help-cfengine
Re: find file changes


From: Mark . Burgess
Subject: Re: find file changes
Date: Wed, 10 Oct 2001 20:15:35 +0200 (MET DST)

On 10 Oct, cbbrowne@cbbrowne.com wrote:
> On Wed, 10 Oct 2001 10:11:09 +0200, the world broke into rejoicing as
> "Hermann Biller" <hb@imp.ch>  said:
>> Mark.Burgess@iu.hio.no wrote:
>> > 
>> > On  9 Oct, Tony wrote:
>> > > 
>> > > Conceptually I'd like to see something like tripwire or aide like
>> > > functionality integrated w/ cfengine.
>> > > 
>> > > So my cfengine.conf would contain something like
>> > > 
>> > > files:
>> > > AllMachines.FileMonitor::
>> > > /etc/TIMEZONE            L
>> > > /etc/aliases             L
>> > > /etc/auto_master         L
>> > > /etc/bootparams  L
>> > > /etc/bootptab            L
>> > > /etc/datemsk             L
>> > > /usr/bin                R-tiger-rmd160-sha1
>> > > /usr/include            R-tiger-rmd160-sha1
>> > > /usr/lib                R-tiger-rmd160-sha1
>> > > /usr/libdata            R-tiger-rmd160-sha1
>> > > /usr/libexec            R-tiger-rmd160-sha1
>> > > /usr/local/bin          R-tiger-rmd160-sha1
>> > > /usr/local/etc          L
>> > > /usr/local/lib          R-tiger-rmd160-sha1
>> > > /usr/local/libexec      R-tiger-rmd160-sha1
>> > > /usr/local/sbin         R-tiger-rmd160-sha1
>> > > 
>> > > where L is a predefined aide macro for things about the file to check for.
>> > > 
>> > 
>> > 
>> > I don't really understand why folks have not understood that this
>> > is all pretty much possible today and has been for some time.
>> > The specific features of tripwire which do not resemble cfengine's
>> > way of working are mainly omitted because I strongly feel that tripwire's
>> > approach is wrong.
>> > 
>> > Tripwire is about binding people's time by just sending warnings.
>> > Cfengine is about saving time by keeping things right. I will
>> > never allow that to change. If cfengine really is missing something
>> > important (i.e. not just something traditional) then I will
>> > add it, but I do not add features just because other well known
>> > software has them. There has to be a defensible reason.
>> > 
>> 
>> hmm... I just try to find a solution for possible situations:
>> 
>> I'd like to have something like a tripwire functionality in combination with
>> a configuration engine.
>> the needs are:
>> - some of the systems need a guarantee not to be changed without a formal change request
>> - we want to know changes of configuration files. there might be an intruder
>> - cfengine installed in another context led to the following problem:
>>   the sun staff had installed disksuite on one of the machines. their changes had been
>>   overwritten automatically by cfengine. it needed 2 days to resolve the consequences.
>> 
>> - also we maintain systems in different responsibility. to some of the systems
>>   users have root access. for those systems we want to be informed about the change.
>> 
>> - sometimes we make manual changes for evaluation. the duty system administrator should
>>   be aware of this. (and define the duration)
>> 
>> so my proposal for an automated configuration will be:
>> - watch the systems for alien changes
>> - scripts to consolidate should be performed manually on request (cfagent -DBaseConfig)
>> 
>> this does not follow the paradigms of cfengine by 100%.
> 
> This seems to be a circumstance where you properly need to use two
> quite independent sets of programs.


Cfengine can easily do both. And I use this all the time
at our site. There are docs on how to do it on the cfengine
site -- though not as well organized as they could be. Read
about security with cfengine.

I really don't understand what all this fuss is about.

> "watching systems for changes" just isn't similar to "evolving system
> configuration towards a more correct state."
> 
> It would be entirely reasonable to use cfengine to control how
> Tripwire is configured; I don't see it being sensible to try to push
> the functionality of Tripwire into cfengine.

This would be phenomenally pointless. I don't mean to be rude, but
it is frustrating to hear this discussion. I understand that there
is a lot to familiarize oneself with, but it's kind of like saying:
"we need to strap this hang glider onto the 747 because I glanced
at the manual and didn't see anything about it being able to
glide if the engines fail!"

All you folks who would like better documentation, why not come
to LISA or at the very least organize and work on a way to
improve it. It's all there, if you know what to look for.

M

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
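As an added illustration, not part of this thread or of the cfengine distribution, here is the split Hermann describes (always watch for alien changes, consolidate only when the duty admin runs `cfagent -DBaseConfig`) written in cfengine 2-era `cfagent.conf` syntax. The file paths, the `BaseConfig` class and the checksum database location are assumptions; the option names are the ones documented for cfengine 2 and should be matched against the reference manual for the version actually in use.

```cfengine
# Added example (not from the thread): tripwire-style watching plus
# on-request enforcement in one cfagent.conf. Paths, class names and the
# database location are assumptions; verify option names for your version.

control:
   actionsequence = ( files )

   # Assumed location. Checksums are recorded here on the first run and
   # compared on every later run.
   ChecksumDatabase = ( /var/cfengine/checksum.db )

   # Do not silently accept a changed checksum as the new baseline: keep
   # warning until someone reviews the change and re-baselines on purpose.
   ChecksumUpdates = ( off )

files:

   # Always active on every host: report only, never modify. This covers a
   # vendor engineer changing files (the disksuite case) or a root user on a
   # shared-responsibility system; warnings go to cfagent output/syslog.
   any::
      /etc/aliases      mode=644 owner=root group=root
                        checksum=md5 action=warnall
      /etc/auto_master  mode=644 owner=root group=root
                        checksum=md5 action=warnall
      /etc/TIMEZONE     mode=644 owner=root group=root
                        checksum=md5 action=warnall
      /usr/bin          recurse=inf checksum=md5 action=warnall
      /usr/local/sbin   recurse=inf checksum=md5 action=warnall

   # Only when explicitly requested with "cfagent -DBaseConfig", i.e. after a
   # formal change request has been approved: repair ownership and mode in
   # place. Contents are still not rewritten here; a copy: section from a
   # master would do that if desired.
   BaseConfig::
      /etc/aliases      mode=644 owner=root group=root action=fixall
      /etc/auto_master  mode=644 owner=root group=root action=fixall
      /etc/TIMEZONE     mode=644 owner=root group=root action=fixall
```

Running `cfagent` on its normal schedule exercises only the `any::` stanza, so a change shows up as a repeated warning rather than being reverted behind the administrator's back.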