Re: [Puppet Users] How to control who can add/update permissions in sudoers

2016-05-19 Thread Rob Nelson
This is probably something that should be addressed via code management or
audits, rather than via puppet. It can't really know your intentions, so if
someone wants to exec 'rm -fR' it will gleefully let it happen. It's on you
to trust your developers and have a pipeline to test things. Canary nodes
that can be audited may be a good idea here.

On Thursday, May 19, 2016, Alex Scoble wrote:

> Problem is that if you don't have a way of limiting where sudo entries can
> be made, someone can create a new module and grant themselves full sudo
> rights there for a large number of systems. When in a large enterprise such
> as ours, there are modules that are created and maintained by teams outside
> of the main teams that maintain the bulk of the puppet code.
>
> I think one possibility we are looking into is using Teamcity (could also
> be done with Jenkins) to check that sudo calls aren't made outside of our
> protected sudo module.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/5198fce0-fb84-42fe-bc8e-b6c2b48141d3%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>


-- 

Rob Nelson
rnels...@gmail.com

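The CI gate that Alex says they are looking into with TeamCity or Jenkins, and the code-management control Rob recommends, as an added example that is not from the thread, from Puppet Labs or from any Puppet module: a Python script that walks a control repo's modules/ tree and fails the build when any manifest outside the protected module references sudoers. The module name sudo, the modules/<name>/ layout, the pattern list and the sample manifests are all constructed assumptions for this example.

```python
"""
CI gate: fail the build if a Puppet manifest outside the protected sudo
module manages sudoers. Hypothetical script, not from the thread or stdlib.
"""
import os
import re
import sys

# Patterns that indicate a manifest is managing sudo policy. Assumption:
# this list is a starting point, not a complete grammar of Puppet.
SUDOERS_PATTERNS = [
    re.compile(r"/etc/sudoers"),              # file/exec/augeas referencing sudoers
    re.compile(r"\bSudoers\.lns\b"),          # augeas sudoers lens
    re.compile(r"^\s*sudo::\w+\s*\{"),        # declaring the protected module's defines
]
# Single-line comment stripping; a '#' inside a string is stripped too (simplification).
COMMENT_RE = re.compile(r"#.*$")


def module_of(path):
    """'modules/foo/manifests/init.pp' -> 'foo' (assumes a modules/<name>/ layout)."""
    parts = path.replace("\\", "/").split("/")
    if "modules" in parts:
        i = parts.index("modules")
        if i + 1 < len(parts):
            return parts[i + 1]
    return parts[0]


def find_sudoers_violations(manifests, allowed_module):
    """manifests: {relative_path: content}. Returns (path, line_no, line) tuples
    for every sudoers reference in a module other than allowed_module."""
    violations = []
    for path in sorted(manifests):
        if module_of(path) == allowed_module:
            continue  # the protected module is the only place allowed to do this
        for lineno, raw in enumerate(manifests[path].splitlines(), 1):
            line = COMMENT_RE.sub("", raw)
            if any(p.search(line) for p in SUDOERS_PATTERNS):
                violations.append((path, lineno, raw.strip()))
    return violations


def scan_tree(root, allowed_module):
    """Read every .pp file under root and run the check on it."""
    manifests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".pp"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8") as fh:
                    manifests[os.path.relpath(full, root)] = fh.read()
    return find_sudoers_violations(manifests, allowed_module)


# Constructed sample manifests: one protected module, one well-behaved
# consumer that only includes a protected class, and one rogue module.
SAMPLE_MANIFESTS = {
    "modules/sudo/manifests/role/dba.pp": (
        "class sudo::role::dba {\n"
        "  file { '/etc/sudoers.d/10-dba':\n"
        "    content => \"%dba ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart postgresql\\n\",\n"
        "    mode    => '0440',\n"
        "  }\n"
        "}\n"
    ),
    "modules/webapp/manifests/init.pp": (
        "class webapp {\n"
        "  include sudo::role::dba   # allowed: only includes the protected class\n"
        "  package { 'nginx': ensure => installed }\n"
        "}\n"
    ),
    "modules/rogue/manifests/init.pp": (
        "class rogue {\n"
        "  # a comment mentioning /etc/sudoers must not trip the check\n"
        "  file { '/etc/sudoers.d/99-rogue':\n"
        "    content => \"rogue ALL=(ALL) NOPASSWD: ALL\\n\",\n"
        "  }\n"
        "  augeas { 'sudo-root':\n"
        "    lens    => 'Sudoers.lns',\n"
        "    incl    => '/etc/sudoers',\n"
        "    changes => 'set spec[last()+1]/user rogue',\n"
        "  }\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_tree(sys.argv[1], "sudo")
    else:
        hits = find_sudoers_violations(SAMPLE_MANIFESTS, "sudo")
    for path, lineno, text in hits:
        print(f"{path}:{lineno}: {text}")
    sys.exit(1 if hits else 0)
```

Run it as a pipeline step with `python check_sudoers.py /path/to/control-repo`; a non-zero exit fails the build and the printed lines tell the reviewer which module tried to grant sudo rights. On the sample tree it reports the three lines in modules/rogue and nothing for modules/webapp, because an `include` of a class that lives in the protected module is exactly what the original post wants to allow. The patterns are a starting point: templates, EPP/ERB files and Hiera data that feed a sudoers file resource need patterns of their own, and a stdlib assert_private guard on the protected module's classes complements this gate rather than replacing it, since it only stops other modules from declaring those classes and does nothing about a direct file resource under /etc/sudoers.d.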


[Puppet Users] How to control who can add/update permissions in sudoers

2016-05-19 Thread Thomas Müller
Look for assert_private in puppetlabs-stdlib module. Maybe it's what you are
looking for.

Thomas



[Puppet Users] How to control who can add/update permissions in sudoers

2016-05-18 Thread Alex Scoble
Hi all,

We're currently on PE 3.8.4.

We need to be able to manage sudoers permissions with Puppet, but control 
things so sudoers permissions can only be granted within a specific module.

So permissions could be included via 'include foo::bar' from anywhere, but 
the actual sudoers permissions used by the include could only be set within 
the specific module that has access tightly controlled.

The goal is to prevent someone from injecting a new sudoers rule into a
module/manifest outside of our control.

Any ideas?

Thanks,

Alex
