4

I am searching for something (be it a Framework, Software or even just a Best Practice) for the following requirement:

I want to provide a kind of blacklist of configuration values (in several configuration file formats) which must not be set/changed.

The system is a Linux (CentOS) appliance which houses only one application; configuration changes should be rare.

I want to check several configuration files for sanity, ranging from Apache to ifcfg-eth* etc.

Is there a solution which already provides a mechanism like that for a set of 'standard' configuration files?

An example: I want to prevent users from accidentally deactivating KeepAlive in Apache, but they should be able to change other things in the configuration. I want to prevent 'common mistakes'.

2 Answers

3

I've done something similar to this with Puppet (painful) using the solution documented at: Set sysctl.conf parameters with Puppet

It was quite a bit of work to obtain a pretty basic function. In your situation, what's the ratio of parameters you wish to blacklist to those you don't mind being modified? That would impact the approach to solving this. A lot of engineers I know prefer to move entire config files versus using templates or modifying values.

CFEngine had a string modification parameter that would ensure that certain lines were present in a file and add them if they weren't. Same for comments...

ewwhite
  • 201,205
0

Your use cases are the primary goals of configuration management tools like Puppet, Chef, CFEngine, bcfg2 and others.

Suppose you wanted to prevent changes to ifcfg-eth0. You would configure these tools to track this file.

When the tool's agent wakes up at regular intervals, it can either inform you that a change has occurred, or can revert the file to its original state.

Not Now
  • 3,602
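The blacklist check the question asks for, sketched as an added example that is not part of the original posts and not taken from any of the tools named above. The rule set, the `ONBOOT` rule and the sample file contents are constructed assumptions; only the KeepAlive case comes from the question.

```python
import re
import shlex

# Constructed example rules: format -> {setting: forbidden values (lowercase)}.
BLACKLIST = {
    "apache": {"keepalive": {"off"}},   # Apache directive names are case-insensitive
    "ifcfg": {"ONBOOT": {"no"}},        # shell variable names are case-sensitive
}

def parse_apache(text):
    """Yield (lineno, directive, value) from 'Directive value' lines."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#<":      # skip comments and <Section> tags
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip("\"'") if len(parts) > 1 else ""
        yield n, parts[0].lower(), value

def parse_ifcfg(text):
    """Yield (lineno, key, value) from shell-style KEY=value lines."""
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*([A-Za-z_]\w*)=(.*)$", line)
        if not m:                            # comments and blank lines fall out here
            continue
        try:
            tokens = shlex.split(m.group(2), comments=True)  # drops quotes and '# ...'
        except ValueError:                   # unbalanced quote: keep the raw value
            tokens = [m.group(2)]
        yield n, m.group(1), tokens[0] if tokens else ""

PARSERS = {"apache": parse_apache, "ifcfg": parse_ifcfg}

def violations(fmt, text):
    """Return [(lineno, setting, value)] for every blacklisted setting found."""
    rules = BLACKLIST[fmt]
    return [(n, key, value) for n, key, value in PARSERS[fmt](text)
            if value.lower() in rules.get(key, ())]

# Constructed sample inputs.
SAMPLE_HTTPD = "# tuning\nTimeout 60\nkeepalive Off\nMaxKeepAliveRequests 100\n"
SAMPLE_IFCFG = 'DEVICE=eth0\n#ONBOOT=no\nONBOOT="no"  # disabled by mistake\nMTU=9000\n'

if __name__ == "__main__":
    for fmt, text in (("apache", SAMPLE_HTTPD), ("ifcfg", SAMPLE_IFCFG)):
        for n, key, value in violations(fmt, text):
            print(f"{fmt}: line {n}: {key}={value} is blacklisted")
```

A non-empty result can drive the report-or-revert step the second answer describes, while every setting not on the blacklist stays free to change.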