static void KeepPromises(Policy *policy, const ReportContext *report_context)
{
Constraint *cp;
Rval retval;
for (cp = ControlBodyConstraints(policy, cf_monitor); cp != NULL; cp = cp->next)
{
if (IsExcluded(cp->classes, NULL))
{
continue;
}
if (GetVariable("control_monitor", cp->lval, &retval) == cf_notype)
{
CfOut(cf_error, "", "Unknown lval %s in monitor control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFM_CONTROLBODY[cfm_histograms].lval) == 0)
{
/* Keep accepting this option for backward compatibility. */
}
if (strcmp(cp->lval, CFM_CONTROLBODY[cfm_tcpdump].lval) == 0)
{
MonNetworkSnifferEnable(GetBoolean(retval.item));
}
if (strcmp(cp->lval, CFM_CONTROLBODY[cfm_forgetrate].lval) == 0)
{
sscanf(retval.item, "%lf", &FORGETRATE);
CfDebug("forget rate = %f\n", FORGETRATE);
}
}
}
static void KeepPromises(EvalContext *ctx, const Policy *policy)
{
Rval retval;
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_MONITOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_monitor");
if (!EvalContextVariableGet(ctx, ref, &retval, NULL))
{
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in monitor control body", cp->lval);
VarRefDestroy(ref);
continue;
}
VarRefDestroy(ref);
if (strcmp(cp->lval, CFM_CONTROLBODY[MONITOR_CONTROL_HISTOGRAMS].lval) == 0)
{
/* Keep accepting this option for backward compatibility. */
}
if (strcmp(cp->lval, CFM_CONTROLBODY[MONITOR_CONTROL_TCP_DUMP].lval) == 0)
{
MonNetworkSnifferEnable(BooleanFromString(retval.item));
}
if (strcmp(cp->lval, CFM_CONTROLBODY[MONITOR_CONTROL_FORGET_RATE].lval) == 0)
{
sscanf(retval.item, "%lf", &FORGETRATE);
Log(LOG_LEVEL_DEBUG, "forget rate %f", FORGETRATE);
}
}
}
}
static void KeepPromises(EvalContext *ctx, Policy *policy)
{
Rval retval;
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_MONITOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
if (!EvalContextVariableGet(ctx, (VarRef) { NULL, "control_monitor", cp->lval }, &retval, NULL))
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in monitor control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFM_CONTROLBODY[MONITOR_CONTROL_HISTOGRAMS].lval) == 0)
{
/* Keep accepting this option for backward compatibility. */
}
if (strcmp(cp->lval, CFM_CONTROLBODY[MONITOR_CONTROL_TCP_DUMP].lval) == 0)
{
MonNetworkSnifferEnable(BooleanFromString(retval.item));
}
if (strcmp(cp->lval, CFM_CONTROLBODY[MONITOR_CONTROL_FORGET_RATE].lval) == 0)
{
sscanf(retval.item, "%lf", &FORGETRATE);
CfDebug("forget rate = %f\n", FORGETRATE);
}
}
}
}
static void KeepControlPromises(EvalContext *ctx, Policy *policy, GenericAgentConfig *config)
{
Rval retval;
CFD_MAXPROCESSES = 30;
MAXTRIES = 5;
DENYBADCLOCKS = true;
CFRUNCOMMAND[0] = '\0';
SetChecksumUpdates(true);
/* Keep promised agent behaviour - control bodies */
Banner("Server control promises..");
HashControls(ctx, policy, config);
/* Now expand */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_SERVER);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
if (!EvalContextVariableGet(ctx, (VarRef) { NULL, "control_server", cp->lval }, &retval, NULL))
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in server control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SERVER_FACILITY].lval) == 0)
{
SetFacility(retval.item);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_BAD_CLOCKS].lval) == 0)
{
DENYBADCLOCKS = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET denybadclocks = %d\n", DENYBADCLOCKS);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ENCRYPTED_TRANSFERS].lval) == 0)
{
LOGENCRYPT = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET LOGENCRYPT = %d\n", LOGENCRYPT);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ALL_CONNECTIONS].lval) == 0)
{
SV.logconns = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET logconns = %d\n", SV.logconns);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_MAX_CONNECTIONS].lval) == 0)
{
CFD_MAXPROCESSES = (int) IntFromString(retval.item);
MAXTRIES = CFD_MAXPROCESSES / 3;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET maxconnections = %d\n", CFD_MAXPROCESSES);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_INTERVAL].lval) == 0)
{
COLLECT_INTERVAL = (int) 60 * IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET call_collect_interval = %d (seconds)\n", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LISTEN].lval) == 0)
{
SERVER_LISTEN = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET server listen = %s \n",
(SERVER_LISTEN)? "true":"false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_WINDOW].lval) == 0)
{
COLLECT_WINDOW = (int) IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET collect_window = %d (seconds)\n", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CF_RUN_COMMAND].lval) == 0)
{
strncpy(CFRUNCOMMAND, retval.item, CF_BUFSIZE - 1);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET cfruncommand = %s\n", CFRUNCOMMAND);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_CONNECTS].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.nonattackerlist, rp->item))
{
AppendItem(&SV.nonattackerlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_CONNECTS].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Denying connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.attackerlist, rp->item))
{
AppendItem(&SV.attackerlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SKIP_VERIFY].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Skip verify connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.skipverify, rp->item))
{
AppendItem(&SV.skipverify, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_ALL_CONNECTS].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing multiple connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.multiconnlist, rp->item))
{
AppendItem(&SV.multiconnlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_USERS].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Allowing users ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowuserlist, rp->item))
{
AppendItem(&SV.allowuserlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_TRUST_KEYS_FROM].lval) == 0)
{
Rlist *rp;
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET Trust keys from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.trustkeylist, rp->item))
{
AppendItem(&SV.trustkeylist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_PORT_NUMBER].lval) == 0)
{
SHORT_CFENGINEPORT = (short) IntFromString(retval.item);
strncpy(STR_CFENGINEPORT, retval.item, 15);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET default portnumber = %u = %s = %s\n", (int) SHORT_CFENGINEPORT, STR_CFENGINEPORT,
RvalScalarValue(retval));
SHORT_CFENGINEPORT = htons((short) IntFromString(retval.item));
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_KEY_TTL].lval) == 0)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", "Ignoring deprecated option keycacheTTL");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_BIND_TO_INTERFACE].lval) == 0)
{
strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET bindtointerface = %s\n", BINDINTERFACE);
continue;
}
}
}
if (ScopeControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_HOST, &retval) != DATA_TYPE_NONE)
{
SetSyslogHost(Hostname2IPString(retval.item));
}
if (ScopeControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_PORT, &retval) != DATA_TYPE_NONE)
{
SetSyslogPort(IntFromString(retval.item));
}
if (ScopeControlCommonGet(ctx, COMMON_CONTROL_FIPS_MODE, &retval) != DATA_TYPE_NONE)
{
FIPS_MODE = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
}
if (ScopeControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER, &retval) != DATA_TYPE_NONE)
{
LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
}
}
void KeepControlPromises(Policy *policy)
{
Rval retval;
Rlist *rp;
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_AGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (IsExcluded(cp->classes, NULL))
{
continue;
}
if (GetVariable("control_common", cp->lval, &retval) != DATA_TYPE_NONE)
{
/* Already handled in generic_agent */
continue;
}
if (GetVariable("control_agent", cp->lval, &retval) == DATA_TYPE_NONE)
{
CfOut(cf_error, "", "Unknown lval %s in agent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_maxconnections].lval) == 0)
{
CFA_MAXTHREADS = (int) Str2Int(retval.item);
CfOut(cf_verbose, "", "SET maxconnections = %d\n", CFA_MAXTHREADS);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_checksum_alert_time].lval) == 0)
{
CF_PERSISTENCE = (int) Str2Int(retval.item);
CfOut(cf_verbose, "", "SET checksum_alert_time = %d\n", CF_PERSISTENCE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_agentfacility].lval) == 0)
{
SetFacility(retval.item);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_agentaccess].lval) == 0)
{
ACCESSLIST = (Rlist *) retval.item;
CheckAgentAccess(ACCESSLIST, InputFiles(policy));
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_refresh_processes].lval) == 0)
{
Rlist *rp;
if (VERBOSE)
{
printf("%s> SET refresh_processes when starting: ", VPREFIX);
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
printf(" %s", (char *) rp->item);
PrependItem(&PROCESSREFRESH, rp->item, NULL);
}
printf("\n");
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_abortclasses].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "SET Abort classes from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
char name[CF_MAXVARSIZE] = "";
strncpy(name, rp->item, CF_MAXVARSIZE - 1);
AddAbortClass(name, cp->classes);
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_abortbundleclasses].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "SET Abort bundle classes from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
char name[CF_MAXVARSIZE] = "";
strncpy(name, rp->item, CF_MAXVARSIZE - 1);
if (!IsItemIn(ABORTBUNDLEHEAP, name))
{
AppendItem(&ABORTBUNDLEHEAP, name, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_addclasses].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "-> Add classes ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
CfOut(cf_verbose, "", " -> ... %s\n", ScalarValue(rp));
NewClass(rp->item, NULL);
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_auditing].lval) == 0)
{
CfOut(cf_verbose, "", "This option does nothing and is retained for compatibility reasons");
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_alwaysvalidate].lval) == 0)
{
ALWAYS_VALIDATE = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET alwaysvalidate = %d\n", ALWAYS_VALIDATE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_allclassesreport].lval) == 0)
{
ALLCLASSESREPORT = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET allclassesreport = %d\n", ALLCLASSESREPORT);
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_secureinput].lval) == 0)
{
CFPARANOID = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET secure input = %d\n", CFPARANOID);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_binarypaddingchar].lval) == 0)
{
CfOut(cf_verbose, "", "binarypaddingchar is obsolete and does nothing\n");
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_bindtointerface].lval) == 0)
{
strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
CfOut(cf_verbose, "", "SET bindtointerface = %s\n", BINDINTERFACE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_hashupdates].lval) == 0)
{
bool enabled = GetBoolean(retval.item);
SetChecksumUpdates(enabled);
CfOut(cf_verbose, "", "SET ChecksumUpdates %d\n", enabled);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_exclamation].lval) == 0)
{
CfOut(cf_verbose, "", "exclamation control is deprecated and does not do anything\n");
