################################################################ # # cf.site - for iu.hio.no # # This file contains site specific data and system policy # ################################################################# ### # # BEGIN cf.site # ### classes: # groups # # If this file exists, then ssh has been installed ok # Setup_SSH_OK = ( '/usr/bin/test -f /etc/ssh2/ssh2_config' ) ################################################################# links: Prepare:: # # "local" software is always mounted /iu/nexus/local # or /iu/cube/local, but we really want these to look # like they are mounted at /usr/local or /local # /local -> /$(site)/$(binserver)/local /usr/local -> /local dax:: # # On dax /iu/dax/local is only a small a partition # large enough to hold the SDT simulation software # which is specially licensed to dax. This fills in # the blanks in /iu/dax/local by linking to nexus. # /iu/dax/local +> /iu/nexus/local # # Different people like to see perl installed # in different places # solaris:: /usr/bin/perl5 -> /local/bin/perl /usr/bin/perl -> /local/bin/perl # So that stupid perl/cgi can find it... /lib/libgdbm.so.1 -> /local/lib/libgdbm.so.1 cube:: /local/etc/fingerdir -> /iu/nexus/local/etc/fingerdir ###################################################################### # Other package installation fixes ###################################################################### nexus:: /local/bin/acroread -> /local/Acrobat4/bin/acroread /local/bin/xmgr -> /local/xmgr/bin/xmgr /local/lib/xemacs/site-lisp/site-start.el -> /iu/nexus/local/iu/lib/EmacsCStyleLisp /iu/nexus/ua/www-data/www/local/latex2html/icons.gif -> /local/latex2html/icons.gif AllBinaryServers:: # # KDE Setup # /local/kde/share/applnk/Graphics/Gimp.kdelnk ->! /iu/nexus/local/iu/lib/KdeSetup/Gimp.kdelnk /local/kde/share/applnk/apps/Internet/TkRat.kdelnk ->! /iu/nexus/local/iu/lib/KdeSetup/TkRat.kdelnk /local/kde/share/applnk/apps/WordProcessing/office.kdelnk ->! /iu/nexus/local/iu/lib/KdeSetup/office.kdelnk /local/kde/share/applnk/apps/Graphic/xmgr.kdelnk ->! /iu/nexus/local/iu/lib/KdeSetup/xmgr.kdelnk /local/kde/share/applnk/apps/Utilities/xterm.kdelnk ->! /iu/nexus/local/iu/lib/KdeSetup/xterm.kdelnk /local/kde/share/applnk/apps/Development/freebuilder.kdelnk ->! /iu/nexus/local/iu/lib/KdeSetup/freebuilder.kdelnk /local/kde/share/config/kpanelrc ->! /iu/nexus/local/iu/lib/KdeSetup/kpanelrc /local/kde/share/config/kdisplayrc ->! /iu/nexus/local/iu/lib/KdeSetup/kdisplayrc /local/kde/share/applnk/apps/Utilities/ical.kdelnk ->! /iu/nexus/local/iu/lib/KdeSetup/ical.kdelnk solaris:: /local/kde/share/applnk/apps/Development/javaworkshop.kdelnk ->! /iu/nexus/local/iu/lib/KdeSetup/javaworkshop.kdelnk # # KDM Setup # nexus:: /local/kde/share/config/kdmrc ->! /iu/nexus/local/iu/lib/kdmrcSolaris cube:: /local/kde/share/config/kdmrc ->! /iu/nexus/local/iu/lib/kdmrcLinux debian.!rom21X:: /etc/rc2.d/S13kdm ->! /iu/nexus/local/iu/etc/S13kdm ############################################################### disable: # # CERT warning, security fix # any:: /usr/lib/expreserve rootfull.solaris:: /var/log/syslog rotate=empty inform=true # Don't allow running the passwd program on any host except nexus & daneel !nexus.!daneel.!rom21X:: /usr/bin/passwd repository=none # solaris:: # /usr/lib/login repository=none inform=true ################################################################# # # Some very basic security file permissions # ################################################################ files: nexus:: /local/iu/Admin r=inf owner=root mode=600 action=fixall CheckIntegrity.Rest.AllBinaryServers:: /iu/$(host)/local owner=root,bin,man,daemon,www-data group=root,daemon,bin,staff,www-data,adm,other,sys action=warnall mode=o-w r=inf checksum=md5 syslog=true ignore=fingerdir ignore=cfengine ignore=var ignore=etc ignore=dns ignore=mail ignore=lprng ignore=src ignore=logs ignore=texmf ignore=log ignore=locks ignore=aliases ignore=conf ignore=servlets exclude=*.log ignore=jserv ignore=real exclude=CheckRealServer ignore=pluto exclude=.bash_history exclude=*.db nexus:: # /iu/nexus/ECG mode=770 g=ecg act=fixall r=inf /etc/passwd o=root checksum=md5 action=fixall nexus.Hr12.OnTheHour:: $(checksrc) o=mark r=inf checksum=md5 action=warnall debian||solaris:: /etc/inetd.conf o=root checksum=md5 action=fixall Prepare.!rom21X:: /.cshrc m=0644 r=0 o=root act=touch /tmp/screens/. m=0755 o=root act=touch /var/spool/cron