Puppet Class: cis_security_hardening::rules::rsyncd
- Defined in: manifests/rules/rsyncd.pp
Summary
Ensure rsync is not installed or the rsyncd service is masked
Overview
The rsyncd service can be used to synchronize files between systems over network links.
Rationale: The rsyncd service presents a security risk as it uses unencrypted protocols for communication.
# File 'manifests/rules/rsyncd.pp', line 18
class cis_security_hardening::rules::rsyncd (
  Boolean $enforce = false,
) {
  if $enforce {
    case $facts['os']['family'].downcase() {
      'debian': {
        ensure_packages(['rsync'], {
          ensure => purged,
        })
        ensure_resource('service', ['rsync'], {
          ensure => 'stopped',
          enable => false,
        })
        exec { 'mask rsync daemon':
          command => 'systemctl mask rsync',
          path    => ['/bin', '/usr/bin'],
          onlyif  => 'test $(systemctl is-enabled rsync) = "enabled"',
        }
      }
      'suse': {
        ensure_packages(['rsync'], {
          ensure => absent,
        })
      }
      'redhat': {
        if($facts['os']['release']['major'] > '6') {
          $rsyncd_srv = 'rsyncd'
        } else {
          $rsyncd_srv = 'rsync'
        }
        ensure_resource('service', [$rsyncd_srv], {
          ensure => 'stopped',
          enable => false,
        })
      }
      default: {
        # nothing to do yet
      }
    }
  }
}
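The summary's condition ("not installed or the rsyncd service is masked") can be checked on a host after a Puppet run with a small audit script. This is an added example, not part of the module: the unit names `rsync` and `rsyncd` come from the manifest above, while the function names, the PASS/FAIL wording and the `--run` switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the module). Unit names rsync/rsyncd come from the
# manifest above; function names and PASS/FAIL wording are assumptions.

# Decide compliance from already-collected state.
#   $1 package state: installed | absent | unknown
#   $2 output of `systemctl is-enabled <unit>`
#   $3 output of `systemctl is-active <unit>`
rsync_verdict() {
  if [ "$1" = "absent" ]; then
    echo "PASS: rsync package not installed"; return 0
  fi
  # Masking a unit does not stop an instance that is already running.
  if [ "$3" = "active" ]; then
    echo "FAIL: rsync daemon is running"; return 1
  fi
  case "$2" in
    masked)         echo "PASS: unit is masked"; return 0 ;;
    masked-runtime) echo "FAIL: masked only until reboot"; return 1 ;;
    *)              echo "FAIL: unit state '${2:-unknown}' is not masked"; return 1 ;;
  esac
}

# Collect state from the local host and evaluate it.
#   $1 unit name: rsync on Debian, rsyncd on RedHat 7+, as in the manifest
rsync_audit() {
  unit=${1:-rsync}
  pkg=unknown   # no known package manager: never report "absent" by default
  if command -v dpkg-query >/dev/null 2>&1; then
    pkg=absent
    dpkg-query -W -f='${Status}' rsync 2>/dev/null | grep -q 'ok installed' && pkg=installed
  elif command -v rpm >/dev/null 2>&1; then
    pkg=absent
    rpm -q rsync >/dev/null 2>&1 && pkg=installed
  fi
  enabled=$(systemctl is-enabled "$unit" 2>/dev/null) || true
  active=$(systemctl is-active "$unit" 2>/dev/null) || true
  rsync_verdict "$pkg" "$enabled" "$active"
}

# Run only when asked, e.g.: sh rsync_audit.sh --run rsyncd
if [ "${1:-}" = "--run" ]; then
  rsync_audit "${2:-rsync}"
fi
```

A unit that is only stopped and disabled reports `disabled`, which this check treats as a failure because the summary asks for the unit to be masked.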