Puppet Class: usbguard

Defined in:
manifests/init.pp

Summary

Install and configure usbguard

Overview

usbguard

Examples:

include ::usbguard

Pass rules as a class parameter

class { 'usbguard':
  rules => [
    'allow with-interface equals { 08:*:* }',
    'reject with-interface all-of { 08:*:* 03:00:* }',
  ],
}

Parameters:

  • manage_package (Boolean) (defaults to: true)

    Should the module manage the package or not

  • manage_service (Boolean) (defaults to: true)

    Should the module manage the service or not

  • manage_rules_file (Boolean) (defaults to: true)

    Should the module manage the rules file or not. If set to false, usbguard::rule will not manage the rules, and rules passed via the rules param of this class will be ignored.

  • package_name (String) (defaults to: 'usbguard')

    Name of the package containing usbguard

  • service_name (String) (defaults to: 'usbguard')

    Name of the service.

  • service_ensure (Enum['running', 'stopped']) (defaults to: 'running')

    Should the service be running or stopped. Stopped will also disable the service.

  • daemon_audit_file_path (String) (defaults to: '/var/log/usbguard/usbguard-audit.log')

    Path to the usbguard audit log file. AuditFilePath setting of usbguard-daemon.conf

  • daemon_device_rules_with_port (Boolean) (defaults to: false)

    DeviceRulesWithPort setting of usbguard-daemon.conf

  • daemon_implicit_policy_target (Enum['allow', 'block', 'reject']) (defaults to: 'block')

    ImplicitPolicyTarget setting of usbguard-daemon.conf

  • daemon_ipc_allowed_groups (Array[String]) (defaults to: [ 'wheel' ])

    IPCAllowedGroups setting of usbguard-daemon.conf

  • daemon_ipc_allowed_users (Array[String]) (defaults to: ['root'])

    IPCAllowedUsers setting of usbguard-daemon.conf

  • daemon_present_controller_policy (Enum['allow','block','reject','keep','apply-policy']) (defaults to: 'keep')

    PresentControllerPolicy setting of usbguard-daemon.conf

  • daemon_present_device_policy (Enum['allow','block','reject','keep','apply-policy']) (defaults to: 'apply-policy')

    PresentDevicePolicy setting of usbguard-daemon.conf

  • daemon_rule_file (String) (defaults to: '/etc/usbguard/rules-managed-by-puppet.conf')

    Path to the rules file. RuleFile setting of usbguard-daemon.conf

  • rules (Optional[Array[String]]) (defaults to: undef)

    Array of strings with rules to pass to usbguard::rule



# File 'manifests/init.pp', line 43

class usbguard(
  Boolean $manage_service = true,
  Boolean $manage_package = true,
  Boolean $manage_rules_file = true,
  String  $package_name = 'usbguard',
  String  $service_name = 'usbguard',
  Enum['running', 'stopped'] $service_ensure = 'running',

  # usbguard-daemon.conf settings
  String $daemon_audit_file_path = '/var/log/usbguard/usbguard-audit.log',
  Boolean $daemon_device_rules_with_port = false,
  Enum['allow', 'block', 'reject'] $daemon_implicit_policy_target = 'block',
  Array[String] $daemon_ipc_allowed_groups = [ 'wheel' ],
  Array[String] $daemon_ipc_allowed_users = ['root'],
  Enum['allow','block','reject','keep','apply-policy'] $daemon_present_controller_policy = 'keep',
  Enum['allow','block','reject','keep','apply-policy'] $daemon_present_device_policy = 'apply-policy',
  String $daemon_rule_file = '/etc/usbguard/rules-managed-by-puppet.conf',

  # rules to provide by hiera/lookup or as class param
  Optional[Array[String]] $rules = undef,
) {
  contain ::usbguard::install
  contain ::usbguard::config
  contain ::usbguard::service

  Class['::usbguard::install']
  -> Class['::usbguard::config']
  ~> Class['::usbguard::service']

  if $rules != undef {
    $rules.each |$rule| {
      ::usbguard::rule { $rule: }
    }
  }
}
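
An added example, not part of the module's own code or documentation: a wrapper profile that sets the daemon policy parameters documented above explicitly and passes an allowlist through `rules`. The class name `profile::usbguard`, the group `usbguard-admins` and the keyboard rule are assumptions made for illustration; the two mass-storage rules are the ones from the class example above.

```puppet
# Hypothetical profile class; the name is an assumption, not part of the module.
class profile::usbguard (
  # Constructed allowlist. usbguard scans rules sequentially and the first
  # matching rule decides, so the reject rule is listed before the allow rules.
  Array[String] $device_rules = [
    # Device exposing mass storage together with a HID interface: reject.
    'reject with-interface all-of { 08:*:* 03:00:* }',
    # Device whose only interfaces are mass storage: allow.
    'allow with-interface equals { 08:*:* }',
    # Keyboards (HID class 03, keyboard protocol 01). Without a rule that
    # matches the attached keyboard, the settings below leave it blocked.
    'allow with-interface one-of { 03:00:01 03:01:01 }',
  ],
) {
  class { 'usbguard':
    # ImplicitPolicyTarget: a device matching no rule stays unauthorized.
    daemon_implicit_policy_target    => 'block',
    # PresentDevicePolicy: devices already plugged in when the daemon starts
    # are evaluated against the rules instead of being trusted as-is.
    daemon_present_device_policy     => 'apply-policy',
    # PresentControllerPolicy: controllers present at daemon start are left
    # in their current authorization state.
    daemon_present_controller_policy => 'keep',
    # IPCAllowedUsers / IPCAllowedGroups: who may talk to the daemon over
    # IPC. 'usbguard-admins' is a placeholder group.
    daemon_ipc_allowed_users         => ['root'],
    daemon_ipc_allowed_groups        => ['usbguard-admins'],
    # AuditFilePath: log of policy decisions, kept at the module default.
    daemon_audit_file_path           => '/var/log/usbguard/usbguard-audit.log',
    # Each string becomes a usbguard::rule resource (see the class body).
    rules                            => $device_rules,
  }
}
```

Whether the module writes the rules in array order is not shown on this page, so after the first Puppet run check the file named by `daemon_rule_file` and confirm the reject rule precedes the allow rules.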