我正在尝试更新一些在 RHEL 机器上禁用 CAD 的 Puppet 清单。
现在我在 systemd 上以最佳方式执行此操作:屏蔽(即链接到 /dev/null)
$ctrlaltdel_process = '/usr/bin/logger -p security.info "Control-Alt-Delete pressed"'
# Every version of RHEL has a different way of doing this! :)
case $::operatingsystemmajrelease {
'4','5': {
augeas { 'disable-inittab-ctrlaltdel':
context => '/files/etc/inittab',
lens => 'inittab.lns',
incl => '/etc/inittab',
changes => "set *[action = 'ctrlaltdel']/process '${ctrlaltdelprocess}'",
}
}
'6': {
file { '/etc/init/control-alt-delete.conf':
ensure => file,
content => $ctrlaltdel_process,
}
}
'7': {
file { '/etc/systemd/system/ctrl-alt-del.target':
ensure => 'link',
target => '/dev/null',
}
}
default: {
fail("Module ${module_name} is not supported on this ${::operatingsystemmajrelease}")
}
}
如您所见,在其他系统上,我实际上正在编写一个安全日志,表明已按下 CAD,但在 systemd 机器上我无法获得该日志。
我喜欢在日志中设置陷阱的想法,这样我们就可以追踪人们是否在这样做。
有人能给我一个 ctrl+alt+delete 的示例 systemd 配置文件来做同样的事情吗?
答案1
# ctrl-alt-del.target
[Unit]
DefaultDependencies=no # Do not affect the system through dependencies
Requires=ctrl-alt-del.service
StopWhenUneeded=yes
# ctrl-alt-del.service
[Service]
DefaultDependencies=no # Do not affect the system through dependencies
Type=oneshot
ExecStart=/usr/bin/logger -p security.info "Control-Alt-Delete pressed"