
add /etc/security management cookbook

1 parent d46435a commit b26bf26043603ab90a3706a5cb67068c3f72b181 @jsierles committed Aug 18, 2011
Showing with 70 additions and 0 deletions.
  1. +9 −0 security/attributes/security.rb
  2. +5 −0 security/recipes/default.rb
  3. +56 −0 security/templates/default/limits.conf.erb
@@ -0,0 +1,9 @@
+default.security[:limits][:global_soft][:user] = "*"
+default.security[:limits][:global_soft][:type] = "soft"
+default.security[:limits][:global_soft][:item] = "nofile"
+default.security[:limits][:global_soft][:value] = 262144
+
+default.security[:limits][:global_hard][:user] = "*"
+default.security[:limits][:global_hard][:type] = "hard"
+default.security[:limits][:global_hard][:item] = "nofile"
+default.security[:limits][:global_hard][:value] = 262144
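Review bot: Both wildcard entries (`global_soft` and `global_hard`, domain `"*"`) do not cover the root user — pam_limits does not apply wildcard or group domains to root, so services running as root keep the system default nofile limit unless an entry with the literal domain `"root"` is added. That is easy to miss from the attribute names alone; a comment above `default.security[:limits][:global_soft][:user] = "*"` such as `# "*" applies to every user except root; add a separate entry with user "root" if root needs it` would make the scope explicit. It is also worth stating next to the hard value that 262144 becomes the per-process ceiling any unprivileged user may raise their own soft limit up to, since that is the security-relevant effect of the hard entry.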
@@ -0,0 +1,5 @@
+template "/etc/security/limits.conf" do
+ owner "root"
+ group "root"
+ mode 0644
+end
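Review bot: The resource does not say when the rendered limits take effect: pam_limits reads /etc/security/limits.conf when a session opens, so existing logins and already-running services keep their current limits until they start a new session, and the recipe correctly notifies nothing. A comment above `template "/etc/security/limits.conf" do` along the lines of `# read by pam_limits at session open; running processes keep their current limits` would save the next operator a surprise. On distributions that ship an /etc/security/limits.d/ directory, drop-in files there are read after this file and can override these entries, so this recipe alone does not guarantee the effective limit; that is worth noting in the same comment.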
@@ -0,0 +1,56 @@
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain> <type> <item> <value>
+#
+#Where:
+#<domain> can be:
+# - an user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+#
+#<type> can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open files
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
+#
+#<domain> <type> <item> <value>
+#
+
+#* soft core 0
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#ftp - chroot /ftp
+#@student - maxlogins 4
+
+<% @node[:security][:limits].each do |name, limit| %>
+# <%= name %>
+<%= limit[:user] %> <%= limit[:type] %> <%= limit[:item] %> <%= limit[:value] %>
+<% end %>
+# End of file
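Review bot: The loop at `<% @node[:security][:limits].each do |name, limit| %>` emits the four fields without checking they are present, so an entry missing e.g. `:value` renders a three-field line that pam_limits rejects or misreads, and the host can end up with an unintended limit. Before the output line, fail the run rather than render a broken file: `<% raise "security limit #{name} is incomplete" unless [:user, :type, :item, :value].all? { |k| limit[k] } %>`. The attribute is called `:user` while the header above documents the field as `<domain>` (which also accepts `@group`, `*` and `%`); a short comment on the generated block, e.g. `# one line per node[:security][:limits] entry: <domain> <type> <item> <value>`, would tie the two together.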
