Puppet Class: cis_security_hardening::rules::xdmcp_config

Defined in:
manifests/rules/xdmcp_config.pp

Summary

Ensure XDMCP is not enabled

Overview

X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays.

Rationale: XDMCP is inherently insecure.

* XDMCP is not an encrypted protocol. This may allow an attacker to capture keystrokes entered by a user.
* XDMCP is vulnerable to man-in-the-middle attacks. This may allow an attacker to steal the credentials
  of legitimate users by impersonating the XDMCP server.

Examples:

class { 'cis_security_hardening::rules::xdmcp_config':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule.



# File 'manifests/rules/xdmcp_config.pp', line 23

class cis_security_hardening::rules::xdmcp_config (
  Boolean $enforce = false,
) {
  $xdcmp = fact('cis_security_hardening.xdcmp')

  if  $enforce and $xdcmp != undef and $xdcmp {
    $file = $facts['os']['name'].downcase() ? {
      'rocky'     => '/etc/gdm/custom.conf',
      'almalinux' => '/etc/gdm/custom.conf',
      'redhat'    => '/etc/gdm/custom.conf',
      'centos'    => '/etc/gdm/custom.conf',
      default     => '/etc/gdm3/custom.conf',
    }

    file_line { 'remove enable':
      ensure            => absent,
      path              => $file,
      match             => 'Enable=true',
      match_for_absence => true,
    }
  }
}
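
An added audit example, not part of the module: it parses a GDM custom.conf section by section, reports whether `Enable` is true under `[xdmcp]`, and lists every line that the manifest's unanchored `match => 'Enable=true'` regular expression also hits. The function name `audit` and the sample file content are assumptions constructed for illustration.

```python
import re

# Constructed sample of a GDM custom.conf, not taken from a real host.
SAMPLE_CONF = """\
[daemon]
WaylandEnable=true
AutomaticLoginEnable=true
AutomaticLogin=kiosk

[xdmcp]
Enable=true

[debug]
#Enable=true
"""

# Same regular expression the manifest passes to file_line as `match`.
MANIFEST_PATTERN = re.compile(r"Enable=true")


def audit(conf_text):
    """Return (xdmcp_enabled, hits).

    xdmcp_enabled: True only if Enable is true inside the [xdmcp] section.
    hits: (line number, section, text) for each line MANIFEST_PATTERN matches.
    """
    section = None
    xdmcp_enabled = False
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if MANIFEST_PATTERN.search(raw):
            hits.append((lineno, section, line))
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Case-insensitive value comparison is a conservative audit choice.
        if section == "xdmcp" and key == "Enable" and value.lower() == "true":
            xdmcp_enabled = True
    return xdmcp_enabled, hits


if __name__ == "__main__":
    enabled, hits = audit(SAMPLE_CONF)
    print("XDMCP enabled:", enabled)
    for lineno, section, text in hits:
        print(f"pattern matches line {lineno} in [{section}]: {text}")
```

On the sample, the pattern matches four lines in three sections while only one of them is the XDMCP setting; a line written as `Enable = true` under `[xdmcp]` is flagged by the audit but not matched by the pattern.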