[chef] Re: Re: Re: Re: Re: Re: RE: Running chef in multiple environments


  • From: Lamont Granquist < >
  • To:
  • Subject: [chef] Re: Re: Re: Re: Re: Re: RE: Running chef in multiple environments
  • Date: Fri, 01 Aug 2014 10:52:26 -0700

On 8/1/14, 1:51 AM, James Le Cuirot wrote:
> I don't really agree with this. If someone has broken in, you should take time to work out exactly what has been changed and how they managed to do it. You should also take that box offline immediately instead of relying on Chef to patch it up in the short term. While Chef's enforcement of permissions is a nice side effect, I don't think it should be used primarily as a security feature. My cookbooks use /etc/shadow but given that this file was already present with the correct permissions before installing Chef, I don't think Chef should attempt to enforce this. You could write a cookbook to enforce the permissions of every vaguely important file on the system but this would be tedious and probably not very effective. Watching for unexpected file system changes is really a job for AIDE and the like.

I totally agree that Chef/CFEngine/Puppet/etc make bad Tripwire-like systems.

I've still absolutely used them as preventive controls in SOX and PCI-DSS environments and to show compliance with written systems standards. We can argue about the absolute security utility of that, but practically it makes the PCI-DSS auditor go away and I like that... =)



