SURVIVOR: cksum Check Module
Dependencies
Arguments
Description

The cksum module uses cksum or another utility specified by the sumutil argument (as either an executable in the default path or an explicit path) to determine if files have been modified. Although this module may be helpful for monitoring against malicious modifications, it is not designed for such a purpose and as such is not intended to be a complete solution for that problem. The module is intended more for detecting accidental or other modifications without malicious intent.

Important: The Remote Daemon must run with sufficient privileges to read the files to be summed.

Using A Configuration File

A configuration file must exist on each host to be monitored. The contents of the file are lines of the form returned by the cksum utility:

    sum octets filename

For example:

    3663153827 234316 /usr/bin/foo

If the sum utility is set to md5sum (which is not installed by default on all operating systems), the contents of the file are lines of the form returned by md5sum instead:

    sum filename

For example:

    3996cdfb9e03285325a73bfd440352d9 /usr/bin/foo

The configuration files can be generated using find. For example:

    # find /usr/bin /usr/sbin -exec cksum {} \; > /etc/survivor/cksum.cf

The module will compare the current sum of each filename listed against the sum listed. If a file does not exist, is not readable, or if the sums of the file do not match, MODEXEC_PROBLEM will be returned.

Without A Configuration File

If no configuration file is specified, only one file can be checksummed per check stanza. In this case, the arguments to the Check are simply the file to be examined and the expected sum. For md5sum, the sum takes the format of the hash; for other utilities, the sum takes the format of the hash, a space, and the octet count.

Examples
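The comparison described under "Using A Configuration File" can be reproduced by hand with the sketch below. It is an added example, not code from the SURVIVOR distribution; the function name verify_cksum_cf and its 0/1 return values are assumptions and do not correspond to the module's own return codes.

```shell
#!/bin/sh
# Added example: check files against a baseline in cksum format
# ("sum octets filename" per line). verify_cksum_cf is a hypothetical
# helper name, not part of SURVIVOR.

# verify_cksum_cf BASELINE
# Prints one line per problem. Returns 1 if the baseline cannot be read or
# any listed file is missing, unreadable, or differs in sum or octet count;
# returns 0 when every listed file matches.
verify_cksum_cf() {
    cf=$1
    status=0
    [ -r "$cf" ] || { echo "PROBLEM: cannot read baseline $cf"; return 1; }
    # The last variable given to read takes the rest of the line, so
    # filenames containing spaces are preserved.
    while read -r want_sum want_octets file; do
        [ -n "$file" ] || continue    # skip blank or incomplete lines
        if [ ! -e "$file" ]; then
            echo "PROBLEM: $file does not exist"; status=1; continue
        fi
        if [ ! -r "$file" ]; then
            echo "PROBLEM: $file is not readable"; status=1; continue
        fi
        # Reading from stdin makes cksum print "sum octets" with no filename.
        set -- $(cksum < "$file")
        if [ "$1" != "$want_sum" ] || [ "$2" != "$want_octets" ]; then
            echo "PROBLEM: $file changed (expected $want_sum $want_octets, got $1 $2)"
            status=1
        fi
    done < "$cf"
    return $status
}

# Usage: verify_cksum_cf /etc/survivor/cksum.cf
```

Because the baseline decides what counts as unmodified, keep it writable only by the administrator who generates it.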
$Date: 2006/11/19 18:31:21 $ $Revision: 0.4 $
keywords cksumcf file sum sumutil