I've made good progress is producing reusable policies with CF3. Consider
a security policy that checks the permissions of a motley group of files.
At first one might consider setting a a list or two and going from there.
vars:
"644-mode" string => "0644";
"644-usr" string => "root";
"644-grp" string => "root";
linux::
"644-file" slist => {
"/var/log/messages.*",
"/var/log/cfengine.*",
"/root/.ssh/authorized_keys"
};
files:
linux::
"${644-file}"
perms => system(
"${644-mode}",
"${644-usr}",
"${644-grp}"
),
action => warn_now,
classes => cdefine(
"${644-file}_kept",
"${644-file}_repaired",
"${644-file}_failed"
),
comment => "Sec policy for mode 644 files";
Expanding this promise to files with different modes or owners quickly
becomes difficult to manage. Fortunately using arrays and methods allows
for something much better.
vars:
redhat|suse::
##################
# File attirbutes are listed here as arrays.
"msgs[trg]" string => "/var/log/messages.*";
"msgs[mod]" string => "0644";
"msgs[usr]" string => "root";
"msgs[grp]" string => "root";
"cflogs[trg]" string => "/var/log/cfengine.*";
"cflogs[mod]" string => "0644";
"cflogs[usr]" string => "root";
"cflogs[grp]" string => "root";
"raks[trg]" string => "/root/.ssh/authorized_keys";
"raks[mod]" string => "0644";
"raks[usr]" string => "root";
"raks[grp]" string => "root";
##################
# The files above are now presented in a list that will be used to index
the arrays.
redhat|suse::
"files" slist => {
"msgs",
"cflogs",
"raks",
"root",
"rcd"
},
comment => "List of arrays (below) to index.";
##################
# Pass file information above to a files promise
redhat|suse|sunos_5_10::
"any" usebundle => fileperms(
"${${files}[trg]}",
"${${files}[mod]}",
"${${files}[usr]}",
"${${files}[grp]}"
);
}
In this policy there is a clear list of files and associated modes and
owners. It is easy for the less CF savvy administrator to expand. All of
the heavy lifting is being done by the 'fileperms' bundle in the library
and can be called from anywhere.
bundle agent fileperms (trg, mod, usr, grp){
# Bundle to set file permissions.
files:
"${trg}"
perms => mode( "${mod}" ),
action => warn_now, # Passive only at this point.
classes => cdefine(
"${trg}_mode_kept",
"${trg}_mode_repaired",
"${trg}_mode_failed"
),
comment => "Check mode for ${trg}";
"${trg}"
perms => chown( "${usr}", "${grp}" ),
action => warn_now, # Passive only at this point.
classes => cdefine(
"${trg}_chown_kept",
"${trg}_chown_repaired",
"${trg}_chown_failed"
),
comment => "Check owner and group for ${trg}";
reports:
all::
"WARNING: ${trg} fixed mode to ${mod}.",
ifvarclass => canonify("${trg}_mode_repaired");
"${trg} correct mode ${mod}.",
ifvarclass => canonify("${trg}_mode_kept");
"ALARM: ${trg} wrong mode ${mod}.",
ifvarclass => canonify("${trg}_mode_failed");
"WARNING: ${trg} fixed owner and group to ${usr}:${grp}.",
ifvarclass => canonify("${trg}_chown_repaired");
"${trg} correct owner and group ${usr}:${grp}.",
ifvarclass => canonify("${trg}_chown_kept");
"ALARM: ${trg} wrong owner or group ${usr}:${grp}.",
ifvarclass => canonify("${trg}_chown_failed");
}
Sincerely,
--
Neil Watson
416-673-3465
CONFIDENTIALITY WARNING
This communication, including any attachments, is for the exclusive use of
addressee and may contain proprietary and/or confidential information. If you
are not the intended recipient, any use, copying, disclosure, dissemination or
distribution is strictly prohibited. If you are not the intended recipient,
please notify the sender immediately by return e-mail, delete this
communication and destroy all copies.
AVERTISSEMENT RELATIF À LA CONFIDENTIALITÉ
Ce message, ainsi que les pièces qui y sont jointes, est destiné à l’usage
exclusif de la personne à laquelle il s’adresse et peut contenir de
l’information personnelle ou confidentielle. Si le lecteur de ce message n’en
est pas le destinataire, nous l’avisons par la présente que toute diffusion,
distribution, reproduction ou utilisation de son contenu est strictement
interdite. Veuillez avertir sur-le-champ l’expéditeur par retour de courrier
électronique et supprimez ce message ainsi que toutes les pièces jointes.
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
