On 02/02/12 00:04, Kwan Lowe wrote:
>
> Next was auditing, which I think may apply to your question.
>
> For the configurations, we are experimenting with cfengine and puppet. They
> allow you to track configuration changes, reset changes, etc. I've also
> used CVS to track configuration files directly. I.e., check in the changes
> onto a logged administration server, then have the production servers
> check out the changes on an on-demand or scheduled basis. This minimizes
> on-the-fly configurations that accumulate and take the server out of
> compliance. There are tools to generate reports from cfengine/puppet that
> show which configurations have changed, etc.

I noticed that a bunch of projects are using puppet to remediate the problems detected in the auditing, e.g. changing file permissions and adding/removing packages. Fedora Aqueduct is one, and Fedora SecState is another; also the NIST RHEL STIG has a puppet script to apply the changes.

>
> We are also using the perl test harness to run validations. It's pretty
> coding intensive so you'd possibly need a Perl developer initially to
>

At the moment, custom probes are more likely to be nagios for me than compliance; I would be happy with most of the basic benchmarks...

> We are still looking at other methods.
> _______________________________________________

OK, well if you are interested, then I have created a question on serverfault.com to track my progress; I will keep it updated.

http://serverfault.com/questions/355680/configuration-compliance-auditing-for-many-centos-5-x-boxes

If you have any great ideas then I will bung some points on your account there...

Cheers,
Tom
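The thread touches two halves of the same workflow: auditing a host against a benchmark-style baseline (which files have drifted out of compliance) and then remediating the findings, for example resetting file permissions as the puppet-based projects mentioned above do. The script below is an added example, not code from this thread or from cfengine, puppet, Aqueduct, SecState or the STIG content; it audits file modes under a root directory against a constructed baseline of maximum permitted permission bits, reports drift and missing files, and can tighten the offending modes in a dry-run or for real. The baseline paths and modes are constructed for the demonstration and stand in for whatever benchmark a site actually adopts.

```python
"""Constructed example: audit file modes against a benchmark-style baseline,
report drift, and optionally remediate by clearing the excess bits.
Not code from the thread or from cfengine/puppet/Aqueduct/SecState."""
import os
import stat
import tempfile
from dataclasses import dataclass

# Hypothetical baseline, modelled on the kind of rule a benchmark states:
# relative path -> maximum permitted mode bits. Any bit set beyond this
# is a finding. Values are constructed for the demo, not from a real STIG.
DEFAULT_BASELINE = {
    "etc/passwd": 0o644,
    "etc/shadow": 0o000,
    "etc/ssh/sshd_config": 0o600,
}


@dataclass
class Finding:
    path: str
    expected: int   # maximum permitted mode bits
    actual: int     # mode bits observed (0 when the file is missing)
    missing: bool = False

    def describe(self):
        if self.missing:
            return f"{self.path}: MISSING (expected mode <= {self.expected:04o})"
        extra = self.actual & ~self.expected
        return (f"{self.path}: mode {self.actual:04o} exceeds {self.expected:04o} "
                f"(extra bits {extra:04o})")


def audit(root, baseline=DEFAULT_BASELINE):
    """Return a Finding for every baseline entry whose file under ``root``
    is missing or carries permission bits beyond the allowed maximum."""
    findings = []
    for rel, max_mode in baseline.items():
        full = os.path.join(root, rel)
        try:
            st = os.lstat(full)          # lstat: do not follow symlinks
        except FileNotFoundError:
            findings.append(Finding(rel, max_mode, 0, missing=True))
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual & ~max_mode:           # any bit set that the baseline forbids
            findings.append(Finding(rel, max_mode, actual))
    return findings


def remediate(root, findings, dry_run=True):
    """Tighten modes for non-missing findings by clearing the excess bits.
    Returns the list of (path, new_mode) that was (or, in a dry run, would
    be) applied; missing files are reported only, never created."""
    applied = []
    for f in findings:
        if f.missing:
            continue
        new_mode = f.actual & f.expected
        if not dry_run:
            os.chmod(os.path.join(root, f.path), new_mode)
        applied.append((f.path, new_mode))
    return applied


def build_demo_root():
    """Build a constructed fake filesystem root in a temp dir with one
    compliant file, one too-permissive file and one missing file."""
    root = tempfile.mkdtemp(prefix="compliance-demo-")
    os.makedirs(os.path.join(root, "etc", "ssh"))
    passwd = os.path.join(root, "etc", "passwd")
    sshd = os.path.join(root, "etc", "ssh", "sshd_config")
    for p in (passwd, sshd):
        with open(p, "w") as fh:
            fh.write("# constructed sample\n")
    os.chmod(passwd, 0o644)   # compliant
    os.chmod(sshd, 0o664)     # drift: group-writable
    # etc/shadow is deliberately not created -> MISSING finding
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    found = audit(demo)
    for f in found:
        print(f.describe())
    print("remediation plan:", remediate(demo, found, dry_run=True))
```

The audit and the remediation are kept as separate steps so the findings can be logged or reported (the equivalent of the cfengine/puppet change reports mentioned above) before anything on the host is altered; run the real remediation only from a controlled administration host, and treat a missing file as something to investigate rather than something a script should recreate.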