7.8 Process monitoring
When it comes to process management we are usually interested in
three things: i) making sure that certain processes are running,
ii) making sure that some processes are NOT running, and iii)
sending HUP signals to force daemons to re-read their configuration.
To HUP a daemon and make sure that it is running, we write

    "inetd" signal=hup restart "/usr/sbin/inetd" useshell=false
    "xntp" restart "/local/sbin/xntpd" useshell=false

The useshell option tells cfengine that it should not use a shell
to start the program. The idea here is to protect against IFS attacks.
Unfortunately some programs require a shell in order to be started,
but most do not. This is an extra precaution.

When the cron daemon crashes, restarting it can be a problem
since it does not close its file descriptors properly when forking.
The dumb option helps here:

    "cron" matches=>1 restart "/etc/init.d/cron start" useshell=dumb

To kill processes which should not be running, we write:
    # Don't want CDE stuff or SNMP peepholes...
A couple of years ago, a cracked account was revealed at
Oslo College by the following test in the cfengine configuration:

    # Ping attack ?
    "ping" signal=kill inform=true

There are few legitimate reasons to run the ping command more than a few
times. The chance of cfengine detecting a single ping is quite small,
but coordinated ping attacks are another story. When it was revealed
that a user had twenty ping processes attempting to send large ping
packets to hosts in the United States, it was obvious that the account
had been compromised. Fortunately for the recipient, the ping command
was incorrectly phrased and would probably not have been noticed.
Process management also includes garbage collection,
which we shall return to briefly.

    # Do the network community a service and run this
    "identd" restart "/local/sbin/identd" inform=true