The Management Agent keeps track of all centrally managed SSH Tectia-related files on the host. The Management Agent tracks the files of each SSH Tectia application separately, so that all managed files of an application form one set of files. If any one of these files is modified locally, the system notices it and the Management Agent reports it to the Management Server. Further configuration updates to the application are disabled until an administrator explicitly allows the local changes to be overwritten.
The managed file change detection is used for the following purposes:
To prevent accidental configuration overwrites. If the centrally managed configuration is somehow non-functional on a host, the administrator might fix the problem by making local modifications to the configuration files. The next time the centrally managed configuration is deployed, the file change detection notices the local changes and refuses to overwrite them without an explicit request from the Management Server administrator.
To collect information on hosts which have local configuration modifications. The Management Agent checks the status of the managed files periodically and during the configuration deployment. If the configurations have been modified, the Management Agent sends a notification to the Management Server, and the configuration status is updated in the host view dialogs.
To detect possible security breaches due to local changes on managed hosts. The periodic file status checking detects all locally modified configuration files and reports them to the Management Server.
The managed file change detection is implemented in the Management Agent with some help from the Management Server. The Management Agent computes an SHA-1 hash digest over each centrally managed file that is deployed to a host. The SHA-1 digests and the file permissions are stored in local information files on the host. Each application has its own information file containing information about its centrally managed files. The file change detection is implemented by tracking the content of the files and their permissions. It does not depend on file modification times or on user or group IDs.
When a new configuration is deployed to the host, the Management Agent first checks the status of the existing files. If the files have not been modified, the configuration is deployed normally. If any of the old files have been modified, the configuration deployment operation is cancelled and an error is reported to the Management Server. The error message contains information about the locally changed files including the names of the first 10 modified files.
The local changes can be overwritten with an explicit request from the Management Server. In this case, a backup copy of each locally modified file is saved as filename.orig before the file is overwritten. Note that the system keeps only one backup copy of each file.
File change detection also detects if someone has modified the information file of the Management Agent on a host. When a configuration is deployed to a host, the Management Agent computes an SHA-1 hash digest over its information file. The hash digest is stored on the Management Server and is returned to the Management Agent on each configuration deployment. Therefore, even if someone manages to change both a managed file and the Management Agent's information file, the change is detected when a new configuration is deployed to the host.
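The following is an added illustration of the scheme described above (digest plus permissions per managed file, a per-application information file, and a server-held digest of that information file); it is not SSH Tectia Manager code, and the file names, the JSON layout of the information file and the constructed sample files are assumptions made for the example.

```python
import hashlib
import json
import os
import stat
import tempfile

# Added illustration, not SSH Tectia Manager code: a SHA-1 digest plus permission
# bits of each managed file go into a per-application information file, and the
# server keeps a SHA-1 of that information file to detect tampering with it.

def file_entry(path):
    """Digest of content plus permission bits; mtime, uid and gid are deliberately ignored."""
    with open(path, "rb") as f:
        digest = hashlib.sha1(f.read()).hexdigest()
    return {"sha1": digest, "mode": stat.S_IMODE(os.stat(path).st_mode)}

def build_info_file(managed_paths, info_path):
    """Write the information file; return its SHA-1, which the server stores."""
    data = json.dumps({p: file_entry(p) for p in managed_paths}, sort_keys=True).encode()
    with open(info_path, "wb") as f:
        f.write(data)
    return hashlib.sha1(data).hexdigest()

def check_status(info_path, server_info_digest, report_limit=10):
    """Return (info file intact?, locally modified files, at most report_limit names)."""
    with open(info_path, "rb") as f:
        data = f.read()
    info_ok = hashlib.sha1(data).hexdigest() == server_info_digest
    info = json.loads(data)
    modified = [p for p in sorted(info) if file_entry(p) != info[p]]
    return info_ok, modified[:report_limit]

def demo():
    """Constructed scenario: three managed files, then local changes of different kinds."""
    root = tempfile.mkdtemp()
    paths = [os.path.join(root, n) for n in ("a.conf", "b.conf", "c.conf")]
    for p in paths:
        with open(p, "w") as f:
            f.write("Setting=1\n")
        os.chmod(p, 0o600)
    info_path = os.path.join(root, "managed_files.info")
    server_digest = build_info_file(paths, info_path)
    with open(paths[0], "a") as f:      # content edit: reported
        f.write("Setting=2\n")
    os.utime(paths[1], (0, 0))          # mtime only: not reported
    os.chmod(paths[2], 0o644)           # permission change: reported
    info_ok, modified = check_status(info_path, server_digest)
    build_info_file(paths, info_path)   # local rewrite of the information file ...
    tampered_ok, _ = check_status(info_path, server_digest)  # ... caught by server digest
    return info_ok, [os.path.basename(p) for p in modified], tampered_ok
```

Running demo() shows the mtime-only change left unreported while the content and permission changes are listed, and the locally rebuilt information file failing the server-side digest check.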