Puppet Class: security_baseline::rules::common::sec_vfat

Defined in:
manifests/rules/common/sec_vfat.pp

Summary

Ensure mounting of FAT filesystems is disabled (Scored)

Overview

The FAT filesystem format is primarily used on older windows systems and portable USB drives or flash modules. It comes in three types FAT12 , FAT16 , and FAT32 all of which are supported by the vfat kernel module.

Rationale: Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Examples:

class security_baseline::rules::common::sec_vfat {
    enforce => true,
    message => 'Test',
    log_level => 'info'
}

Parameters:

  • enforce (Boolean) (defaults to: true)

    Enforce the rule or just test and log

  • message (String) (defaults to: '')

    Message to print into the log

  • log_level (String) (defaults to: '')

    The log_level for the above message



29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
 
# File 'manifests/rules/common/sec_vfat.pp', line 29

class security_baseline::rules::common::sec_vfat (
  Boolean $enforce = true,
  String $message = '',
  String $log_level = ''
) {
  if $enforce {
    kmod::install { 'vfat':
      command => '/bin/true',
    }
  } else {
    if($facts['security_baseline']['kernel_modules']['vfat']) {
      echo { 'vfat':
        message  => $message,
        loglevel => $log_level,
        withpath => false,
      }
    }
  }
}