GNU cfengine


7.9 Monitoring files

Almost all of the security programs available are file-integrity monitors. Cfengine also incorporates tools for monitoring files. Here are some of the elements of the fairly complex files command:
 files:

    classes::

       /file-object
                      mode=mode
                      owner=uid-list
                      group=gid-list
                      action=fixall/warnall..
                      ignore=pattern
                      include=pattern
                      exclude=pattern
                      checksum=md5
                      syslog=true/on/false/off

In addition to these, there are extra flags for BSD filesystems and ways of managing file ACLs on systems like NT. Here are some examples of basic checks on file permissions:

 classes:

   # Define a class of hosts based on a test...

   have_shadow = ( `/bin/test -f /etc/shadow` )

   NFSservers = ( server1 server2 )

 files:

   any::

      /etc/passwd mode=0644 o=root  g=other  action=fixplain

   have_shadow::

      /etc/shadow mode=0400 o=root  g=other  action=fixplain

   # Takes a while, so do this at midnight and only on servers

   NFSservers.Hr00::

      /usr/local
            mode=-0002   # check that no files are world-writable
            recurse=inf
            owner=root,bin
            group=0,1,2,3,4,5,6,7,staff
            action=fixall

In the last example we traverse a whole file system (recurse=inf) and get a number of checks for free: any previously unknown setuid programs are reported, as are any suspicious filenames (see below).
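To make the semantics of the mode=, owner= and checksum=md5 checks concrete, here is an added example in Python that re-implements the same kind of walk over a directory tree. It is not cfengine's own code; the interpretation of the mode syntax (a bare octal value must match exactly, a '-' prefix lists bits that must be absent, a '+' prefix lists bits that must be present), the list of suspicious filenames, and the in-memory checksum baseline are all assumptions of this example. The demo builds a small constructed tree in a temporary directory, records a baseline, tampers with one file, and returns what the NFSservers.Hr00 rule above would report.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Constructed list of names that hide easily in a directory listing
# (assumption: the tutorial says such names are reported but does not list them).
SUSPICIOUS_NAMES = {"...", ".. ", ". "}


def mode_violation(st_mode, spec):
    """Check permission bits against a cfengine-style mode spec.

    '0644'  -> bits must match exactly
    '-0002' -> listed bits must be absent  (e.g. no world-write)
    '+0400' -> listed bits must be present
    Returns None when the mode satisfies the spec, else a short reason.
    (This reading of the syntax is an assumption of the example.)
    """
    perm = stat.S_IMODE(st_mode)
    if spec.startswith("-"):
        bad = perm & int(spec[1:], 8)
        return None if not bad else f"has forbidden bits {bad:04o}"
    if spec.startswith("+"):
        missing = int(spec[1:], 8) & ~perm
        return None if not missing else f"missing required bits {missing:04o}"
    want = int(spec, 8)
    return None if perm == want else f"mode {perm:04o} != {want:04o}"


def md5_of(path):
    """Stream a file through MD5 as checksum=md5 would; this detects change,
    it is not a defence against a deliberately engineered collision."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_tree(root, mode_spec, baseline=None, owners=None):
    """Walk `root` (recurse=inf) and return [(relative_path, finding), ...].

    baseline: {absolute path: md5hex} recorded earlier; a differing digest is reported.
    owners:   set of allowed numeric uids (owner=...); None disables the check.
    Symbolic links are not followed and their targets are not checked.
    """
    findings = []
    baseline = baseline or {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if name in SUSPICIOUS_NAMES or name != name.strip() or not name.isprintable():
                findings.append((rel, "suspicious filename"))
            if stat.S_ISLNK(st.st_mode):
                continue  # mode and owner of a link itself are not meaningful here
            reason = mode_violation(st.st_mode, mode_spec)
            if reason:
                findings.append((rel, reason))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid bit set"))
            if owners is not None and st.st_uid not in owners:
                findings.append((rel, f"owner uid {st.st_uid} not permitted"))
            if stat.S_ISREG(st.st_mode) and path in baseline:
                if md5_of(path) != baseline[path]:
                    findings.append((rel, "md5 checksum changed"))
    return findings


def demo():
    """Build a constructed tree, take a checksum baseline, modify a file,
    then run the checks the NFSservers.Hr00 rule would run."""
    root = tempfile.mkdtemp(prefix="cfengine-demo-")
    bin_dir, etc_dir = os.path.join(root, "bin"), os.path.join(root, "etc")
    for d in (bin_dir, etc_dir):
        os.mkdir(d)
        os.chmod(d, 0o755)  # explicit, so the process umask cannot leave them 0777
    script = os.path.join(bin_dir, "ok")
    with open(script, "wb") as fh:
        fh.write(b"#!/bin/sh\necho ok\n")
    os.chmod(script, 0o755)
    conf = os.path.join(etc_dir, "world.conf")
    with open(conf, "wb") as fh:
        fh.write(b"x=1\n")
    os.chmod(conf, 0o666)                 # world-writable: violates mode=-0002
    odd = os.path.join(etc_dir, "...")    # constructed suspicious name
    open(odd, "wb").close()
    os.chmod(odd, 0o644)
    baseline = {script: md5_of(script)}  # recorded while the tree was known-good
    with open(script, "ab") as fh:       # later modification the baseline catches
        fh.write(b"echo changed\n")
    findings = check_tree(root, "-0002", baseline=baseline, owners={os.getuid()})
    shutil.rmtree(root)
    return findings


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

In a real deployment the baseline would live in a root-owned, read-only store (or on a separate host), since a baseline an intruder can rewrite detects nothing; cfengine's own checksum database is subject to the same caveat.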


  Copyright 2003   by The Free Software Foundation     Updated Jun 2003