[Integrit-users] Re: Inheriting of options in integrit is causing me a problem
From: Ed L C. <ec...@co...> - 2001-02-26 06:49:59
(Cc'ed to integrit-users mailing list. See URL for subscription info:
http://sourceforge.net/mail/?group_id=15369)

Matt Hoskins <ma...@ni...> writes:

> I've installed integrit on a Debian box, and have got several
> configuration files for covering parts of the directory
> structure. The one I'm having problems with is the one that checks
> /etc. The reason is that I want to ignore changes to mtab (so I can
> remount the floppy read only, and a couple of other root users can
> do NFS mounts if they need to) without me getting warned about it. I
> put in !/etc/mtab, which is all well and good... However
> mounting/unmounting on this machine uses mtab~ and mtab.tmp as a
> lock file and temporary file, which causes the "file info change
> time" and "modification time" of the directory itself to change. So
> I'd like to not do those checks just for the /etc directory. My
> reading of the config file format implies tho' that I can't easily
> do that. If I set the switches on /etc to not do these checks, these
> switches will then be inherited by all the files and subdirectories
> under etc, which is not what I want.

You are quite correct. This was a tradeoff based on my own experience. I like the inherited rules, but the price is that in cases like the one you mention, you have to explicitly list the exceptions, and some benign changes on directory "m" and "c" show up in the report. I was wondering how long it would take for someone to remark upon this inconvenience.

> If I'm correct in what I've said above (and haven't missed something
> obvious), it would be nice if there were a way to additionally
> specify flags which are just for the directory node which aren't
> inherited (in addition to ones which are), so I can get around this
> problem (it would probably be useful in general for directories
> which get temporary files created in as part of processes).
I agree that this feature would merit the increased complexity of an additional token in the config file syntax. A dot at the beginning of a rule could mean, "don't inherit -- rule applies to this file (specifically, directory) only". I'll look into adding that feature for version two, which probably won't be too long in coming ... and won't depend on openssl, one way or another.

> Other than that, it works a treat! Thanks for putting the effort
> into making it :).

It was worth it to get to use it! ;) But I'm glad other people get to use it too, and I'm glad that you like it. Thanks very much for the valuable feedback.

-- 
--Ed Cashin                       integrit file verification system
ec...@co...                    http://integrit.sourceforge.net/
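To make the tradeoff discussed in this message concrete, the following is a small Python model of inherited rule switches, added to this archive page; it is not integrit's source and does not reproduce its real config parser. The model assumes three rule forms: `!/path` ignores a path entirely, `/path MC` turns the listed checks off for the path and everything beneath it (inherited, as described above), and `./path MC` turns them off for the named path only (the non-inherited "dot" rule proposed in the reply, which did not exist in the version being discussed). The check letters s/p/z/m/c and the uppercase-turns-off convention are assumptions for the model. The snapshots are constructed: a mount/unmount rewrote mtab through mtab~ and mtab.tmp, which bumped the mtime and ctime of /etc itself, and separately /etc/passwd was edited.

```python
"""Toy model of inherited rule switches in an integrit-style config (added example)."""
from dataclasses import dataclass

# Modelled check letters: s checksum, p permissions, z size, m mtime, c ctime.
# A subset chosen for the example, not integrit's full switch set.
ALL_CHECKS = frozenset("spzmc")


@dataclass(frozen=True)
class Rule:
    path: str
    off: frozenset        # checks this rule turns off
    local: bool = False   # True: applies to the named path only (the proposed "." rule)
    ignore: bool = False  # True: "!" rule, the path is not checked at all


def parse_rules(text: str) -> list:
    """Parse the modelled rule language: '!/path', '/path MC', './path MC'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        local = line.startswith(".")
        if local:
            line = line[1:]
        if line.startswith("!"):
            rules.append(Rule(line[1:].split()[0], frozenset(), ignore=True))
            continue
        path, *switches = line.split()
        # Assumed convention: an uppercase letter turns that check off.
        off = frozenset(ch.lower() for ch in "".join(switches) if ch.isupper())
        rules.append(Rule(path, off, local=local))
    return rules


def _covers(rule: Rule, path: str) -> bool:
    """A rule covers its own path; a non-local rule also covers everything beneath it."""
    if rule.path == path:
        return True
    return not rule.local and path.startswith(rule.path.rstrip("/") + "/")


def checks_for(path: str, rules: list):
    """Checks still active for path after applying the rules; None if the path is ignored."""
    off = set()
    for r in rules:
        if not _covers(r, path):
            continue
        if r.ignore:
            return None
        off |= r.off
    return frozenset(ALL_CHECKS - off)


def report(known: dict, current: dict, rules: list) -> dict:
    """{path: sorted changed check letters} for changes the rules do not suppress."""
    changes = {}
    for path in sorted(set(known) | set(current)):
        active = checks_for(path, rules)
        if active is None:
            continue
        if path not in known or path not in current:
            changes[path] = ["new" if path in current else "missing"]
            continue
        diff = sorted(c for c in active if known[path].get(c) != current[path].get(c))
        if diff:
            changes[path] = diff
    return changes


# Constructed snapshots (not real data): mtab rewritten via temp/lock files,
# which changed the m and c times of /etc itself; /etc/passwd edited as well.
KNOWN = {
    "/etc":        {"p": 0o755, "m": 1000, "c": 1000},
    "/etc/mtab":   {"s": "a1", "p": 0o644, "z": 120, "m": 1000, "c": 1000},
    "/etc/passwd": {"s": "p1", "p": 0o644, "z": 900, "m": 900,  "c": 900},
}
CURRENT = {
    "/etc":        {"p": 0o755, "m": 1500, "c": 1500},
    "/etc/mtab":   {"s": "a2", "p": 0o644, "z": 140, "m": 1500, "c": 1500},
    "/etc/passwd": {"s": "p2", "p": 0o644, "z": 910, "m": 1400, "c": 1400},
}


def scenario(config: str) -> dict:
    """Run the constructed snapshots through one config and return the report."""
    return report(KNOWN, CURRENT, parse_rules(config))


if __name__ == "__main__":
    # 1. Only the file is excluded: the directory's m/c churn is still reported.
    print(scenario("!/etc/mtab"))
    # 2. Inherited switches silence /etc, but also hide passwd's m/c change.
    print(scenario("!/etc/mtab\n/etc MC"))
    # 3. Non-inherited rule: /etc is quiet and the passwd change is fully reported.
    print(scenario("!/etc/mtab\n./etc MC"))
```

The second scenario is the cost the reply describes: turning m and c off on /etc quiets the directory, but with inheritance the same switches ride down onto /etc/passwd, so a real edit to it loses its timestamp evidence in the report. The third scenario shows what the proposed directory-only rule buys.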