Cfengine can be used to check for changes in files that only something as exacting as an MD5 checksum (digest) can detect. If you define a checksum database and activate checksum verification,

   control:
      ChecksumDatabase = ( /etc/cfengine/cache.db )

   files:
      /filename checksum=md5 ....

cfengine will build a Berkeley db database of file checksums and warn you when a file's checksum changes. This gives cfengine Tripwire-like functionality and can reveal Trojan horse versions of programs. It should be used sparingly, though: database management and MD5 checksum computation are resource-intensive operations and can add significant time to a cfengine run.
NOTE! Warnings are usually unnecessary. If you are worried about the
integrity of the system then don't bother warning about checksum
mismatches here. Instead, use a copy: action with type=checksum (an MD5
copy comparison) whose source is a read-only medium holding correct
versions of the programs. That way if a binary is compromised you will
not only warn about it but also repair the damage immediately!
The control variable ChecksumUpdates may be switched on to force cfengine
to update its checksum database after warning of a change, so that the
new checksum becomes the baseline for subsequent runs. With updates on,
a modified file is therefore reported only once and then accepted.
The default value of this variable is off for cfengine but on for cfd.
This is because cfd uses the database as a cache, while cfengine uses it
as a security check.
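The following configuration puts the pieces described above together: a checksum database with updates left off, a files: check that warns on digest changes, and the recommended copy: action with type=checksum that repairs binaries from a read-only medium. It is an added example written for this page, not configuration from the cfengine manual or distribution; the database path, the /mnt/cdrom mount point and the choice of binary directories are assumptions for illustration.

```cfengine
# Added example, not from the cfengine manual. The database path, the
# /mnt/cdrom mount point and the directories checked are assumptions.

control:
   actionsequence = ( files copy )

   # Berkeley db of per-file MD5 digests, built on the first run.
   ChecksumDatabase = ( /var/cfengine/checksum.db )

   # Keep the stored digests fixed (the cfagent default) so that a changed
   # file is reported on every run instead of being accepted as the new
   # baseline after a single warning.
   ChecksumUpdates = ( off )

files:
   # Tripwire-style check: warn, do not fix, when a stored digest changes.
   # Limit this to a few directories; every file listed is hashed each run.
   /bin      checksum=md5 recurse=inf action=warnall
   /sbin     checksum=md5 recurse=inf action=warnall
   /usr/bin  checksum=md5 recurse=inf action=warnall

copy:
   # Preferred approach from the text: compare each installed binary with a
   # known-good copy on a read-only medium and replace it when the MD5 differs.
   /mnt/cdrom/bin     dest=/bin     type=checksum recurse=inf mode=755 owner=root group=root
   /mnt/cdrom/sbin    dest=/sbin    type=checksum recurse=inf mode=755 owner=root group=root
   /mnt/cdrom/usr/bin dest=/usr/bin type=checksum recurse=inf mode=755 owner=root group=root
```

Run it as cfagent -f with this file; the copy: section both reports and repairs, so the files: section is only needed if you also want a record of the change in the checksum database. By default copy: keeps the replaced file beside the destination with a .cfsaved suffix, which preserves a suspect binary for later examination but also leaves it on disk; set backup=false on the copy lines if that is not wanted.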