m=755 act=fixall Prepare.!rom21X:: # openssh... /etc/ssh2/ssh2_config m=644 o=root g=0 act=fixall /etc/ssh2/sshd2_config m=644 o=root g=0 act=fixall nexus:: /local/teTeX/texmf/ls-R m=666 o=root act=fixplain #/local/iu/etc/passwd m=0644 o=root g=other action=fixplain # These files contain passwords to databases /iu/nexus/ua/mysql/UpdateEmployDB.php o=mysql mode=700 action=fixall /iu/nexus/ua/mysql/UpdateStudentDB.php o=mysql mode=700 action=fixall /iu/nexus/ua/mysql/UpdateCalendarDB.php o=mysql mode=700 action=fixall /iu/nexus/ua/mysql/GetAliases.php o=mysql mode=700 action=fixall nexus.Hr18.OnTheHour:: /etc/mnttab m=644 act=fixall # S/KEY installation /etc/skeykeys mode=644 o=root action=touch ################################################################# # # Some routine file tidying # ################################################################# tidy: # # Make sure the file repository doesn't fill up # /var/spool/cfengine pattern=* age=0 # # Nothing needs to be in /tmp more than a day # !rom21X:: /tmp pattern=.* age=1 r=inf /tmp pattern=* age=1 r=inf rmdirs=sub type=mtime Hr05.(nexus|quetzalcoatal):: /local pattern=core age=0 r=inf ignore: latex2html ################################################################# shellcommands: PasswdServer:: # Build and install the BSD compatible passwd file for GNU/Linux # from the master passwd/shadow file on solaris "/local/iu/bin/BuildPasswdFiles" "/local/iu/bin/BuildGroupFiles" nexus.Sunday.Hr15.OnTheHour:: # # See how much rubbish users have accumulated on disks # Sends no automatic warnings even if they exceed 60MB # "$(cfbin)/noseyparker /iu/nexus/ua ${sysadm} nomail" "$(cfbin)/noseyparker /iu/nexus/ub ${sysadm} nomail" "$(cfbin)/noseyparker /iu/nexus/uc ${sysadm} nomail" "$(cfbin)/noseyparker /iu/nexus/ud ${sysadm} nomail" cube.Sunday.Hr16.OnTheHour:: # # See how much rubbish users have accumulated on disks # Sends automatic warnings if they exceed 60MB # "$(cfbin)/noseyparker /iu/cube/u1 ${sysadm} " "$(cfbin)/noseyparker /iu/cube/u2 ${sysadm} " "$(cfbin)/noseyparker /iu/cube/u3 ${sysadm} " "$(cfbin)/noseyparker /iu/cube/u4 ${sysadm} nomail" # # Update the ls-lR database for TeX # nexus.Hr01.OnTheHour:: "/local/iu/bin/TexRehash > /dev/null 2>&1" !Setup_SSH_OK.!rom21X:: # If ssh is not properly installed, install it! "/local/iu/bin/SetupSSH" ############################################################### editfiles: nexus:: # # Disable the reboot/shutdown button on the KDM login # What were they THINKING?! # { /local/iu/lib/kdmrcSolaris ReplaceAll "K Desktop Environment" With "Sun/Solaris" CommentLinesMatching ".*ShutdownButton=RootOnly.*" AppendIfNoSuchLine "ShutdownButton=ConsoleOnly" } { /local/iu/lib/kdmrcLinux ReplaceAll "K Desktop Environment" With "Debian GNU/Linux" CommentLinesMatching ".*ShutdownButton=RootOnly.*" AppendIfNoSuchLine "ShutdownButton=ConsoleOnly" } ###################################################################### required: # # Any host must have a /local, /usr/local fs. Check that # it exists and looks sensible. (i.e. not empty) # If free space falls below 50mb start declare an emergency # as a signal to "tidy" # / freespace=10mb define=rootfull /${site}/${binserver}/local 128_39_89:: /iu/nexus/ua freespace=50mb define=emergency /iu/nexus/ub freespace=50mb define=emergency /iu/nexus/uc freespace=50mb define=emergency /iu/nexus/ud freespace=50mb define=emergency !haddock.!daneel:: /iu/cube/u1 freespace=50mb define=emergency /iu/cube/u2 freespace=50mb define=emergency /iu/cube/u3 freespace=50mb define=emergency /iu/cube/u4 freespace=50mb define=emergency ########################################################################### copy: /iu/nexus/local/iu/etc/keys dest=/var/cfengine/keys mode=400 o=root server=nexus # # make sure the password file is distributed # solaris.PasswordClients:: /etc/passwd dest=/etc/passwd server=nexus type=checksum mode=644 o=root secure=true /etc/shadow dest=/etc/shadow server=nexus type=checksum mode=600 o=root secure=true !solaris.PasswordClients:: /etc/shadow dest=/etc/shadow server=nexus type=checksum mode=640 o=root g=shadow size=>20k nexus:: # The alias-data contains both staff and students /iu/nexus/ua/mysql/aliasdata dest=/local/iu/aliases/aliases o=root g=root mode=644 type=sum define=alias_update # /etc/passwd dest=/iu/nexus/local/iu/etc/passwd mode=644 size=>500 # /etc/shadow dest=/iu/nexus/local/iu/etc/shadow mode=644 size=>50 