客服电话
APP下载
迪恩网络APP
随时随地掌握行业动态
官方微信
扫描二维码
关注迪恩网络微信公众号
开源软件名称(OpenSource Name):salt-formulas/salt-formula-linux开源软件地址(OpenSource Url):https://github.com/salt-formulas/salt-formula-linux开源编程语言(OpenSource Language):SaltStack 71.0%开源软件介绍(OpenSource Introduction):Linux FormulaLinux Operating Systems:
Sample PillarsLinux SystemBasic Linux box linux:
system:
enabled: true
name: 'node1'
domain: 'domain.com'
cluster: 'system'
environment: prod
timezone: 'Europe/Prague'
utc: trueLinux with system users, some with password set: Warning If no linux:
system:
...
user:
jdoe:
name: 'jdoe'
enabled: true
sudo: true
shell: /bin/bash
full_name: 'Jonh Doe'
home: '/home/jdoe'
home_dir_mode: 755
email: '[email protected]'
unique: false
jsmith:
name: 'jsmith'
enabled: true
full_name: 'With clear password'
home: '/home/jsmith'
hash_password: true
password: "userpassword"
mark:
name: 'mark'
enabled: true
full_name: "unchange password'
home: '/home/mark'
password: false
elizabeth:
name: 'elizabeth'
enabled: true
full_name: 'With hashed password'
home: '/home/elizabeth'
password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"Configure password expiration parametersThe following login.defs parameters can be overridden per-user:
linux:
system:
...
user:
jdoe:
name: 'jdoe'
enabled: true
...
maxdays: <PASS_MAX_DAYS>
mindays: <PASS_MIN_DAYS>
warndays: <PASS_WARN_DAYS>
inactdays: <INACTIVE>Configure sudo for users and groups under # simplified template:
Cmds_Alias {{ alias }}={{ commands }}
{{ user }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
%{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
# when rendered:
saltuser1 ALL=(ALL) NOPASSWD: ALLlinux:
system:
sudo:
enabled: true
aliases:
host:
LOCAL:
- localhost
PRODUCTION:
- db1
- db2
runas:
DBA:
- postgres
- mysql
SALT:
- root
command:
# Note: This is not 100% safe when ALL keyword is used, user still may modify configs and hide his actions.
# Best practice is to specify full list of commands user is allowed to run.
SUPPORT_RESTRICTED:
- /bin/vi /etc/sudoers*
- /bin/vim /etc/sudoers*
- /bin/nano /etc/sudoers*
- /bin/emacs /etc/sudoers*
- /bin/su - root
- /bin/su -
- /bin/su
- /usr/sbin/visudo
SUPPORT_SHELLS:
- /bin/sh
- /bin/ksh
- /bin/bash
- /bin/rbash
- /bin/dash
- /bin/zsh
- /bin/csh
- /bin/fish
- /bin/tcsh
- /usr/bin/login
- /usr/bin/su
- /usr/su
ALL_SALT_SAFE:
- /usr/bin/salt state*
- /usr/bin/salt service*
- /usr/bin/salt pillar*
- /usr/bin/salt grains*
- /usr/bin/salt saltutil*
- /usr/bin/salt-call state*
- /usr/bin/salt-call service*
- /usr/bin/salt-call pillar*
- /usr/bin/salt-call grains*
- /usr/bin/salt-call saltutil*
SALT_TRUSTED:
- /usr/bin/salt*
users:
# saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
saltuser1: {}
saltuser2:
hosts:
- LOCAL
# User Alias DBA
DBA:
hosts:
- ALL
commands:
- ALL_SALT_SAFE
groups:
db-ops:
hosts:
- ALL
- '!PRODUCTION'
runas:
- DBA
commands:
- /bin/cat *
- /bin/less *
- /bin/ls *
salt-ops:
hosts:
- 'ALL'
runas:
- SALT
commands:
- SUPPORT_SHELLS
salt-ops-2nd:
name: salt-ops
nopasswd: false
setenv: true # Enable sudo -E option
runas:
- DBA
commands:
- ALL
- '!SUPPORT_SHELLS'
- '!SUPPORT_RESTRICTED'Linux with package, latest version: linux:
system:
...
