I suppose so, but I haven't ever worked with puppet reporting. My questions 
about the business issue behind this request are more along the lines of what 
his management wants the information for. There are a number of corollary 
questions that come up, including but not limited to:

-Why are you checking this data? Is it for some form of compliance, or something 
else?
-Why are you reporting on an invalid (presumably) sshd_config without enforcing 
the correct configuration?
-Why only report an issue whenever puppet is run? If it's important to audit 
when sshd_config is changed and/or the daemon is restarted, shouldn't you check 
that between puppet runs too?
-Why only check through puppet? If somebody disables the agent (temporary lab 
work, for instance), don't you still want PermitRootLogin checked?
-Why do a single puppet run? That is still using cpu/io for a whole agent run 
to check a single item.
-Why do two puppet agent runs at all? That is twice the cpu/io to find a single 
data point.

They all seem to come down to how his management wants to check validity in 
puppet rather than enforce it and report what happened. As we've both 
demonstrated, going down that path automatically requires extra effort making 
puppet do something that it's sensibly not quite designed for.



On Fri, Dec 28, 2012 at 08:19:02AM +1100, Denmat wrote:
> Hi,
> 
> Couldn't he run --noop as a scanner for hosts out of compliance and then when 
> one is found, run a normal puppet run (obviously you don't have to run in noop 
> and can just run normal runs and monitor reports).
> 
> That way management can see that non-compliant hosts are being made compliant 
> (a much more useful report, one would think).
> 
> So the solution would be to describe the state of the sshd_config file the 
> way it should be and enforce that.
> 
> Reporting options on that are normal puppet reports.
> 
> Cheers,
> Den
> 
> On 28/12/2012, at 7:23, Christopher Wood <[email protected]> wrote:
> 
> > Metaphorically, your management is asking you to drive nails with a 
> > screwdriver. The right tool for the job here is facter, not puppet. (And 
> > puppet already uses facter, so your management apparently doesn't 
> > understand the stack here.) While this is ultimately their problem, it 
> > sounds like you have to act as an enabler in order to keep your job and buy 
> > your groceries. Anyway, on to the helpful stuff!
> > 
> > I have no idea what sort of thing is in this compliance report. I will 
> > assume that it is checking which hosts have successfully completed a puppet 
> > agent run. To deliberately fail this in your scenario I might:
> > 
> > -write a script which checks the value of PermitRootLogin
> > -script should exit with a non-zero status if the value is undesired
> > -package this script in a deb (or rpm on your platform)
> > -use puppet to distribute my deb everywhere
> > -use an exec to run the script
> > 
> > Then you will see the same style of failure as if you ran this:
> > 
> > $ puppet apply -e 'exec { "/bin/false": }'
> > err: /Stage[main]//Exec[/bin/false]/returns: change from notrun to 0 
> > failed: /bin/false returned 1 instead of one of [0] at line 1
> > notice: Finished catalog run in 0.08 seconds
> > 
> > And that means the host is non-compliant.
> > 
> > Another item on my original point: ensure your communications with 
> > management on this matter are all documented via email. When they finally 
> > figure out how much technical debt they are accruing you will not wish to 
> > be left holding their bag.
> > 
> > 
> > On Thu, Dec 27, 2012 at 12:01:08PM -0800, pdiddy wrote:
> >>   Understood, but is it possible to get it done via puppet? I have a management
> >>   requirement.
> >> 
> >>   On Thursday, December 27, 2012 2:52:31 PM UTC-5, Christopher Wood wrote:
> >> 
> >>     You might be better off putting together a custom fact about this. Then
> >>     you can check fact(s) on the host(s) without trying to
> >>     manage-but-not-manage something inside puppet.
> >> 
> >>     On Thu, Dec 27, 2012 at 11:15:14AM -0800, pdiddy wrote:
> >>>    How do I check the content of a file in puppet?
> >>>    ex: I want to see if "PermitRootLogin" is "no" in the /etc/ssh/sshd_config
> >>>    file (RHEL). If it's "yes" I want to show it on a compliance report.
> >>>    For now I don't want to make any changes to the sshd_config file through
> >>>    puppet.
> >>>    Here is something I have:
> >>>    define line($file = '/etc/ssh/sshd_config', $line = 'PermitRootLogin no', $ensure = 'present') {
> >>>      # parameters cannot be reassigned inside a define, so the path and
> >>>      # the expected line are parameter defaults instead
> >>>      case $ensure {
> >>>        default: { err("unknown ensure value ${ensure}") }
> >>>        present: {
> >>>          # warning/flag step: fail the run when the expected line is absent
> >>>          exec { "flag-${name}":
> >>>            command => '/bin/false',
> >>>            unless  => "/bin/grep '${line}' '${file}'",
> >>>          }
> >>>        }
> >>>      }
> >>>    }
> >>> 
> >>>    --
> >>>    You received this message because you are subscribed to the Google
> >>>    Groups "Puppet Users" group.
> >>>    To view this discussion on the web visit
> >>>    https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J.
> >>>    To post to this group, send email to [email protected].
> >>>    To unsubscribe from this group, send email to
> >>>    [email protected].
> >>>    For more options, visit this group at
> >>>    http://groups.google.com/group/puppet-users?hl=en.
> >> 
> > 
> > 
> 
> 

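Added example, written for this page and not taken from any message in the thread: a Ruby file that backs both approaches Christopher Wood suggests, a Facter custom fact that reports the PermitRootLogin value, and a check script that exits non-zero when the value is not "no" (the route that makes a puppet exec fail). It assumes OpenSSH's configuration rules (the first occurrence of a keyword wins, keywords are case-insensitive, `#` starts a comment, and settings inside a `Match` block apply only conditionally); the fact name `sshd_permit_root_login`, the function names and the sample configurations are constructed for the example.

```ruby
# Constructed example: parse sshd_config for PermitRootLogin and expose the
# result both as a Facter custom fact and as a non-zero-exit check script.
# Assumed OpenSSH semantics: first occurrence of a keyword wins, keywords are
# case-insensitive, '#' starts a comment, lines after "Match" are conditional.

SSHD_CONFIG = '/etc/ssh/sshd_config'

# Returns the global PermitRootLogin value, lowercased (e.g. 'yes', 'no',
# 'without-password', 'prohibit-password'), or nil when the directive is
# absent from the global section (sshd then falls back to its built-in default).
def permit_root_login(config_text)
  config_text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip          # drop comments and whitespace
    next if line.empty?
    keyword, value = line.split(/[\s=]+/, 2)  # "Key value" or "Key=value"
    break if keyword.casecmp?('Match')        # anything below is conditional
    return value.to_s.strip.downcase if keyword.casecmp?('PermitRootLogin')
  end
  nil
end

# Compliance verdict: only an explicit global "no" counts. An absent directive
# is treated as non-compliant because the effective value then depends on the
# sshd build rather than on the configuration being audited.
def root_login_compliant?(config_text)
  permit_root_login(config_text) == 'no'
end

# Exit status for the check-script role: 0 compliant, 1 non-compliant.
def check_exit_status(config_text)
  root_login_compliant?(config_text) ? 0 : 1
end

# Facter custom fact (hypothetical name); registered only when this file is
# loaded by Facter, so the same file also runs as a plain script.
if defined?(Facter)
  Facter.add(:sshd_permit_root_login) do
    setcode do
      if File.readable?(SSHD_CONFIG)
        permit_root_login(File.read(SSHD_CONFIG)) || 'unset'
      else
        'unreadable'
      end
    end
  end
end

# Constructed sample configurations for an offline dry run.
SAMPLE_COMPLIANT = <<~CFG
  # sshd_config (constructed sample)
  Port 22
  permitrootlogin no   # lowercase keyword with a trailing comment
  Match User backup
      PermitRootLogin yes
CFG

SAMPLE_NONCOMPLIANT = <<~CFG
  #PermitRootLogin no
  PermitRootLogin yes
  PermitRootLogin no
CFG

# Script role: `ruby sshd_root_login.rb /etc/ssh/sshd_config` prints the value
# and exits non-zero on a non-compliant host, which is the failure a puppet
# exec would surface. Guarded on ARGV so loading the file has no side effects.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  text = File.read(ARGV[0])
  puts "PermitRootLogin=#{permit_root_login(text) || 'unset'}"
  exit(check_exit_status(text))
end
```

Note that the commented-out `#PermitRootLogin no` and the `PermitRootLogin yes` inside the `Match` block in the samples are exactly the lines a plain `grep 'PermitRootLogin no'` gets wrong; the parser skips both, which is the main reason to prefer a fact or script over a grep in an `unless`.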