[ale] Working with Puppet (Was: Re: checking for interest for a free intro class "Introduction to Automating Linux System Administration using CFEngine 3")
George Allen
glallen01 at gmail.com
Thu Feb 16 15:18:13 EST 2012
This was another, similar project: http://oss.tresys.com/projects/clip
Has a RHEL kickstart to apply the following:
• Director of Central Intelligence Directive 6/3 “Protecting Sensitive Compartmented Information within Information Systems” (DCID 6/3) Protection Level 4 (PL4)
• National Security Systems (NSS) Instruction 1253 “Security Controls Catalog for National Security Systems” High Impact requirements
• Department of Defense (DoD) Instruction Number 8500.2 “Information Assurance (IA) Implementation” MAC I Classified requirements
• Defense Information System Agency (DISA) Information Assurance Support Environment (IASE) Security Technical Implementation Guides (STIG) Unix V5R1
Haven't tried it yet. Attempted to feed the kickstart link from here:
http://oss.tresys.com/projects/clip/wiki/GettingStarted into CentOS...
but it turns out I don't know anything about RedHat/Centos or
rpm/yum... it was actually easier for me to play with freebsd the
other day than when I was banging my head against yum, having grown up
on solaris, slackware and debian.
On Thu, Feb 16, 2012 at 2:40 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
> Cool!
>
> I used a series of postinstall kickstart scripts that accomplished the
> security lockdown when I was at GTRI. I did not write them but was happy to
> see the powers that be that performed security analysis were very happy with
> their output. That entire process should be fairly easy to dump into puppet
> for change control.
>
> When I left, RHEL6 was under development for similar treatment.
>
>
> On Thu, Feb 16, 2012 at 2:17 PM, George Allen <glallen01 at gmail.com> wrote:
>>
>> There is a project on Forge.mil to build configs for Puppet to apply
>> the DISA STIGs and NSA Guides. So far they're only set up to apply to a
>> RHEL 5.x box from what I understand, and I haven't played with them
>> yet... but I would definitely like to start learning puppet as soon as
>> I get some time.
>>
>> On Tue, Feb 14, 2012 at 1:38 PM, mike at trausch.us <mike at trausch.us> wrote:
>> > On 02/14/2012 09:56 AM, mike at trausch.us wrote:
>> >> I am finding myself somewhat happy with it. I'm still allergic to
>> >> things written in Ruby, of course. If there were a drop-in Puppet
>> >> clone
>> >> in Python, I'd be all over that like white on rice, and I may not stay
>> >> with puppet forever, but for the time being, I am rather liking it. I
>> >> have a master on Linode, a server here at the house, and a VM on my
>> >> desktop that I am using to play with it for the time being.
>> >
>> > At this point, I have a working setup that manages SSH and NTP
>> > configuration (yeah, I know, stupid easy for those who do Puppet in
>> > their sleep) for both Gentoo and Debian systems, including handling some
>> > interesting differences between the two distributions.
>> >
>> > One thing that I am finding that is annoying is that it seems that you
>> > can say things like "debian" in selectors, but if you use a regex it
>> > refuses to allow it (because it won't match "Debian"). There is a bug
>> > in Puppet's Redmine instance (#3229), but it seems to have been
>> > summarily closed without action.
>> >
>> > It seems that the "case" command matches case-insensitive whereas
>> > selectors using regular expressions do not. Of course a character class
>> > can be used to work around that, but I don't see a way to tell Puppet's
>> > regular expression system to simply match case-insensitive.
>> >
>> > I think that it may be possible for me to Puppet-ize my production
>> > domain within the next day or two. That in itself is fascinating to me.
>> >
>> > One thing I would like to do, though I haven't quite figured out how it
>> > would fit into Puppet's framework, would be to enforce certain types of
>> > policy, like "ensure that all systems have run their updates once per
>> > week". There are other ways of doing that, of course, but I think it'd
>> > be nice to have _all_ my configuration in a single system, and not just
>> > most of it.
>> >
>> > Another thing I would like to be able to do is somehow give Puppet a
>> > whitelist of packages that are allowed to be on various systems, such
>> > that any package that (a) isn't in the whitelist and (b) isn't a
>> > dependency of something in the whitelist will be removed by Puppet
>> > automagically.
>> >
>> > Both of the last two things, though, seem to be outside of the scope of
>> > Puppet's capabilities.
>> >
>> > --- Mike
>> >
>> > --
>> > A man who reasons deliberately, manages it better after studying Logic
>> > than he could before, if he is sincere about it and has common sense.
>> > --- Carveth Read, “Logic”
>> >
>> >
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org
>> > http://mail.ale.org/mailman/listinfo/ale
>> > See JOBS, ANNOUNCE and SCHOOLS lists at
>> > http://mail.ale.org/mailman/listinfo
>> >
>>
>
> --
> --
> James P. Kinney III
>
> As long as the general population is passive, apathetic, diverted to
> consumerism or hatred of the vulnerable, then the powerful can do as they
> please, and those who survive will be left to contemplate the outcome.
> - 2011 Noam Chomsky
>
> http://heretothereideas.blogspot.com/
>
>
>
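An added illustration (not code from anyone in this thread) of the case-versus-selector behaviour Mike describes: the `case` statement matches the operatingsystem fact regardless of capitalisation, while a selector regex must spell out the character classes itself. It assumes the standard `$::operatingsystem` fact and the Debian/Gentoo service and package names shown.

```puppet
# Added example, not from the thread. Selector regexes are matched
# case-sensitively, so "Debian" would not match /debian/; the usual
# workaround is a character class for the first letter.
$ssh_service = $::operatingsystem ? {
  /^[Dd]ebian$/ => 'ssh',    # Debian ships the daemon as the "ssh" service
  /^[Gg]entoo$/ => 'sshd',
  default       => 'sshd',
}

# String matches in a case statement are compared case-insensitively,
# so a lowercase literal is enough here.
case $::operatingsystem {
  'debian': { $ntp_package = 'ntp' }
  'gentoo': { $ntp_package = 'net-misc/ntp' }
  default:  { fail("Unsupported OS: ${::operatingsystem}") }
}

package { $ntp_package:
  ensure => installed,
}

service { $ssh_service:
  ensure => running,
  enable => true,
}
```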