Forum: Cfengine Help
Subject: laying a tripwire and firing the checksum_alerts class
Author: [email protected]
Link to topic: https://cfengine.com/forum/read.php?3,21544,21544#msg-21544
I'm looking at tripwire for the first time, and this is a sample policy that
I've implemented to look at changes under /etc
bundle agent lay_etc_tripwire_detection
{
vars:
  "files_to_ignore" slist => { "mnttab", "utmppipe", "mtab", "prelink.cache" } ;

files:
  sunos_5_10|linux::
    # Hash everything under /etc and record changes to the md5 database
    "/etc"
      handle => "tripwire_on_etc",
      changes => detect_filesystem_changes,
      depth_search => etc_tripwire_ignores("inf"),
      file_select => ex_list(@(files_to_ignore)),
      action => background;

reports:
  checksum_alerts::
    "cf3: The tripwire on $(sys.host):/etc has been tripped. ";
}
################################################################
body changes detect_filesystem_changes
{
hash => "md5";
report_changes => "all";
update_hashes => "yes";
}

################################################################
body depth_search etc_tripwire_ignores(depth_of_directories)
{
depth => "$(depth_of_directories)";
# Directories that are expected to change constantly and are not worth alerting on
exclude_dirs => { "/etc/saf", "/etc/svc/volatile", "/etc/devices" };
}
Apparently, when the body changes action on an MD5 change takes place, the class
checksum_alerts gets raised automatically. And it's persistent.
When I try to execute this, I can't get the report to fire on the same
execution. It only fires on subsequent executions of cf-agent (because the
persistent class has taken effect).
[562] ~ $ /var/cfengine/bin/cf-agent -I -K -b lay_etc_tripwire_detection
>> Using command line specified bundlesequence
[563] ~ $
So no MD5 changes detected. Let's create a file. This adds it to the MD5
database.
[563] ~ $ touch /etc/mike
[564] ~ $ /var/cfengine/bin/cf-agent -I -K -b lay_etc_tripwire_detection
>> Using command line specified bundlesequence
[565] ~ $ !! File /etc/mike was not in md5 database - new file found
I: Report relates to a promise with handle "tripwire_on_etc"
I: Made in version '1.3.4' of
'/var/cfengine/inputs/lay_etc_tripwire_detection.cf' near line 14
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ALERT: Last modified time for /etc/mike changed Tue Apr 19 23:52:43 2011 -> Wed
Apr 20 08:20:20 2011
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Now that we've created a file, let's change the MD5 checksum. This triggers the
alert.
[568] ~ $ echo blah >> /etc/mike
[569] ~ $ /var/cfengine/bin/cf-agent -I -K -b lay_etc_tripwire_detection
>> Using command line specified bundlesequence
[570] ~ $ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ALERT: Hash (md5) for /etc/mike changed!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-> Updating hash for /etc/mike to MD5=0d599f0ec05c3bda8c3b8a68c32a1b47
I: Report relates to a promise with handle "tripwire_on_etc"
I: Made in version '1.3.4' of
'/var/cfengine/inputs/lay_etc_tripwire_detection.cf' near line 14
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ALERT: Last modified time for /etc/mike changed Wed Apr 20 08:20:20 2011 -> Wed
Apr 20 08:20:50 2011
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
So we detected the change, but the report didn't print. I think the persistent
class for checksum_alerts is being raised _after_ we pass the reports: or
commands: promises.
On subsequent runs, it does trigger the report, because the class is persistent.
[570] ~ $ /var/cfengine/bin/cf-agent -I -K -b lay_etc_tripwire_detection
>> Using command line specified bundlesequence
R: cf3: The tripwire on esv4-be24.stg:/etc has been tripped.
My problem with this currently is that I'm running cf-execd on hourly
intervals. My reports / commands would fire an hour after the change was
actually detected.
Also, I've been having problems raising this variable:
checksum_alert_time:
http://www.cfengine.org/manuals/cf3-reference.html#checksum_005falert_005ftime-in-agent
Since I run cf-agent on an hourly basis, and the maximum value to raise the
persistence is 60 minutes, I think it's just not working for me. =(
Anyone have a better implementation from what I'm trying to accomplish?
Thanks!
Mike
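Added example, not part of the post or of cfengine: a small Python tripwire with the same semantics as the policy above (md5 database, report all changes, update hashes, the ignore list and the excluded directories), replayed against a scratch directory so that the "new file", "hash changed" and "mtime changed" alerts are produced in the same pass that detects them rather than via a persistent class. Paths, file contents and the forced mtime are constructed.

```python
import hashlib
import os
import tempfile

# Mirrors the 'changes' body above: md5 database, report all, update hashes,
# plus the files_to_ignore list and exclude_dirs (here relative to the root).
FILES_TO_IGNORE = {"mnttab", "utmppipe", "mtab", "prelink.cache"}
EXCLUDE_DIRS = {"saf", "svc/volatile", "devices"}

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def scan(root, db):
    """Compare root against db {relpath: (md5, mtime)} and return alert strings;
    db is updated in place (update_hashes => "yes")."""
    alerts = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = "" if dirpath == root else os.path.relpath(dirpath, root)
        # exclude_dirs: prune subtrees before os.walk descends into them
        dirnames[:] = [d for d in dirnames if os.path.join(rel_dir, d) not in EXCLUDE_DIRS]
        for name in filenames:
            if name in FILES_TO_IGNORE:
                continue
            rel = os.path.join(rel_dir, name)
            path = os.path.join(dirpath, name)
            digest, mtime = md5_of(path), int(os.stat(path).st_mtime)
            if rel not in db:
                alerts.append(f"File {rel} was not in md5 database - new file found")
            else:
                old_digest, old_mtime = db[rel]
                if old_digest != digest:
                    alerts.append(f"Hash (md5) for {rel} changed!")
                if old_mtime != mtime:
                    alerts.append(f"Last modified time for {rel} changed")
            db[rel] = (digest, mtime)
    return alerts

def demo():
    """Replay the post's three runs in a scratch directory (constructed data)."""
    root, db = tempfile.mkdtemp(), {}
    os.makedirs(os.path.join(root, "svc", "volatile"))
    open(os.path.join(root, "svc", "volatile", "skip"), "w").close()  # excluded
    baseline = scan(root, db)                 # run 1: nothing to report
    mike = os.path.join(root, "mike")
    open(mike, "w").close()                   # touch /etc/mike
    created = scan(root, db)                  # run 2: new file found
    with open(mike, "a") as f:
        f.write("blah\n")                     # echo blah >> /etc/mike
    os.utime(mike, (1303259450, 1303259450))  # constructed mtime (Apr 2011)
    modified = scan(root, db)                 # run 3: hash and mtime changed
    return baseline, created, modified
```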
_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine