Table of Contents

1. Overview
2. Module Description - A Puppet module for managing svckill
3. Setup - The basics of getting started with pupmod-simp-svckill
   • What pupmod-simp-svckill affects
   • Beginning with svckill
4. Usage - Configuration options and additional functionality
5. Reference - An under-the-hood peek at what the module is doing and how
6. Limitations - OS compatibility, etc.
7. Development - Guide for contributing to the module

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide.

This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:

• When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
• In the future, all SIMP-managed security subsystems will be disabled by default and must be explicitly opted into by administrators. Please review simp/simp_options for details.

Module Description

Svckill is a system that attempts to run with the security best practice that "No unnecessary services should be running on the system."

The way svckill works is to fetch all services on the running system and then shutdown and disable any that are not declared in a Puppet manifest (or ignore list/file) somewhere.

Setup

What simp svckill affects

simp/svckill effects ALL services on a given node. If this class is included on a node, all services not declared in a puppet service resource or a svckill ignore list will be disabled and turned off on a system. The following are exceptions:

    A default list of services to ignore is kept in the module's hiera data for
    the parameter svckill::ignore_defaults.  This default list is split over
    several hiera files, grouped as services that are common, services that
    are os family related and services that are version related. The arrays
    are merged and sorted uniquely during catalog compilation.

    These services will not be killed unless they are removed using the knock out
    prefix in the svckill::ignore parameter.

    The following is an example of a hiera entry that will remove a service on
    the svckill::ignore_defaults list and allow svckill to kill this service:

    ---
    svckill::ignore:
       - '--sshd'

Beginning with svckill

You can set up svckill on a node by:

include 'svckill'

Usage

I have a service I don't want puppet to kill on a single node

There are two ways to solve this problem:

Declare the service in puppet:

service { 'myservice':
  ensure => running,
}

or Declare the service in an ignore list in svckill:

svckill::ignore { 'myservice': }

I want to ignore a list of services I deploy in a file

svckill { 'ourservices':
  ignorefiles => '/opt/services',
}

I want to set a list of services allowed in my entire infrascture

site.pp

class { 'svckill':
  ignore => ['A',
             'B',
             'C'
            ],
}

I don't want to kill a service, but I'd like to be alerted when it is running

class { 'svckill':
  ignore => 'A',
  mode   => 'warning',
}

Reference

Please refer to the REFERENCE.md.

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please read our Contribution Guide.

Visit the project homepage on GitHub, and look at our issues on JIRA.

Reference

Table of Contents

Classes

• svckill: Svckill is a system that attempts to run with the security best practice that "No unnecessary services should be running on the system." The
• svckill::ignore::collector: Build the default ignore file used by the svckill::ignore define.

Defined types

• svckill::ignore: Ensure that service $name will not be killed by svckill

Resource types

• svckill: Disables all services (recognized by the 'service' resource) that are not defined in your Puppet manifests or listed. Any services listed in

Classes

svckill

Svckill is a system that attempts to run with the security best practice that "No unnecessary services should be running on the system."

The way svckill works is to fetch all services on the running system and then shutdown and disable any that are not declared in a Puppet manifest (or ignore list/file) somewhere.

By default, the services defined in hiera by svckill::ignore_defaults will never be killed by svckill.

You may override the default ignore list in hiera, with the use of a knockout prefix '--'. For example, to remove sshd from the default whitelist:

svckill::ignore:

• '--sshd'

Parameters

The following parameters are available in the svckill class:

• enable
• ignore
• ignore_defaults
• ignore_files
• mode
• verbose

enable

Data type: Boolean

Enable svckill on the system

Default value: true

ignore

Data type: Array[String]

A list of services to never kill

Default value: []

ignore_defaults

Data type: Array[String]

An internal list of embedded services to never kill

Default value: []

ignore_files

Data type: Array[Stdlib::Absolutepath]

A list of files that contain services to never kill, one per line

• You can add your own files here if you wish to use an alternate ignore list
• The file specified in default_ignore_file will always be used but is fully managed by puppet

Default value: []

mode

Data type: Enum['enforcing','warning']

The strategy svckill should use when it encounters undeclared services.

• If set to enforcing, will actually shut down and disable all services not listed in your manifests or the exclusion file.

• If set to warning, will only report on what would happen without actually making the changes to the system. attempted to kill

Default value: 'warning'

verbose

Data type: Boolean

Report on exactly what svckill attempted to kill

• If false, it will only report on the number of services that it attempted to kill

Default value: true

svckill::ignore::collector

Build the default ignore file used by the svckill::ignore define.

