Package: cfengine3
Version: 3.0.5+dfsg-1
Severity: important
In order to track whether or not a setuid root program is "new", cfengine3 writes a list of these files to /var/lib/cfengine3/cfagent.HOSTNAME.log. The first problem I encountered is that cfengine3 does not create this file if it does not exist, leading to the following error message:

    cf_ds_ajlc_waterloo_on_ca__1352259918_Tue_Nov__6_22_45_18_2012__b73fe8d0: !! Can no longer access file /var/lib/cfengine3/cfagent.ds.log, which needed editing!

If I create this file, I run into the second problem, which is that if you do a files_changed check on more than one directory, the file is overwritten for each directory. So if I run files_changed on /sbin and /usr/sbin, when it scans /sbin, cfagent.HOSTNAME.log contains all the suid files in /sbin; then when it runs on /usr/sbin, none of the suid files match, it complains about them, and overwrites the file with all the suid files in /usr/sbin. So on the next run, when it scans /sbin, none of the files match, it overwrites the file, ... Basically, the check for new suid files is useless, since they will all be reported as new every time.

Here's the bundle that does this. I also turn on file_changes reports in the control bundle, but I don't have setuid turned on.
    ################################################
    # Manage tripwire functionality
    ################################################
    # $Id: tripwire.cf,v 1.3 2012-11-07 03:51:09 ajlill Exp $

    bundle agent tripwire
    {
    vars:
      "ordinary" slist => { "/boot", "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/lib", "/usr/lib" };
      "homedirs" slist => readstringlist("/etc/passwd","#",":",1000,100000);

    files:
      # the log cf-agent expects but never creates (see the first problem above)
      "$(sys.workdir)/cfagent.$(sys.host).log"
        comment => "Work around a bug in debian package",
        perms   => mo("600","root"),
        create  => true;

      tripwire::
      "/etc"
        changes      => lay_a_tripwire,
        depth_search => recurse("inf"),
        file_select  => exclude_active_etc,
        action       => measure("/etc");

      "$(homedirs)/.ssh"
        changes      => lay_a_tripwire,
        depth_search => recurse("1"),
        file_select  => authorized_keys,
        action       => measure("$(this.promiser)");

      "$(ordinary)"
        changes      => lay_a_tripwire,
        depth_search => recurse("inf"),
        file_select  => exclude_cfsaved,
        action       => measure("$(this.promiser)");
    }

    body file_select exclude_cfsaved
    {
      leaf_name   => { ".*\.cfsaved", ".*~", "#.*" };
      file_result => "!leaf_name";
    }

    body file_select exclude_active_etc
    {
      leaf_name   => { ".*.cf", "mtab", ".*\.cfsaved", "\.depend\..*", "adjtime", ".*~", "#.*" };
      file_result => "!leaf_name";
    }

    body file_select authorized_keys
    {
      leaf_name   => { "authorized_keys", "authorized_keys2" };
      file_result => "leaf_name";
    }

    body action measure(dir)
    {
      measurement_class => "Detect Changes in $(dir)";
      ifelapsed         => "240";   # 4 hours
      expireafter       => "240";   # 4 hours
    }

    body changes lay_a_tripwire
    {
      hash           => "md5";
      report_changes => "content";
      updatetrp::
      update_hashes  => "yes";
    }

    # $Log: tripwire.cf,v $
    # Revision 1.3  2012-11-07 03:51:09  ajlill
    # Find a better way to check homedirectories, try a workaround to setuid
    # whining
    #
    # Revision 1.2  2012-11-06 01:07:42  ajlill
    # Extend tripwire to all directories
    #
    # Revision 1.1  2012-11-05 21:28:27  ajlill
    # Add tripwire
    #

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.37.1 (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages cfengine3 depends on:
ii  libc6         2.11.3-4            Embedded GNU C Library: Shared lib
ii  libdb4.8      4.8.30-2            Berkeley v4.8 Database Libraries [
ii  libpcre3      8.02-1.1            Perl 5 Compatible Regular Expressi
ii  libssl0.9.8   0.9.8o-4squeeze13   SSL shared libraries

cfengine3 recommends no packages.

cfengine3 suggests no packages.

-- Configuration Files:
/etc/default/cfengine3 changed:
RUN_CFMONITORD=1
RUN_CFSERVERD=0
RUN_CFEXECD=1
CFMONITORD_OPTS=""
CFSERVERD_OPTS=""
CFEXECD_OPTS=""

-- no debconf information
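The baseline behaviour the report is asking for (one list of known setuid files that a scan of /sbin and a later scan of /usr/sbin both update without clobbering each other), as an added illustration that is not part of the bug report or of the cfengine3 package. The script, its function names and the baseline path are constructed for this example; a run over a subset of directories only replaces the baseline entries under those directories.

```shell
#!/bin/sh
# Constructed example (not cfengine code): keep one cumulative baseline of
# setuid files across several directories. A run that scans only some of
# the directories updates just the baseline entries under those directories,
# so scanning /sbin and then /usr/sbin no longer clobbers each other's list.

# suid_scan DIR... : sorted list of regular files with the setuid bit set.
suid_scan() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | sort -u
}

# suid_check BASELINE DIR... : report files that are setuid now but absent
# from BASELINE, then rewrite BASELINE = (old entries outside DIR...) +
# (current scan of DIR...). Creates BASELINE if missing. Returns 1 when
# new setuid files were found, 0 otherwise.
suid_check() {
    baseline=$1; shift
    [ -f "$baseline" ] || : > "$baseline"          # do not fail on first run
    sort -u -o "$baseline" "$baseline"             # comm(1) needs sorted input
    cur=$(mktemp) && keep=$(mktemp) || return 2
    suid_scan "$@" > "$cur"
    # Baseline entries that live outside the scanned directories are kept
    # as-is (assumes directory names carry no regex metacharacters).
    cp "$baseline" "$keep"
    for d in "$@"; do
        d=${d%/}
        grep -v "^$d/" "$keep" > "$keep.t" || true
        mv "$keep.t" "$keep"
    done
    # Lines only in the current scan are the new setuid files.
    new=$(comm -13 "$baseline" "$cur")
    sort -u "$keep" "$cur" > "$baseline"
    rm -f "$cur" "$keep"
    [ -z "$new" ] && return 0
    printf '%s\n' "$new" | sed 's/^/new setuid file: /'
    return 1
}

# Usage: sh suidcheck.sh /var/lib/suid.baseline /sbin /usr/sbin
if [ "$#" -ge 2 ]; then
    suid_check "$@"
fi
```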