Puppet Class: r_profile::lockdown::at

Defined in:
manifests/lockdown/at.pp

Overview

R_profile::Lockdown::At

Restrict access to the `at` daemon by managing the at.allow and at.deny files

Parameters:

  • ensure (Boolean) (defaults to: hiera('r_profile::lockdown::at::ensure', false))

    true to enable lockdown of `at`, otherwise false



# File 'manifests/lockdown/at.pp', line 6

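# @summary Restrict who may schedule `at` jobs by managing at.allow and at.deny.
#
# When $ensure is true, the platform's at.deny is removed and at.allow is
# created, so the allow list rather than the deny list decides access.
# When $ensure is false no resources are managed, but the OS family check
# below still runs and an unsupported family fails catalog compilation.
#
# @param ensure
#   true to enable lockdown of `at`, otherwise false.
class r_profile::lockdown::at(
  Boolean $ensure = hiera('r_profile::lockdown::at::ensure', false),
) {

  # Per-platform file locations. $add_root marks the families where this
  # class writes an explicit `root` entry into at.allow.
  case $facts['os']['family'] {
    'RedHat': {
      $at_deny  = '/etc/at.deny'
      $at_allow = '/etc/at.allow'
      $add_root = false
    }
    'AIX': {
      $at_deny  = '/var/adm/cron/at.deny'
      $at_allow = '/var/adm/cron/at.allow'
      $add_root = true
    }
    'Solaris': {
      $at_deny  = '/etc/cron.d/at.deny'
      $at_allow = '/etc/cron.d/at.allow'
      $add_root = true
    }
    default: {
      fail("Class ${name} does not support ${facts['os']['family']} yet")
    }
  }

  if $ensure {
    # Remove the deny list so that access is governed by at.allow alone.
    file { $at_deny:
      ensure => absent,
    }

    # by creating this file, only users listed (and root!) will be able to
    # schedule at jobs
    #
    # NOTE: no content or source is set, so entries already present in an
    # existing at.allow are left untouched. On hosts that had an allow list
    # before this class was applied, audit the file: stale entries keep their
    # access to `at`.
    #
    # `ensure => file` (not `present`) so that a directory or symlink sitting
    # at this path is not accepted as satisfying the resource.
    #
    # Group is given as gid 0 because the name differs per platform: it is
    # `root` on RedHat and Solaris but `system` on AIX, where a group named
    # `root` does not exist by default.
    file { $at_allow:
      ensure => file,
      owner  => 'root',
      group  => 0,
      mode   => '0600',
    }

    if $add_root {
      # Append a `root` line if it is missing; other lines are not altered.
      file_line { "${at_allow}_user_root":
        ensure => present,
        line   => 'root',
        path   => $at_allow,
      }
    }
  }
}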