Make ressource-limits a template

[mirror/dsa-puppet.git] / modules / debian-org / manifests / init.pp

diff --git a/modules/debian-org/manifests/init.pp b/modules/debian-org/manifests/init.pp
index 6777085..19fbd60 100644 (file)
--- a/modules/debian-org/manifests/init.pp
+++ b/modules/debian-org/manifests/init.pp
@@ -1,3 +1,21 @@
+define sysctl($key, $value, $ensure=present) {
+    file { "/etc/sysctl.d/$name.conf":
+        ensure  => $ensure,
+        owner   => root,
+        group   => root,
+        mode    => 0644,
+        content => "$key = $value\n",
+        notify  => Exec["procps restart"],
+    }
+}
+
+define set_alternatives($linkto) {
+        exec { "/usr/sbin/update-alternatives --set $name $linkto":
+            unless => "/bin/sh -c '! [ -e $linkto ] || ! [ -e /etc/alternatives/$name ] || ([ -L /etc/alternatives/$name ] && [ /etc/alternatives/$name -ef $linkto ])'"
+        }
+}
+
+
 class debian-org {
    package { "userdir-ldap": ensure => installed;
              "zsh": ensure => installed;
@@ -87,6 +105,17 @@ class debian-org {
         default: {}
    }
 
+   # set mmap_min_addr to 4096 to mitigate
+   # Linux NULL-pointer dereference exploits
+   sysctl { "mmap_min_addr" :
+             key         => "vm.mmap_min_addr",
+             value       => 4096,
+   }
+
+   set_alternatives { "editor":
+           linkto => "/usr/bin/vim.basic",
+   }
+
    exec { "syslog-ng reload":
              path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
              refreshonly => true,
@@ -104,6 +133,10 @@ class debian-org {
              path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
              refreshonly => true,
    }
+   exec { "procps restart":
+             path        => "/etc/init.d:/usr/bin:/usr/sbin:/bin:/sbin",
+             refreshonly => true,
+   }
 }
 
 class debian-proliant inherits debian-org {