Module: security::tcpwrappers
Purpose: This module configures TCP Wrappers on CentOS 6 and Solaris 10 hosts with Hiera.
Notes: This module does some pretty fancy things. It uses Hiera to provide lookup for the $hostsallow and $hostsdeny variables, and interfaces with inetadm and svccfg on Solaris. Let’s look at hiera.yaml first.
File: /etc/puppet/hiera.yaml
```yaml
---
:backends:
  - yaml
:yaml:
  :datadir: /etc/puppet/hieradata
:hierarchy:
  - %{::clientcert}
  - %{::operatingsystem}
  - common
```
As you can see, we first check the %{::clientcert}, then the %{::operatingsystem} before falling back to common. So, essentially you have hostname-specific control if you need it.
Under /etc/puppet/hieradata, I have the following:
```
[root@centosa hieradata]# cat centosa.local.yaml
---
security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-centosa.local"
security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-centosa.local"
[root@centosa hieradata]# cat common.yaml
---
security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-common"
security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-common"
[root@centosa hieradata]# cat Solaris.yaml
---
security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-solaris"
security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-solaris"
```
Host centosa.local would use centosa.local.yaml (matched by the %{::clientcert} level of the hierarchy) and pull its values for security::tcpwrappers::hostsallow and security::tcpwrappers::hostsdeny from that file. Host centosb.local would fall through to common.yaml (unless a centosb.local.yaml or CentOS.yaml existed), and a Solaris host would use Solaris.yaml.
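To make the fall-through concrete, here is an added Ruby example (not part of the post or the module) that replays Hiera's priority lookup over the three hieradata files above, with the hierarchy and file contents embedded as constructed strings and node facts passed in as a hash:

```ruby
require 'yaml'

# Hierarchy from the post's hiera.yaml, most specific level first.
HIERARCHY = ['%{::clientcert}', '%{::operatingsystem}', 'common'].freeze

# Constructed stand-in for /etc/puppet/hieradata/*.yaml (same content as the post).
HIERADATA = {
  'centosa.local.yaml' => <<~YAML,
    ---
    security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-centosa.local"
    security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-centosa.local"
  YAML
  'common.yaml' => <<~YAML,
    ---
    security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-common"
    security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-common"
  YAML
  'Solaris.yaml' => <<~YAML
    ---
    security::tcpwrappers::hostsallow: "puppet:///modules/security/etc/hosts.allow-solaris"
    security::tcpwrappers::hostsdeny: "puppet:///modules/security/etc/hosts.deny-solaris"
  YAML
}.freeze

# Expand %{::fact} tokens in a hierarchy entry from the node's facts.
def interpolate(entry, facts)
  entry.gsub(/%\{::(\w+)\}/) { facts.fetch(Regexp.last_match(1), '') }
end

# Priority lookup: walk the hierarchy top to bottom and return
# [value, file] from the first level that defines the key, or nil.
def hiera_lookup(key, facts)
  HIERARCHY.each do |entry|
    fname = "#{interpolate(entry, facts)}.yaml"
    data = HIERADATA[fname]
    next unless data
    doc = YAML.safe_load(data) || {}
    return [doc[key], fname] if doc.key?(key)
  end
  nil
end

# Resolve both class parameters as Puppet's data binding would,
# falling back to the manifest's "" default when no level defines a key.
def tcpwrappers_sources(facts)
  %w[hostsallow hostsdeny].to_h do |param|
    hit = hiera_lookup("security::tcpwrappers::#{param}", facts)
    [param, hit ? hit[0] : '']
  end
end
```

The second element of the returned pair tells you which level won, which is the quickest way to confirm that a per-host file is actually being picked up rather than silently falling through to common.yaml.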
File: security/manifests/tcpwrappers.pp
Notes: Uses Hiera to copy in appropriate files. On Solaris, it configures inetd-controlled services to use TCP Wrappers via inetadm, and enables TCP Wrappers for the RPC portmapping service via svccfg.
```puppet
# class security::tcpwrappers
# Set up tcpwrappers on Solaris and CentOS hosts
class security::tcpwrappers (
  $hostsallow = "",
  $hostsdeny  = ""
) {
  file { '/etc/hosts.allow' :
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => $hostsallow
  }
  file { '/etc/hosts.deny' :
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => $hostsdeny
  }
  case $::operatingsystem {
    'CentOS' : {
      # nothing else to do, files are in place
    }
    'Solaris' : {
      # set up inetd-controlled services for tcp_wrappers
      exec { '/usr/sbin/inetadm -M tcp_wrappers=TRUE' :
        unless => '/usr/sbin/inetadm -p | /bin/grep tcp_wrappers=TRUE'
      }
      # enable TCP wrappers for RPC portmapping service
      exec { '/usr/sbin/svccfg -s svc:/network/rpc/bind setprop config/enable_tcpwrappers=true' :
        unless => '/usr/sbin/svccfg -s svc:/network/rpc/bind listprop config/enable_tcpwrappers | /bin/grep true',
        notify => Service['svc:/network/rpc/bind']
      }
      # need the service defined here so we can notify it
      service { 'svc:/network/rpc/bind' :
        ensure => running,
        enable => true
      }
    }
    default : {
      # message now names the class as declared above (was security::tcp_wrappers)
      fail( 'OS unsupported by security::tcpwrappers class' )
    }
  }
}
```