From 1d3593693d283db965b6a182e46401e483d2968f Mon Sep 17 00:00:00 2001
From: Brent Clark
Date: Fri, 21 Jan 2022 21:21:10 +0200
Subject: [PATCH 1/3] Disable some network protocols that typically are not used.
Signed-off-by: Brent Clark
---
 manifests/modules.pp | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/manifests/modules.pp b/manifests/modules.pp
index dfa64d6..4e85647 100644
--- a/manifests/modules.pp
+++ b/manifests/modules.pp
@@ -11,6 +11,7 @@ class os_hardening::modules (
 Array $disable_filesystems = ['cramfs','freevxfs','jffs2','hfs','hfsplus','squashfs','udf'],
+ Array $disable_network_protocol = ['dccp','sctp','rds','tipc'],
 ) {
 # Disable unused filesystems (os-10)
@@ -22,5 +23,12 @@
 content => template('os_hardening/disable_fs.erb'),
 }
+ file { '/etc/modprobe.d/dev-sec-net-protocols.conf':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0440',
+ content => template('os_hardening/disable_net_protocols.erb'),
+ }
 }
From 7de5a868f4e9e4e9121d7384628ff151e54263fb Mon Sep 17 00:00:00 2001
From: Brent Clark
Date: Fri, 21 Jan 2022 21:22:16 +0200
Subject: [PATCH 2/3] Added template
Signed-off-by: Brent Clark
---
 templates/disable_net_protocols.erb | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 templates/disable_net_protocols.erb
diff --git a/templates/disable_net_protocols.erb b/templates/disable_net_protocols.erb
new file mode 100644
index 0000000..f503e37
--- /dev/null
+++ b/templates/disable_net_protocols.erb
@@ -0,0 +1,7 @@
+# MANAGED BY PUPPET
+# Puppet os_hardening:
+
+<% @disable_network_protocol.each do |protocol| -%>
+install <%= fs %> /bin/true
+<% end -%>
+
From 89dfe229141c24000e571f5c84b17d3c8f475680 Mon Sep 17 00:00:00 2001
From: Brent Clark
Date: Fri, 21 Jan 2022 21:38:44 +0200
Subject: [PATCH 3/3] Fix fs to typo
Signed-off-by: Brent Clark
---
 templates/disable_net_protocols.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
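Review bot: The new `Array $disable_network_protocol` parameter constrains nothing but the container type, yet each element is interpolated verbatim into a modprobe.d file by the template, so an element containing whitespace or a newline would turn into an extra modprobe directive instead of a module name; tightening it to `Array[Pattern[/\A[A-Za-z0-9_-]+\z/]] $disable_network_protocol = ['dccp','sctp','rds','tipc'],` rejects such values at catalog compile time. The name is also singular where the sibling `$disable_filesystems` is plural; since it becomes part of the class's public interface, renaming it to `$disable_network_protocols` now avoids a breaking change later. The parameter list belongs to `class os_hardening::modules`, whose header is outside the hunk.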
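Review bot: The `install` overrides written to `/etc/modprobe.d/dev-sec-net-protocols.conf` only block future module loads; a protocol module that is already loaded on the host (for example sctp pulled in by a running service) stays loaded until it is removed or the host reboots, and neither the resource nor a comment says so. A comment in the style of the existing `# Disable unused filesystems (os-10)` would make that visible, e.g. `# Disable unused network protocols (blocks future loads only; already-loaded modules persist until rmmod/reboot)`. Note also that `template('os_hardening/disable_net_protocols.erb')` references a file that only appears in the next commit, so this commit on its own fails catalog compilation; the series would bisect cleanly if squashed or if the template were committed first.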
diff --git a/templates/disable_net_protocols.erb b/templates/disable_net_protocols.erb
index f503e37..3ce1022 100644
--- a/templates/disable_net_protocols.erb
+++ b/templates/disable_net_protocols.erb
@@ -2,6 +2,6 @@
 # Puppet os_hardening:
 <% @disable_network_protocol.each do |protocol| -%>
-install <%= fs %> /bin/true
+install <%= protocol %> /bin/true
 <% end -%>
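Review bot: `install <%= protocol %> /bin/true` makes `modprobe dccp` and friends exit 0 without loading anything, so a service or administrator that loads the module explicitly gets no error and may assume the protocol is available; current CIS benchmarks instead use `install <%= protocol %> /bin/false` together with `blacklist <%= protocol %>`, so an explicit load fails visibly and the `blacklist` line covers the alias-resolution path as well. If the sibling `disable_fs.erb` (not visible here) still uses `/bin/true`, change both templates together so the two modprobe.d files behave consistently. The `<% @disable_network_protocol.each do |protocol| -%>` loop that this line sits in is fully within the hunk.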