
GNU cfengine


7.12 Checksums and Tripwire functionality

Cfagent can be used to check for changes in files which only something as exacting as an MD5 checksum/digest can detect. If you specify a checksum database and activate checksum verification,

  ChecksumDatabase = ( /var/cfengine/cache.db )
  ChecksumUpdates = ( false )

    /filename checksum=md5 ....
    /dirname  checksum=md5 recurse=inf....

    # If the database isn't secure, nothing is secure...
    /var/cfengine/cache.db  mode=600 owner=root action=fixall

then cfagent will build a database of file checksums and warn you when a file's checksum changes. This makes cfagent act like Tripwire (currently only with MD5 checksums). It can be used to expose Trojan horse versions of programs. It should be used sparingly, though, since database management and MD5 checksum computation are resource-intensive operations and can add significant time to a cfagent run. The ChecksumUpdates variable (normally false) can be set to true to update the checksum database when programs change for valid reasons.

Warnings are all fine and well, but the spirit of cfengine is not to bother us with warnings; it is to fix things automatically. A warning is a useful supplement, but in a security breach it is better to fix the problem than to leave the host in a dangerous state. If you are worried about the integrity of the system, then don't just warn about checksum mismatches here: also make an md5 copy comparison against a read-only medium which holds a correct, trusted version of the file. That way, if a binary is compromised you will not only warn about it but also repair the damage immediately!

The control variable ChecksumUpdates may be switched on in order to force cfagent to update its checksum database after warning of a change.
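The three behaviours described above (build a checksum database and warn on mismatch, optionally update the database when ChecksumUpdates is on, and repair a changed file from a trusted read-only copy) are modelled in the following added example. It is not cfengine code and makes no use of cfagent's own database format; it is a small stand-alone Python script with a hypothetical JSON database, a `trusted_root` directory standing in for the read-only medium, and a `checksum_updates` flag standing in for the ChecksumUpdates variable:

```python
"""Tripwire-style MD5 verifier modelled on cfagent's ChecksumDatabase behaviour.
Added example; hypothetical names (verify, trusted_root, checksum_updates)."""
import hashlib
import json
import os
import stat
import shutil
import sys
from pathlib import Path


def md5_of_file(path):
    """Stream one file through MD5, as 'checksum=md5' does per file."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_db(db_path):
    """Load the checksum database; a missing file means this is the first run."""
    db_path = Path(db_path)
    if not db_path.exists():
        return {}
    with open(db_path) as fh:
        return json.load(fh)


def save_db(db_path, db):
    """Write the database and pin it to mode 600: if the database is not
    secure, nothing is secure, because whoever can rewrite it can hide a change."""
    db_path = Path(db_path)
    with open(db_path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)
    os.chmod(db_path, stat.S_IRUSR | stat.S_IWUSR)


def verify(root, db_path, checksum_updates=False, trusted_root=None):
    """Check every regular file below root (recurse=inf) against the database.

    Returns {'new': [...], 'changed': [...], 'repaired': [...]} with absolute
    paths as strings. A 'changed' file is restored from trusted_root (same
    relative layout) when one is given; the stored checksum is replaced only
    when checksum_updates is True, mirroring ChecksumUpdates=(true)."""
    root = Path(root)
    db = load_db(db_path)
    report = {"new": [], "changed": [], "repaired": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        key = str(path)
        current = md5_of_file(path)
        stored = db.get(key)
        if stored is None:
            # First sighting: record the baseline, nothing to compare yet.
            report["new"].append(key)
            db[key] = current
            continue
        if current == stored:
            continue
        report["changed"].append(key)          # this is the Tripwire warning
        if trusted_root is not None:
            trusted = Path(trusted_root) / path.relative_to(root)
            if trusted.is_file():
                # Repair immediately from the read-only copy, then re-check.
                shutil.copy2(trusted, path)
                current = md5_of_file(path)
                report["repaired"].append(key)
        if checksum_updates or current == stored:
            db[key] = current
    save_db(db_path, db)
    return report


if __name__ == "__main__":
    # usage: verify.py <root> <db_path> [trusted_root]
    rep = verify(sys.argv[1], sys.argv[2],
                 trusted_root=sys.argv[3] if len(sys.argv) > 3 else None)
    for kind, paths in rep.items():
        for p in paths:
            print(f"{kind}: {p}")
```

The first run only records baselines, so a database must be built while the host is known-good; on later runs a mismatch is reported and, without `checksum_updates`, the stored digest is deliberately left alone so that the warning repeats on every run until the file is repaired or the change is accepted.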

  Copyright 2003   by The Free Software Foundation     Updated Jun 2003