diff --git a/inventory/inventory-fde/inventory-fde.cf b/inventory/inventory-fde/inventory-fde.cf
index 063af89..9231f26 100644
--- a/inventory/inventory-fde/inventory-fde.cf
+++ b/inventory/inventory-fde/inventory-fde.cf
@@ -2,6 +2,7 @@ body file control
 { namespace => "inventory_fde"; }
+
 # Duplicated from the CFEngine standard library so this module can be parsed # and tested standalone without loading the full masterfiles. # _tidy: lib/files.cf body delete tidy
@@ -200,8 +201,7 @@ bundle agent main
 "_luks1_dump[${_dm_devices}]" string => execresult(
- "${_cryptsetup} luksDump ${_dm_slave_dev[${_dm_devices}]}",
- "noshell"
+ "${_cryptsetup} luksDump ${_dm_slave_dev[${_dm_devices}]}", "noshell"
 ), if => canonify("_dm_is_luks1_${_dm_devices}");
diff --git a/management/manage-fwupd/main.cf b/management/manage-fwupd/main.cf
index 6c651c3..f62cc43 100644
--- a/management/manage-fwupd/main.cf
+++ b/management/manage-fwupd/main.cf
@@ -144,16 +144,12 @@ bundle agent main
 commands: linux.default:have_fwupdmgr.manage_fwupd:apply_updates:: "$(default:inventory_fwupd_main.fwupdmgr)"
- arglist => {
- "update", "--no-reboot-check", "$(_dev_id[$(_dev_idx)])"
- },
+ arglist => { "update", "--no-reboot-check", "$(_dev_id[$(_dev_idx)])" },
 handle => canonify( "manage_fwupd_apply_device_$(_dev_idx)_$(_dev_name[$(_dev_idx)])" ), if => and("_device_allowed_$(_dev_idx)", not("_update_applied")),
- classes => default:results(
- "bundle", "manage_fwupd_update_$(_dev_idx)"
- ),
+ classes => default:results("bundle", "manage_fwupd_update_$(_dev_idx)"),
 comment => "Apply firmware update to allowed device $(_dev_name[$(_dev_idx)])"; # --- Post-update marker and reboot -------------------------------- files:
diff --git a/management/package-method-winget/package-method-winget.cf b/management/package-method-winget/package-method-winget.cf
index 1da97b8..c393c31 100644
--- a/management/package-method-winget/package-method-winget.cf
+++ b/management/package-method-winget/package-method-winget.cf
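Review bot: The rewritten `arglist` in manage-fwupd/main.cf still runs `fwupdmgr update` without `--assume-yes`, so if fwupdmgr decides to ask for confirmation on a device (it can prompt interactively in some update paths) the agent sits on stdin instead of applying or failing cleanly; no `contain` body with a timeout is visible in this hunk, so please confirm one exists on this promise. Passing the device ID as its own `arglist` element is the right call, since nothing goes through a shell. Suggest `arglist => { "update", "--assume-yes", "--no-reboot-check", "$(_dev_id[$(_dev_idx)])" },`. `bundle agent main` starts before this hunk and continues past it into the `files:` section.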
@@ -17,18 +17,22 @@ body package_method winget
 # Here we use the Get-WinGetPackage Cmdlet because it is easier to produce easily parsed information that way package_list_command => "$(sys.winsysdir)\\WindowsPowerShell\\v1.0\\powershell.exe -Command \"Get-WinGetPackage | Select Id,InstalledVersion | ConvertTo-Csv "; package_delete_command => "$(sys.winsysdir)\\WindowsPowerShell\\v1.0\\powershell.exe -Command \"Uninstall-WinGetPackage ";
+
 # Here we use winget instead of PowerShell Cmdlets because we can provide the --accept-source-agreements and --accept-package-agreements this way which gets around dialog prompts package_method_winget:accept_source_agreements.package_method_winget:accept_package_agreements:: package_add_command => "$(sys.winsysdir)\\WindowsPowerShell\\v1.0\\powershell.exe -Command \"winget install --accept-source-agreements --accept-package-agreements ";
+
 !package_method_winget:accept_source_agreements|!package_method_winget:accept_package_agreements:: # the package name is appended to the end of this command, so we try here to make a command which conveys information only package_add_command => "$(sys.winsysdir)\\WindowsPowerShell\\v1.0\\powershell.exe -Command \"Write-Host You must set some vars for package-method-winget to work;exit 1; rem Trying to add package:"; }
+
 # switch to module specific namespace to avoid name collisions body file control { namespace => "package_method_winget"; }
+
 # package_method_winget bundle's purpose is to look at inputs/data for acceptance of source and package agreements # these MUST be agreed to in order for this package method to work properly. bundle agent package_method_winget
diff --git a/management/powershell-execution-policy/powershell-execution-policy.cf b/management/powershell-execution-policy/powershell-execution-policy.cf
index 5544ec9..912d7c3 100644
--- a/management/powershell-execution-policy/powershell-execution-policy.cf
+++ b/management/powershell-execution-policy/powershell-execution-policy.cf
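Review bot: The `package_add_command` on the accept-agreements branch runs `winget install` with only the promised package name appended, and winget's default query matching is (per its documentation) a case-insensitive substring match over Id, Name and Moniker across every configured source, so a promised package can resolve to something other than the package that `package_list_command` (which keys on the winget `Id`) reports — an ambiguity/typosquat hole made worse by pre-accepting package agreements. Since the list side already works on Ids, pin the install side the same way: `package_add_command => "$(sys.winsysdir)\\WindowsPowerShell\\v1.0\\powershell.exe -Command \"winget install --accept-source-agreements --accept-package-agreements --exact --id ";` so the appended name becomes the `--id` argument. Note too that the appended name lands inside a `powershell.exe -Command "..."` string, so a promised name containing PowerShell metacharacters is interpreted by PowerShell; keep promised names restricted to plain winget Ids in the calling policy. The `body package_method winget` definition starts before this hunk.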
@@ -21,6 +21,7 @@ bundle agent powershell_execution_policy_inventory
 windows:: "${execution_policy_list_cache_command}" contain => powershell; }
+
 # see link below for valid values for scope and policy # https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4 # This bundle runs a powershell command: Set-ExecutionPolicy -ExecutionPolicy -Scope
diff --git a/management/windows-capability/windows-capability.cf b/management/windows-capability/windows-capability.cf
index c1d8ad2..d1a1bc7 100644
--- a/management/windows-capability/windows-capability.cf
+++ b/management/windows-capability/windows-capability.cf
@@ -27,6 +27,7 @@ body file control
 { namespace => "windows_capability"; }
+
 # https://learn.microsoft.com/en-us/powershell/module/dism/get-windowscapability?view=windowsserver2022-ps # https://learn.microsoft.com/en-us/powershell/module/dism/remove-windowscapability?view=windowsserver2022-ps # https://learn.microsoft.com/en-us/powershell/module/dism/add-windowscapability?view=windowsserver2022-ps
diff --git a/promise-types/git/test.cf b/promise-types/git/test.cf
index ef3fc38..513165f 100644
--- a/promise-types/git/test.cf
+++ b/promise-types/git/test.cf
@@ -2,6 +2,7 @@ body common control
 { version => "1.0"; }
+
 ####################################################### bundle agent init {
@@ -34,6 +35,7 @@ body delete init_delete
 dirlinks => "delete"; rmdirs => "true"; }
+
 ####################################################### promise agent git {
@@ -58,6 +60,7 @@ bundle agent test
 expression => canonify("starter_pack_repo_updated"), scope => "namespace"; }
+
 ####################################################### bundle agent check {
diff --git a/promise-types/groups/groups.cf b/promise-types/groups/groups.cf
index 5ab2f38..e0ad442 100644
--- a/promise-types/groups/groups.cf
+++ b/promise-types/groups/groups.cf
@@ -9,7 +9,6 @@ promise agent groups
 path => "$(sys.workdir)/modules/promises/groups.py"; interpreter => "/usr/bin/python3"; }
-
 @if minimum_version(3.20) body members foo # @breif Define members for group foo using attributes `include` and
@@ -19,7 +18,6 @@ body members foo
 exclude => { "malcom" }; } @else
-
 bundle common foo # @breif Define members using JSON string. {
@@ -36,7 +34,6 @@ body members bar
 only => { "alice" }; } @else
-
 bundle common bar # @brief Define members using data container. {
@@ -44,7 +41,6 @@ bundle common bar
 "members" data => '{ "only": ["alice"] }'; } @endif
-
 bundle agent example_groups # @breif Example groups promise statements. {
@@ -56,7 +52,6 @@ bundle agent example_groups
 @else members => "$(foo.members)"; @endif
-
 "bar" # policy defaults to present @if minimum_version(3.20)
diff --git a/promise-types/json/test.cf b/promise-types/json/test.cf
index c5c9c34..c7b0090 100644
--- a/promise-types/json/test.cf
+++ b/promise-types/json/test.cf
@@ -4,6 +4,7 @@ body common control
 version => "1.0"; bundlesequence => { "init", "test", "check", "cleanup" }; }
+
 ####################################################### bundle agent init {
@@ -29,6 +30,7 @@ bundle agent init
 "$(this.promise_dirname)/tests/to_append_1.json" create => "true"; }
+
 ####################################################### promise agent json {
@@ -73,14 +75,13 @@ bundle agent test
 "$(this.promise_dirname)/tests/to_append_2.json:f" primitive => "true"; "$(this.promise_dirname)/tests/to_append_2.json:g" primitive => "null"; }
+
 ####################################################### bundle agent check { vars: "to_overwrite_content"
- data => readjson(
- "$(this.promise_dirname)/tests/to_overwrite.json", 100k
- );
+ data => readjson("$(this.promise_dirname)/tests/to_overwrite.json", 100k);
 "to_modify_content" data => readjson("$(this.promise_dirname)/tests/to_modify.json", 100k);
@@ -148,6 +149,7 @@ bundle agent check
 !ok:: "$(this.promise_filename) FAIL"; }
+
 # ####################################################### bundle agent cleanup {
diff --git a/promise-types/symlinks/test.cf b/promise-types/symlinks/test.cf
index 828ab69..90b2356 100644
--- a/promise-types/symlinks/test.cf
+++ b/promise-types/symlinks/test.cf
@@ -4,6 +4,7 @@ body common control
 version => "1.0"; bundlesequence => { "init", "test", "check", "cleanup" }; }
+
 ####################################################### bundle agent init {
@@ -14,6 +15,7 @@ bundle agent init
 "/tmp/replaced-link" link_from => ln_s("/tmp/other-dir"); "/tmp/already-existing-link" link_from => ln_s("/tmp/other-dir"); }
+
 ####################################################### promise agent symlinks {
@@ -50,6 +52,7 @@ bundle agent test
 directory => "/tmp/other-dir", classes => outcome("didnothing"); }
+
 ####################################################### bundle agent check {
@@ -81,6 +84,7 @@ bundle agent check
 !ok:: "$(this.promise_filename) FAIL"; }
+
 # ####################################################### bundle agent cleanup {
diff --git a/promise-types/systemd/test.cf b/promise-types/systemd/test.cf
index 5a05975..426d9d7 100644
--- a/promise-types/systemd/test.cf
+++ b/promise-types/systemd/test.cf
@@ -2,10 +2,12 @@ body common control
 { version => "1.0"; }
+
 ####################################################### bundle agent init { }
+
 ####################################################### promise agent systemd {
@@ -35,6 +37,7 @@ bundle agent test
 expression => canonify("sample_restarted"), scope => "namespace"; }
+
 ####################################################### bundle agent check {
@@ -55,6 +58,7 @@ bundle agent check
 !ok:: "$(this.promise_filename) FAIL"; }
+
 ####################################################### bundle agent cleanup {
diff --git a/security/dirtyfrag/dirtyfrag.cf b/security/dirtyfrag/dirtyfrag.cf
index 2fc6b10..80a4f29 100644
--- a/security/dirtyfrag/dirtyfrag.cf
+++ b/security/dirtyfrag/dirtyfrag.cf
@@ -222,8 +222,7 @@ bundle agent main
 "inventory_dirtyfrag_rxrpc" string => "$(_rxrpc_status)", meta => {
- "inventory",
- "attribute_name=Dirty Frag CVE-2026-43500 (RxRPC) status",
+ "inventory", "attribute_name=Dirty Frag CVE-2026-43500 (RxRPC) status",
 }, comment => "CVE-2026-43500 RxRPC mitigation status";
@@ -314,9 +313,7 @@ bundle agent main
 # admin override. Userns mitigation is handled in the # vulnerability condition (see dirtyfrag_esp_needs_mitigation). "_esp_mitigated"
- or => {
- "_esp_conf_exists", "_esp_kernel_patched", "_esp_admin_patched",
- };
+ or => { "_esp_conf_exists", "_esp_kernel_patched", "_esp_admin_patched" };
 # RxRPC is mitigated by the modprobe blacklist, patched kernel, # or admin override.
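Review bot: The rewritten `_esp_mitigated` class is satisfied by `_esp_conf_exists` alone, and if that class only tests that the modprobe blacklist file is present on disk (its definition is outside this hunk) the host is reported as mitigated while a module that was loaded before the file was written stays active until it is unloaded or the box reboots — so the inventory value overstates posture during exactly the window that matters. Either AND the conf-exists leg with a not-currently-loaded check (e.g. derived from `/proc/modules`), or make the meaning explicit on the class, e.g. `# _esp_conf_exists only proves the blacklist is configured; a module already loaded remains active until unload or reboot.` The same caveat applies to the RxRPC blacklist leg described in the trailing comment. `bundle agent main` starts before this hunk.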