Re: [Puppet Users] How do I check content of a file in puppet

[Christopher Wood]

You might be better off putting together a custom fact about this. Then you can check fact(s) on the host(s) without trying to manage-but-not-manage something inside puppet.

On Thu, Dec 27, 2012 at 11:15:14AM -0800, pdiddy wrote:
> How do I check content of a file in puppet?
> ex: I want to see if "PermitRootLogin" is "no" in /etc/ssh/sshd_config
> file (RHEL). If it's "yes" i want to show it on compliance report. For now
> I don't want make any changes to the sshd_config file through puppet.
> Here is something I have:
> define line($file, $line, $ensure = 'present') {
>         $line = "PermitRootLogin no"
>         $file = "/etc/ssh/sshd_config"
>     case $ensure {
>         default : { err ( "unknown ensure value ${ensure}" ) }
>         present: {
>             warning/flag code:
>                 unless => "/bin/grep '${line}' '${file}'"
>             }
>         }
> }
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> [1]https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
> References
>
> Visible links
> 1. https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J

[pdiddy]

Understood, but is it possible to get it done via puppet? I've management requirement.

[Christopher Wood]

Metaphorically, your management is asking you to drive nails with a screwdriver. The right tool for the job here is facter, not puppet. (And puppet already uses facter, so your management apparently doesn't understand the stack here.) While this is ultimately their problem, it sounds like you have to act as an enabler in order to keep your job and buy your groceries. Anyway, on to the helpful stuff!

I have no idea what sort of thing is in this compliance report. I will assume that it is checking which hosts have successfully completed a puppet agent run. To deliberately fail this in your scenario I might:

-write a script which checks the value of PermitRootLogin
-script should exit with a non-zero status if the value is undesired
-package this script in a deb (or rpm on your platform)
-use puppet to distribute my deb everywhere
-use an exec to run the script

Then you will see the same style of failure as if you ran this:

$ puppet apply -e 'exec { "/bin/false": }'
err: /Stage[main]//Exec[/bin/false]/returns: change from notrun to 0 failed: /bin/false returned 1 instead of one of [0] at line 1
notice: Finished catalog run in 0.08 seconds

And that means the host is non-compliant.

Another item on my original point: ensure your communications with management on this matter are all documented via email. When they finally figure out how much technical debt they are accruing you will not wish to be left holding their bag.

> >    [1][1]https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J.
> >    To post to this group, send email to [2]puppet...@googlegroups.com.

> >    To unsubscribe from this group, send email to

> >    [3]puppet-users...@googlegroups.com.

> >    For more options, visit this group at

> >    [4]http://groups.google.com/group/puppet-users?hl=en.
> >
> > References
> >
> >    Visible links
> >    1. [5]https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J

>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit

> [6]https://groups.google.com/d/msg/puppet-users/-/2kXlOB5em10J.

> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
> References
>
> Visible links
> 1. https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J

> 2. javascript:
> 3. javascript:
> 4. http://groups.google.com/group/puppet-users?hl=en
> 5. https://groups.google.com/d/msg/puppet-users/-/M8gmxMKkp58J
> 6. https://groups.google.com/d/msg/puppet-users/-/2kXlOB5em10J

[Denmat]

Hi,

Couldn't he run --noop as a scanner for hosts out of compliance and then when one is found, run normal puppet run (obviously you don't have to run in noop and just run normal runs and monitor reports).

That way management can see that non compliant host are being made compliant ( a much more useful report one would think).

So the solution would be to describe the state of the sshd_config file the way it should be and enforce that.

Reporting options on that are normal puppet reports.

