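#
# /var/lib/cfengine2/masterfiles/inputs/cfagent.conf
#
# This is the master file maintained on the server.  It carries
# out several jobs on each of the managed nodes.
#
# Most notably it:
#
#  Copies some static files from the master to the client(s).
#  Disables a couple of annoying services from inetd.
#  Installs some software on each node, vim, less, etc.
#  Purges some software, eg nano.
#  Adds a custom /etc/sudoers file.
#  Makes /root/.ssh + installs a public key to allow remote logins.
#
# NOTES:
#  If you wish to use this yourself you'll need to do three things:
#
#  1.  Change the domain to match your local DNS domain from 'my.flat'.
#  2.  Change the address of the cfengine server from 'server.my.flat'.
#  3.  Setup the master files to be copied to the hosts.
#
#  The order in which the sections below run is fixed by the
#  'actionsequence' in the control section, not by their order in
#  this file.  Several sections (editfiles, processes) are therefore
#  opened more than once for readability.
#
# Steve
# --
# http://www.steve.org.uk/
#


#
# Define a group which is the result of the existance of the SSH pid file.
#
# This is used later.
#
groups:

   pid_file_exists = ( FileExists(/var/run/sshd.pid) )


#
# General control setup.
#
# SecureInput = on makes cfagent refuse input files which are not
# owned by root or which are writable by others - keep it on, since
# this file drives root-level changes on every node.
#
control:

   domain         = ( my.flat )
   access         = ( root )
   cfrunCommand   = ( "/usr/sbin/cfagent" )

   # Execution order of the sections in this file.  'files' runs
   # before 'editfiles', so permissions on a file rewritten by
   # editfiles are enforced on the *next* run.
   actionsequence = ( copy files directories tidy resolve editfiles shellcommands disable processes )

   # Age in days used by the /tmp tidy below.
   maxage         = ( 7 )

   SecureInput      = ( on )
   Syslog           = ( on )
   WarnNonUserFiles = ( on )

   mountpattern = ( / )
   homepattern  = ( home )

   #
   # If the PID file exists then setup a variable holding the pid of
   # the master sshd, used by the 'rootsshd' filter further down.
   #
   pid_file_exists::

      sshd_pid = ( ExecResult(/bin/cat /var/run/sshd.pid) )


#
# Define various classes for each host this script runs upon.
#
# The classes are defined if the various files used exist.
#
classes:

   any::

      have_sudo    = ( FileExists(/usr/bin/sudo) )
      missing_sudo = ( any -have_sudo )

      have_less    = ( FileExists(/usr/bin/less) )
      missing_less = ( any -have_less )

      have_vim     = ( FileExists(/usr/bin/vim) )
      missing_vim  = ( any -have_vim )

      have_nvi     = ( FileExists(/usr/bin/nvi) )
      have_nano    = ( FileExists(/usr/bin/nano) )

      # Set once the authorized_keys file has been created by the
      # editfiles section below, so 'files' can lock its permissions.
      have_root_authkeys = ( FileExists(/root/.ssh/authorized_keys) )


#
# Copy some files from the cfengine server onto the clients.
#
#  /etc/hosts
#    Copied from the master to each client.
#
#  /etc/apt/sources.list
#    Copied from the master to the clients.  If this file is installed
#    then a class is defined so that 'apt-get update' is automatically
#    executed later on.
#
# type=checksum copies only when the content differs, not merely the
# mtime.
#
copy:

   /var/lib/cfengine2/masterfiles/inputs/etc/hosts
        dest=/etc/hosts
        server=server.my.flat
        mode=644
        type=checksum

   /var/lib/cfengine2/masterfiles/inputs/etc/apt/sources.list
        dest=/etc/apt/sources.list
        server=server.my.flat
        mode=644
        type=checksum
        define=update_apt


#
# Fix some basic file permissions.
#
# Make sure that /home/ doesn't have any "other" writable files/directories.
#
files:

   /etc/passwd  mode=644 owner=root group=root   action=fixall
   /etc/shadow  mode=640 owner=root group=shadow action=fixall
   /etc/sudoers mode=440 owner=root group=root   action=fixall

   home mode=o-w r=inf act=fixall

   # Only once the file exists (see editfiles); sshd rejects keys in
   # a group/world-writable file when StrictModes is on.
   have_root_authkeys::

      /root/.ssh/authorized_keys mode=600 owner=root group=root action=fixall


#
# Clean out *ALL* files older than $(maxage) days from /tmp.
#
tidy:

   /tmp pattern=* age=$(maxage) recurse=inf


#
# Make sure /tmp has the correct ownership + permissions.
#
# Create /root/.ssh so that we can install an SSH key to it.
#
directories:

   /tmp       mode=1777 owner=root group=root
   # 'mode=' keyword added: the bare '700' did not match the syntax
   # used for /tmp above and left the directory permissions unmanaged.
   /root/.ssh mode=700  owner=root group=root


#
# Setup the resolv.conf file on each client.
#
resolve:

   "search my.flat"
   192.168.1.1
   "# Edit with cfengine"


#
# Magically make sure our sudoers file contains the most recent
# text.
#
# We could copy this file from our central host instead.  I just
# wanted to experiment with inplace-replacements.
#
# The whole file is regenerated whenever the version header line is
# absent, so bump 'v03' when changing the contents below.  A syntax
# error here locks everyone out of sudo, hence the 'visudo -c' check
# run from shellcommands when the file has been rewritten.
#
editfiles:

   {  /etc/sudoers

      # Check for header, edit if the header doesn't match
      #
      BeginGroupIfNoLineMatching "# /etc/sudoers v03"

         # Recreate from scratch
         EmptyEntireFilePlease

         # Add header
         Append "# /etc/sudoers v03"

         # File contents
         Append '#'
         Append '# This file MUST be edited with cfengine'
         Append '#'
         Append '# See the man page for details on how to write a sudoers file.'
         Append '#'
         Append ''
         Append '# Host alias specification'
         Append ''
         Append '# User alias specification'
         Append ''
         Append '# Cmnd alias specification'
         Append ''
         Append '# User privilege specification'
         Append 'root    ALL=(ALL) ALL'
         # NOPASSWD for a user account is equivalent to an unattended
         # root shell for that account - keep this list short.
         Append 'skx     ALL=(ALL) NOPASSWD: ALL'

      EndGroup

      DefineClasses "sudoers_modified"
   }


   #
   # Add a public key to the .ssh login files if it is not present.
   #
   {  /root/.ssh/authorized_keys

      AutoCreate
      Backup "off"
      AppendIfNoSuchLine "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAnZ6zgSc4MDsWx29rLPS2RuzWAa2oBjdQ5UqsEX2ee5lLg6iDC7tb70lgMqILJamMBYXM0Ey3GXM+mSnRtEEVF7kszUsnrgETcrf+4quTQIM1ddJ4clOvSNlsPON1JojBv6Xg/h2OVDnhcguXoD7lrB3LSx1yXpFz3B+YN/EL6fc= root@server.my.flat"
   }


#
# Disable some dangerous services spawned by inetd.  Define a class
# if we do so to allow us to restart inetd.
#
editfiles:

   {  /etc/inetd.conf

      HashCommentLinesContaining "rshd"
      HashCommentLinesContaining "rlogind"
      HashCommentLinesContaining "daytime"
      HashCommentLinesContaining "telnetd"

      DefineClasses "modified_inetd"
   }


#
# Filter used to make sure we only get the root sshd process, not
# any open connections.
#
# (Sending SIGHUP will restart the master sshd process, but kill client
#  connections - not good.)
#
filters:

   {  rootsshd

      PID:    "${sshd_pid}"
      Result: "PID"
   }


#
# Allow X11 forwarding for SSH - enabling it then restart the server.
# Also allow remote root logins - we need this since we've added the
# SSH keys.
#
# 'without-password' permits root login with a key only; 'yes' would
# also allow password guessing against root from the network, which the
# installed key makes unnecessary.
#
editfiles:

   {  /etc/ssh/sshd_config

      ReplaceAll "X11Forwarding no"   With "X11Forwarding yes"
      ReplaceAll "PermitRootLogin no" With "PermitRootLogin without-password"

      DefineClasses "ssh_restart"
   }


#
# Restart only the master sshd (via the filter above) when its
# configuration was changed.
#
processes:

   ssh_restart::

      "sshd" filter=rootsshd signal=hup


#
# Send HUP to the inetd server if we disabled services.
#
processes:

   modified_inetd::

      "inetd" signal=hup


#
# Disable some files.
#
disable:

   /root/.rhosts
   /etc/hosts.equiv


#
#  1.  If we have updated the /etc/apt/sources.list file from the master
#      server then run 'apt-get update'.  Honestly we should probably run
#      this all the time if we're expecting an unstable host.
#
#  2.  Install/Remove software based upon the classes we defined at the
#      top of this script.
#
#  3.  Validate /etc/sudoers after cfengine has rewritten it.
#
# NOTE(review): --force-yes tells apt-get to proceed even when a package
# cannot be authenticated against the archive keys; drop it once the
# configured sources.list only points at signed repositories.
#
shellcommands:

   update_apt::

      "/usr/bin/apt-get update"

   missing_sudo::

      "/usr/bin/apt-get --yes --force-yes install --reinstall sudo"

   missing_less::

      "/usr/bin/apt-get --yes --force-yes install --reinstall less"

   missing_vim::

      "/usr/bin/apt-get --yes --force-yes install --reinstall vim"

   have_nvi::

      "/usr/bin/dpkg --purge nvi"

   have_nano::

      "/usr/bin/dpkg --purge nano"

   sudoers_modified::

      "/usr/sbin/visudo -c"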