root/eddie/trunk/doc/manual.html

<HTML>
 <Head>
  <Title>The EDDIE-Tool User's Manual</Title>
 </Head>

 <Body bgcolor=white>
  <Center>
   <H2>The EDDIE-Tool User's Manual</H2>
  </Center>

  <p>
   <b>Contents:</b>
   <ul>
    <li> <a href="#introduction">Introduction</a>
    <li> <a href="#installation">Installation</a>
     <ul>
      <li> <a href="#downloading">Downloading</a>
      <li> <a href="#installing">Installing</a>
     </ul>
    <li> <a href="#cmdline">Command-Line Options</a>
    <li> <a href="#configuration">Configuration</a>
     <ul>
      <li> <a href="#config_files">Config Files</a>
      <li> <a href="#globals">Global Configurables</a>
      <li> <a href="#config_format">Configuration Format</a>
      <li> <a href="#simple_config">Simple Configuration</a>
      <li> <a href="#directives">Directives</a>
      <ul>
          <li> <a href="#commondirectiveargs">Common Directive Arguments</a>
          <li> <a href="#rule_format">Rule Format</a>
          <li> <a href="#builtindirectives">Built-in Directives</a>
          <li> <a href="#directivedetails">Directive Details</a>
      </ul>
      <li> <a href="#builtindirectives">Built-in Directives</a>
      <li> <a href="#actions">Actions</a>
      <li> <a href="#notif_msg_objects">Notification and Message objects</a>
     </ul>
    <li> <a href="#other_features">Other Features</a>
     <ul>
      <li> <a href="#console">Console</a>
     </ul>
   </ul>
  </p>

  <hr>

  <p>
   <H3><a name="introduction">Introduction</a></H3>
  </p>
  <p>
   The EDDIE-Tool (commonly just called EDDIE)
   is an agent for system, network and security monitoring.
   It is highly customizable and easily extendable.
   It has been designed to be as platform-independent as possible, with
   platform-specific code limited to a small group of modules, making it
   easily portable to new platforms.
   It is fully written in <a href="http://www.python.org/">Python</a> and
   the configuration has a Python "look-and-feel" to it, although no Python
   or coding skills are necessary to configure it.
  </p><p>
   This user's manual is specific for EDDIE-Tool versions 0.29 and above,
   as some significant changes were made to improve the configuration.
   These changes can be <a href="changes_ver_029.txt">read here</a>.
   The user's manual for earlier versions can be
   <a href="manual-pre-029.html">read here</a>.
  </p>

  <hr>

  <p>
   <H3><a name="installation">Installation</a></H3>
   <H4><a name="downloading">Downloading</a></H4>
  </p>
  <p>
   You need to download the following:
   <ul>
    <li> <b>Required:</b>
    <ul>
     <li> EDDIE - <a href="http://eddie-tool.net//download/">http://eddie-tool.net/download/</a>
     <li> Python 2.2.1+ - <a href="http://www.python.org/">http://www.python.org/</a> (must support threads) - Python 2.3+ is recommended, but Eddie has been tested with Python versions 2.2.1 through to 2.4.x.  On Windows Python 2.3 or newer is required.
    </ul>
    <li> <b>Optional:</b>
     <ul>
      <li> Elvin 4 - <a href="http://elvin.dstc.edu.au/">http://elvin.dstc.edu.au/</a> - Elvin is the message system supported by EDDIE and some of its related
      tools to pass alerts, collected data, etc between them.  It is not
      required for basic monitoring.
      <li> elvinrrd - <a href="http://www.psychofx.com/elvinrrd/">http://www.psychofx.com/elvinrrd/</a> -
      the daemon for storing EDDIE-collected data into RRD databases.
      <li> estored - <i>available soon</i> -
      the daemon for storing EDDIE-collected data into databases.
    </ul>
   </ul>
  </p>

