Puppet Class: cis_security_hardening::rules::overlayfs
- Defined in:
- manifests/rules/overlayfs.pp
Summary
Ensure overlayfs kernel module is not available
Overview
The overlay filesystem combines multiple different directories into a single directory. It is commonly used for containers and package management systems. The overlayfs filesystem type allows one, usually read-write, directory tree to be overlaid onto another, read-only directory tree.
Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.
# File 'manifests/rules/overlayfs.pp', line 21
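# @summary
#   Ensure overlayfs kernel module is not available
#
# The overlay filesystem combines multiple different directories into a single
# directory. It is commonly used for containers and package management systems.
# Removing support for unneeded filesystem types reduces the local attack
# surface of the system.
#
# Depending on the OS release the module is either hard-disabled (modprobe is
# told to run `/bin/false`, so loading fails, and the module is blacklisted) or
# only soft-disabled (modprobe runs `/bin/true`, so loading silently does
# nothing). Release majors are compared with versioncmp() rather than the
# string comparison operators: `'10' > '7'` is false as a plain string
# comparison, so newer releases would otherwise fall into the soft-disable
# branch.
#
# @param enforce
#   Enforce the rule. When false the class declares no resources.
#
# @example
#   class { 'cis_security_hardening::rules::overlayfs':
#     enforce => true,
#   }
class cis_security_hardening::rules::overlayfs (
  Boolean $enforce = false,
) {
  if $enforce {
    $os_name  = $facts['os']['name'].downcase()
    $os_major = $facts['os']['release']['major']

    # true  => install via /bin/false plus a blacklist entry
    # false => install via /bin/true only
    $hard_disable = $os_name ? {
      /^(rocky|almalinux|centos)$/ => true,
      'redhat'                     => versioncmp($os_major, '7') > 0,
      'debian'                     => versioncmp($os_major, '10') > 0,
      'ubuntu'                     => versioncmp($os_major, '20') >= 0,
      default                      => false,
    }

    # The kernel module is named 'overlay', not 'overlayfs'.
    kmod::install { 'overlay':
      command => $hard_disable ? {
        true    => '/bin/false',
        default => '/bin/true',
      },
    }

    if $hard_disable {
      kmod::blacklist { 'overlay': }
    }
  }
}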