Puppet Class: security_baseline::rules::common::sec_avahi

Defined in:
manifests/rules/common/sec_avahi.pp

Summary

Ensure Avahi Server is not enabled (Scored)

Overview

Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.

Rationale: Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attack surface.

Examples:

class { 'security_baseline::rules::common::sec_avahi':
  enforce   => true,
  message   => 'Test',
  log_level => 'info',
}

Parameters:

  • enforce (Boolean) (defaults to: true)

    Enforce the rule or just test and log

  • message (String) (defaults to: '')

    Message to print into the log

  • log_level (String) (defaults to: '')

    The log_level for the above message

# File 'manifests/rules/common/sec_avahi.pp', line 30

class security_baseline::rules::common::sec_avahi (
  Boolean $enforce = true,
  String $message = '',
  String $log_level = ''
) {
  if($enforce) {
    # Enforce: stop the daemon now and keep it from starting at boot.
    ensure_resource('service', ['avahi-daemon'], {
      ensure => 'stopped',
      enable => false,
    })

  } else {
    # Audit only: log a finding when the security_baseline fact reports the
    # service as enabled, without changing the system.
    if($facts['security_baseline']['services_enabled']['srv_avahi-daemon'] == 'enabled') {
      echo { 'avahi-daemon':
        message  => $message,
        loglevel => $log_level,
        withpath => false,
      }
    }
  }
}
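The audit branch of the class above, as an added POSIX shell example that is not part of the security_baseline module. It assumes a systemd host and approximates the module's `services_enabled` fact with `systemctl is-enabled`; the `SYSTEMCTL` variable, `avahi_enabled_state`, `avahi_active_state` and `check_avahi_rule` are names chosen here.

```sh
#!/bin/sh
# Added example, not part of the security_baseline module: a POSIX shell audit
# check equivalent to the class's enforce => false branch. It assumes a systemd
# host and approximates the 'services_enabled' fact with `systemctl is-enabled`.
# SYSTEMCTL can be overridden (e.g. by a shell function) to run the check offline.
: "${SYSTEMCTL:=systemctl}"

# Map `systemctl is-enabled avahi-daemon` output to enabled / disabled / absent.
# Any state that still lets systemd start the unit is counted as enabled.
avahi_enabled_state() {
  out=$("$SYSTEMCTL" is-enabled avahi-daemon 2>/dev/null) || true
  case "$out" in
    enabled|enabled-runtime|static|indirect|alias|linked|linked-runtime) echo enabled ;;
    disabled|masked|masked-runtime) echo disabled ;;
    *) echo absent ;;
  esac
}

# Map `systemctl is-active avahi-daemon` output to active / inactive.
avahi_active_state() {
  out=$("$SYSTEMCTL" is-active avahi-daemon 2>/dev/null) || true
  case "$out" in
    active|activating|reloading) echo active ;;
    *) echo inactive ;;
  esac
}

# Evaluate the rule without changing anything. Arguments mirror the class
# parameters message and log_level. Returns 0 when compliant (unit neither
# enabled nor running) and 1 when there is a finding, which is logged to stderr.
check_avahi_rule() {
  message=${1:-'Avahi Server is enabled'}
  log_level=${2:-info}
  enabled=$(avahi_enabled_state)
  active=$(avahi_active_state)
  if [ "$enabled" = enabled ] || [ "$active" = active ]; then
    printf '[%s] sec_avahi: %s (is-enabled=%s, is-active=%s)\n' \
      "$log_level" "$message" "$enabled" "$active" >&2
    return 1
  fi
  return 0
}

# Stand-alone use: sh sec_avahi_check.sh --run 'Test' info
if [ "${1:-}" = --run ]; then
  shift
  check_avahi_rule "$@"
fi
```

On distributions that ship `avahi-daemon.socket`, socket activation can restart the daemon even when the service unit is disabled, so the same two checks are worth repeating for that unit.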