...
- Class parameters may be tweaked (via Hiera, ENC, or due to internal logic such as ::params)
- Different CCEs may prescribe mutually exclusive requirements for the same resource.
- SIMP must support multiple compliance profiles, which may recommend CCEs that are mutually exclusive with respect to a given resource.
The Benefits: Better Compliance Tooling
- Provide a security officer a detailed mapping of which resources have been prescribed to fit
Problems
- Potential for catalog bloat
- Additional complexity in module design (e.g., mapping.pp in the new standard layout)
- Mapping CCEs to resources managed across multiple modules could get ugly
- Following current PuppetLabs practices, the recommended solution would be to manage this from a Profile.
- However, Profiles aren't a good fit for the Puppet Forge
- IDEA: would it be better to provide a module ("simp-ccemappings") that provides the mappings (à la the selinux-policy-targeted RPM)?
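As an added illustration of the mutual-exclusion and mapping problem above (not SIMP's own code, and not the proposed simp-ccemappings module), the hypothetical Puppet class below resolves one resource's setting from the active compliance profile and records which CCE drove that choice; the class name, profile names, `cce_map` structure, file paths and CCE identifiers are all placeholders.

```puppet
# Hypothetical class, not SIMP code. Picks the prescribed value for a
# single resource from the active compliance profile, so two profiles
# can prescribe mutually exclusive values without both landing in the
# catalog, and writes the CCE -> resource mapping out for reporting.
class example_ccemap (
  # Would normally be supplied via Hiera or an ENC.
  String $compliance_profile = 'profile_a',
  # profile => { CCE id (placeholder) => prescribed value }
  Hash[String, Hash[String, String]] $cce_map = {
    'profile_a' => { 'CCE-PLACEHOLDER-1' => 'enforcing'  },
    'profile_b' => { 'CCE-PLACEHOLDER-2' => 'permissive' },
  },
) {
  # Fail loudly rather than silently managing nothing.
  unless $cce_map[$compliance_profile] {
    fail("No CCE mapping for compliance profile '${compliance_profile}'")
  }

  $entries = $cce_map[$compliance_profile]

  # Within one profile exactly one prescription may target this resource;
  # a second one is the mutually-exclusive case and must be rejected.
  if $entries.length != 1 {
    fail("Profile '${compliance_profile}' prescribes ${entries.length} values for one resource")
  }

  $cce   = $entries.keys[0]
  $value = $entries.values[0]

  # The resource actually being managed (placeholder path and content).
  file { '/etc/example/policy.conf':
    ensure  => file,
    content => "mode=${value}\n",
  }

  # Mapping record a security officer can collect from each node.
  file { '/var/lib/example/cce_mapping.txt':
    ensure  => file,
    content => "${cce} => File[/etc/example/policy.conf] (${compliance_profile})\n",
  }
}
```

Switching `compliance_profile` between the two placeholder profiles changes both the managed value and the recorded CCE, while a profile that lists two CCEs for the resource fails at compile time instead of producing a contradictory catalog.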
...