Class consoleperms::consoleperms
In: /tmp/puppet/modules/consoleperms/manifests/init.pp
Parent:

Module: consoleperms

Class: consoleperms

Description:

        This class hardens what a console user can do.

Defines:

        None

LinuxGuide:

        2.3.1.1
        2.2.2.1
        2.3.3.4

CCERef#:

        CCE-4209-3

Resources


Exec["Restrict ConsoleDevice Access"]
   command => "sed -i -e 's/^<console>/#&/' -e 's/^<xconsole>/#&/' /etc/security/console.perms.d/50-default.perms"
   user => root
   onlyif => "grep -E '^<x?console>' /etc/security/console.perms.d/50-default.perms"

GuideSection 2.2.2.1: Restrict console device access. Comment out each line that starts with <console> or <xconsole>.
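
The commenting step from guide section 2.2.2.1, as an added shell example (not the module's own code): it matches only lines that begin with <console> or <xconsole>, so device-class lines are left alone and a second run changes nothing. The sample file contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: idempotent console.perms hardening on a constructed sample.

# Write a constructed sample in console.perms syntax to the given path.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
<floppy>=/dev/fd[0-1]*
<console>  0660 <floppy>     0660 root.floppy
<xconsole> 0600 /dev/console 0600 root.root
#<console> 0600 <sound>      0600 root
EOF
}

# Succeeds only while active <console>/<xconsole> rules remain (the "onlyif" guard).
needs_hardening() {
    grep -Eq '^<x?console>' "$1"
}

# Print the number of active <console>/<xconsole> rules (0 when none are left).
active_rules() {
    grep -Ec '^<x?console>' "$1" || true
}

# Comment out active rules; do nothing when the file is already hardened.
harden_console_perms() {
    if needs_hardening "$1"; then
        tmp=$(mktemp) || return 1
        # Rewrite through a temp file, then copy back to keep owner and mode.
        sed -E 's/^<x?console>/#&/' "$1" > "$tmp" && cat "$tmp" > "$1"
        rm -f "$tmp"
    fi
}

# Demo run on a throwaway copy of the sample.
demo=$(mktemp)
make_sample "$demo"
echo "active rules before: $(active_rules "$demo")"
harden_console_perms "$demo"
echo "active rules after:  $(active_rules "$demo")"
rm -f "$demo"
```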

File["/etc/securetty"]
   owner => "root"
   group => "root"
   mode => 600
   source => "puppet:///modules/consoleperms/securetty"

GuideSection 2.3.1.1 (CCE-3820-8, CCE-3485-0, CCE-4111-1, CCE-4256-4): Restrict console device access

File["/etc/security/console.perms"]
   owner => "root"
   group => "root"
   mode => 644
   source => "puppet:///modules/consoleperms/console.perms"

Replace the console.perms file with a stricter one.

File["/usr/sbin/userhelper"]
   ensure => present
   require => Group[usergroup]
   group => usergroup
   mode => 4710
Group["usergroup"]
   ensure => present

GuideSection 2.3.3.4: Restrict userhelper to console users
