Monitoring Directory Permissions
Hi guys
I have a *directory *on a client system, and it needs to have permission of 777
From time to time, automated software updates sets it to 770. I am looking for a way to check this, and alert when permissions are not as they should be. Any advice appreciated.
Regards Vernon
-- "Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
inotifywait comes to mind but there are other alternatives like scripting something to watch the audit log.
Jim
On Tue, Dec 2, 2014 at 1:28 AM, Vernon Everett <everett.vernon at gmail.com> wrote:
Hi guys
I have a *directory *on a client system, and it needs to have permission of 777 From time to time, automated software updates sets it to 770. I am looking for a way to check this, and alert when permissions are not as they should be. Any advice appreciated.
Regards Vernon
-- "Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
--
Jim Louis \\\\||//// \ ~ ~ / | @ @ |*
*--oOo---(_)---oOo--*
'If a Neanderthal came and sat next to you on a bus, you'd probably get up and change seats. But if a *Homo erectus* came and sat next to you on a bus, you'd probably get off the bus.' ~ unknown
What's the point of monitoring for it? To let you know you need to correct them? If that, why not just put a cron job in place that sets them properly?
--
*Steve Coile*Senior Network and Systems Engineer, McClatchy Interactive <http://www.mcclatchyinteractive.com/> Office: 919-861-1247 | Mobile: 919-622-5369 | Fax: 919-861-1300
On Tue, Dec 2, 2014 at 2:28 AM, Vernon Everett <everett.vernon at gmail.com> wrote:
Hi guys
I have a *directory *on a client system, and it needs to have permission of 777 From time to time, automated software updates sets it to 770. I am looking for a way to check this, and alert when permissions are not as they should be. Any advice appreciated.
Regards Vernon
-- "Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
I thought directories supported the same monitors as files so you could check for mode=777, for example. However, the man page seems to contradict this.
=G=
From: Xymon <xymon-bounces at xymon.com> on behalf of Steve Coile <scoile at mcclatchyinteractive.com> Sent: Tuesday, December 2, 2014 9:26 AM To: Vernon Everett Cc: Xymon mailinglist Subject: Re: [Xymon] Monitoring Directory Permissions
What's the point of monitoring for it? To let you know you need to correct them? If that, why not just put a cron job in place that sets them properly?
-- Steve Coile Senior Network and Systems Engineer, McClatchy Interactive<http://www.mcclatchyinteractive.com/> Office: 919-861-1247 | Mobile: 919-622-5369 | Fax: 919-861-1300
On Tue, Dec 2, 2014 at 2:28 AM, Vernon Everett <everett.vernon at gmail.com<mailto:everett.vernon at gmail.com>> wrote: Hi guys
I have a directory on a client system, and it needs to have permission of 777
From time to time, automated software updates sets it to 770. I am looking for a way to check this, and alert when permissions are not as they should be. Any advice appreciated.
Regards Vernon
-- "Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
Xymon mailing list Xymon at xymon.com<mailto:Xymon at xymon.com> http://lists.xymon.com/mailman/listinfo/xymon
I know, it's a lot simpler to put it right quietly with a cron, or even part of the update process, and I have considered this, but as always, it's political. The client wants it this way.
With their previous installation of Xymon, I had it working, so I know it's possible. However, it was all lost in a catastrophic system failure (with no backups). I rebuilt Xymon on a new server for them, but and I can't a hell remember how I configured the directory monitoring.
Regards Vernon
On 2 December 2014 at 22:26, Steve Coile <scoile at mcclatchyinteractive.com> wrote:
What's the point of monitoring for it? To let you know you need to correct them? If that, why not just put a cron job in place that sets them properly?
--
*Steve Coile*Senior Network and Systems Engineer, McClatchy Interactive <http://www.mcclatchyinteractive.com/> Office: 919-861-1247 | Mobile: 919-622-5369 | Fax: 919-861-1300
On Tue, Dec 2, 2014 at 2:28 AM, Vernon Everett <everett.vernon at gmail.com> wrote:
Hi guys
I have a *directory *on a client system, and it needs to have permission of 777 From time to time, automated software updates sets it to 770. I am looking for a way to check this, and alert when permissions are not as they should be. Any advice appreciated.
Regards Vernon
-- "Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
-- "Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
I just tested this using file instead of dir. It works for UNIX (everything is a file), can't speak for windows. I'm not sure that it is designed or intended to work this way and I doubt you can mix DIR and FILE for the same O/S directory.
analysis.cfg
DIR /foo SIZE<8192 SIZE>4096 COLOR=yellow
FILE /foo MODE=0644 COLOR=RED TRACK FILE /foo OWNERID=johndoe COLOR=yellow
client-local.cfg file:/foo:md5
Good Luck.
From: Xymon [xymon-bounces at xymon.com] on behalf of Vernon Everett [everett.vernon at gmail.com] Sent: Tuesday, December 2, 2014 2:08 PM To: Xymon mailinglist Subject: Re: [Xymon] Monitoring Directory Permissions
I know, it's a lot simpler to put it right quietly with a cron, or even part of the update process, and I have considered this, but as always, it's political. The client wants it this way.
With their previous installation of Xymon, I had it working, so I know it's possible. However, it was all lost in a catastrophic system failure (with no backups). I rebuilt Xymon on a new server for them, but and I can't a hell remember how I configured the directory monitoring.
Regards Vernon
On 2 December 2014 at 22:26, Steve Coile <scoile at mcclatchyinteractive.com<mailto:scoile at mcclatchyinteractive.com>> wrote: What's the point of monitoring for it? To let you know you need to correct them? If that, why not just put a cron job in place that sets them properly?
