The `cfenvd' program serves two purposes: as an anomaly detection engine and as a source of entropy for generating random numbers, such as for encryption keys. Although it is not a compulsory part of cfengine, it is highly recommended to run this daemon. It requires few resources and poses no vulnerability to the system. It will play an increasingly important role in future developments.
In cfengine 2.x, additional classes are automatically evaluated based on the state of the host, in relation to earlier times. This is accomplished by the additional `cfenvd' daemon, which continually updates a database of system averages and variances, which characterize "normal" behaviour. The state of the system is examined and compared to the database, and the state is classified in terms of the current level of activity, as compared to an average of equivalent earlier times. For example:

RootProcs_low_dev2 netbiosssn_in_low_dev2 smtp_out_high_anomalous www_in_high_dev3
The first of these tells us that the number of root processes is two standard deviations below the average of past behaviour, which might be fortuitous, or might signify a problem, such as a crashed server. The WWW item tells us that the number of incoming connections is three standard deviations above average. The smtp item tells us that outgoing smtp connections are more than three standard deviations above average, perhaps signifying a mail flood. The setting of these classes is transparent to the user, but the additional information is only visible to the privileged owner of the cfengine work-directory, where the data are cached.
Active incoming ports are also registered as "pin-portnumber", but this is mainly an experimental feature for future research. The resulting class list, obtained from exploring the environment of the system, and after parsing a configuration, looks something like this:
host% cfagent -p -v
[snip]
Defined Classes = ( any Thursday Hr14 Min24 Min20_25 Day19 July Yr2001 solaris examplehost 32_bit sunos_5_7 sunos_sun4u sunos_sun4u_5_7 sparc solaris2_7 129_0_0 129_0_0_10 loghost OnTheHour peaktime DayTime examplehost_example_org longjob Setup_SSH_OK y MailHub percent_60 RootProcs_normal_dev2 nfsd_out_low_dev2 pin-1554 pin-80 pin-21 pin-6011 pin-5308 pin-139 pin-983 pin-10 )
[snip]
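The class names above follow one pattern: the metric, the direction of the deviation from the cached average, and how many standard deviations away the current sample sits. The following is an added example, not cfengine's own code: it classifies constructed readings against a constructed (average, variance) baseline using assumed thresholds chosen to match the three classes the text explains (within 2 sigma is reported as `normal_dev2`, as in the cfagent output), and shows one assumed way a daemon like cfenvd could keep its averages and variances current with an exponentially weighted update.

```python
"""Anomaly classes from cached averages, as an illustration of the page's scheme.
Added example; thresholds and the update rule are assumptions, not cfenvd's code."""
import math

# Constructed baseline, metric -> (average, variance); sigma is sqrt(variance).
BASELINE = {
    "RootProcs": (40.0, 16.0),    # sigma 4
    "www_in":    (120.0, 100.0),  # sigma 10
    "smtp_out":  (10.0, 4.0),     # sigma 2
}

def update_baseline(average, variance, sample, weight=0.3):
    """Assumed exponentially weighted update of the stored mean and variance."""
    new_average = (1 - weight) * average + weight * sample
    new_variance = (1 - weight) * variance + weight * (sample - new_average) ** 2
    return new_average, new_variance

def anomaly_class(name, value, average, variance):
    """Return the class name for one metric sample.
    Assumed bands on whole standard deviations |z|:
      < 2 -> <name>_normal_dev2          2 -> <name>_<low|high>_dev2
      3 -> <name>_<low|high>_dev3     >= 4 -> <name>_<low|high>_anomalous"""
    sigma = math.sqrt(variance)
    if sigma == 0.0:
        # No spread recorded yet: exactly average is normal, anything else is off-scale.
        whole, z = (0, 0.0) if value == average else (4, value - average)
    else:
        z = (value - average) / sigma
        whole = int(abs(z))            # truncate to whole deviations
    if whole < 2:
        return f"{name}_normal_dev2"
    direction = "low" if z < 0 else "high"
    band = {2: "dev2", 3: "dev3"}.get(whole, "anomalous")
    return f"{name}_{direction}_{band}"

def classify_samples(samples, baseline=BASELINE):
    """Map {metric: current value} to the list of classes cfagent would define."""
    return [anomaly_class(n, v, *baseline[n]) for n, v in samples.items()]

if __name__ == "__main__":
    # Constructed current readings, not real measurements.
    now = {"RootProcs": 31, "www_in": 152, "smtp_out": 19}
    print(" ".join(classify_samples(now)))
```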
1.2 Anomaly research
1.3 cfenvgraph
1.4 Starting with anomaly detection
Copyright © 2003 by The Free Software Foundation. Updated Jun 2003.