  <p>
   <H4><a name="installing">Installing</a></H4>
  </p>
    Follow the <a href="QUICKSTART.txt">QUICKSTART</a> document
         (also located in the eddie/doc/ directory) or continue with
         the steps below.
  <p>
   <ul>
    <li> Python - first install Python by following the instructions
    included in the Python distribution.  EDDIE is written in Python
    and will not work if Python is not available.  Python must have
    been compiled with thread support as EDDIE is fully threaded.
    EDDIE has been tested with Python versions 2.2.1 through to 2.4.x
    under Linux, Solaris and HP-UX, OS X, FreeBSD, OpenBSD and Windows.
    <li> EDDIE - un-tar EDDIE into your favorite directory, eg: /opt
     <dir> <b>$ cd /opt</b> </dir>
     <dir> <b>$ gtar xvzf eddie-0.xx.tgz</b> </dir>
     Edit the main EDDIE file, eddie.py in the bin directory
     <dir> <b>$ vi eddie-0.xx/bin/eddie.py</b> </dir>
     and change the first line to point to your Python interpreter, eg:
     <dir> <b>#!/opt/python/bin/python</b> </dir>
     Note: DO NOT remove the special '#!' characters.
    <li> That should be all that is needed to get EDDIE up & running.
     You can test that EDDIE will work by
     running it, eg:
     <dir> <b>$ /installdir/eddie-0.xx/bin/eddie.py</b> </dir>
     You should see the version of EDDIE and your system type, eg:
     <dir> <b>EDDIE v0.30<br>systype: Linux/2.2.5-15/i586</b> </dir>
     You can see what systems are supported by EDDIE by looking in the
     eddie/lib/ directory.  Besides common, the other directories will
     be specific to different operating systems (e.g., 'Linux', 'SunOS').
     If your system is not supported yet you will have to wait for a
     port of EDDIE to your system or contact the developers to see about
     porting it yourself.
    <li> If you see the above output with no major error messages then
     EDDIE is working.  However, without any configuration it will
     not be doing anything.  Now the hard^H^H^H^Hfun part,
     building the configuration.
     (Press [CTRL]-C to stop it.)
   </ul>


  <hr>

  <p>
   <H3><a name="cmdline">Command-Line Options</a></H3>
  </p>

   <ul>
    <li><b>-h</b>, <b>--help</b>: display the help text, then exit
    <li><b>--version</b>: display the EDDIE-tool version, then exit
    <li><b>-c FILE</b>, <b>--config=FILE</b>: specify the path to the configuration file<br>The default is <i>(RUNDIR)/../config/eddie.cf</i>
    <li><b>--showconfig</b>: display the configuration, then exit
    <li><b>-v</b>, <b>--verbose</b>: display extra messages
    <li><b>-d</b>, <b>--daemon</b>: run in the background, and return the PID of the daemon process
   </ul>


  <hr>

  <p>
   <H3><a name="configuration">Configuration</a></H3>

   <H4><a name="config_files">Config files</a></H4>
  </p>
   <ul>
    <li> The EDDIE config files should be in /installdir/eddie-0.xx/config.
     EDDIE begins by looking for an eddie.cf file in this directory, ie:
     <dir> <b>/installdir/eddie-0.xx/config/eddie.cf</b> </dir>
    <li> EDDIE is distributed with a config.sample directory containing
     example configuration files.  You should look over these to get
     an idea of how the configuration works.
    <li> You must first create a config directory, if one isn't there already, eg:
     <dir> <b>$ mkdir /installdir/eddie-0.xx/config</b> </dir>
     then create an eddie.cf file in this new directory.  You can copy
     and change the config.sample/eddie.cf file if you like.
    <li> It is common for the EDDIE Directives (the rules which EDDIE
     uses to collect data and perform actions) to be written in
     separate rules files.  These are then INCLUDEd in the main eddie.cf
     config file.  The rules files can be in the same directory as eddie.cf
     or can be in subdirectories under it.  It is common for a complex
     setup to split the rules into multiple files grouped by commonality.
   </ul>

