Tuning Tracer

Once Tracer is running, you will probably want to tune it to
eliminate all false positives and to make it trigger on site-specific
conditions that a universal tool can't help you with. Initial tuning
is provided with your installation, but you might have slightly
different tuning requirements for each system.

Tuning is easy to do. All you normally have to do is look for the
alarms that Tracer gives. If you don't want a particular alarm, remove
the entry that causes that alarm from the lists of items in
init.pl.[system]. An example might help here.

An Example

Here is an extract from the list of identified root processes for
the SunOS version of Unix.

    %ROOTDAEMON=("swapper", 0,
    "\/sbin\/init -", 1,
    ...
    "syslogd", -1,
    "cron", -1,
    "update", -1 );

In this case, there must be one "swapper" process, it has to be owned
by root, and it has to be process number 0, and so on. If your site isn't
using the "syslogd" daemon for logging system activities, and instead you
are using a custom logger called "customlogger", you would get an error
message like this:

    No syslogd running - very bad.

and another message later on that might look something like this:

    The following unidentified root processes are running.
    Please verify that they are supposed to be running as root.
    USER PID %CPU/M SZ R TT ST START TIME COMMAND
    root 127 0.0 0.0 56 0 co IW Feb 4 0:00 customlogger

To remove the false positives and do the right check, remove:

    "syslogd", -1,

from init.pl.sunos and insert:

    "customlogger", -1,

in its place.

The result will be a report that eliminates both warnings and
produces the proper response:

    customlogger checks out OK.

Another Example

Here's another example where we want to allow the rather rarely used
network service called "biff" to run without a warning. Here's the
original warning message:

    +++ NOTICE biff services are not used.
    In /etc/services change:
    FROM: biff 512/udp comsat
    TO: # biff 512/udp comsat

Normally, we would eliminate this service and the corresponding
NOTICE message by following the instructions and commenting out the line
in /etc/services as indicated above. But in this case, we want this
service.

To remove the warning, we simply remove the "biff" entry from the
list of bad services, changing a line like this:

    "shell", "printer", "biff",

to a line like this:

    "shell", "printer",

The same basic process is used for all of the configuration of
Tracer.
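
The root-process check from the first example can be sketched as follows, to show why one missing list entry produces two alarms and why swapping the entry clears both. This is an added example, not Tracer's own code: the function check_root_daemons, the sample process table, the message wording, and the reading of -1 as "any PID" are assumptions.

```perl
#!/usr/bin/perl
# Added illustration; NOT Tracer's own code. Assumed semantics: each key of
# %ROOTDAEMON is a pattern matched against the start of the command, and the
# value is the required PID, with -1 meaning "any PID".
use strict;
use warnings;

my %ROOTDAEMON = ("swapper", 0, "\/sbin\/init -", 1,
                  "syslogd", -1, "cron", -1, "update", -1);

# Constructed sample process table: [user, pid, command].
my @PS = (["root", 0, "swapper"],   ["root", 1, "/sbin/init -"],
          ["root", 98, "cron"],     ["root", 101, "update"],
          ["root", 127, "customlogger"], ["fred", 300, "-csh"]);

sub check_root_daemons {
    my ($allow, $procs) = @_;
    my (%seen, @unknown, @report);
    for my $p (grep { $_->[0] eq "root" } @$procs) {
        my ($pid, $cmd) = @{$p}[1, 2];
        my $hit = 0;
        for my $pat (keys %$allow) {
            next unless $cmd =~ /^$pat/;
            my $want = $allow->{$pat};
            next if $want != -1 && $want != $pid;   # right name, wrong PID
            $seen{$pat}++;
            $hit = 1;
        }
        # A root process matching no list entry is reported as unidentified.
        push @unknown, "root $pid $cmd" unless $hit;
    }
    # Every list entry that matched nothing is reported as a missing daemon.
    for my $pat (sort keys %$allow) {
        push @report, "No $pat running" unless $seen{$pat};
    }
    push @report, "Unidentified root process: $_" for @unknown;
    return @report;
}

print "Before tuning:\n";
print "  $_\n" for check_root_daemons(\%ROOTDAEMON, \@PS);

# The edit described above: swap the syslogd entry for customlogger.
delete $ROOTDAEMON{"syslogd"};
$ROOTDAEMON{"customlogger"} = -1;

my @after = check_root_daemons(\%ROOTDAEMON, \@PS);
print "After tuning:\n";
print "  $_\n" for (@after ? @after : "no alarms");
```

Removing the "syslogd" entry without adding "customlogger" would silence only the first alarm; the custom logger would still be listed as an unidentified root process.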