diff --git a/manifests/init.pp b/manifests/init.pp
index a00b59c..9b1dab4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -100,13 +100,6 @@
   # system environment configuration
   # there may be differences when using kvm/lxc vs metal
-  # sysctl configuration doesn't work in docker:
-  $configure_sysctl = (
-    $system_environment != 'lxc' and
-    $system_environment != 'docker' and
-    $enable_sysctl_config
-  )
-
   # Defaults for specific platforms
   case $::osfamily {
     'Debian','Suse': {
@@ -208,8 +201,9 @@
     dry_run_on_unknown => $dry_run_on_unknown,
   }
-  if $configure_sysctl {
+  if $enable_sysctl_config {
     class { 'os_hardening::sysctl':
+      system_environment => $system_environment,
       enable_module_loading => $enable_module_loading,
       load_modules => $load_modules,
       cpu_vendor => $cpu_vendor,
diff --git a/manifests/sysctl.pp b/manifests/sysctl.pp
index 84f0d13..50d8cab 100644
--- a/manifests/sysctl.pp
+++ b/manifests/sysctl.pp
@@ -10,6 +10,7 @@
 # Configures Kernel Parameters via sysctl
 #
 class os_hardening::sysctl (
+  String $system_environment = 'default',
   Boolean $enable_module_loading = true,
   Array $load_modules = [],
   String $cpu_vendor = 'intel',
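Review bot: `if $enable_sysctl_config {` now declares `os_hardening::sysctl` on lxc and docker as well, where the comment deleted in the first hunk stated that sysctl configuration does not work; only the tail of sysctl.pp that this commit wraps in the `system_environment` check is still skipped there. Any sysctl resources declared earlier in that class (outside the hunks shown) would therefore be applied inside containers for the first time, which is a behaviour change the commit message should call out if it is intended and the init.pp guard should keep if it is not. Either way the dropped rationale is worth preserving next to the new call, e.g. `# os_hardening::sysctl skips host-kernel settings when system_environment is lxc or docker`. The enclosing class body starts and ends outside the hunk.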
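Review bot: The new `String $system_environment = 'default',` parameter is not documented in the header comment above it, which only says `# Configures Kernel Parameters via sysctl`, so a caller cannot tell which values matter. Since the class body only compares it against `'lxc'` and `'docker'`, a one-line `@param system_environment` entry naming those two as the values that skip the kernel-level and initramfs settings would be enough. A tighter type such as an Enum would make the accepted values explicit, but the full set of environments is not visible here, so document first and narrow the type only if the callers are known.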
@@ -194,47 +195,48 @@
   # * **64** - signalling of processes (term, kill, oom-kill)
   # * **128** - reboot/poweroff
   # * **256** - nicing of all RT tasks
-  if $enable_sysrq {
-    $limited_sysrq = String(4 + 16 + 32 + 64 + 128)
-    sysctl { 'kernel.sysrq': value => $limited_sysrq }
-  } else {
-    sysctl { 'kernel.sysrq': value => '0' }
-  }
-
-  # Enable stack protection by randomizing kernel va space
-  if $enable_stack_protection {
-    sysctl { 'kernel.randomize_va_space': value => '2' }
-  } else {
-    sysctl { 'kernel.randomize_va_space': value => '0' }
-  }
-  # Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
-  sysctl { 'fs.suid_dumpable': value => String(bool2num($enable_core_dump)) }
+  if $system_environment != 'lxc' and $system_environment != 'docker' {
+    if $enable_sysrq {
+      $limited_sysrq = String(4 + 16 + 32 + 64 + 128)
+      sysctl { 'kernel.sysrq': value => $limited_sysrq }
+    } else {
+      sysctl { 'kernel.sysrq': value => '0' }
+    }
-  # configure for module hardening
-  # if modules cannot be loaded at runtime, they must all
-  # be pre-configured in initramfs
-  if $enable_module_loading == false {
-    case $::operatingsystem {
-      debian, ubuntu, cumuluslinux: {
-        file { '/etc/initramfs-tools/modules':
-          ensure => file,
-          content => template('os_hardening/modules.erb'),
-          owner => 'root',
-          group => 'root',
-          mode => '0400',
-          notify => Exec['update-initramfs'],
-        }
-
-        exec { 'update-initramfs':
-          command => '/usr/sbin/update-initramfs -u',
-          refreshonly => true,
-        }
-      }
-      default: {
-        # TODO
+    # Enable stack protection by randomizing kernel va space
+    if $enable_stack_protection {
+      sysctl { 'kernel.randomize_va_space': value => '2' }
+    } else {
+      sysctl { 'kernel.randomize_va_space': value => '0' }
+    }
+    # Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
+    sysctl { 'fs.suid_dumpable': value => String(bool2num($enable_core_dump)) }
+
+    # configure for module hardening
+    # if modules cannot be loaded at runtime, they must all
+    # be pre-configured in initramfs
+    if $enable_module_loading == false {
+      case $::operatingsystem {
+        debian, ubuntu, cumuluslinux: {
+          file { '/etc/initramfs-tools/modules':
+            ensure => file,
+            content => template('os_hardening/modules.erb'),
+            owner => 'root',
+            group => 'root',
+            mode => '0400',
+            notify => Exec['update-initramfs'],
+          }
+
+          exec { 'update-initramfs':
+            command => '/usr/sbin/update-initramfs -u',
+            refreshonly => true,
+          }
+        }
+        default: {
+          # TODO
+        }
       }
     }
   }
-}
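Review bot: The new side of this hunk closes one brace fewer than it opens: inside the hunk the added lines open `if $system_environment …`, `if $enable_module_loading == false`, `case` and `default`, and they are closed by the added `}` after `# TODO` plus the three context braces, while the old file's final `}` — the one that closed `class os_hardening::sysctl` — is removed with no context line after it. Unless the file continues past the hunk, the class is left unterminated and the manifest will not parse; keeping that last `}` (dropping the `-` on `-}`) fixes it. The reason for the guard, which the init.pp change deletes, belongs here as a comment on the new `if`, e.g. `# sysrq, va randomisation, suid_dumpable and initramfs are host-kernel settings and cannot be applied inside lxc/docker`. Binding the test once, `$is_container = $system_environment in ['lxc', 'docker']`, would also keep the two environment names from drifting between this class and init.pp.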