Puppet Class: cis_security_hardening::rules::rsh_client

Defined in:
manifests/rules/rsh_client.pp

Summary

Ensure rsh client is not installed

Overview

The rsh package contains the client commands for the rsh services.

Rationale: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh , rcp and rlogin .

Examples:

class { 'cis_security_hardening::rules::rsh_client':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule



22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
 
# File 'manifests/rules/rsh_client.pp', line 22

class cis_security_hardening::rules::rsh_client (
  Boolean $enforce = false,
) {
  if $enforce {
    if $facts['os']['name'].downcase() == 'ubuntu' {
      # rsh-client is virtual and can not be removed as ssh package will be removed as well
      $pkg = 'rsh-client'
    } else {
      $pkg = 'rsh'
      $ensure = $facts['os']['family'].downcase() ? {
        'suse'  => 'absent',
        default => 'purged',
      }
      ensure_packages($pkg, {
          ensure => $ensure,
      })
    }
  }
}