Author: Bryant

cfengine is cool. I dug it. The tutorial was introductory and I was pretty sold on the concepts. If you already know about cfengine there is nothing useful for you in this post.

Cheap summary: a host is classified into a number of groups. Lots of classifications are automatic; there’s a linux group (any machine running linux), there’s a 129_120_10 group (any host on the 129.120.10 subnet), there’s a Hr02 group (any host running cfengine between the hours of 2 AM and 3 AM), etc. Why would you want that last? Maybe you only want to do some checks during that hour. Yes, this is yet another way to schedule periodic jobs in a manner that future sysadmins will be unable to find… but I digress.

You then can specify actions that should take place if a host is in a specific group. Some of the action classes are very generic — running shell commands, deleting files, checking permissions and owners of files, copying files from a central server, etc. Some are pretty specific — there’s a class that allows you to tweak the nameservers in /etc/resolv.conf. This will not work out so well if your nameserver resolver file lives somewhere else, of course. There’s a class that’s tuned for defining the NFS server from which a host mounts its mailspool. Cool but not necessarily of general use. However, there’s a class for editing files which is pretty featureful, so you can roll your own stuff as needed.

It kinda runs under Windows if you have cygwin installed. Hm.

It reminds me of the system we used at AltaVista, but it is substantially more featureful.

Our VoIP/Asterisk tutorial is going much more quickly than the presenter expected. This is not unusual for first-time presenters. Asterisk is pretty interesting, but shows signs of being an open source project. Hm — OK, some sample configuration file stuff:

exten => s,73,Playback(thank-you-for-calling)
exten => s,74,GotoIfTime(6:01-18:00|mon-sun|*|*?s,76)
exten => s,75,Goto(s,78)
exten => s,76,Playback(have-a-great-day-goodbye)

In theory, the template is something like exten => <exten>,<priority>,<application>(<args>), but it’s been brutally extended into something that looks alarmingly like BASIC. See the line numbers masquerading as priorities? It looks like it was originally just a simple method of specifying extensions, but grew like kudzu. Soon there’ll be m4 macros for building these scripts which masquerade as configuration files.

My Monday LISA tutorial was on system log aggregation, analysis, and statistics. mjr taught it, and he’s as good a public speaker as ever. Also the topic was pretty damned fascinating. I’ll be dumping a pile of links into del.icio.us sometime soonish now.

Highlights, some of which are significant and some of which are just cool:

You can set up an invisible loghost. What you do is you specify a non-existent host as the loghost on all your DMZ servers. You’re gonna need to manually stuff an entry into the arp table so that your DMZ servers will blithely send syslog packets off into thin air. Then you hook the real loghost up to the DMZ with no IP address in promiscuous mode. Run tcpdump on it to capture all the packets, and write some cheap perl to strip syslog payloads out of the captured packets.

Or use mjr’s plog instead of tcpdump, since it’ll automate all that complex stuff for you. Neat.

Artifical ignorance. Cute term. It’s basically the same rule of thumb as “block everything, then permit what you want” but reversed. “It’s interesting unless I’ve explicitly said it’s boring.” At a very basic level, it looks like this: grep -v -f patternfile. As you figure out what you don’t care about, stick a regexp to match into patternfile and you won’t see it again. The process speeds up over time, obviously. This calls out for a slick web front end.

First seen anomaly detection. It’s sort of like artificial ignorance, but different. You alert every time something completely new appears in the logs. There is a tool for this, also written by mjr, called NBS (Never Before Seen). It uses Berkeley DB and is very fast. You feed it input for a specified dataset and it tells you if it’s seen that particular chunk of input before. It can report on its database in a bunch of useful ways.

Example: record DHCP servers giving out IP addresses. (Sample string after a bit of log parsing: “10.0.0.10 gives IP 10.0.1.1 to MAC 0:2:2d:10:10:10”.) If a new MAC address shows up, it’ll be flagged by NBS as a new chunk of input, because that string is guaranteed to differ in that case. If an old MAC address gets a different IP address, that’ll show up too, but only the first time it gets that particular IP. As a bonus, you’ll find out if any new DHCP servers show up. Pure gold.

Another example, which happens to be the first use I thought of: turn it loose on my HTTPD log files. Filter said log files for referrer and URL pairs; report the first time a new referrer/URL pair is seen. I have something like this in place now but it’s written in perl and it’s fairly fragile; this will be better.

Or just dump URLs into the database. “Hm, someone just tried to load /cgi/foobar.exe for the first time; looks like a new exploit.”

So yeah, a very cool tutorial. I’m all jazzed about the possibilities. Check out his web site on the topic.

There is some desire for a Jon Udell-esque library bookmarklet for Harvard’s Hollis Catalog. A little bit of research, and there you go. It’s not perfect, since Hollis doesn’t seem to use ISBNs as the primary index, but the first book listed on the results page will be the book you’re looking for if it’s in the catalog.