02-01-2012, 06:54 PM
Tom H
Configuration Compliance auditing for many CentOS 5.x boxes

Hi CentOS experts,

Short Version

I would like to produce a weekly report in HTML for each CentOS 5.x
server we have indicating configuration compliance with some industry
benchmark. I am looking for a tool or tools to implement this, I am
happy to use 3rd party proprietary stuff if necessary.

Long(er) Version

Current Situation... I have a client with many (200x) CentOS 5.x
servers deployed in various web, mail, database and file server roles,
and these boxes have been variously administrated to a lesser or greater

All the boxes have EPEL repository included as part of their
base-install, and all boxes have cron jobs for "yum -y update" running
frequently, and are rebooted when kernels are available. (so they are
not in a terrible state)

For network, local and external vulnerabilities - We use a 3rd party
firm, who use WebInspect to monitor for external facing ports and
vulnerable services and produce various regular reports to my boss.
(hence am not looking at Nessus, OpenVAS or network based scanning tools
right now, or indeed any vulnerability tools)

However we now have a New Big Boss in Town - who is an ex-security
compliance dude. The new rules are that if it's not being regularly
tested, then it's not in compliance, even if it is in compliance etc. (to
be honest, I quite like that rule)

So now I am looking for a way to generate a report of server compliance
with some compliance standard for all the boxes regularly.

We have a basic list of configuration settings, that is a weaker form of
various compliance recommendations, so I am confident that most
compliance benchmarks like CIS, EAL3 or the linux web STIG level would
be sufficient.

We have chef installed on the CentOS instances, hence I can push out yum
based packages, (and I can install from source tarballs, but it will
make me cry, on these instances)

I Would like to have... a tool that runs locally on each CentOS box and
produces a reasonably comprehensive html report regarding configuration

(and a massive bonus would be to send email alert for severe problems,
but I can script that if required)

Ideally I could generate a weekly report that indicates compliance with
1 or more of the recognised linux server benchmarks. I am happy to pay
for a subscription for the checklist, but I suspect the kind of
per-instance 100 USD licenses I see are going to blow my budget.

Current progress is...

I see that OpenSCAP and OVAL have tools in CentOS-base or EPEL, such as

ovaldi - OVAL reference interpreter

which can be used to create reports. However they seem a little unrefined.

For SCAP and OVAL content I have found the following.

1. NIST provide SCAP content for RHEL desktop, which is kinda close:
   http://usgcb.nist.gov/usgcb/rhel_content.html
2. There is a tool called sectool in the fedora repos, but I can't get
   it to run on CentOS due to a missing python-slip module.

Any suggestions on functioning stacks for this problem would be helpful.



CentOS mailing list
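The locally run checker producing an HTML compliance report that the post asks for, sketched as an added example (not code from the thread or from any tool named in it): a few hardening checks are evaluated against a constructed sshd_config sample and a constructed /etc/shadow mode, the failures are collected as the input for a severe-problem mail alert, and the result is rendered as a standalone HTML page. The check ids, the sample values and the hostname are hypothetical.

```python
import html
from datetime import date

# Constructed sample standing in for /etc/ssh/sshd_config on one box (not real data).
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding no
"""
SAMPLE_SHADOW_MODE = 0o400  # constructed permission bits of /etc/shadow

def sshd_option(text, key):
    """First non-comment occurrence wins, as in sshd itself; None when unset."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#") and parts[0].lower() == key.lower():
            return parts[1].strip()
    return None

def evaluate(sshd_cfg, shadow_mode):
    """Run every check; the ids are hypothetical, modelled on common hardening items."""
    root = sshd_option(sshd_cfg, "PermitRootLogin")
    proto = sshd_option(sshd_cfg, "Protocol")
    perm = shadow_mode & 0o777
    return [
        ("ssh-root-login", "PermitRootLogin is explicitly set to no",
         root == "no", "PermitRootLogin=%s" % root),
        ("ssh-protocol-2", "Only SSH protocol 2 is enabled",
         proto == "2", "Protocol=%s" % proto),
        ("shadow-perms", "/etc/shadow mode is 0000 or 0400",
         perm in (0o000, 0o400), "mode=%04o" % perm),
    ]

def failures(results):
    """Ids of failed checks: the list a severe-problem mail alert is built from."""
    return [cid for cid, _desc, ok, _ev in results if not ok]

def render_html(hostname, results):
    """Standalone HTML report; evidence is escaped so config text cannot inject markup."""
    rows = "".join(
        '<tr><td>%s</td><td>%s</td><td class="%s">%s</td><td>%s</td></tr>\n'
        % (html.escape(cid), html.escape(desc), "pass" if ok else "fail",
           "PASS" if ok else "FAIL", html.escape(evidence))
        for cid, desc, ok, evidence in results)
    return ("<html><head><title>Compliance: %s</title></head><body>\n<h1>%s (%s)</h1>\n"
            "<table>\n%s</table>\n</body></html>\n" % (html.escape(hostname),
            html.escape(hostname), date.today().isoformat(), rows))
```

Running `evaluate` against the real files (reading sshd_config and `os.stat("/etc/shadow").st_mode`) from a weekly cron job and writing `render_html` output per host is the deployment shape the post describes.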
02-01-2012, 11:40 PM
Tom H
Configuration Compliance auditing for many CentOS 5.x boxes

On 02/02/12 00:04, Kwan Lowe wrote:
> Next was auditing, which I think may apply to your question.
> For the configurations, we are experimenting with cfengine and puppet. They
> allow you to track configuration changes, reset changes, etc.. I've also
> used CVS to track configuration files directly. I.e., checkin the changes
> onto a logged administration server then have the production servers
> checkout the changes on an on-demand or scheduled basis. This minimizes
> on-the-fly configurations that accumulate and take the server out of
> compliance. There are tools to generate reports from cfengine/puppet that
> show which configurations have changed, etc..
I noticed that a bunch of projects are using puppet to remediate the
problems detected in the auditing, eg changing file permissions and
adding/removing packages. Fedora Aqueduct is one, and Fedora secstate is
another; also the NIST RHEL STIG has a puppet script to apply the changes.

> We are also using the perl test harness to run validations. It's pretty
> coding intensive so you'd possibly need a Perl developer initially to

At the moment, custom probes are more likely to be Nagios for me than
compliance; I would be happy with most of the basic benchmarks...

> We are still looking at other methods.
> _______________________________________________

OK, well if you are interested, then I have created a question on
serverfault.com to track my progress, I will keep it updated.

If you have any great ideas then I will bung some points on your account.


CentOS mailing list
02-01-2012, 11:43 PM
Tom H
Configuration Compliance auditing for many CentOS 5.x boxes

On 02/02/12 00:26, Les Mikesell wrote:
> Is anyone looking at salt instead of puppet yet? http://saltstack.org/

I had such a bad experience with puppet, that I ran like a jilted
teenage lover on a rebound into the arms of chef...

unfortunately I may not have reviewed all the options (including salt)
when making that decision.
CentOS mailing list
