GNU cfengine
7.8 Process monitoring
When it comes to process management we are usually interested in
three things: (i) making sure that certain processes are running,
(ii) making sure that some processes are NOT running, and (iii)
sending HUP signals to make daemons re-read their configuration files.
To HUP a daemon and make sure that it is running, we write
| |
processes:

  linux::

    "inetd" signal=hup restart "/usr/sbin/inetd" useshell=false
    "xntp"  restart "/local/sbin/xntpd" useshell=false
|
The useshell option tells cfengine that it should not use a shell
(/bin/sh -c) to start the program, but execute it directly. The idea
here is to protect against IFS attacks: when a shell parses the command
line, environment variables such as IFS and PATH decide how the string
is split into words and where the program is looked up, so anyone able
to tamper with cfengine's environment could get something other than
the intended daemon started. Executing the program directly takes the
shell, and the environment's influence on parsing, out of the picture.
Unfortunately some programs require a shell in order to be started,
but most do not. This is an extra precaution, not a substitute for
keeping cfengine's own environment and configuration out of reach.
When the cron daemon crashes, restarting it can be a problem
since it does not close its file descriptors properly when forking:
the restarted daemon keeps hold of the descriptors it inherits from
cfengine, so cfengine can end up waiting for output from the command
that never arrives. The dumb option, which runs the command without a
shell and without reading its output, helps here:
| |
    "cron" matches=>1 restart "/etc/init.d/cron start" useshell=dumb
|
To kill processes which should not be running, we write:
| |
processes:
solaris::
#
# Don't want CDE stuff or SNMP peepholes...
#
"ttdbserverd" signal=kill
"snmpd" signal=kill
"mibiisa" signal=kill
|
A couple of years ago a compromised account was discovered at
Oslo College by the following test in the cfengine configuration:
| |
processes:

  # Ping attack ?

  "ping" signal=kill inform=true
|
There are few legitimate reasons to run the ping command more than a few
times. Since cfengine only looks at the process table periodically, the
chance of it catching a single short-lived ping is quite small.
But coordinated ping attacks, which keep many ping processes running for
a long time, are another story. When it was revealed
that a user had twenty ping processes attempting to send large ping
packets to hosts in the United States, it was obvious that the account
had been compromised. Fortunately for the recipient, the ping command
had been mistyped and the attack would probably not even have been noticed.
| |
processes:

  "sshd"
       restart "/local/sbin/sshd"
       useshell=false

  "snmp"    signal=kill
  "mibiisa" signal=kill

  "named" matches=>1
       restart "/local/bind/bin/named"
       useshell=false

  # Do the network community a service and run this

  "identd" restart "/local/sbin/identd" inform=true
|
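To make the behaviour of the rules above concrete, here is an added example in Python that is not part of the cfengine manual and not cfengine's own code. It models what a processes: section does: each pattern is a regular expression searched for in every line of ps output, matching processes receive the rule's signal, and when nothing matches the restart command is launched without a shell (useshell=false), or without a shell and without any pipe to the child (useshell=dumb, the reading of the cron example above; how cfengine implements "dumb" internally is an assumption here). The ps listing is constructed sample data, the ProcessRule class and all function names are inventions for this illustration, and the matches= constraints are not modelled.

```python
"""Simplified model of a cfengine 'processes:' section (added example,
not cfengine's code).  A rule's pattern is searched for in each ps line;
matching processes get the rule's signal, and if nothing matches the
restart command is launched without going through /bin/sh."""
import re
import shlex
import signal
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessRule:               # invented for this example
    pattern: str                 # regex searched in each ps line
    signal: Optional[str] = None # "hup", "kill", ... as in signal=...
    restart: Optional[str] = None# command from restart "..."
    useshell: str = "false"      # "true", "false" or "dumb"
    inform: bool = False         # inform=true: report what was done


# Constructed sample output of `ps -e -o pid,args`; not real system data.
SAMPLE_PS = """\
  PID COMMAND
    1 /sbin/init
  412 /usr/sbin/inetd
  433 /usr/sbin/cron
  902 ping -s 65000 -f target.example.com
  903 ping -s 65000 -f target.example.com
 1200 /usr/sbin/sshd
"""


def parse_ps(text: str) -> List[Tuple[int, str]]:
    """Turn ps output into (pid, command line) pairs, skipping the header."""
    procs = []
    for line in text.splitlines()[1:]:
        pid, _, args = line.strip().partition(" ")
        if pid:
            procs.append((int(pid), args.strip()))
    return procs


def plan(rule: ProcessRule, procs: List[Tuple[int, str]]) -> List[tuple]:
    """Decide what a rule would do against a process list.  Returns
    ("signal", pid, signum) entries and/or ("restart", command, useshell)."""
    rx = re.compile(rule.pattern)
    matches = [(pid, args) for pid, args in procs if rx.search(args)]
    actions = []
    if matches and rule.signal:
        signum = int(getattr(signal, "SIG" + rule.signal.upper()))
        for pid, args in matches:
            if rule.inform:
                print(f"cfengine: sending {rule.signal} to {pid} ({args})")
            actions.append(("signal", pid, signum))
    if not matches and rule.restart:
        if rule.inform:
            print(f"cfengine: no '{rule.pattern}' process, restarting")
        actions.append(("restart", rule.restart, rule.useshell))
    return actions


def argv_for(command: str) -> List[str]:
    """Split a restart command ourselves.  The split happens here, with
    fixed whitespace rules, so IFS or PATH in the environment cannot
    change which program runs or how its arguments are cut up; that is
    the point of useshell=false."""
    return shlex.split(command)


def restart_command(command: str, useshell: str = "false") -> subprocess.Popen:
    """Launch a restart command the way the three useshell settings do
    ("dumb" = no shell and no pipe to the child is an assumption drawn
    from the cron example, not taken from cfengine's source)."""
    if useshell == "true":
        return subprocess.Popen(command, shell=True)  # /bin/sh -c command
    argv = argv_for(command)
    if useshell == "dumb":
        # No pipe between us and the child: a daemon that forks without
        # closing inherited descriptors can never leave us blocked on read.
        return subprocess.Popen(argv, stdin=subprocess.DEVNULL,
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL,
                                start_new_session=True)
    return subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    for rule in [
        ProcessRule("inetd", signal="hup", restart="/usr/sbin/inetd"),
        ProcessRule("cron", restart="/etc/init.d/cron start", useshell="dumb"),
        ProcessRule("ping", signal="kill", inform=True),
        ProcessRule("named", restart="/local/bind/bin/named"),
    ]:
        print(rule.pattern, "->", plan(rule, procs))
```

Against the sample listing, the inetd rule HUPs pid 412, the cron rule does nothing because cron is already running, the ping rule kills both ping processes (and reports them, as inform=true would), and the named rule produces a restart because nothing matched. Note that a bare pattern such as "ping" is an unanchored regular expression, so it would also match "pinger" or any command line mentioning ping; anchor patterns when that matters.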
Process management also includes the garbage collection
which we shall return to briefly.