Home

Paolo Predonzani edited this page Dec 27, 2017 · 3 revisions

Tstconfig: automatic configuration testing for fun and security

Tstconfig is a system administration tool that tests (a large number of) configuration files automatically. It is distributed under an MIT open source license and hosted on GitHub.

The usage scenario is the following. Suppose you need to install a new LAMP system. You have to install certain packages and modules, set up a firewall, harden security, configure Apache, configure MySQL, configure Php, etc. If you've done it before, you know that you have to tweak maybe 100 properties in some 20 configuration files.

That's a lot of work to do. When touching so many files, steps are easily forgotten and errors are easily introduced. This is where Tstconfig comes in handy. It tests the configuration files for you, so you can be sure of the system's integrity. Tstconfig looks at the configurations, checks that certain properties have the value that you want them to have, and reports any discrepancies.

How it works

Tstconfig is launched from a Linux shell and takes a definition file as its argument:

$ tstconfig examples/sshd.tstconfig

In this case the definition file is examples/sshd.tstconfig which is included in the distribution. Let's have a closer look at it.

######################################################
# sshd.tstconfig: test sshd configuration
######################################################

# The location of the configuration file
file /etc/ssh/sshd_config

# The syntax for parsing
parse_mode tokenized
hash_comment_allowed true

# Check that root cannot login via ssh
property PermitRootLogin
assert_eq no

# Check that only certain users can login via ssh
property AllowUsers
assert_eq your_user_name

The first time you run the tests, Tstconfig will probably produce the following report:

$ tstconfig examples/sshd.tstconfig
Tstconfig 0.2

Reading definition file: examples/sshd.tstconfig
ASSERTION FAILED
 File:      /etc/ssh/sshd_config
 Property:  PermitRootLogin
 Value:     yes
 Assertion: assert_eq no

ASSERTION FAILED
 File:      /etc/ssh/sshd_config
 Property:  AllowUsers
 Value:     <undefined>
 Assertion: assert_eq your_user_name


SUMMARY REPORT: FAIL
Assertions tested: 2
Assertions passed: 0
Assertions failed: 2
Errors: 0

From the report, you find out that all the tests failed. This may mean one of two things:

  • Sshd is indeed not configured correctly. In this case you need to fix /etc/ssh/sshd_config.
  • The definition file examples/sshd.tstconfig is incorrect and needs to be customised.

Apply the changes that you think are more appropriate for your situation, then re-run Tstconfig. This time it should output a success report:

$ tstconfig examples/sshd.tstconfig
Tstconfig 0.2

Reading definition file: examples/sshd.tstconfig

SUMMARY REPORT: PASS
Assertions tested: 2
Assertions passed: 2
Assertions failed: 0
Errors: 0
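To make the definition-file semantics concrete, here is an added example (not Tstconfig's own code) that re-implements the tokenized parse mode and the assert_eq check in Python and prints a report in the same shape as the one above. It assumes that tokenized mode takes the first token of a line as the property name, that hash_comment_allowed drops everything from '#' onward, and it uses a constructed sshd_config in place of /etc/ssh/sshd_config.

```python
# Added example (not Tstconfig's own code): a minimal re-implementation of the
# tokenized parse mode and assert_eq check; the sshd_config content is constructed.

# Constructed stand-in for /etc/ssh/sshd_config. The commented-out directive
# must count as undefined, exactly as in the first report above.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#AllowUsers alice
PasswordAuthentication no
"""

def parse_tokenized(text, hash_comment_allowed=True):
    """Map the first token of each non-blank line to the rest of the line.
    With hash_comment_allowed, text from '#' onward is dropped, so
    '#AllowUsers alice' leaves AllowUsers undefined. The first occurrence
    of a keyword wins, which is the rule sshd itself applies."""
    props = {}
    for line in text.splitlines():
        if hash_comment_allowed:
            line = line.split("#", 1)[0]
        tokens = line.split()
        if tokens:
            props.setdefault(tokens[0], " ".join(tokens[1:]))
    return props

def run_assertions(props, assertions, path="/etc/ssh/sshd_config"):
    """assertions: (property, expected) pairs, i.e. assert_eq checks.
    Returns (summary dict, failure dicts shaped like the report lines)."""
    failures = []
    for prop, expected in assertions:
        value = props.get(prop)
        if value != expected:
            failures.append({"File": path, "Property": prop,
                             "Value": "<undefined>" if value is None else value,
                             "Assertion": f"assert_eq {expected}"})
    summary = {"tested": len(assertions), "passed": len(assertions) - len(failures),
               "failed": len(failures), "result": "FAIL" if failures else "PASS"}
    return summary, failures

if __name__ == "__main__":
    checks = [("PermitRootLogin", "no"), ("AllowUsers", "your_user_name")]
    summary, failures = run_assertions(parse_tokenized(SAMPLE_SSHD_CONFIG), checks)
    for failure in failures:
        print("ASSERTION FAILED")
        for key, val in failure.items():
            print(" " + (key + ":").ljust(11) + val)
        print()
    print(f"SUMMARY REPORT: {summary['result']}")
```

Running it against the constructed file reproduces the two failures of the first report; editing the two directives as the second report expects turns it into a PASS.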

Supported configuration syntaxes

Out of the box, Tstconfig supports the syntaxes of many common configurations:

  • /etc/passwd
  • /etc/shadow
  • /etc/group
  • /etc/hosts
  • Apache
  • Apt
  • Fail2ban
  • Ssh/sshd

It also supports the following generic formats:

  • .ini (useful for MySQL and Php configurations)
  • Java-style .properties
  • Generic key-values
  • Tokenized lines
  • Fixed format tables

In addition, Tstconfig can parse the output of a few popular commands:

  • ufw status verbose (firewall status)
  • netstat -plnt (report of listening sockets)
  • apache2ctl -M (list of enabled Apache modules)
  • swapon -s (list of swap files and partitions)

Who should use Tstconfig

If you are a system administrator working alone, Tstconfig can help you enforce good configuration standards across the many systems you manage.

If you are a team of system administrators, Tstconfig can help you enforce common standards across the team.

If you use other configuration management tools (such as Puppet, Chef or Ansible), Tstconfig is a nice "belt and braces" check that costs nothing and gives good confidence of a system's integrity.

Documentation