The format would make sense to general Puppet users.

Basically, if I say `puppet module install voxpupuli-selinux`, I know that this means that I need to install the "selinux" module by the "voxpupuli" author regardless of how I do it. It provides enough information for a Puppet user to know what to do.

Technically, we could certainly include a Puppetfile and that would work quite well. I'll freely admit that most of my patches will come with the SIMP stack because it was specifically designed to meet these requirements.

That's part of the question: if I can do something with three different modules, which one do I choose? Also, frankly, does it matter as long as there's someone that provides care and feeding to the stack (the one requirement that I would place is that the referenced materials be FOSS unless there is no other option)?

If multiple rules attempt to download the same module, nothing bad will happen; the tool simply notes that the module is installed and continues on.

Where this gets slightly hairy is in running multiple individual rules. Take, for instance, the audit rules. It would be best if they were all tackled at the same time, and a new Puppet user may not know that they need to make their data layer additive instead of running individual commands multiple times. I'm not entirely sure how to handle this.

Thanks,

Trevor

On Mon, Feb 17, 2020 at 9:08 PM Shawn Wells <shawn@redhat.com> wrote:


On 2/17/20 8:31 PM, Trevor Vaughan wrote:
The modules are downloaded separately.

Fundamentally, it would be something like the following:


# Command
$ puppet module install voxpupuli-selinux

# Hiera Data
---
selinux::enable: true

# Puppet Code
include selinux

Alternatively, something like:

# Command
$ puppet module install voxpupuli-selinux

# Puppet Code
class { 'selinux': enable => true }

What I'm trying to figure out is whether or not this type of thing is OK as a remediation.

The first form is preferred due to complexities.


Well..... not sure how many community members have enough Puppet experience to have an opinion or suggestions. Thanks so much for opening the question on the mailing list though! Hopefully someone does :) Most we could do is likely ask guiding questions.

- What effect would this have for disconnected environments? If someone is using Puppet, is it assumed that "puppet module install" goes to some on-prem location?
- Could/should we put module dependencies into a Puppetfile that gets included when puppet remediations are built?
- If multiple rules attempt to install the same module, will each "puppet module install" attempt to redownload the same module? Or will it say something like "already installed" and continue?

_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org


--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
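As an added example (not code from this thread, from SIMP or from the SCAP Security Guide project), here is what a remediation build step could do about the Puppetfile, duplicate-install and additive-data questions raised above: per-rule fragments are merged into one Puppetfile that lists each module once, and per-rule Hiera data is merged so that list-valued keys such as audit rules accumulate instead of overwriting each other. The rule names, the `example-auditd` module and the `auditd::rules` key are assumptions; the check for conflicting version pins goes beyond what the thread discusses.

```python
# What each rule's remediation would contribute (constructed sample input;
# only voxpupuli-selinux and selinux::enable come from the thread).
RULE_FRAGMENTS = [
    {"rule": "selinux_state", "modules": {"voxpupuli-selinux": "3.2.0"},
     "hiera": {"selinux::enable": True}},
    {"rule": "audit_rules_login_events", "modules": {"example-auditd": None},
     "hiera": {"auditd::rules": ["-w /var/log/lastlog -p wa -k logins"]}},
    {"rule": "audit_rules_time_change", "modules": {"example-auditd": None},
     "hiera": {"auditd::rules": ["-w /etc/localtime -p wa -k time-change"]}},
]

def build_puppetfile(fragments):
    """One 'mod' line per distinct module: a second rule naming an already
    listed module is skipped; two rules pinning different versions is an error."""
    pins = {}
    for frag in fragments:
        for name, version in frag["modules"].items():
            seen = pins.get(name)
            if seen and version and seen != version:
                raise ValueError(f"{name}: conflicting pins {seen} and {version}")
            pins[name] = seen or version  # keep an explicit pin if either side has one
    return "\n".join(f"mod '{n}'" + (f", '{v}'" if v else "") for n, v in pins.items())

def merge_hiera(fragments):
    """Merge Hiera data additively: list-valued keys (the audit rules) are
    concatenated without duplicates; scalar keys must agree across rules."""
    merged = {}
    for frag in fragments:
        for key, value in frag["hiera"].items():
            if isinstance(value, list):
                bucket = merged.setdefault(key, [])
                for item in value:
                    if item not in bucket:
                        bucket.append(item)
            elif key in merged and merged[key] != value:
                raise ValueError(f"{key}: {merged[key]!r} conflicts with {value!r}")
            else:
                merged[key] = value
    return merged

def render_hiera(data):
    """Minimal YAML rendering (booleans, strings and lists of strings only)."""
    lines = ["---"]
    for key, value in data.items():
        if isinstance(value, list):
            lines.append(f"{key}:")
            lines.extend(f"  - '{item}'" for item in value)
        else:
            lines.append(f"{key}: {str(value).lower() if isinstance(value, bool) else value}")
    return "\n".join(lines)
```

Running `build_puppetfile(RULE_FRAGMENTS)` and `render_hiera(merge_hiera(RULE_FRAGMENTS))` yields the single Puppetfile and Hiera file that the combined remediation would ship instead of one `puppet module install` per rule.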