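#
#
#
# Permission body: sets owner, group and mode on a promised file.
# rxdirs is "false", so directories do not get execute bits added
# automatically when read bits are set.
body perms uperm(user,group,mode)
{
  mode   => "$(mode)";
  rxdirs => "false";
  groups => { "$(group)" };
  owners => { "$(user)" };
}

#
# wmdelib.cf
#

# Ensure the packages in the list `pkgs` are present, using the package
# module for the platform class that matches. `name` is used for the promise
# handle ("<name>_pkgs_installed") and as the prefix for result classes.
bundle agent wmde_install_packages(pkgs,name)
{
  packages:
    freebsd::
      "$(pkgs)"
        policy         => "present",
        package_module => pkg,
        handle         => "$(name)_pkgs_installed",
        classes        => results("namespace","$(name)");

    debian::
      "$(pkgs)"
        policy         => "present",
        package_module => apt_get,
        handle         => "$(name)_pkgs_installed",
        classes        => results("namespace","$(name)");

    fedora|centos::
      "$(pkgs)"
        policy         => "present",
        package_module => yum,
        handle         => "$(name)_pkgs_installed",
        classes        => results("namespace","$(name)");
}

# Same attributes as uperm; only the attribute order differs.
body perms wmde_perms(user,group,mode)
{
  owners => { "$(user)" };
  groups => { "$(group)" };
  mode   => "$(mode)";
  rxdirs => "false";
}

# Service bundle used by the `wmde` service_method body below.
# `cmd` is the requested service policy ("start" or "restart").
#
# NOTE(review): $(service_name) is spliced into `sh -c '...'` strings and into
# the class names echoed back on the module protocol. A value containing a
# quote or shell metacharacters would change the command that runs, so callers
# should pass plain service identifiers only.
bundle agent wmde_srv(service_name,cmd)
{
  classes:
      "start"   expression => strcmp("start","$(cmd)");
      # Compare against the expanded parameter. The original passed the bare
      # word `cmd`, which is not a reference to the bundle parameter, so the
      # restart branch below could not be selected.
      "restart" expression => strcmp("restart","$(cmd)");

  commands:
    freebsd::
      # Probe the service. With module => "true" the echoed "+class" line
      # defines <service_name>_running and "-class" undefines it.
      "/bin/sh"
        args   => "-c '/usr/sbin/service $(service_name) onestatus > /dev/null && echo +$(service_name)_running || echo -$(service_name)_running'",
        inform => "false",
        module => "true",
        handle => "$(service_name)_status_tested";

    # This guard replaces the freebsd:: guard above, so the platform is not
    # re-checked here; the command path is the FreeBSD service(8) wrapper.
    "!$(service_name)_running&start"::
      "/bin/sh"
        args       => "-c '/usr/sbin/service $(service_name) onestart 2> /dev/null > /dev/null && echo +$(service_name)_started || echo -$(service_name)_started'",
        module     => "true",
        depends_on => {"$(service_name)_status_tested"};

    # NOTE(review): restart is issued only when the service is NOT running;
    # a running service is left alone. Confirm that is the intent.
    "!$(service_name)_running&restart"::
      "/bin/sh"
        args       => "-c '/usr/sbin/service $(service_name) onerestart 2> /dev/null > /dev/null && echo +$(service_name)_started || echo -$(service_name)_started'",
        module     => "true",
        depends_on => {"$(service_name)_status_tested"};

  reports:
    start::
#      "MUST START";
    !start::
#      "MUST NOT START";
#    running::
#      "Server $(service_name) - running";
#    !running::
#      "Server $(service_name) - not running";
}

# Service method that routes `services:` promises to wmde_srv, passing the
# promiser as the service name and the service_policy as the command.
body service_method wmde
{
  service_type   => "generic";
  service_bundle => wmde_srv ($(this.promiser), $(this.service_policy));
}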
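# FreeBSD only: write /etc/rc.conf.d/<cfg_name> containing "<cfg_name>_enable=YES",
# where <cfg_name> is the variable service_cfg_name of the bundle named by
# `bundlename`. The file content is replaced as a whole.
bundle agent wmde_enable_service(bundlename)
{
  vars:
    freebsd::
#      "cha" string => "$(bundlename).service_cfg_name";
      "filename" string => "/etc/rc.conf.d/$($(bundlename).service_cfg_name)";

  files:
    freebsd::
      "$(filename)"
        create  => "true",
        perms   => m("644"),
        content => "$($(bundlename).service_cfg_name)_enable=YES";

  reports:
#      "FREEBSD: $(filename) $(cha)";
}

# Start or restart a service when the class expressions start_cond /
# restart_cond hold. FreeBSD goes through /usr/sbin/service directly; every
# other platform uses a services: promise.
#
# NOTE(review): the handles below expand $(handle), which is not a parameter
# of this bundle and is not defined in it. Unless it resolves from somewhere
# not visible here, every caller gets the same unexpanded handle text;
# presumably $(service_name) was meant. Confirm before relying on these
# handles in depends_on.
#
# NOTE(review): $(service_name) reaches a shell (useshell) and start_cond /
# restart_cond are expanded inside class guards; pass plain identifiers and
# class expressions only.
bundle agent wmde_service(service_name,start_cond, restart_cond)
{
  classes:
    freebsd::
      "service_running" expression => returnszero("/usr/sbin/service $(service_name) onestatus >/dev/null 2>&1", "useshell");

  commands:
    "freebsd&(!service_running)&($(start_cond))"::
      "/usr/sbin/service"
        args    => "$(service_name) onestart >/dev/null 2>&1",
        contain => wmde_cmd_useshell,
        handle  => "$(handle)_service_started";

    # Already running: run a no-op so the "started" handle still exists.
    "freebsd&(service_running)&($(start_cond))"::
      "/usr/bin/true"
        inform => "false",
        handle => "$(handle)_service_started";

    "freebsd&($(restart_cond))"::
      "/usr/sbin/service"
        args    => "$(service_name) onerestart >/dev/null 2>&1",
        contain => wmde_cmd_useshell,
        handle  => "$(handle)_service_restarted";

  services:
    "(!freebsd)&($(start_cond))"::
      "$(service_name)"
        service_policy => "start",
        handle         => "$(handle)_service_started";

    "(!freebsd)&($(restart_cond))"::
      "$(service_name)"
        service_policy => "restart",
        handle         => "$(handle)_service_restarted";

  reports:
}

# Restart a service through systemctl (debian/centos/fedora) or service(8)
# (freebsd). `id` is only echoed to /dev/null; it makes the command string
# differ per caller.
#
# NOTE(review): both `id` and `service_name` are placed inside a single-quoted
# `sh -c` argument, so a value containing a single quote would end the quoting.
# Keep both to plain identifiers.
bundle agent wmde_restart_service(service_name, id)
{
  commands:
    debian|centos|fedora::
      "/bin/sh -c "
        args => "'/bin/echo $(id) > /dev/null && /usr/bin/systemctl restart $(service_name)'";

    freebsd::
      "/bin/sh -c "
        args => "'/bin/echo $(id) > /dev/null && /usr/sbin/service $(service_name) onerestart'";
}

# Run the promised command through a shell. Anything expanded into the
# command line is then subject to shell parsing.
body contain wmde_cmd_useshell
{
  useshell => "useshell";
}

# Copy a tarball from the policy hub to sync_dst and unpack it into
# install_dir. Unpacking happens when test_file is missing or when the copy
# was repaired.
#
# NOTE(review): tar runs with the agent's privileges and no restriction on
# member paths, so the archive is trusted as far as the policy hub copy is
# trusted. There is no checksum or signature check in this bundle.
bundle agent download_and_untar( name, sync_src, sync_dst, install_dir, test_file )
{
  classes:
      "$(name)_untar" expression => not(fileexists("$(test_file)"));

  files:
      "$(sync_dst)"
        copy_from => sync_cp("$(sync_src)","$(sys.policy_hub)"),
        handle    => "$(name)_tgz_copied",
        classes   => if_repaired ("$(name)_untar"),
        # Quoted for consistency with the other m("644") uses in this file.
        perms     => m("644");

  commands:
    "$(name)_untar"::
      "/usr/bin/tar"
        args       => "xzvf $(sync_dst) -C $(install_dir)",
        depends_on => {"$(name)_tgz_copied"},
        handle     => "$(name)_untarred";

  reports:
#      "TESTFILE: $(test_file)";
}

# Debian/Ubuntu: when /etc/apt/sources.list.d/<name>.list is absent, install
# the helper packages and run install-php-repo.sh with the repository and key
# parameters.
#
# NOTE(review): how the script fetches and verifies key_src is not visible
# here; the trust placed in the new repository depends on it. Confirm that
# the key is pinned (fingerprint or a signed-by keyring) inside the script.
bundle agent install_apt_repo(name,repo_src,key_src,key_name)
{
  classes:
    debian|ubuntu::
      "do_install" expression => not(fileexists("/etc/apt/sources.list.d/$(name).list"));

  vars:
    do_install::
      "pkgs" slist => { "curl", "ca-certificates", "lsb-release" };
      "add_repo_cmd" string => "/usr/bin/add-apt-repository";

  methods:
    do_install::
      "any" usebundle => install_wget;
      "any" usebundle => wmde_install_packages(@(pkgs),"apt_repo");

  commands:
    do_install::
      "/bin/sh"
        args       => "$(sys.workdir)/inputs/$(def.wmde_libdir)/scripts/install-php-repo.sh $(name) $(repo_src) $(key_src) $(key_name)",
        depends_on => { "wget_pkgs_installed", "apt_repo_pkgs_installed" };
}

# Install a fixed set of network diagnostic packages on debian/fedora/centos.
#
# NOTE(review): telnet, tcpdump and nmap on every managed server widen what
# is available to anyone who gains a shell on the host. Consider limiting
# this bundle to hosts that need the tools, via a class.
bundle agent install_server_tools
{
  vars:
    debian|fedora|centos::
      "pkgs" slist => { "net-tools", "telnet", "tcpdump", "nmap" };

  methods:
    debian|fedora|centos::
      "any" usebundle => wmde_install_packages(@(pkgs),"server_tools");
}

# CentOS: install epel-release when it is missing, enable the powertools
# (CentOS 8) or crb (major version greater than 8) repository, and set the
# system crypto policy.
bundle agent install_system_repos
{
  classes:
    centos::
      "centos_9_and_later" expression => isgreaterthan("$(sys.os_version_major)", "8") ;

  commands:

  vars:
#    centos::
#      "pkgs" slist => {
#        "epel-release"
#      };
#    !centos::
#      "pkgs" slist => {},
#      handle => "system_repos_pkgs_installed";

  commands:
    centos::
      # NOTE(review): the package is installed straight from a URL. Its
      # integrity rests on TLS to that host unless signature checking for
      # local/URL packages (localpkg_gpgcheck) is enabled on the node.
      "/usr/bin/yum"
        args   => "install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(sys.os_version_major).noarch.rpm",
        if     => not(returnszero("rpm -q epel-release > /dev/null","useshell")),
        handle => "system_repos_pkgs_installed";

    centos_8::
      "/usr/bin/dnf"
        inform => "false",
        args   => "config-manager --set-enabled powertools";

    centos_9_and_later::
      "/usr/bin/dnf"
        inform => "false",
        args   => "config-manager --set-enabled crb";

      # NOTE(review): LEGACY relaxes the system-wide crypto policy for every
      # component that honours crypto-policies, not just one client. The
      # promise has no guard, so it is re-applied on each agent run and would
      # revert a stricter policy set by other means. The reason is not
      # visible here; confirm it, and prefer the narrowest policy or
      # sub-policy that satisfies the requirement.
      "/usr/bin/update-crypto-policies"
        inform  => "false",
        contain => wmde_cmd_useshell,
        args    => "--set LEGACY > /dev/null";

  methods:
#      "any" usebundle => wmde_install_packages(@(pkgs),"system_repos");

  reports:
}

# Fetch `src` to `dst`, either by copying from the policy hub
# (method "policyhub") or with wget (method "wget"), then apply permissions.
# `prms_arg` is a JSON object merged over the defaults: mode 600, owner and
# group taken from sys.user_data.
# `cls` prefixes the result classes and the "<cls>_downloaded" handle.
#
# NOTE(review): the wget path performs no checksum or signature check; the
# content is trusted as far as the transport for `src` is trusted. wget
# creates the file before the perms promise at the end runs, so the file
# briefly has whatever mode the agent's umask gives it.
bundle agent download_file(method,src,dst,cls,prms_arg)
{
  vars:
      "prms_default" data => '{ "m":"600", "o":"$(sys.user_data[uid])", "g":"$(sys.user_data[gid])" }';
      "prms" data => mergedata(@(prms_default),parsejson($(prms_arg)));

  classes:
      # Defines a class named after the requested method.
      "$(method)";
    wget::
      "run_wget" expression => not(fileexists($(dst)));

  files:
    policyhub::
      "$(dst)"
        copy_from => remote_dcp("$(src)","$(sys.policy_hub)"),
        classes   => if_repaired("$(cls)_repaired"),
        perms     => mog ("$(prms[m])","$(prms[o])","$(prms[g])");

  methods:
    wget::
      "any" usebundle => "install_wget"; #, handle=>"wget_installed";

  commands:
    run_wget::
      # The command runs through a shell, so dst and src are single-quoted:
      # an unquoted URL containing '&' or ';' would otherwise be split into
      # separate shell commands. Values containing a single quote are still
      # not safe to pass.
      # NOTE(review): depends_on names the handle "wget_installed", which is
      # not set in this bundle (the handle on the methods promise above is
      # commented out); presumably install_wget defines it. Confirm.
      "$(wget.exe)"
        args       => "-q -O '$(dst)' '$(src)' || (rm -f '$(dst)' && /usr/bin/false) ",
        contain    => wmde_cmd_useshell,
        handle     => "$(cls)_downloaded",
        classes    => results("namespace","$(cls)"),
        depends_on => {"wget_installed"},
        inform     => "true";

      "/usr/bin/true"
        inform     => "false",
        depends_on => {"$(cls)_downloaded"},
        classes    => if_repaired("$(cls)_kept");

    (!run_wget)&(wget)::
      "/usr/bin/true"
        inform  => "false",
        classes => if_repaired("$(cls)_kept");

  files:
      "$(dst)"
        perms      => mog ("$(prms[m])","$(prms[o])","$(prms[g])"),
        depends_on => {"$(cls)_downloaded"};

  reports:
}

# fstab line for a bind mount. Only freebsd (nullfs) and centos (bind) are
# covered; on other platforms no line is inserted.
bundle edit_line bind_mount(src,dst)
{
  insert_lines:
    freebsd::
      "$(src) $(dst) nullfs rw,late 0 0";
    centos::
      "$(src) $(dst) none defaults,bind 0 0";
}

# Add the bind mount to /etc/fstab and run `mount -a` when the file changed.
#
# NOTE(review): src and dst are expanded inside a shell command (the echo
# only makes the promiser differ per mount). A value containing a single
# quote would end the quoting, so pass plain paths only.
bundle agent bind_mount(src,dst)
{
  files:
      "/etc/fstab"
        edit_line => bind_mount("$(src)","$(dst)"),
        classes   => if_repaired(bind_mount_fstab_changed);

  commands:
    bind_mount_fstab_changed::
      "echo '$(src)$(dst)' > /dev/null && mount"
        contain => wmde_cmd_useshell,
        args    => "-a";
}

# Set entries in /etc/hosts from the array `hosts`: each index becomes the
# key and its element the value handed to set_config_values.
bundle agent etc_hosts(hosts)
{
  vars:
      "idx" slist => getindices(@(hosts));
      "settings[$(idx)]" string => "$(hosts[$(idx)])";

  files:
      "/etc/hosts"
        create    => "true",
        perms     => m("644"),
        edit_line => set_config_values("$(this.bundle).settings"),
        classes   => results("namespace","etc_hosts");
}

# Ensure the cron.d directory exists: /etc/cron.d by default,
# /usr/local/etc/cron.d on FreeBSD.
bundle agent cron
{
  vars:
      "cron_d" string => "/etc/cron.d";
    freebsd::
      "cron_d" string => "/usr/local/etc/cron.d";

  files:
      "$(cron_d)/."
        create => "true",
        handle => "cron_d_created";
}

# Write a cron.d file <cron_d>/<name> holding one job line "<time> <command>".
#
# NOTE(review): no perms promise is attached, so owner and mode are whatever
# the file gets on creation; consider pinning them, since cron implementations
# commonly ignore or mistrust cron.d files with loose permissions. `name` is
# used as a path component and `command` is executed by cron, so both should
# come only from reviewed policy.
bundle agent create_cron_job(name,time,command)
{
  methods:
      "any" usebundle => cron;

  files:
      # Multi-line content: the header comment lines and the job line each
      # sit on their own line, otherwise cron would read the job as part of
      # the comment.
      "$(cron.cron_d)/$(name)"
        create     => "true",
        content    => "#
# Managed by CFEngin
#
$(time) $(command)
",
        depends_on => {"cron_d_created"};
}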