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_childlibpath].lval) == 0)
{
char output[CF_BUFSIZE];
snprintf(output, CF_BUFSIZE, "LD_LIBRARY_PATH=%s", (char *) retval.item);
if (putenv(xstrdup(output)) == 0)
{
CfOut(cf_verbose, "", "Setting %s\n", output);
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_defaultcopytype].lval) == 0)
{
DEFAULT_COPYTYPE = (char *) retval.item;
CfOut(cf_verbose, "", "SET defaultcopytype = %s\n", DEFAULT_COPYTYPE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_fsinglecopy].lval) == 0)
{
SINGLE_COPY_LIST = (Rlist *) retval.item;
CfOut(cf_verbose, "", "SET file single copy list\n");
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_fautodefine].lval) == 0)
{
SetFileAutoDefineList(ListRvalValue(retval));
CfOut(cf_verbose, "", "SET file auto define list\n");
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_dryrun].lval) == 0)
{
DONTDO = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET dryrun = %c\n", DONTDO);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_inform].lval) == 0)
{
INFORM = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET inform = %c\n", INFORM);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_verbose].lval) == 0)
{
VERBOSE = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET inform = %c\n", VERBOSE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_repository].lval) == 0)
{
SetRepositoryLocation(retval.item);
CfOut(cf_verbose, "", "SET repository = %s\n", ScalarRvalValue(retval));
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_skipidentify].lval) == 0)
{
bool enabled = GetBoolean(retval.item);
SetSkipIdentify(enabled);
CfOut(cf_verbose, "", "SET skipidentify = %d\n", (int) enabled);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_suspiciousnames].lval) == 0)
{
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
AddFilenameToListOfSuspicious(ScalarValue(rp));
CfOut(cf_verbose, "", "-> Considering %s as suspicious file", ScalarValue(rp));
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_repchar].lval) == 0)
{
char c = *(char *) retval.item;
SetRepositoryChar(c);
CfOut(cf_verbose, "", "SET repchar = %c\n", c);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_mountfilesystems].lval) == 0)
{
CF_MOUNTALL = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET mountfilesystems = %d\n", CF_MOUNTALL);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_editfilesize].lval) == 0)
{
EDITFILESIZE = Str2Int(retval.item);
CfOut(cf_verbose, "", "SET EDITFILESIZE = %d\n", EDITFILESIZE);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_ifelapsed].lval) == 0)
{
VIFELAPSED = Str2Int(retval.item);
CfOut(cf_verbose, "", "SET ifelapsed = %d\n", VIFELAPSED);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_expireafter].lval) == 0)
{
VEXPIREAFTER = Str2Int(retval.item);
CfOut(cf_verbose, "", "SET ifelapsed = %d\n", VEXPIREAFTER);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_timeout].lval) == 0)
{
CONNTIMEOUT = Str2Int(retval.item);
CfOut(cf_verbose, "", "SET timeout = %jd\n", (intmax_t) CONNTIMEOUT);
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_max_children].lval) == 0)
{
CFA_BACKGROUND_LIMIT = Str2Int(retval.item);
CfOut(cf_verbose, "", "SET MAX_CHILDREN = %d\n", CFA_BACKGROUND_LIMIT);
if (CFA_BACKGROUND_LIMIT > 10)
{
CfOut(cf_error, "", "Silly value for max_children in agent control promise (%d > 10)",
CFA_BACKGROUND_LIMIT);
CFA_BACKGROUND_LIMIT = 1;
}
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_syslog].lval) == 0)
{
CfOut(cf_verbose, "", "SET syslog = %d\n", GetBoolean(retval.item));
continue;
}
if (strcmp(cp->lval, CFA_CONTROLBODY[cfa_environment].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "SET environment variables from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (putenv(rp->item) != 0)
{
CfOut(cf_error, "putenv", "Failed to set environment variable %s", ScalarValue(rp));
}
}
continue;
}
}
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval) != DATA_TYPE_NONE)
{
LASTSEENEXPIREAFTER = Str2Int(retval.item) * 60;
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_fips_mode].lval, &retval) != DATA_TYPE_NONE)
{
FIPS_MODE = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_port].lval, &retval) != DATA_TYPE_NONE)
{
SetSyslogPort(Str2Int(retval.item));
CfOut(cf_verbose, "", "SET syslog_port to %s", ScalarRvalValue(retval));
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_host].lval, &retval) != DATA_TYPE_NONE)
{
SetSyslogHost(Hostname2IPString(retval.item));
CfOut(cf_verbose, "", "SET syslog_host to %s", Hostname2IPString(retval.item));
}
#ifdef HAVE_NOVA
Nova_Initialize();
#endif
}
static void KeepKnowControlPromises()
{
Constraint *cp;
Rval retval;
for (cp = ControlBodyConstraints(cf_know); cp != NULL; cp = cp->next)
{
if (IsExcluded(cp->classes))
{
continue;
}
if (GetVariable("control_knowledge", cp->lval, &retval) == cf_notype)
{
CfOut(cf_error, "", " !! Unknown lval %s in knowledge control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_tm_prefix].lval) == 0)
{
CfOut(cf_error, "", "The topic map prefix has been deprecated");
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_builddir].lval) == 0)
{
strncpy(BUILD_DIR, retval.item, CF_BUFSIZE);
if (strlen(MANDIR) < 2) /* MANDIR defaults to BUILDDIR */
{
strncpy(MANDIR, retval.item, CF_BUFSIZE);
}
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_sql_type].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_sql_database].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_sql_owner].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_sql_passwd].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_sql_server].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_sql_connect_db].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_query_engine].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_htmlbanner].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_htmlfooter].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_stylesheet].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_query_output].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_graph_output].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_views].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_genman].lval) == 0)
{
GENERATE_MANUAL = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET generate_manual = %d\n", GENERATE_MANUAL);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_mandir].lval) == 0)
{
strncpy(MANDIR, retval.item, CF_MAXVARSIZE);
CfOut(cf_verbose, "", "SET manual_source_directory = %s\n", MANDIR);
continue;
}
if (strcmp(cp->lval, CFK_CONTROLBODY[cfk_docroot].lval) == 0)
{
CfOut(cf_verbose, "", " -> Option %s has been deprecated in this release", cp->lval);
continue;
}
}
}
void KeepControlPromises(Policy *policy)
{
Rval retval;
RUNATTR.copy.trustkey = false;
RUNATTR.copy.encrypt = true;
RUNATTR.copy.force_ipv4 = false;
RUNATTR.copy.portnumber = SHORT_CFENGINEPORT;
/* Keep promised agent behaviour - control bodies */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (IsExcluded(cp->classes, NULL))
{
continue;
}
if (GetVariable("control_runagent", cp->lval, &retval) == cf_notype)
{
CfOut(cf_error, "", "Unknown lval %s in runagent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[cfr_force_ipv4].lval) == 0)
{
RUNATTR.copy.force_ipv4 = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET force_ipv4 = %d\n", RUNATTR.copy.force_ipv4);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[cfr_trustkey].lval) == 0)
{
RUNATTR.copy.trustkey = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET trustkey = %d\n", RUNATTR.copy.trustkey);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[cfr_encrypt].lval) == 0)
{
RUNATTR.copy.encrypt = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET encrypt = %d\n", RUNATTR.copy.encrypt);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[cfr_portnumber].lval) == 0)
{
RUNATTR.copy.portnumber = (short) Str2Int(retval.item);
CfOut(cf_verbose, "", "SET default portnumber = %u\n", (int) RUNATTR.copy.portnumber);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[cfr_background].lval) == 0)
{
/*
* Only process this option if are is no -b or -i options specified on
* command line.
*/
if (BACKGROUND || INTERACTIVE)
{
CfOut(cf_error, "",
"Warning: 'background_children' setting from 'body runagent control' is overriden by command-line option.");
}
else
{
BACKGROUND = GetBoolean(retval.item);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[cfr_maxchild].lval) == 0)
{
MAXCHILD = (short) Str2Int(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[cfr_output_to_file].lval) == 0)
{
OUTPUT_TO_FILE = GetBoolean(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[cfr_output_directory].lval) == 0)
{
if (IsAbsPath(retval.item))
{
strncpy(OUTPUT_DIRECTORY, retval.item, CF_BUFSIZE - 1);
CfOut(cf_verbose, "", "SET output direcory to = %s\n", OUTPUT_DIRECTORY);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[cfr_timeout].lval) == 0)
{
RUNATTR.copy.timeout = (short) Str2Int(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[cfr_hosts].lval) == 0)
{
if (HOSTLIST == NULL) // Don't override if command line setting
{
HOSTLIST = retval.item;
}
continue;
}
}
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval) != cf_notype)
{
LASTSEENEXPIREAFTER = Str2Int(retval.item) * 60;
}
}
ExecConfig *ExecConfigNew(bool scheduled_run, const EvalContext *ctx, const Policy *policy)
{
ExecConfig *exec_config = xcalloc(1, sizeof(ExecConfig));
exec_config->scheduled_run = scheduled_run;
exec_config->exec_command = xstrdup("");
exec_config->agent_expireafter = 2 * 60; /* two hours */
exec_config->mail_server = xstrdup("");
exec_config->mail_from_address = xstrdup("");
exec_config->mail_to_address = xstrdup("");
exec_config->mail_subject = xstrdup("");
exec_config->mail_max_lines = 30;
exec_config->mailfilter_include = SeqNew(0, &free);
exec_config->mailfilter_include_regex = SeqNew(0, &RegexFree);
exec_config->mailfilter_exclude = SeqNew(0, &free);
exec_config->mailfilter_exclude_regex = SeqNew(0, &RegexFree);
exec_config->fq_name = xstrdup(VFQNAME);
exec_config->ip_address = xstrdup(VIPADDRESS);
exec_config->ip_addresses = GetIpAddresses(ctx);
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_EXECUTOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_executor");
DataType t;
const void *value = EvalContextVariableGet(ctx, ref, &t);
VarRefDestroy(ref);
if (t == CF_DATA_TYPE_NONE)
{
ProgrammingError("Unknown attribute '%s' in control body,"
" should have already been stopped by the parser",
cp->lval);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFROM].lval) == 0)
{
free(exec_config->mail_from_address);
exec_config->mail_from_address = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailfrom '%s'", exec_config->mail_from_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILTO].lval) == 0)
{
free(exec_config->mail_to_address);
exec_config->mail_to_address = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailto '%s'", exec_config->mail_to_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILSUBJECT].lval) == 0)
{
free(exec_config->mail_subject);
exec_config->mail_subject = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailsubject '%s'", exec_config->mail_subject);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SMTPSERVER].lval) == 0)
{
free(exec_config->mail_server);
exec_config->mail_server = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "smtpserver '%s'", exec_config->mail_server);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_EXECCOMMAND].lval) == 0)
