02-01-2012, 10:22 PM
Ross Walker

Configuration Compliance auditing for many CentOS 5.x boxes

On Feb 1, 2012, at 2:54 PM, Tom H <tom@limepepper.co.uk> wrote:

> Hi CentOS experts,
>
> Short Version
>
> I would like to produce a weekly report in HTML for each CentOS 5.x
> server we have indicating configuration compliance with some industry
> benchmark. I am looking for a tool or tools to implement this, I am
> happy to use 3rd party proprietary stuff if necessary.
>

You could have a weekly cron job on all boxes that does an rpm for all package config files, diff against a "snapshot" copy contained under /var somewhere, email those diffs to a change management system, then save the current files in the snapshot directory.

First run will send the complete configs, all subsequent runs will send the diffs.

Of course you need a change management system that will hold an inventory of systems, those systems' hardware/software inventories and configurations, and track those changes with alerts and reports and such.

I don't know of a good system for doing all that unfortunately, but if you do find one let me know.

-Ross

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
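The cron job Ross sketches, written out as a POSIX sh script. This is an added example, not code from the thread; the snapshot directory /var/lib/confsnap, the --run flag and the CM_MAIL address are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Ross's own script: the weekly config-snapshot job he describes.
# Assumptions: SNAPDIR (default /var/lib/confsnap) is a root-only directory,
# and CM_MAIL is a placeholder for the change-management mailbox.

# snapshot_diff SNAPDIR REPORT   (config file names on stdin, one per line)
# First sight of a file: its full contents go into REPORT; later runs: a
# unified diff against the snapshot copy. The snapshot is then refreshed.
# Prints the number of new or changed files.
snapshot_diff() {
    snapdir=$1 report=$2 changed=0
    : > "$report"
    while IFS= read -r f; do
        [ -f "$f" ] || continue              # %config(missingok) files may be absent
        snap="$snapdir$f"
        if [ -f "$snap" ]; then
            if ! cmp -s "$snap" "$f"; then
                echo "=== changed: $f" >> "$report"
                diff -u "$snap" "$f" >> "$report" || true   # diff exits 1 on differences
                changed=$((changed + 1))
            fi
        else
            echo "=== new: $f" >> "$report"
            cat "$f" >> "$report"
            changed=$((changed + 1))
        fi
        mkdir -p "$(dirname "$snap")"
        cp -p "$f" "$snap"
    done
    echo "$changed"
}

main() {
    snapdir=${SNAPDIR:-/var/lib/confsnap}
    mkdir -p "$snapdir" && chmod 700 "$snapdir"   # snapshots are copies of config files: keep them root-only
    report=$(mktemp)
    # rpm -qac lists every file flagged %config in every installed package.
    n=$(rpm -qac | grep '^/' | sort -u | snapshot_diff "$snapdir" "$report")
    if [ "$n" -gt 0 ]; then
        mail -s "$(uname -n): $n config file(s) changed" "${CM_MAIL:-change-mgmt@example.com}" < "$report"
    fi
    rm -f "$report"
}

# Run the job only when asked (the cron line would pass --run); sourcing just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

The snapshot and the mailed diffs are verbatim copies of config files, so any embedded credentials travel with them; that is why the snapshot directory is root-only here, and the mail step belongs on an internal authenticated relay.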
 
02-01-2012, 11:04 PM
Kwan Lowe

Configuration Compliance auditing for many CentOS 5.x boxes

On Wed, Feb 1, 2012 at 2:54 PM, Tom H <tom@limepepper.co.uk> wrote:

> Hi CentOS experts,
>
> Short Version
>
> I would like to produce a weekly report in HTML for each CentOS 5.x
> server we have indicating configuration compliance with some industry
> benchmark. I am looking for a tool or tools to implement this, I am
> happy to use 3rd party proprietary stuff if necessary.



> [snip]
>

I'm in a similar situation. We have a growing infrastructure of over 300
instances of RHEL4/5/6. Though not specifically CentOS, the tools are the
same. My focus has been on PCI compliance. As of yet we don't have any SOX
systems on Linux, but I expect that will change in the near future.

For PCI compliance there are a few things that we do. The first thing was
to get a handle on the buildout process which we did via kickstart. This
ensured consistency in the builds which previously was done by different
engineers/operators with different skill levels. We validated the standard
image and then used Satellite/Spacewalk to keep track of the versions.

The next step was the daily bit rot and the damage from the application
folks whose sole experience was on desktop or laptop systems (i.e., they
never had to comply with any industry standards). We started by separating
OS from application. This meant not only separate volume groups and mount
points for application files, but also things like ensuring that apps did
not run as root (you'd be amazed how many developers insist that builds
must occur as root). In just about every case where we allowed application
developers to have root access we ended up with systems that were wildly
out of compliance. In one case a developer installed an entire desktop
suite, including MP3 player and video editing tools, in order to satisfy a
dependency on a single widget library. We don't do that any more. :/

Next was auditing, which I think may apply to your question.

For the basic package setup, Spacewalk or Satellite can track the versions
and allow you to lock the package set. There are also existing scripts that
wrap variations of an 'rpm -qVa' and send the reports back. Tools such as
tripwire are also useful for this. If you have deployed SELinux, you can
effectively even lock the root user from installing or modifying system
packages.

For the configurations, we are experimenting with cfengine and puppet. They
allow you to track configuration changes, reset changes, etc. I've also
used CVS to track configuration files directly, i.e., check in the changes
onto a logged administration server, then have the production servers
check out the changes on an on-demand or scheduled basis. This minimizes
on-the-fly configurations that accumulate and take the server out of
compliance. There are tools to generate reports from cfengine/puppet that
show which configurations have changed, etc.

We are also using the Perl test harness to run validations. It's pretty
coding-intensive, so you'd possibly need a Perl developer initially to
create and to maintain the scripts. The idea is to create the test scripts
in lock step with changes to the kickstart. The harness generates a PASS or
FAIL response depending on the Perl test. For example, for PCI compliance
we have a standard login banner. The test does an MD5 sum against the
target machine's /etc/issue.net and checks it against the stored hash. If
the hashes correspond it passes the test (barring hash collisions, of
course).

We are still looking at other methods.
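Kwan's PASS/FAIL hash test, generalised from one file to a manifest of files and with the HTML output the original question asked for. This is an added example in POSIX sh rather than Kwan's Perl harness; the manifest format, the function names and the use of sha256sum in place of MD5 are this example's own choices.

```shell
#!/bin/sh
# Added example (not Kwan's Perl harness): the same PASS/FAIL idea in POSIX sh,
# driven by a manifest of "path hash" lines kept in lock step with the
# kickstart. sha256sum is used instead of MD5 so collisions are not a caveat.
# Assumed names: the manifest format and function names are this example's own.

# check_manifest MANIFEST
# For each "path hash" line, hashes the live file and prints one result line:
#   PASS|FAIL|MISSING <path>
# Prints a SUMMARY line last and returns 0 only if every check passed.
check_manifest() {
    manifest=$1 pass=0 fail=0
    while read -r path expected; do
        case $path in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; fail=$((fail + 1)); continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "PASS $path"; pass=$((pass + 1))
        else
            echo "FAIL $path"; fail=$((fail + 1))
        fi
    done < "$manifest"
    echo "SUMMARY pass=$pass fail=$fail"
    [ "$fail" -eq 0 ]
}

# make_manifest FILE... : record the baseline from a validated reference build.
make_manifest() {
    sha256sum "$@" | while read -r hash path; do echo "$path $hash"; done
}

# html_report < results : turn result lines into the weekly HTML page the question asked for.
html_report() {
    echo "<html><body><h1>Compliance report: $(uname -n) $(date +%F)</h1><table>"
    while read -r status path; do
        p=$(printf '%s' "$path" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')   # escape for HTML
        echo "<tr class=\"$status\"><td>$status</td><td>$p</td></tr>"
    done
    echo "</table></body></html>"
}

# Weekly cron usage (not run here):
#   check_manifest /etc/compliance.manifest | html_report > /var/www/html/compliance.html
```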
 
02-01-2012, 11:26 PM
Les Mikesell

Configuration Compliance auditing for many CentOS 5.x boxes

On Wed, Feb 1, 2012 at 6:04 PM, Kwan Lowe <kwan.lowe@gmail.com> wrote:
>
> For the basic package setup, Spacewalk or Satellite can track the versions
> and allow you to lock the package set. There are also existing scripts that
> wrap variations of an 'rpm -qVa' and send the reports back.

Ocsinventory-ng will send a hardware and software inventory to a
central server daily, with agents for both Linux and Windows. It
will pick up the installed rpms but you'd have to extend it to look
for local config changes.

> For the configurations, we are experimenting with cfengine and puppet. They
> allow you to track configuration changes, reset changes, etc.

Is anyone looking at salt instead of puppet yet? http://saltstack.org/

--
Les Mikesell
lesmikesell@gmail.com
 
02-02-2012, 01:17 AM
Les Mikesell

Configuration Compliance auditing for many CentOS 5.x boxes

On Wed, Feb 1, 2012 at 6:43 PM, Tom H <tom@limepepper.co.uk> wrote:
> On 02/02/12 00:26, Les Mikesell wrote:
>>
>>
>> Is anyone looking at salt instead of puppet yet? http://saltstack.org/
>>
>
> I had such a bad experience with puppet, that I ran like a jilted teenage
> lover on a rebound into the arms of chef...
>
> unfortunately I may not have reviewed all the options (including salt) when
> making that decision.

Not sure salt is quite ready for prime time, but it should be close
for Linux anyway. The ZeroMQ over SSL connectivity is the first thing
I've seen that looks like it would scale.

--
Les Mikesell
lesmikesell@gmail.com
 
02-06-2012, 05:04 PM
"Denniston, Todd A CIV NAVSURFWARCENDIV Crane"

Configuration Compliance auditing for many CentOS 5.x boxes

> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On
> Behalf Of Tom H
> Sent: Wednesday, February 01, 2012 14:54
> To: CentOS mailing list
> Subject: [CentOS] Configuration Compliance auditing for many CentOS 5.x
> boxes
>
> Hi CentOS experts,
>
> Short Version
>
> I would like to produce a weekly report in HTML for each CentOS 5.x
> server we have indicating configuration compliance with some industry
> benchmark. I am looking for a tool or tools to implement this, I am
> happy to use 3rd party proprietary stuff if necessary.


> Current progress is...
>
> I see that OPENSCAP and OVAL have tools in CentOS-base or EPEL, such as
>
> OpenSCAP-utils
> ovaldi - oval reference interpreter
>
> Which can be used to create reports. However they seem a little
> unrefined.
>
> For SCAP and OVAL content I have found the following.
>
> 1. NIST provide SCAP content for RHEL desktop, which is kinda close;
> 2. http://usgcb.nist.gov/usgcb/rhel_content.html
> 3. There is a tool called sectool in the fedora repos, but I can't get
> it to run on CentOS due to a missing python-slip module.
>
> Any suggestions on functioning stacks for this problem would be
> helpful.

Sorry about no suggestions, but seeing where you are I have a question
back at you:
The http://usgcb.nist.gov/usgcb/rhel_content.html seemed to me to be a
newer schema than the openscap in RH/CentOS 5, did you find a way to run
it on 5?

And I sort of assume you have seen
http://www.redhat.com/security/data/oval/?C=M;O=D
for the RHEL boxes...

Thanks for any pointers.
 
02-06-2012, 07:24 PM
Eero Volotinen

Configuration Compliance auditing for many CentOS 5.x boxes

2012/2/2 Ross Walker <rswwalker@gmail.com>:
> On Feb 1, 2012, at 2:54 PM, Tom H <tom@limepepper.co.uk> wrote:
>
>> Hi CentOS experts,
>>
>> Short Version
>>
>> I would like to produce a weekly report in HTML for each CentOS 5.x
>> server we have indicating configuration compliance with some industry
>> benchmark. I am looking for a tool or tools to implement this, I am
>> happy to use 3rd party proprietary stuff if necessary.
>>
>
> You could have a weekly cron job on all boxes that does an rpm for all package config files, diff against a "snapshot" copy contained under /var somewhere, email those diffs to a change management system, then save the current files in the snapshot directory.
>
> First run will send the complete configs, all subsequent runs will send the diffs.
>
> Of course you need a change management system that will hold an inventory of systems, those systems' hardware/software inventories and configurations, and track those changes with alerts and reports and such.
>
> I don't know of a good system for doing all that unfortunately, but if you do find one let me know.

Well, take a look at the following open source products also:

ossec (www.ossec.net)
samhain (http://la-samhna.de/samhain/)

--
Eero
 
