From 6a10906110a915a0a662566b5b400b7afe69c668 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 9 Feb 2017 18:53:21 -0200
Subject: Updates grsec config, adding nodo::subsystem::security and nodo::subsystem::grsec::paxctl

---
 manifests/base.pp | 1 +
 manifests/resources.pp | 4 ++++
 manifests/subsystem/grsec/paxctl.pp | 11 +++++++++++
 manifests/subsystem/security.pp | 11 +++++++++++
 4 files changed, 27 insertions(+)
 create mode 100644 manifests/subsystem/grsec/paxctl.pp
 create mode 100644 manifests/subsystem/security.pp
(limited to 'manifests')

diff --git a/manifests/base.pp b/manifests/base.pp
index 859eccb..ba292fa 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -3,6 +3,7 @@ class nodo::base {
   include lsb
 
   # Then include our subsystems
+  include nodo::subsystem::security
   include nodo::subsystem::apt
   include nodo::subsystem::sudo
   include nodo::subsystem::locales
diff --git a/manifests/resources.pp b/manifests/resources.pp
index d885153..8b60ebf 100644
--- a/manifests/resources.pp
+++ b/manifests/resources.pp
@@ -43,4 +43,8 @@ class nodo::resources {
   # SSH keys
   $sshkeys = hiera('sshkeys', {})
   create_resources('sshkey', $sshkeys)
+
+  # PaX flags
+  $pax = hiera('nodo::subsystem::grsec::paxctl', {})
+  create_resources('nodo::subsystem::grsec::paxctl', $pax)
 }
diff --git a/manifests/subsystem/grsec/paxctl.pp b/manifests/subsystem/grsec/paxctl.pp
new file mode 100644
index 0000000..2b3a843
--- /dev/null
+++ b/manifests/subsystem/grsec/paxctl.pp
@@ -0,0 +1,11 @@
+define nodo::subsystem::grsec::paxctl(
+  $file,
+  $flags,
+)
+{
+  exec { "paxctl-${name}":
+    command => "/sbin/paxctl -${flags} ${file}",
+    user    => "root",
+    require => Package['paxtest'],
+  }
+}
diff --git a/manifests/subsystem/security.pp b/manifests/subsystem/security.pp
new file mode 100644
index 0000000..faf00bb
--- /dev/null
+++ b/manifests/subsystem/security.pp
@@ -0,0 +1,11 @@
+# Basic security measures
+class nodo::subsystem::security {
+  # Ensure a modest permission for this place
+  # Frameworks like grsecurity might complain otherwise
+  file { '/usr/local/bin':
+    ensure => directory,
+    owner  => "root",
+    group  => "root",
+    mode   => "0755",
+  }
+}
--
cgit v1.2.3
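Review bot: The exec in `nodo::subsystem::grsec::paxctl` has no `unless`, `onlyif`, `creates` or `refreshonly`, so `/sbin/paxctl -${flags} ${file}` is re-run and reported as a change on every agent run; an `unless` that inspects the current flags with `/sbin/paxctl -v ${file}` would make the resource idempotent. `$flags` and `$file` come straight from hiera through create_resources in resources.pp and are interpolated into the command string unchecked, so constraining `$flags` to the letter set paxctl accepts with an anchored regex (stdlib's `validate_re`, if this module already depends on stdlib) and `$file` to an absolute path would keep a malformed or misplaced hiera entry from producing an unintended command line. `require => Package['paxtest']` looks like the wrong dependency: paxtest is the PaX test suite, and as far as I know the `/sbin/paxctl` binary is shipped by the separate `paxctl` package on Debian-family systems, so verify which package provides it and require that one. The define also has no `ensure` parameter, so a flag set removed from hiera is never reverted on the host.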