On Thu, Oct 4, 2012 at 4:19 PM, Mike Svoboda <[email protected]> wrote:
> I'm writing a policy that will test network firewall rules to make sure
> basic pieces of infrastructure work. Here's an example of something I
> have written in policy.
>
>
> vars:
>   "ntp_service_hosts" slist => { "box1-linkedin.com",
>                                  "box2-linkedin.com" };
>
> classes:
>   "ntp_udp_failure_$(ntp_service_hosts)" not =>
>     returnszero("$(netcat_binary) -u $(ntp_service_hosts) $(udp_port[ntp]) > /dev/null 2>&1", "useshell");
You could use a commands promise to run netcat. Then set a class
based on the outcome (exit status). That would give you a chance to
canonify the class on the RHS.
Reference manual says:
If none of the attributes kept_returncodes, repaired_returncodes, or
failed_returncodes are set, the default is to consider a return code
zero as promise repaired, and nonzero as promise failed.
So look into
kept_returncodes
repaired_returncodes
failed_returncodes
netcat returning 0 could be added to "failed_returncodes", as that's a
deviation from policy that CFEngine cannot repair.
Here is a working example:
{{{
body common control {
  inputs         => { "/var/cfengine/inputs/cfengine_stdlib.cf" };
  bundlesequence => { "example" };
}

bundle agent example {
  commands:
    # /bin/true always exits 0; the body below maps that "success" to promise failure
    "/bin/true"
      classes => success_is_failure("monkey brains"),
      comment => "probe the firewall to make sure holes are plugged.
                  probes should *not* succeed!";

  reports:
    # "monkey brains" was canonified to monkey_brains when the promise failed
    monkey_brains::
      "DANGER!!!";
}

body classes success_is_failure(x)
{
  # exit status 0 is treated as a failed promise...
  failed_returncodes => { "0" };
  # ...and on failure the canonified class is defined
  repair_failed      => { canonify("$(x)") };
}
}}}
Best,
Aleksey
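Putting the two messages together, here is an added example (not from either poster) that applies the same body to the original per-host netcat probe, so the class name can contain the iterated hostname and still be canonified. The hostnames, netcat path and port are constructed placeholders, and the `-z`/`-w` flags are assumed to be supported by the installed netcat.

```cfengine3
body common control {
  inputs         => { "/var/cfengine/inputs/cfengine_stdlib.cf" };
  bundlesequence => { "firewall_probe" };
}

bundle agent firewall_probe {
  vars:
    # Constructed sample values; replace with your own hosts, netcat path and port.
    "ntp_service_hosts" slist  => { "ntp1.example.com", "ntp2.example.com" };
    "netcat_binary"     string => "/usr/bin/nc";
    "udp_port[ntp]"     string => "123";

  commands:
    # cf-agent runs this promise once per list element. The body below turns
    # exit status 0 (the port answered) into promise failure and defines a
    # class whose name carries the hostname being probed.
    "$(netcat_binary) -z -u -w 3 $(ntp_service_hosts) $(udp_port[ntp])"
      classes => success_is_failure("ntp_udp_open_$(ntp_service_hosts)"),
      comment => "Probe NTP/UDP from this host; the probe is expected to be blocked";

  reports:
    # ifvarclass builds the class name from the iterated variable and canonifies
    # it the same way the body does, so the two names always match.
    "DANGER: UDP/$(udp_port[ntp]) to $(ntp_service_hosts) is reachable; expected firewall rule is missing"
      ifvarclass => canonify("ntp_udp_open_$(ntp_service_hosts)");
}

body classes success_is_failure(x) {
  # netcat exiting 0 is the unwanted outcome, so count it as a failed promise
  failed_returncodes => { "0" };
  # canonify here so dots and dashes in the hostname become underscores
  repair_failed      => { canonify("$(x)") };
}
```

With UDP, netcat only reports a closed port when an ICMP port-unreachable comes back, so a 0 exit status alone is weaker evidence than it is for TCP; the same body works unchanged for a TCP probe, where the exit status is reliable.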
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine