Re: Simply look for changes to /etc
57 views
Skip to first unread message
jcbollinger
Jul 27, 2012, 3:35:35 PM7/27/12
to puppet...@googlegroups.com
On Friday, July 27, 2012 6:30:15 AM UTC-5, bailey86 wrote:
I have a simple request.On a single server I'd like to be able to see changes to any files in /etc. This is because other users may carry out changes - and I'd like to monitor what changes to /etc/ are made by package installs.
That's simple to say, but not so simple to do. Especially so if you want to track multiple changes over time, notice creation of new files, etc.. Puppet really isn't designed for that sort of job. It's aimed at achieving and maintaining particular system states, not at recording changes in state over time.
I hadn't heard of etckeeper before, but using git for this sort of thing sounds particularly apropos. Although it may not be available pre-packaged for SLES, the code looks pretty simple. It shouldn't be hard to package it up, especially with the Debian packaging available as a guide.
John
Stuart Cracraft
Jul 28, 2012, 2:57:33 AM7/28/12
to puppet...@googlegroups.com
Good idea.
Until Puppet has the important production-tracking / security / forensics feature you want, use the "exec" in Puppet and
roll-your-own production-monitoring class.
One idea for implementation follows:
Backup /etc.
Then run the following, outputting it to "A" or "B" at time "t":
find /etc -exec md5sum {} \; | sort -k 34 | md5sum
At time "t+<n>", rerun the above but output to the other of "A" or "B".
Backup /etc to a separate backup file.
Diff A and B.
If no difference (e.g. diff is empty), no data change (note: does not measure updates/"touches" that don't change data -
for that, diff the successive output of a sorted "find /etc -ls {} \;" as well.)
If difference (diff is non-empty), the files(s) and/or directory that is added, removed, or changed, is shown with the before/after checksums.
Remove the 1st backup. 2nd backup becomes 1st backup for next run to accumulate 2nd backup, etc.
Testing the above with mkdir somedir, touch somedir/somefile, rm somedir/somefile, rmdir somedir
gave predictable md5 hashes returning to the prior state, a decent sign, though not a comprehensive test.
The reason you use find instead of cpio/tar and backup /etc twice is to have a before/after for forensics to find the changed file(s)
--Stuart
On Jul 27, 2012, at 4:30 AM, bailey86 <bail...@gmail.com> wrote:
I have a simple request.On a single server I'd like to be able to see changes to any files in /etc. This is because other users may carry out changes - and I'd like to monitor what changes to /etc/ are made by package installs.
(The server is running SLES 11 SP2. Normally, I'd use etckeeper which is a simple tool for putting /etc/* files into a local git repository but this is not available on SLES).Could anyone point me at how to install puppet on this SLES server and what commands would be used to see any changes to /etc/* files. And then maybe how to add these changes into the current configs so I can see new changes again. I'm getting the Pro Puppet book today but though that what I'm asking for might be relatively simple.Thanks,Kevin Bailey--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/8DX-7Hhiz00J.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
devzero2000
Jul 28, 2012, 4:07:35 AM7/28/12
to puppet...@googlegroups.com
Sorry for the top posting.
Unless someone want consider that a configuration management system is
also an integrity checker, i no for example, i suggest to use for this
sort of thing a specific tool. There are many, also sophisticated. A
very simple tool is aide, for example, or tripwire.
Best regards
2012/7/27, bailey86 <bail...@gmail.com>:
Inviato dal mio dispositivo mobile
Unless someone want consider that a configuration management system is
also an integrity checker, i no for example, i suggest to use for this
sort of thing a specific tool. There are many, also sophisticated. A
very simple tool is aide, for example, or tripwire.
Best regards
2012/7/27, bailey86 <bail...@gmail.com>:
> I have a simple request.
>
> On a single server I'd like to be able to see changes to any files in /etc.
>
> This is because other users may carry out changes - and I'd like to
> monitor what changes to /etc/ are made by package installs.
