Puppet Class: cis_security_hardening::services

Defined in:
manifests/services.pp

Summary

Services

Overview

Several exec resources needed from multiple classes.

Examples:

include cis_security_hardening::services


8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
 
# File 'manifests/services.pp', line 8

class cis_security_hardening::services {
  $rel = fact('os') ? {
    undef   => '',
    default => fact('operatingsystemmajrelease')
  }
  $osfamily = fact('osfamily') ? {
    undef   => 'unknown',
    default => fact('osfamily').downcase()
  }
  if ($rel <= '6') and ($osfamily == 'redhat') {
    exec { 'reload-sshd':
      command     => 'service sshd reload',
      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
      refreshonly => true,
    }
  } else {
    exec { 'reload-sshd':
      command     => 'systemctl reload sshd',
      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
      refreshonly => true,
    }
  }

  exec { 'reload-rsyslog':
    command     => 'pkill -HUP rsyslog',
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    refreshonly => true,
  }

  exec { 'reload-rsyslogd':
    command     => 'pkill -HUP rsyslogd',
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    refreshonly => true,
  }

  exec { 'reload-syslog-ng':
    command     => 'pkill -HUP syslog-ng',
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    refreshonly => true,
  }

  exec { 'authselect-apply-changes':
    command     => 'authselect apply-changes',
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    refreshonly => true,
  }

  exec { 'systemd-daemon-reload':
    command     => 'systemctl daemon-reload',
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    refreshonly => true,
  }

  exec { 'save iptables rules':
    command     => 'service iptables save',
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    unless      => 'test -z "$(grep -e AlmaLinux -e Rocky /etc/redhat-release 2>/dev/null)"',
    refreshonly => true,
  }

  exec { 'authconfig-apply-changes':
    command     => 'authconfig --updateall',
    path        => ['/sbin','/usr/sbin'],
    refreshonly => true,
  }

  exec { 'grub2-mkconfig':
    command     => 'grub2-mkconfig -o /boot/grub2/grub.cfg',
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    refreshonly => true,
  }

  exec { 'reload-sysctl-system':
    command     => 'sysctl --system',
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    refreshonly => true,
  }
}