On Wed, 2009-03-04 at 12:46 +1100, Avi Miller wrote:
> Hi David,
>
> David Lutterkort wrote:
> > Yeah, that's what that means. Here's a dirty trick to check multiple
> > conditions:
>
> Your assistance so far has been awesome. If I had more time to play, I'm
> sure I could solve this in time, but I'm being hammered by the security
> teams and I need to get a solution onto our servers as soon as possible.
>
> I'm trying to check/change /etc/pam.d/system-auth
>
> The initial (default set) lines look like this:
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>
> I want to change them to this (result set):
>
> password requisite pam_cracklib.so retry=3 lcredit=1 ucredit=1 dcredit=1 ocredit=1
> password sufficient pam_unix.so md5 shadow try_first_pass use_authtok remember=7
>
> Essentially, I need to check if the lines match the result set and if
> not, to make the change. I'm happily able to make the proper changes,
> using the following (using the first line as an example):
>
> changes => [ "rm *[module='pam_cracklib.so'][type='password']/argument",
>   "set *[module='pam_cracklib.so'][type='password']/argument[1] retry=3",
>   "set *[module='pam_cracklib.so'][type='password']/argument[2] lcredit=1",
>   "set *[module='pam_cracklib.so'][type='password']/argument[3] ucredit=1",
>   "set *[module='pam_cracklib.so'][type='password']/argument[4] dcredit=1",
>   "set *[module='pam_cracklib.so'][type='password']/argument[5] ocredit=1"],
>
> But I'm really struggling with the onlyif line to check that all the
> arguments are in place, the correct value and there are no extras. I'm
> able to test individual argument values and the overall count, but I
> seem unable to build a full match that checks everything at once, i.e.
> checks each of the first five argument values and ensures that there are
> only 5 arguments total.

If you don't mind an unnecessary change the first time you run your
Augeas resource on a system, you don't need the onlyif - unnecessary
here means that system-auth might be changed simply because there's
different amounts of spaces between the current file and what Augeas
would generate based on your tree changes.

Augeas will not actually change the file if it stays byte-for-byte
identical, even if you made changes to the tree (e.g. change the value
of a node to something new, then back to the old thing).

Depending on the version of the Augeas plugin you have, puppet _might_
report changes even though none were necessary (or made) - Bryan might
be able to shed some light on the state of reporting in the Augeas type
in 0.24.7 vs the latest in git.

David
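
Added example, not part of the original thread and not code from Puppet or Augeas: the exact-match check asked about above (every expected argument present, no extras) written as a stand-alone audit of the two password rules. The names parse_pam and audit are hypothetical, arguments are compared without regard to order, and the sample inputs are the default and result sets quoted in the thread.

```python
# Added example: audit PAM password rules against the thread's result set.
# Expected arguments per (type, module), copied from the thread.
EXPECTED = {
    ("password", "pam_cracklib.so"):
        ["retry=3", "lcredit=1", "ucredit=1", "dcredit=1", "ocredit=1"],
    ("password", "pam_unix.so"):
        ["md5", "shadow", "try_first_pass", "use_authtok", "remember=7"],
}
# The two states quoted in the thread, each rule on one line.
DEFAULT_SET = (
    "password requisite pam_cracklib.so try_first_pass retry=3\n"
    "password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok\n")
RESULT_SET = (
    "password requisite pam_cracklib.so retry=3 lcredit=1 ucredit=1 dcredit=1 ocredit=1\n"
    "password sufficient pam_unix.so md5 shadow try_first_pass use_authtok remember=7\n")

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d file."""
    text = text.replace("\\\n", " ")            # backslash line continuation
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments
        if len(fields) < 3:
            continue
        rtype, rest = fields[0], fields[1:]
        end = 0
        if rest[0].startswith("["):             # control like [success=1 default=ignore]
            end = next((i for i, f in enumerate(rest) if f.endswith("]")), 0)
        control, rest = " ".join(rest[:end + 1]), rest[end + 1:]
        if rest:
            yield rtype, control, rest[0], rest[1:]

def audit(text, expected=EXPECTED):
    """Return {(type, module): {'missing': [...], 'extra': [...]}} for drift."""
    seen = {}
    for rtype, _control, module, args in parse_pam(text):
        seen.setdefault((rtype, module), args)  # first rule per key
    findings = {}
    for key, want in expected.items():
        have = seen.get(key)
        if have is None:
            findings[key] = {"missing": list(want), "extra": []}
            continue
        missing = [a for a in want if a not in have]
        extra = [a for a in have if a not in want]
        if missing or extra:
            findings[key] = {"missing": missing, "extra": extra}
    return findings

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_SET), ("result", RESULT_SET)):
        print(name, audit(text) or "compliant")
```

An empty result means both rules carry exactly the expected arguments; on the default set it reports the missing credit and remember settings and flags nullok and try_first_pass as extras.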