Puppet Class: cis_security_hardening::rules::root_gid

Defined in:
manifests/rules/root_gid.pp

Summary

Ensure default group for the root account is GID 0

Overview

The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user.

Rationale: Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users.

Examples:

class { 'cis_security_hardening::rules::root_gid':
    enforce => true,
    encrypted_root_password => 'encrypted password',
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule

  • encrypted_root_password (Optional[String]) (defaults to: undef)

    The new root password to be set (has to be encrypted as the OS needs it)



# File 'manifests/rules/root_gid.pp', line 24

class cis_security_hardening::rules::root_gid (
  Boolean $enforce                          = false,
  Optional[String] $encrypted_root_password = undef,
) {
  if($enforce) {
    if $encrypted_root_password == undef {
      $data = {
        ensure => present,
        gid    => '0',
      }
    } else {
      $data = {
        ensure   => present,
        gid      => '0',
        password => $encrypted_root_password,
      }
    }
    ensure_resource('user', 'root', $data)
  }
}
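
A post-apply check for the state this class enforces, as an added example that is not part of the module: it reads a passwd-format file and reports whether root's primary GID is 0. The function name `check_root_gid`, its return-code convention and the sample passwd lines are assumptions made for this example.

```shell
#!/bin/sh
# Audit the primary GID of root in a passwd-format file.
# Usage: check_root_gid [passwd_file]   (defaults to /etc/passwd)
# Return codes (convention chosen for this example):
#   0 = root's primary GID is 0
#   1 = root has a non-zero primary GID
#   2 = file unreadable, or root entry missing, duplicated or malformed
check_root_gid() {
    passwd_file="${1:-/etc/passwd}"
    [ -r "$passwd_file" ] || { echo "cannot read $passwd_file" >&2; return 2; }

    # passwd fields: name:password:UID:GID:GECOS:home:shell
    awk -F: '
        $1 == "root" {
            seen++
            if (NF < 7 || $4 !~ /^[0-9]+$/) { bad = 1 }
            else if ($4 + 0 != 0)           { wrong = 1; gid = $4 }
        }
        END {
            if (seen != 1 || bad) {
                print "FAIL: root entry missing, duplicated or malformed"
                exit 2
            }
            if (wrong) {
                print "FAIL: root primary GID is " gid ", expected 0"
                exit 1
            }
            print "PASS: root primary GID is 0"
        }
    ' "$passwd_file"
}

# Constructed sample: root's primary group was changed to GID 100.
sample=$(mktemp)
printf '%s\n' \
    'root:x:0:100:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' > "$sample"
check_root_gid "$sample" || echo "audit exit code: $?"
rm -f "$sample"
```

Run `check_root_gid` with no argument on a managed node to audit the live `/etc/passwd` after a Puppet run with `enforce => true`.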