Merge pull request #313 from flepoutre/puppet8

🔨 refactor module for puppet8
Thanks to flepoutre !

manifests/blacklist_files.pp

@@ -7,7 +7,6 @@
 # Remove SUID and SGID bits from a given file
 
 define os_hardening::blacklist_files {
-
   exec { "remove suid/sgid bit from ${name}":
     command => "/bin/chmod ug-s ${name}",
     # the following checks if we are operating on a file
@@ -16,6 +15,4 @@
     # (isFile(x) && isSuid(x)) || (isFile(x) && isSgid(x))
     onlyif  => "/usr/bin/test -f ${name} -a -u ${name} -o -f ${name} -a -g ${name}",
   }
-
 }
-

manifests/grub.pp

@@ -9,15 +9,22 @@
 #
 # Hardens the grub config
 #
+# @param enable
+#
+# @param user
+#
+# @param password_hash
+#
+# @param boot_without_password
+#
 class os_hardening::grub (
-  Boolean $enable                = false,
-  String  $user                  = 'root',
-  String  $password_hash         = '',
-  Boolean $boot_without_password = true,
+  Boolean $enable                 = false,
+  String  $user                   = 'root',
+  Optional[String] $password_hash = undef,
+  Boolean $boot_without_password  = true,
 ) {
-
-  case $::operatingsystem {
-    debian, ubuntu, cumuluslinux: {
+  case $facts['os']['name'] {
+    'debian', 'ubuntu', 'cumuluslinux': {
       $grub_cfg = '/boot/grub/grub.cfg'
       $grub_cmd = '/usr/sbin/grub-mkconfig'
     }
@@ -65,6 +72,4 @@
     command     => "${grub_cmd} -o ${grub_cfg}",
     refreshonly => true,
   }
-
 }
-

manifests/init.pp

@@ -9,10 +9,149 @@
 #
 # Pulls in all manifests for os_hardening.
 #
+# @param system_environment
+#
+# @param pe_environment
+#
+# @param extra_user_paths
+#
+# @param umask
+#
+# @param maildir
+#
+# @param usergroups
+#
+# @param sys_uid_min
+#
+# @param sys_gid_min
+#
+# @param password_max_age
+#
+# @param password_min_age
+#
+# @param password_warn_age
+#
+# @param login_retries
+#
+# @param login_timeout
+#
+# @param chfn_restrict
+#
+# @param allow_login_without_home
+#
+# @param allow_change_user
+#
+# @param manage_home_permissions
+#
+# @param manage_log_permissions
+#
+# @param manage_cron_permissions
+#
+# @param manage_system_users
+#
+# @param ignore_users
+#
+# @param ignore_home_users
+#
+# @param ignore_restrict_log_dir
+#
+# @param ignore_files_in_folder_to_restrict
+#
+# @param folders_to_restrict
+#
+# @param ignore_max_files_warnings
+#
+# @param restrict_log_dir
+#
+# @param recurselimit
+#
+# @param passwdqc_enabled
+#
+# @param auth_retries
+#
+# @param auth_lockout_time
+#
+# @param passwdqc_options
+#
+# @param manage_pam_unix
+#
+# @param enable_pw_history
+#
+# @param pw_remember_last
+#
+# @param only_root_may_su
+#
+# @param root_ttys
+#
+# @param whitelist
+#
+# @param blacklist
+#
+# @param remove_from_unknown
+#
+# @param dry_run_on_unknown
+#
+# @param enable_module_loading
+#
+# @param load_modules
+#
+# @param disable_filesystems
+#
+# @param cpu_vendor
+#
+# @param icmp_ratelimit
+#
+# @param desktop_enabled
+#
+# @param enable_ipv4_forwarding
+#
+# @param manage_ipv6
+#
+# @param enable_ipv6
+#
+# @param enable_ipv6_forwarding
+#
+# @param arp_restricted
+#
+# @param arp_ignore_samenet
+#
+# @param enable_sysrq
+#
+# @param enable_core_dump
+#
+# @param enable_stack_protection
+#
+# @param enable_rpfilter
+#
+# @param rpfilter_loose
+#
+# @param enable_log_martians
+#
+# @param unwanted_packages
+#
+# @param wanted_packages
+#
+# @param disabled_services
+#
+# @param enable_grub_hardening
+#
+# @param grub_user
+#
+# @param grub_password_hash
+#
+# @param boot_without_password
+#
+# @param enable_sysctl_config
+#
+# @param system_umask
+#
+# @param shadow_group
+#
+# @param shadow_mode
+#
 class os_hardening (
   String            $system_environment                 = 'default',
   Boolean           $pe_environment                     = false,
-
   Array             $extra_user_paths                   = [],
   Optional[String]  $umask                              = undef,
   Optional[String]  $maildir                            = undef,
@@ -24,9 +163,8 @@
   Integer           $password_warn_age                  = 7,
   Integer           $login_retries                      = 5,
   Integer           $login_timeout                      = 60,
-  String            $chfn_restrict                      = '',
+  Optional[String]  $chfn_restrict                      = undef,
   Boolean           $allow_login_without_home           = false,
-
   Boolean           $allow_change_user                  = false,
   Boolean           $manage_home_permissions            = false,
   Boolean           $manage_log_permissions             = false,
@@ -36,13 +174,10 @@
   Array             $ignore_home_users                  = [],
   Array             $ignore_restrict_log_dir            = [],
   Array             $ignore_files_in_folder_to_restrict = [],
-  Array             $folders_to_restrict                =
-    ['/usr/local/games','/usr/local/sbin','/usr/local/bin','/usr/bin','/usr/sbin','/sbin','/bin'],
+  Array             $folders_to_restrict                = ['/usr/local/games','/usr/local/sbin','/usr/local/bin','/usr/bin','/usr/sbin','/sbin','/bin'],
   Boolean           $ignore_max_files_warnings          = false,
-  Array             $restrict_log_dir                   =
-    ['/var/log/'],
+  Array             $restrict_log_dir                   = ['/var/log/'],
   Integer           $recurselimit                       = 5,
-
   Boolean           $passwdqc_enabled                   = true,
   Integer           $auth_retries                       = 5,
   Integer           $auth_lockout_time                  = 600,
@@ -51,20 +186,14 @@
   Boolean           $enable_pw_history                  = true,
   Integer           $pw_remember_last                   = 5,
   Boolean           $only_root_may_su                   = false,
-
-  Array             $root_ttys                          =
-    ['console','tty1','tty2','tty3','tty4','tty5','tty6'],
-
+  Array             $root_ttys                          = ['console','tty1','tty2','tty3','tty4','tty5','tty6'],
   Array             $whitelist                          = [],
   Array             $blacklist                          = [],
   Boolean           $remove_from_unknown                = false,
   Boolean           $dry_run_on_unknown                 = false,
-
   Boolean           $enable_module_loading              = true,
   Array             $load_modules                       = [],
-  Array             $disable_filesystems                =
-    ['cramfs','freevxfs','jffs2','hfs','hfsplus','squashfs','udf'],
-
+  Array             $disable_filesystems                = ['cramfs','freevxfs','jffs2','hfs','hfsplus','squashfs','udf'],
   String            $cpu_vendor                         = 'intel',
   String            $icmp_ratelimit                     = '100',
   Boolean           $desktop_enabled                    = false,
@@ -80,24 +209,18 @@
   Boolean           $enable_rpfilter                    = true,
   Boolean           $rpfilter_loose                     = false,
   Boolean           $enable_log_martians                = true,
-
   Array             $unwanted_packages                  = [],
   Array             $wanted_packages                    = [],
   Array             $disabled_services                  = [],
-
   Boolean           $enable_grub_hardening              = false,
   String            $grub_user                          = 'root',
-  String            $grub_password_hash                 = '',
+  Optional[String]  $grub_password_hash                 = undef,
   Boolean           $boot_without_password              = true,
-
   Boolean           $enable_sysctl_config               = true,
-
   Optional[String]  $system_umask                       = undef,
-
   Optional[String]  $shadow_group                       = undef,
   Optional[String]  $shadow_mode                        = undef,
 ) {
-
   # Prepare
   # -------
 