{
free(exec_config->exec_command);
exec_config->exec_command = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "exec_command '%s'", exec_config->exec_command);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_AGENT_EXPIREAFTER].lval) == 0)
{
exec_config->agent_expireafter = IntFromString(value);
Log(LOG_LEVEL_DEBUG, "agent_expireafter %d", exec_config->agent_expireafter);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILMAXLINES].lval) == 0)
{
exec_config->mail_max_lines = IntFromString(value);
Log(LOG_LEVEL_DEBUG, "maxlines %d", exec_config->mail_max_lines);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFILTER_INCLUDE].lval) == 0)
{
SeqDestroy(exec_config->mailfilter_include);
SeqDestroy(exec_config->mailfilter_include_regex);
RlistMailFilterFill(value, &exec_config->mailfilter_include,
&exec_config->mailfilter_include_regex, "include");
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFILTER_EXCLUDE].lval) == 0)
{
SeqDestroy(exec_config->mailfilter_exclude);
SeqDestroy(exec_config->mailfilter_exclude_regex);
RlistMailFilterFill(value, &exec_config->mailfilter_exclude,
&exec_config->mailfilter_exclude_regex, "exclude");
}
}
}
return exec_config;
}
static void KeepControlPromises(EvalContext *ctx, Policy *policy, GenericAgentConfig *config)
{
Rval retval;
CFD_MAXPROCESSES = 30;
MAXTRIES = 5;
DENYBADCLOCKS = true;
CFRUNCOMMAND[0] = '\0';
SetChecksumUpdates(true);
/* Keep promised agent behaviour - control bodies */
Banner("Server control promises..");
PolicyResolve(ctx, policy, config);
/* Now expand */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_SERVER);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_server");
if (!EvalContextVariableGet(ctx, ref, &retval, NULL))
{
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in server control body", cp->lval);
VarRefDestroy(ref);
continue;
}
VarRefDestroy(ref);
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SERVER_FACILITY].lval) == 0)
{
SetFacility(retval.item);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_BAD_CLOCKS].lval) == 0)
{
DENYBADCLOCKS = BooleanFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting denybadclocks to '%s'", DENYBADCLOCKS ? "true" : "false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ENCRYPTED_TRANSFERS].lval) == 0)
{
LOGENCRYPT = BooleanFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting logencrypt to '%s'", LOGENCRYPT ? "true" : "false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ALL_CONNECTIONS].lval) == 0)
{
SV.logconns = BooleanFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting logconns to %d", SV.logconns);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_MAX_CONNECTIONS].lval) == 0)
{
CFD_MAXPROCESSES = (int) IntFromString(retval.item);
MAXTRIES = CFD_MAXPROCESSES / 3;
Log(LOG_LEVEL_VERBOSE, "Setting maxconnections to %d", CFD_MAXPROCESSES);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_INTERVAL].lval) == 0)
{
COLLECT_INTERVAL = (int) 60 * IntFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting call_collect_interval to %d (seconds)", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LISTEN].lval) == 0)
{
SERVER_LISTEN = BooleanFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting server listen to '%s' ",
(SERVER_LISTEN)? "true":"false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_WINDOW].lval) == 0)
{
COLLECT_WINDOW = (int) IntFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting collect_window to %d (seconds)", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CF_RUN_COMMAND].lval) == 0)
{
strncpy(CFRUNCOMMAND, retval.item, CF_BUFSIZE - 1);
Log(LOG_LEVEL_VERBOSE, "Setting cfruncommand to '%s'", CFRUNCOMMAND);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_CONNECTS].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "Setting allowing connections from ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.nonattackerlist, rp->item))
{
AppendItem(&SV.nonattackerlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_CONNECTS].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "Setting denying connections from ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.attackerlist, rp->item))
{
AppendItem(&SV.attackerlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SKIP_VERIFY].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "Setting skip verify connections from ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.skipverify, rp->item))
{
AppendItem(&SV.skipverify, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_ALL_CONNECTS].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "Setting allowing multiple connections from ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.multiconnlist, rp->item))
{
AppendItem(&SV.multiconnlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_USERS].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "SET Allowing users ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowuserlist, rp->item))
{
AppendItem(&SV.allowuserlist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_TRUST_KEYS_FROM].lval) == 0)
{
Rlist *rp;
Log(LOG_LEVEL_VERBOSE, "Setting trust keys from ...");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.trustkeylist, rp->item))
{
AppendItem(&SV.trustkeylist, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_PORT_NUMBER].lval) == 0)
{
SHORT_CFENGINEPORT = (short) IntFromString(retval.item);
strncpy(STR_CFENGINEPORT, retval.item, 15);
Log(LOG_LEVEL_VERBOSE, "Setting default portnumber to %u = %s = %s", (int) SHORT_CFENGINEPORT, STR_CFENGINEPORT,
RvalScalarValue(retval));
SHORT_CFENGINEPORT = htons((short) IntFromString(retval.item));
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_BIND_TO_INTERFACE].lval) == 0)
{
strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
Log(LOG_LEVEL_VERBOSE, "Setting bindtointerface to '%s'", BINDINTERFACE);
continue;
}
}
}
if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_HOST, &retval))
{
/* Don't resolve syslog_host now, better do it per log request. */
if (!SetSyslogHost(retval.item))
{
Log(LOG_LEVEL_ERR, "Failed to set syslog_host, '%s' too long",
(char *) retval.item);
}
else
{
Log(LOG_LEVEL_VERBOSE, "Setting syslog_host to '%s'",
(char *) retval.item);
}
}
if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_PORT, &retval))
{
SetSyslogPort(IntFromString(retval.item));
}
if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_FIPS_MODE, &retval))
{
FIPS_MODE = BooleanFromString(retval.item);
Log(LOG_LEVEL_VERBOSE, "Setting FIPS mode to to '%s'", FIPS_MODE ? "true" : "false");
}
if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER, &retval))
{
LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
}
}
static void KeepControlPromises(Policy *policy)
{
Rval retval;
RUNATTR.copy.trustkey = false;
RUNATTR.copy.encrypt = true;
RUNATTR.copy.force_ipv4 = false;
RUNATTR.copy.portnumber = SHORT_CFENGINEPORT;
/* Keep promised agent behaviour - control bodies */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (IsExcluded(cp->classes, NULL))
{
continue;
}
if (GetVariable("control_runagent", cp->lval, &retval) == DATA_TYPE_NONE)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in runagent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
{
RUNATTR.copy.force_ipv4 = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET force_ipv4 = %d\n", RUNATTR.copy.force_ipv4);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
{
RUNATTR.copy.trustkey = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET trustkey = %d\n", RUNATTR.copy.trustkey);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
{
RUNATTR.copy.encrypt = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET encrypt = %d\n", RUNATTR.copy.encrypt);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
{
RUNATTR.copy.portnumber = (short) IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET default portnumber = %u\n", (int) RUNATTR.copy.portnumber);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
{
/*
* Only process this option if are is no -b or -i options specified on
* command line.
*/
if (BACKGROUND || INTERACTIVE)
{
CfOut(OUTPUT_LEVEL_ERROR, "",
"Warning: 'background_children' setting from 'body runagent control' is overriden by command-line option.");
}
else
{
BACKGROUND = BooleanFromString(retval.item);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
{
MAXCHILD = (short) IntFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
{
OUTPUT_TO_FILE = BooleanFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
{
if (IsAbsPath(retval.item))
{
strncpy(OUTPUT_DIRECTORY, retval.item, CF_BUFSIZE - 1);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET output direcory to = %s\n", OUTPUT_DIRECTORY);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
{
RUNATTR.copy.timeout = (short) IntFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
{
if (HOSTLIST == NULL) // Don't override if command line setting
{
HOSTLIST = retval.item;
}
continue;
}
}
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval) != DATA_TYPE_NONE)
{
LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
}
}
void KeepControlPromises()
{ struct Constraint *cp;
char rettype;
void *retval;
struct Rlist *rp;
for (cp = ControlBodyConstraints(cf_agent); cp != NULL; cp=cp->next)
{
if (IsExcluded(cp->classes))
{
continue;
}
if (GetVariable("control_common",cp->lval,&retval,&rettype) != cf_notype)
{
/* Already handled in generic_agent */
continue;
}
if (GetVariable("control_agent",cp->lval,&retval,&rettype) == cf_notype)
{
CfOut(cf_error,"","Unknown lval %s in agent control body",cp->lval);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_maxconnections].lval) == 0)
{
CFA_MAXTHREADS = (int)Str2Int(retval);
CfOut(cf_verbose,"","SET maxconnections = %d\n",CFA_MAXTHREADS);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_checksum_alert_time].lval) == 0)
{
CF_PERSISTENCE = (int)Str2Int(retval);
CfOut(cf_verbose,"","SET checksum_alert_time = %d\n",CF_PERSISTENCE);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_agentfacility].lval) == 0)
{
SetFacility(retval);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_agentaccess].lval) == 0)
{
ACCESSLIST = (struct Rlist *) retval;
CheckAgentAccess(ACCESSLIST);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_refresh_processes].lval) == 0)
{
struct Rlist *rp;
if (VERBOSE)
{
printf("%s> SET refresh_processes when starting: ",VPREFIX);
for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next)
{
printf(" %s",(char *)rp->item);
PrependItem(&PROCESSREFRESH,rp->item,NULL);
}
printf("\n");
}
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_abortclasses].lval) == 0)
{
struct Rlist *rp;
CfOut(cf_verbose,"","SET Abort classes from ...\n");
for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next)
{
char name[CF_MAXVARSIZE] = "";
strncpy(name, rp->item, CF_MAXVARSIZE - 1);
CanonifyNameInPlace(name);
if (!IsItemIn(ABORTHEAP,name))
{
AppendItem(&ABORTHEAP,name,cp->classes);
}
}
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_abortbundleclasses].lval) == 0)
{
struct Rlist *rp;
CfOut(cf_verbose,"","SET Abort bundle classes from ...\n");
for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next)
{
char name[CF_MAXVARSIZE] = "";
strncpy(name, rp->item, CF_MAXVARSIZE - 1);
CanonifyNameInPlace(name);
if (!IsItemIn(ABORTBUNDLEHEAP,name))
{
AppendItem(&ABORTBUNDLEHEAP,name,cp->classes);
}
}
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_addclasses].lval) == 0)
{
struct Rlist *rp;
CfOut(cf_verbose,"","-> Add classes ...\n");
for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next)
{
CfOut(cf_verbose,""," -> ... %s\n",rp->item);
