Setting up a RedHat FTP server

Relevant classes: Red Hat Linux (6.1)

Configuring a service like anonymous FTP requires a certain amount of vigilance. It is a good idea to automate it and let cfengine make sure that things don't go astray. Note that we constantly ensure that the ls program used by the anonymous ftp server is a trusted program by comparing its MD5 checksum with that of the system's /bin/ls, which we treat as the trusted version (so the check is only as good as the trust we place in /bin/ls itself). If the copy in the ftp tree should for some reason be replaced with a Trojan horse, cfengine would notice the mismatched checksum, move the bad program to ls.cf-saved and immediately replace it with the correct version, without waiting for the administrator to act. The inform and syslog options ask for an explicit warning to be issued about this copy. Here is a complete anonymous ftp setup and maintenance program for Red Hat Linux hosts.

control:

   actionsequence = ( directories copy editfiles files )

   # Define variables

   ftp = ( /usr/local/ftp )

   uid = ( 14 )  # ftp user, these values already in passwd
   gid = ( 50 )  # ftp group

directories:

   $(ftp)/pub      mode=644 owner=root group=root
   $(ftp)/etc      mode=111 owner=root group=root
   $(ftp)/usr      mode=555 owner=root group=root
   $(ftp)/lib      mode=555 owner=root group=root

files:

   $(ftp)/etc/passwd mode=644 o=root    action=fixplain
   $(ftp)/etc/shadow mode=400 o=root    action=fixplain
   $(ftp)/pub        mode=644 owner=ftp action=fixall  recurse=inf

copy:

      # Make sure ls is a trusted program by copying it from
      # a secure location, and re-copy it whenever its checksum differs

   /bin/ls dest=$(ftp)/bin/ls
           mode=111
           owner=root
           type=checksum
           inform=true
           syslog=true

   /etc/ld.so.cache dest=$(ftp)/etc/ld.so.cache mode=444 o=root

   /lib            dest=$(ftp)/lib r=1
                   mode=444 
                   owner=root
                   backup=false
                   include=libc*
                   include=libnsl*
                   include=libnss_files*

   /lib            dest=$(ftp)/lib r=1      
                   mode=555
                   owner=root
                   backup=false
                   include=ld-*

##############################################################################

editfiles:

  { $(ftp)/etc/passwd

  AutoCreate
  EmptyEntireFilePlease
  AppendIfNoSuchLine "ftp:x:$(uid):$(gid):Anonymous FTP:$(ftp):/bin/sync"
  }

  { $(ftp)/etc/group

  AutoCreate
  EmptyEntireFilePlease
  AppendIfNoSuchLine "ftp::$(gid):"
  }

  {  $(ftp)/etc/shadow

  AutoCreate
  EmptyEntireFilePlease
  AppendIfNoSuchLine "ftp:NP:6445::::::"
  }

  # Finally, add the ftp user and group to the real passwd and group
  # files so that chown (and the files: section above) can resolve
  # the name "ftp"; editfiles runs before files in the actionsequence

  { /etc/passwd

  ReplaceAll "/home/ftp" With "$(ftp)"
  AppendIfNoSuchLine "ftp:x:$(uid):$(gid):Anonymous FTP:$(ftp):/bin/sync"
  }

  { /etc/group

  AppendIfNoSuchLine "ftp::$(gid):"
  }
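The two checks that the copy: section relies on, written out as POSIX shell so they can be run by hand on a Red Hat host. This is an added example, not cfengine's own code: checksum_copy reproduces what "copy ... type=checksum" does for $(ftp)/bin/ls (compare MD5 digests, move the suspect file aside, reinstall the trusted copy, warn on stderr and syslog), and missing_chroot_libs confirms that the include= globs in the /lib copies actually gave the chroot ls every shared object it needs. The backup suffix ".cf-saved" follows the page's description; md5sum(1) or openssl(1) for the digest and logger(1) for syslog are our assumptions, as is the scratch-file self-check at the bottom, which uses constructed files rather than a real ls.

```shell
#!/bin/sh
# Added example, not cfengine's code. Assumes md5sum(1) or openssl(1),
# logger(1) for syslog, and the ".cf-saved" backup suffix described on the page.

# md5_of FILE: print the MD5 hex digest of FILE.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'   # hosts without md5sum
    fi
}

# checksum_copy TRUSTED DEST MODE
# Compare DEST against TRUSTED by MD5. If they differ, or DEST is missing, move the
# suspect file aside as DEST.cf-saved, reinstall TRUSTED with MODE, owned by root,
# and warn on stderr (inform=true) and syslog (syslog=true).
# Prints "unchanged" or "replaced" so callers can act on the result.
# Real use, as root:  checksum_copy /bin/ls /usr/local/ftp/bin/ls 111
checksum_copy() {
    trusted=$1 dest=$2 mode=$3
    if [ ! -r "$trusted" ]; then
        echo "checksum_copy: trusted source $trusted is unreadable" >&2
        return 2
    fi
    want=$(md5_of "$trusted")
    # A mode 111 destination is only readable by root, which is who runs this.
    if [ -f "$dest" ] && [ "$(md5_of "$dest")" = "$want" ]; then
        echo unchanged
        return 0
    fi
    if [ -f "$dest" ]; then
        mv -f "$dest" "$dest.cf-saved"
        msg="WARNING: $dest did not match $trusted (md5 $want); saved as $dest.cf-saved"
        echo "$msg" >&2                                    # inform=true
        logger -t checksum_copy "$msg" 2>/dev/null || true # syslog=true; logger may be absent
    fi
    cp "$trusted" "$dest"
    chmod "$mode" "$dest"
    chown root "$dest" 2>/dev/null || true   # owner=root; needs root, harmless otherwise
    echo replaced
}

# missing_chroot_libs CHROOT   (reads the output of `ldd BINARY` on stdin)
# Print each shared object path the binary needs that does not exist under CHROOT.
# Real use:  ldd /bin/ls | missing_chroot_libs /usr/local/ftp
missing_chroot_libs() {
    chroot=$1
    while read -r line; do
        case $line in
            *'=> '*) path=${line#*'=> '}; path=${path%%' ('*} ;;  # "libc.so.6 => /lib/libc.so.6 (0x...)"
            /*)      path=${line%%' ('*} ;;                       # "/lib/ld-linux.so.2 (0x...)"
            *)       continue ;;                                  # "statically linked" and similar
        esac
        [ -n "$path" ] || continue             # vDSO lines such as "linux-gate.so.1 =>  (0x...)"
        [ -e "$chroot$path" ] || echo "$path"
    done
}

# Self-check on constructed files in a scratch directory (no root needed):
# the first call replaces the "trojan" copy, the second finds nothing to do.
scratch=$(mktemp -d)
printf 'trusted ls\n' > "$scratch/ls.trusted"
printf 'trojan ls\n'  > "$scratch/ls"              # constructed bad copy
checksum_copy "$scratch/ls.trusted" "$scratch/ls" 555   # replaced
checksum_copy "$scratch/ls.trusted" "$scratch/ls" 555   # unchanged
rm -rf "$scratch"
```

Run missing_chroot_libs on the real binary after the copies have been made; any path it prints is a library that the include= globs did not cover and that ls in the chroot will fail to load.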