Cheers,
Den

[Christopher Wood]

I suppose so, but I haven't ever worked with puppet reporting. My questions about the business issue behind this request are more along the lines of what his management wants the information for. There are a number of corollary questions that come up, including but not limited to:

-Why are you checking this data? Is for some form of compliance, or something else?
-Why are you reporting on an invalid (presumably) sshd_config without enforcing the correct configuration?
-Why only report an issue whenever puppet is run? If it's important to audit when sshd_config is changed and/or the daemon is restarted, shouldn't you check that between puppet runs too?
-Why only check through puppet? If somebody disables the agent (temporary lab work, for instance) don't you still want PermitRootLogin checked?
-Why do a single puppet run? That is still using cpu/io for a whole agent run to check a single item.
-Why do two puppet agent runs at all? That is twice the cpu/io to find a single data point.

They all seem to come down to how his management wants to check validity in puppet rather than enforce it and report what happened. As we've both demonstrated, going down that path automatically requires extra effort making puppet do something that it's sensibly not quite designed for.

[Jason Edgecombe]

Yes, you can do what you want if you already have a puppet master
(server) in your puppet environment, but you may need configure or
install some add-ons.

All puppet installations include a tool called "facter". Facter gathers
various facts or data about your systems. The system can be configured
to sent this data back to the puppet server. Various puppet add-ons
offer the ability to create reports based on the data that was sent back
to the server. For you needs, you will likely need to write a custom fact.

Here are some links that might be helpful:

Info on facter:
http://puppetlabs.com/blog/facter-part-1-facter-101/

How to do custom facts:
http://docs.puppetlabs.com/guides/custom_facts.html

Puppet reporting:
http://docs.puppetlabs.com/guides/reporting.html

If you don't use a puppet server, then I think there are other options
for gathering the reporting data.

Sincerely,
Jason


P.S. My apologies to other posters, but I didn't see a clear answer to
the question.

>>> To post to this group, send email to puppet...@googlegroups.com<javascript:>.

>>> To unsubscribe from this group, send email to

>>> puppet-users...@googlegroups.com <javascript:>.

[Keiran Sweet]

Hi,

Although I've never used it, this does sound like a task for the auditing functionality that was added into Puppet 2.6.

Some information about it can be found here: http://puppetlabs.com/blog/all-about-auditing-with-puppet/

You may also find the Puppet enterprise documentation on audit and compliance of some use, as it uses the audit metaparams to achieve this functionality.

http://docs.puppetlabs.com/pe/2.7/compliance_basics.html

From what I understand, you can build your own auditing/reporting/compliance tool using your existing puppet framework and a modified report processor that fits your needs.

Hope this helps.

K

[pdiddy]

Thanks everyone, I will look into these options...I will write back in few days...

[pdiddy]

When I build the server I make sure it meets all the compliance requirements (ex: PermitRootLogin, login banner). However, I would like to double check those compliance requirements on daily basis through Puppet (in case someone has changed them). This is an audit requirement.

I was able to write custom facts and now I see "PermitRootLogin" and "login banner" values in node "inventory" list.

I was trying to create same report using following link, but it's not working

http://puppetlabs.com/blog/when-puppet-reports-part-2/

dir structure

------------------------------------------

[root@lxpuppet modules]# pwd

/opt/puppet/share/puppet/modules

[root@lxpuppet modules]# ls -ltR compliance_report

compliance_report:

total 12

-rw-r--r-- 1 peadmin games  154 Jan  2 10:47 Modulefile

drwxr-xr-x 2 peadmin games 4096 Jan  2 10:40 manifests

drwxr-xr-x 3 peadmin games 4096 Jan  2 10:25 lib

compliance_report/manifests:

total 4

-rw-r--r-- 1 peadmin games 467 Jan  2 10:40 init.pp

compliance_report/lib:

total 4

drwxr-xr-x 3 peadmin games 4096 Jan  2 10:25 puppet

compliance_report/lib/puppet:

total 4

drwxr-xr-x 2 peadmin games 4096 Jan  2 10:25 reports

compliance_report/lib/puppet/reports:

total 0

-------------------------------------------------------------------

[pdiddy]

Any thoughts guys...