Skip to main content
Version: Atlas v3.12

STIG Checklist Generator Puppet Module

Table of Contents

  1. Description
  2. Setup
  3. Usage
  4. Splunk integration
  5. Limitations
  6. Support


This utility generates STIG checklist files by pulling data from puppetdb. It requires KGI STIG module(s) to be deployed to the target node(s) because the modules collect facts that supply the status of the respective STIG findings. An optional YAML file may be used to override checklist fields that would otherwise be populated by the automation data. This module is also used to enable the Puppet and Splunk integration for the STIG Compliance solution. This module will install and configure all of the components that are needed on a target node. This should be deployed to a Linux based machine running RHEL 7/8 or CentOS.


What stig_checklist affects

The module will install the 'python-requests' and 'PyYAML' packages that are used to make connections to the puppetdb API endpoints. The installation directory is defined by the 'install_dir' parameter and is where the remaining files will be installed. Ensure the parent directory already exists (or manage it as a separate puppet resource).

Files that are installed under the 'install_dir':

  • - The script that generates STIG checklist files

  • config.yaml - This file configures the URL for puppetdb

  • templates - Subdirectory that contains "blank" STIG checklist files used as templates

  • overrides - Subdirectory contains optional YAML files to override automation findings in reports.

  • checklists - Subdirectory that will contain generated checklist files. This directory will only be managed by Puppet when $splunk_integration is true, and in this case the directory owner will be set to $splunk_user. When Splunk integration is not enabled the '' script will create the 'checklists' subdirectory if it is not present.

  • processed - Subdirectory that is only managed by Puppet when Splunk integration is enabled. The Splunk TA will move files here from "checklists" after parsing the data and sending to Splunk.

Setup Requirements

Puppet server infrastructure is required, including puppetdb. One or more STIG modules from KGI must be deployed and run at least once on the target node(s) so the report data is available in puppetdb.

This utility itself must be run from a managed puppet node because it relies on the puppet certificate to authenticate with puppetdb. Ensure any host firewall running on puppetdb is configured to permit access from the node being used to generate checklists, or just run the utility on the puppetdb host directly.


When running reports with Puppet Enterprise where the reporting node is not puppetdb server, you may (depending on your configuration) need to add the certificate for the reporting node(s) to '/etc/puppetlabs/puppetdb/certificate-allowlist'. Changing this file requires restarting the 'puppetdb' service.


You will likely need to assign the 'puppetdb_url' parameter when deploying the module. This is the path that the reporting node will use to access puppetdb, and defaults to 'https://puppet:8081'.

The default installation directory is '/opt/stig_checklist', but this may be changed with the 'install_dir' parameter. Note that when using the "splunkforwarder" module with the optional TA support to index STIG checklists into Splunk that "${install_dir}/checklists" should be the source directory, and "${install_dir}/processed" should be the destination.

class { 'stig_checklist':
puppetdb_url => '',

Once the module has been applied to a node you can generate STIG checklists for any puppet node that has supported KGI STIG modules assigned. Generate a report by referencing the target node by the full certificate name as used by puppet:

cd /opt/stig_checklist
./ -n

Alternatively, you can generate checklist for all nodes using '-a' or '--all'. This will request all nodes from puppetdb that have a supported STIG module assigned and build a checklist file for each one:

cd /opt/stig_checklist
./ -a

Splunk integration

Set the 'splunk_integration' parameter to true to enable integration with Splunk. This is normally only required to be set for a single node that will generate reports for all managed nodes. The reporting node should also have the "splunkforwarder" Puppet modules installed and configured to use the TA for STIG indexing. See that module's documentation for details.


This has been tested on CentOS/RedHat 7 but should work from most other Linux distributions.