From 75dca322e378b62e16f76db777d3188689bd89b7 Mon Sep 17 00:00:00 2001
From: David Pearson
Date: Wed, 18 Dec 2024 14:10:21 +0000
Subject: [PATCH 1/3] adopt augeasproviders_sysctl module replace outdated fiddyspence-sysctl module remove permanent parameter which doesnt exist in augeasproviders_sysctl
---
 manifests/rules/dac_on_hardlinks.pp | 7 +++----
 manifests/rules/dac_on_symlinks.pp | 7 +++----
 manifests/rules/disable_core_dumps.pp | 7 +++----
 manifests/rules/disable_ip_forwarding.pp | 10 ++++------
 manifests/rules/disable_ipv6.pp | 10 ++++------
 manifests/rules/disable_packet_redirect.pp | 10 ++++------
 manifests/rules/dmesg_restrict.pp | 7 +++----
 manifests/rules/enable_aslr.pp | 5 ++---
 .../rules/enable_reverse_path_filtering.pp | 10 ++++------
 manifests/rules/enable_tcp_syn_cookies.pp | 5 ++---
 manifests/rules/icmp_redirects.pp | 20 ++++++++-----------
 .../rules/ignore_bogus_icmp_responses.pp | 5 ++---
 manifests/rules/ignore_icmp_broadcast.pp | 5 ++---
 manifests/rules/ipv6_router_advertisements.pp | 10 ++++------
 manifests/rules/kexec_load_disabled.pp | 7 +++----
 manifests/rules/kptr_restrict.pp | 7 +++----
 manifests/rules/log_suspicious_packets.pp | 10 ++++------
 manifests/rules/net_bpf_jit_harden.pp | 7 +++----
 manifests/rules/perf_event_paranoid.pp | 7 +++----
 manifests/rules/ptrace_scope.pp | 7 +++----
 manifests/rules/restrict_core_dumps.pp | 5 ++---
 manifests/rules/secure_icmp_redirects.pp | 10 ++++------
 manifests/rules/source_routed_packets.pp | 20 ++++++++-----------
 manifests/rules/unprivileged_bpf_disabled.pp | 7 +++----
 manifests/rules/user_namespaces.pp | 7 +++----
 metadata.json | 4 ++--
 26 files changed, 89 insertions(+), 127 deletions(-)
diff --git a/manifests/rules/dac_on_hardlinks.pp b/manifests/rules/dac_on_hardlinks.pp
index 265db675..baa6dee5 100644
--- a/manifests/rules/dac_on_hardlinks.pp
+++ b/manifests/rules/dac_on_hardlinks.pp
@@ -40,10 +40,9 @@
 if $enforce {
 sysctl { 'fs.protected_hardlinks':
- ensure => present,
- permanent => 'yes',
- value => 1,
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => 1,
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
diff --git a/manifests/rules/dac_on_symlinks.pp b/manifests/rules/dac_on_symlinks.pp
index 1071c341..aca1b2a6 100644
--- a/manifests/rules/dac_on_symlinks.pp
+++ b/manifests/rules/dac_on_symlinks.pp
@@ -43,10 +43,9 @@
 if $enforce {
 sysctl { 'fs.protected_symlinks':
- ensure => present,
- permanent => 'yes',
- value => 1,
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => 1,
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
diff --git a/manifests/rules/disable_core_dumps.pp b/manifests/rules/disable_core_dumps.pp
index 678e273a..efe971d3 100644
--- a/manifests/rules/disable_core_dumps.pp
+++ b/manifests/rules/disable_core_dumps.pp
@@ -23,10 +23,9 @@
 if $enforce {
 sysctl { 'kernel.core_pattern':
- ensure => present,
- permanent => 'yes',
- value => '|/bin/false',
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => '|/bin/false',
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
diff --git a/manifests/rules/disable_ip_forwarding.pp b/manifests/rules/disable_ip_forwarding.pp
index 8e14abe1..0bd1a068 100644
--- a/manifests/rules/disable_ip_forwarding.pp
+++ b/manifests/rules/disable_ip_forwarding.pp
@@ -22,16 +22,14 @@
 if $enforce {
 sysctl { 'net.ipv4.ip_forward':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 if fact('network6') {
 sysctl { 'net.ipv6.conf.all.forwarding':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 }
 }
diff --git a/manifests/rules/disable_ipv6.pp b/manifests/rules/disable_ipv6.pp
index ed2f389b..644fac9f 100644
--- a/manifests/rules/disable_ipv6.pp
+++ b/manifests/rules/disable_ipv6.pp
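Review bot: The rewritten `sysctl { 'fs.protected_hardlinks': ... }` resource (and the same edit in every other .pp hunk of this patch) drops `permanent => 'yes'` without recording where the setting is now persisted; with augeasproviders_sysctl that is governed by its `persist` and `target` parameters, whose defaults as far as I recall write the key into /etc/sysctl.conf rather than a per-key drop-in, so a comment such as `# persisted to the provider's default target and applied live by default (augeasproviders_sysctl)` above the resource would make the new contract explicit — confirm against the pinned module version. Hosts already managed by the previous module presumably still carry its drop-in files (under /etc/sysctl.d, if that is where it wrote them), and nothing in this series removes them, so the same key ends up declared in two places and which value wins after a reboot depends on the loader's precedence rules; a cleanup resource, or at least a sentence in the commit message, would close that gap. The `notify => Exec['reload-sysctl-system']` kept here but absent in the disable_ip_forwarding, disable_ipv6 and similar hunks is a pre-existing inconsistency, and since the new provider applies the value live by default it is worth settling on one form across the rules. The enclosing class begins outside the hunk.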
@@ -25,14 +25,12 @@
 if fact('network6') != undef {
 sysctl { 'net.ipv6.conf.all.disable_ipv6':
- ensure => present,
- permanent => 'yes',
- value => 1,
+ ensure => present,
+ value => 1,
 }
 sysctl { 'net.ipv6.conf.default.disable_ipv6':
- ensure => present,
- permanent => 'yes',
- value => 1,
+ ensure => present,
+ value => 1,
 }
 }
 }
diff --git a/manifests/rules/disable_packet_redirect.pp b/manifests/rules/disable_packet_redirect.pp
index f06ec9cf..2ba02d84 100644
--- a/manifests/rules/disable_packet_redirect.pp
+++ b/manifests/rules/disable_packet_redirect.pp
@@ -24,15 +24,13 @@
 if $enforce {
 sysctl { 'net.ipv4.conf.all.send_redirects':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 sysctl { 'net.ipv4.conf.default.send_redirects':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 }
 }
diff --git a/manifests/rules/dmesg_restrict.pp b/manifests/rules/dmesg_restrict.pp
index b0055ef6..6cde8275 100644
--- a/manifests/rules/dmesg_restrict.pp
+++ b/manifests/rules/dmesg_restrict.pp
@@ -35,10 +35,9 @@
 if $enforce {
 sysctl { 'kernel.dmesg_restrict':
- ensure => present,
- permanent => 'yes',
- value => 1,
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => 1,
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
diff --git a/manifests/rules/enable_aslr.pp b/manifests/rules/enable_aslr.pp
index fd67a6b1..7d07d2ea 100644
--- a/manifests/rules/enable_aslr.pp
+++ b/manifests/rules/enable_aslr.pp
@@ -22,9 +22,8 @@
 ) {
 if $enforce {
 sysctl { 'kernel.randomize_va_space':
- ensure => present,
- permanent => 'yes',
- value => 2,
+ ensure => present,
+ value => 2,
 }
 }
 }
diff --git a/manifests/rules/enable_reverse_path_filtering.pp b/manifests/rules/enable_reverse_path_filtering.pp
index dcfff0ae..1dc2f7b6 100644
--- a/manifests/rules/enable_reverse_path_filtering.pp
+++ b/manifests/rules/enable_reverse_path_filtering.pp
@@ -29,15 +29,13 @@
 if $enforce {
 sysctl { 'net.ipv4.conf.all.rp_filter':
- ensure => present,
- permanent => 'yes',
- value => 1,
+ ensure => present,
+ value => 1,
 }
 sysctl { 'net.ipv4.conf.default.rp_filter':
- ensure => present,
- permanent => 'yes',
- value => 1,
+ ensure => present,
+ value => 1,
 }
 }
 }
diff --git a/manifests/rules/enable_tcp_syn_cookies.pp b/manifests/rules/enable_tcp_syn_cookies.pp
index c63a6ff7..151d2940 100644
--- a/manifests/rules/enable_tcp_syn_cookies.pp
+++ b/manifests/rules/enable_tcp_syn_cookies.pp
@@ -31,9 +31,8 @@
 if $enforce {
 sysctl { 'net.ipv4.tcp_syncookies':
- ensure => present,
- permanent => 'yes',
- value => 1,
+ ensure => present,
+ value => 1,
 }
 }
 }
diff --git a/manifests/rules/icmp_redirects.pp b/manifests/rules/icmp_redirects.pp
index 0bc3b801..8f9bff49 100644
--- a/manifests/rules/icmp_redirects.pp
+++ b/manifests/rules/icmp_redirects.pp
@@ -26,29 +26,25 @@
 if $enforce {
 sysctl { 'net.ipv4.conf.all.accept_redirects':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 sysctl { 'net.ipv4.conf.default.accept_redirects':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 if fact('network6') != undef {
 sysctl { 'net.ipv6.conf.all.accept_redirects':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 sysctl { 'net.ipv6.conf.default.accept_redirects':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 }
 }
diff --git a/manifests/rules/ignore_bogus_icmp_responses.pp b/manifests/rules/ignore_bogus_icmp_responses.pp
index 7608e354..b3d80fc2 100644
--- a/manifests/rules/ignore_bogus_icmp_responses.pp
+++ b/manifests/rules/ignore_bogus_icmp_responses.pp
@@ -24,9 +24,8 @@
 if $enforce {
 sysctl { 'net.ipv4.icmp_ignore_bogus_error_responses':
- ensure => present,
- permanent => 'yes',
- value => 1,
+ ensure => present,
+ value => 1,
 }
 }
 }
diff --git a/manifests/rules/ignore_icmp_broadcast.pp b/manifests/rules/ignore_icmp_broadcast.pp
index 067edc7d..7967bca8 100644
--- a/manifests/rules/ignore_icmp_broadcast.pp
+++ b/manifests/rules/ignore_icmp_broadcast.pp
@@ -27,9 +27,8 @@
 if $enforce {
 sysctl { 'net.ipv4.icmp_echo_ignore_broadcasts':
- ensure => present,
- permanent => 'yes',
- value => 1,
+ ensure => present,
+ value => 1,
 }
 }
 }
diff --git a/manifests/rules/ipv6_router_advertisements.pp b/manifests/rules/ipv6_router_advertisements.pp
index 9551a00d..afb839fe 100644
--- a/manifests/rules/ipv6_router_advertisements.pp
+++ b/manifests/rules/ipv6_router_advertisements.pp
@@ -23,15 +23,13 @@
 if $enforce and fact('network6') != undef {
 sysctl { 'net.ipv6.conf.all.accept_ra':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 sysctl { 'net.ipv6.conf.default.accept_ra':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 }
 }
diff --git a/manifests/rules/kexec_load_disabled.pp b/manifests/rules/kexec_load_disabled.pp
index f7c6a2d1..bc376cc9 100644
--- a/manifests/rules/kexec_load_disabled.pp
+++ b/manifests/rules/kexec_load_disabled.pp
@@ -27,10 +27,9 @@
 if $enforce {
 sysctl { 'kernel.kexec_load_disabled':
- ensure => present,
- permanent => 'yes',
- value => 1,
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => 1,
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
diff --git a/manifests/rules/kptr_restrict.pp b/manifests/rules/kptr_restrict.pp
index ce37f70c..880ad90f 100644
--- a/manifests/rules/kptr_restrict.pp
+++ b/manifests/rules/kptr_restrict.pp
@@ -22,10 +22,9 @@
 if $enforce {
 sysctl { 'kernel.kptr_restrict':
- ensure => present,
- permanent => 'yes',
- value => '1',
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => '1',
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
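Review bot: `value => '1',` in the kernel.kptr_restrict hunk (and likewise in the kernel.yama.ptrace_scope and kernel.unprivileged_bpf_disabled hunks) quotes the number, while every other rule rewritten in this patch passes a bare integer such as `value => 1,`; since all of these lines are being touched anyway, this is the moment to settle on one form. Both spellings presumably end up as the same `key = 1` line in the target file, but how the new provider stringifies and compares them should be confirmed rather than assumed, because a mismatch would show up as a resource that changes on every run. This is a style point only, not a behavioural defect visible in the hunk.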
diff --git a/manifests/rules/log_suspicious_packets.pp b/manifests/rules/log_suspicious_packets.pp
index 1a5bc3da..282a3508 100644
--- a/manifests/rules/log_suspicious_packets.pp
+++ b/manifests/rules/log_suspicious_packets.pp
@@ -22,15 +22,13 @@
 if $enforce {
 sysctl { 'net.ipv4.conf.all.log_martians':
- ensure => present,
- permanent => 'yes',
- value => 1,
+ ensure => present,
+ value => 1,
 }
 sysctl { 'net.ipv4.conf.default.log_martians':
- ensure => present,
- permanent => 'yes',
- value => 1,
+ ensure => present,
+ value => 1,
 }
 }
 }
diff --git a/manifests/rules/net_bpf_jit_harden.pp b/manifests/rules/net_bpf_jit_harden.pp
index d8178d62..a2136056 100644
--- a/manifests/rules/net_bpf_jit_harden.pp
+++ b/manifests/rules/net_bpf_jit_harden.pp
@@ -26,10 +26,9 @@
 if $enforce {
 sysctl { 'net.core.bpf_jit_harden':
- ensure => present,
- permanent => 'yes',
- value => 2,
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => 2,
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
diff --git a/manifests/rules/perf_event_paranoid.pp b/manifests/rules/perf_event_paranoid.pp
index 99fb0f0b..84d7d7c0 100644
--- a/manifests/rules/perf_event_paranoid.pp
+++ b/manifests/rules/perf_event_paranoid.pp
@@ -35,10 +35,9 @@
 if $enforce {
 sysctl { 'kernel.perf_event_paranoid':
- ensure => present,
- permanent => 'yes',
- value => 2,
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => 2,
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
diff --git a/manifests/rules/ptrace_scope.pp b/manifests/rules/ptrace_scope.pp
index 46c50b94..319fedc1 100644
--- a/manifests/rules/ptrace_scope.pp
+++ b/manifests/rules/ptrace_scope.pp
@@ -23,10 +23,9 @@
 if $enforce {
 sysctl { 'kernel.yama.ptrace_scope':
- ensure => present,
- permanent => 'yes',
- value => '1',
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => '1',
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
diff --git a/manifests/rules/restrict_core_dumps.pp b/manifests/rules/restrict_core_dumps.pp
index 759bb9d7..b30b60dc 100644
--- a/manifests/rules/restrict_core_dumps.pp
+++ b/manifests/rules/restrict_core_dumps.pp
@@ -34,9 +34,8 @@
 }
 sysctl { 'fs.suid_dumpable':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 $installed = fact('cis_security_hardening.systemd-coredump') ? {
diff --git a/manifests/rules/secure_icmp_redirects.pp b/manifests/rules/secure_icmp_redirects.pp
index 8a9a59e7..1d4cba45 100644
--- a/manifests/rules/secure_icmp_redirects.pp
+++ b/manifests/rules/secure_icmp_redirects.pp
@@ -25,15 +25,13 @@
 if $enforce {
 sysctl { 'net.ipv4.conf.all.secure_redirects':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 sysctl { 'net.ipv4.conf.default.secure_redirects':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 }
 }
diff --git a/manifests/rules/source_routed_packets.pp b/manifests/rules/source_routed_packets.pp
index 91e5ebc0..426fc9b8 100644
--- a/manifests/rules/source_routed_packets.pp
+++ b/manifests/rules/source_routed_packets.pp
@@ -32,29 +32,25 @@
 if $enforce {
 sysctl { 'net.ipv4.conf.all.accept_source_route':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 sysctl { 'net.ipv4.conf.default.accept_source_route':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 if fact('network6') != undef {
 sysctl { 'net.ipv6.conf.all.accept_source_route':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 sysctl { 'net.ipv6.conf.default.accept_source_route':
- ensure => present,
- permanent => 'yes',
- value => 0,
+ ensure => present,
+ value => 0,
 }
 }
 }
diff --git a/manifests/rules/unprivileged_bpf_disabled.pp b/manifests/rules/unprivileged_bpf_disabled.pp
index 308866d4..e244dec1 100644
--- a/manifests/rules/unprivileged_bpf_disabled.pp
+++ b/manifests/rules/unprivileged_bpf_disabled.pp
@@ -23,10 +23,9 @@
 if $enforce {
 sysctl { 'kernel.unprivileged_bpf_disabled':
- ensure => present,
- permanent => 'yes',
- value => '1',
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => '1',
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
diff --git a/manifests/rules/user_namespaces.pp b/manifests/rules/user_namespaces.pp
index bcc4accd..e67fe0c8 100644
--- a/manifests/rules/user_namespaces.pp
+++ b/manifests/rules/user_namespaces.pp
@@ -27,10 +27,9 @@
 if $enforce {
 sysctl { 'user.max_user_namespaces':
- ensure => present,
- permanent => 'yes',
- value => 0,
- notify => Exec['reload-sysctl-system'],
+ ensure => present,
+ value => 0,
+ notify => Exec['reload-sysctl-system'],
 }
 }
 }
diff --git a/metadata.json b/metadata.json
index 81d9506c..c59394fd 100644
--- a/metadata.json
+++ b/metadata.json
@@ -25,8 +25,8 @@
 "version_requirement": ">= 0.1.7 < 1.0.0"
 },
 {
- "name": "fiddyspence-sysctl",
- "version_requirement": ">= 1.1.0 < 2.0.0"
+ "name": "augeasproviders_sysctl",
+ "version_requirement": ">= 3.3.0 < 4.0.0"
 },
 {
 "name": "puppet-augeasproviders_pam",
From 9bf25d3628eca9e3b3476683eed60dd9910e1905 Mon Sep 17 00:00:00 2001
From: David Pearson
Date: Wed, 18 Dec 2024 16:25:16 +0000
Subject: [PATCH 2/3] adopt augeasproviders_sysctl module replace outdated fiddyspence-sysctl module remove permanent parameter which doesnt exist in augeasproviders_sysctl
---
 metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metadata.json b/metadata.json
index c59394fd..d51670c2 100644
--- a/metadata.json
+++ b/metadata.json
@@ -25,7 +25,7 @@
 "version_requirement": ">= 0.1.7 < 1.0.0"
 },
 {
- "name": "augeasproviders_sysctl",
+ "name": "puppet_augeasproviders_sysctl",
 "version_requirement": ">= 3.3.0 < 4.0.0"
 },
 {
From 59169ccbde3359e29f574b0397c7d15de93a6348 Mon Sep 17 00:00:00 2001
From: David Pearson
Date: Wed, 18 Dec 2024 16:28:22 +0000
Subject: [PATCH 3/3] adopt augeasproviders_sysctl module replace outdated fiddyspence-sysctl module remove permanent parameter which doesnt exist in augeasproviders_sysctl
---
 metadata.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metadata.json b/metadata.json
index d51670c2..71b228b2 100644
--- a/metadata.json
+++ b/metadata.json
@@ -25,7 +25,7 @@
 "version_requirement": ">= 0.1.7 < 1.0.0"
 },
 {
- "name": "puppet_augeasproviders_sysctl",
+ "name": "puppet-augeasproviders_sysctl",
 "version_requirement": ">= 3.3.0 < 4.0.0"
 },
 {