We just started using samhain on our servers. Since updates to our puppet manifests tend to change files on the system that samhain monitors, I'm looking for a good way to reinitialize the samhain database whenever puppet changes something on the system to reduce notifications that samhain produces. I'm wondering if anyone has an elegant way of dealing with this.

Ideally we do something like this:

1. let puppet run
2. if any files changed during the puppet run, then puppet will automatically reinitialize samhain

or even if we can do something like this it would be fine:

1. have puppet disable samhain before it processes its manifests
2. apply manifest changes
3. reinitialize the samhain database
4. enable samhain

Any suggestions would be very helpful. Thanks.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Vince,

If you really want to do this, I would do the first scenario you describe with a few key points.

1) Let puppet run
2) Have an exec in puppet that runs a job in the background that does the following:
   - Waits until all puppet instances have finished running
   - Runs a samhain check against the system and e-mails/syslogs it to the admin
   - Re-initializes the database.

This way, you're sure that puppet is done running and you get a copy of the last 'change' state of the system in case someone has planted something since the last run.

Basically, you're effectively defeating a great deal of the purpose of samhain, which is to protect against unknown changes. If you automatically reinitialize the database, then you run the high risk of someone being able to plant something during the next initialization.

You also are going to be putting a heavy load on your system on a fairly regular basis.

What I would instead suggest is to only use samhain to monitor those items that Puppet is not already watching. Puppet will, of course, change any file to its proper state, so having samhain watch it as well is redundant effort on the part of your system.

You may, however, have perfectly good reasons for doing it this way.

If you're using a Linux or Solaris system, you may also want to look at the built-in auditing subsystems and/or inotify for real-time notification functionality.

Trevor

On 01/08/2010 04:41 PM, Vince wrote:
> We just started using samhain on our servers.
>
> Since updates to our puppet manifests tend to change files on the
> system that samhain monitors, I'm looking for a good way to
> reinitialize the samhain database whenever puppet changes something on
> the system to reduce notifications that samhain produces.
> [...]

-- 
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaughan@onyxpoint.com
phone: 410-541-ONYX (6699)
(zombie thread raaaaar!)

Where this comes up for me is when I have packages set to "latest". There's not really any way, I don't think, to integrate samhain into this process (that is, to say "I just installed this package with apt, so update those files").

Which is pretty unfortunate, really; that seems like a fairly basic feature for something like samhain. Something like "run this, and update every file it touches cuz I'm OK with that".

-Robin

On Fri, Jan 08, 2010 at 09:06:13PM -0500, Trevor Vaughan wrote:
> What I would instead suggest is to only use samhain to monitor those
> items that Puppet is not already watching. Puppet will, of course,
> change any file to its proper state, so having samhain watch it as well
> is redundant effort on the part of your system.
> [...]

-- 
http://singinst.org/ : Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot is dead" is "ti poi spitaki cu morsi", but "this sentence is false" is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
Does this help?

    dpkg -L PACKAGENAME

On 06/08/2011 01:44 AM, Robin Lee Powell wrote:
> Where this comes up for me is when I have packages set to "latest".
> There's not really any way, I don't think, to integrate samhain into
> this process (that is, to say "I just installed this package with
> apt, so update those files").
> [...]
Sure, but I don't see any way to tell samhain "these files right here have changed; trust the new values". I only see "accept everything".

-Robin

On Wed, Jun 08, 2011 at 02:11:34AM -0400, vagn scott wrote:
> Does this help?
>
>     dpkg -L PACKAGENAME
> [...]
You could just post-process the samhain output to ignore files listed in $puppet/var/state/state.yaml

John

On 8 June 2011 16:14, Robin Lee Powell <rlpowell@digitalkingdom.org> wrote:
> Sure, but I don't see any way to tell samhain "these files right
> here have changed; trust the new values". I only see "accept
> everything".
> [...]

-- 
John Warburton
Ph: 0417 299 600
Email: jwarburton@gmail.com
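One way to implement John's post-processing suggestion, as an added example that is not code from anyone in this thread: it reads the File resources from Puppet's state.yaml and drops a samhain alert only when Puppet itself reports syncing that exact path shortly before samhain saw the change, so a managed file that changed outside a Puppet run, or any unmanaged file, is still reported rather than falling into the "accept everything" blind spot Trevor and Robin describe. The state.yaml layout, the samhain log field layout, the 10-minute window and UTC timestamps on both sides are assumptions; both samples are constructed.

```python
"""Triage samhain alerts against Puppet's state.yaml (added example, not from the thread)."""
import re
from datetime import datetime, timedelta

# Constructed state.yaml sample in the layout Puppet 2.x wrote (format is an assumption).
STATE_YAML = """---
  "File[/etc/motd]":
    :checked: 2011-06-08 10:00:02 +00:00
    :synced: 2011-06-08 10:00:02 +00:00
  "File[/etc/ssh/sshd_config]":
    :checked: 2011-06-08 10:00:02 +00:00
  "Service[sshd]":
    :checked: 2011-06-08 10:00:03 +00:00
"""

# Constructed samhain-style log lines (field layout is an assumption; check your own output).
SAMHAIN_LOG = """\
CRIT   :  [2011-06-08T10:00:05+0000] msg=<POLICY [ReadOnly] C-------T->, path=</etc/motd>
CRIT   :  [2011-06-08T10:00:05+0000] msg=<POLICY [ReadOnly] C-------T->, path=</etc/ssh/sshd_config>
CRIT   :  [2011-06-08T11:30:00+0000] msg=<POLICY [ReadOnly] C-------T->, path=</usr/bin/ls>
"""

RESOURCE = re.compile(r'^\s*"?(\w+)\[(.+?)\]"?:\s*$')
SYNCED = re.compile(r'^\s*:synced:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)')
ALERT = re.compile(r'\[(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)[^\]]*\].*?path=<([^>]*)>')


def parse_state(text):
    """Return {path: synced_time_or_None} for every File resource in state.yaml.

    Timestamps on both sides are assumed to be UTC, so offsets are ignored.
    """
    managed, current = {}, None
    for line in text.splitlines():
        res = RESOURCE.match(line)
        if res:
            # New resource key: only File resources matter; others reset the cursor.
            current = res.group(2) if res.group(1) == "File" else None
            if current is not None:
                managed[current] = None
            continue
        sync = SYNCED.match(line)
        if sync and current is not None:
            managed[current] = datetime.strptime(sync.group(1), "%Y-%m-%d %H:%M:%S")
    return managed


def triage(log_text, managed, window=timedelta(minutes=10)):
    """Split samhain alerts into (suppressed, reported) lists of (path, line)."""
    suppressed, reported = [], []
    for line in log_text.splitlines():
        hit = ALERT.search(line)
        if not hit:
            reported.append(("?", line))  # unparsable lines are never dropped silently
            continue
        seen = datetime.strptime(hit.group(1), "%Y-%m-%dT%H:%M:%S")
        path = hit.group(2)
        synced = managed.get(path)
        # Suppress only when Puppet synced this exact path within the window before the alert;
        # a managed path Puppet merely checked (synced is None) still gets reported.
        if synced is not None and timedelta(0) <= seen - synced <= window:
            suppressed.append((path, line))
        else:
            reported.append((path, line))
    return suppressed, reported


if __name__ == "__main__":
    quiet, report = triage(SAMHAIN_LOG, parse_state(STATE_YAML))
    for path, _ in quiet:
        print("suppressed (puppet synced):", path)
    for path, _ in report:
        print("REPORT:", path)
```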