-- Steve Coile Senior Network and Systems Engineer, McClatchy Interactive<http://www.mcclatchyinteractive.com/> Office: 919-861-1247<tel:919-861-1247> | Mobile: 919-622-5369<tel:919-622-5369> | Fax: 919-861-1300<tel:919-861-1300>
On Tue, Dec 2, 2014 at 2:28 AM, Vernon Everett <everett.vernon at gmail.com<mailto:everett.vernon at gmail.com>> wrote: Hi guys
I have a directory on a client system, and it needs to have permission of 777
From time to time, automated software updates sets it to 770. I am looking for a way to check this, and alert when permissions are not as they should be. Any advice appreciated.
Regards Vernon
-- "Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
Xymon mailing list Xymon at xymon.com<mailto:Xymon at xymon.com> http://lists.xymon.com/mailman/listinfo/xymon
-- "Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
On 12/02/2014 06:25 PM, Tim McCloskey wrote:
I just tested this using file instead of dir. It works for UNIX (everything is a file), can't speak for windows. I'm not sure that it is designed or intended to work this way and I doubt you can mix DIR and FILE for the same O/S directory.
analysis.cfg
DIR /foo SIZE<8192 SIZE>4096 COLOR=yellow
FILE /foo MODE=0644 COLOR=RED TRACK FILE /foo OWNERID=johndoe COLOR=yellow
Hi Tim,
just thought I would respond to your doubts:
"I doubt you can mix DIR and FILE for the same O/S directory."
It turns out, that was actual the test I did.
I was already monitoring a dir for size on a host and just added:
file:/foo (client-local.cfg)
and
FILE /foo MODE=777 yellow (analysis.cfg)
and it worked fine.
Only thing is, on the "files" test page for that host, there are two lines for /foo:
/foo /foo /other/file/name
With no indication as to which one is for which test... but when one goes nongreen, the reason stated below it makes it clear.
Hope that helps!
Bill
-- Bill Arlofski Reverse Polarity, LLC http://www.revpol.com/ -- Not responsible for anything below this line --
Thanks Bill! I was curious about Vernon's original request and had poked at using FILE params for DIR. Quickly discovered that wasn't going to work so just commented out DIR and gave FILE a go, by itself. FILE worked and I didn't look back. Deciphering which of the foo's flips to red should not be troublesome for most. Thanks for the clarification.
Also, I test this on 4.3.17 - on the server, with the server as a client. Aside from the usual /full/path/to/foo perms/ownership, if Vernon has a RedHat variant system selinux might need a tweak.
Regards,
Tim
From: Xymon [xymon-bounces at xymon.com] on behalf of Bill Arlofski [waa-hobbitml at revpol.com] Sent: Tuesday, December 2, 2014 5:08 PM To: xymon at xymon.com Subject: Re: [Xymon] Monitoring Directory Permissions
On 12/02/2014 06:25 PM, Tim McCloskey wrote:
I just tested this using file instead of dir. It works for UNIX (everything is a file), can't speak for windows. I'm not sure that it is designed or intended to work this way and I doubt you can mix DIR and FILE for the same O/S directory.
analysis.cfg
DIR /foo SIZE<8192 SIZE>4096 COLOR=yellow
FILE /foo MODE=0644 COLOR=RED TRACK FILE /foo OWNERID=johndoe COLOR=yellow
Hi Tim,
just thought I would respond to your doubts:
"I doubt you can mix DIR and FILE for the same O/S directory."
It turns out, that was actual the test I did.
I was already monitoring a dir for size on a host and just added:
file:/foo (client-local.cfg)
and
FILE /foo MODE=777 yellow (analysis.cfg)
and it worked fine.
Only thing is, on the "files" test page for that host, there are two lines for /foo:
/foo /foo /other/file/name
With no indication as to which one is for which test... but when one goes nongreen, the reason stated below it makes it clear.
Hope that helps!
Bill
-- Bill Arlofski Reverse Polarity, LLC http://www.revpol.com/ -- Not responsible for anything below this line --
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
On 12/02/2014 02:28 AM, Vernon Everett wrote:
Hi guys
I have a *directory *on a client system, and it needs to have permission of 777 From time to time, automated software updates sets it to 770. I am looking for a way to check this, and alert when permissions are not as they should be. Any advice appreciated.
Regards Vernon
Hi Vernon!
You are going to <facepalm> for sure, but here goes.
This thread intrigued me, so I set up a test.
All you need to do is set up the directory test just like you would a file test. :)
So, client-local.cfg:
[remote.host.name] file:/path/of/DIRECTORY_To_Monitor
then, in analisys.cfg:
HOST=remote.host.name FILE /path/of/DIRECTORY_To_Monitor MODE=777 yellow
Now, if the perms on the _directory_ are incorrect the "files" test page will show:
*File* is mode 770 - should be 777
instead of: Directory is mode....
But that should not be an issue, because it is just the wrong word for a directory, and the actual Xymon test that you would set up for alerting on is the "files" test anyway, right ?
Sorry to be the bringer of obvious tidings. heh :)
Bill
-- Bill Arlofski Reverse Polarity, LLC http://www.revpol.com/ -- Not responsible for anything below this line --
participants (6)
-
everett.vernon@gmail.com
-
Galen.Johnson@sas.com
-
jglouisjr@gmail.com
-
scoile@mcclatchyinteractive.com
-
tm@freedom.com
-
waa-hobbitml@revpol.com