Thank you Neil,
I think that I was unclear. I realized that !SuSE was "not SuSE" and that
evaluated to true. I was trying to target the "redhat" class as true
and use that.
I read that there is no formal if-then-else and that this was achieved via
classes.
So, I have crontabs for 3 different OS's in 3 different locations:
SuSE::
  "crontab" string => "/var/spool/cron/tabs/root";
redhat::
  "crontab" string => "/var/spool/cron/root";
!SuSE::
  "crontab" string => "/var/spool/cron/crontabs/root";
So, how do I get crontab to be /var/spool/cron/root when it is on a Red Hat
server?
Would I need to explicitly capture the other OS types (i.e. Solaris)?
Thank you again.
Ian
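An added example from the editor, not policy from Ian or Neil, showing how the three crontab locations can be selected with mutually exclusive class expressions. On a Red Hat host both `redhat::` and `!SuSE::` are true, so "crontab" is defined twice in the same bundle; negating both named classes in the fallback branch removes the overlap. It assumes CFEngine 3 class-expression syntax (`!`, `|`, `.` and parentheses), the hard classes `redhat` and `SuSE` as used above, and a `show_crontab` bundle that exists only to report the result.

```cfengine3
body common control
{
  bundlesequence => { "g", "show_crontab" };
}

bundle common g
{
  vars:
    # Each class expression matches a disjoint set of hosts, so "crontab"
    # is defined exactly once on any given machine.
    SuSE::
      "crontab" string => "/var/spool/cron/tabs/root";

    redhat::
      "crontab" string => "/var/spool/cron/root";

    # Everything that is neither SuSE nor Red Hat (Solaris, Debian, ...).
    # Equivalent to "!SuSE.!redhat::".
    !(SuSE|redhat)::
      "crontab" string => "/var/spool/cron/crontabs/root";
}

bundle agent show_crontab
{
  reports:
    # Demonstration only: print which path was chosen for this host.
    any::
      "root crontab for this host lives at $(g.crontab)";
}
```

Run it with `cf-agent -f <file>` on each platform; a Red Hat host reports /var/spool/cron/root, a SuSE host reports /var/spool/cron/tabs/root, and any other host gets the crontabs path without having to be named explicitly.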
help-cfengine-requ...@cfengine.org
Sent by: help-cfengine-boun...@cfengine.org
11/30/2009 07:40 PM
Please respond to: help-cfengine@cfengine.org
To: help-cfengine@cfengine.org
cc:
Subject: Help-cfengine Digest, Vol 46, Issue 1
Send Help-cfengine mailing list submissions to
help-cfengine@cfengine.org
To subscribe or unsubscribe via the World Wide Web, visit
https://cfengine.org/mailman/listinfo/help-cfengine
or, via email, send a message with subject or body 'help' to
help-cfengine-requ...@cfengine.org
You can reach the person managing the list at
help-cfengine-ow...@cfengine.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Help-cfengine digest..."
Today's Topics:
1. Re: Beginner Help Please (nwat...@symcor.com)
2. Re: How to create a new file, and overwrite the old one?
(Matt Wise)
3. Re: How to create a new file, and overwrite the old one?
(Nakarin Phooripoom)
4. Re: Change detection and differentiation, OT (Ed Brown)
5. RE: Change detection and differentiation, OT (Justin Lloyd)
6. Re: Change detection and differentiation, OT (Ed Brown)
----------------------------------------------------------------------
Message: 1
Date: Mon, 30 Nov 2009 16:02:52 -0500
From: nwat...@symcor.com
Subject: Re: Beginner Help Please
To: help-cfengine@cfengine.org
Message-ID:
<of9a03decf.25cf79f1-on8525767e.00736edb-8525767e.00739...@symcor.com>
Content-Type: text/plain; charset="us-ascii"
help-cfengine-boun...@cfengine.org wrote on 2009-11-30 15:57:24:
> bundle common g
> {
> vars:
>
>   # SuSE::
>   #   "crontab" string => "/var/spool/cron/tabs/root";
>
>   redhat::
>     "crontab" string => "/var/spool/cron/root";
>
>   !SuSE::
>     "crontab" string => "/var/spool/cron/crontabs/root";
Welcome aboard.
'!SuSE::'
means 'if the current host is not a member of that class'. Red Hat is not
SuSE, so the string is defined there.
Sincerely,
--
Neil Watson
416-673-3465
-------------- next part --------------
CONFIDENTIALITY WARNING
This communication, including any attachments, is for the exclusive use of
addressee and may contain proprietary and/or confidential information. If
you are not the intended recipient, any use, copying, disclosure,
dissemination or distribution is strictly prohibited. If you are not the
intended recipient, please notify the sender immediately by return e-mail,
delete this communication and destroy all copies.
------------------------------
Message: 2
Date: Mon, 30 Nov 2009 13:29:27 -0800
From: Matt Wise <mw...@logitech.com>
Subject: Re: How to create a new file, and overwrite the old one?
To: Mark Burgess <mark.burg...@iu.hio.no>
Cc: help-cfengine <help-cfengine@cfengine.org>
Message-ID: <68cc7d87-f1be-40ee-b634-aa7e31295...@logitech.com>
Content-Type: text/plain; charset=us-ascii
Ok, I'm a bit further... found the edit_defaults stuff so that I can
overwrite the original file. Also have set up a template... so the file is
first copied over in the overall config download from update.cf as a .tmpl
file. Then when the ntp bundle is called, it creates a new /etc/ntp.conf
from the template with expand_scalars.
Now just a few more questions about this process..
1) I ran cf-agent -v to test it, and it worked. I then made a change to
the config and re-ran it.. this time it didn't overwrite /etc/ntp.conf. Is
there some setting that limits the frequency at which files can be
replaced or services are checked? Or should I be able to run cf-execd
every minute and get updates every single time? (not that I would, just
checking.)
2) I have a method called 'enable_chkconfig' that goes and enables a
service if it's disabled, and starts it up. This runs every single time,
to make sure that no one turns off a particular service. However, I'd like
to separately be able to say "if ${file} was changed in any way, call
method restart_service. If no changes were made, call check_service." Any tips
on how to get that done?
bundle agent setup_network
{
methods:
  ## Generic Linux Host Setup
  linux::
    "any" usebundle => ntp;
}

#
# Set up Network Time Protocol on our hosts
#
bundle agent ntp
{
vars:
  "ntp1" string => "sdc01ntp01.idc.logitech.com";
  "ntp2" string => "vdc01ntp01.idc.logitech.com";
  "ntp3" string => "pool.ntp.org";
  "dest" string => "/etc/ntp.conf";
  "sourcelist" string => "
server ${ntp1}
server ${ntp2}
server ${ntp3}
";

files:
  "${dest}"
    comment => "Generating $(dest) file for ntp bundle.",
    create => "true",
    edit_line => create_file_from_template("/var/cfengine/inputs/sources/setup_network/ntp.conf.tmpl"),
    edit_defaults => replace;

methods:
  "any" usebundle => enable_chkconfig("ntpd");
}

#######################################################
# Custom edit_defaults for replacing existing files
#######################################################
body edit_defaults replace
{
  empty_file_before_editing => "true";
  edit_backup => "false";
  max_file_size => "100000";
}

########################################################
# Function for creating new files from a template
########################################################
bundle edit_line create_file_from_template(template)
{
insert_lines:
  "$(template)"
    insert_type => "file",
    expand_scalars => "true";
}
--Matt Wise
On Nov 30, 2009, at 8:50 AM, Mark Burgess wrote:
>
> See the example
>
> tests/units/unit_template.cf
>
> in the source code.
>
> Matt Wise wrote:
>> How do I create a new file from a template, or a variable.. and
overwrite the system-file thats in its place? (CF3 syntax)
>>
>> _______________________________________________
>> Help-cfengine mailing list
>> Help-cfengine@cfengine.org
>> https://cfengine.org/mailman/listinfo/help-cfengine
>
> --
> Mark Burgess
>
> -------------------------------------------------
> Professor of Network and System Administration
> Oslo University College, Norway
>
> Personal Web: http://www.iu.hio.no/~mark
> Office Telf : +47 22453272
> -------------------------------------------------
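An added example from the editor, not code from Matt or from the CFEngine project, for the second question above: restart the service only when the managed file was actually repaired, and merely check it otherwise. The mechanism is a `classes` body on the files promise that defines a class when the promise is repaired; the methods promises then branch on that class. The edit itself is reduced to a single inserted line so the example runs stand-alone; Matt's `create_file_from_template` plus `edit_defaults => replace` would take the same `classes` attribute. Assumed: `/sbin/service` as the init script wrapper, and `restart_service` / `check_service` implemented as shown rather than as whatever Matt already has.

```cfengine3
body common control
{
  bundlesequence => { "ntp_conf" };
}

bundle agent ntp_conf
{
  vars:
    "dest" string => "/etc/ntp.conf";

  files:
    # When cf-agent has to change the file, the classes body below sets
    # "ntp_conf_changed" for the rest of this run; a kept promise sets nothing.
    "$(dest)"
      create    => "true",
      edit_line => append_if_no_line("server pool.ntp.org"),  # constructed content
      classes   => if_repaired("ntp_conf_changed");

  methods:
    ntp_conf_changed::
      "restart" usebundle => restart_service("ntpd");
    !ntp_conf_changed::
      "check"   usebundle => check_service("ntpd");
}

bundle edit_line append_if_no_line(str)
{
  insert_lines:
    # Inserted only if the line is not already present, so the promise is
    # kept (not repaired) on every run after the first.
    "$(str)";
}

body classes if_repaired(x)
{
  promise_repaired => { "$(x)" };
}

bundle agent restart_service(name)
{
  commands:
    "/sbin/service $(name) restart";
}

bundle agent check_service(name)
{
  processes:
    # Define a class if no process matching the name is running.
    "$(name)"
      restart_class => "$(name)_not_running";

  commands:
    "/sbin/service $(name) start"
      ifvarclass => "$(name)_not_running";
}
```

On the first run the file is created, `ntp_conf_changed` is set and ntpd is restarted; on later runs the edit is already in place, the class is not set and only the process check runs. Locking (Nakarin's `-K` hint) still applies to the `commands` promises, so a restart that fires twice within the lock window is skipped the second time.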
------------------------------
Message: 3
Date: Mon, 30 Nov 2009 23:53:15 +0100
From: Nakarin Phooripoom <mynameisje...@gmail.com>
Subject: Re: How to create a new file, and overwrite the old one?
To: help-cfengine help <help-cfengine@cfengine.org>
Message-ID: <5c3b5337-1f30-4b09-a716-2668af550...@gmail.com>
Content-Type: text/plain; charset=us-ascii
On Nov 30, 2009, at 10:29 PM, Matt Wise wrote:
> Ok, I'm a bit further... found the edit_defaults stuff so that I can
> overwrite the original file. Also have setup a template... so the file is
> first copied over in the overall config download from update.cf as a .tmpl
> file. Then when the ntp bundle is called, it creates a new /etc/ntp.conf
> from the template with expand_scalars.
>
> Now just a few more questions about this process..
>
> 1) I ran cf-agent -v to test it, and it worked. I then made a change to
> the config and re-ran it.. this time it didn't overwrite /etc/ntp.conf. Is
> there some setting that limits the frequency at which files can be
> replaced or services are checked? Or should I be able to run cf-execd
> every minute and get updates every single time? (not that I would, just
> checking.)
Maybe it is because of cfengine's locking constraints during execution, as in "too
soon" to run again. Try running "cf-agent -vK".
>
> 2) I have a method called 'enable_chkconfig that goes and enables a
> service if its disabled, and starts it up. This runs every single time,.
> to make sure that no one turns off a particular service. However, I'd like
> to separately be able to say "if ${file} was changed in any way, call
> method restart_service. If no changes made, call check_service." Any tips
> on how to get that done?
>
It is worth visiting this section of the reference manual, on the classes compound body:
http://www.cfengine.org/manuals/cf3-reference.html#classes-in-_002a
------------------------------
Message: 4
Date: Mon, 30 Nov 2009 16:03:22 -0700
From: Ed Brown <ebr...@lanl.gov>
Subject: Re: Change detection and differentiation, OT
To: Justin Lloyd <jll...@digitalglobe.com>
Cc: help-cfengine@cfengine.org
Message-ID: <4b144f3a.30...@lanl.gov>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Justin,
Your initial question regarding "the concept of only having cfengine
report on unauthorized changes" was really the focus of my comments.
Basically, I'm suggesting that this is not what cfengine does, however
much we'd like to be able to check that box when it comes to management
expectations, or NIST/FIPS/CIS etc. controls or guidelines (e.g. NIST
800-53A: "system integrity applications and tools detect unauthorized
changes to applications and information"). I'm suggesting NO tool
currently can do this, and that it's up to us to make that point to
whoever might have the expectation.
Like you and Neil, I use cfengine for a kind of focused change detection
- it's excellent for that, better than straight file integrity checkers
because it can make things right as well as record the discrepancy and
action taken. But inevitably and unfortunately, detecting
"unauthorized" change still comes down to alert people. This is true
whether a file or resource is under direct management by cfengine or
not. E.g., a cfengine promise repaired could be because of a promise
change, or an update to an underlying package, or a log rotation, or one
of the other routine reasons promises get repaired, OR, it might
represent an unauthorized commandline change getting undone! There is
nothing inherent in change that allows for automated detection of
"unauthorized" change. And change itself is routine and normal, not an
anomaly, like so many people seem to think.
-Ed
------------------------------
Message: 5
Date: Mon, 30 Nov 2009 16:51:24 -0700
From: "Justin Lloyd" <jll...@digitalglobe.com>
Subject: RE: Change detection and differentiation, OT
To: "Ed Brown" <ebr...@lanl.gov>
Cc: help-cfengine@cfengine.org
Message-ID:
<4777941e19c31940ac0f85501eee417105724...@comail02.digitalglobe.com>
Content-Type: text/plain; charset="us-ascii"
Ed,
Ah, you've pointed out my wording error, so thank you for clarifying.
The word "only" should have been elsewhere, reading "the concept of
having cfengine report ONLY on unauthorized changes", as opposed to
reporting on all changes. (Also, remember that I'm only referring to the
"changes" feature here, not regular reporting/logging of promise
repairs.)
Thanks,
Justin
This electronic communication and any attachments may contain confidential
and proprietary
information of DigitalGlobe, Inc. If you are not the intended recipient,
or an agent or employee
responsible for delivering this communication to the intended recipient,
or if you have received
this communication in error, please do not print, copy, retransmit,
disseminate or
otherwise use the information. Please indicate to the sender that you have
received this
communication in error, and delete the copy you received. DigitalGlobe
reserves the
right to monitor any electronic communication sent or received by its
employees, agents
or representatives.
------------------------------
Message: 6
Date: Mon, 30 Nov 2009 17:40:46 -0700
From: Ed Brown <ebr...@lanl.gov>
Subject: Re: Change detection and differentiation, OT
To: Justin Lloyd <jll...@digitalglobe.com>
Cc: help-cfengine@cfengine.org
Message-ID: <4b14660e.7090...@lanl.gov>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Justin,
It's the word "unauthorized" that interests me, and more so than in the
context of your question (which is why I started a new thread, so as to
not completely hijack your valid cfengine question and thread). You
touch on a larger issue here, of concern to policy-makers and compliance
testers and affected admins at many sites. In a broader sense, it's not
just a cfengine issue (and therefore somewhat off-topic for this list
too). Whether using cfengine's tripwire/changes feature, or promise
repairs, or a third-party file integrity checker, or an audit daemon
like auditd, I think all we can really automate is change detection. We
can also reasonably define focused alerting on certain changes (because
the full change record is overwhelming, only useful for forensics
maybe). But the characterization of any particular change as malicious
or unauthorized still needs a warm body in the loop, a fact that gets
confused or overlooked often. I was just hoping to raise awareness or
possibly spark some discussion about that.
thanks,
Ed
------------------------------
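An added example from the editor, not from Ed or the CFEngine project, illustrating the "focused change detection" Ed describes: a `changes` body records content hashes for a short list of files and a class is raised when a hash differs, so the alert is narrow rather than the full change record. The policy deliberately stops at "a change was seen"; deciding whether it was authorized is left to the person reading the report, which is Ed's point. Assumptions: the watched file list is constructed for the example, and a detected content change is treated as a repaired outcome so the `classes` body fires (that is how the classes body is used here; check the behaviour on the CFEngine version in use).

```cfengine3
body common control
{
  bundlesequence => { "detect_changes" };
}

bundle agent detect_changes
{
  vars:
    # Constructed watch list: a few files where silent edits matter.
    "watched" slist => { "/etc/passwd", "/etc/sudoers", "/etc/ntp.conf" };

  files:
    # Hash each file, compare with the stored hash, and record the new one.
    # Assumed: a detected change counts as a repair, which sets the class.
    "$(watched)"
      changes => record_content_changes,
      classes => if_repaired("integrity_change_seen");

  reports:
    # Focused alert: fires only when one of the watched files changed.
    # Whether that change was authorized is for a human to decide.
    integrity_change_seen::
      "Content change recorded for a watched file; review the agent log before treating it as unauthorized";
}

body changes record_content_changes
{
  hash           => "md5";      # hash algorithm used for the stored baseline
  report_changes => "content";  # report content changes, not just stat() changes
  update_hashes  => "true";     # accept the new content as the next baseline
}

body classes if_repaired(x)
{
  promise_repaired => { "$(x)" };
}
```

With `update_hashes => "true"` the baseline moves forward automatically, so the policy itself cannot tell a package update from a hand edit; that classification has to come from correlating the report with change tickets or the package log, exactly the warm body in the loop Ed refers to.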
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
End of Help-cfengine Digest, Vol 46, Issue 1
********************************************
Jefferies archives and monitors outgoing and incoming e-mail. The contents of
this email, including any attachments, are confidential to the ordinary user of
the email address to which it was addressed. If you are not the addressee of
this email you may not copy, forward, disclose or otherwise use it or any part
of it in any form whatsoever. This email may be produced at the request of
regulators or in connection with civil litigation. Jefferies accepts no
liability for any errors or omissions arising as a result of transmission. Use
by other than intended recipients is prohibited. In the United Kingdom,
Jefferies operates as Jefferies International Limited; registered in England:
no. 1978621; registered office: Vintners Place, 68 Upper Thames Street, London
EC4V 3BJ. Jefferies International Limited is authorised and regulated by the
Financial Services Authority.