Node: Checksum Databases, Next: , Previous: Hints for implementing security, Up: Security and cfengine



Checksum Databases

Cfengine can be used to detect changes to files that only something as exacting as an MD5 checksum (message digest) will reveal, such as a modified binary whose size, permissions and timestamps have been left, or reset, to their original values. If you define a checksum database and activate checksum verification,

     
     control:
     
       ChecksumDatabase = ( /etc/cfengine/cache.db )
     
     files:
     
        /filename checksum=md5 ....
     
     

cfengine will build a Berkeley DB database of file checksums and warn you when a file's checksum changes. This gives cfengine Tripwire-like functionality: it can be used to reveal Trojan horse versions of programs. It should be used sparingly, though, since database management and MD5 checksum computation are resource-intensive operations and can add significant time to a cfengine run. Note also that MD5 is no longer collision resistant: an attacker who supplied the original file could have prepared a second file with the same digest. Against the replacement of a file whose digest was recorded from a trusted copy, however, the attacker needs a second preimage, which MD5 still resists in practice.

NOTE! A warning on its own is usually not what you want. If you are worried about the integrity of the system, don't just warn about checksum mismatches here. Instead, make a copy with MD5 checksum comparison from a read-only medium (for instance a CD-ROM, or a filesystem mounted read-only) that holds correct versions of the programs, so that the reference copies cannot themselves be tampered with. That way, if a binary is compromised, cfengine will not only warn about it but also repair the damage immediately.

The control variable ChecksumUpdates may be switched on to force cfengine to update its checksum database after warning of a change. The default value of this variable is off for cfengine but on for cfd. This is because cfd uses the database as a cache, whereas cfengine uses it as a security check. The consequence is that with ChecksumUpdates on, a change is reported once and the new checksum is thereafter trusted, whereas with it off the mismatch is reported on every run until you rebuild the database deliberately, after verifying that the change was legitimate.
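The following configuration, added here as an illustration and not taken from the cfengine manual, puts the two approaches side by side: a warn-only checksum check against the database, and a checksum-compared copy from a read-only medium that repairs the file as well. The paths /var/cfengine/checksum.db and /cdrom/trusted/bin are assumptions, as is the set of binaries chosen; adapt them to your site.

```cfengine
# Added example (not from the cfengine manual). The database path,
# the /cdrom/trusted/bin mount point and the list of binaries are
# assumptions for illustration only.

control:

   actionsequence = ( files copy )

   # Berkeley DB file in which the recorded MD5 digests are stored.
   ChecksumDatabase = ( /var/cfengine/checksum.db )

   # Keep the recorded digests: a mismatch is reported on every run
   # until the database is deliberately rebuilt. This is already the
   # default for cfengine; it is written out because cfd defaults to on.
   ChecksumUpdates = ( off )

files:

   # Warn only: a changed digest is reported but nothing is repaired.
   /bin/ls     checksum=md5 owner=root group=root mode=755 action=warnall
   /bin/login  checksum=md5 owner=root group=root mode=755 action=warnall

copy:

   # Warn and repair: compare each binary by checksum against a
   # known-good copy on a read-only medium and replace it on mismatch.
   /cdrom/trusted/bin/ls     dest=/bin/ls     type=checksum mode=755 owner=root group=root
   /cdrom/trusted/bin/login  dest=/bin/login  type=checksum mode=755 owner=root group=root
```

The files section is what the text above describes: it costs a database lookup and an MD5 computation per file on every run and only tells you that something changed. The copy section is the repair the NOTE recommends; it needs no database at all, because the reference copy on the read-only medium is the source of truth, and it restores the file as soon as the digests differ. Keep the medium genuinely read-only, since an attacker who can write to it can simply replace the reference binaries too.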