[Gllug] Production system - Linux 2.4.24, LVM and cciss

Rickey Costas rickey at lefteris.co.uk
Mon Jan 12 17:58:09 UTC 2004


Bruce Richardson wrote:

> On Mon, Jan 12, 2004 at 04:46:45PM +0000, Rickey wrote:
>
> With cfengine you describe the state your machines *should* be in and it
> makes such changes as are necessary to achieve that.  It makes it a
> useful tool for imposing security policy.

Why not just obliterate the local config each time from a centrally held 
config using something like cvs or rsync?  How is cfengine better than 
some simple scripting, or tripwire say?

> To take a simple example, consider the /home directory.  Linux systems
> often configure the permissions on these in eccentric ways and admin
> tampering can leave a network with a range of /home set-ups across the
> network.  cfengine (assuming it is already installed) lets you tidy that
> up quite simply.  You just add a line to the config file on the cfengine
> master describing what the permissions on /home should be, and all the
> machines on the network will change to match.

Couldn't that be part of the local machine's daily jobs?  Say rsync a 
file which the machine's local cron runs to check the perms?


> This is already simpler than the only practical alternative (in the
> absence of cfengine or a similar tool), which is to use ssh to change
> the permissions on each host. 

Bad form to immediately state something is the only solution to a 
problem you have just presented, no ;-)

> Now consider that cfengine is typically
> run in a regular cronjob, which means that it will correct any tampering
> (malicious or absent-minded) within hours.  Then consider that cfengine
> allows you to place hosts into multiple, arbitrary classes, allowing you
> to specify different /home permissions for the different classes.  You
> can use cfengine to associate a huge range of configuration options with
> different classes.  Done properly, reconfiguring a server to reflect a
> change in function becomes as simple as changing the class(es) of the
> host and waiting.

I'm not seeing the advantage this has over some simple scripting with 
cvs and cron.

Cheers,

Rickey.

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
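As an added illustration of the cron-and-script alternative Rickey proposes (not code from the thread or from cfengine), the following plain-shell check models the cfengine idea of a central policy table plus host classes: it compares the real mode of a path with the declared one, reports drift, and repairs it only when FIX=1. The class names and paths are hypothetical, and GNU stat(1) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-driven "desired state" check in
# plain shell, modelling the cfengine idea of a central policy plus host classes.
# The policy table would be fetched centrally (cvs/rsync) before each run.
# Hypothetical class names and paths; GNU stat(1) is assumed.

# Policy: one entry per line, "class path mode". A specific class beats "any".
POLICY='
any        /home      755
webserver  /home      750
any        /etc/ssh   755
'

# Print the mode wanted for path $2 on a host whose classes are listed in $1
# (space separated, e.g. "any webserver"); prints nothing if no entry applies.
desired_mode() {
    mode=''
    while read -r class p m; do
        [ -n "$class" ] && [ "$p" = "$2" ] || continue
        case " $1 " in
            *" $class "*) if [ -z "$mode" ] || [ "$class" != any ]; then mode=$m; fi ;;
        esac
    done <<EOF
$POLICY
EOF
    printf '%s\n' "$mode"
}

# Compare the real mode of ROOT$2 with policy. Returns 0 when compliant or
# repaired (FIX=1), 1 when drift remains; drift is reported on stderr either
# way so the cron mail or log shows what changed on the host.
enforce_mode() {
    want=$(desired_mode "$1" "$2")
    [ -n "$want" ] || return 0                 # nothing declared for this path
    target="${ROOT:-}$2"
    have=$(stat -c '%a' "$target") || return 1 # missing path counts as drift
    [ "$have" = "$want" ] && return 0
    echo "DRIFT $target mode=$have want=$want" >&2
    if [ "${FIX:-0}" = 1 ]; then
        chmod "$want" "$target" && return 0
    fi
    return 1
}

# Typical cron line (hypothetical): 0 * * * * FIX=1 /usr/local/sbin/permcheck
```

Owner and group can be checked the same way with stat's %U and %G; ROOT exists only so the check can be exercised against a scratch directory instead of the live filesystem.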