Re: [Tiger-devel] [RFC] Moving some check_root checks into OS specific checks.
Thu, 26 Jun 2003 09:39:52 +0200
Ryan Bradetich wrote:

> I really like the ideas presented in the check_root script, but I think
> some of the checks need to be broken out into OS specific checks.
> Specifically I am thinking the /etc/securetty type checks. The
> application checks (like ftpusers, xdm, gdm, etc.) are fine. I am also
> planning on adding an sshd check to this script.

That's also a nice check, but maybe should be in a check_ssh module. So
that it will only run if the SSH_CONFIG is available (and define that

> The reason I believe the /etc/securetty type checks need to be system
> specific is because the files have a meaning if they do not exist on the
> Take Linux and HP-UX for example:
> Any thoughts and/or feedback?

Yes, one of the things I wanted to implement in the main engine is to be
able to override common checks with local (OS-specific) checks. That's
in the TODO:

"- Modify Tiger so it can use a system's scripts if it exists and
substitute the one under scripts/ by introducing a run_script function
(check if the script is under scripts and under systems/$OS/... and run

It's understandable that some checks might be fine-tuned for some OS but
not for others so Tiger could first check, if it is configured to run a
check, if the check_XXX is available for a specific OS and, if not, to
run the generic check.

This avoids duplicating too much of the code and provides a fallback
mechanism for those OS you do not know much about. Take the
'check_listeningprocs' for example (that's when I first started thinking
about it). There is a generic check (that uses LSOF), a SunOS 5.8
specific check (which uses PFILES) and a Linux check (which can use
either LSOF or NETSTAT). Currently Tiger will always run the generic
check; there's no way to tell it "if I'm running an OS which has
implemented a more refined check please use it".

In this case, LSOF might not be available in the system you are running
but probably PFILES (in SunOS) or NETSTAT (in Linux and Solaris also,
but it does not give all the information it needs) might be. Currently
the call to any check is just to run it directly; I was thinking of
adding a wrapper function that would do something akin to what the
config (line 150 to 183) script does, look in all the
$OS/$REL/$REV/$ARCH directories and take the most specific file.
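
The lookup proposed in the message above, as an added example that is not part of the original post and is not Tiger's own code. The function signatures, the helper names resolve_check and make_demo_tree, the exact systems/ directory depth, and the mapping of SunOS 5.8 to systems/SunOS/5/8 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Tiger's code. Assumed layout under $base, most specific first:
#   systems/$OS/$REL/$REV/$ARCH/<check> ... systems/$OS/<check>, then scripts/<check>

# resolve_check BASE CHECK OS REL REV ARCH
# Prints the most specific executable check; returns 1 if none, 2 on a bad name.
resolve_check() {
    base=$1 check=$2 os=$3 rel=$4 rev=$5 arch=$6
    # Every path component is refused if it could leave the tree, so the
    # wrapper (usually run as root) never executes a file outside $base.
    for part in "$check" "$os" "$rel" "$rev" "$arch"; do
        case $part in ''|*/*|.|..) return 2 ;; esac
    done
    for dir in "$base/systems/$os/$rel/$rev/$arch" "$base/systems/$os/$rel/$rev" \
               "$base/systems/$os/$rel" "$base/systems/$os" "$base/scripts"; do
        # Only a regular, executable file counts as an available check.
        if [ -f "$dir/$check" ] && [ -x "$dir/$check" ]; then
            printf '%s\n' "$dir/$check"
            return 0
        fi
    done
    return 1
}

# run_script BASE CHECK OS REL REV ARCH: run whichever variant resolve_check picks.
run_script() {
    script=$(resolve_check "$@") || {
        echo "run_script: no usable $2 for $3 $4.$5 $6" >&2
        return 1
    }
    "$script"
}

# Constructed sample tree: a generic check_listeningprocs plus SunOS 5.8 and
# Linux variants. Each stub prints the directory it was installed in.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/scripts" "$t/systems/SunOS/5/8" "$t/systems/Linux"
    for f in scripts systems/SunOS/5/8 systems/Linux; do
        printf '#!/bin/sh\necho "%s"\n' "$f" > "$t/$f/check_listeningprocs"
        chmod +x "$t/$f/check_listeningprocs"
    done
    printf '%s\n' "$t"
}
```

An OS with no directory of its own falls through to scripts/, which is the fallback behaviour the message asks for.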