Enhance syntax to support whitelisted resources #38

Closed
ryancox opened this issue Jan 31, 2016 · 7 comments
Labels
enhancement stale Used by https://probot.github.io/apps/stale/

Comments

@ryancox
Contributor

ryancox commented Jan 31, 2016

For certain resource types, it would be very useful to specify a whitelist, e.g. only users 'apache' and 'root' should exist. This whitelist might be the null set, e.g. no ports should be listening.

@aelsabbahy
Member

Can you give a few examples, using the current goss JSON structure, of what this would look like?

I'm having a hard time visualizing where this will fit.

@aelsabbahy
Member

This is possibly dependent on #31

@ryancox
Contributor Author

ryancox commented Feb 1, 2016

Syntax is the tricky part: keeping things clean and backward compatible. Here are some ideas, none of which are particularly great, but perhaps they will spark some inspiration ;)

"port!": {     <--- some sort of operator that specifies only .. very magical
    "tcp6:80": {
        "listening": true
    },
},


"port-whitelist": { <--- '-whitelist' suffix which is a bit more descriptive
    "tcp:80": {
        "listening": false
    },
},

"only-port": { <--- 'only-' prefix which is also a bit more descriptive 
    "tcp6:80": {
        "listening": true
    },
},  

"only-port": {
}, <-- empty section means no ports should be listening

@aelsabbahy
Member

Hmm, that clarifies a lot, and I think I'll use a syntax similar to the one I take in issue #31. The only magical piece about this feature is keying off of the attribute that determines Existence, similar to autoadd (ex. File.Exists, Port.Listening, Package.Installed).

All your examples made sense to me except for one:

"port-whitelist": { <--- '-whitelist' suffix which is a bit more descriptive
    "tcp:80": {
        "listening": false
    },
},

I'm not really understanding the expected behavior for this. Would that ensure port 80 is NOT listening and all other ports are listening, or is it the same as no ports are listening?

@ryancox
Contributor Author

ryancox commented Feb 1, 2016

Oops ... that was a copy/paste error. Should have been "listening": true

@aelsabbahy
Member

Now that #31 is shipped, I'm wondering if this should be a separate resource altogether. Something like:

user:
  nobody:
    exists: true
    uid: 99
    gid: 99
    groups:
    - nobody
    home: /
whitelist:
  users: [nobody, root]
  ports: { have-len: 0 }
  packages: { have-len: 2 }

or

package-whitelist:
  kernel:
    installed: true
  openssh:
    installed: true
port-whitelist: {}
user-whitelist:
  nobody:
    exists: true
    uid: 99
    gid: 99
    groups:
    - nobody
    home: /
  root:
    exists: true
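
The whitelist semantics discussed in this thread, as an added example that is not part of the original issue and not goss code: it audits a JSON rendering of the proposed `<type>-whitelist` sections against a constructed host state. `CheckWhitelists` and `existenceAttr` are hypothetical names, and rejecting an entry whose existence attribute is `false` is an assumption made here to avoid the ambiguity raised above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Attribute that decides existence per resource type (Port.Listening etc.).
var existenceAttr = map[string]string{"port": "listening", "user": "exists", "package": "installed"}

// CheckWhitelists (hypothetical) audits each "<type>-whitelist" section against observed host state.
func CheckWhitelists(spec string, observed map[string][]string) ([]string, error) {
	var doc map[string]map[string]map[string]interface{}
	if err := json.Unmarshal([]byte(spec), &doc); err != nil {
		return nil, err
	}
	findings := []string{}
	for section, entries := range doc {
		rtype := strings.TrimSuffix(section, "-whitelist")
		attr, known := existenceAttr[rtype]
		if rtype == section || !known {
			continue // not a whitelist section
		}
		seen := map[string]bool{}
		for _, name := range observed[rtype] {
			seen[name] = true
			if _, ok := entries[name]; !ok {
				findings = append(findings, "unexpected "+rtype+": "+name)
			}
		}
		for name, attrs := range entries {
			// Assumption: "<attr>: false" inside a whitelist is ambiguous, so reject it.
			if v, _ := attrs[attr].(bool); !v {
				return nil, fmt.Errorf("%s %q: %q must be true", section, name, attr)
			}
			if !seen[name] {
				findings = append(findings, "missing "+rtype+": "+name)
			}
		}
	}
	sort.Strings(findings)
	return findings, nil
}

func main() { // constructed spec and host state, not taken from a real system
	spec := `{"port-whitelist": {}, "user-whitelist": {"root": {"exists": true}, "nobody": {"exists": true, "uid": 99}}}`
	fmt.Println(CheckWhitelists(spec, map[string][]string{"port": {"tcp:23"}, "user": {"root", "deploy"}}))
}
```

An empty `port-whitelist` flags every listening port, and sections without the `-whitelist` suffix are skipped.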

@stale

stale bot commented Jul 9, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jul 9, 2020
@stale stale bot closed this as completed Jul 16, 2020