Parameters

The following parameters are available in the svckill::ignore::collector class:

• default_ignore_file

default_ignore_file

Data type: Stdlib::Absolutepath

The path to the ignore file

Default value: '/usr/local/etc/svckill.ignore'

Defined types

svckill::ignore

Ensure that service $name will not be killed by svckill

Parameters

The following parameters are available in the svckill::ignore defined type:

• name

name

Data type: String

The name of the service to prevent being killed

Resource types

svckill

Disables all services (recognized by the 'service' resource) that are not defined in your Puppet manifests or listed.

Any services listed in the $ignorefiles array will be ignored for legacy compatibility.

See the module data to determine what services are ignored by default.

Properties

The following properties are available in the svckill type.

mode

If set to 'enforcing', will actually shut down and disable all services not listed in your manifests or the exclusion file.

If set to 'warning', will only report on what would happen without actually making the changes to the system.

Default: 'warning'

Default value: warning

Parameters

The following parameters are available in the svckill type.

• ignore
• ignorefiles
• name
• provider
• verbose

ignore

An array of services to never kill. Can also accept a regex.

ignorefiles

An array of files containing a list of services to ignore, one per line. Can also accept regexes in the file.

Default value: /usr/local/etc/svckill.ignore

name

namevar

A static name assigned to this type. You can only declare this type of resource once in your node scope.

Default value: svckill

provider

The specific backend to use for this svckill resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

verbose

Valid values: true, false

If set, output all services that were affected by svckill.

Default value: true

• Mon Oct 23 2023 Steven Pritchard steve@sicura.us - 3.11.0

• Add EL9 support

• Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 3.10.0

• [puppetsync] Updates for Puppet 8
  • These updates may include the following:
    • Update Gemfile
    • Add support for Puppet 8
    • Drop support for Puppet 6
    • Update module dependencies

• Wed Aug 23 2023 Steven Pritchard steve@sicura.us - 3.9.0

• Add AlmaLinux 8 support

• Mon Jul 17 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 3.8.0

• Add RockyLinux 8 support

• Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 3.7.0

• Removed support for Puppet 5
• Ensured support for Puppet 7 in requirements and stdlib

• Tue Jun 08 2021 Trevor Vaughan tvaughan@onyxpoint.com - 3.7.0

• Fixed
  • Added 'rngd' to the default services to never be killed
  • Removed obsolete documentation

• Sat Dec 19 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 3.6.2

• Removed EL6 support

• Wed Sep 16 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 3.6.1-0

• Puppet changed the service provider to return service units whose state is static. Because of this svckill was trying to kill system processes. This change updates the svckill provider to only add services the list of running services that are known to be in the enabled or disabled state.

• Thu Jan 09 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 3.6.0-0

• Add EL8 support
• Update the upper bound of simp-simplib to < 5.0.0
• Updated service lists:
  • Moved services that were deprecated in el7 from common list to RedHat-6 list.
  • Moved family_versions under osfamily just to make it neater.
  • Put more comments in the ignore lists for services.
  • Added new el8 services to RedHat-8.yaml
  • Added RedHat subscription manager services to RedHat OS list.

• Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 3.6.0-0

• Support puppetlabs/concat 6.x.

• Thu Jun 13 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 3.5.0-0

• Add v2 compliance_markup data

• Wed Jun 12 2019 Trevor Vaughan tvaughan@onyxpoint.com - 3.4.0-0

• Update CI artifacts
• Remove Puppet 4 support
• Add Puppet 6 support

• Wed Jun 12 2019 Robert Clark rbclark@mitre.org - 3.4.0-0

• Fix error in README regarding proper svckill exception outside of Hiera

• Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 3.3.1-0

• Expanded the upper limit of the concat and stdlib Puppet module versions
• Fixed bad URLs in the README.md

• Tue Oct 02 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 3.3.0-0

• Added Redhat 7.5 services to default service ignore list.
• Updated ruby version to 2.4.4
• Updated Gemfile to ask for puppet 5
• Update badges and contribution guide URL in README.md

• Mon Sep 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 3.3.0-0

• Update Hiera 4 to Hiera 5

• Fri Aug 24 2018 Nick Miller nick.miller@onypoint.com - 3.3.0-0

• Add support for Puppet 5 and OEL

• Fri Jul 27 2018 Liz Nemsick lnemsick.simp@gmail.com - 3.2.6-0

• Add simp_client_bootstrap service to the ignore list. If this is omitted from the ignore list, svckill will kill the bootstrap process of SIMP clients, while they are boostrapping the system.

