On Tue, May 10, 2011 at 02:08:22AM -0400, Jerome Baum wrote:
> On Tue, May 10, 2011 at 07:51, Aleksey Tsalolikhin
> <atsaloli.t...@gmail.com> wrote:
>> What is entropy here and how it is computed? Are both low and high
>> entropy "bad"? Or is low entropy good, high entropy bad?

Generally speaking, entropy is a measurement of "disorder" or "variation."
There are specific, formal definitions, but I think that these two are
sufficient for now.

> Low entropy is bad (not "bad" but bad, for security reasons). Entropy is
> basically how much "randomness" is available, which is very important for
> cryptographic systems -- such as SSL, SSH, and security in cfengine.

Right. Entropy is typically used to make your RNG much more random. :)

It is possible to "run out" of entropy as well. An example of this, on
Linux systems, is to compare the behavior of "od /dev/random" and
"od /dev/urandom". The output from /dev/random will pause when you run out
of entropy, whereas output from /dev/urandom has no such limitation. The
data from /dev/random is considered much higher quality with regards to
randomness.

> You tend to get low entropy on server systems w/out keyboard and mouse to
> take entropy from. For further reading
> http://en.wikipedia.org/wiki/Entropy_(computing) helps.

Yep, and various other sources as well (audio input, video, etc).

Back to cfengine...

The entropy and anomaly classes come from cf-monitord (so if you turn it
off, you won't get those classes). The cf-monitord process will try to
track various metrics, and provide those to cf-agent. It can actually watch
the traffic flows, and categorize traffic by port number, but this
requires, essentially, letting cf-monitord "sniff" all traffic--which might
not be acceptable in your environment. Metrics other than network traffic
can also be checked.

Your other email mentions "loadavg_high_ldt", which means that cf-monitord
thinks that, at that time, the load average was higher than usual based on
the "Leap-Detection Test" (hence "ldt"). You may also see entries like
"messages_high_dev1", which indicate that the current value of the metric
is more than 1 standard deviation above the average.

This paper also talks about it in detail for CF2:
http://www.iu.hio.no/cfengine/docs/cfengine-Anomalies.pdf

And this one goes into the mathematics behind it:
http://www.iu.hio.no/~mark/papers/anomaly.pdf

One of the better explanations of how anomaly detection works is actually
in the SAGE short-topics booklet that Mark Burgess and Aeleen Frisch wrote
a few years back. It uses CF2 syntax, but I believe that the general
concepts are still valid. Unfortunately, it doesn't cover the LDT stuff I
mentioned before.
http://www.sage.org/pubs/16_cfengine/

Unfortunately, I've been unable to find a paper that discusses anomaly
detection for CF3 in detail.

--
Jesse Becker
NHGRI Linux support (Digicon Contractor)
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
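The /dev/random versus /dev/urandom comparison in the message above can be made without risking a hung terminal by opening the device non-blocking: the kernel then answers EAGAIN instead of pausing when it has nothing to give. The script below is an added example written for this page, not code from the thread or from CFEngine. It reads the kernel's entropy estimate from /proc/sys/kernel/random/entropy_avail (a real Linux path; the function returns None where it does not exist) and attempts a non-blocking read from each device. One caveat worth knowing: since Linux 5.6, /dev/random no longer blocks once the pool has been initialised, so on a modern kernel both reads succeed and the blocking behaviour described in the mail is only seen on older kernels.

```python
import os

# Real Linux path exposing the kernel's estimate of entropy bits in the pool.
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"


def read_entropy_avail(path=ENTROPY_AVAIL):
    """Return the kernel's entropy estimate as an int, or None when the
    file is absent (non-Linux host, restricted container) or unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def try_read(device, nbytes):
    """Non-blocking read of up to nbytes from device.

    Returns (data, would_block). would_block is True when the kernel
    reported EAGAIN, i.e. the device currently has no entropy to hand out
    (only /dev/random on older kernels ever does this). data may be shorter
    than nbytes; callers that need exactly nbytes must loop.
    """
    fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    try:
        try:
            return os.read(fd, nbytes), False
        except BlockingIOError:  # EAGAIN: the pool is exhausted right now
            return b"", True
    finally:
        os.close(fd)


def report(devices=("/dev/random", "/dev/urandom"), nbytes=32):
    """Summarise entropy availability for each device as a dict of
    device -> (bytes_obtained, would_block)."""
    result = {}
    for dev in devices:
        data, would_block = try_read(dev, nbytes)
        result[dev] = (len(data), would_block)
    return result


if __name__ == "__main__":
    avail = read_entropy_avail()
    print("entropy_avail:", "n/a" if avail is None else avail)
    for dev, (got, blocked) in report().items():
        state = "WOULD BLOCK (pool exhausted)" if blocked else f"{got} bytes"
        print(f"{dev}: {state}")
```

Running this repeatedly on a headless server with an old kernel is a quick way to see the pool drain: entropy_avail drops toward zero and /dev/random starts reporting EAGAIN while /dev/urandom keeps returning data.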
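The "messages_high_dev1" naming described above (the current value is more than one standard deviation above the average) is easy to get a feel for with a small classifier. The following is an added illustration of that one-sigma rule, not cf-monitord's own algorithm or class list: the sample history is constructed, the two-sigma "dev2" tier and the "low" direction are assumptions extended from the one case the mail mentions, and the LDT ("leap detection") class is deliberately not imitated since the thread does not describe how it is computed.

```python
import statistics

# Constructed history of a hypothetical "loadavg" metric (not cf-monitord data).
HISTORY = [0.9, 1.1, 1.0, 1.2, 0.8, 1.0, 1.1, 0.9, 1.0, 1.0]


def deviation_class(metric, history, current):
    """Classify `current` against `history` in the style of the mail's class
    names: "<metric>_high_dev1" for more than one standard deviation above
    the mean, "<metric>_high_dev2" for more than two (assumed tier), and the
    matching "_low_" names below the mean. Returns None when the value is
    within one standard deviation. Population stddev over the whole history
    is used here; cf-monitord's own averaging is not reproduced."""
    if len(history) < 2:
        return None  # no baseline yet
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history)
    if sd == 0:
        # A perfectly flat history: any change at all is notable.
        if current == mean:
            return None
        return f"{metric}_{'high' if current > mean else 'low'}_anomaly"
    z = (current - mean) / sd
    if abs(z) < 1:
        return None
    direction = "high" if z > 0 else "low"
    level = "dev1" if abs(z) < 2 else "dev2"
    return f"{metric}_{direction}_{level}"


def classify_series(metric, series, window=10):
    """Walk a series of samples, using the previous `window` samples as the
    baseline for each new one. Returns a list of (value, class_or_None)."""
    out = []
    for i, value in enumerate(series):
        baseline = series[max(0, i - window):i]
        out.append((value, deviation_class(metric, baseline, value)))
    return out


if __name__ == "__main__":
    for value in (1.05, 1.15, 1.30, 0.85):
        print(value, deviation_class("loadavg", HISTORY, value))
    for value, cls in classify_series("loadavg", HISTORY + [1.15, 1.30]):
        print(value, cls)
```

With the constructed history the mean is 1.0 and the population standard deviation is about 0.11, so 1.15 lands in "loadavg_high_dev1", 1.30 in "loadavg_high_dev2", 0.85 in "loadavg_low_dev1" and 1.05 raises nothing. The point for operations is that these classes are relative to each host's own recent behaviour, which is why a quiet server can raise a "high" class on a load that would be unremarkable elsewhere.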