Intergration and Deployment with cfengine

I recently required a larger deployment of OSPatrol-HIDS without too much manual intervention. Almost every OSPatrol-HIDS tutorial I’ve across says this is possible, yet I was unable to find a tutorial demonstrating it. So, in the spirit of open source, I’m contributing a brief overview.

Prerequisites:

In order to facilitate the key request, I chose to generate a file with the relevant information and copy it back to my cfmaster server. I developed the following tutorial to demonstrate a cfengine copy back scenario: Copy Back with cfengine.

Configuring the cfengine clients:

I added a group to my cfagent.conf for my ospatrol server named: hg_ospatrol_server (host group). I then created an ospatrol-hids.cf containing the following:

  • control

My control sections sets up the variables I’ll be using in the rest of the file.

control:
  any::
    ospatrol_key_dir = (/usr/local/cfkeys/ospatrol)
    ospatrol_req_dir = ( $(util_updir)/ospatrol )
  • package

I’m using yum to automatically install OSPatrol-HIDS from my local RPM Repository.

packages:
  !hg_ospatrol_server::
      ospatrol-hids                  action=install
      ospatrol-hids-client           action=install
  • links

The Links section just links ospatrol-agent.conf to ospatrol.conf on the clients.

links:
  !hg_ospatrol_server::
    /var/ospatrol/etc/ospatrol.conf -> /var/ospatrol/etc/ospatrol-agent.conf
  • copy

I manage the ospatrol-agent.conf in cfengine, because my cfengine configurations are all stored in a subversion repository. The first stanza in copy just pushes the most recent copy of the ospatrol-agent.conf file to my network, setting the dynamic class dc_restart_ospatrol if the copy occurs.

copy:
  !hg_ospatrol_server::
      $(distribute)/ospatrol-agent.conf      dest=/var/ospatrol/etc/ospatrol-agent.conf
                                          server=$(policyhost)
                                          mode=640
                                          group=ospatrol
                                          type=sum
                                          define=dc_restart_ospatrol

This second stanza in the copy section copies a file from our ospatrol key directory to the client.keys file on the client. This copy only happens if the two files are different. It also sets dc_restart_ospatrol if the copy occurs.

$(ospatrol_key_dir)/$(host).ospatrol    dest=/var/ospatrol/etc/client.keys
                                  server=$(policyhost)
                                  mode=640
                                  group=ospatrol
                                  type=sum
                                  define=dc_restart_ospatrol
  • processes

My processes block checks to ensure that OSPatrol-HIDS is running the correct daemons.

processes:
  !hg_ospatrol_server::
      "ospatrol-agentd" elsedefine=dc_restart_ospatrol
  ``hg_ospatrol_server``::
      "ospatrol-remoted" elsedefine=dc_restart_ospatrol
  • shellcommands

This section is where the certificate request occurs through some devious mechanisms I designed for no other reason than to amuse myself. Hopefully, it amuses others as well. The first thing it does is issue a command that echo’s the client eth0 ipv4 address to a file named ‘’host.ospatrol’’ in the ospatrol request directory I defined. The hg_ospatrol_server class will use this to generate a cert to place in the aforementioned copy block.

shellcommands:
  !hg_ospatrol_server::
      "/usr/bin/ssh util@$(policyhost) -i $(util_privkey) 'echo $(global.ipv4[eth0]) > $(ospatrol_req_dir)/$(host).ospatrol'"

The last statement checks to see if anyone defined dc_restart_ospatrol, and restart ospatrol-hids if it was defined.

dc_restart_ospatrol::
    "/sbin/service ospatrol-hids restart"

Ok, so who cares?

Well, now, our clients are setup to install, configure, and run OSPatrol-HIDS as well as issuing a request for their certificate. However, the certificate directory on the server is empty and so none of them will actually run. This is a problem.

Configuring the OSPatrol Server w/cfengine

The cfengine part of this was a pain for me because of the order of the actions I had defined and the extent of work I had done incorrectly in the past. I could have figured out an interesting way to handle this, but I didn’t want to scrap my entire cfengine config and start from scratch. So I created a perl script that allowed me to use the manage_agents script without interaction. It does require the Expect.pm & Regexp::Common from CPAN, but is otherwise stock Perl 5.8.x. I also wrote a shell script wrapper to handle running the perl script and culminating the results. I saved these two scripts in /root/security, so if you put them elsewhere, make sure to update the shell script wrapper.

The scripts for managing keys can be downloaded `here < http://db0.us/~brad/cfengine-ospatrol-scripts.tar.gz>`_

The cfengine bit was really simple, it just had to call my wrapper shell script and set the class. I did this with a control block:

control:
 hg_ospatrol_server::
   AddClasses = ( ExecResult(/root/security/ospatrol-scan.sh) )

The combination of the two scripts and this one line in the cfengine configuration handle creating, removing, and exporting the keys, as well as configuring the dc_restart_ospatrol class if there have been changes.