-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vince,

If you really want to do this, I would do the first scenario you describe with a few key points.

1) Let puppet run
2) Have an exec in puppet that runs a job in the background that does the following:
   - Waits until all puppet instances have finished running
   - Runs a samhain check against the system and e-mails/syslogs it to the admin
   - Re-initializes the database

This way, you're sure that puppet is done running and you get a copy of the last 'change' state of the system in case someone has planted something since the last run.

Basically, you're effectively defeating a great deal of the purpose of samhain, which is to protect against unknown changes. If you automatically reinitialize the database, then you run the high risk of someone being able to plant something during the next initialization. You also are going to be putting a heavy load on your system on a fairly regular basis.

What I would instead suggest is to only use samhain to monitor those items that Puppet is not already watching. Puppet will, of course, change any file to its proper state, so having samhain watch it as well is redundant effort on the part of your system. You may, however, have perfectly good reasons for doing it this way.

If you're using a Linux or Solaris system, you may also want to look at the built-in auditing subsystems and/or inotify for real-time notification functionality.

Trevor

On 01/08/2010 04:41 PM, Vince wrote:
> We just started using samhain on our servers.
>
> Since updates to our puppet manifests tend to change files on the
> system that samhain monitors, I'm looking for a good way to
> reinitialize the samhain database whenever puppet changes something on
> the system to reduce notifications that samhain produces. I'm
> wondering if anyone has an elegant way of dealing with this.
>
> Ideally we do something like this:
>
> 1. let puppet run
> 2. if any files changed during the puppet run, then puppet will
>    automatically reinitialize samhain
>
> or even if we can do something like this it would be fine:
>
> 1. have puppet disable samhain before it processes its manifests
> 2. apply manifest changes
> 3. reinitialize the samhain database
> 4. enable samhain
>
> Any suggestions would be very helpful.
>
> Thanks.
>

- --
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaug...@onyxpoint.com
phone: 410-541-ONYX (6699)

- -- This account not approved for unencrypted sensitive information --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAktH5JEACgkQyWMIJmxwHpTUQQCgrGD90YQcMiUV7SbsrNNIrY7h
884An0f6XKVrqGKnXKVkWfoFwBPbtQfC
=wp0h
-----END PGP SIGNATURE-----
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
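The background job Trevor outlines (wait for puppet to finish, record a samhain check for the admin, only then re-initialize the baseline) written out as a shell script. This is an added example, not code from the thread, from Puppet or from the samhain project. The puppet lock-file path, the samhain binary and database paths, the `POLICY` marker used to count violations in samhain's output, the `-t check`/`-t init`/`--foreground`/`-p` options as used here, and the `mail` and `logger` commands are all assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example (not from the thread, Puppet or samhain): a job that a puppet
# exec can start in the background. It waits for the agent run to finish, saves
# samhain's view of the drift since the last baseline, mails the report when
# violations were found, and only then rebuilds the baseline.
# Every path, the lock-file location and the notification commands are assumptions.

PUPPET_LOCK="${PUPPET_LOCK:-/var/lib/puppet/state/puppetdlock}"   # assumed agent lock file
SAMHAIN="${SAMHAIN:-/usr/sbin/samhain}"                             # assumed binary path
SAMHAIN_DB="${SAMHAIN_DB:-/var/lib/samhain/samhain_file}"           # assumed baseline path
REPORT_DIR="${REPORT_DIR:-/var/log/samhain/reports}"                # where check output is kept
ADMIN_MAIL="${ADMIN_MAIL:-root}"
MAILER="${MAILER:-mail}"                                            # overridable for testing

# Syslog a line via logger, or fall back to stderr if logger is unavailable.
log() { logger -t samhain-reinit "$*" 2>/dev/null || echo "samhain-reinit: $*" >&2; }

# Poll until puppet's lock file disappears.
# Returns 0 once puppet is idle, 1 if the lock is still held after $1 seconds.
wait_for_puppet() {
    timeout=${1:-600}; elapsed=0
    while [ -e "$PUPPET_LOCK" ]; do
        [ "$elapsed" -ge "$timeout" ] && return 1
        sleep 1; elapsed=$((elapsed + 1))
    done
    return 0
}

# Count policy violations in a saved report (assumption: samhain marks them with "POLICY").
count_violations() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c 'POLICY' "$1" || true
}

# Run a foreground check against the current baseline and keep the output: this is
# the "last change state" snapshot taken before the baseline is reset.
# Prints the report path; returns 1 when violations were found (and mailed), else 0.
record_check() {
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/check-$(date +%Y%m%d-%H%M%S).log"
    "$SAMHAIN" -t check --foreground -p info >"$report" 2>&1 || true
    n=$(count_violations "$report")
    log "check finished, $n policy violations, report=$report"
    echo "$report"
    if [ "$n" -gt 0 ]; then
        "$MAILER" -s "samhain: $n changes on $(uname -n)" "$ADMIN_MAIL" <"$report"
        return 1
    fi
    return 0
}

# Build a fresh baseline. The previous database is moved aside rather than deleted,
# so the admin can still compare against it later (assumption: init would otherwise
# append to an existing database file).
reinit_baseline() {
    if [ -e "$SAMHAIN_DB" ]; then
        mv "$SAMHAIN_DB" "$SAMHAIN_DB.$(date +%Y%m%d-%H%M%S)"
    fi
    "$SAMHAIN" -t init --foreground
}

main() {
    wait_for_puppet 600 || { log "puppet still running after 10 minutes, leaving baseline alone"; exit 1; }
    record_check >/dev/null   # the violation status is already logged and mailed
    reinit_baseline
}

# Only act when invoked as "samhain-reinit.sh run", so sourcing the file is harmless.
case "${1:-}" in run) main ;; esac
```

Started from a puppet exec with `refreshonly => true` and a `subscribe` on the resources that change monitored files, detached with something like `/bin/sh -c "nohup /usr/local/sbin/samhain-reinit.sh run >/dev/null 2>&1 &"` so the agent run does not block on it. Note that the window between the check and the re-initialization is exactly the risk Trevor describes: the script keeps the report and the old database so the change is reviewable, but it cannot make an automatic reinitialization safe by itself.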