[osiris-devel] Feature Request - Dated Ignores

Jason 'XenoPhage' Frisvold friz at godshell.com
Tue Jun 1 10:38:32 EDT 2004


On Sun, 2004-05-30 at 13:01, Brian Wotring wrote:
> A couple of thoughts:
> 
> First, the scan configuration files have nothing really to do with the 
> comparison process.  That is, the scan configs are not consulted during 
> the comparison process, only when performing a scan.   I think adding 
> this to the configuration syntax would complicate it a great deal, as 
> well as require changes to the management console's analysis engine.

Good point, didn't think of that :)

> Second, this is only half the solution.  I'm sure you've thought of 
> this, but because it is so important I think I should mention it.  In 
> order to maintain any sort of faith in the integrity of these files, 
> you have to know the time window, and more importantly, the next 
> resultant state of the files.  That is, a time window alone is almost 
> worthless because in the cases you've listed you will have to leave 
> some breathing room and that means that any change in that window would 
> be considered legitimate; not a good thing ;)

Yeah, I thought about the time window... was thinking of putting a
variable in there to allow a +- change in time...

> As far as managing the alerts go, I think it falls outside the scope of 
> the management console.  If you know the schedules of these items, you 
> should be able to deal with this at a higher level.  For example, email 
> notifications could easily be filtered/archived according to content.  
> For syslog entries, a log analysis program (e.g. swatch) could easily 
> be used to look for these scheduled changes and report on the ones that 
> fall outside of your time window, and deal with the time window problem 
> by triggering an alert if more than one change happens inside that 
> window.

I'll check out swatch ... I figured this might fall outside of the scope
of this ...  The problem that I see is that I know these files will
change at a certain time due to cronjobs, log rotations, etc.  So I'm
expecting the mails from osiris explaining that the checksum changed,
the ctime changed, etc ...  I could just dump those messages, but they
continue to come in until the database is updated...  Which is why I
thought the best place to deal with this would be at the source....

> I hope this helps.

Yup :)

-- 
---------------------------
Jason 'XenoPhage' Frisvold
Engine / Technology Programmer
friz at godshell.com
RedHat Certified - RHCE # 803004140609871
MySQL Pro Certified - ID# 207171862
MySQL Core Certified - ID# 205982910
---------------------------
"Something mysterious is formed, born in the silent void. Waiting alone
and unmoving, it is at once still and yet in constant motion. It is the
source of all programs. I do not know its name, so I will call it the
Tao of Programming."
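Brian's log-analysis suggestion above (suppress changes that land inside a known window, but still alert when more than one change happens inside it, or when a change falls outside it), worked through as an added example. This is not code from the thread or from Osiris: the syslog-style line format, the host and file names, and the schedule are all constructed for the example and are not Osiris's real log output. One scan that reports several attribute changes for the same file (ctime plus checksum from a single log rotation) is counted as one change, so the "more than one change" rule fires only on a second scan's worth of changes.

```python
"""Triage change notifications against a schedule of expected changes.

Added example, not part of the osiris-devel post or of Osiris itself. The log
line format is a constructed syslog-style line, not Osiris's real output, and
the schedule below is an assumption for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: timestamp, host, path, attribute that changed.
SAMPLE_LOG = """\
2004-06-01 04:02:17 web1 osiris: change /var/log/messages ctime
2004-06-01 04:02:17 web1 osiris: change /var/log/messages checksum
2004-06-01 04:03:05 web1 osiris: change /var/log/secure checksum
2004-06-01 04:05:40 web1 osiris: change /var/log/messages checksum
2004-06-01 13:17:02 web1 osiris: change /var/log/messages checksum
2004-06-01 13:17:02 web1 osiris: change /etc/passwd checksum
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) osiris: "
    r"change (?P<path>\S+) (?P<attr>\S+)$"
)

# Hypothetical schedule: path -> (expected time of day, tolerance in minutes).
# The tolerance is the "breathing room" for a cron job that does not start
# on the exact second; the change count below closes the gap that opens.
SCHEDULE = {
    "/var/log/messages": ("04:00", 10),
    "/var/log/secure": ("04:00", 10),
}

UNSCHEDULED = "unscheduled file changed"
OUTSIDE_WINDOW = "change outside expected window"
REPEATED = "more than one change inside window"


def parse(log_text):
    """Return (timestamp, host, path, attr) tuples; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["host"], m["path"], m["attr"]))
    return events


def in_window(ts, expected_hhmm, tolerance_min):
    """True when ts is within +/- tolerance of the expected time on that day."""
    hh, mm = (int(x) for x in expected_hhmm.split(":"))
    expected = ts.replace(hour=hh, minute=mm, second=0, microsecond=0)
    return abs(ts - expected) <= timedelta(minutes=tolerance_min)


def triage(log_text, schedule=SCHEDULE):
    """Split notifications into (suppressed, alerts).

    suppressed: (ts, path, [attrs]) for the one expected change per window
    alerts:     (ts, path, reason) for everything that needs a human
    """
    # One scan reporting ctime and checksum for the same file is one change.
    changes = {}
    for ts, host, path, attr in parse(log_text):
        changes.setdefault((host, path, ts), []).append(attr)

    seen = {}  # (host, path, date) -> changes already accepted in the window
    suppressed, alerts = [], []
    for (host, path, ts), attrs in sorted(changes.items()):
        if path not in schedule:
            alerts.append((ts, path, UNSCHEDULED))
            continue
        expected, tolerance = schedule[path]
        if not in_window(ts, expected, tolerance):
            alerts.append((ts, path, OUTSIDE_WINDOW))
            continue
        key = (host, path, ts.date())
        seen[key] = seen.get(key, 0) + 1
        if seen[key] > 1:
            # Second distinct change inside the window: the window alone would
            # have hidden it, which is the weakness Brian points out.
            alerts.append((ts, path, REPEATED))
        else:
            suppressed.append((ts, path, attrs))
    return suppressed, alerts


if __name__ == "__main__":
    quiet, loud = triage(SAMPLE_LOG)
    for ts, path, attrs in quiet:
        print("ok     ", ts, path, ",".join(attrs))
    for ts, path, reason in loud:
        print("ALERT  ", ts, path, reason)
```

On the sample above the 04:02 rotation of /var/log/messages and the 04:03 change to /var/log/secure are suppressed; the 04:05 second change to /var/log/messages, the 13:17 change to it, and the change to /etc/passwd are all alerted. The window is evaluated against the same calendar day, so a schedule that straddles midnight would need the expected time shifted accordingly.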