dev-sec · michaelw · Jun 2, 2021
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -100,13 +100,6 @@
   # system environment configuration
   # there may be differences when using kvm/lxc vs metal
 
-  # sysctl configuration doesn't work in docker:
-  $configure_sysctl = (
-    $system_environment != 'lxc' and
-    $system_environment != 'docker' and
-    $enable_sysctl_config
-  )
-
   # Defaults for specific platforms
   case $::osfamily {
     'Debian','Suse': {
@@ -208,8 +201,9 @@
     dry_run_on_unknown  => $dry_run_on_unknown,
   }
 
-  if $configure_sysctl {
+  if $enable_sysctl_config {
     class { 'os_hardening::sysctl':
+      system_environment      => $system_environment,
       enable_module_loading   => $enable_module_loading,
       load_modules            => $load_modules,
       cpu_vendor              => $cpu_vendor,

diff --git a/manifests/sysctl.pp b/manifests/sysctl.pp
@@ -10,6 +10,7 @@
 # Configures Kernel Parameters via sysctl
 #
 class os_hardening::sysctl (
+  String  $system_environment      = 'default',
   Boolean $enable_module_loading   = true,
   Array   $load_modules            = [],
   String  $cpu_vendor              = 'intel',
@@ -194,47 +195,48 @@
   # * **64** - signalling of processes (term, kill, oom-kill)
   # * **128** - reboot/poweroff
   # * **256** - nicing of all RT tasks
-  if $enable_sysrq {
-    $limited_sysrq = String(4 + 16 + 32 + 64 + 128)
-    sysctl { 'kernel.sysrq': value => $limited_sysrq }
-  } else {
-    sysctl { 'kernel.sysrq': value => '0' }
-  }
-
-  # Enable stack protection by randomizing kernel va space
-  if $enable_stack_protection {
-    sysctl { 'kernel.randomize_va_space': value => '2' }
-  } else {
-    sysctl { 'kernel.randomize_va_space': value => '0' }
-  }
-  # Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
-  sysctl { 'fs.suid_dumpable': value => String(bool2num($enable_core_dump)) }
+  if $system_environment != 'lxc' and $system_environment != 'docker' {
+    if $enable_sysrq {
+      $limited_sysrq = String(4 + 16 + 32 + 64 + 128)
+      sysctl { 'kernel.sysrq': value => $limited_sysrq }
+    } else {
+      sysctl { 'kernel.sysrq': value => '0' }
+    }
 
-  # configure for module hardening
-  # if modules cannot be loaded at runtime, they must all
-  # be pre-configured in initramfs
-  if $enable_module_loading == false {
-    case $::operatingsystem {
-      debian, ubuntu, cumuluslinux: {
-        file { '/etc/initramfs-tools/modules':
-          ensure  => file,
-          content => template('os_hardening/modules.erb'),
-          owner   => 'root',
-          group   => 'root',
-          mode    => '0400',
-          notify  => Exec['update-initramfs'],
-        }
-
-        exec { 'update-initramfs':
-          command     => '/usr/sbin/update-initramfs -u',
-          refreshonly => true,
-        }
-      }
-      default: {
-        # TODO
+    # Enable stack protection by randomizing kernel va space
+    if $enable_stack_protection {
+      sysctl { 'kernel.randomize_va_space': value => '2' }
+    } else {
+      sysctl { 'kernel.randomize_va_space': value => '0' }
+    }
+    # Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information.
+    sysctl { 'fs.suid_dumpable': value => String(bool2num($enable_core_dump)) }
+
+    # configure for module hardening
+    # if modules cannot be loaded at runtime, they must all
+    # be pre-configured in initramfs
+    if $enable_module_loading == false {
+      case $::operatingsystem {
+	debian, ubuntu, cumuluslinux: {
+	  file { '/etc/initramfs-tools/modules':
+	    ensure  => file,
+	    content => template('os_hardening/modules.erb'),
+	    owner   => 'root',
+	    group   => 'root',
+	    mode    => '0400',
+	    notify  => Exec['update-initramfs'],
+	  }
+
+	  exec { 'update-initramfs':
+	    command     => '/usr/sbin/update-initramfs -u',
+	    refreshonly => true,
+	  }
+	}
+	default: {
+	  # TODO
+	}
       }
     }
   }
-
 }