package:
package-name:
version: latestLinux with package from certail repo, version with no upgrades: linux:
system:
...
package:
package-name:
version: 2132.323
repo: 'custom-repo'
hold: trueLinux with package from certail repo, version with no GPG verification: linux:
system:
...
package:
package-name:
version: 2132.323
repo: 'custom-repo'
verify: falseLinux with autoupdates (automatically install security package updates): linux:
system:
...
autoupdates:
enabled: true
mail: root@localhost
mail_only_on_error: true
remove_unused_dependencies: false
automatic_reboot: true
automatic_reboot_time: "02:00"Managing cron tasksThere are two data structures that are related to managing cron itself and cron tasks: linux:
system:
cron:and linux:
system:
job:linux:system:cron manages cron packages, services, and '/etc/cron.allow' file. 'deny' files are managed the only way - we're ensuring they are absent, that's a requirement from CIS 5.1.8 'cron' pillar structure is the following: linux:
system:
cron:
enabled: true
pkgs: [ <cron packages> ]
services: [ <cron services> ]
user:
<username>:
enabled: trueTo add user to '/etc/cron.allow' use 'enabled' key as shown above. '/etc/cron.deny' is not managed as CIS 5.1.8 requires it was removed. A user would be ignored if any of the following is true: * user is disabled in linux:system:user:<username> * user is disabled in linux:system:cron:user:<username> linux:system:job manages individual cron tasks. By default, it will use name as an identifier, unless identifier key is explicitly set or False (then it will use Salt's default behavior which is identifier same as command resulting in not being able to change it): linux:
system:
...
job:
cmd1:
command: '/cmd/to/run'
identifier: cmd1
enabled: true
user: 'root'
hour: 2
minute: 0Added the opportunity to set a job with a special keyword like '@reboot' or '@hourly'. Quotes must be used, otherwise PyYAML will strip the '@' sign. linux:
system:
...
job:
cmd1:
command: '/cmd/to/run'
identifier: cmd1
enabled: true
user: 'root'
special: '@reboot'Managing 'at' tasksPillar for managing at tasks is similar to one for cron tasks: linux:
system:
at:
enabled: true
pkgs: [ <at packages> ]
services: [ <at services> ]
user:
<username>:
enabled: trueTo add a user to '/etc/at.allow' use 'enabled' key as shown above. '/etc/at.deny' is not managed as CIS 5.1.8 requires it was removed. A user will be ignored if any of the following is true: * user is disabled in linux:system:user:<username> * user is disabled in linux:system:at:user:<username> Linux security limits (limit sensu user memory usage to max 1GB): linux:
system:
...
limit:
sensu:
enabled: true
domain: sensu
limits:
- type: hard
item: as
value: 1000000Enable autologin on linux:
system:
console:
tty1:
autologin: root
# Enable serial console
ttyS0:
autologin: root
rate: 115200
term: xtermTo disable set autologin to Set linux:
system:
policyrcd:
- package: cassandra
action: exit 101
- package: '*'
action: switchSet system locales: linux:
system:
locale:
en_US.UTF-8:
default: true
"cs_CZ.UTF-8 UTF-8":
enabled: trueSystemd settings: linux:
system:
...
systemd:
system:
Manager:
DefaultLimitNOFILE: 307200
DefaultLimitNPROC: 307200
user:
Manager:
DefaultLimitCPU: 2
DefaultLimitNPROC: 4Systemd journal settings: linux:
system:
...
