Neil,
I've not made the leap yet from cf2, but so far your practical use cases
and examples and questions on cf3 have been more useful even than the
reference guide in starting to "get" cf3. Thank you.
Maybe it's just that this is only an example, but I have to wonder about
the value or economy of all this. Six variables set to "root"?
Defining the owner/group/mode strings as separate variables for every
file? Where is the power or leverage in this? In cf2, the 'files:'
action could be completely defined for any file in basically less space
than is used here to create the array entry. Am I missing a bigger picture?
thanks again,
Ed
nwat...@symcor.com wrote:
> I've made good progress is producing reusable policies with CF3. Consider
> a security policy that checks the permissions of a motley group of files.
> At first one might consider setting a a list or two and going from there.
>
> vars:
>
> "644-mode" string => "0644";
> "644-usr" string => "root";
> "644-grp" string => "root";
>
> linux::
>
> "644-file" slist => {
> "/var/log/messages.*",
> "/var/log/cfengine.*",
> "/root/.ssh/authorized_keys"
> };
>
> files:
>
> linux::
>
> "${644-file}"
> perms => system(
> "${644-mode}",
> "${644-usr}",
> "${644-grp}"
> ),
> action => warn_now,
> classes => cdefine(
> "${644-file}_kept",
> "${644-file}_repaired",
> "${644-file}_failed"
> ),
> comment => "Sec policy for mode 644 files";
>
> Expanding this promise to files with different modes or owners quickly
> becomes difficult to manage. Fortunately using arrays and methods allows
> for something much better.
>
> vars:
>
> redhat|suse::
>
> ##################
> # File attirbutes are listed here as arrays.
> "msgs[trg]" string => "/var/log/messages.*";
> "msgs[mod]" string => "0644";
> "msgs[usr]" string => "root";
> "msgs[grp]" string => "root";
>
> "cflogs[trg]" string => "/var/log/cfengine.*";
> "cflogs[mod]" string => "0644";
> "cflogs[usr]" string => "root";
> "cflogs[grp]" string => "root";
>
> "raks[trg]" string => "/root/.ssh/authorized_keys";
> "raks[mod]" string => "0644";
> "raks[usr]" string => "root";
> "raks[grp]" string => "root";
>
> ##################
> # The files above are now presented in a list that will be used to index
> the arrays.
>
> redhat|suse::
>
> "files" slist => {
> "msgs",
> "cflogs",
> "raks",
> "root",
> "rcd"
> },
> comment => "List of arrays (below) to index.";
>
> ##################
> # Pass file information above to a files promise
>
> redhat|suse|sunos_5_10::
>
> "any" usebundle => fileperms(
> "${${files}[trg]}",
> "${${files}[mod]}",
> "${${files}[usr]}",
> "${${files}[grp]}"
> );
> }
>
> In this policy there is a clear list of files and associated modes and
> owners. It is easy for the less CF savvy administrator to expand. All of
> the heavy lifting is being done by the 'fileperms' bundle in the library
> and can be called from anywhere.
>
> bundle agent fileperms (trg, mod, usr, grp){
> # Bundle to set file permissions.
>
> files:
> "${trg}"
> perms => mode( "${mod}" ),
> action => warn_now, # Passive only at this point.
> classes => cdefine(
> "${trg}_mode_kept",
> "${trg}_mode_repaired",
> "${trg}_mode_failed"
> ),
> comment => "Check mode for ${trg}";
>
> "${trg}"
> perms => chown( "${usr}", "${grp}" ),
> action => warn_now, # Passive only at this point.
> classes => cdefine(
> "${trg}_chown_kept",
> "${trg}_chown_repaired",
> "${trg}_chown_failed"
> ),
> comment => "Check owner and group for ${trg}";
>
> reports:
>
> all::
> "WARNING: ${trg} fixed mode to ${mod}.",
> ifvarclass => canonify("${trg}_mode_repaired");
>
> "${trg} correct mode ${mod}.",
> ifvarclass => canonify("${trg}_mode_kept");
>
> "ALARM: ${trg} wrong mode ${mod}.",
> ifvarclass => canonify("${trg}_mode_failed");
>
> "WARNING: ${trg} fixed owner and group to ${usr}:${grp}.",
> ifvarclass => canonify("${trg}_chown_repaired");
>
> "${trg} correct owner and group ${usr}:${grp}.",
> ifvarclass => canonify("${trg}_chown_kept");
>
> "ALARM: ${trg} wrong owner or group ${usr}:${grp}.",
> ifvarclass => canonify("${trg}_chown_failed");
> }
>
> Sincerely,
> --
> Neil Watson
> 416-673-3465
>
>
> ------------------------------------------------------------------------
>
>
>
> CONFIDENTIALITY WARNING
> This communication, including any attachments, is for the exclusive use of
> addressee and may contain proprietary and/or confidential information. If you
> are not the intended recipient, any use, copying, disclosure, dissemination
> or distribution is strictly prohibited. If you are not the intended
> recipient, please notify the sender immediately by return e-mail, delete this
> communication and destroy all copies.
>
> AVERTISSEMENT RELATIF À LA CONFIDENTIALITÉ
> Ce message, ainsi que les pièces qui y sont jointes, est destiné à l’usage
> exclusif de la personne à laquelle il s’adresse et peut contenir de
> l’information personnelle ou confidentielle. Si le lecteur de ce message n’en
> est pas le destinataire, nous l’avisons par la présente que toute diffusion,
> distribution, reproduction ou utilisation de son contenu est strictement
> interdite. Veuillez avertir sur-le-champ l’expéditeur par retour de courrier
> électronique et supprimez ce message ainsi que toutes les pièces jointes.
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
