2.4.4 Checksum Alerts
cfengine has a checksum alert feature. To monitor changes to a file’s checksum, do the following:
•Add the following stanza to /var/opt/dsau/cfengine_master/inputs/cfagent.conf:
    ChecksumUpdates = ( "on" )
•In cfagent.conf’s "files" actionsequence, add checksum = md5 or checksum = sha options for the files to monitor. For example:
    files:
      class::
        /etc/example mode = 644 checksum = md5
Note that this checksum option is different from the checksum = true option used in the copy actionsequence. That option tells cfengine to use checksums instead of timestamps when deciding if files need to be copied.
cfagent creates the checksum database on the client if it does not already exist. When ChecksumUpdates is set to "on" or "true", the current checksum for each monitored file is added to or updated in the checksum database. After this initial run to populate the checksum database, change ChecksumUpdates to "off". From this point on, any change to the checksum of a monitored file causes a security warning. For example:
host1: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
host1: SECURITY ALERT: Checksum for /etc/example changed!
host1: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
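As an added example (not part of the original manual or of cfengine), the following shell function reads saved cfagent output containing alert lines in the format shown above and lists each changed file with the hosts that reported it. The function names and the sample input are constructed for illustration, and the "host:" prefix on every line is an assumption taken from the output shown above.

```shell
#!/bin/sh
# Added example: summarize cfengine checksum alerts collected from several hosts.
# Assumed line format (from the alert shown above):
#   <host>: SECURITY ALERT: Checksum for <path> changed!

# Constructed sample output, not captured from a real system.
sample_output() {
cat <<'EOF'
host1: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
host1: SECURITY ALERT: Checksum for /etc/example changed!
host1: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
host2: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
host2: SECURITY ALERT: Checksum for /etc/example changed!
host2: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
host1: SECURITY ALERT: Checksum for /etc/example changed!
host3: SECURITY ALERT: Checksum for /etc/my file.conf changed!
EOF
}

# checksum_alerts: read cfagent output on stdin and print one line per
# changed file as "<path><TAB><host1>,<host2>,...". Banner lines and
# unrelated output are ignored, repeated alerts are collapsed, and paths
# containing spaces are kept intact.
checksum_alerts() {
  tab=$(printf '\t')
  sed -n "s/^\([^:][^:]*\): SECURITY ALERT: Checksum for \(..*\) changed![[:space:]]*\$/\2${tab}\1/p" |
    LC_ALL=C sort -u |
    awk -F '\t' '
      # Input is sorted by path, then host: start a new group on each new path.
      $1 != prev { if (NR > 1) print prev "\t" hosts; prev = $1; hosts = $2; next }
      { hosts = hosts "," $2 }
      END { if (NR > 0) print prev "\t" hosts }
    '
}

# Print the summary for the constructed sample.
sample_output | checksum_alerts
```

A file reported by many hosts at once usually points to a change pushed from the master, while a file reported by a single host deserves a closer look on that host.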
2.5 Disabling Use of cfengine
The csync_wizard does not have an unconfigure option to stop a system from being a master server. To disable a master server, simply stop cfservd:
# /sbin/init.d/cfservd stop
To prevent cfservd from starting at system startup, edit /etc/rc.config.d/cfservd and change CSYNC_CONFIGURED to "0".
If the csync_wizard was used to create the cfengine configuration and add managed clients, it can be used to remove managed clients. Run the wizard on the master server and select the "Remove a client" option. The wizard requires that
2.6 Logging Options
cfengine is intentionally silent about most configuration changes, but there are several configuration options to increase the verbosity of cfengine output, as follows:
•Most cfagent.conf actions, such as "copy," "editfiles," and "processes," support a syslog = true option that causes the specific action to be logged to syslog.
•Similarly, most actions support an "inform = true" option to cause cfagent to report any changes.
•cfagent.conf’s control section supports global "inform = (true)" and "syslog = true" options.
•cfagent (see cfagent(8)) supports the