On Mar 22, 2010, at 9:26 AM, Brice Figureau wrote:
On Mon, 2010-03-22 at 09:14 -0700, Luke Kanies wrote:
There are two easy answers:
1) Our customers actually want to get rid of Tripwire (for multiple
reasons) and if we could just track file changes we've got the most
important replacement functionality.
To really replace Tripwire you actually need to encrypt/sign the state
file which I'm not sure we're doing for the moment.
You also need to be able to store it elsewhere in a non-tamperable
storage, with the possibility to manually overwrite it (it reminds me
of when we were doing this on CD-R :-)).
In other words, it's much more than just comparing and firing events.
Well, it depends - to replace everything about Tripwire, that's true.
But basically tracking changes is 70% of the way there -- you know stuff
but your confidence on the things you know isn't awesome. To get
close enough for nearly enough, we'd need to sign the catalog and then
sign the resulting state file. With that, we're probably good enough
that I'd be comfortable actually selling that.
2) The ability to track any parameter on any resource is a far cry
from just tracking file content. E.g., you could do things like track
password changes for root, which would be essentially impossible for a
tool like Tripwire because it lacks the semantic richness.
Agreed. Even though Osiris is able to track more things than files,
it's not as powerful as Puppet can be.
And here's a bonus reason, for free:
3) It's a great way for people to start managing - first monitor the
state so you know what the current operational mode is, and only once
you have that baseline do you start managing.
And this would only ever slow things down if you used it, just like
noop. And even then it shouldn't be slow - it should actually be
faster than actually managing a resource, because you're just
retrieving and comparing, rather than those two plus writing.
That's correct.
--
Zeilinger's Fundamental Law:
There is no Fundamental Law.
---------------------------------------------------------------------
Luke Kanies -|- http://reductivelabs.com -|- +1(615)594-8199
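
The exchange above turns on one point: comparing recorded resource parameters only means something if the recorded state cannot be silently rewritten. An added example (not part of the original thread and not Puppet's code) that audits per-resource parameters against a baseline and refuses to trust a baseline whose integrity tag fails. It uses an HMAC as a stand-in for the signing step discussed; the key, function names and sample resources are all constructed for illustration.

```ruby
require 'openssl'
require 'json'

# Hypothetical key; it must live off the audited host, or the check is moot.
AUDIT_KEY = 'constructed-demo-key'

# Serialize with sorted keys so the same state always yields the same MAC.
def canonical(state)
  JSON.generate(state.sort.map { |res, params| [res, params.sort] })
end

# Wrap a recorded state with its integrity tag (HMAC-SHA256).
def sign_state(state, key = AUDIT_KEY)
  { 'state' => state,
    'mac' => OpenSSL::HMAC.hexdigest('SHA256', key, canonical(state)) }
end

# Compare two strings without leaking where they first differ.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns [:tampered, []] if the baseline fails verification,
# otherwise [:ok, [[resource, param, recorded, current], ...]].
def audit(signed, current, key = AUDIT_KEY)
  expected = OpenSSL::HMAC.hexdigest('SHA256', key, canonical(signed['state']))
  return [:tampered, []] unless constant_time_eq?(expected, signed['mac'].to_s)
  changes = []
  signed['state'].each do |res, params|
    params.each do |name, recorded|
      now = current.fetch(res, {})[name]
      changes << [res, name, recorded, now] unless recorded == now
    end
  end
  [:ok, changes]
end

# Constructed sample baseline: a user parameter and file parameters.
BASELINE = {
  'User[root]' => { 'password' => '$6$constructed$aaaa' },
  'File[/etc/motd]' => { 'content' => '{md5}constructed0001', 'mode' => '0644' }
}.freeze
```

Because an HMAC key can both create and verify tags, a host that holds the key can forge a baseline; an asymmetric signature made elsewhere removes that limitation.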