
Re: find file changes


From: Hermann Biller
Subject: Re: find file changes
Date: Wed, 10 Oct 2001 10:11:09 +0200 (MES)

Mark.Burgess@iu.hio.no wrote:
> 
> On  9 Oct, Tony wrote:
> > 
> > Conceptually I'd like to see something like tripwire- or aide-like
> > functionality integrated w/ cfengine.
> > 
> > So my cfengine.conf would contain something like
> > 
> > files:
> > AllMachines.FileMonitor::
> > /etc/TIMEZONE           L
> > /etc/aliases            L
> > /etc/auto_master        L
> > /etc/bootparams         L
> > /etc/bootptab           L
> > /etc/datemsk            L
> > /usr/bin                R-tiger-rmd160-sha1
> > /usr/include            R-tiger-rmd160-sha1
> > /usr/lib                R-tiger-rmd160-sha1
> > /usr/libdata            R-tiger-rmd160-sha1
> > /usr/libexec            R-tiger-rmd160-sha1
> > /usr/local/bin          R-tiger-rmd160-sha1
> > /usr/local/etc          L
> > /usr/local/lib          R-tiger-rmd160-sha1
> > /usr/local/libexec      R-tiger-rmd160-sha1
> > /usr/local/sbin         R-tiger-rmd160-sha1
> > 
> > where L, as in aide, is a predefined macro for things about the file to check
> > for.
> > 
> 
> 
> I don't really understand why folks have not understood that this
> is all pretty much possible today and has been for some time.
> The specific features of tripwire which do not resemble cfengine's
> way of working are mainly omitted because I strongly feel that tripwire's
> approach is wrong.
> 
> Tripwire is about binding people's time by just sending warnings.
> Cfengine is about saving time by keeping things right. I will
> never allow that to change. If cfengine really is missing something
> important (i.e. not just something traditional) then I will
> add it, but I do not add features just because other well known
> software has them. There has to be a defensible reason.
> 

Hmm... I am just trying to find a solution for the following situations:

I'd like to have something like tripwire functionality in combination with
a configuration engine.
The needs are:
- some of the systems need a guarantee not to be changed without a formal
  change request
- we want to know about changes to configuration files; there might be an intruder
- cfengine installed in another context led to the following problem:
  the Sun staff had installed DiskSuite on one of the machines. Their changes
  were overwritten automatically by cfengine. It took 2 days to resolve the
  consequences.

- also, we maintain systems under different responsibilities. On some of the
  systems users have root access. For those systems we want to be informed
  about changes.

- sometimes we make manual changes for evaluation. The system administrator
  on duty should be aware of this (and define the duration).
  

So my proposal for an automated configuration would be:
- watch the systems for alien changes
- scripts to consolidate should be run manually on request (cfagent
  -DBaseConfig)

This does not follow the paradigms of cfengine 100%.


regards, hermann
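Hermann's "watch the systems for alien changes" proposal and Tony's per-path hash rules, as an added example that is not code from this thread or from cfengine: a small Python script that records a baseline of file metadata plus sha1 and sha256 digests (tiger and rmd160 from Tony's rule are not guaranteed by Python's hashlib, so sha256 is substituted as the second algorithm), then reports added, removed and changed files without touching anything on disk. Consolidation is deliberately left to a manual run, as Hermann describes. The directory tree it scans is constructed in a temporary directory; the paths and contents are made up for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Digests recorded per regular file. Tony's rule also names tiger and rmd160,
# but Python's hashlib does not guarantee them, so sha1 (which the rule lists)
# is paired with sha256 here instead. (Assumption for this example.)
ALGORITHMS = ("sha1", "sha256")


def file_record(path: Path) -> dict:
    """Metadata and digests for one path (symlinks are recorded, not followed)."""
    st = path.lstat()
    rec = {"mode": st.st_mode & 0o7777, "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if path.is_symlink():
        rec["target"] = os.readlink(path)
    elif path.is_file():
        digests = {name: hashlib.new(name) for name in ALGORITHMS}
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                for d in digests.values():
                    d.update(chunk)
        rec.update({name: d.hexdigest() for name, d in digests.items()})
    return rec


def build_baseline(roots) -> dict:
    """Walk each root (a file, or a directory recursively) and record every entry."""
    baseline = {}
    for root in map(Path, roots):
        if root.is_dir() and not root.is_symlink():
            for dirpath, _dirs, files in os.walk(root):
                for name in files:
                    p = Path(dirpath) / name
                    baseline[str(p)] = file_record(p)
        elif root.exists() or root.is_symlink():
            baseline[str(root)] = file_record(root)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report-only comparison: lists what differs, modifies nothing."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in set(baseline) & set(current):
        old, new = baseline[path], current[path]
        fields = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if fields:
            changed[path] = fields
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then edit, add and remove a file."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "aliases").write_text("root: ops\n")
        (etc / "bootptab").write_text("# no entries\n")
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline([etc]), db)
        # Changes made outside the configuration engine (constructed).
        (etc / "aliases").write_text("root: ops\npostmaster: ops\n")
        (etc / "ntp.conf").write_text("server 192.0.2.1\n")
        (etc / "bootptab").unlink()
        report = compare(load_baseline(db), build_baseline([etc]))
        # Report paths relative to the temp dir so they read like real ones.
        rel = lambda p: os.path.relpath(p, tmp)
        return {"added": [rel(p) for p in report["added"]],
                "removed": [rel(p) for p in report["removed"]],
                "changed": {rel(p): f for p, f in report["changed"].items()}}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline file itself is the weak point of any such scheme: if it lives on the monitored host with the same privileges as the files it describes, whoever can change those files can rewrite the baseline too, so in practice it is copied off-host or kept read-only after each approved change.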