www.delorie.com/gnu/docs/cfengine/cfengine-Tutorial_85.html   search  
 
Buy GNU books!


GNU cfengine

[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

7.8 Process monitoring

When it comes to process management we are usually interested in three things: i) making sure certain processes are running, ii) making sure some processes are NOT running and iii) sending HUP signals to force configuration updates. To HUP a daemon and make sure that it is running, we write
 
processes:

 linux::
  
  "inetd"  signal=hup restart "/usr/sbin/inetd"   useshell=false
  "xntp"              restart "/local/sbin/xntpd" useshell=false
 
The useshell option tells cfengine that it should not use a shell to start the program. The idea here is to protect against IFS attacks. Unfortunately some programs require a shell in order to be started, but most do not. This is an extra precaution. When the cron daemon crashes, restarting it can be a problem since it does not close its filed descriptors properly when forking. The dumb-option helps here:
 
  "cron" matches=>1 restart "/etc/init.d/cron start"  useshell=dumb

To kill processes which should not be running, we write:

 
 processes:

   solaris::

   #
   # Don't want CDE stuff or SNMP peepholes...
   #

    "ttdbserverd" signal=kill
    "snmpd"       signal=kill
    "mibiisa"     signal=kill

A couple of years ago, a broken cracked account was revealed at Oslo College by the following test in the cfengine configuration:

 
processes:

   # Ping attack ?

   "ping"  signal=kill inform=true

There are few legimate reasons to run the ping command more than a few times. The chances of cfengine detecting single pings is quite small. But coordinated ping attacks are another story. When it was revealed that a user had twenty ping processes attempting to send large ping packets to hosts in the United States it was obvious the the account had been compromised. Fortunately for the recipient, the ping command was incorrectly phrased and would probably not have been noticed.

 
processes:

     "sshd"        
                  restart "/local/sbin/sshd"
                  useshell=false    

     "snmp"       signal=kill
     "mibiisa"    signal=kill

     "named"      matches=>1
                  restart "/local/bind/bin/named"
                  useshell=false

     # Do the network community a service and run this

     "identd"   restart "/local/sbin/identd" inform=true

Process management also includes the garbage collection which we shall return to briefly.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

  webmaster   donations   bookstore     delorie software   privacy  
  Copyright 2003   by The Free Software Foundation     Updated Jun 2003