Viraj's Weblog

I recently got a message from a client that said whenever he added groups to a server, they would disappear.

Now this is what I call a system reacting to change. It gives me no surprises. If someone tries to change something I specifically don't want them to change, those changes are eventually discarded. In this case it was /etc/group being checksummed to a copy on the cfengine distribution server, and when the change was found, it simply put back in the original version. Same goes for passwd, shadow, and other important files. This even provides some security to the box, and makes the system look like it's a live organism .

There are many cases where someone goes into the system and breaks something. A tool like cfengine can be used to provide some armor on the system, with some ability for self-correction. Of course someone can just go to the cfengine server and screw up the distribution files there, but that requires some more conscious effort.

It's impossible to code for every possible damage that can be done to a system, but you can think about the major problems and counter those, which is better than nothing. Here is another of my questions on the mailing list. I started a small war, but It's pretty cool to get responses from computer science professors .