Perhaps run it in verbose mode to see if it enters the directories?
I ran your policy earlier today, and it worked.
Note that the suspiciousnames list is only matched against regular
files, not directories/symlinks/etc.
--Eystein
On 02/01/2011 07:55 PM, Aleksey Tsalolikhin wrote:
> Dear Eystein,
>
> Thank you. I tried with r1762. I don't get a syntax error any more,
> but it does not actually work to detect suspicious file names.
>
> For example:
>
>
> # cat /var/cfengine/inputs/aleksey_test.cf
> body common control
> {
> bundlesequence => { "report_suspicious_file_names" };
> inputs => { "cfengine_stdlib.cf" };
> }
>
> body agent control
> {
> suspiciousnames => { ".mo", "lrk3", "rootkit" };
> }
>
> bundle agent report_suspicious_file_names
> {
>
> files:
>
> "/root/tmp2"
>
> depth_search => recurse("inf");
> }
>
>
>
> I do have suspicious file names:
>
> # find /root/tmp2/ -ls
> 97519378 4 drwxr-xr-x 3 root root 4096 Feb 1 10:51 /root/tmp2/
> 97519370 4 drwxr-xr-x 2 root root 4096 Feb 1 10:51 /root/tmp2/rootkit
> 97519371 4 -rw-r--r-- 1 root root 29 Feb 1 10:51 /root/tmp2/rootkit/rootkit
> 97519372 4 -rw-r--r-- 1 root root 29 Feb 1 10:51 /root/tmp2/.mo
> #
>
> But it runs quietly:
>
> # /usr/local/sbin/cf-agent -KIf /var/cfengine/inputs/aleksey_test.cf
> #
>
> Please advise?
>
> Best,
> Aleksey
> _______________________________________________
> Help-cfengine mailing list
> [email protected]
> https://cfengine.org/mailman/listinfo/help-cfengine
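An independent cross-check for the behaviour described in the reply, added here as an example (it is not CFEngine code and not from either poster): it walks a tree and reports only regular files whose name is in the list, skipping directories and symlinks. The function names, the constructed sample tree and the exact-basename comparison are assumptions of this sketch.

```python
import os
import stat
import tempfile

# Names taken from the suspiciousnames list in the quoted policy.
SUSPICIOUS_NAMES = {".mo", "lrk3", "rootkit"}


def find_suspicious_files(root, names=SUSPICIOUS_NAMES):
    """Return sorted paths of regular files under root whose basename is in names.

    Directories, symlinks and other non-regular entries are skipped.
    Exact basename comparison is an assumption of this sketch.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            if name not in names:
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: never follow symlinks
            if stat.S_ISREG(mode):
                hits.append(path)
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample mirroring the find listing in the thread, plus a symlink."""
    os.mkdir(os.path.join(root, "rootkit"))  # directory named "rootkit": skipped
    for rel in ("rootkit/rootkit", ".mo", "harmless.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    os.symlink("harmless.txt", os.path.join(root, "lrk3"))  # symlink: skipped


def demo():
    """Build the sample tree in a temp dir and return the relative paths flagged."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [os.path.relpath(p, root) for p in find_suspicious_files(root)]


if __name__ == "__main__":
    for rel in demo():
        print("suspicious regular file:", rel)
```

Comparing this list with the agent's verbose output for the same directory shows whether the agent descended into the tree and which entries it should have flagged.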