Unix System Administration - PowerPoint PPT Presentation

Description: Chapter 6 from Kirk Bauer: Automating UNIX and Linux Administration.

Transcript and Presenter's Notes

1
Unix System Administration
Chuck Hauser 2007-10-19
2
Cfengine
  • Automated suite of programs for configuring and
    maintaining Unix-like computers
  • Developed by Mark Burgess of Oslo University
    College
  • Started in 1993; the goal was to replace shell
    scripts with a declarative language that
    documented configurations.

3
Some Cfengine Capabilities
  • Check or set file ownership and permissions
  • Edit configuration files
  • Remove unwanted files (tidy)
  • Check integrity of important files
  • Process management

4
Implementing Cfengine
  • Primary documentation: www.cfengine.org
  • Secondary documentation: Wikipedia lists several
    Cfengine links
  • Software: the required packages are at
    www.sunfreeware.com

5
Additional Useful Info
6
Cfengine Software Packages
7
Installing Packages
  • Put packages in /var/spool/pkg.
  • Install in this order: libgcc, db, openssl,
    cfengine.
  • Unzip each package:
    gunzip libgcc-3.3-sol9-sparc-local.gz
  • Then install as root:
    pkgadd -d libgcc-3.3-sol9-sparc-local

8
Cfengine Directory Structure
  • After package installation, libraries are in
    /usr/local/lib and binaries are in
    /usr/local/sbin.
  • Cfengine's production location is /var/cfengine:
    /var/cfengine/bin stores programs, ./inputs
    stores configuration files, and ./outputs stores
    output from cfagent runs in timestamped files.
  • Additional /var/cfengine directories are created
    as needed by the Cfengine programs.

9
Setup Script for Cfengine
    #!/usr/bin/ksh
    # Refuse to run if the cfengine binaries are not installed.
    if [ ! -f /usr/local/sbin/cfagent ]
    then
        echo "Quitting, no cfengine programs on this machine!"
        exit 1    # non-zero status so a calling script notices the failure
    fi
    # Create the production bin directory if it does not exist yet.
    if [ ! -d /var/cfengine/bin ]
    then
        mkdir -p /var/cfengine/bin
        chown root:other /var/cfengine/bin
    fi
10
Setup Script continued
    # Copy the package binaries into the production location.
    cd /usr/local/sbin || exit 1
    cp cfagent cfenvgraph cfrun cfdoc cfexecd \
       cfservd cfenvd cfkey cfshow vicf \
       /var/cfengine/bin
    if [ ! -d /var/cfengine/inputs ]
    then
        mkdir /var/cfengine/inputs
    fi
    if [ ! -d /var/cfengine/outputs ]
    then
        mkdir /var/cfengine/outputs
    fi
11
Some Cfengine Programs
12
How It Works
  • A configuration file describes the state a system
    should be in
  • Descriptive, not procedural: the file does not
    describe explicitly how to achieve that state
  • A single cfengine run may result in multiple
    passes (convergence)
  • Single host setup only requires the cfagent
    program and a cfagent.conf file that describes
    the desired configuration

13
The Configuration File
  • A configuration file consists of actions and
    classes (also called groups)
  • Actions either tell the program how to behave or
    what to do.
  • Actions are often followed by statements in this
    form: name = ( list )
  • Classes may be used to restrict a particular
    action to hosts that are members of that class
    (group)
  • May have variables: these may be special internal
    variables, user-defined strings, or shell
    environment variables

14
Configuration File Structure
  • File consists of action sections, which are
    reserved words followed by a colon
  • Some sections are for initial settings and
    definitions: acl, alerts, binservers, broadcast,
    control, defaultroute, filters, groups,
    homeservers, ignore, import, strategies, etc.
  • Other sections perform specific actions: alerts,
    copy, disks, disable, editfiles, files, links,
    netconfig, resolve, packages, processes,
    shellcommands, and tidy
  • It is not necessary to have or use all sections

15
A cfagent.conf Section
    links:
      easyspooler_fix::
        /usr/bin/lp -> /usr/bin/llp syslog=true inform=true

Actions end with a colon and start a section.
Classes within an action end with a double colon.
16
A Very Simple Configuration File
    # cfagent.hello
    control:
      actionsequence = ( shellcommands )
    shellcommands:
      "/bin/echo Hello world!" useshell=false

  • To execute:
    /var/cfengine/bin/cfagent -f cfagent.hello
  • Output:
    cfengine:cis:/bin/echo Hello: Hello world!

17
Action Sequence Types 1
18
Action Sequence Types 2
19
Action Sequence Types 3
20
Classes (Groups)
  • Classes may be predefined (also referred to as
    fixed or hard classes) or defined in the
    configuration file
  • Custom classes are usually defined in the groups
    section
  • Feedback classes: a class may also be defined
    using the define statement when actions are
    performed in other sections (for example, when
    disable actions are performed):
    define=boot_server_disabled

21
Predefined Classes
  • Operating systems: sunos_5_8, sunos_5_9
  • Architecture or hardware: sparc,
    SUNW_Sun_Fire_480R
  • Host name or IP address: cis, 10_1_12_23
  • Date and time: Yr2007, March, Day12,
    Monday, Hr00, Min45
  • Time intervals in minutes or quarter hours:
    Min00_05, Min05_10, Q1, Q3, Hr00_Q1

22
Custom Classes
  • Can use explicit host names:
    no_samba = ( cis entityclient )
  • Use a command that returns true/false:
    easyspooler_fix = ( "/usr/bin/test -x /usr/bin/llp -a ! -L /usr/bin/lp" )
  • Use built-in functions:
    easyspooler = ( FileExists(/usr/bin/llp) )

23
Built-in Functions for Classes
24
Using Compound Classes
  • Dot (.) is a logical AND: nfs.sunos_5_8
  • Later cfengine versions also support & for
    logical AND
  • Vertical bar (|) is a logical OR: Hr00|Hr12
  • Exclamation point (!) is logical NOT: !Hr00
  • Parentheses override order:
    dbservers.(sunos_5_8|sunos_5_9)
  • Precedence, highest to lowest: (), NOT, AND, OR
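The evaluator below is an added example, not code from the presentation or from cfengine itself. It parses class expressions with exactly the precedence listed above (parentheses, then NOT, then AND written as "." or "&", then OR) and evaluates them against the classes a host has defined, which is what cfagent does before deciding whether a class-qualified action applies. The host names and class sets in SAMPLE_HOSTS are constructed.

```python
import re

# Added example, not code from the presentation or from cfengine: a small
# evaluator for cfengine 2 class expressions.  Class names are [A-Za-z0-9_]+
# and "any" is always defined.
_TOKEN = re.compile(r"\s*(?:([A-Za-z0-9_]+)|([().|!&]))")
_OPERATORS = {"(", ")", ".", "|", "!", "&"}


def tokenize(expr):
    """Split 'dbservers.(sunos_5_8|sunos_5_9)' into names and operators."""
    pos, tokens = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError("bad character at offset %d in %r" % (pos, expr))
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class ClassExpr:
    """Recursive-descent parser evaluated against a set of defined classes."""

    def __init__(self, defined):
        self.defined = set(defined) | {"any"}

    def evaluate(self, expr):
        self.toks = tokenize(expr.strip())
        self.pos = 0
        value = self._or()
        if self.pos != len(self.toks):
            raise ValueError("unexpected token %r in %r" % (self.toks[self.pos], expr))
        return value

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _or(self):                     # lowest precedence: a|b
        value = self._and()
        while self._peek() == "|":
            self.pos += 1
            rhs = self._and()
            value = value or rhs
        return value

    def _and(self):                    # a.b and a&b bind tighter than |
        value = self._not()
        while self._peek() in (".", "&"):
            self.pos += 1
            rhs = self._not()
            value = value and rhs
        return value

    def _not(self):                    # !a binds tighter than . and |
        if self._peek() == "!":
            self.pos += 1
            return not self._not()
        return self._atom()

    def _atom(self):                   # parentheses or a single class name
        tok = self._peek()
        if tok == "(":
            self.pos += 1
            value = self._or()
            if self._peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return value
        if tok is None or tok in _OPERATORS:
            raise ValueError("expected a class name, got %r" % (tok,))
        self.pos += 1
        return tok in self.defined


def is_valid(expr):
    """True if expr parses; useful for catching typos in a groups section."""
    try:
        ClassExpr(set()).evaluate(expr)
        return True
    except ValueError:
        return False


def hosts_matching(expr, host_classes):
    """Hosts (from a {host: set_of_classes} map) on which expr is true."""
    return sorted(h for h, classes in host_classes.items()
                  if ClassExpr(classes).evaluate(expr))


# Constructed sample: hard classes cfagent might define on three hosts
# (OS, architecture, hostname, hour) plus the custom classes nfs and dbservers.
SAMPLE_HOSTS = {
    "cis":  {"sunos_5_8", "sparc", "cis", "nfs", "dbservers", "Hr00"},
    "db2":  {"sunos_5_9", "sparc", "db2", "dbservers", "Hr12"},
    "web1": {"linux", "i386", "web1", "Hr00"},
}

if __name__ == "__main__":
    for e in ("nfs.sunos_5_8", "Hr00|Hr12", "!Hr00",
              "dbservers.(sunos_5_8|sunos_5_9)", "!Hr00|nfs", "any"):
        print("%-35s -> %s" % (e, hosts_matching(e, SAMPLE_HOSTS)))
```

The two precedence cases worth remembering are `dbservers.sunos_5_8|sunos_5_9`, which is `(dbservers.sunos_5_8)|sunos_5_9` and so also matches every Solaris 9 host, and `!Hr00|nfs`, which is `(!Hr00)|nfs`; both are easy to get wrong in an actionsequence or a disable section that must not fire on the wrong hosts.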

25
Additional Class Info
  • The any class is a generic all-inclusive group
    (same as not specifying a class)
  • To find all defined classes using the default
    configuration file:
    /var/cfengine/bin/cfagent -p -v
  • To find all defined classes using a configuration
    file other than cfagent.conf:
    /var/cfengine/bin/cfagent -p -v -f cfagent.test

26
Sample groups Section
    groups:
      datatel = ( IsDir(/datatel) )
      # Perform MD5 checksumming on these systems
      do_checksum = ( cis )
      # Defines an EasySpooler system that needs
      # to have the EasySpooler llp binary used
      # instead of the default lp command.
      easyspooler_fix = ( "/usr/bin/test -x /usr/bin/llp -a ! -L /usr/bin/lp" )

27
Sample groups Section continued
      # Place machines in edit_password_defaults
      # to edit the /etc/default/passwd file
      edit_password_defaults = ( cis entityclient )
      # If at.allow or cron.allow exist, don't need
      # the .deny files
      no_atdeny = ( IsFile(/etc/cron.d/at.allow) )
      no_crondeny = ( IsFile(/etc/cron.d/cron.allow) )

28
Control Section
  • A configuration file must have a control section,
    otherwise nothing will be done
  • Sets default variables
  • Can also be used to define new variables
  • Defines which actions are carried out and in what
    order

29
Cfengine Variables
  • Used for string substitution, similar to a macro
    processor
  • Can be defined in the control section for use in
    other sections: datatel_age_hold = ( 30 )
  • May be defined within a specific group, but this
    must be used carefully: some must be defined
    globally to avoid runtime errors in the tidy
    section.

30
Using Variables
  • Variables are dereferenced either using curly
    braces or parentheses preceded by a dollar sign:
    exclude=${unidata_log_files}
    $(unidata_mnt)/bin
  • Using undefined variables causes syntax errors.

31
Control Default Variables
  • The control section can be used to set numerous
    variables that control execution
  • Use access to list who can run cfengine:
    access = ( root )
  • syslog activates syslog logging when an inform
    statement is encountered: syslog = ( on )

32
Defining Variables
    control:
      cfengine_note = ( "# Note: this file managed under cfengine" )
    datatel::
      unidata_mnt = ( /usr/ud71 )
      datatel_owner = ( datatel )
      # Database locations
      datatel_production = ( /datatel/coll18/production )

33
List Variables
  • Variables may consist of multiple items
    separated by a colon:
    datatel_hold_dirs = ( ${datatel_production}/apphome/_HOLD_:${datatel_development}/apphome/_HOLD_:${datatel_test}/apphome/_HOLD_ )
    unidata_log_files = ( ${unidata_mnt}/bin/udt.errlog:${unidata_mnt}/bin/udtlatch.log:${unidata_mnt}/bin/saved_logs/udtlatch.log )

34
Control Section actionsequence
  • The actionsequence variable specifies which
    actions are carried out and in what order:
    actionsequence = ( disable links )
  • Action sections in the configuration file that
    are not included in the actionsequence list are
    not performed

35
actionsequence continued
  • Classes may be used for control in the
    actionsequence statement:
    actionsequence = ( tidy.Hr03 disable links.ThisClass editfiles links.ThatClass )

36
The import Section
  • The import section is used for reading additional
    configuration files:
      import:
        piopen::
          cf.app_piopen
  • For breaking large configuration files into
    smaller files or for using separate files for
    special processing

37
Inheritance and import Files
  • The main (or parent) file is completely parsed
    before the import file is read
  • Variables and groups in the parent file are
    inherited in the imported file, but variables and
    groups in the imported file are not visible in
    the parent file

38
The disable Section
  • Cfengine will disable files (and directories) by
    renaming them instead of deleting them (as
    opposed to the tidy action).
  • If no destination name is specified, the file
    will be renamed by appending the suffix
    .cfdisabled to the file name.
  • disable can also be used to rotate files such as
    logs.

39
disable syntax
    disable:
      class::
        /filename dest=filename define=classlist
            syslog=true/on/false/off inform=true/on/false/off
            action=disable/warn

40
A disable Example
    disable:
      easyspooler_fix::
        /usr/bin/lp syslog=true inform=true
      no_boot_server.(sunos_5_8|sunos_5_9)::
        # Don't run boot services
        /etc/rc3.d/S16boot.server
            dest=cfdisabled.S16boot.server
            define=boot_server_disabled
            syslog=true

The define=boot_server_disabled statement sets a feedback class.
41
The editfiles Section
  • Performs line-based editing on text files (or
    limited binary editing) after making a backup of
    the file to be edited
  • Supports simple regular-expressions
  • Syntax is different from other actions:
      editfiles:
        class::
          { file-to-be-edited
            action "quoted-string"
          }

42
Sample editfiles Section
    editfiles:
      sunos_5_8|sunos_5_9::
        # IIPS Baseline 4.5
        # Set TCP initial sequence number
        # generation to RFC 1948
        # unique-per-connection-ID
        { /etc/default/inetinit
          ReplaceAll "TCP_STRONG_ISS=[01]" With "TCP_STRONG_ISS=2"
        }

43
Sample editfiles Section continued
        # IIPS Baseline 5.1
        # Enable TCP connection tracing by inetd
        # (this is independent of any TCP Wrappers
        # logging).
        { /etc/default/inetd
          PrependIfNoSuchLine "$(cfengine_note)"
          UnCommentLinesContaining "LOGGING"
          ReplaceAll "LOGGING=NO" With "LOGGING=YES"
          DefineClasses "modified_inetd_conf"
        }
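The following is an added example, not code from the presentation or from cfengine. It models the editfiles actions used on the two slides above so that their effect on a file, and the fact that a second run changes nothing (convergence), can be checked offline. SAMPLE_INETD and SAMPLE_INETINIT are constructed, modelled on the commented-out defaults in Solaris /etc/default/inetd and /etc/default/inetinit. The .cfsaved backup name, the regex interpretation of ReplaceAll and the rule that DefineClasses defines its classes only when the file was actually changed are this example's assumptions about cfengine 2 behaviour.

```python
import re
import shutil

# Added example, not code from the presentation or from cfengine: an in-memory
# model of PrependIfNoSuchLine, UnCommentLinesContaining, ReplaceAll ... With
# and DefineClasses, plus a wrapper that backs a real file up before rewriting.


class EditFile:
    def __init__(self, lines):
        self.lines = list(lines)
        self.changed = False
        self.classes = set()

    def PrependIfNoSuchLine(self, line):
        """Insert line at the top unless an identical line already exists."""
        if line not in self.lines:
            self.lines.insert(0, line)
            self.changed = True

    def UnCommentLinesContaining(self, text):
        """Strip a leading '#' from every commented line that contains text."""
        for i, line in enumerate(self.lines):
            if text in line and line.lstrip().startswith("#"):
                self.lines[i] = re.sub(r"^\s*#\s*", "", line)
                self.changed = True

    def ReplaceAll(self, pattern, replacement):
        """ReplaceAll "pattern" With "replacement": regex substitution per line."""
        rx = re.compile(pattern)
        for i, line in enumerate(self.lines):
            new = rx.sub(replacement, line)
            if new != line:
                self.lines[i] = new
                self.changed = True

    def DefineClasses(self, class_list):
        """Define the colon-separated classes only if an edit changed the file (assumption)."""
        if self.changed:
            self.classes.update(class_list.split(":"))


def harden_inetd(lines, note="# Note: this file managed under cfengine"):
    """The slide's /etc/default/inetd edit sequence; returns the EditFile."""
    ef = EditFile(lines)
    ef.PrependIfNoSuchLine(note)
    ef.UnCommentLinesContaining("LOGGING")
    ef.ReplaceAll("LOGGING=NO", "LOGGING=YES")
    ef.DefineClasses("modified_inetd_conf")
    return ef


def harden_inetinit(lines):
    """The slide's /etc/default/inetinit edit: TCP_STRONG_ISS 0 or 1 becomes 2 (RFC 1948)."""
    ef = EditFile(lines)
    ef.ReplaceAll("TCP_STRONG_ISS=[01]", "TCP_STRONG_ISS=2")
    return ef


def edit_file(path, editor, backup_suffix=".cfsaved"):
    """Apply editor() to a real file, keeping a backup copy if anything changed."""
    with open(path) as f:
        ef = editor(f.read().splitlines())
    if ef.changed:
        shutil.copy2(path, path + backup_suffix)   # backup before overwrite
        with open(path, "w") as f:
            f.write("\n".join(ef.lines) + "\n")
    return ef


# Constructed samples.  ENABLE_CONNECTION_LOGGING contains "LOGGING", which is
# what the slide's UnCommentLinesContaining / ReplaceAll patterns rely on.
SAMPLE_INETD = [
    "# /etc/default/inetd",
    "#ENABLE_CONNECTION_LOGGING=NO",
    "#ENABLE_TCPWRAPPERS=NO",
]
SAMPLE_INETINIT = ["TCP_STRONG_ISS=1"]

if __name__ == "__main__":
    ef = harden_inetd(SAMPLE_INETD)
    print("\n".join(ef.lines))
    print("classes defined:", sorted(ef.classes))
```

Running harden_inetd twice on the same content shows why the DefineClasses rule matters: on the second pass nothing changes, modified_inetd_conf is not defined, and the processes section that HUPs inetd on that class stays quiet instead of restarting the daemon on every cfagent run.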

44
The filters Section
  • The filters section does not perform actions;
    instead it is used for defining selection
    criteria that may be used in the files or
    processes sections.
      filters:
        { root_owned_files
          Owner: "root"
          Result: "Owner"
        }

45
The files section
  • The files section can be used for
  • File creation
  • Checking the existence, ownership, and permissions
    of files
  • Changing the ownership and permissions of files
  • Testing for setuid root programs

46
Syntax for files
    files:
      classes::
        /file-object mode=mode owner=uid-list group=gid-list
            action=fixall/other-options/warnall
            links=false/stop/traverse/follow/tidy
            ignore=pattern include=pattern exclude=pattern

47
Correcting File Permissions
    files:
      datatel::
        ${datatel_production}/apphome
            mode=o+rw,g+rw,o-rwx
            owner=datatel
            group=users
            action=fixall
            ignore=_HOLD_
            ignore=_PH_
            ignore=BP
            recurse=inf

48
Sample report of correcting file permissions
    Checking file(s) in /datatel/coll18/production/apphome
    cfengine:cis: Owner of /datatel/coll18/production/apphome/DATA/DATA_P/PAYROLL.EXPORTS/200710MO was 1010, setting to 100
    cfengine:cis: Owner of /datatel/coll18/production/apphome/DATA/DATA_P/PAYROLL.EXPORTS/200710PT was 1010, setting to 100
    cfengine:cis: Owner of /datatel/coll18/production/apphome/DATA/DATA_X/XCSD.DIRECTORY/DCA80407114536.SEQ was 1006, setting to 100

49
Creating Files
    # IIPS Baseline 6.5: Make sure the machine
    # tracks failed login attempts
    /var/adm/loginlog
        owner=root
        group=sys
        mode=600
        action=create

50
File Monitoring
  • Cfengine provides a file monitoring facility
    similar to the Tripwire program.
  • Any file flagged for file monitoring in the files
    section will have its md5 checksum registered in
    a checksums database.
  • On subsequent cfengine passes the file will have
    its md5 checksum computed and compared with the
    previously stored value; a warning is issued
    if the values do not match.

51
Configuring File Monitoring
  • A file that stores the checksums must be defined
    in the control section:
    ChecksumDatabase = ( /var/cfengine/checksum.db )
  • Any files specified in the files section with the
    statement checksum=md5 will be monitored:
    ${unidata_mnt}/bin/udt_signal checksum=md5 inform=true

52
File Monitoring Example
    files:
      (sunos_5_8|sunos_5_9)::
        /sbin/
            checksum=md5
            action=warnall
        /usr/bin
            checksum=md5
            action=warnall
            include=cancel
            include=login
            include=passwd
            include=su

53
Controlling Updates To The Checksum Database
  • The control section's ChecksumUpdates variable
    controls updating of the stored checksums
  • The default value of no means the database will
    not be updated when a file's checksum changes.
  • If ChecksumUpdates is set to yes, when a file's
    checksum changes a warning is issued once and
    then the new checksum is stored in the database.

54
Maintaining the Checksum Database
  • If a patch cluster has been installed, switch
    ChecksumUpdates to yes to store the checksums of
    the new binaries in the database, then return
    ChecksumUpdates to no.
  • Periodically set the ChecksumPurge variable to on
    to remove files that no longer exist from the
    checksum database.
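To make the ChecksumUpdates and ChecksumPurge semantics from the last few slides concrete, here is an added example that is not code from the presentation or from cfengine. It walks one file through register, tamper, warn, accept and purge. The JSON store, the warning text and the run_demo name are this example's own (cfengine 2 kept the database in a Berkeley DB file); the tampered file is constructed in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Added example, not code from the presentation or from cfengine: a model of
# ChecksumDatabase / ChecksumUpdates / ChecksumPurge.  Assumptions: a file seen
# for the first time is registered silently, and a purge drops the entries of
# files that no longer exist.


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ChecksumDatabase:
    def __init__(self, path):
        self.path = path
        self.entries = {}
        if os.path.exists(path):
            with open(path) as f:
                self.entries = json.load(f)

    def save(self):
        with open(self.path, "w") as f:
            json.dump(self.entries, f)

    def check(self, files, checksum_updates=False):
        """One cfagent pass over files marked checksum=md5.  Returns the warnings."""
        warnings = []
        for p in files:
            if not os.path.exists(p):
                warnings.append("WARNING: monitored file %s is missing" % p)
                continue
            digest = md5_of(p)
            stored = self.entries.get(p)
            if stored is None:
                self.entries[p] = digest            # first sighting: register
            elif stored != digest:
                warnings.append("SECURITY ALERT: md5 checksum for %s changed" % p)
                if checksum_updates:                # ChecksumUpdates = ( yes )
                    self.entries[p] = digest        # warn once, then accept the new value
        self.save()
        return warnings

    def purge(self):
        """ChecksumPurge = ( on ): forget files that no longer exist."""
        gone = sorted(p for p in self.entries if not os.path.exists(p))
        for p in gone:
            del self.entries[p]
        self.save()
        return gone


def run_demo():
    """Register, tamper, warn, accept, purge; returns (warnings per pass, purge ok)."""
    tmp = tempfile.mkdtemp()
    try:
        dbfile = os.path.join(tmp, "checksum.db")
        binary = os.path.join(tmp, "su")
        with open(binary, "wb") as f:
            f.write(b"original su binary\n")           # constructed "binary"
        counts = []
        counts.append(len(ChecksumDatabase(dbfile).check([binary])))   # registered, no warning
        with open(binary, "wb") as f:
            f.write(b"trojaned su binary\n")           # constructed tampering
        counts.append(len(ChecksumDatabase(dbfile).check([binary])))   # warns, keeps old md5
        counts.append(len(ChecksumDatabase(dbfile).check([binary])))   # keeps warning every pass
        counts.append(len(ChecksumDatabase(dbfile).check([binary], checksum_updates=True)))  # warns, stores new md5
        counts.append(len(ChecksumDatabase(dbfile).check([binary])))   # new value accepted, quiet
        os.remove(binary)
        purged = ChecksumDatabase(dbfile).purge()
        return counts, purged == [binary]
    finally:
        shutil.rmtree(tmp)

if __name__ == "__main__":
    print(run_demo())
```

The first pass registers whatever it finds without complaint, so it has to run on a host that is known to be clean (fresh install or verified media); a baseline taken from an already compromised system simply blesses the attacker's binaries. The same caution applies to flipping ChecksumUpdates to yes after a patch cluster: confirm that the files reported as changed are the ones the patch was supposed to touch before letting the new checksums into the database.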

55
The cfengine.hostname.log
  • As cfagent searches file systems, it builds a log
    file of all root-owned setuid and setgid programs
    that are found.
  • This log is stored in /var/cfengine; the file
    name consists of the string cfengine., the
    system's hostname, and the suffix .log, e.g.
    cfengine.cis.log.
  • Cfagent issues warnings on subsequent searches if
    a new root-owned setuid/setgid program is found
    that is not in the log file.
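The setuid/setgid inventory described on this slide, as an added example that is not the presentation's or cfengine's code. walk_records() scans a real directory tree and the check itself is pure, so it can be exercised on the constructed SAMPLE_RECORDS and BASELINE below. The rule that a root-owned setuid/setgid program not yet in the log is reported once and then recorded is this example's assumption about what cfagent does.

```python
import os
import stat

# Added example, not code from the presentation or from cfengine: a model of
# the cfengine.<hostname>.log mechanism.  The log acts as a baseline of
# root-owned setuid/setgid programs; anything not in it is reported.
SETXID = stat.S_ISUID | stat.S_ISGID


def walk_records(root):
    """Yield (path, st_mode, st_uid) for every regular file under root; symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid


def root_setxid(records, root_uid=0):
    """Sorted paths of files owned by root_uid with the setuid or setgid bit set."""
    return sorted(path for path, mode, uid in records
                  if uid == root_uid and mode & SETXID)


def check_setxid_log(records, known, root_uid=0):
    """Compare a scan with the log.  Returns (warnings, updated log entries)."""
    known = set(known)
    current = root_setxid(records, root_uid)
    new = [p for p in current if p not in known]
    warnings = ["NEW ROOT SETUID/SETGID PROGRAM: %s" % p for p in new]
    return warnings, sorted(known | set(current))


def load_log(path):
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return [line.rstrip("\n") for line in f if line.strip()]


def save_log(path, entries):
    with open(path, "w") as f:
        f.write("".join(e + "\n" for e in entries))


def scan_host(root, logpath, root_uid=0):
    """One cfagent-style pass over a real tree: warn on new programs, then update the log."""
    warnings, entries = check_setxid_log(walk_records(root), load_log(logpath), root_uid)
    save_log(logpath, entries)
    return warnings


# Constructed records standing in for a filesystem scan (mode = S_IFREG | bits).
SAMPLE_RECORDS = [
    ("/usr/bin/su",     0o104755, 0),     # setuid root, in the baseline
    ("/usr/bin/passwd", 0o106555, 0),     # setuid+setgid root, in the baseline
    ("/usr/bin/ls",     0o100755, 0),     # ordinary root-owned binary
    ("/home/bob/tool",  0o104755, 1001),  # setuid but not root-owned: not logged
    ("/tmp/.x/sh",      0o104755, 0),     # setuid root and unknown: must warn
]
BASELINE = ["/usr/bin/passwd", "/usr/bin/su"]

if __name__ == "__main__":
    warnings, log = check_setxid_log(SAMPLE_RECORDS, BASELINE)
    print("\n".join(warnings) or "no new setuid/setgid root programs")
```

Because the log is appended to after the warning, a new program is reported only once; if the warning is missed (no syslog, nobody reading the outputs directory), the program silently becomes part of the baseline, which is why the log file itself deserves the same checksum monitoring as the binaries it lists.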

56
The links Section
  • Used to either check or create links:
    linkname -> object_to_link_to
  • Symbolic links are the default unless type=hard
    is specified.
  • If the link exists but points to a different
    object, a warning is issued
  • If the link is specified using the ! operator
    (linkname ->! object_to_link_to), an existing
    link that points incorrectly is changed to point
    to the correct object.

57
The tidy Section
  • The tidy action removes (deletes) files from the
    system
  • tidy:
      /directory pattern=/include=wildcard
          ignore=pattern exclude=pattern age=days
          syslog=true/on/false/off inform=true/on/false/off

58
A tidy Example
    tidy:
      datatel.tidy_hold::
        $(datatel_hold_dirs)/
            pattern=*
            ignore=*.txt
            ignore=W2REPORT
            age=$(datatel_age_hold)

59
The processes Section
  • The process action is used to test for processes,
    signal processes, or restart processes
  • A regular expression is used to search output
    from the ps command to find the process to be
    acted on

60
A processes Example
    processes:
      modified_inetd_conf::
        "inetd" signal=hup
      no_snmp::
        # Stop SNMP daemon
        "snmpdx" signal=kill inform=true syslog=true

modified_inetd_conf is the feedback class set by DefineClasses in the editfiles section.
61
The shellcommands Section
  • Executes system commands or external scripts
  • Must specify the full path for security reasons
  • Can specify owner, group, umask, etc. of command

62
A shellcommands Example
    shellcommands:
      sunos_5_8|sunos_5_9::
        # Fix tape device permissions. Use a shell
        # command because the 'files' section doesn't work
        # very well with symbolic links.
        "/usr/bin/chmod 0770 /dev/rmt/*"
        "/usr/bin/chown root:sys /dev/rmt/*"

63
Some cfagent Runtime Options
64
cfagent Debugging Levels
65
Test, Test, Test
  • Modify actionsequence to test individual
    sections.
  • Use the -p and -n options
  • Run in verbose (-v) mode and save the output
  • Use the -d options when desperate

66
Production
  • Simplest approach uses cron to call a script that
    runs cfagent instead of using cfexecd
  • Use a source-code control system for cfagent.conf
    file.
  • Be sure you have a good backup.