Consistency Checks, Nightly Scripts, etc.
Andy Glew
aglew at crhc.uiuc.edu
Wed Sep 12 01:39:16 AEST 1990
In my experience administering systems I found that a regular set of
consistency checks run by cron was most useful.
Now that I'm hopefully out of the sysadmin role, I still find that
regular consistency checks, etc., run by /usr/cron or omicron, are
useful. Moreover, I often find myself recommending to present-day
sysadmins of little experience that they write a whole slew of
consistency checks.
My question is: what is a fairly complete list of consistency checks,
file scans, etc., that can be regularly run? Here's a short list
off the top of my head; I invite additions.
Ownership
Personal: it is quite easy, when working with others, if you
occasionally use root, or if you use tar on System V (:-(), to
create files and directories in your personal directory tree that
are owned by others. It can be extremely annoying to discover
these several months later, particularly if you no longer have
root for some reason (like the disk has changed machine).
Therefore a regularly run consistency check, scanning for unowned
files, avoids problems down the line.
Setuid
Sysadmins, of course, should regularly scan for setuid files,
looking for the most common form of security hole. Trivial, yes,
and easily thwarted, but it'll catch many of the budding student
hackers.
Changes to system files
Permissions
Checksums
One of the first things I do when installing a system from scratch
is to save the ownerships, permissions, sizes, and checksums of
standard system files. Then I effectively diff the current status
of such files against the original list.
After a few days one quickly discovers what files change, and
what are static - in fact, this is one of the best ways I know of
determining the exhaustive list of always growing log files that
need to be periodically cleaned out. Thereafter the frequency of
checks can be reduced.
Of course, this has some security benefits - although a good
hacker can certainly hide herself from this scan. But the best
benefit I've found is that it detects disk errors in infrequently
used system utilities (like prep, say) before you really need
them.
SCCS/RCS
When involved in code development, I have found that listing the
files checked out for editing on a daily basis is helpful.
Moreover, because oftentimes files like /etc/rc are edited without
version control, rcs diffing locates these unsanitary situations
so that you can properly control them. I have often considered
automatically checking in files that have been different,
unchecked in, for a long time, but have never gotten around to it.
Times
There are a variety of time daemons that are supposed to
synchronize clocks; however, a simple "rsh foobar date" to all
systems can often detect time synch problems before all of your
makes break.
Recompiling
Most systems eventually come to have little bits of local utility
source code. Maybe even custom kernels and drivers.
Source code can, of course, break while the system is updated
round it. Simply recompiling all source that's online on a
regular rotating basis can help catch problems early, while the
memory of what has changed is still fresh.
File Usage, Quotas, etc.
Anyone running quotas does this already, of course.
As a sysadmin, I found it useful to total up user disk space even
when I wasn't running quotas - because it helped me estimate when
we were going to have a disk crunch (more than a simple df) and
take preventative measures.
Personal: I still total up my personal disk usage, trying to avoid
the ire of the sysadmin.
Long Filenames
Personal: I used to move regularly between System V, with 14
character filenames, and BSD. A regular scan for long filenames
helped avoid problems. (I limited filenames to 12 characters
because of SCCS/RCS)
Even now that I'm back in BSD, I find it useful to scan for
pathnames longer than 100 characters in length, because of the
stupid length limitations in awk.
Reaper
The best known example of a regularly run program is probably the
file reaper, that deletes old and unnecessary files. This isn't
really a consistency check, but I'll talk about it for now.
It might be worthwhile assembling a fairly complete list of things
to be reaped (actual policies will vary, of course), but that's
probably a whole other newstring.
--
Andy Glew, a-glew at uiuc.edu [get ph nameserver from uxc.cso.uiuc.edu:net/qi]
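
An added example, not part of the original post: a sketch of the baseline-and-diff check described under "Changes to system files", which also flags setuid/setgid modes as in the "Setuid" item. The function names snapshot and compare_snapshots are hypothetical; it assumes a stat that accepts -c (GNU or busybox), sha256sum, and path names without tabs or newlines.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes stat -c (GNU/busybox),
# sha256sum, and path names that contain no tabs or newlines.

# snapshot DIR: one line per regular file, sorted by path:
#   path <TAB> octal-mode <TAB> uid:gid <TAB> size <TAB> sha256
snapshot() {
    tab=$(printf '\t')
    find "$1" -xdev -type f 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        # Skip files that vanished between find and stat.
        meta=$(stat -c "%a${tab}%u:%g${tab}%s" "$f" 2>/dev/null) || continue
        sum=$(sha256sum < "$f" | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$f" "$meta" "$sum"
    done
}

# compare_snapshots BASELINE CURRENT: report ADDED, CHANGED and REMOVED files,
# saying which attribute changed and marking any setuid/setgid mode.
compare_snapshots() {
    awk -F'\t' '
        function setid(mode) {
            return (mode ~ /^[2-7][0-7][0-7][0-7]$/) ? " [setuid/setgid]" : ""
        }
        function delta(a, b,    x, y, out) {
            split(a, x, "\t"); split(b, y, "\t")
            if (x[2] != y[2]) out = out " mode:" x[2] "->" y[2]
            if (x[3] != y[3]) out = out " owner:" x[3] "->" y[3]
            if (x[4] != y[4]) out = out " size:" x[4] "->" y[4]
            if ((x[5] "") != (y[5] "")) out = out " content"  # force string compare
            return out
        }
        BEGIN {   # load the baseline by hand so an empty baseline still works
            while ((getline line < ARGV[1]) > 0) { split(line, f, "\t"); base[f[1]] = line }
            ARGV[1] = ""
        }
        { seen[$1] = 1 }
        !($1 in base)  { print "ADDED\t" $1 setid($2); next }
        base[$1] != $0 { print "CHANGED\t" $1 delta(base[$1], $0) setid($2) }
        END { for (p in base) if (!(p in seen)) print "REMOVED\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# From cron (both paths are placeholders):
#   snapshot /etc > /var/tmp/etc.now &&
#       compare_snapshots /var/adm/etc.baseline /var/tmp/etc.now
```

Keeping the baseline file on read-only or off-host storage prevents anyone who can modify the scanned files from also rewriting the record they are compared against.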