Identifying "Critical configuration files mismatch across cluster members"

Shouky_Dan · September 10, 2017, 2:56pm

The alert is based on md5sum comparison of a list of configuration files that Indeni considers to be those that must be identical across cluster members.

These files include:

updates.def
fwkern.conf
local.arp
sysctl.conf
modprobe.conf
rc.local
rc.sysinit
grub.conf
resolv.con
syslog.conf

The issue is that md5sum comparison fails in cases like:

Different line order
Comments
Files with trailing clear or null characters

The challenge is to:

Confirm the list of critical files
Find an effective solution for comparing files efficiently and effectively.

Johnathan_Browall_No · September 11, 2017, 3:49pm

one could match on every line and saving in array. then use some logic in the alert rule to compare if each line from device1 metric exists in the metric for device2.

One would need to exclude lines starting with comment characters, or empty lines.

The other things that are different like password hashes and date stamps is already excluded.

Alon_Ashkenazi · September 13, 2017, 2:02pm

That's a good susggestion Johnathan, my concern is the amount of memory that can take, depending on the size of the files, vs md5 which is only a few bytes long.

What about this option: We can parse/manipulate the (configuration) file on the device, sorting, removing unnecessary spaces/new-lines/etc and then calculate the md5. This way we will not need to deal with the size of the file

Peter_Lyndley · September 19, 2017, 9:08am

Note that local.arp will likely be different across cluster members as it will use the MAC address of the physical interface. So this should be excluded from the check, maybe only check the first column which is the IP Address ?