• Fri Jun 22 2018 Nick Miller nick.miller@onypoint.com - 3.2.6-0

• Update CI assets

• Fri Feb 09 2018 Liz Nemsick lnemsick.simp@gmail.com - 3.2.5-0

• Update upperbound on puppetlabs/concat version to < 5.0.0

• Mon Oct 02 2017 Liz Nemsick lnemsick.simp@gmail.com - 3.2.4-0

• Fix bug in which svckill provider can fail on a server for which there are are no aliased, SystemD services.

• Fri Aug 18 2017 Liz Nemsick lnemsick.simp@gmail.com - 3.2.3-0

• Update concat version in metadata.json & build/rpm_metadata/requires

• Tue Aug 01 2017 Liz Nemsick lnemsick.simp@gmail.com - 3.2.2-0

• Tweak spec tests so will run in docker containers

• Fri Jun 23 2017 Liz Nemsick lnemsick.simp@gmail.com - 3.2.1-0

• Fix bug whereby svckill provider's insync_values? emits 'Unknown failure' message during normal operation.

• Fri Jun 09 2017 Nick Markowski nmarkowski@keywcorp.com - 3.2.1-0

• Implemented simplib::knockout on the ignore list so users can remove items in the default list via hiera.

• Wed Apr 19 2017 Nick Markowski nmarkowski@keywcorp.com - 3.2.1-0

• In the service kill provider, not all services queried by 'Name' with systemctl would return a name. That caused a break in symlink logic, rendering a majority of aliases to remain undetected. Error detection has been added and the symlink logic has been re-worked.

• Thu Mar 23 2017 Trevor Vaughan - 3.2.0-0

• Enabled the new, kinder, svckill by setting the default mode to 'warning'
• Added a svckill::enable parameter to be able to disable svckill from Hiera easily

• Fri Mar 17 2017 Nick Miller, Ryan Russell-Yates, Liz Nemsick - 3.1.1-0

• Add acceptance test for symlinked services
• Flesh out README
• Remove OBE 'pe' requirement from metadata.json
• Update puppet version in .travis.yaml

• Fri Dec 30 2016 Dylan Cochran dylan.cochran@onyxpoint.com - 3.1.0-0

• Use hiera moduledata instead of a hard coded array
• Add ignore for ^pe-.*

• Sat Dec 24 2016 Trevor Vaughan tvaughan@onyxpoint.com - 3.0.0-0

• Updated to use the Puppet Concat module

• Thu Dec 15 2016 Liz Nemsick lnemsick.simp@gmail.com - 3.0.0-0

• Use strongly typed parameters

• Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 2.0.0-0

• Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.

• Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0

• Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.

• Thu Jul 07 2016 Nick Markowski nmarkowski@keywcorp.com - 1.1.3-0

• Added missing requires file and updated module to auto-generate lua spec file.

• Tue Jun 21 2016 Trevor Vaughan tvaughan@onyxpoint.com - 1.1.2-0

• Ensure that calling '::svckill::ignore' does not include '::svckill' by default.

• Tue Apr 12 2016 Kendall Moore kendall.moore@onyxpoint.com - 1.1.1-0

• Updated custom type to remove deprecation warning

• Thu Mar 10 2016 Trevor Vaughan tvaughan@onyxpoint.com - 1.1.0-0

• Added a 'verbose' option to svckill which will enumerate all actions on services if enabled.
• Ensure that all relevant messages are passed back via the 'to_s' method so that PuppetDB can obtain a full report.

• Wed Feb 24 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 1.0.0-6

• Minor linting fixes

• Tue Nov 10 2015 Chris Tessmer chris.tessmer@onypoint.com - 1.0.0-5

• migration to simplib and simpcat (lib/ only)

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-4

• Changed puppet-server requirement to puppet

• Thu Aug 28 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-3

• Fixed a long-standing bug where failing to stop a service would prevent svckill from disabling it.
• Added prefdm to the list of services to never kill.
• Updated to not kill services that have definitions in puppet that are aliased in systemd.

• Thu Jun 19 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-2

• Added support for systemd
• Added support for regex ignore statements
• Had to force the service provider to 'redhat' if it fell back to 'init' otherwise the startup scripts wouldn't be called

• Fri May 09 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-1

• Add 'rc' to the svckill list so that weird race conditions don't render an Upstart-based system unbootable.

• Wed Apr 16 2014 Trevor Vaughan tvaughan@onyxpoint.com - 1.0.0-0

• First release of svckill as its own module.