dev-sec / puppet-os-hardening

This puppet module provides numerous security-related configurations, providing all-round base protection.
http://dev-sec.io/
Apache License 2.0

disabled_services should be stopped too #224

Closed igalic closed 4 years ago

igalic commented 4 years ago

Describe the bug

Disabling a service does not guarantee that the service will be stopped. In the case of systemd it even leads to inconsistencies that need to be addressed in the service provider, see: https://github.com/puppetlabs/puppet/blob/5.5.x/lib/puppet/provider/service/systemd.rb#L37-L48

# This helper ensures that the enable state cache is always reset
# after a systemctl enable operation. A particular service state is not guaranteed
# after such an operation, so the cache must be emptied to prevent inconsistencies
# in the provider's believed state of the service and the actual state.

Expected behavior

I would expect this module to stop disabled services.

Actual behavior

Services are left running until a reboot of the machine.

mcgege commented 4 years ago

fixed with #226
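
A check for the state this issue describes (a unit that is disabled yet still running), added here as an example; it is not code from the thread, the module or Puppet. It filters `systemctl show` output, and the function names and sample units are constructed for illustration.

```shell
#!/bin/sh
# Print units whose unit file is disabled or masked but which are still running.
# Input on stdin: `systemctl show` output, one Key=Value block per unit,
# blocks separated by blank lines. Property order inside a block is not assumed.
disabled_but_active() {
    awk -F= '
        function emit() {
            if (id != "" && (ufs == "disabled" || ufs == "masked") &&
                (act == "active" || act == "activating" || act == "reloading"))
                print id " " ufs " " act
            id = ""; ufs = ""; act = ""
        }
        /^[[:space:]]*$/      { emit(); next }   # blank line ends a unit block
        $1 == "Id"            { id  = $2 }
        $1 == "UnitFileState" { ufs = $2 }
        $1 == "ActiveState"   { act = $2 }
        END                   { emit() }         # last block has no trailing blank line
    '
}

# Live use: pass the unit names to audit (assumption: the same names that were
# given to the module as services to disable).
audit_units() {
    systemctl show --property=Id,UnitFileState,ActiveState "$@" | disabled_but_active
}

# Constructed sample of `systemctl show` output, so the filter can be run offline.
sample_show_output() {
    cat <<'EOF'
Id=rpcbind.service
ActiveState=active
UnitFileState=disabled

Id=sshd.service
ActiveState=active
UnitFileState=enabled

Id=autofs.service
ActiveState=inactive
UnitFileState=disabled

Id=cups.service
ActiveState=active
UnitFileState=masked
EOF
}
```

Any line printed by `audit_units` names a service that will keep running until it is stopped explicitly or the machine reboots.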