On Sat, Apr 24, 2010 at 4:27 PM, Russ Allbery <r...@stanford.edu> wrote:
> Douglas Garstang <doug.garst...@gmail.com> writes:
>
>> I am trying to write a module for tripwire. I need to push out the
>> twcfg.txt and twpol.txt files only if the tw.cfg and tw.pol files do not
>> currently exist.
>
>> How can I do this with File{}? I can't seem to find a way to do it.
>> In general terms, how can you deploy file A only when file B does not
>> exist?
>
>> And... tripwire... what a mess. I am trying to push out the site
>> key, then use several Exec{}'s to generate the local key, and encrypt
>> tw.cfg from twcfg.txt and tw.pol from twpol.txt. Hence the need to
>> deploy the source files only if the encrypted files are gone.
>
> I think that if you're installing Tripwire policy files on local disk, I
> would take a step back and see if you have a better design available.
> Tripwire is the poster child for something that really wants a read-only
> network file system.  You want to only be able to update the files in one
> place that requires secure access, and then have all your systems read the
> signed database files from that one place but not have the ability to
> change them.

A read-only network file system... Well, all I can think of there that
would be appropriate would be sshfs. Having never implemented it, I'm
not sure what's involved in that. I'm not sure why a read-only file
system is required though. What's wrong with puppet managing the
files?

>
> You can simulate most of the protection that you get from that by having
> Puppet actively monitor things like the local keys and warn you if the
> attacker just changes keys so that they can initialize a new database, but
> I think it's easier to just put it on a network file system in the first
> place.

Still don't understand why a network read-only file system is better
than puppet.

>
> Doing Tripwire properly is generally hard anyway, since you need a way of
> doing the system verification run that the attacker can't just replace
> with a cron job that mails you a copy of a clean report, although to some
> extent you can rely on lazy attackers who don't find things like that.

PCI compliance doesn't go into details. The whole thing is a crock of
shit really. Installation of tripwire was one of the requirements on
the list of 10,000 or so, so that's what I am trying to implement.
Then again, so was anti-virus software on Linux...

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
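An added example, not from the thread or from any Puppet module, showing one way to do what Douglas asks: stage the plaintext sources, copy each into place only while its encrypted counterpart is absent, and let `creates` make the twadmin steps idempotent. The module name, staging path, key-file names and the twadmin options (as in open-source Tripwire 2.4) are assumptions; check them against your installation.

```puppet
# Added example, not from the thread. Assumes a "tripwire" module shipping
# twcfg.txt, twpol.txt and site.key under files/, a staging path I chose,
# and twadmin options as in open-source Tripwire 2.4 (check your version).
class tripwire::install {
  $cfgdir  = '/etc/tripwire'
  $staging = '/var/lib/puppet-tripwire'    # assumed staging directory
  $sitepw  = 'SITE-PASSPHRASE-PLACEHOLDER' # see note on passphrases below
  $localpw = 'LOCAL-PASSPHRASE-PLACEHOLDER'

  package { 'tripwire': ensure => installed }
  File { owner => 'root', group => 'root', mode => '0600',
         require => Package['tripwire'] }
  Exec { path => ['/bin', '/usr/bin', '/usr/sbin'], require => Package['tripwire'] }

  # File{} cannot be made conditional on another file, so the plaintext
  # sources are staged unconditionally (root-only) and copied in by Execs.
  file { $staging: ensure => directory, mode => '0700' }
  file { "${staging}/twcfg.txt": source => 'puppet:///modules/tripwire/twcfg.txt' }
  file { "${staging}/twpol.txt": source => 'puppet:///modules/tripwire/twpol.txt' }
  file { "${cfgdir}/site.key":   source => 'puppet:///modules/tripwire/site.key' }

  # Copy each plaintext into place only while its encrypted twin is absent.
  exec { 'stage-twcfg':
    command => "cp ${staging}/twcfg.txt ${cfgdir}/twcfg.txt",
    unless  => "test -e ${cfgdir}/tw.cfg",
    require => File["${staging}/twcfg.txt"],
  }
  exec { 'stage-twpol':
    command => "cp ${staging}/twpol.txt ${cfgdir}/twpol.txt",
    unless  => "test -e ${cfgdir}/tw.pol",
    require => File["${staging}/twpol.txt"],
  }

  # The local key is generated per host; "creates" keeps each step idempotent,
  # so once tw.cfg and tw.pol exist nothing below is redone.
  exec { 'gen-local-key':
    command => "twadmin --generate-keys --local-keyfile ${cfgdir}/${::hostname}-local.key --local-passphrase '${localpw}'",
    creates => "${cfgdir}/${::hostname}-local.key",
  }
  exec { 'encrypt-twcfg':
    command => "twadmin --create-cfgfile --cfgfile ${cfgdir}/tw.cfg --site-keyfile ${cfgdir}/site.key --site-passphrase '${sitepw}' ${cfgdir}/twcfg.txt",
    creates => "${cfgdir}/tw.cfg",
    require => [Exec['stage-twcfg'], File["${cfgdir}/site.key"]],
  }
  exec { 'encrypt-twpol':
    command => "twadmin --create-polfile --cfgfile ${cfgdir}/tw.cfg --site-keyfile ${cfgdir}/site.key --site-passphrase '${sitepw}' ${cfgdir}/twpol.txt",
    creates => "${cfgdir}/tw.pol",
    require => [Exec['stage-twpol'], Exec['encrypt-twcfg']],
  }
}
```

Passphrases passed on the command line are visible in process listings and Puppet reports, and anyone who can edit this manifest can re-sign the policy; that is the gap Russ's read-only network file system is meant to close.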