Chapter 24. cf.shellcommands

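#!/var/cfengine/inputs/sh/cfagent -qKf
#
# cf.shellcommands: cfengine 2 policy that drives the site's check scripts
# and package installs through the shellcommands action.
#
# Entry shape:   <class>:: "<command>" inform=off ifelapsed=N
#   <class>::    host class the command is restricted to: linux, hpux, any,
#                or a canonified hostname such as myhost_01
#   inform=off   suppress cfagent's informational message for the command
#   ifelapsed=N  skip the command if it last ran less than N minutes ago
#                (presumably not enforced when cfagent is started with -K, as
#                in the shebang above -- TODO confirm)
#
# The check_*.sh scripts under /var/cfengine/inputs/sh/ are not shown here;
# what each one reports or changes is taken from its
# cfengine-policy-description line only.

control:

    actionsequence = ( shellcommands )

shellcommands:

    # cfengine-policy-description: On Linux systems, check that we have certain packages installed: strace rcs sysstat net-snmp
    # Both yum runs below discard stdout and stderr and use inform=off, so a
    # failed or partial install leaves no trace in cfagent output; if a package
    # is missing, yum's own log on the host is the only record.

    linux:: "/usr/bin/yum -q -y install strace rcs sysstat net-snmp >/dev/null 2>/dev/null" inform=off ifelapsed=120

    # cfengine-policy-description: On Linux systems, check that we have extra add-on packages installed from 3rd party repos: multitail
    # rpmforge is a third-party repository that this policy keeps disabled by
    # default (see the last entry in this file); --enablerepo turns it on for
    # this one transaction only, so multitail is the only package ever pulled
    # from it.

    linux:: "/usr/bin/yum -q -y --enablerepo=rpmforge install multitail >/dev/null 2>/dev/null" inform=off ifelapsed=120

    # cfengine-policy-description: check mounted filesystems to make sure they are over N % utilization (usually 80)
    # (presumably the script reports filesystems that exceed N % -- TODO
    # confirm against check_filesystems.*.sh)

    linux:: /var/cfengine/inputs/sh/check_filesystems.linux.sh inform=off ifelapsed=2
    hpux:: /var/cfengine/inputs/sh/check_filesystems.hpux.sh inform=off ifelapsed=2

    # cfengine-policy-description: check for orphaned users in /etc/group
    any:: /var/cfengine/inputs/sh/check_for_stray_users_in_etc_group.sh inform=off ifelapsed=2

    # cfengine-policy-description: check localhost entry in /etc/hosts to make sure it does not contain the machine's FQDN
    # The arguments are the expected loopback line, which differs per platform.

    linux:: "/var/cfengine/inputs/sh/check_localhost_line.sh 127.0.0.1 localhost.localdomain localhost" inform=off ifelapsed=2

    hpux:: "/var/cfengine/inputs/sh/check_localhost_line.sh 127.0.0.1 localhost loopback" inform=off ifelapsed=2

    # cfengine-policy-description: compare list of open TCP ports to the list specified by us - used to detect new open ports (maybe somebody installs something without telling us) and to detect dead services (services not running that should be running). --- this is commented out for the initial rollout.  Aleksey.
    # NOTE(review): the description says this check is commented out for the
    # initial rollout, but both host entries below are active; confirm which
    # state is intended and update one or the other.
    # Arguments look like <port> <expected daemon> pairs; the second host's list
    # ends with a bare "snmpd" and no port, which the script may or may not
    # accept -- TODO confirm against check_open_ports.sh.

    # note: cfengine turns the hostname into a class with dashes replaced by
    # underscores, so write myhost_01 here for a host named myhost-01.

    myhost_01:: "/var/cfengine/inputs/sh/check_open_ports.sh 21 vsftpd 22 sshd 80 httpd 199 snmpd" inform=off ifelapsed=2

    myhost_02:: "/var/cfengine/inputs/sh/check_open_ports.sh 21 vsftpd 22 sshd snmpd" inform=off ifelapsed=2

    # cfengine-policy-description: make sure Linux kernel tunable vm.swappiness is set to 0 to prefer keeping applications in physical RAM over swap.
    linux:: "/var/cfengine/inputs/sh/check_kernel.linux.vm.swappiness.sh" inform=off ifelapsed=2

    # cfengine-policy-description: make sure root crontab contains certain entries.
    linux:: "/var/cfengine/inputs/sh/check_crontab.sh" inform=off ifelapsed=2

    # cfengine-policy-description: make sure UFR is installed and install it if it is not.  Tested under Linux only.
    linux:: "/var/cfengine/inputs/sh/check_UFR_is_there.sh" inform=off ifelapsed=2

    # cfengine-policy-description: make sure "autofs" service is not configured to start on boot (Linux)
    linux:: "/var/cfengine/inputs/sh/check_service_disabled.linux.sh autofs" inform=off ifelapsed=2

    # cfengine-policy-description: make sure Dag's rpmforge repo is added, but is disabled
    # Keeps the repo present for the multitail install above while leaving it
    # off for ordinary yum runs.
    linux:: "/var/cfengine/inputs/sh/check_rpmforge_repo_is_installed_and_disabled.linux.sh" inform=off ifelapsed=2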