Adds nodo::subsystem::grsec
authorSilvio Rhatto <rhatto@riseup.net>
Thu, 29 Dec 2016 13:04:38 +0000 (11:04 -0200)
committerSilvio Rhatto <rhatto@riseup.net>
Thu, 29 Dec 2016 13:04:38 +0000 (11:04 -0200)
manifests/subsystem/grsec.pp [new file with mode: 0644]
manifests/utils/security/grsec.pp [new file with mode: 0644]

diff --git a/manifests/subsystem/grsec.pp b/manifests/subsystem/grsec.pp
new file mode 100644 (file)
index 0000000..185454f
--- /dev/null
@@ -0,0 +1,11 @@
+class nodo::subsystem::grsec {
+  include nodo::utils::security::grsec
+
+  nodo::subsystem::sysctl::entry { 'kernel.grsecurity.rwxmap_logging':
+    value => 0,
+  }
+
+  nodo::subsystem::sysctl::entry { 'kernel.grsecurity.grsec_lock':
+    value => 1,
+  }
+}
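Review bot: Nothing in this class guarantees that `kernel.grsecurity.grsec_lock` is applied last, and once it is set to 1 the other grsecurity sysctls cannot be changed until the next reboot. Whether the two `nodo::subsystem::sysctl::entry` resources are applied in manifest order depends on that define and on the Puppet ordering setting, neither of which is visible in this diff, so I would make the order explicit on the lock entry with `require => Nodo::Subsystem::Sysctl::Entry['kernel.grsecurity.rwxmap_logging'],`. A comment such as `# Must stay the last grsecurity sysctl: locks all kernel.grsecurity.* values until reboot` would help the next person who adds an entry, as would a short comment on why `rwxmap_logging` is set to 0, since that appears to turn off the log record of denied RWX mappings. The `kernel.grsecurity.*` keys presumably exist only while the grsec kernel is the running one, so the first run after the package install may fail until the host is rebooted.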
diff --git a/manifests/utils/security/grsec.pp b/manifests/utils/security/grsec.pp
new file mode 100644 (file)
index 0000000..c978088
--- /dev/null
@@ -0,0 +1,13 @@
+class nodo::utils::security::grsec {
+  package { [
+    # The package with the specific image version might not be used
+    # but right now apt is complaining of unmet dependencies when
+    # trying to install only the metapackage maybe because both are
+    # on jessie-backports. This might chance in the near future.
+    'linux-image-4.7.0-1-grsec-amd64',
+    'linux-image-grsec-amd64',
+    'paxtest',
+  ]:
+    ensure => present,
+  }
+}
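Review bot: The hard-coded `'linux-image-4.7.0-1-grsec-amd64'` with `ensure => present` keeps that exact image on the node but will not follow a new ABI package name, so kernel security updates would depend on the metapackage alone and the pinned name can go stale or disappear from the archive. I would move the version into a class parameter, for example `class nodo::utils::security::grsec($image = 'linux-image-4.7.0-1-grsec-amd64') {`, so it can be bumped or dropped per node without editing the manifest. The comment says both packages come from jessie-backports, but this class does not declare or require that apt source, so the install presumably fails on a node where backports is not already configured. The comment also has a typo: "might chance" should read "might change".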