Tripwire functionality in cfengine


Girish Kg

Jul 24, 2014, 3:37:57 PM
Hello,

I am trying to generate the tripwire functionality through cfengine.

Please find the code snippet below.

bundle agent trip
{
files:
        "/tmp/file1"
                comment => "This is to test the tripwire functionality in cfengine",
                changes=>detect_all_change; # Using the std function from cfengine_stdlib.cf

        "/var"
                comment => "This is to test the tripwire functionality in cfengine",
                changes=>detect_all_change,
                depth_search=>recurse("inf");

}

In a couple of scenarios the code is not working as expected:

1. When a new file is created in "/var", the above code is able to generate the ALERTS. But if a new directory is created, the ALERTS are not generated and even the Hash DB is not getting updated.

Before creating the dir
----------------------------------

# openssl sha1 checksum_digests.lmdb
SHA1(checksum_digests.lmdb)= 829782211c6aab5b768d68d027c09e832281651b

mkdir /var/test

After creating the dir
------------------------------

# openssl sha1 checksum_digests.lmdb
SHA1(checksum_digests.lmdb)= 829782211c6aab5b768d68d027c09e832281651b

2. No ALERTS are generated even if the file/directory is deleted from the monitoring location. Surprisingly, the Hash DB is getting updated.

# openssl sha1 checksum_digests.lmdb
SHA1(checksum_digests.lmdb)= 3f4f81b939c9fcbbe26dbef4f19c1adfb9df4872

rm /var/file

# openssl sha1 checksum_digests.lmdb
SHA1(checksum_digests.lmdb)= 3409f9801c9abb26892d37014676de284b468ed5

I tried this in both cfengine V3.4.1 and V3.6.0 (with the "detect_all_change_using(sha256)" function).

Can someone help me with this please.

Regards
Gireesh

Nick Anderson

Jul 24, 2014, 3:49:38 PM
to help-c...@googlegroups.com
On 07/24/2014 02:37 PM, Girish Kg wrote:
> Can someone help me with this please.

There have been some fixes that are coming in 3.6.1.

CFEngine Core 3.6.1.cbc51dd

files:
        "/tmp/watch/."
                changes => detect_all_change,
                depth_search => recurse("inf");


[root@hub masterfiles]# touch /tmp/watch/file
[root@hub masterfiles]# cf-agent -KIf ./promises.cf
...
2014-07-24T19:45:58+0000 notice: /default/service_catalogue/files/'/tmp/watch/.'[0]: New file '/tmp/watch/./file' found
2014-07-24T19:45:58+0000 notice: /default/service_catalogue/files/'/tmp/watch/.'[0]: Storing sha512 hash for '/tmp/watch/./file' (SHA=cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e)

[root@hub masterfiles]# rm /tmp/watch/file
rm: remove regular empty file `/tmp/watch/file'? yes
[root@hub masterfiles]# cf-agent -KIf ./promises.cf
...
2014-07-24T19:47:19+0000 notice: /default/service_catalogue/files/'/tmp/watch/.'[0]: File '/tmp/watch/./file' no longer exists

[root@hub masterfiles]# mkdir /tmp/watch/dir
[root@hub masterfiles]# cf-agent -KIf ./promises.cf
...
2014-07-24T19:47:58+0000 notice: /default/service_catalogue/files/'/tmp/watch/.'[0]: New file '/tmp/watch/./dir' found

[root@hub masterfiles]# rm -rf /tmp/watch/dir
[root@hub masterfiles]# cf-agent -KIf ./promises.cf
...
2014-07-24T19:48:22+0000 notice: /default/service_catalogue/files/'/tmp/watch/.'[0]: File '/tmp/watch/./dir' no longer exists
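
Added example, not part of the original thread and not CFEngine's own code: a parser that turns cf-agent notices like the ones in the reply above into created/removed events that can feed an alert, including when the output has been line-wrapped. The message patterns are assumed from the 3.6.1 output shown in this thread only, and the names `unwrap`, `parse_events` and `alerts` are hypothetical.

```python
import posixpath
import re

# Constructed sample: notices as in the reply above, mail-wrapped; the digest is fake.
SAMPLE = """\
2014-07-24T19:45:58+0000 notice:
/default/service_catalogue/files/'/tmp/watch/.'[0]: New file
'/tmp/watch/./file' found
2014-07-24T19:45:58+0000 notice:
/default/service_catalogue/files/'/tmp/watch/.'[0]: Storing sha512 hash
for '/tmp/watch/./file' (SHA=0123abcd)
2014-07-24T19:47:19+0000 notice:
/default/service_catalogue/files/'/tmp/watch/.'[0]: File
'/tmp/watch/./file' no longer exists
2014-07-24T19:47:58+0000 notice:
/default/service_catalogue/files/'/tmp/watch/.'[0]: New file
'/tmp/watch/./dir' found
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}\s")
NOTICE = re.compile(r"^(?P<ts>\S+)\s+notice:\s+(?P<promise>/.*?\[\d+\]):\s+(?P<msg>.*)$")
EVENTS = {  # message shapes assumed from this thread; other versions may differ
    "created": re.compile(r"^New file '(?P<path>.+)' found$"),
    "removed": re.compile(r"^File '(?P<path>.+)' no longer exists$"),
    "baselined": re.compile(r"^Storing \w+ hash for '(?P<path>.+)'"),
}

def unwrap(text):
    """Rejoin records that a mail client or terminal wrapped over several lines."""
    records = []
    for line in text.splitlines():
        if TS.match(line):                 # a timestamp starts a new record
            records.append(line.strip())
        elif records and line.strip():     # anything else continues the last one
            records[-1] += " " + line.strip()
    return records

def parse_events(text):
    """Return (timestamp, kind, normalised path) for every recognised notice."""
    out = []
    for m in filter(None, map(NOTICE.match, unwrap(text))):
        for kind, pat in EVENTS.items():
            e = pat.match(m["msg"])
            if e:  # normpath turns '/tmp/watch/./file' into '/tmp/watch/file'
                out.append((m["ts"], kind, posixpath.normpath(e["path"])))
    return out

def alerts(text):
    return [ev for ev in parse_events(text) if ev[1] in ("created", "removed")]
```
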



Girish Kg

Jul 24, 2014, 6:48:47 PM
to help-c...@googlegroups.com
Thank you so much Nick.

I could find the same point in 3.6.1 change log too.


Regards
Gireesh