NewClass(rp->item);
}
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_auditing].lval) == 0)
{
AUDIT = GetBoolean(retval);
CfOut(cf_verbose,"","SET auditing = %d\n",AUDIT);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_alwaysvalidate].lval) == 0)
{
ALWAYS_VALIDATE = GetBoolean(retval);
CfOut(cf_verbose,"","SET alwaysvalidate = %d\n",ALWAYS_VALIDATE);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_secureinput].lval) == 0)
{
CFPARANOID = GetBoolean(retval);
CfOut(cf_verbose,"","SET secure input = %d\n",CFPARANOID);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_binarypaddingchar].lval) == 0)
{
PADCHAR = *(char *)retval;
CfOut(cf_verbose,"","SET binarypaddingchar = %c\n",PADCHAR);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_bindtointerface].lval) == 0)
{
strncpy(BINDINTERFACE,retval,CF_BUFSIZE-1);
CfOut(cf_verbose,"","SET bindtointerface = %s\n",BINDINTERFACE);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_hashupdates].lval) == 0)
{
CHECKSUMUPDATES = GetBoolean(retval);
CfOut(cf_verbose,"","SET ChecksumUpdates %d\n",CHECKSUMUPDATES);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_exclamation].lval) == 0)
{
EXCLAIM = GetBoolean(retval);
CfOut(cf_verbose,"","SET exclamation %d\n",EXCLAIM);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_childlibpath].lval) == 0)
{
char output[CF_BUFSIZE];
snprintf(output,CF_BUFSIZE,"LD_LIBRARY_PATH=%s",(char *)retval);
if (putenv(strdup(output)) == 0)
{
CfOut(cf_verbose,"","Setting %s\n",output);
}
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_defaultcopytype].lval) == 0)
{
DEFAULT_COPYTYPE = (char *)retval;
CfOut(cf_verbose,"","SET defaultcopytype = %c\n",DEFAULT_COPYTYPE);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_fsinglecopy].lval) == 0)
{
SINGLE_COPY_LIST = (struct Rlist *)retval;
CfOut(cf_verbose,"","SET file single copy list\n");
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_fautodefine].lval) == 0)
{
AUTO_DEFINE_LIST = (struct Rlist *)retval;
CfOut(cf_verbose,"","SET file auto define list\n");
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_dryrun].lval) == 0)
{
DONTDO = GetBoolean(retval);
CfOut(cf_verbose,"","SET dryrun = %c\n",DONTDO);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_inform].lval) == 0)
{
INFORM = GetBoolean(retval);
CfOut(cf_verbose,"","SET inform = %c\n",INFORM);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_verbose].lval) == 0)
{
VERBOSE = GetBoolean(retval);
CfOut(cf_verbose,"","SET inform = %c\n",VERBOSE);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_repository].lval) == 0)
{
VREPOSITORY = strdup(retval);
CfOut(cf_verbose,"","SET repository = %s\n",VREPOSITORY);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_skipidentify].lval) == 0)
{
SKIPIDENTIFY = GetBoolean(retval);
CfOut(cf_verbose,"","SET skipidentify = %d\n",SKIPIDENTIFY);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_suspiciousnames].lval) == 0)
{
for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next)
{
PrependItem(&SUSPICIOUSLIST,rp->item,NULL);
CfOut(cf_verbose,"", "-> Concidering %s as suspicious file", rp->item);
}
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_repchar].lval) == 0)
{
REPOSCHAR = *(char *)retval;
CfOut(cf_verbose,"","SET repchar = %c\n",REPOSCHAR);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_mountfilesystems].lval) == 0)
{
CF_MOUNTALL = GetBoolean(retval);
CfOut(cf_verbose,"","SET mountfilesystems = %d\n",CF_MOUNTALL);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_editfilesize].lval) == 0)
{
EDITFILESIZE = Str2Int(retval);
CfOut(cf_verbose,"","SET EDITFILESIZE = %d\n",EDITFILESIZE);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_ifelapsed].lval) == 0)
{
VIFELAPSED = Str2Int(retval);
CfOut(cf_verbose,"","SET ifelapsed = %d\n",VIFELAPSED);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_expireafter].lval) == 0)
{
VEXPIREAFTER = Str2Int(retval);
CfOut(cf_verbose,"","SET ifelapsed = %d\n",VEXPIREAFTER);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_timeout].lval) == 0)
{
CONNTIMEOUT = Str2Int(retval);
CfOut(cf_verbose,"","SET timeout = %d\n",CONNTIMEOUT);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_max_children].lval) == 0)
{
CFA_BACKGROUND_LIMIT = Str2Int(retval);
CfOut(cf_verbose,"","SET MAX_CHILDREN = %d\n",CFA_BACKGROUND_LIMIT);
if (CFA_BACKGROUND_LIMIT > 10)
{
CfOut(cf_error,"","Silly value for max_children in agent control promise (%d > 10)",CFA_BACKGROUND_LIMIT);
CFA_BACKGROUND_LIMIT = 1;
}
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_syslog].lval) == 0)
{
LOGGING = GetBoolean(retval);
CfOut(cf_verbose,"","SET syslog = %d\n",LOGGING);
continue;
}
if (strcmp(cp->lval,CFA_CONTROLBODY[cfa_environment].lval) == 0)
{
struct Rlist *rp;
CfOut(cf_verbose,"","SET environment variables from ...\n");
for (rp = (struct Rlist *) retval; rp != NULL; rp = rp->next)
{
if (putenv(rp->item) != 0)
{
CfOut(cf_error, "putenv", "Failed to set environment variable %s", rp->item);
}
}
continue;
}
}
if (GetVariable("control_common",CFG_CONTROLBODY[cfg_lastseenexpireafter].lval,&retval,&rettype) != cf_notype)
{
LASTSEENEXPIREAFTER = Str2Int(retval);
}
if (GetVariable("control_common",CFG_CONTROLBODY[cfg_fips_mode].lval,&retval,&rettype) != cf_notype)
{
FIPS_MODE = GetBoolean(retval);
CfOut(cf_verbose,"","SET FIPS_MODE = %d\n",FIPS_MODE);
}
if (GetVariable("control_common",CFG_CONTROLBODY[cfg_syslog_port].lval,&retval,&rettype) != cf_notype)
{
SYSLOGPORT = (unsigned short)Str2Int(retval);
CfOut(cf_verbose,"","SET syslog_port to %d",SYSLOGPORT);
}
if (GetVariable("control_common",CFG_CONTROLBODY[cfg_syslog_host].lval,&retval,&rettype) != cf_notype)
{
strncpy(SYSLOGHOST,Hostname2IPString(retval),CF_MAXVARSIZE-1);
CfOut(cf_verbose,"","SET syslog_host to %s",SYSLOGHOST);
}
#ifdef HAVE_NOVA
Nova_Initialize();
#endif
}
ExecConfig *ExecConfigNew(bool scheduled_run, const EvalContext *ctx, const Policy *policy)
{
ExecConfig *exec_config = xcalloc(1, sizeof(ExecConfig));
exec_config->scheduled_run = scheduled_run;
exec_config->exec_command = xstrdup("");
exec_config->agent_expireafter = 2 * 60; /* two hours */
exec_config->mail_server = xstrdup("");
exec_config->mail_from_address = xstrdup("");
exec_config->mail_to_address = xstrdup("");
exec_config->mail_subject = xstrdup("");
exec_config->mail_max_lines = 30;
exec_config->fq_name = xstrdup(VFQNAME);
exec_config->ip_address = xstrdup(VIPADDRESS);
exec_config->ip_addresses = GetIpAddresses(ctx);
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_EXECUTOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_executor");
const void *value = EvalContextVariableGet(ctx, ref, NULL);
if (!value)
{
/* Has already been checked by the parser. */
ProgrammingError(
"Unknown attribute in body executor control: %s",
cp->lval);
VarRefDestroy(ref);
continue;
}
VarRefDestroy(ref);
if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFROM].lval) == 0)
{
free(exec_config->mail_from_address);
exec_config->mail_from_address = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailfrom '%s'", exec_config->mail_from_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILTO].lval) == 0)
{
free(exec_config->mail_to_address);
exec_config->mail_to_address = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailto '%s'", exec_config->mail_to_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILSUBJECT].lval) == 0)
{
free(exec_config->mail_subject);
exec_config->mail_subject = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "mailsubject '%s'", exec_config->mail_subject);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SMTPSERVER].lval) == 0)
{
free(exec_config->mail_server);
exec_config->mail_server = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "smtpserver '%s'", exec_config->mail_server);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_EXECCOMMAND].lval) == 0)
{
free(exec_config->exec_command);
exec_config->exec_command = xstrdup(value);
Log(LOG_LEVEL_DEBUG, "exec_command '%s'", exec_config->exec_command);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_AGENT_EXPIREAFTER].lval) == 0)
{
exec_config->agent_expireafter = IntFromString(value);
Log(LOG_LEVEL_DEBUG, "agent_expireafter %d", exec_config->agent_expireafter);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILMAXLINES].lval) == 0)
{
exec_config->mail_max_lines = IntFromString(value);
Log(LOG_LEVEL_DEBUG, "maxlines %d", exec_config->mail_max_lines);
}
}
}
return exec_config;
}
void KeepControlPromises()
{
Constraint *cp;
Rval retval;
CFD_MAXPROCESSES = 30;
MAXTRIES = 5;
CFD_INTERVAL = 0;
DENYBADCLOCKS = true;
CFRUNCOMMAND[0] = '\0';
SetChecksumUpdates(true);
/* Keep promised agent behaviour - control bodies */
Banner("Server control promises..");
HashControls();
/* Now expand */
for (cp = ControlBodyConstraints(cf_server); cp != NULL; cp = cp->next)
{
if (IsExcluded(cp->classes))
{
continue;
}
if (GetVariable("control_server", cp->lval, &retval) == cf_notype)
{
CfOut(cf_error, "", "Unknown lval %s in server control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_serverfacility].lval) == 0)
{
SetFacility(retval.item);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_denybadclocks].lval) == 0)
{
DENYBADCLOCKS = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET denybadclocks = %d\n", DENYBADCLOCKS);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_logencryptedtransfers].lval) == 0)
{
LOGENCRYPT = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET LOGENCRYPT = %d\n", LOGENCRYPT);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_logallconnections].lval) == 0)
{
LOGCONNS = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET LOGCONNS = %d\n", LOGCONNS);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_maxconnections].lval) == 0)
{
CFD_MAXPROCESSES = (int) Str2Int(retval.item);
MAXTRIES = CFD_MAXPROCESSES / 3;
CfOut(cf_verbose, "", "SET maxconnections = %d\n", CFD_MAXPROCESSES);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_cfruncommand].lval) == 0)
{
strncpy(CFRUNCOMMAND, retval.item, CF_BUFSIZE - 1);
CfOut(cf_verbose, "", "SET cfruncommand = %s\n", CFRUNCOMMAND);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_allowconnects].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "SET Allowing connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(NONATTACKERLIST, rp->item))
{
AppendItem(&NONATTACKERLIST, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_denyconnects].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "SET Denying connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(ATTACKERLIST, rp->item))
{
AppendItem(&ATTACKERLIST, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_skipverify].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "SET Skip verify connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SKIPVERIFY, rp->item))
{
AppendItem(&SKIPVERIFY, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_dynamicaddresses].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "SET Dynamic addresses from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(DHCPLIST, rp->item))
{
AppendItem(&DHCPLIST, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_allowallconnects].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "SET Allowing multiple connections from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(MULTICONNLIST, rp->item))
{
AppendItem(&MULTICONNLIST, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_allowusers].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "SET Allowing users ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(ALLOWUSERLIST, rp->item))
{
