#
# Base hardening profile for Solaris hosts.  Written against a very
# early Puppet: "running =>" instead of "ensure =>", a separate
# "symlink" type, "create => directory", and "checksum => md5" for
# change detection.  Sections marked FIXME record intent only --
# nothing inside a commented-out section is enforced by this class.
#
class solaris {
    # Directories that must exist.
    file { ["/usr/lib/X11/nls", "/var/run", "/var/spool/lpd"]: create => directory }
    # Only ownership and a content checksum of inetd.conf are managed
    # here.  The list of inetd services the author wanted disabled
    # (the HashCommentLinesContaining entries further down this file)
    # is still cfengine-style commentary and is not applied.
    file { "/etc/inetd.conf": owner => root, checksum => md5 }
    #---------------------------------------------------------------
    #
    # get rid of this crap
    #
    #---------------------------------------------------------------
    # FIXME there is no tidy-like functionality in puppet yet...
    #tidy:
    #    /usr/tmp pattern=* age=1
    #/etc/rc2.d pattern=S80lp age=0
    #---------------------------------------------------------------
    #
    # make links
    #
    #---------------------------------------------------------------
    # FIXME we need clobber selectivity a la ->!
    # NOTE(review): whether "path" names the link target or the link
    # itself is not obvious from this syntax -- confirm against this
    # Puppet version's symlink type.  If /usr/bin/perl is being pointed
    # at /usr/local/bin/perl, whoever can write /usr/local/bin effectively
    # supplies the system perl; worth keeping /usr/local/bin root-owned.
    symlink {
        "/etc/services": path => "/etc/inet/services";
        "/usr/bin/perl": path => "/usr/local/bin/perl";
        "/var/spool/mail": path => "/var/mail"
    }
    #---------------------------------------------------------------
    #
    # make sure these don't exist
    #
    #---------------------------------------------------------------
    # FIXME no disable functionality
    # Binaries/files the author wanted removed from the host.  Not
    # enforced: the delete type does not exist in this Puppet version.
    #delete {
    #    "/etc/.login": type=>file;
    #    "/bin/rdist":;
    #    "/usr/lib/print/printd ":;
    #    "/usr/openwin/bin/kcms_calibrate":;
    #    "/usr/openwin/bin/kcms_configure":;
    #    "/usr/bin/admintool":;
    #    "/etc/rc2.d/S99dtlogin":;
    #}
    #---------------------------------------------------------------
    #
    # check these modes
    #
    #---------------------------------------------------------------
    # NOTE(review): modes are written both with a leading zero (0644)
    # and without (644, 755, 555) -- presumably both are read as octal
    # by this Puppet version; TODO confirm.
    file {
        #
        # If this doesn't exist fork will not work and the
        # system will not even be able to run the /etc/rc
        # scripts at boottime
        #
        "/etc/system": mode => 644, owner => root, group => root;
        "/usr/sbin/mount": mode => 555, owner => bin, group => bin;
        # setuid bit (4555) is enforced but, unlike mount above, owner
        # and group are not pinned.  NOTE(review): if ownership drifted
        # the setuid bit would apply to whatever account owns the file;
        # consider adding owner => root here as well.
        "/usr/sbin/ping": mode => 4555;
        "/etc/passwd": mode => 0644, owner => root, group => other;
        # shadow stays readable by root only.
        "/etc/shadow": mode => 0600, owner => root, group => other;
        "/etc/defaultrouter": mode => 0644, owner => root, group => other;
        "/etc/inet": mode => 755, owner => root, group => other;
        "/var/adm/wtmpx": mode => 0644, owner => adm, group => adm;
        "/var/adm/utmpx": mode => 0644, owner => root, group => bin;
        # world-writable with the sticky bit set.
        "/tmp": mode => 1777;
        "/usr/openwin/bin/xdm": mode => 0755, owner => root, group => bin;
        # The modes below carry no setuid/setgid bits, so any such bit
        # on these binaries is cleared rather than the binary removed.
        # "bof" is presumably the author's shorthand for buffer overflow.
        # FIXME no ability to specify a different loglevel or something
        #"/usr/bin/tip": mode => 0711, inform => true # bof
        "/usr/bin/tip": mode => 0711; # bof
        "/usr/openwin/bin/Xsun": mode => 0755; # bof
        "/usr/openwin/bin/kcms_configure": mode => 0755; # bof
        # mode 0000 makes the daemon binary unusable by anyone
        # (CERT advisory CA-2001-05, as noted by the author).
        "/usr/lib/dmi/snmpXdmid": mode => 0000; # bof CA-2001-05
        "/usr/bin/at": mode => 0755 # string format vuln
    }
    # FIXME this mode isn't currently supported
    #"/usr/dt/bin": recurse => true, mode => -6000;
