[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: can I file sweep / and exclude full pathnames?
|
From: |
Thomas Glanzmann |
|
Subject: |
Re: can I file sweep / and exclude full pathnames? |
|
Date: |
28 Dec 2002 20:17:17 GMT |
|
User-agent: |
slrn/0.9.7.4 (Linux) |
> I'd like cfengine to sweep the entire filesystem in one shot, but don't
> want to globally allow any file named sudo or su or crontab in any
> directory to have the SUID bit set. Is there a simple way to do it like
> in the first (non-working) example?
Yep there is one. Have look at my config:
solaris::
#/usr/local.stand, an tg: wegen icipmail/cmqueue s-bits
/ ignore=/local ignore=/src ignore=/mnt ignore=/proj ignore=/autofs
ignore=/home ignore=/proc ignore=/dev ignore=/devices ignore=/usr/local.stand
ignore=/usr/bin/at ignore=/usr/bin/atq
ignore=/usr/bin/atrm ignore=/usr/bin/crontab
ignore=/usr/bin/netstat ignore=/usr/bin/su
http://wwwcip.informatik.uni-erlangen.de/~sithglan/cfengine/inputs/cfagent.conf
But that sux, too. But there should be a way using filters but I didn't figured
it out yet (not even treid hard). But if somebody else does ... please tell me.
:)
Greetings,
Thomas
--
Thomas Glanzmann ++49 (0) 9131 85-27574 Department of Computer Science III
Martensstrasse 3 D-91058 Erlangen Germany University of Erlangen-Nuremberg
http://www3.informatik.uni-erlangen.de/Research/UMLinux/
>From luke@madstop.com Mon Dec 30 19:36:09 2002
Received: from list by monty-python.gnu.org with tmda-scanned (Exim 4.10.13)
id 18TAO9-0000B7-00
for help-cfengine@gnu.org; Mon, 30 Dec 2002 19:36:09 -0500
Received: from mail by monty-python.gnu.org with spam-scanned (Exim 4.10.13)
id 18TAO5-0000AG-00
for help-cfengine@gnu.org; Mon, 30 Dec 2002 19:36:08 -0500
Received: from [207.65.26.13] (helo=pixie.madstop.com)
by monty-python.gnu.org with esmtp (Exim 4.10.13)
id 18TAHy-0007BT-00
for help-cfengine@gnu.org; Mon, 30 Dec 2002 19:29:46 -0500
Received: from localhost (luke@localhost)
by pixie.madstop.com (8.11.6+Sun/8.11.6) with ESMTP id gBV0Tdc27148
for <help-cfengine@gnu.org>; Mon, 30 Dec 2002 18:29:40 -0600 (CST)
Date: Mon, 30 Dec 2002 18:29:39 -0600 (CST)
From: "Luke A. Kanies" <luke@madstop.com>
X-Sender: luke@pixie
To: help-cfengine@gnu.org
Message-ID: <Pine.GSO.4.10.10212301817300.27090-100000@pixie>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: cfenvd and netstat
X-BeenThere: help-cfengine@gnu.org
X-Mailman-Version: 2.1b5
Precedence: list
List-Id: Users list for GNU cfengine <help-cfengine.gnu.org>
List-Help: <mailto:help-cfengine-request@gnu.org?subject=help>
List-Post: <mailto:help-cfengine@gnu.org>
List-Subscribe: <http://mail.gnu.org/mailman/listinfo/help-cfengine>,
<mailto:help-cfengine-request@gnu.org?subject=subscribe>
List-Archive: <http://mail.gnu.org/pipermail/help-cfengine>
List-Unsubscribe: <http://mail.gnu.org/mailman/listinfo/help-cfengine>,
<mailto:help-cfengine-request@gnu.org?subject=unsubscribe>
X-List-Received-Date: Tue, 31 Dec 2002 00:36:09 -0000
Apparently cfenvd is trying to call netstat, but I don't have netstat in
/usr/ucb, where cfenvd is looking for it. (I installed a minimal install,
that's why netstat isn't in /ucb.) I still have a copy in /usr/bin, but i
think it's a bit of a hack just to link it.
Is this a compile-time option, or is it hard-coded? I didn't see in
available in configure.
I'm using Sparc/Solaris, cfengine-2.0.4.
--
"Did you know that black paint is an excellent stain remover?"
- Dogbert