Style Guide corrections

dev-sec · Jul 5, 2017 · d335982 · d335982
1 parent cfb7e46
commit d335982
Show file tree

Hide file tree

Showing 10 changed files with 165 additions and 143 deletions.
diff --git a/manifests/blacklist_files.pp b/manifests/blacklist_files.pp
@@ -7,12 +7,15 @@
 # Remove SUID and SGID bits from a given file
 
 define os_hardening::blacklist_files {
-  exec{ "remove suid/sgid bit from ${name}":
+
+  exec { "remove suid/sgid bit from ${name}":
     command => "/bin/chmod ug-s ${name}",
     # the following checks if we are operating on a file
     # and if this file has either SUID or SGID bits set
     # it reads:
     # (isFile(x) && isSuid(x)) || (isFile(x) && isSgid(x))
     onlyif  => "/usr/bin/test -f ${name} -a -u ${name} -o -f ${name} -a -g ${name}",
   }
+
 }
+
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -9,7 +9,7 @@
 #
 # Pulls in all manifests for os_hardening.
 #
-class os_hardening(
+class os_hardening (
   $system_environment       = 'default',
   $allow_core_dumps         = false,
 
@@ -55,6 +55,7 @@
   $enable_stack_protection  = true,
   $enable_rpfilter          = true,
 ) {
+
   # Validate
   # --------
   validate_array($ignore_users)
@@ -72,15 +73,15 @@
   $configure_sysctl = (
     $system_environment != 'lxc' and
     $system_environment != 'docker'
-    )
+  )
 
 
   # Install
   # -------
-  class {'os_hardening::limits':
-    allow_core_dumps         => $allow_core_dumps,
+  class { 'os_hardening::limits':
+    allow_core_dumps => $allow_core_dumps,
   }
-  class {'os_hardening::login_defs':
+  class { 'os_hardening::login_defs':
     extra_user_paths         => $extra_user_paths,
     umask                    => $umask,
     password_max_age         => $password_max_age,
@@ -90,11 +91,11 @@
     chfn_restrict            => $chfn_restrict,
     allow_login_without_home => $allow_login_without_home,
   }
-  class {'os_hardening::minimize_access':
+  class { 'os_hardening::minimize_access':
     allow_change_user => $allow_change_user,
     ignore_users      => $ignore_users,
   }
-  class {'os_hardening::pam':
+  class { 'os_hardening::pam':
     passwdqc_enabled  => $passwdqc_enabled,
     auth_retries      => $auth_retries,
     auth_lockout_time => $auth_lockout_time,
@@ -103,21 +104,21 @@
     enable_pw_history => $enable_pw_history,
     pw_remember_last  => $pw_remember_last,
   }
-  class {'os_hardening::profile':
+  class { 'os_hardening::profile':
     allow_core_dumps => $allow_core_dumps,
   }
-  class {'os_hardening::securetty':
+  class { 'os_hardening::securetty':
     root_ttys => $root_ttys,
   }
-  class {'os_hardening::suid_sgid':
+  class { 'os_hardening::suid_sgid':
     whitelist           => $whitelist,
     blacklist           => $blacklist,
     remove_from_unknown => $remove_from_unknown,
     dry_run_on_unknown  => $dry_run_on_unknown,
   }
 
   if $configure_sysctl {
-    class {'os_hardening::sysctl':
+    class { 'os_hardening::sysctl':
       enable_module_loading   => $enable_module_loading,
       load_modules            => $load_modules,
       cpu_vendor              => $cpu_vendor,
@@ -133,4 +134,6 @@
       enable_rpfilter         => $enable_rpfilter,
     }
   }
+
 }
+
diff --git a/manifests/limits.pp b/manifests/limits.pp
@@ -12,8 +12,9 @@
 # * disable core dumps
 #
 class os_hardening::limits (
-  $allow_core_dumps = false
-){
+  $allow_core_dumps = false,
+) {
+
   if $allow_core_dumps == false {
     file { '/etc/security/limits.d/10.hardcore.conf':
       ensure => file,
@@ -27,4 +28,6 @@
       ensure => absent,
     }
   }
+
 }
+
diff --git a/manifests/login_defs.pp b/manifests/login_defs.pp
@@ -10,25 +10,27 @@
 # Configures PAM
 #
 class os_hardening::login_defs (
-  $extra_user_paths = [],
-  $umask = '027',
-  $password_max_age = 60,
-  $password_min_age = 7,
-  $login_retries = 5,
-  $login_timeout = 60,
-  $chfn_restrict = '',
+  $extra_user_paths         = [],
+  $umask                    = '027',
+  $password_max_age         = 60,
+  $password_min_age         = 7,
+  $login_retries            = 5,
+  $login_timeout            = 60,
+  $chfn_restrict            = '',
   $allow_login_without_home = false,
-){
+) {
+
   # prepare all variables
-  $additional_user_paths = join( $extra_user_paths, ':' )
+  $additional_user_paths = join($extra_user_paths, ':')
 
