Cfengine configuration directory

Starting out with anomaly detection

Relevant classes: any

Monitoring and anomaly detection is a complicated topic. Here is a simple and innocent way to get started. It will ensure that you get a simple mail message when anomalies in a few key variables are detected. Cfengine anomaly detection is in early experimental stages, but it can already detect unusual behaviour, such as web server scans and unusual E-mail activity.
  • Make sure the cfenvd daemon is running on every host
  • Note that it needs to run for about four weeks before sensible results will be seen
  • Make sure each host imports the following configuration file:
#################################################################
#
# cf.environ
#
# Just a test for responses to measured anomalies
#
#################################################################

classes:

 # Hosts on which the anomaly rules below are allowed to fire.
 # Each entry is a host name; anomaly_hosts becomes true on those
 # machines only, and every shellcommands selector is ANDed with it.
 anomaly_hosts = ( nexus cube dax )

#################################################################

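shellcommands:

 # Each selector below is the anomaly_hosts class (classes section) ANDed
 # with a class raised by cfenvd for one measured variable:
 #   <name>_high_dev2     - the "2 dev" condition named in the messages
 #   <name>_high_anomaly  - the stronger "3 dev" condition
 # (the class names suggest two / three standard deviations above the
 # running average - confirm against the cfenvd documentation).
 # value_<name>, average_<name> and stddev_<name> carry the current,
 # mean and spread figures for that variable and host is the reporting
 # host.  The echoed line is the text that reaches the mail report
 # described in the surrounding documentation.  No rule below does
 # anything but report; nothing is changed on the host.

 # NFS SERVER
 # Gated by anomaly_hosts like every other rule.  The original selector
 # lacked the prefix, so this alert fired on hosts outside the list,
 # contradicting the "only on these hosts" intent of the classes section.

 anomaly_hosts.nfsd_in_high_dev2::

   "/bin/echo High NFS server access rate 2 dev at $(host) value $(value_nfsd_in) average $(average_nfsd_in) pm $(stddev_nfsd_in)"

 # ROOT PROCS

 anomaly_hosts.RootProcs_high_dev2::

   "/bin/echo RootProc anomaly high 2 dev on $(host) value $(value_rootprocs) average $(average_rootprocs) pm $(stddev_rootprocs)"

 # USER PROCS
 # The 3-dev message deliberately carries no figures; only the host is
 # reported.

 anomaly_hosts.UserProcs_high_dev2::

   "/bin/echo UserProc anomaly high 2 dev on $(host) value $(value_userprocs) average $(average_userprocs) pm $(stddev_userprocs)"

 anomaly_hosts.UserProcs_high_anomaly::

   "/bin/echo UserProc anomaly high 3 dev!! on $(host)"

 # WWW IN
 # Incoming web traffic; the documentation lists web server scans among
 # the events this is expected to surface.

 anomaly_hosts.www_in_high_dev2::

   "/bin/echo Incoming www anomaly high 2 dev on $(host) - value $(value_www_in) average $(average_www_in) pm $(stddev_www_in)"

 anomaly_hosts.www_in_high_anomaly::

   "/bin/echo Incoming www anomaly high anomaly dev!! on $(host) - value $(value_www_in) average $(average_www_in) pm $(stddev_www_in)"

 # SMTP IN

 anomaly_hosts.smtp_in_high_dev2::

   "/bin/echo Incoming smtp anomaly high 2 dev on $(host)  value $(value_smtp_in) average  $(average_smtp_in) pm $(stddev_smtp_in)"

 anomaly_hosts.smtp_in_high_anomaly::

   "/bin/echo Incoming smtp anomaly high anomaly !! on $(host)  value $(value_smtp_in) average  $(average_smtp_in) pm $(stddev_smtp_in)"

 # SMTP OUT

 anomaly_hosts.smtp_out_high_dev2::

   "/bin/echo Outgoing smtp anomaly high 2 dev on $(host) value $(value_smtp_out) average  $(average_smtp_out) pm $(stddev_smtp_out)"

 anomaly_hosts.smtp_out_high_anomaly::

   "/bin/echo Outgoing smtp anomaly high anomaly dev!! on $(host) value $(value_smtp_out) average $(average_smtp_out) pm $(stddev_smtp_out)"

 # SAMBA (netbios-ssn)

 anomaly_hosts.netbiosssn_in_high_dev2::

   "/bin/echo SAMBA access high 2 on $(host) value $(value_netbiosssn_in) average $(average_netbiosssn_in) pm $(stddev_netbiosssn_in)"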


