Uploaded image for project: 'CFEngine Community'
  1. CFEngine Community
  2. CFE-3100

RFE: audit runs with 'manifest' and 'diff' modes

    XMLWordPrintable

    Details

    • Type: Knowledge acquisition
    • Status: Done
    • Priority: (None)
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: N/A
    • Component/s: None
    • Labels:
      None

      Description

      We gathered input and discussed a new potential feature – audit agent runs with manifest or diff mode specified as:

      --audit=manifest

      A dry-run mode where every evaluated/actuated promise makes no changes to the system and instead only prints what the result would be. For example:

      • Permissions of the file '/etc/motd' should be 0644
      • The file '/etc/motd' should be a symlink to '/etc/todays-motd'
      • User John should exist
      • Contents of the file '/etc/motd' should be:
        Hello, sir!
        Welcome to a CFEngine-managed system.
        
      • Package 'openssh-server' should be present
      • Package 'openssh-server' version should be '123'
      • ...

      In other words, KEPT and REPAIRED promises would print the resulting state of things they target. The changes to files would accumulate so if two promises change the same file, the second promise would show the resulting state including the changes done by the first commit. Or all promises evaluated/actuated before the current promise, in general.

      --audit=diff

      A dry-run mode where every evaluated/actuated promise makes no changes to the system and instead only prints changes it would do (if any). For example:

      • Permissions of the file '/etc/motd' are 0600, would be changed to 0644
      • User John does not exist, would be created
      • The file '/etc/motd' is a symlink to '/etc/yesterdays-motd' should point to '/etc/todays-motd'
      • Contents of the file '/etc/motd' would be changed:
        @@ -1,2 +1,2 @@
        - Hello, sir!
        + Hello, madame!
        
      • Directory '/etc' does not match the source
      • Show tree-diff?
        @@ -1,2 +1,2 @@
        - /etc/bar
        + /etc/foo
        + /etc/foo: 9 Hello World
        
      • Package 'openssh-server' is not installed, version 'xyz' would be installed
      • Package 'openssh-server' version is '123' should be '1234'
      • ...

      In other words, REPAIRED promises would print the changes of things they target. The changes to files would accumulate so if two promises change the same file, the second diff would be comparing the state after it is evaluated/actuated with the state after the first commit is evaluated/actuated. Or all promises evaluated/actuated before the current promise, in general.

      Functions with side-effects

      Functions with side effects (e.g. returnszero()) would be skipped and with them the whole promises in which they are used. Unless the promise has

      meta => {"audit_safe"}
      

      as its attribute. Author of the policy will make sure that the function calls with possible side effects in the promise are safe to run in the audit mode (don't modify the system).

      • for the future, perhaps we should add a global list of functions that are always audit safe (it could be very tedious to tag every use of a function but it might be unsafe if we are mistaken about a function we think to be safe, but is not).

      Commands promises

      Like functions, command promises should only run during audit mode if the promise is tagged as audit_safe.

        Attachments

          Activity

            People

            • Assignee:
              vpodzime Vratislav Podzimek
              Reporter:
              vpodzime Vratislav Podzimek
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Summary Panel