diff --git a/content/examples/example-snippets/back_references_in_filenames.cf b/content/examples/example-snippets/back_references_in_filenames.cf
index d39869a2c..123b3cb78 100644
--- a/content/examples/example-snippets/back_references_in_filenames.cf
+++ b/content/examples/example-snippets/back_references_in_filenames.cf
@@ -3,38 +3,29 @@
 # File editing - back reference
 #
 ######################################################################
-
 body common control
 {
- version => "1.2.3";
- bundlesequence => { "testbundle" };
+ version => "1.2.3";
+ bundlesequence => { "testbundle" };
 }
 ########################################################
-
 bundle agent testbundle
 {
 files:
- # The back reference in a path only applies to the last link
- # of the pathname, so the (tmp) gets ignored
-
- "/tmp/(cf3)_(.*)"
- edit_line => myedit("second $(match.2)");
-
- # but ...
-
- # "/tmp/cf3_test"
- # create => "true",
- # edit_line => myedit("second $(match.1)");
-
+ # The back reference in a path only applies to the last link
+ # of the pathname, so the (tmp) gets ignored
+ "/tmp/(cf3)_(.*)" edit_line => myedit("second $(match.2)");
+ # but ...
+ # "/tmp/cf3_test"
+ # create => "true",
+ # edit_line => myedit("second $(match.1)");
 }
 ########################################################
-
 bundle edit_line myedit(parameter)
 {
 vars:
- "edit_variable" string => "private edit variable is $(parameter)";
+ "edit_variable" string => "private edit variable is $(parameter)";
 insert_lines:
- "$(edit_variable)";
-
+ "$(edit_variable)";
 }
diff --git a/content/examples/example-snippets/basic_example.cf b/content/examples/example-snippets/basic_example.cf
index 14f90a30b..8fc7c0e93 100644
--- a/content/examples/example-snippets/basic_example.cf
+++ b/content/examples/example-snippets/basic_example.cf
@@ -1,10 +1,10 @@
 body common control
 {
- bundlesequence => { "main" };
- inputs => { "$(sys.libdir)/stdlib.cf" };
+ bundlesequence => { "main" };
+ inputs => { "$(sys.libdir)/stdlib.cf" };
 }
 bundle agent main
 {
- # example
+ # example
 }
diff --git a/content/examples/example-snippets/bsd_flags.cf b/content/examples/example-snippets/bsd_flags.cf
index 14ad5960e..92c2f6475 100644
--- a/content/examples/example-snippets/bsd_flags.cf
+++ b/content/examples/example-snippets/bsd_flags.cf
@@ -1,17 +1,18 @@
 body common control
 {
- bundlesequence => { "test" };
+ bundlesequence => { "test" };
 }
+
 bundle agent test
 {
 files:
 freebsd::
 "/tmp/newfile"
- create => "true",
- perms => setbsd;
+ create => "true",
+ perms => setbsd;
 }
 body perms setbsd
 {
- bsdflags => { "+uappnd","+uchg", "+uunlnk", "-nodump" };
+ bsdflags => { "+uappnd", "+uchg", "+uunlnk", "-nodump" };
 }
diff --git a/content/examples/example-snippets/change_detection.cf b/content/examples/example-snippets/change_detection.cf
index c400eb7db..448642957 100644
--- a/content/examples/example-snippets/change_detection.cf
+++ b/content/examples/example-snippets/change_detection.cf
@@ -1,15 +1,14 @@
 body common control
 {
- bundlesequence => { "testbundle" };
- inputs => { "cfengine_stdlib.cf" };
+ bundlesequence => { "testbundle" };
+ inputs => { "cfengine_stdlib.cf" };
 }
 ########################################################
-
 bundle agent testbundle
 {
 files:
- "/usr"
- changes => detect_all_change,
+ "/usr"
+ changes => detect_all_change,
 depth_search => recurse("inf"),
- action => background;
+ action => background;
 }
diff --git a/content/examples/example-snippets/change_directory_for_command.cf b/content/examples/example-snippets/change_directory_for_command.cf
index 89b1bd138..a65d9ccdd 100644
--- a/content/examples/example-snippets/change_directory_for_command.cf
+++ b/content/examples/example-snippets/change_directory_for_command.cf
@@ -1,18 +1,16 @@
 body common control
 {
- bundlesequence => { "example" };
+ bundlesequence => { "example" };
 }
 ###########################################################
-
 body contain cd(dir)
 {
- chdir => "${dir}";
- useshell => "true";
+ chdir => "${dir}";
+ useshell => "true";
 }
 bundle agent example
 {
 commands:
- "/bin/pwd"
- contain => cd("/tmp");
+ "/bin/pwd" contain => cd("/tmp");
 }
diff --git a/content/examples/example-snippets/check_file_or_directory_permissions.cf b/content/examples/example-snippets/check_file_or_directory_permissions.cf
index b7d18b359..a9ef07aa5 100644
--- a/content/examples/example-snippets/check_file_or_directory_permissions.cf
+++ b/content/examples/example-snippets/check_file_or_directory_permissions.cf
@@ -1,37 +1,37 @@
 bundle agent check_perms
 {
 vars:
- "ns_files" slist => {
- "/local/iu/logs/admin",
- "/local/iu/logs/security",
- "/local/iu/logs/updates",
- "/local/iu/logs/xfer"
+ "ns_files"
+ slist => {
+ "/local/iu/logs/admin",
+ "/local/iu/logs/security",
+ "/local/iu/logs/updates",
+ "/local/iu/logs/xfer",
 };
 files:
 NameServers::
 "/local/dns/pz"
- perms => mo("644","dns"),
- depth_search => recurse("1"),
- file_select => exclude("secret_file");
+ perms => mo("644", "dns"),
+ depth_search => recurse("1"),
+ file_select => exclude("secret_file");
 "/local/iu/dns/pz/FixSerial"
- perms => m("755"),
- file_select => plain;
+ perms => m("755"),
+ file_select => plain;
 "$(ns_files)"
- perms => mo("644","dns"),
- file_select => plain;
+ perms => mo("644", "dns"),
+ file_select => plain;
- "$(ftp)/pub"
- perms => mog("644","root","other");
+ "$(ftp)/pub" perms => mog("644", "root", "other");
 "$(ftp)/pub"
- perms => m("644"),
- depth_search => recurse("inf");
+ perms => m("644"),
+ depth_search => recurse("inf");
- "$(ftp)/etc" perms => mog("111","root","other");
- "$(ftp)/usr/bin/ls" perms => mog("111","root","other");
- "$(ftp)/dev" perms => mog("555","root","other");
- "$(ftp)/usr" perms => mog("555","root","other");
+ "$(ftp)/etc" perms => mog("111", "root", "other");
+ "$(ftp)/usr/bin/ls" perms => mog("111", "root", "other");
+ "$(ftp)/dev" perms => mog("555", "root", "other");
+ "$(ftp)/usr" perms => mog("555", "root", "other");
 }
diff --git a/content/examples/example-snippets/check_filesystem_space.cf b/content/examples/example-snippets/check_filesystem_space.cf
index 0bd82ab8e..4024ab5ec 100644
--- a/content/examples/example-snippets/check_filesystem_space.cf
+++ b/content/examples/example-snippets/check_filesystem_space.cf
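Review bot: The reformatted `ns_files` list now ends with a trailing separator, `"/local/iu/logs/xfer",` immediately before `};`, and the same formatter output appears on `"topic_extra,varchar,26",` in database_creation.cf. If any CFEngine release these snippets are meant to document does not accept a trailing comma in a list literal, the examples would stop parsing rather than just look different, so this is worth confirming against the oldest version the documentation covers (a cf-promises syntax check on the new files would settle it). If that version rejects it and the formatter cannot be told to omit the comma, dropping it on the final element keeps the examples portable.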
@@ -1,14 +1,13 @@
 body common control
 {
- bundlesequence => { "example" };
+ bundlesequence => { "example" };
 }
 ###########################################################
-
 bundle agent example
 {
 vars:
- "free" int => diskfree("/tmp");
+ "free" int => diskfree("/tmp");
 reports:
- "Freedisk $(free)";
+ "Freedisk $(free)";
 }
diff --git a/content/examples/example-snippets/class_match_example.cf b/content/examples/example-snippets/class_match_example.cf
index 2387cbe23..f51bdb279 100644
--- a/content/examples/example-snippets/class_match_example.cf
+++ b/content/examples/example-snippets/class_match_example.cf
@@ -1,13 +1,12 @@
 body common control
 {
- bundlesequence => { "example" };
+ bundlesequence => { "example" };
 }
 ###########################################################
-
 bundle agent example
 {
 classes:
- "do_it" and => { classmatch(".*_3"), "linux" };
+ "do_it" and => { classmatch(".*_3"), "linux" };
 reports:
 do_it::
diff --git a/content/examples/example-snippets/client-server_example.cf b/content/examples/example-snippets/client-server_example.cf
index a13eceae2..321c36cb5 100644
--- a/content/examples/example-snippets/client-server_example.cf
+++ b/content/examples/example-snippets/client-server_example.cf
@@ -3,7 +3,6 @@
 # Simple test copy from server connection to cfServer
 #
 ########################################################
-
 #
 # run this as follows:
 #
@@ -11,86 +10,79 @@
 # cf-agent -f runtest_2.cf
 #
 # Notice that the same file configures all parts of cfengine
-
 ########################################################
-
 body common control
 {
- bundlesequence => { "testbundle" };
- version => "1.2.3";
- #fips_mode => "true";
+ bundlesequence => { "testbundle" };
+ version => "1.2.3";
+ #fips_mode => "true";
 }
 ########################################################
-
 bundle agent testbundle
 {
 files:
- "/home/mark/tmp/testcopy"
- comment => "test copy promise",
- copy_from => mycopy("/home/mark/LapTop/words","127.0.0.1"),
- perms => system,
+ "/home/mark/tmp/testcopy"
+ comment => "test copy promise",
+ copy_from => mycopy("/home/mark/LapTop/words", "127.0.0.1"),
+ perms => system,
 depth_search => recurse("inf"),
- classes => satisfied("copy_ok");
+ classes => satisfied("copy_ok");
- "/home/mark/tmp/testcopy/single_file"
- comment => "test copy promise",
- copy_from => mycopy("/home/mark/LapTop/Cfengine3/trunk/README","127.0.0.1"),
- perms => system;
+ "/home/mark/tmp/testcopy/single_file"
+ comment => "test copy promise",
+ copy_from => mycopy(
+ "/home/mark/LapTop/Cfengine3/trunk/README", "127.0.0.1"
+ ),
+ perms => system;
 reports:
 copy_ok::
 "Files were copied..";
 }
 #########################################################
-
 body perms system
 {
- mode => "0644";
+ mode => "0644";
 }
 #########################################################
-
 body depth_search recurse(d)
 {
- depth => "$(d)";
+ depth => "$(d)";
 }
 #########################################################
-
-body copy_from mycopy(from,server)
+body copy_from mycopy(from, server)
 {
- source => "$(from)";
- servers => { "$(server)" };
- compare => "digest";
- encrypt => "true";
- verify => "true";
- copy_backup => "true"; #/false/timestamp
- purge => "false";
- type_check => "true";
- force_ipv4 => "true";
- trustkey => "true";
+ source => "$(from)";
+ servers => { "$(server)" };
+ compare => "digest";
+ encrypt => "true";
+ verify => "true";
+ 
copy_backup => "true";
+ #/false/timestamp
+ purge => "false";
+ type_check => "true";
+ force_ipv4 => "true";
+ trustkey => "true";
 }
 #########################################################
-
 body classes satisfied(x)
 {
- promise_repaired => { "$(x)" };
- persist_time => "0";
+ promise_repaired => { "$(x)" };
+ persist_time => "0";
 }
 #########################################################
 # Server config
 #########################################################
-
 body server control
 {
- allowconnects => { "127.0.0.1" , "::1" };
- allowallconnects => { "127.0.0.1" , "::1" };
- trustkeysfrom => { "127.0.0.1" , "::1" };
- # allowusers
+ allowconnects => { "127.0.0.1", "::1" };
+ allowallconnects => { "127.0.0.1", "::1" };
+ trustkeysfrom => { "127.0.0.1", "::1" };
+ # allowusers
 }
 #########################################################
-
 bundle server my_access_rules()
 {
 access:
- "/home/mark/LapTop"
- admit => { "127.0.0.1" };
+ "/home/mark/LapTop" admit => { "127.0.0.1" };
 }
diff --git a/content/examples/example-snippets/command_or_script_execution.cf b/content/examples/example-snippets/command_or_script_execution.cf
index 9da2e5cb0..d5e8b23fc 100644
--- a/content/examples/example-snippets/command_or_script_execution.cf
+++ b/content/examples/example-snippets/command_or_script_execution.cf
@@ -1,7 +1,7 @@
 body common control
 {
- bundlesequence => { "my_commands" };
- inputs => { "$(sys.libdir)/stdlib.cf" };
+ bundlesequence => { "my_commands" };
+ inputs => { "$(sys.libdir)/stdlib.cf" };
 }
 bundle agent my_commands
@@ -11,6 +11,5 @@ bundle agent my_commands
 "/usr/bin/update_db";
 any::
- "/etc/mysql/start"
- contain => setuid("mysql");
+ "/etc/mysql/start" contain => setuid("mysql");
 }
diff --git a/content/examples/example-snippets/commands_example.cf b/content/examples/example-snippets/commands_example.cf
index 9da2e5cb0..d5e8b23fc 100644
--- a/content/examples/example-snippets/commands_example.cf
+++ b/content/examples/example-snippets/commands_example.cf
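Review bot: Moving the trailing comment `#/false/timestamp` onto its own line after `copy_backup => "true";` detaches it from the attribute it documented; on the new side of the mycopy body it now reads as a remark on the `purge => "false";` line that follows it. The same relocation happens to `#/false/timestamp` in copy_and_flatten_directory.cf, to `# backreference 0` and `# first, last all` in commenting_lines_in_a_file.cf, and to `# No passwd` in database_creation.cf. If the formatter cannot keep end-of-line comments, placing each one on the line above the attribute it describes (`#/false/timestamp` directly above `copy_backup => "true";`) keeps the examples' documentation pointing at the right setting.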
@@ -1,7 +1,7 @@
 body common control
 {
- bundlesequence => { "my_commands" };
- inputs => { "$(sys.libdir)/stdlib.cf" };
+ bundlesequence => { "my_commands" };
+ inputs => { "$(sys.libdir)/stdlib.cf" };
 }
 bundle agent my_commands
@@ -11,6 +11,5 @@ bundle agent my_commands
 "/usr/bin/update_db";
 any::
- "/etc/mysql/start"
- contain => setuid("mysql");
+ "/etc/mysql/start" contain => setuid("mysql");
 }
diff --git a/content/examples/example-snippets/commenting_lines_in_a_file.cf b/content/examples/example-snippets/commenting_lines_in_a_file.cf
index 045686104..352715a9c 100644
--- a/content/examples/example-snippets/commenting_lines_in_a_file.cf
+++ b/content/examples/example-snippets/commenting_lines_in_a_file.cf
@@ -8,131 +8,115 @@
 # - insert
 #
 ######################################################################
-
 body common control
 {
- version => "1.2.3";
- inputs => { "$(sys.libdir)/stdlib.cf" };
- bundlesequence => { "testbundle" };
+ version => "1.2.3";
+ inputs => { "$(sys.libdir)/stdlib.cf" };
+ bundlesequence => { "testbundle" };
 }
 ########################################################
-
 bundle agent testbundle
 {
 files:
- "/home/mark/tmp/cf3_test"
- create => "true",
+ "/home/mark/tmp/cf3_test"
+ create => "true",
 edit_line => myedit("second");
 }
 ########################################################
-
 bundle edit_line myedit(parameter)
 {
 vars:
- "edit_variable" string => "private edit variable is $(parameter)";
+ "edit_variable" string => "private edit variable is $(parameter)";
 replace_patterns:
- # replace shell comments with C comments
-
- "#(.*)"
+ # replace shell comments with C comments
+ "#(.*)"
 replace_with => C_comment,
 select_region => MySection("New section");
 }
 ########################################
 # Bodies
 ########################################
-
 body replace_with C_comment
 {
- replace_value => "/* $(match.1) */"; # backreference 0
- occurrences => "all"; # first, last all
+ replace_value => "/* $(match.1) */";
+ # backreference 0
+ occurrences => "all";
+ # first, last all
 }
 ########################################################
-
 body select_region MySection(x)
 {
- select_start => "\[$(x)\]";
- select_end => "\[.*\]";
+ select_start => "\[$(x)\]";
+ select_end => "\[.*\]";
 }
-
 ######################################################################
 #
 # Comment lines
 #
 ######################################################################
-
 body common control
 {
- version => "1.2.3";
- bundlesequence => { "testbundle" };
+ version => "1.2.3";
+ bundlesequence => { "testbundle" };
 }
 ########################################################
-
 bundle agent testbundle
 {
 files:
- "/home/mark/tmp/comment_test"
- create => "true",
+ 
"/home/mark/tmp/comment_test"
+ create => "true",
 edit_line => comment_lines_matching;
 }
 ########################################################
-
 bundle edit_line comment_lines_matching
 {
 vars:
- "regexes" slist => { "one.*", "two.*", "four.*" };
+ "regexes" slist => { "one.*", "two.*", "four.*" };
+
 replace_patterns:
- "^($(regexes))$"
- replace_with => comment("# ");
+ "^($(regexes))$" replace_with => comment("# ");
 }
 ########################################
 # Bodies
 ########################################
-
 body replace_with comment(c)
 {
- replace_value => "$(c) $(match.1)";
- occurrences => "all";
+ replace_value => "$(c) $(match.1)";
+ occurrences => "all";
 }
-
 ######################################################################
 #
 # Uncomment lines
 #
 ######################################################################
-
 body common control
 {
- version => "1.2.3";
- bundlesequence => { "testbundle" };
+ version => "1.2.3";
+ bundlesequence => { "testbundle" };
 }
 # try this on some test data like
-
 # one
 # two
 # mark one
 #mark two
-
 ########################################################
-
 bundle agent testbundle
 {
 files:
- "/home/mark/tmp/comment_test"
- create => "true",
- edit_line => uncomment_lines_matching("\s*mark.*","#");
+ "/home/mark/tmp/comment_test"
+ create => "true",
+ edit_line => uncomment_lines_matching("\s*mark.*", "#");
 }
 ########################################################
-
-bundle edit_line uncomment_lines_matching(regex,comment)
+bundle edit_line uncomment_lines_matching(regex, comment)
 {
 replace_patterns:
- "#($(regex))$" replace_with => uncomment;
+ "#($(regex))$" replace_with => uncomment;
 }
 ########################################################
-
 body replace_with uncomment
 {
- replace_value => "$(match.1)";
- occurrences => "all";
+ replace_value => "$(match.1)";
+ occurrences => "all";
 }
diff --git a/content/examples/example-snippets/copy_and_flatten_directory.cf b/content/examples/example-snippets/copy_and_flatten_directory.cf
index acb217f15..3e7eb2a1a 100644
--- a/content/examples/example-snippets/copy_and_flatten_directory.cf
+++ b/content/examples/example-snippets/copy_and_flatten_directory.cf
@@ -3,7 +3,6 @@
 # Simple test copy from server connection to cfServer
 #
 ########################################################
-
 #
 # run this as follows:
 #
@@ -11,84 +10,77 @@
 # cf-agent -f runtest_2.cf
 #
 # Notice that the same file configures all parts of cfengine
-
 ########################################################
-
 body common control
 {
- bundlesequence => { "testbundle" };
- version => "1.2.3";
+ bundlesequence => { "testbundle" };
+ version => "1.2.3";
 }
 ########################################################
-
 bundle agent testbundle
 {
 files:
- "/home/mark/tmp/testflatcopy"
- comment => "test copy promise",
- copy_from => mycopy("/home/mark/LapTop/words","127.0.0.1"),
- perms => system,
+ "/home/mark/tmp/testflatcopy"
+ comment => "test copy promise",
+ copy_from => mycopy("/home/mark/LapTop/words", "127.0.0.1"),
+ perms => system,
 depth_search => recurse("inf"),
- classes => satisfied("copy_ok");
+ classes => satisfied("copy_ok");
- "/home/mark/tmp/testcopy/single_file"
- comment => "test copy promise",
- copy_from => mycopy("/home/mark/LapTop/Cfengine3/trunk/README","127.0.0.1"),
- perms => system;
+ "/home/mark/tmp/testcopy/single_file"
+ comment => "test copy promise",
+ copy_from => mycopy(
+ "/home/mark/LapTop/Cfengine3/trunk/README", "127.0.0.1"
+ ),
+ perms => system;
 reports:
 copy_ok::
 "Files were copied..";
 }
 #########################################################
-
 body perms system
 {
- mode => "0644";
+ mode => "0644";
 }
 #########################################################
-
 body depth_search recurse(d)
 {
- depth => "$(d)";
+ depth => "$(d)";
 }
 #########################################################
-
-body copy_from mycopy(from,server)
+body copy_from mycopy(from, server)
 {
- source => "$(from)";
- servers => { "$(server)" };
- compare => "digest";
- verify => "true";
- copy_backup => "true"; #/false/timestamp
- purge => "false";
- type_check => "true";
- force_ipv4 => "true";
- trustkey => "true";
- collapse_destination_dir => "true";
+ source => "$(from)";
+ servers => { "$(server)" };
+ compare => "digest";
+ verify => "true";
+ copy_backup => "true";
+ #/false/timestamp
+ purge 
=> "false";
+ type_check => "true";
+ force_ipv4 => "true";
+ trustkey => "true";
+ collapse_destination_dir => "true";
 }
 #########################################################
-
 body classes satisfied(x)
 {
- promise_repaired => { "$(x)" };
- persist_time => "0";
+ promise_repaired => { "$(x)" };
+ persist_time => "0";
 }
 #########################################################
 # Server config
 #########################################################
-
 body server control
 {
- allowconnects => { "127.0.0.1" , "::1" };
- allowallconnects => { "127.0.0.1" , "::1" };
- trustkeysfrom => { "127.0.0.1" , "::1" };
+ allowconnects => { "127.0.0.1", "::1" };
+ allowallconnects => { "127.0.0.1", "::1" };
+ trustkeysfrom => { "127.0.0.1", "::1" };
 }
 #########################################################
-
 bundle server my_access_rules()
 {
 access:
- "/home/mark/LapTop"
- admit => { "127.0.0.1" };
+ "/home/mark/LapTop" admit => { "127.0.0.1" };
 }
diff --git a/content/examples/example-snippets/copy_directory_trees.cf b/content/examples/example-snippets/copy_directory_trees.cf
index bddfa2db9..9ee23058a 100644
--- a/content/examples/example-snippets/copy_directory_trees.cf
+++ b/content/examples/example-snippets/copy_directory_trees.cf
@@ -1,21 +1,17 @@
 body common control
 {
- bundlesequence => { "my_recursive_copy" };
- inputs => { "$(sys.libdir)/stdlib.cf" };
+ bundlesequence => { "my_recursive_copy" };
+ inputs => { "$(sys.libdir)/stdlib.cf" };
 }
 bundle agent my_recursive_copy
 {
 files:
-
- "/home/mark/tmp/test_dir"
-
+ "/home/mark/tmp/test_dir"
 copy_from => local_cp("$(sys.workdir)/bin/."),
 depth_search => recurse("inf");
- "/home/mark/tmp/test_dir"
-
- copy_from => secure_cp("$(sys.workdir)/bin","serverhost"),
+ "/home/mark/tmp/test_dir"
+ copy_from => secure_cp("$(sys.workdir)/bin", "serverhost"),
 depth_search => recurse("inf");
-
 }
diff --git a/content/examples/example-snippets/copy_single_files.cf b/content/examples/example-snippets/copy_single_files.cf
index a323573b0..ba29ff229 100644
--- a/content/examples/example-snippets/copy_single_files.cf
+++ b/content/examples/example-snippets/copy_single_files.cf
@@ -1,16 +1,15 @@
 body common control
 {
- bundlesequence => { "mycopy" };
- inputs => { "$(sys.libdir)/stdlib.cf" };
+ bundlesequence => { "mycopy" };
+ inputs => { "$(sys.libdir)/stdlib.cf" };
 }
 bundle agent mycopy
 {
 files:
-
- "/home/mark/tmp/test_plain"
+ "/home/mark/tmp/test_plain"
 copy_from => local_cp("$(sys.workdir)/bin/file");
- "/home/mark/tmp/test_remote_plain"
- copy_from => secure_cp("$(sys.workdir)/bin/file","serverhost");
+ "/home/mark/tmp/test_remote_plain"
+ copy_from => secure_cp("$(sys.workdir)/bin/file", "serverhost");
 }
diff --git a/content/examples/example-snippets/copy_then_edit_a_file_convergently.cf b/content/examples/example-snippets/copy_then_edit_a_file_convergently.cf
index 28fbb4366..f26dba155 100644
--- a/content/examples/example-snippets/copy_then_edit_a_file_convergently.cf
+++ b/content/examples/example-snippets/copy_then_edit_a_file_convergently.cf
@@ -1,24 +1,19 @@
 bundle agent master
 {
 files:
- "$(final_destination)"
+ "$(final_destination)"
 create => "true",
 edit_line => fix_file("$(staging_file)"),
 edit_defaults => empty,
- perms => mo("644","root"),
+ perms => mo("644", "root"),
 action => ifelapsed("60");
 }
-#
 bundle edit_line fix_file(f)
 {
 insert_lines:
-
- "$(f)"
- # insert this into an empty file to reconstruct
- insert_type => "file";
+ "$(f)" insert_type => "file";
 replace_patterns:
- "searchstring"
- replace_with => With("replacestring");
+ "searchstring" replace_with => With("replacestring");
 }
diff --git a/content/examples/example-snippets/create_files_and_directories.cf b/content/examples/example-snippets/create_files_and_directories.cf
index 21e4c2476..38c677c10 100644
--- a/content/examples/example-snippets/create_files_and_directories.cf
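Review bot: In copy_then_edit_a_file_convergently.cf the comment `# insert this into an empty file to reconstruct` is removed along with the old layout of the `"$(f)"` promise in fix_file, and nothing on the new side carries it over; the promise is collapsed to `"$(f)" insert_type => "file";`. That comment was the only explanation in the snippet of why the staging file is inserted wholesale into an emptied target, which is the whole point of the copy-then-edit pattern being documented. Suggest restoring it on the line above the promise, `# insert this into an empty file to reconstruct`, so the reformat stays content-preserving like the other hunks.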
+++ b/content/examples/example-snippets/create_files_and_directories.cf
@@ -3,28 +3,25 @@
 # Simple test create files
 #
 ########################################################
-
 body common control
 {
- bundlesequence => { "testbundle" };
+ bundlesequence => { "testbundle" };
 }
 ########################################################
-
 bundle agent testbundle
 {
 files:
- "/home/mark/tmp/test_plain"
+ "/home/mark/tmp/test_plain"
 perms => system,
 create => "true";
- "/home/mark/tmp/test_dir/."
+ "/home/mark/tmp/test_dir/."
 perms => system,
 create => "true";
 }
 #########################################################
-
 body perms system
 {
- mode => "0640";
+ mode => "0640";
 }
 #########################################################
diff --git a/content/examples/example-snippets/custom_editing.cf b/content/examples/example-snippets/custom_editing.cf
index f3265a16d..2508ba5ce 100644
--- a/content/examples/example-snippets/custom_editing.cf
+++ b/content/examples/example-snippets/custom_editing.cf
@@ -1,13 +1,11 @@
 bundle agent modifying_managed_file
 {
 vars:
-
- "data" slist => { "10.1.2.3 sirius", "10.1.2.4 ursa-minor", "10.1.2.5 orion"};
+ "data"
+ slist => { "10.1.2.3 sirius", "10.1.2.4 ursa-minor", "10.1.2.5 orion" };
 files:
-
- "/etc/hosts"
-
+ "/etc/hosts"
 comment => "Append a list of lines to the end of a file if they don't exist",
 perms => m("644"),
 create => "true",
diff --git a/content/examples/example-snippets/custom_editing_1.cf b/content/examples/example-snippets/custom_editing_1.cf
index 0f5d14390..fe4f9ec01 100644
--- a/content/examples/example-snippets/custom_editing_1.cf
+++ b/content/examples/example-snippets/custom_editing_1.cf
@@ -3,20 +3,17 @@
 # Edit variable = value in a text file
 #
 #######################################################
-
 body common control
 {
- bundlesequence => { "testsetvar" };
+ bundlesequence => { "testsetvar" };
 }
 #######################################################
-
 bundle agent testsetvar
 {
 vars:
- "v[variable_1]" string => "value_1";
- "v[variable_2]" string => "value_2";
+ "v[variable_1]" string => "value_1";
+ "v[variable_2]" string => "value_2";
 files:
- "/tmp/test_setvar"
- edit_line => set_variable_values("testsetvar.v");
+ "/tmp/test_setvar" edit_line => set_variable_values("testsetvar.v");
 }
diff --git a/content/examples/example-snippets/database_creation.cf b/content/examples/example-snippets/database_creation.cf
index 90f4a144c..73776108b 100644
--- a/content/examples/example-snippets/database_creation.cf
+++ b/content/examples/example-snippets/database_creation.cf
@@ -1,65 +1,58 @@
 body common control
 {
- bundlesequence => { "dummy" };
+ bundlesequence => { "dummy" };
 }
 body knowledge control
-
 {
- #sql_database => "postgres";
-
- sql_owner => "postgres";
- sql_passwd => ""; # No passwd
- sql_type => "postgres";
+ #sql_database => "postgres";
+ sql_owner => "postgres";
+ sql_passwd => "";
+ # No passwd
+ sql_type => "postgres";
 }
 body common control
 {
- bundlesequence => { "databases" };
+ bundlesequence => { "databases" };
 }
 bundle agent databases
 {
- #commands:
- # "/usr/bin/createdb cf_topic_maps",
- # contain => as_user("mysql");
-
+ #commands:
+ # "/usr/bin/createdb cf_topic_maps",
+ # contain => as_user("mysql");
 databases:
- "knowledge_bank/topics"
-
+ "knowledge_bank/topics"
 database_operation => "create",
 database_type => "sql",
 database_columns => {
- "topic_name,varchar,256",
- "topic_comment,varchar,1024",
- "topic_id,varchar,256",
- "topic_type,varchar,256",
- "topic_extra,varchar,26"
+ "topic_name,varchar,256",
+ "topic_comment,varchar,1024",
+ "topic_id,varchar,256",
+ "topic_type,varchar,256",
+ "topic_extra,varchar,26",
 },
 database_server => myserver;
 }
-
 ################################################
-
-
 body database_server myserver
 {
- none::
- db_server_owner => "postgres";
- db_server_password => "";
- db_server_host => "localhost";
- db_server_type => "postgres";
- db_server_connection_db => "postgres";
-
- any::
- db_server_owner => "root";
- db_server_password => "";
- db_server_host => "localhost";
- db_server_type => "mysql";
- db_server_connection_db => "mysql";
+ none::
+ db_server_owner => "postgres";
+ db_server_password => "";
+ db_server_host => "localhost";
+ db_server_type => "postgres";
+ db_server_connection_db => "postgres";
+ any::
+ db_server_owner => "root";
+ db_server_password => "";
+ db_server_host => "localhost";
+ db_server_type => "mysql";
+ db_server_connection_db => "mysql";
 }
 body contain as_user(x)
 {
- exec_owner => "$(x)";
+ exec_owner => "$(x)";
 }
diff --git a/content/examples/example-snippets/deleting_lines_exception.cf b/content/examples/example-snippets/deleting_lines_exception.cf
index 507983333..e8b6941ad 100644
--- a/content/examples/example-snippets/deleting_lines_exception.cf
+++ b/content/examples/example-snippets/deleting_lines_exception.cf
@@ -3,7 +3,6 @@
 # Simple test editfile
 #
 ########################################################
-
 #
 # This assumes a file format like:
 #
@@ -14,24 +13,21 @@
 # [section 2]
 #
 # lines... etc
-
 body common control
 {
- bundlesequence => { "testbundle" };
+ bundlesequence => { "testbundle" };
 }
 ########################################################
-
 bundle agent testbundle
 {
 files:
- "/tmp/passwd_excerpt"
- create => "true",
+ "/tmp/passwd_excerpt"
+ create => "true",
 edit_line => mark_n_root;
 }
 ########################################################
-
 bundle edit_line mark_n_root
 {
 delete_lines:
- "mark.*|root.*" not_matching => "true";
+ "mark.*|root.*" not_matching => "true";
 }
diff --git a/content/examples/example-snippets/deleting_lines_from_a_file.cf b/content/examples/example-snippets/deleting_lines_from_a_file.cf
index 0807aa33b..8be13b6c4 100644
--- a/content/examples/example-snippets/deleting_lines_from_a_file.cf
+++ b/content/examples/example-snippets/deleting_lines_from_a_file.cf
@@ -1,51 +1,48 @@
 body common control
 {
- bundlesequence => { "test" };
+ bundlesequence => { "test" };
 }
 bundle agent test
 {
 files:
- "/tmp/resolv.conf" # test on "/tmp/resolv.conf" #
- create => "true",
- edit_line => resolver,
+ "/tmp/resolv.conf"
+ # test on "/tmp/resolv.conf" #
+ create => "true",
+ edit_line => resolver,
 edit_defaults => def;
 }
-
 #######################################################
 # For the library
 #######################################################
-
 bundle edit_line resolver
 {
 vars:
- "search" slist => { "search iu.hio.no cfengine.com", "nameserver 128.39.89.10" };
+ "search"
+ slist => { "search iu.hio.no cfengine.com", "nameserver 128.39.89.10" };
 delete_lines:
- "search.*";
+ "search.*";
 insert_lines:
- "$(search)" location => end;
+ "$(search)" location => end;
 }
 #######################################################
-
 body edit_defaults def
 {
- empty_file_before_editing => "false";
- edit_backup => "false";
- max_file_size => "100000";
+ empty_file_before_editing => "false";
+ edit_backup => "false";
+ max_file_size => "100000";
 }
 ########################################################
-
 body location start
 {
- # If not line to match, applies to whole text body
- before_after => "before";
+ # If not line to match, applies to whole text body
+ before_after => "before";
 }
 ########################################################
-
 body location end
 {
- # If not line to match, applies to whole text body
- before_after => "after";
+ # If not line to match, applies to whole text body
+ before_after => "after";
 }
diff --git a/content/examples/example-snippets/disabling_and_rotating_files.cf b/content/examples/example-snippets/disabling_and_rotating_files.cf
index 8dcc7620d..2855e06ee 100644
--- a/content/examples/example-snippets/disabling_and_rotating_files.cf
+++ b/content/examples/example-snippets/disabling_and_rotating_files.cf
@@ -1,18 +1,12 @@
 body common control
 {
- bundlesequence => { "my_disable" };
- inputs => { "$(sys.libdir)/stdlib.cf" };
+ bundlesequence => { "my_disable" };
+ inputs => { "$(sys.libdir)/stdlib.cf" };
 }
 bundle agent my_disable
 {
-
 files:
-
- "/home/mark/tmp/test_create"
- rename => disable;
-
- "/home/mark/tmp/rotate_my_log"
- rename => rotate("4");
-
+ "/home/mark/tmp/test_create" rename => disable;
+ "/home/mark/tmp/rotate_my_log" rename => rotate("4");
 }
diff --git a/content/examples/example-snippets/distribute_root_passwords.cf b/content/examples/example-snippets/distribute_root_passwords.cf
index bd125abf1..be7ebb189 100644
--- a/content/examples/example-snippets/distribute_root_passwords.cf
+++ b/content/examples/example-snippets/distribute_root_passwords.cf
@@ -3,69 +3,70 @@
 # Root password distribution
 #
 ######################################################################
-
 body common control
 {
- version => "1.2.3";
- inputs => { "$(sys.libdir)/stdlib.cf" };
- bundlesequence => { "set_root_password" };
+ version => "1.2.3";
+ inputs => { "$(sys.libdir)/stdlib.cf" };
+ bundlesequence => { "set_root_password" };
 }
 ########################################################
-
 bundle common g
 {
 vars:
- "secret_keys_dir" string => "/tmp";
+ "secret_keys_dir" string => "/tmp";
 }
 ########################################################
-
 bundle agent set_root_password
 {
 vars:
- # Or get variables directly from server with Enterprise
- "remote-passwd" string => remotescalar("rem_password","127.0.0.1","yes");
-
- # Test this on a copy
+ # Or get variables directly from server with Enterprise
+ "remote-passwd" string => remotescalar("rem_password", "127.0.0.1", "yes");
+ # Test this on a copy
 files:
- "/var/cfengine/ppkeys/rootpw.txt"
- copy_from => secure_cp("$(sys.fqhost)-root.txt","master_host.example.org");
- # or $(pw_class)-root.txt
+ "/var/cfengine/ppkeys/rootpw.txt"
+ copy_from => secure_cp(
+ "$(sys.fqhost)-root.txt",
+ # or $(pw_class)-root.txt
+ "master_host.example.org"
+ );
- "/tmp/shadow"
- edit_line => set_root_password;
+ "/tmp/shadow" edit_line => set_root_password;
 }
 ########################################################
-
 bundle edit_line set_root_password
 {
 vars:
- # Assume this file contains a single string of the form root:passwdhash:
- # with : delimiters to avoid end of line/file problems
-
- "pw" int => readstringarray("rpw","$(sys.workdir)/ppkeys/rootpw.txt",
- "#[^\n]*",":","1","200");
+ # Assume this file contains a single string of the form root:passwdhash:
+ # with : delimiters to avoid end of line/file problems
+ "pw"
+ int => readstringarray(
+ "rpw", "$(sys.workdir)/ppkeys/rootpw.txt", "#[^\n]*", ":", "1", "200"
+ );
 field_edits:
- "root:.*"
- # Set field of the file to parameter
- edit_field => col(":","2","$(rpw[root][1])","set");
+ "root:.*" edit_field => col(":", "2", "$(rpw[root][1])", "set");
 }
 ########################################################
-
 bundle server passwords
 {
 vars:
- # Read a file of format
- #
- # classname: host1,host2,host4,IP-address,regex.*,etc
- #
+ # Read a file of format
+ #
+ # classname: host1,host2,host4,IP-address,regex.*,etc
+ "pw_classes"
+ int => readstringarray(
+ "acl",
+ "$(g.secret_keys_dir)/classes.txt",
+ "#[^\n]*",
+ ":",
+ "100",
+ "4000"
+ );
- "pw_classes" int => readstringarray("acl","$(g.secret_keys_dir)/classes.txt",
- "#[^\n]*",":","100","4000");
- "each_pw_class" slist => getindices("acl");
+ "each_pw_class" slist => getindices("acl");
 access:
- "/secret/keys/$(each_pw_class)-root.txt"
- admit => splitstring("$(acl[$(each_pw_class)][1])" , ":" , "100"),
+ "/secret/keys/$(each_pw_class)-root.txt"
+ admit => splitstring("$(acl[$(each_pw_class)][1])", ":", "100"),
 ifencrypted => "true";
 }
diff --git a/content/examples/example-snippets/distribute_ssh_keys.cf b/content/examples/example-snippets/distribute_ssh_keys.cf
index 8405f95b6..05c693a84 100644
--- a/content/examples/example-snippets/distribute_ssh_keys.cf
+++ b/content/examples/example-snippets/distribute_ssh_keys.cf
@@ -1,7 +1,6 @@
 # Assume that we have collected all users' public keys into a single source area
 # on the server. First copy the ones we need to localhost, and then edit them into
 # the user's local keyring. - # vars: # # "users" slist => { "user1", "user2", ...};
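Review bot: The `"/var/cfengine/ppkeys/rootpw.txt"` promise in `set_root_password` lands a root password hash on disk with no `perms` attribute, so its mode is whatever `secure_cp` leaves behind; the ssh-key example in this same commit protects mere public keys with `perms => mo("600", "root")`, and stdlib is already in `inputs`, so add `perms => mo("600", "root"),` to that promise. The relocated comment `# or $(pw_class)-root.txt` now sits between the two `secure_cp` arguments, where it reads as an alternative for `"master_host.example.org"` rather than for the file name; put it on the line above the call instead. The hyphen in `"remote-passwd"` is carried over unchanged and is worth checking against the variable-name rules before this snippet is held up as an example.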
@@ -11,53 +10,58 @@
 # "any" usebundle => allow_ssh_login_from_authorized_keys(@(users),"sourcehost");
 #
 ########################################################################
-
-bundle agent allow_ssh_rootlogin_from_authorized_keys(user,sourcehost)
+bundle agent allow_ssh_rootlogin_from_authorized_keys(user, sourcehost)
 {
 vars:
- "local_cache" string => "/var/cfengine/ssh_cache";
- "authorized_source" string => "/master/CFEngine/ssh_keys";
+ "local_cache" string => "/var/cfengine/ssh_cache";
+ "authorized_source" string => "/master/CFEngine/ssh_keys";
 files:
- "$(local_cache)/$(user).pub"
+ "$(local_cache)/$(user).pub"
 comment => "Copy public keys from a an authorized cache into a cache on localhost",
- perms => mo("600","root"),
- copy_from => remote_cp("$(authorized_source)/$(user).pub","$(sourcehost)"),
+ perms => mo("600", "root"),
+ copy_from => remote_cp(
+ "$(authorized_source)/$(user).pub", "$(sourcehost)"
+ ),
 action => if_elapsed("60");
- "/root/.ssh/authorized_keys"
+ "/root/.ssh/authorized_keys"
 comment => "Edit the authorized keys into the user's personal keyring",
- edit_line => insert_file_if_no_line_matching("$(user)","$(local_cache)/$(user).pub"),
+ edit_line => insert_file_if_no_line_matching(
+ "$(user)", "$(local_cache)/$(user).pub"
+ ),
 action => if_elapsed("60");
 }
 ########################################################################
-
-bundle agent allow_ssh_login_from_authorized_keys(user,sourcehost)
+bundle agent allow_ssh_login_from_authorized_keys(user, sourcehost)
 {
 vars:
- "local_cache" string => "/var/cfengine/ssh_cache";
- "authorized_source" string => "/master/CFEngine/ssh_keys";
+ "local_cache" string => "/var/cfengine/ssh_cache";
+ "authorized_source" string => "/master/CFEngine/ssh_keys";
 files:
- "$(local_cache)/$(user).pub"
+ "$(local_cache)/$(user).pub"
 comment => "Copy public keys from a an authorized cache into a cache on localhost",
- perms => mo("600","root"),
- copy_from => remote_cp("$(authorized_source)/$(user).pub","$(sourcehost)"),
+ perms => mo("600", "root"),
+ copy_from => remote_cp(
+ "$(authorized_source)/$(user).pub", "$(sourcehost)"
+ ),
 action => if_elapsed("60");
- "/home/$(user)/.ssh/authorized_keys"
+ "/home/$(user)/.ssh/authorized_keys"
 comment => "Edit the authorized keys into the user's personal keyring",
- edit_line => insert_file_if_no_line_matching("$(user)","$(local_cache)/$(user).pub"),
+ edit_line => insert_file_if_no_line_matching(
+ "$(user)", "$(local_cache)/$(user).pub"
+ ),
 action => if_elapsed("60");
 }
 ########################################################################
-
-bundle edit_line insert_file_if_no_line_matching(user,file)
+bundle edit_line insert_file_if_no_line_matching(user, file)
 {
 classes:
- "have_user" expression => regline("$(user).*","$(this.promiser)");
+ "have_user" expression => regline("$(user).*", "$(this.promiser)");
+
 insert_lines:
 !have_user::
- "$(file)"
- insert_type => "file";
+ "$(file)" insert_type => "file";
 }
diff --git a/content/examples/example-snippets/editing_files.cf b/content/examples/example-snippets/editing_files.cf
index 5586c73b6..5d749e7b1 100644
--- a/content/examples/example-snippets/editing_files.cf
+++ b/content/examples/example-snippets/editing_files.cf
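Review bot: The `have_user` guard in `insert_file_if_no_line_matching`, `regline("$(user).*", "$(this.promiser)")`, is anchored to the whole line by `regline`, so it only fires when an `authorized_keys` line starts with the user name; if the cached `.pub` files are ordinary OpenSSH key lines (key type first, user name at most in the trailing comment) the class is never set, while a user name that is a prefix of another (`bob` versus `bobby`) would wrongly suppress the insert. Since `$(user)` is also interpolated into the regex unescaped, the assumption should at least be written down next to the class: `# assumes each cached .pub line begins with the user name; regline matches the whole line — TODO confirm against the key source`. The `comment` attribute repeated in both agent bundles carries a typo and should read `comment => "Copy public keys from an authorized cache into a cache on localhost",`.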
@@ -3,21 +3,22 @@
 # Comment lines
 #
 ######################################################################
-
 body common control
 {
- version => "1.2.3";
- bundlesequence => { "testbundle" };
- inputs => { "$(sys.libdir)/stdlib.cf" };
+ version => "1.2.3";
+ bundlesequence => { "testbundle" };
+ inputs => { "$(sys.libdir)/stdlib.cf" };
 }
 ########################################################
-
 bundle agent testbundle
 {
 vars:
- "patterns" slist => { "finger.*", "echo.*", "exec.*", "rstat.*",
- "uucp.*", "talk.*" };
+ "patterns"
+ slist => {
+ "finger.*", "echo.*", "exec.*", "rstat.*", "uucp.*", "talk.*"
+ };
+
 files:
- "/etc/inetd.conf"
- edit_line => comment_lines_matching("@(testbundle.patterns)","#");
+ "/etc/inetd.conf"
+ edit_line => comment_lines_matching("@(testbundle.patterns)", "#");
 }
diff --git a/content/examples/example-snippets/editing_password_or_group_files.cf b/content/examples/example-snippets/editing_password_or_group_files.cf
index 982c2d9fb..c5bbc266e 100644
--- a/content/examples/example-snippets/editing_password_or_group_files.cf
+++ b/content/examples/example-snippets/editing_password_or_group_files.cf
@@ -1,17 +1,15 @@
 body common control
 {
- inputs => { "$(sys.libdir)/stdlib.cf" };
- bundlesequence => { "edit_passwd" };
+ inputs => { "$(sys.libdir)/stdlib.cf" };
+ bundlesequence => { "edit_passwd" };
 }
+
 bundle agent edit_passwd
 {
 vars:
- "userset" slist => { "user1", "user2", "user3" };
+ "userset" slist => { "user1", "user2", "user3" };
 files:
- "/etc/passwd"
- edit_line => set_user_field("mark","7","/set/this/shell");
-
- "/etc/group"
- edit_line => append_user_field("root","4","@(main.userset)");
+ "/etc/passwd" edit_line => set_user_field("mark", "7", "/set/this/shell");
+ "/etc/group" edit_line => append_user_field("root", "4", "@(main.userset)");
 }
diff --git a/content/examples/example-snippets/editing_password_or_group_files_custom.cf b/content/examples/example-snippets/editing_password_or_group_files_custom.cf
index f15026089..57bd03287 100644
--- a/content/examples/example-snippets/editing_password_or_group_files_custom.cf
+++ b/content/examples/example-snippets/editing_password_or_group_files_custom.cf
@@ -1,30 +1,24 @@
 body common control
 {
- bundlesequence => { "addpasswd" };
+ bundlesequence => { "addpasswd" };
 }
 bundle agent addpasswd
 {
 vars:
- # want to set these values by the names of their array keys
-
 "pwd[mark]" string => "mark:x:1000:100:Mark Burgess:/home/mark:/bin/bash";
 "pwd[fred]" string => "fred:x:1001:100:Right Said:/home/fred:/bin/bash";
 "pwd[jane]" string => "jane:x:1002:100:Jane Doe:/home/jane:/bin/bash";
 files:
-
 "/tmp/passwd"
 create => "true",
 edit_line => append_users_starting("addpasswd.pwd");
-
 }
- ############################################################
 # Library stuff
 ############################################################
-
 bundle edit_line append_users_starting(v)
 {
 vars:
@@ -34,11 +28,9 @@ bundle edit_line append_users_starting(v)
 "add_$(index)" not => userexists("$(index)");
 insert_lines:
- "$($(v)[$(index)])",
- if => "add_$(index)";
+ "$($(v)[$(index)])" if => "add_$(index)";
 }
 ############################################################
-
 bundle edit_line append_groups_starting(v)
 {
 vars:
@@ -48,6 +40,5 @@ bundle edit_line append_groups_starting(v)
 "add_$(index)" not => groupexists("$(index)");
 insert_lines:
- "$($(v)[$(index)])",
- if => "add_$(index)";
+ "$($(v)[$(index)])" if => "add_$(index)";
 }
diff --git a/content/examples/example-snippets/editing_tabular_files.cf b/content/examples/example-snippets/editing_tabular_files.cf
index bd4dce392..e24808ede 100644
--- a/content/examples/example-snippets/editing_tabular_files.cf
+++ b/content/examples/example-snippets/editing_tabular_files.cf
@@ -8,64 +8,54 @@
 # - insert
 #
 ######################################################################
-
 body common control
 {
- version => "1.2.3";
- bundlesequence => { "testbundle" };
+ version => "1.2.3";
+ bundlesequence => { "testbundle" };
 }
 ########################################################
-
 bundle agent testbundle
 {
 vars:
- "userset" slist => { "one-x", "two-x", "three-x" };
+ "userset" slist => { "one-x", "two-x", "three-x" };
 files:
- # Make a copy of the password file
-
- "/home/mark/tmp/passwd"
- create => "true",
- edit_line => set_user_param("mark","6","/set/this/shell");
+ # Make a copy of the password file
+ "/home/mark/tmp/passwd"
+ create => "true",
+ edit_line => set_user_param("mark", "6", "/set/this/shell");
- "/home/mark/tmp/group"
- create => "true",
- edit_line => append_user_param("root","4","@(userset)");
+ "/home/mark/tmp/group"
+ create => "true",
+ edit_line => append_user_param("root", "4", "@(userset)");
 commands:
- "/bin/echo" args => $(userset);
+ "/bin/echo" args => $(userset);
 }
 ########################################################
-
-bundle edit_line set_user_param(user,field,val)
+bundle edit_line set_user_param(user, field, val)
 {
 field_edits:
- "$(user):.*"
- # Set field of the file to parameter
- edit_field => col(":","$(field)","$(val)","set");
+ "$(user):.*" edit_field => col(":", "$(field)", "$(val)", "set");
 }
 ########################################################
-
-bundle edit_line append_user_param(user,field,allusers)
+bundle edit_line append_user_param(user, field, allusers)
 {
 vars:
- "val" slist => { @(allusers) };
+ "val" slist => { @(allusers) };
 field_edits:
- "$(user):.*"
- # Set field of the file to parameter
- edit_field => col(":","$(field)","$(val)","alphanum");
+ "$(user):.*" edit_field => col(":", "$(field)", "$(val)", "alphanum");
 }
 ########################################
 # Bodies
 ########################################
-
-body edit_field col(split,col,newval,method)
+body edit_field col(split, col, newval, method)
 {
- field_separator => $(split);
- select_field => $(col);
- value_separator => ",";
- field_value => $(newval);
- field_operation => $(method);
- extend_fields => "true";
+ field_separator => $(split);
+ select_field => $(col);
+ value_separator => ",";
+ field_value => $(newval);
+ field_operation => $(method);
+ extend_fields => "true";
 }
diff --git a/content/examples/example-snippets/ensure_not_running.cf b/content/examples/example-snippets/ensure_not_running.cf
index 9d580b7bf..c500b20a3 100644
--- a/content/examples/example-snippets/ensure_not_running.cf
+++ b/content/examples/example-snippets/ensure_not_running.cf
@@ -1,13 +1,10 @@
 bundle agent restart_process
 {
 vars:
-
- "killprocs" slist => { "snmpd", "gameserverd", "irc", "crack" };
+ "killprocs" slist => { "snmpd", "gameserverd", "irc", "crack" };
 processes:
-
- "$(killprocs)"
-
+ "$(killprocs)"
 comment => "Ensure processes are not running",
 signals => { "term", "kill" };
 }
diff --git a/content/examples/example-snippets/ensure_running.cf b/content/examples/example-snippets/ensure_running.cf
index 0a164b40b..19a0a8564 100644
--- a/content/examples/example-snippets/ensure_running.cf
+++ b/content/examples/example-snippets/ensure_running.cf
@@ -1,16 +1,11 @@
 bundle agent restart_process
 {
 processes:
-
- "httpd"
-
+ "httpd"
 comment => "Make sure apache web server is running",
 restart_class => "restart_httpd";
 commands:
-
 restart_httpd::
-
 "/etc/init.d/apache2 restart";
-
 }
diff --git a/content/examples/example-snippets/ensure_running_1.cf b/content/examples/example-snippets/ensure_running_1.cf
index 9c21d16ea..c9ffc33d2 100644
--- a/content/examples/example-snippets/ensure_running_1.cf
+++ b/content/examples/example-snippets/ensure_running_1.cf
@@ -1,19 +1,15 @@
 bundle agent cfengine_processes
 {
 vars:
-
 "component" slist => { "cf-execd", "cf-monitord", "cf-serverd", "cf-hub" };
 processes:
-
 "$(component)"
 comment => "Make sure server parts of CFEngine are running",
 restart_class => canonify("$(component)_not_running");
 commands:
-
 "$(sys.workdir)/bin/$(component)"
 comment => "Make sure server parts of CFEngine are running",
 if => canonify("$(component)_not_running");
-
 }
diff --git a/content/examples/example-snippets/environment_variables.cf b/content/examples/example-snippets/environment_variables.cf
index be2edbc4a..0a1587d82 100644
--- a/content/examples/example-snippets/environment_variables.cf
+++ b/content/examples/example-snippets/environment_variables.cf
@@ -3,25 +3,22 @@
 # Virtual environments
 #
 #######################################################
-
 body common control
 {
- bundlesequence => { "my_vm_cloud" };
+ bundlesequence => { "my_vm_cloud" };
 }
 #######################################################
-
 bundle agent my_vm_cloud
 {
 environments:
- "centos5"
+ "centos5"
 environment_resources => virt_xml,
- environment_type => "xen",
- environment_host => "ursa-minor";
- # default environment_state => "create" on host, and "suspended elsewhere"
+ environment_type => "xen",
+ environment_host => "ursa-minor";
+ # default environment_state => "create" on host, and "suspended elsewhere"
 }
 #######################################################
-
 body environment_resources virt_xml
 {
- env_spec_file => "/srv/xen/centos5-libvirt-create.xml";
+ env_spec_file => "/srv/xen/centos5-libvirt-create.xml";
 }
diff --git a/content/examples/example-snippets/environments_(virtual).cf b/content/examples/example-snippets/environments_(virtual).cf
index 8fddf18a3..247f63c97 100644
--- a/content/examples/example-snippets/environments_(virtual).cf
+++ b/content/examples/example-snippets/environments_(virtual).cf
@@ -3,41 +3,38 @@
 # Virtual environments
 #
 #######################################################
-
 body common control
 {
- bundlesequence => { "my_vm_cloud" };
+ bundlesequence => { "my_vm_cloud" };
 }
 #######################################################
-
 bundle agent my_vm_cloud
 {
 vars:
- "vms[atlas]" slist => { "guest1", "guest2", "guest3" };
+ "vms[atlas]" slist => { "guest1", "guest2", "guest3" };
 environments:
- scope||any:: # These should probably be in class "any" to ensure uniqueness
+ scope||any::
+ # These should probably be in class "any" to ensure uniqueness
 "$(vms[$(sys.host)])"
- environment_resources => virt_xml("$(xmlfile[$(this.promiser)])"),
- environment_interface => vnet("eth0,192.168.1.100/24"),
- environment_type => "test",
- environment_host => "atlas";
- # default environment_state => "create" on host, and "suspended elsewhere"
+ environment_resources => virt_xml("$(xmlfile[$(this.promiser)])"),
+ environment_interface => vnet("eth0,192.168.1.100/24"),
+ environment_type => "test",
+ environment_host => "atlas";
+ # default environment_state => "create" on host, and "suspended elsewhere"
 }
 #######################################################
-
 body environment_resources virt_xml(specfile)
 {
- env_spec_file => "$(specfile)";
+ env_spec_file => "$(specfile)";
 }
 #######################################################
-
 body environment_interface vnet(primary)
 {
- env_name => "$(this.promiser)";
- env_addresses => { "$(primary)" };
- host1::
- env_network => "default_vnet1";
- host2::
- env_network => "default_vnet2";
+ env_name => "$(this.promiser)";
+ env_addresses => { "$(primary)" };
+ host1::
+ env_network => "default_vnet1";
+ host2::
+ env_network => "default_vnet2";
 }
diff --git a/content/examples/example-snippets/execresult_example.cf b/content/examples/example-snippets/execresult_example.cf
index 195dcde1b..f7ed9cf7f 100644
--- a/content/examples/example-snippets/execresult_example.cf
+++ b/content/examples/example-snippets/execresult_example.cf
@@ -1,14 +1,13 @@
 body common control
 {
- bundlesequence => { "example" };
+ bundlesequence => { "example" };
 }
 ###########################################################
-
 bundle agent example
 {
 vars:
- "my_result" string => execresult("/bin/ls /tmp","noshell");
+ "my_result" string => execresult("/bin/ls /tmp", "noshell");
 reports:
- "Variable is $(my_result)";
+ "Variable is $(my_result)";
 }
diff --git a/content/examples/example-snippets/find_mac_address.cf b/content/examples/example-snippets/find_mac_address.cf
index a7f59204b..1a38a9a69 100644
--- a/content/examples/example-snippets/find_mac_address.cf
+++ b/content/examples/example-snippets/find_mac_address.cf
@@ -1,57 +1,44 @@
 bundle agent test
 {
 vars:
-
 linux::
- "interface" string => execresult("/sbin/ifconfig eth0","noshell");
+ "interface" string => execresult("/sbin/ifconfig eth0", "noshell");
 solaris::
- "interface" string => execresult("/usr/sbin/ifconfig bge0","noshell");
+ "interface" string => execresult("/usr/sbin/ifconfig bge0", "noshell");
 freebsd::
- "interface" string => execresult("/sbin/ifconfig le0","noshell");
+ "interface" string => execresult("/sbin/ifconfig le0", "noshell");
 darwin::
- "interface" string => execresult("/sbin/ifconfig en0","noshell");
+ "interface" string => execresult("/sbin/ifconfig en0", "noshell");
 classes:
-
 linux::
-
- "ok" expression => regextract(
- ".*HWaddr ([^\s]+).*(\n.*)*",
- "$(interface)",
- "mac"
- );
+ "ok"
+ expression => regextract(
+ ".*HWaddr ([^\s]+).*(\n.*)*", "$(interface)", "mac"
+ );
 solaris::
-
- "ok" expression => regextract(
- ".*ether ([^\s]+).*(\n.*)*",
- "$(interface)",
- "mac"
- );
+ "ok"
+ expression => regextract(
+ ".*ether ([^\s]+).*(\n.*)*", "$(interface)", "mac"
+ );
 freebsd::
-
- "ok" expression => regextract(
- ".*ether ([^\s]+).*(\n.*)*",
- "$(interface)",
- "mac"
- );
+ "ok"
+ expression => regextract(
+ ".*ether ([^\s]+).*(\n.*)*", "$(interface)", "mac"
+ );
 darwin::
-
- "ok" expression => regextract(
- "(?s).*ether ([^\s]+).*(\n.*)*",
- "$(interface)",
- "mac"
- );
+ "ok"
+ expression => regextract(
+ "(?s).*ether ([^\s]+).*(\n.*)*", "$(interface)", "mac"
+ );
 reports:
-
 ok::
-
 "MAC address is $(mac[1])";
-
 }
diff --git a/content/examples/example-snippets/garbage_collection.cf b/content/examples/example-snippets/garbage_collection.cf
index 7627d66e2..1c91d36ef 100644
--- a/content/examples/example-snippets/garbage_collection.cf
+++ b/content/examples/example-snippets/garbage_collection.cf
@@ -1,78 +1,62 @@
 body common control
 {
- bundlesequence => { "garbage_collection" };
- inputs => { "cfengine_stdlib.cf" };
+ bundlesequence => { "garbage_collection" };
+ inputs => { "cfengine_stdlib.cf" };
 }
-
 bundle agent garbage_collection
 {
 files:
-
 Sunday::
-
 "$(sys.workdir)/nova_repair.log"
-
- comment => "Rotate the promises repaired logs each week",
- rename => rotate("7"),
- action => if_elapsed("10000");
+ comment => "Rotate the promises repaired logs each week",
+ rename => rotate("7"),
+ action => if_elapsed("10000");
 "$(sys.workdir)/nova_notkept.log"
-
- comment => "Rotate the promises not kept logs each week",
- rename => rotate("7"),
- action => if_elapsed("10000");
+ comment => "Rotate the promises not kept logs each week",
+ rename => rotate("7"),
+ action => if_elapsed("10000");
 "$(sys.workdir)/promise.log"
-
- comment => "Rotate the promises not kept logs each week",
- rename => rotate("7"),
- action => if_elapsed("10000");
+ comment => "Rotate the promises not kept logs each week",
+ rename => rotate("7"),
+ action => if_elapsed("10000");
 any::
-
 "$(sys.workdir)/outputs"
-
- comment => "Garbage collection of any output files",
- delete => tidy,
- file_select => days_old("3"),
- depth_search => recurse("inf");
+ comment => "Garbage collection of any output files",
+ delete => tidy,
+ file_select => days_old("3"),
+ depth_search => recurse("inf");
 "$(sys.workdir)/"
-
- comment => "Garbage collection of any output files",
- delete => tidy,
- file_select => days_old("14"),
- depth_search => recurse("inf");
+ comment => "Garbage collection of any output files",
+ delete => tidy,
+ file_select => days_old("14"),
+ depth_search => recurse("inf");
 # Other resources
-
-
 "/tmp"
-
- comment => "Garbage collection of any temporary files",
- delete => tidy,
- file_select => days_old("3"),
- depth_search => recurse("inf");
+ comment => "Garbage collection of any temporary files",
+ delete => tidy,
+ file_select => days_old("3"),
+ depth_search => recurse("inf");
 "/var/log/apache2/.*bz"
-
- comment => "Garbage collection of rotated log files",
- delete => tidy,
- file_select => days_old("30"),
- depth_search => recurse("inf");
+ comment => "Garbage collection of rotated log files",
+ delete => tidy,
+ file_select => days_old("30"),
+ depth_search => recurse("inf");
 "/var/log/apache2/.*gz"
-
- comment => "Garbage collection of rotated log files",
- delete => tidy,
- file_select => days_old("30"),
- depth_search => recurse("inf");
+ comment => "Garbage collection of rotated log files",
+ delete => tidy,
+ file_select => days_old("30"),
+ depth_search => recurse("inf");
 "/var/log/zypper.log"
-
- comment => "Prevent the zypper log from choking the disk",
- rename => rotate("0"),
- action => if_elapsed("10000");
-
+ comment => "Prevent the zypper log from choking the disk",
+ rename => rotate("0"),
+ action => if_elapsed("10000");
 }
diff --git a/content/examples/example-snippets/get_a_list_of_users.cf b/content/examples/example-snippets/get_a_list_of_users.cf
index a037b3f18..7ee59f6c6 100644
--- a/content/examples/example-snippets/get_a_list_of_users.cf
+++ b/content/examples/example-snippets/get_a_list_of_users.cf
@@ -3,17 +3,16 @@
 # GetUsers
 #
 #######################################################
-
 body common control
 {
- bundlesequence => { test };
+ bundlesequence => { test };
 }
 #######################################################
-
 bundle agent test
 {
 vars:
- "allusers" slist => getusers("zenoss,mysql,at","12,0");
+ "allusers" slist => getusers("zenoss,mysql,at", "12,0");
+
 reports:
 linux::
 "Found user $(allusers)";
diff --git a/content/examples/example-snippets/global_classes.cf b/content/examples/example-snippets/global_classes.cf
index 15be8c357..40eaf3d03 100644
--- a/content/examples/example-snippets/global_classes.cf
+++ b/content/examples/example-snippets/global_classes.cf
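Review bot: The `"$(sys.workdir)/"` promise under `any::` deletes everything beneath the agent's own work directory older than 14 days (`delete => tidy`, `file_select => days_old("14")`, `depth_search => recurse("inf")`), which includes the `ppkeys/` tree that the root-password example in this same commit reads from and whatever else the agent keeps there to run and authenticate; nothing in the new lines excludes any of it. Its `comment => "Garbage collection of any output files"` is identical to the `$(sys.workdir)/outputs` promise directly above, which already sweeps that directory at 3 days, so this looks like a duplicated promiser rather than an intended purge of the whole work directory. Either drop the promise or narrow the promiser to the specific subdirectory meant, and make the `comment` say what is actually being removed.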
@@ -1,62 +1,56 @@
 body common control
 {
- bundlesequence => { "g","tryclasses_1", "tryclasses_2" };
+ bundlesequence => { "g", "tryclasses_1", "tryclasses_2" };
 }
 #################################
-
 bundle common g
 {
 classes:
- "one" expression => "any";
- "client_network" expression => iprange("128.39.89.0/24");
+ "one" expression => "any";
+ "client_network" expression => iprange("128.39.89.0/24");
 }
 #################################
-
 bundle agent tryclasses_1
 {
 classes:
- "two" expression => "any";
+ "two" expression => "any";
 }
 #################################
-
 bundle agent tryclasses_2
 {
 classes:
- "three" expression => "any";
+ "three" expression => "any";
+
 reports:
 one.three.!two::
 "Success";
 }
- ###### Global classes
 body common control
 {
- bundlesequence => { "g","tryclasses_1", "tryclasses_2" };
+ bundlesequence => { "g", "tryclasses_1", "tryclasses_2" };
 }
 #################################
-
 bundle common g
 {
 classes:
- "one" expression => "any";
- "client_network" expression => iprange("128.39.89.0/24");
+ "one" expression => "any";
+ "client_network" expression => iprange("128.39.89.0/24");
 }
 #################################
-
 bundle agent tryclasses_1
 {
 classes:
- "two" expression => "any";
+ "two" expression => "any";
 }
 #################################
-
 bundle agent tryclasses_2
 {
 classes:
- "three" expression => "any";
+ "three" expression => "any";
+
 reports:
 one.three.!two::
 "Success";
 }
- #################################
diff --git a/content/examples/example-snippets/hashing_for_change_detection_(tripwire).cf b/content/examples/example-snippets/hashing_for_change_detection_(tripwire).cf
index b788c48a9..78c283efe 100644
--- a/content/examples/example-snippets/hashing_for_change_detection_(tripwire).cf
+++ b/content/examples/example-snippets/hashing_for_change_detection_(tripwire).cf
@@ -3,18 +3,16 @@
 # Change detect
 #
 ########################################################
-
 body common control
 {
- bundlesequence => { "testbundle" };
- inputs => { "$(sys.libdir)/stdlib.cf" };
+ bundlesequence => { "testbundle" };
+ inputs => { "$(sys.libdir)/stdlib.cf" };
 }
 ########################################################
-
 bundle agent testbundle
 {
 files:
- "/home/mark/tmp/web" -> "me"
- changes => detect_all_change,
+ "/home/mark/tmp/web" -> "me"
+ changes => detect_all_change,
 depth_search => recurse("inf");
 }
diff --git a/content/examples/example-snippets/hello_world.cf b/content/examples/example-snippets/hello_world.cf
index 05fd98486..c68e6326f 100644
--- a/content/examples/example-snippets/hello_world.cf
+++ b/content/examples/example-snippets/hello_world.cf
@@ -1,6 +1,6 @@
 body common control
 {
- bundlesequence => { "hello" };
+ bundlesequence => { "hello" };
 }
 bundle agent hello
diff --git a/content/examples/example-snippets/inserting_lines_in_a_file.cf b/content/examples/example-snippets/inserting_lines_in_a_file.cf
index 653d8a5c0..689dd1161 100644
--- a/content/examples/example-snippets/inserting_lines_in_a_file.cf
+++ b/content/examples/example-snippets/inserting_lines_in_a_file.cf
@@ -3,60 +3,51 @@
 # Insert a number of lines with vague whitespace
 #
 #######################################################
-
 body common control
 {
- any::
- bundlesequence => { "insert" };
+ any::
+ bundlesequence => { "insert" };
 }
- #######################################################
-
 bundle agent insert
 {
 vars:
- "v" string => " One potato";
+ "v" string => " One potato";
 files:
- "/tmp/test_insert"
+ "/tmp/test_insert"
 create => "true",
 edit_line => insert_name("$(insert.v)");
 }
 #######################################################
 # For the library
 #######################################################
-
 bundle edit_line insert_name(name)
 {
 insert_lines:
- " $(name)"
- whitespace_policy => { "ignore_leading", "ignore_embedded" };
+ " $(name)" whitespace_policy => { "ignore_leading", "ignore_embedded" };
 }
 #######################################################
-
 body edit_defaults empty
 {
- empty_file_before_editing => "true";
+ empty_file_before_editing => "true";
 }
- #######################################################
 #
 # Insert a number of lines
 #
 #######################################################
-
 body common control
 {
- any::
- bundlesequence => { "insert" };
+ any::
+ bundlesequence => { "insert" };
 }
- #######################################################
-
 bundle agent insert
 {
 vars:
- "v" string => "
+ "v"
+ string => "
 One potato
 Two potato
 Three potatoe
@@ -64,7 +55,7 @@ bundle agent insert
 ";
 files:
- "/tmp/test_insert"
+ "/tmp/test_insert"
 create => "true",
 edit_line => insert_name("$(insert.v)"),
 edit_defaults => empty;
@@ -72,62 +63,48 @@ bundle agent insert
 #######################################################
 # For the library
 #######################################################
-
 bundle edit_line insert_name(name)
 {
 insert_lines:
- "Begin$(const.n)$(name)$(const.n)End";
+ "Begin$(const.n)$(name)$(const.n)End";
 }
 #######################################################
-
 body edit_defaults empty
 {
- empty_file_before_editing => "false";
+ empty_file_before_editing => "false";
 }
- #######################################################
 #
 # Insert a number of lines
 #
 #######################################################
-
 body common control
 {
- any::
- bundlesequence => { "insert" };
+ any::
+ bundlesequence => { "insert" };
 }
- #######################################################
-
 bundle agent insert
 {
 vars:
- "v" slist => {
- "One potato",
- "Two potato",
- "Three potatoe",
- "Four"
- };
+ "v" slist => { "One potato", "Two potato", "Three potatoe", "Four" };
 files:
- "/tmp/test_insert"
+ "/tmp/test_insert"
 create => "true",
 edit_line => insert_name("@(insert.v)");
- # edit_defaults => empty;
-
+ # edit_defaults => empty;
 }
 #######################################################
 # For the library
 #######################################################
-
 bundle edit_line insert_name(name)
 {
 insert_lines:
- "$(name)";
+ "$(name)";
 }
 #######################################################
-
 body edit_defaults empty
 {
- empty_file_before_editing => "true";
+ empty_file_before_editing => "true";
 }
diff --git a/content/examples/example-snippets/kill_process.cf b/content/examples/example-snippets/kill_process.cf
index 5c13b8d2b..04b079714 100644
--- a/content/examples/example-snippets/kill_process.cf
+++ b/content/examples/example-snippets/kill_process.cf
@@ -1,12 +1,10 @@
 body common control
 {
- bundlesequence => { "test" };
+ bundlesequence => { "test" };
 }
 bundle agent test
 {
 processes:
-
- "sleep"
- signals => { "term", "kill" };
+ "sleep" signals => { "term", "kill" };
 }
diff --git a/content/examples/example-snippets/laptop_support_configuration.cf b/content/examples/example-snippets/laptop_support_configuration.cf
index cc9f79c67..74dfc742c 100644
--- a/content/examples/example-snippets/laptop_support_configuration.cf
+++ b/content/examples/example-snippets/laptop_support_configuration.cf
@@ -3,66 +3,50 @@ # Laptop # ####################################################### - body common control { - bundlesequence => { - "update", - "garbage_collection", - "main", - "backup", - }; - inputs => { - "update.cf", - "site.cf", - "library.cf" - }; + bundlesequence => { "update", "garbage_collection", "main", "backup" }; + inputs => { "update.cf", "site.cf", "library.cf" }; } ####################################################### - body agent control { - # if default runtime is 5 mins we need this for long jobs - ifelapsed => "15"; + # if default runtime is 5 mins we need this for long jobs + ifelapsed => "15"; } ####################################################### - body monitor control { - forgetrate => "0.7"; + forgetrate => "0.7"; } ####################################################### - body executor control { - splaytime => "1"; - mailto => "mark@iu.hio.no"; - smtpserver => "localhost"; - mailmaxlines => "30"; - # Instead of a separate update script, now do this - - exec_command => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent"; + splaytime => "1"; + mailto => "mark@iu.hio.no"; + smtpserver => "localhost"; + mailmaxlines => "30"; + # Instead of a separate update script, now do this + exec_command => "$(sys.workdir)/bin/cf-agent -f failsafe.cf && $(sys.workdir)/bin/cf-agent"; } ####################################################### # General site issues can be in bundles like this one ####################################################### - bundle agent main { vars: "component" slist => { "cf-monitord", "cf-serverd" }; - # - - - - - - - - - - - - - - - - - - - - - - - - - + # - - - - - - - - - - - - - - - - - - - - - - - - files: - "$(sys.resolv)" # test on "/tmp/resolv.conf" # - create => "true", - edit_line => resolver, + "$(sys.resolv)" + # test on "/tmp/resolv.conf" # + create => "true", + edit_line => resolver, edit_defaults => def; processes: "$(component)" restart_class => canonify("$(component)_not_running"); 
- # - - - - - - - - - - - - - - - - - - - - - - - - - + # - - - - - - - - - - - - - - - - - - - - - - - - commands: "$(sys.workdir)/bin/$(component)" if => canonify("$(component)_not_running"); @@ -70,7 +54,6 @@ bundle agent main ####################################################### # Backup ####################################################### - bundle agent backup { files: @@ -83,7 +66,6 @@ bundle agent backup ####################################################### # Garbage collection issues ####################################################### - bundle agent garbage_collection { files: @@ -91,5 +73,4 @@ bundle agent garbage_collection delete => tidy, file_select => days_old("3"), depth_search => recurse("inf"); - } diff --git a/content/examples/example-snippets/ldap_interactions.cf b/content/examples/example-snippets/ldap_interactions.cf index 3863d1ad0..ddea8a0c0 100644 --- a/content/examples/example-snippets/ldap_interactions.cf +++ b/content/examples/example-snippets/ldap_interactions.cf 
@@ -1,36 +1,71 @@ body common control { - bundlesequence => { "ldap" , "followup"}; + bundlesequence => { "ldap", "followup" }; } ################################################################################################### # NOTE!! relying on LDAP or other network data without validation is EXTREMELY dangerous. # You could destroy a system by assuming that the service will respond with a # sensible result. CFEngine does not recommend reliance on network services in configuration. ################################################################################################### - bundle agent ldap { vars: - # Get the first matching value for "uid" - - "value" string => ldapvalue("ldap://eternity.iu.hio.no","dc=cfengine,dc=com","(sn=User)","uid","subtree","none"); + # Get the first matching value for "uid" + "value" + string => ldapvalue( + "ldap://eternity.iu.hio.no", + "dc=cfengine,dc=com", + "(sn=User)", + "uid", + "subtree", + "none" + ); - # Get all matching values for "uid" - should be a single record match - "list" slist => ldaplist("ldap://eternity.iu.hio.no","dc=cfengine,dc=com","(sn=User)","uid","subtree","none"); + # Get all matching values for "uid" - should be a single record match + "list" + slist => ldaplist( + "ldap://eternity.iu.hio.no", + "dc=cfengine,dc=com", + "(sn=User)", + "uid", + "subtree", + "none" + ); classes: - "gotdata" expression => ldaparray("myarray","ldap://eternity.iu.hio.no","dc=cfengine,dc=com","(uid=mark)","subtree","none"); - "found" expression => regldap("ldap://eternity.iu.hio.no","dc=cfengine,dc=com","(sn=User)","uid","subtree","jon.*","none"); + "gotdata" + expression => ldaparray( + "myarray", + "ldap://eternity.iu.hio.no", + "dc=cfengine,dc=com", + "(uid=mark)", + "subtree", + "none" + ); + + "found" + expression => regldap( + "ldap://eternity.iu.hio.no", + "dc=cfengine,dc=com", + "(sn=User)", + "uid", + "subtree", + "jon.*", + "none" + ); reports: linux:: "LDAP VALUE $(value) found"; "LDAP LIST VALUE $(list)"; + 
gotdata:: "Found specific entry data ...$(ldap.myarray[uid]),$(ldap.myarray[gecos]), etc"; + found:: "Matched regex"; } + bundle agent followup { reports: diff --git a/content/examples/example-snippets/linking_files.cf b/content/examples/example-snippets/linking_files.cf index 91388777d..afb3298cb 100644 --- a/content/examples/example-snippets/linking_files.cf +++ b/content/examples/example-snippets/linking_files.cf 
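Review bot: All four reformatted calls (`ldapvalue`, `ldaplist`, `ldaparray`, `regldap`) keep the `ldap://eternity.iu.hio.no` URI together with the trailing security option `"none"`, so the directory data that sets `gotdata` and `found` and fills the reports is fetched over an unencrypted, unauthenticated channel, which the NOTE block above does not mention. A line in that block such as `# These calls pass "none" as the security option over ldap://; use "ssl" so the values the classes depend on are at least protected in transit.` would close that gap without changing the example values. The hostname and base DN are placeholders from the original example and need no change.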
@@ -8,87 +8,74 @@ # - insert # ###################################################################### - body common control { - version => "1.2.3"; - bundlesequence => { "testbundle" }; + version => "1.2.3"; + bundlesequence => { "testbundle" }; } ######################################################## - bundle agent testbundle { files: - # Make a copy of the password file - - "/home/mark/tmp/passwd" - link_from => linkdetails("/etc/passwd"), + # Make a copy of the password file + "/home/mark/tmp/passwd" + link_from => linkdetails("/etc/passwd"), move_obstructions => "true"; - "/home/mark/tmp/linktest" - link_from => linkchildren("/usr/local/sbin"); - - #child links + "/home/mark/tmp/linktest" link_from => linkchildren("/usr/local/sbin"); + #child links } ######################################################### - body link_from linkdetails(tofile) { - source => "$(tofile)"; - link_type => "symlink"; - when_no_source => "force"; # kill + source => "$(tofile)"; + link_type => "symlink"; + when_no_source => "force"; + # kill } ######################################################### - body link_from linkchildren(tofile) { - source => "$(tofile)"; - link_type => "symlink"; - when_no_source => "force"; # kill - link_children => "true"; - when_linking_children => "if_no_such_file"; # "override_file"; + source => "$(tofile)"; + link_type => "symlink"; + when_no_source => "force"; + # kill + link_children => "true"; + when_linking_children => "if_no_such_file"; + # "override_file"; } - ####################################################### # # Test dead link removal # ####################################################### - body common control { - any:: - bundlesequence => { - "testbundle" - }; + any:: + bundlesequence => { "testbundle" }; } - ############################################ - bundle agent testbundle { files: - "/home/mark/tmp/test_to" -> "someone" + "/home/mark/tmp/test_to" -> "someone" depth_search => recurse("inf"), perms => modestuff, action => 
tell_me; } ############################################ - body depth_search recurse(d) { - rmdeadlinks => "true"; - depth => "$(d)"; + rmdeadlinks => "true"; + depth => "$(d)"; } ############################################ - body perms modestuff { - mode => "o-w"; + mode => "o-w"; } ############################################ - body action tell_me { - report_level => "inform"; + report_level => "inform"; } diff --git a/content/examples/example-snippets/listing_files-pattern_in_a_directory.cf b/content/examples/example-snippets/listing_files-pattern_in_a_directory.cf index 5d44ceafa..aa660318a 100644 --- a/content/examples/example-snippets/listing_files-pattern_in_a_directory.cf +++ b/content/examples/example-snippets/listing_files-pattern_in_a_directory.cf @@ -1,14 +1,13 @@ body common control { - bundlesequence => { "example" }; + bundlesequence => { "example" }; } ########################################################### - bundle agent example { vars: - "ls" slist => lsdir("/etc","p.*","true"); + "ls" slist => lsdir("/etc", "p.*", "true"); reports: - "ls: $(ls)"; + "ls: $(ls)"; } diff --git a/content/examples/example-snippets/locate_and_transform_files.cf b/content/examples/example-snippets/locate_and_transform_files.cf index 8cd7e4051..2d0b1bd29 100644 --- a/content/examples/example-snippets/locate_and_transform_files.cf +++ b/content/examples/example-snippets/locate_and_transform_files.cf 
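Review bot: The comment `# Make a copy of the password file` above `"/home/mark/tmp/passwd"` does not describe what the new side does: `linkdetails` sets `link_type => "symlink"`, so the promise creates a symlink to `/etc/passwd`, not a copy, and `# Symlink /home/mark/tmp/passwd to /etc/passwd` would be accurate. The reformat also moved the trailing comments `# kill` and `# "override_file";` onto their own lines after the semicolon, where `# "override_file";` no longer reads as the alternative value for `when_linking_children`; keeping the comment on the attribute line, or writing `# alternative: when_linking_children => "override_file";`, keeps the association. The same detached-comment effect appears in packages_examples_solaris.cf (`# defined in stdlib` now sits between `edit_defaults` and `edit_line`) and in each `body process_count up(s)` of process_management.cf (`# or irange("1","10");` now follows `match_range` on its own line).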
@@ -3,35 +3,29 @@ # Compressing files # ####################################################### - body common control { - any:: - bundlesequence => { - "testbundle" - }; - version => "1.2.3"; + any:: + bundlesequence => { "testbundle" }; + version => "1.2.3"; } ############################################ - bundle agent testbundle { files: - "/home/mark/tmp/testcopy" + "/home/mark/tmp/testcopy" file_select => pdf_files, transformer => "/usr/bin/gzip $(this.promiser)", depth_search => recurse("inf"); } ############################################ - body file_select pdf_files { - leaf_name => { ".*.pdf" , ".*.fdf" }; - file_result => "leaf_name"; + leaf_name => { ".*.pdf", ".*.fdf" }; + file_result => "leaf_name"; } ############################################ - body depth_search recurse(d) { - depth => "$(d)"; + depth => "$(d)"; } diff --git a/content/examples/example-snippets/log_rotation.cf b/content/examples/example-snippets/log_rotation.cf index f49bbb067..0b519ec92 100644 --- a/content/examples/example-snippets/log_rotation.cf +++ b/content/examples/example-snippets/log_rotation.cf @@ -1,21 +1,15 @@ body common control { - bundlesequence => { "testbundle" }; + bundlesequence => { "testbundle" }; } - ############################################ - bundle agent testbundle - { files: - "/home/mark/tmp/rotateme" - rename => rotate("4"); + "/home/mark/tmp/rotateme" rename => rotate("4"); } - ############################################ - body rename rotate(level) { - rotate => "$(level)"; + rotate => "$(level)"; } diff --git a/content/examples/example-snippets/logging.cf b/content/examples/example-snippets/logging.cf index 13c2542ac..50a5128f0 100644 --- a/content/examples/example-snippets/logging.cf +++ b/content/examples/example-snippets/logging.cf 
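Review bot: The `leaf_name` patterns `".*.pdf"` and `".*.fdf"` in `body file_select pdf_files` leave the dot before the extension unescaped, so the anchored match also selects names such as `mypdf` or `report-fdf`, and every selected file is then handed to `gzip` by the `transformer`; `leaf_name => { ".*\.pdf", ".*\.fdf" };` is the intended pattern. A short comment on the `transformer` line, e.g. `# gzip replaces the matched file in place; make sure file_select is narrow`, would also make the destructive nature of the example explicit.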
@@ -1,48 +1,41 @@ body common control { - bundlesequence => { "test" }; + bundlesequence => { "test" }; } bundle agent test { vars: - - "software" slist => { "/root/xyz", "/tmp/xyz" }; + "software" slist => { "/root/xyz", "/tmp/xyz" }; files: - - "$(software)" - + "$(software)" create => "true", action => logme("$(software)"); - } body action logme(x) { - log_kept => "/tmp/private_keptlog.log"; - log_failed => "/tmp/private_faillog.log"; - log_repaired => "/tmp/private_replog.log"; - log_string => "$(sys.date) $(x) promise status"; + log_kept => "/tmp/private_keptlog.log"; + log_failed => "/tmp/private_faillog.log"; + log_repaired => "/tmp/private_replog.log"; + log_string => "$(sys.date) $(x) promise status"; } body common control { - bundlesequence => { "one" }; + bundlesequence => { "one" }; } bundle agent one { files: - - "/tmp/xyz" - + "/tmp/xyz" create => "true", action => log; - } body action log { - log_level => "inform"; + log_level => "inform"; } diff --git a/content/examples/example-snippets/macro_template.cf b/content/examples/example-snippets/macro_template.cf index 8d2c1f862..51793ae7e 100644 --- a/content/examples/example-snippets/macro_template.cf +++ b/content/examples/example-snippets/macro_template.cf @@ -1,12 +1,10 @@ bundle agent hand_edited_template { vars: - - "masterfiles" string => "/mysite/masterfiles"; + "masterfiles" string => "/mysite/masterfiles"; "policy_server" string => "policy_host.domain.tld"; files: - "/etc/hosts" comment => "Synchronize hosts with a hand-edited template in svn", perms => m("644"), @@ -16,10 +14,8 @@ bundle agent hand_edited_template action => if_elapsed("60"); commands: - "/usr/bin/svn update" comment => "Update the company document repository including manuals to a local copy", contain => silent_in_dir("$(masterfiles)/trunk"), if => canonify("$(policy_server)"); - } 
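Review bot: `body action logme(x)` on the new side keeps the three log paths under `/tmp` (`/tmp/private_keptlog.log`, `/tmp/private_faillog.log`, `/tmp/private_replog.log`); cf-agent normally runs as root, and a fixed file name in a world-writable directory can be pre-created or symlinked by any local user before the agent appends to it, so the logs are neither trustworthy nor safe to write there. A root-owned location is the usual choice, e.g. `log_kept => "$(sys.workdir)/state/private_keptlog.log";` and likewise for the other two. A comment on the body, `# Log files must live in a directory only root can write to`, would keep readers who copy the snippet from reproducing the /tmp pattern.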
diff --git a/content/examples/example-snippets/measurements.cf b/content/examples/example-snippets/measurements.cf index e28472fbd..4479caac7 100644 --- a/content/examples/example-snippets/measurements.cf +++ b/content/examples/example-snippets/measurements.cf @@ -1,5 +1,4 @@ #cop measurements,example - ####################################################### # # Test file: @@ -8,36 +7,31 @@ # Blonk blonk bnklkygsuilnm # ####################################################### - body common control { - bundlesequence => { "report" }; + bundlesequence => { "report" }; } ####################################################### - body monitor control { - forgetrate => "0.7"; - histograms => "true"; + forgetrate => "0.7"; + histograms => "true"; } ####################################################### - bundle agent report { reports: - " + " Free memory read at $(mon.av_free_memory_watch) cf_monitord read $(mon.value_monitor_self_watch) "; } ####################################################### - bundle monitor watch { measurements: - # Test 1 - extract string matching - - "/home/mark/tmp/testmeasure" + # Test 1 - extract string matching + "/home/mark/tmp/testmeasure" handle => "blonk_watch", stream_type => "file", data_type => "string", 
@@ -46,21 +40,21 @@ bundle monitor watch match_value => find_blonks, action => sample_min("10"); - # Test 2 - follow a special process over time - # using cfengine's process cache to avoid resampling - - "/var/cfengine/state/cf_rootprocs" + # Test 2 - follow a special process over time + # using cfengine's process cache to avoid resampling + "/var/cfengine/state/cf_rootprocs" handle => "monitor_self_watch", stream_type => "file", data_type => "int", history_type => "static", units => "kB", - match_value => proc_value(".*cf-monitord.*", - "root\s+[0-9.]+\s+[0-9.]+\s+[0-9.]+\s+[0-9.]+\s+([0-9]+).*"); - - # Test 3, discover disk device information + match_value => proc_value( + ".*cf-monitord.*", + "root\s+[0-9.]+\s+[0-9.]+\s+[0-9.]+\s+[0-9.]+\s+([0-9]+).*" + ); - "/bin/df" + # Test 3, discover disk device information + "/bin/df" handle => "free_disk_watch", stream_type => "pipe", data_type => "slist", @@ -68,11 +62,9 @@ bundle monitor watch units => "device", match_value => file_system; - # Update this as often as possible - - # Test 4 - - "/tmp/file" + # Update this as often as possible + # Test 4 + "/tmp/file" handle => "line_counter", stream_type => "file", data_type => "counter", 
@@ -80,43 +72,37 @@ bundle monitor watch history_type => "log"; } ########################################################## - body match_value scanlines(x) { - select_line_matching => "^$(x)$"; + select_line_matching => "^$(x)$"; } ########################################################## - body action sample_min(x) { - ifelapsed => $(x); - expireafter => $(x); + ifelapsed => $(x); + expireafter => $(x); } ########################################################## - body match_value find_blonks { - select_line_number => "2"; - extraction_regex => "Blonk blonk ([blonk]+).*"; + select_line_number => "2"; + extraction_regex => "Blonk blonk ([blonk]+).*"; } ########################################################## - body match_value free_memory { - select_line_matching => "MemFree:.*"; - extraction_regex => "MemFree:\s+([0-9]+).*"; + select_line_matching => "MemFree:.*"; + extraction_regex => "MemFree:\s+([0-9]+).*"; } ########################################################## - -body match_value proc_value(x,y) +body match_value proc_value(x, y) { - select_line_matching => $(x); - extraction_regex => $(y); + select_line_matching => $(x); + extraction_regex => $(y); } ########################################################## - body match_value file_system { - select_line_matching => "/.*"; - extraction_regex => "(.*)"; + select_line_matching => "/.*"; + extraction_regex => "(.*)"; } diff --git a/content/examples/example-snippets/method_validation.cf b/content/examples/example-snippets/method_validation.cf index bc25818dc..fffce3ef7 100644 --- a/content/examples/example-snippets/method_validation.cf +++ b/content/examples/example-snippets/method_validation.cf 
@@ -1,34 +1,33 @@ body common control { - bundlesequence => { "testbundle" }; - version => "1.2.3"; + bundlesequence => { "testbundle" }; + version => "1.2.3"; } ########################################### - body agent control { - abortbundleclasses => { "invalid" }; + abortbundleclasses => { "invalid" }; } ########################################### - bundle agent testbundle { vars: - "userlist" slist => { "xyz", "mark", "jeang", "jonhenrik", "thomas", "eben" }; + "userlist" + slist => { "xyz", "mark", "jeang", "jonhenrik", "thomas", "eben" }; methods: - "any" usebundle => subtest("$(userlist)"); + "any" usebundle => subtest("$(userlist)"); } ########################################### - bundle agent subtest(user) { classes: - "invalid" not => regcmp("[a-z][a-z][a-z][a-z]","$(user)"); + "invalid" not => regcmp("[a-z][a-z][a-z][a-z]", "$(user)"); reports: !invalid:: "User name $(user) is valid at 4 letters"; + invalid:: "User name $(user) is invalid"; } diff --git a/content/examples/example-snippets/methods.cf b/content/examples/example-snippets/methods.cf index e0415e87b..3898e284b 100644 --- a/content/examples/example-snippets/methods.cf +++ b/content/examples/example-snippets/methods.cf @@ -1,24 +1,23 @@ body common control { - bundlesequence => { "testbundle" }; - version => "1.2.3"; + bundlesequence => { "testbundle" }; + version => "1.2.3"; } ########################################### - bundle agent testbundle { vars: - "userlist" slist => { "mark", "jeang", "jonhenrik", "thomas", "eben" }; + "userlist" slist => { "mark", "jeang", "jonhenrik", "thomas", "eben" }; + methods: - "any" usebundle => subtest("$(userlist)"); + "any" usebundle => subtest("$(userlist)"); } - ########################################### - bundle agent subtest(user) { commands: - "/bin/echo Fix $(user)"; + "/bin/echo Fix $(user)"; + reports: - "Finished doing stuff for $(user)"; + "Finished doing stuff for $(user)"; } 
diff --git a/content/examples/example-snippets/mount_a_filesystem.cf b/content/examples/example-snippets/mount_a_filesystem.cf index db61c9c69..a613b424f 100644 --- a/content/examples/example-snippets/mount_a_filesystem.cf +++ b/content/examples/example-snippets/mount_a_filesystem.cf @@ -1,28 +1,23 @@ -# # cfengine 3 # # cf-agent -f ./cftest.cf -K -# - body common control { - bundlesequence => { "mounts" }; + bundlesequence => { "mounts" }; } -# bundle agent mounts { storage: - "/mnt" mount => nfs("slogans.iu.hio.no","/home"); + "/mnt" mount => nfs("slogans.iu.hio.no", "/home"); } ###################################################################### - -body mount nfs(server,source) +body mount nfs(server, source) { - mount_type => "nfs"; - mount_source => "$(source)"; - mount_server => "$(server)"; - #mount_options => { "rw" }; - edit_fstab => "true"; - unmount => "true"; + mount_type => "nfs"; + mount_source => "$(source)"; + mount_server => "$(server)"; + #mount_options => { "rw" }; + edit_fstab => "true"; + unmount => "true"; } diff --git a/content/examples/example-snippets/mount_nfs_filesystem.cf b/content/examples/example-snippets/mount_nfs_filesystem.cf index db61c9c69..a613b424f 100644 --- a/content/examples/example-snippets/mount_nfs_filesystem.cf +++ b/content/examples/example-snippets/mount_nfs_filesystem.cf 
@@ -1,28 +1,23 @@ -# # cfengine 3 # # cf-agent -f ./cftest.cf -K -# - body common control { - bundlesequence => { "mounts" }; + bundlesequence => { "mounts" }; } -# bundle agent mounts { storage: - "/mnt" mount => nfs("slogans.iu.hio.no","/home"); + "/mnt" mount => nfs("slogans.iu.hio.no", "/home"); } ###################################################################### - -body mount nfs(server,source) +body mount nfs(server, source) { - mount_type => "nfs"; - mount_source => "$(source)"; - mount_server => "$(server)"; - #mount_options => { "rw" }; - edit_fstab => "true"; - unmount => "true"; + mount_type => "nfs"; + mount_source => "$(source)"; + mount_server => "$(server)"; + #mount_options => { "rw" }; + edit_fstab => "true"; + unmount => "true"; } diff --git a/content/examples/example-snippets/ordering_promises.cf b/content/examples/example-snippets/ordering_promises.cf index 08f485122..b876d76d7 100644 --- a/content/examples/example-snippets/ordering_promises.cf +++ b/content/examples/example-snippets/ordering_promises.cf @@ -7,17 +7,15 @@ # cf-agent -f ./cftest.cf -K # ################################################################## - body common control { - bundlesequence => { "order" }; + bundlesequence => { "order" }; } ################################################################## - bundle agent order { vars: - "list" slist => { "three", "four" }; + "list" slist => { "three", "four" }; commands: ok_later:: @@ -27,8 +25,7 @@ bundle agent order "/bin/echo six"; any:: - - "/bin/echo one" classes => d("ok_later","otherthing"); + "/bin/echo one" classes => d("ok_later", "otherthing"); "/bin/echo two"; "/bin/echo $(list)"; 
@@ -36,10 +33,9 @@ bundle agent order "/bin/echo seven"; } ############################################ - -body classes d(if,else) +body classes d(if, else) { - promise_repaired => { "$(if)" }; - repair_failed => { "$(else)" }; - persist_time => "0"; + promise_repaired => { "$(if)" }; + repair_failed => { "$(else)" }; + persist_time => "0"; } diff --git a/content/examples/example-snippets/packages_examples_solaris.cf b/content/examples/example-snippets/packages_examples_solaris.cf index 7b7d91858..c3f604835 100644 --- a/content/examples/example-snippets/packages_examples_solaris.cf +++ b/content/examples/example-snippets/packages_examples_solaris.cf @@ -1,10 +1,7 @@ bundle agent example_using_ips_package_method { - packages: - solaris:: - "shell/zsh" package_policy => "add", package_method => ips; @@ -13,42 +10,33 @@ bundle agent example_using_ips_package_method bundle agent example_using_solaris_package_method { files: - solaris:: - "/tmp/$(admin_file)" create => "true", - edit_defaults => empty_file, # defined in stdlib - edit_line => create_solaris_admin_file; # defined in stdlib - + edit_defaults => empty_file, + # defined in stdlib + edit_line => create_solaris_admin_file; + # defined in stdlib packages: - solaris:: - "SMCzlib" package_policy => "add", - package_method => solaris( "SMCzlib", - "zlib-1.2.3-sol10-sparc-local", - "$(admin_file)"); + package_method => solaris( + "SMCzlib", "zlib-1.2.3-sol10-sparc-local", "$(admin_file)" + ); } bundle agent example_using_solaris_install_package_method { packages: - solaris:: - - "SMCzlib" - package_method => solaris_install("/tmp/SMCzlib.adminfile") + "SMCzlib" package_method => solaris_install("/tmp/SMCzlib.adminfile"); } bundle agent example_using_pkgsrc_module { - packages: - solaris:: - "vim" policy => "present", package_module => pkgsrc; 
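Review bot: `"/tmp/$(admin_file)"` in `example_using_solaris_package_method` and the literal `"/tmp/SMCzlib.adminfile"` in `example_using_solaris_install_package_method` place the pkgadd admin file in a world-writable directory, and a predictable path there can be replaced by any local user before `package_method => solaris(...)` runs as root; because the admin file controls pkgadd's installation checks, it should be written to and read from a root-owned location such as `$(sys.workdir)/state/$(admin_file)`. `$(admin_file)` is also not defined anywhere in the visible part of this file, presumably it is meant to come from an enclosing scope or be supplied by the reader; a comment stating that, e.g. `# admin_file is expected to be defined by the caller`, would avoid a silent empty expansion.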
diff --git a/content/examples/example-snippets/postfix_mail_configuration.cf b/content/examples/example-snippets/postfix_mail_configuration.cf index 0a2ed89c3..3798e24bf 100644 --- a/content/examples/example-snippets/postfix_mail_configuration.cf +++ b/content/examples/example-snippets/postfix_mail_configuration.cf 
@@ -3,62 +3,57 @@ # Postfix # ####################################################### - body common control { - inputs => { "$(sys.libdir)/stdlib.cf" }; - bundlesequence => { postfix }; + inputs => { "$(sys.libdir)/stdlib.cf" }; + bundlesequence => { postfix }; } ####################################################### - bundle agent postfix { vars: - "prefix" string => "/etc"; - "smtpserver" string => "localhost"; - "mailrelay" string => "mailx.example.org"; + "prefix" string => "/etc"; + "smtpserver" string => "localhost"; + "mailrelay" string => "mailx.example.org"; files: - "$(prefix)/main.cf" - edit_line => prefix_postfix; - - "$(prefix)/sasl-passwd" - create => "true", - perms => mo("0600","root"), - edit_line => append_if_no_line("$(smtpserver) _$(sys.fqhost):chmsxrcynz4etfrejizhs22"); + "$(prefix)/main.cf" edit_line => prefix_postfix; + + "$(prefix)/sasl-passwd" + create => "true", + perms => mo("0600", "root"), + edit_line => append_if_no_line( + "$(smtpserver) _$(sys.fqhost):chmsxrcynz4etfrejizhs22" + ); } - ####################################################### # For the library ####################################################### - bundle edit_line prefix_postfix { - # - # Value have the form NAME = "quoted space separated list" - # + # Value have the form NAME = "quoted space separated list" vars: - "ps[relayhost]" string => "[$(postfix.mailrelay)]:587"; - "ps[mydomain]" string => "iu.hio.no"; - "ps[smtp_sasl_auth_enable]" string => "yes"; - "ps[smtp_sasl_password_maps]" string => "hash:/etc/postfix/sasl-passwd"; - "ps[smtp_sasl_security_options]" string => ""; - "ps[smtp_use_tls]" string => "yes"; - "ps[default_privs]" string => "mailman"; - "ps[inet_protocols]" string => "all"; - "ps[inet_interfaces]" string => "127.0.0.1"; - "parameter_name" slist => getindices("ps"); + "ps[relayhost]" string => "[$(postfix.mailrelay)]:587"; + "ps[mydomain]" string => "iu.hio.no"; + "ps[smtp_sasl_auth_enable]" string => "yes"; + "ps[smtp_sasl_password_maps]" 
string => "hash:/etc/postfix/sasl-passwd"; + "ps[smtp_sasl_security_options]" string => ""; + "ps[smtp_use_tls]" string => "yes"; + "ps[default_privs]" string => "mailman"; + "ps[inet_protocols]" string => "all"; + "ps[inet_interfaces]" string => "127.0.0.1"; + "parameter_name" slist => getindices("ps"); delete_lines: - "$(parameter_name).*"; + "$(parameter_name).*"; insert_lines: - "$(parameter_name) = $(ps[$(parameter_name)])"; + "$(parameter_name) = $(ps[$(parameter_name)])"; } ######################################################## - bundle edit_line append_if_nsl(parameter) { insert_lines: - "$(parameter)"; # This is default + # This is default: + "$(parameter)"; } diff --git a/content/examples/example-snippets/process_management.cf b/content/examples/example-snippets/process_management.cf index 3f971f1c7..71e2098e0 100644 --- a/content/examples/example-snippets/process_management.cf +++ b/content/examples/example-snippets/process_management.cf 
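Review bot: With `"prefix" string => "/etc"` the two files promises edit `/etc/main.cf` and create `/etc/sasl-passwd`, while the inserted `smtp_sasl_password_maps` line points Postfix at `hash:/etc/postfix/sasl-passwd`, so the map this bundle writes with mode 0600 is not the one Postfix reads and `main.cf` is presumably edited in the wrong directory as well; `"prefix" string => "/etc/postfix";` lines the three up (and a `hash:` map additionally needs `postmap` run after the file changes, which nothing here does). `"ps[smtp_sasl_security_options]" string => ""` also removes Postfix's default restriction of `noplaintext, noanonymous`, and `smtp_use_tls = yes` only makes TLS opportunistic, so the relay credentials can be sent in clear whenever the relay does not offer TLS; `"noplaintext, noanonymous"` together with a mandatory TLS level is the safer example. Finally, the token after `$(sys.fqhost):` in the `append_if_no_line` argument reads like a real secret embedded in policy, which a published example should replace with an obvious placeholder such as `CHANGE_ME`.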
@@ -1,175 +1,152 @@ body common control { - bundlesequence => { "test" }; + bundlesequence => { "test" }; } bundle agent test { processes: - "sleep" - signals => { "term", "kill" }; + "sleep" signals => { "term", "kill" }; } ######################################################## # # Simple test processes # ######################################################## - body common control { - bundlesequence => { "testbundle" }; + bundlesequence => { "testbundle" }; } ######################################################## - bundle agent testbundle { processes: - "sleep" - process_count => up("sleep"); + "sleep" process_count => up("sleep"); + reports: sleep_out_of_control:: "Out of control"; } ######################################################## - body process_count up(s) { - match_range => "5,10"; # or irange("1","10"); - out_of_range_define => { "$(s)_out_of_control" }; + match_range => "5,10"; + # or irange("1","10"); + out_of_range_define => { "$(s)_out_of_control" }; } ######################################################## # # Simple test processes # ######################################################## - body common control { - bundlesequence => { "testbundle" }; + bundlesequence => { "testbundle" }; } ######################################################## - bundle agent testbundle { processes: ".*" process_select => proc_finder("a.*"), - process_count => up("cfservd"); + process_count => up("cfservd"); } ######################################################## - body process_count up(s) { - match_range => "1,10"; # or irange("1","10"); - out_of_range_define => { "$(s)_out_of_control" }; + match_range => "1,10"; + # or irange("1","10"); + out_of_range_define => { "$(s)_out_of_control" }; } ######################################################## - body process_select proc_finder(p) { - stime_range => irange(ago("0","0","0","2","0","0"),now); - process_result => "stime"; + stime_range => irange(ago("0", "0", "0", "2", "0", "0"), now); + process_result 
=> "stime"; } - ######################################################## # # Simple test processes # ######################################################## - body common control { - bundlesequence => { "testbundle" }; + bundlesequence => { "testbundle" }; } ######################################################## - bundle agent testbundle { processes: ".*" - process_select => proc_finder("a.*"), - process_count => up("cfservd"); + process_select => proc_finder("a.*"), + process_count => up("cfservd"); } ######################################################## - body process_count up(s) { - match_range => "1,10"; # or irange("1","10"); - out_of_range_define => { "$(s)_out_of_control" }; + match_range => "1,10"; + # or irange("1","10"); + out_of_range_define => { "$(s)_out_of_control" }; } ######################################################## - body process_select proc_finder(p) { - process_owner => { "avahi", "bin" }; - command => "$(p)"; - pid => "100,199"; - vsize => "0,1000"; - process_result => "command.(process_owner|vsize)"; + process_owner => { "avahi", "bin" }; + command => "$(p)"; + pid => "100,199"; + vsize => "0,1000"; + process_result => "command.(process_owner|vsize)"; } body common control { - bundlesequence => { "process_restart" }; + bundlesequence => { "process_restart" }; } ######################################################### - bundle agent process_restart { processes: - "/usr/bin/daemon" - restart_class => "launch"; + "/usr/bin/daemon" restart_class => "launch"; commands: launch:: "/usr/bin/daemon"; } + body common control { - bundlesequence => { "process_restart" }; + bundlesequence => { "process_restart" }; } ######################################################### - bundle agent process_restart { vars: - "component" - slist => { - "cf-monitord", - "cf-serverd", - "cf-execd" - }; + "component" slist => { "cf-monitord", "cf-serverd", "cf-execd" }; processes: - "$(component)" - restart_class => canonify("$(component)_not_running"); + 
"$(component)" restart_class => canonify("$(component)_not_running"); commands: - "/var/cfengine/bin/$(component)" - if => canonify("$(component)_not_running"); + "/var/cfengine/bin/$(component)" if => canonify("$(component)_not_running"); } ######################################################## # # Simple test process restart # ######################################################## - body common control { - bundlesequence => { "testbundle" }; + bundlesequence => { "testbundle" }; } ######################################################## - bundle agent testbundle { processes: - - "cfservd" - process_count => up("cfservd"); + "cfservd" process_count => up("cfservd"); cfservd_out_of_control:: "cfservd" - signals => { "stop" , "term" }, + signals => { "stop", "term" }, restart_class => "stopped_out_of_control_cf_serverd"; commands: @@ -177,9 +154,9 @@ bundle agent testbundle "/usr/local/sbin/cfservd"; } ######################################################## - body process_count up(s) { - match_range => "1,10"; # or irange("1","10"); - out_of_range_define => { "$(s)_out_of_control" }; + match_range => "1,10"; + # or irange("1","10"); + out_of_range_define => { "$(s)_out_of_control" }; } diff --git a/content/examples/example-snippets/prune_processes.cf b/content/examples/example-snippets/prune_processes.cf index c6ae2bcc1..60af9929c 100644 --- a/content/examples/example-snippets/prune_processes.cf +++ b/content/examples/example-snippets/prune_processes.cf 
@@ -1,25 +1,19 @@ body common control { - bundlesequence => { "testbundle" }; + bundlesequence => { "testbundle" }; } - ######################################################## - bundle agent testbundle { processes: - - ".*" - - process_select => big_processes("mark"), + ".*" + process_select => big_processes("mark"), signals => { "term" }; } - ######################################################## - body process_select big_processes(o) { - process_owner => { $(o) }; - rsize => irange("100000","900000"); - process_result => "rsize.process_owner"; + process_owner => { $(o) }; + rsize => irange("100000", "900000"); + process_result => "rsize.process_owner"; } diff --git a/content/examples/example-snippets/read_from_a_tcp_socket.cf b/content/examples/example-snippets/read_from_a_tcp_socket.cf index 41aed6ebf..0f18882a8 100644 --- a/content/examples/example-snippets/read_from_a_tcp_socket.cf +++ b/content/examples/example-snippets/read_from_a_tcp_socket.cf @@ -1,20 +1,26 @@ body common control { - bundlesequence => { "example" }; + bundlesequence => { "example" }; } ########################################################### - bundle agent example { vars: - "my80" string => readtcp("research.iu.hio.no","80","GET /index.php HTTP/1.1$(const.r)$(const.n)Host: research.iu.hio.no$(const.r)$(const.n)$(const.r)$(const.n)",20); + "my80" + string => readtcp( + "research.iu.hio.no", + "80", + "GET /index.php HTTP/1.1$(const.r)$(const.n)Host: research.iu.hio.no$(const.r)$(const.n)$(const.r)$(const.n)", + 20 + ); classes: - "server_ok" expression => regcmp(".*200 OK.*\n.*","$(my80)"); + "server_ok" expression => regcmp(".*200 OK.*\n.*", "$(my80)"); reports: server_ok:: "Server is alive"; + !server_ok:: "Server is not responding - got $(my80)"; } diff --git a/content/examples/example-snippets/resolver_management.cf b/content/examples/example-snippets/resolver_management.cf index 92d40edac..8cc3c6e77 100644 --- a/content/examples/example-snippets/resolver_management.cf 
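Review bot: The new `!server_ok::` report in read_from_a_tcp_socket.cf misdescribes its condition: `server_ok` only says whether the first 20 bytes (readtcp's maxbytes argument) matched `.*200 OK.*\n.*`, so the report also fires on a 3xx/4xx/5xx answer, where the server plainly is responding. `"Server did not return 200 OK - got $(my80)"` states what was actually checked. If readtcp itself fails, the variable is, as far as I can tell, left unset and the report prints the literal `$(my80)`, which is worth a one-line comment above the report so readers of the example are not confused by that output.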
+++ b/content/examples/example-snippets/resolver_management.cf 
@@ -3,74 +3,59 @@ # Resolve conf # ####################################################### - -bundle common g # globals +bundle common g +# globals { vars: - "searchlist" slist => { - "search iu.hio.no", - "search cfengine.com" - }; - "nameservers" slist => { - "128.39.89.10", - "128.39.74.16", - "192.168.1.103" - }; + "searchlist" slist => { "search iu.hio.no", "search cfengine.com" }; + "nameservers" slist => { "128.39.89.10", "128.39.74.16", "192.168.1.103" }; + classes: - "am_name_server" expression => reglist("@(nameservers)","$(sys.ipv4[eth1])"); + "am_name_server" + expression => reglist("@(nameservers)", "$(sys.ipv4[eth1])"); } - ####################################################### - body common control { - any:: - bundlesequence => { - "g", - resolver(@(g.searchlist),@(g.nameservers)) - }; - domain => "iu.hio.no"; + any:: + bundlesequence => { "g", resolver(@(g.searchlist), @(g.nameservers)) }; + domain => "iu.hio.no"; } - ####################################################### - -bundle agent resolver(s,n) +bundle agent resolver(s, n) { files: - # When passing parameters down, we have to refer to - # a source context - - "$(sys.resolv)" # test on "/tmp/resolv.conf" # - create => "true", - edit_line => doresolv("@(this.s)","@(this.n)"), + # When passing parameters down, we have to refer to + # a source context + "$(sys.resolv)" + # test on "/tmp/resolv.conf" # + create => "true", + edit_line => doresolv("@(this.s)", "@(this.n)"), edit_defaults => reconstruct; - # or edit_defaults => modify + # or edit_defaults => modify } - ####################################################### # For the library ####################################################### - -bundle edit_line doresolv(s,n) +bundle edit_line doresolv(s, n) { vars: - "line" slist => { @(s), @(n) }; + "line" slist => { @(s), @(n) }; + insert_lines: - "$(line)"; + "$(line)"; } ####################################################### - body edit_defaults reconstruct { - empty_file_before_editing 
=> "true"; - edit_backup => "false"; - max_file_size => "100000"; + empty_file_before_editing => "true"; + edit_backup => "false"; + max_file_size => "100000"; } ####################################################### - body edit_defaults modify { - empty_file_before_editing => "false"; - edit_backup => "false"; - max_file_size => "100000"; + empty_file_before_editing => "false"; + edit_backup => "false"; + max_file_size => "100000"; } diff --git a/content/examples/example-snippets/restart_process.cf b/content/examples/example-snippets/restart_process.cf index c6f9ef62a..8d034ff88 100644 --- a/content/examples/example-snippets/restart_process.cf +++ b/content/examples/example-snippets/restart_process.cf @@ -1,21 +1,14 @@ body common control { - bundlesequence => { "process_restart" }; + bundlesequence => { "process_restart" }; } - ######################################################### - - bundle agent process_restart { processes: - - "/usr/bin/daemon" - restart_class => "launch"; + "/usr/bin/daemon" restart_class => "launch"; commands: - launch:: "/usr/bin/daemon"; - } diff --git a/content/examples/example-snippets/restart_process_1.cf b/content/examples/example-snippets/restart_process_1.cf index c857843e5..ac66ab60a 100644 --- a/content/examples/example-snippets/restart_process_1.cf +++ b/content/examples/example-snippets/restart_process_1.cf 
@@ -1,30 +1,16 @@ body common control { - bundlesequence => { "process_restart" }; + bundlesequence => { "process_restart" }; } - ######################################################### - - bundle agent process_restart { vars: - - "component" - slist => { - "cf-monitord", - "cf-serverd", - "cf-execd" - }; + "component" slist => { "cf-monitord", "cf-serverd", "cf-execd" }; processes: - - "$(component)" - restart_class => canonify("not_running_$(component)"); + "$(component)" restart_class => canonify("not_running_$(component)"); commands: - - "/var/cfengine/bin/$(component)" - if => canonify("not_running_$(component)"); - + "/var/cfengine/bin/$(component)" if => canonify("not_running_$(component)"); } diff --git a/content/examples/example-snippets/search_and_replace_text.cf b/content/examples/example-snippets/search_and_replace_text.cf index 6de505e87..6a1fd1ae6 100644 --- a/content/examples/example-snippets/search_and_replace_text.cf +++ b/content/examples/example-snippets/search_and_replace_text.cf 
@@ -8,49 +8,40 @@ # - insert # ###################################################################### - body common control { - version => "1.2.3"; - bundlesequence => { "testbundle" }; + version => "1.2.3"; + bundlesequence => { "testbundle" }; } - ######################################################## - bundle agent testbundle { files: - "/tmp/replacestring" - create => "true", + "/tmp/replacestring" + create => "true", edit_line => myedit("second"); } ######################################################## - bundle edit_line myedit(parameter) { vars: - "edit_variable" string => "private edit variable is $(parameter)"; + "edit_variable" string => "private edit variable is $(parameter)"; replace_patterns: - # replace shell comments with C comments - - "puppet" - replace_with => With("cfengine 3"); + # replace shell comments with C comments + "puppet" replace_with => With("cfengine 3"); } - ######################################## # Bodies ######################################## - body replace_with With(x) { - replace_value => $(x); - occurrences => "first"; + replace_value => $(x); + occurrences => "first"; } ######################################## - body select_region MySection(x) { - select_start => "\[$(x)\]"; - select_end => "\[.*\]"; + select_start => "\[$(x)\]"; + select_end => "\[.*\]"; } diff --git a/content/examples/example-snippets/selecting_a_region_in_a_file.cf b/content/examples/example-snippets/selecting_a_region_in_a_file.cf index de818e0cd..feab0718a 100644 --- a/content/examples/example-snippets/selecting_a_region_in_a_file.cf +++ b/content/examples/example-snippets/selecting_a_region_in_a_file.cf 
@@ -1,51 +1,40 @@ body common control { - version => "1.2.3"; - bundlesequence => { "testbundle" }; + version => "1.2.3"; + bundlesequence => { "testbundle" }; } - ######################################################## - bundle agent testbundle { files: - "/tmp/testfile" - - create => "true", + "/tmp/testfile" + create => "true", edit_line => myedit("second"); } - ######################################################## - bundle edit_line myedit(parameter) { vars: - - "edit_variable" string => "private edit variable is $(parameter)"; + "edit_variable" string => "private edit variable is $(parameter)"; replace_patterns: - - # comment out lines after start - "([^#].*)" - + # comment out lines after start + "([^#].*)" replace_with => comment, select_region => ToEnd("Start.*"); } - ######################################## # Bodies ######################################## - body replace_with comment { - replace_value => "# $(match.1)"; # backreference 0 - occurrences => "all"; # first, last all + replace_value => "# $(match.1)"; + # backreference 0 + occurrences => "all"; + # first, last all } - ######################################################## - - body select_region ToEnd(x) { - select_start => $(x); + select_start => $(x); } diff --git a/content/examples/example-snippets/service_management_(windows).cf b/content/examples/example-snippets/service_management_(windows).cf index cd96da9ec..ccee479df 100644 --- a/content/examples/example-snippets/service_management_(windows).cf +++ b/content/examples/example-snippets/service_management_(windows).cf 
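Review bot: Moving the trailing comments onto their own lines in `body replace_with comment` changes what they annotate: `# backreference 0` now sits directly above `occurrences => "all";`, and `# first, last all` closes the body with no attribute after it, although each described the attribute it used to trail. Placing each comment on the line before the attribute it explains keeps the meaning: `# backreference 0` then `replace_value => "# $(match.1)";`, and `# first, last all` then `occurrences => "all";`. The same relocation happens in change_directory_for_command.cf (`# or irange("1","10");` now between `match_range` and `out_of_range_define`), in resolver_management.cf (`# globals` now sits between `bundle common g` and its opening brace), and in set_up_a_web_server.cf (`# or startssl`).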
@@ -1,17 +1,16 @@ body common control { - bundlesequence => { "winservice" }; + bundlesequence => { "winservice" }; } ########################################################### - bundle agent winservice { vars: - "bad_services" slist => { "Alerter", "ClipSrv" }; + "bad_services" slist => { "Alerter", "ClipSrv" }; services: windows:: "$(bad_services)" - service_policy => "disable", - comment => "Disable services that create security issues"; + service_policy => "disable", + comment => "Disable services that create security issues"; } diff --git a/content/examples/example-snippets/set_up_a_pxe_boot_server.cf b/content/examples/example-snippets/set_up_a_pxe_boot_server.cf index 0e599b574..32ad33c63 100644 --- a/content/examples/example-snippets/set_up_a_pxe_boot_server.cf +++ b/content/examples/example-snippets/set_up_a_pxe_boot_server.cf 
@@ -1,43 +1,33 @@ body common control { - bundlesequence => { "pxe" }; - inputs => { "$(sys.libdir)/stdlib.cf" }; + bundlesequence => { "pxe" }; + inputs => { "$(sys.libdir)/stdlib.cf" }; } - -# # PXE boot server -# - bundle agent pxe { vars: - "software" slist => { - "atftp", - "dhcp-server", - "syslinux", - "apache2" + "software" slist => { "atftp", "dhcp-server", "syslinux", "apache2" }; + + "dirs" + slist => { + "/tftpboot", + "/tftpboot/CFEngine/rpm", + "/tftpboot/CFEngine/inputs", + "/tftpboot/pxelinux.cfg", + "/tftpboot/kickstart", + "/srv/www/repos", }; - "dirs" slist => { - "/tftpboot", - "/tftpboot/CFEngine/rpm", - "/tftpboot/CFEngine/inputs", - "/tftpboot/pxelinux.cfg", - "/tftpboot/kickstart", - "/srv/www/repos" - }; - - "tmp_location" string => "/tftpboot/CFEngine/inputs"; - - # Distros that we can install + "tmp_location" string => "/tftpboot/CFEngine/inputs"; - "rh_distros" slist => { "4.7", "5.2" }; - "centos_distros" slist => { "5.2" }; + # Distros that we can install + "rh_distros" slist => { "4.7", "5.2" }; + "centos_distros" slist => { "5.2" }; - # File contents of atftp configuration - - "atftpd_conf" string => - " + # File contents of atftp configuration + "atftpd_conf" + string => " ########################################### ### This file is protected by CFEngine. ### ### Whatever you do, it will be changed ### @@ -49,10 +39,10 @@ ATFTPD_USE_INETD=\"no\" ATFTPD_DIRECTORY=\"/tftpboot\" ATFTPD_BIND_ADDRESSES=\"\" "; - # File contents of DHCP configuration - "dhcpd" string => - " + # File contents of DHCP configuration + "dhcpd" + string => " ########################################### ### This file is protected by CFEngine. ### ### Whatever you do, it will be changed ### @@ -66,8 +56,9 @@ DHCPD_RUN_AS=\"dhcpd\" DHCPD_OTHER_ARGS=\"\" DHCPD_BINARY=\"\" "; - "dhcpd_conf" string => - " + + "dhcpd_conf" + string => " ########################################### ### This file is protected by CFEngine. ### ### Whatever you do, it will be changed ### 
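Review bot: The reformatted `"dirs"` list ends with a trailing comma (`"/srv/www/repos",`) while `"software"`, `"rh_distros"` and `"centos_distros"` in the same hunk do not, so the examples now show two styles for the same construct. I believe current cf-agent parsers accept the trailing comma, but a documentation corpus should pick one form; dropping the comma after the last element is the form every other list on this page uses. set_up_hpc_clusters.cf (`"pop3s",`) and software_and_patch_installation.cf (`"apache2",` followed only by commented-out entries) introduce the same inconsistency.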
@@ -104,10 +95,10 @@ ddns-update-style none; ddns-updates off; } } "; - # File contains of Apache2 HTTP configuration - "httpd_conf" string => - " + # File contains of Apache2 HTTP configuration + "httpd_conf" + string => " # Repository for RHEL5 @@ -143,10 +134,10 @@ AllowOverride None Alias /CFEngine /tftpboot/CFEngine "; - # File contains of Kickstart for RHEL5 configuration - "kickstart_rhel5_conf" string => - " + # File contains of Kickstart for RHEL5 configuration + "kickstart_rhel5_conf" + string => " ########################################### ### This file is protected by CFEngine. ### ### Whatever you do, it will be changed ### @@ -204,10 +195,10 @@ wget -nd -r http://192.168.0.1/CFEngine/inputs/ /usr/local/sbin/cf-agent -B /usr/local/sbin/cf-agent "; - # File contains of PXElinux boot menu - "pxelinux_boot_menu" string => - " + # File contains of PXElinux boot menu + "pxelinux_boot_menu" + string => " ########################################### ### This file is protected by CFEngine. ### ### Whatever you do, it will be changed ### @@ -220,10 +211,10 @@ boot options: rhel4 - install 32 bit i386 RHEL 4.7 AS (MANUAL) centos5 - install 32 bit i386 CentOS 5.2 (Desktop) (MANUAL) "; - # File contains of PXElinux default configuration - "pxelinux_default" string => - " + # File contains of PXElinux default configuration + "pxelinux_default" + string => " ########################################### ### This file is protected by CFEngine. ### ### Whatever you do, it will be changed ### 
@@ -257,10 +248,10 @@ label centos5 kernel vmlinuz-CentOS5.2 append initrd=initrd-CentOS5.2 load_ramdisk=1 ramdisk_size=16384 install=http://192.168.0.1/distro/centos/5.2 "; - # File contains of specified PXElinux default to be a RHEL5 webserver - "pxelinux_rhel5_webserver" string => - " + # File contains of specified PXElinux default to be a RHEL5 webserver + "pxelinux_rhel5_webserver" + string => " ########################################### ### This file is protected by CFEngine. ### ### Whatever you do, it will be changed ### @@ -274,10 +265,10 @@ label rhel5w kernel vmlinuz-RHEL5U2 append initrd=initrd-RHEL5U2 load_ramdisk=1 ramdisk_size=16384 ks=http://192.168.0.1/kickstart/kickstart-RHEL5U2.cfg "; - # File contains of a local repository for RHEL5 - "rhel5_base_repo" string => - " + # File contains of a local repository for RHEL5 + "rhel5_base_repo" + string => " ########################################### ### This file is protected by CFEngine. ### ### Whatever you do, it will be changed ### 
@@ -303,167 +294,149 @@ name=Cluster Storage baseurl=http://192.168.0.1/repos/rhel5/ClusterStorage/ enable=1 "; - ##################################################### - - + ##################################################### files: packages_ok:: # Create files/dirs and edit the new files - - "/tftpboot/distro/RHEL/$(rh_distros)/." - create => "true"; - - "/tftpboot/distro/CentOS/$(centos_distros)/." - create => "true"; - - "$(dirs)/." - create => "true"; + "/tftpboot/distro/RHEL/$(rh_distros)/." create => "true"; + "/tftpboot/distro/CentOS/$(centos_distros)/." create => "true"; + "$(dirs)/." create => "true"; "/tftpboot/pxelinux.cfg/boot.msg" - create => "true", - perms => mo("644","root"), - edit_line => append_if_no_line("$(pxelinux_boot_menu)"), - edit_defaults => empty; + create => "true", + perms => mo("644", "root"), + edit_line => append_if_no_line("$(pxelinux_boot_menu)"), + edit_defaults => empty; "/tftpboot/pxelinux.cfg/default" - create => "true", - perms => mo("644","root"), - edit_line => append_if_no_line("$(pxelinux_default)"), - edit_defaults => empty; + create => "true", + perms => mo("644", "root"), + edit_line => append_if_no_line("$(pxelinux_default)"), + edit_defaults => empty; "/tftpboot/pxelinux.cfg/default.RHEL5.webserver" - create => "true", - perms => mo("644","root"), - edit_line => append_if_no_line("$(pxelinux_rhel5_webserver)"), - edit_defaults => empty; + create => "true", + perms => mo("644", "root"), + edit_line => append_if_no_line("$(pxelinux_rhel5_webserver)"), + edit_defaults => empty; "/tftpboot/kickstart/kickstart-RHEL5U2.cfg" - create => "true", - perms => mo("644","root"), - edit_line => append_if_no_line("$(kickstart_rhel5_conf)"), - edit_defaults => empty; + create => "true", + perms => mo("644", "root"), + edit_line => append_if_no_line("$(kickstart_rhel5_conf)"), + edit_defaults => empty; "/srv/www/repos/RHEL5.Base.repo" - create => "true", - perms => mo("644","root"), - edit_line => 
append_if_no_line("$(rhel5_base_repo)"), - edit_defaults => empty; + create => "true", + perms => mo("644", "root"), + edit_line => append_if_no_line("$(rhel5_base_repo)"), + edit_defaults => empty; # Copy files - "/tftpboot" - copy_from => local_cp("/usr/share/syslinux"), - depth_search => recurse("inf"), - file_select => pxelinux_files, - action => immediate; + copy_from => local_cp("/usr/share/syslinux"), + depth_search => recurse("inf"), + file_select => pxelinux_files, + action => immediate; "$(tmp_location)" - perms => m("644"), - copy_from => local_cp("/var/cfengine/inputs"), - depth_search => recurse("inf"), - file_select => input_files, - action => immediate; + perms => m("644"), + copy_from => local_cp("/var/cfengine/inputs"), + depth_search => recurse("inf"), + file_select => input_files, + action => immediate; # Edit atftp, dhcp and apache2 configurations - "/etc/sysconfig/atftpd" - edit_line => append_if_no_line("$(atftpd_conf)"), - edit_defaults => empty, - classes => satisfied("atftpd_ready"); + edit_line => append_if_no_line("$(atftpd_conf)"), + edit_defaults => empty, + classes => satisfied("atftpd_ready"); "/etc/sysconfig/dhcpd" - edit_line => append_if_no_line("$(dhcpd)"), - edit_defaults => empty; + edit_line => append_if_no_line("$(dhcpd)"), + edit_defaults => empty; "/etc/dhcpd.conf" - edit_line => append_if_no_line("$(dhcpd_conf)"), - edit_defaults => empty, - classes => satisfied("dhcpd_ready"); + edit_line => append_if_no_line("$(dhcpd_conf)"), + edit_defaults => empty, + classes => satisfied("dhcpd_ready"); "/etc/apache2/httpd.conf" - edit_line => append_if_no_line("$(httpd_conf)"), - edit_defaults => std_defs, - classes => satisfied("apache2_ok"); - # Make a static link + edit_line => append_if_no_line("$(httpd_conf)"), + edit_defaults => std_defs, + classes => satisfied("apache2_ok"); + # Make a static link "/tftpboot/pxelinux.cfg/C0A8000C" - link_from => mylink("/tftpboot/pxelinux.cfg/default.RHEL5.webserver"); - # Hash comment some 
lines for apaches + link_from => mylink("/tftpboot/pxelinux.cfg/default.RHEL5.webserver"); + # Hash comment some lines for apaches apache2_ok:: "/etc/apache2/httpd.conf" - edit_line => comment_lines_matching_apache2("#"), - classes => satisfied("apache2_ready"); - commands: - # Restart services + edit_line => comment_lines_matching_apache2("#"), + classes => satisfied("apache2_ready"); + commands: + # Restart services atftpd_ready:: "/etc/init.d/atftpd restart"; + dhcpd_ready:: "/etc/init.d/dhcpd restart"; + apache2_ready:: "/etc/init.d/apache2 restart"; - - ##################################################### - + ##################################################### packages: - ipv4_192_168_0_1:: # Only the PXE boot server - "$(software)" - package_policy => "add", - package_method => zypper, - classes => satisfied("packages_ok"); + package_policy => "add", + package_method => zypper, + classes => satisfied("packages_ok"); } ##################################################### - ########### *** Bodies are here *** ################# - ##################################################### - body file_select pxelinux_files { - leaf_name => { "pxelinux.0" }; - file_result => "leaf_name"; + leaf_name => { "pxelinux.0" }; + file_result => "leaf_name"; } ##################################################### - -body copy_from mycopy_local(from,server) +body copy_from mycopy_local(from, server) { - source => "$(from)"; - compare => "digest"; + source => "$(from)"; + compare => "digest"; } ######################################################### - body link_from mylink(x) { - source => "$(x)"; - link_type => "symlink"; + source => "$(x)"; + link_type => "symlink"; } ####################################################### - body classes satisfied(new_class) { - promise_kept => { "$(new_class)"}; - promise_repaired => { "$(new_class)"}; + promise_kept => { "$(new_class)" }; + promise_repaired => { "$(new_class)" }; } ####################################################### 
- bundle edit_line comment_lines_matching_apache2(comment) { vars: - "regex" slist => { "\s.*Options\sNone", "\s.*AllowOverride\sNone", "\s.*Deny\sfrom\sall" }; + "regex" + slist => { + "\s.*Options\sNone", "\s.*AllowOverride\sNone", "\s.*Deny\sfrom\sall" + }; replace_patterns: - "^($(regex))$" - replace_with => comment("$(comment)"); + "^($(regex))$" replace_with => comment("$(comment)"); } ####################################################### - body file_select input_files { - leaf_name => { ".*.cf",".*.dat",".*.txt" }; - file_result => "leaf_name"; + leaf_name => { ".*.cf", ".*.dat", ".*.txt" }; + file_result => "leaf_name"; } ####################################################### diff --git a/content/examples/example-snippets/set_up_a_web_server.cf b/content/examples/example-snippets/set_up_a_web_server.cf index 003c8897e..83c642884 100644 --- a/content/examples/example-snippets/set_up_a_web_server.cf +++ b/content/examples/example-snippets/set_up_a_web_server.cf 
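Review bot: The `"$(tmp_location)"` promise copies `/var/cfengine/inputs` with `perms => m("644")` into `/tftpboot/CFEngine/inputs`, a directory that the `httpd_conf` string earlier in this file publishes via `Alias /CFEngine /tftpboot/CFEngine` and that the kickstart fetches with `wget -r`; nothing in the hunk documents that the full policy set becomes readable to anything that can reach the TFTP/HTTP server. As this is an example readers will copy, a comment above that promise such as `# NOTE: publishes the agent's policy inputs in the TFTP/HTTP document root; keep this server on the provisioning network only` would make the trade-off visible. The same applies to the `file_select => input_files` body, which selects `.*.cf`, `.*.dat` and `.*.txt`, so anything dropped into the inputs directory is published too. The enclosing `bundle agent pxe` begins outside this hunk.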
@@ -3,105 +3,71 @@ # Apache webserver module # ##################################################### - bundle agent web_server(state) { vars: - "document_root" string => "/"; - #################################################### - # Site specific configuration - put it in this file - #################################################### - - "site_http_conf" string => "/home/mark/CFEngine-inputs/httpd.conf"; - #################################################### - # Software base - #################################################### - - "match_package" slist => { - "apache2", - "apache2-mod_php5", - "apache2-prefork", - "php5" - }; - ######################################################### - + "document_root" string => "/"; + + #################################################### + # Site specific configuration - put it in this file + #################################################### + "site_http_conf" string => "/home/mark/CFEngine-inputs/httpd.conf"; + + #################################################### + # Software base + #################################################### + "match_package" + slist => { "apache2", "apache2-mod_php5", "apache2-prefork", "php5" }; + ######################################################### processes: web_ok.on:: - "apache2" - restart_class => "start_apache"; + "apache2" restart_class => "start_apache"; off:: - "apache2" - process_stop => "/etc/init.d/apache2 stop"; - - ######################################################### - + "apache2" process_stop => "/etc/init.d/apache2 stop"; + ######################################################### commands: start_apache:: - "/etc/init.d/apache2 start"; # or startssl - ######################################################### - + "/etc/init.d/apache2 start"; + # or startssl + ######################################################### packages: - "$(match_package)" + "$(match_package)" package_policy => "add", package_method => zypper, classes => if_ok("software_ok"); - 
######################################################### - + ######################################################### files: software_ok:: "/etc/sysconfig/apache2" - edit_line => fixapache, - classes => if_ok("web_ok"); - ######################################################### - + edit_line => fixapache, + classes => if_ok("web_ok"); + ######################################################### reports: !software_ok.on:: "The web server software could not be installed"; - - ######################################################### - + ######################################################### classes: - "on" expression => strcmp("$(state)","on"); - "off" expression => strcmp("$(state)","off"); + "on" expression => strcmp("$(state)", "on"); + "off" expression => strcmp("$(state)", "off"); } - ####################################################### # For the library ####################################################### - bundle edit_line fixapache { vars: - "add_modules" slist => { - "ssl", - "php5" - }; - - "del_modules" slist => { - "php3", - "php4", - "jk" - }; + "add_modules" slist => { "ssl", "php5" }; + "del_modules" slist => { "php3", "php4", "jk" }; insert_lines: - "APACHE_CONF_INCLUDE_FILES=\"$(web_server.site_http_conf)\""; + "APACHE_CONF_INCLUDE_FILES=\"$(web_server.site_http_conf)\""; field_edits: - ##################################################################### - # APACHE_MODULES="actions alias ssl php5 dav_svn authz_default jk" etc.. 
- ##################################################################### - - "APACHE_MODULES=.*" - # Insert module "columns" between the quoted RHS - # using space separators - edit_field => quotedvar("$(add_modules)","append"); - - "APACHE_MODULES=.*" - # Delete module "columns" between the quoted RHS - # using space separators - edit_field => quotedvar("$(del_modules)","delete"); - - # if this line already exists, edit it - + ##################################################################### + # APACHE_MODULES="actions alias ssl php5 dav_svn authz_default jk" etc.. + ##################################################################### + "APACHE_MODULES=.*" edit_field => quotedvar("$(add_modules)", "append"); + "APACHE_MODULES=.*" edit_field => quotedvar("$(del_modules)", "delete"); + # if this line already exists, edit it } diff --git a/content/examples/example-snippets/set_up_hpc_clusters.cf b/content/examples/example-snippets/set_up_hpc_clusters.cf index c4cac8ad0..4726cb0a8 100644 --- a/content/examples/example-snippets/set_up_hpc_clusters.cf +++ b/content/examples/example-snippets/set_up_hpc_clusters.cf 
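Review bot: The two `"APACHE_MODULES=.*"` field_edits promises lose their explanatory comments (`# Insert module "columns" between the quoted RHS using space separators` and `# Delete module "columns" between the quoted RHS using space separators`), which were the only explanation of why the same promiser appears twice with `append` and `delete`; a formatting commit should keep them above the respective promises. `# if this line already exists, edit it` now ends the body with no promise after it, and if it was meant for the `APACHE_CONF_INCLUDE_FILES` insert it belongs above that `insert_lines` promise instead. The `site_http_conf` value `/home/mark/CFEngine-inputs/httpd.conf` is unchanged but is a personal path; a comment marking it as a placeholder to replace would help readers of the example.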
@@ -1,57 +1,51 @@ ####################################################### - body executor control { - splaytime => "1"; - mailto => "cfengine@example.com"; - smtpserver => "localhost"; - mailmaxlines => "30"; - # Once per hour, on the hour - - schedule => { "Min00" }; + splaytime => "1"; + mailto => "cfengine@example.com"; + smtpserver => "localhost"; + mailmaxlines => "30"; + # Once per hour, on the hour + schedule => { "Min00" }; } ####################################################### - bundle agent services_disable { vars: - # list all of xinetd services (case sensitive) - - "xinetd_services" slist => { - "imap", - "imaps", - "ipop2", - "ipop3", - "krb5-telnet", - "klogin", - "kshell", - "ktalk", - "ntalk", - "pop3s", + # list all of xinetd services (case sensitive) + "xinetd_services" + slist => { + "imap", + "imaps", + "ipop2", + "ipop3", + "krb5-telnet", + "klogin", + "kshell", + "ktalk", + "ntalk", + "pop3s", }; - methods: - # perform the actual disable all xinetd services according to the list above - "any" usebundle => disable_xinetd("$(xinetd_services)"); + methods: + # perform the actual disable all xinetd services according to the list above + "any" usebundle => disable_xinetd("$(xinetd_services)"); processes: - "$(xinetd_services)" - signals => { "kill" }; + "$(xinetd_services)" signals => { "kill" }; } ############################################################################### - bundle agent disable_xinetd(name) { vars: - "status" string => execresult("/sbin/chkconfig --list $(name)", "useshell"); + "status" string => execresult("/sbin/chkconfig --list $(name)", "useshell"); classes: - "on" expression => regcmp(".*on.*","$(status)"); + "on" expression => regcmp(".*on.*", "$(status)"); commands: on:: - "/sbin/chkconfig $(name) off", - comment => "disable $(name) service"; + "/sbin/chkconfig $(name) off" comment => "disable $(name) service"; reports: on:: 
diff --git a/content/examples/example-snippets/set_up_name_resolution.cf b/content/examples/example-snippets/set_up_name_resolution.cf index 9696db9e5..3fd5febbc 100644 --- a/content/examples/example-snippets/set_up_name_resolution.cf +++ b/content/examples/example-snippets/set_up_name_resolution.cf @@ -1,36 +1,37 @@ bundle agent system_files { files: - "$(sys.resolv)" # test on "/tmp/resolv.conf" # - comment => "Add lines to the resolver configuration", - create => "true", - edit_line => resolver, + "$(sys.resolv)" + # test on "/tmp/resolv.conf" # + comment => "Add lines to the resolver configuration", + create => "true", + edit_line => resolver, edit_defaults => std_edits; - # ...other system files ... - + # ...other system files ... } ####################################################### - bundle edit_line resolver { delete_lines: - # delete any old name servers or junk we no longer need - - "search.*"; - "nameserver 80.65.58.31"; - "nameserver 80.65.58.32"; - "nameserver 82.103.128.146"; - "nameserver 78.24.145.4"; - "nameserver 78.24.145.5"; - "nameserver 128.39.89.10"; + # delete any old name servers or junk we no longer need + "search.*"; + "nameserver 80.65.58.31"; + "nameserver 80.65.58.32"; + "nameserver 82.103.128.146"; + "nameserver 78.24.145.4"; + "nameserver 78.24.145.5"; + "nameserver 128.39.89.10"; insert_lines: - "search mydomain.tld" location => start; + "search mydomain.tld" location => start; + special_net:: "nameserver 128.39.89.8"; "nameserver 128.39.74.66"; + !special_net:: "nameserver 128.38.34.12"; + any:: "nameserver 212.112.166.18"; "nameserver 212.112.166.22"; diff --git a/content/examples/example-snippets/set_up_sudo.cf b/content/examples/example-snippets/set_up_sudo.cf index 95ab34800..dc724688f 100644 --- a/content/examples/example-snippets/set_up_sudo.cf +++ b/content/examples/example-snippets/set_up_sudo.cf 
@@ -1,12 +1,11 @@ bundle agent system_files { vars: - "masterfiles" string => "/subversion_projects/masterfiles"; - # ... - + "masterfiles" string => "/subversion_projects/masterfiles"; + # ... files: - "/etc/sudoers" + "/etc/sudoers" comment => "Make sure the sudo configuration is secure and up to date", - perms => mog("440","root","root"), - copy_from => secure_cp("$(masterfiles)/sudoers","$(policy_server)"); + perms => mog("440", "root", "root"), + copy_from => secure_cp("$(masterfiles)/sudoers", "$(policy_server)"); } diff --git a/content/examples/example-snippets/simple_template.cf b/content/examples/example-snippets/simple_template.cf index f87b4707b..16d31acf7 100644 --- a/content/examples/example-snippets/simple_template.cf +++ b/content/examples/example-snippets/simple_template.cf @@ -1,8 +1,8 @@ bundle agent hand_edited_config_file { vars: - "file_template" string => - " + "file_template" + string => " # Syntax: # # IP-Address Full-Qualified-Hostname Short-Hostname @@ -20,14 +20,13 @@ ff02::3 ipv6-allhosts 10.0.0.20 host3.domain.tld host3 10.0.0.21 host4.domain.tld host4 "; - ############################################################## - + ############################################################## files: - "/etc/hosts" + "/etc/hosts" comment => "Define the content of all host files from this master source", create => "true", edit_line => append_if_no_lines("$(file_template)"), edit_defaults => empty, - perms => mo("$(mode)","root"), + perms => mo("$(mode)", "root"), action => if_elapsed("60"); } diff --git a/content/examples/example-snippets/simple_versioned_template.cf b/content/examples/example-snippets/simple_versioned_template.cf index c46539117..dd488aed2 100644 --- a/content/examples/example-snippets/simple_versioned_template.cf +++ b/content/examples/example-snippets/simple_versioned_template.cf 
@@ -1,19 +1,18 @@ bundle agent hand_edited_config_file { vars: - - "masterfiles" string => "/mysite/masterfiles"; + "masterfiles" string => "/mysite/masterfiles"; "policy_server" string => "policy_host.domain.tld"; files: - "/etc/hosts" comment => "Synchronize hosts with a hand-edited template in svn", perms => m("644"), - copy_from => remote_cp("$(masterfiles)/trunk/hosts_master","$(policy_server)"); + copy_from => remote_cp( + "$(masterfiles)/trunk/hosts_master", "$(policy_server)" + ); commands: - "/usr/bin/svn update" comment => "Update the company document repository including manuals to a local copy", contain => silent_in_dir("$(masterfiles)/trunk"), diff --git a/content/examples/example-snippets/software_and_patch_installation.cf b/content/examples/example-snippets/software_and_patch_installation.cf index 251d8e8bb..0e4785d5e 100644 --- a/content/examples/example-snippets/software_and_patch_installation.cf +++ b/content/examples/example-snippets/software_and_patch_installation.cf 
@@ -2,58 +2,53 @@ # to see list of installed packages type "dpkg --get-selections" # # Package management -# - body common control { - bundlesequence => { "packages" }; + bundlesequence => { "packages" }; } + body agent control { - environment => { "DEBIAN_FRONTEND=noninteractive" }; + environment => { "DEBIAN_FRONTEND=noninteractive" }; } ############################################# - bundle agent packages { vars: - # Test the simplest case -- leave everything to the yum smart manager - - "match_package" slist => { - "apache2" - # "apache2-mod_php5", - # "apache2-prefork", - # "php5" + # Test the simplest case -- leave everything to the yum smart manager + "match_package" + slist => { + "apache2", + # "apache2-mod_php5", + # "apache2-prefork", + # "php5" }; packages: - "$(match_package)" + "$(match_package)" package_policy => "add", package_method => apt; } ############################################# - body package_method apt { - any:: - # ii acpi 0.09-3ubuntu1 - - package_changes => "bulk"; - package_list_command => "/usr/bin/dpkg -l"; - package_list_name_regex => "ii\s+([^\s]+).*"; - package_list_version_regex => "ii\s+[^\s]+\s+([^\s]+).*"; - # package_list_arch_regex => "none"; - - package_installed_regex => ".*"; # all reported are installed - #package_name_convention => "$(name)_$(version)_$(arch)"; - package_name_convention => "$(name)"; - # Use these only if not using a separate version/arch string - # package_version_regex => ""; - # package_name_regex => ""; - # package_arch_regex => ""; - - package_add_command => "/usr/bin/apt-get --yes install"; - package_delete_command => "/usr/bin/apt-get --yes remove"; - package_update_command => "/usr/bin/apt-get --yes dist-upgrade"; - #package_verify_command => "/bin/rpm -V"; + any:: + # ii acpi 0.09-3ubuntu1 + package_changes => "bulk"; + package_list_command => "/usr/bin/dpkg -l"; + package_list_name_regex => "ii\s+([^\s]+).*"; + package_list_version_regex => "ii\s+[^\s]+\s+([^\s]+).*"; + # 
package_list_arch_regex => "none"; + package_installed_regex => ".*"; + # all reported are installed + #package_name_convention => "$(name)_$(version)_$(arch)"; + package_name_convention => "$(name)"; + # Use these only if not using a separate version/arch string + # package_version_regex => ""; + # package_name_regex => ""; + # package_arch_regex => ""; + package_add_command => "/usr/bin/apt-get --yes install"; + package_delete_command => "/usr/bin/apt-get --yes remove"; + package_update_command => "/usr/bin/apt-get --yes dist-upgrade"; + #package_verify_command => "/bin/rpm -V"; } diff --git a/content/examples/example-snippets/software_and_patch_installation_1.cf b/content/examples/example-snippets/software_and_patch_installation_1.cf index 978c2ccb2..ae6798365 100644 --- a/content/examples/example-snippets/software_and_patch_installation_1.cf +++ b/content/examples/example-snippets/software_and_patch_installation_1.cf @@ -1,21 +1,16 @@ -# # MSI package management using version criteria -# - body common control { - bundlesequence => { "packages" }; + bundlesequence => { "packages" }; } ############################################# - bundle agent packages { vars: - "match_package" slist => { - "7zip" - }; + "match_package" slist => { "7zip" }; + packages: - "$(match_package)" + "$(match_package)" package_policy => "update", package_select => ">=", package_architectures => { "x86_64" }, 
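Review bot: The `vars:` comment on the new side still says "leave everything to the yum smart manager" while this file's `package_method => apt` body drives dpkg and apt-get, so it looks copied from the yum example and should read `# Test the simplest case -- leave everything to the apt package manager`. Separately, `package_update_command => "/usr/bin/apt-get --yes dist-upgrade"` is a whole-system operation that may add or remove packages to satisfy dependencies, so under `DEBIAN_FRONTEND=noninteractive` a single `package_policy => "update"` promise can change far more than the named package; a narrower form such as `/usr/bin/apt-get --yes install --only-upgrade` matches the per-package intent, if the apt version in use accepts it. The trailing comma left after `"apache2",` in front of the commented-out list entries relies on the parser tolerating a trailing separator, which is worth confirming with cf-promises.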
@@ -23,15 +18,15 @@ bundle agent packages package_method => msi_vmatch; } ############################################# - body package_method msi_vmatch { - package_changes => "individual"; - package_file_repositories => { "$(sys.workdir)\software_updates\windows", "s:\su" }; - package_installed_regex => ".*"; - - package_name_convention => "$(name)-$(version)-$(arch).msi"; - package_add_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /i"; - package_update_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /i"; - package_delete_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /x"; + package_changes => "individual"; + package_file_repositories => { + "$(sys.workdir)\software_updates\windows", "s:\su" + }; + package_installed_regex => ".*"; + package_name_convention => "$(name)-$(version)-$(arch).msi"; + package_add_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /i"; + package_update_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /i"; + package_delete_command => "\"$(sys.winsysdir)\msiexec.exe\" /qn /x"; } diff --git a/content/examples/example-snippets/software_and_patch_installation_1_2.cf b/content/examples/example-snippets/software_and_patch_installation_1_2.cf index 554e2f128..98b73b143 100644 --- a/content/examples/example-snippets/software_and_patch_installation_1_2.cf +++ b/content/examples/example-snippets/software_and_patch_installation_1_2.cf 
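Review bot: `package_file_repositories` in the reformatted `msi_vmatch` body still lists the network location `"s:\su"` next to `$(sys.workdir)\software_updates\windows`, and the packages promise then runs `msiexec.exe /qn /i` on whatever `7zip-<version>-x86_64.msi` it finds there, silently and with the agent's privileges. Nothing in the hunk checks the origin or integrity of those files, so anyone who can write to that share can install arbitrary code on every host evaluating this policy. Staging the MSIs into an agent-owned local directory through CFEngine's authenticated copy (as software_distribution.cf in this same commit does with `remote_cp`) and listing only that directory would narrow the trust; either way a comment such as `# s:\su must be a write-protected share: anything found here is installed silently as the agent` should state the requirement. The packages promise that selects this body begins in the previous hunk.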
@@ -1,28 +1,19 @@ -# # Package management -# - body common control { - bundlesequence => { "packages" }; - inputs => { "cfengine_stdlib.cf" }; + bundlesequence => { "packages" }; + inputs => { "cfengine_stdlib.cf" }; } ############################################# - bundle agent packages { vars: - # Test the simplest case -- leave everything to the yum smart manager - - "match_package" slist => { - "apache2", - "apache2-mod_php5", - "apache2-prefork", - "php5" - }; + # Test the simplest case -- leave everything to the yum smart manager + "match_package" + slist => { "apache2", "apache2-mod_php5", "apache2-prefork", "php5" }; packages: - "$(match_package)" + "$(match_package)" package_policy => "add", package_method => yum; } diff --git a/content/examples/example-snippets/software_and_patch_installation_1_2_3.cf b/content/examples/example-snippets/software_and_patch_installation_1_2_3.cf index f8f0dda49..2500a9da4 100644 --- a/content/examples/example-snippets/software_and_patch_installation_1_2_3.cf +++ b/content/examples/example-snippets/software_and_patch_installation_1_2_3.cf @@ -1,28 +1,19 @@ -# # Package management -# - body common control { - bundlesequence => { "packages" }; - inputs => { "cfengine_stdlib.cf" } + bundlesequence => { "packages" }; + inputs => { "cfengine_stdlib.cf" } } ############################################# - bundle agent packages { vars: - # Test the simplest case -- leave everything to the zypper smart manager - - "match_package" slist => { - "apache2", - "apache2-mod_php5", - "apache2-prefork", - "php5" - }; + # Test the simplest case -- leave everything to the zypper smart manager + "match_package" + slist => { "apache2", "apache2-mod_php5", "apache2-prefork", "php5" }; packages: - "$(match_package)" + "$(match_package)" package_policy => "add", package_method => zypper; } 
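Review bot: The reformatted `body common control` in software_and_patch_installation_1_2_3.cf keeps `inputs => { "cfengine_stdlib.cf" }` without the terminating semicolon that the sibling software_and_patch_installation_1_2.cf hunk has; the old side had the same omission, so this appears to be a pre-existing parse error that the reformat preserved rather than fixed. It should read `inputs => { "cfengine_stdlib.cf" };`, which `cf-promises -f` on the file will confirm. Since `zypper` comes from that standard-library input, a file that fails to parse never reaches the packages promise at all.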
diff --git a/content/examples/example-snippets/software_distribution.cf b/content/examples/example-snippets/software_distribution.cf index 42b23f480..e481f952c 100644 --- a/content/examples/example-snippets/software_distribution.cf +++ b/content/examples/example-snippets/software_distribution.cf 
@@ -25,111 +25,116 @@ # "cfengine-nova-1.1.2-i686.msi". # ######################################################################### - bundle agent check_software { vars: - # software to install if not installed - "include_software" slist => { - "7-zip-4.50-$(sys.arch).msi" - }; - # this software gets updated if it is installed - "autoupdate_software" slist => { - "7-zip" - }; - # software to uninstall if it is installed - "exclude_software" slist => { - "7-zip-4.65-$(sys.arch).msi" - }; + # software to install if not installed + "include_software" slist => { "7-zip-4.50-$(sys.arch).msi" }; + + # this software gets updated if it is installed + "autoupdate_software" slist => { "7-zip" }; + + # software to uninstall if it is installed + "exclude_software" slist => { "7-zip-4.65-$(sys.arch).msi" }; methods: - # "any" usebundle => add_software( "@(check_software.include_software)", "$(sys.policy_hub)" ); - # "any" usebundle => update_software( "@(check_software.autoupdate_software)", "$(sys.policy_hub)" ); - # "any" usebundle => remove_software( "@(check_software.exclude_software)", "$(sys.policy_hub)" ); + # "any" usebundle => add_software( "@(check_software.include_software)", "$(sys.policy_hub)" ); + # "any" usebundle => update_software( "@(check_software.autoupdate_software)", "$(sys.policy_hub)" ); + # "any" usebundle => remove_software( "@(check_software.exclude_software)", "$(sys.policy_hub)" ); } ######################################################################### - bundle agent add_software(pkg_name) { vars: - # dir to install from locally - can also check multiple directories - "local_software_dir" string => "C:\Program Files\Cfengine\software\add"; + # dir to install from locally - can also check multiple directories + "local_software_dir" string => "C:\Program Files\Cfengine\software\add"; files: - "$(local_software_dir)" - copy_from => remote_cp("/var/cfengine/master_software_updates/$(sys.flavour)_$(sys.arch)/add", "$(srv)"), - depth_search => 
recurse("1"), - classes => if_repaired("got_newpkg"), - comment => "Copy software from remote repository"; + "$(local_software_dir)" + copy_from => remote_cp( + "/var/cfengine/master_software_updates/$(sys.flavour)_$(sys.arch)/add", + "$(srv)" + ), + depth_search => recurse("1"), + classes => if_repaired("got_newpkg"), + comment => "Copy software from remote repository"; packages: - # When to check if the package is installed ? + # When to check if the package is installed ? got_newpkg|any:: - "$(pkg_name)" - package_policy => "add", - package_method => msi_implicit( "$(local_software_dir)" ), - classes => if_else("add_success", "add_fail" ), - comment => "Install new software, if not already present"; + "$(pkg_name)" + package_policy => "add", + package_method => msi_implicit("$(local_software_dir)"), + classes => if_else("add_success", "add_fail"), + comment => "Install new software, if not already present"; reports:: + add_fail:: - "Failed to install one or more packages"; + "Failed to install one or more packages"; } - ######################################################################### - +######################################################################### bundle agent update_software(sw_names) { vars: - # dir to install from locally - can also check multiple directories - "local_software_dir" string => "C:\Program Files\Cfengine\software\update"; + # dir to install from locally - can also check multiple directories + "local_software_dir" string => "C:\Program Files\Cfengine\software\update"; files: - "$(local_software_dir)" - copy_from => remote_cp("/var/cfengine/master_software_updates/$(sys.flavour)_$(sys.arch)/update", "$(srv)"), - depth_search => recurse("1"), - classes => if_repaired("got_newpkg"), - comment => "Copy software updates from remote repository"; - + "$(local_software_dir)" + copy_from => remote_cp( + "/var/cfengine/master_software_updates/$(sys.flavour)_$(sys.arch)/update", + "$(srv)" + ), + depth_search => recurse("1"), + classes 
=> if_repaired("got_newpkg"), + comment => "Copy software updates from remote repository"; packages: - # When to check if the package is updated ? + # When to check if the package is updated ? got_newpkg|any:: - "$(sw_names)" - package_policy => "update", - package_select => ">=", # picks the newest update available - package_architectures => { "$(sys.arch)" }, # install 32 or 64 bit package ? - package_version => "1.0", # at least version 1.0 - package_method => msi_explicit( "$(local_software_dir)" ), - classes => if_else("update_success", "update_fail"); + "$(sw_names)" + package_policy => "update", + package_select => ">=", + # picks the newest update available + package_architectures => { "$(sys.arch)" }, + # install 32 or 64 bit package ? + package_version => "1.0", + # at least version 1.0 + package_method => msi_explicit("$(local_software_dir)"), + classes => if_else("update_success", "update_fail"); reports: update_fail:: - "Failed to update one or more packages"; + "Failed to update one or more packages"; } - ######################################################################### - +######################################################################### bundle agent remove_software(pkg_name) { vars: - # dir to install from locally - can also check multiple directories - "local_software_dir" string => "C:\Program Files\Cfengine\software\remove"; + # dir to install from locally - can also check multiple directories + "local_software_dir" string => "C:\Program Files\Cfengine\software\remove"; files: - "$(local_software_dir)" - copy_from => remote_cp("/var/cfengine/master_software_updates/$(sys.flavour)_$(sys.arch)/remove", "$(srv)"), - depth_search => recurse("1"), - classes => if_repaired("got_newpkg"), - comment => "Copy removable software from remote repository"; + "$(local_software_dir)" + copy_from => remote_cp( + "/var/cfengine/master_software_updates/$(sys.flavour)_$(sys.arch)/remove", + "$(srv)" + ), + depth_search => recurse("1"), + classes => 
if_repaired("got_newpkg"), + comment => "Copy removable software from remote repository"; packages: got_newpkg:: - "$(pkg_name)" - package_policy => "delete", - package_method => msi_implicit( "$(local_software_dir)" ), - classes => if_else("remove_success", "remove_fail" ), - comment => "Remove software, if present"; + "$(pkg_name)" + package_policy => "delete", + package_method => msi_implicit("$(local_software_dir)"), + classes => if_else("remove_success", "remove_fail"), + comment => "Remove software, if present"; reports:: + remove_fail:: - "Failed to remove one or more packages"; + "Failed to remove one or more packages"; } diff --git a/content/examples/example-snippets/tidying_garbage_files.cf b/content/examples/example-snippets/tidying_garbage_files.cf index 7950c6c2c..9e9a75c78 100644 --- a/content/examples/example-snippets/tidying_garbage_files.cf +++ b/content/examples/example-snippets/tidying_garbage_files.cf 
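Review bot: In `add_software` and `remove_software` the new side still has `reports::` (two colons) where `update_software` correctly uses `reports:`; inside a `packages:` section that is a class guard on an undefined class named `reports`, so the strings under the following `add_fail::`/`remove_fail::` become packages promises for a package literally called "Failed to install one or more packages" rather than reports, and both should become `reports:`. The three bundles are also declared with one parameter (`bundle agent add_software(pkg_name)` etc.) while `check_software` calls them with two arguments and every `remote_cp(...)` passes `"$(srv)"`, which is never defined — either declare it, e.g. `bundle agent add_software(pkg_name, srv)`, or use `$(sys.policy_hub)` directly. Finally, the MSIs are fetched with `remote_cp` and then executed with `msiexec /qn` as the agent; the standard library's `secure_cp` (encrypted, verified copy) is the safer choice for an installable payload, and the `got_newpkg|any::` guard in `add_software` and `update_software` is always true, so the "When to check" question should be resolved or the `|any` dropped.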
@@ -3,45 +3,38 @@ # Deleting files, like cf2 tidy age=0 r=inf # ####################################################### - body common control { - any:: - bundlesequence => { "testbundle" }; + any:: + bundlesequence => { "testbundle" }; } ############################################ - bundle agent testbundle { files: - "/tmp/test" + "/tmp/test" delete => tidy, file_select => zero_age, depth_search => recurse("inf"); } ######################################################### - body depth_search recurse(d) { - #include_basedir => "true"; - depth => "$(d)"; + #include_basedir => "true"; + depth => "$(d)"; } ######################################################### - body delete tidy { - dirlinks => "delete"; - rmdirs => "false"; + dirlinks => "delete"; + rmdirs => "false"; } ######################################################### - body file_select zero_age -# # we can build old "include", "exclude", and "ignore" # from these as standard patterns - these bodies can # form a library of standard patterns -# { - mtime => irange(ago(1,0,0,0,0,0),now); - file_result => "mtime"; + mtime => irange(ago(1, 0, 0, 0, 0, 0), now); + file_result => "mtime"; } diff --git a/content/examples/example-snippets/trigger_classes.cf b/content/examples/example-snippets/trigger_classes.cf index cb418f367..57300b94c 100644 --- a/content/examples/example-snippets/trigger_classes.cf +++ b/content/examples/example-snippets/trigger_classes.cf @@ -3,19 +3,17 @@ # Insert a number of lines and trigger a followup if edited # ####################################################### - body common control { - any:: - bundlesequence => { "insert" }; + any:: + bundlesequence => { "insert" }; } - ####################################################### - bundle agent insert { vars: - "v" string => " + "v" + string => " One potato Two potato Three potahto 
@@ -23,7 +21,7 @@ bundle agent insert "; files: - "/tmp/test_insert" + "/tmp/test_insert" edit_line => insert_name("$(insert.v)"), edit_defaults => empty, classes => trigger("edited"); @@ -36,25 +34,21 @@ bundle agent insert edited:: "The potatoes are bananas"; } - ####################################################### # For the library ####################################################### - bundle edit_line insert_name(name) { insert_lines: - "Begin$(const.n) $(name)$(const.n)End"; + "Begin$(const.n) $(name)$(const.n)End"; } ####################################################### - body edit_defaults empty { - empty_file_before_editing => "true"; + empty_file_before_editing => "true"; } ####################################################### - body classes trigger(x) { - promise_repaired => { $(x) }; + promise_repaired => { $(x) }; } diff --git a/content/examples/example-snippets/unit_registry.cf.cf b/content/examples/example-snippets/unit_registry.cf.cf index a83c0c4d3..12f32db4d 100644 --- a/content/examples/example-snippets/unit_registry.cf.cf +++ b/content/examples/example-snippets/unit_registry.cf.cf @@ -1,6 +1,6 @@ body common control { - bundlesequence => { "databases" }; + bundlesequence => { "databases" }; } bundle agent databases 
@@ -8,27 +8,23 @@ bundle agent databases databases: windows:: # Registry has (value,data) pairs in "keys" which are directories - # "HKEY_LOCAL_MACHINE\SOFTWARE\Cfengine AS" # database_operation => "create", # database_type => "ms_registry"; - # "HKEY_LOCAL_MACHINE\SOFTWARE\Cfengine AS\Cfengine" # database_operation => "create", # database_rows => { "value1,REG_SZ,new value 1", "value2,REG_SZ,new val 2"} , # database_type => "ms_registry"; - "HKEY_LOCAL_MACHINE\SOFTWARE\Cfengine AS\Cfengine" - database_operation => "delete", - database_columns => { "value1", "value2" } , - database_type => "ms_registry"; + database_operation => "delete", + database_columns => { "value1", "value2" }, + database_type => "ms_registry"; # "HKEY_LOCAL_MACHINE\SOFTWARE\Cfengine AS\Cfengine" # database_operation => "cache", # cache,restore # registry_exclude => { ".*Windows.*CurrentVersion.*", ".*Touchpad.*", ".*Capabilities.FileAssociations.*", ".*Rfc1766.*" , ".*Synaptics.SynTP.*", ".*SupportedDevices.*8086", ".*Microsoft.*ErrorThresholds" }, # database_type => "ms_registry"; - "HKEY_LOCAL_MACHINE\SOFTWARE\Cfengine AS" - database_operation => "restore", - database_type => "ms_registry"; + database_operation => "restore", + database_type => "ms_registry"; } diff --git a/content/examples/example-snippets/unit_registry_cache.cf.cf b/content/examples/example-snippets/unit_registry_cache.cf.cf index da41e1e19..688a2862e 100644 --- a/content/examples/example-snippets/unit_registry_cache.cf.cf +++ b/content/examples/example-snippets/unit_registry_cache.cf.cf 
@@ -1,29 +1,26 @@ body common control { - bundlesequence => { - # "registry_cache" - # "registry_restore" - }; + bundlesequence => { + # "registry_cache", "registry_restore" + }; } ######################################### - bundle agent registry_cache { databases: windows:: "HKEY_LOCAL_MACHINE\SOFTWARE\Adobe" - database_operation => "cache", - database_type => "ms_registry", - comment => "Save correct registry settings for Adobe products"; + database_operation => "cache", + database_type => "ms_registry", + comment => "Save correct registry settings for Adobe products"; } ######################################### - bundle agent registry_restore { databases: windows:: "HKEY_LOCAL_MACHINE\SOFTWARE\Adobe" - database_operation => "restore", - database_type => "ms_registry", - comment => "Make sure Adobe products have correct registry settings"; + database_operation => "restore", + database_type => "ms_registry", + comment => "Make sure Adobe products have correct registry settings"; } diff --git a/content/examples/example-snippets/unmount_nfs_filesystem.cf b/content/examples/example-snippets/unmount_nfs_filesystem.cf index ab4c3966f..98be798a0 100644 --- a/content/examples/example-snippets/unmount_nfs_filesystem.cf +++ b/content/examples/example-snippets/unmount_nfs_filesystem.cf 
@@ -1,27 +1,23 @@ ##################################################################### # Mount NFS ##################################################################### - body common control { - bundlesequence => { "mounts" }; + bundlesequence => { "mounts" }; } ##################################################################### - bundle agent mounts { storage: - # Assumes the filesystem has been exported - - "/mnt" mount => nfs("server.example.org","/home"); + # Assumes the filesystem has been exported + "/mnt" mount => nfs("server.example.org", "/home"); } ###################################################################### - -body mount nfs(server,source) +body mount nfs(server, source) { - mount_type => "nfs"; - mount_source => "$(source)"; - mount_server => "$(server)"; - edit_fstab => "true"; - unmount => "true"; + mount_type => "nfs"; + mount_source => "$(source)"; + mount_server => "$(server)"; + edit_fstab => "true"; + unmount => "true"; } diff --git a/content/examples/example-snippets/updating_from_a_central_hub.cf b/content/examples/example-snippets/updating_from_a_central_hub.cf index 1b4af2c4c..4b1783810 100644 --- a/content/examples/example-snippets/updating_from_a_central_hub.cf +++ b/content/examples/example-snippets/updating_from_a_central_hub.cf 
@@ -1,36 +1,34 @@ bundle agent update { vars: - "master_location" string => "/var/cfengine/masterfiles"; + "master_location" string => "/var/cfengine/masterfiles"; - "policy_server" string => "10.20.30.123", + "policy_server" + string => "10.20.30.123", comment => "IP address to locate your policy host."; files: - "$(sys.workdir)/inputs" + "$(sys.workdir)/inputs" perms => system("600"), - copy_from => remote_cp("$(master_location)",$(policy_server)), + copy_from => remote_cp("$(master_location)", $(policy_server)), depth_search => recurse("inf"); - "$(sys.workdir)/bin" + "$(sys.workdir)/bin" perms => system("700"), - copy_from => remote_cp("/usr/local/sbin","localhost"), + copy_from => remote_cp("/usr/local/sbin", "localhost"), depth_search => recurse("inf"); } ####################################################### - body server control { - allowconnects => { "127.0.0.1" , "10.20.30.0/24" }; - allowallconnects => { "127.0.0.1" , "10.20.30.0/24" }; - trustkeysfrom => { "127.0.0.1" , "10.20.30.0/24" }; + allowconnects => { "127.0.0.1", "10.20.30.0/24" }; + allowallconnects => { "127.0.0.1", "10.20.30.0/24" }; + trustkeysfrom => { "127.0.0.1", "10.20.30.0/24" }; } ####################################################### - bundle server my_access_rules() { access: 10_20_30_123:: - "/var/cfengine/masterfiles" - admit => { "127.0.0.1", "10.20.30.0/24" }; + "/var/cfengine/masterfiles" admit => { "127.0.0.1", "10.20.30.0/24" }; } diff --git a/content/examples/example-snippets/variation_in_hosts.cf b/content/examples/example-snippets/variation_in_hosts.cf index 980c5be29..48f1bad76 100644 --- a/content/examples/example-snippets/variation_in_hosts.cf +++ b/content/examples/example-snippets/variation_in_hosts.cf 
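Review bot: `trustkeysfrom => { "127.0.0.1", "10.20.30.0/24" }` in the reformatted `body server control` makes cf-serverd accept and store the key of any host in the /24 on first contact, so any machine that can obtain an address in that range gains a permanent trusted identity on the hub; this is a bootstrap convenience that should be narrowed to the hosts actually being enrolled, or removed once keys are exchanged, e.g. `trustkeysfrom => { "127.0.0.1" }; # widen only while bootstrapping new hosts`. `allowallconnects` over the same range additionally permits many concurrent connections per client, so a compromised host in the subnet can also exhaust the server. In `bundle agent update` the second argument to `remote_cp` is an unquoted `$(policy_server)` while the other call sites in this commit quote theirs; if that form parses at all it should still be `"$(policy_server)"` for consistency.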
@@ -1,68 +1,51 @@ body common control { - bundlesequence => { "central" }; + bundlesequence => { "central" }; } - ############################################ - bundle agent central { classes: - "mygroup_1" or => { "myhost", "host1", "host2", "host3" }; - "mygroup_2" or => { "host4", "host5", "host6" }; + "mygroup_1" or => { "myhost", "host1", "host2", "host3" }; + "mygroup_2" or => { "host4", "host5", "host6" }; vars: - "policy_server" string => "myhost.domain.tld"; + "policy_server" string => "myhost.domain.tld"; + mygroup_1:: - "mypackages" slist => { - "nagios", - "gcc", - "apache2", - "php5", - }; + "mypackages" slist => { "nagios", "gcc", "apache2", "php5" }; + mygroup_2:: - "mypackages" slist => { - "apache", - "mysql", - "php5", - }; + "mypackages" slist => { "apache", "mysql", "php5" }; files: - # Password management can be very simple if all hosts are identical - - "/etc/passwd" - comment => "Distribute a password file", - perms => mog("644","root","root"), - copy_from => secure_cp("/etc/passwd","$(policy_server)"); + # Password management can be very simple if all hosts are identical + "/etc/passwd" + comment => "Distribute a password file", + perms => mog("644", "root", "root"), + copy_from => secure_cp("/etc/passwd", "$(policy_server)"); packages: - "$(mypackages)" + "$(mypackages)" package_policy => "add", package_method => generic; - - # Add more promises below ... - + # Add more promises below ... 
} - ######################################################### # Server config ######################################################### - body server control { - allowconnects => { "127.0.0.1" , "::1", "10.20.30.0/24" }; - allowallconnects => { "127.0.0.1" , "::1", "10.20.30.0/24" }; - trustkeysfrom => { "127.0.0.1" , "::1", "10.20.30.0/24" }; - # allowusers + allowconnects => { "127.0.0.1", "::1", "10.20.30.0/24" }; + allowallconnects => { "127.0.0.1", "::1", "10.20.30.0/24" }; + trustkeysfrom => { "127.0.0.1", "::1", "10.20.30.0/24" }; + # allowusers } ######################################################### - bundle server my_access_rules() { access: - # myhost.domain.tld makes this file available to 10.20.30* - + # myhost.domain.tld makes this file available to 10.20.30* myhost_domain_tld:: - "/etc/passwd" - admit => { "127.0.0.1", "10.20.30.0/24" }; + "/etc/passwd" admit => { "127.0.0.1", "10.20.30.0/24" }; } diff --git a/content/examples/example-snippets/warn_if_matching_line_in_file.cf b/content/examples/example-snippets/warn_if_matching_line_in_file.cf index 728d5911c..e2e74f18b 100644 --- a/content/examples/example-snippets/warn_if_matching_line_in_file.cf +++ b/content/examples/example-snippets/warn_if_matching_line_in_file.cf 
@@ -3,30 +3,26 @@ # Warn if line matched # ######################################################## - body common control { - bundlesequence => { "testbundle" }; + bundlesequence => { "testbundle" }; } ######################################################## - bundle agent testbundle { files: - "/var/cfengine/inputs/.*" + "/var/cfengine/inputs/.*" edit_line => delete_lines_matching(".*cfenvd.*"), action => WarnOnly; } ######################################################## - bundle edit_line delete_lines_matching(regex) { delete_lines: - "$(regex)" action => WarnOnly; + "$(regex)" action => WarnOnly; } ######################################################## - body action WarnOnly { - action_policy => "warn"; + action_policy => "warn"; } diff --git a/content/examples/example-snippets/web_server_modules.cf b/content/examples/example-snippets/web_server_modules.cf index 5029b229f..8dab2471a 100644 --- a/content/examples/example-snippets/web_server_modules.cf +++ b/content/examples/example-snippets/web_server_modules.cf 
@@ -3,67 +3,40 @@ # Apache 2 reconfig - modelled on SuSE # ####################################################### - body common control { - inputs => { "$(sys.libdir)/stdlib.cf" }; - bundlesequence => { - apache - }; + inputs => { "$(sys.libdir)/stdlib.cf" }; + bundlesequence => { apache }; } ####################################################### - bundle agent apache { files: SuSE:: - "/etc/sysconfig/apache2" - edit_line => fixapache; + "/etc/sysconfig/apache2" edit_line => fixapache; } ####################################################### # For the library ####################################################### - bundle edit_line fixapache { vars: - "add_modules" slist => { - "dav", - "dav_fs", - "ssl", - "php5", - "dav_svn", - "xyz", - "superduper" + "add_modules" + slist => { + "dav", "dav_fs", "ssl", "php5", "dav_svn", "xyz", "superduper" }; - "del_modules" slist => { - "php3", - "jk", - "userdir", - "imagemap", - "alias" - }; - insert_lines: - "APACHE_CONF_INCLUDE_FILES=\"/site/masterfiles/local-http.conf\""; - field_edits: - ##################################################################### - # APACHE_MODULES="authz_host actions alias ..." - ##################################################################### + "del_modules" slist => { "php3", "jk", "userdir", "imagemap", "alias" }; - # Values have the form NAME = "quoted space separated list" - - "APACHE_MODULES=.*" - # Insert module "columns" between the quoted RHS - # using space separators - - edit_field => quoted_var($(add_modules), "append"); - "APACHE_MODULES=.*" - - # Delete module "columns" between the quoted RHS - # using space separators - - edit_field => quoted_var($(del_modules), "delete"); - # if this line already exists, edit it + insert_lines: + "APACHE_CONF_INCLUDE_FILES=\"/site/masterfiles/local-http.conf\""; + field_edits: + ##################################################################### + # APACHE_MODULES="authz_host actions alias ..." 
+ ##################################################################### + # Values have the form NAME = "quoted space separated list" + "APACHE_MODULES=.*" edit_field => quoted_var($(add_modules), "append"); + "APACHE_MODULES=.*" edit_field => quoted_var($(del_modules), "delete"); + # if this line already exists, edit it } diff --git a/content/examples/example-snippets/windows_registry.cf b/content/examples/example-snippets/windows_registry.cf index 72c8d770d..610728ff9 100644 --- a/content/examples/example-snippets/windows_registry.cf +++ b/content/examples/example-snippets/windows_registry.cf @@ -1,13 +1,15 @@ body common control { - bundlesequence => { "reg" }; + bundlesequence => { "reg" }; } bundle agent reg { vars: - - "value" string => registryvalue("HKEY_LOCAL_MACHINE\SOFTWARE\Cfengine AS\Cfengine","value3"); + "value" + string => registryvalue( + "HKEY_LOCAL_MACHINE\SOFTWARE\Cfengine AS\Cfengine", "value3" + ); reports: windows:: diff --git a/content/resources/additional-topics/STIGs.cf b/content/resources/additional-topics/STIGs.cf index 0698e3be2..64d6e1445 100644 --- a/content/resources/additional-topics/STIGs.cf +++ b/content/resources/additional-topics/STIGs.cf 
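Review bot: The reformat of `bundle edit_line fixapache` dropped the two comments that explained the `field_edits` pair — that `quoted_var($(add_modules), "append")` inserts module "columns" between the quotes of the `APACHE_MODULES=` value using space separators and the second promise deletes them — and left `# if this line already exists, edit it` dangling after the last promise, where it no longer labels anything. Restoring one comment per promise, e.g. `# append each add_module as a space-separated column inside the quoted value` above the first and `# remove each del_module column from the same quoted value` above the second, and moving the dangling comment above the first `"APACHE_MODULES=.*"` (or deleting it) would keep the new layout self-explaining. The `add_modules` list still contains what look like placeholders, `"xyz"` and `"superduper"`, which on a SuSE host would be written into `APACHE_MODULES` and likely stop apache2 from starting; if this snippet is meant to be run rather than read, they should go.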
@@ -20,1166 +20,1154 @@ # $Id:$ # ################################################################################ - body common control { - bundlesequence => { "stigs" }; - inputs => { "/var/cfengine/inputs/cfengine_stdlib.cf" }; - host_licenses_paid => "1"; + bundlesequence => { "stigs" }; + inputs => { "/var/cfengine/inputs/cfengine_stdlib.cf" }; + host_licenses_paid => "1"; } - -# # STIGs compliance with CFEngine 3 (Nova) -# - bundle agent stigs { - vars: - - redhat_5:: - - "shadow" -> { "GEN000560" } - comment => "Read all contents in /etc/shadow for string manipulation later on", - handle => "stigs_vars_redhat_5_strings_from_etc_shadow", - string => readfile("/etc/shadow", 99999); - - "shadow_list" -> { "GEN000560" } - comment => "Break strings into a list", - handle => "stigs_vars_redhat_5_list_from_etc_shadow", - slist => splitstring("$(shadow)","[\n]",500); - - "usr_dir" -> { "GEN001080" } - comment => "/usr directory", - handle => "stigs_vars_redhat_5_usr_directory", - string => "/usr/bin"; - - "shells" -> { "GEN001080" } - comment => "List of Root shells", - handle => "stigs_vars_redhat_5_root_shells", + vars: + redhat_5:: + "shadow" -> { "GEN000560" } + comment => "Read all contents in /etc/shadow for string manipulation later on", + handle => "stigs_vars_redhat_5_strings_from_etc_shadow", + string => readfile("/etc/shadow", 99999); + + "shadow_list" -> { "GEN000560" } + comment => "Break strings into a list", + handle => "stigs_vars_redhat_5_list_from_etc_shadow", + slist => splitstring("$(shadow)", "[\n]", 500); + + "usr_dir" -> { "GEN001080" } + comment => "/usr directory", + handle => "stigs_vars_redhat_5_usr_directory", + string => "/usr/bin"; + + "shells" -> { "GEN001080" } + comment => "List of Root shells", + handle => "stigs_vars_redhat_5_root_shells", slist => { "bash", "sh" }; - "fstab_contents" -> { "GEN001080", "GEN002420" } - comment => "All Contents of /etc/fstab", - handle => "stigs_vars_redhat_5_fstab_contents", - string => 
readfile("/etc/fstab","4000"); - - "network_services_daemon_files" -> { "GEN001180" } - comment => "List of Network services daemon files", - handle => "stigs_vars_redhat_5_network_services_daemon_files", - slist => { - "/var/cfengine/state/cf_incoming.nfsd", - "/var/cfengine/state/cf_outgoing.nfsd", - "/usr/sbin/.*", - }; - - "system_dirs" -> { "GEN001220", "GEN001240" } - comment => "List of important system directories", - handle => "stigs_vars_redhat_5_system_dirs", - slist => { - "/etc", - "/bin", - "/sbin", - "/usr/bin", - "/usr/sbin", - }; - - "system_log_files" -> { "GEN001260" } - comment => "List of system log files", - handle => "stigs_vars_redhat_5_system_log_files", - slist => { - "/var/log" - }; - - "manual_page_files" -> { "GEN001280" } - comment => "List of manual page files", - handle => "stigs_vars_redhat_5_manual_page_files", - slist => { - "/usr/share/man", - "/usr/share/info", - }; - - "library_dirs" -> { "GEN001300" } - comment => "List of library files", - handle => "stigs_vars_redhat_5_library_dirs", - slist => { - "/usr/lib", - }; + "fstab_contents" -> { "GEN001080", "GEN002420" } + comment => "All Contents of /etc/fstab", + handle => "stigs_vars_redhat_5_fstab_contents", + string => readfile("/etc/fstab", "4000"); - "nis_nisplus_yp_files" -> { "GEN001320", "GEN001340", "GEN001360" } - comment => "List of NIS/NIS+/yp files", - handle => "stigs_vars_redhat_5_nis_nisplus_yp_files", + "network_services_daemon_files" -> { "GEN001180" } + comment => "List of Network services daemon files", + handle => "stigs_vars_redhat_5_network_services_daemon_files", slist => { - "/var/yp", - }; - - "home_users" -> { "GEN001440", "GEN001460", "GEN001480", "GEN001500", "GEN001520" } - comment => "Create a tmp file listing HOME users", - handle => "stigs_vars_redhat_5_home_users_tmp", - string => execresult("/bin/grep home /etc/passwd | /bin/awk -F':' '{print $1}'","useshell"); - - "users_list" -> { "GEN001440", "GEN001460", "GEN001480", "GEN001500", 
"GEN001520" } - comment => "Read the tmp file to create an actual list of HOME users", - handle => "stigs_vars_redhat_5_home_users_list", + "/var/cfengine/state/cf_incoming.nfsd", + "/var/cfengine/state/cf_outgoing.nfsd", + "/usr/sbin/.*", + }; + + "system_dirs" -> { "GEN001220", "GEN001240" } + comment => "List of important system directories", + handle => "stigs_vars_redhat_5_system_dirs", + slist => { "/etc", "/bin", "/sbin", "/usr/bin", "/usr/sbin" }; + + "system_log_files" -> { "GEN001260" } + comment => "List of system log files", + handle => "stigs_vars_redhat_5_system_log_files", + slist => { "/var/log" }; + + "manual_page_files" -> { "GEN001280" } + comment => "List of manual page files", + handle => "stigs_vars_redhat_5_manual_page_files", + slist => { "/usr/share/man", "/usr/share/info" }; + + "library_dirs" -> { "GEN001300" } + comment => "List of library files", + handle => "stigs_vars_redhat_5_library_dirs", + slist => { "/usr/lib" }; + + "nis_nisplus_yp_files" -> { "GEN001320", "GEN001340", "GEN001360" } + comment => "List of NIS/NIS+/yp files", + handle => "stigs_vars_redhat_5_nis_nisplus_yp_files", + slist => { "/var/yp" }; + + "home_users" -> { + "GEN001440", "GEN001460", "GEN001480", "GEN001500", "GEN001520" + } + comment => "Create a tmp file listing HOME users", + handle => "stigs_vars_redhat_5_home_users_tmp", + string => execresult( + "/bin/grep home /etc/passwd | /bin/awk -F':' '{print $1}'", + "useshell" + ); + + "users_list" -> { + "GEN001440", "GEN001460", "GEN001480", "GEN001500", "GEN001520" + } + comment => "Read the tmp file to create an actual list of HOME users", + handle => "stigs_vars_redhat_5_home_users_list", slist => splitstring("$(home_users)", "[\n]", 500); - "rc_files" -> { "GEN001580", "GEN001620", "GEN001660", "GEN001680" } - comment => "List of Run Control Scripts", - handle => "stigs_vars_redhat_5_rc_files", - slist => { - "/etc/rc.d/rc", - "/etc/rc.d/rc.local", - "/etc/rc.d/rc.sysinit", - }; - - "global_init_files" -> { 
"GEN001720", "GEN001740", "GEN001760", "GEN001780" } - comment => "List of Global Initialization files", - handle => "stigs_vars_redhat_5_global_init_files", + "rc_files" -> { "GEN001580", "GEN001620", "GEN001660", "GEN001680" } + comment => "List of Run Control Scripts", + handle => "stigs_vars_redhat_5_rc_files", slist => { - "/etc/profile", - "/etc/bashrc", - "/etc/environment", - }; - - "skeleton_dot_files" -> { "GEN001800", "GEN001820" } - comment => "List of default/skeleton dot files", - handle => "stigs_vars_redhat_5_skeleton_dot_files", + "/etc/rc.d/rc", "/etc/rc.d/rc.local", "/etc/rc.d/rc.sysinit", + }; + + "global_init_files" -> { + "GEN001720", "GEN001740", "GEN001760", "GEN001780" + } + comment => "List of Global Initialization files", + handle => "stigs_vars_redhat_5_global_init_files", + slist => { "/etc/profile", "/etc/bashrc", "/etc/environment" }; + + "skeleton_dot_files" -> { "GEN001800", "GEN001820" } + comment => "List of default/skeleton dot files", + handle => "stigs_vars_redhat_5_skeleton_dot_files", slist => { - "/etc/skel/.bash_logout", - "/etc/skel/.bash_profile", - "/etc/skel/.emacs", - "/etc/skel/.bashrc", - }; - - "excluded_local_init_files" -> { "GEN001880" } - comment => "List of excluded local initialization files", - handle => "stigs_vars_redhat_5_excluded_local_init_files", - slist => { - ".dt", - ".dtprofile", - }; - - "hosts_related_files" -> { "GEN002040" } - comment => "List of hosts related files", - handle => "stigs_vars_redhat_5_hosts_related_files", - slist => { - "/root/.rhosts", - "/root/.shosts", - "/etc/hosts.equiv", - }; - - "pam_files" -> { "GEN002100" } - comment => "List of PAM files to disable .rhosts", - handle => "stigs_vars_redhat_5_pam_files", - slist => { - "/etc/pam.d/ekshell", - "/etc/pam.d/kshell", - }; - - "shell_files" -> { "GEN002160", "GEN002180", "GEN002200", "GEN002220" } - comment => "List of login shells from /etc/shells", - handle => "stigs_vars_redhat_5_shell_files", + "/etc/skel/.bash_logout", + 
"/etc/skel/.bash_profile", + "/etc/skel/.emacs", + "/etc/skel/.bashrc", + }; + + "excluded_local_init_files" -> { "GEN001880" } + comment => "List of excluded local initialization files", + handle => "stigs_vars_redhat_5_excluded_local_init_files", + slist => { ".dt", ".dtprofile" }; + + "hosts_related_files" -> { "GEN002040" } + comment => "List of hosts related files", + handle => "stigs_vars_redhat_5_hosts_related_files", + slist => { "/root/.rhosts", "/root/.shosts", "/etc/hosts.equiv" }; + + "pam_files" -> { "GEN002100" } + comment => "List of PAM files to disable .rhosts", + handle => "stigs_vars_redhat_5_pam_files", + slist => { "/etc/pam.d/ekshell", "/etc/pam.d/kshell" }; + + "shell_files" -> { "GEN002160", "GEN002180", "GEN002200", "GEN002220" } + comment => "List of login shells from /etc/shells", + handle => "stigs_vars_redhat_5_shell_files", slist => readstringlist("/etc/shells", "#.*", "[\n]", 10, 1000); - "fstab_list" -> { "GEN002420" } - comment => "Break string into a list", - handle => "stigs_vars_redhat_5_list_from_etc_fstab", + "fstab_list" -> { "GEN002420" } + comment => "Break string into a list", + handle => "stigs_vars_redhat_5_list_from_etc_fstab", slist => splitstring("$(fstab_contents)", "[\n]", 100); - "umask_files" -> { "GEN001560", "GEN002560" } - comment => "List of files which contain system and user default umask", - handle => "stigs_vars_redhat_5_umask_files", - slist => { - "/etc/bashrc", - "/etc/csh.cshrc", - "/etc/csh.login", - }; - - "allusers_not_root" -> { "GEN002640", "GEN003300", "GEN003320" } - comment => "List of all system accounts but root and hypen users", - handle => "stigs_vars_redhat_5_list_allusers_not_root", - slist => getusers("root,avahi-autoipd","0"); - - "$(allusers_not_root)_uid" -> { "GEN002640" } - comment => "List of system UIDs", - handle => "stigs_vars_redhat_5_allusers_not_root_uid", - int => getuid("$(allusers_not_root)"); - - "preferred_services" -> { "GEN002660" } - comment => "List of system services 
to be turn on", - handle => "stigs_vars_redhat_5_preferred_services", - slist => { - "auditd" - }; - - "$(preferred_services)_status" -> { "GEN002660" } - comment => "List of service status of those preferred services", - handle => "stigs_vars_redhat_5_preferred_services_status", - string => execresult("/sbin/chkconfig --list $(preferred_services)","noshell"); - - "cron_users" -> { "GEN002960" } - comment => "List of users who would be able to use cron utility", - handle => "stigs_vars_redhat_5_cron_users", - slist => { - "root", - "user1", - "user2", - "user3", - }; - - "cron_dirs" -> { "GEN003040", "GEN003080" } - comment => "List of cron directories", - handle => "stigs_vars_redhat_5_cron_dirs", - slist => { - "/etc/cron.hourly", - "/etc/cron.daily", - "/etc/cron.weekly", - "/etc/cron.monthly", - "/etc/cron.d", - }; - - "other_cron_dirs" -> { "GEN003040", "GEN003080" } - comment => "List of other cron directories", - handle => "stigs_vars_redhat_5_other_cron_dirs", - slist => { - "/var/spool/cron", - }; - - "cron_files" -> { "GEN003040", "GEN003080" } - comment => "List of cron files", - handle => "stigs_vars_redhat_5_cron_files", - slist => { - "/etc/crontab", - "/usr/share/logwatch/scripts/logwatch.pl", - }; - - "at_deny_users" -> { "GEN003300", "GEN003320" } - comment => "List of users to add to /etc/at.deny (All users but root)", - handle => "stigs_vars_redhat_5_at_deny_users", - slist => getusers("root","0"); - - "unneeded_services" -> { "GEN003700", "GEN003860" } - comment => "List of unneeded inetd/xinetd services to be disabled", - handle => "stigs_vars_redhat_5_unneeded_services", + "umask_files" -> { "GEN001560", "GEN002560" } + comment => "List of files which contain system and user default umask", + handle => "stigs_vars_redhat_5_umask_files", + slist => { "/etc/bashrc", "/etc/csh.cshrc", "/etc/csh.login" }; + + "allusers_not_root" -> { "GEN002640", "GEN003300", "GEN003320" } + comment => "List of all system accounts but root and hypen users", + 
handle => "stigs_vars_redhat_5_list_allusers_not_root", + slist => getusers("root,avahi-autoipd", "0"); + + "$(allusers_not_root)_uid" -> { "GEN002640" } + comment => "List of system UIDs", + handle => "stigs_vars_redhat_5_allusers_not_root_uid", + int => getuid("$(allusers_not_root)"); + + "preferred_services" -> { "GEN002660" } + comment => "List of system services to be turn on", + handle => "stigs_vars_redhat_5_preferred_services", + slist => { "auditd" }; + + "$(preferred_services)_status" -> { "GEN002660" } + comment => "List of service status of those preferred services", + handle => "stigs_vars_redhat_5_preferred_services_status", + string => execresult( + "/sbin/chkconfig --list $(preferred_services)", "noshell" + ); + + "cron_users" -> { "GEN002960" } + comment => "List of users who would be able to use cron utility", + handle => "stigs_vars_redhat_5_cron_users", + slist => { "root", "user1", "user2", "user3" }; + + "cron_dirs" -> { "GEN003040", "GEN003080" } + comment => "List of cron directories", + handle => "stigs_vars_redhat_5_cron_dirs", slist => { - "bluetooth", - "irda", - "im_sensors", - "portmap", - "rawdevices", - "rpcgssd", - "rpcidmapd", - "rpcsvcgssd", - "sendmail", - "xinetd", - "finger" - }; - - "$(unneeded_services)_status" -> { "GEN003700", "GEN003860" } - comment => "List of service status of those unneeded services", - handle => "stigs_vars_redhat_5_unneeded_services_status", - string => execresult("/sbin/chkconfig --list $(unneeded_services)","noshell"); - - "network_analysis_tools" -> { "GEN003865" } - comment => "List of network analysis tools to be disabled", - handle => "stigs_vars_redhat_5_network_analysis_tools", + "/etc/cron.hourly", + "/etc/cron.daily", + "/etc/cron.weekly", + "/etc/cron.monthly", + "/etc/cron.d", + }; + + "other_cron_dirs" -> { "GEN003040", "GEN003080" } + comment => "List of other cron directories", + handle => "stigs_vars_redhat_5_other_cron_dirs", + slist => { "/var/spool/cron" }; + + "cron_files" -> { 
"GEN003040", "GEN003080" } + comment => "List of cron files", + handle => "stigs_vars_redhat_5_cron_files", + slist => { "/etc/crontab", "/usr/share/logwatch/scripts/logwatch.pl" }; + + "at_deny_users" -> { "GEN003300", "GEN003320" } + comment => "List of users to add to /etc/at.deny (All users but root)", + handle => "stigs_vars_redhat_5_at_deny_users", + slist => getusers("root", "0"); + + "unneeded_services" -> { "GEN003700", "GEN003860" } + comment => "List of unneeded inetd/xinetd services to be disabled", + handle => "stigs_vars_redhat_5_unneeded_services", slist => { - "/usr/sbin/tcpdump", - "/usr/bin/nc", - }; - - "homes" -> { "GEN004580" } - comment => "String source of all home directories on the system", - handle => "stigs_vars_redhat_5_homes_source", - string => execresult("/bin/cut -d: -f6 /etc/passwd","noshell"); - - "home_list" -> { "GEN004580" } - comment => "List of all home directories on the system (ready to use)", - handle => "sting_vars_redhat_5_home_list", + "bluetooth", + "irda", + "im_sensors", + "portmap", + "rawdevices", + "rpcgssd", + "rpcidmapd", + "rpcsvcgssd", + "sendmail", + "xinetd", + "finger", + }; + + "$(unneeded_services)_status" -> { "GEN003700", "GEN003860" } + comment => "List of service status of those unneeded services", + handle => "stigs_vars_redhat_5_unneeded_services_status", + string => execresult( + "/sbin/chkconfig --list $(unneeded_services)", "noshell" + ); + + "network_analysis_tools" -> { "GEN003865" } + comment => "List of network analysis tools to be disabled", + handle => "stigs_vars_redhat_5_network_analysis_tools", + slist => { "/usr/sbin/tcpdump", "/usr/bin/nc" }; + + "homes" -> { "GEN004580" } + comment => "String source of all home directories on the system", + handle => "stigs_vars_redhat_5_homes_source", + string => execresult("/bin/cut -d: -f6 /etc/passwd", "noshell"); + + "home_list" -> { "GEN004580" } + comment => "List of all home directories on the system (ready to use)", + handle => 
"sting_vars_redhat_5_home_list", slist => splitstring("$(homes)", "[\n]", 100); -# "accounts_to_disable" -> { "GEN004820", "GEN004840" } -# comment => "List of users to be disabled (not to be deleted from the system)", -# handle => "stigs_vars_redhat_5_accounts_to_disable", -# slist => { -# "ftp", -# }; - - "accounts_to_delete" -> { "GEN004820", "GEN004840", "LNX00320", "LNX00340" } - comment => "List of unnecessary accounts", - handle => "stigs_vars_redhat_5_accounts_to_delete", - slist => { - "ftp", - "shutdown", - "halt", - "game", - "news", - "operator", - "gopher", - "nfsnobody", - }; - - "ftpusers_files" -> { "GEN004880" } - comment => "List of ftpusers files", - handle => "stigs_vars_redhat_5_ftpusers_files", + # "accounts_to_disable" -> { "GEN004820", "GEN004840" } + # comment => "List of users to be disabled (not to be deleted from the system)", + # handle => "stigs_vars_redhat_5_accounts_to_disable", + # slist => { + # "ftp", + # }; + "accounts_to_delete" -> { + "GEN004820", "GEN004840", "LNX00320", "LNX00340" + } + comment => "List of unnecessary accounts", + handle => "stigs_vars_redhat_5_accounts_to_delete", slist => { - "/etc/ftpusers", - "/etc/vsftpd.ftpusers", - }; - - "security_tools" -> { "GEN006520" } - comment => "List of security tools and databases", - handle => "stigs_vars_redhat_5_security_tools", + "ftp", + "shutdown", + "halt", + "game", + "news", + "operator", + "gopher", + "nfsnobody", + }; + + "ftpusers_files" -> { "GEN004880" } + comment => "List of ftpusers files", + handle => "stigs_vars_redhat_5_ftpusers_files", + slist => { "/etc/ftpusers", "/etc/vsftpd.ftpusers" }; + + "security_tools" -> { "GEN006520" } + comment => "List of security tools and databases", + handle => "stigs_vars_redhat_5_security_tools", slist => { - "/etc/rc.d/init.d/iptables", - "/sbin/iptables", - "/usr/share/logwatch/scripts/services/iptables", - }; - - "hosts_allow" -> { "GEN006620" } - comment => "List of hosts to be assigned to /etc/hosts.allow", - handle 
=> "stigs_vars_redhat_5_hosts_allow", - slist => { - "ALL:10.", - "ALL:172.16.", - "ALL:192.168.", - }; - -# - - classes: - - redhat_5:: - - "have_usr_partitioned" -> { "GEN001080" } - comment => "Check if /usr is partitioned", - handle => "stigs_classes_redhat_5_usr_partitioned", - expression => regcmp(".*/usr.*","$(fstab_contents)"); - - "have_usr_$(shells)" -> { "GEN001080" } - comment => "Check if there are any Root shells in $(usr_dir)", - handle => "stigs_classes_redhat_5_shells_in_usr", - expression => fileexists("$(usr_dir)/$(shells)"); - - "do_$(hosts_related_files)" -> { "GEN002040" } - comment => "Check if the files are symlinks", - handle => "stigs_classes_redhat_5_hosts_related_files", - not => islink("$(hosts_related_files)"); - - "$(allusers_not_root)_less_than_500" -> { "GEN002640" } - comment => "Check if the UID less than 500 (System accounts)", - handle => "stigs_classes_redhat_5_uid_less_than_500", - expression => islessthan("$($(allusers_not_root)_uid)","500"); - - "$(preferred_services)_off" -> { "GEN002660" } - comment => "Check if those preferred services are on or not", - handle => "stigs_classes_redhat_5_preferred_services_off", - not => regcmp(".*:on.*","$($(preferred_services)_status)"); - - "$(unneeded_services)_on" -> { "GEN003700", "GEN003860" } - comment => "Check if those unneeded services are on or not", - handle => "stigs_classes_redhat_5_unneeded_services_on", - expression => regcmp(".*:on.*","$($(unneeded_services)_status)"); - - "have_xwindows" -> { "LNX00360" } - comment => "Check if the machine has X windows installed", - handle => "stigs_classes_redhat_5_have_xwindows", - expression => fileexists("/etc/gdm/custom.conf"); - -# - - files: - - redhat_5:: - - "/etc/inittab" -> { "GEN000020", "GEN000040", "GEN000060", "LNX00580" } + "/etc/rc.d/init.d/iptables", + "/sbin/iptables", + "/usr/share/logwatch/scripts/services/iptables", + }; + + "hosts_allow" -> { "GEN006620" } + comment => "List of hosts to be assigned to 
/etc/hosts.allow", + handle => "stigs_vars_redhat_5_hosts_allow", + slist => { "ALL:10.", "ALL:172.16.", "ALL:192.168." }; + + classes: + redhat_5:: + "have_usr_partitioned" -> { "GEN001080" } + comment => "Check if /usr is partitioned", + handle => "stigs_classes_redhat_5_usr_partitioned", + expression => regcmp(".*/usr.*", "$(fstab_contents)"); + + "have_usr_$(shells)" -> { "GEN001080" } + comment => "Check if there are any Root shells in $(usr_dir)", + handle => "stigs_classes_redhat_5_shells_in_usr", + expression => fileexists("$(usr_dir)/$(shells)"); + + "do_$(hosts_related_files)" -> { "GEN002040" } + comment => "Check if the files are symlinks", + handle => "stigs_classes_redhat_5_hosts_related_files", + not => islink("$(hosts_related_files)"); + + "$(allusers_not_root)_less_than_500" -> { "GEN002640" } + comment => "Check if the UID less than 500 (System accounts)", + handle => "stigs_classes_redhat_5_uid_less_than_500", + expression => islessthan("$($(allusers_not_root)_uid)", "500"); + + "$(preferred_services)_off" -> { "GEN002660" } + comment => "Check if those preferred services are on or not", + handle => "stigs_classes_redhat_5_preferred_services_off", + not => regcmp(".*:on.*", "$($(preferred_services)_status)"); + + "$(unneeded_services)_on" -> { "GEN003700", "GEN003860" } + comment => "Check if those unneeded services are on or not", + handle => "stigs_classes_redhat_5_unneeded_services_on", + expression => regcmp(".*:on.*", "$($(unneeded_services)_status)"); + + "have_xwindows" -> { "LNX00360" } + comment => "Check if the machine has X windows installed", + handle => "stigs_classes_redhat_5_have_xwindows", + expression => fileexists("/etc/gdm/custom.conf"); + + files: + redhat_5:: + "/etc/inittab" -> { "GEN000020", "GEN000040", "GEN000060", "LNX00580" } comment => "CAT I & II (Previously - G001, G002, G003, L222) UNIX STIG: 2.5.1.1 System Equipment, 12.14 The /etc/inittab File", - handle => "stigs_files_redhat_5_etc_inittab", - edit_line => 
maintain_inittab, + handle => "stigs_files_redhat_5_etc_inittab", + edit_line => maintain_inittab, classes => if_repaired("restart_inittab"); - "/etc/syslog.conf" -> { "GEN000440", "GEN003160", "GEN003660", "GEN004460", "GEN005400", "GEN005420" } + "/etc/syslog.conf" -> { + "GEN000440", + "GEN003160", + "GEN003660", + "GEN004460", + "GEN005400", + "GEN005420", + } comment => "CAT II & III (Previously - G012, G209, G134, G656, G657) UNIX STIG: 3.1.3 Account Access, 4.14 System Logging Daemon, 4.7 Sendmail or Equivalent", - handle => "stigs_files_redhat_5_etc_syslog_conf", - perms => mog("640","root","root"), - edit_line => maintain_syslog_conf, + handle => "stigs_files_redhat_5_etc_syslog_conf", + perms => mog("640", "root", "root"), + edit_line => maintain_syslog_conf, classes => if_repaired("restart_syslog"); - "/etc/pam.d/system-auth-ac" -> { "GEN000460", "GEN000600", "GEN000620", "GEN000640", "GEN000800" } - comment => "CAT II (Previously - G013, G019, G606) UNIX STIG: 3.1.3 Account Access, 3.2.1 Password Guidelines", - handle => "stigs_files_redhat_5_etc_pam_d_system_auth", - edit_defaults => empty, - edit_line => maintain_system_auth; - - "/usr/share/authconfig/authconfig.py" - comment => "CAT II (Previously - G013) UNIX STIG: 3.1.3 Accounnt Access", - handle => "stigs_files_redhat_5_usr_sbin_authconfig", + "/etc/pam.d/system-auth-ac" -> { + "GEN000460", "GEN000600", "GEN000620", "GEN000640", "GEN000800" + } + comment => "CAT II (Previously - G013, G019, G606) UNIX STIG: 3.1.3 Account Access, 3.2.1 Password Guidelines", + handle => "stigs_files_redhat_5_etc_pam_d_system_auth", + edit_defaults => empty, + edit_line => maintain_system_auth; + + "/usr/share/authconfig/authconfig.py" + comment => "CAT II (Previously - G013) UNIX STIG: 3.1.3 Accounnt Access", + handle => "stigs_files_redhat_5_usr_sbin_authconfig", perms => m("ugo-x"); - "/etc/login.defs" -> { "GEN000480", "GEN000540", "GEN000580", "GEN000700", "GEN000820" } + "/etc/login.defs" -> { + "GEN000480", 
"GEN000540", "GEN000580", "GEN000700", "GEN000820" + } comment => "CAT II (Previously - G004, G019, G020) UNIX STIG: 3.1.3 Account Access, 3.2.1 Password Guidelines", - handle => "stigs_files_redhat_5_etc_login_defs", - edit_line => maintain_login_defs; + handle => "stigs_files_redhat_5_etc_login_defs", + edit_line => maintain_login_defs; - "/etc/profile" -> { "GEN000500" } + "/etc/profile" -> { "GEN000500" } comment => "CAT II (Previously - G605) UNIX STIG: 3.1.4 Inactivity Timeout/Locking", - handle => "stigs_vars_redhat_5_etc_profile", - edit_line => maintain_etc_profile; + handle => "stigs_vars_redhat_5_etc_profile", + edit_line => maintain_etc_profile; - "/etc/passwd" -> { "GEN000900" } + "/etc/passwd" -> { "GEN000900" } comment => "CAT II (Previously - G022) UNIX STIG: 3.3 Root Account", - handle => "stigs_files_redhat_5_set_root_home_directory", - perms => mog("644", "root","root"), - edit_line => set_user_field("root","6","/root"); - - "/root" -> { "GEN000920" } - comment => "CAT II (Previously - G023) UNIX STIG: 3.3 Root Account", - handle => "stigs_files_redhat_5_root_dir", - perms => mog("700","root","root"); - - "/" -> { "GEN000920" } - comment => "CAT II (Previously - G023) UNIX STIG: 3.3 Root Account", - handle => "stigs_files_redhat_5_not_root_and_tmp_dir", - depth_search => recurse("1"), - file_select => only_dir_exclude2("root","tmp"), - perms => mog("755","root","root"); - - "/etc/securetty" -> { "GEN000980", "GEN001000", "LNX00620", "LNX00640", "LNX00660" } - comment => "CAT II (Previously - G026, G698) UNIX STIG: 3.3 Root Account, 12.17 The /etc/securetty File", - handle => "stigs_files_redhat_5_etc_securetty", - perms => mog("640","root","root"), - edit_defaults => empty, - edit_line => maintain_securetty; - - "/etc/pam.d/sshd" -> { "GEN001020" } + handle => "stigs_files_redhat_5_set_root_home_directory", + perms => mog("644", "root", "root"), + edit_line => set_user_field("root", "6", "/root"); + + "/root" -> { "GEN000920" } + comment => "CAT 
II (Previously - G023) UNIX STIG: 3.3 Root Account", + handle => "stigs_files_redhat_5_root_dir", + perms => mog("700", "root", "root"); + + "/" -> { "GEN000920" } + comment => "CAT II (Previously - G023) UNIX STIG: 3.3 Root Account", + handle => "stigs_files_redhat_5_not_root_and_tmp_dir", + depth_search => recurse("1"), + file_select => only_dir_exclude2("root", "tmp"), + perms => mog("755", "root", "root"); + + "/etc/securetty" -> { + "GEN000980", "GEN001000", "LNX00620", "LNX00640", "LNX00660" + } + comment => "CAT II (Previously - G026, G698) UNIX STIG: 3.3 Root Account, 12.17 The /etc/securetty File", + handle => "stigs_files_redhat_5_etc_securetty", + perms => mog("640", "root", "root"), + edit_defaults => empty, + edit_line => maintain_securetty; + + "/etc/pam.d/sshd" -> { "GEN001020" } comment => "CAT II UNIX STIG: 3.3 Root Account", - handle => "stigs_files_redhat_5_etc_pamd_sshd", - edit_line => maintain_pamd_sshd; + handle => "stigs_files_redhat_5_etc_pamd_sshd", + edit_line => maintain_pamd_sshd; - "/etc/pam.d/login" -> { "GEN001020" } + "/etc/pam.d/login" -> { "GEN001020" } comment => "CAT II UNIX STIG: 3.3 Root Account", - handle => "stigs_files_redhat_5_etc_pamd_login", - edit_line => maintain_pamd_login; + handle => "stigs_files_redhat_5_etc_pamd_login", + edit_line => maintain_pamd_login; - "/etc/security/access.conf" -> { "GEN001020", "LNX00400", "LNX00420", "LNX00440" } + "/etc/security/access.conf" -> { + "GEN001020", "LNX00400", "LNX00420", "LNX00440" + } comment => "CAT II (Previously - L044, L045, L046) UNIX STIG: 3.3 Root Account, 12.11 Console Access ", - handle => "stigs_files_redhat_5_etc_security_access_conf", - perms => mog("640","root","root"), - edit_line => maintain_security_access_conf; - - "$(usr_dir)/$(shells)" -> { "GEN001080" } - comment => "CAT III, (Previously - G229) UNIX STIG: 3.3 Root Account", - handle => "stigs_files_redhat_5_usr_bin_root_shells", - rename => disable, - if => "have_usr_partitioned.have_usr_$(shells)"; - 
- "$(usr_dir)/$(shells).cfdisabled" -> { "GEN001080" } - comment => "CAT III, (Previously - G229) UNIX STIG: 3.3 Root Account", - handle => "stigs_files_redhat_5_usr_bin_root_shells_cfdisabled", - perms => mog("400","root","root"); - - "/etc/passwd" -> { "GEN001080", "GEN001380", "GEN001400" } + handle => "stigs_files_redhat_5_etc_security_access_conf", + perms => mog("640", "root", "root"), + edit_line => maintain_security_access_conf; + + "$(usr_dir)/$(shells)" -> { "GEN001080" } + comment => "CAT III, (Previously - G229) UNIX STIG: 3.3 Root Account", + handle => "stigs_files_redhat_5_usr_bin_root_shells", + rename => disable, + if => "have_usr_partitioned.have_usr_$(shells)"; + + "$(usr_dir)/$(shells).cfdisabled" -> { "GEN001080" } + comment => "CAT III, (Previously - G229) UNIX STIG: 3.3 Root Account", + handle => "stigs_files_redhat_5_usr_bin_root_shells_cfdisabled", + perms => mog("400", "root", "root"); + + "/etc/passwd" -> { "GEN001080", "GEN001380", "GEN001400" } comment => "CAT I && II (Previously - G047, G048, G229) UNIX STIG: 3.3 Root Account, 3.4 File and Directory Controls", - handle => "stigs_files_redhat_5_set_root_shell", - perms => mog("644", "root","root"), - edit_line => set_user_field("root","7","/bin/bash"); + handle => "stigs_files_redhat_5_set_root_shell", + perms => mog("644", "root", "root"), + edit_line => set_user_field("root", "7", "/bin/bash"); - "/etc/ssh/sshd_config" -> { "GEN001120", "GEN005500", "GEN005540" } + "/etc/ssh/sshd_config" -> { "GEN001120", "GEN005500", "GEN005540" } comment => "CAT I & II (Previously - G500, G701) UNIX STIG: 3.3.1 Encrypted Root Access, 4.15 Secure Shell (SSH) and Equivalents", - handle => "stigs_files_redhat_5_etc_ssh_sshd_config", - edit_line => maintain_sshd_config, + handle => "stigs_files_redhat_5_etc_ssh_sshd_config", + edit_line => maintain_sshd_config, classes => if_repaired("restart_sshd"); - "$(network_services_daemon_files)" -> { "GEN001180" } - comment => "CAT II (Previously - G036) UNIX 
STIG: 3.4 File and Directory Controls", - handle => "stigs_files_redhat_5_network_services_daemon_files", + "$(network_services_daemon_files)" -> { "GEN001180" } + comment => "CAT II (Previously - G036) UNIX STIG: 3.4 File and Directory Controls", + handle => "stigs_files_redhat_5_network_services_daemon_files", perms => m("755"); - "$(system_dirs)" -> { "GEN001220", "GEN001240" } - comment => "CAT II (Previously - G045, G046) UNIX STIG: 3.4 File and Directory Controls", - handle => "stigs_files_redhat_5_system_dirs", - perms => mog("755","root","root"); - - "$(system_log_files)" -> { "GEN001260", "GEN002700" } - comment => "CAT I & II (Previously - G095) UNIX STIG: 3.4 File and Directory Controls, 3.16 Audit Requirements", - handle => "stigs_files_redhat_5_system_log_files", - depth_search => recurse("inf"), - file_select => exclude2("cron.*","audit"), - perms => m("640"); - - "$(manual_page_files)" -> { "GEN001280" } - comment => "CAT III, UNIX STIG: 3.4 File and Directory Controls", - handle => "stigs_files_redhat_5_manual_page_files", - depth_search => recurse("inf"), - perms => m("644"); - - "$(library_dirs)" -> { "GEN001300" } - comment => "CAT II (Previously - G043) UNIX STIG: 3.4 File and Directory Controls", - handle => "stigs_files_redhat_5_library_dirs", - depth_search => recurse("inf"), - perms => m("755"); - - "$(nis_nisplus_yp_files)" -> { "GEN001320", "GEN001340", "GEN001360" } - comment => "CAT II (Previously - G039, G040, G041) UNIX STIG: 3.4 File and Directory Controls", - handle => "stigs_files_redhat_5_nis_nisplus_yp_files", - depth_search => recurse("inf"), -# file_select => plain, - perms => mog("755","root","root"); - - "/etc/shadow" -> { "GEN001400", "GEN001420" } - comment => "CAT II (Previously - G047, G50) UNIX STIG: 3.4 File and Directory Controls", - handle => "stigs_files_redhat_5_etc_shadow", - perms => mog("400","root","root"); - - "/home/$(users_list)/." 
-> { "GEN001440", "GEN001460", "GEN001480", "GEN001500", "GEN001520", "GEN001540", "GEN001560", "GEN001860", "GEN001920", "GEN001940" } - comment => "CAT II & III & IV (Previously - G051, G052, G053, G054, G055, G067, G068, G082, G056, G060, G609) UNIX STIG: 3.5, 3.6 Home Directories and User Files, 3.8.2 Local Initialization Files", - handle => "stigs_files_redhat_5_home_users", - create => "true", - depth_search => recurse("inf"), - file_select => exclude2(".dt",".dtprofile"), - perms => mog("700","$(users_list)","$(users_list)"); - - "/var/lib/avahi-autoipd/." -> { "GEN001460" } - comment => "CAT III (Previously - G052) UNIX STIG: 3.5 Home Directories", - handle => "stigs_files_redhat_5_var_lib_avahi_autoipd", - create => "true", + "$(system_dirs)" -> { "GEN001220", "GEN001240" } + comment => "CAT II (Previously - G045, G046) UNIX STIG: 3.4 File and Directory Controls", + handle => "stigs_files_redhat_5_system_dirs", + perms => mog("755", "root", "root"); + + "$(system_log_files)" -> { "GEN001260", "GEN002700" } + comment => "CAT I & II (Previously - G095) UNIX STIG: 3.4 File and Directory Controls, 3.16 Audit Requirements", + handle => "stigs_files_redhat_5_system_log_files", + depth_search => recurse("inf"), + file_select => exclude2("cron.*", "audit"), + perms => m("640"); + + "$(manual_page_files)" -> { "GEN001280" } + comment => "CAT III, UNIX STIG: 3.4 File and Directory Controls", + handle => "stigs_files_redhat_5_manual_page_files", + depth_search => recurse("inf"), perms => m("644"); - "$(umask_files)" -> { "GEN001560", "GEN002560" } + "$(library_dirs)" -> { "GEN001300" } + comment => "CAT II (Previously - G043) UNIX STIG: 3.4 File and Directory Controls", + handle => "stigs_files_redhat_5_library_dirs", + depth_search => recurse("inf"), + perms => m("755"); + + "$(nis_nisplus_yp_files)" -> { "GEN001320", "GEN001340", "GEN001360" } + comment => "CAT II (Previously - G039, G040, G041) UNIX STIG: 3.4 File and Directory Controls", + handle => 
"stigs_files_redhat_5_nis_nisplus_yp_files", + depth_search => recurse("inf"), + # file_select => plain, + perms => mog("755", "root", "root"); + + "/etc/shadow" -> { "GEN001400", "GEN001420" } + comment => "CAT II (Previously - G047, G50) UNIX STIG: 3.4 File and Directory Controls", + handle => "stigs_files_redhat_5_etc_shadow", + perms => mog("400", "root", "root"); + + "/home/$(users_list)/." -> { + "GEN001440", + "GEN001460", + "GEN001480", + "GEN001500", + "GEN001520", + "GEN001540", + "GEN001560", + "GEN001860", + "GEN001920", + "GEN001940", + } + comment => "CAT II & III & IV (Previously - G051, G052, G053, G054, G055, G067, G068, G082, G056, G060, G609) UNIX STIG: 3.5, 3.6 Home Directories and User Files, 3.8.2 Local Initialization Files", + handle => "stigs_files_redhat_5_home_users", + create => "true", + depth_search => recurse("inf"), + file_select => exclude2(".dt", ".dtprofile"), + perms => mog("700", "$(users_list)", "$(users_list)"); + + "/var/lib/avahi-autoipd/." -> { "GEN001460" } + comment => "CAT III (Previously - G052) UNIX STIG: 3.5 Home Directories", + handle => "stigs_files_redhat_5_var_lib_avahi_autoipd", + create => "true", + perms => m("644"); + + "$(umask_files)" -> { "GEN001560", "GEN002560" } comment => "CAT II && III (Previously - G068, G089), UNIX STIG: 3.6 User Files, 3.13 Umask", - handle => "stigs_files_redhat_5_etc_bashrc", - edit_line => maintain_umask("077"); - - "$(rc_files)" -> { "GEN001580", "GEN001620", "GEN001640", "GEN001660", "GEN001680", "GEN001700" } - comment => "CAT I & II (Previously - G058, G061, G062, G611, G612, G613) UNIX STIG: 3.7 Run Control Scripts", - handle => "stigs_files_redhat_5_rc_files", - perms => mog("755","root","root"); - -# "/etc/init.d/.*" -> { "GEN001580", "GEN001620", "GEN001660", "GEN001680" } -# comment => "CAT I & II (Previously - G058, G061, G611, G612) UNIX STIG: 3.7 Run Control Scripts", -# handle => "stigs_files_redhat_5_run_control_scripts_etc_initd", -# perms => 
mog("755","root","root"); - - "/etc/rc.d/init.d" -> { "GEN001580", "GEN001620", "GEN001640", "GEN001660", "GEN001680", "GEN001700" } - comment => "CAT I & II (Previously - G058, G061, G062, G611, G612, G613) UNIX STIG: 3.7 Run Control Scripts", - handle => "stigs_files_redhat_5_run_control_scripts_etc_rcd_initd", - depth_search => recurse("1"), - file_select => exclude("iptables"), - perms => mog("755","root","root"); - - "$(global_init_files)" -> { "GEN001720", "GEN001740", "GEN001760", "GEN001780" } + handle => "stigs_files_redhat_5_etc_bashrc", + edit_line => maintain_umask("077"); + + "$(rc_files)" -> { + "GEN001580", + "GEN001620", + "GEN001640", + "GEN001660", + "GEN001680", + "GEN001700", + } + comment => "CAT I & II (Previously - G058, G061, G062, G611, G612, G613) UNIX STIG: 3.7 Run Control Scripts", + handle => "stigs_files_redhat_5_rc_files", + perms => mog("755", "root", "root"); + + # "/etc/init.d/.*" -> { "GEN001580", "GEN001620", "GEN001660", "GEN001680" } + # comment => "CAT I & II (Previously - G058, G061, G611, G612) UNIX STIG: 3.7 Run Control Scripts", + # handle => "stigs_files_redhat_5_run_control_scripts_etc_initd", + # perms => mog("755","root","root"); + "/etc/rc.d/init.d" -> { + "GEN001580", + "GEN001620", + "GEN001640", + "GEN001660", + "GEN001680", + "GEN001700", + } + comment => "CAT I & II (Previously - G058, G061, G062, G611, G612, G613) UNIX STIG: 3.7 Run Control Scripts", + handle => "stigs_files_redhat_5_run_control_scripts_etc_rcd_initd", + depth_search => recurse("1"), + file_select => exclude("iptables"), + perms => mog("755", "root", "root"); + + "$(global_init_files)" -> { + "GEN001720", "GEN001740", "GEN001760", "GEN001780" + } comment => "CAT II & III (Previously - G112) UNIX STIG: 3.8.1 Global Initialization Files", - handle => "stigs_files_redhat_5_global_init_files", - edit_line => append_if_no_line("mesg n"), - perms => mog("644","root","root"); + handle => "stigs_files_redhat_5_global_init_files", + edit_line => 
append_if_no_line("mesg n"), + perms => mog("644", "root", "root"); - "$(skeleton_dot_files)" -> { "GEN001800", "GEN001820" } - comment => "CAT II (Previously - G038) UNIX STIG: 3.8.1 Global Initialization Files", - handle => "stigs_files_redhat_5_skeleton_dot_files", - perms => mog("644","root","root"); + "$(skeleton_dot_files)" -> { "GEN001800", "GEN001820" } + comment => "CAT II (Previously - G038) UNIX STIG: 3.8.1 Global Initialization Files", + handle => "stigs_files_redhat_5_skeleton_dot_files", + perms => mog("644", "root", "root"); - "/home/$(users_list)/$(excluded_local_init_files)" -> { "GEN001880" } - comment => "CAT II (Previously - G057) 3.8.2 Local Initialization Files", - handle => "stigs_files_redhat_5_local_init_files", - perms => mog("755","$(users_list)","$(users_list)"); + "/home/$(users_list)/$(excluded_local_init_files)" -> { "GEN001880" } + comment => "CAT II (Previously - G057) 3.8.2 Local Initialization Files", + handle => "stigs_files_redhat_5_local_init_files", + perms => mog("755", "$(users_list)", "$(users_list)"); - "/home/$(users_list)/..*" -> { "GEN001960" } + "/home/$(users_list)/..*" -> { "GEN001960" } comment => "CAT III (Previously - G610) 3.8.2 Local Initialization Files", - handle => "stigs_files_redhat_5_remove_mesg_file", - edit_line => remove_mesg_y; + handle => "stigs_files_redhat_5_remove_mesg_file", + edit_line => remove_mesg_y; - "$(hosts_related_files)" -> { "GEN002040" } - comment => "CAT I UNIX STIG: 3.9 Trusted System/System Access Control Files", - handle => "stigs_files_redhat_5_remove_and_symlink_hosts_related_files", - delete => tidy, - link_from => ln_s("/dev/null"), - if => canonify("do_$(hosts_related_files)"); + "$(hosts_related_files)" -> { "GEN002040" } + comment => "CAT I UNIX STIG: 3.9 Trusted System/System Access Control Files", + handle => "stigs_files_redhat_5_remove_and_symlink_hosts_related_files", + delete => tidy, + link_from => ln_s("/dev/null"), + if => canonify("do_$(hosts_related_files)"); - 
"$(pam_files)" -> { "GEN002100" } + "$(pam_files)" -> { "GEN002100" } comment => "CAT II UNIX STIG: 3.9 Trusted System/System Access Control Files", - handle => "stigs_files_redhat_5_pam_files", - edit_line => comment_lines_matching("^auth.*pam_rhosts_auth.so","#"); - - "/etc/shells" -> { "GEN002120" } - comment => "CAT II (Previously - G069) UNIX STIG: 3.10 Shells", - handle => "stigs_files_redhat_5_etc_shells", - create => "true", - edit_defaults => empty, - perms => mog("644","root","root"), - edit_line => maintain_etc_shells; - - "$(shell_files)" -> { "GEN002160", "GEN002180", "GEN002200", "GEN002220" } - comment => "CAT I & II (Previously - G072, G073, G074, G075) UNIX STIG: 3.10 Shells", - handle => "stigs_files_redhat_5_shell_files", - perms => mog("0755","root","root"); - - "/etc/security/console.perms.d/50-default.perms" -> { "GEN002320" } + handle => "stigs_files_redhat_5_pam_files", + edit_line => comment_lines_matching("^auth.*pam_rhosts_auth.so", "#"); + + "/etc/shells" -> { "GEN002120" } + comment => "CAT II (Previously - G069) UNIX STIG: 3.10 Shells", + handle => "stigs_files_redhat_5_etc_shells", + create => "true", + edit_defaults => empty, + perms => mog("644", "root", "root"), + edit_line => maintain_etc_shells; + + "$(shell_files)" -> { "GEN002160", "GEN002180", "GEN002200", "GEN002220" } + comment => "CAT I & II (Previously - G072, G073, G074, G075) UNIX STIG: 3.10 Shells", + handle => "stigs_files_redhat_5_shell_files", + perms => mog("0755", "root", "root"); + + "/etc/security/console.perms.d/50-default.perms" -> { "GEN002320" } comment => "CAT II (Previously - G501) UNIX STIG: 3.11 Device Files", - handle => "stigs_files_redhat_5_security_default_perms", - edit_line => remove_audio_devices; + handle => "stigs_files_redhat_5_security_default_perms", + edit_line => remove_audio_devices; - "/etc/udev/rules.d/55-audio-perms.rules" -> { "GEN002320", "GEN002340", "GEN002360" } + "/etc/udev/rules.d/55-audio-perms.rules" -> { + "GEN002320", 
"GEN002340", "GEN002360" + } comment => "CAT II (Previously - G501, G502, G504) UNIX STIG: 3.11 Device Files", - handle => "stigs_files_redhat_5_audio_perms_rules", - create => "true", - edit_line => maintain_audio_devices; + handle => "stigs_files_redhat_5_audio_perms_rules", + create => "true", + edit_line => maintain_audio_devices; - "/var/cfengine/state/cf_incoming.*" -> { "GEN002480" } - comment => "CAT II (Previously - G079) UNIX STIG: 3.12.3 Stick Bit", - handle => "stigs_files_redhat_5_cf_incoming_files", + "/var/cfengine/state/cf_incoming.*" -> { "GEN002480" } + comment => "CAT II (Previously - G079) UNIX STIG: 3.12.3 Stick Bit", + handle => "stigs_files_redhat_5_cf_incoming_files", perms => m("644"); - "/etc/passwd" -> { "GEN002640", "GEN005000" } - comment => "CAT I & II (Previously - G649, G092) UNIX STIG: 3.15 Default Accounts, 4.8.1 FTP Configuration", - handle => "stigs_files_redhat_5_default_accounts_shell", - edit_line => set_user_field("$(allusers_not_root)","7","/sbin/nologin"), - if => "$(allusers_not_root)_less_than_500"; - - "/etc/passwd" -> { "GEN002640" } - comment => "CAT II (Previously - G092) UNIX STIG: 3.15 Default Accounts", - handle => "stigs_files_redhat_5_default_accounts_shell_for_badnaming_users", - edit_line => set_user_field("avahi-autoipd","7","/sbin/nologin"); - - "/etc/audit/audit.rules" -> { "GEN002660", "GEN002700", "GEN002720", "GEN002740", "GEN002760", "GEN002780", "GEN002800", "GEN002820", "GEN002840" } - comment => "CAT I & II (Previously - G093, G095, G100-G106) UNIX STIG: 3.16 Audit Requirements", - handle => "stigs_files_redhat_5_etc_audit_audit_rules", - perms => m("640"), - edit_defaults => empty, - edit_line => maintain_audit_rules; - - "/var/log/audit" -> { "GEN002680" } - comment => "CAT II (Previously - G094) UNIX STIG: 3.16 Audit Requirements", - handle => "stigs_files_redhat_5_var_log_audit", + "/etc/passwd" -> { "GEN002640", "GEN005000" } + comment => "CAT I & II (Previously - G649, G092) UNIX STIG: 3.15 
Default Accounts, 4.8.1 FTP Configuration", + handle => "stigs_files_redhat_5_default_accounts_shell", + edit_line => set_user_field( + "$(allusers_not_root)", "7", "/sbin/nologin" + ), + if => "$(allusers_not_root)_less_than_500"; + + "/etc/passwd" -> { "GEN002640" } + comment => "CAT II (Previously - G092) UNIX STIG: 3.15 Default Accounts", + handle => "stigs_files_redhat_5_default_accounts_shell_for_badnaming_users", + edit_line => set_user_field("avahi-autoipd", "7", "/sbin/nologin"); + + "/etc/audit/audit.rules" -> { + "GEN002660", + "GEN002700", + "GEN002720", + "GEN002740", + "GEN002760", + "GEN002780", + "GEN002800", + "GEN002820", + "GEN002840", + } + comment => "CAT I & II (Previously - G093, G095, G100-G106) UNIX STIG: 3.16 Audit Requirements", + handle => "stigs_files_redhat_5_etc_audit_audit_rules", + perms => m("640"), + edit_defaults => empty, + edit_line => maintain_audit_rules; + + "/var/log/audit" -> { "GEN002680" } + comment => "CAT II (Previously - G094) UNIX STIG: 3.16 Audit Requirements", + handle => "stigs_files_redhat_5_var_log_audit", perms => m("700"); - "/etc/logrotate.d/audit" -> { "GEN002860" } - comment => "CAT II (Previously - G674) UNIX STIG: 3.16 Audit Requirements", - handle => "stigs_files_redhat_5_logrotated_audit", - create => "true", - perms => mog("644","root","root"), - edit_defaults => empty, - edit_line => maintain_logrotated_audit; - - "/etc/cron.deny" -> { "GEN002960", "GEN003060", "GEN003200", "GEN003260" } - comment => "CAT II (Previously - G200, G620, G623) UNIX STIG: 3.17.3 Restrictions", - handle => "stigs_files_redhat_5_etc_cron_deny", - create => "true", - perms => mog("600","root","root"), - edit_defaults => empty, - edit_line => append_if_no_line("ALL"); - - "/etc/cron.allow" -> { "GEN002960", "GEN002980","GEN003060", "GEN003240" } - comment => "CAT II (Previously - G200, G201, G622) UNIX STIG: 3.17.3 Restrictions", - handle => "stigs_files_redhat_5_etc_cron_allow", - create => "true", - perms => 
mog("600","root","root"), - edit_defaults => empty, - edit_line => maintain_cron_allow("@(stigs.cron_users)"); - - "$(cron_dirs)" -> { "GEN003040", "GEN003080" } - comment => "CAT II (Previously - G205) UNIX STIG: 3.17.3 Restrictions", - handle => "stigs_files_redhat_5_cron_dirs_600", - depth_search => recurse("inf"), - perms => mog("600","root","root"); - - "$(other_cron_dirs)" -> { "GEN003040", "GEN003080" } - comment => "CAT II (Previously - G205) UNIX STIG: 3.17.3 Restrictions", - handle => "stigs_files_redhat_5_other_cron_dirs_700", - depth_search => recurse("inf"), - perms => mog("700","root","root"); - - "$(cron_files)" -> { "GEN003040", "GEN003080" } - comment => "CAT II (Previously - G205) UNIX STIG: 3.17.3 Restrictions", - handle => "stigs_files_redhat_5_other_cron_files", - perms => mog("600","root","root"); - - "/etc" -> { "GEN003100", "GEN003120", "GEN003140" } - comment => "CAT II (Previously - G206, G207, G208) UNIX STIG: 3.17.3 Restrictions", - handle => "stigs_files_redhat_5_cron_dirs_755", - depth_search => recurse("1"), - file_select => cron_dirs, - perms => mog("755","root","root"); - - "/var/spool" -> { "GEN003100", "GEN003120", "GEN003140" } - comment => "CAT II (Previously - G206, G207, G208) UNIX STIG: 3.17.3 Restrictions", - handle => "stigs_files_redhat_5_other_cron_dirs_755", - depth_search => recurse("1"), - file_select => cron_dirs, - perms => mog("755","root","root"); - - "/var/log/cron.*" -> { "GEN003180" } - comment => "CAT II (Previously - G210) UNIX STIG: 3.17.3 Restrictions", - handle => "stigs_files_redhat_5_var_log_cron", - perms => mog("600","root","root"); - - "/etc/at.deny" -> { "GEN003280", "GEN003300", "GEN003320", "GEN003340", "GEN003480" } + "/etc/logrotate.d/audit" -> { "GEN002860" } + comment => "CAT II (Previously - G674) UNIX STIG: 3.16 Audit Requirements", + handle => "stigs_files_redhat_5_logrotated_audit", + create => "true", + perms => mog("644", "root", "root"), + edit_defaults => empty, + edit_line => 
maintain_logrotated_audit; + + "/etc/cron.deny" -> { "GEN002960", "GEN003060", "GEN003200", "GEN003260" } + comment => "CAT II (Previously - G200, G620, G623) UNIX STIG: 3.17.3 Restrictions", + handle => "stigs_files_redhat_5_etc_cron_deny", + create => "true", + perms => mog("600", "root", "root"), + edit_defaults => empty, + edit_line => append_if_no_line("ALL"); + + "/etc/cron.allow" -> { + "GEN002960", "GEN002980", "GEN003060", "GEN003240" + } + comment => "CAT II (Previously - G200, G201, G622) UNIX STIG: 3.17.3 Restrictions", + handle => "stigs_files_redhat_5_etc_cron_allow", + create => "true", + perms => mog("600", "root", "root"), + edit_defaults => empty, + edit_line => maintain_cron_allow("@(stigs.cron_users)"); + + "$(cron_dirs)" -> { "GEN003040", "GEN003080" } + comment => "CAT II (Previously - G205) UNIX STIG: 3.17.3 Restrictions", + handle => "stigs_files_redhat_5_cron_dirs_600", + depth_search => recurse("inf"), + perms => mog("600", "root", "root"); + + "$(other_cron_dirs)" -> { "GEN003040", "GEN003080" } + comment => "CAT II (Previously - G205) UNIX STIG: 3.17.3 Restrictions", + handle => "stigs_files_redhat_5_other_cron_dirs_700", + depth_search => recurse("inf"), + perms => mog("700", "root", "root"); + + "$(cron_files)" -> { "GEN003040", "GEN003080" } + comment => "CAT II (Previously - G205) UNIX STIG: 3.17.3 Restrictions", + handle => "stigs_files_redhat_5_other_cron_files", + perms => mog("600", "root", "root"); + + "/etc" -> { "GEN003100", "GEN003120", "GEN003140" } + comment => "CAT II (Previously - G206, G207, G208) UNIX STIG: 3.17.3 Restrictions", + handle => "stigs_files_redhat_5_cron_dirs_755", + depth_search => recurse("1"), + file_select => cron_dirs, + perms => mog("755", "root", "root"); + + "/var/spool" -> { "GEN003100", "GEN003120", "GEN003140" } + comment => "CAT II (Previously - G206, G207, G208) UNIX STIG: 3.17.3 Restrictions", + handle => "stigs_files_redhat_5_other_cron_dirs_755", + depth_search => recurse("1"), + file_select 
=> cron_dirs, + perms => mog("755", "root", "root"); + + "/var/log/cron.*" -> { "GEN003180" } + comment => "CAT II (Previously - G210) UNIX STIG: 3.17.3 Restrictions", + handle => "stigs_files_redhat_5_var_log_cron", + perms => mog("600", "root", "root"); + + "/etc/at.deny" -> { + "GEN003280", "GEN003300", "GEN003320", "GEN003340", "GEN003480" + } comment => "CAT II (Previously - G211, G212, G213, G214, G630) UNIX STIG: 3.18.3 Restrictions", - handle => "stigs_files_redhat_5_etc_at_deny_all_not_root", - create => "true", - perms => mog("600","root","root"), - edit_line => append_if_no_lines("@(stigs.at_deny_users)"); - - "/etc/at.allow" -> { "GEN003320", "GEN003340", "GEN003460" } - comment => "CAT II (Previously - G213, G214, G629) UNIX STIG: 3.18.3 Restrictions", - handle => "stigs_files_redhat_5_etc_at_allow", - create => "true", - perms => mog("600","root","root"), - edit_defaults => empty, - edit_line => maintain_at_allow; - - "/var/spool/at/spool/" -> { "GEN003400", "GEN003420" } - comment => "CAT II (Previously - G625, G626) UNIX STIG: 3.18.3 Restrictions", - handle => "stigs_files_redhat_5_var_spool_at_spool", - perms => mog("755","root","root"); - - "/etc/security/limits.conf" -> { "GEN003500" } - comment => "CAT III UNIX STIG: 3.20.1 Restrict/Disable Core Dumps", - handle => "stigs_files_redhat_5_etc_security_limits_conf", - edit_line => append_if_no_line("* - core 0"); - - "/var/crash" -> { "GEN003520" } - comment => "CAT III UNIX STIG: 3.20.1 Restrict/Disable Core Dumps", - handle => "stigs_files_redhat_5_var_crash", - perms => mog("700","root","root"); - - "/etc/sysctl.conf" -> { "GEN003600", "GEN005600", "LNX00480", "LNX00500","LNX00520" } + handle => "stigs_files_redhat_5_etc_at_deny_all_not_root", + create => "true", + perms => mog("600", "root", "root"), + edit_line => append_if_no_lines("@(stigs.at_deny_users)"); + + "/etc/at.allow" -> { "GEN003320", "GEN003340", "GEN003460" } + comment => "CAT II (Previously - G213, G214, G629) UNIX STIG: 3.18.3 
Restrictions", + handle => "stigs_files_redhat_5_etc_at_allow", + create => "true", + perms => mog("600", "root", "root"), + edit_defaults => empty, + edit_line => maintain_at_allow; + + "/var/spool/at/spool/" -> { "GEN003400", "GEN003420" } + comment => "CAT II (Previously - G625, G626) UNIX STIG: 3.18.3 Restrictions", + handle => "stigs_files_redhat_5_var_spool_at_spool", + perms => mog("755", "root", "root"); + + "/etc/security/limits.conf" -> { "GEN003500" } + comment => "CAT III UNIX STIG: 3.20.1 Restrict/Disable Core Dumps", + handle => "stigs_files_redhat_5_etc_security_limits_conf", + edit_line => append_if_no_line("* - core 0"); + + "/var/crash" -> { "GEN003520" } + comment => "CAT III UNIX STIG: 3.20.1 Restrict/Disable Core Dumps", + handle => "stigs_files_redhat_5_var_crash", + perms => mog("700", "root", "root"); + + "/etc/sysctl.conf" -> { + "GEN003600", "GEN005600", "LNX00480", "LNX00500", "LNX00520" + } comment => "CAT II (Previously - L204, L206, L208) UNIX STIG: 3.20.5 Network Security Settings, 12.12 Kernel Configuration File", - handle => "stigs_files_redhat_5_etc_sysctl_conf", - perms => mog("600","root","root"), - edit_line => maintain_sysctl_conf, + handle => "stigs_files_redhat_5_etc_sysctl_conf", + perms => mog("600", "root", "root"), + edit_line => maintain_sysctl_conf, classes => if_repaired("restart_sysctl"); - "/etc/xinetd.d" -> { "GEN003720", "GEN003740" } - comment => "CAT II (Previously - G107, G108) UNIX STIG: 4 Network Services", - handle => "stigs_files_redhat_5_etc_xinetdd_dir", - perms => mog("755","root","root"); - - "/etc/xinetd.d" -> { "GEN003720" } - comment => "CAT II (Previously - G107) UNIX STIG: 4 Network Services", - handle => "stigs_files_redhat_5_etc_xinetdd_files", - depth_search => recurse("inf"), - perms => mog("644","root","root"); - - "/etc/xinetd.conf" -> { "GEN003720", "GEN003740" } - comment => "CAT II (Previously - G107, G108) UNIX STIG: 4 Network Services", - handle => "stigs_files_redhat_5_etc_xinetd_conf", 
- perms => mog("440","root","root"); - - "/etc/services" -> { "GEN003760", "GEN003780" } - comment => "CAT II (Previously - G109, G110) UNIX STIG: 4 Network Services", - handle => "stigs_files_redhat_5_etc_services", - perms => mog("644","root","root"); - - "/usr/bin/finger" -> { "GEN003860" } - comment => "CAT II (Previously - V046) UNIX STIG: 4.3 Finger", - handle => "stigs_files_redhat_5_user_bin_finger", - perms => mog("700","root","root"), - rename => disable; - - "$(network_analysis_tools)" -> { "GEN003865" } - comment => "CAT II, UNIX STIG: 4.3 TCPDump", - handle => "stigs_files_redhat_5_network_analysis_tools", - perms => mog("700","root","root"), - rename => disable; - - "/bin/traceroute" -> { "GEN003960", "GEN003980", "GEN004000" } - comment => "CAT II (Previously - G631, G632, G633) UNIX STIG: 4.5 Traceroute", - handle => "stigs_files_redhat_5_bin_traceroute", - perms => mog("700","root","root"); - - "/etc/aliases" -> { "GEN004360", "GEN004380", "GEN004640" } + "/etc/xinetd.d" -> { "GEN003720", "GEN003740" } + comment => "CAT II (Previously - G107, G108) UNIX STIG: 4 Network Services", + handle => "stigs_files_redhat_5_etc_xinetdd_dir", + perms => mog("755", "root", "root"); + + "/etc/xinetd.d" -> { "GEN003720" } + comment => "CAT II (Previously - G107) UNIX STIG: 4 Network Services", + handle => "stigs_files_redhat_5_etc_xinetdd_files", + depth_search => recurse("inf"), + perms => mog("644", "root", "root"); + + "/etc/xinetd.conf" -> { "GEN003720", "GEN003740" } + comment => "CAT II (Previously - G107, G108) UNIX STIG: 4 Network Services", + handle => "stigs_files_redhat_5_etc_xinetd_conf", + perms => mog("440", "root", "root"); + + "/etc/services" -> { "GEN003760", "GEN003780" } + comment => "CAT II (Previously - G109, G110) UNIX STIG: 4 Network Services", + handle => "stigs_files_redhat_5_etc_services", + perms => mog("644", "root", "root"); + + "/usr/bin/finger" -> { "GEN003860" } + comment => "CAT II (Previously - V046) UNIX STIG: 4.3 Finger", + 
handle => "stigs_files_redhat_5_user_bin_finger", + perms => mog("700", "root", "root"), + rename => disable; + + "$(network_analysis_tools)" -> { "GEN003865" } + comment => "CAT II, UNIX STIG: 4.3 TCPDump", + handle => "stigs_files_redhat_5_network_analysis_tools", + perms => mog("700", "root", "root"), + rename => disable; + + "/bin/traceroute" -> { "GEN003960", "GEN003980", "GEN004000" } + comment => "CAT II (Previously - G631, G632, G633) UNIX STIG: 4.5 Traceroute", + handle => "stigs_files_redhat_5_bin_traceroute", + perms => mog("700", "root", "root"); + + "/etc/aliases" -> { "GEN004360", "GEN004380", "GEN004640" } comment => "CAT I & II (Previously - G127, G128, V126) UNIX STIG: 4.7 Sendmail or Equivalent", - handle => "stigs_files_redhat_5_etc_aliases", - perms => mog("644","root","root"), - edit_line => comment_lines_matching("decode:\h+root","#"), + handle => "stigs_files_redhat_5_etc_aliases", + perms => mog("644", "root", "root"), + edit_line => comment_lines_matching("decode:\h+root", "#"), classes => if_repaired("restart_aliases"); - "/etc/mail/sendmail.cf" -> { "GEN004440", "GEN004540", "GEN004560" } + "/etc/mail/sendmail.cf" -> { "GEN004440", "GEN004540", "GEN004560" } comment => "CAT III (Previously - G133, G646) UNIX STIG: 4.7 Sendmail or Equivalent", - handle => "stigs_files_redhat_5_etc_mail_sendmail_cf", - edit_line => maintain_sendmail, + handle => "stigs_files_redhat_5_etc_mail_sendmail_cf", + edit_line => maintain_sendmail, classes => if_repaired("restart_sendmail"); - "/var/log/maillog" -> { "GEN004480", "GEN004500" } - comment => "CAT II (Previously - G135, G136) UNIX STIG: 4.7 Sendmail or Equivalent", - handle => "stigs_files_redhat_5_var_log_maillog", - perms => mog("640","root","root"); - - "$(home_list)/.forward" -> { "GEN004580" } - comment => "CAT I (Previously - G647) UNIX STIG: 4.7 Sendmail or Equivalent", - handle => "stigs_files_redhat_5_home_dot_forward", - delete => tidy; - - "$(ftpusers_files)" -> { "GEN004880", "GEN004920", 
"GEN004940" } - comment => "CAT II (Previously - G140, G142, G143) UNIX STIG: 4.8.1 FTP Configuration", - handle => "stigs_files_redhat_5_etc_ftpusers", - create => "true", - perms => mo("640","root"); - - "$(ftpusers_files)" -> { "GEN004900" } - comment => "CAT II (Previously - G141) UNIX STIG: 4.8.1 FTP Configuration", - handle => "stigs_files_redhat_5_editing_etc_ftpusers", - edit_line => maintain_ftpusers("$(allusers_not_root)"), - if => "$(allusers_not_root)_less_than_500"; - - "/etc/snmp/snmpd.conf" -> { "GEN005320", "GEN005360" } - comment => "CAT II (Previously - G225) UNIX STIG: 4.13 Simple Network Management Protocol (SNMP)", - handle => "stigs_files_redhat_5_etc_snmp_snmpd_conf", - perms => mog("700","root","sys"); - - "/etc/ssh/ssh_config" -> { "GEN005500" } + "/var/log/maillog" -> { "GEN004480", "GEN004500" } + comment => "CAT II (Previously - G135, G136) UNIX STIG: 4.7 Sendmail or Equivalent", + handle => "stigs_files_redhat_5_var_log_maillog", + perms => mog("640", "root", "root"); + + "$(home_list)/.forward" -> { "GEN004580" } + comment => "CAT I (Previously - G647) UNIX STIG: 4.7 Sendmail or Equivalent", + handle => "stigs_files_redhat_5_home_dot_forward", + delete => tidy; + + "$(ftpusers_files)" -> { "GEN004880", "GEN004920", "GEN004940" } + comment => "CAT II (Previously - G140, G142, G143) UNIX STIG: 4.8.1 FTP Configuration", + handle => "stigs_files_redhat_5_etc_ftpusers", + create => "true", + perms => mo("640", "root"); + + "$(ftpusers_files)" -> { "GEN004900" } + comment => "CAT II (Previously - G141) UNIX STIG: 4.8.1 FTP Configuration", + handle => "stigs_files_redhat_5_editing_etc_ftpusers", + edit_line => maintain_ftpusers("$(allusers_not_root)"), + if => "$(allusers_not_root)_less_than_500"; + + "/etc/snmp/snmpd.conf" -> { "GEN005320", "GEN005360" } + comment => "CAT II (Previously - G225) UNIX STIG: 4.13 Simple Network Management Protocol (SNMP)", + handle => "stigs_files_redhat_5_etc_snmp_snmpd_conf", + perms => mog("700", "root", 
"sys"); + + "/etc/ssh/ssh_config" -> { "GEN005500" } comment => "CAT I UNIX STIG: 4.15 Secure Shell (SSH) and Equivalents", - handle => "stigs_files_redhat_5_etc_ssh_ssh_config", - edit_line => maintain_ssh_config; - - "/etc/ssh/ssh_banner" -> { "GEN005540" } - comment => "CAT II UNIX STIG: 4.15 Secure Shell (SSH) and Equivalents", - handle => "stigs_files_redhat_5_etc_ssh_ssh_banner", - create => "true", - perms => mog("640","root","root"), - edit_defaults => empty, - edit_line => create_ssh_banner; - - "/etc/exports" -> { "GEN005740", "GEN005760" } - comment => "CAT II & III (Previously - G178, G179) UNIX STIG: 4.20 Network Filesystem (NFS)", - handle => "stigs_files_redhat_5_etc_export", - perms => mog("644","root","root"); - - "/etc/samba/smb.conf" -> { "GEN006100", "GEN006120", "GEN006140" } - comment => "CAT II (Previously - L050, L051, L052) UNIX STIG: 4.24 Samba", - handle => "stigs_files_redhat_5_etc_samba_smb_conf", - perms => mog("644","root","root"); - - "/usr/bin/smbpasswd" -> { "GEN006160", "GEN006180", "GEN006200" } - comment => "CAT II (Previously - L054, L055, L056) UNIX STIG: 4.24 Samba", - handle => "stigs_files_redhat_5_usr_bin_smbpasswd", - perms => mog("600","root","root"); - - "/etc/news/hosts.nntp" -> { "GEN006260" } - comment => "CAT II (Previously - L154) UNIX STIG: 4.25 Internet Network News (INN)", - handle => "stigs_files_redhat_5_etc_news_hosts_nttp", + handle => "stigs_files_redhat_5_etc_ssh_ssh_config", + edit_line => maintain_ssh_config; + + "/etc/ssh/ssh_banner" -> { "GEN005540" } + comment => "CAT II UNIX STIG: 4.15 Secure Shell (SSH) and Equivalents", + handle => "stigs_files_redhat_5_etc_ssh_ssh_banner", + create => "true", + perms => mog("640", "root", "root"), + edit_defaults => empty, + edit_line => create_ssh_banner; + + "/etc/exports" -> { "GEN005740", "GEN005760" } + comment => "CAT II & III (Previously - G178, G179) UNIX STIG: 4.20 Network Filesystem (NFS)", + handle => "stigs_files_redhat_5_etc_export", + perms => 
mog("644", "root", "root"); + + "/etc/samba/smb.conf" -> { "GEN006100", "GEN006120", "GEN006140" } + comment => "CAT II (Previously - L050, L051, L052) UNIX STIG: 4.24 Samba", + handle => "stigs_files_redhat_5_etc_samba_smb_conf", + perms => mog("644", "root", "root"); + + "/usr/bin/smbpasswd" -> { "GEN006160", "GEN006180", "GEN006200" } + comment => "CAT II (Previously - L054, L055, L056) UNIX STIG: 4.24 Samba", + handle => "stigs_files_redhat_5_usr_bin_smbpasswd", + perms => mog("600", "root", "root"); + + "/etc/news/hosts.nntp" -> { "GEN006260" } + comment => "CAT II (Previously - L154) UNIX STIG: 4.25 Internet Network News (INN)", + handle => "stigs_files_redhat_5_etc_news_hosts_nttp", perms => m("600"); - "/etc/news/hosts.nntp.nolimit" -> { "GEN006280" } - comment => "CAT II (Previously - L156) UNIX STIG: 4.25 Internet Network News (INN)", - handle => "stigs_files_redhat_5_etc_news_hosts_nttp_nolimit", + "/etc/news/hosts.nntp.nolimit" -> { "GEN006280" } + comment => "CAT II (Previously - L156) UNIX STIG: 4.25 Internet Network News (INN)", + handle => "stigs_files_redhat_5_etc_news_hosts_nttp_nolimit", perms => m("600"); - "/etc/news/nnrp.access" -> { "GEN006300" } - comment => "CAT II (Previously - L158) UNIX STIG: 4.25 Internet Network News (INN)", - handle => "stigs_files_redhat_5_etc_news_nnrp_access", + "/etc/news/nnrp.access" -> { "GEN006300" } + comment => "CAT II (Previously - L158) UNIX STIG: 4.25 Internet Network News (INN)", + handle => "stigs_files_redhat_5_etc_news_nnrp_access", perms => m("600"); - "/etc/news/passwd.nntp" -> { "GEN006320" } - comment => "CAT II (Previously - L160) UNIX STIG: 4.25 Internet Network News (INN)", - handle => "stigs_files_redhat_5_etc_news_passwd_nntp", + "/etc/news/passwd.nntp" -> { "GEN006320" } + comment => "CAT II (Previously - L160) UNIX STIG: 4.25 Internet Network News (INN)", + handle => "stigs_files_redhat_5_etc_news_passwd_nntp", perms => m("600"); - "/etc/news" -> { "GEN006340", "GEN006360" } - comment => 
"CAT II (Previously - L162, L164) UNIX STIG: 4.25 Internet Network New (INN)", - handle => "stigs_files_redhat_5_etc_news", - depth_search => recurse("inf"), - perms => og("root","root"); - - "$(security_tools)" -> { "GEN006520" } - comment => "CAT II (Previously - G189) UNIX STIG: 6 UNIX Security Tools", - handle => "stigs_files_redhat_5_security_tools", - perms => mog("740","root","root"); - -# "/etc/hosts.allow" -> { "GEN006620" } -# comment => "CAT II UNIX STIG: 6.6 Access Control Programs and TCP_WRAPPERS", -# handle => "stigs_files_redhat_5_etc_hosts_allow", -# edit_line => append_if_no_lines("@(stigs.hosts_allow)"); - -# "/etc/hosts.deny" -> { "GEN006620" } -# comment => "CAT II UNIX STIG: 6.6 Access Control Programs and TCP_WRAPPERS", -# handle => "stigs_files_redhat_5_etc_hosts_deny", -# edit_line => append_if_no_line("ALL: ALL"); - -# "/boot/grub/menu.lst" -> { "LNX00140" } -# comment => "CAT I (Previously - L072) UNIX STIG: 12.4.1.1 Password Protecting the GRUB Console Boot Loader", -# handle => "stigs_files_redhat_5_boot_grub_menu_lst", -# edit_line => maintain_grub; - - "/boot/grub/grub.conf" -> { "LNX00160" } - comment => "CAT II (Previously - L074) UNIX STIG: 12.4.1.1 Password Protecting the GRUB Console Boot Loader", - handle => "stigs_files_redhat_5_boot_grub_grub_conf", + "/etc/news" -> { "GEN006340", "GEN006360" } + comment => "CAT II (Previously - L162, L164) UNIX STIG: 4.25 Internet Network New (INN)", + handle => "stigs_files_redhat_5_etc_news", + depth_search => recurse("inf"), + perms => og("root", "root"); + + "$(security_tools)" -> { "GEN006520" } + comment => "CAT II (Previously - G189) UNIX STIG: 6 UNIX Security Tools", + handle => "stigs_files_redhat_5_security_tools", + perms => mog("740", "root", "root"); + + # "/etc/hosts.allow" -> { "GEN006620" } + # comment => "CAT II UNIX STIG: 6.6 Access Control Programs and TCP_WRAPPERS", + # handle => "stigs_files_redhat_5_etc_hosts_allow", + # edit_line => 
append_if_no_lines("@(stigs.hosts_allow)"); + # "/etc/hosts.deny" -> { "GEN006620" } + # comment => "CAT II UNIX STIG: 6.6 Access Control Programs and TCP_WRAPPERS", + # handle => "stigs_files_redhat_5_etc_hosts_deny", + # edit_line => append_if_no_line("ALL: ALL"); + # "/boot/grub/menu.lst" -> { "LNX00140" } + # comment => "CAT I (Previously - L072) UNIX STIG: 12.4.1.1 Password Protecting the GRUB Console Boot Loader", + # handle => "stigs_files_redhat_5_boot_grub_menu_lst", + # edit_line => maintain_grub; + "/boot/grub/grub.conf" -> { "LNX00160" } + comment => "CAT II (Previously - L074) UNIX STIG: 12.4.1.1 Password Protecting the GRUB Console Boot Loader", + handle => "stigs_files_redhat_5_boot_grub_grub_conf", perms => m("600"); - "/etc/lilo.conf" -> { "LNX00220" } - comment => "CAT I (Previously - L080) UNIX STIG: 12.4.1.2 Password Protecting the LILO Boot Loader", - handle => "stigs_files_redhat_5_etc_lilo_conf", + "/etc/lilo.conf" -> { "LNX00220" } + comment => "CAT I (Previously - L080) UNIX STIG: 12.4.1.2 Password Protecting the LILO Boot Loader", + handle => "stigs_files_redhat_5_etc_lilo_conf", perms => m("600"); - "/etc/gdm/custom.conf" -> { "LNX00360" } - comment => "CAT II (Previously - L032) UNIX STIG: 12.10 X Windows", - handle => "stigs_files_redhat_5_etc_gdm_custom_conf", - edit_line => maintain_gdm_custom_conf, - if => "have_xwindows"; - -# - - commands: - - redhat_5:: - - "/sbin/chkconfig $(preferred_services) on" -> { "GEN002660" } - comment => "CAT II (Previously - G093) UNIX STIG: 3.16 Audit Requirements", - handle => "stigs_commands_redhat_5_enable_preferred_services", - if => "$(preferred_services)_off"; - - "/sbin/chkconfig $(unneeded_services) off" -> { "GEN003700", "GEN003860" } - comment => "CAT II (Previously - V046) UNIX STIG: 4 Network Services", - handle => "stigs_commands_redhat_5_disable_unneeded_services", - if => "$(unneeded_services)_on"; - - restart_syslog:: - - "/etc/init.d/syslog restart" -> { "GEN000440", "GEN003160", 
"GEN003660", "GEN005400", "GEN005420" }
- comment => "CAT II & III (Previously - G012, G209, G656, G657) UNIX STIG: 3.1.3 Account Access, 4.14 System Logging Daemon",
- handle => "stigs_commands_redhat_5_restart_syslog";
-
- restart_inittab::
-
- "/sbin/init q" -> { "GEN000020", "GEN000040", "GEN000060", "LNX00580" }
- comment => "CAT I & II (Previously - G001, G002, G003, L222) UNIX STIG: 2.5.1.1 System Equipment, 12.14 The /etc/inittab File",
+ "/etc/gdm/custom.conf" -> { "LNX00360" }
+ comment => "CAT II (Previously - L032) UNIX STIG: 12.10 X Windows",
+ handle => "stigs_files_redhat_5_etc_gdm_custom_conf",
+ edit_line => maintain_gdm_custom_conf,
+ if => "have_xwindows";
+
+ commands:
+ redhat_5::
+ "/sbin/chkconfig $(preferred_services) on" -> { "GEN002660" }
+ comment => "CAT II (Previously - G093) UNIX STIG: 3.16 Audit Requirements",
+ handle => "stigs_commands_redhat_5_enable_preferred_services",
+ if => "$(preferred_services)_off";
+
+ "/sbin/chkconfig $(unneeded_services) off" -> { "GEN003700", "GEN003860" }
+ comment => "CAT II (Previously - V046) UNIX STIG: 4 Network Services",
+ handle => "stigs_commands_redhat_5_disable_unneeded_services",
+ if => "$(unneeded_services)_on";
+
+ restart_syslog::
+ "/etc/init.d/syslog restart" -> {
+ "GEN000440", "GEN003160", "GEN003660", "GEN005400", "GEN005420"
+ }
+ comment => "CAT II & III (Previously - G012, G209, G656, G657) UNIX STIG: 3.1.3 Account Access, 4.14 System Logging Daemon",
+ handle => "stigs_commands_redhat_5_restart_syslog";
+
+ restart_inittab::
+ "/sbin/init q" -> { "GEN000020", "GEN000040", "GEN000060", "LNX00580" }
+ comment => "CAT I & II (Previously - G001, G002, G003, L222) UNIX STIG: 2.5.1.1 System Equipment, 12.14 The /etc/inittab File",
handle => "stigs_commands_redhat_5_restart_inittab",
- contain => silent;
-
- restart_sysctl::
-
- "/sbin/sysctl -p" -> { "GEN003600" }
- comment => "CAT II UNIX STIG: 3.20.5 Network Security",
- handle => "stigs_commands_redhat_5_restart_sysctl",
- contain
=> silent;
-
- restart_sendmail::
-
- "/sbin/service sendmail restart" -> { "GEN004540", "GEN004560" }
- comment => "CAT II (Previously - G646) UNIX STIG: 4.7 Sendmail or Equivalent",
- handle => "stigs_commands_redhat_5_restart_sendmail";
-
- restart_aliases::
-
- "/usr/bin/newaliases" -> { "GEN004640" }
- comment => "CAT I (Previously - V126) 4.7 Sendmail or Equivalent",
- handle => "sting_commands_redhat_5_restart_aliases";
-
- restart_sshd::
-
- "/sbin/service sshd restart" -> { "GEN005500", "GEN005540" }
- comment => "CAT I & II (Previously - G701) UNIX STIG: 4.15 Secure Shell (SSH) and Equivalents",
- handle => "stigs_commands_redhat_5_restart_sshd";
-
-#
-
- methods:
-
- redhat_5::
-
- "UNIX STIG 3.2.1" -> { "GEN000560" }
+ contain => silent;
+
+ restart_sysctl::
+ "/sbin/sysctl -p" -> { "GEN003600" }
+ comment => "CAT II UNIX STIG: 3.20.5 Network Security",
+ handle => "stigs_commands_redhat_5_restart_sysctl",
+ contain => silent;
+
+ restart_sendmail::
+ "/sbin/service sendmail restart" -> { "GEN004540", "GEN004560" }
+ comment => "CAT II (Previously - G646) UNIX STIG: 4.7 Sendmail or Equivalent",
+ handle => "stigs_commands_redhat_5_restart_sendmail";
+
+ restart_aliases::
+ "/usr/bin/newaliases" -> { "GEN004640" }
+ comment => "CAT I (Previously - V126) 4.7 Sendmail or Equivalent",
+ handle => "sting_commands_redhat_5_restart_aliases";
+
+ restart_sshd::
+ "/sbin/service sshd restart" -> { "GEN005500", "GEN005540" }
+ comment => "CAT I & II (Previously - G701) UNIX STIG: 4.15 Secure Shell (SSH) and Equivalents",
+ handle => "stigs_commands_redhat_5_restart_sshd";
+
+ methods:
+ redhat_5::
+ "UNIX STIG 3.2.1" -> { "GEN000560" }
comment => "CAT I (Previously - G018) UNIX STIG: 3.2.1 Password Guidelines",
- handle => "stigs_methods_redhat_5_unix_stigs_3_2_1",
- usebundle => disable_accounts_without_passwd("$(shadow_list)");
+ handle => "stigs_methods_redhat_5_unix_stigs_3_2_1",
+ usebundle => disable_accounts_without_passwd("$(shadow_list)");
- "UNIX STIG
3.12.1" -> { "GEN002420" }
+ "UNIX STIG 3.12.1" -> { "GEN002420" }
comment => "CAT II (Previously - G086) UNIX STIG: 3.12.1 Set User ID (suid)",
- handle => "stigs_methods_redhat_5_unix_stigs_3_12_1",
- usebundle => filesystem_mounted_with_nosuid("/etc/fstab","$(fstab_list)");
-
-# "UNIX STIG 4.8" -> { "GEN004820", "GEN004840" }
-# comment => "CAT II (Previously - L140, L142) UNIX STIG: 4.8 File Transfer Protocol (FTP)",
-# handle => "stigs_methods_redhat_5_unix_stigs_4_8",
-# usebundle => disabling_accounts("$(accounts_to_disable)");
-
- "UNIX STIG 4.8/UNIX STIG 12.9" -> { "GEN004820", "GEN004840", "LNX00320", "LNX00340" }
+ handle => "stigs_methods_redhat_5_unix_stigs_3_12_1",
+ usebundle => filesystem_mounted_with_nosuid(
+ "/etc/fstab", "$(fstab_list)"
+ );
+
+ # "UNIX STIG 4.8" -> { "GEN004820", "GEN004840" }
+ # comment => "CAT II (Previously - L140, L142) UNIX STIG: 4.8 File Transfer Protocol (FTP)",
+ # handle => "stigs_methods_redhat_5_unix_stigs_4_8",
+ # usebundle => disabling_accounts("$(accounts_to_disable)");
+ "UNIX STIG 4.8/UNIX STIG 12.9" -> {
+ "GEN004820", "GEN004840", "LNX00320", "LNX00340"
+ }
comment => "CAT I & II (Previously - G107, V052, L140, L142) UNIX STIG: 4.8 File Transfer Protocol (FTP) and Telnet, 12.9 Default Accounts",
- handle => "stigs_methods_redhat_5_unix_stigs_4_8_12_9",
- usebundle => deleting_accounts("$(accounts_to_delete)");
-
+ handle => "stigs_methods_redhat_5_unix_stigs_4_8_12_9",
+ usebundle => deleting_accounts("$(accounts_to_delete)");
}
-
##### bundle agent for methods here #####
-
# GEN000560
bundle agent disable_accounts_without_passwd(string)
{
- classes:
-
- "name_ok" -> { "GEN000560" }
- comment => "Extract only a name field from an inputs string",
- handle => "disable_accounts_without_passwd_classes_name_field",
- expression => regextract(
- "^[\w-]+",
- "$(string)",
- "name"
- );
-
- "passwd_ok" -> { "GEN000560" }
- comment => "Extract only a passwd field from an inputs string",
- handle =>
"disable_accounts_without_passwd_classes_passwd_field",
- expression => regextract(
- ":(.*?):",
- "$(string)",
- "passwd"
- );
-
- "no_passwd" -> { "GEN000560" }
+ classes:
+ "name_ok" -> { "GEN000560" }
+ comment => "Extract only a name field from an inputs string",
+ handle => "disable_accounts_without_passwd_classes_name_field",
+ expression => regextract("^[\w-]+", "$(string)", "name");
+
+ "passwd_ok" -> { "GEN000560" }
+ comment => "Extract only a passwd field from an inputs string",
+ handle => "disable_accounts_without_passwd_classes_passwd_field",
+ expression => regextract(":(.*?):", "$(string)", "passwd");
+
+ "no_passwd" -> { "GEN000560" }
comment => "Check if there is a password or not",
- handle => "disable_accounts_without_passwd_classes_no_passwd",
- not => regcmp(".*\$.*","$(passwd[1])");
-
-#
-
- files:
-
- "/etc/passwd" -> { "GEN000560" }
- comment => "Set user shell /sbin/nologin",
- handle => "disable_accounts_without_passwd_files_etc_passwd",
- edit_line => set_user_field("$(name[0])","7","/sbin/nologin"),
- if => "no_passwd";
+ handle => "disable_accounts_without_passwd_classes_no_passwd",
+ not => regcmp(".*\$.*", "$(passwd[1])");
+
+ files:
+ "/etc/passwd" -> { "GEN000560" }
+ comment => "Set user shell /sbin/nologin",
+ handle => "disable_accounts_without_passwd_files_etc_passwd",
+ edit_line => set_user_field("$(name[0])", "7", "/sbin/nologin"),
+ if => "no_passwd";
}
-
# GEN002420
-bundle agent filesystem_mounted_with_nosuid(path,string)
+bundle agent filesystem_mounted_with_nosuid(path, string)
{
- classes:
- "option_ok" expression => regextract(
- "\S+\s+\S+\s+\S+\s+(\S+)",
- "$(string)",
- "option"
- );
-
- classes:
- "have_home" expression => regcmp(".*\/home.*", "$(string)");
- "have_boot" expression => regcmp(".*\/boot.*", "$(string)");
- "have_sys" expression => regcmp(".*\/sys.*", "$(string)");
- "have_usr" expression => regcmp(".*\/usr.*", "$(string)");
- "have_usr_local" expression => regcmp(".*\/usr\/local.*", "$(string)");
-
"no_acl" not => regcmp(".*acl.*", "$(string)");
-
- files:
- "$(path)"
- edit_line => set_fstab_field("/home","4","$(option[1]),nosuid,nodev,acl"),
- if => "have_home.no_acl";
- "$(path)"
- edit_line => set_fstab_field("/boot","4","$(option[1]),nosuid,acl"),
- if => "have_boot.no_acl";
- "$(path)"
- edit_line => set_fstab_field("/sys","4","$(option[1]),nosuid,acl"),
- if => "have_sys.no_acl";
- "$(path)"
- edit_line => set_fstab_field("/usr","4","$(option[1]),nodev,acl"),
- if => "have_usr.no_acl";
- "$(path)"
- edit_line => set_fstab_field("/usr/local","4","$(option[1]),nodev,acl"),
- if => "have_usr_local.no_acl";
+ classes:
+ "option_ok"
+ expression => regextract(
+ "\S+\s+\S+\s+\S+\s+(\S+)", "$(string)", "option"
+ );
+
+ classes:
+ "have_home" expression => regcmp(".*\/home.*", "$(string)");
+ "have_boot" expression => regcmp(".*\/boot.*", "$(string)");
+ "have_sys" expression => regcmp(".*\/sys.*", "$(string)");
+ "have_usr" expression => regcmp(".*\/usr.*", "$(string)");
+ "have_usr_local" expression => regcmp(".*\/usr\/local.*", "$(string)");
+ "no_acl" not => regcmp(".*acl.*", "$(string)");
+
+ files:
+ "$(path)"
+ edit_line => set_fstab_field(
+ "/home", "4", "$(option[1]),nosuid,nodev,acl"
+ ),
+ if => "have_home.no_acl";
+
+ "$(path)"
+ edit_line => set_fstab_field("/boot", "4", "$(option[1]),nosuid,acl"),
+ if => "have_boot.no_acl";
+
+ "$(path)"
+ edit_line => set_fstab_field("/sys", "4", "$(option[1]),nosuid,acl"),
+ if => "have_sys.no_acl";
+
+ "$(path)"
+ edit_line => set_fstab_field("/usr", "4", "$(option[1]),nodev,acl"),
+ if => "have_usr.no_acl";
+
+ "$(path)"
+ edit_line => set_fstab_field(
+ "/usr/local", "4", "$(option[1]),nodev,acl"
+ ),
+ if => "have_usr_local.no_acl";
}
-
# GEN004828, GEN004840
bundle agent disabling_accounts(name)
{
- files:
-
- "/etc/passwd" -> { "GEN004820", "GEN004840" }
- comment => "Set shell to /sbin/nologin",
- handle => "disabling_accounts_files_etc_passwd",
- edit_line =>
set_user_field("$(name)","7","/sbin/nologin");
-
- "/etc/shadow" -> { "GEN004820", "GEN004840" }
- comment => "Set passwd to !",
- handle => "disabling_accounts_files_etc_shadow",
- edit_line => set_user_field("$(name)","2","!!");
+ files:
+ "/etc/passwd" -> { "GEN004820", "GEN004840" }
+ comment => "Set shell to /sbin/nologin",
+ handle => "disabling_accounts_files_etc_passwd",
+ edit_line => set_user_field("$(name)", "7", "/sbin/nologin");
+
+ "/etc/shadow" -> { "GEN004820", "GEN004840" }
+ comment => "Set passwd to !",
+ handle => "disabling_accounts_files_etc_shadow",
+ edit_line => set_user_field("$(name)", "2", "!!");
}
-
# LNX00320, LNX00340
bundle agent deleting_accounts(name)
{
- files:
-
- "/etc/passwd" -> { "LNX00320", "LNX00340" }
- comment => "Remove unnecessary accounts from /etc/passwd",
- handle => "deleting_accounts_files_etc_passwd",
- edit_line => delete_lines_matching("^$(name):.*");
-
- "/etc/shadow" -> { "LNX00320", "LNX00340" }
- comment => "Remove unnecessary accounts from /etc/shadow",
- handle => "deleting_accounts_files_etc_shadow",
- edit_line => delete_lines_matching("^$(name):.*");
+ files:
+ "/etc/passwd" -> { "LNX00320", "LNX00340" }
+ comment => "Remove unnecessary accounts from /etc/passwd",
+ handle => "deleting_accounts_files_etc_passwd",
+ edit_line => delete_lines_matching("^$(name):.*");
+
+ "/etc/shadow" -> { "LNX00320", "LNX00340" }
+ comment => "Remove unnecessary accounts from /etc/shadow",
+ handle => "deleting_accounts_files_etc_shadow",
+ edit_line => delete_lines_matching("^$(name):.*");
}
-
-# ##### bundle edit_line here #####
#
-
# GEN000020, GEN000040, GEN000060, LNX00580
bundle edit_line maintain_inittab
{
- delete_lines:
- "~:S:wait.*" -> { "GEN000020", "GEN000040", "GEN000060" }
- comment => "Configured to require a password when boot to single-user mode.",
+ delete_lines:
+ "~:S:wait.*" -> { "GEN000020", "GEN000040", "GEN000060" }
+ comment => "Configured to require a password when boot to single-user mode.",
handle => "maintain_inittab_delete_lines_gen000020_gen000040_gen000060";
- "^ca::ctrlaltdel.*" -> { "LNX00580" }
- comment => "Disable CTRL+ALT+DEL.",
+ "^ca::ctrlaltdel.*" -> { "LNX00580" }
+ comment => "Disable CTRL+ALT+DEL.",
handle => "maintain_inittab_delete_lines_lnx00580";
- insert_lines:
- "~:S:wait:/sbin/sulogin # GEN000020, GEN000040, GEN000060" -> { "GEN000020", "GEN000040", "GEN000060" }
- comment => "Configured to require a password when boot to single-user mode.",
+ insert_lines:
+ "~:S:wait:/sbin/sulogin # GEN000020, GEN000040, GEN000060" -> {
+ "GEN000020", "GEN000040", "GEN000060"
+ }
+ comment => "Configured to require a password when boot to single-user mode.",
handle => "maintain_inittab_insert_lines_gen000020_gen000040_gen000060";
- "ca:12345:ctrlaltdel:/bin/echo \"CTRL-ALT-DEL is disabled\" # LNX00580" -> { "LNX00580" }
- comment => "Disable CTRL+ALT+DEL.",
+ "ca:12345:ctrlaltdel:/bin/echo \"CTRL-ALT-DEL is disabled\" # LNX00580" -> {
+ "LNX00580"
+ }
+ comment => "Disable CTRL+ALT+DEL.",
handle => "maintain_inittab_insert_lines_lnx00580";
}
-
# GEN000440, GEN003160, GEN003660, GEN004460
bundle edit_line maintain_syslog_conf
{
- delete_lines:
- "^auth.notice.*" -> { "GEN003660" }
- comment => "Delete existing auth.notice log",
+ delete_lines:
+ "^auth.notice.*" -> { "GEN003660" }
+ comment => "Delete existing auth.notice log",
handle => "maintain_syslog_conf_delete_lines_gen003660";
- replace_patterns:
- "^authpriv\.\*\h+(?!/var/log/secure).*" -> { "GEN000440" }
- comment => "Check authentication log will be shown in /var/log/secure",
- handle => "maintain_syslog_conf_replace_patterns_gen000440_1",
- replace_with => value("authprivdummy");
- "^authprivdummy$" -> { "GEN000440" }
- comment => "Check authentication log will be shown in /var/log/secure",
- handle => "maintain_syslog_conf_replace_patterns_gen000440_2",
- replace_with => value("authpriv.*$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)/var/log/secure");
-
-
"^cron\.\*h+(?!/var/log/cron).*" -> { "GEN003160" }
- comment => "Check cron log will be shown in /var/log/cron",
- handle => "maintain_syslog_conf_replace_patterns_gen003160_1",
- replace_with => value("crondummy");
- "^crondummy$" -> { "GEN003160" }
- comment => "Check cron log will be shown in /var/log/cron",
- handle => "maintain_syslog_conf_replace_patterns_gen003160_2",
- replace_with => value("cron.*$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)/var/log/cron");
-
- "^mail\.\*\h+(?!-/var/log/maillog).*" -> { "GEN004460" }
- comment => "Check critical-level Sendmail log will be shown in /var/log/maillog",
- handle => "maintain_syslog_conf_replace_patterns_gen004460_1",
- replace_with => value("maildummy");
- "^maildummy$" -> { "GEN004460" }
- comment => "Check critical-level Sendmail log will be shown in /var/log/maillog",
- handle => "maintain_syslog_conf_replace_patterns_gen004460_2",
- replace_with => value("mail.*$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)-/var/log/mail");
-
- insert_lines:
- "auth.notice$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)/var/log/messages" -> { "GEN003660" }
- comment => "Log authentication notice and informational data",
+ replace_patterns:
+ "^authpriv\.\*\h+(?!/var/log/secure).*" -> { "GEN000440" }
+ comment => "Check authentication log will be shown in /var/log/secure",
+ handle => "maintain_syslog_conf_replace_patterns_gen000440_1",
+ replace_with => value("authprivdummy");
+
+ "^authprivdummy$" -> { "GEN000440" }
+ comment => "Check authentication log will be shown in /var/log/secure",
+ handle => "maintain_syslog_conf_replace_patterns_gen000440_2",
+ replace_with => value(
+ "authpriv.*$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)/var/log/secure"
+ );
+
+ "^cron\.\*h+(?!/var/log/cron).*" -> { "GEN003160" }
+ comment => "Check cron log will be shown in /var/log/cron",
+ handle => "maintain_syslog_conf_replace_patterns_gen003160_1",
+ replace_with =>
value("crondummy");
+
+ "^crondummy$" -> { "GEN003160" }
+ comment => "Check cron log will be shown in /var/log/cron",
+ handle => "maintain_syslog_conf_replace_patterns_gen003160_2",
+ replace_with => value(
+ "cron.*$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)/var/log/cron"
+ );
+
+ "^mail\.\*\h+(?!-/var/log/maillog).*" -> { "GEN004460" }
+ comment => "Check critical-level Sendmail log will be shown in /var/log/maillog",
+ handle => "maintain_syslog_conf_replace_patterns_gen004460_1",
+ replace_with => value("maildummy");
+
+ "^maildummy$" -> { "GEN004460" }
+ comment => "Check critical-level Sendmail log will be shown in /var/log/maillog",
+ handle => "maintain_syslog_conf_replace_patterns_gen004460_2",
+ replace_with => value(
+ "mail.*$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)-/var/log/mail"
+ );
+
+ insert_lines:
+ "auth.notice$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)$(const.t)/var/log/messages" -> {
+ "GEN003660"
+ }
+ comment => "Log authentication notice and informational data",
handle => "maintain_syslog_conf_insert_lines_gen003660";
}
-
# GEN000460, GEN000600, GEN000620, GEN000640, GEN000800
bundle edit_line maintain_system_auth
{
- insert_lines:
-"#%PAM-1.0
+ insert_lines:
+ "#%PAM-1.0
# GEN000460, GEN000600, GEN000620, GEN000640, GEN000800
auth required pam_tally.so deny=3 onerr=fail unlock_time=900
@@ -1193,196 +1181,192 @@ password required pam_unix.so md5 shadow nullok try_first_pass use_autht
session optional pam_keyinit.so revoke
session required pam_limits.so
-session required pam_unix.so" -> { "GEN000460", "GEN000600", "GEN000620", "GEN000640", "GEN000800" }
- comment => "Ensure /etc/pam.d/system-auth-ac has good contents",
- handle => "maintain_system_auth_insert_lines_gen000460_gen000600_gen000620_gen000640_gen000800",
- insert_type => "preserve_block";
+session required pam_unix.so" -> {
+ "GEN000460", "GEN000600", "GEN000620", "GEN000640", "GEN000800"
+ }
+ comment => "Ensure /etc/pam.d/system-auth-ac has good contents",
+ handle => "maintain_system_auth_insert_lines_gen000460_gen000600_gen000620_gen000640_gen000800",
+ insert_type => "preserve_block";
}
-
# GEN000480, GEN000540, GEN000580, GEN000700, GEN000820
bundle edit_line maintain_login_defs
{
- replace_patterns:
- "^PASS_MAX_DAYS\h+(?!60).*" -> { "GEN000700", "GEN000820" }
- comment => "Passwords will be expired in 60 days.",
- handle => "maintain_login_defs_replace_patterns_gen000700_gen000820_1",
- replace_with => value("PASS_MAX_DAYSdummy60");
- "^PASS_MAX_DAYSdummy60" -> { "GEN000700", "GEN000820" }
- comment => "Passwords will be expired in 60 days.",
- handle => "maintain_login_defs_replace_patterns_gen000700_gen000820_2",
- replace_with => value("PASS_MAX_DAYS 60 # GEN000700");
-
- "^PASS_MIN_DAYS\h+(?!1).*" -> { "GEN000540", "GEN000820" }
- comment => "Passwords can be changed once every 24 hours.",
- handle => "maintain_login_defs_replace_patterns_gen000540_gen000820_1",
- replace_with => value("PASS_MIN_DAYSdummy1");
- "^PASS_MIN_DAYSdummy1" -> { "GEN000540", "GEN000820" }
- comment => "Passwords can be changed once every 24 hours.",
- handle => "maintain_login_defs_replace_patterns_gen000540_gen000820_2",
- replace_with => value("PASS_MIN_DAYS 1 # GEN000540");
-
- "^PASS_MIN_LEN\h+(?!14).*" -> { "GEN000580" }
- comment => "A password does not contain a minimum of 14 characters",
+
replace_patterns:
+ "^PASS_MAX_DAYS\h+(?!60).*" -> { "GEN000700", "GEN000820" }
+ comment => "Passwords will be expired in 60 days.",
+ handle => "maintain_login_defs_replace_patterns_gen000700_gen000820_1",
+ replace_with => value("PASS_MAX_DAYSdummy60");
+
+ "^PASS_MAX_DAYSdummy60" -> { "GEN000700", "GEN000820" }
+ comment => "Passwords will be expired in 60 days.",
+ handle => "maintain_login_defs_replace_patterns_gen000700_gen000820_2",
+ replace_with => value("PASS_MAX_DAYS 60 # GEN000700");
+
+ "^PASS_MIN_DAYS\h+(?!1).*" -> { "GEN000540", "GEN000820" }
+ comment => "Passwords can be changed once every 24 hours.",
+ handle => "maintain_login_defs_replace_patterns_gen000540_gen000820_1",
+ replace_with => value("PASS_MIN_DAYSdummy1");
+
+ "^PASS_MIN_DAYSdummy1" -> { "GEN000540", "GEN000820" }
+ comment => "Passwords can be changed once every 24 hours.",
+ handle => "maintain_login_defs_replace_patterns_gen000540_gen000820_2",
+ replace_with => value("PASS_MIN_DAYS 1 # GEN000540");
+
+ "^PASS_MIN_LEN\h+(?!14).*" -> { "GEN000580" }
+ comment => "A password does not contain a minimum of 14 characters",
handle => "maintain_login_defs_replace_patterns_gen000580_1",
- replace_with => value("PASS_MIN_LENdummy14");
- "^PASS_MIN_LENdummy14" -> { "GEN000580" }
- comment => "A password does not contain a minimum of 14 characters",
+ replace_with => value("PASS_MIN_LENdummy14");
+
+ "^PASS_MIN_LENdummy14" -> { "GEN000580" }
+ comment => "A password does not contain a minimum of 14 characters",
handle => "maintain_login_defs_replace_patterns_gen000580_2",
- replace_with => value("PASS_MIN_LEN 14 # GEN000580");
+ replace_with => value("PASS_MIN_LEN 14 # GEN000580");
- delete_lines:
- "^FAIL_DELAY.*" -> { "GEN000480" }
- comment => "Clear up an existing login delay.",
+ delete_lines:
+ "^FAIL_DELAY.*" -> { "GEN000480" }
+ comment => "Clear up an existing login delay.",
handle => "maintain_login_defs_delete_lines_gen000480";
- insert_lines:
- "FAIL_DELAY 4 # GEN000480" -> {
"GEN000480" }
- comment => "The login delay between login prompts after a failed login is set to less than four seconds.",
+ insert_lines:
+ "FAIL_DELAY 4 # GEN000480" -> { "GEN000480" }
+ comment => "The login delay between login prompts after a failed login is set to less than four seconds.",
handle => "maintain_login_defs_insert_lines_gen000480";
}
-
# GEN000500
bundle edit_line maintain_etc_profile
{
- delete_lines:
- "^TMOUT.*" -> { "GEN000500" }
- comment => "Clear up all TMOUT lines",
+ delete_lines:
+ "^TMOUT.*" -> { "GEN000500" }
+ comment => "Clear up all TMOUT lines",
handle => "maintain_etc_profile_delete_lines_gen000500";
- insert_lines:
- "TMOUT=900" -> { "GEN000500" }
- comment => "Set TMOUT to lock the screen after 15 minutes of inactivity",
+ insert_lines:
+ "TMOUT=900" -> { "GEN000500" }
+ comment => "Set TMOUT to lock the screen after 15 minutes of inactivity",
handle => "maintain_etc_profile_insert_lines_gen000500";
}
-
# GEN000980, GEN001000
bundle edit_line maintain_securetty
{
-# delete_lines:
-# "vc/(\d+)" -> { "GEN000980" }
-# comment => "Allow root to login only from the system console.",
-# handle => "maintain_securetty_delete_lines_gen000980_1";
-#
-# "tty(\d+)" -> { "GEN000980" }
-# comment => "Allow root to login only from the system console.",
-# handle => "maintain_securetty_delete_lines_gen000980_2";
-
- insert_lines:
- "console" -> { "GEN000980", "GEN001000" }
- comment => "Allow root to login only from the system console/tty.",
- handle => "maintain_securetty_insert_lines_gen000980_gen001000";
+ # delete_lines:
+ # "vc/(\d+)" -> { "GEN000980" }
+ # comment => "Allow root to login only from the system console.",
+ # handle => "maintain_securetty_delete_lines_gen000980_1";
+ #
+ # "tty(\d+)" -> { "GEN000980" }
+ # comment => "Allow root to login only from the system console.",
+ # handle => "maintain_securetty_delete_lines_gen000980_2";
+ insert_lines:
+ "console" -> { "GEN000980", "GEN001000" }
+ comment => "Allow root to login
only from the system console/tty.",
+ handle => "maintain_securetty_insert_lines_gen000980_gen001000";
}
-
# GEN001020
bundle edit_line maintain_pamd_sshd
{
- insert_lines:
- "account required pam_access.so" -> { "GEN001020" }
+ insert_lines:
+ "account required pam_access.so" -> { "GEN001020" }
comment => "Root privilege must be gained via switch from user account",
- handle => "maintain_pamd_sshd_insert_lines_gen001020",
- location => after("^(account.*auth)$");
+ handle => "maintain_pamd_sshd_insert_lines_gen001020",
+ location => after("^(account.*auth)$");
}
-
# GEN001020
bundle edit_line maintain_pamd_login
{
- insert_lines:
- "account required pam_access.so" -> { "GEN001020" }
+ insert_lines:
+ "account required pam_access.so" -> { "GEN001020" }
comment => "Root privilege must be gained via switch from user account",
- handle => "maintain_pamd_login_insert_lines_gen001020",
- location => after("^(account.*auth)$");
+ handle => "maintain_pamd_login_insert_lines_gen001020",
+ location => after("^(account.*auth)$");
}
-
# GEN001020
bundle edit_line maintain_security_access_conf
{
- insert_lines:
-"# Only access for root is cron
+ insert_lines:
+ "# Only access for root is cron
+ : root : cron crond tty1
-- : ALL EXCEPT users : ALL" -> { "GEN001020" }
- comment => "Allow only root uses cron",
- handle => "maintain_security_access_conf_insert_lines_gen001020",
- insert_type => "preserve_block";
+- : ALL EXCEPT users : ALL" -> {
+ "GEN001020"
+ }
+ comment => "Allow only root uses cron",
+ handle => "maintain_security_access_conf_insert_lines_gen001020",
+ insert_type => "preserve_block";
}
-
# GEN001960
bundle edit_line remove_mesg_y
{
- delete_lines:
- ".*mesg\h+\-y.*"
- comment => "Remove mesg -y",
+ delete_lines:
+ ".*mesg\h+\-y.*"
+ comment => "Remove mesg -y",
handle => "remove_mesg_y_delete_lines_gen001960_1";
- ".*mesg\h+y.*"
- comment => "Remove mesg y",
+
+ ".*mesg\h+y.*"
+ comment => "Remove mesg y",
handle => "remove_mesg_y_delete_lines_gen001960_2";
}
-
# GEN002120
bundle edit_line maintain_etc_shells
{
- insert_lines:
-"/bin/sh
+ insert_lines:
+ "/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
-/bin/ksh93" -> { "GEN002120" }
- comment => "Ensure /etc/shells has good contents",
- handle => "maintain_etc_shells_insert_lines_gen002120",
- insert_type => "preserve_block";
+/bin/ksh93" -> {
+ "GEN002120"
+ }
+ comment => "Ensure /etc/shells has good contents",
+ handle => "maintain_etc_shells_insert_lines_gen002120",
+ insert_type => "preserve_block";
}
-
# GEN002320
bundle edit_line remove_audio_devices
{
- delete_lines:
- ".*sound.*" -> { "GEN002320" }
- comment => "Delete all lines contains a word, sound",
+ delete_lines:
+ ".*sound.*" -> { "GEN002320" }
+ comment => "Delete all lines contains a word, sound",
handle => "remove_audio_devices_delete_lines_sound_gen002320";
- ".*snd.*" -> { "GEN002320" }
- comment => "Delete all lines contains a word, snd",
+ ".*snd.*" -> { "GEN002320" }
+ comment => "Delete all lines contains a word, snd",
handle => "remove_audio_devices_delete_lines_snd_gen002320";
- ".*mixer.*" -> { "GEN002320" }
- comment => "Delete all lines contains a word, mixer",
+ ".*mixer.*" -> { "GEN002320" }
+ comment => "Delete all lines contains a word, mixer",
handle => "remove_audio_devices_delete_lines_mixer_gen002320";
}
-
# GEN002320, GEN002340, GEN002360
bundle edit_line maintain_audio_devices
{
- insert_lines:
- "SUBSYSTEM==\"sound|snd\", OWNER=\"root\", GROUP=\"root\", MODE=\"0644\"",
- comment => "Append a line to ensure audio devices' permission and ownership",
+ insert_lines:
+ "SUBSYSTEM==\"sound|snd\", OWNER=\"root\", GROUP=\"root\", MODE=\"0644\"",
+ comment => "Append a line to ensure audio devices' permission and ownership",
handle => "maintain_audio_devices_insert_lines_gen002320";
}
-
# GEN002420
-bundle edit_line set_fstab_field(path,field,val)
+bundle edit_line set_fstab_field(path, field, val)
{
-field_edits:
- ".*\$(path)\s.*"
- comment => "Edit a user attribute in the
password file",
- edit_field => col("\s+","$(field)","$(val)","set");
+ field_edits:
+ ".*\$(path)\s.*"
+ comment => "Edit a user attribute in the password file",
+ edit_field => col("\s+", "$(field)", "$(val)", "set");
}
-
# GEN002560
bundle edit_line maintain_umask(mask)
{
- replace_patterns:
- "\h+umask\s(?!$(mask)$).*" -> { "GEN002560" }
- comment => "Ensure umask is 077",
+ replace_patterns:
+ "\h+umask\s(?!$(mask)$).*" -> { "GEN002560" }
+ comment => "Ensure umask is 077",
handle => "maintain_umask_replace_patterns_gen002560",
- replace_with => value(" umask 077");
+ replace_with => value(" umask 077");
}
-
# GEN002660 GEN002720 GEN002740 GEN002760 GEN002780 GEN002800 GEN002820 GEN002840
bundle edit_line maintain_audit_rules
{
- insert_lines:
-"# This file contains the auditctl rules that are loaded
+ insert_lines:
+ "# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
@@ -1454,224 +1438,231 @@ bundle edit_line maintain_audit_rules # GEN002840 Security personnel actions -a exit,always -S init_module -S delete_module -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr --w /bin/su" -> { "GEN002660", "GEN002720", "GEN002740", "GEN002760", "GEN002780", "GEN002800", "GEN002820", "GEN002840" } - comment => "Ensure /etc/audit/audit.rules has good contents", - handle => "maintain_audit_rules_insert_lines_gen002660_gen002720_gen002840", - insert_type => "preserve_block"; +-w /bin/su" -> { + "GEN002660", + "GEN002720", + "GEN002740", + "GEN002760", + "GEN002780", + "GEN002800", + "GEN002820", + "GEN002840", + } + comment => "Ensure /etc/audit/audit.rules has good contents", + handle => "maintain_audit_rules_insert_lines_gen002660_gen002720_gen002840", + insert_type => "preserve_block"; } - # GEN002860 bundle edit_line maintain_logrotated_audit { - insert_lines: -"/var/log/audit/audit.log { + insert_lines: + "/var/log/audit/audit.log { $(const.t)daily $(const.t)notifempty $(const.t)missingok $(const.t)postrotate $(const.t)/sbin/service auditd restart 2> /dev/null > /dev/null || true $(const.t)endscript -}" -> { "GEN002860" } - comment => "Ensure old audit logs are closed and new audit logs are started daily", - handle => "maintain_logrotated_audit_insert_lines_gen002860", - insert_type => "preserve_block"; +}" -> { + "GEN002860" + } + comment => "Ensure old audit logs are closed and new audit logs are started daily", + handle => "maintain_logrotated_audit_insert_lines_gen002860", + insert_type => "preserve_block"; } - # GEN002960 GEN003060 bundle edit_line maintain_cron_allow(name) { -# delete_lines: -# ".*" -> { "GEN002960" } -# comment => "Remove all restricted users", -# handle => "maintain_cron_allow_delete_lines_gen02960"; - - insert_lines: - "$(name)" -> { "GEN002960" } - comment => "Allow users from the list to use cron utility", + # delete_lines: + # ".*" -> { "GEN002960" } + # comment => "Remove all 
restricted users", + # handle => "maintain_cron_allow_delete_lines_gen02960"; + insert_lines: + "$(name)" -> { "GEN002960" } + comment => "Allow users from the list to use cron utility", handle => "maintain_cron_allow_insert_lines_gen02960"; } - # GEN003320 bundle edit_line maintain_at_allow { - insert_lines: - "root" -> { "GEN003320" } - comment => "Remove all restricted users", + insert_lines: + "root" -> { "GEN003320" } + comment => "Remove all restricted users", handle => "maintain_at_allow_insert_lines_gen03320"; } - # GEN003600 GEN005600 bundle edit_line maintain_sysctl_conf { - delete_lines: - "^net.ipv4.tcp_max_syn_backlog.*" -> { "GEN003600" } - comment => "Clear up an existing Network parameters.", + delete_lines: + "^net.ipv4.tcp_max_syn_backlog.*" -> { "GEN003600" } + comment => "Clear up an existing Network parameters.", handle => "maintain_sysctl_conf_delete_lines_gen003600"; - "^net.ipv4.ip_forward.*" -> { "GEN005600" } - comment => "Clear up an existing ip_forward parameters.", + "^net.ipv4.ip_forward.*" -> { "GEN005600" } + comment => "Clear up an existing ip_forward parameters.", handle => "maintain_sysctl_conf_delete_lines_gen005600"; - insert_lines: - "net.ipv4.tcp_max_syn_backlog = 1280" -> { "GEN003600" } - comment => "Secure Network parameters.", + insert_lines: + "net.ipv4.tcp_max_syn_backlog = 1280" -> { "GEN003600" } + comment => "Secure Network parameters.", handle => "maintain_sysctl_conf_insert_lines_gen003600"; - "net.ipv4.ip_forward = 0" -> { "GEN005600" } - comment => "Disable IP forwarding.", + "net.ipv4.ip_forward = 0" -> { "GEN005600" } + comment => "Disable IP forwarding.", handle => "maintain_sysctl_conf_insert_lines_gen005600"; } - # GEN004440 GEN004540, GEN004560 bundle edit_line maintain_sendmail { - replace_patterns: - "^O LogLevel=(?!9).*" -> { "GEN004440" } - comment => "Disable the sendmail help command.", - handle => "maintain_sendmail_replace_patterns_gen004440", - replace_with => value("O LogLevel=9"); - - 
"^(O.*helpfile)$" -> { "GEN004540" } - comment => "Disable the sendmail help command.", - handle => "maintain_sendmail_replace_patterns_gen004540", - replace_with => comment("#"); - - "^O SmtpGreetingMessage=\$j Sendmail \$v/\$Z; \$b" -> { "GEN004560" } - comment => "Hide sendmail version.", - handle => "maintain_sendmail_replace_patterns_gen004560", - replace_with => value("O SmtpGreetingMessage= Mail Server Ready STIG-GEN004560; $b"); + replace_patterns: + "^O LogLevel=(?!9).*" -> { "GEN004440" } + comment => "Disable the sendmail help command.", + handle => "maintain_sendmail_replace_patterns_gen004440", + replace_with => value("O LogLevel=9"); + + "^(O.*helpfile)$" -> { "GEN004540" } + comment => "Disable the sendmail help command.", + handle => "maintain_sendmail_replace_patterns_gen004540", + replace_with => comment("#"); + + "^O SmtpGreetingMessage=\$j Sendmail \$v/\$Z; \$b" -> { "GEN004560" } + comment => "Hide sendmail version.", + handle => "maintain_sendmail_replace_patterns_gen004560", + replace_with => value( + "O SmtpGreetingMessage= Mail Server Ready STIG-GEN004560; $b" + ); } - # GEN004900 bundle edit_line maintain_ftpusers(name) { - insert_lines: - "root" -> { "GEN004900" } - comment => "Add system accounts to /etc/ftpusers", + insert_lines: + "root" -> { "GEN004900" } + comment => "Add system accounts to /etc/ftpusers", handle => "maintain_ftpusers_insert_lines_root_gen004900"; - "avahi-autoipd" -> { "GEN004900" } - comment => "Add system accounts to /etc/ftpusers", + "avahi-autoipd" -> { "GEN004900" } + comment => "Add system accounts to /etc/ftpusers", handle => "maintain_ftpusers_insert_lines_avahi_autoipd_gen004900"; - "$(name)" -> { "GEN004900" } - comment => "Add system accounts to /etc/ftpusers", + "$(name)" -> { "GEN004900" } + comment => "Add system accounts to /etc/ftpusers", handle => "maintain_ftpusers_insert_lines_system_accounts_gen004900"; } - # GEN005540 bundle edit_line create_ssh_banner { - insert_lines: 
-"******************************************************************************* + insert_lines: + "******************************************************************************* * NOTICE TO USERS WARNING! The use of this system is restricted to authorized * * users, unauthorized access is forbidden and will be prosecuted by law. * * All information and communications on this system are subject to review, * * monitoring and recording at any time, without notice or permission. * * ***Users should have no expectation of privacy.*** * -*******************************************************************************" -> { "GEN005540" } - comment => "Banner for SSH", - handle => "create_ssh_banner_insert_lines_gen005540"; +*******************************************************************************" -> { + "GEN005540" + } + comment => "Banner for SSH", + handle => "create_ssh_banner_insert_lines_gen005540"; } - # GEN001120, GEN005500, GEN005540 bundle edit_line maintain_sshd_config { - delete_lines: - "^Banner.*" -> { "GEN005540" } - comment => "Clear up an existing Banner.", + delete_lines: + "^Banner.*" -> { "GEN005540" } + comment => "Clear up an existing Banner.", handle => "maintain_sshd_config_delete_lines_gen005540"; - "^PermitRootLogin.*" -> { "GEN001120" } - comment => "Clear up an existing PermitRootLogin", + "^PermitRootLogin.*" -> { "GEN001120" } + comment => "Clear up an existing PermitRootLogin", handle => "maintain_sshd_config_delete_lines_gen001120"; - "^Protocol.*" -> { "GEN005500" } - comment => "Clear up an existing Protocol", + "^Protocol.*" -> { "GEN005500" } + comment => "Clear up an existing Protocol", handle => "maintain_sshd_config_delete_lines_gen005500"; - insert_lines: - "Banner /etc/ssh/ssh_banner # GEN005540" -> { "GEN005540" } - comment => "Configure a warning banner.", + insert_lines: + "Banner /etc/ssh/ssh_banner # GEN005540" -> { "GEN005540" } + comment => "Configure a warning banner.", handle => 
"maintain_sshd_config_insert_lines_gen005540"; - "PermitRootLogin no # GEN001120" -> { "GEN001120" } - comment => "Don't allow root to use SSH directly.", + "PermitRootLogin no # GEN001120" -> { "GEN001120" } + comment => "Don't allow root to use SSH directly.", handle => "maintain_sshd_config_insert_lines_gen001120"; - "Protocol 2 # GEN005500" -> { "GEN005500" } - comment => "Allow only SSH Protocol version 2", + "Protocol 2 # GEN005500" -> { "GEN005500" } + comment => "Allow only SSH Protocol version 2", handle => "maintain_sshd_config_insert_lines_gen005500"; } - # GEN005500 bundle edit_line maintain_ssh_config { - delete_lines: - "^Ciphers.*" -> { "GEN005500" } - comment => "Clear up an existing Ciphers", + delete_lines: + "^Ciphers.*" -> { "GEN005500" } + comment => "Clear up an existing Ciphers", handle => "maintain_ssh_config_delete_lines_gen005500"; - insert_lines: - "Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc" -> { "GEN005500" } - comment => "Allow only specific ciphers to be used", + insert_lines: + "Ciphers aes256-cbc,aes192-cbc,blowfish-cbc,cast128-cbc,aes128-cbc,3des-cbc" -> { + "GEN005500" + } + comment => "Allow only specific ciphers to be used", handle => "maintain_ssh_config_insert_lines_gen005500"; } - # LNX00140 bundle edit_line maintain_grub { - delete_lines: - "^password.*" -> { "LNX00140" } - comment => "Clear up an existing MD5 encrypted password.", + delete_lines: + "^password.*" -> { "LNX00140" } + comment => "Clear up an existing MD5 encrypted password.", handle => "maintain_grub_delete_lines_lnx00140"; - insert_lines: - # default password is cfengine - "password --md5 $(const.dollar)1$(const.dollar)8fI020$(const.dollar)YPs7MCo3A1ZkS7xagjYnb0" -> { "LNX00140" } - comment => "Use an MD5 encrypted password to GRUB", + insert_lines: + # default password is cfengine + "password --md5 $(const.dollar)1$(const.dollar)8fI020$(const.dollar)YPs7MCo3A1ZkS7xagjYnb0" -> { + "LNX00140" + } + comment => "Use an MD5 
encrypted password to GRUB", handle => "maintain_grub_insert_lines_lnx00140", - location => before("^title.*"); + location => before("^title.*"); } - # LNX00360 bundle edit_line maintain_gdm_custom_conf { - insert_lines: -"[server-Standard] + insert_lines: + "[server-Standard] name=Standard server command=/usr/bin/Xorg -br -audit 4 -s 15 -flexible=true" -> { "LNX00360" } - comment => "Enable X server audit level 4 and 15 minutes timeout time", - handle => "maintain_gdm_custom_conf_insert_lines_lnx00360", - insert_type => "preserve_block"; +flexible=true" -> { + "LNX00360" + } + comment => "Enable X server audit level 4 and 15 minutes timeout time", + handle => "maintain_gdm_custom_conf_insert_lines_lnx00360", + insert_type => "preserve_block"; } - ##### body here ##### - body location before(str) { -before_after => "before"; -first_last => "first"; -select_line_matching => "$(str)"; + before_after => "before"; + first_last => "first"; + select_line_matching => "$(str)"; } body file_select cron_dirs { -leaf_name => { "cron.*" }; -file_types => { "dir" }; -file_result => "leaf_name.file_types"; + leaf_name => { "cron.*" }; + file_types => { "dir" }; + file_result => "leaf_name.file_types"; } -body file_select exclude2(name1,name2) +body file_select exclude2(name1, name2) { -leaf_name => { "$(name1)", "$(name2)"}; -file_result => "!leaf_name"; + leaf_name => { "$(name1)", "$(name2)" }; + file_result => "!leaf_name"; } -body file_select only_dir_exclude2(name1,name2) +body file_select only_dir_exclude2(name1, name2) { -file_types => { "dir" }; -leaf_name => { "$(name1)", "$(name2)"}; -file_result => "!leaf_name.file_types"; + file_types => { "dir" }; + leaf_name => { "$(name1)", "$(name2)" }; + file_result => "!leaf_name.file_types"; } diff --git a/generator/build/search/package-lock.json b/generator/build/search/package-lock.json index 7d988b0a7..018a692f3 100644 --- a/generator/build/search/package-lock.json +++ b/generator/build/search/package-lock.json 
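Review bot: The maintain_grub bundle near the end of the hunk deletes any existing `^password.*` line and inserts a fixed `password --md5 …` hash whose plaintext is announced in the comment above it (`# default password is cfengine`), so every host this policy converges ends up sharing one publicly documented bootloader password, and any site-specific password an admin had set is silently overwritten. I would make the hash a parameter — `bundle edit_line maintain_grub(md5hash)` with `"password --md5 $(md5hash)" -> { "LNX00140" }` — and drop the comment that discloses the default; the callers that would have to pass it are outside this hunk, which itself opens inside maintain_audit_rules whose start lies before the hunk. The cipher list inserted by maintain_ssh_config just above it (`aes256-cbc,…,blowfish-cbc,cast128-cbc,…,3des-cbc`) is CBC-only and includes 64-bit-block ciphers; recent OpenSSH releases have removed CBC modes from their defaults, so this line likely weakens the client rather than hardens it and should be checked against current guidance. The sshd_config lines with trailing `# GEN…` comments (`PermitRootLogin no # GEN001120`, `Protocol 2 # GEN005500`, `Banner … # GEN005540`) are also worth confirming against the deployed OpenSSH version, since older sshd builds reject inline comments on option lines with "garbage at end of line" and then fail to start.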
@@ -8,9 +8,7 @@
 "name": "search",
 "version": "1.0.0",
 "license": "ISC",
- "dependencies": {
- "flexsearch": "^0.7.21"
- }
+ "dependencies": { "flexsearch": "^0.7.21" }
 },
 "node_modules/flexsearch": {
 "version": "0.7.21",
diff --git a/generator/build/search/package.json b/generator/build/search/package.json
index 11cdb6d28..d8e9b3cb1 100644
--- a/generator/build/search/package.json
+++ b/generator/build/search/package.json
@@ -3,12 +3,8 @@
 "version": "1.0.0",
 "description": "",
 "main": "createIndex.js",
- "scripts": {
- "test": "echo \"Error: no test specified\" && exit 1"
- },
+ "scripts": { "test": "echo \"Error: no test specified\" && exit 1" },
 "author": "",
 "license": "ISC",
- "dependencies": {
- "flexsearch": "^0.7.21"
- }
+ "dependencies": { "flexsearch": "^0.7.21" }
 }