SaltStack commands for installing a package on a remote server (the salt-minion client).
1. The following state file installs, activates and starts qualys-cloud-agent on RedHat and CentOS.
# vi qualys-cloud-agent-redhat.sls
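---
# Installs, activates and starts the Qualys Cloud Agent on RedHat-family
# minions. The whole file renders empty on any other os_family.
{% if grains['os_family'] == "RedHat" -%}
install qualys-cloud-agent:
  pkg.installed:
    - sources:
      # single slash: the original "salt://_files//..." was inconsistent
      # with every other salt:// path in these states
      - qualys-cloud-agent: salt://_files/qualys-cloud-agent.x86_64.rpm

# Run the vendor activation script right after the package is installed.
# The original used module.run, which is not idempotent and re-activated
# the agent on every state.apply; onchanges runs this only when the pkg
# state reports a change (a package installed outside Salt will therefore
# need a one-off manual activation). ActivationId/CustomerId identify your
# Qualys subscription: prefer sourcing them from pillar instead of
# committing them with the state file.
activate qualys-cloud-agent:
  cmd.run:
    - name: "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=c4171172-7e24-47d8-a995-4364923c3b54 CustomerId=aac8d569-c20c-3a9f-e040-10ac130471e6"
    - onchanges:
      - pkg: install qualys-cloud-agent

# Enable at boot and keep running; explicit require keeps the order even
# if state_auto_order is disabled on the master.
enable qualys-cloud-agent service:
  service.running:
    - name: qualys-cloud-agent
    - enable: true
    - reload: true
    - require:
      - cmd: activate qualys-cloud-agent
{% endif %}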
2. The following state file installs, activates and starts qualys-cloud-agent on Debian-family systems.
# vi qualys-cloud-agent-debian.sls
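---
# Installs, activates and starts the Qualys Cloud Agent on Debian-family
# minions. The whole file renders empty on any other os_family.
{% if grains['os_family'] == "Debian" -%}
install qualys-cloud-agent:
  pkg.installed:
    - sources:
      # single slash: the original "salt://_files//..." was inconsistent
      # with every other salt:// path in these states
      - qualys-cloud-agent: salt://_files/qualys-cloud-agent.x86_64.deb

# Run the vendor activation script right after the package is installed.
# The original used module.run, which is not idempotent and re-activated
# the agent on every state.apply; onchanges runs this only when the pkg
# state reports a change (a package installed outside Salt will therefore
# need a one-off manual activation). ActivationId/CustomerId identify your
# Qualys subscription: prefer sourcing them from pillar instead of
# committing them with the state file.
activate qualys-cloud-agent:
  cmd.run:
    - name: "/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent.sh ActivationId=c4171172-7e24-47d8-a995-4364923c3b54 CustomerId=aac8d569-c20c-3a9f-e040-10ac130471e6"
    - onchanges:
      - pkg: install qualys-cloud-agent

# Enable at boot and keep running; explicit require keeps the order even
# if state_auto_order is disabled on the master.
enable qualys-cloud-agent service:
  service.running:
    - name: qualys-cloud-agent
    - enable: true
    - reload: true
    - require:
      - cmd: activate qualys-cloud-agent
{% endif %}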
3. To push / install the package to a single host use the following command; for a group of systems, target a nodegroup name instead.
# salt dev-vm1.acg.com state.apply qualys-cloud-agent-debian
4. Use the following state file to create the sshusers group. It is pushed to /etc/group on the client; only members of sshusers will have SSH access and everyone else will be blocked.
# vi sshusers.sls
---
# Authoritative membership of the sshusers group. "members" replaces the
# group's whole member list (accounts not listed here are removed from it),
# unlike "addusers", which only adds to it.
sshusers admin access:
  group.present:
    - name: 'sshusers'
    - members:
      - 'root'
      - 'dev_user1'
      - 'dev_user2'
5. Use the following state file to grant sudo access to the users listed in the server_admins file at the path mentioned below.
# vi sudoers.sls
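# Drop-in sudoers fragment for the server_admins list. check_cmd validates
# the candidate file with visudo before it replaces the live one, so a
# syntax error in the source cannot leave the host with broken sudo for
# every user.
setup server_admins sudoers access:
  file.managed:
    - name: /etc/sudoers.d/server_admins
    - source: salt://_files/sudoers/server_admins
    - user: root
    - group: root
    # quoted, as the Salt docs recommend: an unquoted 0-prefixed mode is
    # read as an octal integer by the YAML loader
    - mode: '0440'
    - check_cmd: /usr/sbin/visudo -cf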
6. Use the following state file to mount file systems according to the auto.master configuration on the specified server.
# vi automount.sls
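---
# Replaces /etc/auto.master with the managed copy and reloads autofs.
# RHEL5/6 and RHEL7 differ only in which map-source keyword appears in the
# existing file ("ldap" vs "sss"); my_helpers.occurrences is a custom
# execution module from this repo. The original declared the state ID
# "Remove all brocade data" twice under two separate conditions, which
# fails to render with a conflicting-ID error when both keywords are
# present; one combined condition avoids that.
{% if salt['my_helpers.occurrences']('ldap', '/etc/auto.master') > 0
      or salt['my_helpers.occurrences']('sss', '/etc/auto.master') > 0 %}
# file.managed below would overwrite the contents anyway; the removal is
# kept as the author had it, presumably to force a fresh file.
Remove all brocade data:
  file.absent:
    - name: /etc/auto.master
{% endif %}

copy /etc/auto.master:
  file.managed:
    - name: /etc/auto.master
    - source: salt://_files/asic/_etc_auto.master
    - user: root
    - group: root
    - mode: '0644'

# "watch" matches every file state whose name is /etc/auto.master, so the
# daemon is reloaded after the file is removed and/or rewritten.
reload autofs daemon:
  service.running:
    - name: autofs
    - enable: true
    - reload: true
    - watch:
      - file: /etc/auto.master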
7. To restrict SSH access to members of the sshusers group, use the following state file.
# vi sshd-server.sls
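---
# Hardens sshd_config and restricts interactive SSH login to the sshusers
# group. Depends on the nisclient state for directory-backed accounts.
include:
  - nisclient

# EL5 x86_64 only: run a locally built sshd from /usr/local/sbin.
{% if grains['os_family'] == "RedHat" -%}
{% if grains['osmajorrelease'] == 5 %}
{% if grains['osarch'] == "x86_64" %}
/usr/local/sbin/sshd:
  file.managed:
    - source: salt://_files/el5/_usr_local_sbin_sshd
    - user: root
    - group: root
    # modes are quoted: an unquoted 0-prefixed value is read as octal
    - mode: '0755'

/etc/sysconfig/sshd:
  file.managed:
    - source: salt://_files/el5/_etc_sysconfig_sshd
    - user: root
    - group: root
    - mode: '0644'

# file.file_exists is evaluated when the SLS is rendered, i.e. before the
# file.managed above has run, so on a fresh host this branch only takes
# effect on the second state.apply.
{% if salt['file.file_exists']('/usr/local/sbin/sshd') -%}
/etc/init.d/sshd:
  file.replace:
    - name: /etc/init.d/sshd
    - pattern: 'SSHD=.*'
    - repl: SSHD=/usr/local/sbin/sshd
    - append_if_not_found: true
    - backup: master
  service.running:
    - name: sshd
    - watch:
      - file: /etc/init.d/sshd
{% endif %}
{% endif %}
{% endif %}
{% endif %}

# Drop the GSSAPI directives; file.line with mode delete removes every line
# matching the regex in "match".
Disable GSSAPIAuthentication:
  file.line:
    - name: /etc/ssh/sshd_config
    - match: 'GSSAPIAuthentication yes'
    - mode: delete

Disable GSSAPICleanupCredentials:
  file.line:
    - name: /etc/ssh/sshd_config
    - match: 'GSSAPICleanupCredentials yes'
    - mode: delete

# Uncomment a stock "#UseDNS ..." line (or add one) ...
Enable UseDNS:
  file.replace:
    - name: /etc/ssh/sshd_config
    - pattern: '^#UseDNS .*'
    - repl: UseDNS no
    - append_if_not_found: true
    - backup: master

# ... then force any live UseDNS directive to "no". The pattern is anchored
# so it no longer rewrites commented-out lines into "#UseDNS no". The
# service watch matches every file state named /etc/ssh/sshd_config, so
# sshd restarts once after all of them, including the Match block appended
# at the end of this file.
Set UseDNS to "no":
  file.replace:
    - name: /etc/ssh/sshd_config
    - pattern: '^UseDNS .*'
    - repl: UseDNS no
    - append_if_not_found: true
    - backup: master
  service.running:
    - name: sshd
    - watch:
      - file: /etc/ssh/sshd_config

# NOTE(review): gid 1000 is commonly the first interactive user's primary
# group, and "system: true" normally allocates from the system range below
# 1000 -- confirm neither collides on your hosts before relying on the gid.
# "addusers" only adds root; it does not remove other members (the
# sshusers.sls state with "members" is the authoritative list).
sshusers group access:
  group.present:
    - name: sshusers
    - gid: 1000
    - system: true
    - addusers:
      - root

# ForceCommand target for everyone outside sshusers; every user must be
# able to execute it, so keep it root-owned and not group/world-writable.
Copy nologin script:
  file.managed:
    - name: /opt/script/nologin
    - source: salt://_files/_nologin
    - user: root
    - group: root
    - mode: '0755'
    - makedirs: true

# A Match block extends to the end of sshd_config, so this must stay the
# last thing written to the file. ForceCommand only replaces the session
# command -- the user still authenticates -- so forwarding and tunnelling
# are switched off for the same group as well. "AllowGroups sshusers"
# would reject those users at authentication instead; consider it once the
# sshusers list is known to be complete.
/etc/ssh/sshd_config:
  file.append:
    - name: /etc/ssh/sshd_config
    - text: |
        # Allow access to sshusers group
        Match Group *,!sshusers
            ForceCommand /opt/script/nologin
            AllowTcpForwarding no
            AllowAgentForwarding no
            X11Forwarding no
            PermitTunnel no
    - require:
      - file: Copy nologin script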
8. Use the following script to deny login to everyone outside the Match group mentioned above.
# nologin
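#!/bin/sh
# ForceCommand target for SSH users outside the sshusers group: prints a
# red, bold refusal banner and exits. printf replaces "echo -ne" because
# /bin/sh on Debian-family hosts is dash, whose builtin echo has no -e/-n
# and would print the flags literally; "\033" is the POSIX form of "\e".
printf '\033[31m\033[1m'
# quoted delimiter: the banner is taken verbatim, no expansion
cat << 'EOF'
####################################################
#                                                  #
# You are not authorized to log on to this machine #
#                                                  #
####################################################
EOF
printf '\033[0m'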
9. Use the following content for the sudoers file.
# vi ~/_files/sudoers/server_admins
#
# server_admins sudoers file
#
# DEV members may run any command as any user without a password
# (NOPASSWD: ALL); qa_user1 may run any command as root but is prompted
# for a password. Installed as /etc/sudoers.d/server_admins by sudoers.sls.
User_Alias DEV=dev_user1,dev_user2,dev_user3
DEV ALL=(ALL) NOPASSWD: ALL
qa_user1 ALL = (root) ALL
10. To get the full inventory (grains) of a host:
# salt nc-efabuild-01.extremenetworks.com grains.items
# salt nc-efabuild-01.extremenetworks.com grains.item os_family