On Friday, September 4, 2015 at 2:01:28 PM UTC-5, Sean wrote:
>
> Hi,
>
> I'm using a module from the Forge to manage auditd rules, the module works quite well and managing rules is very easy. The hard part is that there's a requirement to audit use of SUID files on each system. Without knowing exactly what files are SUID on every server in the field, since there are several linux flavors and versions, I'm finding myself thinking the only way to accomplish this is to write a custom fact to hold all the SUID files as an array, then pass the array to the resource creator. I just don't relish the idea of running a find command from / every 30 minutes.
>
> Might anyone have any better ideas?
>
Ultimately, Puppet relies on the underlying operating system for all services. It cannot provide anything that the OS does not support. Puppet notwithstanding, I am unaware of any mechanism for affirmatively detecting the presence of SUID files (on systems that support them) other than scanning the file system.

There are really two parts to the problem, though, as the other responses have highlighted:

1. gathering the data, and
2. communicating the data to Puppet.

I am inclined to agree that it would be unwise to install a custom fact whose evaluation involves performing a file system scan, so I agree with the several recommendations to decouple such scans from custom facts. If you use a scheduler to run the scan periodically, however, you can and should use a custom fact to report the results to Puppet. An array-valued fact seems a reasonable vehicle for this. If you wanted to present more data about each SUID file then you could instead use a hash with the file names as keys.

You can use Puppet to install and manage a scheduler (e.g. cron) job that performs the scan, and you can audit whether Puppet has to make any changes to that job. You can also audit the (apparent) mtime of the scan results, which can tell you either when last the list of SUID files changed or when last the scanner ran, depending on how you configure the scanning job.

John

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/5a7a384b-49e3-4edb-83be-d1848f3c9cba%40googlegroups.com.