svckill

Classes

svckill
: Svckill is a system that attempts to run with the security best practice that "No unnecessary services should be running on the system."

svckill::ignore::collector
: Build the default ignore file used by the svckill::ignore define.

Defined types

svckill::ignore
: Ensure that service $name will not be killed by svckill.

Resource types

svckill
: Disables all services (recognized by the 'service' resource) that are not defined in your Puppet manifests or listed in an ignore list or ignore file.

Class: svckill
Svckill is a system that attempts to run with the security best practice that "No unnecessary services should be running on the system."
The way svckill works is to fetch all services on the running system and then shutdown and disable any that are not declared in a Puppet manifest (or ignore list/file) somewhere.
By default, the services defined in hiera by svckill::ignore_defaults will never be killed by svckill.
You may override the default ignore list in hiera with the use of the knockout prefix '--'. For example, to remove sshd from the default whitelist:

    svckill::ignore:
      - '--sshd'
Parameters

The following parameters are available in the svckill class:

enable
Data type: Boolean
Enable svckill on the system.
Default value: true

ignore
Data type: Array[String]
A list of services to never kill.
Default value: []

ignore_defaults
Data type: Array[String]
An internal list of embedded services to never kill.
Default value: []

ignore_files
Data type: Array[Stdlib::Absolutepath]
A list of files that contain services to never kill, one per line.
- You can add your own files here if you wish to use an alternate ignore list.
- The file specified in default_ignore_file will always be used but is fully managed by Puppet.
Default value: []

mode
Data type: Enum['enforcing','warning']
The strategy svckill should use when it encounters undeclared services.
- If set to enforcing, svckill will actually shut down and disable all services not listed in your manifests or the exclusion file.
- If set to warning, svckill will only report on what would happen without actually making the changes to the system.
Default value: 'warning'

verbose
Data type: Boolean
Report on exactly what svckill attempted to kill.
- If false, it will only report on the number of services that it attempted to kill.
Default value: true
Class: svckill::ignore::collector

Build the default ignore file used by the svckill::ignore define.

Parameters

The following parameters are available in the svckill::ignore::collector class:

default_ignore_file
Data type: Stdlib::Absolutepath
The path to the ignore file.
Default value: '/usr/local/etc/svckill.ignore'
Defined type: svckill::ignore

Ensure that service $name will not be killed by svckill.

Parameters

The following parameters are available in the svckill::ignore defined type:

name
Data type: String
The name of the service to prevent being killed.
Resource type: svckill

Disables all services (recognized by the 'service' resource) that are not defined in your Puppet manifests or listed in an ignore list or ignore file.
Any services listed in the $ignorefiles array will be ignored for legacy compatibility.
See the module data to determine what services are ignored by default.

Properties

The following properties are available in the svckill type:

mode
If set to 'enforcing', svckill will actually shut down and disable all services not listed in your manifests or the exclusion file.
If set to 'warning', svckill will only report on what would happen without actually making the changes to the system.
Default value: warning

Parameters

The following parameters are available in the svckill type:

ignore
An array of services to never kill. Can also accept a regex.

ignorefiles
An array of files containing a list of services to ignore, one per line. Can also accept regexes in the file.
Default value: /usr/local/etc/svckill.ignore

name
namevar
A static name assigned to this type. You can only declare this type of resource once in your node scope.
Default value: svckill

provider
The specific backend to use for this svckill resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

verbose
Valid values: true, false
If set, output all services that were affected by svckill.
Default value: true
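The following is an added example, not code from the svckill module itself. It models the decision the reference describes for the svckill class (hiera ignore list with the '--' knockout prefix merged onto the embedded defaults) and for the svckill type (ignore-file entries, one per line, that may be regexes; warning versus enforcing mode; verbose reporting), so that the effect of a configuration can be previewed before switching a host from warning to enforcing. The service names, the stand-in default list and the ignore-file contents are constructed sample data, and the knockout merge is an assumption about how hiera's unique array merge behaves, not the module's own implementation.

```ruby
# Added example: a small model of svckill's per-service decision.
# Not the module's own code; service lists below are constructed sample data.

KNOCKOUT = '--'.freeze

# Merge a hiera override array onto the embedded defaults. An entry prefixed
# with '--' removes the matching entry from the result (assumption: mirrors a
# hiera unique merge with knockout_prefix '--', as used by svckill::ignore).
def merge_with_knockout(defaults, overrides)
  merged = (defaults + overrides).uniq
  knocked_out = merged.select { |e| e.start_with?(KNOCKOUT) }
                      .map { |e| e.delete_prefix(KNOCKOUT) }
  merged.reject { |e| e.start_with?(KNOCKOUT) || knocked_out.include?(e) }
end

# Parse an ignore file: one entry per line; blank lines and '#' comments skipped.
def parse_ignore_file(content)
  content.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
end

# Each entry is applied as a full-match regex, so a plain name still matches
# exactly while a pattern such as 'rpc.*' covers a whole family of services.
def ignored?(service, patterns)
  patterns.any? { |p| Regexp.new("\\A(?:#{p})\\z").match?(service) }
end

# Classify every running service as declared in a manifest, ignored, or a kill candidate.
def plan(running, declared, ignore_patterns)
  running.each_with_object({ declared: [], ignored: [], kill: [] }) do |svc, acc|
    if declared.include?(svc) then acc[:declared] << svc
    elsif ignored?(svc, ignore_patterns) then acc[:ignored] << svc
    else acc[:kill] << svc
    end
  end
end

# In warning mode nothing is changed; in enforcing mode the kill list is acted on.
# verbose: true names each service, false reports only the count.
def apply(decision, mode, verbose: true)
  raise ArgumentError, 'mode must be enforcing or warning' unless %w[enforcing warning].include?(mode)
  verb = mode == 'enforcing' ? 'stopped and disabled' : 'would stop and disable'
  report = if verbose
             "svckill #{verb}: #{decision[:kill].join(', ')}"
           else
             "svckill #{verb} #{decision[:kill].size} service(s)"
           end
  { acted: mode == 'enforcing' ? decision[:kill] : [], report: report }
end

# Constructed sample data.
IGNORE_DEFAULTS = %w[sshd auditd rsyslog].freeze            # stand-in for svckill::ignore_defaults
HIERA_IGNORE    = ['--sshd', 'rpc.*'].freeze                 # the page's knockout example plus a regex
IGNORE_FILE     = "# constructed /usr/local/etc/svckill.ignore\nchronyd\n\nrpcbind\n".freeze
RUNNING         = %w[sshd auditd rsyslog chronyd rpcbind rpc-statd telnet httpd].freeze
DECLARED        = %w[httpd].freeze                           # services managed by a manifest

def demo(mode = 'warning')
  patterns = merge_with_knockout(IGNORE_DEFAULTS, HIERA_IGNORE) + parse_ignore_file(IGNORE_FILE)
  apply(plan(RUNNING, DECLARED, patterns), mode)
end

puts demo('warning')[:report]
```

Running it in warning mode reports that sshd and telnet would be stopped: telnet because nothing declares or ignores it, and sshd because the '--sshd' knockout removed it from the default whitelist, which is exactly the kind of outcome worth catching in warning mode before enabling enforcing.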