Forge Home

svckill

Disables all services that are not controlled by Puppet.

13,755 downloads

1,085 latest version

3.1 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 3.7.0 (latest)
  • 3.6.2
  • 3.6.1
  • 3.6.0
  • 3.5.0
  • 3.4.0
  • 3.3.1
  • 3.3.0
  • 3.2.6
  • 3.2.5
  • 3.2.4
  • 3.2.3
  • 3.2.2
  • 3.2.1
  • 3.2.0
  • 1.1.4
  • 1.1.3
released Jul 9th 2021
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet >= 6.22.1 < 8.0.0
  • , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'simp-svckill', '3.7.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add simp-svckill
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install simp-svckill --version 3.7.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download
Tags: simp, svckill

Documentation

simp/svckill — version 3.7.0 Jul 9th 2021

License CII Best Practices Puppet Forge Puppet Forge Downloads Build Status

Table of Contents

  1. Overview
  2. Module Description - A Puppet module for managing svckill
  3. Setup - The basics of getting started with pupmod-simp-svckill
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Development - Guide for contributing to the module

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
  • In the future, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp/simp_options for details.

Module Description

Svckill is a system that attempts to run with the security best practice that "No unnecessary services should be running on the system."

The way svckill works is to fetch all services on the running system and then shutdown and disable any that are not declared in a Puppet manifest (or ignore list/file) somewhere.

Setup

What simp svckill affects

simp/svckill effects ALL services on a given node. If this class is included on a node, all services not declared in a puppet service resource or a svckill ignore list will be disabled and turned off on a system. The following are exceptions:

    A default list of services to ignore is kept in the module's hiera data for
    the parameter svckill::ignore_defaults.  This default list is split over
    several hiera files, grouped as services that are common, services that
    are os family related and services that are version related. The arrays
    are merged and sorted uniquely during catalog compilation.

    These services will not be killed unless they are removed using the knock out
    prefix in the svckill::ignore parameter.

    The following is an example of a hiera entry that will remove a service on
    the svckill::ignore_defaults list and allow svckill to kill this service:

    ---
    svckill::ignore:
       - '--sshd'

Beginning with svckill

You can set up svckill on a node by:

include 'svckill'

Usage

I have a service I don't want puppet to kill on a single node

There are two ways to solve this problem:

Declare the service in puppet:

service { 'myservice':
  ensure => running,
}

or Declare the service in an ignore list in svckill:

svckill::ignore { 'myservice': }

I want to ignore a list of services I deploy in a file

svckill { 'ourservices':
  ignorefiles => '/opt/services',
}

I want to set a list of services allowed in my entire infrascture

site.pp

class { 'svckill':
  ignore => ['A',
             'B',
             'C'
            ],
}

I don't want to kill a service, but I'd like to be alerted when it is running

class { 'svckill':
  ignore => 'A',
  mode   => 'warning',
}

Reference

Please refer to the REFERENCE.md.

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please read our Contribution Guide.

Visit the project homepage on GitHub, and look at our issues on JIRA.