[ale] Working with Puppet (Was: Re: checking for interest for a free intro class "Introduction to Automating Linux System Administration using CFEngine 3")

Jim Kinney jim.kinney at gmail.com
Thu Feb 16 16:13:14 EST 2012


Yep. Tresys is the current "flag bearer" for selinux as well. The clip
project is heavy selinux plus a bunch of system configuration tweaks to
harden the environment against sloppy users.

On Thu, Feb 16, 2012 at 3:18 PM, George Allen <glallen01 at gmail.com> wrote:

> This was another, similar project: http://oss.tresys.com/projects/clip
> Has a RHEL kickstart to apply the following:
> • Director of Central Intelligence Directive 6/3 “Protecting Sensitive
> Compartmented Information within Information Systems” (DCID 6/3)
> Protection Level 4 (PL4)
> • National Security Systems (NSS) Instruction 1253 “Security Controls
> Catalog for National Security Systems” High Impact requirements
> • Department of Defense (DoD) Instruction Number 8500.2 “Information
> Assurance (IA) Implementation” MAC I Classified requirements
> • Defense Information System Agency (DISA) Information Assurance
> Support Environment (IASE) Security Technical Implementation Guides
> (STIG) Unix V5R1
>
> Haven't tried it yet. Attempted to feed the kickstart link from here:
> http://oss.tresys.com/projects/clip/wiki/GettingStarted into CentOS...
> but it turns out I don't know anything about RedHat/Centos or
> rpm/yum... it was actually easier for me to play with freebsd the
> other day than when I was banging my head against yum, having grown up
> on solaris, slackware and debian.
>
> On Thu, Feb 16, 2012 at 2:40 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
> > Cool!
> >
> > I used a series of postinstall kickstart scripts that accomplished the
> > security lockdown when I was at GTRI. I did not write them but was happy
> > to see the powers that be that performed security analysis were very happy
> > with their output. That entire process should be fairly easy to dump into
> > puppet for change control.
> >
> > When I left, RHEL6 was under development for similar treatment.
> >
> >
> > On Thu, Feb 16, 2012 at 2:17 PM, George Allen <glallen01 at gmail.com> wrote:
> >>
> >> There is a project on Forge.mil to build configs for Puppet to apply
> >> the DISA STIGs and NSA Guides. So far they're only set up to apply to a
> >> RHEL 5.x box from what I understand, and I haven't played with them
> >> yet... but I would definitely like to start learning puppet as soon as
> >> I get some time.
> >>
> >> On Tue, Feb 14, 2012 at 1:38 PM, mike at trausch.us <mike at trausch.us> wrote:
> >> > On 02/14/2012 09:56 AM, mike at trausch.us wrote:
> >> >> I am finding myself somewhat happy with it.  I'm still allergic to
> >> >> things written in Ruby, of course.  If there were a drop-in Puppet clone
> >> >> in Python, I'd be all over that like white on rice, and I may not stay
> >> >> with puppet forever, but for the time being, I am rather liking it.  I
> >> >> have a master on Linode, a server here at the house, and a VM on my
> >> >> desktop that I am using to play with it for the time being.
> >> >
> >> > At this point, I have a working setup that manages SSH and NTP
> >> > configuration (yeah, I know, stupid easy for those who do Puppet in
> >> > their sleep) for both Gentoo and Debian systems, including handling some
> >> > interesting differences between the two distributions.
> >> >
> >> > One thing that I am finding that is annoying is that it seems that you
> >> > can say things like "debian" in selectors, but if you use a regex it
> >> > refuses to allow it (because it won't match "Debian").  There is a bug
> >> > in Puppet's Redmine instance (#3229), but it seems to have been
> >> > summarily closed without action.
> >> >
> >> > It seems that the "case" command matches case-insensitive whereas
> >> > selectors using regular expressions do not.  Of course a character class
> >> > can be used to work around that, but I don't see a way to tell Puppet's
> >> > regular expression system to simply match case-insensitive.
> >> >
> >> > I think that it may be possible for me to Puppet-ize my production
> >> > domain within the next day or two.  That in itself is fascinating to me.
> >> >
> >> > One thing I would like to do, though I haven't quite figured out how it
> >> > would fit into Puppet's framework, would be to enforce certain types of
> >> > policy, like "ensure that all systems have run their updates once per
> >> > week".  There are other ways of doing that, of course, but I think it'd
> >> > be nice to have _all_ my configuration in a single system, and not just
> >> > most of it.
> >> >
> >> > Another thing I would like to be able to do is somehow give Puppet a
> >> > whitelist of packages that are allowed to be on various systems, such
> >> > that any package that (a) isn't in the whitelist and (b) isn't a
> >> > dependency of something in the whitelist will be removed by Puppet
> >> > automagically.
> >> >
> >> > Both of the last two things, though, seem to be outside of the scope of
> >> > Puppet's capabilities.
> >> >
> >> >        --- Mike
> >> >
> >> > --
> >> > A man who reasons deliberately, manages it better after studying Logic
> >> > than he could before, if he is sincere about it and has common sense.
> >> >                                   --- Carveth Read, “Logic”
> >> >
> >> >
> >> > _______________________________________________
> >> > Ale mailing list
> >> > Ale at ale.org
> >> > http://mail.ale.org/mailman/listinfo/ale
> >> > See JOBS, ANNOUNCE and SCHOOLS lists at
> >> > http://mail.ale.org/mailman/listinfo
> >> >
> >>
> >
> >
> >
> >
> > --
> > --
> > James P. Kinney III
> >
> > As long as the general population is passive, apathetic, diverted to
> > consumerism or hatred of the vulnerable, then the powerful can do as they
> > please, and those who survive will be left to contemplate the outcome.
> > - 2011 Noam Chomsky
> >
> > http://heretothereideas.blogspot.com/
> >
> >
> >
>
>



-- 
-- 
James P. Kinney III

As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as they
please, and those who survive will be left to contemplate the outcome.
- 2011 Noam Chomsky

http://heretothereideas.blogspot.com/
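The package-whitelist policy Mike describes upthread (keep a package only if it is whitelisted or a transitive dependency of a whitelisted package, and flag everything else for removal) worked through as an added example; this is not code from the thread or from Puppet, and the package names and dependency map are constructed sample data rather than any distribution's metadata.

```python
"""Report which installed packages a whitelist policy would remove.

Policy (as stated in the thread): a package stays if it is on the whitelist
or is needed, directly or transitively, by something on the whitelist.
Everything else is a removal candidate. Dependency cycles are handled by
the visited set, so a cyclic map cannot loop forever.
"""
from collections import deque


def allowed_closure(whitelist, depends):
    """Return the whitelist plus every package it transitively depends on."""
    keep = set(whitelist)
    queue = deque(whitelist)
    while queue:
        pkg = queue.popleft()
        for dep in depends.get(pkg, ()):
            if dep not in keep:          # visited check also breaks cycles
                keep.add(dep)
                queue.append(dep)
    return keep


def packages_to_remove(installed, whitelist, depends):
    """Installed packages that are neither whitelisted nor needed by one."""
    return sorted(set(installed) - allowed_closure(whitelist, depends))


# Constructed sample inventory: package -> packages it depends on.
SAMPLE_DEPENDS = {
    "openssh-server": ["openssh-client", "libssl"],
    "openssh-client": ["libssl"],
    "ntp": ["libssl"],
    "puppet": ["ruby"],
    "ruby": ["libyaml"],
    "telnetd": [],
    "games-pack": ["libsdl"],
}
# Everything above plus the leaf libraries they pull in.
SAMPLE_INSTALLED = sorted(SAMPLE_DEPENDS) + ["libssl", "libyaml", "libsdl"]
SAMPLE_WHITELIST = ["openssh-server", "ntp", "puppet"]

if __name__ == "__main__":
    for pkg in packages_to_remove(SAMPLE_INSTALLED, SAMPLE_WHITELIST, SAMPLE_DEPENDS):
        print("would remove:", pkg)
```

On a real host the `installed` list and `depends` map would come from the package manager's query output; the policy logic itself does not change.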