Esempio n. 1
0
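/*
 * Remove every stored key for `host`.
 *
 * The host is resolved to an IP address, the address is mapped to a key
 * digest, the host is dropped from the last-seen DB and the public key is
 * removed under both the address and the digest.
 *
 * Returns 0 when at least one key was removed, 1 when no key was found and
 * 255 when either removal reported an error (-1).
 */
static int RemoveKeys(const char *host)
{
    char ip[CF_BUFSIZE];
    char digest[CF_BUFSIZE];

    /* Nothing here bounds the resolver's result to CF_BUFSIZE, so copy it
       with a size-limited write instead of strcpy(). */
    snprintf(ip, sizeof(ip), "%s", Hostname2IPString(host));
    Address2Hostkey(ip, digest);

    RemoveHostFromLastSeen(digest);

    int removed_by_ip = RemovePublicKey(ip);
    int removed_by_digest = RemovePublicKey(digest);

    /* Messages name the host this call was asked about, not a global. */
    if ((removed_by_ip == -1) || (removed_by_digest == -1))
    {
        CfOut(cf_error, "", "Unable to remove keys for the host %s", host);
        return 255;
    }

    if (removed_by_ip + removed_by_digest == 0)
    {
        CfOut(cf_error, "", "No keys for host %s were found", host);
        return 1;
    }

    CfOut(cf_inform, "", "Removed %d key(s) for host %s",
          removed_by_ip + removed_by_digest, host);
    return 0;
}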
Esempio n. 2
0
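/*
 * Forget `hostname` in the last-seen database.
 *
 * When `hostkey` is NULL the host is resolved to an IP address and the key
 * digest is derived from it; otherwise `hostkey` is taken as the digest.
 * Both the "-" and "+" prefixed entries for the digest are deleted.
 *
 * Returns false only when the last-seen DB cannot be opened; a missing
 * entry is not treated as an error.
 */
bool RemoveHostFromLastSeen(const char *hostname, char *hostkey)
{
    char ip[CF_BUFSIZE];
    char digest[CF_BUFSIZE] = { 0 };

    if (!hostkey)
    {
        /* Bounded copy: the resolver's result is not guaranteed to fit. */
        snprintf(ip, sizeof(ip), "%s", Hostname2IPString(hostname));
        IPString2KeyDigest(ip, digest);
    }
    else
    {
        snprintf(digest, sizeof(digest), "%s", hostkey);
    }

    CF_DB *dbp;
    char key[CF_BUFSIZE];

    if (!OpenDB(&dbp, dbid_lastseen))
    {
        CfOut(cf_error, "", " !! Unable to open last seen DB");
        return false;
    }

    /* Keys are stored with their terminating NUL, hence strlen() + 1. */
    snprintf(key, sizeof(key), "-%s", digest);
    DeleteComplexKeyDB(dbp, key, strlen(key) + 1);
    snprintf(key, sizeof(key), "+%s", digest);
    DeleteComplexKeyDB(dbp, key, strlen(key) + 1);

    CloseDB(dbp);
    return true;
}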
Esempio n. 3
0
/*
 * Remove the stored keys for `host`: resolve it, derive the key digest from
 * the address, drop the host from the last-seen DB and remove the public key
 * under both the address and the digest.
 *
 * Returns 0 when at least one key was removed, 1 when none was found and
 * 255 when the host does not resolve or a removal reported an error.
 */
int RemoveKeys(const char *host)
{
    char ipaddr[CF_MAX_IP_LEN];
    char digest[CF_BUFSIZE];

    /* An unresolvable host is reported and left untouched. */
    if (Hostname2IPString(ipaddr, host, sizeof(ipaddr)) == -1)
    {
        Log(LOG_LEVEL_ERR, 
            "ERROR, could not resolve %s, not removing", host);
        return 255;
    }

    Address2Hostkey(ipaddr, digest);
    RemoveHostFromLastSeen(digest);

    const int by_ip = RemovePublicKey(ipaddr);
    const int by_digest = RemovePublicKey(digest);

    /* -1 from either removal is a failure, not "nothing to remove". */
    if (by_ip == -1 || by_digest == -1)
    {
        Log(LOG_LEVEL_ERR, "Unable to remove keys for the host %s", host);
        return 255;
    }

    const int total = by_ip + by_digest;

    if (total == 0)
    {
        Log(LOG_LEVEL_ERR, "No keys for host %s were found", host);
        return 1;
    }

    Log(LOG_LEVEL_INFO, "Removed %d key(s) for host %s", total, host);
    return 0;
}
Esempio n. 4
0
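/*
 * Hail one remote server named by `host` ("name" optionally with a port,
 * as understood by ParseHostname()) and run the remote agent there.
 *
 * In interactive mode, when no public key for the peer is on file under
 * either its name or its resolved address, the user is asked on the terminal
 * whether to accept a key on trust; the answer is recorded in
 * a.copy.trustkey for NewServerConnection().
 *
 * Returns true when the hail was carried out, false when no server could be
 * connected to or (with HAVE_NOVA) the menu action failed.
 */
static int HailServer(char *host, Attributes a, Promise *pp)
{
    AgentConnection *conn;
    char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], peer[CF_MAXVARSIZE], ipv4[CF_MAXVARSIZE],
        digest[CF_MAXVARSIZE], user[CF_SMALLBUF];
    bool gotkey;
    char reply[8];

    a.copy.portnumber = (short) ParseHostname(host, peer);

    snprintf(ipv4, CF_MAXVARSIZE, "%s", Hostname2IPString(peer));
    Address2Hostkey(ipv4, digest);
    GetCurrentUserName(user, CF_SMALLBUF);

    if (INTERACTIVE)
    {
        CfOut(cf_verbose, "", " -> Using interactive key trust...\n");

        /* A key may be filed under the peer name or under its address. */
        gotkey = HavePublicKey(user, peer, digest) != NULL;

        if (!gotkey)
        {
            gotkey = HavePublicKey(user, ipv4, digest) != NULL;
        }

        if (!gotkey)
        {
            printf("WARNING - You do not have a public key from host %s = %s\n", host, ipv4);
            printf("          Do you want to accept one on trust? (yes/no)\n\n--> ");

            while (true)
            {
                if (fgets(reply, sizeof(reply), stdin) == NULL)
                {
                    FatalError("EOF trying to read answer from terminal");
                }

                /* Bound Chop() by the real size of reply (8 bytes), not by an
                   unrelated constant, so it cannot scan past the buffer. */
                if (Chop(reply, sizeof(reply)) == -1)
                {
                    CfOut(cf_error, "", "Chop was called on a string that seemed to have no terminator");
                }

                if (strcmp(reply, "yes") == 0)
                {
                    printf(" -> Will trust the key...\n");
                    a.copy.trustkey = true;
                    break;
                }
                else if (strcmp(reply, "no") == 0)
                {
                    printf(" -> Will not trust the key...\n");
                    a.copy.trustkey = false;
                    break;
                }
                else
                {
                    printf(" !! Please reply yes or no...(%s)\n", reply);
                }
            }
        }
    }

/* Continue */

#ifdef __MINGW32__

    CfOut(cf_inform, "", "...........................................................................\n");
    CfOut(cf_inform, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, a.copy.portnumber,
          REMOTE_AGENT_OPTIONS);
    CfOut(cf_inform, "", "...........................................................................\n");

#else /* !__MINGW32__ */

    if (BACKGROUND)
    {
        CfOut(cf_inform, "", "Hailing %s : %u, with options \"%s\" (parallel)\n", peer, a.copy.portnumber,
              REMOTE_AGENT_OPTIONS);
    }
    else
    {
        CfOut(cf_inform, "", "...........................................................................\n");
        CfOut(cf_inform, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, a.copy.portnumber,
              REMOTE_AGENT_OPTIONS);
        CfOut(cf_inform, "", "...........................................................................\n");
    }

#endif /* !__MINGW32__ */

    a.copy.servers = SplitStringAsRList(peer, '*');

    if (a.copy.servers == NULL || strcmp(a.copy.servers->item, "localhost") == 0)
    {
        cfPS(cf_inform, CF_NOP, "", pp, a, "No hosts are registered to connect to");
        return false;
    }
    else
    {
        conn = NewServerConnection(a, pp);

        if (conn == NULL)
        {
            DeleteRlist(a.copy.servers);
            CfOut(cf_verbose, "", " -> No suitable server responded to hail\n");
            return false;
        }
    }

/* Check trust interaction*/

    pp->cache = NULL;

    /* NOTE(review): on the success paths below conn is not disconnected here;
       presumably HailExec()/Nova_ExecuteRunagent() take over the connection
       (only the Nova failure path calls DisconnectServer()) — confirm. With
       MENU set but HAVE_NOVA undefined nothing is done with conn at all. */
    if (strlen(MENU) > 0)
    {
#if defined(HAVE_NOVA)
        if (!Nova_ExecuteRunagent(conn, MENU))
        {
            DisconnectServer(conn);
            DeleteRlist(a.copy.servers);
            return false;
        }
#endif
    }
    else
    {
        HailExec(conn, peer, recvbuffer, sendbuffer);
    }

    DeleteRlist(a.copy.servers);

    return true;
}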
Esempio n. 5
0
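/*
 * Hail one remote server named by `host` ("name" optionally with a port,
 * as understood by ParseHostname()) and run the remote agent or the
 * selected MENU action there.
 *
 * In interactive mode, when no public key for the peer is on file under
 * either its name or its resolved address, the user is asked on the terminal
 * whether to accept a key on trust; the answer is recorded in
 * a.copy.trustkey for NewServerConnection().
 *
 * Returns true when the hail was carried out, false when no server could be
 * connected to.
 */
int HailServer(char *host,struct Attributes a,struct Promise *pp)
{
    struct cfagent_connection *conn;
    char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], peer[CF_MAXVARSIZE], ipv4[CF_MAXVARSIZE],
        digest[CF_MAXVARSIZE], user[CF_SMALLBUF];
    bool gotkey;
    char reply[8];
    struct Item *queries;

    a.copy.portnumber = (short)ParseHostname(host,peer);

    snprintf(ipv4,CF_MAXVARSIZE,"%s",Hostname2IPString(peer));
    IPString2KeyDigest(ipv4,digest);
    GetCurrentUserName(user,CF_SMALLBUF);

    if (INTERACTIVE)
    {
        CfOut(cf_verbose,""," -> Using interactive key trust...\n");

        /* A key may be filed under the peer name or under its address;
           compare the pointer result directly instead of casting it to long. */
        gotkey = HavePublicKey(user,peer,digest) != NULL;

        if (!gotkey)
        {
            gotkey = HavePublicKey(user,ipv4,digest) != NULL;
        }

        if (!gotkey)
        {
            printf("WARNING - You do not have a public key from host %s = %s\n",host,ipv4);
            printf("          Do you want to accept one on trust? (yes/no)\n\n--> ");

            while (true)
            {
                /* An unchecked fgets() at EOF would leave reply unchanged and
                   spin here forever printing the prompt below. */
                if (fgets(reply,sizeof(reply),stdin) == NULL)
                {
                    FatalError("EOF trying to read answer from terminal");
                }

                Chop(reply);

                if (strcmp(reply,"yes")==0)
                {
                    printf(" -> Will trust the key...\n");
                    a.copy.trustkey = true;
                    break;
                }
                else if (strcmp(reply,"no")==0)
                {
                    printf(" -> Will not trust the key...\n");
                    a.copy.trustkey = false;
                    break;
                }
                else
                {
                    printf(" !! Please reply yes or no...(%s)\n",reply);
                }
            }
        }
    }

/* Continue */

#ifdef MINGW

    CfOut(cf_inform,"","...........................................................................\n");
    CfOut(cf_inform,""," * Hailing %s : %u, with options \"%s\" (serial)\n",peer,a.copy.portnumber,REMOTE_AGENT_OPTIONS);
    CfOut(cf_inform,"","...........................................................................\n");

#else  /* NOT MINGW */

    if (BACKGROUND)
    {
        CfOut(cf_inform,"","Hailing %s : %u, with options \"%s\" (parallel)\n",peer,a.copy.portnumber,REMOTE_AGENT_OPTIONS);
    }
    else
    {
        CfOut(cf_inform,"","...........................................................................\n");
        CfOut(cf_inform,""," * Hailing %s : %u, with options \"%s\" (serial)\n",peer,a.copy.portnumber,REMOTE_AGENT_OPTIONS);
        CfOut(cf_inform,"","...........................................................................\n");
    }

#endif  /* NOT MINGW */

    a.copy.servers = SplitStringAsRList(peer,'*');

    if (a.copy.servers == NULL || strcmp(a.copy.servers->item,"localhost") == 0)
    {
        cfPS(cf_inform,CF_NOP,"",pp,a,"No hosts are registered to connect to");
        return false;
    }
    else
    {
        conn = NewServerConnection(a,pp);

        if (conn == NULL)
        {
            /* The server list was allocated above and is not reachable by
               the caller, so release it on this early exit too. */
            DeleteRlist(a.copy.servers);
            CfOut(cf_verbose,""," -> No suitable server responded to hail\n");
            return false;
        }
    }

/* Check trust interaction*/

    pp->cache = NULL;

    if (strlen(MENU) > 0)
    {
#ifdef HAVE_NOVA

        enum cfd_menu menu = String2Menu(MENU);

        switch(menu)
        {
        case cfd_menu_delta:
            /* Delta view: only the last ten minutes of knowledge-map data. */
            Nova_QueryForKnowledgeMap(conn,MENU,time(0) - SECONDS_PER_MINUTE * 10);
            break;
        case cfd_menu_full:
            Nova_QueryForKnowledgeMap(conn,MENU,time(0) - SECONDS_PER_WEEK);
            break;

        case cfd_menu_relay:
#ifdef HAVE_CONSTELLATION
            queries = Constellation_CreateAllQueries();
            Constellation_QueryRelay(conn,queries);
            DeleteItemList(queries);
#endif
            break;

        default:
            break;
        }

#endif  /* HAVE_NOVA */
    }
    else
    {
        HailExec(conn,peer,recvbuffer,sendbuffer);
    }

    ServerDisconnection(conn);
    DeleteRlist(a.copy.servers);

    return true;
}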
Esempio n. 6
0
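/*
 * Apply the "server" control body of `policy` to the server's global
 * configuration.
 *
 * The tunables are first reset to their defaults, then every constraint of
 * the control body whose class expression is defined in `ctx` is matched by
 * lval against CFS_CONTROLBODY and its value copied into the corresponding
 * global (SV.* access lists, process limits, ports, bind interface, ...).
 * Finally the common-scope settings (syslog host/port, FIPS mode, last-seen
 * expiry) are read via ScopeControlCommonGet().
 */
static void KeepControlPromises(EvalContext *ctx, Policy *policy, GenericAgentConfig *config)
{
    Rval retval;

    /* Defaults, overridden by whatever the control body sets below. */
    CFD_MAXPROCESSES = 30;
    MAXTRIES = 5;
    DENYBADCLOCKS = true;
    CFRUNCOMMAND[0] = '\0';
    SetChecksumUpdates(true);

/* Keep promised agent behaviour - control bodies */

    Banner("Server control promises..");

    HashControls(ctx, policy, config);

/* Now expand */

    Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_SERVER);
    if (constraints)
    {
        for (size_t i = 0; i < SeqLength(constraints); i++)
        {
            Constraint *cp = SeqAt(constraints, i);

            if (!IsDefinedClass(ctx, cp->classes, NULL))
            {
                continue;
            }

            if (!EvalContextVariableGet(ctx, (VarRef) { NULL, "control_server", cp->lval }, &retval, NULL))
            {
                CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in server control body", cp->lval);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SERVER_FACILITY].lval) == 0)
            {
                SetFacility(retval.item);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_BAD_CLOCKS].lval) == 0)
            {
                DENYBADCLOCKS = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET denybadclocks = %d\n", DENYBADCLOCKS);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ENCRYPTED_TRANSFERS].lval) == 0)
            {
                LOGENCRYPT = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET LOGENCRYPT = %d\n", LOGENCRYPT);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ALL_CONNECTIONS].lval) == 0)
            {
                SV.logconns = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET logconns = %d\n", SV.logconns);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_MAX_CONNECTIONS].lval) == 0)
            {
                CFD_MAXPROCESSES = (int) IntFromString(retval.item);
                /* Retry budget scales with the connection limit. */
                MAXTRIES = CFD_MAXPROCESSES / 3;
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET maxconnections = %d\n", CFD_MAXPROCESSES);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_INTERVAL].lval) == 0)
            {
                /* The policy value is in minutes; the global is in seconds. */
                COLLECT_INTERVAL = (int) (60 * IntFromString(retval.item));
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET call_collect_interval = %d (seconds)\n", COLLECT_INTERVAL);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LISTEN].lval) == 0)
            {
                SERVER_LISTEN = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET server listen = %s \n",
                      (SERVER_LISTEN)? "true":"false");
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_WINDOW].lval) == 0)
            {
                COLLECT_WINDOW = (int) IntFromString(retval.item);
                /* Log the value that was just set, not COLLECT_INTERVAL. */
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET collect_window = %d (seconds)\n", COLLECT_WINDOW);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CF_RUN_COMMAND].lval) == 0)
            {
                /* Bounded, always NUL-terminated copy (strncpy would not
                   terminate a value of CF_BUFSIZE - 1 characters or more). */
                snprintf(CFRUNCOMMAND, CF_BUFSIZE, "%s", (const char *) retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET cfruncommand = %s\n", CFRUNCOMMAND);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_CONNECTS].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing connections from ...\n");

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    if (!IsItemIn(SV.nonattackerlist, rp->item))
                    {
                        AppendItem(&SV.nonattackerlist, rp->item, cp->classes);
                    }
                }

                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_CONNECTS].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Denying connections from ...\n");

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    if (!IsItemIn(SV.attackerlist, rp->item))
                    {
                        AppendItem(&SV.attackerlist, rp->item, cp->classes);
                    }
                }

                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SKIP_VERIFY].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Skip verify connections from ...\n");

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    if (!IsItemIn(SV.skipverify, rp->item))
                    {
                        AppendItem(&SV.skipverify, rp->item, cp->classes);
                    }
                }

                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_ALL_CONNECTS].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing multiple connections from ...\n");

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    if (!IsItemIn(SV.multiconnlist, rp->item))
                    {
                        AppendItem(&SV.multiconnlist, rp->item, cp->classes);
                    }
                }

                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_USERS].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing users ...\n");

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    if (!IsItemIn(SV.allowuserlist, rp->item))
                    {
                        AppendItem(&SV.allowuserlist, rp->item, cp->classes);
                    }
                }

                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_TRUST_KEYS_FROM].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Trust keys from ...\n");

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    if (!IsItemIn(SV.trustkeylist, rp->item))
                    {
                        AppendItem(&SV.trustkeylist, rp->item, cp->classes);
                    }
                }

                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_PORT_NUMBER].lval) == 0)
            {
                /* Log the port in host order, then store it in network order. */
                SHORT_CFENGINEPORT = (short) IntFromString(retval.item);
                /* NOTE(review): assumes STR_CFENGINEPORT holds at least 16
                   bytes and its last byte stays NUL — confirm against its
                   definition. */
                strncpy(STR_CFENGINEPORT, retval.item, 15);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET default portnumber = %u = %s = %s\n", (int) SHORT_CFENGINEPORT, STR_CFENGINEPORT,
                      RvalScalarValue(retval));
                SHORT_CFENGINEPORT = htons((short) IntFromString(retval.item));
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_KEY_TTL].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "Ignoring deprecated option keycacheTTL");
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_BIND_TO_INTERFACE].lval) == 0)
            {
                /* Bounded, always NUL-terminated copy. */
                snprintf(BINDINTERFACE, CF_BUFSIZE, "%s", (const char *) retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET bindtointerface = %s\n", BINDINTERFACE);
                continue;
            }
        }
    }

    if (ScopeControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_HOST, &retval) != DATA_TYPE_NONE)
    {
        SetSyslogHost(Hostname2IPString(retval.item));
    }

    if (ScopeControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_PORT, &retval) != DATA_TYPE_NONE)
    {
        SetSyslogPort(IntFromString(retval.item));
    }

    if (ScopeControlCommonGet(ctx, COMMON_CONTROL_FIPS_MODE, &retval) != DATA_TYPE_NONE)
    {
        FIPS_MODE = BooleanFromString(retval.item);
        CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
    }

    if (ScopeControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER, &retval) != DATA_TYPE_NONE)
    {
        /* Policy value is in minutes; the global is in seconds. */
        LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
    }
}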
Esempio n. 7
0
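/*
 * Apply the "agent" control body of `policy` to the agent's global
 * configuration.
 *
 * Every constraint of the control body that is not excluded by its class
 * expression is matched by lval against CFA_CONTROLBODY and its value copied
 * into the corresponding global.  Settings that belong to control_common are
 * skipped here (they are handled in generic_agent); afterwards a few common
 * settings (last-seen expiry, FIPS mode, syslog host/port) are re-read from
 * control_common.
 */
void KeepControlPromises(Policy *policy)
{
    Rval retval;

    Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_AGENT);
    if (constraints)
    {
        for (size_t i = 0; i < SeqLength(constraints); i++)
        {
            Constraint *cp = SeqAt(constraints, i);

            if (IsExcluded(cp->classes, NULL))
            {
                continue;
            }

            if (GetVariable("control_common", cp->lval, &retval) != DATA_TYPE_NONE)
            {
                /* Already handled in generic_agent */
                continue;
            }

            if (GetVariable("control_agent", cp->lval, &retval) == DATA_TYPE_NONE)
            {
                CfOut(cf_error, "", "Unknown lval %s in agent control body", cp->lval);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_maxconnections].lval) == 0)
            {
                CFA_MAXTHREADS = (int) Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET maxconnections = %d\n", CFA_MAXTHREADS);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_checksum_alert_time].lval) == 0)
            {
                CF_PERSISTENCE = (int) Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET checksum_alert_time = %d\n", CF_PERSISTENCE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_agentfacility].lval) == 0)
            {
                SetFacility(retval.item);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_agentaccess].lval) == 0)
            {
                ACCESSLIST = (Rlist *) retval.item;
                CheckAgentAccess(ACCESSLIST, InputFiles(policy));
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_refresh_processes].lval) == 0)
            {
                /* The list is registered independently of VERBOSE; only the
                   echo of the names is verbose-only. */
                if (VERBOSE)
                {
                    printf("%s> SET refresh_processes when starting: ", VPREFIX);
                }

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    if (VERBOSE)
                    {
                        printf(" %s", (char *) rp->item);
                    }

                    PrependItem(&PROCESSREFRESH, rp->item, NULL);
                }

                if (VERBOSE)
                {
                    printf("\n");
                }

                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_abortclasses].lval) == 0)
            {
                CfOut(cf_verbose, "", "SET Abort classes from ...\n");

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    char name[CF_MAXVARSIZE];

                    /* Bounded, always NUL-terminated copy. */
                    snprintf(name, sizeof(name), "%s", (const char *) rp->item);

                    AddAbortClass(name, cp->classes);
                }

                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_abortbundleclasses].lval) == 0)
            {
                CfOut(cf_verbose, "", "SET Abort bundle classes from ...\n");

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    char name[CF_MAXVARSIZE];

                    snprintf(name, sizeof(name), "%s", (const char *) rp->item);

                    if (!IsItemIn(ABORTBUNDLEHEAP, name))
                    {
                        AppendItem(&ABORTBUNDLEHEAP, name, cp->classes);
                    }
                }

                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_addclasses].lval) == 0)
            {
                CfOut(cf_verbose, "", "-> Add classes ...\n");

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    CfOut(cf_verbose, "", " -> ... %s\n", ScalarValue(rp));
                    NewClass(rp->item, NULL);
                }

                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_auditing].lval) == 0)
            {
                CfOut(cf_verbose, "", "This option does nothing and is retained for compatibility reasons");
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_alwaysvalidate].lval) == 0)
            {
                ALWAYS_VALIDATE = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET alwaysvalidate = %d\n", ALWAYS_VALIDATE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_allclassesreport].lval) == 0)
            {
                ALLCLASSESREPORT = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET allclassesreport = %d\n", ALLCLASSESREPORT);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_secureinput].lval) == 0)
            {
                CFPARANOID = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET secure input = %d\n", CFPARANOID);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_binarypaddingchar].lval) == 0)
            {
                CfOut(cf_verbose, "", "binarypaddingchar is obsolete and does nothing\n");
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_bindtointerface].lval) == 0)
            {
                /* Bounded, always NUL-terminated copy. */
                snprintf(BINDINTERFACE, CF_BUFSIZE, "%s", (const char *) retval.item);
                CfOut(cf_verbose, "", "SET bindtointerface = %s\n", BINDINTERFACE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_hashupdates].lval) == 0)
            {
                bool enabled = GetBoolean(retval.item);

                SetChecksumUpdates(enabled);
                CfOut(cf_verbose, "", "SET ChecksumUpdates %d\n", enabled);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_exclamation].lval) == 0)
            {
                CfOut(cf_verbose, "", "exclamation control is deprecated and does not do anything\n");
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_childlibpath].lval) == 0)
            {
                char output[CF_BUFSIZE];

                snprintf(output, CF_BUFSIZE, "LD_LIBRARY_PATH=%s", (char *) retval.item);
                /* putenv() keeps the string it is given, so it must outlive
                   this stack frame: hand it a heap copy (never freed). */
                if (putenv(xstrdup(output)) == 0)
                {
                    CfOut(cf_verbose, "", "Setting %s\n", output);
                }
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_defaultcopytype].lval) == 0)
            {
                DEFAULT_COPYTYPE = (char *) retval.item;
                CfOut(cf_verbose, "", "SET defaultcopytype = %s\n", DEFAULT_COPYTYPE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_fsinglecopy].lval) == 0)
            {
                SINGLE_COPY_LIST = (Rlist *) retval.item;
                CfOut(cf_verbose, "", "SET file single copy list\n");
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_fautodefine].lval) == 0)
            {
                SetFileAutoDefineList(ListRvalValue(retval));
                CfOut(cf_verbose, "", "SET file auto define list\n");
                continue;
            }

            /* The three flags below are booleans: print them as integers,
               not as characters. */
            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_dryrun].lval) == 0)
            {
                DONTDO = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET dryrun = %d\n", DONTDO);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_inform].lval) == 0)
            {
                INFORM = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET inform = %d\n", INFORM);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_verbose].lval) == 0)
            {
                VERBOSE = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET verbose = %d\n", VERBOSE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_repository].lval) == 0)
            {
                SetRepositoryLocation(retval.item);
                CfOut(cf_verbose, "", "SET repository = %s\n", ScalarRvalValue(retval));
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_skipidentify].lval) == 0)
            {
                bool enabled = GetBoolean(retval.item);

                SetSkipIdentify(enabled);
                CfOut(cf_verbose, "", "SET skipidentify = %d\n", (int) enabled);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_suspiciousnames].lval) == 0)
            {
                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    AddFilenameToListOfSuspicious(ScalarValue(rp));
                    CfOut(cf_verbose, "", "-> Considering %s as suspicious file", ScalarValue(rp));
                }

                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_repchar].lval) == 0)
            {
                char c = *(char *) retval.item;

                SetRepositoryChar(c);
                CfOut(cf_verbose, "", "SET repchar = %c\n", c);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_mountfilesystems].lval) == 0)
            {
                CF_MOUNTALL = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET mountfilesystems = %d\n", CF_MOUNTALL);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_editfilesize].lval) == 0)
            {
                EDITFILESIZE = Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET EDITFILESIZE = %d\n", EDITFILESIZE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_ifelapsed].lval) == 0)
            {
                VIFELAPSED = Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET ifelapsed = %d\n", VIFELAPSED);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_expireafter].lval) == 0)
            {
                VEXPIREAFTER = Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET expireafter = %d\n", VEXPIREAFTER);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_timeout].lval) == 0)
            {
                CONNTIMEOUT = Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET timeout = %jd\n", (intmax_t) CONNTIMEOUT);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_max_children].lval) == 0)
            {
                CFA_BACKGROUND_LIMIT = Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET MAX_CHILDREN = %d\n", CFA_BACKGROUND_LIMIT);
                /* Values above 10 are rejected and clamped to a single child. */
                if (CFA_BACKGROUND_LIMIT > 10)
                {
                    CfOut(cf_error, "", "Silly value for max_children in agent control promise (%d > 10)",
                          CFA_BACKGROUND_LIMIT);
                    CFA_BACKGROUND_LIMIT = 1;
                }
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_syslog].lval) == 0)
            {
                CfOut(cf_verbose, "", "SET syslog = %d\n", GetBoolean(retval.item));
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_environment].lval) == 0)
            {
                CfOut(cf_verbose, "", "SET environment variables from ...\n");

                for (Rlist *rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    /* putenv() retains the pointer; give it a private copy so
                       the environment does not alias the policy's own buffer. */
                    if (putenv(xstrdup(rp->item)) != 0)
                    {
                        CfOut(cf_error, "putenv", "Failed to set environment variable %s", ScalarValue(rp));
                    }
                }

                continue;
            }
        }
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval) != DATA_TYPE_NONE)
    {
        /* Policy value is in minutes; the global is in seconds. */
        LASTSEENEXPIREAFTER = Str2Int(retval.item) * 60;
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_fips_mode].lval, &retval) != DATA_TYPE_NONE)
    {
        FIPS_MODE = GetBoolean(retval.item);
        CfOut(cf_verbose, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_port].lval, &retval) != DATA_TYPE_NONE)
    {
        SetSyslogPort(Str2Int(retval.item));
        CfOut(cf_verbose, "", "SET syslog_port to %s", ScalarRvalValue(retval));
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_host].lval, &retval) != DATA_TYPE_NONE)
    {
        /* Resolve once and use the same result for the setting and the log. */
        const char *syslog_ip = Hostname2IPString(retval.item);

        SetSyslogHost(syslog_ip);
        CfOut(cf_verbose, "", "SET syslog_host to %s", syslog_ip);
    }

#ifdef HAVE_NOVA
    Nova_Initialize();
#endif
}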
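/*
 * CheckOpts: parse cf-agent's command line into a fresh GenericAgentConfig
 * and the process-wide option globals it drives (MINUSF, DEBUG, BOOTSTRAP,
 * IGNORELOCK, INFORM, VERBOSE, DONTDO, SHOWREPORTS, POLICY_SERVER,
 * CBUNDLESEQUENCE_STR) plus the hard classes opt_debug / bootstrap_mode /
 * opt_dry_run.
 *
 * Returns the new config; the caller owns it. -V, -h, -M and -x print and
 * exit(0); an unknown option prints the syntax and exit(1); a bad -f or -s
 * value, or a stray argument with no option, ends the process via FatalError.
 */
static GenericAgentConfig *CheckOpts(int argc, char **argv)
{
    extern char *optarg;
    int optindex = 0;
    int c, alpha = false, v6 = false;
    GenericAgentConfig *config = GenericAgentConfigNewDefault(AGENT_TYPE_AGENT);

/* Because of the MacOS linker we have to call this from each agent
   individually before Generic Initialize */

    POLICY_SERVER[0] = '\0';

    /* getopt_long() is documented to return -1, not EOF, at the end of argv. */
    while ((c = getopt_long(argc, argv, "rdvnKIf:D:N:Vs:x:MBb:h", OPTIONS, &optindex)) != -1)
    {
        switch ((char) c)
        {
        case 'f':
            /* Shorter than "x.cf" cannot be a usable policy file name. */
            if (optarg && strlen(optarg) < 5)
            {
                FatalError(" -f used but argument \"%s\" incorrect", optarg);
            }

            GenericAgentConfigSetInputFile(config, optarg);
            MINUSF = true;
            break;

        case 'b':
            if (optarg)
            {
                config->bundlesequence = SplitStringAsRList(optarg, ',');
                CBUNDLESEQUENCE_STR = optarg;
            }
            break;

        case 'd':
            HardClass("opt_debug");
            DEBUG = true;
            break;

        case 'B':
            /* Bootstrap implies a fixed input file and no lock checking. */
            BOOTSTRAP = true;
            MINUSF = true;
            GenericAgentConfigSetInputFile(config, "promises.cf");
            IGNORELOCK = true;
            HardClass("bootstrap_mode");
            break;

        case 's':
            if (IsLoopbackAddress(optarg))
            {
                FatalError("Use a non-loopback address when bootstrapping");
            }

            /* Bring the network stack up just long enough for the lookup. */
            OpenNetwork();

            /* NOTE(review): strncpy() does not terminate a string that fills
             * the whole count, so this relies on POLICY_SERVER being
             * CF_BUFSIZE bytes with a zero final byte -- confirm against its
             * definition. */
            strncpy(POLICY_SERVER, Hostname2IPString(optarg), CF_BUFSIZE - 1);

            CloseNetwork();

            /* Reject what still looks like an unresolved host name: letters,
             * or punctuation other than '.' and ':'. IPv6 literals contain
             * hex letters, so a ':' anywhere disarms the check. */
            for (const char *sp = POLICY_SERVER; *sp != '\0'; sp++)
            {
                /* <ctype.h> requires an unsigned char value; a negative plain
                 * char (possible for non-ASCII bytes) would be undefined. */
                const unsigned char ch = (unsigned char) *sp;

                if (isalpha(ch) || (ispunct(ch) && ch != ':' && ch != '.'))
                {
                    alpha = true;
                }

                if (ch == ':')
                {
                    v6 = true;
                }
            }

            if (alpha && !v6)
            {
                FatalError
                    ("Error specifying policy server. The policy server's IP address could not be looked up. Please use the IP address instead if there is no error.");
            }

            break;

        case 'K':
            IGNORELOCK = true;
            break;

        case 'D':
            NewClassesFromString(optarg);
            break;

        case 'N':
            NegateClassesFromString(optarg);
            break;

        case 'I':
            INFORM = true;
            break;

        case 'v':
            VERBOSE = true;
            break;

        case 'n':
            /* Dry run: never act, and never wait for a lock either. */
            DONTDO = true;
            IGNORELOCK = true;
            HardClass("opt_dry_run");
            break;

        case 'V':
            PrintVersionBanner("cf-agent");
            exit(0);

        case 'h':
            Syntax("cf-agent - cfengine's change agent", OPTIONS, HINTS, ID);
            exit(0);

        case 'M':
            ManPage("cf-agent - cfengine's change agent", OPTIONS, HINTS, ID);
            exit(0);

        case 'x':
            CfOut(cf_error, "", "Self-diagnostic functionality is retired");
            exit(0);

        case 'r':
            SHOWREPORTS = true;
            break;

        default:
            Syntax("cf-agent - cfengine's change agent", OPTIONS, HINTS, ID);
            exit(1);
        }
    }

    /* Anything left after option parsing is a mistake, not a positional arg. */
    if (argv[optind] != NULL)
    {
        CfOut(cf_error, "", "Unexpected argument with no preceding option: %s\n", argv[optind]);
        FatalError("Aborted");
    }

    CfDebug("Set debugging\n");

    return config;
}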
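/*
 * HailServer: contact the cf-serverd given as "host[:port]" and run the
 * remote agent there through HailExec(). When INTERACTIVE is set and no
 * public key is filed for the peer (under the typed name or the resolved
 * address), the operator is asked on the terminal whether to accept one on
 * trust; the answer is carried to the connection in fc.trustkey.
 *
 * Returns true once the EXEC request has been sent, false when no usable
 * server is named or none answers. EOF on the terminal during the prompt
 * ends the process through FatalError().
 */
static int HailServer(EvalContext *ctx, char *host)
{
    AgentConnection *conn;
    char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], peer[CF_MAXVARSIZE], ipv4[CF_MAXVARSIZE],
        digest[CF_MAXVARSIZE], user[CF_SMALLBUF];
    bool gotkey;
    char reply[8];

    FileCopy fc = {
        .portnumber = (short) ParseHostname(host, peer),
    };

    snprintf(ipv4, CF_MAXVARSIZE, "%s", Hostname2IPString(peer));
    Address2Hostkey(ipv4, digest);
    GetCurrentUserName(user, CF_SMALLBUF);

    if (INTERACTIVE)
    {
        CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> Using interactive key trust...\n");

        /* The key may be filed under the typed name or the resolved address. */
        gotkey = HavePublicKey(user, peer, digest) != NULL;

        if (!gotkey)
        {
            gotkey = HavePublicKey(user, ipv4, digest) != NULL;
        }

        if (!gotkey)
        {
            printf("WARNING - You do not have a public key from host %s = %s\n", host, ipv4);
            printf("          Do you want to accept one on trust? (yes/no)\n\n--> ");
            fflush(stdout);     /* the prompt ends without a newline */

            /* Only an exact "yes" or "no" leaves the loop. A longer line is
             * read in 7-byte pieces, each rejected in turn. */
            while (true)
            {
                if (fgets(reply, sizeof(reply), stdin) == NULL)
                {
                    FatalError(ctx, "EOF trying to read answer from terminal");
                }

                /* NOTE(review): CF_EXPANDSIZE is far larger than reply[];
                 * this is only safe if Chop() stops at the first NUL -- confirm. */
                if (Chop(reply, CF_EXPANDSIZE) == -1)
                {
                    CfOut(OUTPUT_LEVEL_ERROR, "", "Chop was called on a string that seemed to have no terminator");
                }

                if (strcmp(reply, "yes") == 0)
                {
                    printf(" -> Will trust the key...\n");
                    fc.trustkey = true;
                    break;
                }
                else if (strcmp(reply, "no") == 0)
                {
                    printf(" -> Will not trust the key...\n");
                    fc.trustkey = false;
                    break;
                }
                else
                {
                    printf(" !! Please reply yes or no...(%s)\n", reply);
                }
            }
        }
    }

/* Continue */

#ifdef __MINGW32__

    CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
    CfOut(OUTPUT_LEVEL_INFORM, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, fc.portnumber,
          REMOTE_AGENT_OPTIONS);
    CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");

#else /* !__MINGW32__ */

    if (BACKGROUND)
    {
        CfOut(OUTPUT_LEVEL_INFORM, "", "Hailing %s : %u, with options \"%s\" (parallel)\n", peer, fc.portnumber,
              REMOTE_AGENT_OPTIONS);
    }
    else
    {
        CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
        CfOut(OUTPUT_LEVEL_INFORM, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, fc.portnumber,
              REMOTE_AGENT_OPTIONS);
        CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
    }

#endif /* !__MINGW32__ */

    fc.servers = RlistFromSplitString(peer, '*');

    if (fc.servers == NULL)
    {
        CfOut(OUTPUT_LEVEL_INFORM, "", "No hosts are registered to connect to");
        return false;
    }

    if (strcmp(fc.servers->item, "localhost") == 0)
    {
        /* Same outcome as the NULL case, but here there is a list to release. */
        RlistDestroy(fc.servers);
        CfOut(OUTPUT_LEVEL_INFORM, "", "No hosts are registered to connect to");
        return false;
    }

    int err = 0;
    conn = NewServerConnection(fc, false, &err);

    if (conn == NULL)
    {
        RlistDestroy(fc.servers);
        CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> No suitable server responded to hail\n");
        return false;
    }

/* Check trust interaction*/

    HailExec(conn, peer, recvbuffer, sendbuffer);

    /* NOTE(review): conn is not released here; confirm HailExec() closes and
     * frees it, otherwise every hail leaks a connection. */
    RlistDestroy(fc.servers);

    return true;
}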

/********************************************************************/
/* Level 2                                                          */
/********************************************************************/

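/*
 * KeepControlPromises: apply "body runagent control" and the lastseen expiry
 * from "body common control" to the process-wide globals (RUNATTR.copy,
 * BACKGROUND, MAXCHILD, OUTPUT_TO_FILE, OUTPUT_DIRECTORY, HOSTLIST,
 * LASTSEENEXPIREAFTER). Defaults for RUNATTR.copy are installed first so
 * every field has a value even when the policy sets nothing. Command-line
 * settings win: -b/-i override background_children and an existing HOSTLIST
 * overrides 'hosts'. Unknown lvals are logged and skipped.
 */
static void KeepControlPromises(EvalContext *ctx, Policy *policy)
{
    Rval retval;

    /* Defaults; the control body below may override each of them. */
    RUNATTR.copy.trustkey = false;
    RUNATTR.copy.encrypt = true;
    RUNATTR.copy.force_ipv4 = false;
    RUNATTR.copy.portnumber = SHORT_CFENGINEPORT;

/* Keep promised agent behaviour - control bodies */

    Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
    if (constraints)
    {
        for (size_t i = 0; i < SeqLength(constraints); i++)
        {
            Constraint *cp = SeqAt(constraints, i);

            if (!IsDefinedClass(ctx, cp->classes, NULL))
            {
                continue;
            }

            if (!EvalContextVariableGet(ctx, (VarRef) { NULL, "control_runagent", cp->lval }, &retval, NULL))
            {
                CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in runagent control body", cp->lval);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
            {
                RUNATTR.copy.force_ipv4 = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET force_ipv4 = %d\n", RUNATTR.copy.force_ipv4);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
            {
                RUNATTR.copy.trustkey = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET trustkey = %d\n", RUNATTR.copy.trustkey);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
            {
                RUNATTR.copy.encrypt = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET encrypt = %d\n", RUNATTR.copy.encrypt);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
            {
                /* NOTE(review): the field is a short, so a port above 32767
                 * wraps negative here -- confirm whether the policy syntax
                 * already bounds port_number. */
                RUNATTR.copy.portnumber = (short) IntFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET default portnumber = %u\n", (int) RUNATTR.copy.portnumber);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
            {
                /*
                 * Only process this option if there is no -b or -i option
                 * specified on the command line.
                 */
                if (BACKGROUND || INTERACTIVE)
                {
                    CfOut(OUTPUT_LEVEL_ERROR, "",
                          "Warning: 'background_children' setting from 'body runagent control' is overriden by command-line option.");
                }
                else
                {
                    BACKGROUND = BooleanFromString(retval.item);
                }
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
            {
                MAXCHILD = (short) IntFromString(retval.item);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
            {
                OUTPUT_TO_FILE = BooleanFromString(retval.item);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
            {
                /* Relative paths are silently ignored. snprintf() always
                 * terminates, which strncpy(..., CF_BUFSIZE - 1) did not
                 * guarantee for a value of CF_BUFSIZE - 1 bytes or longer. */
                if (IsAbsPath(retval.item))
                {
                    snprintf(OUTPUT_DIRECTORY, CF_BUFSIZE, "%s", (const char *) retval.item);
                    CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET output direcory to = %s\n", OUTPUT_DIRECTORY);
                }
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
            {
                RUNATTR.copy.timeout = (short) IntFromString(retval.item);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
            {
                /* Aliases the policy-owned list rather than copying it;
                 * presumably the policy outlives this agent run -- verify. */
                if (HOSTLIST == NULL)       // Don't override if command line setting
                {
                    HOSTLIST = retval.item;
                }

                continue;
            }
        }
    }

    /* Policy value is in minutes; the global is kept in seconds. */
    if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER, &retval))
    {
        LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
    }

}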
/*
 * HailServer: hail a single "host[:port]" entry. The name is resolved, the
 * operator is optionally asked (INTERACTIVE) whether an unknown server key
 * may be accepted on trust, the connection is opened with the configured
 * protocol version, and the EXEC request is sent through HailExec().
 *
 * Returns true once the request has been handed to HailExec(); false when no
 * remote host was named, the name does not resolve, or the connection fails.
 * EOF on the terminal during the trust prompt is fatal.
 */
static int HailServer(const EvalContext *ctx, const GenericAgentConfig *config,
                      char *host)
{
    assert(host != NULL);

    char send_buf[CF_BUFSIZE], recv_buf[CF_BUFSIZE];
    char key_digest[CF_HOSTKEY_STRING_SIZE], username[CF_SMALLBUF];
    char answer[8];
    bool accept_on_trust = false;

    char *peer_name, *peer_port;
    ParseHostPort(host, &peer_name, &peer_port);

    if (peer_name == NULL || strcmp(peer_name, "localhost") == 0)
    {
        Log(LOG_LEVEL_INFO, "No remote hosts were specified to connect to");
        return false;
    }
    if (peer_port == NULL)
    {
        peer_port = "5308";     /* default cf-serverd port */
    }

    char peer_addr[CF_MAX_IP_LEN];
    if (Hostname2IPString(peer_addr, peer_name, sizeof(peer_addr)) == -1)
    {
        Log(LOG_LEVEL_ERR,
            "HailServer: ERROR, could not resolve '%s'", peer_name);
        return false;
    }

    Address2Hostkey(key_digest, sizeof(key_digest), peer_addr);
    GetCurrentUserName(username, CF_SMALLBUF);

    if (INTERACTIVE)
    {
        Log(LOG_LEVEL_VERBOSE, "Using interactive key trust...");

        const bool key_on_file = (HavePublicKey(username, peer_addr, key_digest) != NULL);
        if (!key_on_file)
        {
            /* TODO print the hash of the connecting host. But to do that we
             * should open the connection first, and somehow pass that hash
             * here! redmine#7212 */
            printf("WARNING - You do not have a public key from host %s = %s\n",
                   peer_name, peer_addr);
            printf("          Do you want to accept one on trust? (yes/no)\n\n--> ");

            /* Keep asking until the operator types exactly "yes" or "no". */
            bool answered = false;
            do
            {
                if (fgets(answer, sizeof(answer), stdin) == NULL)
                {
                    FatalError(ctx, "EOF trying to read answer from terminal");
                }

                if (Chop(answer, CF_EXPANDSIZE) == -1)
                {
                    Log(LOG_LEVEL_ERR, "Chop was called on a string that seemed to have no terminator");
                }

                if (strcmp(answer, "yes") == 0)
                {
                    printf("Will trust the key...\n");
                    accept_on_trust = true;
                    answered = true;
                }
                else if (strcmp(answer, "no") == 0)
                {
                    printf("Will not trust the key...\n");
                    accept_on_trust = false;
                    answered = true;
                }
                else
                {
                    printf("Please reply yes or no...(%s)\n", answer);
                }
            } while (!answered);
        }
    }


#ifndef __MINGW32__
    if (BACKGROUND)
    {
        Log(LOG_LEVEL_INFO, "Hailing %s : %s (in the background)",
            peer_name, peer_port);
    }
    else
#endif
    {
        Log(LOG_LEVEL_INFO,
            "........................................................................");
        Log(LOG_LEVEL_INFO, "Hailing %s : %s",
            peer_name, peer_port);
        Log(LOG_LEVEL_INFO,
            "........................................................................");
    }

    /* The trust decision above is what lets ServerConnection() accept an
     * unknown server key. */
    ConnectionFlags flags = {
        .protocol_version = config->protocol_version,
        .trust_server = accept_on_trust
    };
    int conn_err = 0;
    AgentConnection *conn = ServerConnection(peer_name, peer_port, CONNTIMEOUT, flags, &conn_err);

    if (conn == NULL)
    {
        Log(LOG_LEVEL_ERR, "Failed to connect to host: %s", peer_name);
        return false;
    }

    /* Send EXEC command. */
    HailExec(conn, peer_name, recv_buf, send_buf);

    return true;
}

/********************************************************************/
/* Level 2                                                          */
/********************************************************************/

/*
 * KeepControlPromises: pull "body runagent control" (and the lastseen expiry
 * from the common control body) into the process-wide globals BACKGROUND,
 * MAXCHILD, OUTPUT_TO_FILE, OUTPUT_DIRECTORY, HOSTLIST and
 * LASTSEENEXPIREAFTER. Several legacy lvals (force_ipv4, trustkey, encrypt,
 * port_number, timeout) are still accepted from the policy but have no effect
 * here. Command-line choices take precedence: -b/-i over background_children
 * and an already-set HOSTLIST over 'hosts'. Unknown lvals are logged.
 */
static void KeepControlPromises(EvalContext *ctx, const Policy *policy)
{
    Seq *body = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
    if (body)
    {
        for (size_t idx = 0; idx < SeqLength(body); idx++)
        {
            Constraint *constraint = SeqAt(body, idx);
            const char *lval = constraint->lval;

            if (!IsDefinedClass(ctx, constraint->classes))
            {
                continue;
            }

            VarRef *ref = VarRefParseFromScope(lval, "control_runagent");
            const void *value = EvalContextVariableGet(ctx, ref, NULL);
            VarRefDestroy(ref);

            if (value == NULL)
            {
                Log(LOG_LEVEL_ERR, "Unknown lval '%s' in runagent control body", lval);
            }
            else if (strcmp(lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0
                     || strcmp(lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0
                     || strcmp(lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0
                     || strcmp(lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0
                     || strcmp(lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
            {
                /* Accepted for backwards compatibility; no effect here. */
            }
            else if (strcmp(lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
            {
                /* -b or -i on the command line wins over the policy. */
                if (BACKGROUND || INTERACTIVE)
                {
                    Log(LOG_LEVEL_WARNING,
                        "'background_children' setting from 'body runagent control' is overridden by command-line option.");
                }
                else
                {
                    BACKGROUND = BooleanFromString(value);
                }
            }
            else if (strcmp(lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
            {
                MAXCHILD = (short) IntFromString(value);
            }
            else if (strcmp(lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
            {
                OUTPUT_TO_FILE = BooleanFromString(value);
            }
            else if (strcmp(lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
            {
                /* Relative paths are silently ignored. */
                if (IsAbsPath(value))
                {
                    strlcpy(OUTPUT_DIRECTORY, value, CF_BUFSIZE);
                    Log(LOG_LEVEL_VERBOSE, "Setting output direcory to '%s'", OUTPUT_DIRECTORY);
                }
            }
            else if (strcmp(lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
            {
                if (HOSTLIST == NULL)       // Don't override if command line setting
                {
                    HOSTLIST = value;
                }
            }
        }
    }

    /* Policy value is in minutes; the global is kept in seconds. */
    const char *expire_after = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
    if (expire_after)
    {
        LASTSEENEXPIREAFTER = IntFromString(expire_after) * 60;
    }

}
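/*
 * HailServer: contact the cf-serverd given as "host[:port]" and run the
 * remote agent there through HailExec(). When INTERACTIVE is set and no
 * public key is filed for the peer (under the typed name or the resolved
 * address), the operator is asked on the terminal whether to accept one on
 * trust; the answer is carried to the connection in fc.trustkey.
 *
 * Returns true once the EXEC request has been sent, false when the name does
 * not resolve, no usable server is named, or none answers. EOF on the
 * terminal during the prompt ends the process through FatalError().
 */
static int HailServer(EvalContext *ctx, char *host)
{
    AgentConnection *conn;
    char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], peer[CF_MAXVARSIZE],
        digest[CF_MAXVARSIZE], user[CF_SMALLBUF];
    bool gotkey;
    char reply[8];

    FileCopy fc = {
        .portnumber = (unsigned short) ParseHostname(host, peer),
    };

    char ipaddr[CF_MAX_IP_LEN];
    if (Hostname2IPString(ipaddr, peer, sizeof(ipaddr)) == -1)
    {
        Log(LOG_LEVEL_ERR,
            "HailServer: ERROR, could not resolve '%s'", peer);
        return false;
    }

    Address2Hostkey(ipaddr, digest);
    GetCurrentUserName(user, CF_SMALLBUF);

    if (INTERACTIVE)
    {
        Log(LOG_LEVEL_VERBOSE, "Using interactive key trust...");

        /* The key may be filed under the typed name or the resolved address. */
        gotkey = HavePublicKey(user, peer, digest) != NULL;

        if (!gotkey)
        {
            gotkey = HavePublicKey(user, ipaddr, digest) != NULL;
        }

        if (!gotkey)
        {
            printf("WARNING - You do not have a public key from host %s = %s\n",
                   host, ipaddr);
            printf("          Do you want to accept one on trust? (yes/no)\n\n--> ");
            fflush(stdout);     /* the prompt ends without a newline */

            /* Only an exact "yes" or "no" leaves the loop. A longer line is
             * read in 7-byte pieces, each rejected in turn. */
            while (true)
            {
                if (fgets(reply, sizeof(reply), stdin) == NULL)
                {
                    FatalError(ctx, "EOF trying to read answer from terminal");
                }

                /* NOTE(review): CF_EXPANDSIZE is far larger than reply[];
                 * this is only safe if Chop() stops at the first NUL -- confirm. */
                if (Chop(reply, CF_EXPANDSIZE) == -1)
                {
                    Log(LOG_LEVEL_ERR, "Chop was called on a string that seemed to have no terminator");
                }

                if (strcmp(reply, "yes") == 0)
                {
                    printf("Will trust the key...\n");
                    fc.trustkey = true;
                    break;
                }
                else if (strcmp(reply, "no") == 0)
                {
                    printf("Will not trust the key...\n");
                    fc.trustkey = false;
                    break;
                }
                else
                {
                    printf("Please reply yes or no...(%s)\n", reply);
                }
            }
        }
    }

/* Continue */

#ifdef __MINGW32__

    if (LEGACY_OUTPUT)
    {
        Log(LOG_LEVEL_INFO, "...........................................................................");
        Log(LOG_LEVEL_INFO, " * Hailing %s : %u, with options \"%s\" (serial)", peer, fc.portnumber,
              REMOTE_AGENT_OPTIONS);
        Log(LOG_LEVEL_INFO, "...........................................................................");
    }
    else
    {
        Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (serial)", peer, fc.portnumber,
            REMOTE_AGENT_OPTIONS);
    }


#else /* !__MINGW32__ */

    if (BACKGROUND)
    {
        Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (parallel)", peer, fc.portnumber,
              REMOTE_AGENT_OPTIONS);
    }
    else
    {
        if (LEGACY_OUTPUT)
        {
            Log(LOG_LEVEL_INFO, "...........................................................................");
            Log(LOG_LEVEL_INFO, " * Hailing %s : %u, with options \"%s\" (serial)", peer, fc.portnumber,
                  REMOTE_AGENT_OPTIONS);
            Log(LOG_LEVEL_INFO, "...........................................................................");
        }
        else
        {
            Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (serial)", peer, fc.portnumber,
                  REMOTE_AGENT_OPTIONS);
        }
    }

#endif /* !__MINGW32__ */

    fc.servers = RlistFromSplitString(peer, '*');

    if (fc.servers == NULL)
    {
        Log(LOG_LEVEL_INFO, "No hosts are registered to connect to");
        return false;
    }

    if (strcmp(RlistScalarValue(fc.servers), "localhost") == 0)
    {
        /* Same outcome as the NULL case, but here there is a list to release. */
        RlistDestroy(fc.servers);
        Log(LOG_LEVEL_INFO, "No hosts are registered to connect to");
        return false;
    }

    int err = 0;
    conn = NewServerConnection(fc, false, &err, -1);

    if (conn == NULL)
    {
        RlistDestroy(fc.servers);
        Log(LOG_LEVEL_VERBOSE, "No suitable server responded to hail");
        return false;
    }

/* Check trust interaction*/

    HailExec(conn, peer, recvbuffer, sendbuffer);

    /* NOTE(review): conn is not released here; confirm HailExec() closes and
     * frees it, otherwise every hail leaks a connection. */
    RlistDestroy(fc.servers);

    return true;
}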

/********************************************************************/
/* Level 2                                                          */
/********************************************************************/

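/*
 * KeepControlPromises: pull "body runagent control" (and the lastseen expiry
 * from the common control body) into the process-wide globals BACKGROUND,
 * MAXCHILD, OUTPUT_TO_FILE, OUTPUT_DIRECTORY, HOSTLIST and
 * LASTSEENEXPIREAFTER. Several legacy lvals (force_ipv4, trustkey, encrypt,
 * port_number, timeout) are still accepted from the policy but have no effect
 * here. Command-line choices take precedence: -b/-i over background_children
 * and an already-set HOSTLIST over 'hosts'. Unknown lvals are logged.
 */
static void KeepControlPromises(EvalContext *ctx, const Policy *policy)
{
    Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
    if (constraints)
    {
        for (size_t i = 0; i < SeqLength(constraints); i++)
        {
            Constraint *cp = SeqAt(constraints, i);

            if (!IsDefinedClass(ctx, cp->classes))
            {
                continue;
            }

            VarRef *ref = VarRefParseFromScope(cp->lval, "control_runagent");
            const void *value = EvalContextVariableGet(ctx, ref, NULL);
            VarRefDestroy(ref);

            if (!value)
            {
                Log(LOG_LEVEL_ERR, "Unknown lval '%s' in runagent control body", cp->lval);
                continue;
            }

            /* The next four are accepted for backwards compatibility only. */
            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
            {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
            {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
            {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
            {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
            {
                /*
                 * Only process this option if there is no -b or -i option
                 * specified on the command line.
                 */
                if (BACKGROUND || INTERACTIVE)
                {
                    Log(LOG_LEVEL_WARNING,
                          "'background_children' setting from 'body runagent control' is overridden by command-line option.");
                }
                else
                {
                    BACKGROUND = BooleanFromString(value);
                }
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
            {
                MAXCHILD = (short) IntFromString(value);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
            {
                OUTPUT_TO_FILE = BooleanFromString(value);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
            {
                /* Relative paths are silently ignored. snprintf() always
                 * terminates, which strncpy(..., CF_BUFSIZE - 1) did not
                 * guarantee for a value of CF_BUFSIZE - 1 bytes or longer. */
                if (IsAbsPath(value))
                {
                    snprintf(OUTPUT_DIRECTORY, CF_BUFSIZE, "%s", (const char *) value);
                    Log(LOG_LEVEL_VERBOSE, "Setting output direcory to '%s'", OUTPUT_DIRECTORY);
                }
                continue;
            }

            /* Accepted for backwards compatibility only. */
            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
            {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
            {
                /* Aliases the policy-owned value rather than copying it;
                 * presumably the policy outlives this agent run -- verify. */
                if (HOSTLIST == NULL)       // Don't override if command line setting
                {
                    HOSTLIST = value;
                }

                continue;
            }
        }
    }

    /* Policy value is in minutes; the global is kept in seconds. */
    const char *expire_after = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
    if (expire_after)
    {
        LASTSEENEXPIREAFTER = IntFromString(expire_after) * 60;
    }

}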
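/*
 * LastSeen: record that we just talked to `hostname` in the last-seen
 * database and in that host's own entropy record, keeping a running average
 * (expect) and variance (var) of the interval between contacts. An entry
 * older than LastSeenExpireAfter (days; CF_WEEK when unset or negative) is
 * deleted instead of refreshed.
 *
 * role selects the key prefix: cf_accept ("-") for a connection we accepted,
 * cf_connect ("+") for one we made. Any other role is logged and ignored.
 * Failures to create or open either database are logged and nothing is
 * recorded; every handle that was created is closed on every path.
 */
void LastSeen(char *hostname,enum roles role)

{ DB *dbp = NULL,*dbpent = NULL;
  DB_ENV *dbenv = NULL, *dbenv2 = NULL;
  char name[CF_BUFSIZE],databuf[CF_BUFSIZE];
  char *expire;
  time_t now = time(NULL);
  struct QPoint q,newq;
  double lastseen = 0.0,delta2;
  int lsea = -1;
  int known_role = 1;

if (strlen(hostname) == 0)
   {
   snprintf(OUTPUT,CF_BUFSIZE,"LastSeen registry for empty hostname with role %d",role);
   CfLog(cflogonly,OUTPUT,"");
   return;
   }

Debug("LastSeen(%s) reg\n",hostname);

/* Tidy old versions - temporary */
snprintf(name,CF_BUFSIZE-1,"%s/%s",CFWORKDIR,CF_OLDLASTDB_FILE);
unlink(name);

/* Build the real path first so every error message below names it.
   NOTE(review): these messages use CF_BUFSIZE*2 while the first one above
   uses CF_BUFSIZE; both must agree with OUTPUT's declared size -- confirm. */
snprintf(name,CF_BUFSIZE-1,"%s/%s",CFWORKDIR,CF_LASTDB_FILE);

if ((errno = db_create(&dbp,dbenv,0)) != 0)
   {
   snprintf(OUTPUT,CF_BUFSIZE*2,"Couldn't init last-seen database %s\n",name);
   CfLog(cferror,OUTPUT,"db_open");
   return;
   }

#ifdef CF_OLD_DB
if ((errno = (dbp->open)(dbp,name,NULL,DB_BTREE,DB_CREATE,0644)) != 0)
#else
if ((errno = (dbp->open)(dbp,NULL,name,NULL,DB_BTREE,DB_CREATE,0644)) != 0)
#endif
   {
   snprintf(OUTPUT,CF_BUFSIZE*2,"Couldn't open last-seen database %s\n",name);
   CfLog(cferror,OUTPUT,"db_open");
   goto close_main;   /* a handle whose open failed must still be closed */
   }

/* Now open special file for peer entropy record - INRIA intermittency.
   NOTE(review): the file name embeds hostname verbatim; if hostname can come
   from an untrusted peer (e.g. reverse DNS), a value containing '/' or ".."
   would place the file outside CFWORKDIR -- confirm where callers get it and
   sanitise if needed. */
snprintf(name,CF_BUFSIZE-1,"%s/%s.%s",CFWORKDIR,CF_LASTDB_FILE,hostname);

if ((errno = db_create(&dbpent,dbenv2,0)) != 0)
   {
   snprintf(OUTPUT,CF_BUFSIZE*2,"Couldn't init last-seen database %s\n",name);
   CfLog(cferror,OUTPUT,"db_open");
   goto close_main;
   }

#ifdef CF_OLD_DB
if ((errno = (dbpent->open)(dbpent,name,NULL,DB_BTREE,DB_CREATE,0644)) != 0)
#else
if ((errno = (dbpent->open)(dbpent,NULL,name,NULL,DB_BTREE,DB_CREATE,0644)) != 0)
#endif
   {
   snprintf(OUTPUT,CF_BUFSIZE*2,"Couldn't open last-seen database %s\n",name);
   CfLog(cferror,OUTPUT,"db_open");
   goto close_both;
   }


/* MUTEX_GETADDR is held around the address lookup; presumably the resolver
   it uses is not thread-safe. */
#ifdef HAVE_PTHREAD_H  
if (pthread_mutex_lock(&MUTEX_GETADDR) != 0)
   {
   CfLog(cferror,"pthread_mutex_lock failed","unlock");
   exit(1);
   }
#endif

switch (role)
   {
   case cf_accept:
       snprintf(databuf,CF_BUFSIZE-1,"-%s",Hostname2IPString(hostname));
       break;
   case cf_connect:
       snprintf(databuf,CF_BUFSIZE-1,"+%s",Hostname2IPString(hostname));
       break;
   default:
       /* Without a key, databuf would be read uninitialised below. */
       known_role = 0;
       break;
   }

#ifdef HAVE_PTHREAD_H  
if (pthread_mutex_unlock(&MUTEX_GETADDR) != 0)
   {
   CfLog(cferror,"pthread_mutex_unlock failed","unlock");
   exit(1);
   }
#endif

if (!known_role)
   {
   snprintf(OUTPUT,CF_BUFSIZE,"LastSeen called with unknown role %d for %s",role,hostname);
   CfLog(cferror,OUTPUT,"");
   goto close_both;
   }

/* Expiry is configured in days and kept here in seconds. */
expire = GetMacroValue(CONTEXTID,"LastSeenExpireAfter");

if (expire)
   {
   lsea = atoi(expire);
   lsea *= CF_TICKS_PER_DAY;
   }

if (lsea < 0)
   {
   lsea = CF_WEEK;
   }
   
if (ReadDB(dbp,databuf,&q,sizeof(q)))
   {
   lastseen = (double)now - q.q;
   newq.q = (double)now;                   /* Last seen is now-then */
   newq.expect = GAverage(lastseen,q.expect,0.3);
   delta2 = (lastseen - q.expect)*(lastseen - q.expect);
   newq.var = GAverage(delta2,q.var,0.3);
   }
else
   {
   /* First contact: no interval to average yet. */
   lastseen = 0.0;
   newq.q = (double)now;
   newq.expect = 0.0;
   newq.var = 0.0;
   }

#ifdef HAVE_PTHREAD_H  
if (pthread_mutex_lock(&MUTEX_GETADDR) != 0)
   {
   CfLog(cferror,"pthread_mutex_lock failed","unlock");
   exit(1);
   }
#endif

if (lastseen > (double)lsea)
   {
   Verbose("Last seen %s expired\n",databuf);
   DeleteDB(dbp,databuf);   
   }
else
   {
   WriteDB(dbp,databuf,&newq,sizeof(newq));
   WriteDB(dbpent,GenTimeKey(now),&newq,sizeof(newq));
   }

#ifdef HAVE_PTHREAD_H  
if (pthread_mutex_unlock(&MUTEX_GETADDR) != 0)
   {
   CfLog(cferror,"pthread_mutex_unlock failed","unlock");
   exit(1);
   }
#endif

close_both:
dbpent->close(dbpent,0);
close_main:
dbp->close(dbp,0);
}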
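/*****************************************************************************/

/* Append each element of list to *heap, once, after canonifying the name so
   that it matches the form in which the agent defines classes at run time.
   Shared by the abortclasses and abortbundleclasses control attributes;
   cp->classes is recorded as the item's class context, as AppendItem expects. */

static void AppendCanonifiedClasses(struct Item **heap,struct Rlist *list,struct Constraint *cp)

{ struct Rlist *rp;

for (rp = list; rp != NULL; rp = rp->next)
   {
   char name[CF_MAXVARSIZE] = "";

   /* name is zero-filled, so the n-1 byte copy is always NUL-terminated */
   strncpy(name,rp->item,CF_MAXVARSIZE - 1);
   CanonifyNameInPlace(name);

   if (!IsItemIn(*heap,name))
      {
      AppendItem(heap,name,cp->classes);
      }
   }
}

/*****************************************************************************/

/* Apply the "body agent control" constraints to cf-agent's global settings.

   Every constraint of the agent control body is matched by name against
   CFA_CONTROLBODY and copied into the corresponding global.  Constraints that
   belong to control_common are skipped (generic_agent already applied them)
   and unknown lvals are logged at cf_error and ignored.  The control_common
   attributes the agent itself still needs (lastseenexpireafter, fips_mode,
   syslog_port, syslog_host) are read directly at the end.

   Side effects: mutates the agent globals (CFA_MAXTHREADS, ACCESSLIST,
   ABORTHEAP, PROCESSREFRESH, ...), the process environment (putenv, inherited
   by every command the agent later runs) and, when built with Nova, calls
   Nova_Initialize().  No return value; failures are logged, not reported. */

void KeepControlPromises()
    
{ struct Constraint *cp;
  char rettype;
  void *retval;
  struct Rlist *rp;

for (cp = ControlBodyConstraints(cf_agent); cp != NULL; cp=cp->next)
   {
   if (IsExcluded(cp->classes))
      {
      continue;
      }

   /* Already handled in generic_agent */

   if (GetVariable("control_common",cp->lval,&retval,&rettype) != cf_notype)
      {
      continue;
      }

   if (GetVariable("control_agent",cp->lval,&retval,&rettype) == cf_notype)
      {
      CfOut(cf_error,"","Unknown lval %s in agent control body",cp->lval);
      continue;
      }
            
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_maxconnections].lval) == 0)
      {
      CFA_MAXTHREADS = (int)Str2Int(retval);
      CfOut(cf_verbose,"","SET maxconnections = %d\n",CFA_MAXTHREADS);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_checksum_alert_time].lval) == 0)
      {
      CF_PERSISTENCE = (int)Str2Int(retval);
      CfOut(cf_verbose,"","SET checksum_alert_time = %d\n",CF_PERSISTENCE);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_agentfacility].lval) == 0)
      {
      SetFacility(retval);
      continue;
      }
   
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_agentaccess].lval) == 0)
      {
      ACCESSLIST = (struct Rlist *) retval;
      CheckAgentAccess(ACCESSLIST);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_refresh_processes].lval) == 0)
      {
      /* The list must be recorded whether or not we are verbose; previously
         PrependItem only ran inside the VERBOSE branch, so the setting was
         silently lost in normal runs. */

      if (VERBOSE)
         {
         printf("%s> SET refresh_processes when starting: ",VPREFIX);
         }

      for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next)
         {
         if (VERBOSE)
            {
            printf(" %s",(char *)rp->item);
            }

         PrependItem(&PROCESSREFRESH,rp->item,NULL);
         }

      if (VERBOSE)
         {
         printf("\n");
         }
      
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_abortclasses].lval) == 0)
      {
      CfOut(cf_verbose,"","SET Abort classes from ...\n");
      AppendCanonifiedClasses(&ABORTHEAP,(struct Rlist *) retval,cp);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_abortbundleclasses].lval) == 0)
      {
      CfOut(cf_verbose,"","SET Abort bundle classes from ...\n");
      AppendCanonifiedClasses(&ABORTBUNDLEHEAP,(struct Rlist *) retval,cp);
      continue;
      }
   
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_addclasses].lval) == 0)
      {
      CfOut(cf_verbose,"","-> Add classes ...\n");
      
      for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next)
         {
         CfOut(cf_verbose,""," -> ... %s\n",rp->item);
         NewClass(rp->item);
         }
      
      continue;
      }
   
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_auditing].lval) == 0)
      {
      AUDIT = GetBoolean(retval);
      CfOut(cf_verbose,"","SET auditing = %d\n",AUDIT);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_alwaysvalidate].lval) == 0)
      {
      ALWAYS_VALIDATE = GetBoolean(retval);
      CfOut(cf_verbose,"","SET alwaysvalidate = %d\n",ALWAYS_VALIDATE);
      continue;
      }
   
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_secureinput].lval) == 0)
      {
      CFPARANOID = GetBoolean(retval);
      CfOut(cf_verbose,"","SET secure input = %d\n",CFPARANOID);
      continue;
      }
   
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_binarypaddingchar].lval) == 0)
      {
      PADCHAR = *(char *)retval;
      CfOut(cf_verbose,"","SET binarypaddingchar = %c\n",PADCHAR);
      continue;
      }
   
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_bindtointerface].lval) == 0)
      {
      /* n-1 copy: termination relies on the global being zero-initialised
         and never written at its last byte */
      strncpy(BINDINTERFACE,retval,CF_BUFSIZE-1);
      CfOut(cf_verbose,"","SET bindtointerface = %s\n",BINDINTERFACE);
      continue;
      }
   
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_hashupdates].lval) == 0)
      {
      CHECKSUMUPDATES = GetBoolean(retval);
      CfOut(cf_verbose,"","SET ChecksumUpdates %d\n",CHECKSUMUPDATES);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_exclamation].lval) == 0)
      {
      EXCLAIM = GetBoolean(retval);
      CfOut(cf_verbose,"","SET exclamation %d\n",EXCLAIM);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_childlibpath].lval) == 0)
      {
      char output[CF_BUFSIZE];
      char *env;

      /* LD_LIBRARY_PATH is inherited by every child the agent executes, so
         this is policy deciding which shared objects those children load. */
      snprintf(output,CF_BUFSIZE,"LD_LIBRARY_PATH=%s",(char *)retval);

      /* putenv keeps the pointer itself, so the copy must outlive this call
         and is intentionally never freed on success */
      env = strdup(output);

      if (env == NULL)
         {
         CfOut(cf_error,"strdup","Unable to set %s",output);
         }
      else if (putenv(env) == 0)
         {
         CfOut(cf_verbose,"","Setting %s\n",output);
         }
      else
         {
         CfOut(cf_error,"putenv","Unable to set %s",output);
         free(env);
         }

      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_defaultcopytype].lval) == 0)
      {
      /* DEFAULT_COPYTYPE holds the string itself, so log it with %s
         (the old %c passed a pointer where an int was expected) */
      DEFAULT_COPYTYPE = (char *)retval;
      CfOut(cf_verbose,"","SET defaultcopytype = %s\n",DEFAULT_COPYTYPE);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_fsinglecopy].lval) == 0)
      {
      SINGLE_COPY_LIST = (struct Rlist *)retval;
      CfOut(cf_verbose,"","SET file single copy list\n");
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_fautodefine].lval) == 0)
      {
      AUTO_DEFINE_LIST = (struct Rlist *)retval;
      CfOut(cf_verbose,"","SET file auto define list\n");
      continue;
      }
   
   /* The boolean flags below are logged with %d; %c printed them as a
      control character */

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_dryrun].lval) == 0)
      {
      DONTDO = GetBoolean(retval);
      CfOut(cf_verbose,"","SET dryrun = %d\n",DONTDO);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_inform].lval) == 0)
      {
      INFORM = GetBoolean(retval);
      CfOut(cf_verbose,"","SET inform = %d\n",INFORM);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_verbose].lval) == 0)
      {
      VERBOSE = GetBoolean(retval);
      CfOut(cf_verbose,"","SET verbose = %d\n",VERBOSE);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_repository].lval) == 0)
      {
      /* Owned by the global for the life of the process; never freed */
      VREPOSITORY = strdup(retval);
      CfOut(cf_verbose,"","SET repository = %s\n",VREPOSITORY);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_skipidentify].lval) == 0)
      {
      SKIPIDENTIFY = GetBoolean(retval);
      CfOut(cf_verbose,"","SET skipidentify = %d\n",SKIPIDENTIFY);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_suspiciousnames].lval) == 0)
      {
      for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next)
         {
         PrependItem(&SUSPICIOUSLIST,rp->item,NULL);
         CfOut(cf_verbose,"", "-> Considering %s as suspicious file", rp->item);
         }

      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_repchar].lval) == 0)
      {
      REPOSCHAR = *(char *)retval;
      CfOut(cf_verbose,"","SET repchar = %c\n",REPOSCHAR);
      continue;
      }
   
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_mountfilesystems].lval) == 0)
      {
      CF_MOUNTALL = GetBoolean(retval);
      CfOut(cf_verbose,"","SET mountfilesystems = %d\n",CF_MOUNTALL);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_editfilesize].lval) == 0)
      {
      EDITFILESIZE = Str2Int(retval);
      CfOut(cf_verbose,"","SET EDITFILESIZE = %d\n",EDITFILESIZE);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_ifelapsed].lval) == 0)
      {
      VIFELAPSED = Str2Int(retval);
      CfOut(cf_verbose,"","SET ifelapsed = %d\n",VIFELAPSED);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_expireafter].lval) == 0)
      {
      VEXPIREAFTER = Str2Int(retval);
      CfOut(cf_verbose,"","SET expireafter = %d\n",VEXPIREAFTER);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_timeout].lval) == 0)
      {
      CONNTIMEOUT = Str2Int(retval);
      CfOut(cf_verbose,"","SET timeout = %d\n",CONNTIMEOUT);
      continue;
      }
   
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_max_children].lval) == 0)
      {
      CFA_BACKGROUND_LIMIT = Str2Int(retval);
      CfOut(cf_verbose,"","SET MAX_CHILDREN = %d\n",CFA_BACKGROUND_LIMIT);

      /* Values above 10 are rejected and fall back to 1, not clamped to 10 */
      if (CFA_BACKGROUND_LIMIT > 10)
         {
         CfOut(cf_error,"","Silly value for max_children in agent control promise (%d > 10)",CFA_BACKGROUND_LIMIT);
         CFA_BACKGROUND_LIMIT = 1;
         }
      continue;
      }
   
   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_syslog].lval) == 0)
      {
      LOGGING = GetBoolean(retval);
      CfOut(cf_verbose,"","SET syslog = %d\n",LOGGING);
      continue;
      }

   if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_environment].lval) == 0)
      {
      CfOut(cf_verbose,"","SET environment variables from ...\n");
      
      /* putenv stores rp->item itself, not a copy: the policy list must stay
         allocated and unmodified while the environment is in use */
      for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next)
         {
         if (putenv(rp->item) != 0)
            {
            CfOut(cf_error, "putenv", "Failed to set environment variable %s", rp->item);
            }
         }
      
      continue;
      }
   }

/* control_common attributes the agent consumes directly */

if (GetVariable("control_common",CFG_CONTROLBODY[cfg_lastseenexpireafter].lval,&retval,&rettype) != cf_notype)
   {
   LASTSEENEXPIREAFTER = Str2Int(retval);
   }

if (GetVariable("control_common",CFG_CONTROLBODY[cfg_fips_mode].lval,&retval,&rettype) != cf_notype)
   {
   FIPS_MODE = GetBoolean(retval);
   CfOut(cf_verbose,"","SET FIPS_MODE = %d\n",FIPS_MODE);
   }

if (GetVariable("control_common",CFG_CONTROLBODY[cfg_syslog_port].lval,&retval,&rettype) != cf_notype)
   {
   SYSLOGPORT = (unsigned short)Str2Int(retval);
   CfOut(cf_verbose,"","SET syslog_port to %d",SYSLOGPORT);
   }

if (GetVariable("control_common",CFG_CONTROLBODY[cfg_syslog_host].lval,&retval,&rettype) != cf_notype)
   {   
   /* Resolved once here; n-1 copy relies on SYSLOGHOST being zero-initialised */
   strncpy(SYSLOGHOST,Hostname2IPString(retval),CF_MAXVARSIZE-1);
   CfOut(cf_verbose,"","SET syslog_host to %s",SYSLOGHOST);
   }

#ifdef HAVE_NOVA
Nova_Initialize();
#endif
}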
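/* Parse cf-agent's command line into the agent's globals (VINPUTFILE,
   POLICY_SERVER, CBUNDLESEQUENCE, the DEBUG/VERBOSE/INFORM/DONTDO flags,
   classes defined or negated on the command line, ...).

   argc/argv are main()'s unmodified arguments.  Options that only print
   something (-V, -h, -M, -x) exit the process; malformed input goes through
   FatalError(), which does not return.  A trailing non-option argument is
   rejected. */

void CheckOpts(int argc,char **argv)

{ extern char *optarg;
  char arg[CF_BUFSIZE],*sp;
  int optindex = 0;
  int c,alpha = false,v6 = false;

/* Because of the MacOS linker we have to call this from each agent
   individually before Generic Initialize */

POLICY_SERVER[0] = '\0';

/* 'h' was absent from the short option string, so a bare -h reached the
   default branch (usage, exit 1) instead of case 'h' below */

while ((c=getopt_long(argc,argv,"rd:vnKIf:D:N:Vs:x:MBb:h",OPTIONS,&optindex)) != EOF)
  {
  switch ((char) c)
      {
      case 'f':

          if (optarg == NULL)
             {
             FatalError(" -f used but no argument");
             }

          /* Presumably the shortest acceptable policy file name is "x.cf" */
          if (strlen(optarg) < 5)
             {
             snprintf(arg,sizeof(arg)," -f used but argument \"%s\" incorrect",optarg);
             FatalError(arg);
             }

          strncpy(VINPUTFILE,optarg,CF_BUFSIZE-1);
          MINUSF = true;
          break;

      case 'b':
          if (optarg)
             {
             CBUNDLESEQUENCE = SplitStringAsRList(optarg,',');
             CBUNDLESEQUENCE_STR = optarg;
             }
          break;
          
      case 'd': 
          NewClass("opt_debug");
          switch ((optarg==NULL) ? '3' : *optarg)
             {
             case '1':
                 D1 = true;
                 DEBUG = true;
                 break;
             case '2':
                 D2 = true;
                 DEBUG = true;
                 break;
             default:
                 DEBUG = true;
                 break;
             }
          break;

      case 'B':
          BOOTSTRAP = true;
          MINUSF = true;
          IGNORELOCK = true;
          NewClass("bootstrap_mode");
          break;

      case 's':
	  
	  // temporary assure that network functions are working
   	  OpenNetwork();

          strncpy(POLICY_SERVER,Hostname2IPString(optarg),CF_BUFSIZE-1);

          CloseNetwork();

          /* Reset per occurrence so a second -s is judged on its own value */
          alpha = false;
          v6 = false;

          /* If the lookup failed we are left holding the host name rather
             than an address: any letter or punctuation other than ':' / '.'
             gives that away, unless ':' shows it is an IPv6 literal (which
             legitimately contains hex letters).  Cast for <ctype.h>. */

          for (sp = POLICY_SERVER; *sp != '\0'; sp++)
             {
             if (isalpha((unsigned char)*sp))
                {
                alpha = true;
                }

             if (ispunct((unsigned char)*sp) && *sp != ':' && *sp != '.')
                {
                alpha = true;
                }
             
             if (*sp == ':')
                {
                v6 = true;
                }
             }

          if (alpha && !v6)
             {
             FatalError("Error specifying policy server. The policy server's IP address could not be looked up. Please use the IP address instead if there is no error.");
             }
          
          break;
          
      case 'K':
          IGNORELOCK = true;
          break;
                    
      case 'D': NewClassesFromString(optarg);
          break;
          
      case 'N': NegateClassesFromString(optarg,&VNEGHEAP);
          break;
          
      case 'I': INFORM = true;
          break;
          
      case 'v': VERBOSE = true;
          break;
          
      case 'n': DONTDO = true;
          IGNORELOCK = true;
          NewClass("opt_dry_run");
          break;
          
      case 'V':
          PrintVersionBanner("cf-agent");
          exit(0);
          
      case 'h':
          Syntax("cf-agent - cfengine's change agent",OPTIONS,HINTS,ID);
          exit(0);

      case 'M':
          ManPage("cf-agent - cfengine's change agent",OPTIONS,HINTS,ID);
          exit(0);

      case 'x':
          AgentDiagnostic(optarg);
          exit(0);
          
      case 'r':
          SHOWREPORTS = true;
          break;

      default:  Syntax("cf-agent - cfengine's change agent",OPTIONS,HINTS,ID);
          exit(1);          
      }
  }

if (argv[optind] != NULL)
   {
   CfOut(cf_error,"","Unexpected argument with no preceding option: %s\n",argv[optind]);
   FatalError("Aborted");
   }

Debug("Set debugging\n");
}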
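/* Append every element of rp to *list that is not already present, tagging
   each with the constraint's class context as AppendItem expects.  Shared by
   the server's address and user list attributes. */
static void AppendUniqueItems(Item **list, Rlist *rp, Constraint *cp)
{
    for (; rp != NULL; rp = rp->next)
    {
        if (!IsItemIn(*list, rp->item))
        {
            AppendItem(list, rp->item, cp->classes);
        }
    }
}

/*
 * Apply the "body server control" constraints to cf-serverd's global
 * settings, after resetting them to their built-in defaults.
 *
 * Each constraint is matched by name against CFS_CONTROLBODY; an unknown
 * lval is logged at cf_error and skipped.  Several of the lists filled here
 * (allowconnects, denyconnects, allowusers, trustkeysfrom, skipverify,
 * allowallconnects) are the server's access-control configuration, so a
 * skipped entry means the peer in question is simply not granted whatever
 * that list grants.  The control_common attributes the server consumes
 * directly (syslog host/port, fips_mode, lastseenexpireafter) are read at
 * the end.  No return value; problems are logged, not reported.
 */
void KeepControlPromises()
{
    Constraint *cp;
    Rval retval;

    /* Built-in defaults, overridden below by the control body */
    CFD_MAXPROCESSES = 30;
    MAXTRIES = 5;
    CFD_INTERVAL = 0;
    DENYBADCLOCKS = true;
    CFRUNCOMMAND[0] = '\0';
    SetChecksumUpdates(true);

/* Keep promised agent behaviour - control bodies */

    Banner("Server control promises..");

    HashControls();

/* Now expand */

    for (cp = ControlBodyConstraints(cf_server); cp != NULL; cp = cp->next)
    {
        if (IsExcluded(cp->classes))
        {
            continue;
        }

        if (GetVariable("control_server", cp->lval, &retval) == cf_notype)
        {
            CfOut(cf_error, "", "Unknown lval %s in server control body", cp->lval);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_serverfacility].lval) == 0)
        {
            SetFacility(retval.item);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_denybadclocks].lval) == 0)
        {
            DENYBADCLOCKS = GetBoolean(retval.item);
            CfOut(cf_verbose, "", "SET denybadclocks = %d\n", DENYBADCLOCKS);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_logencryptedtransfers].lval) == 0)
        {
            LOGENCRYPT = GetBoolean(retval.item);
            CfOut(cf_verbose, "", "SET LOGENCRYPT = %d\n", LOGENCRYPT);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_logallconnections].lval) == 0)
        {
            LOGCONNS = GetBoolean(retval.item);
            CfOut(cf_verbose, "", "SET LOGCONNS = %d\n", LOGCONNS);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_maxconnections].lval) == 0)
        {
            CFD_MAXPROCESSES = (int) Str2Int(retval.item);
            /* NOTE(review): integer division makes MAXTRIES 0 for values
               below 3 - confirm that is the intended meaning */
            MAXTRIES = CFD_MAXPROCESSES / 3;
            CfOut(cf_verbose, "", "SET maxconnections = %d\n", CFD_MAXPROCESSES);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_cfruncommand].lval) == 0)
        {
            /* n-1 copy: termination relies on the last byte of the global
               never being written */
            strncpy(CFRUNCOMMAND, retval.item, CF_BUFSIZE - 1);
            CfOut(cf_verbose, "", "SET cfruncommand = %s\n", CFRUNCOMMAND);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_allowconnects].lval) == 0)
        {
            CfOut(cf_verbose, "", "SET Allowing connections from ...\n");
            AppendUniqueItems(&NONATTACKERLIST, (Rlist *) retval.item, cp);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_denyconnects].lval) == 0)
        {
            CfOut(cf_verbose, "", "SET Denying connections from ...\n");
            AppendUniqueItems(&ATTACKERLIST, (Rlist *) retval.item, cp);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_skipverify].lval) == 0)
        {
            CfOut(cf_verbose, "", "SET Skip verify connections from ...\n");
            AppendUniqueItems(&SKIPVERIFY, (Rlist *) retval.item, cp);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_dynamicaddresses].lval) == 0)
        {
            CfOut(cf_verbose, "", "SET Dynamic addresses from ...\n");
            AppendUniqueItems(&DHCPLIST, (Rlist *) retval.item, cp);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_allowallconnects].lval) == 0)
        {
            CfOut(cf_verbose, "", "SET Allowing multiple connections from ...\n");
            AppendUniqueItems(&MULTICONNLIST, (Rlist *) retval.item, cp);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_allowusers].lval) == 0)
        {
            CfOut(cf_verbose, "", "SET Allowing users ...\n");
            AppendUniqueItems(&ALLOWUSERLIST, (Rlist *) retval.item, cp);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_trustkeysfrom].lval) == 0)
        {
            CfOut(cf_verbose, "", "SET Trust keys from ...\n");
            AppendUniqueItems(&TRUSTKEYLIST, (Rlist *) retval.item, cp);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_portnumber].lval) == 0)
        {
            /* Parse once (the original parsed twice) and reject values a
               16-bit port cannot hold instead of silently truncating them */
            long port = Str2Int(retval.item);

            if (port < 1 || port > 65535)
            {
                CfOut(cf_error, "", "Ignoring portnumber %s: not in 1..65535", (char *) retval.item);
                continue;
            }

            /* NOTE(review): a 15-byte strncpy leaves no terminator for a
               15+ character value; relies on STR_CFENGINEPORT being
               zero-initialised and larger than 15 bytes - confirm its size */
            strncpy(STR_CFENGINEPORT, retval.item, 15);
            CfOut(cf_verbose, "", "SET default portnumber = %d = %s = %s\n", (int) port, STR_CFENGINEPORT,
                  ScalarRvalValue(retval));
            /* Stored in network byte order */
            SHORT_CFENGINEPORT = htons((short) port);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_keyttl].lval) == 0)
        {
            CfOut(cf_verbose, "", "Ignoring deprecated option keycacheTTL");
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_bindtointerface].lval) == 0)
        {
            /* n-1 copy, same termination assumption as cfruncommand */
            strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
            CfOut(cf_verbose, "", "SET bindtointerface = %s\n", BINDINTERFACE);
            continue;
        }
    }

    /* control_common attributes the server consumes directly */

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_host].lval, &retval) != cf_notype)
    {
        SetSyslogHost(Hostname2IPString(retval.item));
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_port].lval, &retval) != cf_notype)
    {
        SetSyslogPort(Str2Int(retval.item));
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_fips_mode].lval, &retval) != cf_notype)
    {
        FIPS_MODE = GetBoolean(retval.item);
        CfOut(cf_verbose, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval) != cf_notype)
    {
        /* Policy value is in minutes; the global is kept in seconds */
        LASTSEENEXPIREAFTER = Str2Int(retval.item) * 60;
    }
}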