Re: find file changes

[Tony]

Conseptually I'd like to see something like tripwire or aide like
functionality integrated w/ cfengine.

So my cfengine.conf would contain something like

files:
AllMachines.FileMonitor::
/etc/TIMEZONE           L
/etc/aliases            L
/etc/auto_master        L
/etc/bootparams         L
/etc/bootptab           L
/etc/datemsk            L
/usr/bin                R-tiger-rmd160-sha1
/usr/include            R-tiger-rmd160-sha1
/usr/lib                R-tiger-rmd160-sha1
/usr/libdata            R-tiger-rmd160-sha1
/usr/libexec            R-tiger-rmd160-sha1
/usr/local/bin          R-tiger-rmd160-sha1
/usr/local/etc          L
/usr/local/lib          R-tiger-rmd160-sha1
/usr/local/libexec      R-tiger-rmd160-sha1
/usr/local/sbin         R-tiger-rmd160-sha1

where L is an aide is a predefined macro for things about the file to check for.

---------
Tony Link
University of Maryland
College Park, Maryland 20742-4911
301.405.2988   Fax 301.405.2988
www.nts.umd.edu
PUBLIC KEY: http://ni.umd.edu/~missing/pgp

On Tue, 9 Oct 2001, Hermann Biller wrote:

> dear cfengine users:
>
> here is a simple example to check files:
>
> #################################################################
> # cfengine version 2.0.a14
> #
> # cf.filemonitor
> #
> # cfengine script to monitor changes of given system configuration files
> #
> #################################################################
>
>
> files:
>
> AllMachines.FileMonitor::
>    /etc/TIMEZONE checksum=md5
>    /etc/aliases checksum=md5
>    /etc/auto_master checksum=md5
>    /etc/bootparams checksum=md5
>    /etc/bootptab checksum=md5
>    /etc/datemsk checksum=md5
> ... 80 other files
>
> output:
> testhost root etc/cfengine # cfagent -DFileMonitor
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: SECURITY ALERT: Checksum for /etc/hosts changed!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: SECURITY ALERT: Checksum for /etc/inet/hosts changed!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: SECURITY ALERT: Checksum for /apps/sysadmin/etc/cfengine/cf.main 
> changed!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: SECURITY ALERT: Checksum for 
> /apps/sysadmin/etc/cfengine/cf.groups changed!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: SECURITY ALERT: Checksum for 
> /apps/sysadmin/etc/cfengine/cf.solaris changed!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> cf:testhost: SECURITY ALERT: Checksum for 
> /apps/sysadmin/etc/cfengine/cf.filecheck changed!
> cf:testhost: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> there are some open questions.
>
> - contrary to the documentation (files:checksum) the checksum will
>   not be updated in the database.
>   the same alert occurs also at the next run
> - files which were deleted are not displayed
> - files with changed permissions are not displayed
>
> note: it would not be a nice solution if the ownership has be defined
>       for each and every file. some ideas?
>
> regards, hermann
>
>
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org
> http://mail.gnu.org/mailman/listinfo/help-cfengine
>