System Security Examples

Table of Contents

Distribute root passwords

# Agent entry point for this example: only SetRootPassword is run. The ssh
# bundles further down take parameters and are not in the bundlesequence.
body common control
{
      version => "1.2.3";
      # stdlib.cf supplies the bodies referenced below (secure_cp, remote_cp,
      # mo, if_elapsed, col).
      inputs => { "$(sys.libdir)/stdlib.cf" };
      bundlesequence  => { "SetRootPassword" };
}

# Site-wide settings shared with the server bundle below.
bundle common g
{
  vars:
      # Directory holding classes.txt, the class-to-host ACL read by
      # "bundle server passwords".
      # NOTE(review): /tmp is world-writable, so any local user on the server
      # could create or replace classes.txt and thereby decide which hosts are
      # admitted to the root password files. For anything beyond a demo, point
      # this at a root-owned directory with restrictive permissions.
      "secret_keys_dir" string => "/tmp";
}

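# Fetch this host's root password hash from the policy server and apply it
# via the SetRootPw edit bundle.
bundle agent SetRootPassword
{
  vars:
      # Or get variables directly from server with Enterprise.
      # Not used by the promises below; kept as an illustration only.
      "remote-passwd" string => remotescalar("rem_password","127.0.0.1","yes");

  files:
      # "bundle server passwords" publishes "/secret/keys/<class>-root.txt",
      # so the request names that absolute path. <class> is the host's FQDN
      # here, or $(pw_class)-root.txt if hosts are grouped into classes.
      # secure_cp (stdlib) encrypts the transfer and verifies the copy.
      # The destination uses $(sys.workdir) so it matches the path read by
      # SetRootPw.
      "$(sys.workdir)/ppkeys/rootpw.txt"
      copy_from => secure_cp("/secret/keys/$(sys.fqhost)-root.txt","master_host.example.org"),
      # The file holds a password hash: keep it readable by root only.
      perms => mo("600","root");

      # Test this on a copy of /etc/shadow before pointing it at the real file.
      "/tmp/shadow"
      edit_line => SetRootPw;
}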

# Rewrite the password field of the root entry in the edited file using the
# hash fetched by SetRootPassword.
bundle edit_line SetRootPw
{
  vars:
      # Assume this file contains a single string of the form root:passwdhash:
      # with : delimiters to avoid end of line/file problems

      # Lines starting with "#" are ignored; the line is split on ":" so that
      # rpw[root][1] is the hash. At most 1 entry and 200 bytes of the file
      # are read.
      "pw" int => readstringarray("rpw","$(sys.workdir)/ppkeys/rootpw.txt",
                                  "#[^\n]*",":","1","200");

  field_edits:
      # Select the root line of the (shadow-format) file being edited.
      "root:.*"
      # Set field of the file to parameter
      edit_field => col(":","2","$(rpw[root][1])","set");
}

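# Publish per-class root password files to the hosts listed in classes.txt.
bundle server passwords
{
  vars:
      # Read a file of format
      #
      # classname:host1,host2,host4,IP-address,regex.*,etc
      #
      # The first ":" separates the class name from a comma-separated list of
      # hosts. Write the list without whitespace around the delimiters: the
      # fields are used verbatim (no trimming is assumed here), so
      # "classname: host1" would yield an admit pattern " host1" that matches
      # nothing.

      "pw_classes" int => readstringarray("acl","$(g.secret_keys_dir)/classes.txt",
                                          "#[^\n]*",":","100","4000");
      "each_pw_class" slist => getindices("acl");

  access:
      # Note: this path does not use $(g.secret_keys_dir); classes.txt and the
      # *-root.txt files are expected in different directories.
      "/secret/keys/$(each_pw_class)-root.txt"
      # Column 1 is the comma-separated host list, so it is split on ",".
      # Splitting on ":" (the readstringarray delimiter) would leave the whole
      # list as one pattern that admits no host.
      admit => splitstring("$(acl[$(each_pw_class)][1])" , "," , "100"),
      ifencrypted => "true";
}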

Distribute ssh keys

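# Allow root login on this host with $(user)'s public key, fetched from
# $(sourcehost) into a local cache first.
bundle agent allow_ssh_rootlogin_from_authorized_keys(user,sourcehost)
{
  vars:
      "local_cache"       string => "/var/cfengine/ssh_cache";
      "authorized_source" string => "/master/CFEngine/ssh_keys";

  files:
      # A key placed in root's authorized_keys grants root access, so the copy
      # uses secure_cp (encrypted, digest-compared, verified after copy) rather
      # than remote_cp, as the root-password example does.
      "$(local_cache)/$(user).pub"
      comment => "Copy public keys from a an authorized cache into a cache on localhost",
      perms => mo("600","root"),
      copy_from => secure_cp("$(authorized_source)/$(user).pub","$(sourcehost)"),
      action => if_elapsed("60");

      # create => "true" lets the first run on a host without an
      # authorized_keys file still converge (assumes /root/.ssh exists).
      # 600/root keeps the file private and satisfies sshd's StrictModes.
      "/root/.ssh/authorized_keys"
      comment => "Edit the authorized keys into the user's personal keyring",
      create => "true",
      perms => mo("600","root"),
      edit_line => insert_file_if_no_line_matching("$(user)","$(local_cache)/$(user).pub"),
      action => if_elapsed("60");
}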

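# Allow $(user) to log in to this host with their public key, fetched from
# $(sourcehost) into a local cache first.
bundle agent allow_ssh_login_from_authorized_keys(user,sourcehost)
{
  vars:
      "local_cache"       string => "/var/cfengine/ssh_cache";
      "authorized_source" string => "/master/CFEngine/ssh_keys";

  files:
      # The key authorizes a login, so the copy uses secure_cp (encrypted,
      # digest-compared, verified after copy) rather than remote_cp.
      "$(local_cache)/$(user).pub"
      comment => "Copy public keys from a an authorized cache into a cache on localhost",
      perms => mo("600","root"),
      copy_from => secure_cp("$(authorized_source)/$(user).pub","$(sourcehost)"),
      action => if_elapsed("60");

      # create => "true" lets the first run on a host without an
      # authorized_keys file still converge. Ownership is given to $(user),
      # which assumes $(user) is a local account and /home/$(user)/.ssh
      # exists; 600 satisfies sshd's StrictModes.
      "/home/$(user)/.ssh/authorized_keys"
      comment => "Edit the authorized keys into the user's personal keyring",
      create => "true",
      perms => mo("600","$(user)"),
      edit_line => insert_file_if_no_line_matching("$(user)","$(local_cache)/$(user).pub"),
      action => if_elapsed("60");
}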

# Append the contents of $(file) to the promised file unless a line matching
# "$(user).*" is already present.
bundle edit_line insert_file_if_no_line_matching(user,file)
{
  classes:
      # NOTE(review): regline's regex is anchored to the whole line, so this
      # only matches lines that start with $(user). An authorized_keys line
      # starts with the key type (e.g. "ssh-ed25519 ..."), with the user name,
      # if present at all, in the trailing comment, so ".*$(user).*" is
      # probably what was intended. Either way, a rotated key for the same
      # user is appended while the old line stays -- nothing here removes
      # stale keys. $(user) is also interpolated into the regex unescaped.
      "have_user" expression => regline("$(user).*","$(this.promiser)");
  insert_lines:
    !have_user::
      # insert_type "file": the promiser names a file whose lines are
      # inserted, not a literal string.
      "$(file)"
      insert_type => "file";
}