Stephan Andreas wrote:
> The problem is clear, I think.
> But a simple example:
> You are an operator for, e.g., an OBSD firewall.
> Yesterday everything was OK.
> Today a person phoned me and wanted me to open a TCP port for him. OK, I open it.
> Tomorrow, I notice problems that I have never had before. But I have
> forgotten the new open port. Now it is nice to have a ChangeLog.
>
> Because it is faster than restoring a backup.
...and more productive, as you may be able to see what is wrong, rather than simply roll back to what was...

This functionality is built into and turned on by default in OpenBSD. If you set up the root user's e-mail to forward or otherwise be delivered to your inbox every morning, you will find this is already being done for you. If you didn't do this, you have a pile of these things waiting for you to read through in /var/mail/root.

Every night, as part of the /etc/daily script, it looks for changes to the files listed in /etc/changelist, and stores a backup of those files. If it finds a change, it mails you a diff of that file in an insecurity report. If you keep those, you have a very good record of the history of changes on your machine.

Ta-da! Just what you asked for, by simply creating a /root/.forward with just your e-mail address in it. :)

Within a few days, you will be reinventing this on every Unix machine you work with.

That being said... I'm also fond of this little entry in my /etc/daily.local file:

    # nightly tarball of /etc and /var, one file per day, named backupYYYY-MM-DD.tgz
    TGZFILE=/backup/`date "+backup%Y-%m-%d"`.tgz
    cd /
    tar czf "$TGZFILE" etc var

On firewalls and DNS servers I have done this with, you get many YEARS of these backup files in the spare space on a 40G drive.

Another trick that works well for firewalls is to have a script which you use to synchronize the pf.conf (and other) files between machines. I wrote one which:

* did a diff -u against the other machine
* recorded that diff into a file, and tossed the user into an editor to both review and explain/document the diff
* saved that file to /bkup/history
* copied the compared files AND the change log file to the other machine and installed them
* ran pfctl -f on that other machine.

(This was all done in shell script with base tools; no packages were added to the machine.)

Yes, you could say I reinvented cvs for this, but I liked this specialized script over a general CMS for a few reasons, including the fact that it stuffed the diff in your face and had it there while you were making the change message, and I found the dated change files much easier to grep through when looking for when something changed and why.

Nick.
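Reinventing the /etc/changelist check on a box that does not have it, as an added example (this is not Nick's script and not OpenBSD's own /etc/security code; the list-file format, the backup directory layout and the cron invocation are assumptions). Each listed file is compared with the copy saved on the previous run, any difference is printed as a unified diff, and the saved copy is then refreshed, so a nightly run piped to mail gives the same dated trail of diffs the post describes.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenBSD: a small
# re-implementation of the /etc/changelist check for any Unix host.
# Assumptions (hypothetical): the list file holds one absolute path per
# line with '#' comments allowed, like /etc/changelist; saved copies live
# under the backup directory mirroring the listed path
# (/etc/pf.conf -> BACKUPDIR/etc/pf.conf).
set -u

# check_changes LISTFILE BACKUPDIR
# Prints a report of added, changed (unified diff) and removed files, then
# refreshes the saved copies. Returns 0 if nothing changed, 1 otherwise,
# so a caller can decide whether there is anything worth mailing.
check_changes() {
    list=$1
    bdir=$2
    changed=0
    mkdir -p "$bdir"
    chmod 700 "$bdir"   # saved copies may include keys, passwd files, pf rules
    while IFS= read -r f; do
        case "$f" in ''|\#*) continue ;; esac   # skip blank lines and comments
        saved="$bdir$f"
        if [ -f "$f" ]; then
            if [ ! -f "$saved" ]; then
                printf '======\n%s added\n' "$f"
                changed=1
            elif ! cmp -s "$saved" "$f"; then
                printf '======\n%s diffs (-saved +current)\n' "$f"
                diff -u "$saved" "$f" || :   # diff exits 1 when files differ
                changed=1
            fi
            mkdir -p "$(dirname "$saved")"
            cp -p "$f" "$saved"   # -p keeps mode, owner and mtime on the copy
        elif [ -f "$saved" ]; then
            printf '======\n%s removed\n' "$f"
            rm -f "$saved"
            changed=1
        fi
    done < "$list"
    return $changed
}

# Stand-alone use from root's crontab or /etc/daily.local, e.g.
#   sh changecheck.sh /etc/changelist /var/backups/changelist | mail -s "changes on $(hostname)" root
# Nothing is printed on a quiet night, so the mail step can be skipped when empty.
if [ $# -ge 2 ]; then
    out=$(check_changes "$1" "$2") || :
    [ -n "$out" ] && printf '%s\n' "$out"
fi
```

The report format (a line of `======` and the path before each diff) is chosen to be easy to grep for later, which is the point Nick makes about dated change files. Keep the backup directory on the machine itself but readable only by root: it is a second copy of every sensitive file in the list.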
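The sync-and-document script Nick lists above, as an added example of the same idea (this is a sketch written here, not Nick's script; /bkup/history is the directory named in the post, while comparing the installed file against an edited working copy rather than against the peer, root ssh access to the peer, and the `pfctl -nf` parse check before loading are assumptions). The diff and the written reason land in one dated file before anything is installed, and the script refuses to go on if the editor session added no explanation.

```shell
#!/bin/sh
# Added example, not Nick's script: record a pf.conf change with its diff
# and a written reason, then push it to a peer firewall. Assumed
# (hypothetical): the peer is reachable as root over ssh and runs pf.
set -u

HISTDIR=${HISTDIR:-/bkup/history}   # dated change records, one file per change

# record_change INSTALLED CANDIDATE
# Writes "diff -u INSTALLED CANDIDATE" under a header into a dated file in
# $HISTDIR, opens it in $EDITOR so the operator reads the diff while writing
# the reason, and prints the record's file name. Returns 1 (removing the
# record) if the files are identical or the operator wrote nothing.
record_change() {
    installed=$1
    candidate=$2
    if cmp -s "$installed" "$candidate"; then
        echo "no difference between $installed and $candidate" >&2
        return 1
    fi
    mkdir -p "$HISTDIR"
    rec="$HISTDIR/$(date '+%Y-%m-%d-%H%M%S')-$(basename "$candidate").diff"
    {
        echo "# $(basename "$candidate") change on $(hostname), $(date)"
        echo "# Explain WHY below (who asked, ticket, expected effect); keep the diff."
        echo "#"
        diff -u "$installed" "$candidate" || :   # diff exits 1 when they differ
    } > "$rec"
    before=$(cksum < "$rec")
    ${EDITOR:-vi} "$rec"
    if [ "$(cksum < "$rec")" = "$before" ]; then
        echo "no change reason written; aborting" >&2
        rm -f "$rec"
        return 1
    fi
    echo "$rec"
}

# push_pf_config CANDIDATE RECORD PEER
# Parse-checks the candidate locally and on the peer before anything is
# replaced, installs it there with the record beside it, then loads it.
# Needs a real peer and is not exercised offline.
push_pf_config() {
    candidate=$1
    rec=$2
    peer=$3
    pfctl -nf "$candidate" || return 1   # -n: parse only, do not load
    scp "$candidate" "$rec" "root@$peer:/tmp/" || return 1
    ssh "root@$peer" "pfctl -nf /tmp/$(basename "$candidate") &&
        mkdir -p $HISTDIR &&
        cp /tmp/$(basename "$rec") $HISTDIR/ &&
        cp /tmp/$(basename "$candidate") /etc/pf.conf &&
        pfctl -f /etc/pf.conf"
}

# Typical use: edit a working copy, then
#   rec=$(record_change /etc/pf.conf /root/pf.conf.new) \
#     && push_pf_config /root/pf.conf.new "$rec" fw2
# and install locally the same way (cp into place, then pfctl -f /etc/pf.conf).
```

The checksum-before-and-after check is what enforces "document the diff": an operator who just quits the editor gets no record and no push. Running `pfctl -nf` on both ends before `pfctl -f` means a typo in the working copy fails loudly on the candidate rather than leaving the peer with a half-loaded ruleset.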