Change detection

This policy will look for changes recursively in a directory.

    body common control 
    {
    bundlesequence  => { "example"  };
    }

    ########################################################

    bundle agent example
    {
    files:

      "/etc/example"    # Directory to monitor for changes.

       changes      => detect_all_change,
       depth_search => recurse("inf");
    }

    #########################################################

    body changes detect_all_change 
    {
    report_changes => "all";
    update_hashes  => "yes";
    }

    #########################################################

    body depth_search recurse(d) 
    {
    depth        => "$(d)";
    }

This policy can be found in /var/cfengine/share/doc/examples/unit_change_detect.cf.

Here is an example run.

First, let's create some files for CFEngine to monitor:

# mkdir /etc/example 
# date > /etc/example/example.conf  

CFEngine detects new files and adds them to the file integrity database:

# cf-agent -f unit_change_detect.cf
2013-06-06T20:53:26-0700    error: /example/files/'/etc/example':
File '/etc/example/example.conf' was not in 'md5' database - new file found
# cf-agent -f unit_change_detect.cf -K

If there are no changes, CFEngine runs silently:

# cf-agent -f unit_change_detect.cf
#   

Now let's update the mtime, and then the mtime and content. CFEngine will notice the changes and record the new profile:

# touch /etc/example/example.conf # update mtime
# cf-agent -f unit_change_detect.cf -K
2013-06-06T20:53:52-0700    error: Last modified time for
'/etc/example/example.conf' changed 'Thu Jun  6 20:53:18 2013'
-> 'Thu Jun  6 20:53:49 2013'
# date >> /etc/example/example.conf # update mtime and content
# cf-agent -f unit_change_detect.cf -K
2013-06-06T20:54:01-0700    error: Hash 'md5' for '/etc/example/example.conf' changed!
2013-06-06T20:54:01-0700    error: /example/files/'/etc/example': Updating hash for
'/etc/example/example.conf' to 'MD5=8576cb25c9f78bc9ab6afd2c32203ca1'
2013-06-06T20:54:01-0700    error: Last modified time for '/etc/example/example.conf'
changed 'Thu Jun  6 20:53:49 2013' -> 'Thu Jun  6 20:53:59 2013'
#