Puppet Class: cis_benchmark::trusty64::logging::rsyslog

Defined in:
manifests/trusty64/logging/rsyslog.pp

Overview



# File 'manifests/trusty64/logging/rsyslog.pp', line 8

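## Manages rsyslog for the CIS 4.2.1.x logging controls on trusty64: the
## package, upstart job file and service (4.2.1.1), /etc/rsyslog.conf
## (4.2.1.3) and /etc/rsyslog.d/50-default.conf.
##
## The class takes no parameters; each control is switched by the matching
## $::cis_benchmark::cis_4_2_1_N variable.
class cis_benchmark::trusty64::logging::rsyslog {
  ## local variables
  ## NOTE(review): placeholder value that is not referenced in this manifest;
  ## presumably the ERB templates read it as the remote log target. Confirm,
  ## and point it at the real collector before relying on log forwarding.
  $centralized_log_host = 'loghost.example.com'

  ## local variables: stig items
  ## Only 4.2.1.1 and 4.2.1.3 are tested below; the others are presumably
  ## consumed by the templates rendered from this scope (verify there).
  $cis_4_2_1_1          = $::cis_benchmark::cis_4_2_1_1
  $cis_4_2_1_2          = $::cis_benchmark::cis_4_2_1_2
  $cis_4_2_1_3          = $::cis_benchmark::cis_4_2_1_3
  $cis_4_2_1_4          = $::cis_benchmark::cis_4_2_1_4
  $cis_4_2_1_5          = $::cis_benchmark::cis_4_2_1_5

  ## CIS 4.2.1.1 Ensure logging is configured (Not Scored)
  if ($cis_4_2_1_1) {
    ## ensure rsyslog installed
    package { 'rsyslog':
      ensure            => 'present',
    }

    ## ensure configuration
    ## The restart relationship is declared here, on the conditional resource,
    ## so the always-declared exec never references a File that is missing
    ## from the catalog when this control is switched off.
    file { '/etc/init/rsyslog.conf':
      ensure            => present,
      mode              => '0644',
      owner             => 'root',
      group             => 'root',
      content           => dos2unix(template('cis_benchmark/trusty64/rsyslog/init_rsyslog.conf.erb')),
      notify            => Exec['restart-rsyslogd'],
    }

    ## ensure rsyslog running
    service { 'rsyslog':
      ensure            => true,
      enable            => true,
      require           => Package['rsyslog'],
    }
  }

  ## CIS 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
  if ($cis_4_2_1_3) {
    file { '/etc/rsyslog.conf':
      ensure            => present,
      mode              => '0644',
      owner             => 'root',
      group             => 'root',
      content           => dos2unix(template('cis_benchmark/trusty64/rsyslog/rsyslog.conf.erb')),
    }
  }
  else {
    ## Control disabled: leave the existing file content alone and only make
    ## sure the drop-in directory is still included.
    file { '/etc/rsyslog.conf':
      ensure            => present,
      mode              => '0644',
      owner             => 'root',
      group             => 'root',
    }

    ## file_line edits the file outside the File resource above, so it has to
    ## trigger the restart itself.
    file_line { 'rsyslog-include-config':
      path              => '/etc/rsyslog.conf',
      line              => '$IncludeConfig /etc/rsyslog.d/*.conf',
      notify            => Exec['restart-rsyslogd'],
    }
  }

  ## apply remaining cis stigs
  file { '/etc/rsyslog.d/50-default.conf':
    ensure              => present,
    mode                => '0644',
    owner               => 'root',
    group               => 'root',
    content             => dos2unix(template('cis_benchmark/trusty64/rsyslog/50-default.conf.erb')),
  }

  ## restart rsyslogd
  ## A real restart replaces the former `pkill -HUP rsyslogd`: current rsyslog
  ## releases only close and reopen their output files on SIGHUP and do not
  ## re-read the configuration, so the hardened settings would not take effect
  ## until the next restart.
  exec { 'restart-rsyslogd':
      command           => 'service rsyslog restart',
      path              => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
      subscribe         => [
        File['/etc/rsyslog.conf'],
        File['/etc/rsyslog.d/50-default.conf'],
      ],
      refreshonly       => true,
  }
}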