Puppet Class: cis_security_hardening::services

Defined in:
manifests/services.pp

Summary

Services

Overview

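Declares several refresh-only exec resources (service reloads and configuration regeneration) and a reboot resource that are needed by multiple classes of this module.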

Examples:

include cis_security_hardening::services

Parameters:

  • time_until_reboot (Integer) (defaults to: 60)

    Time in seconds to wait before the system is rebooted, if a reboot is required.



# File 'manifests/services.pp', line 11

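class cis_security_hardening::services (
  Integer $time_until_reboot = 60,
) {
  # Every exec below is refreshonly: it runs only when another resource
  # notifies it, never on a plain catalog run. Each exec also sets an explicit
  # path of system directories, so the unqualified command names are looked up
  # there rather than in whatever PATH the agent inherited.
  $exec_path = ['/bin', '/usr/bin', '/sbin', '/usr/sbin']

  # NOTE(review): 'operatingsystemmajrelease' and 'osfamily' are legacy fact
  # names; confirm they are still collected by the Facter version in use.
  $rel = fact('os') ? {
    undef   => '',
    default => fact('operatingsystemmajrelease')
  }
  $osfamily = fact('osfamily') ? {
    undef   => 'unknown',
    default => fact('osfamily').downcase()
  }

  # Compare the release as a version, not as a string: the string comparison
  # '10' <= '6' is true, which selected the SysV command on two-digit
  # releases. The family is tested first so the release is only inspected on
  # RedHat hosts; a missing or empty release falls through to systemctl.
  $use_sysv_service = (
    ($osfamily == 'redhat')
    and ($rel =~ String[1])
    and (versioncmp($rel, '6') <= 0)
  )

  $sshd_reload_command = $use_sysv_service ? {
    true    => 'service sshd reload',
    default => 'systemctl reload sshd',
  }

  # Makes sshd re-read its configuration after a hardening class changed it.
  exec { 'reload-sshd':
    command     => $sshd_reload_command,
    path        => $exec_path,
    refreshonly => true,
  }

  # The three syslog reloads send SIGHUP by process name. pkill treats its
  # argument as a pattern matched against process names, so 'rsyslog' also
  # matches 'rsyslogd'.
  # NOTE(review): pkill exits non-zero when nothing matches, which makes the
  # exec fail if the daemon is not running - confirm callers only notify the
  # exec for the daemon that is actually installed.
  exec { 'reload-rsyslog':
    command     => 'pkill -HUP rsyslog',
    path        => $exec_path,
    refreshonly => true,
  }

  exec { 'reload-rsyslogd':
    command     => 'pkill -HUP rsyslogd',
    path        => $exec_path,
    refreshonly => true,
  }

  exec { 'reload-syslog-ng':
    command     => 'pkill -HUP syslog-ng',
    path        => $exec_path,
    refreshonly => true,
  }

  # Applies pending authselect profile changes.
  exec { 'authselect-apply-changes':
    command     => 'authselect apply-changes',
    path        => $exec_path,
    refreshonly => true,
  }

  # Makes systemd re-read unit files after one was added or changed.
  exec { 'systemd-daemon-reload':
    command     => 'systemctl daemon-reload',
    path        => $exec_path,
    refreshonly => true,
  }

  # 'unless' skips the save when the test succeeds, i.e. when
  # /etc/redhat-release does not mention AlmaLinux or Rocky, so the rules are
  # saved on those two distributions only.
  # NOTE(review): the check relies on shell command substitution - confirm the
  # exec provider in use evaluates it through a shell. Also confirm that
  # other RedHat-family hosts persist their iptables rules another way, as
  # unsaved rules are lost on reboot.
  exec { 'save iptables rules':
    command     => 'service iptables save',
    path        => $exec_path,
    unless      => 'test -z "$(grep -e AlmaLinux -e Rocky /etc/redhat-release 2>/dev/null)"',
    refreshonly => true,
  }

  # authconfig is looked up in the sbin directories only.
  exec { 'authconfig-apply-changes':
    command     => 'authconfig --updateall',
    path        => ['/sbin','/usr/sbin'],
    refreshonly => true,
  }

  # Regenerates the GRUB 2 configuration after boot parameters changed.
  # NOTE(review): the output path is fixed to /boot/grub2/grub.cfg - confirm
  # this is the file the boot loader actually reads on UEFI hosts.
  exec { 'grub2-mkconfig':
    command     => 'grub2-mkconfig -o /boot/grub2/grub.cfg',
    path        => $exec_path,
    refreshonly => true,
  }

  # Re-applies kernel parameters from all sysctl configuration files.
  exec { 'reload-sysctl-system':
    command     => 'sysctl --system',
    path        => $exec_path,
    refreshonly => true,
  }

  # Reboot handler with the configured delay in seconds.
  # NOTE(review): 'reboot' is not a core Puppet type; presumably it comes from
  # a reboot module and only fires when notified - confirm, since an
  # unconditional reboot on every run would be disruptive.
  reboot { 'after_run':
    timeout => $time_until_reboot,
    message => 'forced reboot by Puppet',
    apply   => 'finished',
  }
}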