Defined Type: easy_type::secure::ensure_control

Defined in:
manifests/secure/ensure_control.pp

Overview

This defined class takes care of applying a control. Depending on the settings this can mean:

- Applying the puppet class belnging to the control
- Applying the puppet class belonging to the validator
- Applying both the puppet class for the control and the validator

When both the control and the validator are selected, the validator is ALWAYS

run BEFORE the control. The reason behind this, is that we ALWAYS want a failing validator to be visible in the In-Control app.

This defined type can use two methods to apply the classes:

1) generate puppet code
2) Use create_resources

Method 1 is the default. This method creates a class name based on some meta parameters and ensures
the control and the validator are executed withi this class. This helps to get better pinnable
Puppet messages.

However on some systems this doesn’t work. (We don’t know yet why :-( ). That is why a fall back using create_resources

is available

Parameters:

  • control_id (Optional[String[1]])

    The chapter that contains the control

  • caller (String[1])

    The name of the calling class

  • product_version (String[1])

    The name and version of the product

  • doc_version (String[1])

    The version number of the CIS document

  • use_schedule (Optional[String[1]])

    The optional schedule to use for the validator. NOT for the control

  • default_operation (Easy_type::Operation)

    The default operation to perform

  • report_as (Easy_type::Report_as) (defaults to: 'warning') 


28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
 
# File 'manifests/secure/ensure_control.pp', line 28

define easy_type::secure::ensure_control (
  String[1]            $caller,
  String[1]            $product_version,
  String[1]            $doc_version,
  Easy_type::Operation $default_operation,
  Easy_type::Report_as $report_as = 'warning',
  Optional[String[1]]  $use_schedule,
  Optional[String[1]]  $control_id,
) {
  $use_schedule_string = if $use_schedule == undef {
    'undef'
  } else {
    $use_schedule
  }
  $control               = $title.split('@')[0]
  $resource              = $title.split('@')[1]
  $sanitized_doc_version = easy_type::sanetize($doc_version).downcase
  if $control_id != undef {
    $sanitized_control_id  = easy_type::sanetize($control_id).downcase
    $control_class_name = "${caller}::${product_version}::${sanitized_doc_version}::${sanitized_control_id}::${easy_type::sanetize($resource).downcase}"
  } else {
    $control_class_name = "${caller}::${product_version}::${sanitized_doc_version}::${easy_type::sanetize($resource).downcase}"
  }
  #
  # because sometimes we get unexplained "class already defined" messages, we allow users to
  # override the class generation feature. By default we DO generate the class names. When the hiera variable
  # `easy_type::generate_reference_classes` is set to `false` we skip this.
  #
  $generate_reference_classes = lookup('easy_type::generate_reference_classes', Boolean, undef, true )

  $control_name       = "${caller}::controls::${control}"
  $validator_name     = "${caller}::validators::${control}"
  $validator_ref        = easy_type::to_ref($validator_name)

  #
  # The action for a control is determined by fetching hiera values:
  #  1. module::controls::control_name::resource
  #  2. module::controls::control_name
  #
  #  There is no specific lookup for a validator.
  # 
  $control_action_resource  = lookup("${caller}::controls::${control}::${resource}", Optional[String], undef, undef)
  $action = if $control_action_resource == undef {
    lookup("${caller}::controls::${control}", String, undef, $default_operation )
  } else {
    $control_action_resource
  }

  if $generate_reference_classes {
    debug 'Generating reference classes...'
    # Generate puppet puppet_code
    # lint:ignore:strict_ident
    $puppet_code = case $action {
      'skip': {
        @("PUPPET")
          class ${control_class_name} {
              ${validator_name} { "${resource}": 
                skip => true,
              }
            }
        PUPPET
      }
      'enforce': {
        @("PUPPET")
        class ${control_class_name} {
            ${control_name} { "${resource}": }
          }
        PUPPET
      }
      'validate': {
        @("PUPPET")
          class ${control_class_name} {
            ${validator_name} { "${resource}":
              schedule  => ${use_schedule_string},
              report_as => ${report_as},
            }
          }
        PUPPET
      }
      'both': {
        @("PUPPET")
          class ${control_class_name} {
            ${validator_name} { "${resource}":
              schedule  => ${use_schedule_string},
              report_as => ${report_as},
            }
            -> ${control_name} { "${resource}": }
          }
        PUPPET
      }
      default: { fail "Received unknown control action '${action}'" }
    }
    # lint:endignore:strict_ident
    debug '**** Generated Puppet code is ****'
    debug $puppet_code
    debug '********'
    easy_type::evaluate_puppet($puppet_code)
    contain $control_class_name
  } else {
    debug 'Skip generating reference classes...'
    case $action {
      'skip': {
        create_resources($validator_name, $resource => { 'skip' => true })
      }
      'enforce': {
        create_resources($control_name, $resource => {})
      }
      'validate': {
        create_resources($validator_name, $resource => { 'schedule' => $use_schedule })
      }
      'both': {
        create_resources($validator_name, $resource => { 'schedule' => $use_schedule })
        create_resources($control_name, $resource => { 'require' => "${validator_ref}[${resource}]", 'report_as' => $report_as })
      }
      default: { fail "Received unknown control action '${action}'" }
    }
  }
}