  <p>
   <H4><a name="globals">Global Configurables</a></H4>
  </p>
  <p>
   The global configurables are usually in eddie.cf and are listed below:
   <ul>
    <li> <b>LOGFILE</b> - the file to log to (this should be the first thing set so that
         any problems are logged to the right place).
    <li> <b>LOGLEVEL</b> - how much detail to log to the above logfile.
    <li> <b>ADMIN</b> - the administrator's email address.
    <li> <b>ADMINLEVEL</b> - how much log detail to send to the admin.
    <li> <b>ADMIN_NOTIFY</b> - how often to send admin log emails.
    <li> <b>NUMTHREADS</b> - the maximum number of threads (including supporting threads
         and directive threads) EDDIE will attempt to limit itself to using.  This
         should be a minimum of 5.
    <li> <b><a name="SCANPERIOD">SCANPERIOD</a></b>
         - the default time to wait between checks; can be overridden by
         each directive.
         See <a href="#timedef">Time Definition</a> for definition of time format.
    <li> <b>CONSOLE_PORT</b> - defines the tcp port EDDIE binds to to provide a console interface
         to the directive states; this defaults to 33343, and can be set to 0 to disable
         this feature (see <a href="#console">Console</a>).
    <li> <b>EMAIL_FROM</b> - the From: address to be used by the email action.  Will default to the user EDDIE is run as.
    <li> <b>EMAIL_REPLYTO</b> - the Reply-To: address to be used by the email action.  Defaults to empty string, "".
    <li> <b>SENDMAIL</b> - the location of the sendmail binary which EDDIE uses to send all emails.  Is usually '/usr/lib/sendmail' (Solaris) or '/usr/sbin/sendmail' (Redhat Linux).  Defaults to '/usr/lib/sendmail'.
    <li> <b>SMTP_SERVERS</b> - a comma-separated list of SMTP servers to use to make SMTP connections for email sending.  Defaults to 'localhost'.
    <li> <b>ELVINURL</b> - the URL of an Elvin server (if required).
    <li> <b>ELVINSCOPE</b> - the scope of an Elvin server (if required).
    <li> <b><a name="INTERPRETERS">INTERPRETERS</a></b>
         - commands classed as "interpreters" by process checking rules
         (see the <a href="#PROC">PROC</a> directive).
    <li> <b><a name="WORKDIR">WORKDIR</a></b>
         - directory where Eddie can store temporary files.  [Eddie 0.35+]
    <li> <b><a name="RESCANCONFIGS">RESCANCONFIGS</a></b>
         - Flag indicating the desire to constantly scan (and reload) config file changes. Defaults to true.
    <li> <b>CLASS</b> - a grouping of hosts which share the same directives.
    <li> <b>ALIAS</b> - global aliases can be set here, if required.
    <li> <b>INCLUDE</b> - include another configuration file; it is common to split the rules
         into different files in a large installation.
   </ul>
     eddie.cf is well documented, so read through the file and modify the
     settings to suit your environment.
  </p>

  <p>
   <H4><a name="config_format">Configuration Format</a></H4>
  </p>
  <p>
   The EDDIE configuration follows the standard Python code format.
   Where methods or child objects of an object are indicated by
   indenting them beneath the parent object definition, sub-objects
   or parameters of a directive object are similarly indicated by indenting
   them beneath the parent object definition.  For example, a part of the
   configuration may look like:
         <pre>
    group testing:
        PING testping:
            host="10.0.0.1"
            numpings=10
            rule="not alive"
            action=email("chris", "%(host)s failed ping")

    FILE file1:
        file='/tmp/file1.tmp'
        scanperiod='2m'
        rule='not exists'
        action=ticker("%(file)s does not exist", timeout=1)
        act2ok=ticker("%(file)s now exists", timeout=1)
         </pre>

     A config group called "testing" is defined, then the PING
     directive "testping" is configured inside this group because
     it is indented.  Similarly, all testping's arguments are
     indented as they belong to the PING directive configuration.
     The second directive, FILE called "file1", is at the same
     indentation level as the group definition (i.e., not indented)
     and is therefore a global directive.  Thus, all hosts using
     this example config would execute the FILE directive, but only
     those hosts in the "testing" group would execute the PING
     directive.
     <br><br>

     If you are used to Python coding this will be second nature to you.
     If you are not, it will not be hard to pick up.
     <br><br>

     The above example also introduces the format of directive
     definitions.  Directives are the rules which do "something".
     More often than not, they will perform system or network checks
     of some sort.  But they are very flexible and could be configured
     to do more than simple checks.
     <br><br>

     In any case, the format of directive definitions is:
         <pre>
             DIRECTIVE name:
                 argument1=value1
                 [argument2=value2
                 ...]
         </pre>

     where "DIRECTIVE" is the directive name, like PROC or FS, and
     "name" is the user-defined, unqie name of this directive object.  The
     arguments customize the directive appropriately.  Some arguments
     are directive-specific while others are common to all directives.
     <br><br>

