Re: [Puppet Users] Dealing with samhain
Does this help?

    dpkg -L PACKAGENAME

On 06/08/2011 01:44 AM, Robin Lee Powell wrote:
> (zombie thread rar!)
>
> Where this comes up for me is when I have packages set to latest.
> There's not really any way, I don't think, to integrate samhain into
> this process (that is, to say "I just installed this package with apt,
> so update those files"), which is pretty unfortunate, really; that
> seems like a fairly basic feature for something like samhain.
> Something like "run this, and update every file it touches, cuz I'm OK
> with that".
>
> -Robin

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Dealing with samhain
Sure, but I don't see any way to tell samhain "these files right here
have changed; trust the new values".  I only see "accept everything".

-Robin

On Wed, Jun 08, 2011 at 02:11:34AM -0400, vagn scott wrote:
> Does this help?
>
>     dpkg -L PACKAGENAME

-- 
http://singinst.org/ :  Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei".   My personal page: http://www.digitalkingdom.org/rlp/
Re: [Puppet Users] Dealing with samhain
You could just post-process the samhain output to ignore files listed in
$puppet/var/state/state.yaml

John

On 8 June 2011 16:14, Robin Lee Powell <rlpow...@digitalkingdom.org> wrote:
> Sure, but I don't see any way to tell samhain "these files right here
> have changed; trust the new values".  I only see "accept everything".
>
> -Robin
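One way to do what John describes, written here as an added example rather than code from the thread or from Puppet or samhain: pull the paths of File resources that puppet reports as synced (changed) in state.yaml, and drop the samhain report lines for exactly those paths. The state.yaml layout (resource-reference keys with `:checked`/`:synced` timestamps), the samhain `path=<...>` log field, and the sample inputs are all constructed here from the Puppet 2.x and samhain 2.x formats as I know them; check them against your own files before relying on the filter.

```shell
#!/bin/sh
# Added example: filter a samhain report against puppet's state.yaml.
# Assumed formats (verify on your systems):
#   state.yaml: "File[/path]:" keys, each with ":checked:" and, when puppet
#               changed the resource in that run, ":synced:" timestamps.
#   samhain:    one line per finding containing "path=</some/file>".

# Print the path of every File resource that puppet synced in its last run.
# Any resource key (File[...], Package[...], ...) resets the current path, so
# a :synced: line under a Package entry is never attributed to a File.
puppet_synced_paths() {
    awk '
        /^ *[A-Za-z_:]+\[.*\]: *$/ {
            path = ""
            if ($0 ~ /^ *File\[/) {
                path = $0
                sub(/^ *File\[/, "", path)
                sub(/\]: *$/, "", path)
            }
            next
        }
        /^ *:synced:/ { if (path != "") { print path; path = "" } }
    ' "$1"
}

# Print the samhain report ($1) minus lines whose path puppet synced ($2).
# Matching on the full "path=</x>" token keeps /etc/ssh from also hiding
# /etc/ssh/sshd_config.
filter_samhain_report() {
    patterns=$(mktemp)
    puppet_synced_paths "$2" | sed 's|.*|path=<&>|' > "$patterns"
    if [ -s "$patterns" ]; then
        grep -v -F -f "$patterns" "$1" || [ $? -eq 1 ]   # 1 = every line filtered
    else
        cat "$1"
    fi
    rm -f "$patterns"
}

# Constructed sample inputs (not real puppet or samhain output): the run
# changed sshd_config, only checked motd, and upgraded a package.
write_sample_inputs() {
    cat > "$1/state.yaml" <<'EOF'
---
File[/etc/ssh/sshd_config]:
  :checked: 2011-06-08 01:44:12.000000 +00:00
  :synced: 2011-06-08 01:44:12.000000 +00:00
File[/etc/motd]:
  :checked: 2011-06-08 01:44:12.000000 +00:00
Package[openssh-server]:
  :checked: 2011-06-08 01:44:11.000000 +00:00
  :synced: 2011-06-08 01:44:11.000000 +00:00
EOF
    cat > "$1/samhain.log" <<'EOF'
CRIT   :  [2011-06-08T01:44:30+0000] msg=<POLICY [ReadOnly] C--------TS>, path=</etc/ssh/sshd_config>, size_old=<3200>, size_new=<3251>
CRIT   :  [2011-06-08T01:44:30+0000] msg=<POLICY [ReadOnly] C--------TS>, path=</etc/motd>, size_old=<286>, size_new=<290>
CRIT   :  [2011-06-08T01:44:31+0000] msg=<POLICY [ReadOnly] C--------TS>, path=</usr/sbin/sshd>, size_old=<512000>, size_new=<513024>
EOF
}

# Usage: sh filter-samhain.sh /var/log/samhain.log /var/lib/puppet/state/state.yaml
if [ $# -eq 2 ]; then
    filter_samhain_report "$1" "$2"
fi
```

On the constructed sample only the sshd_config line is dropped. The motd line survives because puppet checked that file but did not change it, so the change samhain saw is not puppet's and is worth a look. The /usr/sbin/sshd line survives too: state.yaml names the Package resource, not the files the upgrade touched, which is Robin's "packages set to latest" case; a file list such as the one vagn's `dpkg -L PACKAGENAME` produces for each synced package could be appended to the same pattern file. Run the filter on a report taken after the puppet run it is matched against, since state.yaml only describes the last run.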
Re: [Puppet Users] Dealing with samhain
(zombie thread rar!)

Where this comes up for me is when I have packages set to latest.
There's not really any way, I don't think, to integrate samhain into
this process (that is, to say "I just installed this package with apt,
so update those files"), which is pretty unfortunate, really; that
seems like a fairly basic feature for something like samhain.
Something like "run this, and update every file it touches, cuz I'm OK
with that".

-Robin

On Fri, Jan 08, 2010 at 09:06:13PM -0500, Trevor Vaughan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Vince,
>
> If you really want to do this, I would do the first scenario you
> describe with a few key points.
>
> 1) Let puppet run
> 2) Have an exec in puppet that runs a job in the background that does
>    the following:
>    - Waits until all puppet instances have finished running
>    - Runs a samhain check against the system and e-mails/syslogs it
>      to the admin
>    - Re-initializes the database.
>
> This way, you're sure that puppet is done running and you get a copy
> of the last 'change' state of the system in case someone has planted
> something since the last run.
>
> Basically, you're effectively defeating a great deal of the purpose
> of samhain, which is to protect against unknown changes. If you
> automatically reinitialize the database, then you run the high risk
> of someone being able to plant something during the next
> initialization. You also are going to be putting a heavy load on
> your system on a fairly regular basis.
>
> What I would instead suggest is to only use samhain to monitor those
> items that Puppet is not already watching. Puppet will, of course,
> change any file to its proper state, so having samhain watch it as
> well is redundant effort on the part of your system.
>
> You may, however, have perfectly good reasons for doing it this way.
>
> If you're using a Linux or Solaris system, you may also want to look
> at the built in auditing subsystems and/or inotify for real-time
> notification functionality.
>
> Trevor
>
> On 01/08/2010 04:41 PM, Vince wrote:
>> We just started using samhain on our servers.  Since updates to our
>> puppet manifests tend to change files on the system that samhain
>> monitors, I'm looking for a good way to reinitialize the samhain
>> database whenever puppet changes something on the system to reduce
>> notifications that samhain produces.
>
> - -- 
> Trevor Vaughan
> Vice President, Onyx Point, Inc.
> email: tvaug...@onyxpoint.com
> phone: 410-541-ONYX (6699)
>
> - -- This account not approved for unencrypted sensitive information --
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAktH5JEACgkQyWMIJmxwHpTUQQCgrGD90YQcMiUV7SbsrNNIrY7h
> 884An0f6XKVrqGKnXKVkWfoFwBPbtQfC
> =wp0h
> -----END PGP SIGNATURE-----

-- 
http://singinst.org/ :  Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei".   My personal page: http://www.digitalkingdom.org/rlp/
[Puppet Users] Dealing with samhain
We just started using samhain on our servers.  Since updates to our puppet
manifests tend to change files on the system that samhain monitors, I'm
looking for a good way to reinitialize the samhain database whenever puppet
changes something on the system, to reduce the notifications that samhain
produces.  I'm wondering if anyone has an elegant way of dealing with this.

Ideally we do something like this:

1. let puppet run
2. if any files changed during the puppet run, then puppet will
   automatically reinitialize samhain

or even if we can do something like this it would be fine:

1. have puppet disable samhain before it processes its manifests
2. apply manifest changes
3. reinitialize the samhain database
4. enable samhain

Any suggestions would be very helpful.

Thanks.
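The sequence Trevor recommends (wait for puppet to finish, run a check so the last delta is logged, then re-initialize) and the "apply, then reinitialize" ordering Vince asks for, as one script that a puppet exec could launch in the background. This is an added example, not code from the thread, from Puppet or from the samhain project. The lock-file path (puppet 2.x agent lock), the baseline database path (Debian's default) and samhain's `-t check`/`-t init`/`--foreground` switches are assumptions taken from the tools' documentation of that era; confirm them against your installed versions.

```shell
#!/bin/sh
# Added example: re-baseline samhain only after puppet is done, keeping a
# report of everything that changed since the previous baseline first.
# All three settings below are assumptions; override them from the environment.
PUPPET_LOCK="${PUPPET_LOCK:-/var/lib/puppet/state/puppetdlock}"   # assumed puppet 2.x agent lock file
SAMHAIN_DB="${SAMHAIN_DB:-/var/lib/samhain/samhain_file}"          # assumed samhain baseline database
WAIT_LIMIT="${WAIT_LIMIT:-600}"                                     # seconds to wait for puppet to finish

# Block while a puppet agent run holds the lock. Returns 1 on timeout so the
# caller never re-baselines while puppet may still be changing files.
wait_for_puppet() {
    waited=0
    while [ -e "$PUPPET_LOCK" ]; do
        [ "$waited" -lt "$WAIT_LIMIT" ] || return 1
        sleep 5
        waited=$((waited + 5))
    done
    return 0
}

# One foreground check: samhain reports the delta (puppet's changes plus
# anything else) through whatever syslog/mail settings its config has, which
# is the "copy of the last change state" Trevor wants kept.
run_check() {
    samhain -t check --foreground
}

# Move the old baseline aside before init: samhain -t init appends to an
# existing database file, so initializing over it would keep stale entries.
# The dated copy is also what you diff against if the check found something
# puppet did not do.
rebaseline() {
    if [ -e "$SAMHAIN_DB" ]; then
        mv "$SAMHAIN_DB" "$SAMHAIN_DB.$(date +%Y%m%d%H%M%S)"
    fi
    samhain -t init
}

post_puppet_samhain() {
    wait_for_puppet || {
        echo "puppet still running after ${WAIT_LIMIT}s; not re-baselining" >&2
        return 1
    }
    run_check
    rebaseline
}

# Usage: sh post-puppet-samhain.sh run   (e.g. from a puppet exec, backgrounded)
if [ "${1:-}" = "run" ]; then
    post_puppet_samhain || exit 1
fi
```

The ordering is the whole point: the check runs before the init, so a file planted between two puppet runs shows up in the report instead of being silently accepted into the new baseline. Trevor's caveat still stands, though: every automatic re-init is a window in which a change gets accepted, so the report this produces has to actually be read, and samhain is better pointed at paths puppet does not manage.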