SURVIVOR: cksum Check Module
About cksum
basics

  Module Type   Scheduler   Remote
  check         No          Yes
syntax
     module cksum {
       [cksumcf <file>]
       [file <file>]
       [sum <string>]
       [sumutil <string>]
     }
     via <transport>
 

Dependencies

  • None

Arguments

  Name      Type                                   Value
  cksumcf   optional file                          A configuration file containing checksums to compare against.
  file      optional file                          File to checksum. If cksumcf is not specified, this argument is required.
  sum       optional string                        Expected checksum. If cksumcf is not specified, this argument is required.
  sumutil   optional string, default is "cksum"    Utility to use to generate checksums.

Description

The cksum module uses cksum, or another utility specified by the sumutil argument (given either as an executable name found in the default path or as an explicit path), to determine whether files have been modified. Although this module may be helpful for monitoring against malicious modifications, it is not designed for that purpose and is not intended to be a complete solution to that problem. It is intended primarily for detecting accidental or otherwise non-malicious modifications.

Important: The Remote Daemon must run with sufficient privileges to read the files to be summed.

Using A Configuration File

A configuration file must exist on each host to be monitored. The contents of the file are lines of the form returned by the cksum utility:
      sum octets filename
 
For example:
      3663153827 234316 /usr/bin/foo
 
If the sum utility is set to md5sum (which is not installed by default on all operating systems), the contents of the file are lines of the form returned by md5sum instead:
      sum filename
 
For example:
      3996cdfb9e03285325a73bfd440352d9 /usr/bin/foo
 

The configuration files can be generated using find. For example:

      # find /usr/bin /usr/sbin -exec cksum {} \; > /etc/survivor/cksum.cf
 

The module will compare the current sum of each filename listed against the sum listed. If a file does not exist, is not readable, or if the sums of the file do not match, MODEXEC_PROBLEM will be returned.
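As an added illustration (not SURVIVOR's own code), the comparison loop described above written as a POSIX shell function: it reads a configuration file in either cksum form ("sum octets filename") or md5sum form ("hash filename"), recomputes each entry with the chosen utility, and returns non-zero (the MODEXEC_PROBLEM case) when a file is missing, unreadable, or has a different sum. The function name cksum_check is an assumption for this example.

```shell
#!/bin/sh
# Hypothetical re-implementation of the cksum module's check loop.
# Usage: cksum_check <cksumcf> [sumutil]   (sumutil defaults to cksum)
# Returns 0 when every listed file matches, 1 otherwise (MODEXEC_PROBLEM).
# Note: like cksum.cf itself, this cannot represent filenames containing
# whitespace, since the fields are separated by spaces.
cksum_check() {
  cfg=$1
  sumutil=${2:-cksum}
  # md5sum lines carry one sum field; cksum lines carry sum and octet count.
  case "$sumutil" in *md5sum) nsum=1 ;; *) nsum=2 ;; esac
  status=0
  set -f   # disable globbing while word-splitting configuration lines
  while read -r line; do
    [ -n "$line" ] || continue
    set -- $line
    if [ "$nsum" -eq 2 ]; then expected="$1 $2"; path=$3
    else expected=$1; path=$2; fi
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
      printf 'PROBLEM: %s missing or unreadable\n' "$path"
      status=1
      continue
    fi
    # Recompute with the same utility and keep only the sum field(s).
    out=$("$sumutil" "$path" 2>/dev/null) || { status=1; continue; }
    set -- $out
    if [ "$nsum" -eq 2 ]; then actual="$1 $2"; else actual=$1; fi
    if [ "$actual" != "$expected" ]; then
      printf 'PROBLEM: %s changed (expected %s, got %s)\n' \
        "$path" "$expected" "$actual"
      status=1
    fi
  done < "$cfg"
  set +f
  return $status
}
```

The configuration file passed in can be produced exactly as shown later on this page with find, or with a bare `cksum file...` or `md5sum file...` redirected to a file.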

Without A Configuration File

If no configuration file is specified, only one file can be checksummed per check stanza. In this case, the arguments to the Check are simply the file to be examined and the expected sum. For md5sum, the sum is just the hash; for other utilities, the sum is the hash, a space, and the octet count.

Examples

  1. To monitor a host with cksum.cf in a non-standard location:
        check cksum {
          module cksum {
            cksumcf /var/cache/sums.out
          }
          via remote
        }
        
  2. To use md5sum instead of cksum:
        check cksum {
          module cksum {
            sumutil md5sum
          }
          via remote
        }
        
  3. To only monitor /usr/bin/foo (and not use a configuration file):
        check foosum {
          module cksum {
            file /usr/bin/foo
            sum  3663153827 234316
          }
          via remote
        }

  4. As for the previous example, but using md5sum instead:
        check foomd5sum {
          module cksum {
            file    /usr/bin/foo
            sum     3996cdfb9e03285325a73bfd440352d9
            sumutil /usr/bin/md5sum
          }
          via remote
        }


$Date: 2006/11/19 18:31:21 $
$Revision: 0.4 $