Fixes using DevOps Tools #12

Open
dokuhebi opened this issue Jul 30, 2014 · 7 comments

@dokuhebi

After today's face-to-face discussion, I wanted to open an issue to track the need to port the fixes over to DevOps tools like puppet, chef, and others.

@dokuhebi
Author

My plan is to take the existing bash scripts in "stig-fix-el6/cat1" and move them into "stig-fix-el6/cat1/bash". Then the various scripts for different tools will be in respective tool directories. (Unless people want the directory structure to be "stig-fix-el6/fixes/bash/cat1" and "stig-fix-el6/fixes/puppet/cat1".)

@fcaviggia
Owner

The biggest difference between platforms (Amazon Web Services, Puppet, and Bare Metal [current]) will be the configuration (especially the sudoers, pam files, and sshd configurations), which are different enough to at least maintain 3 different versions of the script. I was originally looking at forking the project into stig-fix-el6-aws for AWS, stig-fix-el6-puppet, and stig-fix-el6 for bare metal. What do you think? Is there any other input on the idea? I'm trying to go with the will of the community. I'm going to try and get some input from some other Red Hatters as well, specifically Jason Callaway, who has taken the scripts and made them work on AWS.

@dokuhebi
Author

dokuhebi commented Aug 1, 2014

My concern is that as we move beyond puppet into more DevOps tools, there will be too many forks. I would suggest reorganizing the file structure to move the cat1, cat2, cat3, cat4, and manual directories into separate tool platforms (i.e. bash, puppet, chef, ansible). The "config" directory can stay where it is, since the files will be used as inputs across all the platforms.

@ruckc

ruckc commented Aug 1, 2014

It may be better if someone could build a simple DSL describing the STIGs, which could then generate the relevant tool configurations. For example, if you standardized usage of chown/chmod and "templates" for various files, it could then be parsed and could automatically generate the relevant tool-specific code. Otherwise you would be spending time trying to make each tool have identical outcomes, which incurs a potentially higher testing burden.

On Fri, Aug 1, 2014 at 3:56 PM, Tom Albrecht [email protected]
wrote:

> My concern is that as we move beyond puppet into more DevOps tools, there will be too many forks. I would suggest reorganizing the file structure to move the cat1, cat2, cat3, cat4, and manual directories into separate tool platforms (i.e. bash, puppet, chef, ansible). The "config" directory can stay where it is, since the files will be used as inputs across all the platforms.
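To make the DSL idea concrete: the block below is an added example, not code from the stig-fix-el6 project or from any commenter. It takes a minimal declarative description of a fix (path, owner, group, mode, the chown/chmod "template" case mentioned above) and renders it to Bash, a Puppet file resource, and an Ansible file task from one source of truth. The rule IDs and paths in FIXES are constructed sample input. The validation step is the part worth noting: because every field is interpolated into three different languages, the generator refuses anything that is not a clean octal mode, a plain user/group name, or a plain absolute path, rather than trusting the description file.

```python
"""Render one declarative STIG-fix description to Bash, Puppet and Ansible.

Added example for the DSL suggestion in the thread. It is NOT part of
stig-fix-el6; the rule IDs and file settings in FIXES are constructed
sample data, chosen to look like the sshd/sudoers cases discussed above.
"""
import re
import shlex

# Constructed sample input: each entry is one "template" the DSL standardizes.
FIXES = [
    {"id": "example-sshd-config", "path": "/etc/ssh/sshd_config",
     "owner": "root", "group": "root", "mode": "0600"},
    {"id": "example-sudoers", "path": "/etc/sudoers",
     "owner": "root", "group": "root", "mode": "0440"},
]

# Strict shapes: the values are spliced into shell, Puppet DSL and YAML,
# so anything outside these character sets is rejected instead of quoted.
MODE_RE = re.compile(r"^0[0-7]{3}$")
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]+$")
ID_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate(fix):
    """Return the fix unchanged, or raise ValueError describing the bad field."""
    if not ID_RE.match(fix["id"]):
        raise ValueError(f"bad rule id {fix['id']!r}")
    if not MODE_RE.match(fix["mode"]):
        raise ValueError(f"{fix['id']}: mode must be a 4-digit octal string")
    for key in ("owner", "group"):
        if not NAME_RE.match(fix[key]):
            raise ValueError(f"{fix['id']}: bad {key} {fix[key]!r}")
    if not PATH_RE.match(fix["path"]):
        raise ValueError(f"{fix['id']}: path must be absolute and plain")
    return fix


def is_valid(fix):
    """Boolean wrapper around validate() for callers that just want a check."""
    try:
        validate(fix)
        return True
    except ValueError:
        return False


def to_bash(fix):
    """Emit the chown/chmod lines a cat-level bash script would contain."""
    f = validate(fix)
    p = shlex.quote(f["path"])
    return (f"# {f['id']}\n"
            f"chown {f['owner']}:{f['group']} {p}\n"
            f"chmod {f['mode']} {p}\n")


def to_puppet(fix):
    """Emit a Puppet file resource with the same ownership and mode."""
    f = validate(fix)
    return (f"# {f['id']}\n"
            f"file {{ '{f['path']}':\n"
            f"  ensure => file,\n"
            f"  owner  => '{f['owner']}',\n"
            f"  group  => '{f['group']}',\n"
            f"  mode   => '{f['mode']}',\n"
            f"}}\n")


def to_ansible(fix):
    """Emit an Ansible 'file' task; mode is quoted so YAML keeps the octal string."""
    f = validate(fix)
    return (f"- name: {f['id']}\n"
            f"  file:\n"
            f"    path: {f['path']}\n"
            f"    owner: {f['owner']}\n"
            f"    group: {f['group']}\n"
            f"    mode: \"{f['mode']}\"\n"
            f"    state: file\n")


RENDERERS = {"bash": to_bash, "puppet": to_puppet, "ansible": to_ansible}


def render(fixes, tool):
    """Render every fix for one tool; unknown tool names raise KeyError."""
    return "".join(RENDERERS[tool](f) for f in fixes)


if __name__ == "__main__":
    for tool in RENDERERS:
        print(f"### {tool}")
        print(render(FIXES, tool))
```

Because all three outputs come from the same validated record, the testing burden the comment mentions collapses to two checks: that the description is well-formed, and that each renderer applies the record faithfully. Adding a fourth tool (chef, for example) means adding one renderer, not a fourth hand-maintained copy of every fix.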

@chris-rock

I propose you have a look at the Hardening Framework. It does the implementations for puppet, chef and ansible. The framework uses the same validation tests to ensure all implementations behave the same. Have a look at our implementation: https://github.com/hardening-io. Would be great if you could provide feedback.

@fcaviggia
Owner

Awesome, thanks for the link. I'll pass that project around Red Hat to review.

@chris-rock

Amazing, let me know if you need anything.
