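/*
 * Forget every public key stored for HOST.
 *
 * The name is resolved to an address, the address is turned into the
 * host-key digest, the host is dropped from the lastseen database, and
 * then the keys filed under the address and under the digest are removed.
 *
 * Returns 0 when at least one key was removed, 1 when no key was found
 * and 255 when a removal failed.
 */
static int RemoveKeys(const char *host)
{
    char ip[CF_BUFSIZE];
    char digest[CF_BUFSIZE];

    /* Bounded copy instead of strcpy: this function does not know how long
     * the resolved address string can be. */
    snprintf(ip, sizeof(ip), "%s", Hostname2IPString(host));
    Address2Hostkey(ip, digest);

    RemoveHostFromLastSeen(digest);

    int removed_by_ip = RemovePublicKey(ip);
    int removed_by_digest = RemovePublicKey(digest);

    /* Report on the host this call was given; the original named a different
     * identifier (remove_keys_host) than the one it actually acted on. */
    if ((removed_by_ip == -1) || (removed_by_digest == -1))
    {
        CfOut(cf_error, "", "Unable to remove keys for the host %s", host);
        return 255;
    }
    else if (removed_by_ip + removed_by_digest == 0)
    {
        CfOut(cf_error, "", "No keys for host %s were found", host);
        return 1;
    }
    else
    {
        CfOut(cf_inform, "", "Removed %d key(s) for host %s", removed_by_ip + removed_by_digest, host);
        return 0;
    }
}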
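/*
 * Drop a host from the lastseen database.
 *
 * The host is identified either by HOSTKEY (used verbatim as the digest)
 * or, when HOSTKEY is NULL, by resolving HOSTNAME to an address and
 * deriving the key digest from that.  Both the incoming ("-digest") and
 * outgoing ("+digest") records are deleted.
 *
 * Returns false only when the database could not be opened; the delete
 * calls themselves are not checked (absent records are not an error here).
 */
bool RemoveHostFromLastSeen(const char *hostname, char *hostkey)
{
    char digest[CF_BUFSIZE] = { 0 };

    if (!hostkey)
    {
        char ip[CF_BUFSIZE];

        /* Bounded copy: strcpy assumed the resolved address fits. */
        snprintf(ip, sizeof(ip), "%s", Hostname2IPString(hostname));
        IPString2KeyDigest(ip, digest);
    }
    else
    {
        snprintf(digest, sizeof(digest), "%s", hostkey);
    }

    CF_DB *dbp;

    if (!OpenDB(&dbp, dbid_lastseen))
    {
        CfOut(cf_error, "", " !! Unable to open last seen DB");
        return false;
    }

    char key[CF_BUFSIZE];

    /* Records are keyed by direction prefix plus digest; the stored key
     * length includes the terminating NUL. */
    snprintf(key, sizeof(key), "-%s", digest);
    DeleteComplexKeyDB(dbp, key, strlen(key) + 1);

    snprintf(key, sizeof(key), "+%s", digest);
    DeleteComplexKeyDB(dbp, key, strlen(key) + 1);

    CloseDB(dbp);
    return true;
}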
/*
 * Remove every stored public key for HOST.
 *
 * Resolution failure is reported and treated like a removal failure.
 * Otherwise the host's address and its derived key digest are both used as
 * lookup names, the host is forgotten in lastseen, and any key stored under
 * either name is removed.
 *
 * Returns 0 if something was removed, 1 if nothing matched, 255 on error.
 */
int RemoveKeys(const char *host)
{
    char ipaddr[CF_MAX_IP_LEN];
    char digest[CF_BUFSIZE];

    if (Hostname2IPString(ipaddr, host, sizeof(ipaddr)) == -1)
    {
        Log(LOG_LEVEL_ERR, "ERROR, could not resolve %s, not removing", host);
        return 255;
    }

    Address2Hostkey(ipaddr, digest);
    RemoveHostFromLastSeen(digest);

    const int by_address = RemovePublicKey(ipaddr);
    const int by_digest = RemovePublicKey(digest);

    if (by_address == -1 || by_digest == -1)
    {
        Log(LOG_LEVEL_ERR, "Unable to remove keys for the host %s", host);
        return 255;
    }

    const int total = by_address + by_digest;

    if (total == 0)
    {
        Log(LOG_LEVEL_ERR, "No keys for host %s were found", host);
        return 1;
    }

    Log(LOG_LEVEL_INFO, "Removed %d key(s) for host %s", total, host);
    return 0;
}
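/*
 * Contact one remote agent named in HOST ("name" or "name:port") and run
 * the remote-execution exchange with it.
 *
 * In interactive mode, when no public key is on file for the peer (looked
 * up by name and by address), the operator is asked on the terminal whether
 * to accept the key on trust; the answer sets a.copy.trustkey for this
 * connection only.  Non-interactive runs keep whatever trustkey the caller
 * passed in.
 *
 * Returns true when the exchange completed, false when there was nothing
 * to connect to, no server answered, or the Nova menu action failed.
 */
static int HailServer(char *host, Attributes a, Promise *pp)
{
    AgentConnection *conn;
    char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE];
    char peer[CF_MAXVARSIZE], ipv4[CF_MAXVARSIZE], digest[CF_MAXVARSIZE];
    char user[CF_SMALLBUF];
    bool gotkey;
    char reply[8];

    a.copy.portnumber = (short) ParseHostname(host, peer);
    snprintf(ipv4, CF_MAXVARSIZE, "%s", Hostname2IPString(peer));
    Address2Hostkey(ipv4, digest);
    GetCurrentUserName(user, CF_SMALLBUF);

    if (INTERACTIVE)
    {
        CfOut(cf_verbose, "", " -> Using interactive key trust...\n");

        gotkey = HavePublicKey(user, peer, digest) != NULL;

        if (!gotkey)
        {
            gotkey = HavePublicKey(user, ipv4, digest) != NULL;
        }

        if (!gotkey)
        {
            printf("WARNING - You do not have a public key from host %s = %s\n", host, ipv4);
            printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");

            while (true)
            {
                if (fgets(reply, sizeof(reply), stdin) == NULL)
                {
                    FatalError("EOF trying to read answer from terminal");
                }

                /* Chop must be bounded by the reply buffer itself; the
                 * original passed CF_EXPANDSIZE, far larger than 8 bytes. */
                if (Chop(reply, sizeof(reply)) == -1)
                {
                    CfOut(cf_error, "", "Chop was called on a string that seemed to have no terminator");
                }

                if (strcmp(reply, "yes") == 0)
                {
                    printf(" -> Will trust the key...\n");
                    a.copy.trustkey = true;
                    break;
                }
                else if (strcmp(reply, "no") == 0)
                {
                    printf(" -> Will not trust the key...\n");
                    a.copy.trustkey = false;
                    break;
                }
                else
                {
                    printf(" !! Please reply yes or no...(%s)\n", reply);
                }
            }
        }
    }

    /* Continue */

#ifdef __MINGW32__
    CfOut(cf_inform, "", "...........................................................................\n");
    CfOut(cf_inform, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, a.copy.portnumber, REMOTE_AGENT_OPTIONS);
    CfOut(cf_inform, "", "...........................................................................\n");
#else /* !__MINGW32__ */
    if (BACKGROUND)
    {
        CfOut(cf_inform, "", "Hailing %s : %u, with options \"%s\" (parallel)\n", peer, a.copy.portnumber, REMOTE_AGENT_OPTIONS);
    }
    else
    {
        CfOut(cf_inform, "", "...........................................................................\n");
        CfOut(cf_inform, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, a.copy.portnumber, REMOTE_AGENT_OPTIONS);
        CfOut(cf_inform, "", "...........................................................................\n");
    }
#endif /* !__MINGW32__ */

    a.copy.servers = SplitStringAsRList(peer, '*');

    if (a.copy.servers == NULL || strcmp(a.copy.servers->item, "localhost") == 0)
    {
        cfPS(cf_inform, CF_NOP, "", pp, a, "No hosts are registered to connect to");

        /* The split list was allocated above and must not leak on this
         * early return. */
        if (a.copy.servers != NULL)
        {
            DeleteRlist(a.copy.servers);
        }
        return false;
    }
    else
    {
        conn = NewServerConnection(a, pp);

        if (conn == NULL)
        {
            DeleteRlist(a.copy.servers);
            CfOut(cf_verbose, "", " -> No suitable server responded to hail\n");
            return false;
        }
    }

    /* Check trust interaction*/

    pp->cache = NULL;

    if (strlen(MENU) > 0)
    {
#if defined(HAVE_NOVA)
        if (!Nova_ExecuteRunagent(conn, MENU))
        {
            DisconnectServer(conn);
            DeleteRlist(a.copy.servers);
            return false;
        }
#endif
    }
    else
    {
        HailExec(conn, peer, recvbuffer, sendbuffer);
    }

    DeleteRlist(a.copy.servers);
    return true;
}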
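/*
 * Contact one remote agent named in HOST ("name" or "name:port").
 *
 * In interactive mode, if no public key is on file for the peer (by name
 * or by address), the operator is asked on the terminal whether to accept
 * one on trust; the answer sets a.copy.trustkey for this connection.
 *
 * When MENU is set and Nova is compiled in, a knowledge-map query is run
 * instead of the normal exec exchange.
 *
 * Returns true when the exchange completed, false when there was no host
 * to connect to or no server answered.
 */
int HailServer(char *host, struct Attributes a, struct Promise *pp)
{
    struct cfagent_connection *conn;
    char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE];
    char peer[CF_MAXVARSIZE], ipv4[CF_MAXVARSIZE], digest[CF_MAXVARSIZE];
    char user[CF_SMALLBUF];
    bool gotkey;
    char reply[8];

    a.copy.portnumber = (short) ParseHostname(host, peer);
    snprintf(ipv4, CF_MAXVARSIZE, "%s", Hostname2IPString(peer));
    IPString2KeyDigest(ipv4, digest);
    GetCurrentUserName(user, CF_SMALLBUF);

    if (INTERACTIVE)
    {
        CfOut(cf_verbose, "", " -> Using interactive key trust...\n");

        gotkey = HavePublicKey(user, peer, digest) != NULL;

        if (!gotkey)
        {
            gotkey = HavePublicKey(user, ipv4, digest) != NULL;
        }

        if (!gotkey)
        {
            printf("WARNING - You do not have a public key from host %s = %s\n", host, ipv4);
            printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");

            while (true)
            {
                /* An unchecked fgets left the stale buffer in play on EOF and
                 * the loop would never terminate. */
                if (fgets(reply, sizeof(reply), stdin) == NULL)
                {
                    FatalError("EOF trying to read answer from terminal");
                }

                Chop(reply);

                if (strcmp(reply, "yes") == 0)
                {
                    printf(" -> Will trust the key...\n");
                    a.copy.trustkey = true;
                    break;
                }
                else if (strcmp(reply, "no") == 0)
                {
                    printf(" -> Will not trust the key...\n");
                    a.copy.trustkey = false;
                    break;
                }
                else
                {
                    printf(" !! Please reply yes or no...(%s)\n", reply);
                }
            }
        }
    }

    /* Continue */

#ifdef MINGW
    CfOut(cf_inform, "", "...........................................................................\n");
    CfOut(cf_inform, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, a.copy.portnumber, REMOTE_AGENT_OPTIONS);
    CfOut(cf_inform, "", "...........................................................................\n");
#else /* NOT MINGW */
    if (BACKGROUND)
    {
        CfOut(cf_inform, "", "Hailing %s : %u, with options \"%s\" (parallel)\n", peer, a.copy.portnumber, REMOTE_AGENT_OPTIONS);
    }
    else
    {
        CfOut(cf_inform, "", "...........................................................................\n");
        CfOut(cf_inform, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, a.copy.portnumber, REMOTE_AGENT_OPTIONS);
        CfOut(cf_inform, "", "...........................................................................\n");
    }
#endif /* NOT MINGW */

    a.copy.servers = SplitStringAsRList(peer, '*');

    if (a.copy.servers == NULL || strcmp(a.copy.servers->item, "localhost") == 0)
    {
        cfPS(cf_inform, CF_NOP, "", pp, a, "No hosts are registered to connect to");

        /* Free the split list on this early return as on the normal path. */
        if (a.copy.servers != NULL)
        {
            DeleteRlist(a.copy.servers);
        }
        return false;
    }
    else
    {
        conn = NewServerConnection(a, pp);

        if (conn == NULL)
        {
            DeleteRlist(a.copy.servers);
            CfOut(cf_verbose, "", " -> No suitable server responded to hail\n");
            return false;
        }
    }

    /* Check trust interaction*/

    pp->cache = NULL;

    if (strlen(MENU) > 0)
    {
#ifdef HAVE_NOVA
        enum cfd_menu menu = String2Menu(MENU);

        switch (menu)
        {
        case cfd_menu_delta:
            Nova_QueryForKnowledgeMap(conn, MENU, time(0) - SECONDS_PER_MINUTE * 10);
            break;

        case cfd_menu_full:
            Nova_QueryForKnowledgeMap(conn, MENU, time(0) - SECONDS_PER_WEEK);
            break;

        case cfd_menu_relay:
#ifdef HAVE_CONSTELLATION
            {
                /* Declared here rather than at function scope so that the
                 * variable is not unused in builds without Constellation. */
                struct Item *queries = Constellation_CreateAllQueries();
                Constellation_QueryRelay(conn, queries);
                DeleteItemList(queries);
            }
#endif
            break;

        default:
            break;
        }
#endif /* HAVE_NOVA */
    }
    else
    {
        HailExec(conn, peer, recvbuffer, sendbuffer);
    }

    ServerDisconnection(conn);
    DeleteRlist(a.copy.servers);
    return true;
}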
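/*
 * Append every entry of VALUES to LIST unless it is already present,
 * tagging new entries with CLASSES.  Shared by the server's host and user
 * list options below, which all had this loop inlined.
 */
static void AppendRlistItemsUnique(Item **list, Rlist *values, const char *classes)
{
    for (Rlist *rp = values; rp != NULL; rp = rp->next)
    {
        if (!IsItemIn(*list, rp->item))
        {
            AppendItem(list, rp->item, classes);
        }
    }
}

/*
 * Apply the "body server control" settings to the server's globals.
 *
 * Defaults are set first, then every constraint of the server control
 * body whose class expression is defined is matched by name and copied
 * into the corresponding global or SV list.  The allow/deny/skipverify/
 * trustkeys lists are the server's access-control policy: entries only
 * ever accumulate here, they are never removed.  Common control settings
 * (syslog, FIPS mode, lastseen expiry) are read at the end.
 */
static void KeepControlPromises(EvalContext *ctx, Policy *policy, GenericAgentConfig *config)
{
    Rval retval;

    CFD_MAXPROCESSES = 30;
    MAXTRIES = 5;
    DENYBADCLOCKS = true;
    CFRUNCOMMAND[0] = '\0';
    SetChecksumUpdates(true);

    /* Keep promised agent behaviour - control bodies */

    Banner("Server control promises..");
    HashControls(ctx, policy, config);

    /* Now expand */

    Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_SERVER);

    if (constraints)
    {
        for (size_t i = 0; i < SeqLength(constraints); i++)
        {
            Constraint *cp = SeqAt(constraints, i);

            if (!IsDefinedClass(ctx, cp->classes, NULL))
            {
                continue;
            }

            if (!EvalContextVariableGet(ctx, (VarRef) { NULL, "control_server", cp->lval }, &retval, NULL))
            {
                CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in server control body", cp->lval);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SERVER_FACILITY].lval) == 0)
            {
                SetFacility(retval.item);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_BAD_CLOCKS].lval) == 0)
            {
                DENYBADCLOCKS = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET denybadclocks = %d\n", DENYBADCLOCKS);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ENCRYPTED_TRANSFERS].lval) == 0)
            {
                LOGENCRYPT = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET LOGENCRYPT = %d\n", LOGENCRYPT);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ALL_CONNECTIONS].lval) == 0)
            {
                SV.logconns = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET logconns = %d\n", SV.logconns);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_MAX_CONNECTIONS].lval) == 0)
            {
                CFD_MAXPROCESSES = (int) IntFromString(retval.item);
                /* Retry budget scales with the process limit. */
                MAXTRIES = CFD_MAXPROCESSES / 3;
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET maxconnections = %d\n", CFD_MAXPROCESSES);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_INTERVAL].lval) == 0)
            {
                /* Policy value is in minutes, the global is seconds. */
                COLLECT_INTERVAL = (int) 60 * IntFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET call_collect_interval = %d (seconds)\n", COLLECT_INTERVAL);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LISTEN].lval) == 0)
            {
                SERVER_LISTEN = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET server listen = %s \n", (SERVER_LISTEN)? "true":"false");
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_WINDOW].lval) == 0)
            {
                COLLECT_WINDOW = (int) IntFromString(retval.item);
                /* Log the value just set (the original printed COLLECT_INTERVAL). */
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET collect_window = %d (seconds)\n", COLLECT_WINDOW);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CF_RUN_COMMAND].lval) == 0)
            {
                strncpy(CFRUNCOMMAND, retval.item, CF_BUFSIZE - 1);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET cfruncommand = %s\n", CFRUNCOMMAND);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_CONNECTS].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing connections from ...\n");
                AppendRlistItemsUnique(&SV.nonattackerlist, (Rlist *) retval.item, cp->classes);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_CONNECTS].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Denying connections from ...\n");
                AppendRlistItemsUnique(&SV.attackerlist, (Rlist *) retval.item, cp->classes);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SKIP_VERIFY].lval) == 0)
            {
                /* Hosts listed here are exempted from a verification step;
                 * keep this list as narrow as the policy allows. */
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Skip verify connections from ...\n");
                AppendRlistItemsUnique(&SV.skipverify, (Rlist *) retval.item, cp->classes);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_ALL_CONNECTS].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing multiple connections from ...\n");
                AppendRlistItemsUnique(&SV.multiconnlist, (Rlist *) retval.item, cp->classes);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_USERS].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing users ...\n");
                AppendRlistItemsUnique(&SV.allowuserlist, (Rlist *) retval.item, cp->classes);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_TRUST_KEYS_FROM].lval) == 0)
            {
                /* Hosts from which a new key is accepted on first contact. */
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Trust keys from ...\n");
                AppendRlistItemsUnique(&SV.trustkeylist, (Rlist *) retval.item, cp->classes);
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_PORT_NUMBER].lval) == 0)
            {
                SHORT_CFENGINEPORT = (short) IntFromString(retval.item);
                /* NOTE(review): the 15-byte limit is tied to STR_CFENGINEPORT's
                 * declared size elsewhere — confirm it leaves room for the NUL. */
                strncpy(STR_CFENGINEPORT, retval.item, 15);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET default portnumber = %u = %s = %s\n", (int) SHORT_CFENGINEPORT, STR_CFENGINEPORT, RvalScalarValue(retval));
                /* The global is kept in network byte order once logged. */
                SHORT_CFENGINEPORT = htons((short) IntFromString(retval.item));
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_KEY_TTL].lval) == 0)
            {
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "Ignoring deprecated option keycacheTTL");
                continue;
            }

            if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_BIND_TO_INTERFACE].lval) == 0)
            {
                strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET bindtointerface = %s\n", BINDINTERFACE);
                continue;
            }
        }
    }

    if (ScopeControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_HOST, &retval) != DATA_TYPE_NONE)
    {
        SetSyslogHost(Hostname2IPString(retval.item));
    }

    if (ScopeControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_PORT, &retval) != DATA_TYPE_NONE)
    {
        SetSyslogPort(IntFromString(retval.item));
    }

    if (ScopeControlCommonGet(ctx, COMMON_CONTROL_FIPS_MODE, &retval) != DATA_TYPE_NONE)
    {
        FIPS_MODE = BooleanFromString(retval.item);
        CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
    }

    if (ScopeControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER, &retval) != DATA_TYPE_NONE)
    {
        /* Policy value is in minutes, the global is seconds. */
        LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
    }
}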
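/*
 * Apply the "body agent control" settings to the agent's globals.
 *
 * Every constraint of the agent control body whose classes are not
 * excluded is matched by name; names already handled as common controls
 * are skipped, unknown names are reported.  Common controls that the agent
 * needs (lastseen expiry, FIPS mode, syslog) are read after the loop.
 *
 * Fixes relative to the previous version: refresh_processes is now
 * registered regardless of VERBOSE (it used to be recorded only in verbose
 * runs), the allclassesreport branch no longer falls through, and the
 * dryrun/inform/verbose/expireafter log lines print the right value and
 * name.
 */
void KeepControlPromises(Policy *policy)
{
    Rval retval;
    Rlist *rp;

    Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_AGENT);

    if (constraints)
    {
        for (size_t i = 0; i < SeqLength(constraints); i++)
        {
            Constraint *cp = SeqAt(constraints, i);

            if (IsExcluded(cp->classes, NULL))
            {
                continue;
            }

            if (GetVariable("control_common", cp->lval, &retval) != DATA_TYPE_NONE)
            {
                /* Already handled in generic_agent */
                continue;
            }

            if (GetVariable("control_agent", cp->lval, &retval) == DATA_TYPE_NONE)
            {
                CfOut(cf_error, "", "Unknown lval %s in agent control body", cp->lval);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_maxconnections].lval) == 0)
            {
                CFA_MAXTHREADS = (int) Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET maxconnections = %d\n", CFA_MAXTHREADS);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_checksum_alert_time].lval) == 0)
            {
                CF_PERSISTENCE = (int) Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET checksum_alert_time = %d\n", CF_PERSISTENCE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_agentfacility].lval) == 0)
            {
                SetFacility(retval.item);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_agentaccess].lval) == 0)
            {
                ACCESSLIST = (Rlist *) retval.item;
                CheckAgentAccess(ACCESSLIST, InputFiles(policy));
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_refresh_processes].lval) == 0)
            {
                /* The list must be recorded whether or not we are verbose;
                 * only the printing is conditional. */
                if (VERBOSE)
                {
                    printf("%s> SET refresh_processes when starting: ", VPREFIX);
                }

                for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    if (VERBOSE)
                    {
                        printf(" %s", (char *) rp->item);
                    }
                    PrependItem(&PROCESSREFRESH, rp->item, NULL);
                }

                if (VERBOSE)
                {
                    printf("\n");
                }
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_abortclasses].lval) == 0)
            {
                CfOut(cf_verbose, "", "SET Abort classes from ...\n");

                for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    char name[CF_MAXVARSIZE] = "";

                    strncpy(name, rp->item, CF_MAXVARSIZE - 1);
                    AddAbortClass(name, cp->classes);
                }
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_abortbundleclasses].lval) == 0)
            {
                CfOut(cf_verbose, "", "SET Abort bundle classes from ...\n");

                for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    char name[CF_MAXVARSIZE] = "";

                    strncpy(name, rp->item, CF_MAXVARSIZE - 1);

                    if (!IsItemIn(ABORTBUNDLEHEAP, name))
                    {
                        AppendItem(&ABORTBUNDLEHEAP, name, cp->classes);
                    }
                }
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_addclasses].lval) == 0)
            {
                CfOut(cf_verbose, "", "-> Add classes ...\n");

                for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    CfOut(cf_verbose, "", " -> ... %s\n", ScalarValue(rp));
                    NewClass(rp->item, NULL);
                }
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_auditing].lval) == 0)
            {
                CfOut(cf_verbose, "", "This option does nothing and is retained for compatibility reasons");
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_alwaysvalidate].lval) == 0)
            {
                ALWAYS_VALIDATE = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET alwaysvalidate = %d\n", ALWAYS_VALIDATE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_allclassesreport].lval) == 0)
            {
                ALLCLASSESREPORT = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET allclassesreport = %d\n", ALLCLASSESREPORT);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_secureinput].lval) == 0)
            {
                CFPARANOID = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET secure input = %d\n", CFPARANOID);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_binarypaddingchar].lval) == 0)
            {
                CfOut(cf_verbose, "", "binarypaddingchar is obsolete and does nothing\n");
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_bindtointerface].lval) == 0)
            {
                strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
                CfOut(cf_verbose, "", "SET bindtointerface = %s\n", BINDINTERFACE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_hashupdates].lval) == 0)
            {
                bool enabled = GetBoolean(retval.item);

                SetChecksumUpdates(enabled);
                CfOut(cf_verbose, "", "SET ChecksumUpdates %d\n", enabled);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_exclamation].lval) == 0)
            {
                CfOut(cf_verbose, "", "exclamation control is deprecated and does not do anything\n");
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_childlibpath].lval) == 0)
            {
                char output[CF_BUFSIZE];

                /* putenv keeps the pointer, so the string must outlive this
                 * stack frame: hand it a heap copy. */
                snprintf(output, CF_BUFSIZE, "LD_LIBRARY_PATH=%s", (char *) retval.item);
                if (putenv(xstrdup(output)) == 0)
                {
                    CfOut(cf_verbose, "", "Setting %s\n", output);
                }
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_defaultcopytype].lval) == 0)
            {
                DEFAULT_COPYTYPE = (char *) retval.item;
                CfOut(cf_verbose, "", "SET defaultcopytype = %s\n", DEFAULT_COPYTYPE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_fsinglecopy].lval) == 0)
            {
                SINGLE_COPY_LIST = (Rlist *) retval.item;
                CfOut(cf_verbose, "", "SET file single copy list\n");
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_fautodefine].lval) == 0)
            {
                SetFileAutoDefineList(ListRvalValue(retval));
                CfOut(cf_verbose, "", "SET file auto define list\n");
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_dryrun].lval) == 0)
            {
                DONTDO = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET dryrun = %d\n", DONTDO);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_inform].lval) == 0)
            {
                INFORM = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET inform = %d\n", INFORM);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_verbose].lval) == 0)
            {
                VERBOSE = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET verbose = %d\n", VERBOSE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_repository].lval) == 0)
            {
                SetRepositoryLocation(retval.item);
                CfOut(cf_verbose, "", "SET repository = %s\n", ScalarRvalValue(retval));
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_skipidentify].lval) == 0)
            {
                bool enabled = GetBoolean(retval.item);

                SetSkipIdentify(enabled);
                CfOut(cf_verbose, "", "SET skipidentify = %d\n", (int) enabled);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_suspiciousnames].lval) == 0)
            {
                for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    AddFilenameToListOfSuspicious(ScalarValue(rp));
                    CfOut(cf_verbose, "", "-> Considering %s as suspicious file", ScalarValue(rp));
                }
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_repchar].lval) == 0)
            {
                char c = *(char *) retval.item;

                SetRepositoryChar(c);
                CfOut(cf_verbose, "", "SET repchar = %c\n", c);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_mountfilesystems].lval) == 0)
            {
                CF_MOUNTALL = GetBoolean(retval.item);
                CfOut(cf_verbose, "", "SET mountfilesystems = %d\n", CF_MOUNTALL);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_editfilesize].lval) == 0)
            {
                EDITFILESIZE = Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET EDITFILESIZE = %d\n", EDITFILESIZE);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_ifelapsed].lval) == 0)
            {
                VIFELAPSED = Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET ifelapsed = %d\n", VIFELAPSED);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_expireafter].lval) == 0)
            {
                VEXPIREAFTER = Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET expireafter = %d\n", VEXPIREAFTER);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_timeout].lval) == 0)
            {
                CONNTIMEOUT = Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET timeout = %jd\n", (intmax_t) CONNTIMEOUT);
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_max_children].lval) == 0)
            {
                CFA_BACKGROUND_LIMIT = Str2Int(retval.item);
                CfOut(cf_verbose, "", "SET MAX_CHILDREN = %d\n", CFA_BACKGROUND_LIMIT);

                /* Clamp runaway values back to a single child. */
                if (CFA_BACKGROUND_LIMIT > 10)
                {
                    CfOut(cf_error, "", "Silly value for max_children in agent control promise (%d > 10)", CFA_BACKGROUND_LIMIT);
                    CFA_BACKGROUND_LIMIT = 1;
                }
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_syslog].lval) == 0)
            {
                CfOut(cf_verbose, "", "SET syslog = %d\n", GetBoolean(retval.item));
                continue;
            }

            if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_environment].lval) == 0)
            {
                CfOut(cf_verbose, "", "SET environment variables from ...\n");

                /* putenv stores the policy-owned string itself; the list must
                 * therefore stay alive for the rest of the run. */
                for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
                {
                    if (putenv(rp->item) != 0)
                    {
                        CfOut(cf_error, "putenv", "Failed to set environment variable %s", ScalarValue(rp));
                    }
                }
                continue;
            }
        }
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval) != DATA_TYPE_NONE)
    {
        /* Policy value is in minutes, the global is seconds. */
        LASTSEENEXPIREAFTER = Str2Int(retval.item) * 60;
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_fips_mode].lval, &retval) != DATA_TYPE_NONE)
    {
        FIPS_MODE = GetBoolean(retval.item);
        CfOut(cf_verbose, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_port].lval, &retval) != DATA_TYPE_NONE)
    {
        SetSyslogPort(Str2Int(retval.item));
        CfOut(cf_verbose, "", "SET syslog_port to %s", ScalarRvalValue(retval));
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_host].lval, &retval) != DATA_TYPE_NONE)
    {
        SetSyslogHost(Hostname2IPString(retval.item));
        CfOut(cf_verbose, "", "SET syslog_host to %s", Hostname2IPString(retval.item));
    }

#ifdef HAVE_NOVA
    Nova_Initialize();
#endif
}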
/*
 * Scan a resolved policy-server string and raise the caller's flags:
 * *alpha when a letter or unexpected punctuation is seen (the lookup most
 * likely returned the name unchanged), *v6 when a ':' is seen.  The flags
 * are only ever set, never cleared, matching how they were shared across
 * options in the original loop.
 */
static void NotePolicyServerCharacters(const char *address, int *alpha, int *v6)
{
    for (const char *p = address; *p != '\0'; p++)
    {
        if (isalpha((int) *p))
        {
            *alpha = true;
        }

        if (ispunct((int) *p) && *p != ':' && *p != '.')
        {
            *alpha = true;
        }

        if (*p == ':')
        {
            *v6 = true;
        }
    }
}

/*
 * Parse cf-agent's command line into a fresh GenericAgentConfig.
 *
 * Most options set process-wide globals (MINUSF, DEBUG, BOOTSTRAP, ...);
 * -f and -b are recorded in the returned config.  -s resolves the given
 * policy server and stores its address in POLICY_SERVER, refusing loopback
 * addresses and names that did not resolve.  Informational options (-V,
 * -h, -M, -x) print and exit.  A stray non-option argument is fatal.
 */
static GenericAgentConfig *CheckOpts(int argc, char **argv)
{
    extern char *optarg;
    int longindex = 0;
    int opt;
    int looks_alpha = false;
    int looks_v6 = false;
    GenericAgentConfig *config = GenericAgentConfigNewDefault(AGENT_TYPE_AGENT);

    /* Because of the MacOS linker we have to call this from each agent
     * individually before Generic Initialize */
    POLICY_SERVER[0] = '\0';

    while ((opt = getopt_long(argc, argv, "rdvnKIf:D:N:Vs:x:MBb:h", OPTIONS, &longindex)) != EOF)
    {
        switch ((char) opt)
        {
        case 'f':
            if (optarg && strlen(optarg) < 5)
            {
                FatalError(" -f used but argument \"%s\" incorrect", optarg);
            }
            GenericAgentConfigSetInputFile(config, optarg);
            MINUSF = true;
            break;

        case 'b':
            if (optarg)
            {
                config->bundlesequence = SplitStringAsRList(optarg, ',');
                CBUNDLESEQUENCE_STR = optarg;
            }
            break;

        case 'd':
            HardClass("opt_debug");
            DEBUG = true;
            break;

        case 'B':
            BOOTSTRAP = true;
            MINUSF = true;
            GenericAgentConfigSetInputFile(config, "promises.cf");
            IGNORELOCK = true;
            HardClass("bootstrap_mode");
            break;

        case 's':
            if (IsLoopbackAddress(optarg))
            {
                FatalError("Use a non-loopback address when bootstrapping");
            }

            // temporary assure that network functions are working
            OpenNetwork();
            strncpy(POLICY_SERVER, Hostname2IPString(optarg), CF_BUFSIZE - 1);
            CloseNetwork();

            NotePolicyServerCharacters(POLICY_SERVER, &looks_alpha, &looks_v6);

            if (looks_alpha && !looks_v6)
            {
                FatalError("Error specifying policy server. The policy server's IP address could not be looked up. Please use the IP address instead if there is no error.");
            }
            break;

        case 'K':
            IGNORELOCK = true;
            break;

        case 'D':
            NewClassesFromString(optarg);
            break;

        case 'N':
            NegateClassesFromString(optarg);
            break;

        case 'I':
            INFORM = true;
            break;

        case 'v':
            VERBOSE = true;
            break;

        case 'n':
            DONTDO = true;
            IGNORELOCK = true;
            HardClass("opt_dry_run");
            break;

        case 'V':
            PrintVersionBanner("cf-agent");
            exit(0);

        case 'h':
            Syntax("cf-agent - cfengine's change agent", OPTIONS, HINTS, ID);
            exit(0);

        case 'M':
            ManPage("cf-agent - cfengine's change agent", OPTIONS, HINTS, ID);
            exit(0);

        case 'x':
            CfOut(cf_error, "", "Self-diagnostic functionality is retired");
            exit(0);

        case 'r':
            SHOWREPORTS = true;
            break;

        default:
            Syntax("cf-agent - cfengine's change agent", OPTIONS, HINTS, ID);
            exit(1);
        }
    }

    if (argv[optind] != NULL)
    {
        CfOut(cf_error, "", "Unexpected argument with no preceding option: %s\n", argv[optind]);
        FatalError("Aborted");
    }

    CfDebug("Set debugging\n");

    return config;
}
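/*
 * Contact one remote agent named in HOST ("name" or "name:port") and run
 * the exec exchange with it.
 *
 * In interactive mode, when no public key is on file for the peer (looked
 * up by name and by address), the operator is asked on the terminal
 * whether to accept the key on trust; the answer sets fc.trustkey for this
 * connection only.  Otherwise trustkey stays false.
 *
 * Returns true when the exchange completed, false when there was nothing
 * to connect to or no server answered.
 */
static int HailServer(EvalContext *ctx, char *host)
{
    AgentConnection *conn;
    char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE];
    char peer[CF_MAXVARSIZE], ipv4[CF_MAXVARSIZE], digest[CF_MAXVARSIZE];
    char user[CF_SMALLBUF];
    bool gotkey;
    char reply[8];

    FileCopy fc = {
        .portnumber = (short) ParseHostname(host, peer),
    };

    snprintf(ipv4, CF_MAXVARSIZE, "%s", Hostname2IPString(peer));
    Address2Hostkey(ipv4, digest);
    GetCurrentUserName(user, CF_SMALLBUF);

    if (INTERACTIVE)
    {
        CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> Using interactive key trust...\n");

        gotkey = HavePublicKey(user, peer, digest) != NULL;

        if (!gotkey)
        {
            gotkey = HavePublicKey(user, ipv4, digest) != NULL;
        }

        if (!gotkey)
        {
            printf("WARNING - You do not have a public key from host %s = %s\n", host, ipv4);
            printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");

            while (true)
            {
                if (fgets(reply, sizeof(reply), stdin) == NULL)
                {
                    FatalError(ctx, "EOF trying to read answer from terminal");
                }

                /* Chop must be bounded by the reply buffer itself; the
                 * original passed CF_EXPANDSIZE, far larger than 8 bytes. */
                if (Chop(reply, sizeof(reply)) == -1)
                {
                    CfOut(OUTPUT_LEVEL_ERROR, "", "Chop was called on a string that seemed to have no terminator");
                }

                if (strcmp(reply, "yes") == 0)
                {
                    printf(" -> Will trust the key...\n");
                    fc.trustkey = true;
                    break;
                }
                else if (strcmp(reply, "no") == 0)
                {
                    printf(" -> Will not trust the key...\n");
                    fc.trustkey = false;
                    break;
                }
                else
                {
                    printf(" !! Please reply yes or no...(%s)\n", reply);
                }
            }
        }
    }

    /* Continue */

#ifdef __MINGW32__
    CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
    CfOut(OUTPUT_LEVEL_INFORM, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, fc.portnumber, REMOTE_AGENT_OPTIONS);
    CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
#else /* !__MINGW32__ */
    if (BACKGROUND)
    {
        CfOut(OUTPUT_LEVEL_INFORM, "", "Hailing %s : %u, with options \"%s\" (parallel)\n", peer, fc.portnumber, REMOTE_AGENT_OPTIONS);
    }
    else
    {
        CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
        CfOut(OUTPUT_LEVEL_INFORM, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, fc.portnumber, REMOTE_AGENT_OPTIONS);
        CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
    }
#endif /* !__MINGW32__ */

    fc.servers = RlistFromSplitString(peer, '*');

    if (fc.servers == NULL || strcmp(fc.servers->item, "localhost") == 0)
    {
        CfOut(OUTPUT_LEVEL_INFORM, "", "No hosts are registered to connect to");

        /* The split list was allocated above and must not leak on this
         * early return. */
        if (fc.servers != NULL)
        {
            RlistDestroy(fc.servers);
        }
        return false;
    }
    else
    {
        int err = 0;

        conn = NewServerConnection(fc, false, &err);

        if (conn == NULL)
        {
            RlistDestroy(fc.servers);
            CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> No suitable server responded to hail\n");
            return false;
        }
    }

    /* Check trust interaction*/

    HailExec(conn, peer, recvbuffer, sendbuffer);

    RlistDestroy(fc.servers);
    return true;
}

/********************************************************************/
/* Level 2                                                          */
/********************************************************************/

/*
 * Apply the "body runagent control" settings to RUNATTR and the runagent
 * globals.
 *
 * Connection defaults (no trust, encryption on, IPv4 not forced, default
 * port) are set first; each defined constraint of the runagent control body
 * is then matched by name.  Command-line choices win over policy for
 * background_children and for the host list.  The common lastseen expiry is
 * read at the end.
 */
static void KeepControlPromises(EvalContext *ctx, Policy *policy)
{
    Rval retval;

    RUNATTR.copy.trustkey = false;
    RUNATTR.copy.encrypt = true;
    RUNATTR.copy.force_ipv4 = false;
    RUNATTR.copy.portnumber = SHORT_CFENGINEPORT;

    /* Keep promised agent behaviour - control bodies */

    Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);

    if (constraints)
    {
        for (size_t i = 0; i < SeqLength(constraints); i++)
        {
            Constraint *cp = SeqAt(constraints, i);

            if (!IsDefinedClass(ctx, cp->classes, NULL))
            {
                continue;
            }

            if (!EvalContextVariableGet(ctx, (VarRef) { NULL, "control_runagent", cp->lval }, &retval, NULL))
            {
                CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in runagent control body", cp->lval);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
            {
                RUNATTR.copy.force_ipv4 = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET force_ipv4 = %d\n", RUNATTR.copy.force_ipv4);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
            {
                /* Accepting unknown server keys from policy bypasses the
                 * interactive confirmation above; enable deliberately. */
                RUNATTR.copy.trustkey = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET trustkey = %d\n", RUNATTR.copy.trustkey);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
            {
                RUNATTR.copy.encrypt = BooleanFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET encrypt = %d\n", RUNATTR.copy.encrypt);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
            {
                RUNATTR.copy.portnumber = (short) IntFromString(retval.item);
                CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET default portnumber = %u\n", (int) RUNATTR.copy.portnumber);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
            {
                /*
                 * Only process this option if are is no -b or -i options specified on
                 * command line.
                 */
                if (BACKGROUND || INTERACTIVE)
                {
                    CfOut(OUTPUT_LEVEL_ERROR, "", "Warning: 'background_children' setting from 'body runagent control' is overriden by command-line option.");
                }
                else
                {
                    BACKGROUND = BooleanFromString(retval.item);
                }
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
            {
                MAXCHILD = (short) IntFromString(retval.item);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
            {
                OUTPUT_TO_FILE = BooleanFromString(retval.item);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
            {
                /* Relative paths are silently ignored. */
                if (IsAbsPath(retval.item))
                {
                    strncpy(OUTPUT_DIRECTORY, retval.item, CF_BUFSIZE - 1);
                    CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET output direcory to = %s\n", OUTPUT_DIRECTORY);
                }
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
            {
                RUNATTR.copy.timeout = (short) IntFromString(retval.item);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
            {
                if (HOSTLIST == NULL) // Don't override if command line setting
                {
                    HOSTLIST = retval.item;
                }
                continue;
            }
        }
    }

    if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER, &retval))
    {
        /* Policy value is in minutes, the global is seconds. */
        LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
    }
}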
/*
 * Hail a single "host[:port]" entry from the host list.
 *
 * Resolves the host name, optionally asks the operator whether an unknown
 * server key may be accepted on trust (interactive mode only), opens the
 * connection and sends the EXEC command via HailExec().
 *
 * Returns true when the hail was sent, false when the entry was skipped
 * (no host / "localhost"), the name could not be resolved, or the
 * connection failed.  Errors are logged, not propagated.
 */
static int HailServer(const EvalContext *ctx, const GenericAgentConfig *config, char *host)
{
    assert(host != NULL);

    AgentConnection *conn;
    char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], hostkey[CF_HOSTKEY_STRING_SIZE], user[CF_SMALLBUF];
    bool gotkey;
    char reply[8];
    /* Only becomes true when the operator explicitly answers "yes" below. */
    bool trustkey = false;

    char *hostname, *port;
    ParseHostPort(host, &hostname, &port);

    if (hostname == NULL || strcmp(hostname, "localhost") == 0) {
        Log(LOG_LEVEL_INFO, "No remote hosts were specified to connect to");
        return false;
    }

    /* Default cf-serverd port when the entry carries none. */
    if (port == NULL) {
        port = "5308";
    }

    char ipaddr[CF_MAX_IP_LEN];
    if (Hostname2IPString(ipaddr, hostname, sizeof(ipaddr)) == -1) {
        Log(LOG_LEVEL_ERR, "HailServer: ERROR, could not resolve '%s'", hostname);
        return false;
    }

    Address2Hostkey(hostkey, sizeof(hostkey), ipaddr);
    GetCurrentUserName(user, CF_SMALLBUF);

    if (INTERACTIVE) {
        Log(LOG_LEVEL_VERBOSE, "Using interactive key trust...");
        /* Look the key up by IP address only; a NULL result means we have
         * never stored a public key for this peer. */
        gotkey = HavePublicKey(user, ipaddr, hostkey) != NULL;

        if (!gotkey) {
            /* TODO print the hash of the connecting host. But to do that we
             * should open the connection first, and somehow pass that hash
             * here! redmine#7212 */
            printf("WARNING - You do not have a public key from host %s = %s\n", hostname, ipaddr);
            printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");

            /* reply holds at most 7 characters; fgets() leaves any longer
             * input in stdin, so an over-long answer is re-prompted in chunks. */
            while (true) {
                if (fgets(reply, sizeof(reply), stdin) == NULL) {
                    FatalError(ctx, "EOF trying to read answer from terminal");
                }

                if (Chop(reply, CF_EXPANDSIZE) == -1) {
                    Log(LOG_LEVEL_ERR, "Chop was called on a string that seemed to have no terminator");
                }

                if (strcmp(reply, "yes") == 0) {
                    printf("Will trust the key...\n");
                    trustkey = true;
                    break;
                } else if (strcmp(reply, "no") == 0) {
                    printf("Will not trust the key...\n");
                    trustkey = false;
                    break;
                } else {
                    printf("Please reply yes or no...(%s)\n", reply);
                }
            }
        }
    }

#ifndef __MINGW32__
    if (BACKGROUND) {
        Log(LOG_LEVEL_INFO, "Hailing %s : %s (in the background)", hostname, port);
    } else
#endif
    {
        Log(LOG_LEVEL_INFO, "........................................................................");
        Log(LOG_LEVEL_INFO, "Hailing %s : %s", hostname, port);
        Log(LOG_LEVEL_INFO, "........................................................................");
    }

    /* trust_server carries the operator's answer: with it set, a server key
     * we have not seen before is accepted on first contact rather than
     * rejected.  It stays false unless the operator answered "yes". */
    ConnectionFlags connflags = {
        .protocol_version = config->protocol_version,
        .trust_server = trustkey
    };
    int err = 0;
    conn = ServerConnection(hostname, port, CONNTIMEOUT, connflags, &err);

    if (conn == NULL) {
        Log(LOG_LEVEL_ERR, "Failed to connect to host: %s", hostname);
        return false;
    }

    /* Send EXEC command. */
    HailExec(conn, hostname, recvbuffer, sendbuffer);
    return true;
}

/********************************************************************/
/* Level 2 */
/********************************************************************/

/*
 * Apply the settings of "body runagent control" to the runagent globals.
 *
 * Each constraint is class-guarded; those whose guard is not defined in
 * ctx are skipped.  Options that also exist on the command line never
 * override a value already given there (background_children vs. -b/-i,
 * and the host list).  Several options are recognised but intentionally
 * ignored here.  Finally the common lastseen_expire_after value (minutes)
 * is converted to seconds.
 */
static void KeepControlPromises(EvalContext *ctx, const Policy *policy)
{
    Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
    if (constraints) {
        for (size_t i = 0; i < SeqLength(constraints); i++) {
            Constraint *cp = SeqAt(constraints, i);

            if (!IsDefinedClass(ctx, cp->classes)) {
                continue;
            }

            VarRef *ref = VarRefParseFromScope(cp->lval, "control_runagent");
            const void *value = EvalContextVariableGet(ctx, ref, NULL);
            VarRefDestroy(ref);

            if (!value) {
                Log(LOG_LEVEL_ERR, "Unknown lval '%s' in runagent control body", cp->lval);
                continue;
            }

            /* Accepted for compatibility but not acted on in this function. */
            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0) {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0) {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0) {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0) {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0) {
                /*
                 * Only process this option if there are no -b or -i options
                 * specified on the command line.
                 */
                if (BACKGROUND || INTERACTIVE) {
                    Log(LOG_LEVEL_WARNING, "'background_children' setting from 'body runagent control' is overridden by command-line option.");
                } else {
                    BACKGROUND = BooleanFromString(value);
                }
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0) {
                /* Truncated to short; values outside that range wrap silently. */
                MAXCHILD = (short) IntFromString(value);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0) {
                OUTPUT_TO_FILE = BooleanFromString(value);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0) {
                /* Relative paths are ignored without a message. */
                if (IsAbsPath(value)) {
                    strlcpy(OUTPUT_DIRECTORY, value, CF_BUFSIZE);
                    Log(LOG_LEVEL_VERBOSE, "Setting output direcory to '%s'", OUTPUT_DIRECTORY);
                }
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0) {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0) {
                if (HOSTLIST == NULL) // Don't override if command line setting
                {
                    HOSTLIST = value;
                }
                continue;
            }
        }
    }

    /* Policy value is in minutes; the global is kept in seconds. */
    const char *expire_after = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
    if (expire_after) {
        LASTSEENEXPIREAFTER = IntFromString(expire_after) * 60;
    }
}
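/*
 * Hail a single host from the host list.
 *
 * Parses "host[:port]" into peer/port, resolves the peer, optionally asks
 * the operator whether an unknown server key may be accepted on trust
 * (interactive mode only), connects and runs HailExec().
 *
 * Returns true when the hail was sent, false when the entry was skipped,
 * unresolvable, or no server answered.  Errors are logged, not propagated.
 *
 * fc.servers is owned by this function and released on every path that
 * allocates it (previously it leaked on the "localhost" early return).
 */
static int HailServer(EvalContext *ctx, char *host)
{
    AgentConnection *conn;
    char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], peer[CF_MAXVARSIZE], digest[CF_MAXVARSIZE], user[CF_SMALLBUF];
    bool gotkey;
    char reply[8];

    /* ParseHostname() fills peer and yields the port; trustkey starts false
     * and is only set by an explicit "yes" from the operator below. */
    FileCopy fc = {
        .portnumber = (unsigned short) ParseHostname(host, peer),
    };

    char ipaddr[CF_MAX_IP_LEN];
    if (Hostname2IPString(ipaddr, peer, sizeof(ipaddr)) == -1) {
        Log(LOG_LEVEL_ERR, "HailServer: ERROR, could not resolve '%s'", peer);
        return false;
    }

    Address2Hostkey(ipaddr, digest);
    GetCurrentUserName(user, CF_SMALLBUF);

    if (INTERACTIVE) {
        Log(LOG_LEVEL_VERBOSE, "Using interactive key trust...");

        /* A stored key may be filed under either the name or the address. */
        gotkey = HavePublicKey(user, peer, digest) != NULL;
        if (!gotkey) {
            gotkey = HavePublicKey(user, ipaddr, digest) != NULL;
        }

        if (!gotkey) {
            printf("WARNING - You do not have a public key from host %s = %s\n", host, ipaddr);
            printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");

            /* reply holds at most 7 characters; longer input stays in stdin
             * and is re-prompted chunk by chunk. */
            while (true) {
                if (fgets(reply, sizeof(reply), stdin) == NULL) {
                    FatalError(ctx, "EOF trying to read answer from terminal");
                }

                if (Chop(reply, CF_EXPANDSIZE) == -1) {
                    Log(LOG_LEVEL_ERR, "Chop was called on a string that seemed to have no terminator");
                }

                if (strcmp(reply, "yes") == 0) {
                    printf("Will trust the key...\n");
                    fc.trustkey = true;
                    break;
                } else if (strcmp(reply, "no") == 0) {
                    printf("Will not trust the key...\n");
                    fc.trustkey = false;
                    break;
                } else {
                    printf("Please reply yes or no...(%s)\n", reply);
                }
            }
        }
    }

    /* Continue */
#ifdef __MINGW32__
    if (LEGACY_OUTPUT) {
        Log(LOG_LEVEL_INFO, "...........................................................................");
        Log(LOG_LEVEL_INFO, " * Hailing %s : %u, with options \"%s\" (serial)", peer, fc.portnumber, REMOTE_AGENT_OPTIONS);
        Log(LOG_LEVEL_INFO, "...........................................................................");
    } else {
        Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (serial)", peer, fc.portnumber, REMOTE_AGENT_OPTIONS);
    }
#else /* !__MINGW32__ */
    if (BACKGROUND) {
        Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (parallel)", peer, fc.portnumber, REMOTE_AGENT_OPTIONS);
    } else {
        if (LEGACY_OUTPUT) {
            Log(LOG_LEVEL_INFO, "...........................................................................");
            Log(LOG_LEVEL_INFO, " * Hailing %s : %u, with options \"%s\" (serial)", peer, fc.portnumber, REMOTE_AGENT_OPTIONS);
            Log(LOG_LEVEL_INFO, "...........................................................................");
        } else {
            Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (serial)", peer, fc.portnumber, REMOTE_AGENT_OPTIONS);
        }
    }
#endif /* !__MINGW32__ */

    fc.servers = RlistFromSplitString(peer, '*');

    if (fc.servers == NULL || strcmp(RlistScalarValue(fc.servers), "localhost") == 0) {
        Log(LOG_LEVEL_INFO, "No hosts are registered to connect to");
        /* The list was allocated above; release it on this early return too.
         * Guarded because RlistDestroy()'s NULL handling is not visible here. */
        if (fc.servers != NULL) {
            RlistDestroy(fc.servers);
        }
        return false;
    }

    int err = 0;
    conn = NewServerConnection(fc, false, &err, -1);

    if (conn == NULL) {
        RlistDestroy(fc.servers);
        Log(LOG_LEVEL_VERBOSE, "No suitable server responded to hail");
        return false;
    }

    /* Check trust interaction*/
    HailExec(conn, peer, recvbuffer, sendbuffer);
    RlistDestroy(fc.servers);
    return true;
}

/********************************************************************/
/* Level 2 */
/********************************************************************/

/*
 * Apply the settings of "body runagent control" to the runagent globals.
 *
 * Class-guarded constraints whose guard is not defined in ctx are skipped.
 * Options that also exist on the command line never override a value
 * already given there (background_children vs. -b/-i, and the host list).
 * Several options are recognised but intentionally ignored here.  Finally
 * the common lastseen_expire_after value (minutes) is stored in seconds.
 */
static void KeepControlPromises(EvalContext *ctx, const Policy *policy)
{
    Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
    if (constraints) {
        for (size_t i = 0; i < SeqLength(constraints); i++) {
            Constraint *cp = SeqAt(constraints, i);

            if (!IsDefinedClass(ctx, cp->classes)) {
                continue;
            }

            VarRef *ref = VarRefParseFromScope(cp->lval, "control_runagent");
            const void *value = EvalContextVariableGet(ctx, ref, NULL);
            VarRefDestroy(ref);

            if (!value) {
                Log(LOG_LEVEL_ERR, "Unknown lval '%s' in runagent control body", cp->lval);
                continue;
            }

            /* Accepted for compatibility but not acted on in this function. */
            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0) {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0) {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0) {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0) {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0) {
                /*
                 * Only process this option if there are no -b or -i options
                 * specified on the command line.
                 */
                if (BACKGROUND || INTERACTIVE) {
                    Log(LOG_LEVEL_WARNING, "'background_children' setting from 'body runagent control' is overridden by command-line option.");
                } else {
                    BACKGROUND = BooleanFromString(value);
                }
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0) {
                /* Truncated to short; values outside that range wrap silently. */
                MAXCHILD = (short) IntFromString(value);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0) {
                OUTPUT_TO_FILE = BooleanFromString(value);
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0) {
                /* Relative paths are ignored without a message. */
                if (IsAbsPath(value)) {
                    /* strncpy() does not terminate on truncation; the copy
                     * leaves the last byte untouched, so terminate explicitly. */
                    strncpy(OUTPUT_DIRECTORY, value, CF_BUFSIZE - 1);
                    OUTPUT_DIRECTORY[CF_BUFSIZE - 1] = '\0';
                    Log(LOG_LEVEL_VERBOSE, "Setting output direcory to '%s'", OUTPUT_DIRECTORY);
                }
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0) {
                continue;
            }

            if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0) {
                if (HOSTLIST == NULL) // Don't override if command line setting
                {
                    HOSTLIST = value;
                }
                continue;
            }
        }
    }

    /* Policy value is in minutes; the global is kept in seconds. */
    const char *expire_after = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
    if (expire_after) {
        LASTSEENEXPIREAFTER = IntFromString(expire_after) * 60;
    }
}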
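/*
 * Record that we just saw `hostname` in the given role (accepted a
 * connection from it, or connected to it) in the last-seen database.
 *
 * The record key is "-<ip>" for cf_accept and "+<ip>" for cf_connect.
 * The stored QPoint keeps the time of this sighting plus a geometric
 * running average of the interval between sightings and of its variance.
 * A sighting older than LastSeenExpireAfter (days, default CF_WEEK)
 * deletes the record instead of updating it.  A per-host file receives
 * the same sample keyed by time.
 *
 * Every failure path closes the DB handles it has created (Berkeley DB
 * requires DB->close() even after a failed DB->open()), and an unknown
 * role is rejected instead of using an uninitialised key.
 */
void LastSeen(char *hostname, enum roles role)
{
    DB *dbp, *dbpent;
    DB_ENV *dbenv = NULL, *dbenv2 = NULL;
    char name[CF_BUFSIZE], databuf[CF_BUFSIZE];
    time_t now = time(NULL);
    struct QPoint q, newq;
    double lastseen, delta2;
    int lsea = -1;

    if (strlen(hostname) == 0) {
        snprintf(OUTPUT, CF_BUFSIZE, "LastSeen registry for empty hostname with role %d", role);
        CfLog(cflogonly, OUTPUT, "");
        return;
    }

    Debug("LastSeen(%s) reg\n", hostname);

    /* Tidy old versions - temporary */
    snprintf(name, CF_BUFSIZE - 1, "%s/%s", CFWORKDIR, CF_OLDLASTDB_FILE);
    unlink(name);

    /* Build the real path first so failure messages name the right file. */
    snprintf(name, CF_BUFSIZE - 1, "%s/%s", CFWORKDIR, CF_LASTDB_FILE);

    /* errno is set so CfLog's third argument reports the BDB error text. */
    if ((errno = db_create(&dbp, dbenv, 0)) != 0) {
        snprintf(OUTPUT, CF_BUFSIZE * 2, "Couldn't init last-seen database %s\n", name);
        CfLog(cferror, OUTPUT, "db_open");
        return;
    }

#ifdef CF_OLD_DB
    if ((errno = (dbp->open)(dbp, name, NULL, DB_BTREE, DB_CREATE, 0644)) != 0)
#else
    if ((errno = (dbp->open)(dbp, NULL, name, NULL, DB_BTREE, DB_CREATE, 0644)) != 0)
#endif
    {
        snprintf(OUTPUT, CF_BUFSIZE * 2, "Couldn't open last-seen database %s\n", name);
        CfLog(cferror, OUTPUT, "db_open");
        dbp->close(dbp, 0);
        return;
    }

    /* Now open special file for peer entropy record - INRIA intermittency */
    snprintf(name, CF_BUFSIZE - 1, "%s/%s.%s", CFWORKDIR, CF_LASTDB_FILE, hostname);

    if ((errno = db_create(&dbpent, dbenv2, 0)) != 0) {
        snprintf(OUTPUT, CF_BUFSIZE * 2, "Couldn't init last-seen database %s\n", name);
        CfLog(cferror, OUTPUT, "db_open");
        dbp->close(dbp, 0);
        return;
    }

#ifdef CF_OLD_DB
    if ((errno = (dbpent->open)(dbpent, name, NULL, DB_BTREE, DB_CREATE, 0644)) != 0)
#else
    if ((errno = (dbpent->open)(dbpent, NULL, name, NULL, DB_BTREE, DB_CREATE, 0644)) != 0)
#endif
    {
        snprintf(OUTPUT, CF_BUFSIZE * 2, "Couldn't open last-seen database %s\n", name);
        CfLog(cferror, OUTPUT, "db_open");
        dbpent->close(dbpent, 0);
        dbp->close(dbp, 0);
        return;
    }

    /* Hostname2IPString() is called under MUTEX_GETADDR, as elsewhere in
     * this file; presumably because the resolver it uses is not
     * thread-safe -- confirm before changing the locking. */
#ifdef HAVE_PTHREAD_H
    if (pthread_mutex_lock(&MUTEX_GETADDR) != 0) {
        CfLog(cferror, "pthread_mutex_lock failed", "unlock");
        exit(1);
    }
#endif

    switch (role) {
    case cf_accept:
        snprintf(databuf, CF_BUFSIZE - 1, "-%s", Hostname2IPString(hostname));
        break;
    case cf_connect:
        snprintf(databuf, CF_BUFSIZE - 1, "+%s", Hostname2IPString(hostname));
        break;
    default:
        /* Without this branch databuf would be used uninitialised below. */
        snprintf(OUTPUT, CF_BUFSIZE, "LastSeen called with unknown role %d for %s", role, hostname);
        CfLog(cferror, OUTPUT, "");
        dbp->close(dbp, 0);
        dbpent->close(dbpent, 0);
#ifdef HAVE_PTHREAD_H
        if (pthread_mutex_unlock(&MUTEX_GETADDR) != 0) {
            CfLog(cferror, "pthread_mutex_unlock failed", "unlock");
            exit(1);
        }
#endif
        return;
    }

#ifdef HAVE_PTHREAD_H
    if (pthread_mutex_unlock(&MUTEX_GETADDR) != 0) {
        CfLog(cferror, "pthread_mutex_unlock failed", "unlock");
        exit(1);
    }
#endif

    /* Expiry is configured in days; negative or absent falls back to a week. */
    if (GetMacroValue(CONTEXTID, "LastSeenExpireAfter")) {
        lsea = atoi(GetMacroValue(CONTEXTID, "LastSeenExpireAfter"));
        lsea *= CF_TICKS_PER_DAY;
    }

    if (lsea < 0) {
        lsea = CF_WEEK;
    }

    if (ReadDB(dbp, databuf, &q, sizeof(q))) {
        lastseen = (double) now - q.q;
        newq.q = (double) now;  /* Last seen is now-then */
        newq.expect = GAverage(lastseen, q.expect, 0.3);
        delta2 = (lastseen - q.expect) * (lastseen - q.expect);
        newq.var = GAverage(delta2, q.var, 0.3);
    } else {
        /* First sighting: no interval history yet. */
        lastseen = 0.0;
        newq.q = (double) now;
        newq.expect = 0.0;
        newq.var = 0.0;
    }

#ifdef HAVE_PTHREAD_H
    if (pthread_mutex_lock(&MUTEX_GETADDR) != 0) {
        CfLog(cferror, "pthread_mutex_lock failed", "unlock");
        exit(1);
    }
#endif

    if (lastseen > (double) lsea) {
        Verbose("Last seen %s expired\n", databuf);
        DeleteDB(dbp, databuf);
    } else {
        WriteDB(dbp, databuf, &newq, sizeof(newq));
        WriteDB(dbpent, GenTimeKey(now), &newq, sizeof(newq));
    }

#ifdef HAVE_PTHREAD_H
    if (pthread_mutex_unlock(&MUTEX_GETADDR) != 0) {
        CfLog(cferror, "pthread_mutex_unlock failed", "unlock");
        exit(1);
    }
#endif

    dbp->close(dbp, 0);
    dbpent->close(dbpent, 0);
}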
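/*
 * Apply the settings of "body agent control" to the agent globals.
 *
 * Constraints already handled by the common control body are skipped;
 * unknown lvals are reported.  Each recognised option sets its global and
 * logs the new value at verbose level.  Afterwards the few common-body
 * values the agent itself needs (lastseen expiry, FIPS mode, syslog host
 * and port) are read.
 *
 * Fixes relative to the previous version: refresh_processes is now
 * registered regardless of -v (it was only applied inside the verbose
 * branch), boolean and pointer values are printed with matching format
 * specifiers, the verbose/expireafter messages carry the right label,
 * and the strdup() feeding putenv() is checked.
 */
void KeepControlPromises()
{
    struct Constraint *cp;
    char rettype;
    void *retval;
    struct Rlist *rp;

    for (cp = ControlBodyConstraints(cf_agent); cp != NULL; cp = cp->next) {
        if (IsExcluded(cp->classes)) {
            continue;
        }

        if (GetVariable("control_common", cp->lval, &retval, &rettype) != cf_notype) {
            /* Already handled in generic_agent */
            continue;
        }

        if (GetVariable("control_agent", cp->lval, &retval, &rettype) == cf_notype) {
            CfOut(cf_error, "", "Unknown lval %s in agent control body", cp->lval);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_maxconnections].lval) == 0) {
            CFA_MAXTHREADS = (int) Str2Int(retval);
            CfOut(cf_verbose, "", "SET maxconnections = %d\n", CFA_MAXTHREADS);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_checksum_alert_time].lval) == 0) {
            CF_PERSISTENCE = (int) Str2Int(retval);
            CfOut(cf_verbose, "", "SET checksum_alert_time = %d\n", CF_PERSISTENCE);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_agentfacility].lval) == 0) {
            SetFacility(retval);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_agentaccess].lval) == 0) {
            ACCESSLIST = (struct Rlist *) retval;
            CheckAgentAccess(ACCESSLIST);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_refresh_processes].lval) == 0) {
            /* Register every listed name; only the listing itself is verbose-only. */
            if (VERBOSE) {
                printf("%s> SET refresh_processes when starting: ", VPREFIX);
            }
            for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next) {
                if (VERBOSE) {
                    printf(" %s", (char *) rp->item);
                }
                PrependItem(&PROCESSREFRESH, rp->item, NULL);
            }
            if (VERBOSE) {
                printf("\n");
            }
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_abortclasses].lval) == 0) {
            CfOut(cf_verbose, "", "SET Abort classes from ...\n");
            for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next) {
                /* Zero-initialised so the bounded copy is always terminated. */
                char name[CF_MAXVARSIZE] = "";
                strncpy(name, rp->item, CF_MAXVARSIZE - 1);
                CanonifyNameInPlace(name);
                if (!IsItemIn(ABORTHEAP, name)) {
                    AppendItem(&ABORTHEAP, name, cp->classes);
                }
            }
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_abortbundleclasses].lval) == 0) {
            CfOut(cf_verbose, "", "SET Abort bundle classes from ...\n");
            for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next) {
                char name[CF_MAXVARSIZE] = "";
                strncpy(name, rp->item, CF_MAXVARSIZE - 1);
                CanonifyNameInPlace(name);
                if (!IsItemIn(ABORTBUNDLEHEAP, name)) {
                    AppendItem(&ABORTBUNDLEHEAP, name, cp->classes);
                }
            }
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_addclasses].lval) == 0) {
            CfOut(cf_verbose, "", "-> Add classes ...\n");
            for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next) {
                CfOut(cf_verbose, "", " -> ... %s\n", rp->item);
                NewClass(rp->item);
            }
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_auditing].lval) == 0) {
            AUDIT = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET auditing = %d\n", AUDIT);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_alwaysvalidate].lval) == 0) {
            ALWAYS_VALIDATE = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET alwaysvalidate = %d\n", ALWAYS_VALIDATE);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_secureinput].lval) == 0) {
            CFPARANOID = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET secure input = %d\n", CFPARANOID);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_binarypaddingchar].lval) == 0) {
            /* Only the first character of the value is used. */
            PADCHAR = *(char *) retval;
            CfOut(cf_verbose, "", "SET binarypaddingchar = %c\n", PADCHAR);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_bindtointerface].lval) == 0) {
            strncpy(BINDINTERFACE, retval, CF_BUFSIZE - 1);
            CfOut(cf_verbose, "", "SET bindtointerface = %s\n", BINDINTERFACE);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_hashupdates].lval) == 0) {
            CHECKSUMUPDATES = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET ChecksumUpdates %d\n", CHECKSUMUPDATES);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_exclamation].lval) == 0) {
            EXCLAIM = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET exclamation %d\n", EXCLAIM);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_childlibpath].lval) == 0) {
            char output[CF_BUFSIZE];
            snprintf(output, CF_BUFSIZE, "LD_LIBRARY_PATH=%s", (char *) retval);

            /* putenv() keeps the pointer it is given, so the string must
             * outlive this function; hence the heap copy. */
            char *env = strdup(output);
            if (env == NULL) {
                CfOut(cf_error, "strdup", "Unable to allocate memory for %s", output);
            } else if (putenv(env) == 0) {
                CfOut(cf_verbose, "", "Setting %s\n", output);
            } else {
                /* A failed putenv() does not retain the string. */
                free(env);
            }
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_defaultcopytype].lval) == 0) {
            /* DEFAULT_COPYTYPE is a pointer; print it as a string. */
            DEFAULT_COPYTYPE = (char *) retval;
            CfOut(cf_verbose, "", "SET defaultcopytype = %s\n", DEFAULT_COPYTYPE);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_fsinglecopy].lval) == 0) {
            SINGLE_COPY_LIST = (struct Rlist *) retval;
            CfOut(cf_verbose, "", "SET file single copy list\n");
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_fautodefine].lval) == 0) {
            AUTO_DEFINE_LIST = (struct Rlist *) retval;
            CfOut(cf_verbose, "", "SET file auto define list\n");
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_dryrun].lval) == 0) {
            DONTDO = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET dryrun = %d\n", DONTDO);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_inform].lval) == 0) {
            INFORM = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET inform = %d\n", INFORM);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_verbose].lval) == 0) {
            VERBOSE = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET verbose = %d\n", VERBOSE);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_repository].lval) == 0) {
            VREPOSITORY = strdup(retval);
            if (VREPOSITORY == NULL) {
                CfOut(cf_error, "strdup", "Unable to allocate memory for repository setting");
            } else {
                CfOut(cf_verbose, "", "SET repository = %s\n", VREPOSITORY);
            }
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_skipidentify].lval) == 0) {
            SKIPIDENTIFY = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET skipidentify = %d\n", SKIPIDENTIFY);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_suspiciousnames].lval) == 0) {
            for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next) {
                PrependItem(&SUSPICIOUSLIST, rp->item, NULL);
                CfOut(cf_verbose, "", "-> Concidering %s as suspicious file", rp->item);
            }
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_repchar].lval) == 0) {
            REPOSCHAR = *(char *) retval;
            CfOut(cf_verbose, "", "SET repchar = %c\n", REPOSCHAR);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_mountfilesystems].lval) == 0) {
            CF_MOUNTALL = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET mountfilesystems = %d\n", CF_MOUNTALL);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_editfilesize].lval) == 0) {
            EDITFILESIZE = Str2Int(retval);
            CfOut(cf_verbose, "", "SET EDITFILESIZE = %d\n", EDITFILESIZE);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_ifelapsed].lval) == 0) {
            VIFELAPSED = Str2Int(retval);
            CfOut(cf_verbose, "", "SET ifelapsed = %d\n", VIFELAPSED);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_expireafter].lval) == 0) {
            VEXPIREAFTER = Str2Int(retval);
            CfOut(cf_verbose, "", "SET expireafter = %d\n", VEXPIREAFTER);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_timeout].lval) == 0) {
            CONNTIMEOUT = Str2Int(retval);
            CfOut(cf_verbose, "", "SET timeout = %d\n", CONNTIMEOUT);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_max_children].lval) == 0) {
            CFA_BACKGROUND_LIMIT = Str2Int(retval);
            CfOut(cf_verbose, "", "SET MAX_CHILDREN = %d\n", CFA_BACKGROUND_LIMIT);
            /* Cap runaway values back to a single child. */
            if (CFA_BACKGROUND_LIMIT > 10) {
                CfOut(cf_error, "", "Silly value for max_children in agent control promise (%d > 10)", CFA_BACKGROUND_LIMIT);
                CFA_BACKGROUND_LIMIT = 1;
            }
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_syslog].lval) == 0) {
            LOGGING = GetBoolean(retval);
            CfOut(cf_verbose, "", "SET syslog = %d\n", LOGGING);
            continue;
        }

        if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_environment].lval) == 0) {
            CfOut(cf_verbose, "", "SET environment variables from ...\n");
            /* putenv() stores rp->item itself, so these list entries must
             * stay alive for the process lifetime -- presumably the policy
             * keeps them; confirm if the list is ever freed. */
            for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next) {
                if (putenv(rp->item) != 0) {
                    CfOut(cf_error, "putenv", "Failed to set environment variable %s", rp->item);
                }
            }
            continue;
        }
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval, &rettype) != cf_notype) {
        LASTSEENEXPIREAFTER = Str2Int(retval);
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_fips_mode].lval, &retval, &rettype) != cf_notype) {
        FIPS_MODE = GetBoolean(retval);
        CfOut(cf_verbose, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_port].lval, &retval, &rettype) != cf_notype) {
        SYSLOGPORT = (unsigned short) Str2Int(retval);
        CfOut(cf_verbose, "", "SET syslog_port to %d", SYSLOGPORT);
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_host].lval, &retval, &rettype) != cf_notype) {
        /* Resolved once here; the syslog host is stored as an address. */
        strncpy(SYSLOGHOST, Hostname2IPString(retval), CF_MAXVARSIZE - 1);
        CfOut(cf_verbose, "", "SET syslog_host to %s", SYSLOGHOST);
    }

#ifdef HAVE_NOVA
    Nova_Initialize();
#endif
}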
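/*
 * Parse cf-agent's command line into the option globals.
 *
 * Uses getopt_long() with the short option string below and the shared
 * OPTIONS table.  Informational options (-V, -h, -M, -x) exit directly;
 * any unknown option prints the syntax and exits with status 1.  A
 * trailing argument that is not preceded by an option is fatal.
 *
 * Changes: getopt_long()'s end-of-options value is compared with -1 as
 * documented rather than EOF, <ctype.h> calls receive unsigned char
 * (negative char values are undefined there), and the error message is
 * bounded by the actual size of its buffer.
 */
void CheckOpts(int argc, char **argv)
{
    extern char *optarg;
    char arg[CF_BUFSIZE], *sp;
    int optindex = 0;
    int c, alpha = false, v6 = false;

    /* Because of the MacOS linker we have to call this from each agent individually before Generic Initialize */
    POLICY_SERVER[0] = '\0';

    while ((c = getopt_long(argc, argv, "rd:vnKIf:D:N:Vs:x:MBb:", OPTIONS, &optindex)) != -1) {
        switch ((char) c) {
        case 'f':
            if (optarg == NULL) {
                FatalError(" -f used but no argument");
            }

            /* Kept defensive in case FatalError() ever returns. */
            if (optarg && strlen(optarg) < 5) {
                snprintf(arg, sizeof(arg), " -f used but argument \"%s\" incorrect", optarg);
                FatalError(arg);
            }

            strncpy(VINPUTFILE, optarg, CF_BUFSIZE - 1);
            MINUSF = true;
            break;

        case 'b':
            if (optarg) {
                CBUNDLESEQUENCE = SplitStringAsRList(optarg, ',');
                CBUNDLESEQUENCE_STR = optarg;
            }
            break;

        case 'd':
            NewClass("opt_debug");
            /* -d alone behaves like an unrecognised level: plain DEBUG. */
            switch ((optarg == NULL) ? '3' : *optarg) {
            case '1':
                D1 = true;
                DEBUG = true;
                break;
            case '2':
                D2 = true;
                DEBUG = true;
                break;
            default:
                DEBUG = true;
                break;
            }
            break;

        case 'B':
            BOOTSTRAP = true;
            MINUSF = true;
            IGNORELOCK = true;
            NewClass("bootstrap_mode");
            break;

        case 's':
            // temporary assure that network functions are working
            OpenNetwork();
            strncpy(POLICY_SERVER, Hostname2IPString(optarg), CF_BUFSIZE - 1);
            CloseNetwork();

            /* Heuristic: a resolved address contains only digits and dots
             * (or colons for IPv6, whose hex digits are letters).  Letters
             * or other punctuation without a colon are taken to mean the
             * lookup failed and the name came back unchanged. */
            for (sp = POLICY_SERVER; *sp != '\0'; sp++) {
                if (isalpha((unsigned char) *sp)) {
                    alpha = true;
                }

                if (ispunct((unsigned char) *sp) && *sp != ':' && *sp != '.') {
                    alpha = true;
                }

                if (*sp == ':') {
                    v6 = true;
                }
            }

            if (alpha && !v6) {
                FatalError("Error specifying policy server. The policy server's IP address could not be looked up. Please use the IP address instead if there is no error.");
            }
            break;

        case 'K':
            IGNORELOCK = true;
            break;

        case 'D':
            NewClassesFromString(optarg);
            break;

        case 'N':
            NegateClassesFromString(optarg, &VNEGHEAP);
            break;

        case 'I':
            INFORM = true;
            break;

        case 'v':
            VERBOSE = true;
            break;

        case 'n':
            DONTDO = true;
            IGNORELOCK = true;
            NewClass("opt_dry_run");
            break;

        case 'V':
            PrintVersionBanner("cf-agent");
            exit(0);

        case 'h':
            Syntax("cf-agent - cfengine's change agent", OPTIONS, HINTS, ID);
            exit(0);

        case 'M':
            ManPage("cf-agent - cfengine's change agent", OPTIONS, HINTS, ID);
            exit(0);

        case 'x':
            AgentDiagnostic(optarg);
            exit(0);

        case 'r':
            SHOWREPORTS = true;
            break;

        default:
            Syntax("cf-agent - cfengine's change agent", OPTIONS, HINTS, ID);
            exit(1);
        }
    }

    if (argv[optind] != NULL) {
        CfOut(cf_error, "", "Unexpected argument with no preceding option: %s\n", argv[optind]);
        FatalError("Aborted");
    }

    Debug("Set debugging\n");
}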
/*
 * Apply the settings of "body server control" to cf-serverd's globals.
 *
 * Defaults are set first so a control body that omits an option still
 * leaves a defined value.  Most options populate the server's access
 * control lists (which hosts may connect, are denied, may skip
 * verification, may hold several connections, may have keys trusted,
 * which users are allowed); entries are de-duplicated with IsItemIn()
 * before being appended.  A few common-body values (syslog host/port,
 * FIPS mode, lastseen expiry) are read at the end.
 */
void KeepControlPromises()
{
    Constraint *cp;
    Rval retval;

    /* Defaults in case the control body leaves these unset. */
    CFD_MAXPROCESSES = 30;
    MAXTRIES = 5;
    CFD_INTERVAL = 0;
    DENYBADCLOCKS = true;
    CFRUNCOMMAND[0] = '\0';
    SetChecksumUpdates(true);

    /* Keep promised agent behaviour - control bodies */
    Banner("Server control promises..");
    HashControls();

    /* Now expand */
    for (cp = ControlBodyConstraints(cf_server); cp != NULL; cp = cp->next) {
        if (IsExcluded(cp->classes)) {
            continue;
        }

        if (GetVariable("control_server", cp->lval, &retval) == cf_notype) {
            CfOut(cf_error, "", "Unknown lval %s in server control body", cp->lval);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_serverfacility].lval) == 0) {
            SetFacility(retval.item);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_denybadclocks].lval) == 0) {
            DENYBADCLOCKS = GetBoolean(retval.item);
            CfOut(cf_verbose, "", "SET denybadclocks = %d\n", DENYBADCLOCKS);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_logencryptedtransfers].lval) == 0) {
            LOGENCRYPT = GetBoolean(retval.item);
            CfOut(cf_verbose, "", "SET LOGENCRYPT = %d\n", LOGENCRYPT);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_logallconnections].lval) == 0) {
            LOGCONNS = GetBoolean(retval.item);
            CfOut(cf_verbose, "", "SET LOGCONNS = %d\n", LOGCONNS);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_maxconnections].lval) == 0) {
            CFD_MAXPROCESSES = (int) Str2Int(retval.item);
            /* Retry budget is derived from the connection limit. */
            MAXTRIES = CFD_MAXPROCESSES / 3;
            CfOut(cf_verbose, "", "SET maxconnections = %d\n", CFD_MAXPROCESSES);
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_cfruncommand].lval) == 0) {
            /* CFRUNCOMMAND is a global, so the untouched last byte stays zero. */
            strncpy(CFRUNCOMMAND, retval.item, CF_BUFSIZE - 1);
            CfOut(cf_verbose, "", "SET cfruncommand = %s\n", CFRUNCOMMAND);
            continue;
        }

        /* Hosts allowed to connect. */
        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_allowconnects].lval) == 0) {
            Rlist *rp;
            CfOut(cf_verbose, "", "SET Allowing connections from ...\n");
            for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next) {
                if (!IsItemIn(NONATTACKERLIST, rp->item)) {
                    AppendItem(&NONATTACKERLIST, rp->item, cp->classes);
                }
            }
            continue;
        }

        /* Hosts refused outright. */
        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_denyconnects].lval) == 0) {
            Rlist *rp;
            CfOut(cf_verbose, "", "SET Denying connections from ...\n");
            for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next) {
                if (!IsItemIn(ATTACKERLIST, rp->item)) {
                    AppendItem(&ATTACKERLIST, rp->item, cp->classes);
                }
            }
            continue;
        }

        /* Hosts for which connection verification is skipped (what exactly
         * is skipped is decided where SKIPVERIFY is consumed). */
        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_skipverify].lval) == 0) {
            Rlist *rp;
            CfOut(cf_verbose, "", "SET Skip verify connections from ...\n");
            for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next) {
                if (!IsItemIn(SKIPVERIFY, rp->item)) {
                    AppendItem(&SKIPVERIFY, rp->item, cp->classes);
                }
            }
            continue;
        }

        /* Hosts whose addresses are expected to change (DHCP). */
        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_dynamicaddresses].lval) == 0) {
            Rlist *rp;
            CfOut(cf_verbose, "", "SET Dynamic addresses from ...\n");
            for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next) {
                if (!IsItemIn(DHCPLIST, rp->item)) {
                    AppendItem(&DHCPLIST, rp->item, cp->classes);
                }
            }
            continue;
        }

        /* Hosts permitted more than one simultaneous connection. */
        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_allowallconnects].lval) == 0) {
            Rlist *rp;
            CfOut(cf_verbose, "", "SET Allowing multiple connections from ...\n");
            for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next) {
                if (!IsItemIn(MULTICONNLIST, rp->item)) {
                    AppendItem(&MULTICONNLIST, rp->item, cp->classes);
                }
            }
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_allowusers].lval) == 0) {
            Rlist *rp;
            CfOut(cf_verbose, "", "SET Allowing users ...\n");
            for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next) {
                if (!IsItemIn(ALLOWUSERLIST, rp->item)) {
                    AppendItem(&ALLOWUSERLIST, rp->item, cp->classes);
                }
            }
            continue;
        }

        /* Hosts whose public keys may be accepted on trust. */
        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_trustkeysfrom].lval) == 0) {
            Rlist *rp;
            CfOut(cf_verbose, "", "SET Trust keys from ...\n");
            for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next) {
                if (!IsItemIn(TRUSTKEYLIST, rp->item)) {
                    AppendItem(&TRUSTKEYLIST, rp->item, cp->classes);
                }
            }
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_portnumber].lval) == 0) {
            /* Host-order value first, for the log line; the final assignment
             * below stores it in network byte order. */
            SHORT_CFENGINEPORT = (short) Str2Int(retval.item);
            /* NOTE(review): copies up to 15 bytes without adding a terminator;
             * safe only while STR_CFENGINEPORT is at least 16 bytes and its
             * last byte is never written -- confirm against the declaration. */
            strncpy(STR_CFENGINEPORT, retval.item, 15);
            CfOut(cf_verbose, "", "SET default portnumber = %u = %s = %s\n", (int) SHORT_CFENGINEPORT, STR_CFENGINEPORT, ScalarRvalValue(retval));
            SHORT_CFENGINEPORT = htons((short) Str2Int(retval.item));
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_keyttl].lval) == 0) {
            CfOut(cf_verbose, "", "Ignoring deprecated option keycacheTTL");
            continue;
        }

        if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_bindtointerface].lval) == 0) {
            strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
            CfOut(cf_verbose, "", "SET bindtointerface = %s\n", BINDINTERFACE);
            continue;
        }
    }

    /* Values the server needs from the common control body. */
    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_host].lval, &retval) != cf_notype) {
        SetSyslogHost(Hostname2IPString(retval.item));
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_port].lval, &retval) != cf_notype) {
        SetSyslogPort(Str2Int(retval.item));
    }

    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_fips_mode].lval, &retval) != cf_notype) {
        FIPS_MODE = GetBoolean(retval.item);
        CfOut(cf_verbose, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
    }

    /* Policy value is in minutes; the global is kept in seconds. */
    if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval) != cf_notype) {
        LASTSEENEXPIREAFTER = Str2Int(retval.item) * 60;
    }
}