tom-krieger / cis_security_hardening

Define a complete security baseline and monitor the baseline's rules. The definition of the baseline should be done in Hiera. The purpose of the module is to give the ability to setup a complete security baseline which not necessarily have to stick to industry security guides like the CIS benchmarks.
Apache License 2.0
19 stars 13 forks source link

umask_setting.pp makes pam changes even if authselect::enforce is set to false #76

Closed landrypm closed 10 months ago

landrypm commented 10 months ago

While I am using cis_security_hardening for most tasks I do still rely on other puppet modules for other tasks. On my system I use a separate module to manage authselect configuration. I have

cis_security_hardening::rules::authselect::enforce: false

in my params file but umask_setting.pp still attempts to make changes to pam.d files.

I solved the issue by enclosing the

$services.each |$srv| {

loop in umask_setting.pp within a if clause:

$authselect_enforce = fact('cis_security_hardening.authselect.enforce')
if $authselect_enforce {
       $services.each |$srv| {
       ...
       }
}
tom-krieger commented 10 months ago

I include this in version v0.9.2 but in a slightlt different way.

landrypm commented 10 months ago

Thanks

-- Patrick Landry


From: Thomas Krieger @.> Sent: Sunday, January 28, 2024 2:35:28 PM To: tom-krieger/cis_security_hardening @.> Cc: Patrick M Landry @.>; Author @.> Subject: Re: [tom-krieger/cis_security_hardening] umask_setting.pp makes pam changes even if authselect::enforce is set to false (Issue #76)

CAUTION: This email originated from outside of UL Lafayette. Do not click links or open attachments unless you recognize the sender and know the content is safe.

I include this in version v0.9.2 but in a slightlt different way.

— Reply to this email directly, view it on GitHubhttps://github.com/tom-krieger/cis_security_hardening/issues/76#issuecomment-1913714559, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AHRT4WAZXEQUY36YXO2TFX3YQ2ZBBAVCNFSM6AAAAABCLDEPTWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJTG4YTINJVHE. You are receiving this because you authored the thread.Message ID: @.***>