Way to make sure monitoring scripts were not modified

Hello,
We are using Icinga to monitor our Linux devices.
Icinga executes scripts which are shared to all those devices using a read-only NFS share.
Security wants us to either move the scripts locally onto the workstations (which is quite complex because we currently have a lot of old hosts which are not managed via Puppet), or to make sure the scripts are safe before executing them.
We would like to be able to check the hash of the script before executing it; unfortunately it seems quite impossible to enter such a command line in the command field. Everything we tried so far raised an error. The command we tried in 50+ different ways is:

cmd=/a/b/c/myscript.sh; md5=($(md5sum $cmd)) ; [[ $md5 == xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ]] && $cmd || echo script modified

where xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is the md5sum of the script $cmd.

There is also the problem that Icinga adds the PluginDir variable at the beginning of the command when it does not start with a /.

Is there a way to do that, or another method which could do the same kind of thing?
Thank you in advance for your help

Why does security think that every tool can secure its own files?

Can you get security to install Tripwire? I found that as soon as I give the ball back to security, it's not so important anymore or it gets done quick :stuck_out_tongue:

If you want to watch the files via monitoring, you would need a new check that doesn't run on the target, compares the checksum, and reports changes / stops execution via an API call.

BTW, md5 and sha1 aren’t good enough anymore, use sha256 or sha512.

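As an added example that is not from either poster, the following wrapper does what the question's one-liner tries to do (verify a script's hash before running it) using SHA-256 as the reply recommends. It is installed as a single local plugin taking two arguments, so nothing in the Icinga command field needs shell syntax and the PluginDir prefixing does not get in the way. The pinned hash comes from the local command definition rather than from the share, and the wrapper copies the script to a private temporary file, hashes that copy and executes the copy, so the file on the NFS share cannot be swapped between the check and the execution. The function names, the plugin path and the exit codes (0 OK, 2 CRITICAL, 3 UNKNOWN, following the usual Nagios/Icinga plugin convention) are assumptions for this illustration.

```shell
#!/usr/bin/env bash
# run_verified.sh (hypothetical wrapper plugin, not part of Icinga or the thread)
# Usage: run_verified.sh <expected_sha256> <script> [args...]

# Print the SHA-256 of a file; works with coreutils sha256sum or perl shasum.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" 2>/dev/null | cut -d' ' -f1
    else
        shasum -a 256 -- "$1" 2>/dev/null | cut -d' ' -f1
    fi
}

# Run the script only if the private copy's SHA-256 matches the pinned value.
run_verified() {
    expected="$1"; shift
    script="$1"; shift
    tmp=$(mktemp) || { echo "UNKNOWN - cannot create temp file"; return 3; }

    # Copy first, verify and execute the copy: the share can no longer change
    # the bytes between the hash check and the execution.
    if ! cat -- "$script" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "UNKNOWN - cannot read $script"
        return 3
    fi

    actual=$(file_sha256 "$tmp")
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        rm -f "$tmp"
        echo "CRITICAL - $script checksum mismatch (expected $expected, got ${actual:-none})"
        return 2
    fi

    chmod 0700 "$tmp"
    "$tmp" "$@"          # the copy keeps the original shebang line
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone invocation: run_verified.sh <expected_sha256> <script> [args...]
if [ $# -ge 2 ]; then
    run_verified "$@"
    exit $?
fi
```

In the Icinga command definition the plugin is then called with the pinned hash and the script path as its two arguments; when the script is updated, the hash in the command definition is updated with it, so an unreviewed change on the share produces a CRITICAL result instead of running.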

Hi,
Thank you for your feedback,
The problem is I have no idea how to configure a check which is not executed on the target.
But we changed our infra, now the script will be packaged and pushed to targets in a local FS, which makes my question obsolete.
Regarding md5 you’re right, that was just an example, I should change these old habits :neutral_face:
So, at least this issue is solved for now.
Thanks