Forum: CFEngine Help
Subject: Dealing with Linux immutable files
Author: [email protected]
Link to topic: https://cfengine.com/forum/read.php?3,26968,26968#msg-26968
Some developer set a Cfengine-managed configuration file to chattr +i, which
enabled the immutable filesystem permissions. This keeps cf-agent from being
able to bring the machine into convergence.
Maybe this is a feature request, but I didn't see any existing Cfengine
functionality to search / detect immutable files. I came up with a workaround
by shelling out in a command statement to the lsattr command to comb through
the root filesystem for any +i enabled files, but it seems like this was
somewhat of a hack.
  vars:
    # Only read the results file once the script has produced one.
    lsattr_data_found::
      "immutable_files" slist =>
        readstringlist("/var/cfengine/outgoing/lsattr-results", "#.*", "$(const.n)",
                       99999999999, 99999999999);

  classes:
    linux::
      "lsattr_search_exists" expression =>
        fileexists("/usr/local/admin/lsattr-search.sh");
      "lsattr_data_found" expression =>
        fileexists("/var/cfengine/outgoing/lsattr-results");

  commands:
    # Run the search at most once a day, and only once the script is in place.
    !lsattr_search_executed.lsattr_search_exists::
      "/usr/local/admin/lsattr-search.sh"
        handle  => "execute_lsattr_search",
        classes => if_repaired_with_one_day_persistance("lsattr_search_executed"),
        contain => stfu;

  files:
    # Distribute the search script itself, root-only and executable.
    linux::
      "/usr/local/admin/lsattr-search.sh"
        handle    => "usr_local_admin_lsattr_search_sh",
        perms     => mog("0500", "root", "root"),
        copy_from => no_backup_cp("/var/cfengine/inputs/config-general/manage_usr_local_admin/lsattr-search.sh"),
        classes   => if_repaired("lsattr_search_modified");

  reports:
    lsattr_search_modified::
      "cf3: /usr/local/admin/lsattr-search.sh was modified on $(sys.host)";
    lsattr_data_found::
      "cf3: The file $(immutable_files) was found to be immutable on $(sys.host). With this bit set, Cfengine cannot manage the config.";
And the ugly script itself:

  #!/bin/bash
  # This script looks for any files under /etc or /var that have the +i
  # (immutable) bit set on Linux. Cfengine executes it from a policy and
  # reports on the files it finds in /var/cfengine/outgoing/lsattr-results.
  PATH=/usr/bin:/usr/sbin:/sbin:/bin

  OS=$(uname -s)
  if [ "$OS" != "Linux" ]
  then
      exit 1
  fi

  RESULTS=/var/cfengine/outgoing/lsattr-results
  # Remove stale results so the policy's lsattr_data_found class only fires
  # when something is immutable right now.
  if [ -f "$RESULTS" ]
  then
      rm -f "$RESULTS"
  fi

  for directory in /etc /var
  do
      # lsattr prints one "<attrs> <path>" line per file, e.g.
      # "----i--------e-- /etc/hosts"; directory headers and error messages
      # (such as "Operation not supported" from /proc-like mounts) are dropped.
      lsattr -R "$directory" 2>&1 | grep '^-' | grep -v 'Operation not supported'
  done |
  while read -r line
  do
      # The fifth character of the attribute field is the immutable flag.
      imm=$(echo "$line" | cut -c5)
      if [ "$imm" = "i" ]
      then
          # Everything after the first space is the path, so paths that
          # contain spaces are kept intact.
          echo "${line#* }" >> "$RESULTS"
      fi
  done
Anyways, the above solved my problem (or at least allowed me to report on this),
but it seems like this might be something worthwhile to include in Cfengine
itself.
Cheers
Mike
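A more robust version of the lsattr check, added here as an example and not part of the original post: it matches the flag letter instead of a fixed column (so it does not depend on lsattr's attribute layout), also reports append-only (a) files, skips lsattr's directory headers and error lines, keeps paths with spaces intact, and is fed a constructed lsattr sample so it runs offline. The function names and the sample lines are my own.

```shell
#!/bin/sh
# Added example, not from the original post: report files whose lsattr
# attribute field carries the immutable (i) or append-only (a) flag, matching
# the flag letter rather than a fixed column so the check does not depend on
# lsattr's column layout, and keeping paths that contain spaces intact.

# Reads raw "lsattr -R ... 2>&1" output on stdin and prints one
# "<attribute> <path>" line per hit. Directory headers ("/etc/ssl:"), blank
# lines and lsattr error messages are skipped.
find_locked_files() {
    while IFS= read -r line; do
        attrs=${line%% *}
        path=${line#* }
        # An attribute field consists only of '-' and flag letters; anything
        # else ("lsattr:", "/etc/ssl:", "") is not a file line.
        case "$attrs" in
            '' | *[!-[:alpha:]]*) continue ;;
        esac
        case "$attrs" in
            *i*) printf 'immutable %s\n' "$path" ;;
            *a*) printf 'append-only %s\n' "$path" ;;
        esac
    done
}

# Constructed sample of lsattr -R output (including a header, a blank line and
# an error line) so the script runs offline; for a real scan use instead:
#   lsattr -R /etc /var 2>&1 | find_locked_files
sample_lsattr_output() {
    printf '%s\n' \
        '----i--------e-- /etc/hosts' \
        '-------------e-- /etc/passwd' \
        '' \
        '/etc/ssl:' \
        '-----a-------e-- /var/log/secure' \
        'lsattr: Operation not supported While reading flags on /proc/1' \
        '----i--------e-- /etc/my config'
}

sample_lsattr_output | find_locked_files
```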
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine