# $Id: cf.windows,v 1.3 2005/10/24 19:23:17 jmates Exp $
#
# Example cfengine configuration for use on Windows. Imported by
# cfagent.conf via:
#
# import:
#   any::
#     ...
#     cf.windows
#
# For more information, see: http://sial.org/howto/cfengine/windows/
#
# What this file does, section by section:
#   classes/control  - detect the Cygwin layout and define Unix-style and
#                      DOS-style paths to the same directories
#   copy             - pull helper scripts, PPDs, Perl modules and a security
#                      template from ${policyhost}
#   processes        - kill or restart cfexecd/cfenvd around daemon upgrades
#   shellcommands    - install third-party software from
#                      ${software_repository}, apply the security template,
#                      refresh group policy, register cfexecd as a service
#
# ${masterfiles}, ${workdir}, ${policyhost} and ${zerogroup} are not defined
# here; presumably the importing cfagent.conf sets them - confirm before
# reusing this file on its own.

classes:

  any::

    # True once the /C -> /cygdrive/c link (see links: below) exists.
    croot = ( FileExists(/C) )

    # A *.cfnew file next to a daemon marks a pending replacement binary;
    # the processes: section keys off these two classes.
    cfenvd_cfnew = ( FileExists(/usr/sbin/cfenvd.cfnew) )
    cfexecd_cfnew = ( FileExists(/usr/sbin/cfexecd.cfnew) )

    # Set when the Win32-Daemon PPM descriptor is already present; its
    # absence triggers the ppm install at the end of shellcommands:.
    have_win32_daemon = ( FileExists(/cygdrive/c/Perl/site/lib/ppm-conf/Win32-Daemon.ppd) )

control:

  any::

    # Unix-style (Cygwin) paths, all rooted at ${C}, which is assigned
    # under croot:: / !croot:: at the end of this section.
    windir = ( ${C}/WINDOWS )
    secdir = ( ${windir}/security )
    stemplatedir = ( ${secdir}/templates )
    sys32dir = ( ${windir}/system32 )
    lgpdir = ( ${sys32dir}/GroupPolicy )
    ppddir = ( ${sys32dir}/spool/drivers/ppd )
    sbin = ( /usr/sbin )
    allusersdir = ( ${C}/DOCUME~1/ALLUSE~1 )

    masterwindir = ( ${masterfiles}/os/windows )
    masterstemplatedir = ( ${masterwindir}/templates/security )

    localdir = ( ${workdir}/local )
    regdir = ( ${localdir}/registry )
    servicedir = ( ${localdir}/services )

    # Wrapper scripts delivered by the sbin copy below. cmdwrap is defined
    # but not referenced anywhere else in this file.
    cmdwrap = ( ${sbin}/cmdwrap.pl )
    forkcmd = ( ${sbin}/fork_cmd.pl )
    forkdoscmd = ( ${sbin}/fork_dos_cmd.pl )

    # DOS-style (backslash) spellings of the same locations, for commands
    # launched through ${forkdoscmd}. dos_drive carries no colon; callers
    # write "${dos_drive}:" themselves.
    dos_drive = ( c )
    dos_cygdir = ( \\cygwin )
    dos_sbin = ( ${dos_cygdir}\\usr\\sbin )
    dos_workdir = ( ${dos_cygdir}\\var\\cfengine )
    dos_localdir = ( ${dos_workdir}\\local )
    dos_servicedir = ( ${dos_localdir}\\services )
    dos_regdir = ( ${dos_localdir}\\registry )

    install_software = ( ${dos_sbin}\\install_software.pl )

    # URI under which software is hosted for installation (see below).
    # NOTE(review): every use below prefixes this with plain http://, so
    # installers and the PPM package travel unencrypted and unauthenticated.
    # The only integrity control visible in this file is the digest passed
    # to install_software.pl.
    software_repository = ( www.example.org/windows-sw )

  croot::

    C = ( /C )

  !croot::

    C = ( /cygdrive/c )

copy:

  any::

    # KLUGE fix broken awk in cygwin with gawk
    # (local copy: no server= attribute)
    /usr/bin/gawk.exe dest=/usr/bin/awk.exe
      owner=root
      group=${zerogroup}
      mode=755
      backup=false
      type=checksum

    # required scripts and utilities from server
    # These scripts are what shellcommands: later executes, so whoever can
    # write to ${masterwindir}/sbin on ${policyhost} controls code run on
    # every client. mode=750 keeps them unreadable to other local accounts.
    ${masterwindir}/sbin/ dest=/usr/sbin
      owner=root
      group=${zerogroup}
      mode=750
      backup=false
      recurse=1
      type=checksum
      server=${policyhost}

