Identifying "Critical configuration files mismatch across cluster members"


The alert is based on md5sum comparison of a list of configuration files that Indeni considers to be those that must be identical across cluster members.


These files include:

  • updates.def
  • fwkern.conf
  • local.arp
  • sysctl.conf
  • modprobe.conf
  • rc.local
  • rc.sysinit
  • grub.conf
  • resolv.conf
  • syslog.conf


The issue is that md5sum comparison fails in cases like:

  1. Different line order
  2. Comments
  3. Files with trailing clear or null characters


The challenge is to:

  1. Confirm the list of critical files
  2. Find an effective solution for comparing files efficiently and effectively.

One could match on every line and save the lines in an array, then use some logic in the alert rule to compare whether each line from the device1 metric exists in the metric for device2.

One would need to exclude lines starting with comment characters, or empty lines.


The other things that are different, like password hashes and date stamps, are already excluded.

That's a good suggestion Johnathan, my concern is the amount of memory that can take, depending on the size of the files, vs md5 which is only a few bytes long.

What about this option: we can parse/manipulate the (configuration) file on the device, sorting, removing unnecessary spaces/new-lines/etc. and then calculate the md5. This way we will not need to deal with the size of the file.

Note that local.arp will likely be different across cluster members as it will use the MAC address of the physical interface. So this should be excluded from the check, or maybe only check the first column, which is the IP address?
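The normalize-then-hash approach proposed above (drop comment and blank lines, trim trailing whitespace and NUL bytes, sort, then md5), together with the per-file exceptions raised in the thread (only the IP column of local.arp; no sorting for files whose order matters), as an added example that is not Indeni's code or anything posted in this thread. The file contents are constructed samples, and the `FILE_RULES` table is an assumption about which files need special handling; `diff_lines` is a hypothetical helper for putting the actual differing lines into the alert text rather than just "hashes differ":

```python
import hashlib

# Constructed sample: the "same" sysctl.conf as fetched from two cluster members.
# They differ only in line order, comments, blank lines, trailing whitespace and a
# trailing NUL byte, which is exactly what makes a plain md5sum comparison fail.
MEMBER1_SYSCTL = (
    b"# Kernel settings\n"
    b"net.ipv4.ip_forward = 1\n"
    b"net.ipv4.conf.all.rp_filter = 0\n"
    b"\n"
    b"kernel.panic = 15\n"
)
MEMBER2_SYSCTL = (
    b"net.ipv4.conf.all.rp_filter = 0\n"
    b"kernel.panic = 15\n"
    b"# different comment, same settings\n"
    b"net.ipv4.ip_forward = 1\t\n"
    b"\x00"
)
# A real mismatch: rp_filter changed on one member.
MEMBER3_SYSCTL = MEMBER1_SYSCTL.replace(b"rp_filter = 0", b"rp_filter = 1")

# Constructed local.arp samples: MAC column legitimately differs per member.
MEMBER1_LOCAL_ARP = b"10.0.0.5 00:11:22:33:44:55\n10.0.0.6 00:11:22:33:44:66\n"
MEMBER2_LOCAL_ARP = b"10.0.0.6 aa:bb:cc:dd:ee:66\n10.0.0.5 aa:bb:cc:dd:ee:55\n"

COMMENT_CHARS = ("#", ";")

# Assumed per-file rules (not from the thread's tooling): which files keep their
# line order and which are compared on the first column only.
FILE_RULES = {
    "local.arp": {"first_column_only": True},
    "rc.local": {"keep_order": True},     # shell script: order is meaningful
    "rc.sysinit": {"keep_order": True},
}


def normalize(raw, first_column_only=False, keep_order=False):
    """Return the meaningful lines of a config file in canonical form."""
    text = raw.replace(b"\x00", b"").decode("utf-8", errors="replace")
    lines = []
    for line in text.splitlines():
        line = line.strip()                       # trailing spaces/tabs/CR
        if not line or line.startswith(COMMENT_CHARS):
            continue                              # blank or comment line
        if first_column_only:
            line = line.split()[0]                # e.g. IP column of local.arp
        lines.append(line)
    return lines if keep_order else sorted(lines)


def canonical_md5(raw, **rules):
    """md5 over the normalized content: a few bytes to ship as a metric."""
    joined = "\n".join(normalize(raw, **rules)).encode("utf-8")
    return hashlib.md5(joined).hexdigest()


def file_md5(filename, raw):
    """Apply the per-file rule (if any) before hashing."""
    return canonical_md5(raw, **FILE_RULES.get(filename, {}))


def diff_lines(raw_a, raw_b, **rules):
    """Lines only on member A and lines only on member B, for the alert text."""
    a = set(normalize(raw_a, **rules))
    b = set(normalize(raw_b, **rules))
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    print("raw md5 equal:      ", hashlib.md5(MEMBER1_SYSCTL).hexdigest()
          == hashlib.md5(MEMBER2_SYSCTL).hexdigest())
    print("canonical md5 equal:", file_md5("sysctl.conf", MEMBER1_SYSCTL)
          == file_md5("sysctl.conf", MEMBER2_SYSCTL))
    print("local.arp equal:    ", file_md5("local.arp", MEMBER1_LOCAL_ARP)
          == file_md5("local.arp", MEMBER2_LOCAL_ARP))
    print("real mismatch:      ", diff_lines(MEMBER1_SYSCTL, MEMBER3_SYSCTL))
```

Sorting is what makes the hash order-independent, so it must be switched off for files where order is semantics (rc.local, rc.sysinit), otherwise two members with the same lines in a different startup order would look identical. Stripping only lines that start with a comment character keeps inline `#` inside values intact.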