We have several dozen production Linux servers and I would like to have better control over what files are changed, by whom, when they were changed, etc. Because these are all production servers that are in use 24x7, we do not have the luxury of simply doing a clean build, taking md5sums of each file, and then doing fresh installations. I need a system that can take in-place snapshots of each server's configuration files, store them in some kind of database or text file, and notify me whenever something changes.
I've used tripwire in the past - do you have any other recommendations for this type of project?
On Fri, Oct 17, 2008 at 10:41 AM, Sean Carolan <scarolan@gmail.com> wrote:
> We have several dozen production Linux servers and I would like to have better control over what files are changed, by whom, when they were changed, etc. Because these are all production servers that are in use 24x7, we do not have the luxury of simply doing a clean build, taking md5sums of each file, and then doing fresh installations. I need a system that can take in-place snapshots of each server's configuration files, store them in some kind of database or text file, and notify me whenever something changes.
aide comes with CentOS 4/5 and does part of what you want by doing various checksums. Tripwire will also compile for those too. The issue will be that you will want to turn off prelinking and you will want to make sure that you have configured either program to watch those programs. You can add in audit on EL-5 with a policy setup (capp/nispom/customize) to watch those files and log who/what/when the program was changed by.
However, none of the programs store originals of the config files etc. as you are wanting. In that case, your best bet is to turn the problem around and have the config files you want on the servers, and push them out from a central box. Then have the audit programs see if something outside of your central management changed the program.
> I've used tripwire in the past - do you have any other recommendations for this type of project?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Sean Carolan wrote:
> We have several dozen production Linux servers and I would like to have better control over what files are changed, by whom, when they were changed, etc. Because these are all production servers that are in use 24x7, we do not have the luxury of simply doing a clean build, taking md5sums of each file, and then doing fresh installations. I need a system that can take in-place snapshots of each server's configuration files, store them in some kind of database or text file, and notify me whenever something changes.
Anything that is installed via RPM is already databased and tracked. If you edit something you have to track it yourself. I don't know of a good tool for this. For the things I edit frequently and the changes aren't obvious (like DNS zone files), I commit the changes to a CVS server that has viewcvs for easy browsing and diff-ing against earlier versions.
> I've used tripwire in the past - do you have any other recommendations for this type of project?
Tripwire doesn't help when you need to put things back the way they were a version or two back. Backups are always a good thing and a brute-force approach would be to rsync your /etc directories off to some other machine, perhaps using the backup-dir option to keep some old versions around. Running rsync with the -v and -n options will tell you if anything changed compared to the last copy. I'm surprised that there isn't a good tool built on top of one of the version control systems that could treat similar machines as branches, though. What needs to be done is very similar to other version control concepts and everyone needs it.
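A minimal form of the snapshot-and-compare approach discussed in this thread, as an added shell example that is not from the list or from tripwire, aide, rsync or dconf: it writes a checksum manifest of a tree such as /etc, reports files added, modified or removed since the previous run, and keeps superseded manifests for later diffing. The function names and the state directory layout are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or any tool named in it.
# Snapshot a config tree as a sha256 manifest, compare it with the previous
# snapshot and report added/modified/removed files. Assumes GNU coreutils
# (sha256sum) and awk, as found on a CentOS box.

# snapshot_dir ROOT OUT: write "hash  ./relative/path" lines for every
# regular file under ROOT to OUT, in a stable order so manifests can be diffed.
snapshot_dir() {
    root=$1; out=$2
    ( cd "$root" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# compare_snapshots OLD NEW: print one line per change since OLD.
# A missing or empty OLD (first run) reports every file as added.
compare_snapshots() {
    old=$1; new=$2
    if [ ! -s "$old" ]; then
        awk '{ print "added    " $2 }' "$new"
        return 0
    fi
    awk '
        NR == FNR { old[$2] = $1; next }               # first file: old manifest
        {
            if (!($2 in old))       print "added    " $2
            else if (old[$2] != $1) print "modified " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "removed  " p }
    ' "$old" "$new" | LC_ALL=C sort
}

# check_tree ROOT STATEDIR: take a snapshot, print what changed since the
# last run, keep the superseded manifest timestamped for later diffing.
# Exit status is 1 when something changed, so cron/scripts can react.
check_tree() {
    root=$1; state=$2
    mkdir -p "$state"
    snapshot_dir "$root" "$state/current.new"
    changes=$(compare_snapshots "$state/current" "$state/current.new")
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        [ -f "$state/current" ] &&
            mv "$state/current" "$state/manifest.$(date +%Y%m%d%H%M%S)"
    fi
    mv "$state/current.new" "$state/current"
    [ -z "$changes" ]
}
```

Run check_tree from cron so its output, produced only when something changed, arrives as mail; it records what changed and when, not who, which is the gap the audit suggestion earlier in the thread is meant to fill.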
On 17 Oct 2008, at 09:41, Sean Carolan wrote:
> We have several dozen production Linux servers and I would like to have better control over what files are changed, by whom, when they were changed, etc. Because these are all production servers that are in use 24x7, we do not have the luxury of simply doing a clean build, taking md5sums of each file, and then doing fresh installations. I need a system that can take in-place snapshots of each server's configuration files, store them in some kind of database or text file, and notify me whenever something changes.
> I've used tripwire in the past - do you have any other recommendations for this type of project?
you might want to look at dconf, from http://dag.wieers.com/home-made/dconf/ . probably not hard to script something to notify you when a new snapshot is taken.
=====
If you run dconf, it will create a single-file snapshot of your system (config-files, hardware config, system state). By default it will store this file in /var/log/dconf and timestamp it, only when the content is different from the previous run.
You can configure dconf to run from cron on an hourly, daily, weekly or monthly basis and, in case of changes, have it send out a mail. Dconf allows you to go back in time, compare older snapshots, rollback changes or even compare systems with basic text-oriented tools.
=====
Jeremiah
On 27 Oct 2008, at 15:56, Jeremiah Heller wrote:
> On 17 Oct 2008, at 09:41, Sean Carolan wrote:
>> We have several dozen production Linux servers and I would like to have better control over what files are changed, by whom, when they were changed, etc. Because these are all production servers that are in use 24x7, we do not have the luxury of simply doing a clean build, taking md5sums of each file, and then doing fresh installations. I need a system that can take in-place snapshots of each server's configuration files, store them in some kind of database or text file, and notify me whenever something changes.
>> I've used tripwire in the past - do you have any other recommendations for this type of project?
> you might want to look at dconf, from http://dag.wieers.com/home-made/dconf/ . probably not hard to script something to notify you when a new snapshot is taken.
> [snip]...
> You can configure dconf to run from cron on an hourly, daily, weekly or monthly basis and, in case of changes, have it send out a mail.
probably easier to read what I posted and see email notification is a configurable option :P
> Dconf allows you to go back in time, compare older snapshots, rollback changes or even compare systems with basic text-oriented tools.
> =====
Jeremiah