aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--manifests/base.pp1
-rw-r--r--manifests/resources.pp4
-rw-r--r--manifests/subsystem/grsec/paxctl.pp11
-rw-r--r--manifests/subsystem/security.pp11
4 files changed, 27 insertions, 0 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
index 859eccb..ba292fa 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -3,6 +3,7 @@ class nodo::base {
include lsb
# Then include our subsystems
+ include nodo::subsystem::security
include nodo::subsystem::apt
include nodo::subsystem::sudo
include nodo::subsystem::locales
diff --git a/manifests/resources.pp b/manifests/resources.pp
index d885153..8b60ebf 100644
--- a/manifests/resources.pp
+++ b/manifests/resources.pp
@@ -43,4 +43,8 @@ class nodo::resources {
# SSH keys
$sshkeys = hiera('sshkeys', {})
create_resources('sshkey', $sshkeys)
+
+ # PaX flags
+ $pax = hiera('nodo::subsystem::grsec::paxctl', {})
+ create_resources('nodo::subsystem::grsec::paxctl', $pax)
}
diff --git a/manifests/subsystem/grsec/paxctl.pp b/manifests/subsystem/grsec/paxctl.pp
new file mode 100644
index 0000000..2b3a843
--- /dev/null
+++ b/manifests/subsystem/grsec/paxctl.pp
@@ -0,0 +1,11 @@
+define nodo::subsystem::grsec::paxctl(
+ $file,
+ $flags,
+)
+{
+ exec { "paxctl-${name}":
+ command => "/sbin/paxctl -${flags} ${file}",
+ user => "root",
+ require => Package['paxtest'],
+ }
+}
diff --git a/manifests/subsystem/security.pp b/manifests/subsystem/security.pp
new file mode 100644
index 0000000..faf00bb
--- /dev/null
+++ b/manifests/subsystem/security.pp
@@ -0,0 +1,11 @@
+# Basic security measures
+class nodo::subsystem::security {
+ # Ensure a modest permission for this place
+ # Frameworks like grsecurity might complain otherwise
+ file { '/usr/local/bin':
+ ensure => directory,
+ owner => "root",
+ group => "root",
+ mode => "0755",
+ }
+}