Puppet Class: lsys::cron

Inherits:
lsys::params
Defined in:
manifests/cron.pp

Summary

Basic crond management (packages/services)

Overview

Basic crond management (packages/services)

Examples:

include lsys::cron

Parameters:

  • manage_package (Boolean) (defaults to: true)

    Whether to manage cron daemon package or not

  • package_ensure (String) (defaults to: 'installed')

    Ensure property to pass to resource Package for cron daemon

  • package_name (String) (defaults to: $lsys::params::cron_package_name)

    Real cron daemon package name (either cronie or vixie-cron)

  • enable_monit (Boolean) (defaults to: false)

    Whether to monitor crond service with Monit or not

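  • enable_hardening (Boolean) (defaults to: false)

    Whether to apply cron hardening: remove /etc/cron.deny and have the cron class manage the allow list built from users_allow

  • file_system_hardening (Boolean) (defaults to: true)

    Whether to also restrict permissions on cron files and directories. Only takes effect when enable_hardening is true

  • users_allow (Array[String]) (defaults to: ['root'])

    Users passed to the cron class as users_allow. The allow list is managed only when enable_hardening is true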


# File 'manifests/cron.pp', line 19

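# @summary Basic crond management (packages/services)
#
# Declares the forge `cron` class for service management, the local
# cronjobs directory and service classes, and optionally the cron package.
# With hardening enabled it also removes /etc/cron.deny, turns on allow-list
# management in the `cron` class and pins ownership and modes of cron files.
#
# @example
#   include lsys::cron
#
# @param manage_package
#   Whether to manage cron daemon package or not
#
# @param package_ensure
#   Ensure property to pass to resource Package for cron daemon
#
# @param package_name
#   Real cron daemon package name (either cronie or vixie-cron)
#
# @param enable_monit
#   Whether to monitor crond service with Monit or not
#
# @param enable_hardening
#   Whether to apply cron hardening. When true, /etc/cron.deny is removed and
#   the `cron` class is told to manage the allow list (manage_users_allow).
#
# @param file_system_hardening
#   Whether to restrict ownership and modes of cron files and directories.
#   Evaluated only inside the enable_hardening branch, so it has no effect
#   while enable_hardening is false, even though it defaults to true.
#
# @param users_allow
#   Users handed to the `cron` class as users_allow. The value is always
#   passed, but the allow list is managed only when enable_hardening is true.
#
class lsys::cron (
  Boolean $manage_package = true,
  String  $package_ensure = 'installed',
  String  $package_name = $lsys::params::cron_package_name,
  Boolean $enable_monit = false,
  Boolean $enable_hardening = false,
  Boolean $file_system_hardening = true,
  Array[String] $users_allow = ['root'],
) inherits lsys::params {
  # Allow-list management in the cron class follows the hardening switch.
  $manage_users_allow = $enable_hardening

  if $enable_hardening {
    # Running cron jobs can be allowed or disallowed for different users. For
    # this purpose, use the cron.allow and cron.deny files. If the cron.allow
    # file exists, a user must be listed in it to be allowed to use cron. If
    # the cron.allow file does not exist but the cron.deny file does exist,
    # then a user must not be listed in the cron.deny file in order to use cron.
    # If neither of these files exists, only the super user is allowed to use
    # cron.
    #
    # Hardening relies on the allow list alone, so the deny list is removed.
    file { '/etc/cron.deny':
      ensure => absent,
    }

    # FS hardening
    if $file_system_hardening {
      # A restrictive mode only protects a file if its owner is trusted, so
      # ownership is pinned to root together with the mode.
      #
      # NOTE(review): these resources have no explicit relationship to
      # Package['cron']; if the package is installed or upgraded in the same
      # run, the modes may only be enforced on the next run. Confirm ordering.
      file {
        default:
          owner => 'root',
          group => 'root',
        ;
        '/etc/anacrontab':      mode => '0600';
        '/etc/crontab':         mode => '0600';
        '/var/spool/anacron':   mode => '0750';
        '/var/spool/cron':      mode => '0700';
        '/var/spool/cron/root': mode => '0600';
        '/usr/sbin/crond':      mode => '0750';
      }
    }
  }

  #  forge.puppet.com/puppet/cron
  # Package management is switched off here because the package resource is
  # declared below; the deny list is never managed by the cron class.
  class { 'cron':
    manage_service     => true,
    manage_package     => false,
    manage_users_allow => $manage_users_allow,
    users_allow        => $users_allow,
    manage_users_deny  => false,
  }

  class { 'lsys::cron::cronjobs_directory': }
  class { 'lsys::cron::service':
    enable_monit => $enable_monit,
  }

  if $manage_package {
    # The package is applied before the cronjobs directory and service classes.
    package { 'cron':
      ensure   => $package_ensure,
      name     => $package_name,
      # provider yum can remove package with all circular dependencies
      provider => 'yum',
      before   => [
        Class['lsys::cron::cronjobs_directory'],
        Class['lsys::cron::service'],
      ],
    }
  }
}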