Stephan Andreas wrote:
> The problem is clear, I think.
> But a simple example:
> You are an operator for e.g. an OBSD firewall.
> Yesterday everything was OK.
> Today a person phoned me and wanted me to open a TCP port for him. OK, I opened it.
> Tomorrow, I notice problems that I have never had before. But I have
> forgotten the newly opened port. Now it is nice to have a ChangeLog.
>
> Because it is faster than restoring a backup.

...and more productive, as you may be able to see what is wrong, rather
than simply roll back to what was...

This functionality is built into and turned on by default in OpenBSD.

If you set up the root user's e-mail to forward or otherwise be
delivered to your inbox every morning, you will find this is already
being done for you.  If you didn't do this, you have a pile of these
things waiting for you to read through in /var/mail/root.

Every night, as part of the /etc/daily script, it looks for changes to
the files listed in /etc/changelist, and stores a backup of those files.
If it finds a change, it mails you a diff of that file in an insecurity
report.  If you keep those, you have a very good record of the history
of changes on your machine.

Ta-da!  Just what you asked for, by simply creating a /root/.forward
with just your e-mail address in it. :)  Within a few days, you will
be reinventing this on every Unix machine you work with.

That being said...  I'm also fond of this little entry in my
/etc/daily.local file:
   # nightly tarball of /etc and /var, named by date
   TGZFILE="/backup/$(date "+backup%Y-%m-%d").tgz"
   cd / || exit 1
   tar czf "$TGZFILE" etc var

On firewalls and DNS servers I have done this with, you get many
YEARS of these backup files in the spare space on a 40G drive.

Another trick that works well for firewalls is to have a script
which you use to synchronize the pf.conf (and other) files between
machines.  I wrote one which:
* did a diff -u against the other machine
* recorded that diff into a file, then tossed the user into an editor
  to both review and explain/document the diff
* saved that file to /bkup/history
* copied the compared files AND the change log file to the other
  machine and installed them
* ran pfctl -f on that other machine.

(this was all done in shell script and base tools, no packages
were added to the machine)

Yes, you could say I reinvented cvs for this, but I liked this
specialized script over a general CMS for a few reasons, including
the fact it stuffed the diff in your face and had it there while
you were making the change message, and I found the dated change
files much easier to grep through when looking for when something
changed and why.

Nick.
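
The nightly /etc/changelist check described above, as an added example that is not from the original mail or from OpenBSD's own /etc/daily: a POSIX sh function that keeps a saved copy of each tracked file and writes a unified diff to a report whenever the live file has changed since the last run. The backup directory layout (".current" suffix, slashes turned into underscores) and the report format are assumptions for the example; OpenBSD itself keeps its copies under /var/backups.

```shell
#!/bin/sh
# Added example (not from the original mail): a toy version of the check
# /etc/daily performs against /etc/changelist.  Each tracked file gets a
# saved ".current" copy under BACKUPDIR; when the live file differs from
# that copy, a unified diff goes into the report and the copy is refreshed.
# OpenBSD keeps the real copies in /var/backups; the directory layout and
# report format here are assumptions for the example.

# changelist_check CHANGELIST BACKUPDIR REPORT
#   Returns 0 when nothing changed (REPORT is left empty),
#   1 when at least one tracked file was new or modified.
changelist_check() {
    list=$1 bak=$2 report=$3 changed=0
    mkdir -p "$bak"
    : > "$report"
    while IFS= read -r f; do
        case $f in ''|'#'*) continue ;; esac        # blank lines and comments
        [ -f "$f" ] || continue                      # listed but absent: nothing to compare
        saved="$bak/$(printf '%s' "$f" | tr / _).current"
        if [ ! -f "$saved" ]; then
            printf '======\n%s is new, saving first copy\n' "$f" >> "$report"
            changed=1
        elif ! cmp -s "$saved" "$f"; then
            printf '======\n%s diffs (OLD < > NEW)\n' "$f" >> "$report"
            diff -u "$saved" "$f" >> "$report" || true   # diff exits 1 on differences
            changed=1
        fi
        cp -p "$f" "$saved"                          # refresh the saved copy
    done < "$list"
    return "$changed"
}

# Stand-alone demo on constructed data in a scratch directory.
demo() {
    work=$(mktemp -d) || exit 1
    printf 'block in all\npass in on egress proto tcp to port 22\n' > "$work/pf.conf"
    printf '# constructed changelist\n%s\n' "$work/pf.conf" > "$work/changelist"
    changelist_check "$work/changelist" "$work/backups" "$work/report-day1" || :
    # Day 2: somebody opened another port, the scenario from the thread.
    echo 'pass in on egress proto tcp to port 8080' >> "$work/pf.conf"
    changelist_check "$work/changelist" "$work/backups" "$work/report-day2" || :
    cat "$work/report-day2"                          # the diff you would be mailed
    rm -rf "$work"
}

demo
```

Running the script prints the day-2 report, in which the added pass rule shows up as a single "+" line in the diff; a run with no edits leaves the report empty.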
