help-cfengine

cfengine architecture comparisons?


From: Nate Campi
Subject: cfengine architecture comparisons?
Date: Mon, 4 Nov 2002 09:36:34 -0800
User-agent: Mutt/1.3.28i

I'm evaluating cfengine for deployment at work, basically to automate
host security policy (file perms, process management, editing text
files).

In order to accomplish that, I can simply run the agent from cron once
a day and call it complete. I can dist out the config with rsync over
ssh and ssh pubkey auth, so dist of the conf file is taken care of.

What I'm wondering about is whether I should put together a "full"
cfengine architecture now (cfenvd, cfexecd, etc). I'm sure the
flexibility would be nice, change how often the agent runs without
editing cron on the hosts, dist files, stuff like that.

Two things make me wonder if I should keep it simple:

- Mark B himself says in his book "If it isn't broken, don't fix it",
  so I don't know if I should be looking to implement things I don't
  have an immediate need for.

- I'm looking to improve security, and usually this means *not* running
  more daemons running as root on every machine, not adding more.

- Things are less simple, so I deviate from the K.I.S.S. principle
  (another one Mark talks about in his book).

Ok, so that's three things. Anyways, has anyone ever written about the
pros/cons of different ways to run cfengine? Perhaps I've covered most
of them right here, or perhaps people discuss this in the archives.

I'd be willing to donate a write-up along these lines if a) it's never
been done and b) people think it could be useful.

TIA
-- 
Nate Campi,  Sysadmin stuff: http://www.campin.net 

"There are three kinds of lies: lies, damned lies, and statistics." - Samuel Clemens
