

• stig_checklist: Install STIG checklist generation components

Tasks

• new_ckl: Generate a STIG checklist for a single node or all nodes.

Classes

stig_checklist

Install STIG checklist generation components

Examples

class { 'stig_checklist':
  puppetdb_url => 'https://puppet.mydomain.com:8081',
}

Parameters

The following parameters are available in the stig_checklist class:

• install_dir
• puppetdb_url
• splunk_integration
• stig_report_schedule
• splunk_user
• splunk_group
• report_schedule

install_dir

Data type: String

The directory where reporting components will be installed. The parent directory must exist or the resource will fail. When installing in conjunction with the Atlas Splunk TA, the source directory for the TA should point to "${install_dir}/checklists" and the destination directory should point to "${install_dir}/processed". Defaults to '/opt/stig_checklist'

puppetdb_url

Data type: String

The URL where the puppetdb API endpoints are available.

splunk_integration

Data type: Boolean

Enables a cron job to generate reports for all nodes per the schedule defined by 'report_schedule'. Also ensures that the report files are owned by 'splunk_user' so the TA will be able to process and archive files.

stig_report_schedule

A hash that defines the schedule for reporting STIG data to Splunk. Hash key names are the keywords for a typical 'cron' resource: 'hour', 'minute', 'month', 'monthday', and 'weekday'. Values must be valid for a cron resource. Default schedule is daily at 0230.

splunk_user

Data type: String

When Splunk integration is enabled, the owner of generated reports will be changed to this user to allow the Atlas TA to process and move the checklist files. Default is 'splunk'

splunk_group

Data type: String

When Splunk integration is enabled, the group owner of generated reports will be changed to this user to allow the Atlas TA to process and move the checklist files. Default is 'splunk'

report_schedule

Data type: Hash

Tasks

new_ckl

Generate a STIG checklist for a single node or all nodes.

Supports noop? false

Parameters

node

Data type: String[1]

The target node name, or keyword 'all'.

install_dir

Data type: Optional[String[1]]

The full directory name where 'checklist.py' is installed.

Changelog

Changelog

Release 0.4.0

• Updated to support RHEL7 STIG v3r4
• Updated to support RHEL8 STIG v1r3

Release 0.3.1

• Remove Splunk forwarder support in favor of the module dependency for kgi/splunkforwarder
• Generate and use a new UUID when generating STIG checklists
• When Splunk integration is enabled, manage the data directories and ensure that the file owner of the directories and checklist files is $splunk_user to support the Atlas Splunk TA.

Release 0.3.0

• Updated to support RHEL7 STIG v3r3
• Requires version '0.3.0' of the KGI 'rhel7stig' module
• Refactored "checklist.py" to eliminate duplicate code and reduce calls to puppetdb

Release 0.2.0

• Updated to support RHEL7 STIG v3r2
• Now uses custom facts from puppetdb to populate status and details.
• Requires version '0.2.0' of the KGI 'rhel7stig' module

Release 0.1.0

Initial release with support for RHEL7 STIG v3r1

Bugfixes

N/A

Known Issues

N/A