The format would make sense to general Puppet users. Basically, if I say `puppet module install voxpupuli-selinux`, I know that this means that I need to install the "selinux" module by the "voxpupuli" author regardless of how I do it. It provides enough information for a Puppet user to know what to do.

Technically, we could certainly include a Puppetfile and that would work quite well. I'll freely admit that most of my patches will come with the SIMP stack because it was specifically designed to meet these requirements. That's part of the question: if I can do something with three different modules, which one do I choose? Also, frankly, does it matter as long as there's someone that provides care and feeding to the stack (the one requirement that I would place is that the referenced materials be FOSS unless there is no other option)?

If multiple rules attempt to download the same module, nothing bad will happen; the tool simply notes that the module is installed and continues on. Where this gets slightly hairy is in running multiple individual rules. Take, for instance, the audit rules. It would be best if they were all tackled at the same time, and a new puppet user may not know that they need to make their data layer additive instead of running individual commands multiple times. I'm not entirely sure how to handle this.
Thanks,
Trevor
On Mon, Feb 17, 2020 at 9:08 PM Shawn Wells <shawn(a)redhat.com> wrote:
On 2/17/20 8:31 PM, Trevor Vaughan wrote:
> The modules are downloaded separately.
> Fundamentally, it would be something like the following:
> # Command
> $ puppet module install voxpupuli-selinux
>
> # Hiera Data
> ---
> selinux::enable: true
>
> # Puppet Code
> include selinux
>
> Alternatively, something like:
>
> # Command
> $ puppet module install voxpupuli-selinux
>
> # Puppet Code
> class { 'selinux': enable => true }
>
> What I'm trying to figure out is whether or not this type of thing is OK
> as a remediation.
> The first form is preferred due to complexities.
Well..... not sure how many community members have enough Puppet experience to have an opinion or suggestions. Thanks so much for opening the question on the mailing list though! Hopefully someone does :) Most we could do is likely ask guiding questions.

- What effect would this have for disconnected environments? If someone is using Puppet, is it assumed that "puppet module install" goes to some on-prem location?
- Could/should we put module dependencies into a Puppetfile that gets included when puppet remediations are built?
- If multiple rules attempt to install the same module, will each "puppet module install" attempt to redownload the same module? Or will it say something like "already installed" and continue?
_______________________________________________
scap-security-guide mailing list --
scap-security-guide(a)lists.fedorahosted.org
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
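One way to make the per-rule data layer additive, which is the difficulty Trevor raises for the audit rules at the end of his reply: each remediation ships its own small Hiera fragment and a single class merges all fragments with Puppet's `unique` merge strategy, so no rule overwrites another. This is an added illustration, not code from the thread, from SIMP or from the SCAP Security Guide project; the key name `ssg::audit_rules`, the `rules/*.yaml` layout, the class name and the output path are assumptions.

```puppet
# Added example (not from the thread): merging per-rule Hiera fragments
# instead of letting each rule overwrite the same key.
#
# Assumed hiera.yaml (hypothetical layout): a glob level picks up one
# data file per remediation, then a common file declares the merge rule.
#
#   version: 5
#   hierarchy:
#     - name: 'Per-rule remediation data'
#       glob: 'rules/*.yaml'
#     - name: 'Common'
#       path: 'common.yaml'
#
# rules/audit_time_change.yaml (constructed sample fragment):
#   ssg::audit_rules:
#     - '-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change'
#
# rules/audit_sudoers.yaml (constructed sample fragment):
#   ssg::audit_rules:
#     - '-w /etc/sudoers -p wa -k actions'
#
# common.yaml: without this, the highest-priority file wins and the other
# rule silently disappears; with it, every fragment is collected.
#   lookup_options:
#     ssg::audit_rules:
#       merge: unique

class ssg::audit (
  # Hypothetical output path; rules.d is where augenrules collects rule files.
  String $rules_file = '/etc/audit/rules.d/ssg.rules',
) {
  # Ask for a 'unique' merge explicitly as well, so the class stays additive
  # even when a data layer forgets the lookup_options entry above.
  $rules = lookup('ssg::audit_rules', Array[String], 'unique', [])

  # One managed file holds every rule gathered from all fragments.
  file { $rules_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => join($rules + [''], "\n"),   # join is core Puppet since 5.5
  }

  # Reload the merged rule set only when the file actually changed.
  exec { 'ssg-augenrules-load':
    command     => 'augenrules --load',
    path        => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
    refreshonly => true,
    subscribe   => File[$rules_file],
  }
}

include ssg::audit
```

With this layout, a remediation for a new audit rule only adds another `rules/*.yaml` fragment; the same single `include` remains valid whether one rule or all of them are applied.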