aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/profile/base/securetty.pp46
-rw-r--r--releasenotes/notes/securetty-6a10eefd601e45ca.yaml6
-rw-r--r--spec/classes/tripleo_profile_base_securetty_spec.rb72
-rw-r--r--templates/securetty/securetty.erb4
4 files changed, 128 insertions, 0 deletions
diff --git a/manifests/profile/base/securetty.pp b/manifests/profile/base/securetty.pp
new file mode 100644
index 0000000..a04c559
--- /dev/null
+++ b/manifests/profile/base/securetty.pp
@@ -0,0 +1,46 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::securetty
+#
+# Sets securetty Parameters
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*tty_list*]
+# Hash of values for /etc/securetty console
+# Defaults to hiera('securetty::tty_list')
+#
+class tripleo::profile::base::securetty (
+ $step = hiera('step'),
+ $tty_list = hiera('tty_list)', []),
+) {
+ if $step >=1 {
+ $ttys = join( $tty_list, "\n")
+
+ file { '/etc/securetty':
+ ensure => file,
+ content => template( 'tripleo/securetty/securetty.erb' ),
+ owner => 'root',
+ group => 'root',
+ mode => '0600'
+ }
+ }
+}
diff --git a/releasenotes/notes/securetty-6a10eefd601e45ca.yaml b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml
new file mode 100644
index 0000000..e5cfcf5
--- /dev/null
+++ b/releasenotes/notes/securetty-6a10eefd601e45ca.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Allows granular level of control over the `/etc/securetty` file.
+ By allowing operators to specify the values in securetty, they
+ can improve security by limiting root console access.
diff --git a/spec/classes/tripleo_profile_base_securetty_spec.rb b/spec/classes/tripleo_profile_base_securetty_spec.rb
new file mode 100644
index 0000000..c57d8be
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_securetty_spec.rb
@@ -0,0 +1,72 @@
+# Copyright 2017 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo::profile::base::securetty
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::securetty' do
+
+ shared_examples_for 'tripleo::profile::base::securetty' do
+
+ context 'with defaults step 1' do
+ let(:params) {{ :step => 1 }}
+ it { is_expected.to contain_class('tripleo::profile::base::securetty') }
+ it {
+ is_expected.to contain_file('/etc/securetty').with(
+ :content => ["# Managed by Puppet / TripleO Heat Templates",
+ "# A list of TTYs, from which root can log in",
+ "# see `man securetty` for reference",
+ "",
+ ""].join("\n"),
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600')
+ }
+ end
+
+ context 'it should configure securtty' do
+ let(:params) {{
+ :step => 1,
+ :tty_list => ['console', 'tty1', 'tty2', 'tty3', 'tty4', 'tty5', 'tty6']
+ }}
+
+ it 'should configure securetty values' do
+ is_expected.to contain_file('/etc/securetty').with(
+ :owner => 'root',
+ :group => 'root',
+ :mode => '0600',
+ )
+ .with_content(/console/)
+ .with_content(/tty1/)
+ .with_content(/tty2/)
+ .with_content(/tty3/)
+ .with_content(/tty4/)
+ .with_content(/tty5/)
+ .with_content(/tty6/)
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let (:facts) {
+ facts
+ }
+ it_behaves_like 'tripleo::profile::base::securetty'
+ end
+ end
+end
diff --git a/templates/securetty/securetty.erb b/templates/securetty/securetty.erb
new file mode 100644
index 0000000..c8c7b90
--- /dev/null
+++ b/templates/securetty/securetty.erb
@@ -0,0 +1,4 @@
+# Managed by Puppet / TripleO Heat Templates
+# A list of TTYs, from which root can log in
+# see `man securetty` for reference
+<%= @ttys %>