Puppet Class: psick::hardening

Defined in:
manifests/hardening.pp

Overview

This class manages the general hardening of a system. It only provides, as parameters, the names of the classes to contain in order to carry out specific hardening activities (PAM, packages, services, TCP wrappers, SUID/SGID bits, users, /etc/securetty, network). Each class is contained only if its parameter is not an empty string.

Examples:

Define all the available hardening classes. Set a class name to an empty string to avoid including it:

psick::hardening::pam_class: '::psick::hardening::pam'
psick::hardening::packages_class: '::psick::hardening::packages'
psick::hardening::services_class: '::psick::hardening::services'
psick::hardening::tcpwrappers_class: '::psick::hardening::tcpwrappers'
psick::hardening::suid_class: '::psick::hardening::suid_sgid'
psick::hardening::users_class: '::psick::hardening::users_sgid'
psick::hardening::securetty_class: '::psick::hardening::securetty'
psick::hardening::network_class: '::psick::hardening::network'

Parameters:

  • pam_class (String) (defaults to: '')

    Name of the class to contain to manage PAM

  • packages_class (String) (defaults to: '')

    Name of the class where the packages to remove are defined

  • services_class (String) (defaults to: '')

    Name of the class where the services to stop are defined

  • securetty_class (String) (defaults to: '')

    Name of the class where /etc/securetty is managed

  • tcpwrappers_class (String) (defaults to: '')

    Name of the class to contain to manage TCP wrappers

  • suid_class (String) (defaults to: '')

    Name of the class to contain to remove SUID and SGID bits from executables

  • users_class (String) (defaults to: '')

    Name of the class that manages users

  • network_class (String) (defaults to: '')

    Name of the class where network hardening settings are applied

  • manage (Boolean) (defaults to: $psick::manage)

    Whether to manage any resource in this class. If false, no resource is managed. Default value is taken from the main psick class.

  • noop_manage (Boolean) (defaults to: $psick::noop_manage)

    Whether to call the noop() function for all the resources provided by this class. If true, noop() is called with the $noop_value argument, which overrides any other noop setting (either set in the client's puppet.conf or by the noop() function in the main psick class). Default from the psick class.

  • noop_value (Boolean) (defaults to: $psick::noop_value)

    The value to pass to the noop() function if noop_manage is true. It applies to all the resources (and classes) declared in this class. If true, the noop metaparameter is set to true and resources are not applied. If false, the noop metaparameter is set to false and any other noop setting is overridden: resources are always applied, even when the agent itself runs in noop mode. Default from the psick class.
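As an added example (not code from the psick project), the following Puppet profile shows how the parameters above are meant to be used together: the stock psick classes are wired into their slots, one slot is filled with a site-specific class, unused slots are left as empty strings so nothing is contained, and the whole set is first rolled out in noop and then enforced by flipping a single parameter. The names profile::hardening_rollout, profile::hardening::sysctl, the $enforce parameter and the sysctl key list are assumptions for this example.

```puppet
# Added example, not part of psick. Names below that are not in the psick
# documentation (profile::hardening_rollout, profile::hardening::sysctl,
# $enforce, the sysctl keys) are assumptions for illustration.
class profile::hardening_rollout (
  # Start with $enforce = false: noop(true) is applied to every resource of the
  # contained classes, so the agent reports the would-be changes without
  # applying them. Flip to true once the noop report is clean.
  Boolean $enforce = false,
) {
  class { 'psick::hardening':
    pam_class         => '::psick::hardening::pam',
    packages_class    => '::psick::hardening::packages',
    services_class    => '::psick::hardening::services',
    suid_class        => '::psick::hardening::suid_sgid',
    network_class     => '::profile::hardening::sysctl', # hypothetical site class
    tcpwrappers_class => '',   # empty string: this slot is not contained at all
    securetty_class   => '',
    users_class       => '',
    manage            => true,
    noop_manage       => true,
    noop_value        => !$enforce,
  }
}

# Hypothetical class for the network_class slot. It uses only core Puppet
# resources (file + exec), so it needs no extra module; the key list is an
# assumption, not a recommendation from the psick docs.
class profile::hardening::sysctl (
  Hash[String, Integer] $settings = {
    'net.ipv4.ip_forward'                   => 0,
    'net.ipv4.conf.all.accept_redirects'    => 0,
    'net.ipv4.conf.all.send_redirects'      => 0,
    'net.ipv4.conf.all.accept_source_route' => 0,
    'net.ipv4.conf.all.rp_filter'           => 1,
  },
) {
  # One dedicated file keeps the managed keys auditable; join() is a core
  # function since Puppet 5.5 (earlier versions get it from stdlib).
  $lines   = $settings.map |String $key, Integer $value| { "${key} = ${value}" }
  $content = "# Managed by Puppet (profile::hardening::sysctl)\n${lines.join("\n")}\n"

  file { '/etc/sysctl.d/60-profile-hardening.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => $content,
    notify  => Exec['profile-hardening-sysctl-reload'],
  }

  # Reload only when the file changes; under noop(true) this is reported,
  # not executed, like every other resource in the contained classes.
  exec { 'profile-hardening-sysctl-reload':
    command     => '/sbin/sysctl --system',
    refreshonly => true,
  }
}
```

Two practical points follow from the class source. First, the empty string is the only skip sentinel: `contain` needs a loadable class, so a misspelled class name fails catalog compilation instead of silently leaving that hardening area unmanaged, which is the safe failure mode for a hardening profile. Second, if psick already declares psick::hardening for you (for instance from Hiera data, as in the example above), set the `psick::hardening::*_class` keys in Hiera rather than using a resource-like declaration as here, otherwise the class would be declared twice and compilation would fail.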



# File 'manifests/hardening.pp', line 37

class psick::hardening (

  String $pam_class         = '', # lint:ignore:params_empty_string_assignment
  String $packages_class    = '', # lint:ignore:params_empty_string_assignment
  String $services_class    = '', # lint:ignore:params_empty_string_assignment
  String $tcpwrappers_class = '', # lint:ignore:params_empty_string_assignment
  String $suid_class        = '', # lint:ignore:params_empty_string_assignment
  String $users_class       = '', # lint:ignore:params_empty_string_assignment
  String $securetty_class   = '', # lint:ignore:params_empty_string_assignment
  String $network_class     = '', # lint:ignore:params_empty_string_assignment

  Boolean $manage           = $psick::manage,
  Boolean $noop_manage      = $psick::noop_manage,
  Boolean $noop_value       = $psick::noop_value,

) {
  if $manage {
    if $noop_manage {
      noop($noop_value)
    }

    if $pam_class != '' {
      contain $pam_class
    }

    if $packages_class != '' {
      contain $packages_class
    }

    if $services_class != '' {
      contain $services_class
    }

    if $tcpwrappers_class != '' {
      contain $tcpwrappers_class
    }

    if $suid_class != '' {
      contain $suid_class
    }

    if $users_class != '' {
      contain $users_class
    }

    if $securetty_class != '' {
      contain $securetty_class
    }

    if $network_class != '' {
      contain $network_class
    }
  }
}