[osiris-devel] Re: [osiris] Creating a filter for modules
Alexei_Roudnev
Alexei_Roudnev at exigengroup.com
Mon Jun 7 13:47:34 EDT 2004
I do not remember if it was fixed in osiris 4, but osiris 2 has a serious
stability problem - if it failed while writing some database (say, no disk
space), it left this database in a corrupted state, and the next scans will
cause osirismd to fail, making normal system work impossible. I remember a
discussion about removing database files before writing them, but I do
not remember our conclusion - how it is implemented in osiris4.
It is a serious problem, because it means that after you deploy the whole
system (say, on 100 servers) and run it successfully for a while (say, 1 year -
so that it is supported by OPS people, not by skilled designers / developers),
it suddenly stops working, and the fix requires understanding what's going on,
finding the damaged database and removing it, which is annoying if done
manually, and is not easy to automate.
Alex Roudnev
PS. I am writing a script which will remove expired and unused databases
older than some time, but such a script is not able to remove a damaged
database, because it is not clear how to recognize it. Do you have any idea
how to determine the 'current' database from a perl/shell script?
PPS. What was the decision about database expiration in osiris4? I remember a
discussion, but unfortunately the only proposed approach was to remove the old
database at once, which makes any forensics impossible - I prefer to set a
number of old databases (say, 2) which are saved, and remove the 'DB - NN'
database only.
>
> Currently, filters do not apply to modules, but I think this should be
> possible. I will add this to the feature list. Thanks.
>
> On Jun 7, 2004, at 9:47 AM, David Vasil wrote:
>
> > I am using osiris in a shop of mixed solaris / linux servers
> > and workstations. When using the mod_kmods module, I would like
> > to create a filter so that modules that are autocleaned do not
> > set off a warning when they are scanned. Specifically the nfs
> > module in a linux environment. Here is an example log message:
> >
> > -----
> > [223][changed-hostname][cmp][mod_kmods][kern:nfs][nfs
> > 84600 19 (autoclean),nfs 84600 20 (autoclean)]
> > -----
> >
> > I have been able to set up filters for file system based filters
> > but have not been able to create one for mod_kmods yet and would
> > like to have these messages ignored. I have tried to create a
> > filter like this:
> >
> > -----
> > host=*;path=mod_kmods;include only: missing new ;
> > -----
> >
> > and it still sends the cmp messages. In fact, when I added this
> > rule, I began receiving messages from an old filter I created
> > which was working great until the mod_kmods filter was added:
> >
> > -----
> > host=*;path=/usr/local/etc/postfix/prng_exch;include only: perm uid
> > gid missing ;
> > -----
> >
> > and I kept receiving email for this rule until I removed both filters
> > and re-added the filter for prng_exch. Is there a way to create
> > a filter for modules? If not, would this be something to include
> > in future versions?
> >
> > --
> > +------------------------------------------------------------+
> > | Dave Vasil vasil at cs.utk.edu |
> > | University of Tennessee Computer Science Dept. |
> > | UTKCS Systems Administrator 865-974-8364 |
> > +------------------------------------------------------------+
> > _______________________________________________
> > osiris mailing list
> > osiris at lists.shmoo.com
> > https://lists.shmoo.com/mailman/listinfo/osiris
> --
> Brian Wotring ( brian at shmoo.com )
> PGP KeyID: 0x9674763D
>
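The mod_kmods message quoted in this thread shows an nfs entry whose only difference between old and new value is the third number. As an added example (not part of the original thread and not Osiris code), a post-filter over log output that drops only such records and keeps every other module change. It assumes each record is a single line of six bracketed fields as in the quoted message, and that a module entry reads `name size use-count (flags)` as lsmod prints it; the function names and the second and third sample lines are constructed.

```python
import re

# Assumed record layout, from the quoted message: five bracketed fields
# (the third is the record type, the fourth the module) and a value field.
RECORD = re.compile(r"^" + r"\[([^\]]*)\]" * 5 + r"\[(.*)\]$")
# Assumed module entry layout (as in lsmod output): name size use-count (flags)
ENTRY = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)(?:\s+\(([^)]*)\))?$")

SAMPLE = [
    # From the post, joined onto one line:
    "[223][changed-hostname][cmp][mod_kmods][kern:nfs][nfs 84600 19 (autoclean),nfs 84600 20 (autoclean)]",
    # Constructed: module size changed, which must still be reported
    "[224][changed-hostname][cmp][mod_kmods][kern:nfs][nfs 84600 19 (autoclean),nfs 91200 19 (autoclean)]",
    # Constructed: use count changed on a module that is not autoclean
    "[225][changed-hostname][cmp][mod_kmods][kern:ext3][ext3 64624 2,ext3 64624 3]",
]


def parse_entry(text):
    """Split one module entry into (name, size, use_count, flags)."""
    m = ENTRY.match(text.strip())
    if not m:
        return None
    name, size, count, flags = m.groups()
    return name, int(size), int(count), flags or ""


def is_autoclean_count_noise(line):
    """True only for a mod_kmods 'cmp' record whose old and new entries
    differ in nothing but the use count and are both marked autoclean."""
    m = RECORD.match(line.strip())
    if not m:
        return False  # unparseable records are never suppressed
    rtype, module, value = m.group(3), m.group(4), m.group(6)
    if rtype != "cmp" or module != "mod_kmods":
        return False
    parts = value.split(",")
    if len(parts) != 2:
        return False
    old, new = parse_entry(parts[0]), parse_entry(parts[1])
    if old is None or new is None:
        return False
    # Name, size and flags must be identical; only the use count may differ.
    same_identity = old[0] == new[0] and old[1] == new[1] and old[3] == new[3]
    return same_identity and "autoclean" in old[3].split()


def filter_log(lines):
    """Return the records that should still reach the administrator."""
    return [ln for ln in lines if not is_autoclean_count_noise(ln)]
```

The filter fails open: anything it cannot parse, and any change to a module's name, size or flags, is passed through rather than dropped.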