(zombie thread raaaaar!) Where this comes up for me is when I have packages set to "latest". There's not really any way, I don't think, to integrate samhain into this process (that is, to say "I just installed this package with apt, so update those files"), which is pretty unfortunate, really; that seems like a fairly basic feature for something like samhain. Something like "run this, and update every file it touches cuz I'm OK with that".

-Robin

On Fri, Jan 08, 2010 at 09:06:13PM -0500, Trevor Vaughan wrote:
> Vince,
>
> If you really want to do this, I would do the first scenario you
> describe with a few key points.
>
> 1) Let puppet run
> 2) Have an exec in puppet that runs a job in the background that does
> the following:
>    - Waits until all puppet instances have finished running
>    - Runs a samhain check against the system and e-mails/syslogs it to
>      the admin
>    - Re-initializes the database.
>
> This way, you're sure that puppet is done running and you get a copy of
> the last 'change' state of the system in case someone has planted
> something since the last run.
>
> Basically, you're effectively defeating a great deal of the purpose of
> samhain, which is to protect against unknown changes. If you
> automatically reinitialize the database, then you run the high risk of
> someone being able to plant something during the next initialization.
>
> You also are going to be putting a heavy load on your system on a fairly
> regular basis.
>
> What I would instead suggest is to only use samhain to monitor those
> items that Puppet is not already watching. Puppet will, of course,
> change any file to its proper state, so having samhain watch it as well
> is redundant effort on the part of your system.
>
> You may, however, have perfectly good reasons for doing it this way.
>
> If you're using a Linux or Solaris system, you may also want to look at
> the built in auditing subsystems and/or inotify for real-time
> notification functionality.
>
> Trevor
>
> On 01/08/2010 04:41 PM, Vince wrote:
> > We just started using samhain on our servers.
> >
> > Since updates to our puppet manifests tend to change files on the
> > system that samhain monitors, I'm looking for a good way to
> > reinitialize the samhain database whenever puppet changes something on
> > the system to reduce notifications that samhain produces. I'm
> > wondering if anyone has an elegant way of dealing with this.
> >
> > Ideally we do something like this:
> >
> > 1. let puppet run
> > 2. if any files changed during the puppet run, then puppet will
> > automatically reinitialize samhain
> >
> > or even if we can do something like this it would be fine:
> >
> > 1. have puppet disable samhain before it processes its manifests
> > 2. apply manifest changes
> > 3. reinitialize the samhain database
> > 4. enable samhain
> >
> > Any suggestions would be very helpful.
> >
> > Thanks.
> >
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc.
> email: [email protected]
> phone: 410-541-ONYX (6699)
>
> -- This account not approved for unencrypted sensitive information --
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>

--
http://singinst.org/ : Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot is dead" is "ti poi spitaki cu morsi", but "this sentence is false" is "na nei".
My personal page: http://www.digitalkingdom.org/rlp/
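The post-run job Trevor describes (wait for puppet to finish, run a samhain check so the report goes out, then rewrite the baseline), written up as an added shell example that is not part of this thread. It assumes samhain at /usr/sbin/samhain with the `-t check` / `-t update` run modes and `--foreground`, and that a running puppet agent holds the lock file named in PUPPET_LOCK (that path is an assumption and differs between Puppet versions).

```shell
#!/bin/sh
# Added example (not from the thread): post-puppet samhain rebaseline job.
# Assumptions: samhain is at $SAMHAIN and supports '-t check' / '-t update'
# with --foreground; a running puppet agent holds $PUPPET_LOCK (the path
# differs between Puppet versions, so verify it on your hosts).
PUPPET_LOCK="${PUPPET_LOCK:-/var/lib/puppet/state/puppetdlock}"
SAMHAIN="${SAMHAIN:-/usr/sbin/samhain}"
MAX_WAIT="${MAX_WAIT:-600}"   # seconds to wait for puppet before giving up

# Block until no puppet run holds the lock. Returns 1 on timeout so the
# caller never rewrites the baseline while puppet may still be changing files.
wait_for_puppet() {
    waited=0
    while [ -e "$PUPPET_LOCK" ]; do
        if [ "$waited" -ge "$MAX_WAIT" ]; then
            echo "timed out waiting for puppet lock $PUPPET_LOCK" >&2
            return 1
        fi
        sleep 5
        waited=$((waited + 5))
    done
    return 0
}

# Check first, so the report of everything that differs from the old
# baseline (puppet's changes and anything else) reaches syslog/mail before
# the database is rewritten; only then update the baseline.
rebaseline() {
    "$SAMHAIN" -t check --foreground
    "$SAMHAIN" -t update --foreground
}

# Entry point when run as a script (e.g. backgrounded from a puppet exec).
if [ "${0##*/}" = "samhain-rebaseline.sh" ]; then
    wait_for_puppet && rebaseline
fi
```

Because the check runs before the update, anything that changed outside Puppet still shows up in the report before the baseline absorbs it, which is the "copy of the last change state" Trevor refers to.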
