Secure sysctl settings with CFEngine


Here's how to maintain Linux sysctl settings across all hosts in an organization using the Evolve free promise library and CFEngine. ---

Sysctl data is separated from CFEngine policy in its own data file.

# sysctl.txt
# Promise sysctl.conf and live kernel settings

# context(0) ;; sysctl variable name(1)         ;; value(2) ;; promisee(3)
any          ;; net.ipv6.conf.all.accept_ra     ;; 0        ;; ipv6 auto assign
any          ;; net.ipv6.conf.all.autoconf      ;; 0        ;; ipv6 auto assign
any          ;; net.ipv6.conf.default.autoconf  ;; 0        ;; ipv6 auto assign
any          ;; net.ipv6.conf.eth0.accept_ra    ;; 0        ;; ipv6 auto assign
sol          ;; net.ipv6.conf.bond0.accept_ra   ;; 0        ;; ipv6 auto assign

alix         ;; net.ipv6.conf.all.forwarding    ;; 1        ;; Routing
alix         ;; net.ipv4.ip_forward             ;; 1        ;; Routing
neptune      ;; proc.sys.kernel.sysrq           ;; 0        ;; Laptop security

Columns labeled 1 and 2 are the sysctl setting name and the value. Column 3 is the promisee, used for documentation. Column 0 is the class or context that must be true for the sysctl setting to be applied.

The Evolve free promise library has two sysctl bundles. One promises live sysctl settings and the other promises the sysctl.conf file. Use methods promises to call each bundle, passing the same parameter file.


"live sysctl settings"
   usebundle => efl_sysctl_live( "${sys.workdir}/inputs/bundle_params/sysctl.txt" ),
   action    => if_elapsed( "240" );

"sysctl conf settings"
   usebundle => efl_sysctl_conf_file( "${sys.workdir}/inputs/bundle_params/sysctl.txt" ),
   action    => if_elapsed( "240" );

The live bundle calls the sysctl command often. If_elapsed is used to reduce the load from excessive promise evaluation.

Evolve Thinking's free CFEngine library


Our free CFEngine library empowers users to build and deploy new policy faster, simplify existing policy, and reduce staff training. --- We do this by offering simple reusable bundles and full data separation using CSV parameter files.

Just as CFEngine uses a handful of promises to affect so much change on a host, our small collection of bundles can accomplish most high level tasks in CFEngine.

Typical CFEngine bundles in use today are too specialized. A bundle for cron tables, a bundle for resolv.conf, and another for NTP. This is too specialized and too costly. There is a better way. Simpler bundles can offer greater flexibility and easier reuse at a lower cost. A single service bundle can promise cron tables, NTP, and more. A single editing template bundle can promise resolv.conf, the hosts file, shell profiles, and more. Our library does this and more.

Consider this data file for the bundle efl_chkconfig_enable_service. If the context class is true then the given service is enabled for boot time start using the chkconfig command.

# context(0) ;; service name(1) ;; Promisee(3)

any          ;; cfengine3       ;; Sysadmin team
web_server   ;; apache2         ;; Web team
dev.dns      ;; bind            ;; Dev team

You can call the bundle like this:

"enable with chkconfig"
usebundle => efl_chkconfig_enable_service(

To enable a new service, change only the data file. The promisee is very important. It will help you to find all related data. Labelling a promisee "SSH services for DMZ" will help find all SSH entries, in all data files using a single search.

Our library offers a further step in data separation. The method above can be placed in a data file. The bundle efl_main takes a data file that describes method calls and parameters. For example:

# context(0) ;; promiser(1) ;; bundle(2) ;; ifelapsed(3) ;; parameter(4) ;; promisee(5)

any ;; host classes ;; efl_class_hostname ;; 1 ;; /var/cfengine/inputs/user_data/classes/efl_class_hostname-ipv6_only.txt ;; Neil Watson
any ;; chkconfig enable ;; efl_chkconfig_enable_service ;; 1 ;; /var/cfengine/inputs/user_data/bundle_params/efl_chkconfig_enable_service.txt ;; Neil Watson

When the given context is true a bundle is invoked with the given parameter and using ifelapsed.

At this release the free library offer these bundles and more:

  • Enable and disable services using chkconfig.

  • Install and remove packages.

  • Promise sysctl.conf.

  • Promise live sysctl kernel settings.

  • Delete files.

  • Copy files.

  • Edit templates.

  • Promise commands.

  • Define classes

  • Promise links.

  • Define global variables.

  • Promise that services are configured and running.

  • Promise file permissions.

In the future we'll be offering special purpose bundles that use these simple bundles, ready to use parameter files, and more.

The Evolve free library is open source and available at my Git Hub site.