[Spacewalk-list] Config management questions

Waldirio Manhães Pinheiro waldirio at gmail.com
Wed Apr 29 12:50:00 UTC 2015


Hello friends

I can see different ways to achieve the result. For example, you can
create a script to create a hash from these files (/tmp/hash-file1,
/tmp/hash-file2, ...) and another to test the actual hash against the
reference hash: if equal, return ok; if not, different.

For the control, distribution, and check, you will use a Configuration
Channel, the API or spacecmd.

Let me know if the idea was clear.

Take Care

______________
Regards
Waldirio
msn: waldirio at gmail.com
Skype: waldirio
Site: www.waldirio.com.br
Blog: blog.waldirio.com.br
LinkedIn: http://br.linkedin.com/pub/waldirio-pinheiro/22/b21/646
PGP: www.waldirio.com.br/public.html

On Mon, Apr 27, 2015 at 1:02 PM, Will Beldman <wbeldma at uwo.ca> wrote:

> I'm trying to do a better job in my organization managing changes to
> configuration files.
>
> Most of our authentication and authorization I'd like to defer to LDAP so I
> figured monitoring some local user management config files would be a good
> start (eg. /etc/passwd, /etc/shadow, /etc/group). My idea was that if a
> sysadmin tried to add a local user, Spacewalk could alert me to the change
> because it would no longer match my centrally managed files.
>
> However, I've already realized that I have a problem with my /etc/shadow
> file because the hash associated with the root password will obviously be
> different for every machine so I cannot manage it centrally.
>
> I tried to use macros like so:
> =====================================
> root:{| rhn.system.custom_info(root_hash) |}::0:99999:7:::
> ...
> =====================================
> and this works but I've realized that this means I am loading the root
> password hash onto every system as a custom info value which is probably
> not a good idea security-wise. If my Spacewalk server were compromised, the
> /etc/shadow file for every system is also compromised.
>
> Is there any ability to do things like ignore certain lines or put in regex
> wildcards so I can just say "put whatever you want in here"? Or is there a
> feature request for this?
>
>
> Also, can I get some idea, philosophically, on how to leverage config
> management in Spacewalk to its potential? I think I really need to put up
> a config management server (Puppet/Chef/etc) to do what I really want, but
> in the interim, I was hoping to get some ideas on common uses for config
> management in Spacewalk.
>
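The hash-and-compare approach from the reply, applied to the per-host root hash problem in the quoted question, as an added example that is not part of either post. It goes one step further than comparing raw files: the password hash field is reduced to a state label and the last-change day is blanked before hashing, so the reference digest holds no secret. The function names, the EMPTY/LOCKED/SET labels and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: reference digests built this way contain no password hashes.

# Print shadow-format lines with field 2 (hash) reduced to a state label and
# field 3 (last password change) blanked, sorted so line order is irrelevant.
normalize_shadow() {
    awk -F: 'BEGIN { OFS = ":" }
        $0 == "" { next }
        {
            if ($2 == "")          $2 = "EMPTY"
            else if ($2 ~ /^[!*]/) $2 = "LOCKED"
            else                   $2 = "SET"
            $3 = ""
            print
        }' "$1" | LC_ALL=C sort
}

# Digest of a file; kind "shadow" is normalized first, anything else is raw.
file_digest() {  # $1 = path, $2 = kind
    if [ "$2" = shadow ]; then
        normalize_shadow "$1" | sha256sum | cut -d' ' -f1
    else
        sha256sum < "$1" | cut -d' ' -f1
    fi
}

# Print "ok" or "different" and return 0 or 1.
check_file() {  # $1 = path, $2 = kind, $3 = file holding the reference digest
    if [ "$(file_digest "$1" "$2")" = "$(cat "$3")" ]; then
        echo "ok: $1"
    else
        echo "different: $1"
        return 1
    fi
}

# Constructed sample data: two hosts with different root hashes, then a
# local account added on the second host.
demo() {
    d=$(mktemp -d)
    printf 'root:$6$aaaa$HASH_A:16550:0:99999:7:::\nbin:*:16000:0:99999:7:::\n' > "$d/host1"
    printf 'root:$6$bbbb$HASH_B:16554:0:99999:7:::\nbin:*:16000:0:99999:7:::\n' > "$d/host2"
    file_digest "$d/host1" shadow > "$d/ref"
    check_file "$d/host2" shadow "$d/ref"
    printf 'eve:$6$cccc$HASH_C:16554:0:99999:7:::\n' >> "$d/host2"
    check_file "$d/host2" shadow "$d/ref" || true
    rm -rf "$d"
}
demo
```

Because the label distinguishes EMPTY, LOCKED and SET, the check still reports a locked account that gains a password or an account whose password is cleared, while a routine password change on an existing account stays quiet.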