One of the strongest tools in the Puppet compliance tool chest is the concept of the manifest. Since the manifest represents the system's desired state, we can use the data found in it to show what the system looks like.
Consider the following example: you have an audit requirement that says key security-related services and software must be kept up to date. Working with your security team, you've identified a list of packages that fall under this. For the purposes of our example, we'll say they're openssh, kerberos, and openssl.
We can write a manifest that looks like the following, to ensure that this is the case:
    class compliance (
      $ensure   = 'latest',
      $packages = ['openssh', 'kerberos', 'openssl']
    ) {
      # Keep every audited package at the newest available version.
      package { $packages:
        ensure => $ensure,
      }
    }
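One way to turn the manifest's data into audit evidence, as an added example that is not from the original article: the Python script below reads a compiled catalog in JSON form and reports whether each required package is declared with ensure => latest. The catalog shape, the host name and the function names are assumptions made for the example, and the sample catalog is constructed.

```python
import json

# Packages the audit requirement covers (the list from the manifest above).
REQUIRED = ["openssh", "kerberos", "openssl"]

# Constructed sample: a trimmed compiled catalog. The "resources" list with
# "type", "title" and "parameters" keys is an assumed shape for illustration.
SAMPLE_CATALOG = json.dumps({
    "name": "web01.example.com",
    "resources": [
        {"type": "Class", "title": "Compliance", "parameters": {}},
        {"type": "Package", "title": "openssh", "parameters": {"ensure": "latest"}},
        {"type": "Package", "title": "openssl", "parameters": {"ensure": "1.0.1e"}},
        {"type": "Service", "title": "sshd", "parameters": {"ensure": "running"}},
    ],
})


def audit_catalog(catalog_json, required=REQUIRED, want="latest"):
    """Return {package: status}: 'ok', 'pinned:<value>' or 'unmanaged'."""
    catalog = json.loads(catalog_json)
    declared = {}
    for res in catalog.get("resources", []):
        if res.get("type") != "Package":
            continue
        params = res.get("parameters") or {}
        # The 'name' parameter overrides the title as the package name when set.
        name = params.get("name", res.get("title"))
        # Puppet's package type defaults ensure to 'installed' when omitted.
        declared[name] = params.get("ensure", "installed")
    findings = {}
    for pkg in required:
        if pkg not in declared:
            findings[pkg] = "unmanaged"
        elif declared[pkg] == want:
            findings[pkg] = "ok"
        else:
            findings[pkg] = "pinned:" + str(declared[pkg])
    return findings


def is_compliant(findings):
    """True only when every required package is declared at the wanted state."""
    return all(status == "ok" for status in findings.values())


if __name__ == "__main__":
    report = audit_catalog(SAMPLE_CATALOG)
    for pkg, status in sorted(report.items()):
        print(f"{pkg:10} {status}")
    print("compliant:", is_compliant(report))
```

A package reported as unmanaged or pinned means the catalog, not the host, is where the audit gap lies: the node is not being told to keep that package current.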