Work in progress

ncharles · Mar 2, 2018 · a8b8244 · a8b8244
1 parent 12f0d90
commit a8b8244
Show file tree

Hide file tree

Showing 2 changed files with 106 additions and 2 deletions.
diff --git a/techniques/system/common/1.0/hooks.st b/techniques/system/common/1.0/hooks.st
@@ -0,0 +1,87 @@
+#####################################################################################
+# Copyright 2018 Normation SAS
+#####################################################################################
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, Version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+#####################################################################################
+
+
+# JSON looks like '{"parameters":{"name":"sudo","destination":"/etc/sudoers"},"reports":
+#[{"id":"32377fd7-02fd-43d0aab7-28460a91347b@@7aefa930-5493-4ec6-9d6b-f093b03ad709@@0","mode":"enforce", "technique":"sudoers", "name":"check_sudo_installed", "value":"None"},
+#  {"id":"92377fd7-02fd-43d0-aab7-28460a91347b@@7aefa930-5493-4ec6-9d6b-f093b03ad709@@0","mode":"audit", "technique":"sudoers", "name":"check_sudo_installed", "value":"None"}
+#  ]}';
+
+
+bundle agent runhook_package(json) {
+  vars:
+      "definitions" data => parsejson("${json}");
+
+      "parameters"  data => mergedata("definitions[parameters]");
+
+      "reporting"   data => mergedata("definitions[reports]");
+
+      "reportkeys" slist => getindices("reporting");
+
+
+      "condition" string => "${parameters[condition]}";
+
+    pass1.is_enforce::
+      "set_dry_mode" string => "false";
+      "not_applicable" string => "result_na";
+    pass1.!is_enforce::
+      "set_dry_mode" string => "true";
+      "not_applicable" string => "audit_na";
+
+    pass1.is_condition_defined::
+      "class_condition" string => "${conditions}";
+
+    pass1.!is_condition_defined::
+      "class_condition" string => "any";
+
+
+  classes:
+      "is_condition_defined"         not => strcmp("${conditions}", "");
+
+      # define if there is at least one enforce
+      "is_enforce"            expression => strcmp("${reporting[${reportkeys}][mode]}", "enforce");
+
+       # For reporting, detect each enforce/audit
+       "is_enforce_${reportkeys}" expression => strcmp("${reporting[${reportkeys}][mode]}", "enforce");
+
+
+    any::
+      "pass2" expression => "pass1";
+      "pass1" expression => "any";
+
+
+  mathods:
+    pass2::
+      # how can we ensure that it is run?
+      "configure_dry_run_mode_${reporting[0][id]}"   usebundle => set_dry_run_mode("${set_dry_mode}");
+      "clean_reporting_context_${reporting[0][id]}"  usebundle => clean_reporting_context;
+
+      "install_package" usebundle => package_present("${parameters[name]}", "", "", ""),
+        ifvarclass => "${class_condition}";
+
+      "reporting"       usebundle => _rudder_common_reports_generic("${reporting[${reportkeys}][technique]}", "package_present_${parameters[name]}", "${reporting[${reportkeys}][id]}", "${reporting[${reportkeys}][name]}", "${reporting[${reportkeys}][value]}", "Installing package ${parameters[name]}"),
+        ifvarclass => "${class_condition}";
+
+      "na_report"       usebundle => _rudder_common_report("${reporting[${reportkeys}][technique]}", "${not_applicable}", "${reporting[${reportkeys}][id]}", "${reporting[${reportkeys}][name]}", "${reporting[${reportkeys}][value]}", "Installing package ${parameters[name]}"),
+        ifvarclass => "!${class_condition}";
+
+  reports:
+    inform::
+      "Executing hook runhook_package to install package ${parameters[name]} - Audit mode: ${set_dry_mode} - Condition is {class_condition}";
+
+}
diff --git a/techniques/systemSettings/userManagement/sudoParameters/3.2/metadata.xml b/techniques/systemSettings/userManagement/sudoParameters/3.2/metadata.xml
@@ -19,6 +19,8 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
   It will ensure that the defined rights for given users and groups are correctly defined.</DESCRIPTION>
   <MULTIINSTANCE>true</MULTIINSTANCE>
+  <POLICYGENERATION>separated</POLICYGENERATION>
+
   <COMPATIBLE>
     <OS version=">= 4 (Etch)">Debian</OS>
     <OS version=">= 4 (Nahant)">RHEL / CentOS</OS>
@@ -27,7 +29,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
   </COMPATIBLE>
 
   <BUNDLES>
-    <NAME>check_sudo_parameters</NAME>
+    <NAME>check_sudo_parameters_RudderUniqueID</NAME>
   </BUNDLES>
 
   <TMLS>
@@ -38,9 +40,24 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
     <SAMESIZEAS>SUDO_NAME</SAMESIZEAS>
   </TRACKINGVARIABLE>
 
+  <RUNHOOKS>
+    <PRE bundle="runhook_package">
+      <REPORT name="Install sudo"/>
+      <PARAMETER name="name" value="sudo"/>
+    </PRE>
+    <POST name="condition_from_command" condition="sudoparameters_sudoers_tmp_file_ok">
+      <PARAMETER name="command" value="/usr/sbin/visudo /usr/sbin/visudo"/>
+      <PARAMETER name="prefix" value="sudoconfiguration_sudoers_valid"/>
+    </POST>
+    <POST name="copy" condition="sudoconfiguration_sudoers_valid">
+      <PARAMETER name="source" value="/etc/sudoers.rudder"/>
+      <PARAMETER name="destination" value="/etc/sudoers"/>
+    </POST>
+  </RUNHOOKS>
+
   <SECTIONS>
 
-    <SECTION name="Install" component="true" />
+    <SECTION name="Install sudo" component="true" />
     <SECTION name="sudoersFile" component="true" />
 
     <!-- permissions Section , index 1-->