HP Linux Server Management Software User Manual, page 41: 2.4.3 Encryption, 2.4.4 Checksum Alerts, 2.5 Disabling Use of cfengine, 2.6 Logging Options

2.4.3 Encryption

In general, file transfer traffic between the master server and a managed client is not encrypted.
For many system management related configuration files this is acceptable. For certain files, an
encrypted file transfer is desirable. The copy action in cfagent.conf has an "encrypt = true"
option to encrypt the specified file. For additional encryption options, refer to the cfengine
reference manual located in /opt/dsau/doc/cfengine.

2.4.4 Checksum Alerts

cfengine has a checksum alert feature. To monitor changes to a file's checksum, do the following:

Add the following stanza to /var/opt/dsau/cfengine_master/inputs/cfagent.conf:

ChecksumUpdates = ( "on" )

In cfagent.conf's "files" actionsequence, add checksum = md5 or checksum = sha
options for the files to monitor. For example,

files:
class::
/etc/example
mode = 644
checksum = md5

Note that this checksum option is different from the checksum = true option used in the
copy actionsequence. That option tells cfengine to use checksums instead of timestamps
when deciding if files need to be copied.

cfagent creates the checksum database on the client if it does not already exist. When
ChecksumUpdates is set to "on" or "true", the current checksum for each monitored file
is added to or updated in the checksum database. After this initial run to populate the checksum
database, change ChecksumUpdates to "off". At this point, any change to the checksum of a
monitored file causes a security warning. For example:

host1: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
host1: SECURITY ALERT: Checksum for /etc/example changed!
host1: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
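The populate-then-alert cycle described above, as an added example in Python that is not part of the manual or of cfengine itself: a first run with ChecksumUpdates "on" records baselines, later runs with it "off" report any file whose checksum no longer matches. The file path, the JSON database file and the host name are constructed for the demonstration, and the banner width only approximates cfagent's output.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def file_checksum(path, algo="md5"):
    """Hex digest of a file read in chunks; "md5" or "sha1" stand in for checksum = md5 / sha."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_files(files, db_path, checksum_updates, algo="md5", host="host1"):
    """One cfagent-style run. checksum_updates=True mirrors ChecksumUpdates = ( "on" ) and
    records/refreshes baselines; False mirrors "off" and reports files whose checksum changed.
    Returns the alert lines the run would print (empty if nothing changed)."""
    db_file = Path(db_path)
    db = json.loads(db_file.read_text()) if db_file.exists() else {}  # created on first run
    alerts = []
    for path in files:
        current = file_checksum(path, algo)
        stored = db.get(path)
        if checksum_updates or stored is None:
            # Populate mode, or a file never seen before. Baselining an unseen file while
            # "off" is an assumption of this example; the manual does not describe that case.
            db[path] = current
        elif stored != current:
            banner = f"{host}: " + "!" * 46
            alerts += [banner, f"{host}: SECURITY ALERT: Checksum for {path} changed!", banner]
    db_file.write_text(json.dumps(db))
    return alerts

def demo():
    """Follow the manual's procedure: populate with "on", switch to "off", then modify the file."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "example")  # constructed stand-in for /etc/example
        db = os.path.join(tmp, "checksum_db.json")  # constructed stand-in for cfagent's database
        Path(target).write_text("original contents\n")
        populate = check_files([target], db, checksum_updates=True)  # initial run: no alerts
        quiet = check_files([target], db, checksum_updates=False)  # "off", unchanged: no alerts
        Path(target).write_text("tampered contents\n")
        alerts = check_files([target], db, checksum_updates=False)  # "off", changed: alert
        return populate, quiet, alerts

if __name__ == "__main__":
    print("\n".join(demo()[2]))
```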

2.5 Disabling Use of cfengine

The csync_wizard does not have an unconfigure option to stop a system from being a master
server. To disable a master server, simply stop cfservd:

# /etc/init.d/cfservd stop

To prevent cfservd from starting at system startup, edit /etc/rc.config.d/cfservd and
change CSYNC_CONFIGURED to "0".

If the csync_wizard was used to create the cfengine configuration and add managed clients,
it can be used to remove managed clients. Run the wizard on the master server and select the
"Remove a client" option. The wizard requires that non-interactive ssh access to the managed
client has been configured as described in the section "Using the Wizard to Configure a
Synchronization Client" (page 28). The specified client will be deleted from cfrun.hosts, its
public key deleted from the master ppkeys directory, and the master's key deleted from the
client's ppkeys directory.

2.6 Logging Options

cfengine is intentionally silent about most configuration changes but there are several
configuration options to increase the verbosity of cfengine output, as follows:
