Is noop-ing the controls which are to be monitored the best way to go? Seems the most conventional / straightforward.
Anyhow, as an operator of a fleet of systems I want to be able to set which CIS sections / controls are to be enforced, and which are to be monitored.
How might this look?
    class os_compliance::rule::password_history (
      Enum['enforce','monitor'] $mode             = 'monitor',
      Integer                   $password_history = 24,   # assumed default; the benchmark value belongs in Hiera
    ) {
      # 'monitor': noop() (trlinkin/noop) puts the resources declared below in
      # noop, so drift is reported in the run but the setting is not changed.
      if $mode == 'monitor' {
        noop()
      }
      local_security_policy { 'Enforce password history':
        ensure       => present,
        policy_value => String($password_history),
      }
    }
and
    class os_compliance::apply (
      Array[String] $rulesets = [],
    ) {
      $rulesets.each |$ruleset| {
        # each ruleset is a Hiera hash of CIS control id => 'enforce' | 'monitor'
        lookup("os_compliance::ruleset::${ruleset}").each |$rule, $mode| {
          # map the CIS control id to the class that implements it
          $rule_class = lookup("os_compliance::rule_alias::${rule}")
          class { "os_compliance::rule::${rule_class}":
            mode => $mode,
          }
        }
      }
    }
with all the data about the contents of each CIS benchmark, and which rules correspond to which CIS control numbers, in Hiera:
    os_compliance::apply::rulesets:
      - 'cis-l1-ms-windows-2012r2-2.3.0'
    os_compliance::ruleset::cis-l1-ms-windows-2012r2-2.3.0:
      cis_1.1.1: enforce
      cis_1.1.2: monitor
      cis_1.1.3: enforce
    os_compliance::ruleset::cis-l1-ms-windows-2008r2-3.1.0:
      cis_1.1.1: monitor
      cis_1.1.2: monitor
      cis_1.1.3: monitor
    os_compliance::rule_alias::cis_1.1.1: password_history
    os_compliance::rule_alias::cis_1.1.2: maximum_password_age
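As an added check (my code, not from the post): a small Python script that replays the lookups the apply class performs over the same Hiera data, assuming the keys exactly as written above, and reports the data problems that would otherwise surface only as a failed Puppet run (a missing alias, a mode outside the Enum, or a rule class that two selected rulesets both declare).

```python
# Added example, not from the original post: it replays what os_compliance::apply
# does with the Hiera data above, so the data can be checked before a Puppet run.
# The Hiera lookups are modelled as a plain dict (constructed to match the post).
HIERA = {
    "os_compliance::apply::rulesets": ["cis-l1-ms-windows-2012r2-2.3.0"],
    "os_compliance::ruleset::cis-l1-ms-windows-2012r2-2.3.0": {
        "cis_1.1.1": "enforce", "cis_1.1.2": "monitor", "cis_1.1.3": "enforce",
    },
    "os_compliance::ruleset::cis-l1-ms-windows-2008r2-3.1.0": {
        "cis_1.1.1": "monitor", "cis_1.1.2": "monitor", "cis_1.1.3": "monitor",
    },
    "os_compliance::rule_alias::cis_1.1.1": "password_history",
    "os_compliance::rule_alias::cis_1.1.2": "maximum_password_age",
}

MODES = {"enforce", "monitor"}  # the Enum each rule class accepts


def resolve_rules(hiera, rulesets):
    """Return {rule_class: mode}, the classes the apply class would declare.

    Raises on what would break the Puppet run: a missing lookup key (ruleset
    or alias), a mode outside the Enum, and a rule class that two rulesets
    both declare (a duplicate class declaration in Puppet).
    """
    declared = {}
    for ruleset in rulesets:
        key = f"os_compliance::ruleset::{ruleset}"
        if key not in hiera:
            raise KeyError(f"unknown ruleset {ruleset!r}: no key {key}")
        for rule, mode in hiera[key].items():
            if mode not in MODES:
                raise ValueError(f"{rule}: mode {mode!r} not in {sorted(MODES)}")
            alias_key = f"os_compliance::rule_alias::{rule}"
            if alias_key not in hiera:
                raise KeyError(f"{rule}: no rule_alias mapping ({alias_key})")
            rule_class = hiera[alias_key]
            if rule_class in declared:
                raise ValueError(f"os_compliance::rule::{rule_class} declared "
                                 f"twice (second time via {rule} in {ruleset})")
            declared[rule_class] = mode
    return declared


def check(hiera):
    """Resolve the configured rulesets; return (ok, classes_or_error)."""
    try:
        return True, resolve_rules(hiera, hiera["os_compliance::apply::rulesets"])
    except (KeyError, ValueError) as err:
        return False, str(err)
```

With the data exactly as in the post, check(HIERA) reports that cis_1.1.3 has no rule_alias entry, which is the same lookup failure the Puppet run would raise.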