On Wed, Jan 18, 2012 at 6:38 AM, <john.r.rothlisberger at accenture.com> wrote:
> No, when I use the FILE spec on a directory/folder it says "File is missing" along with an "Error: Access denied".
I use file on a directory and it works for me. However, I specify the directory using backticks, along with the directory's contents, but I don't know how that would change anything. What I'm doing is checking if someone changed the group ownership for entries (files or subdirectories) in the directory "/var/named/", so that different users in the same group can edit the files. My client-local.cfg has:
[myhost]
file:`/bin/ls -a /var/named/ | sed '/^\.$/d;/^\.\.$/d;/^lost+found$/d;s|^|/var/named/|'`:2048
This gives me lots of entries in my client data, each one showing the perms, ownership, size, and so on. One of them is:
[file:/var/named/master]
type:40000 (directory)
mode:2775 (drwxrwsr-x)
linkcount:3
owner:65535 (d619539)
group:44 (named)
size:4096
clock:1326866742 (2012/01/18-17:05:42)
atime:1326866742 (2012/01/18-17:05:42)
ctime:1326783927 (2012/01/17-18:05:27)
mtime:1326783927 (2012/01/17-18:05:27)
Then in my analysis.cfg I have this:
HOST=%^myhost FILE %/var/named/(\.[^\.]*|[^\.].*) yellow groupid=named
which detects when the group name is incorrect on any dirent not starting with "..", and sets "file" to yellow. I just tested this and it works.
Cheers,
Jeremy
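
The check described in the message above, reproduced offline as an added example (not part of the original post and not Xymon's own code): it parses `[file:...]` sections in the format shown and reports entries under /var/named/ whose group is not "named". The sample data, the file names in it, and the helper names `parse_sections` and `wrong_group` are constructed for illustration; applying the pattern as an unanchored search is an assumption.

```python
import re

# Constructed sample of client data in the [file:...] format shown in the
# message; the entries and their values are made up for this example.
SAMPLE = """\
[file:/var/named/master]
mode:2775 (drwxrwsr-x)
group:44 (named)
[file:/var/named/example.zone]
mode:664 (-rw-rw-r--)
group:0 (root)
[file:/var/named/.rndc.key]
mode:640 (-rw-r-----)
group:44 (named)
[file:/etc/named.conf]
mode:644 (-rw-r--r--)
group:0 (root)
"""

# Path pattern copied from the analysis.cfg rule in the message.
RULE_PATH = re.compile(r"/var/named/(\.[^\.]*|[^\.].*)")
SECTION = re.compile(r"^\[file:(.+)\]$")
GROUP = re.compile(r"^group:(\d+) \((.*)\)$")

def parse_sections(text):
    """Return {path: {"gid": str, "group": str}} for each [file:...] section."""
    entries, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = entries.setdefault(m.group(1), {})
            continue
        g = GROUP.match(line)
        if g and current is not None:
            current["gid"], current["group"] = g.group(1), g.group(2)
    return entries

def wrong_group(text, expected="named"):
    """Paths covered by the rule whose group name differs from `expected`."""
    return sorted(
        path for path, attrs in parse_sections(text).items()
        if RULE_PATH.search(path) and attrs.get("group") != expected
    )

if __name__ == "__main__":
    for path in wrong_group(SAMPLE):
        print("yellow:", path)
```
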