    # PPD used by lpadmin.pl for printer support (and by CUPS on the
    # Unix and Mac side of things)
    ${masterfiles}/etc/ppd/ dest=${ppddir}
      recurse=1
      backup=false
      type=checksum
      forcedirs=false
      owner=root
      group=${zerogroup}
      mode=444
      server=${policyhost}

    # extra Perl modules (has html and site/lib subdirs)
    ${masterwindir}/Perl/ dest=${C}/Perl
      owner=root
      group=${zerogroup}
      mode=755
      backup=false
      recurse=inf
      type=checksum
      server=${policyhost}

    # to run cfexecd as Windows service
    # Local copy out of /usr/sbin. No owner=/mode= is given here; the
    # parent ${servicedir} is created mode=750 in directories: below.
    /usr/sbin/schedule_cfexecd.pl dest=${servicedir}/schedule_cfexecd.pl
      type=checksum
      backup=false
      define=schedule_cfexecd_copied

    # default security policy
    # A changed copy defines set_desktop_base, which runs secedit below.
    # NOTE(review): no owner=/mode= is set on this template, unlike the
    # other server copies - confirm the resulting permissions stop
    # unprivileged users from editing it before it is applied.
    ${masterstemplatedir}/desktop-base.inf dest=${stemplatedir}/desktop-base.inf
      backup=false
      type=checksum
      server=${policyhost}
      define=set_desktop_base

directories:

  any::

    ${ppddir} owner=root group=${zerogroup} mode=755
    ${lgpdir}/User owner=root group=${zerogroup} mode=755
    ${lgpdir}/Machine owner=root group=${zerogroup} mode=755
    ${allusersdir}/Desktop.old owner=root group=${zerogroup} mode=755

    # Agent-private working directories: group access only, nothing for
    # other accounts.
    ${regdir} owner=root group=${zerogroup} mode=750
    ${servicedir} owner=root group=${zerogroup} mode=750

files:

  any::

    # Force ownership and mode across the whole local group policy tree;
    # any correction defines refresh_lgp, which runs gpupdate below.
    ${lgpdir} recurse=inf action=fixall mode=0755 owner=root group=${zerogroup} define=refresh_lgp

links:

  any::

    # Short alias for the C: drive. croot is evaluated from FileExists(/C),
    # so ${C} resolves to /cygdrive/c until this link is in place.
    /C -> /cygdrive/c

tidy:

  any::

    # age=0 matches every *.lnk regardless of age: all shortcuts on the
    # All Users desktop (one directory level down) are removed on each run.
    ${allusersdir}/Desktop pattern=*.lnk recurse=1 age=0

processes:

  # Option string handed to ps when cfagent builds its process table.
  # (Under Cygwin, -W also lists native Windows processes.)
  SetOptionString "-W"

  # New cf daemons cannot be copied in if the daemon is running. Kill it
  # off if there is a new daemon to be copied in. Restart the daemon if
  # it is not running and there is no new file to be copied
  cfexecd_cfnew::

    "cfexecd" signal=kill

  !cfexecd_cfnew::

    "cfexecd" restart "${forkcmd} ${sbin}/cfexecd"

  cfenvd_cfnew::

    "cfenvd" signal=kill

  !cfenvd_cfnew::

    "cfenvd" restart "${forkcmd} ${sbin}/cfenvd"

shellcommands:

  any::

    # ifelapsed is in minutes: 1439 is one minute short of 24 hours (at
    # most one attempt per day), 9999 is roughly a week.

    # Unblock cfexecd from sending email
    # NOTE(review): vscan_whitelist.pl is not shown here. Presumably this
    # adds a port 25 exception for the cfexecd process to the virus
    # scanner's port blocking - confirm how the exception is matched and
    # keep it as narrow as the scanner allows.
    "${forkdoscmd} \"${dos_drive}:${dos_sbin}\\vscan_whitelist.pl\" -a -p 25 -e cfexecd" ifelapsed=9999

    # Software installs. install_software.pl is not shown; from the calls
    # below its arguments appear to be: display name, download URL,
    # version (-1 where none is tracked), a 32-hex-digit digest, an
    # executable name, then installer switches - TODO confirm against the
    # script.
    #
    # NOTE(review): a 32-hex-digit digest is the length of MD5. Pinning the
    # digest in policy is the right idea because the download is plain
    # http://, but MD5 is not collision resistant; verify that the script
    # checks the digest before executing anything, and prefer a stronger
    # digest (e.g. SHA-256) and HTTPS if the script can be changed.
    #
    # NOTE(review): the versions and digests are frozen at the date of
    # this example; a real deployment has to update both together when
    # vendors ship security fixes.

