alces-software / nagios-base

Installation, Sync scripts and Plugins

Nagios tripwire check - configuration changes #4

Open sierra-tango-echo opened 6 years ago

sierra-tango-echo commented 6 years ago

Investigate writing a check for nagios that runs a tripwire check daily, and reports if there are any changes.

The policy we'd want to run would be as silent as possible but its aim would be to pick up any changes to the system done by an administrator. For starters things like

I'd suggest the check acknowledges the changes after it's alerted us, so that it only triggers once - the idea being we'd see the alert, check the FC logs to see if the changes were done by one of us and investigate further if they were not.

sierra-tango-echo commented 6 years ago

We'd want to run that same check / policy on all monitored machines

sierra-tango-echo commented 6 years ago

markt [2:19 PM] @steve: re “any changes to the rpm database”… changes would be expected when people use gridware cos installation of RPMs is triggered on module load if they’re not installed yet

i mean, it’s fine to make that a flag, but just saying that it may be a little noisy

sierra-tango-echo commented 6 years ago

We want to know if anyone other than us is altering the configuration without permission / having logged it, so it's a trade-off between knowing that and being too noisy. If it alerts just once then resets for the next day that'd go some way to alleviating this, but also we could possibly do it as a cluster-level check (run over pdsh on the controller) so we don't get loads of alerts if all of the nodes have the same rpm breach.

rossrodwell commented 6 years ago

I shall now begin rolling my checks to a live cluster slowly but surely.

rossrodwell commented 6 years ago

Is it important to notice the RPM DB changes if said change is a result of using gridware? If not, then if there is a way to detect that gridware led to an RPM installation, we could use this condition to filter these out to reduce noise.

mjtko commented 6 years ago

/var/log/gridware/depends.log should change if new RPMs are installed by gridware on a node, does that help?

rossrodwell commented 6 years ago

> /var/log/gridware/depends.log should change if new RPMs are installed by gridware on a node, does that help?

Yes thanks!
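The check the thread converges on (daily tripwire run, alert once per day, and treat RPM-DB changes that coincide with a change to /var/log/gridware/depends.log as gridware noise) can be sketched as a Nagios plugin. The script below is an added example and is not code from alces-software/nagios-base. It assumes that `tripwire --check` prints a summary line of the form "Total violations found:  N" (the open-source tripwire report format), that depends.log grows when gridware installs RPMs so a size change since the previous run is a usable signal, that a state directory (STATE_DIR, hypothetical path) is writable by the user Nagios runs the plugin as, and the sample report at the bottom is constructed for the offline demo.

```shell
#!/bin/sh
# Added example, not code from alces-software/nagios-base: a Nagios-style
# plugin sketch for the daily tripwire check discussed in the thread.
# Assumptions (not confirmed by the thread):
#   - `tripwire --check` prints a summary line "Total violations found:  N".
#   - /var/log/gridware/depends.log grows when gridware installs RPMs, so a
#     size change since the previous run marks gridware-driven RPM-DB noise.
#   - STATE_DIR (hypothetical path) is writable by the Nagios plugin user.
STATE_DIR="${STATE_DIR:-/var/lib/nagios/tripwire-check}"
GRIDWARE_LOG="${GRIDWARE_LOG:-/var/log/gridware/depends.log}"

OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3   # Nagios plugin return codes

# Print the violation count from a tripwire report read on stdin.
# Fails (return 1) when the summary line is missing, so the caller reports
# UNKNOWN instead of silently treating a broken run as clean.
count_violations() {
    n=$(sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# Size of the gridware log, or "absent" if it does not exist on this node.
gridware_stamp() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo absent; fi
}

# True (return 0) if the gridware log changed since the stamp stored in $2.
# A missing stamp (first run) seeds the file and counts as "not changed",
# so the first run never downgrades a real finding.
gridware_log_changed() {
    new=$(gridware_stamp "$1")
    old=$(cat "$2" 2>/dev/null || echo "")
    printf '%s\n' "$new" > "$2"
    [ -n "$old" ] && [ "$new" != "$old" ]
}

# Once-per-day acknowledgement: an alert is recorded with today's date and
# later runs the same day report OK; the next day the check fires again.
alerted_today() { [ "$(cat "$1" 2>/dev/null)" = "$(date +%Y-%m-%d)" ]; }
mark_alerted()  { date +%Y-%m-%d > "$1"; }

# Turn (violations, gridware_changed 0/1, alerted_today 0/1) into a Nagios
# status line on stdout and the matching return code.
classify() {
    violations=$1; gw=$2; acked=$3
    if [ "$violations" -eq 0 ]; then
        echo "OK - tripwire reports no changes"; return $OK
    elif [ "$acked" -eq 1 ]; then
        echo "OK - $violations change(s) already reported today"; return $OK
    elif [ "$gw" -eq 1 ]; then
        echo "WARNING - $violations change(s); gridware installed RPMs since last run, check FC logs"
        return $WARNING
    fi
    echo "CRITICAL - $violations change(s) not explained by gridware, check FC logs"
    return $CRITICAL
}

# Real plugin entry point: runs tripwire, applies the filters, records state.
run_check() {
    mkdir -p "$STATE_DIR"
    report=$(tripwire --check 2>&1) || true   # non-zero exit just means violations
    violations=$(printf '%s\n' "$report" | count_violations) || {
        echo "UNKNOWN - could not parse tripwire report"; return $UNKNOWN; }
    gw=0; gridware_log_changed "$GRIDWARE_LOG" "$STATE_DIR/gridware.stamp" && gw=1
    acked=0; alerted_today "$STATE_DIR/alerted" && acked=1
    rc=0; classify "$violations" "$gw" "$acked" || rc=$?
    [ "$rc" -ne "$OK" ] && mark_alerted "$STATE_DIR/alerted"
    return $rc
}

# Invoke as `check_tripwire.sh --run` from Nagios; without --run, only the
# offline demo below executes.
[ "${1:-}" = "--run" ] && { run_check; exit $?; }

# Offline demo on a constructed report (not real tripwire output).
SAMPLE_REPORT='Tripwire(R) Integrity Check Report (constructed sample)
Total objects scanned:  12345
Total violations found:  3
Rule Name                       Severity Level    Added    Removed  Modified
* Tripwire Data Files           100               0        0        3'
v=$(printf '%s\n' "$SAMPLE_REPORT" | count_violations)
rc=0; classify "$v" 0 0 || rc=$?
echo "demo exit code: $rc"   # 2 (CRITICAL): three changes, no gridware activity
```

Two design choices worth noting. A coinciding depends.log change downgrades the result to WARNING rather than suppressing it, because the log only shows that gridware installed something, not that every violation came from it; the FC logs still have to be checked. The once-per-day reset keeps the tripwire database untouched (no automatic `tripwire --update`), so a change that nobody explains keeps coming back each day until someone deals with it.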