--- /dev/null
+# This class defines the procps service which is notified by base::sysctl
+class base::procps {
+ service { 'procps':
+ hasstatus => false,
+ status => '/bin/true',
+ }
+}
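Review bot: The resource's intent is not documented beyond "notified by base::sysctl": with `status => '/bin/true'` Puppet always sees the service as running, so the resource is a refresh-only target and never checks that sysctl settings are applied at boot (no `ensure`/`enable` is managed). A comment making that explicit would stop a later maintainer from adding `ensure => running`, e.g. `# Refresh-only target: status is forced true so Puppet never starts/stops it, a notify just re-runs the sysctl load.` Whether drop-ins written to /etc/sysctl.d survive a reboot then depends on the packaging defaults for procps (or on systemd applying sysctl.d itself), which this class does not enforce; if that matters, `enable => true` is the one-line addition, but that is a behaviour change to weigh separately.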
--- /dev/null
+define base::sysctl ($key='', $value='', $target='Linux', $ensure = present) {
+ include base::procps
+
+ case $ensure {
+ present: { if ($key == "" or $value == "") { fail ( "Need to provide key and value" )} }
+ absent: {}
+ default: { fail ( "Unknown ensure value: '$ensure'" ) }
+ }
+
+ if $::kernel == $target {
+ file {
+ "/etc/sysctl.d/${name}.conf":
+ ensure => $ensure,
+ owner => root,
+ group => root,
+ mode => '0644',
+ content => "${key} = ${value}\n",
+ notify => Service['procps']
+ }
+ }
+}
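Review bot: `$name`, `$key` and `$value` are interpolated into the path `/etc/sysctl.d/${name}.conf` and into the file body without any validation, so a resource title containing `/` or `..` writes outside sysctl.d and a key or value containing a newline smuggles an extra setting into the same file; a guard before the `file` resource such as `if $name !~ /^[A-Za-z0-9_.-]+$/ { fail("invalid sysctl resource name '${name}'") }` (with the same pattern applied to `$key` inside the `present:` branch) closes both. The `ensure => absent` path deserves a comment: it deletes the drop-in and refreshes procps, but the refresh only re-applies files that still exist, so the previous value stays in the running kernel until reboot — e.g. `# absent removes the drop-in only; the running kernel keeps the old value until reboot` above `absent: {}` (the mmap_min_addr caller in this commit appears to rely on absent as a revert). The generated file name has no numeric prefix, so its position among other `/etc/sysctl.d/*.conf` drop-ins, where later files in lexical order win, depends entirely on the title callers choose; a one-line header comment on the define stating that would help.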
# set mmap_min_addr to 4096 to mitigate
# Linux NULL-pointer dereference exploits
- site::sysctl { 'mmap_min_addr':
+ base::sysctl { 'mmap_min_addr':
ensure => absent
}
- site::sysctl { 'perf_event_paranoid':
+ base::sysctl { 'perf_event_paranoid':
key => 'kernel.perf_event_paranoid',
value => '2',
}
- site::sysctl { 'puppet-vfs_cache_pressure':
+ base::sysctl { 'puppet-vfs_cache_pressure':
key => 'vm.vfs_cache_pressure',
value => '10',
}
# https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
- site::sysctl { 'unprivileged_bpf_disabled':
+ base::sysctl { 'unprivileged_bpf_disabled':
key => 'kernel.unprivileged_bpf_disabled',
value => '1',
}
class debian_org::radvd {
- site::sysctl { 'dsa-accept-ra-default':
+ base::sysctl { 'dsa-accept-ra-default':
key => 'net.ipv6.conf.default.accept_ra',
value => 0,
}
- site::sysctl { 'dsa-accept-ra-all':
+ base::sysctl { 'dsa-accept-ra-all':
key => 'net.ipv6.conf.all.accept_ra',
value => 0,
}
# so filtering needs to happen here.
if $::hostname in [grnet-node01,grnet-node02] {
- site::sysctl { 'puppet-vm_dirty_bytes':
+ base::sysctl { 'puppet-vm_dirty_bytes':
key => 'vm.dirty_bytes',
value => '1073741824',
}
- site::sysctl { 'puppet-vm_dirty_background_bytes':
+ base::sysctl { 'puppet-vm_dirty_background_bytes':
key => 'vm.dirty_background_bytes',
value => '268435456',
}
$nodeinfo = nodeinfo($::fqdn)
$allnodeinfo = allnodeinfo('sshRSAHostKey ipHostNumber', 'purpose mXRecord physicalHost purpose')
$roles = hiera('roles')
-
- service { 'procps':
- hasstatus => false,
- status => '/bin/true',
- }
-
}
+++ /dev/null
-define site::sysctl ($key='', $value='', $target='Linux', $ensure = present) {
- include site
- case $ensure {
- present: { if ($key == "" or $value == "") { fail ( "Need to provide key and value" )} }
- absent: {}
- default: { fail ( "Unknown ensure value: '$ensure'" ) }
- }
-
- if $::kernel == $target {
- file {
- "/etc/sysctl.d/${name}.conf":
- ensure => $ensure,
- owner => root,
- group => root,
- mode => '0644',
- content => "${key} = ${value}\n",
- notify => Service['procps']
- }
- }
-}