
Fixes using DevOps Tools

Open dokuhebi opened this issue 10 years ago • 7 comments

After today's face-to-face discussion, I wanted to open an issue to track the need to port the fixes over to DevOps tools like puppet, chef, and others.

dokuhebi, Jul 30 '14 20:07

My plan is to take the existing bash scripts in "stig-fix-el6/cat1" and move them into "stig-fix-el6/cat1/bash". Then the various scripts for different tools will be in respective tool directories. (Unless people want the directory structure to be "stig-fix-el6/fixes/bash/cat1" and "stig-fix-el6/fixes/puppet/cat1".)

dokuhebi, Jul 30 '14 20:07

The biggest difference between platforms (Amazon Web Services, Puppet, and Bare Metal [current]) will be the configuration: the sudoers, PAM files, and sshd configurations in particular are different enough to warrant maintaining at least 3 different versions of the script. I was originally looking at forking the project into stig-fix-el6-aws for AWS, stig-fix-el6-puppet, and stig-fix-el6 for bare metal. What do you think? Is there any other input on the idea? I'm trying to go with the will of the community. I'm going to try and get some input from some other Red Hatters as well, specifically Jason Callaway, who has taken the scripts and made them work on AWS.

fcaviggia, Aug 01 '14 10:08

My concern is that as we move beyond Puppet into more DevOps tools, there will be too many forks. I would suggest reorganizing the file structure to move the cat1, cat2, cat3, cat4, and manual directories into separate tool platforms (i.e. bash, puppet, chef, ansible). The "config" directory can stay where it is, since the files will be used as inputs across all the platforms.

dokuhebi, Aug 01 '14 19:08

It may be better if someone could build a simple DSL describing the STIGs, which could then generate the relevant tool configurations. For example, if you standardized usage of chown/chmod and "templates" for various files, it could then be parsed and could automatically generate the relevant tool-specific code. Otherwise you would be spending time trying to make each tool have identical outcomes, which incurs a potentially higher testing burden.

On Fri, Aug 1, 2014 at 3:56 PM, Tom Albrecht wrote: [quoting the comment above; https://github.com/RedHatGov/stig-fix-el6/issues/12#issuecomment-50927862]

ruckc, Aug 01 '14 20:08
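To make the "describe once, generate per tool" idea concrete, here is an added example (not code from stig-fix-el6, the Hardening Framework, or any of the commenters): a toy rule type for the chown/chmod-plus-template case ruckc mentions, with three small backends that emit bash, Puppet and Ansible from the same rule. The rule IDs, paths and modes are constructed samples, not real STIG identifiers, and the `config/` template location is an assumption. The point worth noticing is `_check`: validating the rule once, before any backend sees it, is what removes the per-tool testing burden the comment describes.

```python
"""Toy STIG-style DSL -> multi-tool generator (added illustration)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FileRule:
    """One declarative fix: PATH must be owned by OWNER:GROUP with MODE and,
    if TEMPLATE is set, be installed from that file under the shared config/
    directory (assumed layout, not the project's)."""
    rule_id: str
    path: str
    owner: str = "root"
    group: str = "root"
    mode: str = "0600"               # octal, written as it appears in STIG text
    template: Optional[str] = None   # filename under config/, or None


# Constructed sample rules (hypothetical IDs, not real STIG identifiers).
RULES: List[FileRule] = [
    FileRule("example-sshd", "/etc/ssh/sshd_config", mode="0600",
             template="sshd_config"),
    FileRule("example-shadow", "/etc/shadow", mode="0000"),
]


def _check(rule: FileRule) -> None:
    """Reject malformed rules before any backend sees them. A relative path
    or a non-octal mode would otherwise become a wrong fix in every tool."""
    if not rule.path.startswith("/"):
        raise ValueError(f"{rule.rule_id}: path must be absolute")
    if len(rule.mode) != 4 or any(c not in "01234567" for c in rule.mode):
        raise ValueError(f"{rule.rule_id}: mode must be 4 octal digits")


def to_bash(rule: FileRule) -> str:
    """bash backend: install(1) for templated files, chown/chmod otherwise."""
    _check(rule)
    lines = [f"# {rule.rule_id}"]
    if rule.template:
        lines.append(f"install -m {rule.mode} -o {rule.owner} -g {rule.group} "
                     f"config/{rule.template} {rule.path}")
    else:
        lines.append(f"chown {rule.owner}:{rule.group} {rule.path}")
        lines.append(f"chmod {rule.mode} {rule.path}")
    return "\n".join(lines)


def to_puppet(rule: FileRule) -> str:
    """Puppet backend: a single file resource; module name 'stig' is assumed."""
    _check(rule)
    attrs = ["  ensure => file,",
             f"  owner  => '{rule.owner}',",
             f"  group  => '{rule.group}',",
             f"  mode   => '{rule.mode}',"]
    if rule.template:
        attrs.append(f"  source => 'puppet:///modules/stig/{rule.template}',")
    body = "\n".join(attrs)
    return f"# {rule.rule_id}\nfile {{ '{rule.path}':\n{body}\n}}"


def to_ansible(rule: FileRule) -> str:
    """Ansible backend: copy module for templated files, file module otherwise."""
    _check(rule)
    module = "copy" if rule.template else "file"
    lines = [f"- name: {rule.rule_id}",
             f"  {module}:",
             f"    dest: {rule.path}",
             f"    owner: {rule.owner}",
             f"    group: {rule.group}",
             f"    mode: '{rule.mode}'"]
    if rule.template:
        lines.insert(3, f"    src: config/{rule.template}")
    else:
        lines.append("    state: file")
    return "\n".join(lines)


def generate(rules: List[FileRule], backend: str) -> str:
    """Render every rule for one backend ('bash', 'puppet' or 'ansible')."""
    renderers = {"bash": to_bash, "puppet": to_puppet, "ansible": to_ansible}
    return "\n\n".join(renderers[backend](r) for r in rules)


if __name__ == "__main__":
    for name in ("bash", "puppet", "ansible"):
        print(f"### {name}\n{generate(RULES, name)}\n")
```

Because every backend carries the rule ID into its output, a failing check on any host can be traced back to the single DSL entry that produced it, whichever tool applied it.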

I propose you have a look at the Hardening Framework. It provides the implementations for Puppet, Chef and Ansible. The framework uses the same validation tests to ensure all implementations behave the same. Have a look at our implementation: https://github.com/hardening-io Would be great if you could provide feedback.

chris-rock, Apr 29 '15 06:04
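The "same validation tests for every implementation" approach chris-rock describes works because the test inspects the resulting system state and never asks which tool produced it. As an added example (not code from the Hardening Framework, stig-fix-el6, or any commenter), here is a tool-agnostic check for one of the files the thread singles out, sshd_config. The expected values are a constructed sample rather than a STIG list, and the sample config is constructed to show the trap a naive grep misses: sshd honours the first occurrence of a keyword, so a hardening script that appends `PermitRootLogin no` below an existing `PermitRootLogin yes` has changed nothing.

```python
"""Tool-agnostic validation check for sshd_config (added illustration)."""
from typing import Dict, List, Tuple

# Constructed expectations (keyword -> required value). sshd keywords are
# case-insensitive, so everything is compared in lower case.
EXPECTED: Dict[str, str] = {
    "permitrootlogin": "no",
    "protocol": "2",
    "permitemptypasswords": "no",
}


def effective_settings(text: str) -> Dict[str, str]:
    """Return the global settings sshd would actually apply.

    Two parsing details matter for a hardening check:
      * sshd takes the FIRST occurrence of a keyword, so a later "fix" line
        does not override an earlier one (setdefault models that);
      * keywords after a 'Match' block apply only inside that block, so the
        global scan stops there.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config allows "Keyword value" or "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, expected, effective) for every expectation not met;
    an empty list means the file passes."""
    found = effective_settings(text)
    failures: List[Tuple[str, str, str]] = []
    for key, want in EXPECTED.items():
        got = found.get(key, "<unset>")
        if got.lower() != want:
            failures.append((key, want, got))
    return failures


# Constructed sample: a hardening step appended 'PermitRootLogin no' but left
# the original 'yes' in place, and a Match block repeats the setting locally.
SAMPLE_BROKEN = """\
# sample sshd_config (constructed)
Protocol 2
PermitRootLogin yes
PermitEmptyPasswords no
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""

# Constructed sample of the same file after the earlier line was rewritten.
SAMPLE_FIXED = """\
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for key, want, got in check_sshd_config(SAMPLE_BROKEN):
        print(f"FAIL {key}: expected {want}, effective value is {got}")
    print("fixed sample passes:", not check_sshd_config(SAMPLE_FIXED))
```

Run the same function against the file as left by each implementation (bash, Puppet, Chef, Ansible) and the implementations are held to one definition of "fixed"; the parsing rules above are the part that a grep-based test would get wrong in the same way for every tool.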

Awesome, thanks for the link. I'll pass that project around Red Hat to review.

fcaviggia, Apr 29 '15 14:04

Amazing, let me know if you need anything.

chris-rock, Apr 29 '15 14:04