From b5b8adfda27367d9e96ff96e6b2de953fed0576f Mon Sep 17 00:00:00 2001
From: Ole Herman Schumacher Elgesem
Date: Thu, 5 Mar 2026 19:12:27 +0100
Subject: [PATCH 01/10] Added more detailed documentation for cf-check
Ticket: ENT-13796
Signed-off-by: Ole Herman Schumacher Elgesem
(cherry picked from commit 803b757519b96f2af964eb824841fb5f5fff54b9)
Signed-off-by: Ole Herman Schumacher Elgesem
---
.../reference/components/cf-check.markdown | 127 +++++++++++++++++-
1 file changed, 123 insertions(+), 4 deletions(-)
diff --git a/content/reference/components/cf-check.markdown b/content/reference/components/cf-check.markdown
index 6cf3d362a..2deb09055 100644
--- a/content/reference/components/cf-check.markdown
+++ b/content/reference/components/cf-check.markdown
@@ -2,13 +2,132 @@ layout: default title: cf-check sorting: 80 -keywords: [cf-hub] aliases: - "/reference-components-cf-check.html" --- -Utility for diagnosis and repair of local CFEngine databases. +The `cf-check` binary can be used to inspect, dump, diagnose, and repair LMDB databases used by CFEngine. +The diagnosis and repair parts of `cf-check` are built into CFEngine, meaning corrupt databases are automatically fixed and users normally don't need to run these commands manually. -## Command reference +## Help output (`--help`) -{{< CFEngine_include_snippet(cf-check.help, [\s]*--[a-z], ^$) >}} +The `--help` command line option gives you an overview of what the tool can do: + +```command +cf-check --help +``` + +```output +{{< CFEngine_include_markdown(cf-check.help, .*) >}} +``` + +## Inspecting databases + +The `dump` command can be used to look at the contents of each database in a JSON5 format. + +```command +cf-check dump /var/cfengine/state/cf_lastseen.lmdb +``` + +```json {output} +{ + "a172.31.7.155": "SHA=9153587b09d8426fd6b3e2dc6c47c29891e2a20430148725ce6e7d95d48637c0", + "kSHA=9153587b09d8426fd6b3e2dc6c47c29891e2a20430148725ce6e7d95d48637c0": "172.31.7.155", + "qiSHA=9153587b09d8426fd6b3e2dc6c47c29891e2a20430148725ce6e7d95d48637c0": { + "Q": { "dq": 190.0, "expect": 173.8105, "q": 245.0, "var": 14173.7558 }, + "acknowledged": false, + "lastseen": 1772732121 + }, + "qoSHA=9153587b09d8426fd6b3e2dc6c47c29891e2a20430148725ce6e7d95d48637c0": { + "Q": { "dq": 190.0, "expect": 173.8105, "q": 245.0, "var": 14173.7558 }, + "acknowledged": false, + "lastseen": 1772732121 + }, + "version": "2" +} +``` + +We use JSON5 because it has some nice additions to normal JSON, like allowing trailing commas and escape sequences which make binary (non-ascii) data more readable. 
+ +**Tip:** You can use `json5` and `jq` if you want to convert to JSON and format the output; + +```command +cf-check dump /var/cfengine/state/cf_lastseen.lmdb | json5 | jq +``` + +```json {output} +{ + "a172.31.7.155": "SHA=9153587b09d8426fd6b3e2dc6c47c29891e2a20430148725ce6e7d95d48637c0", + "kSHA=9153587b09d8426fd6b3e2dc6c47c29891e2a20430148725ce6e7d95d48637c0": "172.31.7.155", + "qiSHA=9153587b09d8426fd6b3e2dc6c47c29891e2a20430148725ce6e7d95d48637c0": { + "Q": { "dq": 190, "expect": 173.7718, "q": 245, "var": 14127.5535 }, + "acknowledged": false, + "lastseen": 1772732421 + }, + "qoSHA=9153587b09d8426fd6b3e2dc6c47c29891e2a20430148725ce6e7d95d48637c0": { + "Q": { "dq": 190, "expect": 173.7718, "q": 245, "var": 14127.5535 }, + "acknowledged": false, + "lastseen": 1772732421 + }, + "version": "2" +} +``` + +## Diagnosing potentially corrupt database files + +The `diagnose` command can be used to check the state of databases. +By default it will look at all the LMDB databases (in `/var/cfengine/state/`). +Technically it will attempt to open the database, and run some per-database validation checks (based on the filename). +This work is done in a forked subprocess, so if it crashes or fails in any way, the parent `cf-check` process can handle it and print a summary. 
+ +```command +cf-check diagnose +``` + +```output +info: No filenames specified, defaulting to .lmdb files in /var/cfengine/state +info: Status of '/var/cfengine/state/history.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/cf_state.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/nova_cookies.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/nova_track.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/nova_measures.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/cf_changes.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/packages_installed_apt_get.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/cf_lock.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/performance.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/cf_lastseen.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/cf_observations.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/nova_agent_execution.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/packages_updates_apt_get.lmdb': OK [0% usage] +info: Status of '/var/cfengine/state/nova_static.lmdb': OK [0% usage] +info: All 14 databases healthy +``` + +You can also specify a specific filename: + +```command +cf-check diagnose /var/cfengine/state/cf_lastseen.lmdb +``` + +```output +info: Status of '/var/cfengine/state/cf_lastseen.lmdb': OK [0% usage] +info: All 1 databases healthy +``` + +## Repairing corrupt databases + +The `repair` command builds on the functionality of the `diagnose` command, but attempts to fix the situation when there are corrupt databases found. 
+ +```command +cf-check repair /var/cfengine/state/cf_state.lmdb +``` + +```output + info: Status of '/var/cfengine/state/cf_state.lmdb': LMDB_INVALID_DATABASE [0% usage] + error: Problems detected in 1/1 databases +notice: 1 corrupt database to fix + info: Backing up to '/var/cfengine/backups/1772733351-WZgDKk/' + info: Copying: '/var/cfengine/state/cf_state.lmdb' -> '/var/cfengine/backups/1772733351-WZgDKk/cf_state.lmdb' + error: Failed to repair file '/var/cfengine/state/cf_state.lmdb', removing +notice: Database repair successful +``` From 5a27d9a169abf5cfccb15c1e351e940df6528e3b Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Wed, 18 Mar 2026 16:11:41 +0100 Subject: [PATCH 02/10] Updated the box used in local virtual machine part of getting started Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit 2bdf9468688d44e7b6ae8b20fd54f8af3223f5f0) Signed-off-by: Ole Herman Schumacher Elgesem --- .../01-installation/local-virtual-machine.markdown | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/getting-started/01-installation/local-virtual-machine.markdown b/content/getting-started/01-installation/local-virtual-machine.markdown index 38d800366..98f5938eb 100644 --- a/content/getting-started/01-installation/local-virtual-machine.markdown +++ b/content/getting-started/01-installation/local-virtual-machine.markdown @@ -77,9 +77,9 @@ Vagrant.configure("2") do |config| SHELL end - # Ubuntu 20.04 VM, for CFEngine Enterprise Hub: + # Ubuntu 24.04 VM, for CFEngine Enterprise Hub: config.vm.define "hub", autostart: false do |hub| - hub.vm.box = "ubuntu/focal64" + hub.vm.box = "cloud-image/ubuntu-24.04" hub.vm.hostname = "hub" hub.vm.network "private_network", ip: "192.168.56.2" hub.ssh.insert_key = true 
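Review bot: The new `hub.vm.box = "cloud-image/ubuntu-24.04"` line takes the hub image from a different publisher namespace than the `ubuntu/focal64` it replaces, and the visible part of the Vagrantfile does not pin a box version. Readers are likely to copy this file as-is and, judging by the comment, install CFEngine Enterprise Hub inside the VM, so the box becomes part of the tutorial's trust chain. Consider adding `hub.vm.box_version = "<PINNED_VERSION>"` (placeholder for the release you tested) below the box line, plus one sentence in the prose naming who publishes the box. The `config.vm.define "hub"` block starts and ends outside this hunk.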
@@ -93,7 +93,7 @@ end The `Vagrantfile` above does some important things: -- Defines an Ubuntu 20.04 virtual machine called `hub`, with hostname `hub` +- Defines an Ubuntu 24.04 virtual machine called `hub`, with hostname `hub` - Sets its IP address to be `192.168.56.2` - Sets how much memory and CPU cores we want the VM to have - Copies the `id_rsa.pub` public key into the host when it starts, so we can use `ssh` From 3773e1658a9984b541fd9968259fc641a078b45a Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Wed, 18 Mar 2026 17:16:29 +0100 Subject: [PATCH 03/10] Removed trailing whitespace in .cf files Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit e1c6c530f9be95c5e2c8360cbf15ea4d0e694b08) Signed-off-by: Ole Herman Schumacher Elgesem --- .../examples/tutorials/file_compare_test.cf | 28 ++-- content/resources/additional-topics/STIGs.cf | 124 +++++++++--------- 2 files changed, 76 insertions(+), 76 deletions(-) diff --git a/content/examples/tutorials/file_compare_test.cf b/content/examples/tutorials/file_compare_test.cf index 606b2e3e5..98adc2c16 100644 --- a/content/examples/tutorials/file_compare_test.cf +++ b/content/examples/tutorials/file_compare_test.cf @@ -133,7 +133,7 @@ bundle agent create_aout # Removes any previous binary "rmaout" string => execresult("$(global_vars.rmexec) $(global_vars.aoutexec)","noshell"); - + doesfileacexist:: "compilestr" string => "$(global_vars.gccexec) $(global_vars.workdir)/a.c -o $(global_vars.aoutexec)"; "gccaout" string => execresult("$(compilestr)","noshell"); 
@@ -143,7 +143,7 @@ bundle agent create_aout "gcc output: $(gccaout)"; "Creating aout using $(compilestr)"; !doesfileacexist:: - "Cannot compile a.out, $(global_vars.workdir)/a.c does not exist."; + "Cannot compile a.out, $(global_vars.workdir)/a.c does not exist."; doesaoutexist:: "The binary application aout has been compiled from the source in the create_aout_source_file bundle. It uses the stat library to compare two files, determine if the modified times are different, and whether the second file is newer than the first. The difference between this application and using CFEngine's built in support for getting file stats (e.g. filestat, isnewerthan), which provides file modification time accurate to a second. However, in order to better compare two files might sometimes require parts of a second as well. The stat library provides the extra support for retrieving the additional information required to get better accuracy (down to parts of a second), and is utilized by the binary application a.out that is compiled within the create_aout bundle."; "*********************************"; @@ -189,20 +189,20 @@ bundle agent do_files_exist_1 doesfile1exist:: - "any" usebundle => delete_file("$(global_vars.file1)"); + "any" usebundle => delete_file("$(global_vars.file1)"); doesfile2exist:: - "any" usebundle => delete_file("$(global_vars.file2)"); + "any" usebundle => delete_file("$(global_vars.file2)"); reports: !doesfile1exist:: "$(global_vars.file1) does not exist."; doesfile1exist:: - "$(global_vars.file1) did exist. Call to delete it was made."; - + "$(global_vars.file1) did exist. Call to delete it was made."; + !doesfile2exist:: "$(global_vars.file2) does not exist."; doesfile2exist:: - "$(global_vars.file2) did exist. Call to delete it was made."; + "$(global_vars.file2) did exist. Call to delete it was made."; } @@ -245,7 +245,7 @@ bundle agent copy_a_file bundle agent do_files_exist_2 { - + methods: "any" usebundle => does_file_exist($(global_vars.file1)); 
@@ -275,7 +275,7 @@ bundle agent does_file_exist(filename) bundle agent list_file_1 { - methods: + methods: "any" usebundle => file_content($(global_vars.file1)); "any" usebundle => file_content($(global_vars.file2)); reports: @@ -314,7 +314,7 @@ bundle agent stat vars: doesfile1exist:: - + "file1" string => "$(global_vars.file1)"; "file2" string => "$(global_vars.file2)"; @@ -329,7 +329,7 @@ bundle agent stat "file2_split2" string => nth("file2_split1",1); "file2_split3" slist => string_split($(file2_split2),"\.",3); "file2_split4" string => nth("file2_split3",1); - + methods: "any" usebundle => exec_aout(); @@ -390,11 +390,11 @@ body replace_with hello_world bundle agent list_file_2 { - + methods: "any" usebundle => file_content($(global_vars.file1)); - "any" usebundle => file_content($(global_vars.file2)); + "any" usebundle => file_content($(global_vars.file2)); classes: @@ -422,7 +422,7 @@ bundle agent file_content(filename) "file_content" string => readfile( "$(filename)" , "0" ); "file_stat" string => filestat("$(filename)","mtime"); - + reports: "Contents of $(filename) = $(file_content). Last Modified Time = $(file_stat)."; #"The report on contents will only show new content and modifications. Even if the method is called more than once, if the evaluation is exactly the same as the previous call then there will be no report (possibly because the bundle is not evaluated a second time?)."; diff --git a/content/resources/additional-topics/STIGs.cf b/content/resources/additional-topics/STIGs.cf index b19830faa..97b6510ba 100644 --- a/content/resources/additional-topics/STIGs.cf +++ b/content/resources/additional-topics/STIGs.cf 
@@ -1,15 +1,15 @@ ################################################################################ -# -# _ _ _ _ -# / \ / \ / \ / \ +# +# _ _ _ _ +# / \ / \ / \ / \ # ( S )( T )( I )( G ) -# \_/ \_/ \_/ \_/ +# \_/ \_/ \_/ \_/ # -# Security Technical Implementation Guides +# Security Technical Implementation Guides # # OS SRG UNIX Version # Version 1 Release 1 -# +# # # Copyright (C) CFEngine AS # @@ -43,7 +43,7 @@ bundle agent STIGs handle => "stigs_vars_redhat_5_strings_from_etc_shadow", string => readfile("/etc/shadow", 99999); - "shadow_list" -> { "GEN000560" } + "shadow_list" -> { "GEN000560" } comment => "Break strings into a list", handle => "stigs_vars_redhat_5_list_from_etc_shadow", slist => splitstring("$(shadow)","[\n]",500); @@ -63,10 +63,10 @@ bundle agent STIGs handle => "stigs_vars_redhat_5_fstab_contents", string => readfile("/etc/fstab","4000"); - "network_services_daemon_files" -> { "GEN001180" } + "network_services_daemon_files" -> { "GEN001180" } comment => "List of Network services daemon files", handle => "stigs_vars_redhat_5_network_services_daemon_files", - slist => { + slist => { "/var/cfengine/state/cf_incoming.nfsd", "/var/cfengine/state/cf_outgoing.nfsd", "/usr/sbin/.*", @@ -75,7 +75,7 @@ bundle agent STIGs "system_dirs" -> { "GEN001220", "GEN001240" } comment => "List of important system directories", handle => "stigs_vars_redhat_5_system_dirs", - slist => { + slist => { "/etc", "/bin", "/sbin", 
@@ -83,32 +83,32 @@ bundle agent STIGs "/usr/sbin", }; - "system_log_files" -> { "GEN001260" } + "system_log_files" -> { "GEN001260" } comment => "List of system log files", handle => "stigs_vars_redhat_5_system_log_files", - slist => { + slist => { "/var/log" }; - "manual_page_files" -> { "GEN001280" } + "manual_page_files" -> { "GEN001280" } comment => "List of manual page files", handle => "stigs_vars_redhat_5_manual_page_files", - slist => { + slist => { "/usr/share/man", "/usr/share/info", }; - "library_dirs" -> { "GEN001300" } + "library_dirs" -> { "GEN001300" } comment => "List of library files", handle => "stigs_vars_redhat_5_library_dirs", - slist => { + slist => { "/usr/lib", }; "nis_nisplus_yp_files" -> { "GEN001320", "GEN001340", "GEN001360" } comment => "List of NIS/NIS+/yp files", handle => "stigs_vars_redhat_5_nis_nisplus_yp_files", - slist => { + slist => { "/var/yp", }; @@ -170,7 +170,7 @@ bundle agent STIGs "pam_files" -> { "GEN002100" } comment => "List of PAM files to disable .rhosts", handle => "stigs_vars_redhat_5_pam_files", - slist => { + slist => { "/etc/pam.d/ekshell", "/etc/pam.d/kshell", }; @@ -188,7 +188,7 @@ bundle agent STIGs "umask_files" -> { "GEN001560", "GEN002560" } comment => "List of files which contain system and user default umask", handle => "stigs_vars_redhat_5_umask_files", - slist => { + slist => { "/etc/bashrc", "/etc/csh.cshrc", "/etc/csh.login", @@ -211,7 +211,7 @@ bundle agent STIGs "auditd" }; - "$(preferred_services)_status" -> { "GEN002660" } + "$(preferred_services)_status" -> { "GEN002660" } comment => "List of service status of those preferred services", handle => "stigs_vars_redhat_5_preferred_services_status", string => execresult("/sbin/chkconfig --list $(preferred_services)","noshell"); 
@@ -219,17 +219,17 @@ bundle agent STIGs "cron_users" -> { "GEN002960" } comment => "List of users who would be able to use cron utility", handle => "stigs_vars_redhat_5_cron_users", - slist => { + slist => { "root", "user1", "user2", "user3", }; - "cron_dirs" -> { "GEN003040", "GEN003080" } + "cron_dirs" -> { "GEN003040", "GEN003080" } comment => "List of cron directories", handle => "stigs_vars_redhat_5_cron_dirs", - slist => { + slist => { "/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly", @@ -237,10 +237,10 @@ bundle agent STIGs "/etc/cron.d", }; - "other_cron_dirs" -> { "GEN003040", "GEN003080" } + "other_cron_dirs" -> { "GEN003040", "GEN003080" } comment => "List of other cron directories", handle => "stigs_vars_redhat_5_other_cron_dirs", - slist => { + slist => { "/var/spool/cron", }; @@ -274,7 +274,7 @@ bundle agent STIGs "finger" }; - "$(unneeded_services)_status" -> { "GEN003700", "GEN003860" } + "$(unneeded_services)_status" -> { "GEN003700", "GEN003860" } comment => "List of service status of those unneeded services", handle => "stigs_vars_redhat_5_unneeded_services_status", string => execresult("/sbin/chkconfig --list $(unneeded_services)","noshell"); @@ -300,7 +300,7 @@ bundle agent STIGs # "accounts_to_disable" -> { "GEN004820", "GEN004840" } # comment => "List of users to be disabled (not to be deleted from the system)", # handle => "stigs_vars_redhat_5_accounts_to_disable", -# slist => { +# slist => { # "ftp", # }; @@ -308,7 +308,7 @@ bundle agent STIGs comment => "List of unnecessary accounts", handle => "stigs_vars_redhat_5_accounts_to_delete", slist => { - "ftp", + "ftp", "shutdown", "halt", "game", @@ -322,7 +322,7 @@ bundle agent STIGs comment => "List of ftpusers files", handle => "stigs_vars_redhat_5_ftpusers_files", slist => { - "/etc/ftpusers", + "/etc/ftpusers", "/etc/vsftpd.ftpusers", }; 
@@ -338,7 +338,7 @@ bundle agent STIGs "hosts_allow" -> { "GEN006620" } comment => "List of hosts to be assigned to /etc/hosts.allow", handle => "stigs_vars_redhat_5_hosts_allow", - slist => { + slist => { "ALL:10.", "ALL:172.16.", "ALL:192.168.", @@ -352,7 +352,7 @@ bundle agent STIGs "have_usr_partitioned" -> { "GEN001080" } comment => "Check if /usr is partitioned", - handle => "stigs_classes_redhat_5_usr_partitioned", + handle => "stigs_classes_redhat_5_usr_partitioned", expression => regcmp(".*/usr.*","$(fstab_contents)"); "have_usr_$(shells)" -> { "GEN001080" } @@ -360,7 +360,7 @@ bundle agent STIGs handle => "stigs_classes_redhat_5_shells_in_usr", expression => fileexists("$(usr_dir)/$(shells)"); - "do_$(hosts_related_files)" -> { "GEN002040" } + "do_$(hosts_related_files)" -> { "GEN002040" } comment => "Check if the files are symlinks", handle => "stigs_classes_redhat_5_hosts_related_files", not => islink("$(hosts_related_files)"); @@ -370,12 +370,12 @@ bundle agent STIGs handle => "stigs_classes_redhat_5_uid_less_than_500", expression => islessthan("$($(allusers_not_root)_uid)","500"); - "$(preferred_services)_off" -> { "GEN002660" } + "$(preferred_services)_off" -> { "GEN002660" } comment => "Check if those preferred services are on or not", handle => "stigs_classes_redhat_5_preferred_services_off", not => regcmp(".*:on.*","$($(preferred_services)_status)"); - "$(unneeded_services)_on" -> { "GEN003700", "GEN003860" } + "$(unneeded_services)_on" -> { "GEN003700", "GEN003860" } comment => "Check if those unneeded services are on or not", handle => "stigs_classes_redhat_5_unneeded_services_on", expression => regcmp(".*:on.*","$($(unneeded_services)_status)"); 
@@ -390,7 +390,7 @@ bundle agent STIGs files: redhat_5:: - + "/etc/inittab" -> { "GEN000020", "GEN000040", "GEN000060", "LNX00580" } comment => "CAT I & II (Previously - G001, G002, G003, L222) UNIX STIG: 2.5.1.1 System Equipment, 12.14 The /etc/inittab File", handle => "stigs_files_redhat_5_etc_inittab", @@ -403,7 +403,7 @@ bundle agent STIGs perms => mog("640","root","root"), edit_line => maintain_syslog_conf, classes => if_repaired("restart_syslog"); - + "/etc/pam.d/system-auth-ac" -> { "GEN000460", "GEN000600", "GEN000620", "GEN000640", "GEN000800" } comment => "CAT II (Previously - G013, G019, G606) UNIX STIG: 3.1.3 Account Access, 3.2.1 Password Guidelines", handle => "stigs_files_redhat_5_etc_pam_d_system_auth", @@ -414,12 +414,12 @@ bundle agent STIGs comment => "CAT II (Previously - G013) UNIX STIG: 3.1.3 Accounnt Access", handle => "stigs_files_redhat_5_usr_sbin_authconfig", perms => m("ugo-x"); - + "/etc/login.defs" -> { "GEN000480", "GEN000540", "GEN000580", "GEN000700", "GEN000820" } comment => "CAT II (Previously - G004, G019, G020) UNIX STIG: 3.1.3 Account Access, 3.2.1 Password Guidelines", handle => "stigs_files_redhat_5_etc_login_defs", edit_line => maintain_login_defs; - + "/etc/profile" -> { "GEN000500" } comment => "CAT II (Previously - G605) UNIX STIG: 3.1.4 Inactivity Timeout/Locking", handle => "stigs_vars_redhat_5_etc_profile", @@ -442,7 +442,7 @@ bundle agent STIGs depth_search => recurse("1"), file_select => only_dir_exclude2("root","tmp"), perms => mog("755","root","root"); - + "/etc/securetty" -> { "GEN000980", "GEN001000", "LNX00620", "LNX00640", "LNX00660" } comment => "CAT II (Previously - G026, G698) UNIX STIG: 3.3 Root Account, 12.17 The /etc/securetty File", handle => "stigs_files_redhat_5_etc_securetty", 
@@ -505,7 +505,7 @@ bundle agent STIGs depth_search => recurse("inf"), file_select => exclude2("cron.*","audit"), perms => m("640"); - + "$(manual_page_files)" -> { "GEN001280" } comment => "CAT III, UNIX STIG: 3.4 File and Directory Controls", handle => "stigs_files_redhat_5_manual_page_files", @@ -537,7 +537,7 @@ bundle agent STIGs depth_search => recurse("inf"), file_select => exclude2(".dt",".dtprofile"), perms => mog("700","$(users_list)","$(users_list)"); - + "/var/lib/avahi-autoipd/." -> { "GEN001460" } comment => "CAT III (Previously - G052) UNIX STIG: 3.5 Home Directories", handle => "stigs_files_redhat_5_var_lib_avahi_autoipd", @@ -638,7 +638,7 @@ bundle agent STIGs comment => "CAT II (Previously - G092) UNIX STIG: 3.15 Default Accounts", handle => "stigs_files_redhat_5_default_accounts_shell_for_badnaming_users", edit_line => set_user_field("avahi-autoipd","7","/sbin/nologin"); - + "/etc/audit/audit.rules" -> { "GEN002660", "GEN002700", "GEN002720", "GEN002740", "GEN002760", "GEN002780", "GEN002800", "GEN002820", "GEN002840" } comment => "CAT I & II (Previously - G093, G095, G100-G106) UNIX STIG: 3.16 Audit Requirements", handle => "stigs_files_redhat_5_etc_audit_audit_rules", @@ -658,7 +658,7 @@ bundle agent STIGs perms => mog("644","root","root"), edit_defaults => empty, edit_line => maintain_logrotated_audit; - + "/etc/cron.deny" -> { "GEN002960", "GEN003060", "GEN003200", "GEN003260" } comment => "CAT II (Previously - G200, G620, G623) UNIX STIG: 3.17.3 Restrictions", handle => "stigs_files_redhat_5_etc_cron_deny", 
@@ -740,7 +740,7 @@ bundle agent STIGs comment => "CAT III UNIX STIG: 3.20.1 Restrict/Disable Core Dumps", handle => "stigs_files_redhat_5_var_crash", perms => mog("700","root","root"); - + "/etc/sysctl.conf" -> { "GEN003600", "GEN005600", "LNX00480", "LNX00500","LNX00520" } comment => "CAT II (Previously - L204, L206, L208) UNIX STIG: 3.20.5 Network Security Settings, 12.12 Kernel Configuration File", handle => "stigs_files_redhat_5_etc_sysctl_conf", @@ -780,7 +780,7 @@ bundle agent STIGs handle => "stigs_files_redhat_5_network_analysis_tools", perms => mog("700","root","root"), rename => disable; - + "/bin/traceroute" -> { "GEN003960", "GEN003980", "GEN004000" } comment => "CAT II (Previously - G631, G632, G633) UNIX STIG: 4.5 Traceroute", handle => "stigs_files_redhat_5_bin_traceroute", @@ -792,7 +792,7 @@ bundle agent STIGs perms => mog("644","root","root"), edit_line => comment_lines_matching("decode:\h+root","#"), classes => if_repaired("restart_aliases"); - + "/etc/mail/sendmail.cf" -> { "GEN004440", "GEN004540", "GEN004560" } comment => "CAT III (Previously - G133, G646) UNIX STIG: 4.7 Sendmail or Equivalent", handle => "stigs_files_redhat_5_etc_mail_sendmail_cf", @@ -835,7 +835,7 @@ bundle agent STIGs comment => "CAT II UNIX STIG: 4.15 Secure Shell (SSH) and Equivalents", handle => "stigs_files_redhat_5_etc_ssh_ssh_banner", create => "true", - perms => mog("640","root","root"), + perms => mog("640","root","root"), edit_defaults => empty, edit_line => create_ssh_banner; 
@@ -939,21 +939,21 @@ bundle agent STIGs handle => "stigs_commands_redhat_5_restart_syslog"; restart_inittab:: - + "/sbin/init q" -> { "GEN000020", "GEN000040", "GEN000060", "LNX00580" } comment => "CAT I & II (Previously - G001, G002, G003, L222) UNIX STIG: 2.5.1.1 System Equipment, 12.14 The /etc/inittab File", handle => "stigs_commands_redhat_5_restart_inittab", contain => silent; - + restart_sysctl:: - + "/sbin/sysctl -p" -> { "GEN003600" } comment => "CAT II UNIX STIG: 3.20.5 Network Security", handle => "stigs_commands_redhat_5_restart_sysctl", contain => silent; - + restart_sendmail:: - + "/sbin/service sendmail restart" -> { "GEN004540", "GEN004560" } comment => "CAT II (Previously - G646) UNIX STIG: 4.7 Sendmail or Equivalent", handle => "stigs_commands_redhat_5_restart_sendmail"; @@ -965,12 +965,12 @@ bundle agent STIGs handle => "sting_commands_redhat_5_restart_aliases"; restart_sshd:: - + "/sbin/service sshd restart" -> { "GEN005500", "GEN005540" } comment => "CAT I & II (Previously - G701) UNIX STIG: 4.15 Secure Shell (SSH) and Equivalents", handle => "stigs_commands_redhat_5_restart_sshd"; - -# + +# methods: @@ -990,7 +990,7 @@ bundle agent STIGs # comment => "CAT II (Previously - L140, L142) UNIX STIG: 4.8 File Transfer Protocol (FTP)", # handle => "stigs_methods_redhat_5_unix_stigs_4_8", # usebundle => disabling_accounts("$(accounts_to_disable)"); - + "UNIX STIG 4.8/UNIX STIG 12.9" -> { "GEN004820", "GEN004840", "LNX00320", "LNX00340" } comment => "CAT I & II (Previously - G107, V052, L140, L142) UNIX STIG: 4.8 File Transfer Protocol (FTP) and Telnet, 12.9 Default Accounts", handle => "stigs_methods_redhat_5_unix_stigs_4_8_12_9", 
@@ -1238,7 +1238,7 @@ bundle edit_line maintain_login_defs insert_lines: "FAIL_DELAY 4 # GEN000480" -> { "GEN000480" } comment => "The login delay between login prompts after a failed login is set to less than four seconds.", - handle => "maintain_login_defs_insert_lines_gen000480"; + handle => "maintain_login_defs_insert_lines_gen000480"; } # GEN000500 @@ -1258,7 +1258,7 @@ bundle edit_line maintain_etc_profile # GEN000980, GEN001000 bundle edit_line maintain_securetty { -# delete_lines: +# delete_lines: # "vc/(\d+)" -> { "GEN000980" } # comment => "Allow root to login only from the system console.", # handle => "maintain_securetty_delete_lines_gen000980_1"; @@ -1375,7 +1375,7 @@ bundle edit_line maintain_umask(mask) "\h+umask\s(?!$(mask)$).*" -> { "GEN002560" } comment => "Ensure umask is 077", handle => "maintain_umask_replace_patterns_gen002560", - replace_with => value(" umask 077"); + replace_with => value(" umask 077"); } # GEN002660 GEN002720 GEN002740 GEN002760 GEN002780 GEN002800 GEN002820 GEN002840 @@ -1539,7 +1539,7 @@ bundle edit_line maintain_sendmail "^O SmtpGreetingMessage=\$j Sendmail \$v/\$Z; \$b" -> { "GEN004560" } comment => "Hide sendmail version.", handle => "maintain_sendmail_replace_patterns_gen004560", - replace_with => value("O SmtpGreetingMessage= Mail Server Ready STIG-GEN004560; $b"); + replace_with => value("O SmtpGreetingMessage= Mail Server Ready STIG-GEN004560; $b"); } # GEN004900 @@ -1571,7 +1571,7 @@ bundle edit_line create_ssh_banner * ***Users should have no expectation of privacy.*** * *******************************************************************************" -> { "GEN005540" } comment => "Banner for SSH", - handle => "create_ssh_banner_insert_lines_gen005540"; + handle => "create_ssh_banner_insert_lines_gen005540"; } # GEN001120, GEN005500, GEN005540 
@@ -1644,7 +1644,7 @@ command=/usr/bin/Xorg -br -audit 4 -s 15 flexible=true" -> { "LNX00360" } comment => "Enable X server audit level 4 and 15 minutes timeout time", handle => "maintain_gdm_custom_conf_insert_lines_lnx00360", - insert_type => "preserve_block"; + insert_type => "preserve_block"; } ##### body here ##### From 4aeb071cf99347ee91d695867ae8f5fa2b8c2530 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Wed, 18 Mar 2026 17:26:42 +0100 Subject: [PATCH 04/10] Fixed indentation in policy style guide Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit 62ebc3e311af2c957a2a1866fce402b2d1d4c085) Signed-off-by: Ole Herman Schumacher Elgesem --- .../policy-writing/policy-style.markdown | 109 ++++++++---------- 1 file changed, 49 insertions(+), 60 deletions(-) diff --git a/content/examples/tutorials/policy-writing/policy-style.markdown b/content/examples/tutorials/policy-writing/policy-style.markdown index 8a923730b..f3a7c4c06 100644 --- a/content/examples/tutorials/policy-writing/policy-style.markdown +++ b/content/examples/tutorials/policy-writing/policy-style.markdown 
@@ -48,31 +48,26 @@ a policy expert who is familiar with Normal ordering. bundle agent main { vars: - - "sshd_config" - string => "/etc/ssh/sshd_config"; + "sshd_config" + string => "/etc/ssh/sshd_config"; files: - - "$(sshd_config)" - edit_line => insert_lines("PermitRootLogin no"), - classes => results("bundle", "sshd_config"); + "$(sshd_config)" + edit_line => insert_lines("PermitRootLogin no"), + classes => results("bundle", "sshd_config"); packages: - - "ssh" - policy => "present"; - package_module => apt_get; + "ssh" + policy => "present"; + package_module => apt_get; services: - sshd_config_repaired:: - - "ssh" - service_policy => "restart", - comment => "After the sshd config file has been repaired, the - service must be reloaded in order for the new - settings to take effect."; + "ssh" + service_policy => "restart", + comment => "After the sshd config file has been repaired, the + service must be reloaded in order for the new + settings to take effect."; } ``` @@ -98,33 +93,27 @@ body common control bundle agent main { - packages: - - "ssh" - policy => "present"; - package_module => apt_get; + "ssh" + policy => "present"; + package_module => apt_get; vars: - - "sshd_config" - string => "/etc/ssh/sshd_config"; + "sshd_config" + string => "/etc/ssh/sshd_config"; files: - - "$(sshd_config)" - edit_line => insert_lines("PermitRootLogin no"), - classes => results("bundle", "sshd_config"); + "$(sshd_config)" + edit_line => insert_lines("PermitRootLogin no"), + classes => results("bundle", "sshd_config"); services: - sshd_config_repaired:: - - "ssh" - service_policy => "restart", - comment => "After the sshd config file has been repaired, the - service must be reloaded in order for the new - settings to take effect."; + "ssh" + service_policy => "restart", + comment => "After the sshd config file has been repaired, the + service must be reloaded in order for the new + settings to take effect."; } ``` 
@@ -265,21 +254,22 @@ bundle agent example(param1) # param1 - string - { vars: - "copy_of_param1" string => "$(param1)"; - - "jedi" slist => { - "Obi-Wan Kenobi", - "Luke Skywalker", - "Yoda", - "Darth Vader", # He used to be a Jedi, and since he - # tossed the emperor into the Death - # Star's reactor shaft we are including - # him. + "copy_of_param1" string => "$(param1)"; + + "jedi" + slist => { + "Obi-Wan Kenobi", + "Luke Skywalker", + "Yoda", + "Darth Vader", # He used to be a Jedi, and since he + # tossed the emperor into the Death + # Star's reactor shaft we are including + # him. }; classes: - # Most of the time we don't need differentiation of redhat and centos - "EL5" or => { "centos_5", "redhat_5" }; - "EL6" or => { "centos_6", "redhat_6" }; + # Most of the time we don't need differentiation of redhat and centos + "EL5" or => { "centos_5", "redhat_5" }; + "EL6" or => { "centos_6", "redhat_6" }; } ``` @@ -538,7 +528,6 @@ bundle agent satellite_bootstrap_main "bootstrap rhel7 servers to satellite every 24 hours" usebundle => satellite_bootstrap, action => if_elapsed(1440); - } ``` @@ -553,20 +542,20 @@ Formatted parsed policy: ```cf3 bundle agent satellite_bootstrap_main() { -meta: - (!ubuntu&!vvlan&!sarcrole_satellite):: - "tags" slist => {"autorun"}; + meta: + (!ubuntu&!vvlan&!sarcrole_satellite):: + "tags" slist => {"autorun"}; -methods: - any:: - "bootstrap rhel7 servers to satellite every 24 hours" - usebundle => satellite_bootstrap, - action => if_elapsed("1440"); + methods: + any:: + "bootstrap rhel7 servers to satellite every 24 hours" + usebundle => satellite_bootstrap, + action => if_elapsed("1440"); } body file control() { - inputs => { "$(sys.libdir)/stdlib.cf" }; + inputs => { "$(sys.libdir)/stdlib.cf" }; } ``` From fb30ef01d4f615b155975c6d1d2d93a4d34c51a2 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Fri, 6 Mar 2026 15:13:01 +0100 Subject: [PATCH 05/10] Fixed syntax errors and other inconsistencies pointed out by linting 
Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit 1dbdca00e70980d4312f0f2dd7a3950936e46a36) --- content/examples/_index.markdown | 7 ++++++- .../example-snippets/all_hosts_the_same.cf | 2 +- .../basic-file-directory.markdown | 19 ++++++++++++++++++- .../examples/example-snippets/copy_files.cf | 19 ------------------- .../example-snippets/database_creation.cf | 5 ----- .../deleting_lines_exception.cf | 4 ++-- .../distribute_root_passwords.cf | 8 ++++---- .../example-snippets/editing_tabular_files.cf | 8 ++++---- .../example-snippets/ensure_running_1.cf | 2 +- .../inserting_lines_in_a_file.cf | 12 ++++++------ ...ating_the_example_into_your_main_policy.cf | 3 --- .../postfix_mail_configuration.cf | 2 +- .../example-snippets/trigger_classes.cf | 4 ++-- .../example-snippets/variation_in_hosts.cf | 8 ++++---- .../warn_if_matching_line_in_file.cf | 4 ++-- .../examples/tutorials/file_compare_test.cf | 4 ++-- .../integrating-with-sumo-logic.markdown | 4 ++-- .../language-concepts/bundles.markdown | 14 ++++++++------ .../files/edit_line/field_edits.markdown | 8 ++++---- .../files/edit_line/insert_lines.markdown | 2 +- content/resources/additional-topics/STIGs.cf | 18 +++++++++--------- 21 files changed, 77 insertions(+), 80 deletions(-) delete mode 100644 content/examples/example-snippets/copy_files.cf delete mode 100644 content/examples/example-snippets/integrating_the_example_into_your_main_policy.cf diff --git a/content/examples/_index.markdown b/content/examples/_index.markdown index 802f48811..68c1f4e5c 100644 --- a/content/examples/_index.markdown +++ b/content/examples/_index.markdown 
@@ -259,4 +259,9 @@ from the example. For example, the LDAP query in `active_directory.cf` needs a domain name. In the variable declaration, replace "cftesting" with your domain name: -{{< CFEngine_include_snippet(integrating_the_example_into_your_main_policy.cf, .* ) >}} +```cf3 {skip TODO} +vars: + # NOTE: Edit this to your domain, e.g. "corp" + "domain_name" + string => "cftesting"; +``` diff --git a/content/examples/example-snippets/all_hosts_the_same.cf b/content/examples/example-snippets/all_hosts_the_same.cf index 5931a1c1a..0c8ae6188 100644 --- a/content/examples/example-snippets/all_hosts_the_same.cf +++ b/content/examples/example-snippets/all_hosts_the_same.cf @@ -10,7 +10,7 @@ bundle agent central vars: "policy_server" string => "myhost.domain.tld"; "mypackages" slist => { - "nagios" + "nagios", "gcc", "apache2", "php5" diff --git a/content/examples/example-snippets/basic-file-directory.markdown b/content/examples/example-snippets/basic-file-directory.markdown index d5a03387e..9e4dd7b23 100644 --- a/content/examples/example-snippets/basic-file-directory.markdown +++ b/content/examples/example-snippets/basic-file-directory.markdown @@ -76,7 +76,24 @@ Also you could write this using a list variable: ## Copy files -{{< CFEngine_include_snippet(copy_files.cf, .* ) >}} +```cf3 {skip TODO} +files: + "/var/cfengine/inputs" + handle => "update_policy", + perms => m("600"), + copy_from => u_scp("$(master_location)",@(policy_server)), + depth_search => recurse("inf"), + file_select => input_files, + action => immediate; + + "/var/cfengine/bin" + perms => m("700"), + copy_from => u_scp("/usr/local/sbin","localhost"), + depth_search => recurse("inf"), + file_select => cf3_files, + action => immediate, + classes => on_change("reload"); +``` ## Copy and flatten directory diff --git a/content/examples/example-snippets/copy_files.cf b/content/examples/example-snippets/copy_files.cf deleted file mode 100644 index 6c3473d57..000000000 
--- a/content/examples/example-snippets/copy_files.cf +++ /dev/null @@ -1,19 +0,0 @@ - files: - -"/var/cfengine/inputs" - -handle => "update_policy", -perms => m("600"), -copy_from => u_scp("$(master_location)",@(policy_server)), -depth_search => recurse("inf"), -file_select => input_files, -action => immediate; - -"/var/cfengine/bin" - -perms => m("700"), -copy_from => u_scp("/usr/local/sbin","localhost"), -depth_search => recurse("inf"), -file_select => cf3_files, -action => immediate, -classes => on_change("reload"); diff --git a/content/examples/example-snippets/database_creation.cf b/content/examples/example-snippets/database_creation.cf index 16b625fa4..90f4a144c 100644 --- a/content/examples/example-snippets/database_creation.cf +++ b/content/examples/example-snippets/database_creation.cf @@ -13,11 +13,6 @@ body knowledge control sql_type => "postgres"; } -bundle knowledge dummy -{ - topics: -} - body common control { bundlesequence => { "databases" }; diff --git a/content/examples/example-snippets/deleting_lines_exception.cf b/content/examples/example-snippets/deleting_lines_exception.cf index ac1c99d53..507983333 100644 --- a/content/examples/example-snippets/deleting_lines_exception.cf +++ b/content/examples/example-snippets/deleting_lines_exception.cf @@ -26,11 +26,11 @@ bundle agent testbundle files: "/tmp/passwd_excerpt" create => "true", - edit_line => MarkNRoot; + edit_line => mark_n_root; } ######################################################## -bundle edit_line MarkNRoot +bundle edit_line mark_n_root { delete_lines: "mark.*|root.*" not_matching => "true"; diff --git a/content/examples/example-snippets/distribute_root_passwords.cf b/content/examples/example-snippets/distribute_root_passwords.cf index ca2912b5b..bd125abf1 100644 --- a/content/examples/example-snippets/distribute_root_passwords.cf +++ b/content/examples/example-snippets/distribute_root_passwords.cf 
@@ -8,7 +8,7 @@ body common control { version => "1.2.3"; inputs => { "$(sys.libdir)/stdlib.cf" }; - bundlesequence => { "SetRootPassword" }; + bundlesequence => { "set_root_password" }; } ######################################################## @@ -19,7 +19,7 @@ bundle common g } ######################################################## -bundle agent SetRootPassword +bundle agent set_root_password { vars: # Or get variables directly from server with Enterprise @@ -32,11 +32,11 @@ bundle agent SetRootPassword # or $(pw_class)-root.txt "/tmp/shadow" - edit_line => SetRootPw; + edit_line => set_root_password; } ######################################################## -bundle edit_line SetRootPw +bundle edit_line set_root_password { vars: # Assume this file contains a single string of the form root:passwdhash: diff --git a/content/examples/example-snippets/editing_tabular_files.cf b/content/examples/example-snippets/editing_tabular_files.cf index 7a85d86d3..bd4dce392 100644 --- a/content/examples/example-snippets/editing_tabular_files.cf +++ b/content/examples/example-snippets/editing_tabular_files.cf @@ -26,18 +26,18 @@ bundle agent testbundle "/home/mark/tmp/passwd" create => "true", - edit_line => SetUserParam("mark","6","/set/this/shell"); + edit_line => set_user_param("mark","6","/set/this/shell"); "/home/mark/tmp/group" create => "true", - edit_line => AppendUserParam("root","4","@(userset)"); + edit_line => append_user_param("root","4","@(userset)"); commands: "/bin/echo" args => $(userset); } ######################################################## -bundle edit_line SetUserParam(user,field,val) +bundle edit_line set_user_param(user,field,val) { field_edits: "$(user):.*" @@ -46,7 +46,7 @@ bundle edit_line SetUserParam(user,field,val) } ######################################################## -bundle edit_line AppendUserParam(user,field,allusers) +bundle edit_line append_user_param(user,field,allusers) { vars: "val" slist => { @(allusers) }; 
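Review bot: In distribute_root_passwords.cf the agent bundle and the edit_line bundle it calls now share one name, `set_root_password`, where they were `SetRootPassword` and `SetRootPw` before. Even if the parser accepts two bundles of different types under the same name (worth confirming with the linter), `edit_line => set_root_password;` inside `bundle agent set_root_password` reads like a self-reference, in an example that edits a shadow file. I would keep the names distinct, for example `bundle edit_line set_root_pw` with `edit_line => set_root_pw;`. Both bundle bodies continue outside the hunks.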
diff --git a/content/examples/example-snippets/ensure_running_1.cf b/content/examples/example-snippets/ensure_running_1.cf index 0e0e00efa..9c21d16ea 100644 --- a/content/examples/example-snippets/ensure_running_1.cf +++ b/content/examples/example-snippets/ensure_running_1.cf @@ -1,4 +1,4 @@ -bundle agent CFEngine_processes +bundle agent cfengine_processes { vars: diff --git a/content/examples/example-snippets/inserting_lines_in_a_file.cf b/content/examples/example-snippets/inserting_lines_in_a_file.cf index d71dbb7d0..653d8a5c0 100644 --- a/content/examples/example-snippets/inserting_lines_in_a_file.cf +++ b/content/examples/example-snippets/inserting_lines_in_a_file.cf @@ -20,13 +20,13 @@ bundle agent insert files: "/tmp/test_insert" create => "true", - edit_line => Insert("$(insert.v)"); + edit_line => insert_name("$(insert.v)"); } ####################################################### # For the library ####################################################### -bundle edit_line Insert(name) +bundle edit_line insert_name(name) { insert_lines: " $(name)" @@ -66,14 +66,14 @@ bundle agent insert files: "/tmp/test_insert" create => "true", - edit_line => Insert("$(insert.v)"), + edit_line => insert_name("$(insert.v)"), edit_defaults => empty; } ####################################################### # For the library ####################################################### -bundle edit_line Insert(name) +bundle edit_line insert_name(name) { insert_lines: "Begin$(const.n)$(name)$(const.n)End"; @@ -112,7 +112,7 @@ bundle agent insert files: "/tmp/test_insert" create => "true", - edit_line => Insert("@(insert.v)"); + edit_line => insert_name("@(insert.v)"); # edit_defaults => empty; } @@ -120,7 +120,7 @@ bundle agent insert # For the library ####################################################### -bundle edit_line Insert(name) +bundle edit_line insert_name(name) { insert_lines: "$(name)"; 
diff --git a/content/examples/example-snippets/integrating_the_example_into_your_main_policy.cf b/content/examples/example-snippets/integrating_the_example_into_your_main_policy.cf deleted file mode 100644 index 441f64667..000000000 --- a/content/examples/example-snippets/integrating_the_example_into_your_main_policy.cf +++ /dev/null @@ -1,3 +0,0 @@ - vars: - # NOTE: Edit this to your domain, e.g. "corp" - "domain_name" string => "cftesting"; diff --git a/content/examples/example-snippets/postfix_mail_configuration.cf b/content/examples/example-snippets/postfix_mail_configuration.cf index fc1cc0a1b..0a2ed89c3 100644 --- a/content/examples/example-snippets/postfix_mail_configuration.cf +++ b/content/examples/example-snippets/postfix_mail_configuration.cf @@ -57,7 +57,7 @@ bundle edit_line prefix_postfix } ######################################################## -bundle edit_line AppendIfNSL(parameter) +bundle edit_line append_if_nsl(parameter) { insert_lines: "$(parameter)"; # This is default diff --git a/content/examples/example-snippets/trigger_classes.cf b/content/examples/example-snippets/trigger_classes.cf index deb2824d5..cb418f367 100644 --- a/content/examples/example-snippets/trigger_classes.cf +++ b/content/examples/example-snippets/trigger_classes.cf @@ -24,7 +24,7 @@ bundle agent insert files: "/tmp/test_insert" - edit_line => Insert("$(insert.v)"), + edit_line => insert_name("$(insert.v)"), edit_defaults => empty, classes => trigger("edited"); @@ -41,7 +41,7 @@ bundle agent insert # For the library ####################################################### -bundle edit_line Insert(name) +bundle edit_line insert_name(name) { insert_lines: "Begin$(const.n) $(name)$(const.n)End"; diff --git a/content/examples/example-snippets/variation_in_hosts.cf b/content/examples/example-snippets/variation_in_hosts.cf index 4a894ea42..980c5be29 100644 --- a/content/examples/example-snippets/variation_in_hosts.cf +++ b/content/examples/example-snippets/variation_in_hosts.cf 
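Review bot: The postfix_mail_configuration.cf hunk renames only the definition, `bundle edit_line append_if_nsl(parameter)`, and the diffstat lists a single changed line for that file. If an `edit_line => AppendIfNSL(...)` promise remains elsewhere in the file, it now points at a bundle that no longer exists; that cannot be checked from this hunk. Either rename the call sites in the same commit or, if there are none, consider dropping the unused bundle from the example. The bundle body continues past the hunk.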
@@ -15,16 +15,16 @@ bundle agent central "policy_server" string => "myhost.domain.tld"; mygroup_1:: "mypackages" slist => { - "nagios" + "nagios", "gcc", "apache2", - "php5" + "php5", }; mygroup_2:: "mypackages" slist => { - "apache" + "apache", "mysql", - "php5" + "php5", }; files: diff --git a/content/examples/example-snippets/warn_if_matching_line_in_file.cf b/content/examples/example-snippets/warn_if_matching_line_in_file.cf index fe8c2da51..728d5911c 100644 --- a/content/examples/example-snippets/warn_if_matching_line_in_file.cf +++ b/content/examples/example-snippets/warn_if_matching_line_in_file.cf @@ -14,12 +14,12 @@ bundle agent testbundle { files: "/var/cfengine/inputs/.*" - edit_line => DeleteLinesMatching(".*cfenvd.*"), + edit_line => delete_lines_matching(".*cfenvd.*"), action => WarnOnly; } ######################################################## -bundle edit_line DeleteLinesMatching(regex) +bundle edit_line delete_lines_matching(regex) { delete_lines: "$(regex)" action => WarnOnly; diff --git a/content/examples/tutorials/file_compare_test.cf b/content/examples/tutorials/file_compare_test.cf index 98adc2c16..1ead33da5 100644 --- a/content/examples/tutorials/file_compare_test.cf +++ b/content/examples/tutorials/file_compare_test.cf @@ -107,7 +107,7 @@ bundle agent create_aout_source_file "$(global_vars.workdir)/a.c" perms => system, create => "true", - edit_line => Insert("@(c)"); + edit_line => insert_name("@(c)"); reports: "The source file $(global_vars.workdir)/a.c has been created. It will be used to compile the binary a.out, which will provide more accurate file stats to compare two files than the built in CFEngine functionality for comparing file stats, including modification time. This information will be used to determine of the second of the two files being compared is newer or not."; @@ -115,7 +115,7 @@ bundle agent create_aout_source_file } -bundle edit_line Insert(name) +bundle edit_line insert_name(name) { insert_lines: "$(name)"; 
diff --git a/content/examples/tutorials/integrating-with-sumo-logic.markdown b/content/examples/tutorials/integrating-with-sumo-logic.markdown index fc43aa88c..6245d8c00 100644 --- a/content/examples/tutorials/integrating-with-sumo-logic.markdown +++ b/content/examples/tutorials/integrating-with-sumo-logic.markdown @@ -175,7 +175,7 @@ bundle agent sumo_logic_policy_update files: "$(policy_update_file)" create => "true", - edit_line => insert("CFEngine_update: $(sys.last_policy_update)"), + edit_line => insert_str("CFEngine_update: $(sys.last_policy_update)"), edit_defaults => file; "$(policy_update_file)" @@ -204,7 +204,7 @@ body contain shell_command useshell => "useshell"; } -bundle edit_line insert(str) +bundle edit_line insert_str(str) { insert_lines: "$(str)"; diff --git a/content/reference/language-concepts/bundles.markdown b/content/reference/language-concepts/bundles.markdown index 2be40e4de..8794b390d 100644 --- a/content/reference/language-concepts/bundles.markdown +++ b/content/reference/language-concepts/bundles.markdown @@ -30,6 +30,7 @@ declared as: ```cf3 bundle agent my_name { + # Promises for cf-agent } ``` @@ -38,16 +39,17 @@ while `cf-serverd` has bundles declared as: ```cf3 bundle server my_name { + # Promises for cf-serverd } ``` -and `cf-monitord` has bundles declared as +Currently, these are the possible _bundle types_: -```cf3 -bundle monitor my_name -{ -} -``` +- `agent`: Bundle of promises specific to the `cf-agent` binary. +- `server`: Bundle of promises specific to the `cf-serverd` binary. +- `monitor`: Bundle of promises specific to the `cf-monitord` binary. +- `common`: Bundle of promises shared among the different binaries / components. +- `edit_line`: Bunde of promises used in a `files` promise with the `edit_line` attribute. A number of promises can be made in any kind of bundle since they are of a generic input/output nature. These are `vars`, [`classes`][classes], `defaults`, 
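Review bot: The added `edit_line` bullet in bundles.markdown has a typo, `Bunde of promises`, which should read `Bundle of promises`. The list is also introduced as "the possible _bundle types_", a stronger claim than the three examples it replaces. If other types exist (`edit_xml` comes to mind, to be confirmed against the reference), either add them or soften the lead-in to `Currently, these are the most common _bundle types_:`.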
diff --git a/content/reference/promise-types/files/edit_line/field_edits.markdown b/content/reference/promise-types/files/edit_line/field_edits.markdown index 302d4f722..607da82d9 100644 --- a/content/reference/promise-types/files/edit_line/field_edits.markdown +++ b/content/reference/promise-types/files/edit_line/field_edits.markdown @@ -32,12 +32,12 @@ bundle agent example "/tmp/passwd" create => "true", - edit_line => SetUserParam("mark","6","/set/this/shell"); + edit_line => set_user_param("mark","6","/set/this/shell"); "/tmp/group" create => "true", - edit_line => AppendUserParam("root","4","@(userset)"); + edit_line => append_user_param("root","4","@(userset)"); } ``` @@ -45,7 +45,7 @@ The promise in this example assumes a parameterizable model for editing the fields of such files. ```cf3 -bundle edit_line SetUserParam(user,field,val) +bundle edit_line set_user_param(user,field,val) { field_edits: @@ -56,7 +56,7 @@ bundle edit_line SetUserParam(user,field,val) edit_field => col(":","$(field)","$(val)","set"); } -bundle edit_line AppendUserParam(user,field,allusers) +bundle edit_line append_user_param(user,field,allusers) { vars: diff --git a/content/reference/promise-types/files/edit_line/insert_lines.markdown b/content/reference/promise-types/files/edit_line/insert_lines.markdown index 082ab5acd..2e164d091 100644 --- a/content/reference/promise-types/files/edit_line/insert_lines.markdown +++ b/content/reference/promise-types/files/edit_line/insert_lines.markdown @@ -497,7 +497,7 @@ exact_match **Example:** ```cf3 -bundle edit_line Insert(service, filename) +bundle edit_line insert_service(service, filename) { insert_lines: diff --git a/content/resources/additional-topics/STIGs.cf b/content/resources/additional-topics/STIGs.cf index 97b6510ba..0698e3be2 100644 --- a/content/resources/additional-topics/STIGs.cf +++ b/content/resources/additional-topics/STIGs.cf 
@@ -23,16 +23,16 @@ body common control { - bundlesequence => { "STIGs" }; + bundlesequence => { "stigs" }; inputs => { "/var/cfengine/inputs/cfengine_stdlib.cf" }; - host_licenses_paid => "1"; + host_licenses_paid => "1"; } # # STIGs compliance with CFEngine 3 (Nova) # -bundle agent STIGs +bundle agent stigs { vars: @@ -666,15 +666,15 @@ bundle agent STIGs perms => mog("600","root","root"), edit_defaults => empty, edit_line => append_if_no_line("ALL"); - + "/etc/cron.allow" -> { "GEN002960", "GEN002980","GEN003060", "GEN003240" } comment => "CAT II (Previously - G200, G201, G622) UNIX STIG: 3.17.3 Restrictions", handle => "stigs_files_redhat_5_etc_cron_allow", create => "true", perms => mog("600","root","root"), edit_defaults => empty, - edit_line => maintain_cron_allow("@(STIGs.cron_users)"); - + edit_line => maintain_cron_allow("@(stigs.cron_users)"); + "$(cron_dirs)" -> { "GEN003040", "GEN003080" } comment => "CAT II (Previously - G205) UNIX STIG: 3.17.3 Restrictions", handle => "stigs_files_redhat_5_cron_dirs_600", @@ -716,7 +716,7 @@ bundle agent STIGs handle => "stigs_files_redhat_5_etc_at_deny_all_not_root", create => "true", perms => mog("600","root","root"), - edit_line => append_if_no_lines("@(STIGs.at_deny_users)"); + edit_line => append_if_no_lines("@(stigs.at_deny_users)"); "/etc/at.allow" -> { "GEN003320", "GEN003340", "GEN003460" } comment => "CAT II (Previously - G213, G214, G629) UNIX STIG: 3.18.3 Restrictions", @@ -888,8 +888,8 @@ bundle agent STIGs # "/etc/hosts.allow" -> { "GEN006620" } # comment => "CAT II UNIX STIG: 6.6 Access Control Programs and TCP_WRAPPERS", # handle => "stigs_files_redhat_5_etc_hosts_allow", -# edit_line => append_if_no_lines("@(STIGs.hosts_allow)"); - +# edit_line => append_if_no_lines("@(stigs.hosts_allow)"); + # "/etc/hosts.deny" -> { "GEN006620" } # comment => "CAT II UNIX STIG: 6.6 Access Control Programs and TCP_WRAPPERS", # handle => "stigs_files_redhat_5_etc_hosts_deny", 
From 5eef5edbe75ea7d74001596bc6c1cf2820704f00 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Fri, 6 Mar 2026 17:38:23 +0100 Subject: [PATCH 06/10] Removed File template examples page Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit d79e5a85f99b8bbe90fafb195c202c7704c961d1) --- .../examples/example-snippets/_index.markdown | 1 - .../example-snippets/file-template.markdown | 28 ------------------- .../examples/example-snippets/templating.cf | 8 ------ .../examples/example-snippets/templating_1.cf | 28 ------------------- 4 files changed, 65 deletions(-) delete mode 100644 content/examples/example-snippets/file-template.markdown delete mode 100644 content/examples/example-snippets/templating.cf delete mode 100644 content/examples/example-snippets/templating_1.cf diff --git a/content/examples/example-snippets/_index.markdown b/content/examples/example-snippets/_index.markdown index 01bb0c7bf..865d44755 100644 --- a/content/examples/example-snippets/_index.markdown +++ b/content/examples/example-snippets/_index.markdown @@ -12,7 +12,6 @@ aliases: - [Software administration examples][Software administration examples] - [Commands, scripts, and execution examples][Commands, scripts, and execution examples] - [File and directory examples][File and directory examples] -- [File template examples][File template examples] - [Database examples][Database examples] - [Network examples][Network examples] - [System security examples][System security examples] diff --git a/content/examples/example-snippets/file-template.markdown b/content/examples/example-snippets/file-template.markdown deleted file mode 100644 index 15b2eaf89..000000000 --- a/content/examples/example-snippets/file-template.markdown +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -layout: default -title: File template examples -sorting: 7 -aliases: - - "/examples-example-snippets-file-template.html" ---- - -- [Templating][File template examples#Templating] - -## Templating - -With CFEngine you have a choice between editing _deltas_ into files or distributing more-or-less finished templates. Which method you should choose depends should be made by whatever is easiest. - - If you are managing only part of the file, and something else (e.g. a package manager) is managing most of it, then it makes sense to use CFEngine file editing. - If you are managing everything in the file, then it makes sense to make the edits by hand and install them using CFEngine. You can use variables within source text files and let CFEngine expand them locally in situ, so that you can make generic templates that apply netwide. - -Example template: - -{{< CFEngine_include_snippet(templating.cf, .* ) >}} - -To copy and expand this template, you can use a pattern like this: - -{{< CFEngine_include_snippet(templating_1.cf, .* ) >}} - -The the following driving code (based on _copy then edit_) can be placed in a library, after configuring to your environmental locations: - -{{< CFEngine_include_snippet(templating_1.cf, .* ) >}} diff --git a/content/examples/example-snippets/templating.cf b/content/examples/example-snippets/templating.cf deleted file mode 100644 index 2c8b7ccbb..000000000 --- a/content/examples/example-snippets/templating.cf +++ /dev/null @@ -1,8 +0,0 @@ -# -# System file X -# - -MYVARIABLE = something or other -HOSTNAME = $(sys.host) # CFEngine fills this in - -# ... diff --git a/content/examples/example-snippets/templating_1.cf b/content/examples/example-snippets/templating_1.cf deleted file mode 100644 index cb3dc38c0..000000000 --- a/content/examples/example-snippets/templating_1.cf +++ /dev/null 
@@ -1,28 +0,0 @@ -bundle agent get_template(final_destination,mode) -{ - vars: - - # This needs to ne preconfigured to your site - - "masterfiles" string => "/home/mark/tmp"; - "this_template" string => lastnode("$(final_destination)","/"); - - files: - - "$(final_destination).staging" - - comment => "Get template and expand variables for this host", - perms => mo("400","root"), - copy_from => remote_cp("$(masterfiles)/templates/$(this_template)","$(policy_server)"), - action => if_elapsed("60"); - - - "$(final_destination)" - - comment => "Expand the template", - create => "true", - edit_line => expand_template("$(final_destination).staging"), - edit_defaults => empty, - perms => mo("$(mode)","root"), - action => if_elapsed("60"); -} From ee2737c0b9ce2122d90c6b5c238cc8543e6a9809 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Fri, 6 Mar 2026 17:43:53 +0100 Subject: [PATCH 07/10] Removed nonsense templating example Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit 12c0028420b1760ac03d5dc3d826a7f45ebe7bcc) --- .../example-snippets/macro_template_1.cf | 46 ------------------- .../example-snippets/system-file.markdown | 4 -- 2 files changed, 50 deletions(-) delete mode 100644 content/examples/example-snippets/macro_template_1.cf diff --git a/content/examples/example-snippets/macro_template_1.cf b/content/examples/example-snippets/macro_template_1.cf deleted file mode 100644 index aff4e3643..000000000 --- a/content/examples/example-snippets/macro_template_1.cf +++ /dev/null 
@@ -1,46 +0,0 @@ -bundle agent hand_edited_template -{ - vars: - - "masterfiles" string => "/mysite/masterfiles"; - "policy_server" string => "policy_host.domain.tld"; - - files: - - "/etc/hosts" - comment => "Synchronize hosts with a hand-edited template in svn", - perms => m("644"), - create => "true", - edit_line => expand_template("$(masterfiles)/trunk/hosts_master"), - edit_defaults => empty, - action => if_elapsed("60"); - - commands: - - "/usr/bin/svn update" - comment => "Update the company document repository including manuals to a local copy", - contain => silent_in_dir("$(masterfiles)/trunk"), - if => canonify("$(policy_server)"); - -} -``` -# Syntax: -# -# IP-Address Full-Qualified-Hostname Short-Hostname -# - -127.0.0.1 localhost $(sys.host) -::1 localhost ipv6-localhost ipv6-loopback -fe00::0 ipv6-localnet -ff00::0 ipv6-mcastprefix -ff02::1 ipv6-allnodes -ff02::2 ipv6-allrouters -ff02::3 ipv6-allhosts -10.0.0.100 host1.domain.tld host1 -10.0.0.101 host2.domain.tld host2 -10.0.0.20 host3.domain.tld host3 -10.0.0.21 host4.domain.tld host4 - -# Add below this line - -$(definitions.more_hosts) diff --git a/content/examples/example-snippets/system-file.markdown b/content/examples/example-snippets/system-file.markdown index f80ccd2a3..1208096dd 100644 --- a/content/examples/example-snippets/system-file.markdown +++ b/content/examples/example-snippets/system-file.markdown 
@@ -51,10 +51,6 @@ The next simplest approach to file management is to add variables to the templat {{< CFEngine_include_snippet(macro_template.cf, .* ) >}} -The macro template file may contain variables, as below, that get expanded by CFEngine. - -{{< CFEngine_include_snippet(macro_template_1.cf, .* ) >}} - ### Custom editing If you do not control the starting state of the file, because it is distributed by an operating system vendor for instance, then editing the final state is the best approach. That way, you will get changes that are made by the vendor, and will ensure your own modifications are kept even when updates arrive. From 33e5e71f391ecd7a88ea744158548300f97ea0d8 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Fri, 6 Mar 2026 17:48:48 +0100 Subject: [PATCH 08/10] Removed nonsense example for setting up name resolution Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit 22cc9c3b0ed91a00e6c2bd271bf3e6851439657f) --- .../set_up_name_resolution_1.cf | 51 ------------------- .../system-administration.markdown | 8 --- 2 files changed, 59 deletions(-) delete mode 100644 content/examples/example-snippets/set_up_name_resolution_1.cf diff --git a/content/examples/example-snippets/set_up_name_resolution_1.cf b/content/examples/example-snippets/set_up_name_resolution_1.cf deleted file mode 100644 index 5c7d36d53..000000000 --- a/content/examples/example-snippets/set_up_name_resolution_1.cf +++ /dev/null 
@@ -1,51 +0,0 @@ -bundle agent system_files -{ - vars: - "searchlist" string => "iu.hio.no CFEngine.com"; - "nameservers" slist => { - "128.39.89.10", - "128.39.74.16", - "192.168.1.103" - }; - - files: - "$(sys.resolv)" # test on "/tmp/resolv.conf" # - create => "true", - edit_line => doresolv("$(s)","@(this.n)"), - edit_defaults => empty; - # .... - -} -####################################################### - -bundle edit_line doresolv(search,names) -{ - insert_lines: - "search $(search)"; - "nameserver $(names)"; -} -``` -bundle agent system_files -{ - # ... - - files: - "/etc/hosts" - comment => "Add hosts to the /etc/hosts file", - edit_line => fix_etc_hosts; -} -########################################################### - -bundle edit_line fix_etc_hosts -{ - vars: - "names[127.0.0.1]" string => "localhost localhost.CFEngine.com"; - "names[128.39.89.12]" string => "myhost myhost.CFEngine.com"; - "names[128.39.89.13]" string => "otherhost otherhost.CFEngine.com"; - # etc - - "i" slist => getindices("names"); - - insert_lines: - "$(i) $(names[$(i)])"; -} diff --git a/content/examples/example-snippets/system-administration.markdown b/content/examples/example-snippets/system-administration.markdown index e4c61687f..5f7117407 100644 --- a/content/examples/example-snippets/system-administration.markdown +++ b/content/examples/example-snippets/system-administration.markdown 
@@ -96,14 +96,6 @@ A simple and straightforward approach is to maintain a separate modular bundle f {{< CFEngine_include_snippet(set_up_name_resolution.cf, .* ) >}} -A second approach is to try to conceal the operational details behind a veil of abstraction. - -{{< CFEngine_include_snippet(set_up_name_resolution_1.cf, .* ) >}} - -DNS is not the only name service, of course. Unix has its older /etc/hosts file which can also be managed using file editing. We simply append this to the system_files bundle. - -{{< CFEngine_include_snippet(set_up_name_resolution_1.cf, .* ) >}} - ## Set up sudo Setting up sudo is straightforward, and is best managed by copying trusted files from a repository. From 981f18e0b0c6feca51238a818068c4032078daa4 Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Fri, 6 Mar 2026 17:57:53 +0100 Subject: [PATCH 09/10] Fixed example for general pattern of bundles Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit 015319902804ce87a39e09b2ae3edc98cf393366) --- .../example-snippets/general.markdown | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/content/examples/example-snippets/general.markdown b/content/examples/example-snippets/general.markdown index d6711a57b..53fc2e003 100644 --- a/content/examples/example-snippets/general.markdown +++ b/content/examples/example-snippets/general.markdown 
@@ -18,21 +18,19 @@ To get started with CFEngine, you can imagine the following template for enterin ## The general pattern -The general pattern of the syntax is like this (colors in html version: red, CFEngine word; blue, user-defined word): +The general pattern of the syntax is like this: -```cf3 +```cf3 {skip} bundle component name(parameters) { -what_type: - where_when:: - - ## Traditional comment - - "promiser" -> { "promisee1", "promisee2" }, + what_type: + where_when:: + ## Traditional comment + "promiser" -> { "promisee1", "promisee2" }, comment => "The intention ...", - handle => "unique_id_label", - attribute_1 => body_or_value1, - attribute_2 => body_or_value2; + handle => "unique_id_label", + attribute_1 => body_or_value1, + attribute_2 => body_or_value2; } ``` From 5bfc189407cf59cc42dc4b5c6663d1b2f468297f Mon Sep 17 00:00:00 2001 From: Ole Herman Schumacher Elgesem Date: Fri, 6 Mar 2026 18:07:04 +0100 Subject: [PATCH 10/10] Made formatting more consistent in defaults docs and skip snippets for linting Signed-off-by: Ole Herman Schumacher Elgesem (cherry picked from commit 08d18c7381a8f8d29e08478838bb2de856135337) --- ...ory_remediate_sec_vulnerabilities.markdown | 22 ++--- .../language-concepts/_index.markdown | 11 +-- .../reference/promise-types/defaults.markdown | 89 +++++++++++-------- .../files/edit_line/insert_lines.markdown | 4 +- .../promise-types/guest_environments.markdown | 2 +- .../reference/promise-types/services.markdown | 8 +- 6 files changed, 72 insertions(+), 64 deletions(-) diff --git a/content/examples/tutorials/report_inventory_remediate_sec_vulnerabilities.markdown b/content/examples/tutorials/report_inventory_remediate_sec_vulnerabilities.markdown index 572340494..0913152be 100644 --- a/content/examples/tutorials/report_inventory_remediate_sec_vulnerabilities.markdown +++ b/content/examples/tutorials/report_inventory_remediate_sec_vulnerabilities.markdown 
@@ -38,8 +38,8 @@ This bundle will check if the host is vulnerable to the CVE, define a class _CVE_2014_6217_ if it is vulnerable and augment Mission Portals Inventory interface in CFEngine Enterprise. -```cf3 {file="inventory_CVE_2014_6271.cf"} -bundle agent inventory_CVE_2014_6271 +```cf3 {file="inventory_cve_2014_6271.cf"} +bundle agent inventory_cve_2014_6271 { meta: "description" string => "Remote exploit vulnerability in bash http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271"; @@ -52,13 +52,13 @@ bundle agent inventory_CVE_2014_6271 "test_result" string => execresult("$(env) x='() { :;}; $(echo) vulnerable' $(bash) -c 'echo testing CVE-2014-6271'", "useshell"); - CVE_2014_6271:: + cve_2014_6271:: "vulnerable" string => "CVE-2014-6271", meta => { "inventory", "attribute_name=Vulnerable CVE(s)" }; classes: - "CVE_2014_6271" + "cve_2014_6271" expression => regcmp( "vulnerable.*", "$(test_result)" ), scope => "namespace", persistence => "10", @@ -70,7 +70,7 @@ bundle agent inventory_CVE_2014_6271 DEBUG|DEBUG_cve_2014_6217:: "Test Result: $(test_result)"; - CVE_2014_6271.(inform_mode|verbose_mode):: + cve_2014_6271.(inform_mode|verbose_mode):: "Tested Vulnerable for CVE-2014-6271: $($(this.bundle)_meta.description)"; } ``` @@ -94,7 +94,7 @@ place the command output into the `test_result` variable. Since we have no classes type promise is evaluated and defines the class `CVE_2014_6271` if the output matches the regular expression `vulnerable.\*`. Finally the reports are evaluated before starting the second pass. If the class `DEBUG` or -`DEBUG_inventory_CVE_2014_6271` is set the test command output will be shown, +`DEBUG_inventory_cve_2014_6271` is set the test command output will be shown, and if the vulnerability is present agent is running in inform or verbose mode message indicating the host is vulnerable along with the description will be output. 
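Review bot: The debug class named in the new prose of the `@@ -94` hunk, `DEBUG_inventory_cve_2014_6271`, does not match the guard the snippet uses in the `@@ -70` hunk, `DEBUG|DEBUG_cve_2014_6217::`, which has a different name and the digits transposed to 6217. A reader who sets the documented class would therefore not get the test output; the guard should read `DEBUG|DEBUG_inventory_cve_2014_6271::`. The same paragraph still says the classes promise defines `CVE_2014_6271`, and the introduction in the `@@ -38` hunk says `_CVE_2014_6217_`, while the renamed snippet now defines `cve_2014_6271`; both should be updated to the lower-case name so that alerts or policy written from the prose match the class the bundle sets. The class is declared with `scope => "namespace"` and is consumed by the remediation bundle further down, so the commit description should mention the rename for anyone who copied the earlier spelling. The bundle body spans several hunks and is only partly visible here.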
@@ -112,7 +112,7 @@ is to change `"services_autorun" expression => "!any";` to `"services_autorun" expression => "any";` in `def.cf`. Once you have autorun enabled you need only save the policy into -`services/autorun/inventory_CVE_2014_6271.cf`. +`services/autorun/inventory_cve_2014_6271.cf`. ### Report on affected system inventory @@ -154,10 +154,10 @@ See the dashboard alert in action. Now that we know the extent of exposure lets ensure bash gets updated on some of the affected systems. Save the following policy into -`services/autorun/remediate_CVE_2014_6271.cf` +`services/autorun/remediate_cve_2014_6271.cf` -```cf3 {file="remediate_CVE_2014_6271.cf"} -bundle agent remediate_CVE_2014_6271 +```cf3 {file="remediate_cve_2014_6271.cf"} +bundle agent remediate_cve_2014_6271 { meta: "tags" slist => { "autorun" }; @@ -166,7 +166,7 @@ bundle agent remediate_CVE_2014_6271 "allow_update" or => { "hub", "host001" }; methods: - allow_update.CVE_2014_6271:: + allow_update.cve_2014_6271:: "Upgrade_Bash" usebundle => package_latest("bash"); } diff --git a/content/reference/language-concepts/_index.markdown b/content/reference/language-concepts/_index.markdown index 93980e27a..f1eb8ca95 100644 --- a/content/reference/language-concepts/_index.markdown +++ b/content/reference/language-concepts/_index.markdown @@ -8,15 +8,12 @@ aliases: There is only one grammatical form for statements in the language: -```cf3 +```cf3 {skip} bundle bundle_type name { -promise_type: - - classes:: - - "promiser" -> { "promisee1", "promisee2", "..." } - + promise_type: + classes:: + "promiser" -> { "promisee1", "promisee2", "..." } attribute_1 => value_1, attribute_2 => value_2, # ... diff --git a/content/reference/promise-types/defaults.markdown b/content/reference/promise-types/defaults.markdown index debfbcff9..d133ad130 100644 --- a/content/reference/promise-types/defaults.markdown +++ b/content/reference/promise-types/defaults.markdown 
@@ -14,74 +14,85 @@ the empty string, they remain as variables for possible future expansion. Some variables might be defined but still contain unresolved variables. To handle this you will need to match the `$(abc)` form of the variables. -```cf3 +```cf3 {skip TODO} body common control { -bundlesequence => { "main" }; + bundlesequence => { "main" }; } bundle agent main { -methods: - - "example" usebundle => test("one","x","","$(four)"); + methods: + "example" + usebundle => test("one","x","","$(four)"); } -bundle agent test(a,b,c,d) +bundle agent test(a, b, c, d) { -defaults: - - "a" string => "default a", if_match_regex => ""; - "b" string => "default b", if_match_regex => "x"; - "c" string => "default c", if_match_regex => ""; - "d" string => "default d", if_match_regex => "\$\([a-zA-Z0-9_.]+\)"; - -reports: - - "a = '$(a)', b = '$(b)', c = '$(c)' d = '$(d)'"; + defaults: + "a" + string => "default a", + if_match_regex => ""; + "b" + string => "default b", + if_match_regex => "x"; + "c" + string => "default c", + if_match_regex => ""; + "d" + string => "default d", + if_match_regex => "\$\([a-zA-Z0-9_.]+\)"; + + reports: + "a = '$(a)', b = '$(b)', c = '$(c)' d = '$(d)'"; } ``` Another example: -```cf3 +```cf3 {skip TODO} bundle agent example { -defaults: - - "X" string => "I am a default value"; - "Y" slist => { "I am a default list item 1", "I am a default list item 2" }; - -methods: - - "example" usebundle => mymethod("","bbb"); - -reports: - - "The default value of X is $(X)"; - "The default value of Y is $(Y)"; + defaults: + "X" + string => "I am a default value"; + "Y" + slist => { + "I am a default list item 1", + "I am a default list item 2", + }; + + methods: + "example" + usebundle => mymethod("","bbb"); + + reports: + "The default value of X is $(X)"; + "The default value of Y is $(Y)"; } ########################################################### -bundle agent mymethod(a,b) +bundle agent mymethod(a, b) { vars: - - "no_return" string => "ok"; # 
readfile("/dont/exist","123"); + "no_return" + string => "ok"; # readfile("/dont/exist","123"); defaults: - - "a" string => "AAAAAAAAA", if_match_regex => ""; - "b" string => "BBBBBBBBB", if_match_regex => ""; - "no_return" string => "no such file"; + "a" + string => "AAAAAAAAA", + if_match_regex => ""; + "b" + string => "BBBBBBBBB", + if_match_regex => ""; + "no_return" + string => "no such file"; reports: - "The value of a is $(a)"; "The value of b is $(b)"; - "The value of no_return is $(no_return)"; } ``` diff --git a/content/reference/promise-types/files/edit_line/insert_lines.markdown b/content/reference/promise-types/files/edit_line/insert_lines.markdown index 2e164d091..ba7a5b082 100644 --- a/content/reference/promise-types/files/edit_line/insert_lines.markdown +++ b/content/reference/promise-types/files/edit_line/insert_lines.markdown @@ -105,10 +105,10 @@ files: "/home/mark/tmp/file_based_on_template" create => "true", - edit_line => ExpandMeFrom("/tmp/source_template"); + edit_line => expand_me_from("/tmp/source_template"); } -bundle edit_line ExpandMeFrom(template) +bundle edit_line expand_me_from(template) { insert_lines: "$(template)" diff --git a/content/reference/promise-types/guest_environments.markdown b/content/reference/promise-types/guest_environments.markdown index 585ffbd16..7a73687e8 100644 --- a/content/reference/promise-types/guest_environments.markdown +++ b/content/reference/promise-types/guest_environments.markdown @@ -404,7 +404,7 @@ eucalyptus **Example:** -```cf3 +```cf3 {skip TODO} bundle agent my_vm_cloud { guest_environments: diff --git a/content/reference/promise-types/services.markdown b/content/reference/promise-types/services.markdown index 1535542ca..7ed5dd152 100644 --- a/content/reference/promise-types/services.markdown +++ b/content/reference/promise-types/services.markdown 
@@ -227,10 +227,10 @@ body service_method my_custom_service_method service_bundle => my_custom_service_method_windows( $(this.promiser), $(this.service_policy) ); redhat|centos:: - service_bundle => my_custom_service_method_EL( $(this.promiser), $(this.service_policy) ); + service_bundle => my_custom_service_method_rhel( $(this.promiser), $(this.service_policy) ); debian|ubuntu:: - service_bundle => my_custom_service_method_DEB( $(this.promiser), $(this.service_policy) ); + service_bundle => my_custom_service_method_deb( $(this.promiser), $(this.service_policy) ); } bundle agent my_custom_service_method_windows( service_identifier, desired_service_state ) @@ -238,12 +238,12 @@ bundle agent my_custom_service_method_windows( service_identifier, desired_servi # Specific windows implementation } -bundle agent my_custom_service_method_EL( service_identifier, desired_service_state ) +bundle agent my_custom_service_method_rhel( service_identifier, desired_service_state ) { # Specific Redhat|Centos implementation } -bundle agent my_custom_service_method_DEB( service_identifier, desired_service_state ) +bundle agent my_custom_service_method_deb( service_identifier, desired_service_state ) { # Specific Debian|Ubuntu implementation }