Cfengine configuration directory

Tripwire functionality

Relevant classes: any

Files which are not supposed to change over long periods of time (e.g. system binaries) can be secured by enabling a checksum database. The files option checksum=md5 tells cfengine to record the checksum of each existing file and to warn about any later change. This is a useful approach to intrusion detection: if important files are exchanged for Trojan horses etc., this method will find them.

You probably do not want to do this whole check every hour. Once a day is probably enough for most sites:

classes:

 CheckIntegrity = ( Hr00 )

files:

 CheckIntegrity::

  /usr/local o=root,bin,man action=warnall mode=o-w r=inf checksum=md5
                     ignore=fingerdir ignore=cfengine ignore=var ignore=etc
                     ignore=dns ignore=mail ignore=lprng ignore=src ignore=logs ignore=texmf
                     ignore=log ignore=locks ignore=aliases ignore=conf exclude=*.log

Note how some directories are ignored, and files which change all the time (like log files) are also excluded. Every directory one ignores becomes a place where a would-be cracker can hide modified or planted files unnoticed, so some thought is required to set this up in the best possible way.
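To make the mechanism concrete, here is an added example, not cfengine's own code, that does in plain Python what the files stanza above asks cfengine to do: walk a tree recursively (r=inf), record one digest per regular file, prune ignored directory names (ignore=...), skip excluded file-name patterns (exclude=*.log), and on a later run warn about files that changed, vanished or appeared. The directory tree and the tampering between the two runs are constructed inside a temporary directory; the function names and the use of SHA-256 instead of the page's md5 are this example's own choices, and the script stores nothing on disk, whereas cfengine keeps its checksum database between runs. The "logs/hidden" file planted in the ignored directory shows the blind spot the paragraph above warns about: it never appears in the report.

```python
import fnmatch
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Return the hex digest of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, ignore_dirs=(), exclude_globs=(), algo="sha256"):
    """Walk root recursively and record one digest per regular file.

    ignore_dirs   - directory names pruned from the walk (the page's ignore=...)
    exclude_globs - file-name patterns skipped (the page's exclude=*.log)
    """
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Pruning here means nothing below an ignored directory is ever hashed.
        dirnames[:] = [d for d in dirnames if d not in ignore_dirs]
        for name in filenames:
            if any(fnmatch.fnmatch(name, pat) for pat in exclude_globs):
                continue
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            db[os.path.relpath(full, root)] = file_digest(full, algo)
    return db


def compare(baseline, current):
    """Report files whose digest changed, files that vanished and files that appeared."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, data):
    """Helper for the constructed tree: create parent directories and write bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed tree standing in for /usr/local; returns (baseline paths, report)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary")
        _write(root, "sbin/httpd", b"original httpd binary")
        _write(root, "logs/app.log", b"log line 1\n")
        ignore = ("logs",)
        exclude = ("*.log",)
        baseline = build_baseline(root, ignore, exclude)

        # Simulated activity between two runs: a replaced binary, a new file,
        # a log that legitimately grew, and a file planted in an ignored directory.
        _write(root, "bin/ls", b"replaced ls binary")
        _write(root, "bin/extra", b"new file")
        _write(root, "logs/app.log", b"log line 1\nlog line 2\n")
        _write(root, "logs/hidden", b"never hashed, so never reported")

        report = compare(baseline, build_baseline(root, ignore, exclude))
        return sorted(baseline), report


if __name__ == "__main__":
    paths, report = demo()
    print("baseline:", paths)
    for kind, files in report.items():
        for path in files:
            print(f"WARNING {kind}: {path}")
```

Running the script reports bin/ls as changed and bin/extra as added; the grown log file is silent because of the exclude pattern, and logs/hidden is silent because its directory was pruned. When tuning the ignore list for a real tree, it is worth checking the second case deliberately: every pruned directory is a place the check will not look.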