[CentOS] Configuration Compliance auditing for many CentOS 5.x boxes

Thu Feb 2 00:40:30 UTC 2012
Tom H <tom at limepepper.co.uk>

On 02/02/12 00:04, Kwan Lowe wrote:
>
> Next was auditing, which I think may apply to your question.
>
> For the configurations, we are experimenting with cfengine and puppet. They
> allow you to track configuration changes, reset changes, etc.  I've also
> used CVS to track configuration files directly.  I.e., check in the changes
> onto a logged administration server, then have the production servers
> check out the changes on an on-demand or scheduled basis. This minimizes
> on-the-fly configurations that accumulate and take the server out of
> compliance.  There are tools to generate reports from cfengine/puppet that
> show which configurations have changed, etc.
I noticed that a bunch of projects are using puppet to remediate the 
problems detected in the auditing, e.g. changing file permissions and 
adding/removing packages. Fedora Aqueduct is one, and Fedora SecState is 
another; also the NIST RHEL STIG has a puppet script to apply the changes.

>
> We are also using the perl test harness to run validations. It's pretty
> coding intensive so you'd possibly need a Perl developer initially to
>

At the moment, custom probes are more likely to be Nagios for me than 
compliance; I would be happy with most of the basic benchmarks...

> We are still looking at other methods.
> _______________________________________________

OK, well, if you are interested, I have created a question on 
serverfault.com to track my progress; I will keep it updated.
http://serverfault.com/questions/355680/configuration-compliance-auditing-for-many-centos-5-x-boxes

If you have any great ideas then I will bung some points on your account 
there...

Cheers,
Tom
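
As an added example, and not code from this thread or from Aqueduct, SecState or the STIG puppet scripts: the two kinds of drift the thread mentions (file permissions/ownership and package presence) can be checked, and the file side remediated, with a small POSIX sh script of the sort you could hang off cron or wrap as a Nagios probe. The baseline file format, the function names, the `present`/`absent` package list format and the sample `sshd_config` path are all assumptions made for this example; it assumes GNU `stat` and `rpm`, as on CentOS 5.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project it names.
# A minimal "audit, then remediate" baseline check for file modes/ownership
# and package state.
#
# Baseline file format (constructed for this example, one entry per line):
#   # path                mode  uid  gid
#   /etc/ssh/sshd_config  600   0    0
# Numeric uid/gid are used so the check does not depend on NSS name lookups.
# Requires GNU stat (coreutils), which CentOS 5 ships.

# Print one DRIFT/MISSING line per non-compliant entry; return 1 if any found.
audit_file_modes() {
  baseline=$1
  rc=0
  while read -r path mode uid gid; do
    case "$path" in ''|\#*) continue ;; esac   # skip blank and comment lines
    if [ ! -e "$path" ]; then
      echo "MISSING $path"
      rc=1
      continue
    fi
    expected="$mode $uid $gid"
    actual=$(stat -c '%a %u %g' "$path")
    if [ "$actual" != "$expected" ]; then
      echo "DRIFT $path expected=$expected actual=$actual"
      rc=1
    fi
  done < "$baseline"
  return $rc
}

# Put every existing baseline entry back to its recorded mode and ownership.
# Missing files are reported, not created: creating them needs content, which
# is the config-management tool's job, not the audit's.
remediate_file_modes() {
  baseline=$1
  while read -r path mode uid gid; do
    case "$path" in ''|\#*) continue ;; esac
    if [ ! -e "$path" ]; then
      echo "SKIP $path (missing)"
      continue
    fi
    chmod "$mode" "$path" && chown "$uid:$gid" "$path" && echo "SET $path $mode $uid:$gid"
  done < "$baseline"
}

# Package list format (constructed): "present NAME" or "absent NAME".
# Uses rpm -q as on CentOS; install/remove is left to puppet/cfengine so this
# function stays a read-only probe.
audit_packages() {
  rc=0
  while read -r want pkg; do
    case "$want" in ''|\#*) continue ;; esac
    if rpm -q "$pkg" >/dev/null 2>&1; then state=present; else state=absent; fi
    if [ "$state" != "$want" ]; then
      echo "PKG $pkg expected=$want actual=$state"
      rc=1
    fi
  done < "$1"
  return $rc
}

# Usage: sh baseline-check.sh files.baseline [packages.list]
# Exit status is non-zero on any drift, so it can double as a Nagios probe.
if [ $# -ge 1 ]; then
  status=0
  audit_file_modes "$1" || status=1
  [ $# -ge 2 ] && { audit_packages "$2" || status=1; }
  exit $status
fi
```

Run the audit on a schedule and only run `remediate_file_modes` from the same logged administration host that owns the baseline, so the baseline in version control stays the single record of what "compliant" means; the audit output then tells you what changed on the box between two runs, and the remediation step is the part puppet would normally do for you.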