|
- {%- from "linux/map.jinja" import system, cron with context %}
-
- {%- if cron.get('enabled', false) %}
-
- cron_packages:
- pkg.installed:
- - names: {{ cron.pkgs }}
-
- cron_services:
- service.running:
- - enable: true
- - names: {{ cron.services }}
- - require:
- - pkg: cron_packages
- {%- if grains.get('noservices') %}
- - onlyif: /bin/false
- {%- endif %}
-
- {%- set allow_users = [] %}
- {%- for user_name, user_params in cron.get('user', {}).items() %}
- {%- set user_enabled = user_params.get('enabled', false) and
- system.get('user', {}).get(
- user_name, {'enabled': true}).get('enabled', true) %}
- {%- if user_enabled %}
- {%- do allow_users.append(user_name) %}
- {%- endif %}
- {%- endfor %}
-
- etc_cron_allow:
- {%- if allow_users %}
- file.managed:
- - name: /etc/cron.allow
- - template: jinja
- - source: salt://linux/files/cron_users.jinja
- - user: root
- - group: root
- - mode: 0600
- - defaults:
- users: {{ allow_users | yaml }}
- - require:
- - cron_packages
- {%- else %}
- file.absent:
- - name: /etc/cron.allow
- {%- endif %}
-
- {#
- /etc/cron.deny should be absent to comply with
- CIS 5.1.8 Ensure at/cron is restricted to authorized users
- #}
- etc_cron_deny:
- file.absent:
- - name: /etc/cron.deny
-
- etc_crontab:
- file.managed:
- - name: /etc/crontab
- - user: root
- - group: root
- - mode: 0600
- - replace: False
- - require:
- - cron_packages
-
- etc_cron_dirs:
- file.directory:
- - names:
- - /etc/cron.d
- - /etc/cron.daily
- - /etc/cron.hourly
- - /etc/cron.monthly
- - /etc/cron.weekly
- - user: root
- - group: root
- - dir_mode: 0600
- - recurse:
- - ignore_files
- - require:
- - cron_packages
-
- {%- else %}
-
- fake_linux_system_cron:
- test.nop:
- - comment: Fake state to satisfy 'require sls:linux.system.cron'
-
- {%- endif %}
|