[Integrit-users] Re: integrit
From: Ed L C. <ec...@te...> - 2001-03-14 23:12:59
(Cc'ed to the integrit-users mailing list. To join, see:
http://sourceforge.net/mail/?group_id=15369)

"Cott Lang" <co...@in...> writes:

> First let me say - excellent program. :) I've been wanting an open source
> Tripwire-like program for a while, but don't have much free time to
> implement one. Integrit works great!

Thank you very much for the input. :)

> I have only one suggestion.
>
> I maintain large farms of servers... and to me, unless I'm missing
> something, there's one major shortcoming. That's specifying the database
> names INSIDE the config file. That way, you just use the same config file
> for every machine in a 20 machine farm with separate databases. If there
> was just some way to specify
> known and current databases on the command line instead of the config file,
> this would work perfectly. :)
>
> Please tell me if I'm an idiot and am missing a way of making this work in
> the current rev... :)

No, you are correct, if you mean that because each host must read from
its own database then each host must have a separate configuration
file. This was a conscious trade-off between complex convenience and
simplicity.

The current solution is, as you guessed, to have twenty configuration
files -- looks messy but is trivial to generate with UN*X tools like
sed, awk, perl, sh, etc.

What do the others think? Is it worth making the command-line options
more complex in order to accommodate cases like this where the
configuration would be identical save the database specifications?

My initial reaction is always conservative, since the two main design
goals are simplicity and a small memory footprint, and since UN*X tools
can provide the flexibility that might otherwise be achieved by making
integrit more complex. The assumption is that the simplicity will
naturally lead to convenience, since integrit is a new tool to learn,
but users will already know perl, Bourne shell, or awk.

... that's my first reaction, but just thinking ...

    /mnt/secsrv/integrit -C /mnt/secsrv/general.conf \
        -k /mnt/secsrv/known-`hostname`.cdb \
        -n /root/current.cdb

... since "-c" is already taken, the "-n" (for "new") option would
specify the location of the current-state database. That's eight
command-line options total.

Databases would be required in config files only if not listed on the
command line. Command-line database options would override config file
database specifications.

With that many command-line options, long-style options might be
necessary.

-- 
--Ed Cashin
PGP public key: ec...@te... http://www.terry.uga.edu/~ecashin/pgp/