   # set the file
-  file {
-    '/etc/login.defs':
+  file { '/etc/login.defs':
       ensure  => file,
-      content => template( 'os_hardening/login.defs.erb' ),
+      content => template('os_hardening/login.defs.erb'),
       owner   => 'root',
       group   => 'root',
       mode    => '0444',
   }
+
 }
+
diff --git a/manifests/minimize_access.pp b/manifests/minimize_access.pp
@@ -14,7 +14,8 @@
   $always_ignore_users =
     ['root','sync','shutdown','halt'],
   $ignore_users        = [],
-){
+) {
+
   # from which folders to remove public access
   $folders = [
     '/usr/local/sbin',
@@ -27,8 +28,8 @@
   # remove write permissions from path folders ($PATH) for all regular users
   # this prevents changing any system-wide command from normal users
   file { $folders:
-    ensure  => 'directory',
-    links   => 'follow',
+    ensure  => directory,
+    links   => follow,
     mode    => 'go-w',
     recurse => true,
   }
@@ -56,15 +57,15 @@
   if $allow_change_user == false {
     file { '/bin/su':
       ensure => file,
-      links  => 'follow',
+      links  => follow,
       owner  => 'root',
       group  => 'root',
       mode   => '0750',
     }
   } else {
     file { '/bin/su':
       ensure => file,
-      links  => 'follow',
+      links  => follow,
       owner  => 'root',
       group  => 'root',
       mode   => '4755',
@@ -88,3 +89,4 @@
   }
 
 }
+
diff --git a/manifests/pam.pp b/manifests/pam.pp
@@ -10,14 +10,15 @@
 # Configures PAM
 #
 class os_hardening::pam (
-  $passwdqc_enabled = true,
-  $auth_retries = 5,
+  $passwdqc_enabled  = true,
+  $auth_retries      = 5,
   $auth_lockout_time = 600,
-  $passwdqc_options = 'min=disabled,disabled,16,12,8',
-  $manage_pam_unix = false,
+  $passwdqc_options  = 'min=disabled,disabled,16,12,8',
+  $manage_pam_unix   = false,
   $enable_pw_history = false,
-  $pw_remember_last = 5,
-){
+  $pw_remember_last  = 5,
+) {
+
   # prepare package names
   case $::operatingsystem {
     redhat, fedora: {
@@ -40,7 +41,7 @@
   # remove ccreds if not necessary
   package{ 'pam-ccreds':
     ensure => absent,
-    name   => $pam_ccreds
+    name   => $pam_ccreds,
   }
 
   case $::operatingsystem {
@@ -67,7 +68,7 @@
         # configure passwdqc via central module:
         file { $passwdqc_path:
           ensure  => file,
-          content => template( 'os_hardening/pam_passwdqc.erb' ),
+          content => template('os_hardening/pam_passwdqc.erb'),
           owner   => 'root',
           group   => 'root',
           mode    => '0640',
@@ -94,13 +95,13 @@
       #configure tally2
       if $auth_retries > 0 {
         # tally2 is needed for pam
-        package{ 'libpam-modules':
+        package { 'libpam-modules':
           ensure => present,
         }
 
         file { $tally2_path:
           ensure  => file,
-          content => template( 'os_hardening/pam_tally2.erb' ),
+          content => template('os_hardening/pam_tally2.erb'),
           owner   => 'root',
           group   => 'root',
           mode    => '0640',
@@ -117,13 +118,12 @@
       if $manage_pam_unix {
         if $enable_pw_history {
           $pw_history_options = "remember=${pw_remember_last}"
-        }
-        else {
+        } else {
           $pw_history_options = ''
         }
         file { $unix_path:
           ensure  => file,
-          content => template( 'os_hardening/pam_unix.erb' ),
+          content => template('os_hardening/pam_unix.erb'),
           owner   => 'root',
           group   => 'root',
           mode    => '0640',
@@ -144,3 +144,4 @@
   }
 
 }
+
diff --git a/manifests/profile.pp b/manifests/profile.pp
@@ -10,8 +10,9 @@
 # Configures profile.conf.
 #
 class os_hardening::profile (
-  $allow_core_dumps = false
-){
+  $allow_core_dumps = false,
+) {
+
   if $allow_core_dumps == false {
     file { '/etc/profile.d/pinerolo_profile.sh':
       ensure => file,
@@ -25,4 +26,6 @@
       ensure => absent,
     }
   }
+
 }
+
diff --git a/manifests/securetty.pp b/manifests/securetty.pp
@@ -10,14 +10,17 @@
 # Configures securetty.
 #
 class os_hardening::securetty (
-  $root_ttys = ['console','tty1','tty2','tty3','tty4','tty5','tty6']
-){
-  $ttys = join( $root_ttys, "\n")
+  $root_ttys = ['console','tty1','tty2','tty3','tty4','tty5','tty6'],
+) {
+
+  $ttys = join($root_ttys, "\n")
   file { '/etc/securetty':
     ensure  => file,
-    content => template( 'os_hardening/securetty.erb' ),
+    content => template('os_hardening/securetty.erb'),
     owner   => 'root',
     group   => 'root',
     mode    => '0400',
   }
+
 }
+