track changes to files like /etc/passwd, /etc/group? #4507
-
|
This morning all of a sudden I wasn't able to start libvirt vms and wonder if my user was removed from the libvirt group in /etc/group. Is there a way with report_changes to track these changes, via full content and/or diffs in Mission Portal? If the file is more than 4k will it be fully visible in Mission Portal? Is there some documentation about the File Integrity Monitoring? Would that be the way to do this? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
I did end up with changes in the report after my host started reporting properly I think. So I learned that these files are tracked by default and just changing them should cause entries in the FIM report. https://github.com/cfengine/masterfiles/blob/master/cfe_internal/enterprise/file_change.cf So now I have to figure out how to add myself to the proper libvirt groups. Currently I can't seem to make changes stick. It seems like maybe there is policy to remove my user account from ALL groups or something odd like that. But that's another discussion. 👍 |
Beta Was this translation helpful? Give feedback.
I did end up with changes in the report after my host started reporting properly I think.
So I learned that these files are tracked by default and just changing them should cause entries in the FIM report.
https://github.com/cfengine/masterfiles/blob/master/cfe_internal/enterprise/file_change.cf
So now I have to figure out how to add myself to the proper libvirt groups. Currently I can't seem to make changes stick. It seems like maybe there is policy to remove my user account from ALL groups or something odd like that. But that's another discussion.
👍