[Spacewalk-list] Config management questions

Tue Apr 28 13:25:36 UTC 2015

Will --

Your use cases seem similar to what we've implemented here.  That is, the
versioning isn't as full-featured as something like git, but serves the
purpose well of validating that key files haven't changed across the plant
(I've got a daily script that leverages the spacewalk API to flag the
files that are no longer in spec.)

You are also correct that it isn't close to the power of puppet, but
certainly is much lighter-weight and quicker to deploy (again, for a
specific use-case).

On the subject of root passwords:  is it important to your organization to
have DIFFERENT root passwords for each of your servers?  (Yes, I'm
serious!)  If you disallow remote root login (which you should!), and
leverage "sudo" for elevating privileges (with users' using their OWN
password), the root passwords are never really used / exposed.  In such a
case, it's much easier to manage if they are all the same.

(Which leads me back to ansible...)  If having them the same makes you (or
your bosses) insist on CHANGING those passwords more frequently, I'd
suggest using ansible to do so.  It's worked GREAT for us here.  (It's a
fast enough process that you could change your root passwords once a
MONTH, if that's what would make folks happy.)

Changing root passwords across the plant via ansible:

    Create a pseudo-random salt to use for the password hashing:
     [root at HOSTXYZ ~]# python
     >>> import os
     >>> os.urandom(32).encode('base_64')
     '+Ks4YQAwuHLotW6PX/+9Tzf0B8HQmF43Kr/NpLcyJDE=\n'

    The output of the step above provides the INPUT for the next set of
commands (see right AFTER "$1$" below)

    Create a hash of the new password using python's crypt function (see
also 
http://mjanja.co.ke/2013/01/generate-salted-shadow-hashes-using-python-cryp
t/ ).  E.g.:
     >>> import crypt
     >>> 
crypt.crypt("mysupertoughpassword",'$1$+Ks4YQAwuHLotW6PX/+9Tzf0B8HQmF43Kr/N
pLcyJDE=\n')
     '$1$+Ks4YQAw$l0aKYjp7tZinnU25B.KfN0'
     >>> quit()

    The output of the step above allows for the needed INPUT to ansible
below:
     ansible HOSTS_LISTED_HERE -m user -a 'name=root
password=$1$+Ks4YQAw$l0aKYjp7tZinnU25B.KfN0' -K --sudo

Just some thoughts...

Andy

On 4/27/15, 12:02 PM, "Will Beldman" <wbeldma at uwo.ca> wrote:

I'm trying to do a better job in my organization managing changes to
configuration files.

Most of our authentication and authorization I'd like to defer to LDAP so
I 
figured monitoring some local user management config files would be a good
start (eg. /etc/passwd, /etc/shadow, /etc/group). My idea was that if a
sysadmin tried to add a local user, Spacewalk could alert me to the change
because it would no longer match my centrally manged files.

However, I've already realized that I have a problem with my /etc/shadow
file 
because the hash associated with the root password will obviously be
different 
for every machine so I cannot manage it centrally.

I tried to use macros like so:
=====================================
root:{| rhn.system.custom_info(root_hash) |}::0:99999:7:::
...
=====================================
and this works but I've realized that this means I am loading the root
password hash onto every system as a custom info value which is probably
not a 
good idea security-wise. If my Spacewalk server were compromised, the
/etc/shadow file for every system is also compromised.

Is there any ability to do things like ignore certain lines or put in
regex 
wildcards so I can just say "put whatever you want in here"? Or is there a
feature request for this?

Also, can I get some idea, philosophically, on how to leverage config
management in Spacewalk to it's potential. I think I really need to put up
a 
config management server (Puppet/Chef/etc) to do what I really want, but
in 
the interim, I was hoping to get some ideas on common uses for config
management in Spacewalk.

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list