Puppet Class: cis_security_hardening::rules::dnsmasq

Defined in:
manifests/rules/dnsmasq.pp

Summary

Ensure dnsmasq is not installed (Automated)

Overview

dnsmasq is a lightweight tool that provides DNS caching, DNS forwarding and DHCP (Dynamic Host Configuration Protocol) services.

Rationale: Unless a system is specifically designated to act as a DNS caching, DNS forwarding and/or DHCP server, it is recommended that the package be removed to reduce the potential attack surface.

Examples:

class { 'cis_security_hardening::rules::dnsmasq':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: true)

    Enforce the rule



# File 'manifests/rules/dnsmasq.pp', line 19

class cis_security_hardening::rules::dnsmasq (
  Boolean $enforce = true,
) {
  if $enforce {
    case $facts['os']['name'].downcase() {
      'redhat', 'centos': {
        ensure_packages(['dnsmasq'], {
            ensure => purged,
        })
      }
      'debian': {
        # Compare as versions: a plain string comparison would rank '9' above '12'
        if versioncmp($facts['os']['release']['major'], '12') >= 0 {
          ensure_packages(['dnsmasq'], {
              ensure => purged,
          })
        }
      }
      default: {
        # nothing to do yet
      }
    }
  }
}