我正在尝试更新一些在RHEL机器上禁用CAD的Puppet清单.
现在我正在使用systemd上的顶级方式:masking(即链接到/ dev / null)
- $ctrlaltdel_process = '/usr/bin/logger -p security.info "Control-Alt-Delete pressed"'
- # Every version of RHEL has a different way of doing this! :)
- case $::operatingsystemmajrelease {
- '4','5': {
- augeas { 'disable-inittab-ctrlaltdel':
- context => '/files/etc/inittab',lens => 'inittab.lns',incl => '/etc/inittab',changes => "set *[action = 'ctrlaltdel']/process '${ctrlaltdelprocess}'",}
- }
- '6': {
- file { '/etc/init/control-alt-delete.conf':
- ensure => file,content => $ctrlaltdel_process,}
- }
- '7': {
- file { '/etc/systemd/system/ctrl-alt-del.target':
- ensure => 'link',target => '/dev/null',}
- }
- default: {
- fail("Module ${module_name} is not supported on this ${::operatingsystemmajrelease}")
- }
- }
正如您所看到的,在其他系统上,我实际上正在编写一个安全日志,说CAD已被按下,但我不会用systemd机器来获取它.
我喜欢在日志中实际拥有陷阱的想法,以便我们可以追踪人们是否正在这样做.
解决方法
- # ctrl-alt-del.target
- [Unit]
- DefaultDependencies=no # Do not affect the system through dependencies
- Requires=ctrl-alt-del.service
- StopWhenUneeded=yes
- # ctrl-alt-del.service
- [Service]
- DefaultDependencies=no # Do not affect the system through dependencies
- Type=oneshot
- ExecStart=/usr/bin/logger -p security.info "Control-Alt-Delete pressed"