    # CheckIntegrity.Rest::
    # FIXME this should be done on a specific 'checkintegrity' schedule
    # FIXME there is no 'ignore' functionality
    # Integrity monitoring: recursive ownership checks over /etc and
    # /usr and md5 checksums over /usr and the crontab directory.
    # NOTE(review): the author notes "ignore" is unsupported, so the
    # ignore list below presumably has no effect and the whole /usr
    # tree (including the listed data directories) is walked -- verify.
    # An owner list rather than a single owner is cfengine semantics
    # (any of these owners is acceptable); confirm Puppet honours it.
    file {
        "/etc": owner => [root,bin,uucp,lp,adm,httpd], recurse => true;
        "/usr": owner => [root,bin,uucp,lp,adm,httpd,cricket,mysql], recurse => true, checksum => md5, ignore => [tmp, logs, mysql-data-instance-1, authdir];
        "/var/spool/cron/crontabs": checksum => md5, recurse => true;
    }
    # inetd is kept running in the base profile; the firewall subclass
    # below overrides this.
    service { "inetd": running => true }
    # ntp.conf is fetched from the puppet server.  backup => false
    # presumably means no local copy of the replaced file is kept, so
    # a bad push cannot be rolled back from the host itself.
    file { "/etc/inet/ntp.conf": source => "puppet://$server/dest/apps/ntp/ntp.conf", backup => false, checksum => md5, mode => 644, owner => root, group => root }
    # The daemon is tied to its config file via subscribe, so a change
    # to ntp.conf is propagated to xntpd.
    service { "xntpd": running => true, subscribe => file["/etc/inet/ntp.conf"] }
}
# this class is obsolete anyway...
#
# Firewall role: the solaris profile with inetd kept down.
# NOTE(review): this redeclares the "inetd" service that the parent
# class already declares with running => true.  Whether this Puppet
# version treats a subclass redeclaration as an override or as a
# duplicate resource is not visible here -- confirm before relying on
# inetd actually being stopped on these hosts.
#
class firewall inherits solaris {
    service { "inetd": running => false }
}
# yeah, this is disabled, goddamit
# cfengine-era per-host ownership rules for the apache docroots on
# kirby and pixie.  Kept for reference only; nothing here is applied.
#kirby|pixie::
#    /export/apache/docroots/*/htdocs
#        o=luke
#        g=sysadmin
#        r=inf
#        action=fixall
#        ignore=.htaccess
#        ignore=icontek.com
#        ignore=kaniesremodeling.com
#        ignore=logs
#        ignore=mail.madstop.com
#
#    /export/apache/docroots/cricket.madstop.com/htdocs/.htaccess
#        o=httpd
#        g=httpd
#        action=fixall
#    /export/apache/docroots/kaniesremodeling.com/htdocs
#        o=isaiah
#        g=httpd
#        r=inf
#        action=fixall
#
# Software set for x86 hosts, pinned to exact versions.  Pinning means
# a security update to any of these (openssh, openssl, apache, php,
# mysql, ...) only reaches hosts after the version string here is
# changed -- treat this list as something to review, not set and forget.
#
class solarisx86 inherits solaris {
    package {
        cfng: install => "0.1.1";
        subversion: install => "1.0.6";
        php: install => "4.3.4";
        noshell: install => "1.0";
        nagios: install => "1.2";
        openldap: install => "2.1.25";
        nagios-plugins: install => "1.3.1";
        apache: install => "2.0.50";
        db: install => "4.1.25";
        flex: install => "2.5.4a";
        gdbm: install => "1.8.3";
        libxml2: install => "2.6.7";
        mysql: install => "4.0.17";
        openssh: install => "3.8.1p1";
        openssl: install => "0.9.7d";
        perl: install => "5.8.2";
        rrdtool: install => "1.0.45";
        courier-imap: install => "3.0.3";
        nsca: install => "2.4";
        vim: install => "6.3";
        ImageMagick: install => "6.1.1-4";
        ganglia: install => "2.5.7"
    }
}
#
# Software set for SPARC hosts.  Note the versions differ from the x86
# list (apache 1.3.29 vs 2.0.50, rrdtool 1.0.42 vs 1.0.45), so the two
# lists need to be kept in step by hand.
#
class sparcsolaris inherits solaris {
    package {
        apache: install => "1.3.29";
        cfng: install => "0.1.1";
        automake: install => "1.8.4";
        autoconf: install => "2.59";
        db: install => "4.1.25";
        openldap: install => "2.1.25";
        openssh: install => "3.8.1p1";
        openssl: install => "0.9.7d";
        rrdtool: install => "1.0.42";
        ruby: install => "1.8.0";
        nagios: install => "1.2";
        nagios-plugins: install => "1.3.1";
        nsca: install => "2.4"
