Puppet Class: cis_security_hardening::rules::disable_prelink

Defined in:
manifests/rules/disable_prelink.pp

Summary

Ensure prelink is disabled

Overview

prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries so that the dynamic linker needs significantly less time to perform relocations at startup.

Rationale: The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.

Examples:

class { 'cis_security_hardening::rules::disable_prelink':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule



# File 'manifests/rules/disable_prelink.pp', line 22

class cis_security_hardening::rules::disable_prelink (
  Boolean $enforce = false,
) {
  if $enforce {
    $ensure = $facts['os']['family'].downcase() ? {
      'suse'   => 'absent',
      default => 'purged',
    }

    ensure_packages(['prelink'], {
        ensure => $ensure,
    })

    exec { 'reset prelink':
      command => 'prelink -ua',
      path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
      onlyif  => 'test -f /sbin/prelink',
      before  => Package['prelink'],
    }
  }
}
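
A post-run check for this rule, as an added example that is not part of the module: it looks for a prelink binary in the four directories listed in the exec resource's path and, on the live root, asks rpm or dpkg-query whether the package is still installed. The function names and the optional root-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit that prelink is gone after the rule has been enforced.
# ROOT (first argument) is a hypothetical parameter; it defaults to /.

# List prelink binaries in the directories named in the exec's `path`.
find_prelink() {
    root="${1:-/}"
    for dir in bin sbin usr/bin usr/sbin; do
        # On merged-/usr systems /bin and /sbin are symlinks; skip them so
        # the same file is not reported twice.
        if [ -L "${root%/}/$dir" ]; then
            continue
        fi
        if [ -f "${root%/}/$dir/prelink" ]; then
            printf '%s\n' "${root%/}/$dir/prelink"
        fi
    done
    return 0
}

# True if the live system's package database still lists prelink as installed.
prelink_pkg_installed() {
    if command -v rpm >/dev/null 2>&1 && rpm -q prelink >/dev/null 2>&1; then
        return 0
    fi
    if command -v dpkg-query >/dev/null 2>&1 &&
        dpkg-query -W -f='${Status}' prelink 2>/dev/null |
            grep -q 'install ok installed'; then
        return 0
    fi
    return 1
}

# Return 0 when compliant, 1 otherwise. The package database is consulted
# only when auditing the live root.
audit_prelink() {
    root="${1:-/}"
    found="$(find_prelink "$root")"
    if [ -n "$found" ]; then
        printf 'FAIL: prelink binary present: %s\n' "$found"
        return 1
    fi
    if [ "$root" = "/" ] && prelink_pkg_installed; then
        printf 'FAIL: prelink package still installed\n'
        return 1
    fi
    printf 'PASS: prelink not found under %s\n' "$root"
    return 0
}
```

Source the file and call `audit_prelink` with no argument to check the running system, or pass a mounted image's root directory to check it offline.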