Douglas Garstang <doug.garst...@gmail.com> writes:

> I am trying to write a module for tripwire. I need to push out the
> twcfg.txt and twpol.txt files only if the tw.cfg and tw.pol files do not
> currently exist.

> How can I do this with File{}? I can't seem to find a way to do it.
> In general terms, how can you deploy file A only when file B does not
> exist?

> And... tripwire... what a mess. I am trying to push out the site
> key, then use several Exec{}'s to generate the local key, and encrypt
> tw.cfg from twcfg.txt and tw.pol from twpol.txt. Hence the need to
> deploy the source files only if the encrypted files are gone.

I think that if you're installing Tripwire policy files on local disk, I
would take a step back and see if you have a better design available.
Tripwire is the poster child for something that really wants a read-only
network file system. You want to only be able to update the files in one
place that requires secure access, and then have all your systems read the
signed database files from that one place but not have the ability to
change them.

You can simulate most of the protection that you get from that by having
Puppet actively monitor things like the local keys and warn you if the
attacker just changes keys so that they can initialize a new database, but
I think it's easier to just put it on a network file system in the first
place.

Doing Tripwire properly is generally hard anyway, since you need a way of
doing the system verification run that the attacker can't just replace
with a cron job that mails you a copy of a clean report, although to some
extent you can rely on lazy attackers who don't find things like that.

-- 
Russ Allbery (r...@stanford.edu)             <http://www.eyrie.org/~eagle/>
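For the mechanical half of the question ("deploy A only when B does not exist"), a Puppet manifest in the shape the poster describes, added here as an illustration and not code from either participant. Puppet's `file` resource cannot be made conditional on a file that exists only on the agent (the catalog is compiled on the master), so the usual idiom is to let the step that consumes the plaintext be an `exec` guarded by `creates => <encrypted file>`, and to ship the plaintext with `replace => false` so it is created once and never rewritten. The module name `tripwire`, the `/etc/tripwire` paths, the key file names and the Hiera keys `tripwire::site_passphrase` / `tripwire::local_passphrase` are assumptions.

```puppet
# Added example, not from the thread. Assumed layout: site key and plaintext
# twcfg.txt / twpol.txt live in the 'tripwire' module's files/ directory;
# passphrases come from Hiera (ideally eyaml) under assumed keys.
class tripwire::bootstrap (
  String $twdir            = '/etc/tripwire',
  String $site_passphrase  = lookup('tripwire::site_passphrase'),
  String $local_passphrase = lookup('tripwire::local_passphrase'),
) {
  $host      = $facts['networking']['hostname']
  $site_key  = "${twdir}/site.key"
  $local_key = "${twdir}/${host}-local.key"
  $bin       = ['/usr/sbin', '/usr/bin', '/sbin', '/bin']

  file { $twdir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # The site key is pushed unconditionally; it is the same on every host.
  file { $site_key:
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    source => 'puppet:///modules/tripwire/site.key',
  }

  # Plaintext sources: 'replace => false' creates them if missing and
  # never overwrites them afterwards. This is the closest File{} gets to
  # "only when the encrypted file does not exist".
  file { "${twdir}/twcfg.txt":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    replace => false,
    source  => 'puppet:///modules/tripwire/twcfg.txt',
  }

  file { "${twdir}/twpol.txt":
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    replace => false,
    source  => 'puppet:///modules/tripwire/twpol.txt',
  }

  # Each exec runs only while its 'creates' target is absent, so the
  # pipeline is idempotent: once tw.cfg / tw.pol exist nothing re-runs.
  exec { 'tripwire-local-key':
    command => "twadmin --generate-keys --local-keyfile ${local_key} --local-passphrase '${local_passphrase}'",
    creates => $local_key,
    path    => $bin,
    require => File[$twdir],
  }

  exec { 'tripwire-cfg':
    command => "twadmin --create-cfgfile --cfgfile ${twdir}/tw.cfg --site-keyfile ${site_key} --site-passphrase '${site_passphrase}' ${twdir}/twcfg.txt",
    creates => "${twdir}/tw.cfg",
    path    => $bin,
    require => File[$site_key, "${twdir}/twcfg.txt"],
  }

  exec { 'tripwire-pol':
    command => "twadmin --create-polfile --cfgfile ${twdir}/tw.cfg --polfile ${twdir}/tw.pol --site-keyfile ${site_key} --site-passphrase '${site_passphrase}' ${twdir}/twpol.txt",
    creates => "${twdir}/tw.pol",
    path    => $bin,
    require => [Exec['tripwire-cfg'], File["${twdir}/twpol.txt"]],
  }
}
```

Two caveats a reviewer would raise, both consistent with the reply above. First, the passphrases are passed on the `twadmin` command line, so they are visible in `ps` while the command runs and will appear in the agent log if an exec fails; keeping the signed files off local disk, as the reply recommends, sidesteps this entirely. Second, `creates` checks only existence: an attacker who deletes `tw.cfg` or the local key gets Puppet to regenerate them from whatever `twcfg.txt` and `twpol.txt` now contain, which is precisely the key-swap-and-reinitialise scenario the reply says Puppet must be watching for rather than quietly repairing.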