>
> (The server is running SLES 11 SP2. Normally, I'd use etckeeper which is a
>
> simple tool for putting /etc/* files into a local git repository but this
> is not available on SLES).
>
> Could anyone point me at how to install puppet on this SLES server and what
>
> commands would be used to see any changes to /etc/* files. And then maybe
> how to add these changes into the current configs so I can see new changes
> again. I'm getting the Pro Puppet book today but though that what I'm
> asking for might be relatively simple.
>
> Thanks,
>
> Kevin Bailey
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/8DX-7Hhiz00J.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>
--
>
> On a single server I'd like to be able to see changes to any files in /etc.
>
> This is because other users may carry out changes - and I'd like to
> monitor what changes to /etc/ are made by package installs.
>
> (The server is running SLES 11 SP2. Normally, I'd use etckeeper which is a
>
> simple tool for putting /etc/* files into a local git repository but this
> is not available on SLES).
>
> Could anyone point me at how to install puppet on this SLES server and what
>
> commands would be used to see any changes to /etc/* files. And then maybe
> how to add these changes into the current configs so I can see new changes
> again. I'm getting the Pro Puppet book today but though that what I'm
> asking for might be relatively simple.
>
> Thanks,
>
> Kevin Bailey
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/8DX-7Hhiz00J.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>
Inviato dal mio dispositivo mobile
pdpinfo
Jul 28, 2012, 9:40:43 AM7/28/12
to puppet...@googlegroups.com
Fully agree.
Kevin, you may also consider some system distribution help as, for example, "Remote Filesystem Checker".
Needless to say, you must manage legitimate changes, as for updates, allowing automatic file checksum baseline regeneration after updates.
Regards,
Paolo
Kevin, you may also consider some system distribution help as, for example, "Remote Filesystem Checker".
Needless to say, you must manage legitimate changes, as for updates, allowing automatic file checksum baseline regeneration after updates.
Regards,
Paolo
> puppet-users+unsubscribe@googlegroups.com.
Jakov Sosic
Jul 28, 2012, 9:59:45 AM7/28/12
to puppet...@googlegroups.com
On 07/27/2012 01:30 PM, bailey86 wrote:
> I have a simple request.
>
> On a single server I'd like to be able to see changes to any files in
> /etc. This is because other users may carry out changes - and I'd like
> to monitor what changes to /etc/ are made by package installs.
>
> (The server is running SLES 11 SP2. Normally, I'd use etckeeper which
> is a simple tool for putting /etc/* files into a local git repository
> but this is not available on SLES).
>
> Could anyone point me at how to install puppet on this SLES server and
> what commands would be used to see any changes to /etc/* files. And
> then maybe how to add these changes into the current configs so I can
> see new changes again. I'm getting the Pro Puppet book today but though
> that what I'm asking for might be relatively simple.
I would point you at etckeeper, which is designed for this purpose. It
> I have a simple request.
>
> On a single server I'd like to be able to see changes to any files in
> /etc. This is because other users may carry out changes - and I'd like
> to monitor what changes to /etc/ are made by package installs.
>
> (The server is running SLES 11 SP2. Normally, I'd use etckeeper which
> is a simple tool for putting /etc/* files into a local git repository
> but this is not available on SLES).
>
> Could anyone point me at how to install puppet on this SLES server and
> what commands would be used to see any changes to /etc/* files. And
> then maybe how to add these changes into the current configs so I can
> see new changes again. I'm getting the Pro Puppet book today but though
> that what I'm asking for might be relatively simple.
uses distributed VCS as backend, so you can choose between mercurial,
bazaar, git or darcs. I prefer mercurial for this purpose.
You can also write post-commit hooks which will for example send you an
email with list of changed files at every commit, and set up cron that
will autocommit every night. You can also exclude files from versioning.
--
Jakov Sosic
www.srce.unizg.hr
Reply all
Reply to author
Forward
0 new messages