Almost all security programs available are for the monitoring of file integrity. Cfengine also incorporates tools for monitoring files. Here are some of the elements in the fairly complex files command:

    files:

       classes::

          /file-object

             mode=mode
             owner=uid-list
             group=gid-list
             action=fixall/warnall..
             ignore=pattern
             include=pattern
             exclude=pattern
             checksum=md5
             syslog=true/on/false/off

In addition to these, there are extra flags for BSD filesystems and ways of managing file ACLs for systems like NT. Here are some examples of basic checks on file permissions:

    classes:

       # Define a class of hosts based on a test...

       have_shadow = ( `/bin/test -f /etc/shadow` )
       NFSservers = ( server1 server2 )

    files:

       any::

          /etc/passwd mode=0644 o=root g=other action=fixplain

       have_shadow::

          /etc/shadow mode=0400 o=root g=other action=fixplain

       # Takes a while so do this at midnight and only on servers

       NFSservers.Hr00::

          /usr/local

             mode=-0002       # Check no files are writable!
             recurse=inf
             owner=root,bin
             group=0,1,2,3,4,5,6,7,staff
             action=fixall

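The recursive /usr/local check above, reproduced as a read-only audit in Python. This is an added example, not cfengine code or part of the tutorial. It assumes that mode=-0002 means "these bits must be clear" and that the owner and group lists are allow-lists; the names audit_tree and build_sample_tree are hypothetical, and the sample tree is constructed.

```python
import os
import stat
import tempfile


def audit_tree(root, forbidden_bits=0o002, owners=None, groups=None):
    """Walk root recursively and return (path, problem) tuples.

    Report-only (comparable to a warn action): nothing is modified.
    owners/groups are sets of numeric ids; None skips that check.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on the link itself are not meaningful
            bad = stat.S_IMODE(st.st_mode) & forbidden_bits
            if bad:
                findings.append((path, f"mode has forbidden bits {bad:04o}"))
            if owners is not None and st.st_uid not in owners:
                findings.append((path, f"owner uid {st.st_uid} not in allowed list"))
            if groups is not None and st.st_gid not in groups:
                findings.append((path, f"group gid {st.st_gid} not in allowed list"))
    return findings


def build_sample_tree():
    """Constructed sample: one clean file and one world-writable file."""
    root = tempfile.mkdtemp(prefix="cf-audit-")
    subdir = os.path.join(root, "bin")
    os.mkdir(subdir)
    os.chmod(subdir, 0o755)  # explicit mode so the result ignores the umask
    ok = os.path.join(subdir, "tool")
    bad = os.path.join(subdir, "writable")
    for path, mode in ((ok, 0o755), (bad, 0o666)):
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root, ok, bad


if __name__ == "__main__":
    root, _, _ = build_sample_tree()
    for path, problem in audit_tree(root, owners={os.geteuid()}):
        print(f"WARN {path}: {problem}")
```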
| Copyright © 2003 by The Free Software Foundation | Updated Jun 2003 |