[osiris-devel] Feature Request - Dated Ignores

Brian Wotring brian at shmoo.com
Sun May 30 13:01:33 EDT 2004


A couple of thoughts:

First, the scan configuration files have nothing really to do with the 
comparison process.  That is, the scan configs are not consulted during 
the comparison process, only when performing a scan.   I think adding 
this to the configuration syntax would complicate it a great deal, as 
well as require changes to the management console's analysis engine.

Second, this is only half the solution.  I'm sure you've thought of 
this, but because it is so important I think I should mention it.  In 
order to maintain any sort of faith in the integrity of these files, 
you have to know the time window, and more importantly, the next 
resultant state of the files.  That is, a time window alone is almost 
worthless because in the cases you've listed you will have to leave 
some breathing room and that means that any change in that window would 
be considered legitimate; not a good thing ;)

As far as managing the alerts go, I think it falls outside the scope of 
the management console.  If you know the schedules of these items, you 
should be able to deal with this at a higher level.  For example, email 
notifications could easily be filtered/archived according to content.  
For syslog entries, a log analysis program (e.g. swatch) could easily 
be used to look for these scheduled changes and report on the ones that 
fall outside of your time window, and deal with the time window problem 
by triggering an alert if more than one change happens inside that 
window.

I hope this helps.

On May 30, 2004, at 9:32 AM, Jason 'XenoPhage' Frisvold wrote:

> Hi all,
>
> During certain scheduled times, files on my system are set to change..
> Most notable are rebuilds of ssl certs, and lockfiles for running
> processes when logs rotate.  I know about these, and I'd like to
> automatically ignore them on a regular schedule.  However, if they
> change outside of that schedule, I need to know since there may be a problem..
>
> So, I propose adding some sort of ignore system to osiris that would
> allow a user to ignore a file during a certain period of time.  Obviously the
> system would have to rehash that file and automatically add it to the
> db...  I was imagining something like this:
>
> IgnoreFile "filename" "0 0 * * *"
>
> Where the first field is the filename and the second field is a
> crontab-like entry of the time to ignore the file...  ie, in the above
> example, it would ignore the file at midnight each night...
>
> Thoughts, comments, flames?  :)
>
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> Engine / Technology Programmer
> friz at godshell.com
> RedHat Certified - RHCE # 803004140609871
> MySQL Pro Certified - ID# 207171862
> MySQL Core Certified - ID# 205982910
> ---------------------------
> "Something mysterious is formed, born in the silent void. Waiting alone
> and unmoving, it is at once still and yet in constant motion. It is the
> source of all programs. I do not know its name, so I will call it the 
> Tao
> of Programming."
--
     Brian Wotring ( brian at shmoo.com )
     PGP KeyID: 0x9674763D
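Brian's suggestion above (a log watcher that accepts one change inside the scheduled window and alerts on anything outside it, or on a second change inside it) combined with Jason's crontab-like IgnoreFile syntax, as an added Python example. This is not Osiris or swatch code; the log line format, file paths, timestamps and the five-minute window are constructed assumptions for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real Osiris output); assumed line format:
# "<ISO timestamp> change: <path>"
SAMPLE_LOG = """\
2004-05-30T00:00:12 change: /etc/ssl/server.crt
2004-05-30T00:01:40 change: /etc/ssl/server.crt
2004-05-30T13:05:00 change: /var/lock/syslogd.pid
2004-05-31T00:00:05 change: /var/lock/syslogd.pid
2004-05-31T00:00:30 change: /etc/ssl/server.crt
"""
# Proposed IgnoreFile entries: path -> crontab-like schedule (assumed paths)
RULES = {
    "/etc/ssl/server.crt": "0 0 * * *",
    "/var/lock/syslogd.pid": "0 0 * * *",
}
WINDOW = timedelta(minutes=5)  # breathing room after each scheduled minute


def cron_matches(expr, ts):
    """Minimal crontab matcher: each field is '*' or a comma list of ints."""
    values = (ts.minute, ts.hour, ts.day, ts.month, ts.isoweekday() % 7)
    return all(f == "*" or v in map(int, f.split(","))
               for f, v in zip(expr.split(), values))


def scheduled_start(expr, ts, window=WINDOW):
    """Return the scheduled minute whose [start, start + window) covers ts,
    or None when ts falls outside every scheduled window."""
    minute = ts.replace(second=0, microsecond=0)
    for back in range(int(window.total_seconds() // 60) + 1):
        cand = minute - timedelta(minutes=back)
        if ts < cand + window and cron_matches(expr, cand):
            return cand
    return None


def classify(log, rules=RULES, window=WINDOW):
    """Yield (path, timestamp, verdict) for each change line in the log."""
    seen = set()  # (path, scheduled start) already consumed by one change
    for line in log.splitlines():
        stamp, _, path = line.partition(" change: ")
        ts = datetime.fromisoformat(stamp)
        expr = rules.get(path)
        start = scheduled_start(expr, ts, window) if expr else None
        if start is None:
            verdict = "ALERT unscheduled change"
        elif (path, start) in seen:
            verdict = "ALERT second change inside window"
        else:
            seen.add((path, start))
            verdict = "expected"
        yield path, ts, verdict
```

Files without a rule always alert, so the watcher only ever relaxes the files explicitly scheduled.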