Forge Home

baseline_compliance

Applies a compliant baseline to your Puppet catalogs.

6,822 downloads

6,652 latest version

4.6 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Support the Puppet Community by contributing to this module

You are welcome to contribute to this module by suggesting new features, currency updates, or fixes. Every contribution is valuable to help ensure that the module remains compatible with the latest Puppet versions and continues to meet community needs. Complete the following steps:

  1. Review the module’s contribution guidelines and any licenses. Ensure that your planned contribution aligns with the author’s standards and any legal requirements.
  2. Fork the repository on GitHub, make changes on a branch of your fork, and submit a pull request. The pull request must clearly document your proposed change.

For questions about updating the module, contact the module’s author.

Version information

  • 0.1.1 (latest)
  • 0.1.0
released Sep 24th 2016
This version is compatible with:
  • ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'ccaum-baseline_compliance', '0.1.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add ccaum-baseline_compliance
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install ccaum-baseline_compliance --version 0.1.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download

Documentation

ccaum/baseline_compliance — version 0.1.1 Sep 24th 2016

baseline_compliance

Table of Contents

  1. Description
  2. Setup - The basics of getting started with baseline_compliance
  3. Usage - Configuration options and additional functionality
  4. Gotchas - Things to watch out for

Description

This module provides a method for using Puppet code to define a compliance baseline that is intelligently applied to your existing Puppet code. This enables you to write Puppet modules that enforce configurations that comply with internal and regulatory compliance policies without suffering through duplicate resource errors nor resorting to spaghetti code.

Setup

To configure your Puppet master to apply compliant baselines, you'll need to configure the Puppet master to use the baselinecompliance catalog terminus. This can be done with the following command as root.

    $ puppet config set catalog_terminus baselinecompliance

Now all catalog compilation will first compile a catalog from the baseline environment, and then intelligently merge it with the catalog compiled for the environment assigned to the node.

Usage

Create a new environment called baseline. This environment can be managed with r10k just like any other environment you already manage.

Creating baseline modules

For each class that is part of a node's main catalog, the baseline catalog compiler will look for an equivilant in the baseline environment. If one is found, it will be added for compilation as part of the baseline catalog.

Therefor, if you want to have a baseline Apache configuration, just create an apache module with an apache class, add it to the baseline environment, and include any base resources you want to enforce in the apache class. If the node has Class['apache'] in its catalog, your baseline Class['apache'] will automatically be added to the baseline catalog.

Note, baseline classes do not support class parameters. One important point of using the baseline catalog compiler is any module should be able to be used as part of the mainline catalog. Since we cannot gaurantee class parameters will match between the main module used and the baseline module, it's far better to just not use parameters at all. Hiera, however, is still available for parameter data bindings.

Monitoring compliance enforcement & overwites

Below are the scenarios the baselinecompiler catalog terminus will recognize and how it will handle it. Each time the catalog terminus runs into each of the scenarios, a log will be present in the agent's run report.

  • If a resource exists in the baseline catalog, but not the main catalog, the resource will be added to the main catalog

  • If a resource exists in both catalogs, but the baseline resource has a parameter not present in the main catalog's instance of the resource, the parameter will be added to the main catalog's resource instance.

  • If a resource exists in both catalogs and they both have a parameter with different values, the main catalog's resource's parameter will take precidence over the baseline's resources' parameter.

Each Puppet agent run will log each scneario if they occur. For example:

    Info: Using configured environment 'production'
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Notice: Compiled catalog for master.vm in environment production in 8.78 seconds
    Notice: Compiled catalog for master.vm in environment baseline in 0.03 seconds
    Info: Adding baseline Notify[message] resource to catalog
    Warning: Resource File[/tmp/example]'s parameter 'group' value of 'pe-puppet' is overwriting baseline value of '0'
    Info: Adding baseline parameter 'mode' with value '0755' to resource File[/tmp/example]
    Info: Caching catalog for master.vm
    Info: Applying configuration version '1468390945'

Example Baseline Environment

This control repository has a baseline enviornment that deploys the os_hardening set of modules: http://github.com/ccaum/puppet-control/tree/baseline

Gotchas

Currently, custom facts in the baseline enviornment will not work. When the Puppet agent performs its pluginsync at the beginning of the run, it only syncs the facts from its assigned environment. Any module you use in the baseline environment that uses custom facts should have those facts added to the node's assigned environment.