[Pkg-aide-maintainers] Bug#387463: making aide vserver aware (audit guests from the root server)

Christian Thaeter chth at gmx.net
Fri Sep 22 22:17:54 UTC 2006


Marc Haber wrote:

> Neat idea. However, I am not convinced that this belongs in the
> distribution package as it would be necessary to touch _all_ rules
> files. The use case is rather special, and greatly increases rule
> complexity. They are already too hard to understand, IMO.
> 
> I am open to arguments though.

I thought about that too ... but since it is evaluated by the
preprocessor, if no vservers exist the @@{VSERVERS} macro becomes an
empty '()' regex, which at least doesn't have any more algorithmic overhead.

Well, the cost is that we have this /@@{VSERVERS} line noise (maybe
rename it to @@{ROOTS} or whatever, but that's a matter of taste).
Personally I think that's acceptable even for non-vserver users since it
is a single uniform scheme, while it adds great benefit to vserver users,
who don't need to configure anything.

An alternative I can think of is that you provide different sets of
configs and the user can choose one at installation time, maybe by
maintaining a generalized set of configs which is run through some
other preprocessor (m4?) to generate the actual configs, but that's only for
the package maintainer; users should get the proper config installed
without having to deal with regeneration (unless they want to alter them).

YMMV about these ideas; I solved this thing for myself and only want to share
my idea with anyone else for a benefit. Just adding a README.vservers
(or better README.chroots) would be fine; actually you can just use my
feature request mail for that instead of writing one. The thing is still a
bit sketchy, but if it is something an admin has to deploy by himself then
he will likely modify it to his exact needs. Though I have thought about
maybe working this idea out in a way that it works generally for all kinds of
chrooted filesystems. Just in case I convinced you about including it, I
am willing to support this with some work (modify scripts, send patches).


	Christian


PS: for non-important info and discussion, you can rather query me on
IRC (cehteh)



