This is probably something that should be addressed via code management or
audits, rather than via puppet. It can't really know the intentions, so if
someone wants to exec 'rm -fR' it will gleefully let it happen. It's on you
to trust your developers and have a pipeline to test things. Canary nodes
that can be audited may be a good idea here.

On Thursday, May 19, 2016, Alex Scoble <bloggingit...@gmail.com> wrote:

> Problem is that if you don't have a way of limiting where sudo entries can
> be made, someone can create a new module and grant themselves full sudo
> rights there for a large number of systems. When in a large enterprise such
> as ours, there are modules that are created and maintained by teams outside
> of the main teams that maintain the bulk of the puppet code.
>
> I think one possibility we are looking into is using TeamCity (could also
> be done with Jenkins) to check that sudo calls aren't made outside of our
> protected sudo module.


-- 

Rob Nelson
rnels...@gmail.com

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAC76iT8ogdZZ1iP5ebLRkjOeGDZU0-FUn12%2Bu1f1n-h0JLTerA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
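
The CI check proposed in the quoted message, sketched as an added example (not code from the thread or from Puppet): a TeamCity or Jenkins step that fails the build when a manifest outside the protected module touches sudo. The `modules/<name>/` layout, the module name `sudo`, the match patterns and the sample manifests are assumptions; the check is a line-based heuristic that supplements code review rather than replacing it.

```python
import re
import sys
from pathlib import Path

PROTECTED_MODULE = "sudo"  # assumption: the one module allowed to manage sudo

# Heuristic patterns for "sudo calls" (assumptions; tune for your code base).
SUDO_PATTERNS = [
    re.compile(r"\bsudo::\w+"),  # defined types/classes, e.g. sudo::conf
    re.compile(r"\b(?:include|contain|require)\s+['\"]?(?:::)?sudo\b"),
    re.compile(r"\bclass\s*\{\s*['\"](?:::)?sudo['\"]"),
    re.compile(r"/etc/sudoers"),  # file/exec resources touching sudoers
]

# Constructed sample input (not from the thread): path -> manifest text.
SAMPLE = {
    "modules/sudo/manifests/init.pp": "file { '/etc/sudoers.d/ops': ensure => file }\n",
    "modules/app/manifests/init.pp": "# sudo::conf in a comment\n"
    "sudo::conf { 'app': content => 'app ALL=(ALL) NOPASSWD: ALL' }\n",
}


def module_of(path):
    """Return <name> for paths shaped like .../modules/<name>/..., else None."""
    parts = Path(path).parts
    return parts[parts.index("modules") + 1] if "modules" in parts[:-1] else None


def find_violations(manifests):
    """Return [(path, line_no, line)] for sudo use outside the protected module."""
    hits = []
    for path, text in sorted(manifests.items()):
        if module_of(path) == PROTECTED_MODULE:
            continue
        for no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # skip full-line comments only, to avoid missed hits
            if any(p.search(line) for p in SUDO_PATTERNS):
                hits.append((path, no, line.strip()))
    return hits


def main(root=None):
    """Scan *.pp under root (or the sample when no root is given); 1 on any hit."""
    found = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.pp")} if root else SAMPLE
    hits = find_violations(found)
    for path, no, line in hits:
        print(f"{path}:{no}: sudo managed outside '{PROTECTED_MODULE}': {line}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the control repository root as the only argument; a non-zero exit status fails the build step.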
