On 02/02/12 00:04, Kwan Lowe wrote:
> Next was auditing, which I think may apply to your question.
> For the configurations, we are experimenting with cfengine and puppet. They allow you to track configuration changes, reset changes, etc. I've also used CVS to track configuration files directly, i.e., check in the changes on a logged administration server, then have the production servers check out the changes on an on-demand or scheduled basis. This minimizes on-the-fly configurations that accumulate and take the server out of compliance. There are tools to generate reports from cfengine/puppet that show which configurations have changed, etc.
I noticed that a bunch of projects are using puppet to remediate the problems detected in the auditing, e.g. changing file permissions and adding/removing packages. Fedora Aqueduct is one, and Fedora SecState is another; also the NIST RHEL STIG has a puppet script to apply the changes.
> We are also using the Perl test harness to run validations. It's pretty coding intensive so you'd possibly need a Perl developer initially to
At the moment, custom probes are more likely to be nagios for me, than compliance, I would be happy with most of the basic benchmarks...
> We are still looking at other methods.
OK, well, if you are interested, I have created a question on serverfault.com to track my progress; I will keep it updated. http://serverfault.com/questions/355680/configuration-compliance-auditing-fo...
If you have any great ideas then I will bung some points on your account there...
Cheers, Tom
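As an added illustration of the kind of "basic benchmark" probe discussed in this thread (this is example code written for this page, not something either Kwan or Tom posted, and not part of Aqueduct, SecState or the STIG scripts): a small POSIX sh function that checks files against a baseline of expected mode, owner and group and reports in the Nagios plugin convention (exit 0 OK, 2 CRITICAL, 3 UNKNOWN), so it can be wired into Nagios as a custom check. The baseline format, the function name and the use of `stat` with a GNU or BSD fallback are assumptions of this example.

```shell
#!/bin/sh
# Example compliance probe (added here, not from the thread).
#
# Baseline file format, one entry per line (paths containing ':' are not
# supported by this simple format; '#' lines and blank lines are ignored):
#   <path>:<octal mode>:<owner>:<group>
# e.g.  /etc/shadow:0:root:root   or   /etc/ssh/sshd_config:600:root:root
#
# Exit codes follow the Nagios plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.

# file_state PATH -> prints "<mode>:<owner>:<group>" for PATH
# Tries GNU stat first, then BSD stat (assumption: one of the two is present).
file_state() {
    stat -c '%a:%U:%G' "$1" 2>/dev/null || stat -f '%OLp:%Su:%Sg' "$1" 2>/dev/null
}

# check_perms BASELINE_FILE
#   prints one line per deviation (or a single OK line) and returns 0, 2 or 3
check_perms() {
    baseline=$1
    if [ ! -r "$baseline" ]; then
        echo "UNKNOWN: cannot read baseline $baseline"
        return 3
    fi
    failures=0
    while IFS=: read -r path mode owner group; do
        case $path in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "CRITICAL: $path is missing"
            failures=$((failures + 1))
            continue
        fi
        actual=$(file_state "$path")
        expected="$mode:$owner:$group"
        if [ "$actual" != "$expected" ]; then
            echo "CRITICAL: $path is $actual, expected $expected"
            failures=$((failures + 1))
        fi
    done < "$baseline"   # redirect, not a pipe, so $failures survives the loop
    if [ "$failures" -eq 0 ]; then
        echo "OK: all baseline entries compliant"
        return 0
    fi
    return 2
}

# Stand-alone use: check_perms /etc/compliance/baseline; exit $?
```

Note that the probe only reports; if you want the remediation side that the puppet-based projects provide, the same baseline can drive a `chmod`/`chown` loop, but keeping detection separate from enforcement makes it easier to see what drifted before it is silently reset.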