Hello, I have a set of modules and classes that I created and would like to know the best way to document what each module and class is doing. Please excuse the long example ...

For example: My 'AC-3' module contains a number of 'GEN' references from an older labeling system and I would like to be able to document the fact that this module and set of classes do 'GENx' etc. Let's say I needed to capture that mapping and provide a:

AC-3:
- GENx
- GENy
- GENz

Is info(blah) the correct method so I can query either the log file or other record to find out what a module or class implements? Or is there a better way to document and query this information in my module?

Thanks,

=== example ===

# AC-3: Access Enforcement
# Kickstart Actions:

# AC-3(1)
# Kickstart Actions:

# Note: Puppet 3 and later reject hyphens in class names; the names are
# kept here exactly as posted.
class ac-3::p1 {
  ## (GEN002420: CAT II) (Previously - G086) The SA will ensure user filesystems,
  ## removable media, and remote filesystems will be mounted with the nosuid
  ## option.

  # global defaults for every exec in this class
  Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }

  # nosuid, nodev, and acl on /home (only when nosuid is not already set)
  exec { "sed -i 's/\( \/home.*defaults\)/\1,nosuid,nodev,acl/' /etc/fstab":
    onlyif => "test `grep ' \/home ' /etc/fstab | grep -c nosuid` -eq 0",
  }

  # nosuid and acl on /sys
  exec { "sed -i 's/\( \/sys.*defaults\)/\1,nosuid,acl/' /etc/fstab":
    onlyif => "test `grep ' \/sys ' /etc/fstab | grep -c nosuid` -eq 0",
  }

  # nosuid and acl on /boot
  exec { "sed -i 's/\( \/boot.*defaults\)/\1,nosuid,acl/' /etc/fstab":
    onlyif => "test `grep ' \/boot ' /etc/fstab | grep -c nosuid` -eq 0",
  }

  # nodev and acl on /usr
  exec { "sed -i 's/\( \/usr.*defaults\)/\1,nodev,acl/' /etc/fstab":
    onlyif => "test `grep ' \/usr ' /etc/fstab | grep -c nodev` -eq 0",
  }

  # nodev and acl on /usr/local
  exec { "sed -i 's/\( \/usr\/local.*defaults\)/\1,nodev,acl/' /etc/fstab":
    onlyif => "test `grep ' \/usr/local ' /etc/fstab | grep -c nodev` -eq 0",
  }
}

# AC-3(2)
# Kickstart Actions:

# AC-3(3)
# Kickstart Actions:

# AC-3(4)
# Kickstart Actions:

class ac-3::p4 {
  ## (GEN001260: CAT II) (Previously - G037) The SA will ensure all system log
  ## files have permissions of 640, or more restrictive.

  # default path for following execs
  Exec { path => "/usr/bin:/usr/sbin:/bin:/sbin" }

  # tighten every existing log file
  exec { "find /var/log/ -type f -exec chmod 640 '{}' \;":
    cwd  => "/",
    path => "/bin:/sbin:/usr/bin:/usr/sbin",
  }

  # make rc.sysinit create new log files with the tighter mode
  exec { "sed -i 's/chmod 0664/chmod 0640/' /etc/rc.d/rc.sysinit":
    cwd  => "/",
    path => "/bin:/sbin:/usr/bin:/usr/sbin",
  }

  ## (GEN002980: CAT II) The SA will ensure the cron.allow
  ## file has permissions of 600, or more restrictive.
  ## (GEN003240: CAT II) The SA will ensure the owner and
  ## group owner of the cron.allow file is root.
  file { "/etc/cron.allow":
    owner => "root",
    group => "root",
    mode  => "0600",
    ## (GEN003060: CAT II) The SA will ensure default system accounts (with the
    ## possible exception of root) will not be listed in the cron.allow file. If
    ## there is only a cron.deny file, the default accounts (with the possible
    ## exception of root) will be listed there.
    # CLIP note: this is not needed for AC-3, but this STIG is
    # added here to prevent duplicate puppet resources. See below
    # for the cron.deny part of the STIG.
    ensure  => file,
    content => "root\n",
  }

  ## (GEN003200: CAT II) The SA will ensure the cron.deny
  ## file has permissions of 600, or more restrictive.
  ## (GEN003260: CAT II) The SA will ensure the owner and
  ## group owner of the cron.deny file is root.
  file { "/etc/cron.deny":
    owner => "root",
    group => "root",
    mode  => "0600",
    ## (GEN003060: CAT II) The SA will ensure default system accounts (with the
    ## possible exception of root) will not be listed in the cron.allow file. If
    ## there is only a cron.deny file, the default accounts (with the possible
    ## exception of root) will be listed there.
    # CLIP note: this is not needed for AC-3, but this STIG is
    # added here to prevent duplicate puppet resources. See above
    # for the cron.allow part of the STIG.
    # cron.deny lists every account in /etc/passwd except root
    content => generate("/bin/awk", "-F:", "\$1 != \"root\" { print \$1 }", "/etc/passwd"),
  }

  ## (GEN003960: CAT II) (Previously - G631) The SA will ensure the owner of
  ## the traceroute command is root.
  ## (GEN003980: CAT II) (Previously - G632) The SA will ensure the group
  ## owner of the traceroute command is root, sys, or bin.
  ## (GEN004000: CAT II) (Previously - G633) The SA will ensure the traceroute
  ## command has permissions of 700, or more restrictive.
  file { "/bin/traceroute":
    owner => "root",
    group => "root",
    mode  => "0700",
  }

  ## (GEN006520: CAT II) (Previously - G189) The SA will ensure security tools
  ## and databases have permissions of 740, or more restrictive.
  file {
    "/etc/rc.d/init.d/iptables":                     mode => "0740";
    "/sbin/iptables":                                mode => "0740";
    "/usr/share/logwatch/scripts/services/iptables": mode => "0740";
  }
}

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
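One way to make the class-to-GEN mapping queryable without changing the manifests is to parse the "## (GENnnnnnn: CAT n)" annotation comments the post already uses; the parser below is an added example, not code from the original post or from Puppet, and the embedded manifest snippet, class names and regexes are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout used by the post: a class header followed
# by "## (GENnnnnnn: CAT n) ..." annotation comments (text shortened).
SAMPLE_MANIFEST = """
class ac-3::p1 {
  ## (GEN002420: CAT II) (Previously - G086) The SA will ensure user filesystems,
  ## removable media, and remote filesystems will be mounted with the nosuid
  ## option.
}
class ac-3::p4 {
  ## (GEN001260: CAT II) (Previously - G037) The SA will ensure all system log
  ## files have permissions of 640, or more restrictive.
  ## (GEN002980: CAT II) The SA will ensure the cron.allow file has 600.
  ## (GEN003060: CAT II) The SA will ensure default system accounts ...
  ## (GEN003060: CAT II) same STIG repeated under the cron.deny resource
}
"""

# "class ac-3::p1 {" -> group 1 is the class name (hyphens allowed, as posted)
CLASS_RE = re.compile(r'^\s*class\s+([\w:.-]+)\s*(?:\(|\{|inherits|$)')
# "## (GEN002420: CAT II) ..." -> GEN id and CAT severity
STIG_RE = re.compile(r'^\s*##\s*\((GEN\d{6}):\s*CAT\s+(I{1,3})\)')

def extract_stig_map(manifest_text):
    """Return {class_name: {gen_id: cat}} built from the annotation comments.
    A GEN id cited twice in one class (as GEN003060 is) is recorded once."""
    mapping = defaultdict(dict)
    current = None
    for line in manifest_text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            mapping[current]          # register the class even if it has no STIGs
            continue
        m = STIG_RE.match(line)
        if m and current is not None:
            gen_id, cat = m.groups()
            mapping[current][gen_id] = cat
    return dict(mapping)

def classes_implementing(mapping, gen_id):
    """Reverse query: which classes claim a given GEN id."""
    return sorted(cls for cls, gens in mapping.items() if gen_id in gens)

def control_for_class(class_name):
    """'ac-3::p1' -> 'AC-3'; assumes the module is named after the control."""
    return class_name.split("::", 1)[0].upper()
```

Running extract_stig_map over the module's .pp files and writing the result to a report file gives a record that answers "which class implements GENx" without grepping the catalog or the agent log.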