From ad7b893a791f030a40520daa7b054bc78dde8ef6 Mon Sep 17 00:00:00 2001 From: flepoutre <84913246+flepoutre@users.noreply.github.com> Date: Mon, 13 Nov 2023 13:13:39 +0000 Subject: [PATCH] puppet8 --- manifests/blacklist_files.pp | 3 - manifests/grub.pp | 23 +- manifests/init.pp | 172 ++++++++++++--- manifests/limits.pp | 5 +- manifests/login_defs.pp | 31 ++- manifests/minimize_access.pp | 335 ++++++++++++++++------------- manifests/modules.pp | 8 +- manifests/pam.pp | 32 ++- manifests/profile.pp | 5 +- manifests/securetty.pp | 5 +- manifests/services.pp | 8 +- manifests/suid_sgid.pp | 11 +- manifests/sysctl.pp | 46 +++- manifests/umask.pp | 8 +- templates/login.defs.erb | 2 +- test/fixtures/manifests.do/site.pp | 5 +- test/fixtures/manifests/site.pp | 7 +- 17 files changed, 461 insertions(+), 245 deletions(-) diff --git a/manifests/blacklist_files.pp b/manifests/blacklist_files.pp index 676471f..0b6e306 100644 --- a/manifests/blacklist_files.pp +++ b/manifests/blacklist_files.pp @@ -7,7 +7,6 @@ # Remove SUID and SGID bits from a given file define os_hardening::blacklist_files { - exec { "remove suid/sgid bit from ${name}": command => "/bin/chmod ug-s ${name}", # the following checks if we are operating on a file @@ -16,6 +15,4 @@ # (isFile(x) && isSuid(x)) || (isFile(x) && isSgid(x)) onlyif => "/usr/bin/test -f ${name} -a -u ${name} -o -f ${name} -a -g ${name}", } - } - diff --git a/manifests/grub.pp b/manifests/grub.pp index 2d4b857..009e20b 100644 --- a/manifests/grub.pp +++ b/manifests/grub.pp 
@@ -9,15 +9,22 @@
 #
 # Hardens the grub config
 #
+# @param enable
+#
+# @param user
+#
+# @param password_hash
+#
+# @param boot_without_password
+#
 class os_hardening::grub (
- Boolean $enable = false,
- String $user = 'root',
- String $password_hash = '',
- Boolean $boot_without_password = true,
+ Boolean $enable = false,
+ String $user = 'root',
+ Optional[String] $password_hash = undef,
+ Boolean $boot_without_password = true,
 ) {
-
- case $::operatingsystem {
- debian, ubuntu, cumuluslinux: {
+ case $facts['os']['name'] {
+ 'debian', 'ubuntu', 'cumuluslinux': {
 $grub_cfg = '/boot/grub/grub.cfg'
 $grub_cmd = '/usr/sbin/grub-mkconfig'
 }
@@ -65,6 +72,4 @@
 command => "${grub_cmd} -o ${grub_cfg}",
 refreshonly => true,
 }
-
 }
-
diff --git a/manifests/init.pp b/manifests/init.pp
index 6d1aa4a..2dcd3f4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
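Review bot: The `@param` tags added above `class os_hardening::grub` carry no description, so puppet-strings will generate an entry for each parameter that says nothing and warn about the missing text; each tag needs one descriptive line under it, e.g. `# @param password_hash` followed by `#   Hashed password for the GRUB superuser; leave undef to not configure one`. The same empty stubs are added in init.pp, limits.pp, login_defs.pp, minimize_access.pp, modules.pp, pam.pp, profile.pp, securetty.pp, services.pp, suid_sgid.pp, sysctl.pp and umask.pp. Separately, `$password_hash` now defaults to `undef` instead of `''`; the class body between the two hunks is outside this diff, so if it still decides by `$password_hash != ''`, that test would now treat the default as a configured hash — it should test against `undef` (or use `if $password_hash {`) so a missing hash cannot end up in the generated grub config as an empty value.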
@@ -9,10 +9,149 @@ # # Pulls in all manifests for os_hardening. # +# @param system_environment +# +# @param pe_environment +# +# @param extra_user_paths +# +# @param umask +# +# @param maildir +# +# @param usergroups +# +# @param sys_uid_min +# +# @param sys_gid_min +# +# @param password_max_age +# +# @param password_min_age +# +# @param password_warn_age +# +# @param login_retries +# +# @param login_timeout +# +# @param chfn_restrict +# +# @param allow_login_without_home +# +# @param allow_change_user +# +# @param manage_home_permissions +# +# @param manage_log_permissions +# +# @param manage_cron_permissions +# +# @param manage_system_users +# +# @param ignore_users +# +# @param ignore_home_users +# +# @param ignore_restrict_log_dir +# +# @param ignore_files_in_folder_to_restrict +# +# @param folders_to_restrict +# +# @param ignore_max_files_warnings +# +# @param restrict_log_dir +# +# @param recurselimit +# +# @param passwdqc_enabled +# +# @param auth_retries +# +# @param auth_lockout_time +# +# @param passwdqc_options +# +# @param manage_pam_unix +# +# @param enable_pw_history +# +# @param pw_remember_last +# +# @param only_root_may_su +# +# @param root_ttys +# +# @param whitelist +# +# @param blacklist +# +# @param remove_from_unknown +# +# @param dry_run_on_unknown +# +# @param enable_module_loading +# +# @param load_modules +# +# @param disable_filesystems +# +# @param cpu_vendor +# +# @param icmp_ratelimit +# +# @param desktop_enabled +# +# @param enable_ipv4_forwarding +# +# @param manage_ipv6 +# +# @param enable_ipv6 +# +# @param enable_ipv6_forwarding +# +# @param arp_restricted +# +# @param arp_ignore_samenet +# +# @param enable_sysrq +# +# @param enable_core_dump +# +# @param enable_stack_protection +# +# @param enable_rpfilter +# +# @param rpfilter_loose +# +# @param enable_log_martians +# +# @param unwanted_packages +# +# @param wanted_packages +# +# @param disabled_services +# +# @param enable_grub_hardening +# +# @param grub_user +# +# @param 
grub_password_hash +# +# @param boot_without_password +# +# @param enable_sysctl_config +# +# @param system_umask +# +# @param shadow_group +# +# @param shadow_mode +# class os_hardening ( String $system_environment = 'default', Boolean $pe_environment = false, - Array $extra_user_paths = [], Optional[String] $umask = undef, Optional[String] $maildir = undef, @@ -24,9 +163,8 @@ Integer $password_warn_age = 7, Integer $login_retries = 5, Integer $login_timeout = 60, - String $chfn_restrict = '', + Optional[String] $chfn_restrict = undef, Boolean $allow_login_without_home = false, - Boolean $allow_change_user = false, Boolean $manage_home_permissions = false, Boolean $manage_log_permissions = false, @@ -36,13 +174,10 @@ Array $ignore_home_users = [], Array $ignore_restrict_log_dir = [], Array $ignore_files_in_folder_to_restrict = [], - Array $folders_to_restrict = - ['/usr/local/games','/usr/local/sbin','/usr/local/bin','/usr/bin','/usr/sbin','/sbin','/bin'], + Array $folders_to_restrict = ['/usr/local/games','/usr/local/sbin','/usr/local/bin','/usr/bin','/usr/sbin','/sbin','/bin'], Boolean $ignore_max_files_warnings = false, - Array $restrict_log_dir = - ['/var/log/'], + Array $restrict_log_dir = ['/var/log/'], Integer $recurselimit = 5, - Boolean $passwdqc_enabled = true, Integer $auth_retries = 5, Integer $auth_lockout_time = 600, 
@@ -51,20 +186,14 @@ Boolean $enable_pw_history = true, Integer $pw_remember_last = 5, Boolean $only_root_may_su = false, - - Array $root_ttys = - ['console','tty1','tty2','tty3','tty4','tty5','tty6'], - + Array $root_ttys = ['console','tty1','tty2','tty3','tty4','tty5','tty6'], Array $whitelist = [], Array $blacklist = [], Boolean $remove_from_unknown = false, Boolean $dry_run_on_unknown = false, - Boolean $enable_module_loading = true, Array $load_modules = [], - Array $disable_filesystems = - ['cramfs','freevxfs','jffs2','hfs','hfsplus','squashfs','udf'], - + Array $disable_filesystems = ['cramfs','freevxfs','jffs2','hfs','hfsplus','squashfs','udf'], String $cpu_vendor = 'intel', String $icmp_ratelimit = '100', Boolean $desktop_enabled = false, @@ -80,24 +209,18 @@ Boolean $enable_rpfilter = true, Boolean $rpfilter_loose = false, Boolean $enable_log_martians = true, - Array $unwanted_packages = [], Array $wanted_packages = [], Array $disabled_services = [], - Boolean $enable_grub_hardening = false, String $grub_user = 'root', - String $grub_password_hash = '', + Optional[String] $grub_password_hash = undef, Boolean $boot_without_password = true, - Boolean $enable_sysctl_config = true, - Optional[String] $system_umask = undef, - Optional[String] $shadow_group = undef, Optional[String] $shadow_mode = undef, ) { - # Prepare # ------- @@ -112,7 +235,7 @@ ) # Defaults for specific platforms - case $::osfamily { + case $facts['os']['family'] { 'Debian','Suse': { $def_umask = '027' $def_sys_uid_min = 100 @@ -151,7 +274,6 @@ $folders_to_restrict_int = $folders_to_restrict } - # Install # ------- class { 'os_hardening::limits': diff --git a/manifests/limits.pp b/manifests/limits.pp index b29bb26..2eaaf41 100644 --- a/manifests/limits.pp +++ b/manifests/limits.pp 
@@ -11,10 +11,11 @@ # # * disable core dumps # +# @param enable_core_dump +# class os_hardening::limits ( Boolean $enable_core_dump = false, ) { - if $enable_core_dump == false { file { '/etc/security/limits.d/10.hardcore.conf': ensure => file, @@ -28,6 +29,4 @@ ensure => absent, } } - } - diff --git a/manifests/login_defs.pp b/manifests/login_defs.pp index eb5e96b..ef039c5 100644 --- a/manifests/login_defs.pp +++ b/manifests/login_defs.pp @@ -9,6 +9,32 @@ # # Configures PAM # +# @param extra_user_paths +# +# @param umask +# +# @param maildir +# +# @param usergroups +# +# @param sys_uid_min +# +# @param sys_gid_min +# +# @param password_max_age +# +# @param password_min_age +# +# @param password_warn_age +# +# @param login_retries +# +# @param login_timeout +# +# @param chfn_restrict +# +# @param allow_login_without_home +# class os_hardening::login_defs ( Array $extra_user_paths = [], String $umask = '027', @@ -21,10 +47,9 @@ Integer $password_warn_age = 7, Integer $login_retries = 5, Integer $login_timeout = 60, - String $chfn_restrict = '', + Optional[String] $chfn_restrict = undef, Boolean $allow_login_without_home = false, ) { - # prepare all variables $additional_user_paths = join($extra_user_paths, ':') @@ -39,6 +64,4 @@ group => 'root', mode => '0444', } - } - diff --git a/manifests/minimize_access.pp b/manifests/minimize_access.pp index fceeb5d..445f353 100644 --- a/manifests/minimize_access.pp +++ b/manifests/minimize_access.pp 
@@ -9,6 +9,38 @@ # # Configures profile.conf. # +# @param allow_change_user +# +# @param ignore_max_files_warnings +# +# @param manage_home_permissions +# +# @param manage_log_permissions +# +# @param manage_cron_permissions +# +# @param manage_system_users +# +# @param always_ignore_users +# +# @param ignore_users +# +# @param ignore_home_users +# +# @param ignore_restrict_log_dir +# +# @param ignore_files_in_folder_to_restrict +# +# @param folders_to_restrict +# +# @param restrict_log_dir +# +# @param shadowgroup +# +# @param shadowmode +# +# @param recurselimit +# class os_hardening::minimize_access ( Boolean $allow_change_user = false, Boolean $ignore_max_files_warnings = false, @@ -16,27 +48,23 @@ Boolean $manage_log_permissions = false, Boolean $manage_cron_permissions = false, Boolean $manage_system_users = true, - Array $always_ignore_users = - ['root','sync','shutdown','halt'], + Array $always_ignore_users = ['root','sync','shutdown','halt'], Array $ignore_users = [], Array $ignore_home_users = [], Array $ignore_restrict_log_dir = [], Array $ignore_files_in_folder_to_restrict = [], - Array $folders_to_restrict = - ['/usr/local/games','/usr/local/sbin','/usr/local/bin','/usr/bin','/usr/sbin','/sbin','/bin'], - Array $restrict_log_dir = - ['/var/log/'], + Array $folders_to_restrict = ['/usr/local/games','/usr/local/sbin','/usr/local/bin','/usr/bin','/usr/sbin','/sbin','/bin'], + Array $restrict_log_dir = ['/var/log/'], String $shadowgroup = 'root', String $shadowmode = '0600', Integer $recurselimit = 5, ) { - - case $::operatingsystem { - redhat, fedora: { + case $facts['os']['name'] { + 'redhat', 'fedora': { $nologin_path = '/sbin/nologin' $shadow_path = ['/etc/shadow', '/etc/gshadow'] } - debian, ubuntu, cumuluslinux: { + 'debian', 'ubuntu', 'cumuluslinux': { $nologin_path = '/usr/sbin/nologin' $shadow_path = ['/etc/shadow', '/etc/gshadow'] } 
@@ -54,16 +82,16 @@ } else { $use_max_files = 0 } - case $::aio_agent_version { + case $facts['aio_agent_version'] { /^6/: { - if versioncmp($::aio_agent_version, '6.23.0') >= 0 { + if versioncmp($facts['aio_agent_version'], '6.23.0') >= 0 { $apply_max_files = true } else { $apply_max_files = false } } /^7/: { - if versioncmp($::aio_agent_version, '7.7.0') >= 0 { + if versioncmp($facts['aio_agent_version'], '7.7.0') >= 0 { $apply_max_files = true } else { $apply_max_files = false 
@@ -78,169 +106,168 @@ # this prevents changing any system-wide command from normal users if $apply_max_files { ensure_resources ('file', - { $folders_to_restrict => { - ensure => directory, - ignore => $ignore_files_in_folder_to_restrict, - links => follow, - mode => 'go-w', - recurse => true, - recurselimit => $recurselimit, - selinux_ignore_defaults => true, - max_files => $use_max_files, - } + { $folders_to_restrict => { + ensure => directory, + ignore => $ignore_files_in_folder_to_restrict, + links => follow, + mode => 'go-w', + recurse => true, + recurselimit => $recurselimit, + selinux_ignore_defaults => true, + max_files => $use_max_files, + } }) } else { # Original pre the introduction of max_files in puppet-agent 6.23.0/7.70 ensure_resources ('file', - { $folders_to_restrict => { - ensure => directory, - ignore => $ignore_files_in_folder_to_restrict, - links => follow, - mode => 'go-w', - recurse => true, - recurselimit => $recurselimit, - selinux_ignore_defaults => true, - } + { $folders_to_restrict => { + ensure => directory, + ignore => $ignore_files_in_folder_to_restrict, + links => follow, + mode => 'go-w', + recurse => true, + recurselimit => $recurselimit, + selinux_ignore_defaults => true, + } }) } -# Added users with homes - $homes_users = split($::home_users, ',') + # Added users with homes + $homes_users = split($facts['home_users'], ',') -# added ignore these homes + # added ignore these homes $target_home_users = difference($homes_users, $ignore_home_users) -# added homes to restrict -if $manage_home_permissions == true { - ensure_resources ('file', - { $target_home_users => { - ensure => directory, - links => follow, - mode => 'g-w,o-rwx', - recurse => true, - recurselimit => $recurselimit, - } - }) -} - -# ensure log folders have right permissions -if $manage_log_permissions == true { - ensure_resources ('file', - { $restrict_log_dir => { - ensure => directory, - ignore => $ignore_restrict_log_dir, - links => follow, - mode => 'g-wx,o-rwx', 
- recurse => true, - recurselimit => $recurselimit, - } - }) -} + # added homes to restrict + if $manage_home_permissions == true { + ensure_resources ('file', + { $target_home_users => { + ensure => directory, + links => follow, + mode => 'g-w,o-rwx', + recurse => true, + recurselimit => $recurselimit, + } + }) + } -# ensure crontab have right permissions -if $manage_cron_permissions == true { + # ensure log folders have right permissions + if $manage_log_permissions == true { + ensure_resources ('file', + { $restrict_log_dir => { + ensure => directory, + ignore => $ignore_restrict_log_dir, + links => follow, + mode => 'g-wx,o-rwx', + recurse => true, + recurselimit => $recurselimit, + } + }) + } - $cronfiles = [ '/etc/anacrontab', '/etc/crontab' ] - $cronfiles.each |String $cronfile| { - if ($::existing[$cronfile]) { - file { $cronfile: - ensure => file, - mode => 'og-rwx', - owner => 'root', - group => 'root', + # ensure crontab have right permissions + if $manage_cron_permissions == true { + $cronfiles = ['/etc/anacrontab', '/etc/crontab'] + $cronfiles.each |String $cronfile| { + if ($facts['existing'][$cronfile]) { + file { $cronfile: + ensure => file, + mode => 'og-rwx', + owner => 'root', + group => 'root', + } } } - } -# ensure cron hourly have right permissions - ensure_resources ('file', - { '/etc/cron.hourly' => { - ensure => directory, - mode => 'og-rwx', - owner => 'root', - group => 'root', - links => follow, - recurse => true, - recurselimit => $recurselimit, - } - }) + # ensure cron hourly have right permissions + ensure_resources ('file', + { '/etc/cron.hourly' => { + ensure => directory, + mode => 'og-rwx', + owner => 'root', + group => 'root', + links => follow, + recurse => true, + recurselimit => $recurselimit, + } + }) -# ensure cron daily have right permissions - ensure_resources ('file', - { '/etc/cron.daily' => { - ensure => directory, - mode => 'og-rwx', - owner => 'root', - group => 'root', - links => follow, - recurse => true, - 
recurselimit => $recurselimit, - } - }) + # ensure cron daily have right permissions + ensure_resources ('file', + { '/etc/cron.daily' => { + ensure => directory, + mode => 'og-rwx', + owner => 'root', + group => 'root', + links => follow, + recurse => true, + recurselimit => $recurselimit, + } + }) -# ensure cron weekly have right permissions - ensure_resources ('file', - { '/etc/cron.weekly' => { - ensure => directory, - mode => 'og-rwx', - owner => 'root', - group => 'root', - links => follow, - recurse => true, - recurselimit => $recurselimit, - } - }) + # ensure cron weekly have right permissions + ensure_resources ('file', + { '/etc/cron.weekly' => { + ensure => directory, + mode => 'og-rwx', + owner => 'root', + group => 'root', + links => follow, + recurse => true, + recurselimit => $recurselimit, + } + }) -# ensure cron monthly have right permissions - ensure_resources ('file', - { '/etc/cron.monthly' => { - ensure => directory, - mode => 'og-rwx', - owner => 'root', - group => 'root', - links => follow, - recurse => true, - recurselimit => $recurselimit, - } - }) + # ensure cron monthly have right permissions + ensure_resources ('file', + { '/etc/cron.monthly' => { + ensure => directory, + mode => 'og-rwx', + owner => 'root', + group => 'root', + links => follow, + recurse => true, + recurselimit => $recurselimit, + } + }) -# ensure cron.d have right permissions - ensure_resources ('file', - { '/etc/cron.d' => { - ensure => directory, - mode => 'og-rwx', - owner => 'root', - group => 'root', - links => follow, - recurse => true, - recurselimit => $recurselimit, - } - }) + # ensure cron.d have right permissions + ensure_resources ('file', + { '/etc/cron.d' => { + ensure => directory, + mode => 'og-rwx', + owner => 'root', + group => 'root', + links => follow, + recurse => true, + recurselimit => $recurselimit, + } + }) -# ensure cron.deny and at.deny is absent - file { '/etc/cron.deny': - ensure => absent, - } + # ensure cron.deny and at.deny is absent + 
file { '/etc/cron.deny': + ensure => absent, + } - file { '/etc/at.deny': - ensure => absent, - } + file { '/etc/at.deny': + ensure => absent, + } -# ensure cron.allow is there - file { '/etc/cron.allow': - ensure => present, - owner => 'root', - group => 'root', - mode => 'og-rwx', - } + # ensure cron.allow is there + file { '/etc/cron.allow': + ensure => file, + owner => 'root', + group => 'root', + mode => 'og-rwx', + } -# ensure at.allow is there - file { '/etc/at.allow': - ensure => present, - owner => 'root', - group => 'root', - mode => 'og-rwx', + # ensure at.allow is there + file { '/etc/at.allow': + ensure => file, + owner => 'root', + group => 'root', + mode => 'og-rwx', + } } -} # shadow must only be accessible to user root file { $shadow_path: @@ -271,7 +298,7 @@ if $manage_system_users == true { # retrieve system users through custom fact - $system_users = split($::retrieve_system_users, ',') + $system_users = split($facts['retrieve_system_users'], ',') # build array of usernames we need to verify/change $ignore_users_arr = union($always_ignore_users, $ignore_users) diff --git a/manifests/modules.pp b/manifests/modules.pp index dfa64d6..7e0b6cf 100644 --- a/manifests/modules.pp +++ b/manifests/modules.pp @@ -8,11 +8,11 @@ # # Manage Kernel Modules # +# @param disable_filesystems +# class os_hardening::modules ( - Array $disable_filesystems = - ['cramfs','freevxfs','jffs2','hfs','hfsplus','squashfs','udf'], + Array $disable_filesystems = ['cramfs','freevxfs','jffs2','hfs','hfsplus','squashfs','udf'], ) { - # Disable unused filesystems (os-10) file { '/etc/modprobe.d/dev-sec.conf': ensure => file, @@ -21,6 +21,4 @@ mode => '0440', content => template('os_hardening/disable_fs.erb'), } - } - diff --git a/manifests/pam.pp b/manifests/pam.pp index d20d2ba..b708a00 100644 --- a/manifests/pam.pp +++ b/manifests/pam.pp 
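Review bot: `$homes_users = split($facts['home_users'], ',')` (and `split($facts['retrieve_system_users'], ',')` in the following hunk) hands the raw fact to `split`, which only accepts a String; on a node where the custom fact is not available — before pluginsync, or a platform where it does not resolve — `$facts['home_users']` is undef and compilation of the whole catalog fails instead of just skipping the home-directory hardening. A guard such as `$homes_users = $facts['home_users'] ? { String => split($facts['home_users'], ','), default => [] }` (and the same for the system-users list) keeps the remaining hardening applied. `$facts['existing'][$cronfile]` has the same dependency, since indexing an absent `existing` fact is an evaluation error where `dig($facts, 'existing', $cronfile)` would return undef. This is pre-existing behaviour that the move from `$::home_users` to `$facts[...]` carries over unchanged; the enclosing class header lies outside this hunk.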
@@ -9,6 +9,22 @@ # # Configures PAM # +# @param passwdqc_enabled +# +# @param auth_retries +# +# @param auth_lockout_time +# +# @param passwdqc_options +# +# @param manage_pam_unix +# +# @param enable_pw_history +# +# @param pw_remember_last +# +# @param only_root_may_su +# class os_hardening::pam ( Boolean $passwdqc_enabled = true, Integer $auth_retries = 5, @@ -19,15 +35,14 @@ Integer $pw_remember_last = 5, Boolean $only_root_may_su = false, ) { - # prepare package names - case $::operatingsystem { - redhat, fedora: { + case $facts['os']['name'] { + 'redhat', 'fedora': { $pam_ccreds = 'pam_ccreds' $pam_passwdqc = 'pam_passwdqc' $pam_cracklib = 'pam_cracklib' } - debian, ubuntu, cumuluslinux: { + 'debian', 'ubuntu', 'cumuluslinux': { $pam_ccreds = 'libpam-ccreds' $pam_passwdqc = 'libpam-passwdqc' $pam_cracklib = 'libpam-cracklib' @@ -40,13 +55,13 @@ } # remove ccreds if not necessary - package{ 'pam-ccreds': + package { 'pam-ccreds': ensure => absent, name => $pam_ccreds, } - case $::operatingsystem { - debian, ubuntu, cumuluslinux: { + case $facts['os']['name'] { + 'debian', 'ubuntu', 'cumuluslinux': { # configure paths $passwdqc_path = '/usr/share/pam-configs/passwdqc' $tally2_path = '/usr/share/pam-configs/tally2' @@ -77,7 +92,6 @@ require => Package['pam-passwdqc'], notify => Exec['update-pam'], } - } else { # deactivate passwdqc @@ -154,6 +168,4 @@ # TODO: not supported warning } } - } - diff --git a/manifests/profile.pp b/manifests/profile.pp index 47e12a2..480ab09 100644 --- a/manifests/profile.pp +++ b/manifests/profile.pp @@ -9,10 +9,11 @@ # # Configures profile.conf. # +# @param enable_core_dump +# class os_hardening::profile ( Boolean $enable_core_dump = false, ) { - if $enable_core_dump == false { file { '/etc/profile.d/pinerolo_profile.sh': ensure => file, @@ -26,6 +27,4 @@ ensure => absent, } } - } - diff --git a/manifests/securetty.pp b/manifests/securetty.pp index 5a3d438..34b743f 100644 --- a/manifests/securetty.pp +++ b/manifests/securetty.pp 
@@ -9,10 +9,11 @@
 #
 # Configures securetty.
 #
+# @param root_ttys
+#
 class os_hardening::securetty (
 Array $root_ttys = ['console','tty1','tty2','tty3','tty4','tty5','tty6'],
 ) {
-
 $ttys = join($root_ttys, "\n")
 file { '/etc/securetty':
 ensure => file,
@@ -21,6 +22,4 @@
 group => 'root',
 mode => '0400',
 }
-
 }
-
diff --git a/manifests/services.pp b/manifests/services.pp
index f9672b7..8dda3a3 100644
--- a/manifests/services.pp
+++ b/manifests/services.pp
@@ -9,6 +9,12 @@
 #
 # Configures specific services that do not require a full class of their own
 #
+# @param unwanted_packages
+#
+# @param wanted_packages
+#
+# @param disabled_services
+#
 class os_hardening::services (
 Array $unwanted_packages = [],
 Array $wanted_packages = [],
@@ -35,6 +41,4 @@
 enable => false,
 }
 }
-
 }
-
diff --git a/manifests/suid_sgid.pp b/manifests/suid_sgid.pp
index 6e3cba1..336f2e1 100644
--- a/manifests/suid_sgid.pp
+++ b/manifests/suid_sgid.pp
@@ -9,13 +9,20 @@
 #
 # Minimize SUID and SGID bits.
 #
+# @param whitelist
+#
+# @param blacklist
+#
+# @param remove_from_unknown
+#
+# @param dry_run_on_unknown
+#
 class os_hardening::suid_sgid (
 Array $whitelist = [],
 Array $blacklist = [],
 Boolean $remove_from_unknown = false,
 Boolean $dry_run_on_unknown = false,
 ) {
-
 # suid and sgid blacklists and whitelists
 # ---------------------------------------
 # don't change values in the system_blacklist/whitelist
@@ -132,6 +139,4 @@
 }
 File['/usr/local/sbin/remove_suids'] -> Exec['remove SUID/SGID bits from unknown']
 }
-
 }
-
diff --git a/manifests/sysctl.pp b/manifests/sysctl.pp
index 84f0d13..3d5509d 100644
--- a/manifests/sysctl.pp
+++ b/manifests/sysctl.pp
@@ -9,6 +9,40 @@ # # Configures Kernel Parameters via sysctl # +# @param enable_module_loading +# +# @param load_modules +# +# @param cpu_vendor +# +# @param icmp_ratelimit +# +# @param desktop_enabled +# +# @param enable_ipv4_forwarding +# +# @param manage_ipv6 +# +# @param enable_ipv6 +# +# @param enable_ipv6_forwarding +# +# @param arp_restricted +# +# @param arp_ignore_samenet +# +# @param enable_sysrq +# +# @param enable_core_dump +# +# @param enable_stack_protection +# +# @param enable_rpfilter +# +# @param rpfilter_loose +# +# @param enable_log_martians +# class os_hardening::sysctl ( Boolean $enable_module_loading = true, Array $load_modules = [], @@ -28,9 +62,8 @@ Boolean $rpfilter_loose = false, Boolean $enable_log_martians = true, ) { - # set variables - if $::architecture == 'amd64' or $::architecture == 'x86_64' { + if $facts['os']['architecture'] == 'amd64' or $facts['os']['architecture'] == 'x86_64' { $x86_64 = true } else { $x86_64 = false @@ -79,7 +112,6 @@ sysctl { 'net.ipv4.conf.all.rp_filter': value => $rpfilter } sysctl { 'net.ipv4.conf.default.rp_filter': value => $rpfilter } - # Reduce the surface on SMURF attacks. Make sure to ignore ECHO broadcasts, which are only required in broad network analysis. sysctl { 'net.ipv4.icmp_echo_ignore_broadcasts': value => '1' } @@ -120,7 +152,6 @@ sysctl { 'net.ipv4.conf.all.arp_ignore': value => '0' } } - # Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses: # # * **0** - (default): reply for any local target IP address, configured on any interface @@ -169,7 +200,6 @@ sysctl { 'net.ipv4.conf.all.log_martians': value => String(bool2num($enable_log_martians)) } sysctl { 'net.ipv4.conf.default.log_martians': value => String(bool2num($enable_log_martians)) } - # System # ------ 
@@ -214,8 +244,8 @@
 # if modules cannot be loaded at runtime, they must all
 # be pre-configured in initramfs
 if $enable_module_loading == false {
- case $::operatingsystem {
- debian, ubuntu, cumuluslinux: {
+ case $facts['os']['name'] {
+ 'debian', 'ubuntu', 'cumuluslinux': {
 file { '/etc/initramfs-tools/modules':
 ensure => file,
 content => template('os_hardening/modules.erb'),
@@ -235,6 +265,4 @@
 }
 }
 }
-
 }
-
diff --git a/manifests/umask.pp b/manifests/umask.pp
index 6431e98..3e5882e 100644
--- a/manifests/umask.pp
+++ b/manifests/umask.pp
@@ -9,12 +9,12 @@
 #
 # Configures system umask.
 #
+# @param system_umask
+#
 class os_hardening::umask (
- $system_umask = undef,
+ Optional[Integer] $system_umask = undef,
 ) {
-
 if $system_umask != undef {
-
 file { '/etc/profile.d/umask.sh':
 ensure => file,
 content => template('os_hardening/umask.sh.erb'),
@@ -28,4 +28,4 @@
 ensure => absent,
 }
 }
-}
\ No newline at end of file
+}
diff --git a/templates/login.defs.erb b/templates/login.defs.erb
index 220bf93..78fbcf0 100644
--- a/templates/login.defs.erb
+++ b/templates/login.defs.erb
@@ -126,7 +126,7 @@ LOGIN_TIMEOUT <%= @login_timeout.to_s %> # Which fields may be changed by regular users using chfn - use any combination of letters "frwh" (full name, room number, work phone, home phone). If not defined, no changes are allowed. # For backward compatibility, "yes" = "rwh" and "no" = "frwh". -<% if not @chfn_restrict.empty? %> +<% if @chfn_restrict %> CHFN_RESTRICT <%= @chfn_restrict %> <% end %>
diff --git a/test/fixtures/manifests.do/site.pp b/test/fixtures/manifests.do/site.pp
index 0b265a2..f888d97 100644
--- a/test/fixtures/manifests.do/site.pp
+++ b/test/fixtures/manifests.do/site.pp
@@ -1,11 +1,10 @@ # FIX: create module conf dir file { '/etc/modprobe.d/': - ensure => directory, + ensure => directory, } # Apply hardening module -> class { 'os_hardening': - manage_cron_permissions => true, + manage_cron_permissions => true, } - 
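Review bot: `Optional[Integer] $system_umask = undef` in umask.pp no longer matches the type init.pp keeps for the same parameter (`Optional[String] $system_umask = undef`, left unchanged in the init.pp hunk at `@@ -80,24 +209,18 @@`), so if the wrapper forwards that value a string such as `'027'` now fails the type check, while an Integer literal `027` is read by Puppet as octal (23) and, if umask.sh.erb — not in this diff — renders `@system_umask` verbatim, produces a wrong mask in the generated profile script. Keeping the string form and tightening it instead avoids both problems: `Optional[Pattern[/\A[0-7]{3,4}\z/]] $system_umask = undef,`, which is also consistent with `String $umask = '027'` in login_defs.pp. The class body after `if $system_umask != undef {` is outside this hunk.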
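Review bot: `<% if @chfn_restrict %>` is true for an empty string in Ruby, so a caller passing `chfn_restrict => ''` — still valid under the new `Optional[String]` type in login_defs.pp — now emits a bare `CHFN_RESTRICT` line, which the previous `.empty?` check suppressed. `<% if @chfn_restrict && !@chfn_restrict.empty? %>` keeps both the undef and the empty-string case out of login.defs.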
diff --git a/test/fixtures/manifests/site.pp b/test/fixtures/manifests/site.pp index 51cb27c..70399a2 100644 --- a/test/fixtures/manifests/site.pp +++ b/test/fixtures/manifests/site.pp @@ -1,12 +1,11 @@ # FIX: create module conf dir file { '/etc/modprobe.d/': - ensure => directory, + ensure => directory, } # Apply hardening module -> class { 'os_hardening': - manage_cron_permissions => true, - system_environment => 'docker', + manage_cron_permissions => true, + system_environment => 'docker', } -