Puppet Class: tcpwrappers

Defined in:
manifests/init.pp

Overview

Tcpwrappers

Manage tcpwrappers by either taking ownership of specific directives with file_line or by replacing the entire file content.

Examples:

managing specific rules

class { "tcpwrappers":
  rules_allow => [
    { "sshd" => "1.1.1.1" },
    { "nrpe" => "2.2.2.2" },
    { "ALL"  => "localhost"},
  ],
  rules_deny  => [
    { "ALL"  => "ALL"},
  ]
}

managing entire file content

class { "tcpwrappers":
  hosts_allow_content => "sshd: ALL",
  hosts_deny_content  =>
    "# entire content of
    the file will be replaced"
}

hiera data equivalent

tcpwrappers::rules_allow:
  - sshd: "1.1.1.1"
  - nrpe: "2.2.2.2"
  - ALL: "localhost"
tcpwrappers::rules_deny: |
  # managed by puppet
  ALL: ALL

Parameters:

  • warning_message (String) (defaults to: "# managed by puppet")

    Header to place at the top of each file if managing specific directives

  • rules_allow (Array[Hash[String, String]]) (defaults to: [])

    List of rules to apply to /etc/hosts.allow (see above)

  • rules_deny (Array[Hash[String, String]]) (defaults to: [])

    List of rules to apply to /etc/hosts.deny (see above)

  • hosts_allow_content (Variant[String, Boolean]) (defaults to: false)

    Replace the entire content of /etc/hosts.allow with this string (overrides rules_allow)

  • hosts_deny_content (Variant[String, Boolean]) (defaults to: false)

    Replace the entire content of /etc/hosts.deny with this string (overrides rules_deny)



# File 'manifests/init.pp', line 44

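class tcpwrappers(
  String $warning_message                  = "# managed by puppet",
  Array[Hash[String, String]] $rules_allow = [],
  Array[Hash[String, String]] $rules_deny  = [],
  Variant[String, Boolean] $hosts_allow_content = false,
  Variant[String, Boolean] $hosts_deny_content = false,
) {

  # Both access-control files follow the same logic, so map each path to its
  # whole-file content parameter and its per-directive rule list and handle
  # them in one pass instead of two copied blocks.
  $managed = {
    "/etc/hosts.allow" => [$hosts_allow_content, $rules_allow],
    "/etc/hosts.deny"  => [$hosts_deny_content,  $rules_deny],
  }

  $managed.each |$path, $spec| {
    $whole_content = $spec[0]
    $rules         = $spec[1]

    # Only a String replaces the whole file. Any Boolean (the default false,
    # or an explicit true) means "manage individual directives"; previously
    # a literal true was handed to the file resource as its content.
    if $whole_content =~ String {
      $content = $whole_content
    } else {
      # Let the file resource leave existing content alone; file_line and
      # fm_prepend below edit the file in place.
      $content = undef

      # Header marking the file as under Puppet control.
      fm_prepend { $path:
        ensure => present,
        data   => $warning_message,
      }

      $rules.each |$rule| {
        $rule.each |$key, $value| {
          # Each rule takes ownership of the directive line(s) for one daemon
          # list. The match is anchored on the key *followed by the colon*, so
          # a rule for "ssh" can no longer rewrite an unrelated "sshd: ..."
          # line (the former pattern "^${key}" matched any line starting with
          # the key's text). The key is interpolated into the regex unescaped;
          # daemon names are expected to be plain identifiers.
          # Known limitation: two rules sharing a key declare two file_line
          # resources that match the same line(s) and will overwrite each
          # other on every run.
          file_line { "${path} rule ${key}=>${value}":
            path     => $path,
            line     => "${key}: ${value}",
            match    => "^${key}\\s*:",
            multiple => true,
          }
        }
      }
    }

    # Owned by root and world-readable (the default for these files); when
    # $content is undef only ensure/ownership/mode are enforced.
    file { $path:
      ensure  => file,
      owner   => "root",
      group   => "root",
      mode    => "0644",
      content => $content,
    }
  }
}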