systemd:
journal:
SystemMaxUse: "50M"
RuntimeMaxFiles: "100"Ensure presence of directory: linux:
system:
directory:
/tmp/test:
user: root
group: root
mode: 700
makedirs: trueEnsure presence of file by specifying its source: linux:
system:
file:
/tmp/test.txt:
source: http://example.com/test.txt
user: root #optional
group: root #optional
mode: 700 #optional
dir_mode: 700 #optional
encoding: utf-8 #optional
hash: <<hash>> or <<URI to hash>> #optional
makedirs: true #optional
linux:
system:
file:
test.txt:
name: /tmp/test.txt
source: http://example.com/test.txt
linux:
system:
file:
test2:
name: /tmp/test2.txt
source: http://example.com/test2.jinja
template: jinjaEnsure presence of file by specifying its contents: linux:
system:
file:
/tmp/test.txt:
contents: |
line1
line2
linux:
system:
file:
/tmp/test.txt:
contents_pillar: linux:network:hostname
linux:
system:
file:
/tmp/test.txt:
contents_grains: motdEnsure presence of file to be serialized through one of the serializer modules (see: https://docs.saltstack.com/en/latest/ref/serializers/all/index.html): linux:
system:
file:
/tmp/test.json:
serialize: json
contents:
foo: 1
bar: 'bar'KernelInstall always up to date LTS kernel and headers from Ubuntu Trusty: linux:
system:
kernel:
type: generic
lts: trusty
headers: trueLoad kernel modules and add them to linux:
system:
kernel:
modules:
- nf_conntrack
- tp_smapi
- 8021qConfigure or blacklist kernel modules with additional options to
'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar. Example for 'scalar' option value: linux:
system:
kernel:
module:
nf_conntrack:
option:
hashsize: 262144Example for 'mapping' option value: linux:
system:
kernel:
module:
nf_conntrack:
option:
hashsize:
enabled: true
value: 262144NOTE: 'enabled' key is optional and is True by default. Blacklist a module: linux:
system:
kernel:
module:
nf_conntrack:
blacklist: trueA module can have a number of aliases, wildcards are allowed. Define an alias for a module: linux:
system:
kernel:
module:
nf_conntrack:
alias:
nfct:
enabled: true
"nf_conn*":
enabled: trueNOTE: 'enabled' key is mandatory as there are no other keys exist. Execute custom command instead of 'insmod' when inserting a module: linux:
system:
kernel:
module:
nf_conntrack:
install:
enabled: true
command: /bin/trueNOTE: 'enabled' key is optional and is True by default. Execute custom command instead of 'rmmod' when removing a module: linux:
system:
kernel:
module:
nf_conntrack:
remove:
enabled: true
command: /bin/trueNOTE: 'enabled' key is optional and is True by default. Define module dependencies: linux:
system:
kernel:
module:
nf_conntrack:
softdep:
pre:
1:
enabled: true
value: a
2:
enabled: true
value: b
3:
enabled: true
value: c
post:
1:
enabled: true
value: x
2:
enabled: true
value: y
3:
enabled: true
value: zNOTE: 'enabled' key is optional and is True by default. Install specific kernel version and ensure all other kernel packages are not present. Also install extra modules and headers for this kernel: linux:
system:
kernel:
type: generic
extra: true
headers: true
version: 4.2.0-22Systcl kernel parameters: linux:
system:
kernel:
sysctl:
net.ipv4.tcp_keepalive_intvl: 3
net.ipv4.tcp_keepalive_time: 30
net.ipv4.tcp_keepalive_probes: 8Configure kernel boot options: linux:
system:
kernel:
boot_options:
- elevator=deadline
- spectre_v2=off
- noptiAlternative way to set kernel boot options: linux:
system:
kernel:
transparent_hugepage: always
elevator: deadline
isolcpu: 1,2,3,4CPUEnable cpufreq governor for every cpu: linux:
system:
cpu:
governor: performanceSELinuxSet SELinux mode on System: linux:
system:
selinux: permissiveCGROUPSSetup linux cgroups: linux:
system:
cgroup:
enabled: true
group:
ceph_group_1:
controller:
cpu:
shares:
value: 250
cpuacct:
usage:
value: 0
cpuset:
cpus:
value: 1,2,3
memory:
limit_in_bytes:
value: 2G
memsw.limit_in_bytes:
value: 3G
mapping:
subjects:
- '@ceph'
generic_group_1:
controller:
cpu:
shares:
value: 250
cpuacct:
usage:
value: 0
mapping:
subjects:
- '*:firefox'
- 'student:cp'Shared librariesSet additional shared library to Linux system library path: linux:
system:
ld:
library:
java:
- /usr/lib/jvm/jre-openjdk/lib/amd64/server
- /opt/java/jre/lib/amd64/serverCertificatesAdd certificate authority into system trusted CA bundle: linux:
system:
ca_certificates:
mycert: |
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-----END CERTIFICATE----- |