     Example:
         <pre>
             PROC test:
                name='syslogd'
                rule='not exists'
                scanperiod='30s'
                action=email("alert@my.domain","syslogd is not running")
         </pre>
     This is an example definition of a PROC directive, called 'test'.
     It contains the PROC-specific argument, 'name'. 'rule',
     'scanperiod' and 'action' are arguments which are common to all
     directives.  Some arguments are optional while others are required,
     and errors will be raised if they are missing.  In this example
     'name' and 'rule' are required.  'scanperiod' and 'action' are optional.
  </p>

  <p>
   <H4><a name="simple_config">Simple Configuration</a></H4>
  </p>
  <p>
   An EDDIE configuration can be simple to get basic monitoring started
   quickly and made as complicated as required to perform advanced operations.
   A simple example rules file is shown below to monitor basic services on a host.
   This rules file, named simple.rules, would be placed in the same directory
   as eddie.cf and eddie.cf would contain the entry
     <dir> INCLUDE 'simple.rules' </dir>
   The file simple.rules contains
   <pre>
        # Process checks
        PROC syslogd:
            name='syslogd'
            rule='not exists'
            action=email('root', '%(name)s is not running on %(h)s')
        PROC inetd:
            name='inetd'
            rule='not exists'
            action=email('root', '%(name)s is not running on %(h)s')
        PROC sshd:
            name='sshd'
            rule='not exists'
            action=email('root', '%(name)s is not running on %(h)s')

        # Filesystem checks
        FS root:
            fs='/'
            rule='pctused &gt; 90'
            action=email('root', '%(mountpt)s over 90%% on %(h)s')
        FS varlog:
            fs='/var/log'
            rule='pctused &gt; 90'
            action=email('root', '%(mountpt)s over 90%% on %(h)s')

        # Service Port checks
        SP smtp_port:
            port='smtp'
            protocol='tcp'
            bindaddr='0.0.0.0'
            rule='not exists'
            action=email('root', '%(protocol)s/%(port)s on %(h)s is not listening')
        SP http_port:
            port='http'
            protocol='tcp'
            bindaddr='0.0.0.0'
            rule='not exists'
            action=email('root', '%(protocol)s/%(port)s on %(h)s is not listening')

        # System statistics checks
        SYS loadaverage:
            rule="loadavg1 &gt; 3.00"
            scanperiod='1m'
            action=email('root', '%(h)s load-average &gt; 3.00')</pre>
  </p>


  <p>
   <H4><a name="directives">Directives</a></H4>
  </p>
   The directives are the configuration commands which tell EDDIE
   what to do.
   They are of the form:
   <pre>
    DIRECTIVE name:
        arg1=value1
        arg2=value2
        argn=valuen </pre>
   Where "DIRECTIVE" is the name of the directive itself (see
   <a href="#builtindirectives">Built-in Directives</a>);
   "name" is a user-defined name of the directive definition (the directive ID is usually
   constructed as "DIRECTIVE.name", e.g., "FS.root", and will appear in the logs, console,
   etc);
   "args" are arguments to define what the directive should do and how it should do it.
   Some arguments are common to all directives and others are
   specific to that type of directive.