solaris.!haddock:: $(nisfiles)/group.solaris dest=/etc/group server=nexus mode=644 (debian.PasswordClients)|daystrom:: $(nisfiles)/passwd.slinux dest=/etc/passwd type=checksum server=nexus mode=644 o=root size=>50k $(nisfiles)/group.linux dest=/etc/group server=nexus mode=644 size=>100 # # Some other basic system files are distributed # # any:: # ssh_known_hosts er ssh v1... # $(nisfiles)/ssh_known_hosts dest=/etc/ssh_known_hosts o=root mode=644 !rom21X:: $(nisfiles)/shells dest=/etc/shells mode=644 any:: $(nisfiles)/etc_profile dest=/etc/profile o=root mode=644 solaris:: $(nisfiles)/services dest=/etc/inet/services mode=644 debian:: $(nisfiles)/services dest=/etc/services mode=644 # # Mirror some filesystems, for backup # quetzalcoatal.Hr01.OnTheHour:: /iu/nexus/local dest=/iu/quetzalcoatal/local typecheck=false r=inf server=nexus ignore=src ignore=logs ignore=log ignore=var sigmund.Hr01.OnTheHour:: /iu/cube/local dest=/iu/sigmund/local r=inf server=cube ignore=src ignore=logs ignore=log exclude=httpd.conf ignore=/iu/cube/local/iu/httpd/htdocs ignore=/iu/cube/local/iu/X11 pax.OnTheHour:: # this is really important! /iu/nexus/private dest=/iu/pax/backup/private server=nexus r=inf mode=600 FTPServers:: # # If /etc/shells does not conatin your shell, you # cannot use FTP! # /local/iu/etc/shells dest=/etc/shells m=0644 # debian:: # To prevent the use of kvt ... Modified file invokes xterm instead # /local/iu/etc/kvt.kdelnk dest=/local/kde/share/applnk/Utilities/kvt.kdelnk m=644 ##################################################################### # # Some processes that we do not / do want running # ##################################################################### processes: "cfenvd" restart "/usr/local/sbin/cfenvd" useshell=false "eggdrop" signal=kill # exclude=solluna exclude=holterr "BitchX" signal=kill "enting" signal=kill "bnc" signal=kill "mount -o" signal=term # these should not hang around. If they do, # then the RPC is fucked, pardon my french "cron" signal=hup inform=false # Get cron to reread config file DayTime:: "rc5des" signal=kill "stst" signal=kill linux:: SetOptionString "aucx" any.Hr23:: # # Kill user-processes over a day old. At Hr23 because linux ps - wrongly - # reports processes as a day old when it has started before 00.00 (which isn't # exactly accurate) # "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec" signal=kill include=ftpd include=tcsh include=bash include=xterm include=kio include=kaudio include=maudio include=netscape include=ftp include=tkrat include=pine include=perl include=irc include=kfm include=freebuild include=javac include=/bin/ls include=emacs include=passwd include=ls include=less include=more include=man include=pvm3 include=pvmd3 include=lpr include=communicator include=kbgndwm include=krootwm include=utmp_update include=sdtpm include=sdthelp include=sdtsan include=staroffice include=kvt include=kwm include=server include=konsole include=kghostview include=alarmd include=ssh2 include=ping include=ssh exclude=sshd exclude=sowille exclude=rmserver # Real Streaming Server "maudio" signal=kill "kaudio" signal=kill # # Kill processes which have run on for too long e.g. 999:99 cpu time # Careful - a pattern to match 99:99 will kill everything! # "[0-9][0-9][0-9][0-9]:[0-9][0-9]" signal=term exclude=root exclude=daemon "[0-9][0-9][0-9]:[0-9][0-9]" signal=term exclude=root exclude=daemon Hr05:: # # Make sure these die. The above regex only works half the time! # "ftp" signal=kill "netscape" signal=kill nexus:: "irc" signal=kill # :-) better still, all machines! ###################################################################### # # Define some ACLs useful for www # acl: { WWWacl # For CGI scripts which write to a special directory fstype:posix method:overwrite mask:*:rwx user:*:rwx group:*:r-x other:*:r user:www:=rwx # Need me and www because the file will end up with owner user:mark:=rwx # www as run by httpd # default_mask:=rwx # default_user:=rwx # default_group:=r # default_other:=r } ###################################################################### directories: # Guestbook management (nexus|cube).Hr05:: home/www/cgi-out owner=www ######################################################################## copy: nexus.Hr05:: /local/iu/etc/README.cgi dest=home/www/cgi-out/README.cgi mode=644 o=www backup=false # Cgi scripts can write freely here without being setuid ######### # # END cf.site # #########