AppendItem(&ALLOWUSERLIST, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_trustkeysfrom].lval) == 0)
{
Rlist *rp;
CfOut(cf_verbose, "", "SET Trust keys from ...\n");
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(TRUSTKEYLIST, rp->item))
{
AppendItem(&TRUSTKEYLIST, rp->item, cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_portnumber].lval) == 0)
{
SHORT_CFENGINEPORT = (short) Str2Int(retval.item);
strncpy(STR_CFENGINEPORT, retval.item, 15);
CfOut(cf_verbose, "", "SET default portnumber = %u = %s = %s\n", (int) SHORT_CFENGINEPORT, STR_CFENGINEPORT,
ScalarRvalValue(retval));
SHORT_CFENGINEPORT = htons((short) Str2Int(retval.item));
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_keyttl].lval) == 0)
{
CfOut(cf_verbose, "", "Ignoring deprecated option keycacheTTL");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[cfs_bindtointerface].lval) == 0)
{
strncpy(BINDINTERFACE, retval.item, CF_BUFSIZE - 1);
CfOut(cf_verbose, "", "SET bindtointerface = %s\n", BINDINTERFACE);
continue;
}
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_host].lval, &retval) != cf_notype)
{
SetSyslogHost(Hostname2IPString(retval.item));
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_syslog_port].lval, &retval) != cf_notype)
{
SetSyslogPort(Str2Int(retval.item));
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_fips_mode].lval, &retval) != cf_notype)
{
FIPS_MODE = GetBoolean(retval.item);
CfOut(cf_verbose, "", "SET FIPS_MODE = %d\n", FIPS_MODE);
}
if (GetVariable("control_common", CFG_CONTROLBODY[cfg_lastseenexpireafter].lval, &retval) != cf_notype)
{
LASTSEENEXPIREAFTER = Str2Int(retval.item) * 60;
}
}
void KeepPromises(Policy *policy, ExecConfig *config)
{
for (Constraint *cp = ControlBodyConstraints(policy, cf_executor); cp != NULL; cp = cp->next)
{
if (IsExcluded(cp->classes, NULL))
{
continue;
}
Rval retval;
if (GetVariable("control_executor", cp->lval, &retval) == cf_notype)
{
CfOut(cf_error, "", "Unknown lval %s in exec control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_mailfrom].lval) == 0)
{
free(config->mail_from_address);
config->mail_from_address = SafeStringDuplicate(retval.item);
CfDebug("mailfrom = %s\n", config->mail_from_address);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_mailto].lval) == 0)
{
free(config->mail_to_address);
config->mail_to_address = SafeStringDuplicate(retval.item);
CfDebug("mailto = %s\n", config->mail_to_address);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_smtpserver].lval) == 0)
{
free(config->mail_server);
config->mail_server = SafeStringDuplicate(retval.item);
CfDebug("smtpserver = %s\n", config->mail_server);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_execcommand].lval) == 0)
{
free(config->exec_command);
config->exec_command = SafeStringDuplicate(retval.item);
CfDebug("exec_command = %s\n", config->exec_command);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_agent_expireafter].lval) == 0)
{
config->agent_expireafter = Str2Int(retval.item);
CfDebug("agent_expireafter = %d\n", config->agent_expireafter);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_executorfacility].lval) == 0)
{
SetFacility(retval.item);
continue;
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_mailmaxlines].lval) == 0)
{
config->mail_max_lines = Str2Int(retval.item);
CfDebug("maxlines = %d\n", config->mail_max_lines);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_splaytime].lval) == 0)
{
int time = Str2Int(ScalarRvalValue(retval));
SPLAYTIME = (int) (time * SECONDS_PER_MINUTE * GetSplay());
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_schedule].lval) == 0)
{
Rlist *rp;
CfDebug("schedule ...\n");
DeleteItemList(SCHEDULE);
SCHEDULE = NULL;
for (rp = (Rlist *) retval.item; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SCHEDULE, rp->item))
{
AppendItem(&SCHEDULE, rp->item, NULL);
}
}
}
}
}
void KeepControlPromises()
{ struct Constraint *cp;
char rettype;
void *retval;
RUNATTR.copy.trustkey = false;
RUNATTR.copy.encrypt = true;
RUNATTR.copy.force_ipv4 = false;
RUNATTR.copy.portnumber = SHORT_CFENGINEPORT;
/* Keep promised agent behaviour - control bodies */
for (cp = ControlBodyConstraints(cf_runagent); cp != NULL; cp=cp->next)
{
if (IsExcluded(cp->classes))
{
continue;
}
if (GetVariable("control_runagent",cp->lval,&retval,&rettype) == cf_notype)
{
CfOut(cf_error,"","Unknown lval %s in runagent control body",cp->lval);
continue;
}
if (strcmp(cp->lval,CFR_CONTROLBODY[cfr_force_ipv4].lval) == 0)
{
RUNATTR.copy.force_ipv4 = GetBoolean(retval);
CfOut(cf_verbose,"","SET force_ipv4 = %d\n",RUNATTR.copy.force_ipv4);
continue;
}
if (strcmp(cp->lval,CFR_CONTROLBODY[cfr_trustkey].lval) == 0)
{
RUNATTR.copy.trustkey = GetBoolean(retval);
CfOut(cf_verbose,"","SET trustkey = %d\n",RUNATTR.copy.trustkey);
continue;
}
if (strcmp(cp->lval,CFR_CONTROLBODY[cfr_encrypt].lval) == 0)
{
RUNATTR.copy.encrypt = GetBoolean(retval);
CfOut(cf_verbose,"","SET encrypt = %d\n",RUNATTR.copy.encrypt);
continue;
}
if (strcmp(cp->lval,CFR_CONTROLBODY[cfr_portnumber].lval) == 0)
{
RUNATTR.copy.portnumber = (short)Str2Int(retval);
CfOut(cf_verbose,"","SET default portnumber = %u\n",(int)RUNATTR.copy.portnumber);
continue;
}
if (strcmp(cp->lval,CFR_CONTROLBODY[cfr_background].lval) == 0)
{
/*
* Only process this option if are is no -b or -i options specified on
* command line.
*/
if (BACKGROUND || INTERACTIVE)
{
CfOut(cf_error, "", "Warning: 'background_children' setting from 'body runagent control' is overriden by command-line option.");
}
else
{
BACKGROUND = GetBoolean(retval);
}
continue;
}
if (strcmp(cp->lval,CFR_CONTROLBODY[cfr_maxchild].lval) == 0)
{
MAXCHILD = (short)Str2Int(retval);
continue;
}
if (strcmp(cp->lval,CFR_CONTROLBODY[cfr_output_to_file].lval) == 0)
{
OUTPUT_TO_FILE = GetBoolean(retval);
continue;
}
/*
* HvB: add variabele output directory
*/
if (strcmp(cp->lval,CFR_CONTROLBODY[cfr_output_directory].lval) == 0)
{
if ( IsAbsPath(retval) )
{
strncpy(OUTPUT_DIRECTORY,retval,CF_BUFSIZE-1);
CfOut(cf_verbose,"","SET output direcory to = %s\n", OUTPUT_DIRECTORY);
}
continue;
}
if (strcmp(cp->lval,CFR_CONTROLBODY[cfr_timeout].lval) == 0)
{
RUNATTR.copy.timeout = (short)Str2Int(retval);
continue;
}
if (strcmp(cp->lval,CFR_CONTROLBODY[cfr_hosts].lval) == 0)
{
if (HOSTLIST == NULL) // Don't override if command line setting
{
HOSTLIST = retval;
}
continue;
}
}
}
void ExecConfigUpdate(const EvalContext *ctx, const Policy *policy, ExecConfig *exec_config)
{
ExecConfigResetDefault(exec_config);
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_EXECUTOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_executor");
Rval retval;
if (!EvalContextVariableGet(ctx, ref, &retval, NULL))
{
// TODO: should've been checked before this point. change to programming error
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in exec control body", cp->lval);
VarRefDestroy(ref);
continue;
}
VarRefDestroy(ref);
if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFROM].lval) == 0)
{
free(exec_config->mail_from_address);
exec_config->mail_from_address = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "mailfrom '%s'", exec_config->mail_from_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILTO].lval) == 0)
{
free(exec_config->mail_to_address);
exec_config->mail_to_address = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "mailto '%s'", exec_config->mail_to_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILSUBJECT].lval) == 0)
{
free(exec_config->mail_subject);
exec_config->mail_subject = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "mailsubject '%s'", exec_config->mail_subject);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SMTPSERVER].lval) == 0)
{
free(exec_config->mail_server);
exec_config->mail_server = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "smtpserver '%s'", exec_config->mail_server);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_EXECCOMMAND].lval) == 0)
{
free(exec_config->exec_command);
exec_config->exec_command = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "exec_command '%s'", exec_config->exec_command);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_AGENT_EXPIREAFTER].lval) == 0)
{
exec_config->agent_expireafter = IntFromString(retval.item);
Log(LOG_LEVEL_DEBUG, "agent_expireafter %d", exec_config->agent_expireafter);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_EXECUTORFACILITY].lval) == 0)
{
exec_config->log_facility = xstrdup(retval.item);
Log(LOG_LEVEL_DEBUG, "executorfacility '%s'", exec_config->log_facility);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILMAXLINES].lval) == 0)
{
exec_config->mail_max_lines = IntFromString(retval.item);
Log(LOG_LEVEL_DEBUG, "maxlines %d", exec_config->mail_max_lines);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SPLAYTIME].lval) == 0)
{
int time = IntFromString(RvalScalarValue(retval));
exec_config->splay_time = (int) (time * SECONDS_PER_MINUTE * GetSplay());
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SCHEDULE].lval) == 0)
{
Log(LOG_LEVEL_DEBUG, "Loading user-defined schedule...");
StringSetClear(exec_config->schedule);
for (const Rlist *rp = retval.item; rp; rp = rp->next)
{
StringSetAdd(exec_config->schedule, xstrdup(RlistScalarValue(rp)));
Log(LOG_LEVEL_DEBUG, "Adding '%s'", RlistScalarValue(rp));
}
}
}
}
char ipbuf[CF_MAXVARSIZE] = "";
for (Item *iptr = EvalContextGetIpAddresses(ctx); iptr != NULL; iptr = iptr->next)
{
if ((SafeStringLength(ipbuf) + SafeStringLength(iptr->name)) < sizeof(ipbuf))
{
strcat(ipbuf, iptr->name);
strcat(ipbuf, " ");
}
else
{
break;
}
}
Chop(ipbuf, sizeof(ipbuf));
free(exec_config->ip_addresses);
exec_config->ip_addresses = xstrdup(ipbuf);
}
static int HailServer(EvalContext *ctx, char *host)
{
AgentConnection *conn;
char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], peer[CF_MAXVARSIZE],
digest[CF_MAXVARSIZE], user[CF_SMALLBUF];
bool gotkey;
char reply[8];
FileCopy fc = {
.portnumber = (unsigned short) ParseHostname(host, peer),
};
char ipaddr[CF_MAX_IP_LEN];
if (Hostname2IPString(ipaddr, peer, sizeof(ipaddr)) == -1)
{
Log(LOG_LEVEL_ERR,
"HailServer: ERROR, could not resolve '%s'", peer);
return false;
}
Address2Hostkey(ipaddr, digest);
GetCurrentUserName(user, CF_SMALLBUF);
if (INTERACTIVE)
{
Log(LOG_LEVEL_VERBOSE, "Using interactive key trust...");
gotkey = HavePublicKey(user, peer, digest) != NULL;
if (!gotkey)
{
gotkey = HavePublicKey(user, ipaddr, digest) != NULL;
}
if (!gotkey)
{
printf("WARNING - You do not have a public key from host %s = %s\n",
host, ipaddr);
printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");
while (true)
{
if (fgets(reply, sizeof(reply), stdin) == NULL)
{
FatalError(ctx, "EOF trying to read answer from terminal");
}
if (Chop(reply, CF_EXPANDSIZE) == -1)
{
Log(LOG_LEVEL_ERR, "Chop was called on a string that seemed to have no terminator");
}
if (strcmp(reply, "yes") == 0)
{
printf("Will trust the key...\n");
fc.trustkey = true;
break;
}
else if (strcmp(reply, "no") == 0)
{
printf("Will not trust the key...\n");
fc.trustkey = false;
break;
}
else
{
printf("Please reply yes or no...(%s)\n", reply);
}
}
}
}
/* Continue */
#ifdef __MINGW32__
if (LEGACY_OUTPUT)
{
Log(LOG_LEVEL_INFO, "...........................................................................");
Log(LOG_LEVEL_INFO, " * Hailing %s : %u, with options \"%s\" (serial)", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
Log(LOG_LEVEL_INFO, "...........................................................................");
}
else
{
Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (serial)", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
}
#else /* !__MINGW32__ */
