Darc - config file

[jacob martinson]

Ted,

I just put another version out there.  I didn't add code to make sure
the local binaries are executable (there are a number of different
binaries darc runs on the management system and I'm not in a position
at the moment to make all the changes to check everywhere) but I did
improve the error reporting so instead of getting the ambiguous
message you saw earlier you'll see this:

'Error running aide in compare mode'
nice: /usr/local/bin/aide: Permission denied

or whatever the details are for the particular problem that was
encountered.  I'm hoping that will at least reduce the amount of time
it takes to track down the problem.  I thought that was how it worked
before but I had made a mistake in my code that prevented the detailed
errors from coming through.

Also, I added a new option...  --only-email-failures

This causes the email reports to only be sent if one or more hosts
failed a check or was unable to be checked for some reason.  I didn't
include that option initially because I think it could give the admin
a false sense of security.  If he gets used to not seeing reports come
in he won't know if something breaks that causes reporting to not work
- like the mail server getting owned for instance.  But... to each his
own... it wasn't difficult to add and you've been so much help I
couldn't say no =)

I also changed the name of the sample config from config.py to
sample_config.py so you *should* be able to just unpack the binaries
on top of the old ones to upgrade.

Also, I changed the default recipient list so my gmail account isn't
in there.  Thanks for that one =)

-jacob


On 5/1/06, Ted M Harapat <ted.harapat at planetdiscover.com> wrote:
> Ah, I never tried the CLI output. Now that I look I see so much good
> info in there.
>
> Excellent point about the ssh key changing. One forgets that there is a
> purpose to alert you of a change after so long.
>
> I am surprised how fast it runs the check. I have 61 hosts and it takes
> a 61-62 seconds to check them all.
>
> Everything is looking good. Thanks again for the changes.
>
> -ted
>
>
> jacob martinson wrote:
> > my responses are inline...
> >
> > On 5/1/06, Ted M Harapat <ted.harapat at planetdiscover.com> wrote:
> >> Jacob,
> >>
> >> Okay, I'm up to 0.3.49 now.
> >>
> >> I didn't see an obvious way to do the upgrade so I just copied the .py
> >> files and then stole the part with the defined hosts in the config.py
> >> file and put it in the new one. I ran it once before pulling your email
> >> out as the recipient so you might have gotten one of my reports. (You
> >> ought to change it to a bogus domain at least so you don't get lots of
> >> these from future users each night.)
> >>
> >
> > hahaha, excellent suggestion, thanks =)
> >
> >> I don't quite understand the ssh key auto-population. At least I've
> >> never heard of anything that did it. But next time a host changes I'll
> >> be thankful its in there.
> >
> > This won't pick up a *changed* host key, it just stores it if it isn't
> > already there.  You don't want it to automatically swap out a changed
> > key because a changed key is the only indicator you're going to get if
> > someone is running a man in the middle attack on you.
> >
> >> One gotcha you need to add is to tell them to make sure the aide binary
> >> is executable on the Management system. I didn't have that and I was
> >> getting countless "Error running aide in compare mode" errors. Took me a
> >> bit to realize that the local binary was why.
> >
> > I will add a check to automatically try to chmod +x the binaries if
> > they're not exectuable and report a more detailed error if the chmod
> > is unsuccessful.
> >
> >>
> >> Once done, I got a clean report from my hosts then added a
> >> evil_guy_shell.sh script and that was picked up and displayed perfectly
> >> in the email report. So it worked beautifully! I love the new report
> >> format - good enough to give a non technical person (manager) an email
> >> copy without touch up. Thanks for the work on here. It worked before but
> >> now it really shines.
> >>
> >
> > thanks, that was my goal =)
> >
> >> Is the only way to update the database to run the "--update-all" flag? I
> >> saw that in the new version notes but not in the other docs. Or did I
> >> skim it too fast?
> >
> > you can update an individual host's baseline with the -u option -
> >
> > ./darc.py -c config.py -u hostname
> >
> > it's in the command line help output -
> >
> >  -uUPDATE_HOST, --update=UPDATE_HOST
> >                        Update baseline database with the contents of
> > the most
> >                        recent archive database (based on timestamped
> > directory
> >                        and filename paths).  Used when you want to
> > acknowledge
> >                        and accept the filesystem changes in the last
> > report
> >                        for a particular host.
> >
> >>
> >> Perhaps a feature to add (unless I missed it already being there), is to
> >> not send a report if all the hosts passed. I can filter it out on the
> >> mail client but it might be a nice "quiet" option.
> >>
> >
> > i'll see what i can do =)
>