Jeff Leggett
2008-May-20 15:15 UTC
[Puppet Users] The UNIX security baseline as a Puppet exercise
So I finally have my puppetmaster server up and running - everything checked into svn, etc. So I decided taking our UNIX baseline doc and converting it to a puppet manifest would be a good exercise. Some of them are quite easy in puppet, and some SHOULD be easy, but my n00bness is stumping me:

1.4 BL00015 – Verify DNS name resolution and hostfile
All UNIX servers must have their localhost address and hostname listed in the local Hosts file. DNS resolution only is not acceptable.

[All]
Verify loopback (localhost) address and hostname address are listed in /etc/hosts.

    #BL00015 - verify DNS and hostfile name resolution
    file { "/etc/hosts" :
        owner => "root",
        mode => 644,
        content => "$ipaddress\w+$hostname\w+$fqdn",
        ensure => present,
    }

but I am not sure of my content type line... is that right? if it doesn't match how to append a line like that?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Mike Renfro
2008-May-20 15:54 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
On 5/20/2008 10:15 AM, Jeff Leggett wrote:
> 1.4 BL00015 – Verify DNS name resolution and hostfile
> All UNIX servers must have their localhost address and hostname listed
> in the local
> Hosts file. DNS resolution only is not acceptable.
>
> [All]
> Verify loopback (localhost) address and hostname address are listed
> in /etc/hosts.
>
> #BL00015 - verify DNS and hostfile name resolution
> file { "/etc/hosts" :
>     owner => "root",
>     mode => 644,
>     content => "$ipaddress\w+$hostname\w+$fqdn",
>     ensure => present,
> }
>
> but I am not sure of my content type line... is that right? if it
> doesn't match how to append a line like that?

It'll work, but not necessarily the exact way you want. As given in http://reductivelabs.com/trac/puppet/wiki/TypeReference#file , the content parameter specifies the entire content of a file as a string, similar to how source specifies the entire content of a file as an ERB template or a literal source file. It's not a regex match of any kind. In the above case, you'd end up with a one-line hosts file with the client's IP, hostname, and FQDN. The \w+ may work, but I'd replace them with literal spaces or \t for a tab.

A better version might be:

    content => "127.0.0.1 localhost\n${ipaddress} ${hostname} ${fqdn}\n"

assuming you don't need any IPv6 entries. Those could be added as well, but the content string would start getting unwieldy, and would be best migrated to an ERB template.

-- 
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University
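Added example, not code from this thread or from Puppet itself: the BL00015 requirement is a verification item, so here is the check written out in plain Ruby (the language Puppet types and providers are written in). It renders the two-line hosts content proposed above and then parses a hosts file to confirm that the loopback address names localhost and that the host's own address carries its hostname and FQDN, so both resolve from the file when DNS is unavailable. The facts, addresses and sample files are constructed values passed in as arguments; nothing here reads the running system.

```ruby
# Added example, not code from this thread or from Puppet itself.
# Renders the two-line /etc/hosts content proposed in the thread and checks
# a hosts file against baseline BL00015: the loopback address must name
# localhost and the host's own address must carry its hostname (and FQDN),
# so that both resolve from the file even when DNS is down. Facts are passed
# in as plain arguments; nothing here touches the running system.

# Content string for the file resource, newline-terminated, in the
# "ip hostname fqdn" order used in the thread.
def hosts_content(ipaddress, hostname, fqdn)
  "127.0.0.1 localhost\n#{ipaddress} #{hostname} #{fqdn}\n"
end

# Parse hosts(5) text into { address => [names] }. Comments and blank
# lines are dropped; names are downcased because hosts lookups ignore case.
def parse_hosts(text)
  table = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip   # strip trailing and full-line comments
    next if line.empty?
    address, *names = line.split
    next if names.empty?               # an address with no names resolves nothing
    table[address].concat(names.map(&:downcase))
  end
  table
end

# BL00015 check. Returns the list of findings; an empty list means compliant.
def verify_hosts(text, ipaddress, hostname, fqdn = nil)
  table = parse_hosts(text)
  findings = []
  unless table['127.0.0.1'].include?('localhost')
    findings << 'loopback address 127.0.0.1 does not map to localhost'
  end
  own = table[ipaddress]
  if own.empty?
    findings << "no hosts entry for the host's own address #{ipaddress}"
  else
    unless own.include?(hostname.downcase)
      findings << "#{hostname} is not listed for #{ipaddress}"
    end
    if fqdn && !own.include?(fqdn.downcase)
      findings << "#{fqdn} is not listed for #{ipaddress}"
    end
  end
  findings
end

# Constructed sample facts and files (not taken from any real host).
SAMPLE_IP   = '192.0.2.10'
SAMPLE_HOST = 'web01'
SAMPLE_FQDN = 'web01.example.com'
COMPLIANT_HOSTS = hosts_content(SAMPLE_IP, SAMPLE_HOST, SAMPLE_FQDN)
DNS_ONLY_HOSTS  = <<~HOSTS
  # constructed sample: relies on DNS, loopback line carries no name
  127.0.0.1
  #{SAMPLE_IP} #{SAMPLE_HOST}
HOSTS

if $PROGRAM_NAME == __FILE__
  [COMPLIANT_HOSTS, DNS_ONLY_HOSTS].each do |text|
    findings = verify_hosts(text, SAMPLE_IP, SAMPLE_HOST, SAMPLE_FQDN)
    puts(findings.empty? ? 'BL00015: compliant' : "BL00015: #{findings.join('; ')}")
  end
end
```

The parser treats an address line with no names as resolving nothing, which is why the constructed DNS-only sample yields two findings (no localhost mapping, FQDN missing) rather than passing on the presence of the bare 127.0.0.1 line.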
David Schmitt
2008-May-20 15:56 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 20 May 2008, Jeff Leggett wrote:
> So I finally have my puppetmaster server up and running - everything
> checked into svn, etc.

congrats :)

> #BL00015 - verify DNS and hostfile name resolution
> file { "/etc/hosts" :
>     owner => "root",
>     mode => 644,
>     content => "$ipaddress\w+$hostname\w+$fqdn",
>     ensure => present,
> }
>
> but I am not sure of my content type line... is that right? if it
> doesn't match how to append a line like that?

Take a look at http://reductivelabs.com/trac/puppet/wiki/TypeReference#host

Regards, DavidS

- -- 
The primary freedom of open source is not the freedom from cost, but the freedom to shape software to do what you want. This freedom is /never/ exercised without cost, but is available /at all/ only by accepting the very different costs associated with open source, costs not in money, but in time and effort.
- -- http://www.schierer.org/~luke/log/20070710-1129/on-forks-and-forking
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIMvS+/Pp1N6Uzh0URAjdTAKCjFE7y3/FHl+awLUNVOje2G6Sr/ACfXJcP
xpY9ZtEuLA8idQs+74KBoIk=
=ykFD
-----END PGP SIGNATURE-----
Jeff Leggett
2008-May-20 20:21 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
Cool. So this:?

    #BL00015 - verify DNS and hostfile name resolution
    host { "$hostname" :
        ip => $ipaddress,
        alias => $fqdn,
        ensure => present,
        target => "/etc/hosts"
    }

    host { "localhost" :
        ip => "127.0.0.1",
        alias => "localhost.localdomain",
        ensure => present,
        target => "/etc/hosts"
    }

On May 20, 11:56 am, David Schmitt <da...@schmitt.edv-bus.at> wrote:
> On Tuesday 20 May 2008, Jeff Leggett wrote:
>
> > So I finally have my puppetmaster server up and running - everything
> > checked into svn, etc.
>
> congrats :)
>
> > #BL00015 - verify DNS and hostfile name resolution
> > file { "/etc/hosts" :
> >     owner => "root",
> >     mode => 644,
> >     content => "$ipaddress\w+$hostname\w+$fqdn",
> >     ensure => present,
> > }
>
> > but I am not sure of my content type line... is that right? if it
> > doesn't match how to append a line like that?
>
> Take a look at http://reductivelabs.com/trac/puppet/wiki/TypeReference#host
>
> Regards, DavidS
Peter Meier
2008-May-20 20:39 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
Hi

> Cool. So this:?
>
> #BL00015 - verify DNS and hostfile name resolution
> host { "$hostname" :
>     ip => $ipaddress,
>     alias => $fqdn,
>     ensure => present,
>     target => "/etc/hosts"
> }
>
> host { "localhost" :
>     ip => "127.0.0.1",
>     alias => "localhost.localdomain",
>     ensure => present,
>     target => "/etc/hosts"
> }

yeah looks fine :)

would you be interested in publishing this unix security baseline as a module or a set of modules? besides the cis security benchmark thing, this is another take on how unix hosts should be set up in a safe manner, and it would be nice to have people sharing their work on that. I'd also like to help with that if I can in any way. However doing all on my own is somehow too much at the moment.

greets pete
Jeff Leggett
2008-May-20 21:25 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
When I get it done I will post... Only 75 pages to go... :P

On May 20, 4:39 pm, Peter Meier <peter.me...@immerda.ch> wrote:
> Hi
>
> > Cool. So this:?
>
> > #BL00015 - verify DNS and hostfile name resolution
> > host { "$hostname" :
> >     ip => $ipaddress,
> >     alias => $fqdn,
> >     ensure => present,
> >     target => "/etc/hosts"
> > }
>
> > host { "localhost" :
> >     ip => "127.0.0.1",
> >     alias => "localhost.localdomain",
> >     ensure => present,
> >     target => "/etc/hosts"
> > }
>
> yeah looks fine :)
>
> would you be interested in publishing this unix security baseline as a
> module or a set of modules? besides the cis security benchmark thing,
> this is another take on how unix hosts should be set up in a safe manner,
> and it would be nice to have people sharing their work on that. I'd also
> like to help with that if I can in any way. However doing all on my own
> is somehow too much at the moment.
>
> greets pete
Jeff Leggett
2008-May-20 21:50 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
OK, next - verify runlevel is 5 for Dev workstations, 3 for everything else, set the id:5:initdefault: line appropriately based on that... I don't see an inittab Type in the reference, and I don't wanna set the entire contents in a huge string for that one line - sooo there must be a simple way to in place change a line? (puppet's sed?)
Mike Renfro
2008-May-20 22:28 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
On 5/20/2008 4:50 PM, Jeff Leggett wrote:
> OK, next - verify runlevel is 5 for Dev workstations, 3 for
> everything else, set the id:5:initdefault: line appropriately based on
> that... I don't see an inittab Type in the reference, and I don't wanna
> set the entire contents in a huge string for that one line - sooo
> there must be a simple way to in place change a line? (puppet's sed?)

http://reductivelabs.com/trac/puppet/wiki/Recipes/SimpleText and http://groups.google.com/group/puppet-users/browse_thread/thread/74194dbf969067cc/22b89f4e675c1afb are starting points for the basic replace. However, one could make inittab an ERB template, and have the one <%= initdefault %> variable in that template get replaced.

If my goal was to make just this one change in the file, regardless of whatever else might be in it, I'd do the search/replace. If I wanted to know *exactly* what the entire contents of the file were on any given system, I'd go with the template route.

-- 
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University
Blake Barnett
2008-May-20 22:35 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
On May 20, 2008, at 3:28 PM, Mike Renfro wrote:
>
> On 5/20/2008 4:50 PM, Jeff Leggett wrote:
>> OK, next - verify runlevel is 5 for Dev workstations, 3 for
>> everything else, set the id:5:initdefault: line appropriately based on
>> that... I don't see an inittab Type in the reference, and I don't
>> wanna
>> set the entire contents in a huge string for that one line - sooo
>> there must be a simple way to in place change a line? (puppet's sed?)
>
> http://reductivelabs.com/trac/puppet/wiki/Recipes/SimpleText and
> http://groups.google.com/group/puppet-users/browse_thread/thread/74194dbf969067cc/22b89f4e675c1afb
> are starting points for the basic replace. However, one could make
> inittab an ERB template, and have the one <%= initdefault %>
> variable in
> that template get replaced.
>
> If my goal was to make just this one change in the file, regardless of
> whatever else might be in it, I'd do the search/replace. If I wanted
> to
> know *exactly* what the entire contents of the file were on any given
> system, I'd go with the template route.

Better yet, an Augeas lens. :)

-Blake
Marcin Owsiany
2008-May-21 06:37 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
On Tue, May 20, 2008 at 03:35:26PM -0700, Blake Barnett wrote:
> Better yet, an Augeas lens. :)

I just read the FAQ for Augeas.. is there any support on puppet side to use that tool?

-- 
Marcin Owsiany <marcin@owsiany.pl>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216

"Every program in development at MIT expands until it can read mail."
                                                              -- Unknown
AJ
2008-May-21 08:35 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
Marcin Owsiany wrote:
> On Tue, May 20, 2008 at 03:35:26PM -0700, Blake Barnett wrote:
>> Better yet, an Augeas lens. :)
>
> I just read the FAQ for Augeas.. is there any support on puppet side to
> use that tool?

Not yet - there are Ruby bindings for it, and there have been musings of integration to replace the current ParsedFile provider hackery (I love you Luke, please don't take offense).

Regards, AJ
Jeff Leggett
2008-May-21 21:29 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
Guys does this seem right for SSH client config:

    # BL00030 - Configure and verify SSH Client
    package { openssl:
        ensure => installed,
        alias => openssl,
    }

    package { openssh:
        ensure => installed,
        require => Package[openssl],
    }

    package { openssl-client:
        ensure => installed,
        require => Package[openssh],
    }

    file { "/etc/ssh/ssh_config":
        source => "puppet://$server/module/sshd_config"
    }
David Lutterkort
2008-May-22 01:43 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
On Tue, 2008-05-20 at 15:35 -0700, Blake Barnett wrote:
>
> On May 20, 2008, at 3:28 PM, Mike Renfro wrote:
> >
> > On 5/20/2008 4:50 PM, Jeff Leggett wrote:
> >> OK, next - verify runlevel is 5 for Dev workstations, 3 for
> >> everything else, set the id:5:initdefault: line appropriately based on
> >> that... I don't see an inittab Type in the reference, and I don't
> >> wanna
> >> set the entire contents in a huge string for that one line - sooo
> >> there must be a simple way to in place change a line? (puppet's sed?)
>
> Better yet, an Augeas lens. :)

The lens is actually there; what's missing is the puppet integration, though you'd probably need a specific inittab type. Using the ruby-augeas bindings, the attached script sets the initdefault - that script is of course not terribly exciting, but it shows what an inittab provider using Augeas would have to do.

David
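Added example, not code from this thread: David's attached ruby-augeas script is not on this page, so the single-line edit an inittab provider has to perform (the search/replace Mike describes, as opposed to templating the whole file) is written out below in plain Ruby with no Augeas dependency. It reads the current default runlevel, rewrites only the initdefault entry while leaving every other inittab line untouched, is idempotent so a second run reports no change, appends the entry if the file has none, and rejects runlevels 0 and 6, which would halt or reboot the box at boot. The role-to-runlevel mapping follows the baseline rule quoted above (5 for Dev workstations, 3 for everything else); the role name 'workstation' and the sample inittab are constructed for the example.

```ruby
# Added example, not from this thread and not David's ruby-augeas script:
# the line edit an inittab provider must perform, done with plain Ruby
# string handling. Only the id:N:initdefault: entry is rewritten; every
# other line is preserved byte for byte, and a second run is a no-op.

# Baseline rule: 5 for Dev workstations, 3 for everything else. The role
# name 'workstation' is an assumption made for this example.
ROLE_RUNLEVEL    = { 'workstation' => 5 }.freeze
DEFAULT_RUNLEVEL = 3

# inittab entries are id:runlevels:action:process; comments start with '#'.
INITDEFAULT_RE = /\A([^:#]+):([^:]*):initdefault:(.*)\z/

def initdefault_for(role)
  ROLE_RUNLEVEL.fetch(role, DEFAULT_RUNLEVEL)
end

# Default runlevel currently configured in +text+, as a string, or nil
# when the file has no initdefault entry at all.
def current_initdefault(text)
  text.each_line do |line|
    m = INITDEFAULT_RE.match(line.chomp)
    return m[2] if m
  end
  nil
end

# Return [new_text, changed]. Raises ArgumentError for runlevels that are
# invalid as a default (0 halts, 6 reboots, anything outside 1..5 is not a
# runlevel an initdefault entry may name).
def set_initdefault(text, level)
  level = Integer(level)
  if [0, 6].include?(level)
    raise ArgumentError, "runlevel #{level} as initdefault would halt or reboot at boot"
  end
  raise ArgumentError, "runlevel #{level} out of range 1..5" unless (1..5).cover?(level)

  changed = false
  seen    = false
  lines = text.each_line.map do |line|
    m = INITDEFAULT_RE.match(line.chomp)
    next line unless m                 # not the initdefault entry: keep verbatim
    seen = true
    if m[2] == level.to_s
      line                             # already compliant: keep verbatim
    else
      changed = true
      "#{m[1]}:#{level}:initdefault:#{m[3]}\n"
    end
  end
  unless seen                          # no entry at all: add one
    lines << "id:#{level}:initdefault:\n"
    changed = true
  end
  [lines.join, changed]
end

# Constructed sample inittab (RHEL-style layout, not copied from any host).
SAMPLE_INITTAB = <<~INITTAB
  # inittab (constructed sample)
  id:5:initdefault:
  si::sysinit:/etc/rc.d/rc.sysinit
  l3:3:wait:/etc/rc.d/rc 3
  l5:5:wait:/etc/rc.d/rc 5
INITTAB

if $PROGRAM_NAME == __FILE__
  new_text, changed = set_initdefault(SAMPLE_INITTAB, initdefault_for('server'))
  puts(changed ? "initdefault set to #{current_initdefault(new_text)}" : 'already compliant')
end
```

Returning the changed flag alongside the text is what lets a provider report whether it actually modified the resource, which is the behaviour Puppet expects from a provider's setter.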
AJ
2008-May-22 02:06 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
Jeff Leggett wrote:
> Guys does this seem right for SSH client config:

Sure, will work. Not sure if it's the most concise way to do what you're requiring, and also you'll drop sshd_config regardless of the package being installed. See below.

    package { [ "openssl", "openssh", "openssl-client" ]:
        ensure => installed;
    }

    file { "/etc/ssh/ssh_config":
        source => "puppet:///module/sshd_config",
        require => [ Package[openssl], Package[openssh], Package["openssl-client"] ];
    }

> # BL00030 - Configure and verify SSH Client
> package { openssl:
>     ensure => installed,
>     alias => openssl,
> }
>
> package { openssh:
>     ensure => installed,
>     require => Package[openssl],
> }
>
> package { openssl-client:
>     ensure => installed,
>     require => Package[openssh],
> }
>
> file { "/etc/ssh/ssh_config":
>     source => "puppet://$server/module/sshd_config"
> }

Regards, AJ
David Schmitt
2008-May-22 06:32 UTC
[Puppet Users] Re: The UNIX security baseline as a Puppet exercise
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 21 May 2008, Jeff Leggett wrote:
> Guys does this seem right for SSH client config:

For a more complete ssh client and server module, you might want to check out my work at http://git.black.co.at/?p=module-ssh

Regards, DavidS

- -- 
The primary freedom of open source is not the freedom from cost, but the freedom to shape software to do what you want. This freedom is /never/ exercised without cost, but is available /at all/ only by accepting the very different costs associated with open source, costs not in money, but in time and effort.
- -- http://www.schierer.org/~luke/log/20070710-1129/on-forks-and-forking
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFINRNx/Pp1N6Uzh0URAi5ZAKCHBEkObGkWo+WG7zCO+JL1PkfxKgCfVLzr
PW3WO3KuCYLLVcweGcZ6V/E=
=5UPY
-----END PGP SIGNATURE-----