Forum: CFEngine Help
Subject: Re: NFS mount options and behaviour
Author: Beto
Link to topic: https://cfengine.com/forum/read.php?3,25748,25851#msg-25851

I use an edit_line bundle to edit the fstab options and then remount the affected file systems. Maybe it
will be of use to you.


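#########################################################
#
# Check nosuid mounts
#
# Reads /etc/fstab, selects the entries that should carry the nosuid
# option but do not, adds the option in the file (bundle set_nosuid_option)
# and remounts each of those file systems (bundle remount) so the running
# system matches the file.

bundle agent mount_nosuid
{
vars:
        "Fstab" -> { "GEN002420" }
                comment => "CAT II (Previously - G086) UNIX STIG: 3.12.1 Set User ID (suid)",
                string  => "/etc/fstab";

        # readstringlist silently drops whatever lies beyond its entry and
        # byte limits, and a dropped entry is never checked. The limits are
        # raised from the original 256 entries / 8192 bytes so that a large
        # fstab is read completely.
        "fstab"
                comment => "Read /etc/fstab into array",
                slist   => readstringlist(
                        "$(Fstab)",
                        "#[^\n]*",
                        "\n",
                        "1024",
                        "65536"
                        );

        # Device column: a local device node ("/dev/...") or an NFS export
        # ("host:..."). Server names may contain dots and hyphens, which \w
        # alone does not cover. The lookahead excludes the mount points that
        # must keep suid (/, /usr, /var, swap, ...).
        "nosuid_filesystems"
                comment => "Pattern to match file systems that require nosuid",
                string  => "^(/dev/|[\w.-]+:)((?!\s(/|/media/\w+|/opt|/opt/applmgr(/\S*)?|/opt/oracle|/proc|swap|/tmp|/usr|/var)\s).)*$";

        # Matches an entry that has no "nosuid" option. The option may be the
        # last thing on a four-field line, so end-of-line counts as a delimiter.
        "nosuid"
                comment => "Pattern to match file systems that lack the nosuid option",
                string  => "^((?![\s,]nosuid([\s,]|$)).)*$";

        "may_need_nosuid"
                comment => "Entries whose mount point should be nosuid",
                slist   => grep("$(nosuid_filesystems)","fstab");

        "need_nosuid"
                comment => "Entries that should be nosuid but do not have the option",
                slist   => grep("$(nosuid)","may_need_nosuid");

files:
    any::
        # NOTE(review): create => "true" writes an empty /etc/fstab if the
        # file is missing; readstringlist above already requires it to exist,
        # so consider whether an empty file is ever the desired outcome.
        "$(Fstab)"
                comment         => "Edit /etc/fstab",
                edit_line       => set_nosuid_option,
                edit_defaults   => std_defs,
                create          => "true";

methods:
    any::
        # One remount per entry in need_nosuid. The list is presumably built
        # from the file as it was before the edit above, so it names exactly
        # the entries whose running mount still lacks nosuid.
        "ok"    usebundle       => remount("$(need_nosuid)");
}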

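bundle agent remount(fs)
# Remount one fstab entry ($(fs) is the whole line) with nosuid added to its
# current options. Only hpux and linux define the mount command and the
# type flag; on any other platform the command promise stays unexpanded.
{
vars:
    hpux::
        "fs_type"       string  => "-F";
        "mount"         string  => "/sbin/mount";
    linux::
        "fs_type"       string  => "-t";
        "mount"         string  => "/bin/mount";

classes:
        # fs_ent[1] device, [2] mount point, [3] type, [4] options. The dump
        # and pass fields are optional in fstab, so a four-field entry is
        # accepted as well.
        "remount"
                comment         => "Extract device, fstype, options and mount point into array",
                expression      => regextract("(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(\s.*)?","$(fs)","fs_ent");

commands:
    remount::
        # nosuid is placed after the existing options: mount options are
        # applied in order, so a literal "suid" still present in fs_ent[4]
        # would otherwise override it.
        "$(mount) $(fs_type) $(fs_ent[3]) -o remount,$(fs_ent[4]),nosuid $(fs_ent[1]) $(fs_ent[2])"
                comment => "Remount a file system";

reports:
    remount.debug::
        # Same command as above, printed only when the debug class is set.
        "remount needed: $(mount) $(fs_type) $(fs_ent[3]) -o remount,$(fs_ent[4]),nosuid $(fs_ent[1]) $(fs_ent[2])"
                comment => "Turn on debugging with \"cf-agent -KIb mount_nosuid -Ddebug -f ./promises.cf\"";
}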

bundle edit_line set_nosuid_option
# Field 4 of each fstab entry selected by mount_nosuid.nosuid_filesystems is
# the comma-separated option list: drop an explicit "suid" there, then make
# sure "nosuid" is present.
{
field_edits:

    any::

      "${mount_nosuid.nosuid_filesystems}"
        edit_field => col("\s+", "4", "suid", "delete"),
        comment    => "Remove suid mount option";

      "${mount_nosuid.nosuid_filesystems}"
        edit_field => col("\s+", "4", "nosuid", "append"),
        comment    => "Add nosuid mount option";
}


_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
