Cfengine 3 example unit_root_passwd.html

# Copyright (C) Cfengine AS # This file is part of Cfengine 3 - written and maintained by Cfengine AS. # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; version 3. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA # To the extent this program is licensed as part of the Enterprise # versions of Cfengine, the applicable Commerical Open Source License # (COSL) may apply to this file if you as a licensee so wish it. See # included file COSL.txt. ###################################################################### # # Root password distribution # ###################################################################### body common control { version => "1.2.3"; bundlesequence => { "SetRootPassword" }; } ######################################################## bundle common g { vars: "secret_keys_dir" string => "/tmp"; } ######################################################## bundle agent SetRootPassword { files: "/var/cfengine/ppkeys/rootpw.txt" copy_from => scp("$(fqhost)-root.txt","master_host.example.org"); # or $(pw_class)-root.txt # Test this on a copy "/tmp/shadow" edit_line => SetPasswd("root"); } ######################################################## bundle edit_line SetPasswd(user) { vars: # Assume this file contains a single string of the form :passwdhash: # with : delimiters to avoid end of line/file problems "gotpw" int => readstringarray("pw","$(sys.workdir)/ppkeys/root-pw.txt","#[^\n]*",":","3","200"); field_edits: "$(user).*" # Set field of the file to parameter # File has format root:HASH: or user:HASH: edit_field => col(":","2","$(pw[root][1])","set"); } ######################################################## bundle server passwords { vars: # Read a file of format # # classname: host1,host2,host4,IP-address,regex.*,etc # "pw_classes" int => readstringarray("acl","$(g.secret_keys_dir)/classes.txt","#[^\n]*",":","100","4000"); "each_pw_class" slist => getindices("acl"); access: "/secret/keys/$(each_pw_class)-root.txt" admit => splitstring("$(acl[$(each_pw_class)][1])" , ":" , "100"), ifencrypted => "true"; } ######################################## # Bodies ######################################## body edit_field col(split,col,newval,method) { field_separator => "$(split)"; select_field => "$(col)"; value_separator => ","; field_value => "$(newval)"; field_operation => "$(method)"; extend_fields => "true"; allow_blank_fields => "true"; } ######################################## body copy_from scp(from,server) { source => "$(from)"; compare => "digest"; encrypt => "true"; verify => "true"; } }