_mig5 6 days ago

Hi westurner!

> Could it also detect changed package files; if there are per-package-file checksums like with debsums and `rpm -V`?

Yes, that's exactly what it does. See https://git.mig5.net/mig5/enroll/src/branch/main/enroll/plat... and https://git.mig5.net/mig5/enroll/src/branch/main/enroll/rpm....

It also tries to ignore packages that came with the distro automatically, e.g. focusing on stuff that was explicitly installed (based on 'apt-mark showmanual' for Debian, and 'dnf -q repoquery --userinstalled' (and related commands, like dnf -q history userinstalled) for RH-like)

> Does it check extended filesystem labels with e.g. getfacl for SELinux support?

Not yet, but that's interesting, I'll look into it.

> At least once I've scripted better than regex to convert a configuration file to a Jinja2 templated configuration file (from the current package's default commented config file with the latest options).

Yep, that was the inspiration for my companion tool https://git.mig5.net/mig5/jinjaturtle (which enroll will automatically try and use if it finds it on the $PATH - if it can't find it, it will just use 'copy' mode for Ansible tasks, and the original files).

Note that running the `enroll manifest` command against multiple separate 'harvests' (e.g. harvested from separate machines) but storing it in the same common manifest location will 'merge' the Ansible manifests, thereby 'growing' the Ansible manifest as needed. But each host 'feature flips' on/off which files/templates should be deployed on it, based on what was 'harvested' from that host.

> Does it log a list of running processes and their contexts; with `ps -Z`?

It doesn't use ps, but it examines systemctl to get a list of running services and also timers. Have a look at https://git.mig5.net/mig5/enroll/src/branch/main/enroll/syst...

Thanks for the other ideas! I'll look into them.
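To make concrete what "detect changed package files" via `rpm -V` / `debsums` looks like once the raw output is in hand, here is an added example (not enroll's code, and not from either commenter) that parses the two tools' output formats into a drift report and separates the signal a defender cares about (digest, mode, owner or capability changes on non-config files) from expected noise (mtime-only drift, edited config files). The sample output strings are constructed to mimic the real formats; nothing here invokes rpm or debsums, and the classification rules are this example's own, not the tools'.

```python
"""Turn rpm -V / debsums -c output into a package-integrity drift report."""
import re
from dataclasses import dataclass

# Meaning of each position in the 9-character rpm -V flag string, per rpm(8).
RPM_FLAG_NAMES = ("size", "mode", "digest", "device", "link",
                  "user", "group", "mtime", "caps")

# e.g. "S.5....T.  c /etc/ssh/sshd_config"  (flags, optional attribute, path)
_RPM_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
# e.g. "missing     /usr/share/doc/example/README"
_RPM_MISSING = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$")
# debsums reports absent files on stderr; format as printed by debsums.
_DEBSUMS_MISSING = re.compile(r"^debsums: missing file (?P<path>/\S+)")

# Checks whose failure points at tampering or privilege drift rather than editing.
INTEGRITY_CHECKS = {"mode", "user", "group", "caps", "link", "device"}


@dataclass(frozen=True)
class FileDrift:
    path: str
    failed: tuple        # names of checks that failed, e.g. ("size", "digest")
    config: bool         # packaged as a config file (rpm 'c' attribute)
    missing: bool = False


def parse_rpm_verify(text: str) -> list:
    """Parse `rpm -Va`-style output into FileDrift records."""
    drifts = []
    for line in text.splitlines():
        m = _RPM_MISSING.match(line)
        if m:
            drifts.append(FileDrift(m["path"], (), m["attr"] == "c", missing=True))
            continue
        m = _RPM_LINE.match(line)
        if not m:
            continue  # not a verification line (dependency warnings etc.)
        failed = tuple(name for ch, name in zip(m["flags"], RPM_FLAG_NAMES)
                       if ch not in ".?")  # '.' passed, '?' could not test
        drifts.append(FileDrift(m["path"], failed, m["attr"] == "c"))
    return drifts


def parse_debsums(text: str) -> list:
    """Parse `debsums -c` output (stdout and stderr merged).

    debsums only tells us that the checksum differs, and it skips conffiles
    unless run with -a, so every listed file is recorded as non-config.
    """
    drifts = []
    for line in text.splitlines():
        m = _DEBSUMS_MISSING.match(line)
        if m:
            drifts.append(FileDrift(m["path"], (), False, missing=True))
        elif line.startswith("/"):
            drifts.append(FileDrift(line.strip(), ("digest",), False))
    return drifts


def classify(d: FileDrift) -> str:
    """Bucket a drift record; rules are this example's own heuristics."""
    if d.missing:
        return "missing"
    if INTEGRITY_CHECKS & set(d.failed):
        return "suspicious"                      # permission/owner/capability drift
    if {"digest", "size"} & set(d.failed):
        return "config_drift" if d.config else "suspicious"   # content changed
    return "noise"                               # mtime-only (e.g. a touch)


def drift_report(drifts) -> dict:
    report = {"suspicious": [], "config_drift": [], "missing": [], "noise": []}
    for d in drifts:
        report[classify(d)].append(d.path)
    return report


# Constructed sample outputs that imitate the real formats (not captured from a host).
RPM_SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libexample.so.1
S.5....T.    /usr/bin/curl
.M...UG..    /var/log/example
missing     /usr/share/doc/example/README
"""
DEBSUMS_SAMPLE = """\
/usr/bin/sudo
debsums: missing file /usr/share/doc/foo/copyright (from foo package)
"""


def demo() -> dict:
    return drift_report(parse_rpm_verify(RPM_SAMPLE) + parse_debsums(DEBSUMS_SAMPLE))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

On a real host the inputs would come from `rpm -Va` and `debsums -c 2>&1` (or `debsums -ca` if edited conffiles should be included); the useful output for review is the "suspicious" bucket, since an edited file under /etc is usually intentional while a changed digest on a binary or a mode/owner change is worth explaining.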

westurner 5 days ago

Thanks for your reply. As well; otoh:

Does it already indirectly diff the output of `systemd-analyze security`?

Would there be value to it knowing the precedence order of systemd config files? (`man systemd.unit`)

How to transform the generated playbooks to - instead of ansible builtins - use a role from ansible-galaxy to create users for example?

How to generate tests or stub tests (or a HEALTHCHECK command/script, or k8s Liveness/Readiness/Startup probes, and/or a Nagios or a Prometheus monitoring config,) given ansible inventory and/or just enroll?

Ansible Molecule used to default to pytest-testinfra for the verify step but the docs now mention an ansible-native way that works with normal inventory that can presumably still run testinfra tests as a verify step. https://docs.ansible.com/projects/molecule/configuration/?h=...

MacOS: homebrew_tap_module, homebrew_module, homebrew_cask_module, osx_defaults_module

Conda (Win/Mac/Lin, AMD64, ARM64, PPC64, RISC-V 64 (*), WASM)

CycloneDX/cyclonedx-python generates SBOMs from venv, conda, pip requirements.txt, pipenv, poetry, pdm, uv: https://github.com/CycloneDX/cyclonedx-python

Container config: /var, $DOCKER_HOST, Podman, Docker, $KUBECONFIG defaults to ~/.kube/config (kube config view), Podman rootless containers

Re: vm live migration, memory forensics, and diff'ing whole servers:

Live migration and replication solutions already have tested bit-level ~diffing that would also be useful to compare total machine state between 2 or more instances. At >2 nodes, what's anomalous? And how and why do the costs of convergence-based configuration management differ from golden image -based configuration management?

E.g. vmdiff diffs VMs. The README says it only diffs RAM on Windows. E.g. AVML and linpmem and volatility3 work with Linux.

/? volatility avml inurl:awesome https://www.google.com/search?q=volatiloty+avml+inurl%3Aawes...