- From: Noah Kantrowitz
- To:
- Subject: [chef] Re: Auditing file checksums
- Date: Thu, 25 Sep 2014 12:31:46 -0700
On Sep 25, 2014, at 11:45 AM, Daniel Gutierrez wrote:

> Hello Chefs,
>
> We are trying to migrate all of our Puppet security audit functionality to Chef,
> however, we don't see an easy way to monitor file checksums
> for security audits. For example in Puppet this is easy with a line like:
>
> file {"/etc/at.deny": mode=>"600", owner=>"root", group=>"root", checksum=>"md5", audit=>all; }
>
> Puppet will log the checksum of a file, and compare it on each subsequent run.
> The Chef file resource has no checksum, or audit option similar to the Puppet file resource.
> I found some references to the "remote_file" resource but this seems geared toward
> downloading files remotely, not auditing files in place.
>
> Has anyone done something like this with Chef before?
> Any pointers would be greatly appreciated.
What is the advantage of this over just having Chef manage the file contents?
If you are looking for a file integrity manager, you can use Chef to deploy
something like Tripwire, OSSEC, or Samhain.
--Noah
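The baseline-and-compare check Daniel describes, written out as an added example in plain Ruby (it is not Chef's `file` resource, not Puppet's `audit` metaparameter, and not code from either poster). It records a SHA-256 digest plus mode, uid and gid for each watched path, then reports every attribute that differs on a later run; the temp-directory `at.deny` file and `baseline.json` store are constructed stand-ins for `/etc/at.deny` and a real baseline location. SHA-256 replaces the `md5` from the Puppet line because MD5 is not collision resistant.

```ruby
require 'digest'
require 'json'
require 'tmpdir'

# Added example: baseline-and-compare file integrity check in plain Ruby.
# Not Chef's file resource and not code from the thread. Records a SHA-256
# digest, mode, uid and gid per path; later runs report what drifted.

# Snapshot one file: digest plus the ownership/permission attributes the
# Puppet example also manages. Returns nil when the file does not exist.
def file_record(path)
  return nil unless File.file?(path)
  st = File.stat(path)
  {
    'sha256' => Digest::SHA256.file(path).hexdigest,
    'mode'   => format('%04o', st.mode & 0o7777), # strip file-type bits
    'uid'    => st.uid,
    'gid'    => st.gid
  }
end

# Build the baseline that later runs are compared against.
def build_baseline(paths)
  paths.each_with_object({}) { |p, acc| acc[p] = file_record(p) }
end

# Persist / reload the baseline as JSON. In a real deployment keep this
# file root-owned and outside the directories being audited.
def save_baseline(baseline, store)
  File.write(store, JSON.pretty_generate(baseline))
end

def load_baseline(store)
  JSON.parse(File.read(store))
end

# Compare current state with the baseline. Returns an array of findings,
# each [path, attribute, expected, actual]; an empty array means no drift.
def audit(baseline)
  findings = []
  baseline.each do |path, expected|
    actual = file_record(path)
    if actual.nil?
      # File has gone missing since the baseline was taken.
      findings << [path, 'present', true, false] unless expected.nil?
      next
    end
    if expected.nil?
      # File did not exist at baseline time but exists now.
      findings << [path, 'present', false, true]
      next
    end
    expected.each do |key, val|
      findings << [path, key, val, actual[key]] if actual[key] != val
    end
  end
  findings
end

# End-to-end demonstration on a constructed file in a temp directory:
# baseline, tamper with contents and mode, audit, return the findings.
def run_demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, 'at.deny')      # constructed stand-in for /etc/at.deny
    store  = File.join(dir, 'baseline.json') # constructed baseline store
    File.write(target, "root\n")
    File.chmod(0o600, target)

    save_baseline(build_baseline([target]), store)
    baseline = load_baseline(store)
    clean = audit(baseline)                  # no drift right after baselining

    File.write(target, "root\nnobody\n")     # content change
    File.chmod(0o644, target)                # permission change
    drift = audit(baseline).map { |_, attr, exp, act| [attr, exp, act] }
    { clean: clean, drift: drift }
  end
end

if __FILE__ == $PROGRAM_NAME
  run_demo[:drift].each do |attr, exp, act|
    warn "drift: #{attr} expected #{exp.inspect} got #{act.inspect}"
  end
end
```

In a Chef run the `audit` call would sit inside a `ruby_block` resource so that drift is logged on every converge, which mirrors the Puppet behaviour Daniel describes. Note the check only reports drift; it does not restore the file, which is the distinction Noah draws between auditing a file and letting Chef manage its contents.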
Attachment: signature.asc (Message signed with OpenPGP using GPGMail)