We have our Linux systems connected to the Windows Active Directory through CentrifyDC. The Windows group policy pushes some unwanted changes to our sshd_config file. We've asked corporate to give our sub-zone an exemption, but they refuse. So, we added an immutable bit to sshd_config. Unfortunately, that means salt also can't change it. I'd like to be able to detect if a change to sshd_config is required. If so, remove the immutable attribute, make the change and add it back. Something like:
{% if /etc/ssh/sshd_config != salt://{{ DIR }}/sshd_config.template %}
remove-immutable:
  file.managed:
    - name: /etc/ssh/sshd_config
    - attrs: ''
{% endif %}

/etc/ssh/sshd_config:
  file.managed:
    - source: salt://{{ DIR }}/sshd_config.template
    - template: jinja
    - mode: 600
    - user: root
    - group: root
    - attrs: i
    - defaults:
        hsts: {{ hsts }}
        yesno: "{{ yesno }}"
Does anyone have a clue how to detect if the file is different? Or maybe, just not worry about detecting? Remove the attribute always. Then, whether or not the sshd_config gets updated, the state will apply the immutable bit if it is missing. That seems to be simpler?
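One way to get the "only unlock when a change is actually needed" behaviour is Salt's `prereq` requisite: the unlock state is evaluated only if a test run of the managed file reports pending changes. This is an added example, not code from the original post; it assumes `DIR`, `hsts` and `yesno` are defined exactly as in the post's own state.

```yaml
# Added example (not from the original post). The cmd.run state runs only when
# a test-mode (dry) run of file.managed on /etc/ssh/sshd_config would change
# the file; that is what the prereq requisite does. If nothing would change,
# the immutable bit is never touched and the run reports no changes.
unlock-sshd-config:
  cmd.run:
    - name: chattr -i /etc/ssh/sshd_config
    - prereq:
      - file: /etc/ssh/sshd_config

# The file is then written while writable, and file.managed re-applies the
# immutable attribute afterwards via attrs: i. DIR, hsts and yesno are assumed
# to be set by the surrounding pillar/Jinja as in the post.
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://{{ DIR }}/sshd_config.template
    - template: jinja
    - mode: 600
    - user: root
    - group: root
    - attrs: i
    - defaults:
        hsts: {{ hsts }}
        yesno: "{{ yesno }}"
```

Running the state with `test=True` still shows the pending sshd_config diff without executing `chattr`, which makes it easy to confirm that the group-policy changes are being reverted rather than silently accepted.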