Re: Using editfiles for TCP wrappers in inetd.conf

[Chip Seraphine]

Ferguson, Steve wrote:
> I'm trying to define a convergent policy with cfengine to replace field 6 in
> inetd.conf with /path/to/tcpd for all tcp-based services.  I'm curious to
> see how others are approaching (or would approach) this without resorting to
> an external script to make the edits.

Well, editfiles is great at adding/removing lines, but it is not strong 
at doing conditional editing within a line.

I ended up doing something like this:


use_inetd::
  { /etc/inetd.conf
    SetCommentStart "#"
    PrependIfNoSuchLine "## $(notice_edit)"

    #Ixnay on the cp6tay.  Delete all uncommented v6 lines so we don't
    #have to worry about them in later pattern matches.
    DeleteLinesMatching "^[^\#]+$(s)(ud|tc)p6$(s).*$"

    #Hostinfo is a local service that goes on all inetd.conf hosts
    BeginGroupIfDefined "hostinfo_ok"
      SetLine "hostinfo stream tcp   nowait  root     /opt/bin/hostinfo 
hostinfo"
      AppendIfNoLineMatching "^.*hostinfo$(w)hostinfo$(s)*$"
      UnCommentLinesMatching "^.*hostinfo$(w)hostinfo$(s)*$"
    EndGroup
    BeginGroupIfNotDefined "hostinfo_ok"
      CommentLinesMatching "^.*hostinfo$(w)hostinfo$(s).*$"
    EndGroup

    BeginGroupIfDefined "comsat_ok"
      SetLine "comsat dgram   udp     wait    root    /usr/sbin/tcpd 
in.comsat"
      AppendIfNoLineMatching "^[\#[:space:]]*comsat$(w)in.comsat$(s)*$"
      UnCommentLinesMatching "^[\#[:space:]]*comsat$(w)in.comsat$(s)*$"
    EndGroup


... ad nauseum for all the servies of interest.  It was tedious as hell 
to set up the first time, but now I can just define groups like:

finger_ok = ( host1 host2 @lab2_netgroup -lab2_masterhost )

...and turn services on and off everywhere.

At the end of the block I define a class called "hup_inetd", which 
triggers an action in the processes: section that hup's inetd (logically 
enough :-)