Re: find file changes

[Hermann Biller]

Mark.Burgess@iu.hio.no wrote:
> >> 
> >> I don't reall understand why folks have not understood that this
> >> is all pretty much possible today and has been for some time.
> >> The specific features of tripwire which do not resemble cfengine's
> >> way if working are mainly omitted because I strongly feel that tripwire's
> >> approach is wrong.
> >> 
> >> Tripwire is about binding people's time by just sending warnings.
> >> Cfengine is about saving time by keeping things right. I will
> >> never allow that to change. If cfengine really is missing something
> >> important (i.e. not just something traditional) then I will
> >> add it, but I do not add features just because other well known
> >> software has them. There has to be a defensible reason.
> >> 
> > 
> > hmm... i just try to find a solution for possible situations:
> > 
> > i'ld like to have something like a tripwire functionality in combination 
> > with
> > a configuration engine.
> > the needs are:
> > - some of the systems needs a guarantee not to be changed without a formal 
> > change request
> > - we want to know changes of configuration files. there might be an intruder
> > - cfengine installed in an other context lead to the following problem:
> >   the sun staff had installed disksuite on one of the machines. their 
> > changes has been
> >   overwritten automatically by cfengine. it needed 2 days to resolve the 
> > consequences.
> 
> 
> This is not cfengine's fault, it was the sunstaff's for not checking the 
> policy in advance!

      in fact it was my fault. in consequence i do not want to use cfengine in 
a way
      that configurations are done automatically (or "kept right" - see your 
answer above). 

> 
> 
> > - also we maintain systems in different responsability. to some of the 
> > systems
> >   users have root access. for those system we want to be informed about the 
> > change.
> > 
> > - sometimes we make manual changes for evaluation. the duty system 
> > administrator should
> >   be aware of this. (and define the duration)
> >   
> > 
> > so my proposal for an automated configuration will be:
> > - watch the systems for alien changes
> > - scripts to consolidate should be performed manually on request (cfagent 
> > -DBaseConfig)
> > 
> > this does not follow the paradigmas of cfengine by 100%.
> 
> 
> It certainly does. You have not mentioned a single thing which is
> not easily achievable now. I think it's back to the documentation
> for you!! And let's try to identify how it can be simplified to get
> going for start users.

i hoped to get hints from other cfengine users, already walked through this 
questions.

regards, hermann