tiger-devel

Re: [Tiger-devel] [RFC] Moving some check_root checks into OS specific c


From: Javier Fernandez-Sanguino
Subject: Re: [Tiger-devel] [RFC] Moving some check_root checks into OS specific checks.
Date: Thu, 26 Jun 2003 09:39:52 +0200
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

Ryan Bradetich wrote:
> Hello all,
>
> I really like the ideas presented in the check_root script, but I think
> some of the checks need to be broken out into OS specific checks.

Good.

> Specifically I am thinking the /etc/securetty type checks.  The
> application checks (like ftpusers, xdm, gdm, etc.) are fine.  I am also
> planning on adding a sshd check to this script.

That's also a nice check, but maybe it should be in a check_ssh module, so that it will only run if the SSH_CONFIG is available (and define that per OS).

> The reason I believe the /etc/securetty type checks need to be system
> specific is because the files have a meaning if they do not exist on the
> system.
>
> Take Linux and HP-UX for example:
>
> (...)
>
> Any thoughts and/or feedback?


Yes, one of the things I wanted to implement in the main engine is to be able to override common checks with local (OS-specific) checks. That's in the TODO:

"- Modify Tiger so it can use a system's scripts if it exists and substitute the one under scripts/ by introducing a run_script function (check if the script is under scripts and under systems/$OS/... and run it)"

It's understandable that some checks might be fine-tuned for some OS but not for others, so Tiger could first check, if it is configured to run a check, whether the check_XXX is available for a specific OS and, if not, run the generic check.

This avoids duplicating too much of the code and provides a fallback mechanism for those OSes you do not know much about. Take 'check_listeningprocs' for example (that's when I first started thinking about it). There is a generic check (that uses LSOF), a SunOS 5.8 specific check (which uses PFILES) and a Linux check (which can use either LSOF or NETSTAT). Currently Tiger will always run the generic check; there's no way to tell it "if I'm running an OS which has implemented a more refined check please use it".

In this case, LSOF might not be available on the system you are running but probably PFILES (in SunOS) or NETSTAT (in Linux and Solaris also, but it does not give all the information it needs) might be. Currently the call to any check is just to run it directly. I was thinking of adding a wrapper function that would do something akin to what the config script (lines 150 to 183) does: look in all the $OS/$REL/$REV/$ARCH directories and take the most specific file.

Best regards

Javi
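
The lookup proposed in the message above, as an added example (not Tiger's code and not the author's). The `systems/$OS/$REL/$REV/$ARCH` layout under a base directory and the helper names `usable` and `find_check` are assumptions; `run_script` takes its name from the TODO entry. Because Tiger normally runs as root, the example also skips world-writable candidates, a precaution the message does not mention.

```shell
#!/bin/sh
# Added example: resolve a check to its most specific implementation.
# Assumed layout (hypothetical, modelled on the message):
#   $BASE/systems/$OS/$REL/$REV/$ARCH/<check>   most specific
#   $BASE/systems/$OS/<check>
#   $BASE/scripts/<check>                       generic fallback

# usable FILE: regular, executable, and not world-writable.
usable() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# find_check BASE CHECK OS REL REV ARCH
# Prints the chosen path; returns 1 if no usable implementation exists.
find_check() {
    base=$1 check=$2 os=$3 rel=$4 rev=$5 arch=$6
    case $check in
        */*|""|.*) return 1 ;;   # check names are plain file names, never paths
    esac
    for dir in \
        "systems/$os/$rel/$rev/$arch" \
        "systems/$os/$rel/$rev" \
        "systems/$os/$rel" \
        "systems/$os" \
        "scripts"
    do
        if usable "$base/$dir/$check"; then
            printf '%s\n' "$base/$dir/$check"
            return 0
        fi
    done
    return 1
}

# run_script BASE CHECK OS REL REV ARCH [ARGS...]: run the resolved check.
run_script() {
    target=$(find_check "$1" "$2" "$3" "$4" "$5" "$6") || {
        echo "run_script: no usable implementation of $2" >&2
        return 127
    }
    shift 6
    "$target" "$@"
}
```

With this lookup, a host whose OS has no entry under `systems/` still gets the generic check from `scripts/`, which is the fallback behaviour the message asks for.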




