Hello Charlie!

> On Tuesday 25 September 2007 1:57:35 am you wrote:
> I glossed over a small point with a) (capture config): inode attributes.
> I know that you capture the uid/gid/permissions

True

> and maybe even the SELinux context,

Not yet.

> but do you version it, so that we would know if it changed?

The meta-data is kept as properties of the file ... and subversion versions
them, so you'll see in the repository that a file changed from 0777 to 0700.
Do I understand you correctly here?

> Or does the interface at least compare them during the check?

Of course it compares them, to quickly see which files are changed.

> AIDE does this as part of its checks, so it feels a little like I'm
> replacing AIDE's functionality.

I don't know AIDE (yet).

> c) (causality) is a little more complicated because we might try something
> like ausearch -f <path_to_file> -ts today to get all audited activity on
> the file, if any (watches may not be enabled, but perhaps a failed read
> would reveal something).

I don't know what ausearch does ... but I believe you'd get similar results
with "svn log <file>", and that supports timestamps too.

> d) (other execution programs) is meant to allow monitoring of things which
> don't have a direct or predictable tie to the filesystem. So, while I might
> track which modules are loaded with the filename /proc/modules, I may not
> care about the address reported at the end of the line so I'd create a
> small program to edit that out.

FSVS has commit- and update-pipe, which get called on update or commit ...
then only the "interesting" parts are versioned.
http://fsvs.tigris.org/source/browse/*checkout*/fsvs/trunk/www/doxygen/html/group__s__p__n.html#g2d334147103fe5343ebed845cea712c7

> Another external program that I might run would be pam_tally, which I
> could use to track users that had been locked out.

Take /etc/shadow, there you'll see which users are locked :-)

Or, the (probably) easier way - in your cronjob call your programs, redirect
their output in some file, and keep that versioned.

I don't think I can really compare FSVS with your solutions; but I hope that
at least I can provide some answers. Please don't hesitate to ask, if there
are any other questions.

Regards,

Phil

--
Versioning your /etc, /home or even your whole installation?
Try fsvs (fsvs.tigris.org)!
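An added example, not part of the original message and not FSVS code: the cron approach described above, applied to the /proc/modules case from the quoted question. The function names, the sample module lines and the target path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keep filtered command output in a directory that is under
# version control, so only meaningful changes show up as differences.

# Drop the load address (a 0x... field) from /proc/modules-style lines and
# sort the lines so that module load order does not produce spurious changes.
normalize_modules() {
    awk '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^0x[0-9a-fA-F]+$/) continue   # skip the address field
            out = (out == "" ? $i : out " " $i)
        }
        print out
    }' | LC_ALL=C sort
}

# snapshot FILE: read stdin and replace FILE only if the content differs.
# Returns 0 when FILE was written, 1 when it was already up to date.
snapshot() {
    target=$1
    tmp=$(mktemp "${target}.XXXXXX") || return 2
    cat > "$tmp"
    if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$target"
    return 0
}

# Constructed sample in /proc/modules format (not taken from a real host).
sample_modules() {
    cat <<'EOF'
usbcore 123456 3 ehci_hcd,uhci_hcd, Live 0xf8a1c000
ext3 131848 2 - Live 0xf8b40000
jbd 57256 1 ext3, Live 0xf8a90000
EOF
}

# Typical cron use (the target path is an assumption):
#   normalize_modules < /proc/modules | snapshot /var/lib/state/modules
```

Because snapshot leaves the file untouched when nothing relevant changed, a reload that only moves module addresses produces no new revision in the repository.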
