-rw-r--r-- | manifests/base.pp | 1 | ||||
-rw-r--r-- | manifests/resources.pp | 4 | ||||
-rw-r--r-- | manifests/subsystem/grsec/paxctl.pp | 11 | ||||
-rw-r--r-- | manifests/subsystem/security.pp | 11 |
4 files changed, 27 insertions, 0 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 859eccb..ba292fa 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -3,6 +3,7 @@ class nodo::base {
   include lsb
 
   # Then include our subsystems
+  include nodo::subsystem::security
   include nodo::subsystem::apt
   include nodo::subsystem::sudo
   include nodo::subsystem::locales
diff --git a/manifests/resources.pp b/manifests/resources.pp
index d885153..8b60ebf 100644
--- a/manifests/resources.pp
+++ b/manifests/resources.pp
@@ -43,4 +43,8 @@ class nodo::resources {
   # SSH keys
   $sshkeys = hiera('sshkeys', {})
   create_resources('sshkey', $sshkeys)
+
+  # PaX flags
+  $pax = hiera('nodo::subsystem::grsec::paxctl', {})
+  create_resources('nodo::subsystem::grsec::paxctl', $pax)
 }
diff --git a/manifests/subsystem/grsec/paxctl.pp b/manifests/subsystem/grsec/paxctl.pp
new file mode 100644
index 0000000..2b3a843
--- /dev/null
+++ b/manifests/subsystem/grsec/paxctl.pp
@@ -0,0 +1,11 @@
+define nodo::subsystem::grsec::paxctl(
+  $file,
+  $flags,
+)
+{
+  exec { "paxctl-${name}":
+    command => "/sbin/paxctl -${flags} ${file}",
+    user    => "root",
+    require => Package['paxtest'],
+  }
+}
diff --git a/manifests/subsystem/security.pp b/manifests/subsystem/security.pp
new file mode 100644
index 0000000..faf00bb
--- /dev/null
+++ b/manifests/subsystem/security.pp
@@ -0,0 +1,11 @@
+# Basic security measures
+class nodo::subsystem::security {
+  # Ensure a modest permission for this place
+  # Frameworks like grsecurity might complain otherwise
+  file { '/usr/local/bin':
+    ensure => directory,
+    owner  => "root",
+    group  => "root",
+    mode   => "0755",
+  }
+}
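Review bot: In the new paxctl.pp define, `$file` and `$flags` are interpolated straight into the exec `command` without any validation, and the resources.pp hunk shows both values arriving from hiera via `create_resources`, so a mistyped or tampered hiera entry becomes an arbitrary command line run as root on every node. The exec also has no `unless`/`onlyif`/`refreshonly`, so it re-runs and reports a change on every agent run; an `unless` built on `/sbin/paxctl -v ${file}` would make it idempotent, but the exact output format to match should be taken from paxctl(1). The `require => Package['paxtest']` looks like the wrong dependency: the command runs `/sbin/paxctl`, which on Debian-family systems is shipped by the `paxctl` package rather than the `paxtest` test suite, and neither package is declared anywhere in this diff, so catalog compilation will fail unless it exists elsewhere. The sketch below assumes puppetlabs-stdlib is available for the validation functions; the allowed flag letters should be narrowed to the set paxctl(1) documents.
```puppet
define nodo::subsystem::grsec::paxctl(
  $file,
  $flags,
)
{
  # Both values come from hiera; accept only a bare letter list and an absolute path
  # so nothing shell-significant can reach the exec command line.
  validate_re($flags, '^[A-Za-z]+$')
  validate_absolute_path($file)
  exec { "paxctl-${name}":
    command => "/sbin/paxctl -${flags} ${file}",
    # … unchanged: user …
    require => Package['paxctl'],
  }
}
```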
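Review bot: The comment on the `/usr/local/bin` file resource in security.pp does not say which grsecurity feature it is accommodating, so a later maintainer cannot judge whether `0755` is still the right mode or whether the resource can be dropped; grsecurity's Trusted Path Execution refuses to run binaries from directories that are not root-owned or are group/world-writable, which is what this resource is pinning. I would replace the two comment lines with `# grsecurity Trusted Path Execution only runs binaries from root-owned, non-group/world-writable directories, so keep /usr/local/bin at root:root 0755`. As a point of style, the non-interpolated values in both new files (`"root"`, `"0755"` here and `user => "root"` in paxctl.pp) would be single-quoted under the Puppet style guide, e.g. `owner => 'root',`.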