if (BACKGROUND)
{
Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (parallel)", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
}
else
{
if (LEGACY_OUTPUT)
{
Log(LOG_LEVEL_INFO, "...........................................................................");
Log(LOG_LEVEL_INFO, " * Hailing %s : %u, with options \"%s\" (serial)", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
Log(LOG_LEVEL_INFO, "...........................................................................");
}
else
{
Log(LOG_LEVEL_INFO, "Hailing '%s' : %u, with options '%s' (serial)", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
}
}
#endif /* !__MINGW32__ */
fc.servers = RlistFromSplitString(peer, '*');
if (fc.servers == NULL || strcmp(RlistScalarValue(fc.servers), "localhost") == 0)
{
Log(LOG_LEVEL_INFO, "No hosts are registered to connect to");
return false;
}
else
{
int err = 0;
conn = NewServerConnection(fc, false, &err, -1);
if (conn == NULL)
{
RlistDestroy(fc.servers);
Log(LOG_LEVEL_VERBOSE, "No suitable server responded to hail");
return false;
}
}
/* Check trust interaction*/
HailExec(conn, peer, recvbuffer, sendbuffer);
RlistDestroy(fc.servers);
return true;
}
/********************************************************************/
/* Level 2 */
/********************************************************************/
static void KeepControlPromises(EvalContext *ctx, const Policy *policy)
{
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_runagent");
const void *value = EvalContextVariableGet(ctx, ref, NULL);
VarRefDestroy(ref);
if (!value)
{
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in runagent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
{
/*
* Only process this option if are is no -b or -i options specified on
* command line.
*/
if (BACKGROUND || INTERACTIVE)
{
Log(LOG_LEVEL_WARNING,
"'background_children' setting from 'body runagent control' is overridden by command-line option.");
}
else
{
BACKGROUND = BooleanFromString(value);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
{
MAXCHILD = (short) IntFromString(value);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
{
OUTPUT_TO_FILE = BooleanFromString(value);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
{
if (IsAbsPath(value))
{
strncpy(OUTPUT_DIRECTORY, value, CF_BUFSIZE - 1);
Log(LOG_LEVEL_VERBOSE, "Setting output direcory to '%s'", OUTPUT_DIRECTORY);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
{
if (HOSTLIST == NULL) // Don't override if command line setting
{
HOSTLIST = value;
}
continue;
}
}
}
const char *expire_after = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
if (expire_after)
{
LASTSEENEXPIREAFTER = IntFromString(expire_after) * 60;
}
}
static void KeepControlPromises(EvalContext *ctx, const Policy *policy, GenericAgentConfig *config)
{
CFD_MAXPROCESSES = 30;
MAXTRIES = 5;
DENYBADCLOCKS = true;
CFRUNCOMMAND[0] = '\0';
SetChecksumUpdatesDefault(ctx, true);
/* Keep promised agent behaviour - control bodies */
Banner("Server control promises..");
PolicyResolve(ctx, policy, config);
/* Now expand */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_SERVER);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_server");
const void *value = EvalContextVariableGet(ctx, ref, NULL);
VarRefDestroy(ref);
if (!value)
{
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in server control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SERVER_FACILITY].lval) == 0)
{
SetFacility(value);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_BAD_CLOCKS].lval) == 0)
{
DENYBADCLOCKS = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting denybadclocks to '%s'", DENYBADCLOCKS ? "true" : "false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ENCRYPTED_TRANSFERS].lval) == 0)
{
LOGENCRYPT = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting logencrypt to '%s'", LOGENCRYPT ? "true" : "false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LOG_ALL_CONNECTIONS].lval) == 0)
{
SV.logconns = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting logconns to %d", SV.logconns);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_MAX_CONNECTIONS].lval) == 0)
{
CFD_MAXPROCESSES = (int) IntFromString(value);
MAXTRIES = CFD_MAXPROCESSES / 3;
Log(LOG_LEVEL_VERBOSE, "Setting maxconnections to %d", CFD_MAXPROCESSES);
#ifdef LMDB
static int LSD_MAXREADERS = 0;
if (LSD_MAXREADERS < CFD_MAXPROCESSES)
{
int rc = UpdateLastSeenMaxReaders(CFD_MAXPROCESSES);
if (rc == 0)
{
LSD_MAXREADERS = CFD_MAXPROCESSES;
}
}
#endif
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_INTERVAL].lval) == 0)
{
COLLECT_INTERVAL = (int) 60 * IntFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting call_collect_interval to %d (seconds)", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_LISTEN].lval) == 0)
{
SERVER_LISTEN = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting server listen to '%s' ",
(SERVER_LISTEN)? "true":"false");
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CALL_COLLECT_WINDOW].lval) == 0)
{
COLLECT_WINDOW = (int) IntFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting collect_window to %d (seconds)", COLLECT_INTERVAL);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_CF_RUN_COMMAND].lval) == 0)
{
strlcpy(CFRUNCOMMAND, value, sizeof(CFRUNCOMMAND));
Log(LOG_LEVEL_VERBOSE, "Setting cfruncommand to '%s'", CFRUNCOMMAND);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_CONNECTS].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.nonattackerlist, RlistScalarValue(rp)))
{
AppendItem(&SV.nonattackerlist, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_DENY_CONNECTS].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Setting denying connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.attackerlist, RlistScalarValue(rp)))
{
AppendItem(&SV.attackerlist, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_SKIP_VERIFY].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_ALL_CONNECTS].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing multiple connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.multiconnlist, RlistScalarValue(rp)))
{
AppendItem(&SV.multiconnlist, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOW_USERS].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "SET Allowing users ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowuserlist, RlistScalarValue(rp)))
{
AppendItem(&SV.allowuserlist, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_TRUST_KEYS_FROM].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Setting trust keys from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.trustkeylist, RlistScalarValue(rp)))
{
AppendItem(&SV.trustkeylist, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOWLEGACYCONNECTS].lval) == 0)
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing legacy connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowlegacyconnects, RlistScalarValue(rp)))
{
AppendItem(&SV.allowlegacyconnects, RlistScalarValue(rp), cp->classes);
}
}
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_PORT_NUMBER].lval) == 0)
{
CFENGINE_PORT = IntFromString(value);
strlcpy(CFENGINE_PORT_STR, value, sizeof(CFENGINE_PORT_STR));
Log(LOG_LEVEL_VERBOSE, "Setting default port number to %d",
CFENGINE_PORT);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_BIND_TO_INTERFACE].lval) == 0)
{
strlcpy(BINDINTERFACE, value, sizeof(BINDINTERFACE));
Log(LOG_LEVEL_VERBOSE, "Setting bindtointerface to '%s'", BINDINTERFACE);
continue;
}
if (strcmp(cp->lval, CFS_CONTROLBODY[SERVER_CONTROL_ALLOWCIPHERS].lval) == 0)
{
SV.allowciphers = xstrdup(value);
Log(LOG_LEVEL_VERBOSE, "Setting allowciphers to '%s'", SV.allowciphers);
continue;
}
}
}
const void *value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_HOST);
if (value)
{
/* Don't resolve syslog_host now, better do it per log request. */
if (!SetSyslogHost(value))
{
Log(LOG_LEVEL_ERR, "Failed to set syslog_host, '%s' too long", (const char *)value);
}
else
{
Log(LOG_LEVEL_VERBOSE, "Setting syslog_host to '%s'", (const char *)value);
}
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_PORT);
if (value)
{
SetSyslogPort(IntFromString(value));
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_FIPS_MODE);
if (value)
{
FIPS_MODE = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting FIPS mode to to '%s'", FIPS_MODE ? "true" : "false");
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
if (value)
{
LASTSEENEXPIREAFTER = IntFromString(value) * 60;
}
}
static int HailServer(const EvalContext *ctx, const GenericAgentConfig *config,
char *host)
{
assert(host != NULL);
AgentConnection *conn;
char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE],
hostkey[CF_HOSTKEY_STRING_SIZE], user[CF_SMALLBUF];
bool gotkey;
char reply[8];
bool trustkey = false;
char *hostname, *port;
ParseHostPort(host, &hostname, &port);
if (hostname == NULL || strcmp(hostname, "localhost") == 0)
{
Log(LOG_LEVEL_INFO, "No remote hosts were specified to connect to");
return false;
}
if (port == NULL)
{
port = "5308";
}
char ipaddr[CF_MAX_IP_LEN];
if (Hostname2IPString(ipaddr, hostname, sizeof(ipaddr)) == -1)
{
Log(LOG_LEVEL_ERR,
"HailServer: ERROR, could not resolve '%s'", hostname);
return false;
}
Address2Hostkey(hostkey, sizeof(hostkey), ipaddr);
GetCurrentUserName(user, CF_SMALLBUF);
if (INTERACTIVE)
{
Log(LOG_LEVEL_VERBOSE, "Using interactive key trust...");
gotkey = HavePublicKey(user, ipaddr, hostkey) != NULL;
if (!gotkey)
{
/* TODO print the hash of the connecting host. But to do that we
* should open the connection first, and somehow pass that hash
* here! redmine#7212 */
printf("WARNING - You do not have a public key from host %s = %s\n",
hostname, ipaddr);
printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");
while (true)
{
if (fgets(reply, sizeof(reply), stdin) == NULL)
{
FatalError(ctx, "EOF trying to read answer from terminal");
}
if (Chop(reply, CF_EXPANDSIZE) == -1)
{
Log(LOG_LEVEL_ERR, "Chop was called on a string that seemed to have no terminator");
}
if (strcmp(reply, "yes") == 0)
{
printf("Will trust the key...\n");
trustkey = true;
break;
}
else if (strcmp(reply, "no") == 0)
{
printf("Will not trust the key...\n");
trustkey = false;
break;
}
else
{
printf("Please reply yes or no...(%s)\n", reply);
}
}
}
}
#ifndef __MINGW32__
if (BACKGROUND)
{
Log(LOG_LEVEL_INFO, "Hailing %s : %s (in the background)",
hostname, port);
}
else
#endif
{
Log(LOG_LEVEL_INFO,
"........................................................................");
Log(LOG_LEVEL_INFO, "Hailing %s : %s",
hostname, port);
Log(LOG_LEVEL_INFO,
"........................................................................");
}
ConnectionFlags connflags = {
.protocol_version = config->protocol_version,
.trust_server = trustkey
};
int err = 0;
conn = ServerConnection(hostname, port, CONNTIMEOUT, connflags, &err);
if (conn == NULL)
{
Log(LOG_LEVEL_ERR, "Failed to connect to host: %s", hostname);
return false;
}
/* Send EXEC command. */
HailExec(conn, hostname, recvbuffer, sendbuffer);
return true;
}
/********************************************************************/
/* Level 2 */
/********************************************************************/
static void KeepControlPromises(EvalContext *ctx, const Policy *policy)
{
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_runagent");
const void *value = EvalContextVariableGet(ctx, ref, NULL);
VarRefDestroy(ref);
if (!value)
{
Log(LOG_LEVEL_ERR, "Unknown lval '%s' in runagent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
{
/*
* Only process this option if are is no -b or -i options specified on
* command line.
