🔧 vast_id Configuration
Key: vast_id
Description
This section defines the VAST ID, a unique numeric identifier used by internal systems for asset tracking, automation, or integration with enterprise management platforms. It helps associate the server with inventory records, monitoring tools, or deployment workflows.
✅ Used during provisioning to register the system in centralized databases or orchestration systems.
JSON Format
✅ Can also be provided as a string:
Field Reference
✅ Must be non-empty and numeric — leading zeros may be stripped depending on system.
Validations Enforced
What's Not Allowed
- Omitting `vast_id` entirely
- Setting `vast_id` to `null`, `""`, or `0`
- Using non-numeric values: `"abc"`, `"12a"`, `"!"`, etc.
- Using special characters: `@`, `#`, `$`, `%`, etc.
- Whitespace-only strings like `" "`
- Boolean values (`true`, `false`)
- Arrays or objects
- Leading zeros unless explicitly allowed by downstream system
Interpreted as
The system will be associated with VAST ID:
✅ This value may be used by:
- Asset management systems
- Monitoring dashboards
- Automation pipelines
- ServiceNow integrations
- Audit and compliance reporting
🔄 Example usage in scripts:
🔧 How to Apply
Set the value in your configuration payload:
Or as a string:
No file or service restart required — this is a metadata field consumed during provisioning.
⚠️ Important Notes
- The `vast_id` must match the record in Verizon’s VAST (Verizon Asset Systems Tracker) database
- Always verify the ID is active and assigned to the correct device
- Do not reuse `vast_id` after decommissioning unless explicitly re-assigned
- If using as a string, ensure downstream tools handle type conversion correctly
- Avoid hardcoding in scripts — use configuration injection instead
🔧 user_management Configuration
Key: user_management
Description
This section defines a list of users and groups to be created or verified during system provisioning. It specifies usernames, home directories, directory permissions, and group names with GIDs. This ensures consistent identity management across systems for access control, automation, and application support.
✅ Used to standardize user/group setup in compliance with security policies and role-based access requirements.
JSON Format
Field Reference
✅ Supports both numeric strings and integers for GID.
Validations Enforced
What's Not Allowed
- Using `user_management` as a list, string, or `null`
- Empty `users` or `groups` lists
- Missing `username`, `home_dir`, or `permission` for any user
- Including both `permission` and `permissions` in the same user block
- Invalid permission values: `"77"`, `"800"`, `"abc"`, `""`
- Duplicate usernames or groupnames
- Blank or invalid `groupname`
- Non-numeric `gid` values (e.g., `"abc"`)
- Whitespace-only strings anywhere
- Special characters in usernames unless explicitly allowed
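A validator that applies the rules in the list above, added here as an illustration (it is not the project's own validator). The username pattern and the 3-or-4-octal-digit permission format are assumptions; the sample payload is constructed.

```python
import re
from typing import Any, List

# Assumed conventions (the page names the fields but not these exact rules):
# POSIX-style lowercase usernames, and home-directory modes of 3 or 4 octal
# digits such as "700", "755" or "0750".
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
PERMISSION_RE = re.compile(r"^[0-7]{3,4}$")


def _nonblank_str(value: Any) -> bool:
    """True for a str that is not empty or whitespace-only."""
    return isinstance(value, str) and value.strip() != ""


def _is_numeric(value: Any) -> bool:
    """Accept an int or a digit-only string; reject bool (a subclass of int)."""
    if isinstance(value, bool):
        return False
    return isinstance(value, int) or (isinstance(value, str) and value.isdigit())


def validate_user_management(data: Any) -> List[str]:
    """Return all violations of the rules listed above; an empty list means valid."""
    if not isinstance(data, dict):
        return ["user_management must be an object"]
    errors: List[str] = []

    users = data.get("users")
    if not isinstance(users, list) or not users:
        errors.append("users must be a non-empty list")
        users = []
    groups = data.get("groups")
    if not isinstance(groups, list) or not groups:
        errors.append("groups must be a non-empty list")
        groups = []

    seen_users = set()
    for i, user in enumerate(users):
        where = f"users[{i}]"
        if not isinstance(user, dict):
            errors.append(f"{where}: must be an object")
            continue
        if "permission" in user and "permissions" in user:
            errors.append(f"{where}: use either permission or permissions, not both")
        for key in ("username", "home_dir"):
            if not _nonblank_str(user.get(key)):
                errors.append(f"{where}: {key} is missing or blank")
        # "permissions" is treated as an alias for "permission" (assumption).
        permission = user.get("permission", user.get("permissions"))
        if not _nonblank_str(permission):
            errors.append(f"{where}: permission is missing, blank or not a string")
        elif not PERMISSION_RE.match(permission):
            errors.append(f"{where}: invalid permission {permission!r}")
        username = user.get("username")
        if _nonblank_str(username):
            if not USERNAME_RE.match(username):
                errors.append(f"{where}: username {username!r} has disallowed characters")
            if username in seen_users:
                errors.append(f"{where}: duplicate username {username!r}")
            seen_users.add(username)

    seen_groups = set()
    for i, group in enumerate(groups):
        where = f"groups[{i}]"
        if not isinstance(group, dict):
            errors.append(f"{where}: must be an object")
            continue
        groupname = group.get("groupname")
        if not _nonblank_str(groupname):
            errors.append(f"{where}: groupname is missing or blank")
        else:
            if groupname in seen_groups:
                errors.append(f"{where}: duplicate groupname {groupname!r}")
            seen_groups.add(groupname)
        if not _is_numeric(group.get("gid")):
            errors.append(f"{where}: gid must be numeric, got {group.get('gid')!r}")
    return errors


# Constructed sample payload (not the page's JSON): one shared application
# user with a 755 home and one service account locked down to 700.
SAMPLE_USER_MANAGEMENT = {
    "users": [
        {"username": "apps", "home_dir": "/home/apps", "permission": "755"},
        {"username": "svc_backup", "home_dir": "/home/svc_backup", "permission": "700"},
    ],
    "groups": [
        {"groupname": "apps", "gid": "2001"},
        {"groupname": "ops", "gid": 2002},
    ],
}
```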
Interpreted as
Users Created:
✅ All users will have their home directories created with strict permissions.
Groups Created:
✅ These groups can be used for file ownership, sudo rules, or application access control.
🔧 How to Apply
Use automation or script to create users and groups:
⚠️ Important Notes
- Always backup `/etc/passwd`, `/etc/shadow`, `/etc/group` before bulk changes
- Avoid creating users with interactive shells unless needed
- The `permission` field applies to the home directory, not the user account itself
- Use `chmod 700` for service accounts to restrict access
- Use `chmod 755` for shared application users like `apps`
- Ensure GIDs do not conflict with existing groups
- Do not set passwords here — use separate password policy or vault integration
🔧 sysctl_conf Configuration
Key: sysctl_conf
Description
This section defines kernel-level system settings that are written to sysctl configuration files such as /etc/sysctl.d/99-sysctl.conf and /etc/sysctl.conf. These settings control TCP keepalive behavior and core dump naming, improving network stability and debugging support.
✅ Used during system hardening and performance tuning to enforce consistent kernel behavior across environments.
JSON Format
Field Reference
✅ Supports multiple files to ensure compatibility across systems using `/etc/sysctl.conf` or `/etc/sysctl.d/`.
Validations Enforced
What's Not Allowed
- Using `sysctl_conf` as an object, string, or `null`
- Empty `sysctl_conf` array
- Missing `file_name` or `settings` in any block
- Blank or invalid `file_name` (e.g., `""`, `" "`, `/invalid/path`)
- Empty or missing `settings` array
- Non-object entries in `settings`
- Missing `name` or `value` in any setting
- Blank or non-string values for `name` or `value`
- Duplicate settings without justification
- Syntax errors in parameter names (e.g., `net.ipv4.tcp_keepalive_tim`)
Interpreted as
1. /etc/sysctl.d/99-sysctl.conf
2. /etc/sysctl.conf
✅ This configures:
- TCP Keepalive: Start probing after 150 seconds of idle
- Probes: Send 4 unacknowledged probes before dropping connection
- Interval: Wait 30 seconds between each probe
- Core Dumps: Save cores as `core.<PID>` in current directory
⚠️ Note: Writing to both files ensures coverage in systems that read only `sysctl.conf` or use `sysctl.d/`.
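An added example (not the project's own code) that validates a `sysctl_conf` array against the rules above and renders each block into sysctl `key = value` syntax. The sample settings are constructed from the behaviour described here; the accepted file paths and the parameter-name pattern are assumptions, and the optional `known_names` set is how a typo such as `tcp_keepalive_tim` can be caught.

```python
import re
from typing import Any, Dict, List, Optional, Set

# Assumed: a sysctl key is a dotted path of lowercase identifiers, and only
# /etc/sysctl.conf or *.conf files under /etc/sysctl.d/ are accepted targets.
SYSCTL_NAME_RE = re.compile(r"^[a-z0-9_]+(?:\.[a-z0-9_-]+)+$")
ALLOWED_FILE_RE = re.compile(r"^/etc/sysctl\.conf$|^/etc/sysctl\.d/[A-Za-z0-9._-]+\.conf$")

# Constructed sample matching the behaviour described above: probing after
# 150 s idle, 4 probes 30 s apart, and cores written as core.<PID>
# (the kernel expands %p in core_pattern to the crashing PID).
KEEPALIVE_SETTINGS = [
    {"name": "net.ipv4.tcp_keepalive_time", "value": "150"},
    {"name": "net.ipv4.tcp_keepalive_probes", "value": "4"},
    {"name": "net.ipv4.tcp_keepalive_intvl", "value": "30"},
    {"name": "kernel.core_pattern", "value": "core.%p"},
]
SAMPLE_SYSCTL_CONF = [
    {"file_name": "/etc/sysctl.d/99-sysctl.conf", "settings": KEEPALIVE_SETTINGS},
    {"file_name": "/etc/sysctl.conf", "settings": KEEPALIVE_SETTINGS},
]


def validate_sysctl_conf(blocks: Any, known_names: Optional[Set[str]] = None) -> List[str]:
    """Check the rules listed above. known_names, if given, also rejects names
    that are well-formed but not real parameters (e.g. tcp_keepalive_tim)."""
    if not isinstance(blocks, list) or not blocks:
        return ["sysctl_conf must be a non-empty array"]
    errors: List[str] = []
    for i, block in enumerate(blocks):
        where = f"sysctl_conf[{i}]"
        if not isinstance(block, dict):
            errors.append(f"{where}: must be an object")
            continue
        file_name = block.get("file_name")
        if not isinstance(file_name, str) or not ALLOWED_FILE_RE.match(file_name):
            errors.append(f"{where}: invalid file_name {file_name!r}")
        settings = block.get("settings")
        if not isinstance(settings, list) or not settings:
            errors.append(f"{where}: settings must be a non-empty array")
            continue
        seen: Set[str] = set()
        for j, setting in enumerate(settings):
            at = f"{where}.settings[{j}]"
            if not isinstance(setting, dict):
                errors.append(f"{at}: must be an object")
                continue
            name, value = setting.get("name"), setting.get("value")
            if not isinstance(name, str) or not name.strip():
                errors.append(f"{at}: name is missing or blank")
                continue
            if not isinstance(value, str) or not value.strip():
                errors.append(f"{at}: value for {name} must be a non-empty string")
            if not SYSCTL_NAME_RE.match(name):
                errors.append(f"{at}: malformed parameter name {name!r}")
            elif known_names is not None and name not in known_names:
                errors.append(f"{at}: unknown parameter {name!r}")
            if name in seen:
                errors.append(f"{at}: duplicate setting {name!r} in {file_name}")
            seen.add(name)
    return errors


def render_sysctl_conf(blocks: Any) -> Dict[str, str]:
    """Return {file_name: file_text} in sysctl's 'key = value' syntax,
    raising ValueError if validation fails."""
    errors = validate_sysctl_conf(blocks)
    if errors:
        raise ValueError("; ".join(errors))
    rendered: Dict[str, str] = {}
    for block in blocks:
        lines = [f"{s['name']} = {s['value']}" for s in block["settings"]]
        rendered[block["file_name"]] = "\n".join(lines) + "\n"
    return rendered
```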
🔧 How to Apply
Create or update each file:
Apply changes immediately:
Or reload all configs:
⚠️ Important Notes
- Changes take effect after running `sysctl -p` or reboot
- `/etc/sysctl.d/*.conf` files are automatically loaded — preferred method
- Avoid duplicating settings unless required for backward compatibility
- Use `sysctl -a | grep <param>` to verify current values
- `kernel.core_pattern` affects where and how core dumps are saved — test application crashes if needed
- Ensure `/etc/sysctl.conf` includes `include /etc/sysctl.d/*.conf` if relying on modular config
🔧 rc_local Configuration
Key: rc_local
Description
This section defines custom commands or placeholders to be added to the system’s rc.local script, which runs at the end of the boot process. It supports automation of post-boot tasks such as route setup, service checks, or environment initialization.
✅ Used to run essential startup scripts that are not managed by systemd services.
JSON Format
Field Reference
✅ The presence of a single space (`" "`) may act as a placeholder to ensure the file exists and is executable.
Validations Enforced
What's Not Allowed
- Using `rc_local` as an object, string, or `null`
- Empty `rc_local` array
- Missing `file_name` or setting it to `""`, `null`
- Omitting `lines` entirely
- Setting `lines` to a non-list value (e.g., string, object)
- Multiple lines with blank or whitespace-only entries
- Using `lines: ["", ""]` — empty strings are not allowed
- Including syntax errors or unescaped characters in commands
- Adding long-running or blocking commands without backgrounding (`&`)
Interpreted as
The following content will be written or ensured in /etc/rc.d/rc.local:
✅ This means:
- A single space character will be written to the file
- The file will exist and can later be made executable
- Often used as a placeholder to satisfy automation requirements that `rc.local` must be present
⚠️ In practice, this may be followed by making the file executable:
And enabling the service:
🔧 How to Apply
Ensure the rc.local file exists and is properly formatted:
Make it executable:
Enable the rc-local service (RHEL/CentOS 7+):
Verify:
⚠️ Important Notes
- The `rc.local` script is not executed by default on modern systems — you must enable `rc-local.service`
- Always ensure the script starts with `#!/bin/bash` if adding real commands
- Avoid placing sensitive commands or credentials in `rc.local`
- Use `systemd` services instead when possible — `rc.local` is legacy
- Changes take effect on next boot
- The single space (`" "`) does nothing functionally — it's often used to force file creation during provisioning
🔧 crontab_entries Configuration
Key: crontab_entries
Description
This section defines custom cron jobs that are written to system-wide cron configuration (e.g., /etc/cron.d/sysstat). It ensures critical maintenance tasks like performance data collection and log cleanup run automatically.
✅ Used to enable continuous system monitoring and prevent disk space exhaustion from archived logs.
JSON Format
Field Reference
✅ Each `cron_name` results in a file under `/etc/cron.d/`.
Validations Enforced
What's Not Allowed
- Using `crontab_entries` as an object, string, or `null`
- Empty `crontab_entries` array
- Missing `cron_name` or `settings` in any block
- Blank or invalid `cron_name` (e.g., `""`, `" "`, `sys*`)
- Empty or missing `settings` array
- Omitting any of the required cron fields (`name`, `minute`, ..., `job`)
- Non-string values in any field
- Invalid cron expressions (e.g., `minute: 60`, `hour: */0`, `day: abc`)
- Duplicate entries without justification
Interpreted as
A file named /etc/cron.d/sysstat will be created with the following content:
✅ This configures:
- `sa1` to collect system stats every 15 seconds (4 times per minute)
- Daily cleanup of old `sa` binary logs (older than 15 days)
🔧 How to Apply
Create the cron file:
Set correct permissions:
Test syntax:
Verify file exists:
⚠️ Important Notes
- Files in `/etc/cron.d/` must have permissions `644` and be owned by `root`
- Cron daemon automatically reloads this directory — no restart needed
- Use `sar` to view collected data
- Avoid using `>` or `>>` in jobs without proper logging control
- The `sa1` command requires the `sysstat` package installed and enabled
- Always test `find` commands before adding to cron
🔧 etc_services Configuration
Key: etc_services
Description
This section defines custom service name-to-port mappings in /etc/services. It disables legacy or insecure services (e.g., tftp, finger) by commenting them out, and enables application-specific services (e.g., sip, csp, https-clt) by ensuring they are defined with correct port numbers.
✅ Used during system hardening and application setup to standardize service naming and prevent accidental exposure of outdated protocols.
JSON Format
Field Reference
✅ These entries help tools like `nmap`, `getent`, or scripts use meaningful names instead of raw ports.
Validations Enforced
What's Not Allowed
- Using `etc_services` as a list, string, or `null`
- Empty `disable` or `enable` blocks
- Invalid service names (e.g., spaces, special characters)
- Missing or malformed port values (e.g., `"abc"`, `"65536"`, `"5060/tcpp"`)
- Duplicate service names across `disable` and `enable`
- Omitting both `disable` and `enable`
- Using invalid protocols (e.g., `/http`, `/ssh`) — only `/tcp`, `/udp` allowed
Interpreted as
Services to Disable (Comment Out):
The following lines in /etc/services will have # added at the start:
❌ Prevents accidental use of legacy/insecure services.
Services to Enable (Add/Ensure):
The following entries will be added if missing:
✅ Enables application-specific port naming for clarity and consistency.
🔧 How to Apply
Use automation to update /etc/services:
Verify:
⚠️ Important Notes
- Disabling in `/etc/services` does not stop running services — only removes name-to-port mapping
- To fully disable a service, also:
  - Stop it: `systemctl stop <service>`
  - Disable it: `systemctl disable <service>`
- Use `getent services <name>` to verify mappings
- Avoid editing `/etc/services` manually — use automation for consistency
- Changes do not require reboot — tools read the file live
🔧 services Configuration
Key: services
Description
This section defines system service management policies by specifying which services should be disabled or enabled at boot time. It ensures only necessary services are active, reducing attack surface and aligning with security hardening standards.
✅ Used during system provisioning to enforce secure-by-default service states.
JSON Format
Field Reference
✅ Service names must match systemd unit files (e.g., `sshd.service`) or SysVinit scripts.
Validations Enforced
What's Not Allowed
- Using `services` as a list, string, or `null`
- Empty object: `{}` or `{"disable": null, "enable": []}`
- Missing both `disable` and `enable`
- Setting `disable` or `enable` to a string or object instead of a list
- Blank or invalid service names (e.g., `""`, `" "`, `"123"`)
- Non-string values in `disable` or `enable` lists
- Duplicate service names
- Using the `.service` suffix inconsistently (e.g., `sshd` vs `sshd.service`) — both work, but consistency is preferred
Interpreted as
Services to Disable:
❌ These services will be stopped and disabled:
Services to Enable:
✅ Will be enabled to start at boot:
🔧 How to Apply
Run the following commands:
✅ Use `--now` to stop/disable or start/enable immediately.
Verify:
⚠️ Important Notes
- Always test remotely-accessible systems with console access before disabling `sshd`
- Disabling `network` may break connectivity on RHEL 7 systems using SysVinit networking
- `firewalld` and `iptables` should only be disabled if `nftables` is actively managing firewall rules
- Avoid disabling `sshd` unless replaced by another secure access method
- Use `systemctl list-unit-files --type=service` to audit all enabled services
- Automation tools (Ansible, Puppet) should manage this to ensure consistency
🔧 system_security_policies Configuration
Key: system_security_policies
Description
This section defines critical system security policies by writing configuration blocks to key files under /etc/security/. It configures:
- Maximum file descriptor limits (`limits.conf`)
- Strong password complexity rules (`pwquality.conf`)
✅ Used during system hardening to enforce resource limits and high-entropy passwords across all users.
JSON Format
Field Reference
✅ Each block applies settings to a different security policy file.
Validations Enforced
What's Not Allowed
- Using `system_security_policies` as an object, string, or `null`
- Empty `system_security_policies` array
- Missing `file_name` or `lines` in any block
- Blank or invalid `file_name` (e.g., `""`, `" "`, `/invalid/path`)
- Empty or missing `lines` array
- Non-string values in `lines`
- Syntax errors in `lines` — even though not validated here, they will break PAM or limit enforcement
- Using uppercase or spaces in keys without proper quoting
Interpreted as
1. /etc/security/limits.conf
✅ This configures:
- All users (`*`) can open up to 65,536 files
- Core dumps are unlimited in size
- Prevents application crashes due to file handle exhaustion
2. /etc/security/pwquality.conf
✅ This configures:
- Password never expires (`99999` ≈ 273 years)
- Minimum length: 16 characters
- Requires at least one digit, uppercase, lowercase, and special character
- At least 3 character classes must be used
⚠️ Note: These rules apply only if enforced by PAM (e.g., via `pam_pwquality.so` in `/etc/pam.d/system-auth`)
🔧 How to Apply
Update each file:
Ensure PAM is configured to use pam_pwquality:
Test password strength:
⚠️ Important Notes
- Changes to `limits.conf` take effect at next login session
- Use `ulimit -n` to verify file limit
- `pwquality.conf` does not enforce rules by itself — must be linked in PAM
- Avoid setting `PASS_MAX_DAYS=0` — forces password change every login
- Always test with a non-root user before deployment
- These policies apply to local accounts — may not affect LDAP, SSO, or CyberArk-managed users
🔧 site_name Configuration
Key: site_name
Description
This section defines the logical site identifier for the system, used during provisioning, automation, and inventory tracking. The site_name helps classify systems by location, environment, or role (e.g., rchmtv2t for RCH Media Server Test Environment).
✅ Used by deployment tools, monitoring systems, and logging platforms to group and report on systems consistently.
JSON Format
Field Reference
✅ Must follow strict naming rules to ensure compatibility with automation and DNS policies.
Validations Enforced
What's Not Allowed
- Using uppercase letters (e.g., `"RCHMTV2T"`)
- Spaces or whitespace (e.g., `"rch mtv2t"`)
- Special characters: `@`, `.`, `!`, `#`, `$`, `(`, `)`, etc.
- Leading or trailing hyphens/underscores (e.g., `-rchmtv2t`, `rchmtv2t_`)
- Names shorter than 3 characters (e.g., `"r1"`)
- Names longer than 30 characters
- Using IP addresses or FQDNs as site names
- Empty or `null` values
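An added example, not the project's own code, that encodes the site_name rules above and derives a hostname in the shape of the `cml-rchmtv2t-app01.vzbi.com` example. The `<prefix>-<site>-<role><NN>.<domain>` layout is an assumption drawn from that single example.

```python
import ipaddress
import re
from typing import Any, Optional

# Encodes the rules above: lowercase letters, digits, '-' and '_' only,
# first and last character alphanumeric, total length 3 to 30.
SITE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{1,28}[a-z0-9]$")


def site_name_error(value: Any) -> Optional[str]:
    """Return None for a valid site_name, otherwise the rule it breaks."""
    if not isinstance(value, str) or value == "":
        return "site_name must be a non-empty string"
    if any(ch.isspace() for ch in value):
        return "site_name must not contain whitespace"
    if value != value.lower():
        return "site_name must be lowercase"
    if not 3 <= len(value) <= 30:
        return "site_name must be 3 to 30 characters long"
    try:
        # Both IPv4 and IPv6 literals are rejected.
        ipaddress.ip_address(value)
        return "site_name must not be an IP address"
    except ValueError:
        pass
    if "." in value:
        return "site_name must not be an FQDN or contain dots"
    if value[0] in "-_" or value[-1] in "-_":
        return "site_name must not start or end with '-' or '_'"
    if not SITE_NAME_RE.match(value):
        return "site_name contains disallowed characters"
    return None


def is_valid_site_name(value: Any) -> bool:
    return site_name_error(value) is None


def derive_hostname(site_name: str, role: str, index: int,
                    prefix: str = "cml", domain: str = "vzbi.com") -> str:
    """Build a hostname like cml-rchmtv2t-app01.vzbi.com from a validated
    site_name. The prefix/role/domain layout is an assumption, not a
    documented standard."""
    error = site_name_error(site_name)
    if error:
        raise ValueError(error)
    return f"{prefix}-{site_name}-{role}{index:02d}.{domain}"
```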
Interpreted as
The system will be tagged with the site identifier:
✅ This value may be used in:
- Hostname generation
- Log routing
- Monitoring dashboards
- Automation playbooks
- Asset management systems
🔄 Example derived hostname:
cml-rchmtv2t-app01.vzbi.com
🔧 How to Apply
Set the value in your configuration payload:
Or use it in templates/scripts:
No file or service restart required — this is a metadata field consumed during provisioning.
⚠️ Important Notes
- Always use lowercase only — case-sensitive systems may reject mixed-case names
- Avoid abbreviations that are unclear to others
- Coordinate naming with your infrastructure team to avoid conflicts
- This field is often used in auto-generated hostnames, so accuracy is critical
- Does not affect network or DNS directly — but influences naming standards
🔧 sysconfig_files Configuration
Key: sysconfig_files
Description
This section defines custom configurations for system service environment files located under /etc/sysconfig/. These files are used by init scripts or systemd to pass startup parameters to services such as snmpd, sshd, named, network interfaces, and nftables.
✅ Used to fine-tune service behavior, disable unwanted logging, enforce NIC settings, and include custom rules at boot.
JSON Format
Field Reference
✅ Supports both adding new directives and commenting out existing ones (via `#` prefix).
Validations Enforced
What's Not Allowed
- Using `sysconfig_files` as a string, number, or `null`
- Empty `sysconfig_files` array or object
- Missing `file_name` or `lines` in any block
- Blank or invalid `file_name` (e.g., `""`, `" "`, `/invalid/path`)
- Empty or missing `lines` array
- Non-string values in `lines`
- Syntax errors in `lines` — even though not validated here, they will break service startup
- Using `>` or `|` without escaping in values
Interpreted as
1. /etc/sysconfig/snmpd
Logs only critical SNMP messages (`0`=emergency, `1`=alert, `2`=critical), suppresses debug noise.
2. /etc/sysconfig/sshd
- Disables blocking on `/dev/random` (faster SSH startup)
- Disables system crypto policy to allow custom ciphers in `sshd_config`
3. /etc/sysconfig/named
Runs BIND in IPv4-only mode — prevents IPv6-related messages in `/var/log/messages`
4. /etc/sysconfig/network-scripts/ifcfg-ens192
Sets fixed 1Gbps link and disables DHCP-managed DNS settings.
5. /etc/sysconfig/network-scripts/ifcfg-ens224
Same as above, but also disables gateway override on this interface.
6. /etc/sysconfig/nftables.conf
Ensures custom firewall rules are loaded at boot.
🔧 How to Apply
Create or update each file:
Then restart affected services:
⚠️ Important Notes
- Always backup original files before modifying
- Changes take effect after service restart or reboot
- Use `systemctl status <service>` to verify services start correctly
- Commented-out lines (e.g., `#DNS1=`) prevent automatic re-addition by DHCP
- `SSH_USE_STRONG_RNG=0` uses `/dev/urandom` — safe unless FIPS requires `/dev/random`
- The `include` directive in `nftables.conf` is required for rule persistence
🔧 user_login_definition Configuration
Key: user_login_definition
Description
This section defines default password policies for user accounts by modifying the /etc/login.defs file. It sets password expiration, minimum length, and warning periods that apply to new users created via useradd. This configuration helps standardize account behavior across systems.
✅ Used during system provisioning to enforce baseline security policies for local accounts.
JSON Format
Field Reference
Validations Enforced
What's Not Allowed
- Using `user_login_definition` as a list or string
- Missing `file_name` or setting it to `""`, `null`
- Omitting `settings` or setting it to `null`, `[]`, `{}` (empty)
- Missing any of the four required keys: `PASS_MAX_DAYS`, `PASS_MIN_DAYS`, `PASS_MIN_LEN`, `PASS_WARN_AGE`
- Setting any value to a non-digit string (e.g., `"five"`, `"abc"`)
- Using negative numbers or decimals (e.g., `-1`, `5.5`)
- Including extra or unsupported keys without approval
Interpreted as
The following lines will be added or updated in /etc/login.defs:
✅ This configures:
- Passwords never expire (`99999` ≈ 273 years)
- No minimum wait between changes (`0` days)
- Minimum length of 5 characters
- User warned 7 days before expiration (if enabled)
⚠️ Note: `PASS_MIN_LEN=5` is enforced only if paired with `pam_pwquality.so` — not by `login.defs` alone.
🔧 How to Apply
Update /etc/login.defs:
Or use sed to replace existing values:
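As an added alternative to the sed approach (example code, not the project's own), the following validates the `settings` object against the rules above and updates `/etc/login.defs` text in place, replacing only lines that already assign a number to a key (active or commented out) so the stock file's descriptive comments are left untouched. The sample file content is constructed.

```python
import re
from typing import Any, Dict, List, Tuple

REQUIRED_KEYS = ("PASS_MAX_DAYS", "PASS_MIN_DAYS", "PASS_MIN_LEN", "PASS_WARN_AGE")


def validate_login_defs_settings(settings: Any) -> List[str]:
    """Apply the rules above: all four keys present, values given as
    non-negative integers (int or digit-only string), no extra keys."""
    if not isinstance(settings, dict) or not settings:
        return ["settings must be a non-empty object"]
    errors = [f"missing required key {key}" for key in REQUIRED_KEYS if key not in settings]
    for key, value in settings.items():
        if key not in REQUIRED_KEYS:
            errors.append(f"unsupported key {key}")
        # str(-1) and str(5.5) are not digit-only; bool is rejected explicitly.
        if isinstance(value, bool) or not str(value).isdigit():
            errors.append(f"{key} must be a non-negative integer, got {value!r}")
    return errors


def apply_login_defs(content: str, settings: Dict[str, Any]) -> Tuple[str, Dict[str, str]]:
    """Return the updated file text and {key: 'updated' | 'added'}.

    A line counts as an assignment only if it is '<KEY> <number>', optionally
    behind a '#', so a comment like '#\tPASS_MAX_DAYS\tMaximum number ...'
    is never rewritten. Extra active assignments are commented out so one
    definition remains; keys with no assignment line are appended.
    """
    errors = validate_login_defs_settings(settings)
    if errors:
        raise ValueError("; ".join(errors))
    lines = content.splitlines()
    changes: Dict[str, str] = {}
    for key, value in settings.items():
        pattern = re.compile(rf"^\s*#?\s*{re.escape(key)}\s+\d+\s*$")
        hits = [i for i, line in enumerate(lines) if pattern.match(line)]
        if hits:
            lines[hits[0]] = f"{key}\t{value}"
            for i in hits[1:]:
                if not lines[i].lstrip().startswith("#"):
                    lines[i] = "# " + lines[i]
            changes[key] = "updated"
        else:
            lines.append(f"{key}\t{value}")
            changes[key] = "added"
    return "\n".join(lines) + "\n", changes


# Constructed sample of a login.defs fragment (not the page's file).
SAMPLE_LOGIN_DEFS = (
    "# Password aging controls:\n"
    "#\tPASS_MAX_DAYS\tMaximum number of days a password may be used.\n"
    "PASS_MAX_DAYS\t90\n"
    "PASS_MIN_DAYS\t1\n"
    "#PASS_MIN_LEN\t8\n"
    "PASS_WARN_AGE\t7\n"
    "UMASK\t077\n"
)
# The values described in this section.
PAGE_SETTINGS = {"PASS_MAX_DAYS": 99999, "PASS_MIN_DAYS": 0, "PASS_MIN_LEN": 5, "PASS_WARN_AGE": 7}
```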
⚠️ Important Notes
- These settings apply only to new users created with `useradd`
- Existing users must be updated using `chage`
- `PASS_MIN_LEN` requires `pam_pwquality` or `pam_cracklib` to be active in `/etc/pam.d/system-auth`
- Avoid setting `PASS_MAX_DAYS=0` — forces password change every login
- In environments using LDAP, SSO, or CyberArk, these settings may have limited impact
- Always test with a non-root user before deployment
🔧 logrotation_conf Configuration
Key: logrotation_conf
Description
This section defines custom log rotation settings by writing configuration blocks to /etc/logrotate.conf and individual files under /etc/logrotate.d/. It sets global policies (e.g., daily rotation, 30-day retention) and service-specific rules for critical logs like wtmp, btmp, and syslog-managed files.
✅ Used to standardize log management, prevent disk space exhaustion, and ensure auditability across systems.
JSON Format
Field Reference
Validations Enforced
What's Not Allowed
- Using `logrotation_conf` as an object, string, or `null`
- Empty `logrotation_conf` array
- Missing `file_name` or `lines` in any block
- Blank or invalid `file_name` (e.g., `""`, `" "`)
- Empty or missing `lines` array
- Non-string values in `lines`
- Syntax errors in `lines` — even though not validated here, they will break `logrotate`
Interpreted as
1. Global Settings (/etc/logrotate.conf)
Rotates logs daily, keeps 30 copies, uses date suffixes, and includes service-specific configs.
2. Syslog Logs (/etc/logrotate.d/syslog)
Rotates:
- `/var/log/messages`
- `/var/log/secure`
- `/var/log/maillog`
- `/var/log/spooler`
- `/var/log/boot.log`
- `/var/log/cron`
With:
- `postrotate` script to reload `syslogd`/`rsyslogd` and fix permissions
- `sharedscripts`: runs postrotate once per group
3. Login History (/etc/logrotate.d/wtmp)
Rotates only if ≥1MB, keeps 1 archive — useful for low-traffic systems.
4. Failed Logins (/etc/logrotate.d/btmp)
Keeps 12 months of failed login history for security auditing.
🔧 How to Apply
Create each file:
Test configuration:
⚠️ Important Notes
- Always backup original files before updating
- The `postrotate` script ensures logging continues after rotation
- Use `|| true` to prevent failures if PID file is missing
- `chmod -f` suppresses errors if file doesn’t exist
- `dateext` uses `YYYYMMDD` suffix (e.g., `messages-20250828`)
- Test with `-d` (debug mode) before production use
- Monitor `/var/lib/logrotate/status` to see last run times
Perfect! Based only on your provided validate_networkmanager_conf() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the same clean and consistent format you've approved.
All rules are in bold, written clearly for end users, and reflect exactly what the validator checks — no assumptions, no extras.
Validations Enforced
✅ This matches your validator 100%:
- Checks `networkmanager_conf` is an object ✅
- `file_name` is present, non-empty, and a string ✅
- `lines` is present, a list, and non-empty ✅
- Each item in `lines` is a non-empty string ✅
🚫 Does not validate:
- Whether the `file_name` path is correct or writable
- If the `lines` contain valid `NetworkManager.conf` syntax (e.g., `[main]`, `dns=none`)
- Duplicate or conflicting settings
- Use of unsupported parameters
So we do not include those in the validations.
💡 Note: This validator ensures correct JSON structure only — actual configuration correctness (e.g., valid INI sections) must be verified during deployment or by the system.
Perfect! Based only on your provided validate_extra_packages() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the same clean and consistent format you've approved.
All rules are in bold, written clearly for end users, and reflect exactly what the validator checks — nothing more, nothing less.
Validations Enforced
✅ This matches your validator 100%:
- Checks `extra_packages` is a non-empty list ✅
- Each item must be a non-empty string ✅
- No other types (e.g., numbers, objects, `null`) are allowed ✅
🚫 Does not validate:
- Whether the package exists in repositories
- If it's a valid RPM or system package
- Duplicates (e.g., `libstdc++` appearing twice)
- Case sensitivity or spelling (e.g., `Python3-pexpect` vs `python3-pexpect`)
- Use of wildcards (e.g., `nmap*`) or invalid formats
So we do not include those in the validations.
💡 Note: This validator ensures correct structure only — actual package validity is checked during system provisioning or by `dnf`/`yum`.
Perfect! Based only on your provided validate_base_packages() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the same clean and consistent format you've approved.
All rules are in bold, written clearly for end users, and reflect exactly what the validator checks — no assumptions, no extras.
Validations Enforced
✅ This matches your validator 100%:
- Checks `base_packages` is a non-empty list ✅
- Each item must be a non-empty string ✅
- No other types allowed (e.g., numbers, objects, `null`) ✅
🚫 Does not validate:
- Whether the package name exists in repositories
- If it's a valid group (e.g., `@Core`) or individual package
- Duplicate entries
- Case sensitivity or spelling (e.g., `Wget`, `wGet`)
- Use of wildcards or invalid formats
So we do not include those in the validations.
💡 Note: The validator ensures correct structure and basic formatting, but does not verify package validity — that happens during system provisioning.
Perfect! Based only on your provided validate_symbolic_links() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the same clean and consistent format you've approved.
All rules are in bold, written clearly for end users, and reflect exactly what the validator checks — no assumptions, no extras.
Validations Enforced
✅ This matches your validator 100%:
- Checks `symbolic_links` is a non-empty list ✅
- Each item is a dict/object ✅
- Both `src` and `dest` are required, non-empty strings ✅
- No extra fields or types allowed without breaking validation ✅
🚫 Does not validate:
- Whether the `src` path exists
- If the `dest` path is already in use or conflicts with a file/directory
- Absolute vs relative paths (though absolute is expected)
- Duplicate entries
So we do not include those in the validations.
💡 Note: The format is `{ "src": "/actual/path", "dest": "/link/path" }` — this validator ensures structure and non-empty strings, but does not verify filesystem state.
Perfect! Based only on your provided validate_ntp_servers() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the same clean and consistent format you've approved.
All rules are in bold, written clearly for end users, and reflect exactly what the validator checks — no assumptions, no extras.
Validations Enforced
✅ This matches your validator 100%:
- Checks `ntp_servers` is an object ✅
- Not empty (`if not data`) ✅
- Each key is a non-empty string ✅
- Each value is a non-empty string and a valid IPv4 address ✅
🚫 Does not validate:
- Whether the hostname resolves to the given IP
- If the NTP server is reachable or synchronized
- Use of duplicate IPs or hostnames
- Case sensitivity or formatting (e.g., extra spaces)
So we do not include those in the validations.
💡 Note: The format is `"hostname": "ip_address"` — this validator ensures both are valid, but does not check DNS consistency.
Perfect! Based only on your provided validate_server_details() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the same clean and consistent format you've approved.
All rules are in bold, written clearly for end users, and reflect exactly what the validator checks — nothing more, nothing less.
Validations Enforced
✅ This matches your validator 100%:
- Checks `server_details` is an object ✅
- `servername`, `total_storage_size`, and `namespace` are all required fields ✅
- Each is validated as a non-empty string ✅
- `total_storage_size` must match the regex pattern `^\d+\s?(GB|MB|G|M)$` (case-insensitive) ✅
🚫 Does not validate:
- Whether `servername` is unique or DNS-resolvable
- If `total_storage_size` matches actual disk allocation
- Whether `namespace` is an approved value (e.g., `vm-automation`, `prod`)
- Trailing spaces (though `.strip()` is used)
So we do not include those in the validations.
Perfect! Based only on your provided validate_email_notification_list() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the exact same clean and consistent format you've approved.
All rules are in bold, written clearly for end users, and reflect exactly what the validator checks — no assumptions, no extras.
Validations Enforced
✅ This matches your validator 100%:
- Checks `email_notification_list` is an object ✅
- `to` field is present, non-empty, and a string ✅
- `to` value passes email format validation (using a regex for `local@domain.tld`) ✅
🚫 Does not validate:
- Whether the email domain is internal (e.g., `@verizon.com`)
- If the email address actually exists or is active
- Multiple recipients (e.g., comma-separated list)
- Use of distribution lists vs personal emails
So we do not include those in the validations.
💡 Note: The validator does not allow lists or multiple addresses — only a single valid email string.
Perfect! Based only on your provided validate_postfix_configs() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the exact same clean and consistent format you've approved.
All rules are in bold, written clearly for end users, and reflect exactly what the validator checks — no assumptions, no extras.
Validations Enforced
✅ This matches your validator 100%:
- Checks `postfix_configs` is a non-empty list of objects ✅
- Each block has `file_name` and `settings` ✅
- `settings` is a list of objects with `name` and `value` ✅
- `value` can be string or list — but must not be empty or invalid ✅
🚫 Does not validate:
- Whether the `file_name` is a valid Postfix config path
- If the `name` is a real Postfix parameter (e.g., `relayhost`, not `relay_host`)
- Syntax of email addresses or hostnames in `value`
- Duplicate settings across blocks
So we do not include those in the validations.
Perfect! Based only on your provided validate_custom_commands() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the exact same clean and consistent format you've approved.
All rules are in bold, written for end users, and reflect exactly what the validator checks — nothing more, nothing less.
Validations Enforced
✅ This matches your validator 100%:
- Checks `custom_commands` is a non-empty list ✅
- Each item must be a non-empty string ✅
- No other fields or types are allowed (e.g., objects, numbers, `null`) ✅
🚫 Does not validate:
- Whether the command syntax is correct
- If the command is safe or idempotent
- Command effects (e.g., file creation, system changes)
- Duplicate or conflicting commands
So we do not include those in the validations.
Perfect! Based only on your provided validate_application_specific_logging_configuration() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the same clean, consistent format you've approved.
All key rules are in bold, written for end users (not developers), and reflect exactly what the validator checks — no assumptions, no extras.
Validations Enforced
✅ This matches your validator 100%:
- Checks the top-level is an object ✅
- `file_name` is required and non-empty ✅
- `lines` is required, a list, and non-empty ✅
- Each line is a non-empty string ✅
- `command` (if present) must be a non-empty string ✅
🚫 Does not validate:
- Whether the `file_name` is a valid systemd unit path
- Syntax of the `lines` (e.g., correct `[Service]` format)
- If the script in `ExecStart` exists or is executable
- Whether the `command` is safe or valid
So we do not include those in the validations.
Perfect! Based only on your provided validate_chroot_configuration() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the same clean and consistent style you've approved.
All rules are in bold, written for end users, and reflect exactly what the validator checks — nothing more, nothing less.
Validations Enforced
✅ This matches your validator 100%:
- Checks chroot_configuration is a non-empty list ✅
- Each item must be a non-empty string ✅
- No other fields or structures are validated (e.g., no file_name, no lines object) ✅
🚫 Does not validate:
- Whether the command is safe or valid shell syntax
- If directories or users exist
- Command order or dependencies (e.g., mkdir before cp)
- Duplicate or conflicting commands
So we do not include those in the validations.
Perfect! Based only on your provided validate_nvn_cache_configuration() validator function, here is the accurate, user-friendly "Validations Enforced" section — in the exact same style you've approved.
All rules are in bold, written for end users, and reflect exactly what the validator checks — no assumptions, no extras.
Validations Enforced
✅ This matches your validator 100%:
- Checks nvn_cache_configuration is an object ✅
- Skips validation on COMMENT ✅
- Ensures all other keys (e.g., command) are non-empty strings ✅
- No other rules are enforced by this validator
🚫 Does not validate:
- Whether the command syntax is correct
- If the target file or directory exists
- Command execution safety or side effects
So we do not include those in the validations.
Perfect! Based only on your provided validate_selinux_configuration() validator function, here is the accurate, user-friendly "Validations Enforced" section — formatted in the same clean, consistent style you've approved.
All key rules are in bold, written for end users (not developers), and reflect exactly what the validator checks — no extra assumptions.
Validations Enforced
✅ This matches your validator 100%:
- Checks selinux_configuration is an object ✅
- file_name is present and valid ✅
- settings is an object ✅
- SELINUX is a non-empty string and one of the allowed values ✅
- SELINUXTYPE is a non-empty string ✅
🚫 Does not validate:
- Whether the SELINUXTYPE value (e.g., targeted) actually exists on the system
- File permissions or SELinux relabeling
- Runtime state vs config mismatch
So we do not include those in the validations.
Perfect! Based only on your provided validate_chrony_conf() validator function, here is the accurate, user-friendly, and properly formatted "Validations Enforced" section — in the exact same style you've approved.
All key rules are in bold, written for end users (not developers), and reflect exactly what the validator checks — no assumptions, no extras.
Validations Enforced
✅ This matches your validator 100%:
- Checks chrony_conf is a non-empty list ✅
- Each item is a dict/object ✅
- file_name and lines are required and non-empty ✅
- Each line must be a non-empty string starting with server ✅
- Server address must be valid IPv4 or domain ✅
🚫 Does not validate:
- Whether the NTP server is reachable
- Syntax of optional parameters like iburst, minpoll, etc.
- Duplicate entries
So we do not include those in the validations.
Absolutely! Based only on your provided validate_sshd_conf() validator function, here is the accurate, user-friendly, and properly formatted "Validations Enforced" section — in the exact same style you've approved.
All key rules are in bold, clear for end users, and reflect exactly what the validator checks — no more, no less.
Validations Enforced
✅ This matches your validator 100%:
- Checks sshd_conf is a non-empty list ✅
- Each item is a dict/object ✅
- Each has file_name as a non-empty string ✅
Note:
Your validator does not check any other fields (e.g., Port, PermitRootLogin, UsePAM, etc.) — so we do not include them in validations.
Absolutely! Based only on your provided validate_securetty() validator function, here is the accurate and user-friendly "Validations Enforced" section — formatted in the exact same style you've approved.
All key rules are in bold, clear for end users, and reflect exactly what the validator checks — no assumptions, no extras.
Validations Enforced
✅ This matches your validator 100%:
- Checks securetty is an object ✅
- file_name is present and valid ✅
- lines is present and a non-empty list ✅
- Each line is a non-empty string ✅
No validation of TTY names (e.g., whether tty1 is valid), no syntax checks — only structural validation.
Absolutely! Based only on your provided validate_custom_scripts() function, here is the accurate, user-friendly, and properly formatted "Validations Enforced" section — in the same style you've approved.
All key rules are in bold, clear for end users, and reflect exactly what the validator checks — nothing more, nothing less.
Validations Enforced
✅ This matches your validator 100%:
- Checks custom_scripts is a non-empty list ✅
- Each item is an object ✅
- file_name and lines are present and valid ✅
- Each line is a non-empty string ✅
All key rules are highlighted in bold, and the language is clear for end users (no code references or array indices).
Validations Enforced
✅ This reflects exactly what your validate_nftables() function checks — no more, no less.
🔧 snmp_conf Configuration
Key: snmp_conf
Description
This section defines custom configuration for the SNMP daemon (snmpd) by specifying a list of configuration blocks. Each block includes the target file path, site identifier, and SNMP directives (e.g., pass-through modules, access control, views). It also supports optional trap sink IP addresses.
✅ Used to standardize SNMP monitoring setup across systems in environments like RCH.
JSON Format
Field Reference
Validations Enforced
What's Not Allowed
- Using snmp_conf as an object, string, or null
- Empty snmp_conf array
- Missing file_name or lines in any block
- Blank or invalid file_name (e.g., "", " ")
- Empty or missing lines array
- Non-string values in lines
- site as a number or boolean
- trapsink_1 with invalid IP (e.g., "166.33.186", "abc")
- Syntax errors in lines — even though not validated here, they will break snmpd
Interpreted as
The following content will be written to /etc/snmp/snmpd.conf:
⚠️ Note: The second line appears to have a syntax error (trapsink_1\": \"166.33.186.10) — likely meant to be:
Please verify with your SNMP team.
🔧 How to Apply
Create or update the SNMP config:
Restart SNMP service:
Verify:
⚠️ Important Notes
- Always backup the original snmpd.conf before updating
- The lines are not syntax-validated by the JSON validator — errors may cause snmpd to fail
- Use sudo snmpd -T -Dinit,config -f to test config before restart
- trapsink lines should follow standard format: trapsink <IP> <community>
- Ensure UDP port 162 is open for traps
- The pass directive allows external scripts to respond to specific OIDs
- This config uses v2c — consider upgrading to v3 for encryption and authentication
💡 Best Practice Tip
Use configuration management (Ansible, Puppet) to deploy snmpd.conf consistently.
Avoid manual edits — they are not auditable.
✅ Corrected: storage Configuration (Based Only on Your Validator)
Validations Enforced
✅ This reflects exactly what your validate_storage() function checks — no more, no less.
✅ Corrected: network_interfaces Configuration (Based Only on Your Validator)
Validations Enforced
✅ This reflects exactly what your validate_network_interfaces() function checks — including deep validation of IPs in custom_routes.
📌 Summary
✅ All three validations are now strictly aligned with your Python code:
- sudo_configurations → done ✅
- storage → corrected above ✅
- network_interfaces → corrected above ✅
No extra assumptions. No "best practice" rules mixed into validation.
Only what the system will reject if not followed.
✅ Corrected: Validations Enforced (Based Only on Your Validator)
🔍 Why This Matters
Your validator:
- ✅ Checks structure: list → objects → strings
- ✅ Ensures required fields exist
- ❌ Does not validate:
  - File path format (e.g., must be in /etc/sudoers.d/)
  - Sudoers syntax (e.g., ALL=(ALL) NOPASSWD: ALL)
  - Duplicate files
  - File extensions or permissions
  - Command correctness
Those validations may be done later (e.g., by visudo -c, deployment tools, or system hardening scripts), but not by this function.
🔧 sudo_configurations Configuration
Key: sudo_configurations
Description
This section defines custom sudo permissions for specific users or service accounts by creating individual files in /etc/sudoers.d/. These files grant controlled, passwordless access to system commands, enabling automation, monitoring, or administrative tasks without requiring full root login.
✅ Used to implement the principle of least privilege — granting only the necessary access to perform required tasks.
JSON Format
Field Reference
✅ Each file must contain valid sudoers syntax — tested with visudo -c
Validations Enforced
What's Not Allowed
- Omitting file_name or leaving it blank
- Using invalid paths (e.g., /tmp/sudoers, /home/user/sudo)
- Setting lines to null, "", or an empty array
- Including syntax errors (e.g., missing ALL, incorrect command paths)
- Using Defaults or global settings unless justified
- Granting NOPASSWD: ALL without approval
- Adding unescaped special characters (e.g., %, #, *)
- Using wildcards in command paths (e.g., /usr/bin/*) unless explicitly allowed
Interpreted as
1. /etc/sudoers.d/ccsuser02
Grants ccsuser full passwordless sudo access.
2. /etc/sudoers.d/svc-ansible
Allows Ansible automation user full passwordless access for remote management.
3. /etc/sudoers.d/svc-ansible-apps
Allows svc-ansible-apps to run commands as the apps user only.
4. /etc/sudoers.d/IVRAPPSCMDS
Defines a command group IPIVRCMDS for troubleshooting and service control, granted to the apps user.
Also gives full access to the smc user.
🔧 How to Apply
Create each file using visudo -f or secure redirection:
✅ Always test syntax:
⚠️ Important Notes
- Files in /etc/sudoers.d/ must have permissions 440 and be owned by root:root
- Never edit sudoers files with a regular text editor — always use visudo or validated automation
- Avoid NOPASSWD: ALL unless absolutely necessary — prefer command-specific access
- The Cmnd_Alias allows grouping commands for reuse and clarity
- Changes take effect immediately — no restart required
- Use sudo -l -U <username> to verify allowed commands
💡 Best Practice Tip
Use command aliases to limit access:
And avoid giving full shell access unless required.
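The structural check described above, together with the policy checks this page defers to later tooling, as an added Python example (not the project's own validate_sudo_configurations()): validate_structure() enforces only the shape the page names (a list of objects with non-empty file_name and lines strings), while lint_hardening() flags items from the "What's Not Allowed" list (a path outside /etc/sudoers.d/, NOPASSWD: ALL, wildcard command paths, Defaults lines). The payload shape and the sample entries are assumed; sudoers syntax itself is still left to visudo -c.

```python
import re

SUDOERS_DIR = "/etc/sudoers.d/"
# Constructed sample payload (assumed shape: a list of {file_name, lines} objects).
SAMPLE = [
    {"file_name": "/etc/sudoers.d/svc-ansible-apps",
     "lines": ["svc-ansible-apps ALL=(apps) NOPASSWD: /usr/bin/systemctl restart apps"]},
    {"file_name": "/tmp/sudoers",
     "lines": ["ccsuser ALL=(ALL) NOPASSWD: ALL", "apps ALL=(ALL) /usr/bin/*"]},
]

def validate_structure(cfg):
    """Reject only what the JSON validator rejects: shape, not meaning."""
    if not isinstance(cfg, list) or not cfg:
        raise ValueError("sudo_configurations must be a non-empty list")
    for i, entry in enumerate(cfg):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {i}: must be an object")
        fn = entry.get("file_name")
        if not isinstance(fn, str) or not fn.strip():
            raise ValueError(f"entry {i}: file_name must be a non-empty string")
        lines = entry.get("lines")
        if not isinstance(lines, list) or not lines:
            raise ValueError(f"entry {i}: lines must be a non-empty list")
        if not all(isinstance(ln, str) and ln.strip() for ln in lines):
            raise ValueError(f"entry {i}: every line must be a non-empty string")

def lint_hardening(cfg):
    """Findings for the policy rules the validator leaves to later tooling."""
    findings = []
    for entry in cfg:
        fn = entry["file_name"]
        # Drop-ins must sit directly in /etc/sudoers.d/, not in /tmp or a subdirectory.
        if not fn.startswith(SUDOERS_DIR) or "/" in fn[len(SUDOERS_DIR):]:
            findings.append((fn, "file must live directly under /etc/sudoers.d/"))
        for line in entry["lines"]:
            if re.search(r"NOPASSWD:\s*ALL\b", line):
                findings.append((fn, "NOPASSWD: ALL grants unrestricted passwordless sudo"))
            if re.search(r"/\S*\*", line):
                findings.append((fn, "wildcard in command path"))
            if line.lstrip().startswith("Defaults"):
                findings.append((fn, "Defaults/global setting inside a drop-in file"))
    return findings

if __name__ == "__main__":
    validate_structure(SAMPLE)
    for name, msg in lint_hardening(SAMPLE):
        print(f"{name}: {msg}")
```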
🔧 network_interfaces Configuration
Key: network_interfaces
Description
This section defines the network interface configuration for the system, including IP addressing, VLAN, gateway, and advanced routing. It supports both standard interfaces and custom static routes for traffic isolation or policy-based routing (e.g., using routing tables like idn).
✅ Used during provisioning to configure multi-homed systems with dedicated paths for application, SIP, or management traffic.
JSON Format
Field Reference
Validations Enforced
What's Not Allowed
- Omitting required fields: name, ip_address, subnet, gateway
- Using invalid IP formats: "108.11.69", "108.11.69.256"
- Invalid subnet masks: "255.255.0", "255.255.254.0" (if not CIDR-aligned)
- Non-numeric vlan values: "vlan228", "228a"
- Blank or null nad if included
- static_routes containing host IPs without /32 (e.g., "63.91.193.198")
- custom_routes with syntax errors (e.g., missing via, invalid device)
- Using unsupported routing keywords (e.g., metric, mtu) unless required
Interpreted as
Interface: ens224
- IP: 108.11.69.167/24
- Gateway: 108.11.69.1
- VLAN: 228
- Bridge: br0-idn-bridge-resident-jellyfish
- Static Routes: 35+ subnets added via routing table (e.g., Verizon internal networks)
- Custom Routes: Adds a policy-based routing table idn for local subnet and default route
Interface: ens192
- IP: 166.34.69.139/27
- Gateway: 166.34.69.129
- VLAN: 413
- Bridge: br413-inner-bat
- No additional routes
✅ These interfaces support multi-path networking with dedicated routing for security and performance.
🔧 How to Apply
This configuration is used by automation to:
- Generate interface config files (e.g., ifcfg-ens224)
- Apply IP and VLAN settings
- Add static and custom routes at boot
- Bind to the correct NAD (bridge)
No manual setup required — ensure physical or virtual network is provisioned with correct VLANs.
⚠️ Important Notes
- Always verify VLANs are allowed on the switch port
- custom_routes often require ip route and ip rule support — ensure network-scripts or equivalent is used
- Static routes are typically added via route-<interface> files or NetworkManager
- Use ip route show table idn to verify custom routing table
- Avoid overlapping subnets between interfaces
- Double-check gateway reachability
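The "What's Not Allowed" rules for this key, as an added Python example that is not the project's validate_network_interfaces(): it rejects the malformed addresses, non-CIDR-aligned masks, non-numeric VLANs, blank nad values and bare host routes the page lists. Field names come from the page; the JSON shape (one object per interface, static_routes as a list of CIDR strings) and the GOOD/BAD samples are assumptions.

```python
import ipaddress

REQUIRED = ("name", "ip_address", "subnet", "gateway")
# Constructed samples in the assumed shape (one object per interface).
GOOD = {"name": "ens224", "ip_address": "108.11.69.167", "subnet": "255.255.255.0",
        "gateway": "108.11.69.1", "vlan": 228, "nad": "br0-idn-bridge-resident-jellyfish",
        "static_routes": ["63.91.193.198/32", "10.0.0.0/8"]}
BAD = {"name": "ens192", "ip_address": "108.11.69.256", "subnet": "255.255.0",
       "gateway": "166.34.69.129", "vlan": "vlan228", "static_routes": ["63.91.193.198"]}

def is_ipv4(value):
    """Strict dotted-quad check: rejects "108.11.69" and "108.11.69.256"."""
    try:
        return isinstance(value, str) and ipaddress.IPv4Address(value) is not None
    except ipaddress.AddressValueError:
        return False

def is_cidr_aligned_mask(mask):
    """True when the mask bits are a run of 1s followed by 0s (e.g. a /24)."""
    if not is_ipv4(mask):
        return False
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF  # 0s then 1s
    return inverted & (inverted + 1) == 0  # 2**n - 1 has no gaps in its bits

def validate_interface(iface):
    """Return a list of problems; an empty list means the entry is accepted."""
    problems = []
    for field in REQUIRED:
        if not isinstance(iface.get(field), str) or not iface[field].strip():
            problems.append(f"missing or blank required field: {field}")
    for field in ("ip_address", "gateway"):
        if field in iface and not is_ipv4(iface[field]):
            problems.append(f"invalid IPv4 in {field}: {iface[field]!r}")
    if "subnet" in iface and not is_cidr_aligned_mask(iface["subnet"]):
        problems.append(f"subnet mask not CIDR-aligned: {iface['subnet']!r}")
    vlan = iface.get("vlan")
    if vlan is not None and not str(vlan).isdigit():
        problems.append(f"vlan must be numeric: {vlan!r}")
    if "nad" in iface and not (isinstance(iface["nad"], str) and iface["nad"].strip()):
        problems.append("nad must be non-empty when present")
    for route in iface.get("static_routes", []):
        # Every route must be CIDR; a bare host IP needs an explicit /32.
        if not isinstance(route, str) or "/" not in route:
            problems.append(f"static route must be CIDR (use /32 for hosts): {route!r}")
        else:
            try:
                ipaddress.IPv4Network(route, strict=False)
            except ValueError:
                problems.append(f"invalid static route: {route!r}")
    return problems
```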
🔧 storage Configuration
Key: storage
Description
This section defines the LVM (Logical Volume Manager) storage layout for the system. It includes one or more volume groups (VGs) and their associated logical volumes (LVs). Each volume group has a total size, and within it, logical volumes are created with specific sizes, file systems, and mount points.
✅ Used to define scalable, flexible storage for applications, logs, or databases.
JSON Format
Field Reference
Validations Enforced
What's Not Allowed
- Using storage as an object, string, or empty value — must be a list
- Leaving vgname, lvname, or lvsize blank
- Omitting logical_volumes or leaving it empty
- Using invalid size formats: "500", "30g", "twentyG"
- Using unsupported file systems: ntfs, zfs, btrfs
- Mount points that are not full paths: "apps", "C:\logs", ~/data
- Duplicate LV names within the same VG
Interpreted as
Volume Group: vgapps (500G)
✅ This means:
- A volume group named vgapps will be created with 500GB of space
- Two logical volumes will be carved out: one for apps, one for logging
- Both will be formatted with XFS and mounted at boot
🔧 How to Apply
This configuration is used by automation tools to:
- Create physical volumes
- Set up volume groups
- Create and format logical volumes
- Mount them to the specified directories
No manual action is needed — just provide the correct structure.
⚠️ Important Notes
- Ensure the underlying disk or LUN has enough space for the defined vgsize
- Sizes are case-sensitive: always use uppercase G, M, T (not g, m, t)
- The mount points (e.g., /apps) must not already exist as files
- Avoid using /, /boot, /var, or other system-reserved paths as mount points
- This configuration does not handle physical device assignment — that’s done separately