1.0 KiB
---id: V-71855 status: opt-in tag: packages ---
Ansible tasks will check the rpm -Va output (on CentOS,
RHEL, openSUSE and SLE) or the output of debsums (on
Ubuntu) to see if any files installed from packages have been altered.
The tasks will print a list of files that have changed since their
package was installed.
Deployers should be most concerned with any checksum failures for binaries and their libraries. These are most often a sign of system compromise or poor system administration practices.
Configuration files may appear in the list as well, but these are often less concerning since some of these files are adjusted by the security role itself.
Generating and validating checksums of all files installed by packages consume a significant amount of disk I/O and could impact the performance of a production system. It can also delay the playbook's completion. Therefore, the check is disabled by default.
Deployers can enable the check by setting the following Ansible variable:
security_check_package_checksums: yes