I did look at the existing material and it was more bash-esque than
Puppet-centric in most cases.
I'll try to get a PR together and we can go from there, but I think you've
answered my question to the point where I have confidence that it won't be
wasted work.
Thanks,
Trevor
On Thu, Feb 20, 2020 at 10:04 AM Matěj Týč <matyc(a)redhat.com> wrote:
We have some Puppet remediations, and even some Puppet templates, so you
can check them out - run
find . -name '*PUPPET*'
find . -name '*.pp'
in the project root.
I feel that this is similar to Ansible remediations, in which case we ship
playbooks, assuming that the respective modules are available for the consumer
of that remediation, or that they know what to do to get them (in case of
Ansible that would be to upgrade to the supported version).
I am not sure about Puppet, but your original question about
self-contained remediations looks different now - I think that mentioning
somewhere what the prerequisites are could do the trick (e.g. something
like Puppet>=6.0 with this and that modules installed). In other words, I
wouldn't try to produce Bash that would install that module and then run
that remediation - I would leave the prerequisite to the sysadmin.
On 18. 02. 20 2:31, Trevor Vaughan wrote:
The modules are downloaded separately.
Fundamentally, it would be something like the following:
> # Command
> $ puppet module install voxpupuli-selinux
>
> # Hiera Data
> ---
> selinux::enable: true
>
> # Puppet Code
> include selinux
>
> Alternatively, something like:
>
> # Command
> $ puppet module install voxpupuli-selinux
>
> # Puppet Code
> class { 'selinux': enable => true }
>
What I'm trying to figure out is whether or not this type of thing is OK
as a remediation.
The first form is preferred due to complexities.
Thanks,
Trevor
On Mon, Feb 17, 2020 at 5:20 PM Shawn Wells <shawn(a)redhat.com> wrote:
>
> On 2/17/20 5:06 PM, Gabe Alford wrote:
> > Are they modules default in Puppet or are they custom or downloaded
> > separately? If they are default in a standard Puppet install, it
> > should be no problem as that is what we do with Ansible tasks.
>
> And if they're custom, there are always the jinja templates. For example:
>
> https://github.com/ComplianceAsCode/content/blob/master/shared/macros-ans...
>
> https://github.com/ComplianceAsCode/content/blob/master/shared/macros-bas...
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide(a)lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fe...
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
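The remediation shape Trevor sketches above (module installed separately, hiera data plus a bare `include selinux`), combined with Matěj's suggestion to state prerequisites rather than have the remediation install modules, as an added example that is not part of this thread or of the ComplianceAsCode project. It assumes Puppet >= 6.0 and the VoxPupuli SELinux module installed from the Forge under the slug `puppet-selinux`; the class parameters `selinux::mode` and `selinux::type` are the names I recall from that module's README, so check them against the `manifests/init.pp` of the version you have installed. The `puppet module list` sample used for the offline check is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or ComplianceAsCode): a Puppet
# remediation for "SELinux enforcing, targeted policy" in the hiera-data +
# include form, shipped with an explicit prerequisite check instead of a
# module installer. Assumptions: Puppet >= 6.0 and the VoxPupuli module
# installed as puppet-selinux; parameter names selinux::mode / selinux::type
# are assumed from that module's README.
set -eu

REQUIRED_MODULE='puppet-selinux'
REQUIRED_PUPPET_MAJOR=6

# Constructed sample of `puppet module list` output, for offline checks only.
SAMPLE_MODULE_LIST='/etc/puppetlabs/code/environments/production/modules
├── puppet-selinux (v3.2.0)
└── puppetlabs-stdlib (v6.2.0)'

# Prerequisite 1: major version taken from `puppet --version` (e.g. "6.16.0").
puppet_version_ok() {
  major=${1%%.*}
  case "$major" in
    ''|*[!0-9]*) return 1 ;;   # not a number: treat the prerequisite as unmet
  esac
  [ "$major" -ge "$REQUIRED_PUPPET_MAJOR" ]
}

# Prerequisite 2: is module $1 present in the `puppet module list` output $2?
# Listing lines look like "├── puppet-selinux (v3.2.0)"; match name + "(v".
module_present() {
  printf '%s\n' "$2" | grep -Eq "(^|[[:space:]])$1 \(v[0-9]"
}

# Write the remediation (hiera.yaml, hiera data, manifest) into directory $1.
write_remediation() {
  dir=$1
  mkdir -p "$dir/data"
  # Global hiera config pointing at our data dir (absolute path, so it does
  # not depend on where puppet apply is invoked from).
  cat > "$dir/hiera.yaml" <<EOF
---
version: 5
defaults:
  datadir: $dir/data
  data_hash: yaml_data
hierarchy:
  - name: Common
    path: common.yaml
EOF
  # Hiera data: class parameters, picked up by automatic parameter lookup.
  cat > "$dir/data/common.yaml" <<'EOF'
---
selinux::mode: 'enforcing'
selinux::type: 'targeted'
EOF
  # Puppet code: nothing but the include; all tuning lives in the hiera data.
  cat > "$dir/site.pp" <<'EOF'
include selinux
EOF
}

# Check prerequisites, then apply. This never installs the module itself;
# an unmet prerequisite is reported to the sysadmin and the script exits 2.
main() {
  if ! command -v puppet >/dev/null 2>&1; then
    echo "puppet not found; nothing applied" >&2
    return 2
  fi
  version=$(puppet --version)
  puppet_version_ok "$version" || {
    echo "prerequisite unmet: need Puppet >= $REQUIRED_PUPPET_MAJOR.0, found $version" >&2
    return 2
  }
  modules=$(puppet module list 2>/dev/null)
  module_present "$REQUIRED_MODULE" "$modules" || {
    echo "prerequisite unmet: run 'puppet module install $REQUIRED_MODULE' first" >&2
    return 2
  }
  workdir=$(mktemp -d)
  write_remediation "$workdir"
  puppet apply --hiera_config "$workdir/hiera.yaml" "$workdir/site.pp"
  # Post-check: the live mode. A change away from "disabled" only takes
  # effect after a reboot, so getenforce may still disagree with the config.
  getenforce
}

# Usage: sh selinux_enforcing.sh apply   (as root, on the target host)
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it as `sh selinux_enforcing.sh apply`; to preview first, add `--noop` to the `puppet apply` line. The only Puppet code the remediation ships is the one-line `include selinux`, which is the form Trevor says he prefers, and the prerequisite text a rule would carry is exactly what the two checks test: Puppet >= 6.0 with puppet-selinux installed.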