Open-source software name: salt-formulas/salt-formula-linux
Open-source software URL: https://github.com/salt-formulas/salt-formula-linux
Open-source programming language: SaltStack 71.0%
Open-source software introduction:

# Linux Formula

Linux operating systems.

## Sample Pillars

### Linux System

Basic Linux box:

```yaml
linux:
  system:
    enabled: true
    name: 'node1'
    domain: 'domain.com'
    cluster: 'system'
    environment: prod
    timezone: 'Europe/Prague'
    utc: true
```

Linux with system users, some with a password set:

Warning: If no ...
```yaml
linux:
  system:
    ...
    user:
      jdoe:
        name: 'jdoe'
        enabled: true
        sudo: true
        shell: /bin/bash
        full_name: 'John Doe'
        home: '/home/jdoe'
        home_dir_mode: 755
        email: 'john@doe.com'
        unique: false
      jsmith:
        name: 'jsmith'
        enabled: true
        full_name: 'With clear password'
        home: '/home/jsmith'
        hash_password: true
        password: "userpassword"
      mark:
        name: 'mark'
        enabled: true
        full_name: 'unchanged password'
        home: '/home/mark'
        password: false
      elizabeth:
        name: 'elizabeth'
        enabled: true
        full_name: 'With hashed password'
        home: '/home/elizabeth'
        password: "$6$nUI7QEz3$dFYjzQqK5cJ6HQ38KqG4gTWA9eJu3aKx6TRVDFh6BVJxJgFWg2akfAA7f1fCxcSUeOJ2arCO6EEI6XXnHXxG10"
```

Note that with `hash_password: true` the clear-text password still lives in the pillar data, visible to anyone who can read the pillar. Supplying a pre-computed crypt hash, as for `elizabeth`, keeps the clear text out of the pillar entirely; `password: false` leaves whatever password is already set on the account untouched.

#### Configure password expiration parameters

The following login.defs parameters can be overridden per user:
```yaml
linux:
  system:
    ...
    user:
      jdoe:
        name: 'jdoe'
        enabled: true
        ...
        maxdays: <PASS_MAX_DAYS>
        mindays: <PASS_MIN_DAYS>
        warndays: <PASS_WARN_DAYS>
        inactdays: <INACTIVE>
```

#### Configure sudo for users and groups

A simplified view of the template the formula renders (sudoers only knows the `Cmnd_Alias` keyword, so that is the spelling used here):
```jinja
# simplified template:
Cmnd_Alias {{ alias }}={{ commands }}
{{ user }}   {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
%{{ group }} {{ hosts }}=({{ runas }}) NOPASSWD: {{ commands }}
# when rendered:
saltuser1 ALL=(ALL) NOPASSWD: ALL
```

```yaml
linux:
  system:
    sudo:
      enabled: true
      aliases:
        host:
          LOCAL:
            - localhost
          PRODUCTION:
            - db1
            - db2
        runas:
          DBA:
            - postgres
            - mysql
          SALT:
            - root
        command:
          # Note: this is not 100% safe when the ALL keyword is used; the user
          # may still modify configs and hide their actions.
          # Best practice is to specify the full list of commands the user is
          # allowed to run.
          SUPPORT_RESTRICTED:
            - /bin/vi /etc/sudoers*
            - /bin/vim /etc/sudoers*
            - /bin/nano /etc/sudoers*
            - /bin/emacs /etc/sudoers*
            - /bin/su - root
            - /bin/su -
            - /bin/su
            - /usr/sbin/visudo
          SUPPORT_SHELLS:
            - /bin/sh
            - /bin/ksh
            - /bin/bash
            - /bin/rbash
            - /bin/dash
            - /bin/zsh
            - /bin/csh
            - /bin/fish
            - /bin/tcsh
            - /usr/bin/login
            - /usr/bin/su
            - /usr/su
          ALL_SALT_SAFE:
            - /usr/bin/salt state*
            - /usr/bin/salt service*
            - /usr/bin/salt pillar*
            - /usr/bin/salt grains*
            - /usr/bin/salt saltutil*
            - /usr/bin/salt-call state*
            - /usr/bin/salt-call service*
            - /usr/bin/salt-call pillar*
            - /usr/bin/salt-call grains*
            - /usr/bin/salt-call saltutil*
          SALT_TRUSTED:
            - /usr/bin/salt*
      users:
        # saltuser1 with default values: saltuser1 ALL=(ALL) NOPASSWD: ALL
        saltuser1: {}
        saltuser2:
          hosts:
            - LOCAL
        # User Alias DBA
        DBA:
          hosts:
            - ALL
          commands:
            - ALL_SALT_SAFE
      groups:
        db-ops:
          hosts:
            - ALL
            - '!PRODUCTION'
          runas:
            - DBA
          commands:
            - /bin/cat *
            - /bin/less *
            - /bin/ls *
        salt-ops:
          hosts:
            - 'ALL'
          runas:
            - SALT
          commands:
            - SUPPORT_SHELLS
        salt-ops-2nd:
          name: salt-ops
          nopasswd: false
          setenv: true  # Enable sudo -E option
          runas:
            - DBA
          commands:
            - ALL
            - '!SUPPORT_SHELLS'
            - '!SUPPORT_RESTRICTED'
```

The `salt-ops-2nd` entry shows the deny-list pattern the comment above warns about: `ALL` minus a few excluded commands still leaves every other binary on the system, including editors and interpreters that can spawn a shell, so treat such entries as a convenience, not a restriction.
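The rendering rules described by the simplified template above, worked through as an added example that is not the formula's own template code: it turns a `linux:system:sudo` pillar (a constructed subset of the one above) into sudoers syntax, defaults missing `hosts`/`runas`/`commands` to `ALL`, applies `NOPASSWD:` unless `nopasswd: false`, adds `SETENV:` for `setenv: true`, and flags every entry whose command list is built on `ALL` so the deny-list caveat can be reviewed. Function names and the exact spacing of the output are assumptions.

```python
"""Render a salt-formula-linux style ``linux:system:sudo`` pillar into sudoers
syntax. Added example, not the formula's template; rules follow the simplified
template shown on the page. PILLAR is a constructed subset of the page's data."""

PILLAR = {
    "aliases": {
        "host": {"LOCAL": ["localhost"], "PRODUCTION": ["db1", "db2"]},
        "runas": {"DBA": ["postgres", "mysql"], "SALT": ["root"]},
        "command": {
            "SUPPORT_SHELLS": ["/bin/sh", "/bin/bash"],
            "ALL_SALT_SAFE": ["/usr/bin/salt state*", "/usr/bin/salt-call state*"],
        },
    },
    "users": {
        "saltuser1": {},  # all defaults -> saltuser1 ALL=(ALL) NOPASSWD: ALL
        "DBA": {"hosts": ["ALL"], "commands": ["ALL_SALT_SAFE"]},
    },
    "groups": {
        "db-ops": {
            "hosts": ["ALL", "!PRODUCTION"],
            "runas": ["DBA"],
            "commands": ["/bin/cat *", "/bin/less *"],
        },
        "salt-ops-2nd": {
            "name": "salt-ops", "nopasswd": False, "setenv": True,
            "runas": ["DBA"], "commands": ["ALL", "!SUPPORT_SHELLS"],
        },
    },
}

# sudoers(5) alias keywords for each pillar alias section.
ALIAS_KEYWORDS = {"host": "Host_Alias", "runas": "Runas_Alias", "command": "Cmnd_Alias"}


def render_aliases(aliases):
    """One ``<Kind>_Alias NAME = a, b`` line per alias, in pillar order."""
    lines = []
    for kind, keyword in ALIAS_KEYWORDS.items():
        for name, members in aliases.get(kind, {}).items():
            lines.append(f"{keyword} {name} = {', '.join(members)}")
    return lines


def render_spec(key, spec, is_group=False):
    """Render one user or group entry; missing keys take the template defaults."""
    principal = ("%" if is_group else "") + spec.get("name", key)
    hosts = ", ".join(spec.get("hosts", ["ALL"]))
    runas = ", ".join(spec.get("runas", ["ALL"]))
    commands = ", ".join(spec.get("commands", ["ALL"]))
    tags = ""
    if spec.get("nopasswd", True):      # template default is NOPASSWD
        tags += "NOPASSWD: "
    if spec.get("setenv", False):       # allow ``sudo -E`` for this entry
        tags += "SETENV: "
    return f"{principal} {hosts}=({runas}) {tags}{commands}"


def render_sudoers(pillar):
    """Complete sudoers text: aliases first, then user and group specs."""
    lines = render_aliases(pillar.get("aliases", {}))
    for key, spec in pillar.get("users", {}).items():
        lines.append(render_spec(key, spec))
    for key, spec in pillar.get("groups", {}).items():
        lines.append(render_spec(key, spec, is_group=True))
    return "\n".join(lines) + "\n"


def blanket_grants(pillar):
    """Entries whose command list contains ALL. As the pillar comment says,
    ALL minus a deny list is not a real restriction: the user can still edit
    configuration or copy a shell under another name, so review these."""
    flagged = []
    for section in ("users", "groups"):
        for key, spec in pillar.get(section, {}).items():
            if "ALL" in spec.get("commands", ["ALL"]):
                flagged.append(key)
    return flagged


if __name__ == "__main__":
    print(render_sudoers(PILLAR))
    print("# ALL-based entries to review:", ", ".join(blanket_grants(PILLAR)))
```

Whatever produces the file, validate it with `visudo -c -f <file>` before dropping it into place; a syntax error in a sudoers drop-in locks everyone out of sudo rather than failing open.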
Linux with a package at its latest version:

```yaml
linux:
  system:
    ...
    package:
      package-name:
        version: latest
```

Linux with a package from a certain repo, pinned to a version with no upgrades:

```yaml
linux:
  system:
    ...
    package:
      package-name:
        version: 2132.323
        repo: 'custom-repo'
        hold: true
```

Linux with a package from a certain repo, specific version, with no GPG verification. `verify: false` switches off signature checking for that one package; limit it to repositories you control, because it removes the check that would otherwise reject a tampered package:

```yaml
linux:
  system:
    ...
    package:
      package-name:
        version: 2132.323
        repo: 'custom-repo'
        verify: false
```

Linux with autoupdates (automatically install security package updates):

```yaml
linux:
  system:
    ...
    autoupdates:
      enabled: true
      mail: root@localhost
      mail_only_on_error: true
      remove_unused_dependencies: false
      automatic_reboot: true
      automatic_reboot_time: "02:00"
```
### Managing cron tasks

There are two data structures related to managing cron itself and cron tasks:

```yaml
linux:
  system:
    cron:
```

and

```yaml
linux:
  system:
    job:
```

`linux:system:cron` manages cron packages, services, and the '/etc/cron.allow' file. The 'deny' files are managed in one way only: they are ensured absent, which CIS 5.1.8 requires. The 'cron' pillar structure is the following:

```yaml
linux:
  system:
    cron:
      enabled: true
      pkgs: [ <cron packages> ]
      services: [ <cron services> ]
      user:
        <username>:
          enabled: true
```

To add a user to '/etc/cron.allow', use the 'enabled' key as shown above. '/etc/cron.deny' is not managed, as CIS 5.1.8 requires it to be removed. A user is ignored if any of the following is true:

* the user is disabled in linux:system:user:<username>
* the user is disabled in linux:system:cron:user:<username>

`linux:system:job` manages individual cron tasks. By default it uses the job's name as the identifier, unless the `identifier` key is set explicitly, or set to False (then Salt's default behaviour applies: the identifier is the command itself, so the command can no longer be changed in place):

```yaml
linux:
  system:
    ...
    job:
      cmd1:
        command: '/cmd/to/run'
        identifier: cmd1
        enabled: true
        user: 'root'
        hour: 2
        minute: 0
```

A job can also be scheduled with a special keyword such as '@reboot' or '@hourly'. The value must be quoted: '@' is a reserved indicator in YAML and PyYAML does not accept a value that starts with it unquoted.

```yaml
linux:
  system:
    ...
    job:
      cmd1:
        command: '/cmd/to/run'
        identifier: cmd1
        enabled: true
        user: 'root'
        special: '@reboot'
```

### Managing 'at' tasks

The pillar for managing at tasks is similar to the one for cron tasks:

```yaml
linux:
  system:
    at:
      enabled: true
      pkgs: [ <at packages> ]
      services: [ <at services> ]
      user:
        <username>:
          enabled: true
```

To add a user to '/etc/at.allow', use the 'enabled' key as shown above. '/etc/at.deny' is not managed, as CIS 5.1.8 requires it to be removed. A user is ignored if any of the following is true:

* the user is disabled in linux:system:user:<username>
* the user is disabled in linux:system:at:user:<username>
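The allow-file rules stated for cron and at above, worked through as an added example (not the formula's own state code): from a constructed pillar it computes who ends up in the allow file, applying both skip rules (disabled under `linux:system:user`, or disabled under the facility's own `user` map), records that the deny file must be absent, and compares the result with what is observed on a host so drift such as a reappearing `/etc/cron.deny` is caught. The file paths table, the `0600` mode and treating a missing `enabled` as true are assumptions made for the example.

```python
"""Compute /etc/cron.allow and /etc/at.allow from a salt-formula-linux style
pillar. Added example, not the formula's own code; it encodes the two skip
rules the text states and the CIS 5.1.8 requirement that deny files be absent.
PILLAR is constructed: jsmith is disabled system-wide, mark only for cron."""

PILLAR = {
    "linux": {
        "system": {
            "user": {
                "jdoe": {"enabled": True},
                "jsmith": {"enabled": False},
                "mark": {"enabled": True},
                "elizabeth": {"enabled": True},
            },
            "cron": {
                "enabled": True,
                "user": {
                    "jdoe": {"enabled": True},
                    "jsmith": {"enabled": True},   # skipped: disabled as a system user
                    "mark": {"enabled": False},    # skipped: disabled for cron
                },
            },
            "at": {
                "enabled": True,
                "user": {"elizabeth": {"enabled": True}, "jdoe": {"enabled": True}},
            },
        }
    }
}

# Assumed allow/deny file locations per facility.
PATHS = {
    "cron": ("/etc/cron.allow", "/etc/cron.deny"),
    "at": ("/etc/at.allow", "/etc/at.deny"),
}


def allowed_users(pillar, facility):
    """Users that belong in the allow file for ``facility`` ('cron' or 'at')."""
    system = pillar["linux"]["system"]
    system_users = system.get("user", {})
    facility_users = system.get(facility, {}).get("user", {})
    allowed = []
    for name, spec in sorted(facility_users.items()):
        if not spec.get("enabled", True):            # rule 2: disabled for this facility
            continue
        if not system_users.get(name, {}).get("enabled", True):  # rule 1: disabled system user
            continue
        allowed.append(name)
    return allowed


def plan(pillar, facility):
    """Desired state: allow file contents (root-owned, 0600, an assumed
    hardening choice) and deny file absent, expressed as None."""
    system = pillar["linux"]["system"]
    if not system.get(facility, {}).get("enabled", False):
        return {}
    allow_path, deny_path = PATHS[facility]
    contents = "".join(f"{user}\n" for user in allowed_users(pillar, facility))
    return {
        allow_path: {"contents": contents, "mode": 0o600, "user": "root", "group": "root"},
        deny_path: None,  # CIS 5.1.8: the deny file must not exist
    }


def drift(desired, observed):
    """Paths whose observed state (file contents, or None when the file is
    absent) differs from the plan; a present deny file always shows up here."""
    out = []
    for path, want in desired.items():
        want_contents = want["contents"] if want else None
        if observed.get(path) != want_contents:
            out.append(path)
    return out


if __name__ == "__main__":
    for facility in ("cron", "at"):
        print(facility, plan(PILLAR, facility))
    # Constructed observation: allow file correct, but an empty cron.deny exists.
    print(drift(plan(PILLAR, "cron"), {"/etc/cron.allow": "jdoe\n", "/etc/cron.deny": ""}))
```

An empty deny file is not harmless: with both files present, cron consults only the allow file, but once an allow file is removed an empty `cron.deny` allows every user, which is why the benchmark asks for its absence rather than its contents.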
Linux security limits (limit the sensu user's memory usage to at most 1 GB):

```yaml
linux:
  system:
    ...
    limit:
      sensu:
        enabled: true
        domain: sensu
        limits:
          - type: hard
            item: as
            value: 1000000
```

Enable autologin on a console (tty1 in the example, plus a serial console):

```yaml
linux:
  system:
    console:
      tty1:
        autologin: root
      # Enable serial console
      ttyS0:
        autologin: root
        rate: 115200
        term: xterm
```

To disable autologin for a console, set its `autologin` value to false. Autologin as root hands a root shell to anyone with physical or serial access to the console without any authentication, so keep it to lab and recovery images.

Set policy-rc.d rules (exit code 101 tells the package manager that the action is forbidden, so the service is not started on install):

```yaml
linux:
  system:
    policyrcd:
      - package: cassandra
        action: exit 101
      - package: '*'
        action: switch
```

Set system locales:

```yaml
linux:
  system:
    locale:
      en_US.UTF-8:
        default: true
      "cs_CZ.UTF-8 UTF-8":
        enabled: true
```

Systemd settings:

```yaml
linux:
  system:
    ...
    systemd:
      system:
        Manager:
          DefaultLimitNOFILE: 307200
          DefaultLimitNPROC: 307200
      user:
        Manager:
          DefaultLimitCPU: 2
          DefaultLimitNPROC: 4
```

Systemd journal settings:

```yaml
linux:
  system:
    ...
    systemd:
      journal:
        SystemMaxUse: "50M"
        RuntimeMaxFiles: "100"
```

Ensure presence of a directory:

```yaml
linux:
  system:
    directory:
      /tmp/test:
        user: root
        group: root
        mode: 700
        makedirs: true
```

Ensure presence of a file by specifying its source. When the source is fetched over plain HTTP, set `hash` as well, so that a modified download is rejected instead of being written to disk:

```yaml
linux:
  system:
    file:
      /tmp/test.txt:
        source: http://example.com/test.txt
        user: root  # optional
        group: root  # optional
        mode: 700  # optional
        dir_mode: 700  # optional
        encoding: utf-8  # optional
        hash: <<hash>> or <<URI to hash>>  # optional
        makedirs: true  # optional
```

```yaml
linux:
  system:
    file:
      test.txt:
        name: /tmp/test.txt
        source: http://example.com/test.txt
```

```yaml
linux:
  system:
    file:
      test2:
        name: /tmp/test2.txt
        source: http://example.com/test2.jinja
        template: jinja
```

Ensure presence of a file by specifying its contents:

```yaml
linux:
  system:
    file:
      /tmp/test.txt:
        contents: |
          line1
          line2
```

```yaml
linux:
  system:
    file:
      /tmp/test.txt:
        contents_pillar: linux:network:hostname
```

```yaml
linux:
  system:
    file:
      /tmp/test.txt:
        contents_grains: motd
```

Ensure presence of a file serialized through one of the serializer modules (see https://docs.saltstack.com/en/latest/ref/serializers/all/index.html):

```yaml
linux:
  system:
    file:
      /tmp/test.json:
        serialize: json
        contents:
          foo: 1
          bar: 'bar'
```

### Kernel

Install an always up-to-date LTS kernel and headers from Ubuntu Trusty:

```yaml
linux:
  system:
    kernel:
      type: generic
      lts: trusty
      headers: true
```
Load kernel modules and add them to the set of modules loaded at boot:

```yaml
linux:
  system:
    kernel:
      modules:
        - nf_conntrack
        - tp_smapi
        - 8021q
```

Configure or blacklist kernel modules, with additional options written to the modprobe configuration. 'option' can be a mapping (with 'enabled' and 'value' keys) or a scalar.

Example of a scalar option value:

```yaml
linux:
  system:
    kernel:
      module:
        nf_conntrack:
          option:
            hashsize: 262144
```

Example of a mapping option value:

```yaml
linux:
  system:
    kernel:
      module:
        nf_conntrack:
          option:
            hashsize:
              enabled: true
              value: 262144
```

NOTE: the 'enabled' key is optional and is True by default.

Blacklist a module:

```yaml
linux:
  system:
    kernel:
      module:
        nf_conntrack:
          blacklist: true
```

A module can have a number of aliases; wildcards are allowed. Define an alias for a module:

```yaml
linux:
  system:
    kernel:
      module:
        nf_conntrack:
          alias:
            nfct:
              enabled: true
            "nf_conn*":
              enabled: true
```

NOTE: here the 'enabled' key is mandatory, as no other keys exist.

Execute a custom command instead of 'insmod' when inserting a module:

```yaml
linux:
  system:
    kernel:
      module:
        nf_conntrack:
          install:
            enabled: true
            command: /bin/true
```

NOTE: the 'enabled' key is optional and is True by default.

Execute a custom command instead of 'rmmod' when removing a module:

```yaml
linux:
  system:
    kernel:
      module:
        nf_conntrack:
          remove:
            enabled: true
            command: /bin/true
```

NOTE: the 'enabled' key is optional and is True by default.

Define module dependencies:

```yaml
linux:
  system:
    kernel:
      module:
        nf_conntrack:
          softdep:
            pre:
              1:
                enabled: true
                value: a
              2:
                enabled: true
                value: b
              3:
                enabled: true
                value: c
            post:
              1:
                enabled: true
                value: x
              2:
                enabled: true
                value: y
              3:
                enabled: true
                value: z
```

NOTE: the 'enabled' key is optional and is True by default.
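The module options, blacklist, alias, install/remove and softdep rules described above, worked through as an added example that is not the formula's own template: it renders a `linux:system:kernel:module` pillar entry into modprobe.d(5) directives, accepting scalar or `{enabled, value}` option forms, defaulting `enabled` to true everywhere except for aliases (where the page says it is mandatory), and ordering softdep entries by their numeric keys. The pillar is constructed; the `usb_storage` entry and the `/etc/modprobe.d/<module>.conf` output path are assumptions added to show the usual disable pattern.

```python
"""Render salt-formula-linux style ``linux:system:kernel:module`` pillar data
into modprobe.d(5) directives. Added example, not the formula's template.
MODULE_PILLAR is constructed; usb_storage is an assumed extra entry."""

MODULE_PILLAR = {
    "nf_conntrack": {
        "option": {
            "hashsize": 262144,                                    # scalar form
            "expect_hashsize": {"enabled": False, "value": 1024},  # mapping form, disabled
        },
        "alias": {"nfct": {"enabled": True}, "nf_conn*": {"enabled": True}},
        "install": {"command": "/bin/true"},                       # enabled by default
        "softdep": {
            "pre": {2: {"value": "b"}, 1: {"enabled": True, "value": "a"}},
            "post": {1: {"enabled": False, "value": "x"}, 2: {"value": "y"}},
        },
    },
    # Assumed hardening entry: blacklist stops autoloading, the install line
    # also stops an explicit ``modprobe usb_storage`` from loading it.
    "usb_storage": {
        "blacklist": True,
        "install": {"command": "/bin/false"},
    },
}


def _enabled(entry, default=True):
    """Mapping entries carry their own 'enabled'; scalars are always enabled."""
    if isinstance(entry, dict):
        return entry.get("enabled", default)
    return True


def _value(entry):
    return entry["value"] if isinstance(entry, dict) else entry


def _ordered_values(table):
    """Enabled softdep values in the order of their numeric keys."""
    ordered = sorted(table.items(), key=lambda kv: int(kv[0]))
    return [_value(e) for _, e in ordered if _enabled(e)]


def render_module(name, spec):
    """modprobe.d lines for one module, in a fixed directive order."""
    lines = []
    opts = [f"{k}={_value(v)}" for k, v in spec.get("option", {}).items() if _enabled(v)]
    if opts:
        lines.append(f"options {name} {' '.join(opts)}")
    if spec.get("blacklist"):
        lines.append(f"blacklist {name}")
    for alias, entry in spec.get("alias", {}).items():
        if _enabled(entry, default=False):  # 'enabled' is mandatory for aliases
            lines.append(f"alias {alias} {name}")
    for directive in ("install", "remove"):
        entry = spec.get(directive)
        if entry and _enabled(entry):
            lines.append(f"{directive} {name} {entry['command']}")
    parts = []
    for stage in ("pre", "post"):
        mods = _ordered_values(spec.get("softdep", {}).get(stage, {}))
        if mods:
            parts.append(f"{stage}: {' '.join(mods)}")
    if parts:
        lines.append(f"softdep {name} {' '.join(parts)}")
    return lines


def render_all(pillar):
    """Map an assumed per-module file path to its rendered contents."""
    return {
        f"/etc/modprobe.d/{name}.conf": "\n".join(render_module(name, spec)) + "\n"
        for name, spec in pillar.items()
    }


if __name__ == "__main__":
    for path, text in render_all(MODULE_PILLAR).items():
        print(f"# {path}\n{text}")
```

Note the difference between the two mechanisms: `blacklist` only prevents a module from being loaded through its aliases (hardware autoload), while `install <module> /bin/false` replaces the load command itself and so also defeats an explicit `modprobe`. A module that is listed under `modules:` for boot-time loading and blacklisted here is still loaded by the boot-time list, which is why the install directive is the one to use for a real disable.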
Install a specific kernel version and ensure all other kernel packages are not present. Also install extra modules and headers for this kernel:

```yaml
linux:
  system:
    kernel:
      type: generic
      extra: true
      headers: true
      version: 4.2.0-22
```

Sysctl kernel parameters:

```yaml
linux:
  system:
    kernel:
      sysctl:
        net.ipv4.tcp_keepalive_intvl: 3
        net.ipv4.tcp_keepalive_time: 30
        net.ipv4.tcp_keepalive_probes: 8
```

Configure kernel boot options. Note that `spectre_v2=off` and `nopti` switch off the Spectre v2 and Meltdown (KPTI) mitigations; that trades CPU side-channel protection for performance and should be a deliberate, documented choice rather than a default:

```yaml
linux:
  system:
    kernel:
      boot_options:
        - elevator=deadline
        - spectre_v2=off
        - nopti
```

Alternative way to set kernel boot options:

```yaml
linux:
  system:
    kernel:
      transparent_hugepage: always
      elevator: deadline
      isolcpu: 1,2,3,4
```

### CPU

Enable a cpufreq governor for every CPU:

```yaml
linux:
  system:
    cpu:
      governor: performance
```

### SELinux

Set the SELinux mode on the system:

```yaml
linux:
  system:
    selinux: permissive
```

### CGROUPS

Set up Linux cgroups:

```yaml
linux:
  system:
    cgroup:
      enabled: true
      group:
        ceph_group_1:
          controller:
            cpu:
              shares:
                value: 250
            cpuacct:
              usage:
                value: 0
            cpuset:
              cpus:
                value: 1,2,3
            memory:
              limit_in_bytes:
                value: 2G
              memsw.limit_in_bytes:
                value: 3G
          mapping:
            subjects:
              - '@ceph'
        generic_group_1:
          controller:
            cpu:
              shares:
                value: 250
            cpuacct:
              usage:
                value: 0
          mapping:
            subjects:
              - '*:firefox'
              - 'student:cp'
```

### Shared libraries

Add additional shared library directories to the system library path:

```yaml
linux:
  system:
    ld:
      library:
        java:
          - /usr/lib/jvm/jre-openjdk/lib/amd64/server
          - /opt/java/jre/lib/amd64/server
```

### Certificates

Add a certificate authority to the system trusted CA bundle. Every TLS client that uses the system bundle will trust certificates issued by this CA, so keep the set of added CAs minimal and review it as carefully as the sudo rules:

```yaml
linux:
  system:
    ca_certificates:
      mycert: |
        -----BEGIN CERTIFICATE-----
        MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
        A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
        cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
        MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
        BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
        YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
        ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
        BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
        I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
        CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
        lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
        AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
        -----END CERTIFICATE-----
```