Subject: Re: "daily insecurity output" annoyance
To: Perry E. Metzger <perry@wasabisystems.com>
From: Jon Lindgren <jlindgren@slk.com>
List: tech-userlevel
Date: 01/25/2001 10:41:22

On 25 Jan 2001, Perry E. Metzger wrote:

[snip]

> > Agreed, but we'd also need the capability to see if they've changed.
> 
> That's already in the scripts. Have a look. This is orthogonal.

I'm a dope.  I even said "passwd file" later on in the paragraph.  I
need more coffee, or something (scotch?  no, too early...)

> > I'd agree with the idea that in general, a box as configured within
> > reason should not produce warnings or anomalous results in the daily
> > outputs, especially when it's a stock configuration right out of base.tgz
> > and etc.tgz
> 
> Yup. You want to be able to have /etc/security come out clean on a
> reasonably configured box.

Definitely.

On a perhaps-related note, it may be nice to have the security prepend
items such as "WARNING" or "CHANGE" or such - this way a central
logging/admin box could easily pipe mail into a simple script for
processing, and an admin of lots of boxes doesn't necessarily have to
view tons of email every night - it can be boiled down to changes or
warnings.

Not that a script couldn't be written to parse the existing output, it 
just wouldn't be as easy.

Just an idea.

-
Jon
 --------------------------------------------------------------------
 - The opinions expressed are not necessarily those of my employer.
 - USATODAY.com latest Health news for 12/4/2000 at 2:10 p.m.:
    Tobacco firm backs lung cancer test: Spaz the cat will never again
    want for medication to relieve his constipation.
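
The idea in the message above, sketched as an added example (not part of the original post or of the existing security scripts): a filter that a central admin box could pipe each report mail into, keeping only tagged lines. The `WARNING:`/`CHANGE:` line-start tags, taking the first word of the Subject as the host label, and the sample mail are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed tag format: "WARNING: " or "CHANGE: " at the start
# of a report line; the message only proposes the keywords themselves.

# summarize_security_mail
# Reads one mail message on stdin. Headers are skipped (so a header that
# happens to contain a tag is never counted), the first word of the Subject
# is used as the host label, and only tagged body lines are printed,
# followed by a count line. A clean report prints nothing at all.
summarize_security_mail() {
    awk '
        !body && /^Subject: / { host = $2 }
        !body && /^$/ {                 # blank line ends the headers
            body = 1
            if (host == "") host = "unknown"
            next
        }
        !body       { next }
        /^WARNING:/ { warn++; print host ": " $0; next }
        /^CHANGE:/  { chg++;  print host ": " $0; next }
        END {
            if (warn + chg > 0)
                printf "%s: %d warning(s), %d change(s)\n", host, warn, chg
        }
    '
}

# Constructed sample mail (not real /etc/security output).
sample_mail() {
    cat <<'EOF'
From: root@host1.example.org
Subject: host1.example.org daily insecurity output

Checking the /etc/master.passwd file:
WARNING: login testuser has no password
Checking setuid files:
CHANGE: /usr/local/bin/example setuid bit added
CHANGE: /etc/example.conf modified
EOF
}

sample_mail | summarize_security_mail
```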