You could just post process the samhain output to ignore files listed in $puppet/var/state/state.yaml

John

On 8 June 2011 16:14, Robin Lee Powell <rlpow...@digitalkingdom.org> wrote:
> Sure, but I don't see any way to tell samhain "these files right
> here have changed; trust the new values". I only see "accept
> everything".
>
> -Robin
>
> On Wed, Jun 08, 2011 at 02:11:34AM -0400, vagn scott wrote:
> > Does this help?
> >
> > dpkg -L PACKAGENAME
> >
> > On 06/08/2011 01:44 AM, Robin Lee Powell wrote:
> > > (zombie thread raaaaar!)
> > >
> > > Where this comes up for me is when I have packages set to "latest".
> > > There's not really any way, I don't think, to integrate samhain into
> > > this process (that is, to say "I just installed this package with
> > > apt, so update those files").
> > >
> > > Which is pretty unfortunate, really; that seems like a fairly basic
> > > feature for something like samhain. Something like "run this, and
> > > update every file it touches cuz I'm OK with that".
> > >
> > > -Robin
> > >
> > > On Fri, Jan 08, 2010 at 09:06:13PM -0500, Trevor Vaughan wrote:
> > > > Vince,
> > > >
> > > > If you really want to do this, I would do the first scenario you
> > > > describe with a few key points.
> > > >
> > > > 1) Let puppet run
> > > > 2) Have an exec in puppet that runs a job in the background that does
> > > >    the following:
> > > >    - Waits until all puppet instances have finished running
> > > >    - Runs a samhain check against the system and e-mails/syslogs it to
> > > >      the admin
> > > >    - Re-initializes the database.
> > > >
> > > > This way, you're sure that puppet is done running and you get a copy of
> > > > the last 'change' state of the system in case someone has planted
> > > > something since the last run.
> > > >
> > > > Basically, you're effectively defeating a great deal of the purpose of
> > > > samhain, which is to protect against unknown changes. If you
> > > > automatically reinitialize the database, then you run the high risk of
> > > > someone being able to plant something during the next initialization.
> > > >
> > > > You also are going to be putting a heavy load on your system on a fairly
> > > > regular basis.
> > > >
> > > > What I would instead suggest is to only use samhain to monitor those
> > > > items that Puppet is not already watching. Puppet will, of course,
> > > > change any file to its proper state, so having samhain watch it as well
> > > > is redundant effort on the part of your system.
> > > >
> > > > You may, however, have perfectly good reasons for doing it this way.
> > > >
> > > > If you're using a Linux or Solaris system, you may also want to look at
> > > > the built-in auditing subsystems and/or inotify for real-time
> > > > notification functionality.
> > > >
> > > > Trevor
> > > >
> > > > On 01/08/2010 04:41 PM, Vince wrote:
> > > > > We just started using samhain on our servers.
> > > > >
> > > > > Since updates to our puppet manifests tend to change files on the
> > > > > system that samhain monitors, I'm looking for a good way to
> > > > > reinitialize the samhain database whenever puppet changes something on
> > > > > the system to reduce the notifications that samhain produces. I'm
> > > > > wondering if anyone has an elegant way of dealing with this.
> > > > >
> > > > > Ideally we do something like this:
> > > > >
> > > > > 1. let puppet run
> > > > > 2. if any files changed during the puppet run, then puppet will
> > > > >    automatically reinitialize samhain
> > > > >
> > > > > Or even if we can do something like this it would be fine:
> > > > >
> > > > > 1. have puppet disable samhain before it processes its manifests
> > > > > 2. apply manifest changes
> > > > > 3. reinitialize the samhain database
> > > > > 4. enable samhain
> > > > >
> > > > > Any suggestions would be very helpful.
> > > > >
> > > > > Thanks.
> > > > >
> > > > --
> > > > Trevor Vaughan
> > > > Vice President, Onyx Point, Inc.
> > > > email: tvaug...@onyxpoint.com
> > > > phone: 410-541-ONYX (6699)
> > > >
> > > > -- This account not approved for unencrypted sensitive information --
> > > >
> > > > --
> > > > You received this message because you are subscribed to the Google
> > > > Groups "Puppet Users" group.
> > > > To post to this group, send email to puppet-users@googlegroups.com.
> > > > To unsubscribe from this group, send email to
> > > > puppet-users+unsubscr...@googlegroups.com.
> > > > For more options, visit this group at
> > > > http://groups.google.com/group/puppet-users?hl=en.
>
> --
> http://singinst.org/ : Our last, best hope for a fantastic future.
> Lojban (http://www.lojban.org/): The language in which "this parrot
> is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> is "na nei". My personal page: http://www.digitalkingdom.org/rlp/

--
John Warburton
Ph: 0417 299 600
Email: jwarbur...@gmail.com
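John's suggestion at the top of the thread, worked through as an added example (not code from the thread, from samhain or from Puppet): a small Python filter that drops samhain findings for files Puppet itself synced since the last baseline, while still reporting files Puppet only checked or does not manage at all. The samhain report lines and the state.yaml excerpt are constructed, and the state.yaml layout (a resource reference mapping to checked/synced timestamps) is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt in the shape of $puppet/var/state/state.yaml: resource
# reference -> checked/synced timestamps (that layout is an assumption here).
STATE_YAML = """---
File[/etc/motd]:
  checked: 2011-06-08 16:14:00.000000 +00:00
  synced: 2011-06-08 16:14:00.000000 +00:00
File[/etc/ssh/sshd_config]:
  checked: 2011-06-08 16:14:01.000000 +00:00
Package[openssh-server]:
  checked: 2011-06-08 16:14:02.000000 +00:00
"""
# Constructed samhain-style report lines; only the path=<...> field is parsed.
SAMHAIN_LOG = """CRIT : [2011-06-08T16:20:05] msg=<POLICY [ReadOnly] C--------TS>, path=</etc/motd>
CRIT : [2011-06-08T16:20:05] msg=<POLICY [ReadOnly] C--------TS>, path=</etc/ssh/sshd_config>
CRIT : [2011-06-08T16:20:06] msg=<POLICY [ReadOnly] C--------TS>, path=</usr/bin/ls>
"""
# Time of the last samhain database init (constructed); earlier syncs are irrelevant.
BASELINE = datetime(2011, 6, 8, 16, 0, tzinfo=timezone.utc)

FILE_RE = re.compile(r"^File\[(.+)\]:\s*$")
SYNCED_RE = re.compile(r"^\s+synced:\s*(.+?)\s*$")
PATH_RE = re.compile(r"path=<([^>]*)>")

def puppet_synced_files(state_yaml, since):
    """Paths of File resources Puppet actually changed ('synced') at or after
    `since`. Resources that were merely 'checked' were left alone by Puppet,
    so a samhain alert on them is unexplained and must still be reported."""
    synced, current = set(), None
    for line in state_yaml.splitlines():
        m = FILE_RE.match(line)
        if m or not line.startswith(" "):
            current = m.group(1) if m else None  # None for non-File resources
            continue
        s = SYNCED_RE.match(line)
        if s and current:
            ts = datetime.strptime(s.group(1), "%Y-%m-%d %H:%M:%S.%f %z")
            if ts >= since:
                synced.add(current)
    return synced

def filter_samhain(log, state_yaml, since):
    """Split samhain report lines into (kept, suppressed) by Puppet sync status."""
    ignorable = puppet_synced_files(state_yaml, since)
    kept, suppressed = [], []
    for line in log.splitlines():
        m = PATH_RE.search(line)
        (suppressed if m and m.group(1) in ignorable else kept).append(line)
    return kept, suppressed
```

With the constructed data, only the /etc/motd finding is suppressed; the sshd_config alert survives because Puppet checked that file but did not change it, which is exactly the case a baseline reset would have hidden.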