Drop security-cdn.d.o on stretch
[mirror/dsa-puppet.git] / modules / debian_org / manifests / init.pp
index 25dd35e..09d3ac7 100644 (file)
@@ -178,7 +178,20 @@ class debian_org {
                notify => Exec['systemctl daemon-reload'],
        }
 
-       file { '/etc/cron.d/dsa-puppet-stuff':
+       concat { '/etc/cron.d/dsa-puppet-stuff': }
+       concat::fragment { 'dsa-puppet-stuff---header':
+               target => '/etc/cron.d/dsa-puppet-stuff',
+               order  => '000',
+               content  => @(EOF)
+                       ## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+                       SHELL=/bin/bash
+                       MAILTO=root
+                       PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/nagios/plugins
+                       | EOF
+       }
+       concat::fragment { 'dsa-puppet-stuff---all':
+               target => '/etc/cron.d/dsa-puppet-stuff',
+               order  => '010',
                content => template('debian_org/dsa-puppet-stuff.cron.erb'),
                require => Package['debian.org'],
        }
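Review bot: The new `concat { '/etc/cron.d/dsa-puppet-stuff': }` on L9 declares no `owner`, `group` or `mode`, so the permissions of a file that cron executes as root now rest on concat's defaults rather than being stated in the manifest; I would pin them, `concat { '/etc/cron.d/dsa-puppet-stuff': owner => 'root', group => 'root', mode => '0644', }`, since cron silently skips cron.d entries it considers insecurely owned or writable. The header fragment now supplies SHELL, MAILTO and PATH, so if `dsa-puppet-stuff.cron.erb` still emits its own copies of those lines the assembled file will carry them twice, which is harmless for cron but worth checking in the template (not visible here). `content  =>` on L13 has a doubled space that the surrounding resources do not use. The enclosing class `debian_org` starts and ends outside this hunk.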
@@ -223,6 +236,14 @@ class debian_org {
                mode   => '0444',
                source => 'puppet:///modules/debian_org/etc.zsh/zprofile',
        }
+       file { '/etc/environment':
+               content => "",
+               mode => '0440',
+       }
+       file { '/etc/default/locale':
+               content => "",
+               mode => '0444',
+       }
 
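Review bot: The two new resources on L30-L37 do the same thing (pin a system file to empty content) but with different modes, `0440` for `/etc/environment` and `0444` for `/etc/default/locale`, and neither says why; with no `owner`/`group` declared, `0440` leaves `/etc/environment` readable only by its default owner, which may matter if anything other than a root-run PAM stack reads it (I cannot tell from this hunk). Either align the modes or add a comment stating the reason for the difference, and add one line above the pair such as `# intentionally empty and puppet-managed so local edits are reverted` so the `content => ""` is not mistaken for a placeholder. The enclosing class continues outside the hunk.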
        # set mmap_min_addr to 4096 to mitigate
        # Linux NULL-pointer dereference exploits
@@ -321,4 +342,18 @@ class debian_org {
                        package { 'irqbalance': ensure => installed }
                }
        }
+
+
+       # https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
+       site::sysctl { 'unprivileged_bpf_disabled':
+               key   => 'kernel.unprivileged_bpf_disabled',
+               value => '1',
+       }
+
+       # Disable kpartx udev rules
+       file { '/etc/udev/rules.d/60-kpartx.rules':
+               ensure => $has_lib_udev_rules_d_60_kpartx_rules ? { true  => 'present', default => 'absent' },
+               content => "",
+               mode => '0444',
+       }
 }