help-cfengine

Re: find file changes


From: Mark Burgess
Subject: Re: find file changes
Date: Wed, 10 Oct 2001 10:17:19 +0200 (MET DST)

On 10 Oct, Hermann Biller wrote:
> Mark.Burgess@iu.hio.no wrote:
>> 
>> On  9 Oct, Tony wrote:
>> > 
>> > Conceptually I'd like to see something like tripwire or aide like
>> > functionality integrated w/ cfengine.
>> > 
>> > So my cfengine.conf would contain something like
>> > 
>> > files:
>> > AllMachines.FileMonitor::
>> > /etc/TIMEZONE           L
>> > /etc/aliases            L
>> > /etc/auto_master        L
>> > /etc/bootparams         L
>> > /etc/bootptab           L
>> > /etc/datemsk            L
>> > /usr/bin                R-tiger-rmd160-sha1
>> > /usr/include            R-tiger-rmd160-sha1
>> > /usr/lib                R-tiger-rmd160-sha1
>> > /usr/libdata            R-tiger-rmd160-sha1
>> > /usr/libexec            R-tiger-rmd160-sha1
>> > /usr/local/bin          R-tiger-rmd160-sha1
>> > /usr/local/etc          L
>> > /usr/local/lib          R-tiger-rmd160-sha1
>> > /usr/local/libexec      R-tiger-rmd160-sha1
>> > /usr/local/sbin         R-tiger-rmd160-sha1
>> > 
>> > where L is, as in aide, a predefined macro for the things about the
>> > file to check for.
>> > 
>> 
>> 
>> I don't really understand why folks have not understood that this
>> is all pretty much possible today and has been for some time.
>> The specific features of tripwire which do not resemble cfengine's
>> way of working are mainly omitted because I strongly feel that tripwire's
>> approach is wrong.
>> 
>> Tripwire is about binding people's time by just sending warnings.
>> Cfengine is about saving time by keeping things right. I will
>> never allow that to change. If cfengine really is missing something
>> important (i.e. not just something traditional) then I will
>> add it, but I do not add features just because other well known
>> software has them. There has to be a defensible reason.
>> 
> 
> hmm... I'm just trying to find a solution for possible situations:
> 
> I'd like to have something like a tripwire functionality in combination with
> a configuration engine.
> The needs are:
> - some of the systems need a guarantee not to be changed without a formal
>   change request
> - we want to know about changes of configuration files; there might be an intruder
> - cfengine installed in another context led to the following problem:
>   the Sun staff had installed DiskSuite on one of the machines. Their changes
>   had been overwritten automatically by cfengine. It needed 2 days to resolve the
>   consequences.


This is not cfengine's fault, it was the Sun staff's for not checking the policy
in advance!


> - also we maintain systems under different responsibility. On some of the systems
>   users have root access. For those systems we want to be informed about the
>   change.
> 
> - sometimes we make manual changes for evaluation. The duty system administrator
>   should be aware of this (and define the duration).
> 
> so my proposal for an automated configuration would be:
> - watch the systems for alien changes
> - scripts to consolidate should be performed manually on request (cfagent
>   -DBaseConfig)
> 
> This does not follow the paradigms of cfengine 100%.


It certainly does. You have not mentioned a single thing which is
not easily achievable now. I think it's back to the documentation
for you!! And let's try to identify how it can be simplified to get
new users going.


Mark

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
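As an added example (not from the thread or the cfengine project), the following sketch shows how the two modes discussed above could be expressed: warn-only change detection on hosts where users hold root, and enforcement on hosts under formal change control. It assumes the cfengine 2-era `files:` syntax with `checksum=md5` and `action=warnall|fixall`, the `ChecksumDatabase`/`ChecksumUpdates` control variables, and hypothetical class names `FileMonitor` and `RootAccessHosts`.

```cfengine
# Added example, not from the thread. Assumes cfengine 2-era "files:"
# syntax (checksum=md5, action=warnall|fixall, recurse=inf) and the
# ChecksumDatabase / ChecksumUpdates control variables. The class names
# FileMonitor and RootAccessHosts are hypothetical.

control:

   actionsequence   = ( files )

   # Baseline of md5 sums. With updates off, a file whose sum no longer
   # matches the stored one is reported on every run until an approved
   # change is re-baselined by running once with ChecksumUpdates = ( on ).
   ChecksumDatabase = ( /var/cfengine/cfdb )
   ChecksumUpdates  = ( off )

files:

   # Tripwire-style behaviour: report only, never repair. For the hosts
   # where users have root and no change request is required, but the
   # duty administrator wants to know what changed and when.
   RootAccessHosts::

      /etc/aliases        checksum=md5 action=warnall
      /etc/auto_master    checksum=md5 action=warnall
      /usr/bin            checksum=md5 recurse=inf action=warnall
      /usr/local/sbin     checksum=md5 recurse=inf action=warnall

   # Cfengine-style behaviour: hosts under formal change control. A
   # changed checksum is still reported, and ownership and permissions
   # are put back to the policy value rather than merely noted.
   FileMonitor.!RootAccessHosts::

      /etc/aliases        mode=644 owner=root group=root checksum=md5 action=fixall
      /usr/bin            mode=755 owner=root group=bin  recurse=inf checksum=md5 action=fixall
```

Checksum detection only reports content changes; `action=fixall` restores mode and ownership, not file contents, so a content restore would need a separate `copy:` stanza from a trusted source.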