    }
}
#---------------------------------------------------------------
#
# runs various shell commands
#
#---------------------------------------------------------------
# FIXME this needs to be scheduled
# FIXME there's no umask setting in exec
# FIXME there's no group setting in exec
# FIXME the user setting doesn't work
# Intended catman runs with an explicit umask/owner/group.  Disabled
# because exec cannot express those settings yet.
#exec {
#    "/usr/bin/catman -M /usr/openwin/share/man":
#        umask => 0022, owner => root, group => bin;
#    "/usr/bin/catman -M /usr/share/man"
#        umask => 0022, owner => root, group => bin
#}
#---------------------------------------------------------------
#
# make sure these files look like this...
#
#---------------------------------------------------------------
# FIXME there is nothing resembling editfiles right now
# Intended file edits, recorded in cfengine editfiles syntax because
# Puppet had no equivalent.  None of this is enforced.  The security
# relevant intent: a root crontab entry for cfexecd, non-executable
# user stack settings in /etc/system, removal of the "+" NIS entries
# from the automounter maps, wrapping in.ftpd with tcpd and commenting
# out the r-services, finger, telnet and friends in inetd.conf, and a
# umask of 022 for inetd's children.
#editfiles:
#    #
#    # Makes sure that cfengine will be run by cron
#    # installs itself as a cron job - sneaky! :)
#    #
#    { /var/spool/cron/crontabs/root
#        AppendIfNoSuchLine "0,30 * * * * ${cfbindir}/cfexecd -F"
#    }
#
#    #{ ${sshdconfigroot}/sshd_config
#    #    ReplaceAll ".*UseLogin.*no" With "UseLogin yes"
#    #}
#
#    #
#    # Solaris configuration for extra logins
#    #
#    { /etc/auto_home
#        DeleteLinesContaining "+"
#    }
#
#    { /etc/auto_master
#        DeleteLinesContaining "+"
#    }
#
#    { /etc/system
#        AppendIfNoSuchLine "set pt_cnt=128"
#        AppendIfNoSuchLine "set noexec_user_stack_log = 1"
#        AppendIfNoSuchLine "set noexec_user_stack = 1"
#    }
#
#    { /etc/rmmount.conf
#        HashCommentLinesContaining "action cdrom"
#        HashCommentLinesContaining "action floppy"
#    }
#
#    { /etc/inet/inetd.conf
#        ReplaceAll "/usr/sbin/in.ftpd" With "/usr/sbin/tcpd"
#        HashCommentLinesContaining "in.rshd"
#        HashCommentLinesContaining "in.rlogind"
#        HashCommentLinesContaining "rwall"
#        HashCommentLinesContaining "/usr/sbin/in.fingerd"
#        HashCommentLinesContaining "comsat"
#        HashCommentLinesContaining "exec"
#        HashCommentLinesContaining "echo"
#        HashCommentLinesContaining "discard"
#        HashCommentLinesContaining "charge"
#        HashCommentLinesContaining "quotas"
#        HashCommentLinesContaining "users"
#        HashCommentLinesContaining "spray"
#        HashCommentLinesContaining "sadmin"
#        HashCommentLinesContaining "rquota"
#        HashCommentLinesContaining "kcms"
#        HashCommentLinesContaining "comsat"
#        HashCommentLinesContaining "xaudio"
#        HashCommentLinesContaining "uucp"
#        HashCommentLinesContaining "/dt"
#        HashCommentLinesContaining "tnamed"
#        HashCommentLinesContaining "in.r"
#        HashCommentLinesContaining "kerbd"
#        HashCommentLinesContaining "rpc.rstatd"
#        HashCommentLinesContaining "cachefsd"
#        HashCommentLinesContaining "gssd"
#        HashCommentLinesContaining "telnet"
#    }
#
#    !kirby::
#    { /etc/inet/inetd.conf
#        HashCommentLinesContaining "tftp"
#    }
#
#    #
#    # umask define when inetd starts is inherited by all subprocesses
#    # this makes ftp post files open to the world
#    #
#    { /etc/rc2.d/S72inetsvc
#        PrependIfNoSuchLine "umask 022"
#        HashCommentLinesContaining "/usr/sbin/in.named &"
#    }
#
#    home::
#    { /etc/netmasks
#        AppendIfNoSuchLine "192.168.0.0 255.255.255.0"
#    }
#
#    pixie::
#    { /etc/netmasks
#        AppendIfNoSuchLine "207.65.26.0 255.255.255.0"
#    }
#---------------------------------------------------------------
#
# processes to kill, restart, or hup
#
#---------------------------------------------------------------
# FIXME cannot manage normal processes
# Process policy in cfengine syntax: the listed daemons are to be
# killed wherever found and xntpd is to be restarted.  Not enforced;
# only the xntpd service is actually managed (in class solaris).
#processes:
#
#    # these shouldn't run under any circumstances
#    "ttdbserverd" signal=kill
#    "dmispd" signal=kill
#    "kwmsound" signal=kill
#    "hpnp" signal=kill
#    "cmsd" signal=kill
#
#    # these should run everywhere
#    "xntpd" restart "/usr/lib/inet/xntpd"
#        useshell=false