On Wednesday, April 8, 2015 at 4:33:41 PM UTC-5, Scott Jaffa wrote:
>
> John,
>
> Thanks for the detailed reply.  While we aren't in agreement on some of 
> the finer points, it is moot as you've made it quite clear that the listed 
> approaches won't work at a technical level.
> Stepping back, can you suggest a good method by which one could separate 
> out cross organizational (in this case security hardening) parameters in a 
> way that they could be shared across organizations?  
> Assuming the answer, shared or not, for the security layer is hiera, I 
> need to put more thought into the structure.
>
>
You want to harden machine configurations managed via Puppet.  To a large 
extent, that means setting class parameter values that tend to improve 
security; certainly everything you have discussed so far boils down to 
that.  The central work to be performed, then, is to identify which 
parameters of which classes need attention, and to determine what values 
you prefer (for security) for those parameters.  You were already planning 
to do this, at least for Puppet modules used within your organization, and 
it constitutes the vast majority of the work that will be needed.

The remaining question, then, is how to package the hard (parameter, value) 
pairs in such a way that Puppet can apply them, and, preferably, in a way 
that can usefully be shared among organizations.  If it is not at this 
point obvious to you that this problem is right in the center of Hiera's 
wheelhouse, then I urge you to freshen up your Hiera knowledge and to read 
up on Puppet automatic data binding before you devote any other effort to 
planning this endeavor.  The main thing you need to do is put your hardened 
parameters in a (one) YAML file.  Such a file could easily be shared, and 
those who want to use it -- yourself included -- need only to configure it 
as the data source for a high-priority level of their Hiera hierarchy.  
Class parameter values that are assigned via automatic data binding will 
draw on these data.  Class parameter values that are set by any other means 
were out of reach of any general-purpose scheme to begin with.


John

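A small model of the arrangement John describes, added here as an example (it is not code from this thread, nor from Puppet or Hiera): a hierarchy with the shared hardening data at the top, Hiera-style first-match lookup, Puppet's precedence of an explicit class declaration over automatic data binding over the class default, and a check that reports hardened parameters whose effective value came from somewhere other than the hardening layer. File names, keys and values are constructed.

```python
# Constructed model of a hiera.yaml hierarchy, highest priority first.
# The shared hardening data source sits on top so it beats node and common data.
HIERARCHY = ["security_hardening", "nodes/%{fqdn}", "common"]

# Parsed contents of each data file, as Hiera would load them (constructed).
DATA_SOURCES = {
    "security_hardening": {
        "ssh::permit_root_login": "no",
        "ssh::password_authentication": "no",
    },
    "nodes/%{fqdn}": {
        "ssh::permit_root_login": "yes",  # per-node value; loses to the hardening layer
    },
    "common": {
        "ssh::password_authentication": "yes",
        "ssh::port": 22,
    },
}

# Parameter defaults from the module's own class definition (constructed).
CLASS_DEFAULTS = {
    "ssh": {"permit_root_login": "yes", "password_authentication": "yes", "port": 22},
}


def hiera_lookup(key):
    """First-match lookup through HIERARCHY; returns (value, level) or None."""
    for level in HIERARCHY:
        if key in DATA_SOURCES.get(level, {}):
            return DATA_SOURCES[level][key], level
    return None


def resolve_params(class_name, explicit=None):
    """Effective (value, origin) for each parameter of class_name.

    Precedence mirrors Puppet: a resource-like declaration such as
    class { 'ssh': permit_root_login => 'yes' } wins over automatic data
    binding, which wins over the class default.
    """
    explicit = explicit or {}
    resolved = {}
    for param, default in CLASS_DEFAULTS[class_name].items():
        if param in explicit:
            resolved[param] = (explicit[param], "explicit declaration")
            continue
        hit = hiera_lookup(f"{class_name}::{param}")
        resolved[param] = hit if hit else (default, "class default")
    return resolved


def hardening_gaps(class_name, explicit=None):
    """Hardened parameters of class_name not actually set by the hardening layer."""
    prefix = class_name + "::"
    hardened = {k[len(prefix):] for k in DATA_SOURCES["security_hardening"] if k.startswith(prefix)}
    return {p: origin for p, (_, origin) in resolve_params(class_name, explicit).items()
            if p in hardened and origin != "security_hardening"}
```

`hardening_gaps` is the audit step: an explicit declaration in a manifest silently bypasses the shared file, which is the "set by any other means" case above.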