We have some Puppet remediations, and even some puppet templates, so you can check them out - run
find . -name '*PUPPET*'
find . -name '*.pp'
in the project root.
I feel that this is similar to Ansible remediations, in which case we ship playbooks, assuming that respective modules are available for the consumer of that remediation, or that they know what to do to get them (in case of Ansible that would be to upgrade to the supported version).
I am not sure about Puppet, but your original question about
self-contained remediations looks different now - I think that
mentioning somewhere what the prerequisites are could do the trick
(e.g. something like Puppet>=6.0 with this and that modules
installed). In other words, I wouldn't try to produce Bash that
would install that module and then run that remediation - I would
leave the prerequisite to the sysadmin.
The modules are downloaded separately.
Fundamentally, it would be something like the following:
# Command
$ puppet module install voxpupuli-selinux

# Hiera Data
---
selinux::enable: true

# Puppet Code
include selinux
Alternatively, something like:
# Command
$ puppet module install voxpupuli-selinux

# Puppet Code
class { 'selinux': enable => true }
What I'm trying to figure out is whether or not this type of thing is OK as a remediation.
The first form is preferred due to complexities.
Thanks,
Trevor
On Mon, Feb 17, 2020 at 5:20 PM Shawn Wells <shawn@redhat.com> wrote:
On 2/17/20 5:06 PM, Gabe Alford wrote:
> Are they modules default in Puppet or are they custom or downloaded
> separately? If they are default in a standard Puppet install, it
> should be no problem as that is what we do with Ansible tasks.
And if they're custom, there are always the jinja templates. For example:
https://github.com/ComplianceAsCode/content/blob/master/shared/macros-ansible.jinja
https://github.com/ComplianceAsCode/content/blob/master/shared/macros-bash.jinja
_______________________________________________
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedorahosted.org
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --
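An added example, not code from this thread or from the ComplianceAsCode project: a POSIX sh prerequisite check of the kind the discussion above says should be left to the sysadmin rather than folded into the remediation. It installs nothing; it only reports whether the stated prerequisites (a minimum Puppet version and an installed module) are met, taking the output of `puppet --version` and `puppet module list` as arguments so it can run offline against the constructed sample at the bottom. The minimum version 6.0 follows the suggestion above; the sample module listing, its version numbers and the module name as printed by `puppet module list` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the ComplianceAsCode project): check the
# prerequisites of a module-based Puppet remediation without installing
# anything. Minimum version and module name are illustrative assumptions.

REQUIRED_PUPPET="6.0"

# version_ge A B: return 0 if dotted version A is >= dotted version B.
# Compares component by component; missing components count as 0 and
# any non-numeric suffix (e.g. "-rc1") is dropped from a component.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# module_installed LIST NAME: return 0 if NAME appears as an installed
# module in LIST, the text of `puppet module list` (lines such as
# "├── some-module (v1.2.3)"). Fixed-string match on " NAME (" so that
# "selinux" does not match "puppet-selinux".
module_installed() {
    printf '%s\n' "$1" | grep -qF -- " $2 ("
}

# check_prereqs VERSION LIST MODULE: verify both prerequisites, say
# which one is missing, and return non-zero so the caller can stop
# before applying the manifest.
check_prereqs() {
    if ! version_ge "$1" "$REQUIRED_PUPPET"; then
        echo "prerequisite missing: Puppet >= $REQUIRED_PUPPET (found $1)" >&2
        return 1
    fi
    if ! module_installed "$2" "$3"; then
        echo "prerequisite missing: module $3 (install with: puppet module install $3)" >&2
        return 1
    fi
    return 0
}

# Constructed sample output standing in for `puppet --version` and
# `puppet module list`, so the check runs offline; the versions and the
# set of modules are made up for this example.
SAMPLE_VERSION="6.14.0"
SAMPLE_MODULES="/etc/puppetlabs/code/environments/production/modules
├── voxpupuli-selinux (v3.2.0)
└── puppetlabs-stdlib (v6.2.0)"

# Real use would be:
#   check_prereqs "$(puppet --version)" "$(puppet module list 2>/dev/null)" voxpupuli-selinux
check_prereqs "$SAMPLE_VERSION" "$SAMPLE_MODULES" voxpupuli-selinux && echo "prerequisites met"
```

One caveat when wiring this to a real host: `puppet module list` prints the name recorded in each module's metadata.json, which is not always the same as the Forge slug given to `puppet module install`, so pass the name as it is actually listed.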