*/
if (BACKGROUND || INTERACTIVE)
{
Log(LOG_LEVEL_WARNING,
"'background_children' setting from 'body runagent control' is overridden by command-line option.");
}
else
{
BACKGROUND = BooleanFromString(value);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
{
MAXCHILD = (short) IntFromString(value);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
{
OUTPUT_TO_FILE = BooleanFromString(value);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
{
if (IsAbsPath(value))
{
strlcpy(OUTPUT_DIRECTORY, value, CF_BUFSIZE);
Log(LOG_LEVEL_VERBOSE, "Setting output direcory to '%s'", OUTPUT_DIRECTORY);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
{
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
{
if (HOSTLIST == NULL) // Don't override if command line setting
{
HOSTLIST = value;
}
continue;
}
}
}
const char *expire_after = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
if (expire_after)
{
LASTSEENEXPIREAFTER = IntFromString(expire_after) * 60;
}
}
static void KeepControlPromises(EvalContext *ctx, const Policy *policy, GenericAgentConfig *config)
{
CFD_MAXPROCESSES = 30;
MAXTRIES = 5;
DENYBADCLOCKS = true;
CFRUNCOMMAND[0] = '\0';
SetChecksumUpdatesDefault(ctx, true);
/* Keep promised agent behaviour - control bodies */
Banner("Server control promises..");
PolicyResolve(ctx, policy, config);
/* Now expand */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_SERVER);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
#define IsControlBody(e) (strcmp(cp->lval, CFS_CONTROLBODY[e].lval) == 0)
if (!IsDefinedClass(ctx, cp->classes))
{
continue;
}
VarRef *ref = VarRefParseFromScope(cp->lval, "control_server");
const void *value = EvalContextVariableGet(ctx, ref, NULL);
VarRefDestroy(ref);
if (!value)
{
Log(LOG_LEVEL_ERR,
"Unknown lval '%s' in server control body",
cp->lval);
}
else if (IsControlBody(SERVER_CONTROL_SERVER_FACILITY))
{
SetFacility(value);
}
else if (IsControlBody(SERVER_CONTROL_DENY_BAD_CLOCKS))
{
DENYBADCLOCKS = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE,
"Setting denybadclocks to '%s'",
DENYBADCLOCKS ? "true" : "false");
}
else if (IsControlBody(SERVER_CONTROL_LOG_ENCRYPTED_TRANSFERS))
{
LOGENCRYPT = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE,
"Setting logencrypt to '%s'",
LOGENCRYPT ? "true" : "false");
}
else if (IsControlBody(SERVER_CONTROL_LOG_ALL_CONNECTIONS))
{
SV.logconns = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting logconns to %d", SV.logconns);
}
else if (IsControlBody(SERVER_CONTROL_MAX_CONNECTIONS))
{
CFD_MAXPROCESSES = (int) IntFromString(value);
MAXTRIES = CFD_MAXPROCESSES / 3;
Log(LOG_LEVEL_VERBOSE,
"Setting maxconnections to %d",
CFD_MAXPROCESSES);
/* The handling of max_readers in LMDB is not ideal, but
* here is how it is right now: We know that both cf-serverd and
* cf-hub will access the lastseen database. Worst case every
* single thread and process will do it at the same time, and
* this has in fact been observed. So we add the maximum of
* those two values together to provide a safe ceiling. In
* addition, cf-agent can access the database occasionally as
* well, so add a few extra for that too. */
DBSetMaximumConcurrentTransactions(CFD_MAXPROCESSES
+ EnterpriseGetMaxCfHubProcesses() + 10);
continue;
}
else if (IsControlBody(SERVER_CONTROL_CALL_COLLECT_INTERVAL))
{
COLLECT_INTERVAL = (int) 60 * IntFromString(value);
Log(LOG_LEVEL_VERBOSE,
"Setting call_collect_interval to %d (seconds)",
COLLECT_INTERVAL);
}
else if (IsControlBody(SERVER_CONTROL_LISTEN))
{
SERVER_LISTEN = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE,
"Setting server listen to '%s' ",
SERVER_LISTEN ? "true" : "false");
}
else if (IsControlBody(SERVER_CONTROL_CALL_COLLECT_WINDOW))
{
COLLECT_WINDOW = (int) IntFromString(value);
Log(LOG_LEVEL_VERBOSE,
"Setting collect_window to %d (seconds)",
COLLECT_INTERVAL);
}
else if (IsControlBody(SERVER_CONTROL_CF_RUN_COMMAND))
{
strlcpy(CFRUNCOMMAND, value, sizeof(CFRUNCOMMAND));
Log(LOG_LEVEL_VERBOSE,
"Setting cfruncommand to '%s'",
CFRUNCOMMAND);
}
else if (IsControlBody(SERVER_CONTROL_ALLOW_CONNECTS))
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.nonattackerlist, RlistScalarValue(rp)))
{
PrependItem(&SV.nonattackerlist, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_DENY_CONNECTS))
{
Log(LOG_LEVEL_VERBOSE, "Setting denying connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.attackerlist, RlistScalarValue(rp)))
{
PrependItem(&SV.attackerlist, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_SKIP_VERIFY))
{
/* Skip. */
}
else if (IsControlBody(SERVER_CONTROL_ALLOW_ALL_CONNECTS))
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing multiple connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.multiconnlist, RlistScalarValue(rp)))
{
PrependItem(&SV.multiconnlist, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_ALLOW_USERS))
{
Log(LOG_LEVEL_VERBOSE, "SET Allowing users ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowuserlist, RlistScalarValue(rp)))
{
PrependItem(&SV.allowuserlist, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_TRUST_KEYS_FROM))
{
Log(LOG_LEVEL_VERBOSE, "Setting trust keys from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.trustkeylist, RlistScalarValue(rp)))
{
PrependItem(&SV.trustkeylist, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_ALLOWLEGACYCONNECTS))
{
Log(LOG_LEVEL_VERBOSE, "Setting allowing legacy connections from ...");
for (const Rlist *rp = value; rp != NULL; rp = rp->next)
{
if (!IsItemIn(SV.allowlegacyconnects, RlistScalarValue(rp)))
{
PrependItem(&SV.allowlegacyconnects, RlistScalarValue(rp), cp->classes);
}
}
}
else if (IsControlBody(SERVER_CONTROL_PORT_NUMBER))
{
CFENGINE_PORT = IntFromString(value);
strlcpy(CFENGINE_PORT_STR, value, sizeof(CFENGINE_PORT_STR));
Log(LOG_LEVEL_VERBOSE, "Setting default port number to %d",
CFENGINE_PORT);
}
else if (IsControlBody(SERVER_CONTROL_BIND_TO_INTERFACE))
{
strlcpy(BINDINTERFACE, value, sizeof(BINDINTERFACE));
Log(LOG_LEVEL_VERBOSE, "Setting bindtointerface to '%s'", BINDINTERFACE);
}
else if (IsControlBody(SERVER_CONTROL_ALLOWCIPHERS))
{
SV.allowciphers = xstrdup(value);
Log(LOG_LEVEL_VERBOSE, "Setting allowciphers to '%s'", SV.allowciphers);
}
#undef IsControlBody
}
}
const void *value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_HOST);
if (value)
{
/* Don't resolve syslog_host now, better do it per log request. */
if (!SetSyslogHost(value))
{
Log(LOG_LEVEL_ERR, "Failed to set syslog_host, '%s' too long", (const char *)value);
}
else
{
Log(LOG_LEVEL_VERBOSE, "Setting syslog_host to '%s'", (const char *)value);
}
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_SYSLOG_PORT);
if (value)
{
SetSyslogPort(IntFromString(value));
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_FIPS_MODE);
if (value)
{
FIPS_MODE = BooleanFromString(value);
Log(LOG_LEVEL_VERBOSE, "Setting FIPS mode to to '%s'", FIPS_MODE ? "true" : "false");
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER);
if (value)
{
LASTSEENEXPIREAFTER = IntFromString(value) * 60;
}
value = EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_BWLIMIT);
if (value)
{
double bval;
if (DoubleFromString(value, &bval))
{
bwlimit_kbytes = (uint32_t) ( bval / 1000.0);
Log(LOG_LEVEL_VERBOSE, "Setting rate limit to %d kBytes/sec", bwlimit_kbytes);
}
}
}
static int HailServer(EvalContext *ctx, char *host)
{
AgentConnection *conn;
char sendbuffer[CF_BUFSIZE], recvbuffer[CF_BUFSIZE], peer[CF_MAXVARSIZE], ipv4[CF_MAXVARSIZE],
digest[CF_MAXVARSIZE], user[CF_SMALLBUF];
bool gotkey;
char reply[8];
FileCopy fc = {
.portnumber = (short) ParseHostname(host, peer),
};
snprintf(ipv4, CF_MAXVARSIZE, "%s", Hostname2IPString(peer));
Address2Hostkey(ipv4, digest);
GetCurrentUserName(user, CF_SMALLBUF);
if (INTERACTIVE)
{
CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> Using interactive key trust...\n");
gotkey = HavePublicKey(user, peer, digest) != NULL;
if (!gotkey)
{
gotkey = HavePublicKey(user, ipv4, digest) != NULL;
}
if (!gotkey)
{
printf("WARNING - You do not have a public key from host %s = %s\n", host, ipv4);
printf(" Do you want to accept one on trust? (yes/no)\n\n--> ");
while (true)
{
if (fgets(reply, 8, stdin) == NULL)
{
FatalError(ctx, "EOF trying to read answer from terminal");
}
if (Chop(reply, CF_EXPANDSIZE) == -1)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Chop was called on a string that seemed to have no terminator");
}
if (strcmp(reply, "yes") == 0)
{
printf(" -> Will trust the key...\n");
fc.trustkey = true;
break;
}
else if (strcmp(reply, "no") == 0)
{
printf(" -> Will not trust the key...\n");
fc.trustkey = false;
break;
}
else
{
printf(" !! Please reply yes or no...(%s)\n", reply);
}
}
}
}
/* Continue */
#ifdef __MINGW32__
CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
CfOut(OUTPUT_LEVEL_INFORM, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
#else /* !__MINGW32__ */
if (BACKGROUND)
{
