NCSA Common Puppet Profiles - configure standard security audits
- Description
- Setup - The basics of getting started with profile_audit
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This profile installs and configures security auditing functionality used by NCSA's Security Operations.
- access for qualys user
- custom root equivalence reporting script
- (Optional) Logging of user processes and open network connections to syslog
Include profile_audit in a puppet profile file:
include ::profile_audit
No paramters are required to be set. The default paramters should work for most NCSA deployments out of the box.
But in order to enable qualys scanning, at a minimum you will need to set the following parameters:
profile_audit::qualys::enabled: trueprofile_audit::qualys::ssh_authorized_keyfor thequalysuser.
Refer to https://wiki.ncsa.illinois.edu/display/SecOps/Qualys+Authenticated+Scanning+Host+setup to find existing public keys for projects and how to request new ones.
Logging of user processes and open network connections is disabled by default. To turn that on set profile_audit::enable_net_process_log: true. See REFERENCE.md for any customizations if needed.
Qualys historically had issues on Redhat servers running an EUS release, where Qualys would not realize the server was running an EUS version and would instead report out-of-date packages based on the latest release. In April 2024 Qualys fixed this issue in "VULSIG version VULNSIGS-2.6.33-2".
In the past this profile module had a work around to give fake output from the 'subscription-manager' command to Qualys on systems running EUS. This is no longer needed and has been removed in the latest version.
See: REFERENCE.md
This module depends on the following modules:
- https://forge.puppet.com/modules/puppetlabs/firewall
- https://github.com/ncsa/puppet-pam_access
- https://github.com/ncsa/puppet-sshd
- https://forge.puppet.com/modules/saz/sudo
- https://github.com/ncsa/puppet-rhsm
This Common Puppet Profile is managed by NCSA for internal usage.