  <p>
   <H5><a name="commondirectiveargs">Common Directive Arguments</a></H5>
  </p>
    <ul>
     <li> <b><a name="rule">rule=&lt;rule string&gt;</a></b>
          - a string defining a rule that will be evaluated
          (in a Python environment) using variables specific to the current directive.
          The rule should evaluate to 1 (true) or 0 (false).  If the rule is true, the
          directive state will be set to "fail" and the <a href="#action">action</a>
          (if any) will be executed.
          If false, the state will be "ok" and the <a href="#actelse">actelse</a>
          (if any) will
          be executed.  The rule argument may be optional to some directives if they
          provide a default rule.
     <li> <b><a name="scanperiod">scanperiod=&lt;time&gt;</a></b>
          - this changes how often the directive will be run
          (the default is the time period specified by <a href="#SCANPERIOD">SCANPERIOD</a>
          in eddie.cf). See
          <a href="#timedef">Time Definition</a> for formats of &lt;time&gt;.
     <li> <b><a name="numchecks">numchecks=&lt;integer&gt;</a></b>
          - the number of checks to perform before the
          state will be set to fail and actions called. The time between these "re-checks"
          is set by the <a href="#checkwait">checkwait</a> argument.
     <li> <b><a name="checkwait">checkwait=&lt;time&gt;</a></b>
          - the time between "re-checks" if the <a href="#numchecks">numchecks</a> argument
          is greater than 1.  See <a href="#timedef">Time Definition</a> for formats of &lt;time&gt;.
     <li> <b><a name="action">action=&lt;actionlist&gt;</a></b>
          - this is a list of actions (see <a href="#actions">Actions</a>)
          to be performed if the directive enters the failed state. i.e., if the directive
          is performing a check and the check fails, these actions will be called.
     <li> <b><a name="act2ok">act2ok=&lt;actionlist&gt;</a></b>
          - this is a list of actions (see <a href="#actions">Actions</a>)
          to be performed when the directive state changes from failed to ok.
     <li> <b><a name="actelse">actelse=&lt;actionlist&gt;</a></b>
          - this is a list of actions (see <a href="#actions">Actions</a>)
          to be performed when the directive state was ok and is still ok after running
          any checks.
     <li> <b><a name="console_arg">console=&lt;display_string&gt;</a></b> - define what is output to
          <a href="#console">EDDIE Console</a> connections for the current directive.
          Set to None to hide this directive from the Console.
      <li> <b><a name="checkdependson">checkdependson=&lt;directive(s)&gt;</a></b> - don't
          perform the check if any of these directives are in a failed state. [Eddie 0.31+]
      <li> <b><a name="actiondependson">actiondependson=&lt;directive(s)&gt;</a></b> - skip
          action execution if any of these directives are in a failed state. [Eddie 0.31+]
      <li> <b><a name="actionperiod">actionperiod=&lt;time expression&gt;</a></b> - an expresion
          which defines how long to wait before calling the next consequetive action.  The
          variable 't' is the current time between action calls, and defaults to the
          scanperiod after the first action call.  The scan period is also available in the
          expression with the <i>scanperiod</i> variable. Example: actionperiod='t * 2'
          - double the time between consequetive action calls. [Eddie 0.31+]

      <li> <b><a name="history">history=&lt;integer&gt;</a></b> - request directive to
        remember this many previous data samples.  Access them in rules using the terminology
        'history[n].dataname', where n is how many samples ago, and dataname is the name of
        the data to retrieve.  Example, alert if a filesystem grows by over 5% between checks:
        <pre>
        FS export00_grow:
            fs='/export/00'
            scanperiod='1m'
            history = 1
            rule='(pctused - history[1].pctused) &gt; 5'
            action=email('root','%(mountpt)s grew to %(pctused)s')</pre>
        Example 2, alert if average filesystem growth over last 3 sample periods is too high:
        <pre>
        FS export01_avg_grow:
            fs='/export/01'
            scanperiod='1m'
            history = 3
            rule='(pctused + history[1].pctused + history[2].pctused + history[3].pctused) / 3 &gt; 10'
            action=email('root','%(mountpt)s grew to %(pctused)s')</pre>
        Note that at startup, rules will not run until enough history data is available.
        So, in the previous example, the directive would wait for three scanperiods before
        it had enough history data (three sample periods) to be able to evaluate the rule.
        [Eddie 0.31+]

        <li> <b><a name="excludehosts">excludehosts=&lt;hostlist&gt;</a></b> - 
        do not execute this directive on any of the specified hosts.
        Hosts are specified as a string of comma-separated hostnames.
        [Eddie 0.32+]

        <li> <b><a name="actionmaxcalls">actionmaxcalls=&lt;integer&gt;</a></b> - 
        define the maximum number of times actions will be called for a particular
        failure.
        [Eddie 0.32+]

        <li> <b><a name="disabled">disabled=&lt;integer&gt;</a></b> - 
        set to 1 to force a directive to be disabled.  If disabled, a directive
        still exists in the configuration, but no checks will be executed for it.
        [Eddie 0.33+]

