path: root/manifests/subsystem/grsec.pp
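# Manage the grsecurity-related sysctl configuration of a node.
#
# Pulls in the grsec utility class and the grsec group, declares the
# kernel.grsecurity.* entries handled through nodo::subsystem::sysctl::entry,
# ships the module's own /etc/sysctl.d/grsec.conf and removes the older
# per-key sysctl.d files this class used to create.
#
# @param ensure State of /etc/sysctl.d/grsec.conf ('present' or 'absent').
#   The previous version of this class read $ensure without declaring it,
#   which resolves to undef unless a variable of that name happens to be
#   visible in an outer scope; an explicit parameter makes the intent clear
#   and keeps `include nodo::subsystem::grsec` working unchanged.
class nodo::subsystem::grsec (
  $ensure = 'present'
) {
  include nodo::utils::security::grsec
  include nodo::subsystem::grsec::group

  # grsec_lock=1 makes every other kernel.grsecurity.* sysctl read-only until
  # reboot, so this entry has to be applied after all of them. 'zz' is meant
  # to sort it last (assuming `order` becomes the sysctl.d filename prefix in
  # nodo::subsystem::sysctl::entry -- confirm against that define).
  nodo::subsystem::sysctl::entry { 'kernel.grsecurity.grsec_lock':
    order => 'zz',
    value => 1,
  }

  # Must sort before the lock entry above ('xx' < 'zz'): once the lock is set
  # this value can no longer be changed at runtime.
  nodo::subsystem::sysctl::entry { 'kernel.grsecurity.rwxmap_logging':
    order => 'xx',
    value => 0,
  }

  # We ship a custom grsec.conf that does not handle kernel.grsecurity.grsec_lock
  # so we can manage our own sysctl configs.
  # See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810920
  file { '/etc/sysctl.d/grsec.conf':
    ensure => $ensure,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/nodo/etc/sysctl.d/grsec.conf',
  }

  # Old per-key configs, presumably superseded by the sysctl::entry
  # declarations above; removed so they are not applied alongside them.
  file { [
    '/etc/sysctl.d/kernel.grsecurity.rwxmap_logging.conf',
    '/etc/sysctl.d/kernel.grsecurity.grsec_lock.conf'
  ]:
    ensure => absent,
  }
}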