Security Monitoring and Enforcement with Cfengine 3
The next example is Diego Zamboni's Cfengine bundle for editing the sshd configuration file and restarting sshd if any changes were made. It has two parts (to abstract the under-the-hood details). In the first part, the sysadmin edits the sshd array to set variables corresponding to the sshd configuration parameters. For example, to mandate Protocol 2 of SSH, set:
"sshd[Protocol]" string => "2";
If the parameter is commented out, Cfengine uncomments it and sets it to the desired value. If the parameter is absent, Cfengine adds it and sets it to the desired value. Additionally, if any changes were made to sshd_config, sshd restarts to activate the change.
Listing 5. use_edit_sshd.cf
bundle agent configfiles
{
  vars:
      "sshdconfig" string => "/etc/ssh/sshd_config";

      # SSHD configuration to set
      "sshd[Protocol]"      string => "2";
      "sshd[X11Forwarding]" string => "yes";
      "sshd[UseDNS]"        string => "no";

  methods:
      "sshd" usebundle => edit_sshd("$(sshdconfig)", "configfiles.sshd");
}
Listing 6. edit_sshd.cf
# Parameters are:
#   file: file to edit
#   params: an array indexed by parameter name, containing
#           the corresponding values. For example:
#             "sshd[Protocol]"      string => "2";
#             "sshd[X11Forwarding]" string => "yes";
#             "sshd[UseDNS]"        string => "no";
# Diego Zamboni, November 2010
bundle agent edit_sshd(file,params)
{
  files:
      "$(file)"
        handle    => "edit_sshd",
        comment   => "Set desired sshd_config parameters",
        edit_line => set_config_values("$(params)"),
        classes   => if_repaired("restart_sshd");
      # set_config_values is a bundle Diego wrote based on
      # set_variable_values from Cfengine_stdlib.cf.

  commands:
    restart_sshd.!no_restarts::
      "/etc/init.d/sshd restart"
        handle  => "sshd_restart",
        comment => "Restart sshd if the configuration file was modified";
}
bundle edit_line set_config_values(v)
# Sets the RHS of configuration items in the file of the form
#   LHS RHS
# If the line is commented out with #, it gets uncommented first.
# Adds a new line if none exists.
# The argument is an associative array containing v[LHS]="rhs"
# Based on set_variable_values from Cfengine_stdlib.cf, modified to
# use whitespace as separator, and to handle commented-out lines.
{
  vars:
      "index" slist => getindices("$(v)");
      # Be careful if the index string contains funny chars
      "cindex[$(index)]" string => canonify("$(index)");

  field_edits:
      # If the line is there, but commented out, first uncomment it
      "#+$(index)\s+.*"
        edit_field => col("\s+","1","$(index)","set");
      # match a line starting like the key something
      "$(index)\s+.*"
        edit_field => col("\s+","2","$($(v)[$(index)])","set"),
        classes    => if_ok("not_$(cindex[$(index)])");

  insert_lines:
      "$(index) $($(v)[$(index)])",
        ifvarclass => "!not_$(cindex[$(index)])";
}
For an example of changes made, run diff of sshd_config before and after Cfengine edited it to set Protocol, X11Forwarding and UseDNS:
# diff /etc/ssh/sshd_config /etc/ssh/sshd_config.cf-before-edit
14c14
< #Protocol 2,1
---
> Protocol 2
95,96c95,96
< #X11Forwarding no
< X11Forwarding no
---
> X11Forwarding yes
> X11Forwarding yes
109c109
< #UseDNS yes
---
> UseDNS no
#
You may notice X11Forwarding appears twice after the edit, because it was in the file twice before the edit, once commented and once uncommented. But this does not break things: having X11Forwarding yes twice is valid syntax, and the /usr/sbin/sshd -t syntax checker does not complain.
You also may notice that cf-agent saved a copy of the original file, just in case.
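As an added illustration (not part of the article or of Diego's gist), here is the uncomment/set/insert logic of set_config_values re-implemented in Python against a constructed sshd_config fragment. It reproduces the duplicate X11Forwarding outcome shown in the diff and the convergence property behind if_repaired: a second run changes nothing, so no restart would be triggered. The function name and the sample text are this example's own assumptions.

```python
import re

# Constructed sample (not a real system file) mirroring the cases in the diff:
# a commented-out Protocol, a key present twice (commented and active),
# and a commented-out UseDNS.
SAMPLE_SSHD_CONFIG = """\
Port 22
#Protocol 2,1
#X11Forwarding no
X11Forwarding no
#UseDNS yes
"""

# Same role as the configfiles.sshd array in Listing 5.
DESIRED = {"Protocol": "2", "X11Forwarding": "yes", "UseDNS": "no"}


def set_config_values(text, params):
    """Mimic the set_config_values edit_line bundle on a config text.

    For each key: lines matching '#+KEY\\s+.*' lose their leading '#'
    (field 1 set to KEY); every line matching 'KEY\\s+.*' gets field 2
    set to the value (other fields kept); if no line matched, 'KEY value'
    is appended. Returns (new_text, repaired), where repaired plays the
    role of the restart_sshd class raised by if_repaired.
    """
    lines = text.splitlines()
    for key, value in params.items():
        k = re.escape(key)
        found = False
        for i, line in enumerate(lines):
            # "#+$(index)\s+.*": commented-out line, uncomment it first
            if re.fullmatch(r"#+" + k + r"\s+.*", line):
                line = line.lstrip("#")
            # "$(index)\s+.*": set the second whitespace-separated column
            if re.fullmatch(k + r"\s+.*", line):
                fields = line.split()
                fields[1:2] = [value]      # set (or create) column 2
                line = " ".join(fields)
                found = True
            lines[i] = line
        if not found:
            # insert_lines: no line for this key existed, so add one
            lines.append(f"{key} {value}")
    new_text = "\n".join(lines) + "\n"
    return new_text, new_text != text
```

Every line carrying the key is rewritten, so duplicate lines always end up agreeing on the value, which is why the two X11Forwarding lines are harmless here.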
Download the source and follow the Recommended Reading on the Quick Start Guide site. Also, please visit us on the help-cfengine mailing list to share your ideas on automating security with Cfengine.
Resources
Cfengine Source Archive: www.cfengine.org/pages/source_code
Quick Start Guide: www.cfengine.org/pages/getting_started
“Automating Security with GNU Cfengine”, Kirk Bauer, February 5, 2004 (although based on Cfengine 2, the article gives an excellent overview of Cfengine's philosophy and power): www.linuxjournal.com/article/6848
Diego Zamboni's Cfengine Bundle for Editing the sshd Configuration File and Restarting sshd If Needed: https://gist.github.com/714948
Download the Cfengine Policies Used in This Article: www.verticalsysadmin.com/cfengine/LJ-May-2011
Aleksey Tsalolikhin has been a UNIX systems administrator for 13 years, including seven at EarthLink. Wrangling EarthLink's server farms by hand, he developed an abiding interest in automating server configuration management. Aleksey taught “Introduction to Automating System Administration with Cfengine 3” at Ohio Linux Fest 2010 and Southern California Linux Expo 2011 as an instructor from the League of Professional System Administrators.