[Gllug] Production system - Linux 2.4.24, LVM and cciss
Rickey Costas
rickey at lefteris.co.uk
Mon Jan 12 17:58:09 UTC 2004
Bruce Richardson wrote:
> On Mon, Jan 12, 2004 at 04:46:45PM +0000, Rickey wrote:
>
>
> With cfengine you describe the state your machines *should* be in and it
> makes such changes as are necessary to achieve that. It makes it a
> useful tool for imposing security policy.
Why not just obliterate the local config each time from a centrally held
config using something like cvs or rsync? How is cfengine better than
some simple scripting, or tripwire, say?
> To take a simple example, consider the /home directory. Linux systems
> often configure the permissions on these in eccentric ways and admin
> tampering can leave a network with a range of /home set-ups across the
> network. cfengine (assuming it is already installed) lets you tidy that
> up quite simply. You just add a line to the config file on the cfengine
> master describing what the permissions on /home should be, and all the
> machines on the network will change to match.
Couldn't that be part of the local machine's daily jobs? Say, rsync a
file which the machine's local cron runs to check the perms?
> This is already simpler than the only practical alternative (in the
> absence of cfengine or a similar tool), which is to use ssh to change
> the permissions on each host.
Bad form to immediately state something is the only solution to a
problem you have just presented, no? ;-)
> Now consider that cfengine is typically
> run in a regular cronjob, which means that it will correct any tampering
> (malicious or absent-minded) within hours. Then consider that cfengine
> allows you to place hosts into multiple, arbitrary classes, allowing you
> to specify different /home permissions for the different classes. You
> can use cfengine to associate a huge range of configuration options with
> different classes. Done properly, reconfiguring a server to reflect a
> change in function becomes as simple as changing the class(es) of the
> host and waiting.
I'm not seeing the advantage this has over some simple scripting with
cvs and cron.
Cheers,
Rickey.
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug