When it comes to process management we are usually interested in
three things: i) making sure certain processes are running,
ii) making sure some processes are NOT running and iii)
sending HUP signals to force configuration updates.
To HUP a daemon and make sure that it is running, we write
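Setting useshell=false tells cfengine that it should not use a shell
to start the program. The idea here is to protect against IFS attacks,
in which a manipulated IFS (the shell's field separator variable)
changes how the shell splits a command line into words.
Unfortunately some programs require a shell in order to be started,
but most do not. This is an extra precaution.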
When the cron daemon crashes, restarting it can be a problem
since it does not close its file descriptors properly when forking.
The dumb-option helps here:
There are few legitimate reasons to run the ping command more than a few
times. The chance of cfengine detecting single pings is quite small.
But coordinated ping attacks are another story. When it was revealed
that a user had twenty ping processes attempting to send large ping
packets to hosts in the United States, it was obvious that the account
had been compromised. Fortunately for the recipient, the ping command
was incorrectly phrased and would probably not have been noticed.
processes:

   "sshd"
      restart "/local/sbin/sshd"
      useshell=false

   "snmp" signal=kill
   "mibiisa" signal=kill

   "named" matches=>1
      restart "/local/bind/bin/named"
      useshell=false

   # Do the network community a service and run this

   "identd" restart "/local/sbin/identd" inform=true

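What starting a program without a shell amounts to, as an added C illustration (not cfengine's source code and not part of the original page): the command is split on blanks only, only an absolute path is accepted, and the child gets a fixed environment, so an inherited IFS or PATH never takes part. The child also drops inherited file descriptors, the problem raised for cron above; `split_words`, `restart_noshell` and the sample paths are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 16

/* Split cmd in place on blanks only: no quoting, globbing or IFS involved.
   Returns the word count, or -1 if there are too many words. */
int split_words(char *cmd, char *argv[]) {
    int argc = 0;
    char *save = NULL;
    for (char *w = strtok_r(cmd, " \t", &save); w; w = strtok_r(NULL, " \t", &save)) {
        if (argc == MAX_ARGS) return -1;
        argv[argc++] = w;
    }
    argv[argc] = NULL;
    return argc;
}

/* Start a restart command without a shell. Returns its exit status,
   or -1 if the command is refused or could not be forked. */
int restart_noshell(const char *command) {
    char buf[256], *argv[MAX_ARGS + 1];
    char *clean_env[] = { "PATH=/usr/bin:/bin", NULL }; /* fixed; no inherited IFS */
    if (strlen(command) >= sizeof buf) return -1;
    strcpy(buf, command);
    if (split_words(buf, argv) < 1 || argv[0][0] != '/') return -1; /* absolute path only */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: point stdio at /dev/null and close everything else, so a
           daemon that keeps its descriptors cannot hold the caller's files. */
        int devnull = open("/dev/null", O_RDWR);
        if (devnull < 0) _exit(127);
        for (int fd = 0; fd < 3; fd++) dup2(devnull, fd);
        for (int fd = 3; fd < 256; fd++) close(fd);
        execve(argv[0], argv, clean_env); /* no PATH search, no re-splitting */
        _exit(127);                       /* reached only if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) { /* constructed placeholder path: execve fails, child exits 127 */
    return restart_noshell("/nonexistent/placeholder-daemon") == 127 ? 0 : 1;
}
```

Because no shell parses the string, characters such as `;` or `$IFS` reach the program as literal argument text.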
Process management also includes garbage collection,
which we shall return to briefly.