        <li> <b><a name="checktime">checktime=&lt;expression&gt;</a></b> - 
        if specified, the directive will only be executed if the expression
        evaluates to true.  The expression can make use of the current time and
        day with the variables: day ('mon', 'tue', etc); time (HHMM); hour (0-23);
        minute (0-59); second (0-59).
        And the for shorthands, the fixed lists: weekdays ('mon' - 'fri'),
        weekend ('sat', 'sun').
        <br> Some Examples:
        <pre>
            checktime='day=="mon" or day=="tue"'
            checktime='day in weekdays and hour &gt; 18'
        </pre>
        [Eddie 0.33+]

    </ul>
   </p>


  <p>
   <H5><a name="rule_format">Rule Format</a></H5>
  </p>

  The format of rules is very simple.
  For those familiar with Python, rules are simply Python expressions
  which are evaluated on-the-fly with the variables set by the directive
  at the time.
  For those unfamiliar with Python, the expressions are almost English-like
  using operators such as: not, and, or; and mathematical operators such as:
  ==, !=, &gt;, &lt;, &gt;=, &lt;=.
  Use these operators to evaluate the variables you are interested in.
  The whole expression should evaluate to 1 (i.e., true) if the actions
  set by the
  <a href="#action">action</a>
  argument should be executed.  If it evaluates to 0
  (i.e., false) only the actions set by the
  <a href="#actelse">actelse</a> argument are executed.

  <p>
  As rule expressions are evaluated in a Python environment, links to
  related Python documentation is provided below.
  <li> <a href="http://www.python.org/doc/current/lib/boolean.html">Boolean Operations</a>
  <li> <a href="http://www.python.org/doc/current/lib/comparisons.html">Comparisons</a>
  <li> <a href="http://www.python.org/doc/current/lib/string-methods.html">String Methods</a>
  </p>


  <p>
   <H5><a name="builtindirectives">Built-in Directives</a></H5>
  </p>
   The built-in directives are grouped roughly into categories and are as follows:
  <p>
   <i>System Monitoring:</i>
   <ul>
    <li> <b><a href="#COM">COM</a></b> - define custom rules.
    <li> <b><a href="#FS">FS</a></b> - perform filesystem checks.
    <li> <b><a href="#IF">IF</a></b> - perform checks on local network interfaces.
    <li> <b><a href="#METASTAT">METASTAT</a></b> - some tests for Solaris Disksuite.
    <li> <b><a href="#NET">NET</a></b> - define a network statistics rule.
    <li> <b><a href="#PID">PID</a></b> - perform checks on PID-files.
    <li> <b><a href="#PROC">PROC</a></b> - perform checks on active processes.
    <li> <b><a href="#SP">SP</a></b> - define a local service port checking rule.
    <li> <b><a href="#DBI">DBI</a></b> - execute a database query.
    <li> <b><a href="#STORE">STORE</a></b> - define a data storage rule.
    <li> <b><a href="#SYS">SYS</a></b> - perform system statistics checks.
    <li> <b><a href="#DISK">DISK</a></b> - perform disk I/O statistics checks.
    <li> <b><a href="#TAPE">TAPE</a></b> - perform tape I/O statistics checks.
   </ul>

   <i>Network Monitoring:</i>
   <ul>
    <li> <b><a href="#HTTP">HTTP</a></b> - perform remote HTTP/HTTPS tests.
    <li> <b><a href="#PING">PING</a></b> - network host ping testing.
    <li> <b><a href="#POP3TIMING">POP3TIMING</a></b> - time &amp; check POP3 connections.
    <li> <b><a href="#PORT">PORT</a></b> - remote TCP port checking rule.
    <li> <b><a href="#RADIUS">RADIUS</a></b> - perform radius authentication tests.
    <li> <b><a href="#SMTP">SMTP</a></b> - test and measure SMTP connections to servers.
    <li> <b><a href="#SNMP">SNMP</a></b> - retrieve and test SNMP data from remote hosts and devices.
   </ul>

   <i>Security Monitoring:</i>
   <ul>
    <li> <b><a href="#FILE">FILE</a></b> - for testing file stats or changes.
    <li> <b><a href="#LOGSCAN">LOGSCAN</a></b> - define a log scanning rule.
   </ul>

   Note that there may be many more directives depending on the version
   of EDDIE or any new or optional directives which may have been added
   to the distribution.  See the EDDIE-Tool developer's guide for more
   information on creating new directives.
  </p>


  <p>
   <H5><a name="directivedetails">Directive Details</a></H5>
  </p>


   <p>
    <b><a name="COM">COM</a></b><br>

    COM is a generic directive used to perform custom
    checks that other directives are not available for.  It simply executes the
    given command in a sub-shell, and captures the stdout/stderr and
    return value for testing by the directive rule.
    <br><br>
    Security note: if EDDIE is run as root, the config files should not
    be world-writable as obviously directives like COM can execute any
    commands on the system.

