Validity of files deployed via the site

If I use the site to deploy some commonly used script or file, is there anything to validate the sha1 or something of the file? We have a concern about using this method if users can possibly change and inject their own code.

I think yes. The file is validated along with the authenticity of the site itself.


I just ran a small test and it did put the correct file back in place. Took a bit, but it did it. I guess the risk exposure would be the loop time of the client.

You can try running an action before the client requests (or gets) the correct file and see if it validates the authenticity of the site.

It does not! I changed the script to exit with a non-0 return code and that mucked it up. :scream:


Based on what I’ve seen in the logs, I think the files are validated during the gather process when a site is updated. I wonder whether the ‘site force evaluation’ command would cause it to re-check?

That said, Site data is a protected folder with admin-only access; if the end user already has admin rights, they could probably do worse than tamper with your site file.

Is digitally signing your script an option?
PowerShell, VBScript, and, I think, JScript, should support this.

Why not use a createfile command? Or a prefetch?

Putting the file in the site was actually a compromise to my original problem here: https://forum.bigfix.com/t/prefetch-block-with-execute-prefect-plugin-error …would still love to figure that one out.

And I can’t build the file since I need to use it in a prefetch block… although this did just give me an idea. That team uses all baselines (even if there is only one fixlet in it). Perhaps we could add in a dependency builder of sorts. Have one for each one of their dependent pieces that validates sha1 and such. :thinking:
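The pre-run hash check discussed in this thread, as an added example that is not part of any post and not BigFix code: it copies the file to a private directory, hashes that copy against a pinned digest, and returns the copy to run, so an edit made to the original between the check and the run (the window the thread calls the client's loop time) has no effect. The function names and the `deploy.cmd` sample are hypothetical, the pinned digest is assumed to come from a trusted place such as the action itself, and SHA-256 is the default where the thread mentions sha1 (pass `"sha1"` to match).

```python
import hashlib
import hmac
import os
import shutil
import tempfile

class IntegrityError(Exception):
    """Raised when the staged copy does not match the pinned digest."""

def file_digest(path, algorithm="sha256"):
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def stage_verified(source, expected_hex, algorithm="sha256"):
    """Copy source to a new private directory, verify the copy, return its path.
    The caller runs the returned copy, never the original."""
    stage_dir = tempfile.mkdtemp(prefix="verified-")  # mode 0700 on POSIX
    staged = os.path.join(stage_dir, os.path.basename(source))
    try:
        shutil.copyfile(source, staged)
        actual = file_digest(staged, algorithm)
        if not hmac.compare_digest(actual, expected_hex.lower()):
            raise IntegrityError(f"{source}: expected {expected_hex}, got {actual}")
    except Exception:
        shutil.rmtree(stage_dir, ignore_errors=True)  # leave nothing runnable behind
        raise
    return staged

def demo():
    """Constructed sample: pin a script, edit it locally, check both outcomes."""
    work = tempfile.mkdtemp()
    script = os.path.join(work, "deploy.cmd")
    with open(script, "w") as fh:
        fh.write("echo original\n")
    pinned = file_digest(script)
    ok = os.path.exists(stage_verified(script, pinned))
    with open(script, "a") as fh:
        fh.write("exit 1\n")  # simulated local edit, like the test in the thread
    try:
        stage_verified(script, pinned)
        return ok, False
    except IntegrityError:
        return ok, True

if __name__ == "__main__":
    print(demo())
```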