[CentOS] Configuration Compliance auditing for many CentOS 5.x boxes
Tom H
tom at limepepper.co.uk
Thu Feb 2 00:40:30 UTC 2012
On 02/02/12 00:04, Kwan Lowe wrote:
>
> Next was auditing, which I think may apply to your question.
>
> For the configurations, we are experimenting with cfengine and puppet. They
> allow you to track configuration changes, reset changes, etc. I've also
> used CVS to track configuration files directly. I.e., check in the changes
> onto a logged administration server, then have the production servers
> check out the changes on an on-demand or scheduled basis. This minimizes
> on-the-fly configurations that accumulate and take the server out of
> compliance. There are tools to generate reports from cfengine/puppet that
> show which configurations have changed, etc.
I noticed that a bunch of projects are using puppet to remediate the
problems detected in the auditing, e.g. changing file permissions and
adding/removing packages. Fedora Aqueduct is one, and Fedora secstate is
another; also, the NIST RHEL STIG has a puppet script to apply the changes.
>
> We are also using the perl test harness to run validations. It's pretty
> coding-intensive, so you'd possibly need a Perl developer initially to
>
At the moment, custom probes are more likely to be Nagios for me than
compliance; I would be happy with most of the basic benchmarks...
> We are still looking at other methods.
OK, well, if you are interested, I have created a question on
serverfault.com to track my progress; I will keep it updated.
http://serverfault.com/questions/355680/configuration-compliance-auditing-for-many-centos-5-x-boxes
If you have any great ideas, then I will bung some points on your account
there...
Cheers,
Tom
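A basic file-mode probe of the kind mentioned in the thread (a Nagios-style custom check that compares a host against a benchmark baseline and reports drift), as an added example that is not part of the original message or of any tool named in it; the sandbox files, modes and baseline entries are constructed for illustration only.

```shell
#!/bin/bash
# Nagios-style compliance probe: compare file modes on the host against a
# baseline of "path mode" lines (e.g. "/etc/shadow 400", whatever your
# benchmark requires). Exit codes follow the Nagios plugin convention:
# 0 OK, 2 CRITICAL, 3 UNKNOWN. Paths containing whitespace are not supported.

# check_perms BASELINE_FILE : prints one status line and returns the exit code.
check_perms() {
    local baseline="$1" path want have bad=0 missing=0 detail=""
    [ -r "$baseline" ] || { echo "UNKNOWN - cannot read baseline $baseline"; return 3; }
    while read -r path want; do
        case "$path" in ''|'#'*) continue ;; esac      # skip blanks and comments
        if [ ! -e "$path" ]; then
            missing=$((missing + 1)); detail="$detail $path(missing)"
            continue
        fi
        have=$(stat -c '%a' "$path")                   # GNU stat: octal mode, no leading 0
        if [ "$have" != "$want" ]; then
            bad=$((bad + 1)); detail="$detail $path($have!=$want)"
        fi
    done < "$baseline"
    if [ "$bad" -eq 0 ] && [ "$missing" -eq 0 ]; then
        echo "OK - all files match baseline"; return 0
    fi
    echo "CRITICAL - $bad mode mismatch(es), $missing missing:$detail"; return 2
}

# build_sandbox : constructed fixture, not a real system. Creates a temp dir with
# one compliant file, one drifted file, and a baseline that also names a file
# that does not exist. Prints the directory path.
build_sandbox() {
    local d
    d=$(mktemp -d)
    printf 'secret\n' > "$d/shadow.copy";  chmod 600 "$d/shadow.copy"   # compliant
    printf 'x\n'      > "$d/sudoers.copy"; chmod 644 "$d/sudoers.copy"  # drifted from 440
    printf '# path mode\n%s 600\n%s 440\n%s 600\n' \
        "$d/shadow.copy" "$d/sudoers.copy" "$d/gone" > "$d/baseline"
    echo "$d"
}

# Stand-alone run: audit the constructed sandbox and show what Nagios would see.
dir=$(build_sandbox)
check_perms "$dir/baseline"
echo "exit code: $?"
rm -rf "$dir"
```

Dropped into a Nagios plugin directory and pointed at a real baseline, the same function reports drift from the benchmark on each box; the remediation itself (puppet, or a CVS checkout of the known-good files) stays separate from the check.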