Puppet Class: cis_security_hardening::rules::root_gid

Defined in:
manifests/rules/root_gid.pp

Summary

Ensure default group for the root account is GID 0

Overview

The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user.

Rationale: Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users.

Examples:

class { 'cis_security_hardening::rules::root_gid':
    enforce => true,
    encrypted_root_password => 'encrypted password',
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule

  • encrypted_root_password (Optional[String]) (defaults to: undef)

    The new root password to be set. It must already be encrypted in the form the OS expects.



# File 'manifests/rules/root_gid.pp', line 24

class cis_security_hardening::rules::root_gid (
  Boolean $enforce                          = false,
  Optional[String] $encrypted_root_password = undef,
) {
  if($enforce) {
    if $encrypted_root_password == undef {
      $data = {
        ensure => present,
        gid    => '0',
      }
    } else {
      $data = {
        ensure   => present,
        gid      => '0',
        password => $encrypted_root_password,
      }
    }
    ensure_resource('user', 'root', $data)
  }
}
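
To audit the state this class enforces, the following added example (not part of the module) reads root's entry from a passwd-format file and passes only when there is exactly one well-formed root entry whose primary GID is 0. The function names and the sample lines in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the module): audit the state that
# cis_security_hardening::rules::root_gid enforces.

# Print the primary GID (4th field) of the root entry in a passwd-format file.
# Exit status: 0 ok, 2 no root entry, 3 duplicate or malformed root entry,
# 4 file unreadable.
root_primary_gid() {
    passwd_file=${1:-/etc/passwd}
    [ -r "$passwd_file" ] || return 4
    awk -F: '
        $1 == "root" { n++; gid = $4; nf = NF }
        END {
            if (n == 0) exit 2
            if (n > 1 || nf != 7 || gid !~ /^[0-9]+$/) exit 3
            print gid
        }' "$passwd_file"
}

# Return 0 only when root has exactly one well-formed entry with GID 0.
check_root_gid() {
    gid=$(root_primary_gid "$1") || {
        status=$?
        echo "FAIL: could not determine root GID (status $status)" >&2
        return "$status"
    }
    if [ "$gid" -eq 0 ]; then
        echo "PASS: root primary GID is 0"
    else
        echo "FAIL: root primary GID is $gid, expected 0" >&2
        return 1
    fi
}

# Constructed sample input (not real host data): one compliant entry and one
# where root's primary group has drifted to GID 1000.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/compliant"
    printf 'root:x:0:1000:root:/root:/bin/bash\n' > "$tmp/drifted"
    check_root_gid "$tmp/compliant"
    check_root_gid "$tmp/drifted"
    rm -rf "$tmp"
}

# Run the constructed demo only when asked: sh script.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

Calling `check_root_gid` with no argument audits `/etc/passwd` on the local host.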