    <br><br>
    COM-specific Arguments:
    <ul>
     <li> <b>cmd=&lt;command&gt;</b> <i>(required)</i>:
          <br>
          - specifies the command to be executed in a sub-shell.
          <br><br>
          <i>Example:</i>
          <pre>
          cmd="/bin/ls /tmp/*.tmp | wc -l"</pre>
    </ul><br>

    Rule Variables:
    <ul>
     <li> <b>out</b> (string)
          <br>
          - the out variable contains the standard output (stdout) of the executed
          command string.
     <li> <b>outfields<i>n</i></b> (int)
          <br>
          - Number of output fields
     <li> <b>outfield<i>n</i></b> (auto-typed)
          <br>
          - the standard output is also split (by whitespace) and stored in variables
          outfield1, outfield2, etc, to simplify rule creation.
     <li> <b>err</b> (string)
          <br>
          - the err variable contains the standard error (stderr) of the executed
          command string.
     <li> <b>ret</b> (int)
          <br>
          - the ret variable contains the return code of the executed command string.
          <br><br>
     <li> <i>Examples:</i>
          <pre>
          rule='out == "test"'          # true if stdout is just "test"
          rule='out.find("test")'       # true if stdout contains "test"
          rule='int(out) &gt; 5'           # true if out (converted to an integer) is &gt; 5
          rule='int(ret) != 0'          # true if return value of the cmd is not 0
          rule='int(outfield1) != 0'    # true if stdout field 3 is not 0
          </pre>
    </ul>

    Action Variables:
    <ul>
     <li> <b>cmd</b> (string)
          <br>
          - the command string as specified by the cmd argument.
     <li> Plus all the rule variables as usual.
     <li> <i>Examples:</i>
          <pre>
          action=email("alert", "the command '%(cmd)s' failed.")</pre>
    </ul>

    <i>Directive Examples:</i>
    <pre>
        # Check load average (the hard way, without using SYS)
        COM loadavg:
            cmd="uptime | cut -d, -f4 | awk '{print $3}'"
            rule="float(out) &gt; 6.0"
            action=email("alert", "Load on %(h)s is &gt; 6.0")

        # Check number of netscapes running
        COM count_ns:
            cmd="ps -ef | grep netscape | wc -l"
            rule="int(out) &gt; 3.0"
            action=email("alert", "There are %(out)s netscapes running on %(h)s")

        # A variation on checking load average, using 'outfield' variables
        COM loadavg:
            cmd="uptime | cut -d, -f4"
            rule="float(outfield3) &gt; 6.0"
            action=ticker("Load on %(h)s is %(outfield3)s", timeout=1)
    </pre>
   </p>



   <p>
    <b><a name="FILE">FILE</a></b><br>

    This is a directive for performing checks on files or changes to files.
    Rules can be written based on any changes to the file metadata, like
    modification date, size, ownership, permissions, etc.  It can also
    pick up changes to the file itself, which can be useful as a security
    check.

    <br><br>
    FILE-specific Arguments:
    <ul>
     <li> <b>file=&lt;file name&gt;</b> <i>(required)</i>:
          <br>
          - the file to be checked.
     <li> <b>keepdiff=true | false</b> <i>(optional)</i>:
          <br>
          - if true Eddie will generate diffs of changed files.
          Previous copies are stored in the <a href="#WORKDIR">WORKDIR</a>
          directory. [Eddie 0.35+]
     <li> <b>difftype=context | unified | full</b> <i>(optional)</i>:
          <br>
          - the type of diff to generate. [Eddie 0.35+]
     <li> <b>context_lines=&lt;integer&gt;</b> <i>(optional)</i>:
          <br>
          - how