[Puppet Users] How do I check content of a file in puppet

On Thu, Dec 27, 2012 at 11:15:14AM -0800, pdiddy wrote:
How do I check content of a file in puppet?
ex: I want to see if "PermitRootLogin" is "no" in /etc/ssh/sshd_config
file (RHEL). If it's "yes" i want to show it on compliance report. For now
I don't want make any changes to the sshd_config file through puppet.
Here is something I have:
define line($file, $line, $ensure = 'present') {
$line = "PermitRootLogin no"
$file = "/etc/ssh/sshd_config"
case $ensure {
default : { err ( "unknown ensure value ${ensure}" ) }
present: {
warning/flag code:
unless => "/bin/grep '${line}' '${file}'"
}
}
}

--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
[1]https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

References

Visible links
1. https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J

On Thursday, December 27, 2012 2:52:31 PM UTC-5, Christopher Wood wrote:

You might be better off putting together a custom fact about this. Then
you can check fact(s) on the host(s) without trying to
manage-but-not-manage something inside puppet.

On Thu, Dec 27, 2012 at 12:01:08PM -0800, pdiddy wrote:
Understood, but is it possible to get it done via puppet? I've management
requirement.

On Thursday, December 27, 2012 2:52:31 PM UTC-5, Christopher Wood wrote:

You might be better off putting together a custom fact about this. Then
you can check fact(s) on the host(s) without trying to
manage-but-not-manage something inside puppet.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
[6]https://groups.google.com/d/msg/puppet-users/-/2kXlOB5em10J.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

References

Visible links
1. https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J
2. javascript:
3. javascript:
4. http://groups.google.com/group/puppet-users?hl=en
5. https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J
6. https://groups.google.com/d/msg/puppet-users/-/2kXlOB5em10J

On 28/12/2012, at 7:23, Christopher Wood wrote:

Metaphorically, your management is asking you to drive nails with a screwdriver. The right tool for the job here is facter, not puppet. (And puppet already uses facter, so your management apparently doesn't understand the stack here.) While this is ultimately their problem, it sounds like you have to act as an enabler in order to keep your job and buy your groceries. Anyway, on to the helpful stuff!

I have no idea what sort of thing is in this compliance report. I will assume that it is checking which hosts have successfully completed a puppet agent run. To deliberately fail this in your scenario I might:

-write a script which checks the value of PermitRootLogin
-script should exit with a non-zero status if the value is undesired
-package this script in a deb (or rpm on your platform)
-use puppet to distribute my deb everywhere
-use an exec to run the script

Then you will see the same style of failure as if you ran this:

$ puppet apply -e 'exec { "/bin/false": }'
err: /Stage[main]//Exec[/bin/false]/returns: change from notrun to 0 failed: /bin/false returned 1 instead of one of [0] at line 1
notice: Finished catalog run in 0.08 seconds

And that means the host is non-compliant.

Another item on my original point: ensure your communications with management on this matter are all documented via email. When they finally figure out how much technical debt they are accruing you will not wish to be left holding their bag.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Fri, Dec 28, 2012 at 08:19:02AM +1100, Denmat wrote:
Hi,

Couldn't he run --noop as a scanner for hosts out of compliance and then when one is found, run normal puppet run (obviously you don't have to run in noop and just run normal runs and monitor reports).

That way management can see that non compliant host are being made compliant ( a much more useful report one would think).

So the solution would be to describe the state of the sshd_config file the way it should be and enforce that.

Reporting options on that are normal puppet reports.

Cheers,
Den
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On 12/27/2012 03:01 PM, pdiddy wrote:
Understood, but is it possible to get it done via puppet? I've management
requirement.

On Thursday, December 27, 2012 10:27:53 PM UTC, Jason Edgecombe wrote:

Yes, you can do what you want if you already have a puppet master
(server) in your puppet environment, but you may need configure or
install some add-ons.

All puppet installations include a tool called "facter". Facter gathers
various facts or data about your systems. The system can be configured
to sent this data back to the puppet server. Various puppet add-ons
offer the ability to create reports based on the data that was sent back
to the server. For you needs, you will likely need to write a custom fact.

Here are some links that might be helpful:

Info on facter:
http://puppetlabs.com/blog/facter-part-1-facter-101/

How to do custom facts:
http://docs.puppetlabs.com/guides/custom_facts.html

Puppet reporting:
http://docs.puppetlabs.com/guides/reporting.html

If you don't use a puppet server, then I think there are other options
for gathering the reporting data.

Sincerely,
Jason


P.S. My apologies to other posters, but I didn't see a clear answer to
the question.
puppet.

On Friday, December 28, 2012 7:36:31 AM UTC-5, Keiran Sweet wrote:

Hi,
Although I've never used it, this does sound like a task for the auditing
functionality that was added into Puppet 2.6.
Some information about it can be found here:
http://puppetlabs.com/blog/all-about-auditing-with-puppet/

You may also find the Puppet enterprise documentation on audit and
compliance of some use, as it uses the audit metaparams to achieve this
functionality.
http://docs.puppetlabs.com/pe/2.7/compliance_basics.html

From what I understand, you can build your own
auditing/reporting/compliance tool using your existing puppet framework and
a modified report processor that fits your needs.

Hope this helps.

K

On Friday, December 28, 2012 10:11:16 AM UTC-5, pdiddy wrote:

Thanks everyone, I will look into these options...I will write back in few
days...

On Wednesday, January 2, 2013 11:05:41 AM UTC-5, pdiddy wrote:

When I build the server I make sure it meets all the compliance
requirements (ex: PermitRootLogin, login banner). However, I would like to
double check those compliance requirements on daily basis through Puppet
(in case someone has changed them). This is an audit requirement.

I was able to write custom facts and now I see "PermitRootLogin" and
"login banner" values in node "inventory" list.

I was trying to create same report using following link, but it's not
working
http://puppetlabs.com/blog/when-puppet-reports-part-2/

dir structure
------------------------------------------
[[email protected] modules]# pwd
/opt/puppet/share/puppet/modules
[[email protected] modules]# ls -ltR compliance_report
compliance_report:
total 12
-rw-r--r-- 1 peadmin games 154 Jan 2 10:47 Modulefile
drwxr-xr-x 2 peadmin games 4096 Jan 2 10:40 manifests
drwxr-xr-x 3 peadmin games 4096 Jan 2 10:25 lib

compliance_report/manifests:
total 4
-rw-r--r-- 1 peadmin games 467 Jan 2 10:40 init.pp

compliance_report/lib:
total 4
drwxr-xr-x 3 peadmin games 4096 Jan 2 10:25 puppet

compliance_report/lib/puppet:
total 4
drwxr-xr-x 2 peadmin games 4096 Jan 2 10:25 reports

compliance_report/lib/puppet/reports:
total 0
-------------------------------------------------------------------

On Friday, January 4, 2013 7:21:19 AM UTC-8, pdiddy wrote:

Any thoughts guys...