enterprise-ubuntu team mailing list archive

Thread
Date

Machine policies

To: "enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx" <enterprise-ubuntu@xxxxxxxxxxxxxxxxxxx>
From: Bolesław Tokarski <boleslaw.tokarski@xxxxxxxxx>
Date: Tue, 12 Feb 2013 13:26:40 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2

Hello,

How do you solve the machine policies topic?

I mean - how do you make sure that a Ubuntu machine in your environmentruns according to some policies you specify? Microsoft defined this as a"Group Policy", perhaps the more general term is "System ConfigurationManagement".

As we found no product that does this out of the box (not sure aboutCentrify, though, but we couldn't afford it), we glued together a numberof components to do the job.

Firstly, we took CFEngine (www.cfengine.com) as the policy "enforcement"tool. This is a configuration automation tool. A valid choice would bePuppet as well, though we found CFEngine to be more lightweight andsuits better for laptops. We defined a set of policies or configurationelements, like domain joining, authentication, firewall, VPN, etc.

Secondly, we used cfgen (http://dozzie.jarowit.net/trac/wiki/cfgen), aconfiguration template solution for flexibility.

Thirdly, we used plaintext, YAML-structured files to hold variables usedfor templating. This part seems trivial, but we allowed inheritancebetween the files, so we created sets of variables depending on countrythe machine originated from, the location the machine is in now (mostlyfor locating proxy servers and nearest mirror), the Active Directorydomain the machine belongs to etc. We also provided a local override onthe machines so the user can disable most policy enforcements (wepreferred that over the user disabling the whole policy).

Lastly, we decided to get all the possible information about a machinewe could from Active Directory. We acquired:1. The place in the directory structure (OU) where the machine objectresides, that gave us the machine original location.2. The IP subnet to AD "Sites and services" mapping, so we were able totell by the machine's location where the machine is now.

3. The owner of the machine (managedBy property).
4. The groups a machine belongs to.

Unfortunately, we could not get the native Group Policy properties of anobject nor the ACLs of Active Directory objects. So, instead, we decidedon a group naming convention. If a machine belongs to group called"policy_certificate", it receives the variables and policies for the"certificate" set.

I would be glad to learn how other people approached the topic, solvedit? Perhaps there are tools out there that we missed?


Cheers,
Ballock

Follow ups

Re: Machine policies
From: Anton Piatek, 2013-02-12
Re: Machine policies
From: Chris Rowson, 2013-02-12