SSH Tectia

Managed File Change Detection

The Management Agent keeps track of all centrally managed SSH Tectia-related files on the host. It tracks the files of each SSH Tectia application separately, so that all managed files of an application form one set. If any of these files is modified, the Management Agent notices it and reports it to the Management Server. Any further configuration updates on the application are disabled unless an administrator explicitly allows the local changes to be overwritten.

The managed file change detection is used for the following purposes:

The managed file change detection is implemented in the Management Agent with some help from the Management Server. The Management Agent computes an SHA-1 hash digest over each centrally managed file that is deployed to a host. The SHA-1 digests and the file permissions are stored in local information files on the host. Each application has its own information file describing its centrally managed files. File change detection thus tracks the content of the files and their permissions; it does not depend on file modification times or on user or group IDs.

When a new configuration is deployed to the host, the Management Agent first checks the status of the existing files. If the files have not been modified, the configuration is deployed normally. If any of the old files have been modified, the configuration deployment operation is cancelled and an error is reported to the Management Server. The error message contains information about the locally changed files including the names of the first 10 modified files.

The local changes can be overwritten with an explicit request from the Management Server. In this case, a backup copy of each locally modified file is saved as filename.orig before the file is overwritten. Note that the system keeps only one backup copy of each file.

File change detection also detects if someone has modified the information file of the Management Agent on a host. When a configuration is deployed to a host, the Management Agent computes an SHA-1 hash digest over its information file. The hash digest is stored on the Management Server and it is returned to the Management Agent on each configuration deployment. Therefore, even if someone managed to change a file and the Management Agent information file, this will be detected when a new configuration is deployed to the host.
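The following Python example, added here and not taken from SSH Tectia, models the mechanism the three preceding paragraphs describe: a per-application information file records an SHA-1 digest and the permission bits of every managed file (modification times, uid and gid are ignored), a deployment is cancelled when any file differs unless overwriting is explicitly requested (in which case a single filename.orig backup is kept), and the digest of the information file itself is held by the server side and checked on the next deployment. File names, the information-file format and all function names are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile

MAX_REPORTED = 10  # the error report names at most the first 10 modified files


def sha1_of_file(path):
    """SHA-1 digest of a file's content (the digest the text describes)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_entry(path):
    """Per-file record: content digest and permission bits only.
    Modification time, uid and gid are deliberately not recorded."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"sha1": sha1_of_file(path), "mode": "%04o" % mode}


def write_info_file(info_path, managed_paths):
    """Write one application's information file (constructed JSON format) and
    return its own SHA-1, the value the server side keeps and hands back."""
    info = {p: record_entry(p) for p in sorted(managed_paths)}
    with open(info_path, "w") as f:
        json.dump(info, f, sort_keys=True)
    return sha1_of_file(info_path)


def check_managed_files(info_path, expected_info_sha1):
    """Return (information file intact?, first MAX_REPORTED modified files)."""
    info_ok = sha1_of_file(info_path) == expected_info_sha1
    with open(info_path) as f:
        info = json.load(f)
    modified = [p for p, rec in sorted(info.items())
                if not os.path.exists(p) or record_entry(p) != rec]
    return info_ok, modified[:MAX_REPORTED]


def deploy(info_path, expected_info_sha1, new_contents, overwrite=False):
    """Deploy new contents. Cancelled when local changes exist unless overwrite
    is explicitly requested; then each changed file gets one filename.orig copy."""
    info_ok, modified = check_managed_files(info_path, expected_info_sha1)
    if (modified or not info_ok) and not overwrite:
        return {"status": "cancelled", "info_ok": info_ok, "modified": modified}
    for p in modified:
        if os.path.exists(p):
            shutil.copy2(p, p + ".orig")  # a later overwrite replaces this one backup
    for p, data in new_contents.items():
        with open(p, "wb") as f:
            f.write(data)
    return {"status": "deployed", "info_ok": info_ok, "modified": modified,
            "info_sha1": write_info_file(info_path, list(new_contents))}


def demo():
    """Walk through the scenarios from the text in a scratch directory."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, "ssh-server-config.xml")  # constructed file name
    banner = os.path.join(root, "banner.txt")          # constructed file name
    info = os.path.join(root, "managed-files.info")    # constructed file name
    for p, data in ((cfg, b"<config>v1</config>"), (banner, b"welcome")):
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, 0o644)
    server_sha1 = write_info_file(info, [cfg, banner])
    base, r = os.path.basename, {}
    os.utime(cfg, (0, 0))                        # mtime alone is not a change
    r["mtime_only"] = [base(p) for p in check_managed_files(info, server_sha1)[1]]
    os.chmod(banner, 0o600)                      # a permission change is detected
    r["mode_change"] = [base(p) for p in check_managed_files(info, server_sha1)[1]]
    with open(cfg, "wb") as f:                   # a local edit blocks deployment
        f.write(b"<config>edited locally</config>")
    new = {cfg: b"<config>v2</config>", banner: b"welcome"}
    blocked = deploy(info, server_sha1, new)
    r["blocked"] = (blocked["status"], [base(p) for p in blocked["modified"]])
    done = deploy(info, server_sha1, new, overwrite=True)  # explicit overwrite
    with open(cfg + ".orig", "rb") as f:
        r["backup"] = f.read()
    r["after_overwrite"] = (done["status"], check_managed_files(info, done["info_sha1"]))
    # Alter a file AND its entry in the information file: the per-file check
    # passes, but the server-held digest of the information file no longer matches.
    with open(cfg, "wb") as f:
        f.write(b"<config>altered</config>")
    with open(info) as f:
        forged = json.load(f)
    forged[cfg] = record_entry(cfg)
    with open(info, "w") as f:
        json.dump(forged, f, sort_keys=True)
    r["altered_info"] = check_managed_files(info, done["info_sha1"])
    shutil.rmtree(root)
    return r
```

Running demo() shows each point in turn: touching only the modification time reports nothing, a chmod alone is reported, the edited file cancels the deployment and is listed by name, the overwrite leaves a .orig copy holding the local edit, and a consistent-looking forgery of both a file and the information file still fails because the digest that decides is the one held on the server side, not on the host.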