authorSilvio Rhatto <rhatto@riseup.net>2017-03-09 11:01:47 -0300
committerSilvio Rhatto <rhatto@riseup.net>2017-03-09 11:01:47 -0300
commit31fb7797293dd3244a48503ff579e8a755c25e87 (patch)
treea8ad99995989c6e1e4d5b30aa72c2b8ae409f80b /manifests/subsystem
parent0ed40a837c25bf2c22eb04ec9ad1ae676c0d6e28 (diff)
Manage /etc/sysctl.d/grsec.conf at nodo::subsystem::grsec
Diffstat (limited to 'manifests/subsystem')
-rw-r--r--manifests/subsystem/grsec.pp11
1 files changed, 11 insertions, 0 deletions
diff --git a/manifests/subsystem/grsec.pp b/manifests/subsystem/grsec.pp
index 9cc8ba6..7b90002 100644
--- a/manifests/subsystem/grsec.pp
+++ b/manifests/subsystem/grsec.pp
@@ -11,6 +11,17 @@ class nodo::subsystem::grsec {
value => 0,
}
+ # We ship a custom grsec.conf that does not handle kernel.grsecurity.grsec_lock
+ # so we can manage or own sysctl configs.
+ # See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810920
+ file { "/etc/sysctl.d/grsec.conf":
+ owner => "root",
+ group => "root",
+ mode => 0644,
+ ensure => $ensure,
+ source => "puppet:///modules/nodo/etc/sysctl.d/grsec.conf",
+ }
+
# Old configs
file { [ '/etc/sysctl.d/kernel.grsecurity.rwxmap_logging.conf', '/etc/sysctl.d/kernel.grsecurity.grsec_lock.conf' ]:
ensure => absent,
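Review bot: Nothing visible in this hunk sets `kernel.grsecurity.grsec_lock` any more: the new `/etc/sysctl.d/grsec.conf` leaves it out by design and the "Old configs" resource right below removes `kernel.grsecurity.grsec_lock.conf`, so unless the part of the class outside the hunk applies it, the grsecurity sysctls stay writable by root at runtime. If that trade-off is intended, the comment above the `file` resource should state it, e.g. `# grsec_lock is deliberately left unset, so grsecurity sysctls remain changeable at runtime.`, and name where the lock is applied after the other settings, if anywhere. Separately, `mode => 0644` is a bare number; Puppet 4 and later require the file mode as a string, so `mode => '0644',` is the safer form. `$ensure` is not defined in the visible lines (the class header in the hunk context takes no parameters), so its definition earlier in the class should be confirmed. The comment also reads "manage or own" where "manage our own" seems meant.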