detect if file needs changed


brad.v...@gmail.com

Jan 5, 2023, 5:51:43 AM1/5/23
to Salt-users
We have our Linux systems connected to the Windows Active Directory through CentrifyDC.  The Windows group policy pushes some unwanted changes to our sshd_config file.  We've asked corporate to give our sub-zone an exemption, but they refuse.  So, we added an immutable bit to sshd_config.  Unfortunately, that means salt also can't change it.  I'd like to be able to detect if a change to sshd_config is required.  If so, remove the immutable attribute, make the change and add it back.  Something like:

{% if /etc/ssh/sshd_config != salt://{{ DIR }}/sshd_config.template %}
remove-immutable:
  file.managed:
    - name: /etc/ssh/sshd_config
    - attrs: ''
{% endif %}

/etc/ssh/sshd_config:
  file.managed:
    - source: salt://{{ DIR }}/sshd_config.template
    - template: jinja
    - mode: 600
    - user: root
    - group: root
    - attrs: i
    - defaults:
      hsts: {{ hsts }}
      yesno: "{{ yesno }}"

Does anyone have a clue how to detect if the file is different?  Or maybe, just not worry about detecting?  Remove the attribute always.  Then, whether or not the sshd_config gets updated, the state will apply the immutable bit if it is missing.  That seems to be simpler?

Dafydd Jones (techneg.it)

Jan 5, 2023, 10:01:02 AM1/5/23
to salt-...@googlegroups.com
Hi,

this seems to be a situation where you would use a prereq requisite. (https://docs.saltproject.io/en/latest/ref/states/requisites.html#prereq)

So Salt itself checks whether a change would be made to sshd_config. If so, it would apply the remove-immutable state first, then apply the change to sshd_config, and in so doing make the file immutable again.

HTH,
Dafydd

--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/salt-users/fa3cfec3-fceb-412d-bd3f-ebdbae55e7e6n%40googlegroups.com.

brad.v...@gmail.com

Jan 5, 2023, 10:39:55 AM1/5/23
to Salt-users
Ah!  Great!  I will work on that.  Thank you!

Brad Van Orden

Jan 6, 2023, 6:25:11 AM1/6/23
to salt-...@googlegroups.com
I made the implementation and it works perfectly!

remove_immutable:
  cmd.run:
    - name: chattr -i /etc/ssh/sshd_config
    - prereq:
      - file: etc_ssh_sshd_config

etc_ssh_sshd_config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://{{ DIR }}/sshd_config.template
    - template: jinja
    - mode: 600
    - user: root
    - group: root
    - attrs: i
    - defaults:
      hsts: {{ hsts }}
      yesno: "{{ yesno }}"

thanks for the help!
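A slightly more defensive version of the same prereq pattern, added here as an example and not taken from Brad's or Dafydd's posts: the `chattr -i` only runs when the immutable bit is actually set (so the state neither fails nor reports a spurious change on a host where the bit is missing), the new config is syntax-checked with `sshd -t` before it replaces the live file, and sshd is reloaded when the file changes. It assumes the same `DIR`, `hsts` and `yesno` variables as the thread and Linux `lsattr`/`chattr` from e2fsprogs.

```yaml
# Added example: prereq pattern from the thread plus an onlyif guard,
# a check_cmd and a service watch. DIR, hsts and yesno are assumed to be
# defined the same way as in the posts above.

remove_immutable:
  cmd.run:
    - name: chattr -i /etc/ssh/sshd_config
    # Only lift the flag when it is actually set. lsattr's first field holds
    # the attribute letters, e.g. "----i---------e-------".
    - onlyif: lsattr /etc/ssh/sshd_config | cut -d' ' -f1 | grep -q i
    # prereq: run this state only if etc_ssh_sshd_config would report
    # changes (Salt evaluates that state in test mode first).
    - prereq:
      - file: etc_ssh_sshd_config

etc_ssh_sshd_config:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://{{ DIR }}/sshd_config.template
    - template: jinja
    - mode: '0600'
    - user: root
    - group: root
    # Re-apply the immutable bit once the new content has been written.
    - attrs: i
    - defaults:
        hsts: {{ hsts }}
        yesno: "{{ yesno }}"
    # Salt appends the path of a temp file with the rendered content;
    # a non-zero exit from sshd -t aborts the change.
    - check_cmd: sshd -t -f

sshd:
  service.running:
    - enable: True
    - reload: True
    - watch:
      - file: etc_ssh_sshd_config
```

Running `salt-call state.apply <sls> test=True` shows the prereq decision without touching the file: `remove_immutable` only appears as "would run" when `etc_ssh_sshd_config` reports pending changes.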
