Cool!<br><br>I used a series of postinstall kickstart scripts that accomplished the security lockdown when I was at GTRI. I did not write them but was happy to see the powers that be that performed security analysis were very happy with their output. That entire process should be fairly easy to dump into puppet for change control.<br>
<br>When I left, RHEL6 was under development for similar treatment.<br><br><div class="gmail_quote">On Thu, Feb 16, 2012 at 2:17 PM, George Allen <span dir="ltr"><<a href="mailto:glallen01@gmail.com">glallen01@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">There is a project on Forge.mil to build configs for Puppet to apply<br>
the DISA STIGs and NSA Guides. So far they're only setup to apply to a<br>
RHEL 5.x box from what I understand, and I haven't played with them<br>
yet... but I would definitely like to start learning puppet as soon as<br>
I get some time.<br>
<div><div class="h5"><br>
On Tue, Feb 14, 2012 at 1:38 PM, <a href="mailto:mike@trausch.us">mike@trausch.us</a> <<a href="mailto:mike@trausch.us">mike@trausch.us</a>> wrote:<br>
> On 02/14/2012 09:56 AM, <a href="mailto:mike@trausch.us">mike@trausch.us</a> wrote:<br>
>> I am finding myself somewhat happy with it. I'm still allergic to<br>
>> things written in Ruby, of course. If there were a drop-in Puppet clone<br>
>> in Python, I'd be all over that like white on rice, and I may not stay<br>
>> with puppet forever, but for the time being, I am rather liking it. I<br>
>> have a master on Linode, a server here at the house, and a VM on my<br>
>> desktop that I am using to play with it for the time being.<br>
><br>
> At this point, I have a working setup that manages SSH and NTP<br>
> configuration (yeah, I know, stupid easy for those who do Puppet in<br>
> their sleep) for both Gentoo and Debian systems, including handling some<br>
> interesting differences between the two distributions.<br>
><br>
> One thing that I am finding that is annoying is that it seems that you<br>
> can say things like "debian" in selectors, but if you use a regex it<br>
> refuses to allow it (because it won't match "Debian"). There is a bug<br>
> in Puppet's Redmine instance (#3229), but it seems to have been<br>
> summarily closed without action.<br>
><br>
> It seems that the "case" command matches case-insensitive whereas<br>
> selectors using regular expressions do not. Of course a character class<br>
> can be used to work around that, but I don't see a way to tell Puppet's<br>
> regular expression system to simply match case-insensitive.<br>
><br>
> I think that it may be possible for me to Puppet-ize my production<br>
> domain within the next day or two. That in itself is fascinating to me.<br>
><br>
> One thing I would like to do, though I haven't quite figured out how it<br>
> would fit into Puppet's framework, would be to enforce certain types of<br>
> policy, like "ensure that all systems have run their updates once per<br>
> week". There are other ways of doing that, of course, but I think it'd<br>
> be nice to have _all_ my configuration in a single system, and not just<br>
> most of it.<br>
><br>
> Another thing I would like to be able to do is somehow give Puppet a<br>
> whitelist of packages that are allowed to be on various systems, such<br>
> that any package that (a) isn't in the whitelist and (b) isn't a<br>
> dependency of something in the whitelist will be removed by Puppet<br>
> automagically.<br>
><br>
> Both of the last two things, though, seem to be outside of the scope of<br>
> Puppet's capabilities.<br>
><br>
> --- Mike<br>
><br>
> --<br>
> A man who reasons deliberately, manages it better after studying Logic<br>
> than he could before, if he is sincere about it and has common sense.<br>
> --- Carveth Read, “Logic”<br>
><br>
><br>
</div></div>> _______________________________________________<br>
> Ale mailing list<br>
> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br><br>As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as
they please, and those who survive will be left to contemplate the
outcome.<br>- <i><i><i><i>2011 Noam Chomsky<br><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i><br>