Puppet Class: security_baseline::rules::common::sec_udf

Defined in:
manifests/rules/common/sec_udf.pp

Summary

Ensure mounting of udf filesystems is disabled (Scored)

Overview

The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.

Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Examples:

class { 'security_baseline::rules::common::sec_udf':
    enforce   => true,
    message   => 'Test',
    log_level => 'info',
}

Parameters:

  • enforce (Boolean) (defaults to: true)

    Enforce the rule or just test and log

  • message (String) (defaults to: '')

    Message to print into the log

  • log_level (String) (defaults to: '')

    The log_level for the above message



# File 'manifests/rules/common/sec_udf.pp', line 30

class security_baseline::rules::common::sec_udf (
  Boolean $enforce  = true,
  String $message   = '',
  String $log_level = ''
) {
  if $enforce {
    kmod::install { 'udf':
      command => '/bin/true',
    }
  } else {
    if($facts['security_baseline']['kernel_modules']['udf']) {
      echo { 'udf':
        message  => $message,
        loglevel => $log_level,
        withpath => false,
      }
    }
  }
}
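
An audit check for the state this class enforces, added here as an example and not part of the security_baseline module. It assumes the `kmod::install` resource results in an `install udf /bin/true` line in a `.conf` file under `/etc/modprobe.d`, and it reads `/proc/modules` for loaded modules; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit that a filesystem module such as udf is neutralised
# by an install override and is not currently loaded.

# module_install_disabled MODULE [CONF_DIR]
# Returns 0 if a *.conf file in CONF_DIR maps MODULE's install command to
# /bin/true or /bin/false, 1 otherwise. Commented-out lines never match,
# because their first field is "#" or "#install" rather than "install".
module_install_disabled() {
    mod=$1
    dir=${2:-/etc/modprobe.d}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue   # glob matched nothing, or not a regular file
        if awk -v m="$mod" '
            $1 == "install" && $2 == m &&
                ($3 == "/bin/true" || $3 == "/bin/false") { found = 1 }
            END { exit !found }
        ' "$f"; then
            return 0
        fi
    done
    return 1
}

# module_loaded MODULE [PROC_MODULES]
# Returns 0 if MODULE is listed in the first column of PROC_MODULES.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# audit_module MODULE [CONF_DIR] [PROC_MODULES]
# The override only affects future modprobe calls, so a module loaded
# before the Puppet run stays loaded and is reported separately.
audit_module() {
    if ! module_install_disabled "$1" "${2:-/etc/modprobe.d}"; then
        echo "FAIL: no install override found for $1"
        return 1
    fi
    if module_loaded "$1" "${3:-/proc/modules}"; then
        echo "FAIL: $1 has an install override but is still loaded"
        return 1
    fi
    echo "PASS: $1 install override present and module not loaded"
}
```

Source the file and run `audit_module udf` on the node after the Puppet run; the optional arguments exist so the check can be pointed at a copied configuration directory.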