@@ -112,7 +235,7 @@
   )
 
   # Defaults for specific platforms
-  case $::osfamily {
+  case $facts['os']['family'] {
     'Debian','Suse': {
       $def_umask = '027'
       $def_sys_uid_min = 100
@@ -151,7 +274,6 @@
     $folders_to_restrict_int = $folders_to_restrict
   }
 
-
   # Install
   # -------
   class { 'os_hardening::limits':

manifests/limits.pp

@@ -11,10 +11,11 @@
 #
 # * disable core dumps
 #
+# @param enable_core_dump
+#
 class os_hardening::limits (
   Boolean $enable_core_dump = false,
 ) {
-
   if $enable_core_dump == false {
     file { '/etc/security/limits.d/10.hardcore.conf':
       ensure => file,
@@ -28,6 +29,4 @@
       ensure => absent,
     }
   }
-
 }
-

manifests/login_defs.pp

@@ -9,6 +9,32 @@
 #
 # Configures PAM
 #
+# @param extra_user_paths
+#
+# @param umask
+#
+# @param maildir
+#
+# @param usergroups
+#
+# @param sys_uid_min
+#
+# @param sys_gid_min
+#
+# @param password_max_age
+#
+# @param password_min_age
+#
+# @param password_warn_age
+#
+# @param login_retries
+#
+# @param login_timeout
+#
+# @param chfn_restrict
+#
+# @param allow_login_without_home
+#
 class os_hardening::login_defs (
   Array   $extra_user_paths         = [],
   String  $umask                    = '027',
@@ -21,10 +47,9 @@
   Integer $password_warn_age        = 7,
   Integer $login_retries            = 5,
   Integer $login_timeout            = 60,
-  String  $chfn_restrict            = '',
+  Optional[String] $chfn_restrict   = undef,
   Boolean $allow_login_without_home = false,
 ) {
-
   # prepare all variables
   $additional_user_paths = join($extra_user_paths, ':')
 
@@ -39,6 +64,4 @@
     group   => 'root',
     mode    => '0444',
   }
-
 }
-