changeconfig daemons (puppet, cfengine, etc) with grsec?

A place to submit your RBAC policies and generate ideas for better ones

Moderators: spender, PaX Team


Post by law » Thu Feb 21, 2008 1:23 am

So, does anyone here have grsec running underneath a change-config setup like puppet or cfengine with a daemon living on the local box that checks a central server for changes, all changes being negotiated through that daemon? Any ideas on how I could go about setting up an ACL for a situation like that, with a daemon/process running that should have proper rootly-powers to change just about anything and everything (maybe even /etc/grsec/policy? thoughts?), but also have everything else locked down? Specifically, we're thinking of setting up puppet in our environment, and we want the puppetd client to be able to make changes where it needs to make changes, but we also want to not open ourselves up wide to the l33t-h4xx0rz of the world. Thoughts, anyone?

Many thanks in advance!
--law