Puppet Class: cis_security_hardening::rules::kptr_restrict

Defined in:
manifests/rules/kptr_restrict.pp

Summary

Ensure the operating system restricts access to exposed kernel pointer addresses (sysctl kernel.kptr_restrict)

Overview

The operating system must restrict access to exposed kernel pointer addresses. Rationale: it is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. Such unnecessary capabilities or services are often overlooked and therefore may remain unsecured, increasing the risk to the platform by providing additional attack vectors. Concretely, with kernel.kptr_restrict at the kernel's built-in default of 0 (distributions may ship a higher value), the kernel prints real addresses in %pK-formatted output such as /proc/kallsyms and /proc/modules, handing a local attacker the symbol locations needed to defeat KASLR. A value of 1 prints those addresses as zeros to readers lacking CAP_SYSLOG; 2 hides them from everyone, including root. This class sets 1.

Examples:

class { 'cis_security_hardening::rules::kptr_restrict':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.



# File 'manifests/rules/kptr_restrict.pp', line 19

# Sets kernel.kptr_restrict = 1 through the sysctl type (augeasproviders_sysctl),
# so %pK-formatted kernel addresses are masked for readers without CAP_SYSLOG.
class cis_security_hardening::rules::kptr_restrict (
  Boolean $enforce = false,
) {
  if $enforce {
    sysctl {
      'kernel.kptr_restrict':
        ensure    => present,
        permanent => 'yes',   # also persist the key in the provider's sysctl config target (/etc/sysctl.conf unless target is set)
        value     => '1',
        notify    => Exec['reload-sysctl-system'],   # declared elsewhere in the module; re-applies the sysctl config files
    }
  }
}
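The class above only enforces the setting; the following is an added audit helper, not part of the cis_security_hardening module or this page, that shows how to verify the control end to end: the running value in /proc/sys, the value persisted in sysctl configuration files (only /etc/sysctl.d/*.conf followed by /etc/sysctl.conf are consulted, an assumption that matches where admins and the Puppet provider write; /run and /usr/lib drop-ins are not modelled), and the observable effect on /proc/kallsyms output. The file name kptr_audit.sh and the function names are the example's own.

```shell
#!/bin/sh
# kptr_audit.sh: audit helper for kernel.kptr_restrict (added example, not part of the
# cis_security_hardening module). Reports the running value, the value persisted in
# sysctl config files, and whether /proc/kallsyms is actually masked for this caller.

# Succeed when VALUE satisfies the control: 1 (masked without CAP_SYSLOG) or 2 (always masked).
kptr_value_ok() {
  case "$1" in
    1|2) return 0 ;;
    *)   return 1 ;;
  esac
}

# Print the effective persisted value of sysctl KEY from the config files given,
# read in order with "last definition wins", as sysctl --system does. Unreadable
# files are skipped. Both "kernel.kptr_restrict" and "kernel/kptr_restrict" match.
#   persisted_value KEY FILE...
persisted_value() {
  key=$1; shift
  last=
  for f in "$@"; do
    [ -r "$f" ] || continue
    v=$(awk -v k="$key" '
      { sub(/[#;].*/, "") }                 # strip comments
      index($0, "=") {
        n = index($0, "=")
        name = substr($0, 1, n - 1); val = substr($0, n + 1)
        gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", val)
        gsub("/", ".", name)                # normalise slash spelling to dotted
        if (name == k) last = val
      }
      END { print last }' "$f")
    if [ -n "$v" ]; then last=$v; fi
  done
  printf '%s\n' "$last"
}

# Read /proc/kallsyms-style lines on stdin; succeed only if every address column
# is all zeros, which is what an unprivileged reader sees when pointers are masked.
addresses_masked() {
  awk '$1 !~ /^0+$/ { leaked = 1 } END { if (leaked) exit 1; exit 0 }'
}

# Audit the live system. Assumption: /etc/sysctl.d/*.conf then /etc/sysctl.conf is
# the persistence path that matters; /run and /usr/lib drop-ins are ignored.
audit_kptr_restrict() {
  rc=0
  running=$(cat /proc/sys/kernel/kptr_restrict 2>/dev/null || echo unknown)
  persisted=$(persisted_value kernel.kptr_restrict /etc/sysctl.d/*.conf /etc/sysctl.conf)
  printf 'running:   %s\n' "$running"
  printf 'persisted: %s\n' "${persisted:-<unset>}"
  kptr_value_ok "$running"   || { echo 'FAIL: running value permits kernel address exposure'; rc=1; }
  kptr_value_ok "$persisted" || { echo 'FAIL: value not persisted; a reboot would lose it'; rc=1; }
  if [ -r /proc/kallsyms ]; then
    if head -n 20 /proc/kallsyms | addresses_masked; then
      echo 'ok:   /proc/kallsyms addresses are masked for this user'
    else
      echo 'note: /proc/kallsyms shows real addresses (expected for root/CAP_SYSLOG when the value is 1)'
    fi
  fi
  return $rc
}

# Run the audit only when executed directly; sourcing the file just defines the functions.
case "$0" in
  *kptr_audit.sh) audit_kptr_restrict ;;
esac
```

Run it once as an unprivileged user and once as root: with the value at 1, the first run should report masked addresses while the second shows real ones, which is the behaviour the control is meant to produce. A FAIL on the persisted check with a passing running check is the classic gap this class closes with permanent => 'yes'.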