manifests/filesystem.pp
# Class: toughen::filesystem
#
# Parameters
# ----------
#
# * `tmp_device`
# The /dev path for the fstab /tmp entry
#
# * `tmp_options`
# The options to be provided to the /tmp mountpoint
#
# * `tmp_mode`
# The numerical mode to be set on /tmp
#
# * `var_device`
# The /dev path for the fstab /var entry
#
# * `var_log_device`
# The /dev path for the fstab /var/log entry
#
# * `var_log_audit_device`
# The /dev path for the fstab /var/log/audit entry
#
# * `ramdisk_present`
# Whether there's a ramdisk present at all
#
# * `ramdisk_options`
# The options to be provided to the /dev/shm mountpoint
#
# * `fstype`
# The filesystem in use on e.g. /var, /tmp, etc.
#
# * `usb_disabled`
# Whether to add 'nousb' to the kernel params.
#
# * `restrict_dmesg`
# Whether to restrict access to dmesg.
#
class toughen::filesystem (
$tmp_device = '/dev/mapper/rhel-tmp',
$tmp_options = 'nodev,nosuid,noexec',
$tmp_mode = '1777',
$var_device = '/dev/mapper/rhel-var',
$var_log_device = '/dev/mapper/rhel-var_log',
$var_log_audit_device = '/dev/mapper/rhel-var_log_audit',
$ramdisk_present = false,
$ramdisk_options = 'nodev,nosuid,noexec',
$fstype = 'ext4',
$usb_disabled = false,
$restrict_dmesg = true,
){
validate_re($tmp_options, '^[a-z,]+$')
validate_re($tmp_mode, '\d+')
validate_re($ramdisk_options, '^[a-z,]+$')
file {'/etc/fstab':
owner => root,
group => root,
mode => '0600',
}
mount {'/tmp':
ensure => present,
fstype => $fstype,
options => $tmp_options,
device => $tmp_device,
}
mount { '/var':
ensure => present,
fstype => $fstype,
device => $var_device,
options => 'nodev',
}
mount { '/var/log':
ensure => present,
fstype => $fstype,
device => $var_log_device,
options => 'nodev',
}
mount { '/var/log/audit':
ensure => present,
fstype => $fstype,
device => $var_log_audit_device,
options => 'nodev',
}
mount { '/home':
ensure => present,
fstype => $fstype,
options => 'nodev',
}
mount {'/var/tmp':
ensure => 'mounted',
device => '/tmp',
fstype => 'none',
options => 'rw,nodev,noexec,nosuid,bind',
}
if $ramdisk_present {
mount { '/dev/shm':
ensure => present,
options => $ramdisk_options,
}
}
file {'/tmp':
ensure => directory,
owner => root,
group => root,
mode => $tmp_mode,
}
if $usb_disabled {
kernel_parameter { 'nousb':
ensure => present,
}
}
if $restrict_dmesg {
sysctl { 'kernel.dmesg_restrict':
value => 1
}
}
}