    # Flash, force it to install as the combined install is not working
    "${forkdoscmd} \"${dos_drive}:${install_software}\" Flash \"http://${software_repository}/flashplayer7installer.exe\" -1 9e2bb1b15d8bbdaae3569fc8ef3ff94c explorer /s" ifelapsed=1439

    # Shockwave and Flash
    # http://www.macromedia.com/go/fl_sw_exe_installer
    "${forkdoscmd} \"${dos_drive}:${install_software}\" \"Macromedia Shockwave Player\" \"http://${software_repository}/mm_fl_sw_installer.exe\" -1 45345a0977d652673f6ea8cc08d56568 explorer /s" ifelapsed=1439

    # http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/install-msi.html
    # Java Runtime Environment
    "${forkdoscmd} \"${dos_drive}:${install_software}\" \"J2SE Runtime Environment 5.0 Update 2\" \"http://${software_repository}/J2SE Runtime Environment 5.0 Update 2.msi\" 1.5.0.20 79a635a56d93873d2de653ba32f0909c java.exe /passive" ifelapsed=1439

    # Firefox
    "${forkdoscmd} \"${dos_drive}:${install_software}\" Firefox \"http://${software_repository}/Firefox Setup 1.0.6.exe\" 1.0.6 0c33371972a5852d7e7e66fe50f59518 firefox.exe -ms" ifelapsed=1439

    # Thunderbird
    "${forkdoscmd} \"${dos_drive}:${install_software}\" Thunderbird \"http://${software_repository}/Thunderbird Setup 1.0.6.exe\" 1.0.6 9f2b76d068c6ae0dd874860f88955117 thunderbird.exe -ms" ifelapsed=1439

    # Acrobat Reader
    "${forkdoscmd} \"${dos_drive}:${install_software}\" \"Adobe Reader\" \"http://${software_repository}/AdbeRdr70_enu_full.exe\" 7.0.0 dd62ddef4f53a8a9e426c187c9267e6d AcroRd32.exe /v\"/passive REBOOT=REALLYSUPPRESS\"" ifelapsed=1439

    # Reader Updates in .zip file, installed via install.bat script
    # NOTE(review): here the final argument names a batch file from inside
    # the downloaded archive, so the digest over the .zip is the only thing
    # standing between the repository and script execution on the client.
    "${forkdoscmd} \"${dos_drive}:${install_software}\" \"Adobe Acrobat 7\" \"http://${software_repository}/AdbeRdr-Up.zip\" 7.0.3 d304964b84b2cb34ae7174facc509e40 AcroRd32.exe install.bat" ifelapsed=1439

    # Update Virus Scan once in awhile
    # NOTE(review): this path uses single backslashes where every other DOS
    # path in this file doubles them - confirm it survives quoting, since a
    # silently failing update leaves stale virus definitions.
    "${forkdoscmd} \"${dos_drive}:\Program Files\Network Associates\VirusScan\mcupdate.exe\" /update /quiet" ifelapsed=1439

  set_desktop_base::

    # Apply the security template after a fresh copy (class defined in
    # copy: above). The paths are hard-coded to C:\WINDOWS rather than
    # derived from ${dos_drive}, so they must agree with ${stemplatedir}.
    "${forkdoscmd} secedit /configure /db \"C:\\WINDOWS\\security\\currentsec.db\" /cfg \"C:\\WINDOWS\\security\\templates\\desktop-base.inf\" /overwrite /quiet"

  refresh_lgp::

    # Re-apply group policy after files: corrected the GroupPolicy tree.
    "${forkdoscmd} gpupdate /force"

  schedule_cfexecd_copied::

    # Register cfexecd as a Windows service whenever the installer script
    # was (re)copied into ${servicedir}.
    "${forkdoscmd} \"${dos_drive}:${dos_servicedir}\\schedule_cfexecd.pl\" install"

  !have_win32_daemon::

    # obtain from: http://www.roth.net/perl/packages/win32-daemon.ppd
    # NOTE(review): unlike the installs above, no digest is passed here;
    # the package descriptor is fetched over plain http:// and installed
    # with -force -follow. Consider shipping the package through the
    # ${policyhost} copy instead, or verifying it before install.
    "${forkdoscmd} \"${dos_drive}:\\Perl\\bin\\ppm.bat\" install http://${software_repository}/perl/packages/win32-daemon.ppd -force -follow"