CfOut(OUTPUT_LEVEL_INFORM, "", "Hailing %s : %u, with options \"%s\" (parallel)\n", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
}
else
{
CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
CfOut(OUTPUT_LEVEL_INFORM, "", " * Hailing %s : %u, with options \"%s\" (serial)\n", peer, fc.portnumber,
REMOTE_AGENT_OPTIONS);
CfOut(OUTPUT_LEVEL_INFORM, "", "...........................................................................\n");
}
#endif /* !__MINGW32__ */
fc.servers = RlistFromSplitString(peer, '*');
if (fc.servers == NULL || strcmp(fc.servers->item, "localhost") == 0)
{
CfOut(OUTPUT_LEVEL_INFORM, "", "No hosts are registered to connect to");
return false;
}
else
{
int err = 0;
conn = NewServerConnection(fc, false, &err);
if (conn == NULL)
{
RlistDestroy(fc.servers);
CfOut(OUTPUT_LEVEL_VERBOSE, "", " -> No suitable server responded to hail\n");
return false;
}
}
/* Check trust interaction*/
HailExec(conn, peer, recvbuffer, sendbuffer);
RlistDestroy(fc.servers);
return true;
}
/********************************************************************/
/* Level 2 */
/********************************************************************/
static void KeepControlPromises(EvalContext *ctx, Policy *policy)
{
Rval retval;
RUNATTR.copy.trustkey = false;
RUNATTR.copy.encrypt = true;
RUNATTR.copy.force_ipv4 = false;
RUNATTR.copy.portnumber = SHORT_CFENGINEPORT;
/* Keep promised agent behaviour - control bodies */
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_RUNAGENT);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
if (!EvalContextVariableGet(ctx, (VarRef) { NULL, "control_runagent", cp->lval }, &retval, NULL))
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in runagent control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_FORCE_IPV4].lval) == 0)
{
RUNATTR.copy.force_ipv4 = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET force_ipv4 = %d\n", RUNATTR.copy.force_ipv4);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TRUSTKEY].lval) == 0)
{
RUNATTR.copy.trustkey = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET trustkey = %d\n", RUNATTR.copy.trustkey);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_ENCRYPT].lval) == 0)
{
RUNATTR.copy.encrypt = BooleanFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET encrypt = %d\n", RUNATTR.copy.encrypt);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_PORT_NUMBER].lval) == 0)
{
RUNATTR.copy.portnumber = (short) IntFromString(retval.item);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET default portnumber = %u\n", (int) RUNATTR.copy.portnumber);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_BACKGROUND].lval) == 0)
{
/*
* Only process this option if are is no -b or -i options specified on
* command line.
*/
if (BACKGROUND || INTERACTIVE)
{
CfOut(OUTPUT_LEVEL_ERROR, "",
"Warning: 'background_children' setting from 'body runagent control' is overriden by command-line option.");
}
else
{
BACKGROUND = BooleanFromString(retval.item);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_MAX_CHILD].lval) == 0)
{
MAXCHILD = (short) IntFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_TO_FILE].lval) == 0)
{
OUTPUT_TO_FILE = BooleanFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_OUTPUT_DIRECTORY].lval) == 0)
{
if (IsAbsPath(retval.item))
{
strncpy(OUTPUT_DIRECTORY, retval.item, CF_BUFSIZE - 1);
CfOut(OUTPUT_LEVEL_VERBOSE, "", "SET output direcory to = %s\n", OUTPUT_DIRECTORY);
}
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_TIMEOUT].lval) == 0)
{
RUNATTR.copy.timeout = (short) IntFromString(retval.item);
continue;
}
if (strcmp(cp->lval, CFR_CONTROLBODY[RUNAGENT_CONTROL_HOSTS].lval) == 0)
{
if (HOSTLIST == NULL) // Don't override if command line setting
{
HOSTLIST = retval.item;
}
continue;
}
}
}
if (EvalContextVariableControlCommonGet(ctx, COMMON_CONTROL_LASTSEEN_EXPIRE_AFTER, &retval))
{
LASTSEENEXPIREAFTER = IntFromString(retval.item) * 60;
}
}
void KeepPromises(Policy *policy, ExecConfig *config)
{
bool schedule_is_specified = false;
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_EXECUTOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (IsExcluded(cp->classes, NULL))
{
continue;
}
Rval retval;
if (GetVariable("control_executor", cp->lval, &retval) == DATA_TYPE_NONE)
{
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in exec control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_mailfrom].lval) == 0)
{
free(config->mail_from_address);
config->mail_from_address = SafeStringDuplicate(retval.item);
CfDebug("mailfrom = %s\n", config->mail_from_address);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_mailto].lval) == 0)
{
free(config->mail_to_address);
config->mail_to_address = SafeStringDuplicate(retval.item);
CfDebug("mailto = %s\n", config->mail_to_address);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_smtpserver].lval) == 0)
{
free(config->mail_server);
config->mail_server = SafeStringDuplicate(retval.item);
CfDebug("smtpserver = %s\n", config->mail_server);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_execcommand].lval) == 0)
{
free(config->exec_command);
config->exec_command = SafeStringDuplicate(retval.item);
CfDebug("exec_command = %s\n", config->exec_command);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_agent_expireafter].lval) == 0)
{
config->agent_expireafter = IntFromString(retval.item);
CfDebug("agent_expireafter = %d\n", config->agent_expireafter);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_executorfacility].lval) == 0)
{
SetFacility(retval.item);
continue;
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_mailmaxlines].lval) == 0)
{
config->mail_max_lines = IntFromString(retval.item);
CfDebug("maxlines = %d\n", config->mail_max_lines);
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_splaytime].lval) == 0)
{
int time = IntFromString(RvalScalarValue(retval));
SPLAYTIME = (int) (time * SECONDS_PER_MINUTE * GetSplay());
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[cfex_schedule].lval) == 0)
{
CfDebug("Loading user-defined schedule...\n");
DeleteItemList(SCHEDULE);
SCHEDULE = NULL;
schedule_is_specified = true;
for (const Rlist *rp = retval.item; rp; rp = rp->next)
{
if (!IsItemIn(SCHEDULE, rp->item))
{
AppendItem(&SCHEDULE, rp->item, NULL);
}
}
}
}
}
if (!schedule_is_specified)
{
LoadDefaultSchedule();
}
}
void ExecConfigUpdate(const EvalContext *ctx, const Policy *policy, ExecConfig *exec_config)
{
ExecConfigResetDefault(exec_config);
Seq *constraints = ControlBodyConstraints(policy, AGENT_TYPE_EXECUTOR);
if (constraints)
{
for (size_t i = 0; i < SeqLength(constraints); i++)
{
Constraint *cp = SeqAt(constraints, i);
if (!IsDefinedClass(ctx, cp->classes, NULL))
{
continue;
}
Rval retval;
if (!EvalContextVariableGet(ctx, (VarRef) { NULL, "control_executor", cp->lval }, &retval, NULL))
{
// TODO: should've been checked before this point. change to programming error
CfOut(OUTPUT_LEVEL_ERROR, "", "Unknown lval %s in exec control body", cp->lval);
continue;
}
if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILFROM].lval) == 0)
{
free(exec_config->mail_from_address);
exec_config->mail_from_address = xstrdup(retval.item);
CfDebug("mailfrom = %s\n", exec_config->mail_from_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILTO].lval) == 0)
{
free(exec_config->mail_to_address);
exec_config->mail_to_address = xstrdup(retval.item);
CfDebug("mailto = %s\n", exec_config->mail_to_address);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SMTPSERVER].lval) == 0)
{
free(exec_config->mail_server);
exec_config->mail_server = xstrdup(retval.item);
CfDebug("smtpserver = %s\n", exec_config->mail_server);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_EXECCOMMAND].lval) == 0)
{
free(exec_config->exec_command);
exec_config->exec_command = xstrdup(retval.item);
CfDebug("exec_command = %s\n", exec_config->exec_command);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_AGENT_EXPIREAFTER].lval) == 0)
{
exec_config->agent_expireafter = IntFromString(retval.item);
CfDebug("agent_expireafter = %d\n", exec_config->agent_expireafter);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_EXECUTORFACILITY].lval) == 0)
{
exec_config->log_facility = xstrdup(retval.item);
CfDebug("executorfacility = %s\n", exec_config->log_facility);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_MAILMAXLINES].lval) == 0)
{
exec_config->mail_max_lines = IntFromString(retval.item);
CfDebug("maxlines = %d\n", exec_config->mail_max_lines);
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SPLAYTIME].lval) == 0)
{
int time = IntFromString(RvalScalarValue(retval));
exec_config->splay_time = (int) (time * SECONDS_PER_MINUTE * GetSplay());
}
else if (strcmp(cp->lval, CFEX_CONTROLBODY[EXEC_CONTROL_SCHEDULE].lval) == 0)
{
CfDebug("Loading user-defined schedule...\n");
StringSetClear(exec_config->schedule);
for (const Rlist *rp = retval.item; rp; rp = rp->next)
{
StringSetAdd(exec_config->schedule, xstrdup(RlistScalarValue(rp)));
CfDebug("Adding %s\n", RlistScalarValue(rp));
}
}
}
}
}
