###################################################################### # update.conf with GnuPG verified signed config files. # # This update.conf will download signed config files and verify # their authenticity before replacing existing config files. # # The signature on cfagent.conf is verified, and if it fails a new # copy is downloaded from the central server. # # Feel free to use any download method. I use wget over http, but scp, # rsync, ftp, tftp, cfengine file distribution, carrier pigeon, or # other preferred method of file transfer is acceptable. # # Prerequisites: # # wget, GnuPG # # Create a GnuPG key for the administrator to sign the config # files with. A copy of the administrator public key must be # imported into a new keyring called /etc/cfkey for gpgv to # work properly. # # The secret key should be kept secured for signing configs # on the central host (GoldServer). # # This was tested on Gentoo Linux, so please check your paths, # and add a class for your OS. # # - Russell Adams control: Access = ( root ) sysadm = ( me@mydomain.com ) smtpserver = ( mail.mydomain.com ) AddInstallable = ( ConfigOk ConfigGood ConfigBad RecentlyDownloadedConfig ForceUpdate ) actionsequence = ( directories files shellcommands.ValidationPhase disable shellcommands.UpdatePhase copy tidy ) workdir = ( /var/cfengine ) Split = ( ";" ) # wget should get recursively, but not get parents dirs or create dirs. # accept only .conf* files, and log it all to a logfile (very noisy) WgetOptions = ( "-Y off -np -nd -r -A .conf,.asc -o /tmp/cf-wget.log" ) AdminKeyRing = ( "--keyring /etc/cfkey" ) GoldServer = ( "http://www.mydomain.com/cfengine/" ) SplayTime = ( 2 ) IfElapsed = ( 5 ) files: /etc/cfkey mode=0400 owner=root group=root action=fixall directories: $(workdir)/inputs/cache mode=700 owner=root group=root shellcommands: # Check cfagent.conf exists and is authentic or force an update. ValidationPhase:: "/usr/bin/gpgv $(AdminKeyRing) \ $(workdir)/inputs/cfagent.conf.asc" timeout=120 preview=true define=ConfigOk elsedefine=ConfigBad ifelapsed=0 # Change this timeperiod to suit your tastes. (Q1|ForceUpdate|ConfigBad).UpdatePhase:: # Copy configs from master server to temporary location "/usr/bin/wget $(WgetOptions) $(GoldServer)" timeout=120 chdir=/var/cfengine/inputs/cache preview=false define=RecentlyDownloadedConfig ifelapsed=0 disable: # If cfagent.conf isn't authentic, disable it in case the download # fails. ConfigBad.!ConfigGood:: $(workdir)/inputs/cfagent.conf syslog=true inform=true define=ForceUpdate $(workdir)/inputs/cfagent.conf.asc syslog=true inform=true define=ForceUpdate filters: # Filter files that have good signatures { SigOk Type: "reg" ExecProgram: "/usr/bin/gpgv $(AdminKeyRing) $(this).asc" Result: "Type.Exec" } # Filter valid signatures { AscOk Type: "reg" ExecProgram: "/usr/bin/gpgv $(AdminKeyRing) $(this)" Result: "Type.Exec" } copy: # Copy new config files with valid signatures into WORKDIR RecentlyDownloadedConfig:: $(workdir)/inputs/cache/ dest=$(workdir)/inputs/ include=*.conf exclude=*index* recurse=inf backup=false filter=SigOk mode=600 owner=root group=root type=sum define=ConfigGood syslog=true info=true # Copy signatures to WORKDIR too for future validation $(workdir)/inputs/./cache/ dest=$(workdir)/inputs/ include=*.conf.asc exclude=*index* recurse=inf backup=false filter=AscOk mode=600 owner=root group=root type=sum define=ConfigGood syslog=true info=true tidy: # Good idea from example update.conf $(workdir)/outputs pattern=* age=7 inform=false syslog=false # Purge downloaded files $(workdir)/inputs/cache pattern=* age=0 inform=false syslog=false