goss-org / goss

Quick and Easy server testing/validation
https://goss.rocks
Apache License 2.0

Enhance syntax to support whitelisted resources #38

Closed ryancox closed 4 years ago

ryancox commented 8 years ago

For certain resource types, it would be very useful to specify a white list. e.g. only users 'apache' and 'root' should exist. This whitelist might be the null set. e.g. no ports should be listening.

aelsabbahy commented 8 years ago

Can you give a few examples using the current goss JSON structure on how this would look like.

I'm having a hard time visualizing where this will fit.

aelsabbahy commented 8 years ago

This is possibly dependent on #31

ryancox commented 8 years ago

Syntax is the tricky part: keeping things clean and backward compatible. Here are some ideas, none of which are particularly great, but perhaps they will spark some inspiration ;)

"port!": {     <--- some sort of operator that specifies only .. very magical
    "tcp6:80": {
        "listening": true
    },
},

"port-whitelist": { <--- '-whitelist' suffix which is a bit more descriptive
    "tcp:80": {
        "listening": false
    },
},

"only-port": { <--- 'only-' prefix which is also a bit more descriptive 
    "tcp6:80": {
        "listening": true
    },
},  

"only-port": {
}, <-- empty section means no ports should be listening

aelsabbahy commented 8 years ago

Hmm, that clarifies a lot, and I think I'll use a similar syntax to the one I take in issue #31. The only magical piece about this feature is keying off of the attribute that determines existence, similar to autoadd (e.g. File.Exists, Port.Listening, Package.Installed).

All your examples made sense to me except for one:

"port-whitelist": { <--- '-whitelist' suffix which is a bit more descriptive
    "tcp:80": {
        "listening": false
    },
},

I'm not really understanding the expected behavior for this: would that ensure port 80 is NOT listening and all other ports are listening, or is it the same as no ports listening?

ryancox commented 8 years ago

Oops ... that was a copy/paste error. Should have been "listening": true

aelsabbahy commented 8 years ago

Now that #31 is shipped, I'm wondering if this should be a separate resource altogether. Something like:

user:
  nobody:
    exists: true
    uid: 99
    gid: 99
    groups:
    - nobody
    home: /
whitelist:
  users: [nobody, root]
  ports: { have-len: 0 }
  packages: { have-len: 2 }

or

package-whitelist:
  kernel:
    installed: true
  openssh:
    installed: true
port-whitelist: {}
user-whitelist:
  nobody:
    exists: true
    uid: 99
    gid: 99
    groups:
    - nobody
    home: /
  root:
    exists: true

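The semantics the thread converges on (a per-type allowlist keyed off each resource's existence attribute, with an empty section meaning "nothing of this type may exist") can be checked with a few lines of Python. The block below is an added example written for this discussion, not goss code and not the syntax goss ships: it models the `<type>-whitelist:` sections from the YAML proposal above, and ryancox's `only-port` / `port-whitelist` JSON ideas, as plain dicts, and compares them against a constructed snapshot of host state. The `EXISTENCE_ATTR` table, the `check_whitelist` / `passes` helpers and the sample data are all assumptions made for the example.

```python
"""Allowlist semantics as discussed in goss issue #38 (added example, not goss code).

A `<type>-whitelist` section lists every resource of that type that may exist.
Anything the host reports that is not in the list is a finding ("unexpected");
anything listed with its existence attribute set to true but absent from the
host is also a finding ("missing"). An empty section allows nothing.
"""

# Existence attribute per resource type, as named in the thread
# (Port.Listening, User.Exists, Package.Installed).
EXISTENCE_ATTR = {
    "port": "listening",
    "user": "exists",
    "package": "installed",
}

# Constructed spec in the shape of the second YAML proposal (dicts stand in
# for YAML); `port-whitelist: {}` means no port may be listening.
SPEC = {
    "package-whitelist": {
        "kernel": {"installed": True},
        "openssh": {"installed": True},
    },
    "port-whitelist": {},
    "user-whitelist": {
        "nobody": {"exists": True, "uid": 99, "gid": 99},
        "root": {"exists": True},
    },
}

# Constructed snapshot of what a host reports; not real system output.
OBSERVED = {
    "package": {"kernel", "openssh", "telnet-server"},
    "port": {"tcp6:80"},
    "user": {"root", "nobody"},
}


def allowed_names(section, existence_attr):
    """Names whose existence attribute is true in one whitelist section.

    An entry such as {"listening": False} (the copy/paste slip discussed above)
    does not make the name allowed, so if the host reports it, it is flagged.
    """
    return {name for name, attrs in section.items() if attrs.get(existence_attr, False)}


def check_whitelist(spec, observed):
    """Return {resource_type: {"unexpected": [...], "missing": [...]}}
    for every `<type>-whitelist` section in spec."""
    report = {}
    for key, section in spec.items():
        if not key.endswith("-whitelist"):
            continue  # ordinary goss resources are not part of this check
        rtype = key[: -len("-whitelist")]
        allowed = allowed_names(section, EXISTENCE_ATTR[rtype])
        present = set(observed.get(rtype, ()))
        report[rtype] = {
            "unexpected": sorted(present - allowed),  # exists, but not allowed
            "missing": sorted(allowed - present),     # allowed and required, but absent
        }
    return report


def passes(report):
    """True when no resource type has unexpected or missing entries."""
    return all(not r["unexpected"] and not r["missing"] for r in report.values())


if __name__ == "__main__":
    result = check_whitelist(SPEC, OBSERVED)
    for rtype, r in sorted(result.items()):
        print(f"{rtype}: unexpected={r['unexpected']} missing={r['missing']}")
    print("PASS" if passes(result) else "FAIL")
```

With the constructed snapshot the check fails on two findings: `telnet-server` is installed but not on the package list, and `tcp6:80` is listening although the port section is empty. The same comparison applies unchanged to the `only-port` and `port-whitelist` spellings from earlier in the thread; only the section name differs.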
stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.