/edit_sshd.cf
Created Nov 25, 2010
| # Parameters are: | |
| # file: file to edit | |
| # params: an array indexed by parameter name, containing the corresponding values. For example: | |
| # "sshd[Protocol]" string => "2"; | |
| # "sshd[X11Forwarding]" string => "yes"; | |
| # "sshd[UseDNS]" string => "no"; | |
| # Diego Zamboni, November 2010 | |
| bundle agent edit_sshd(file,params) | |
| { | |
| files: | |
| "$(file)" | |
| handle => "edit_sshd", | |
| comment => "Set desired sshd_config parameters", | |
| edit_line => set_config_values("$(params)"), | |
| classes => if_repaired("restart_sshd"); | |
| commands: | |
| restart_sshd.!no_restarts:: | |
| "/etc/init.d/sshd restart" | |
| handle => "sshd_restart", | |
| comment => "Restart sshd if the configuration file was modified"; | |
| } | |
| bundle edit_line set_config_values(v) | |
| # Sets the RHS of configuration items in the file of the form | |
| # LHS RHS | |
| # If the line is commented out with #, it gets uncommented first. | |
| # Adds a new line if none exists. | |
| # The argument is an associative array containing v[LHS]="rhs" | |
| # Based on set_variable_values from cfengine_stdlib.cf, modified to | |
| # use whitespace as separator, and to handle commented-out lines. | |
| { | |
| vars: | |
| "index" slist => getindices("$(v)"); | |
| # Be careful if the index string contains funny chars | |
| "cindex[$(index)]" string => canonify("$(index)"); | |
| field_edits: | |
| # If the line is there, but commented out, first uncomment it | |
| "#+$(index)\s+.*" | |
| edit_field => col("\s+","1","$(index)","set"); | |
| # match a line starting like the key something | |
| "$(index)\s+.*" | |
| edit_field => col("\s+","2","$($(v)[$(index)])","set"), | |
| classes => if_ok("not_$(cindex[$(index)])"); | |
| insert_lines: | |
| "$(index) $($(v)[$(index)])", | |
| ifvarclass => "!not_$(cindex[$(index)])"; | |
| } |
| bundle agent configfiles | |
| { | |
| vars: | |
| "sshdconfig" string => "/etc/ssh/sshd_config"; | |
| # SSHD configuration to set | |
| "sshd[Protocol]" string => "2"; | |
| "sshd[X11Forwarding]" string => "yes"; | |
| "sshd[UseDNS]" string => "no"; | |
| methods: | |
| "sshd" usebundle => edit_sshd("$(sshdconfig)", "configfiles.sshd"); | |
| } |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
svenXY
commented
Sep 28, 2011
|
Hi, thanks for the cool snippet. It only fails with the following: ListenAddress 0.0.0.0ListenAddress ::1and "sshd[ListenAddress]" string => "192.168.1.1"; because
Do you have a simple solution for that because here, binding to only one interface is a common case of hardening the system? Maybe it is possible to assign a list instead: Any hint/solution is greatly appreciated. Cheers, |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
zzamboni
Sep 28, 2011
Hi Sven,
Good point - it had not occurred to me that some options can be specified multiple times.
Off the top of my head, the idea would be to specify the value to the config array as an slist, and then have the set_config_values loop over them when this is the case. I'll have to play with it and see if/how it works.
Thanks!
--Diego
|
Hi Sven, Good point - it had not occurred to me that some options can be specified multiple times. Off the top of my head, the idea would be to specify the value to the config array as an slist, and then have the set_config_values loop over them when this is the case. I'll have to play with it and see if/how it works. Thanks! |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
svenXY
commented
Apr 4, 2012
|
Hi Diego, do you have an update on this issue meanwhile? Thanks, |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
zzamboni
Apr 13, 2012
Hi Sven,
Sorry, I have not had much time to devote to this. It's still in my list, and I hope to get to it soon.
Best regards,
--Diego
|
Hi Sven, Sorry, I have not had much time to devote to this. It's still in my list, and I hope to get to it soon. Best regards, |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
fbiryujin
Jun 20, 2012
When trying to check the promises I see this error: "Redefinition of bundle set_config_values for edit_line is a broken promise, near token '{'" Also this promise won't run in my promises.cf when I bootstrap computers to my policy hub. Is the syntax in this wrong?
fbiryujin
commented
Jun 20, 2012
|
When trying to check the promises I see this error: "Redefinition of bundle set_config_values for edit_line is a broken promise, near token '{'" Also this promise won't run in my promises.cf when I bootstrap computers to my policy hub. Is the syntax in this wrong? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
zzamboni
Jun 20, 2012
fbiryujin: the redefinition error is most likely caused because you are including cfengine_stdlib.cf in your policy, which contains set_config_values already - I included it in this example to make it self contained, but you should remove it if you are using the standard library already. For it to run, you need to include the "configfiles" bundle in your bundlesequence declaration or call it through some other mechanism (e.g. a methods: promise), otherwise it will never get executed.
|
fbiryujin: the redefinition error is most likely caused because you are including cfengine_stdlib.cf in your policy, which contains set_config_values already - I included it in this example to make it self contained, but you should remove it if you are using the standard library already. For it to run, you need to include the "configfiles" bundle in your bundlesequence declaration or call it through some other mechanism (e.g. a methods: promise), otherwise it will never get executed. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
zzamboni
Jun 20, 2012
Another comment: if you want to use this, I'd suggest looking at the networking/ssh sketch in the CFEngine Design Center: https://github.com/cfengine/design-center/tree/master/sketches/networking/ssh, since that is the maintained and updated version of this code.
For an introduction to the Design Center and how to use it, please see https://github.com/cfengine/design-center/wiki
|
Another comment: if you want to use this, I'd suggest looking at the networking/ssh sketch in the CFEngine Design Center: https://github.com/cfengine/design-center/tree/master/sketches/networking/ssh, since that is the maintained and updated version of this code. For an introduction to the Design Center and how to use it, please see https://github.com/cfengine/design-center/wiki |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
fbiryujin
Jun 20, 2012
Thanks. I'll give that a shot, and get back to you. It'd be really cool to see a way to get CFEngine code syntax coloring added to Visual Studio, or Xcode.
fbiryujin
commented
Jun 20, 2012
|
Thanks. I'll give that a shot, and get back to you. It'd be really cool to see a way to get CFEngine code syntax coloring added to Visual Studio, or Xcode. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
zzamboni
Jun 20, 2012
|
There are Cfengine modes for both Emacs and vi, but I don't know of any support for visual studio or Xcode.
…--Diego
On Jun 20, 2012, at 11:49 AM, ***@***.*** wrote:
Thanks. I'll give that a shot, and get back to you. It'd be really cool to see a way to get CFEngine code syntax coloring added to Visual Studio, or Xcode.
---
Reply to this email directly or view it on GitHub:
https://gist.github.com/714948
|
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
fbiryujin
commented
Jun 20, 2012
|
Interesting. It'd be great to get an Xcode or VS plugin working. |
Hi,
thanks for the cool snippet.
It only fails with the following:
ListenAddress 0.0.0.0
ListenAddress ::1
and
"sshd[ListenAddress]" string => "192.168.1.1";
"sshd[ListenAddress]" string => "fe80::250:56ff:fec0:8";
because
Do you have a simple solution for that because here, binding to only one interface is a common case of hardening the system?
Maybe it is possible to assign a list instead:
"sshd[ListenAddress]" string => { "192.168.1.1", "fe80::250:56ff:fec0:8" };
Any hint/solution is greatly appreciated.
Cheers,
Sven