Hi,

Couldn't he run --noop as a scanner for hosts out of compliance and then, when one is found, run a normal puppet run? (Obviously you don't have to run in noop; you can just run normal runs and monitor reports.)

That way management can see that non-compliant hosts are being made compliant (a much more useful report, one would think). So the solution would be to describe the state of the sshd_config file the way it should be and enforce that. Reporting options on that are normal puppet reports.

Cheers,
Den

On 28/12/2012, at 7:23, Christopher Wood <christopher_w...@pobox.com> wrote:

> Metaphorically, your management is asking you to drive nails with a
> screwdriver. The right tool for the job here is facter, not puppet. (And
> puppet already uses facter, so your management apparently doesn't understand
> the stack here.) While this is ultimately their problem, it sounds like you
> have to act as an enabler in order to keep your job and buy your groceries.
> Anyway, on to the helpful stuff!
>
> I have no idea what sort of thing is in this compliance report. I will assume
> that it is checking which hosts have successfully completed a puppet agent
> run. To deliberately fail this in your scenario I might:
>
> - write a script which checks the value of PermitRootLogin
> - the script should exit with a non-zero status if the value is undesired
> - package this script in a deb (or rpm on your platform)
> - use puppet to distribute my deb everywhere
> - use an exec to run the script
>
> Then you will see the same style of failure as if you ran this:
>
> $ puppet apply -e 'exec { "/bin/false": }'
> err: /Stage[main]//Exec[/bin/false]/returns: change from notrun to 0 failed:
> /bin/false returned 1 instead of one of [0] at line 1
> notice: Finished catalog run in 0.08 seconds
>
> And that means the host is non-compliant.
>
> Another item on my original point: ensure your communications with management
> on this matter are all documented via email. When they finally figure out how
> much technical debt they are accruing you will not wish to be left holding
> their bag.
>
>
> On Thu, Dec 27, 2012 at 12:01:08PM -0800, pdiddy wrote:
>> Understood, but is it possible to get it done via puppet? I have a
>> management requirement.
>>
>> On Thursday, December 27, 2012 2:52:31 PM UTC-5, Christopher Wood wrote:
>>
>> You might be better off putting together a custom fact about this. Then
>> you can check fact(s) on the host(s) without trying to
>> manage-but-not-manage something inside puppet.
>>
>> On Thu, Dec 27, 2012 at 11:15:14AM -0800, pdiddy wrote:
>>> How do I check the content of a file in puppet?
>>> ex: I want to see if "PermitRootLogin" is "no" in the /etc/ssh/sshd_config
>>> file (RHEL). If it's "yes" I want to show it on the compliance report. For now
>>> I don't want to make any changes to the sshd_config file through puppet.
>>> Here is something I have:
>>>
>>> define line($file, $line, $ensure = 'present') {
>>>   case $ensure {
>>>     default: { err("unknown ensure value ${ensure}") }
>>>     present: {
>>>       # Fail the run (so the host shows as failed in the report) when the
>>>       # line is missing; the exec is skipped when grep finds the line.
>>>       exec { "flag_${name}":
>>>         command => '/bin/false',
>>>         unless  => "/bin/grep -q '${line}' '${file}'",
>>>       }
>>>     }
>>>   }
>>> }
>>>
>>> line { 'permit_root_login':
>>>   file => '/etc/ssh/sshd_config',
>>>   line => 'PermitRootLogin no',
>>> }

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
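Added example, not from the thread or from the Puppet or Facter projects: a Facter custom fact, as Christopher suggested, that reports the effective global PermitRootLogin value without touching sshd_config. The point it adds over the grep-based exec posted above is that a literal `grep 'PermitRootLogin no'` is not a compliance check: it also matches the commented-out "#PermitRootLogin no" shipped in the default file, a setting inside a "Match" block that applies only to some users, and a later duplicate that sshd ignores because the first occurrence wins. The fact name `sshd_permitrootlogin`, the config path, and the assumption that an absent keyword means the compiled-in default "yes" (true for OpenSSH before 7.0) are all assumptions of this example, and the sample config is constructed.

```ruby
# Added example (not from the thread): a Facter custom fact reporting the
# effective global PermitRootLogin value, for a compliance report that must
# observe but not change sshd_config. Drop it in <module>/lib/facter/ and
# facter will load it via pluginsync; stand-alone it just runs the demo.

SSHD_CONFIG = '/etc/ssh/sshd_config'   # assumed path (RHEL default)

# Effective global value of +keyword+ in sshd_config text, following sshd's
# own rules: '#' comment lines are skipped, keywords are case-insensitive,
# the separator is whitespace or '=', the first occurrence wins, and
# everything after a "Match" line is conditional, so it never counts as the
# global value. When the keyword is absent, +default+ is returned; 'yes'
# is assumed here as the compiled-in default for PermitRootLogin (OpenSSH < 7.0).
def sshd_global_setting(text, keyword, default = 'yes')
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    return default if key.casecmp('match').zero?   # global section is over
    return value.to_s.strip.downcase if key.casecmp(keyword).zero?
  end
  default
end

# The compliance predicate a report would consume.
def permit_root_login_compliant?(text)
  sshd_global_setting(text, 'PermitRootLogin') == 'no'
end

# What the grep-based check in the thread actually tests.
def naive_grep_compliant?(text)
  text.each_line.any? { |l| l.include?('PermitRootLogin no') }
end

# Constructed sample, not a real host's file. The effective global value is
# "without-password"; root can still log in with a key, yet a naive grep
# "passes" it three times over (commented line, ignored duplicate, Match block).
SAMPLE_SSHD_CONFIG = <<~CONF
  # Default shipped comment; grep for 'PermitRootLogin no' matches this line.
  #PermitRootLogin no
  Port 22
  PermitRootLogin = without-password
  PermitRootLogin no
  Match User backup
      PermitRootLogin no
CONF

# Register the fact only when loaded by facter. The fact name is an
# assumption of this example, not a stock fact.
if defined?(Facter)
  Facter.add(:sshd_permitrootlogin) do
    confine :kernel => 'Linux'
    setcode do
      if File.readable?(SSHD_CONFIG)
        sshd_global_setting(File.read(SSHD_CONFIG), 'PermitRootLogin')
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "naive grep says compliant:  #{naive_grep_compliant?(SAMPLE_SSHD_CONFIG)}"
  puts "effective PermitRootLogin:  #{sshd_global_setting(SAMPLE_SSHD_CONFIG, 'PermitRootLogin')}"
  puts "actually compliant:         #{permit_root_login_compliant?(SAMPLE_SSHD_CONFIG)}"
end
```

Once the fact is distributed, `facter sshd_permitrootlogin` on a host, or the fact's value in PuppetDB or the report dashboard, gives the non-compliant list management asked for. If the run itself must fail on non-compliance, as in Christopher's /bin/false approach, the same parsing logic belongs in the script the exec runs rather than in a grep.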