4

I am searching for something (be it a Framework, Software or even just a Best Practice) for the following requirement:

I want to provide a kind of blacklist of configuration values (in several configuration file formats) which must not be set/changed.

The system is a Linux (CentOS) appliance which houses only one application; configuration changes should be rare.

I want to check several configuration files for sanity, ranging from Apache to ifcfg-eth* etc.

Is there a solution which already provides a mechanism like that for a set of 'standard' configuration files?

An example: I want to prevent users from accidentally deactivating KeepAlive in Apache, but they should be able to change other things in the configuration. I want to prevent 'common mistakes'.

2 Answers

3

I've done something similar to this with Puppet (painful) using the solution documented at: Set sysctl.conf parameters with Puppet

It was quite a bit of work to obtain a pretty basic function. In your situation, what's the ratio of parameters you wish to blacklist to those you don't mind being modified? That would impact the approach to solving this. A lot of engineers I know prefer to move entire config files versus using templates or modifying values.

CFEngine had a string modification parameter that would ensure that certain lines were present in a file and add them if they weren't. Same for comments...

ewwhite
  • The requirement is currently a small but growing blacklist. The current requirement could be coded in a day using [scripting language of my choice], but I don't want to end up maintaining a framework of configuration checking scripts in some months (we all know how 'small scripts' can grow due to requirements). Therefore I am searching for a 'simple' solution for this. – Frederick Roth Jun 27 '12 at 20:03
  • @FrederickRoth Well, the Augeas provider in puppet should fit the bill for cherry-picking specific settings in the files to enforce. But, depending on if you're looking for more than just blacklisting of those specific settings, it might not quite work for certain definitions of "sanity check". – Shane Madden Jun 27 '12 at 20:58
  • Thanks, I think that gives me at least something to start and take a deeper look :) – Frederick Roth Jun 28 '12 at 07:14
0

Your use cases are the primary goals of configuration management tools like Puppet, Chef, CFEngine, bcfg2 and others.

Suppose you wanted to prevent changes to ifcfg-eth0. You would configure these tools to track this file.

When the tool's agent wakes up at regular intervals, it can either inform you that a change has occurred, or can revert the file to its original state.

Not Now
  • I briefly checked the manuals of Puppet, Chef and bcfg2 and have not found the feature I want, meaning tracking single configuration values inside of configuration files. Am I misunderstanding something in the documentation? An example: I want to prevent users from accidentally deactivating KeepAlive in Apache, but they should be able to change other things in the file. I need this rather fine granularity. – Frederick Roth Jun 27 '12 at 19:43