
pupmod-simp-incron's Introduction


Table of Contents

  1. Description
  2. Setup - The basics of getting started with incron
  3. Usage - Configuration options and additional functionality
  4. Reference - An under-the-hood peek at what the module is doing and how
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Description

This module manages the incron packages, service, and /etc/incron.allow.

WARNING:

There were issues in early versions of incron 0.5.12. Please ensure that you are using at least version 0.5.12-10 on EL 7+.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

It is designed to be used within a larger SIMP ecosystem, but it can be used independently:

  • When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
  • If used as an independent module, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.

If you run into problems, please let us know by filing an issue at https://simp-project.atlassian.net/.

Setup

What incron affects

  • incron package
  • incrond service
  • /etc/incron.deny
  • /etc/incron.allow

Usage

To use this module, just call the class. This example adds it to a class list in hiera:

---
classes:
  - incron

Users can also be added to /etc/incron.allow with the incron::user defined type, or the incron::users array in hiera. The following example adds a few users to /etc/incron.allow:

incron::users:
  - foo
  - bar

New system table entries can be added to the /etc/incron.d/ directory with the incron::system_table defined type, or with the incron::system_table hash in hiera. The following example adds two new system table entries to the /etc/incron.d/ directory and removes unmanaged files:

incron::purge: true
incron::system_table:
  allowrw:
    path: '/data/'
    command: '/usr/bin/chmod -R 774 $@/$#'
    mask: ['IN_CREATE']
  deletelog:
    path: '/var/run/daemon'
    command: '/usr/bin/rm /var/log/daemon.log'
    mask: ['IN_DELETE']
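
The following reviewer script is an added example, not part of the module: it parses table lines in the incrontab(5) `<path> <mask> <command>` layout and flags unknown mask symbols, non-absolute paths or commands, and commands that interpolate `$#` (the event file name, which is chosen by whoever creates the file, while system tables run their commands as root). The sample table is constructed from the entries above plus one deliberately faulty line; how the module renders its files, the `review` function and the finding labels are assumptions of this example.

```python
import re

# Event symbols from incrontab(5) / inotify(7).
KNOWN_MASKS = {
    "IN_ACCESS", "IN_ATTRIB", "IN_CLOSE_WRITE", "IN_CLOSE_NOWRITE", "IN_CREATE",
    "IN_DELETE", "IN_DELETE_SELF", "IN_MODIFY", "IN_MOVE_SELF", "IN_MOVED_FROM",
    "IN_MOVED_TO", "IN_OPEN", "IN_ALL_EVENTS", "IN_MOVE", "IN_CLOSE",
    "IN_DONT_FOLLOW", "IN_ONESHOT", "IN_ONLYDIR", "IN_NO_LOOP",
}

# Constructed sample: the two hiera entries above written as table lines,
# plus a third line with a misspelled mask and a command found via PATH.
SAMPLE = """\
/data/ IN_CREATE /usr/bin/chmod -R 774 $@/$#
/var/run/daemon IN_DELETE /usr/bin/rm /var/log/daemon.log
/tmp/foo IN_CREAT echo $@ $#
"""

def review(table_text):
    """Return (line_number, finding) pairs for one incron table."""
    findings = []
    for n, line in enumerate(table_text.splitlines(), 1):
        if not line.strip():
            continue
        # Assumes the watched path contains no whitespace.
        fields = line.split(None, 2)
        if len(fields) < 3:
            findings.append((n, "malformed"))
            continue
        path, mask, command = fields
        if not path.startswith("/"):
            findings.append((n, "relative-path"))
        for sym in mask.split(","):
            # Numeric masks and key=value options are accepted as-is.
            if not (sym.isdigit() or "=" in sym or sym in KNOWN_MASKS):
                findings.append((n, "unknown-mask:" + sym))
        if not command.startswith("/"):
            findings.append((n, "relative-command"))
        # Scan $-wildcards left to right so "$$#" (literal "$" then "#") is
        # not mistaken for "$#", the name of the file that raised the event.
        if "#" in re.findall(r"\$(.)", command):
            findings.append((n, "event-name"))
    return findings

if __name__ == "__main__":
    for lineno, finding in review(SAMPLE):
        print(f"line {lineno}: {finding}")
```

An `event-name` finding is a prompt to check how the command quotes and uses the file name, not a verdict that the entry is unsafe.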

Reference

Please refer to the inline documentation within each source file, or to the module's generated YARD documentation for reference material.

Limitations

SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.

Development

Please read our Contribution Guide (https://simp.readthedocs.io/en/stable/contributors_guide/index.html).

Acceptance tests

This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:

bundle install
bundle exec rake beaker:suites

Please refer to the SIMP Beaker Helpers documentation for more information.

pupmod-simp-incron's People

Contributors

andy-adrian, brandonrdn, bschonec, jeannegreulich, lnemsick-simp, michael-riddle, op-ct, pillarsdotnet, rgardner4012, ruriky, silug, trevor-vaughan

pupmod-simp-incron's Issues

incron::system_table is not idempotent

When creating an incron::system_table entry, Puppet deletes the original files and then recreates them with identical content. This causes the incron service to be restarted/reloaded. The md5sum of the files before and after are identical. I'm unsure why the module thinks the files need updating.

# incron hiera setup             
incron::purge: true        
incron::system_table:      
 jasper_reports:          
   path: "/tmp/foo"       
   mask:  'IN_CREATE'        
   command: '/bin/echo $@ $#'

[root@mynode limits.d]# puppet agent -t --environment=inacron

Info: Using environment 'inacron'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for mynode.example.com
Info: Applying configuration version '6bbbc5d26fd001ed089b011b8d25d1709c9a53d2'
Notice: /Stage[main]/Incron/File/etc/incron.d/jasper_reports/ensure: removed (corrective)
Notice: /Stage[main]/Incron/Incron::System_table[jasper_reports]/Incron_system_table[jasper_reports]/ensure: created (corrective)
Info: /Stage[main]/Incron/Incron::System_table[jasper_reports]/Incron_system_table[jasper_reports]: Scheduling refresh of Class[Incron::Service]
Info: Class[Incron::Service]: Scheduling refresh of Service[incrond]
Notice: /Stage[main]/Incron::Service/Service[incrond]: Triggered 'refresh' from 1 event
Notice: Applied catalog in 6.59 seconds

[root@mynode limits.d]# puppet agent -t --environment=inacron
Info: Using environment 'inacron'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for mynode.example.com
Info: Applying configuration version '6bbbc5d26fd001ed089b011b8d25d1709c9a53d2'
Notice: /Stage[main]/Incron/File/etc/incron.d/jasper_reports/ensure: removed (corrective)
Notice: /Stage[main]/Incron/Incron::System_table[jasper_reports]/Incron_system_table[jasper_reports]/ensure: created (corrective)
Info: /Stage[main]/Incron/Incron::System_table[jasper_reports]/Incron_system_table[jasper_reports]: Scheduling refresh of Class[Incron::Service]
Info: Class[Incron::Service]: Scheduling refresh of Service[incrond]
Notice: /Stage[main]/Incron::Service/Service[incrond]: Triggered 'refresh' from 1 event
Notice: Applied catalog in 6.71 seconds

The resulting "jasper_reports" file has the same md5sum as before the puppet run but the module still changes the file.

Add the ability to create user incron jobs

It looks like incron jobs only go into /etc/incron.d and are owned by root.

I have a case where a non-root user needs to have a few incron jobs but there doesn't seem to be any way to create a user-owned incron job ala, "incrontab -e -u ".

I'm happy to try to make updates to this module but I'm not familiar enough with Ruby to make changes to anything under ../lib directory.

"enable => false" doesn't delete /etc/incron.d file(s)

Would it make sense to delete the individual /etc/incron.d/<system_table> file when the system table state is "enabled false?" I was quite confused as to why an empty file was in /etc/incron.d/ until I realized that it was empty of any data.
