Forum: Cfengine Help
Subject: Re: laying a tripwire and firing the checksum_alerts class
Author: msvob...@linkedin.com
Link to topic: https://cfengine.com/forum/read.php?3,21544,21571#msg-21571
This was my workaround to this issue. I set a class by using returnszero, and
grepping for ALERT on the result of the previous execution of cf-execd.
The reports promise will overwrite /var/cfengine/output/previous on the
subsequent execution, so this notification will only fire / execute once.
Hope this helps someone else trying to accomplish the same.
Thanks
Mike
bundle agent lay_etc_tripwire_detection
{
vars:
"files_to_ignore" slist => { "mnttab", utmppipe", "mtab",
"logadm.conf", "prelink.cache", };
classes:
"tripwire_tripped" expression => returnszero("/bin/grep
ALERT /var/cfengine/outputs/previous > /dev/null","useshell");
files:
sunos_5_10|linux::
"/etc"
handle => "tripwire_on_etc",
changes => detect_filesystem_changes,
depth_search => etc_tripwire_ignores("inf"),
file_select => ex_list(@(files_to_ignore)),
action => background;
commands:
tripwire_tripped::
"/var/cfengine/modules/notify_tripwire_detection.sh";
reports:
tripwire_tripped::
"cf3: The tripwire on $(sys.host):/etc has been tripped.";
}
################################################################
body depth_search etc_tripwire_ignores(depth_of_directories)
{
depth => "$(depth_of_directories)";
exclude_dirs => { "/etc/saf", "/etc/svc", "/etc/devices", };
}
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
