help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

"Knowledge Base"


From: Christopher Browne
Subject: "Knowledge Base"
Date: Wed, 27 Sep 2000 22:51:15 -0500

On Sat, 23 Sep 2000 17:34:31 +0530, the world broke into rejoicing as
chetana <address@hidden>  said:
>    I am chetana, from TEXAS INSTRUMENTS, India. I needed some
> clarifications regarding the functionality
> of cfengine.
> 
> Does cfengine have a knowledge-base about the Operating system's files?
> This means that, if one were to change the permissions for a system
> file, would cfengine be able to report the discrepency , without having
> the correct mode specified in the files section in the configuration
> file?
> 
> I agree, this is most likely not possible , since ,if it were, it would
> have to maintain a knowledge base about many Operating systems! but this
> is just a thought... Kindly respond if there's any way to do it
> automatically..

As you suggest, this isn't something that could be _immediately_ reported
correctly, as the sets of permissions _and checksums_ will legitimately
vary from operating system to operating system.

However, it would be appropriate to accumulate checksums for files in
OS-related directories via the files facility.  Thus, you might have
rules something like:

files:
   /sbin checksum=md5 action=warnall recurse=inf owner=root,bin\
              group=root,sys 
   /usr/sbin checksum=md5 action=warnall recurse=inf owner=root,bin\
              group=root,sys 

The _first_ time you run it, this will find _all_ the files as warnings
since they are all new; in subsequent runs, it should only locate those
files where the status has changed, and, in particular, the checksum
has changed.

You might want to start out by running a find command to locate all the
Solaris setuid files, and then build a rule that will ensure that those
are the only setuid files in future, warning of anything else that gets
setuid status.

You'll obviously need to trust that the _first_ time cfengine gets run,
everything is OK.  After that, cfengine can help flag when configuration
changes.

This is exactly the same sort of thing that Tripwire does; you might
want to consult its docs as well for ideas.
--
address@hidden - <http://www.ntlug.org/~cbbrowne/linux.html>
Would-be National Mottos:
USA: "We don't care where you come from.  We can't find our *own*
country on a map..."



reply via email to

[Prev in Thread] Current Thread [Next in Thread]