28 lines
1.0 KiB
ReStructuredText
28 lines
1.0 KiB
ReStructuredText
---
|
|
id: V-71855
|
|
status: opt-in
|
|
tag: packages
|
|
---
|
|
|
|
Ansible tasks will check the ``rpm -Va`` output (on CentOS, RHEL, openSUSE and SLE) or
|
|
the output of ``debsums`` (on Ubuntu) to see if any files installed from packages
|
|
have been altered. The tasks will print a list of files that have changed
|
|
since their package was installed.
|
|
|
|
Deployers should be most concerned with any checksum failures for binaries and
|
|
their libraries. These are most often a sign of system compromise or poor
|
|
system administration practices.
|
|
|
|
Configuration files may appear in the list as well, but these are often less
|
|
concerning since some of these files are adjusted by the security role itself.
|
|
|
|
Generating and validating checksums of all files installed by packages consume a
|
|
significant amount of disk I/O and could impact the performance of a production system.
|
|
It can also delay the playbook's completion. Therefore, the check is disabled by default.
|
|
|
|
Deployers can enable the check by setting the following Ansible variable:
|
|
|
|
.. code-block:: yaml
|
|
|
|
security_check_package_checksums: yes
|