Class: CemAcpt::Provision::Linux

Inherits: OsData < Object
Defined in:
lib/cem_acpt/provision/terraform/linux.rb

Overview

Class provides methods for gathering provision data for Linux nodes

Constant Summary

Constants included from Logging

Logging::LEVEL_MAP

Instance Attribute Summary

Attributes inherited from OsData

#base_provision_directory

Class Method Summary

Instance Method Summary

Methods inherited from OsData

#goss_files, #implementation_name, #initialize, os_family_for, #provision_directory, #puppet_manifest_file, #remote_module_package_name, use_for?

Methods included from Logging

current_log_config, #current_log_config, current_log_format, #current_log_format, current_log_level, #current_log_level, included, logger, #logger, new_log_config, #new_log_config, new_log_formatter, #new_log_formatter, new_log_level, #new_log_level, new_logger, #new_logger, verbose?, #verbose?

Constructor Details

This class inherits a constructor from CemAcpt::Provision::OsData

Class Method Details

.valid_names ⇒ Object

# File 'lib/cem_acpt/provision/terraform/linux.rb', line 9

def self.valid_names
  %w[centos rhel oel alma rocky ubuntu]
end

.valid_versions ⇒ Object

# File 'lib/cem_acpt/provision/terraform/linux.rb', line 13

def self.valid_versions
  %w[7 8 9 10 2004 2204 2404]
end

Instance Method Details

#destination_provision_directory ⇒ Object

# File 'lib/cem_acpt/provision/terraform/linux.rb', line 25

def destination_provision_directory
  '/opt/cem_acpt'
end

#provision_commands ⇒ Object

# File 'lib/cem_acpt/provision/terraform/linux.rb', line 29

def provision_commands
  commands = [
    "sudo /opt/puppetlabs/puppet/bin/puppet module install #{destination_provision_directory}/#{remote_module_package_name}",
    'curl -fsSL https://goss.rocks/install | sudo sh',
    'sudo /opt/puppetlabs/puppet/bin/gem install webrick',
    'sudo chmod +x /opt/cem_acpt/log_service/log_service.rb',
    'sudo /opt/cem_acpt/log_service/log_service.rb',
  ]
  unless systemd_files.empty?
    systemd_files.each do |file|
      commands << "sudo cp /opt/cem_acpt/systemd/#{file} /etc/systemd/system/#{file}"
    end
    commands << 'sudo systemctl daemon-reload'
    systemd_files.each do |file|
      commands << "sudo systemctl start #{file} && sudo systemctl enable #{file}"
    end
  end

  commands << apply_command
end

#provision_commands_wrapper(image_name, scan_mode: false) ⇒ Array<String>

A wrapper around provision_commands that allows extra commands to be prepended for a specific OS version (i.e. EL 8 or Ubuntu).

Parameters:

  • image_name (String)

    The name of the OS image being provisioned.

  • scan_mode (Boolean) (defaults to: false)

    When true, returns the scan-mode command list (Goss-free, scan-daemon-installed) wrapped with the same OS-specific prefixes.

Returns:

  • (Array<String>)

    An array of shell commands to be run on the provisioned nodes to set up the necessary environment for running the Puppet manifest, including any additional commands needed for specific OS versions.

# File 'lib/cem_acpt/provision/terraform/linux.rb', line 82

def provision_commands_wrapper(image_name, scan_mode: false)
  base = scan_mode ? scan_provision_commands : provision_commands
  if ['rhel-8', 'oel-8', 'alma-8', 'rocky-8'].any? { |el8| image_name.include?(el8) }
    commands = [
      'sudo dnf upgrade --refresh -y rpm glibc',
      'sudo rm /var/lib/rpm/.rpm.lock',
      'sudo dnf upgrade -y dnf',
    ]
    (commands << base).flatten
  elsif image_name.include?('ubuntu')
    commands = ['sudo apt purge -y unattended-upgrades', 'sudo apt-get update -y']
    (commands << base).flatten
  else
    base
  end
end

#puppet_bin_path ⇒ Object

# File 'lib/cem_acpt/provision/terraform/linux.rb', line 21

def puppet_bin_path
  '/opt/puppetlabs/puppet/bin/puppet'
end

#scan_provision_commands ⇒ Array<String>

Commands to run on a scan-mode node. Skips Goss installation and the Goss systemd units (they are not used in scan mode), installs the scan daemon and its scanners (including a Java JRE because CIS-CAT Pro’s Assessor-CLI is a Java app), then applies the puppet manifest. The CIS-CAT Pro tarball is uploaded and extracted by the cis_cat_pro_upload null_resource in main.tf, so this method does not touch /opt/cis-cat-pro/.

Returns:

  • (Array<String>)

    commands for `provisioner "remote-exec"`.

# File 'lib/cem_acpt/provision/terraform/linux.rb', line 58

def scan_provision_commands
  commands = [
    "sudo /opt/puppetlabs/puppet/bin/puppet module install #{destination_provision_directory}/#{remote_module_package_name}",
    'sudo /opt/puppetlabs/puppet/bin/gem install webrick',
    'sudo chmod +x /opt/cem_acpt/log_service/log_service.rb',
    'sudo /opt/cem_acpt/log_service/log_service.rb',
    install_scanner_packages_command,
    install_java_command,
    'sudo chmod +x /opt/cem_acpt/scan/scan_service.rb',
    'sudo cp /opt/cem_acpt/scan/scan_service.service /etc/systemd/system/scan_service.service',
    'sudo systemctl daemon-reload',
    'sudo systemctl start scan_service.service && sudo systemctl enable scan_service.service',
  ]
  commands << apply_command
  commands
end
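Both #provision_commands_wrapper and #scan_provision_commands hand Terraform a flat list of shell strings, so the properties that matter (the Goss line pipes an unpinned remote script into a root shell; a unit file copied into /etc/systemd/system must be followed by daemon-reload before it is started, and should end up enabled) are only visible by inspecting that list. The following is an added example, not code from cem_acpt, of a static audit a practitioner could run over such a list in a unit test. The sample arrays are constructed to mirror the shapes on this page; the package name, the SHA-256 placeholder and the download path are assumptions, and the download-verify-run replacement it produces is a generic hardening pattern rather than the project's own installer flow.

```ruby
# Added example (not part of cem_acpt): static audit of a provisioning
# command list like those built by #provision_commands and
# #scan_provision_commands. Sample data below is constructed for illustration.

# A remote fetch piped straight into sh/bash, optionally via sudo.
PIPE_TO_SHELL = %r{\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash)\b}.freeze

def pipe_to_shell?(cmd)
  !!(cmd =~ PIPE_TO_SHELL)
end

# Replacement for "curl ... | sudo sh": download to a file, verify a pinned
# checksum, and only then execute. The digest must come from a trusted
# source; PLACEHOLDER is used here because no real digest is on this page.
def pinned_installer_commands(url, sha256, dest: '/tmp/installer.sh')
  [
    "curl -fsSL -o #{dest} #{url}",
    "echo '#{sha256}  #{dest}' | sha256sum -c -",
    "sudo sh #{dest}",
  ]
end

# Rewrite every pipe-to-shell line in a command list into the pinned form.
def harden_commands(commands, url:, sha256:, dest: '/tmp/installer.sh')
  commands.flat_map do |cmd|
    pipe_to_shell?(cmd) ? pinned_installer_commands(url, sha256, dest: dest) : [cmd]
  end
end

# Ordering and completeness checks for systemd units managed by the list.
def systemd_findings(commands)
  findings = []
  reload_seen = false
  copied = []
  enabled = []
  commands.each_with_index do |cmd, i|
    reload_seen = true if cmd.include?('systemctl daemon-reload')
    if (m = cmd.match(%r{cp .*?/etc/systemd/system/(\S+)}))
      copied << m[1]
    end
    cmd.scan(/systemctl enable (\S+)/) { |(unit)| enabled << unit }
    if (s = cmd.match(/systemctl start (\S+)/)) && !reload_seen
      findings << "command #{i}: 'systemctl start #{s[1]}' before daemon-reload"
    end
  end
  (copied - enabled).each { |u| findings << "unit #{u} copied but never enabled" }
  findings
end

def audit_provision_commands(commands)
  pipes = commands.each_with_index
                  .select { |cmd, _| pipe_to_shell?(cmd) }
                  .map { |cmd, i| "command #{i}: unpinned pipe-to-shell install: #{cmd}" }
  pipes + systemd_findings(commands)
end

# Constructed sample mirroring #provision_commands (module name is made up).
SAMPLE_COMMANDS = [
  'sudo /opt/puppetlabs/puppet/bin/puppet module install /opt/cem_acpt/example-module.tar.gz',
  'curl -fsSL https://goss.rocks/install | sudo sh',
  'sudo /opt/puppetlabs/puppet/bin/gem install webrick',
  'sudo cp /opt/cem_acpt/scan/scan_service.service /etc/systemd/system/scan_service.service',
  'sudo systemctl daemon-reload',
  'sudo systemctl start scan_service.service && sudo systemctl enable scan_service.service',
].freeze

# Constructed sample with the unit started before daemon-reload and never enabled.
MISORDERED_COMMANDS = [
  'sudo cp /opt/cem_acpt/scan/scan_service.service /etc/systemd/system/scan_service.service',
  'sudo systemctl start scan_service.service',
  'sudo systemctl daemon-reload',
].freeze

GOSS_SHA256_PLACEHOLDER = 'PLACEHOLDER_SHA256_FROM_TRUSTED_SOURCE'

HARDENED_COMMANDS = harden_commands(
  SAMPLE_COMMANDS,
  url: 'https://goss.rocks/install',
  sha256: GOSS_SHA256_PLACEHOLDER,
  dest: '/tmp/goss-install.sh'
).freeze

if __FILE__ == $PROGRAM_NAME
  puts 'Findings for sample list:'
  audit_provision_commands(SAMPLE_COMMANDS).each { |f| puts "  #{f}" }
  puts 'Findings for hardened list:'
  audit_provision_commands(HARDENED_COMMANDS).each { |f| puts "  #{f}" }
  puts 'Findings for misordered list:'
  systemd_findings(MISORDERED_COMMANDS).each { |f| puts "  #{f}" }
end
```

The audit is deliberately string-based so it can run against the array returned by the wrapper without provisioning anything; the EL 8 and Ubuntu prefix commands pass through untouched because they neither pipe to a shell nor manage units.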

#systemd_files ⇒ Object

# File 'lib/cem_acpt/provision/terraform/linux.rb', line 17

def systemd_files
  Dir.glob(File.join(provision_directory, 'systemd', '*.service')).map { |f| File.basename(f) }
end