Puppet Class: security_baseline::rules::redhat::sec_prelink
- Defined in:
- manifests/rules/redhat/sec_prelink.pp
Summary
Ensure prelink is disabled (Scored)
Overview
prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way that the time needed for the dynamic linker to perform relocations at startup significantly decreases.
Rationale: The prelinking feature can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.
# File 'manifests/rules/redhat/sec_prelink.pp', line 30
class security_baseline::rules::redhat::sec_prelink (
  Boolean $enforce = true,
  String $message = '',
  String $log_level = ''
) {
  if($enforce) {
    # Enforce mode: undo prelinking on all binaries, then purge the package.
    if($facts['security_baseline']['packages_installed']['prelink']) {
      ensure_packages(['prelink'], {
        ensure => 'purged',
      })
      # Must run before the package is removed, while the prelink binary still exists.
      exec { 'reset prelink':
        command => 'prelink -ua',
        path    => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
        onlyif  => 'test -f /sbin/prelink',
        before  => Package['prelink'],
      }
    }
  } else {
    # Audit-only mode: report that prelink is installed without changing the system.
    if($facts['security_baseline']['packages_installed']['prelink']) {
      echo { 'prelink':
        message  => $message,
        loglevel => $log_level,
        withpath => false,
      }
    }
  }
}
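
The following Python example is added here and is not part of the security_baseline module. It tests whether an ELF image still carries the `.gnu.prelink_undo` section that prelink writes into files it has modified, which is one way to confirm that the `prelink -ua` step restored a binary before AIDE baselines it; `build_sample_elf` is a hypothetical helper that constructs the test input.

```python
import struct

# Section that prelink adds to a file it has modified, so `prelink -u` can restore it.
PRELINK_SECTION = b".gnu.prelink_undo"

def section_names(data):
    """Return the section names of an ELF image, or [] if it cannot be parsed as ELF."""
    if data[:4] != b"\x7fELF" or len(data) < 6 or data[4] not in (1, 2) or data[5] not in (1, 2):
        return []
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little endian
    try:
        if data[4] == 2:                          # ELFCLASS64
            shoff, = struct.unpack_from(end + "Q", data, 0x28)
            shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 0x3A)
            loc_fmt, loc_pos = end + "QQ", 0x18   # sh_offset, sh_size
        else:                                     # ELFCLASS32
            shoff, = struct.unpack_from(end + "I", data, 0x20)
            shentsize, shnum, shstrndx = struct.unpack_from(end + "HHH", data, 0x2E)
            loc_fmt, loc_pos = end + "II", 0x10

        def header(i):                            # (sh_name, sh_offset, sh_size)
            base = shoff + i * shentsize
            return struct.unpack_from(end + "I", data, base) + \
                   struct.unpack_from(loc_fmt, data, base + loc_pos)

        _, str_off, str_size = header(shstrndx)
        strtab = data[str_off:str_off + str_size]
        names = []
        for i in range(shnum):
            start = header(i)[0]
            names.append(strtab[start:strtab.index(b"\0", start)])
        return names
    except (struct.error, ValueError):            # truncated or malformed file
        return []

def is_prelinked(data):
    return PRELINK_SECTION in section_names(data)

def build_sample_elf(names):
    """Constructed input: minimal ELF64 LE image whose sections all alias one string table."""
    strtab = b"\0" + b"".join(n + b"\0" for n in names)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64 + len(strtab), 0, 64, 0, 0, 64,
        len(names) + 1, len(names))
    shdrs, pos = [bytes(64)], 1                   # index 0 is the null section
    for n in names:
        shdrs.append(struct.pack("<IIQQQQIIQQ", pos, 3, 0, 0, 64, len(strtab), 0, 0, 1, 0))
        pos += len(n) + 1
    return ehdr + strtab + b"".join(shdrs)
```

On a real host, pass `open(path, "rb").read()` for each binary or library of interest to `is_prelinked`; files that use extended section numbering (more than 65279 sections) are not handled.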