Hey all,
Regarding issue #56 on foreman_openscap [1].
Currently there are two ways to assign a compliance policy to a host:
- Assign a hostgroup while creating / updating a compliance policy
- Assign a compliance policy to host(s) via the multiple actions on hosts
index.
The issue (copied):
> ATM, when a policy is created, a puppet class is attached to the hostgroup.
> this in turn adds the class parameters to the ENC output of a puppet run
> and configures the client.
>
> this could be done automatically instead, where the enc output is appended
> with the scap content without a direct class / hostgroup class.
>
> additionally, this reduces the risk of someone removing the puppet class
> from the hostgroup, and allow us to link the policy via any object (e.g.
> all hosts that belongs to org XX, domain YY, Content View etc).
>
We thought of introducing a lock mechanism to HostgroupClass & HostClass
(:locked => boolean). If locked is set to true, one will not be able to
accidentally remove the selected puppet class (will have to unlock, and
only then remove). This way, when adding the openscap puppet client, we
will also lock it. This represents, I think, a broader approach to puppet
classes added by plugins.
Another option, suggested by @ohadlevy, is to add the openscap parameters to
the global ENC parameters, as demonstrated in his comment [2].
I'd love to hear your comments and thoughts or other possible ways to
address this issue.
Cheers,
[1] https://github.com/OpenSCAP/foreman_openscap/issues/56
[2] https://github.com/OpenSCAP/foreman_openscap/issues/56#issuecomment-70635126
Hello,
sending comments inline below.
> Hey all,
> Regarding issue #56 on foreman_openscap [1].
> Currently there are two ways to assign a compliance policy to a host:
> 1) Assign a hostgroup while creating / updating a compliance policy
> 2) Assign a compliance policy to host(s) via the multiple actions on hosts
> index.
>
> The issue (copied):
> > ATM, when a policy is created, a puppet class is attached to the
> > hostgroup.
> > this in turn adds the class parameters to the ENC output of a puppet run
> > and configures the client.
> >
> > this could be done automatically instead, where the enc output is appended
> > with the scap content without a direct class / hostgroup class.
> >
> > additionally, this reduces the risk of someone removing the puppet class
> > from the hostgroup, and allow us to link the policy via any object (e.g.
> > all hosts that belongs to org XX, domain YY, Content View etc).
>
> We thought of introducing a lock mechanism to HostgroupClass & HostClass
> (:locked => boolean). If locked is set to true, one will not be able to
> accidentally remove the selected puppet class (will have to unlock, and
> only then remove). This way, when adding the openscap puppet client, we
> will also lock it. This represents, I think, a broader approach to puppet
> classes added by plugins.
This lock would make it clear that this puppet class should not be
disassociated. It should be implemented in the same way for host group, config
group and direct host associations.
Later we may add some UI so advanced users can unlock and remove it but for
now we would just add some interface for plugin developers so they don't have
to work with internals.
> Another option, suggested by @ohadlevy is to add the openscap parameters to
> the global ENC parameters, as demonstrated in his comment [2]
The more I think about this way, we'd have to introduce some new objects that
will hold the list of manifests that should be added. Then we have to solve how
to deal with association to hosts/host groups/config groups again, unless we
want to assign this manifest to all hosts, which might not be the case even for
OpenSCAP. If we introduce more features into foreman_scap_plugin, users may
want to test them properly through development/test/production environments.
Another issue is that we'd have to add some hack so we display the class in the
assignment list (probably just the host form) so the user knows that this
manifest is always added, and we should disable removing it. Therefore I lean
towards locking, which is similar to the mechanism we have for config templates.
On Monday 16 of February 2015 03:41:41 Shlomi Zadok wrote:
> I'd love to hear your comments and thoughts or other possible ways to
> address this issue.
> Cheers,
> [1] https://github.com/OpenSCAP/foreman_openscap/issues/56
> [2] https://github.com/OpenSCAP/foreman_openscap/issues/56#issuecomment-70635126
–
Marek
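A worked model of the lock proposed in Shlomi's message (the :locked boolean on HostgroupClass / HostClass) and of the plugin-facing interface Marek describes, as an added example that is not Foreman or foreman_openscap code. It is plain Ruby with no Rails dependency so it runs stand-alone: the class names mirror Foreman's, but `add_locked_class`, `unlock_class`, `remove_class`, the `PuppetclassLockedError` exception and the class names "ntp" / "foreman_scap_client" are assumptions made for illustration. In a real Rails model the same behaviour would be a boolean `locked` column plus a `before_destroy` guard; here it is simulated by the `remove_class` method refusing to delete a locked association.

```ruby
# Added example, not project code: minimal simulation of a :locked flag on the
# hostgroup <-> puppetclass association, so a class added by a plugin cannot be
# removed until it is explicitly unlocked.

class PuppetclassLockedError < StandardError; end

# Stand-in for Foreman's HostgroupClass join model: one object per
# (hostgroup, puppetclass) pair, plus the proposed :locked boolean.
class HostgroupClass
  attr_reader :hostgroup, :puppetclass, :locked

  def initialize(hostgroup, puppetclass, locked: false)
    @hostgroup = hostgroup
    @puppetclass = puppetclass
    @locked = locked
  end

  def lock!;   @locked = true;  self; end
  def unlock!; @locked = false; self; end
end

class Hostgroup
  attr_reader :name, :hostgroup_classes

  def initialize(name)
    @name = name
    @hostgroup_classes = []
  end

  # Plain association, as a user would do from the host group form.
  def add_class(puppetclass, locked: false)
    @hostgroup_classes << HostgroupClass.new(self, puppetclass, locked: locked)
  end

  # Interface intended for plugin code (assumed name): assign and lock in one
  # step, so the class cannot be dropped by accident.
  def add_locked_class(puppetclass)
    add_class(puppetclass, locked: true)
  end

  # Refuses to remove a locked association; this is what a before_destroy
  # callback on the Rails model would enforce. Returns false if not assigned.
  def remove_class(puppetclass)
    hc = @hostgroup_classes.find { |c| c.puppetclass == puppetclass }
    return false if hc.nil?
    if hc.locked
      raise PuppetclassLockedError, "#{puppetclass} is locked on #{name}; unlock it first"
    end
    @hostgroup_classes.delete(hc)
    true
  end

  # Explicit unlock step; only after this does remove_class succeed.
  def unlock_class(puppetclass)
    hc = @hostgroup_classes.find { |c| c.puppetclass == puppetclass }
    hc&.unlock!
  end

  def puppetclasses
    @hostgroup_classes.map(&:puppetclass)
  end
end

# Scenario from the thread, with constructed sample data: assigning a
# compliance policy attaches the openscap client class (locked) to the
# hostgroup; a later removal is refused until the class is unlocked.
def lock_scenario
  hg = Hostgroup.new("webservers")
  hg.add_class("ntp")
  hg.add_locked_class("foreman_scap_client") # done by the plugin on policy assignment

  begin
    hg.remove_class("foreman_scap_client")
    refused = false
  rescue PuppetclassLockedError
    refused = true
  end

  hg.remove_class("ntp")                       # unlocked classes are removable as before
  hg.unlock_class("foreman_scap_client")
  removed_after_unlock = hg.remove_class("foreman_scap_client")

  { refused: refused, removed_after_unlock: removed_after_unlock, remaining: hg.puppetclasses }
end

puts lock_scenario.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints `{:refused=>true, :removed_after_unlock=>true, :remaining=>[]}`: the locked class survives the accidental removal, ordinary classes behave as today, and the unlock-then-remove path still lets an advanced user take the class off the host group. The same object would be reused for HostClass and config group associations, as Marek's reply asks for.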