7.12 Checksums and Tripwire functionality
Cfagent can be used to check for changes in files which only something
as exacting as an MD5 checksum/digest can detect. If you specify a
checksum database and activate checksum verification,
then cfagent will build a database of file checksums and warn you when
files' checksums change. This makes cfagent act like Tripwire
(currently only with MD5 checksums). It can be used to show up Trojan
horse versions of programs. It should be used sparingly though since
database management and MD5 checksum computation are resource
intensive operations and this could add significant time to a cfagent
run. The ChecksumUpdates variable (normally false) can be set to true
to update the checksum database when programs change for valid
control:
   ChecksumDatabase = ( /var/cfengine/cache.db )
   ChecksumUpdates = ( false )

files:
   /filename checksum=md5 ....
   /dirname checksum=md5 recurse=inf....

   # If the database isn't secure, nothing is secure...
   /var/cfengine/cache.db mode=600 owner=root action=fixall
Warnings are all very fine and well, but the spirit of cfengine is
not to bother us with warnings, it is to fix things automatically.
Warning is a useful supplement, but in security breaches it is better
to fix the problem rather than leave the host in a dangerous state.
If you are worried about the integrity of the system then don't just
warn about checksum mismatches here, make an md5 copy comparison
against a read-only medium which has a correct, trusted version of the
file on it. That way if a binary is compromised you will not only warn
about it but also repair the damage immediately!
The control variable ChecksumUpdates may be switched on
in order to force cfagent to update its checksum database after
warning of a change.
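The following is an added illustration, not cfengine's own code: a small Tripwire-style MD5 database that behaves the way the text describes ChecksumDatabase and ChecksumUpdates (a changed digest is only written back when updates are on), plus the recommended md5 copy comparison against a trusted copy on a read-only medium. The file names, the "cdrom" directory and the tampered contents are constructed for the demo.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_files(paths, db_path, checksum_updates=False):
    """Return {path: 'new'|'ok'|'changed'}; a changed digest is stored only
    when checksum_updates is True (the ChecksumUpdates = ( true ) case)."""
    db_path = Path(db_path)
    db = json.loads(db_path.read_text()) if db_path.exists() else {}
    result = {}
    for p in map(str, paths):
        digest = md5_of(p)
        if p not in db:
            result[p], db[p] = "new", digest      # first sighting: record it
        elif db[p] == digest:
            result[p] = "ok"
        else:
            result[p] = "changed"                 # warn, keep the old digest...
            if checksum_updates:
                db[p] = digest                    # ...unless updates are on
    db_path.write_text(json.dumps(db, indent=1, sort_keys=True))
    return result

def repair_from_trusted(target, trusted_dir):
    """Overwrite target if its MD5 differs from trusted_dir/<name>; True if so."""
    trusted = Path(trusted_dir) / Path(target).name
    if md5_of(target) == md5_of(trusted):
        return False
    shutil.copy2(trusted, target)                 # restore the trusted copy
    return True

def demo():
    """Constructed scenario in a temp dir; returns (status sequence, repaired)."""
    work = Path(tempfile.mkdtemp())
    trusted_dir, live, db = work / "cdrom", work / "ls", work / "cache.db"
    trusted_dir.mkdir()
    (trusted_dir / "ls").write_bytes(b"#!/bin/sh\necho shipped ls\n")
    shutil.copy2(trusted_dir / "ls", live)
    seen = [check_files([live], db)[str(live)]]      # 'new'
    seen.append(check_files([live], db)[str(live)])  # 'ok'
    live.write_bytes(b"#!/bin/sh\necho trojan\n")    # simulated tampering
    seen.append(check_files([live], db)[str(live)])  # 'changed'
    repaired = repair_from_trusted(live, trusted_dir)
    seen.append(check_files([live], db)[str(live)])  # 'ok' again after repair
    return seen, repaired
```

Note that with checksum_updates=True the 'changed' file would have been accepted into the database on the next run, which is why the text treats ChecksumUpdates as something to enable deliberately rather than leave on.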