Problems with filters
From: Harry Hoffman
Subject: Problems with filters
Date: Mon, 18 Apr 2005 13:29:33 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Fedora/1.7.6-1.3.2
Hi All,
I'm attempting to apply filters for file checks in /tmp and /var/tmp but
things aren't working as I had expected. Any ideas?
Below is some (hopefully) relevant info.
Thanks,
Harry
filters:
{ tmpexe
Type: "reg"
ExecRegex: "/usr/bin/file (.*executable.*)"
Result: "ExecRegex"
DefineClasses: "tmpalert"
}
files:
/tmp filter=tmpexe action=alert r=inf
/var/tmp filter=tmpexe action=alert r=inf
Running "/usr/bin/file" on "/tmp/test.sh" results in:
/tmp/test.sh: Bourne-Again shell script text executable
Running cfengine in debug mode seems to show that the file should be
ignored (which it shouldn't)?
IgnoreFile(/tmp,test.sh)
CheckExistingFile(/tmp/test.sh)
cf:mason: Checking fs-object /tmp/test.sh
CheckExistingFile(+0,-0)
IgnoredOrExcluded(/tmp/test.sh)
FileObjectFilter(/tmp/test.sh)
Applying filter tmpexe
Prepending [reg]
Prepending [file]
Prepending [Type]
AddMacroValue(main.this=/tmp/test.sh)
ExpandVarstring(/tmp/test.sh)
Added Macro at hash address 18 to object main with value this=/tmp/test.sh
ExpandVarstring(/usr/bin/file (.*executable.*))
cfpopen(/usr/bin/file )
cfpclose(pp)
cfpopen - Waiting for process 23151
Filter result on /tmp/test.sh was 0
Skipping filtered file /tmp/test.sh
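
A small parser for the debug trace above, added here as an example (it is not part of the original post and not cfengine code). It pairs each cfpopen call with the following "Filter result" line and records whether the command string that was run names the file being checked; the function and field names are assumptions made for this example.

```python
import re

# Trace lines copied from the debug output in the post above.
TRACE = """\
FileObjectFilter(/tmp/test.sh)
Applying filter tmpexe
AddMacroValue(main.this=/tmp/test.sh)
ExpandVarstring(/usr/bin/file (.*executable.*))
cfpopen(/usr/bin/file )
cfpclose(pp)
cfpopen - Waiting for process 23151
Filter result on /tmp/test.sh was 0
Skipping filtered file /tmp/test.sh
"""


def parse_filter_trace(text):
    """Return one record per 'Filter result' line in a cfengine debug trace."""
    records, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"Applying filter (\S+)", line):
            cur = {"filter": m.group(1)}
        elif m := re.fullmatch(r"AddMacroValue\(main\.this=(.*)\)", line):
            cur["this"] = m.group(1)
        elif m := re.fullmatch(r"cfpopen\((.*)\)", line):
            # The exact command string handed to the shell, trailing space included.
            cur["command"] = m.group(1)
        elif m := re.fullmatch(r"Filter result on (\S+) was (\d+)", line):
            cur["path"], cur["result"] = m.group(1), int(m.group(2))
            cmd = cur.get("command")
            # False when the executed command never mentions the checked file.
            cur["command_names_file"] = cmd is not None and cur["path"] in cmd
            records.append(cur)
            cur = {}
    return records


if __name__ == "__main__":
    for rec in parse_filter_trace(TRACE):
        print(rec)
```

For the trace in the post, the single record shows the command "/usr/bin/file " with no path argument and a filter result of 0.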