Home
Tstconfig is a system administration tool that tests (a large number of) configuration files automatically. It is distributed under an MIT open source license and hosted on GitHub.
The usage scenario is the following. Suppose you need to install a new LAMP system. You have to install certain packages and modules, set up a firewall, harden security, configure Apache, configure MySQL, configure Php, etc. If you've done it before, you know that you have to tweak maybe 100 properties in some 20 configuration files.
That's a lot of work to do. When touching so many files, steps are easily forgotten and errors are easily introduced. This is where Tstconfig comes in handy. It tests the configuration files for you, so you can be sure of the system's integrity. Tstconfig looks at the configurations, checks that certain properties have the value that you want them to have, and reports any discrepancies.
Tstconfig is launched from a Linux shell and takes a definition file as its argument:
```
$ tstconfig examples/sshd.tstconfig
```
In this case the definition file is `examples/sshd.tstconfig`, which is included in the distribution. Let's have a closer look at it.
```
######################################################
# sshd.tstconfig: test sshd configuration
######################################################
# The location of the configuration file
file /etc/ssh/sshd_config
# The syntax for parsing
parse_mode tokenized
hash_comment_allowed true
# Check that root cannot login via ssh
property PermitRootLogin
assert_eq no
# Check that only certain users can login via ssh
property AllowUsers
assert_eq your_user_name
```
The first time you run the tests, Tstconfig will probably produce the following report:
```
$ tstconfig examples/sshd.tstconfig
Tstconfig 0.2
Reading definition file: examples/sshd.tstconfig
ASSERTION FAILED
File: /etc/ssh/sshd_config
Property: PermitRootLogin
Value: yes
Assertion: assert_eq no
ASSERTION FAILED
File: /etc/ssh/sshd_config
Property: AllowUsers
Value: <undefined>
Assertion: assert_eq your_user_name
SUMMARY REPORT: FAIL
Assertions tested: 2
Assertions passed: 0
Assertions failed: 2
Errors: 0
```
From the report, you find out that all the tests failed. This may mean one of two things:
- Sshd is indeed not configured correctly. In this case you need to fix `/etc/ssh/sshd_config`.
- The definition file `examples/sshd.tstconfig` is incorrect and needs to be customised.
Apply the changes that you think are more appropriate for your situation, then re-run Tstconfig. This time it should output a success report:
```
$ tstconfig examples/sshd.tstconfig
Tstconfig 0.2
Reading definition file: examples/sshd.tstconfig
SUMMARY REPORT: PASS
Assertions tested: 2
Assertions passed: 2
Assertions failed: 0
Errors: 0
```
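The check walked through above, reduced to the directives used in the page's `sshd.tstconfig`, as an added Python example (not Tstconfig's own code). The names `parse_tokenized` and `run_checks`, the constructed sample file content, and the case-insensitive, first-occurrence-wins keyword lookup (which is how sshd reads its configuration) are assumptions of this example, not documented Tstconfig behaviour.

```python
# Added illustration, not Tstconfig's code. Directive meanings are inferred
# from the sshd.tstconfig example on this page; only that subset is handled.
DEFINITION = """\
file /etc/ssh/sshd_config
parse_mode tokenized
hash_comment_allowed true
property PermitRootLogin
assert_eq no
property AllowUsers
assert_eq your_user_name
"""
# Constructed sample standing in for /etc/ssh/sshd_config (not from a real host).
SAMPLE_CONFIG = """\
PermitRootLogin yes
#AllowUsers your_user_name
permitrootlogin no
"""

def parse_tokenized(text, hash_comments):
    # First token is the key, the rest is the value. Assumption: keys match
    # case-insensitively and the first occurrence wins, as sshd itself does.
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not (hash_comments and line.startswith("#")):
            key, *rest = line.split()
            props.setdefault(key.lower(), " ".join(rest))
    return props

def run_checks(definition, read_file):
    """Return (property, actual, expected, passed) per assertion; actual None = unset."""
    state, results = {}, []
    for line in map(str.strip, definition.splitlines()):
        if not line or line.startswith("#"):
            continue
        directive, arg = (line.split(None, 1) + [""])[:2]
        if directive in ("file", "parse_mode", "hash_comment_allowed", "property"):
            state[directive] = arg
        elif directive == "assert_eq" and state.get("parse_mode") == "tokenized":
            props = parse_tokenized(read_file(state["file"]),
                                    state.get("hash_comment_allowed") == "true")
            actual = props.get(state["property"].lower())
            results.append((state["property"], actual, arg, actual == arg))
        else:
            raise ValueError(f"unsupported line: {line}")
    return results

for prop, actual, expected, ok in run_checks(DEFINITION, lambda path: SAMPLE_CONFIG):
    shown = "<undefined>" if actual is None else actual
    print("PASS" if ok else "ASSERTION FAILED", prop, shown, "expected", expected)
```

The sample reproduces both failures from the report above: the commented-out `AllowUsers` line counts as undefined, and the later `permitrootlogin no` does not rescue the earlier `yes`.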
Out of the box, Tstconfig supports the syntaxes of many common configurations:
- /etc/passwd
- /etc/shadow
- /etc/group
- /etc/hosts
- Apache
- Apt
- Fail2ban
- Ssh/sshd
It also supports the following generic formats:
- .ini (useful for MySQL and Php configurations)
- Java-style .properties
- Generic key-values
- Tokenized lines
- Fixed format tables
In addition, Tstconfig can parse the output of a few popular commands:
- `ufw status verbose` (firewall status)
- `netstat -plnt` (report of listening sockets)
- `apache2ctl -M` (list of enabled Apache modules)
- `swapon -s` (list of swap files and partitions)
If you are a system administrator working alone, Tstconfig can help you enforce good configuration standards across the many systems you manage.
If you are a team of system administrators, Tstconfig can help you enforce common standards across the team.
If you use other configuration management tools (such as Puppet, Chef or Ansible), Tstconfig is a nice "belt and braces" check that costs nothing and gives good confidence of a system's integrity.