[Spacewalk-list] Config management questions
Will Beldman
wbeldma at uwo.ca
Mon Apr 27 16:02:08 UTC 2015
I'm trying to do a better job in my organization managing changes to
configuration files.
Most of our authentication and authorization I'd like to defer to LDAP so I
figured monitoring some local user management config files would be a good
start (e.g. /etc/passwd, /etc/shadow, /etc/group). My idea was that if a
sysadmin tried to add a local user, Spacewalk could alert me to the change
because it would no longer match my centrally managed files.
However, I've already realized that I have a problem with my /etc/shadow file
because the hash associated with the root password will obviously be different
for every machine so I cannot manage it centrally.
I tried to use macros like so:
=====================================
root:{| rhn.system.custom_info(root_hash) |}::0:99999:7:::
...
=====================================
and this works but I've realized that this means I am loading the root
password hash onto every system as a custom info value which is probably not a
good idea security-wise. If my Spacewalk server were compromised, the
/etc/shadow file for every system is also compromised.
Is there any ability to do things like ignore certain lines or put in regex
wildcards so I can just say "put whatever you want in here"? Or is there a
feature request for this?
Also, can I get some idea, philosophically, on how to leverage config
management in Spacewalk to its potential? I think I really need to put up a
config management server (Puppet/Chef/etc) to do what I really want, but in
the interim, I was hoping to get some ideas on common uses for config
management in Spacewalk.
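
An added example, not part of the original post and not a Spacewalk feature: a standalone Python check that performs the "ignore this field" comparison asked about above, comparing a host's shadow file to a central baseline by account and password state (set, locked, empty) so that no hash has to be stored centrally. The function names, the `SET` placeholder in the baseline and all sample data are assumptions made for illustration.

```python
# Added example (not Spacewalk code). Field layout follows shadow(5).
# All sample data is constructed; the "$6$..." strings are dummies, not real hashes.

def hash_state(field):
    """Reduce the password field to its state so the hash never leaves the host."""
    if field == "":
        return "empty"    # no password required
    if field[0] in "!*":
        return "locked"   # password login disabled
    return "set"


def parse_shadow(text):
    """Map username -> comparable fields, with per-host values masked."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {f[0]!r}")
        f[1] = hash_state(f[1])   # compare the state, not the hash itself
        f[2] = ""                 # assumption: last-change date varies per host
        entries[f[0]] = f
    return entries


def shadow_drift(baseline_text, local_text):
    """Report accounts added, removed or changed relative to the baseline."""
    base, local = parse_shadow(baseline_text), parse_shadow(local_text)
    common = set(base) & set(local)
    return {
        "added": sorted(set(local) - set(base)),
        "removed": sorted(set(base) - set(local)),
        "changed": sorted(u for u in common if base[u] != local[u]),
    }


# Constructed baseline: "SET" stands for "some password is set", "*" for locked.
BASELINE = "root:SET::0:99999:7:::\ndaemon:*::0:99999:7:::\n"
# Constructed host file: daemon has gained a password, tempadmin is a new local user.
LOCAL = ("root:$6$constructedsalt$constructedhash:16550:0:99999:7:::\n"
         "daemon:$6$constructedsalt$otherhash:16550:0:99999:7:::\n"
         "tempadmin:$6$constructedsalt$thirdhash:16552:0:99999:7:::\n")

if __name__ == "__main__":
    print(shadow_drift(BASELINE, LOCAL))
```

Because the password field is compared by state rather than masked outright, a locked service account that acquires a usable password is reported as changed even though its hash is never compared.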