Review and publish release 1.1.0. See changes at README
Marco Túlio R Braga committed Jan 25, 2016
1 parent 7d3819d commit 63228da
Showing 12 changed files with 271 additions and 126 deletions.
39 changes: 37 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,9 @@

1. [Overview](#1-overview)
2. [Profiles](#2-profiles)
* [Linux](#21-linux)
* [NMS - Network Management Systems](#22-nms)
* [Linux](#21-linux)
* [NMS - Network Management Systems](#22-nms)
* [Security](#23-security)
3. [Limitations](#3-limitations)
4. [Development](#4-development)
5. [Release Notes](#5-release-notes)
Expand Down Expand Up @@ -82,6 +83,35 @@ See [module description](https://forge.puppetlabs.com/mtulio/zabbix)
class { 'profiles::nms::zabbix_agent' : }
```

### 2.3 Security

#### 2.3.1 DNS Sec

##### Description

Profile to configure DNS server on a Linux System

##### Dependencies

Module ['DNSsec'](https://forge.puppetlabs.com/mtulio/dnssec)

##### Files

See [module description](https://forge.puppetlabs.com/mtulio/dnssec)

##### Usage

* Configure DNS server (BIND9) using DNSsec. Script will sign all zones under directory /var/named/chroot/var/named/master/zones/ with prefix 'db.'. Remember to keep keys on sub directory 'keys/':

```
include profiles
class {'profiles::security::dns':
server_type => 'master',
dnssec_enabled => 'yes',
}
```


## 3. Limitations

OS compatibility:
Expand All @@ -95,6 +125,11 @@ See project page at https://github.com/mtulio/puppet-mod-profiles

## 5. Release Notes

[1.1.0] <--
* Review code layout of Linux profile
* Create a class to manage users [add/remove]
* Add DNS profiles [security/dns]

[1.0.0]
* Add Profile Linux [base and sshd configuration]
* Add Profile Zabbix
Expand Down
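--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -18,4 +18,4 @@
 class profiles (
 $gb_pool = undef,
 $gb_repo_base = undef,
-) { }
+) inherits profiles::params { }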
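Review bot: `class profiles` now inherits `profiles::params` but its own parameters still default to `undef` (`$gb_pool = undef,`, `$gb_repo_base = undef,`), whereas `profiles::linux` and `profiles::nms::zabbix_agent` in this same commit take their defaults from `$profiles::params::...`; if params.pp declares these two values, the defaults here should presumably be `$gb_pool = $profiles::params::gb_pool,` and `$gb_repo_base = $profiles::params::gb_repo_base,` so the inheritance has an effect. The class body is empty and no class in this commit inherits `profiles` any more (linux.pp and zabbix_agent.pp switch to `profiles::params`), so the `inherits` may be a leftover and deserves a one-line comment saying why it is kept.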
163 changes: 103 additions & 60 deletions manifests/linux.pp
Original file line number Diff line number Diff line change
@@ -1,11 +1,34 @@
# == Class: profiles Linux
#
# == Class: profiles linux
#
class profiles::linux (
$security_level = 'basic',
$gb_repo_base = $gb_repo_base,
$gb_pool = $gb_pool,
) inherits profiles {
$security_level = 'basic',
$repo_base = undef,
$pool = udnef,

if $gb_repo_base == undef or $gb_pool == undef {
## Linux->NTP Options ##
$gb_ntp_server = $profiles::params::gb_ntp_server,

## Linux->RESOLV_CONF options ##
$gb_resconf_ns = $profiles::params::gb_resconf_ns,
$gb_resconf_opts = $profiles::params::gb_resconf_opts,

## Linux->TIMEZONE ##
$gb_timezone = $profiles::params::gb_timezone,

## Zabbix->Agent ##
$gb_zabbix_a_server = $gb_zabbix_a_server,

## SSH->sshd_config ##
$gb_sshd_usr_lc_en = $profiles::params::gb_sshd_usr_lc_en,
$gb_sshd_usr_name_ens = $profiles::params::gb_sshd_usr_name_ens,
$gb_sshd_usr_password = $profiles::params::gb_sshd_usr_password,
$gb_sshd_perm_root_lg = $profiles::params::gb_sshd_perm_root_lg,
$gb_sshd_allow_users = $profiles::params::gb_sshd_allow_users,
$gb_sshd_bannerpath = $profiles::params::gb_sshd_bannerpath,
) inherits profiles::params {

if $repo_base == undef or $pool == undef {
$default_config = 'yes'
}

Expand All @@ -14,61 +37,72 @@
class { '::profiles::linux::users': }

#######################
#> puppet linux module: mtulio/linux
##> Require: puppet module install mtulio-linux
#> Module required [mtulio-linux]: puppet module install mtulio-linux

###> Config linux->HOSTS
class { '::linux::base::hosts' : }
###> Config NTPDATE: linux->NTPDATE
class { '::linux::base::ntpdate' :
ntpserver => $gb_ntp_server,
}

###> Config linux->TIMEZONE
class { '::linux::base::timezone' :
timezone => $gb_timezone,
}

###> Config linux->MOTD
if $default_config == 'yes' {

###> Config linux->MOTD
class { '::linux::base::motd' : }
}
else {
class { '::linux::base::motd' :
template => "${gb_repo_base}/motd/pool_${gb_pool}/motd.erb",
}
}

###> Config linux->NTPDATE
class { '::linux::base::ntpdate' :
ntpserver => 'a.ntp.br',
}
###> Config linux->HOSTS
class { '::linux::base::hosts' : }

###> Config linux->RESOLV.CONF
if $default_config == 'yes' {
###> Config linux->RESOLV.CONF
class { '::linux::base::resolv_conf' :
nameservers => ['10.0.2.3','8.8.8.8','201.67.222.222'],
domainname => $::domain,
nameservers => $gb_resconf_ns,
options => $gb_resconf_opts,
}

###> Config linux->SUDOERS
class { '::linux::base::sudoers' : }

##> SSH->sshd_config
$sshd_banner = 'yes'
$sshd_banner_path = 'ssh/sshd_banner_example_pt-br'
}
else {
class { '::linux::base::resolv_conf' :
template => "${gb_repo_base}/resolv_conf/resolv.conf.erb",
}
}

###> Config linux->TIMEZONE
class { '::linux::base::timezone' :
timezone => 'America/Sao_Paulo',
}

###> Config linux->SUDOERS
if $default_config == 'yes' {
class { '::linux::base::sudoers' : }
###> Config linux->MOTD
class { '::linux::base::motd' :
template => "${repo_base}/motd/pool_default/motd.erb",
}

###> Config linux->HOSTS
class { '::linux::base::hosts' :
#template => "${repo_base}/hosts/hosts.erb",
}

} else {
###> Config linux->RESOLV.CONF
class { '::linux::base::resolv_conf' :
template => "${repo_base}/resolv_conf/resolv.conf.erb",
}

###> Config linux->SUDOERS
class { '::linux::base::sudoers' :
template => "${gb_repo_base}/sudoers/sudoers",
template => "${repo_base}/sudoers/sudoers",
}

##> SSH->sshd_config
$sshd_banner = 'yes'
$sshd_banner_path = "${repo_base}/ssh/sshd/mte_mensagem"
}


### linux_Security
case $security_level {
'basic': {
notice('Disable all security options')
#include profiles::linux::sec_basic
#> disable selinux
#> disable iptables

###> Config linux->SELINUX
Expand All @@ -78,8 +112,6 @@
}
'high' : {
notice('Enable all security options')
#include profiles::linux::sec_high
#> enable selinux
#> enable iptables
#> enable audit

Expand All @@ -97,24 +129,35 @@
}

#######################
#> Module: ssh
## Test 1
#class { '::ssh::sshd_config': }

## Test 2
#class { '::ssh::sshd_config':
# permitrootlogin => 'yes',
# allow_users => 'root prod',
#}
# SSHd_config class - Test 3: Ensure Local User, block root login

## Test 3
class { '::ssh::sshd_config':
user_local_enable => 'yes',
user_name_ensure => 'lmtulio',
user_password => '$6$GpTlgkVr$CHLWoyzd4fGD/c4eG2A5JnR8HvsrUF0sGnHrpumysSsJRW5laOfMrvuYX3qjlLriQXGQVHqLq8UIpOxe9Wz2C1', # admin@123
permitrootlogin => 'yes',
allow_users => 'root ltulio',
#> Module required [mtulio-ssh]:
## Class: SSH->sshd_config
if $sshd_banner == 'yes' {
file { $gb_sshd_bannerpath:
path => $gb_sshd_bannerpath,
source => "puppet:///modules/${sshd_banner_path}",
owner => 'root',
group => 'root',
mode => '0755',
}
class { '::ssh::sshd_config':
user_local_enable => $gb_sshd_usr_lc_en,
user_name_ensure => $gb_sshd_usr_name_ens,
user_password => $gb_sshd_usr_password,
permitrootlogin => $gb_sshd_perm_root_lg,
allow_groups => $gb_sshd_allow_groups,
bannerpath => $gb_sshd_bannerpath,
}
}
else {
class { '::ssh::sshd_config':
user_local_enable => $gb_sshd_usr_lc_en,
user_name_ensure => $gb_sshd_usr_name_ens,
user_password => $gb_sshd_usr_password,
permitrootlogin => $gb_sshd_perm_root_lg,
allow_groups => $gb_sshd_allow_groups,
}
}


}
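Review bot: `allow_groups => $gb_sshd_allow_groups` in both `::ssh::sshd_config` declarations (the two branches of `if $sshd_banner == 'yes'` at the end of the class) reads a variable the class never declares; the parameter list declares `$gb_sshd_allow_users` instead, so the allow list is passed as undef (or the catalog fails under strict_variables) and the SSH login restriction that parameter is meant to enforce is silently lost. Either rename the parameter to `$gb_sshd_allow_groups = $profiles::params::gb_sshd_allow_groups,` or pass `allow_users => $gb_sshd_allow_users,`, whichever the ssh module actually supports. In the first hunk, `$pool = udnef,` is a bareword string rather than `undef`, so `$pool == undef` in the `$default_config` guard is never true for the default and the `else` branch interpolates an undefined `${repo_base}` into the template paths; it should read `$pool = undef,`. The banner `file` resource installs a plain text file with `mode => '0755'`; `'0644'` is sufficient for something sshd only reads. The two ssh declarations duplicate the same five parameters and differ only in `bannerpath`, so a single declaration with a conditional `bannerpath` value would keep the copies from drifting.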

75 changes: 35 additions & 40 deletions manifests/linux/users.pp
Original file line number Diff line number Diff line change
@@ -1,65 +1,60 @@
# Class: users
#
# This module manages users
# == Class: profiles/linux/users
#
# This module manages users.
#
class profiles::linux::users {

# Default configuration
$default_gid = 'users'
$default_gid = 'infra'
$default_ensure = 'present'
$default_shell = '/bin/bash'
$default_mgm_home = true
$default_pw_mx_ag = '99999'
$default_pw_mi_ag = '0'

#################
# Create groups
group { [$default_gid,'whell','sysadmins']:
ensure => present,
}

################
# Create USERS

## FULL Admin [whell]
user { 'marco.braga':
ensure => $default_ensure,
comment => 'CGI INFRA - Marco Tulio',
name => 'mtulio',
home => '/home/marco.braga',
password => '$6$GpTlgkVr$CHLWoyzd4fGD/c4eG2A5JnR8HvsrUF0sGnHrpumysSsJRW5laOfMrvuYX3qjlLriQXGQVHqLq8UIpOxe9Wz2C1', # admin@123
groups => ['whell','sysadmin'],
gid => $default_gid,
shell => $default_shell,
managehome => $default_mgm_home,
password_max_age => $default_pw_mx_ag,
password_min_age => $default_pw_mi_ag,
user { 'root':
ensure => $default_ensure,
name => 'root',
password => '$6$HaT.I1xv1W09bLSS$d13qlT2Fhd27qNZefcSZUbj3uniH9aztxJSQuUKkCy3Jdj0xyOmoW4j/sOpmlfR/EbWC6fBiPGMNeu9nvSjX//',
}

user { 'admin02':
linux::base::user { 'marco.braga':
ensure => $default_ensure,
comment => 'Sysadmin 02',
name => 'sysadmin02',
home => '/home/sysadmin02',
password => '$6$GpTlgkVr$CHLWoyzd4fGD/c4eG2A5JnR8HvsrUF0sGnHrpumysSsJRW5laOfMrvuYX3qjlLriQXGQVHqLq8UIpOxe9Wz2C1', # admin@123
groups => ['whell','sysadmins'],
comment => 'Marco Tulio',
name => 'marco.braga',
home => '/home/marco.braga',
password => '$6$6rWfmL1I$ZEYGJ8PwiancJAl@QUEQtDWQaeuIpjqT/rbf6QiLdHEE0..TRyuWGYB2DfzuePQeJVpOLEonuRGpJDyB4tWkRB1',
groups => ['wheel','production'],
gid => $default_gid,
shell => $default_shell,
managehome => $default_mgm_home,
manage_home => $default_mgm_home,
password_max_age => $default_pw_mx_ag,
password_min_age => $default_pw_mi_ag,
}

user { 'user01':
ensure => $default_ensure,
comment => 'CGI INFRA - User 01',
name => 'user01',
home => '/home/user01',
password => '$6$GpTlgkVr$CHLWoyzd4fGD/c4eG2A5JnR8HvsrUF0sGnHrpumysSsJRW5laOfMrvuYX3qjlLriQXGQVHqLq8UIpOxe9Wz2C1', # admin@123
gid => $default_gid,
shell => $default_shell,
managehome => $default_mgm_home,
password_max_age => $default_pw_mx_ag,
password_min_age => $default_pw_mi_ag,
################
# Delete USERS
linux::base::user { [
'user1',
'user2'
]:
ensure => 'absent'
}


##################################
# Test
# linux::base::user { ['user1','user3']:
# ensure => 'present',
# gid => $default_gid,
# shell => $default_shell,
# manage_home => $default_mgm_home,
# password_max_age => $default_pw_mx_ag,
# password_min_age => $default_pw_mi_ag,
# }

}
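Review bot: The hash on the `password =>` line of `linux::base::user { 'marco.braga': ... }` contains an `@` (`...JAl@QUEQ...`), which is not in the crypt(3) SHA-512 alphabet (`./0-9A-Za-z`); the resource will apply, but no password can ever match it, so the account is effectively locked until the hash is corrected. Both this hash and the one set on `user { 'root': ... }` are committed in a plain manifest; the rest of this release already moves `$gb_sshd_usr_password` into `profiles::params`, so the same lookup (ideally Hiera/eyaml-backed) should be used here for consistency instead of literal hashes in code. The `group { [$default_gid,'whell','sysadmins']: ... }` resource is removed while `$default_gid` becomes `'infra'` and the new user lists `groups => ['wheel','production']`; unless `linux::base::user` creates those groups itself (not visible here), the run will fail on a host where they do not exist. The commented-out `# Test` block at the end of the class is dead code and should be dropped rather than shipped in a release.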
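--- a/manifests/nms/zabbix_agent.pp
+++ b/manifests/nms/zabbix_agent.pp
@@ -1,11 +1,13 @@
 # == Class: profiles Zabbix
-class profiles::nms::zabbix_agent inherits profiles {
+class profiles::nms::zabbix_agent (
+$gb_zabbix_a_server = $profiles::params::gb_zabbix_a_server,
+) inherits profiles::params {
 #> Module: zabbix
 class {'::zabbix::agent':
 opt_use_template => 'yes',
-server => 'zabbix.local',
+server => $gb_zabbix_a_server,
 listen_ip => $::ipaddress,
 listen_port => '10050',
-start_agents => '2',
+start_agents => '3',
 }
 }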
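Review bot: The header comment `# == Class: profiles Zabbix` is not updated for the new `$gb_zabbix_a_server` parameter, and the class has no doc block describing it. A short `=== Parameters` section stating that `gb_zabbix_a_server` is the Zabbix server address handed to `::zabbix::agent` and defaults to `$profiles::params::gb_zabbix_a_server` would make the lookup chain readable. There is also no guard for the params value being undef, in which case the agent is declared with `server => undef`; if the params default is empty (not visible here), a `fail()` on an undef value would surface the misconfiguration at compile time rather than at the agent.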