
I need something that can scan my network for Linux machines and then log in to anything it can find and check configs to make sure everything is set up correctly, e.g. things like that ssh settings are correct, smartd is configured and enabled (if physical machine), no blank passwords, permissions on sensitive config files, etc. This is more of an automatic check of the install process than a tripwire to check for malicious reconfiguration (I just found a machine with a failed hard disk on which I hadn't enabled smartd!) What's out there? 'baseline config' is a term I'm more used to hearing in the Windows world so maybe I'm googling on the wrong keywords... Thanks, James

James Harper <james.harper@bendigoit.com.au> wrote:
I need something that can scan my network for Linux machines and then log in to anything it can find and check configs to make sure everything is set up correctly, e.g. things like that ssh settings are correct, smartd is configured and enabled (if physical machine), no blank passwords, permissions on sensitive config files, etc. This is more of an automatic check of the install process than a tripwire to check for malicious reconfiguration (I just found a machine with a failed hard disk on which I hadn't enabled smartd!)
What's out there? 'baseline config' is a term I'm more used to hearing in the Windows world so maybe I'm googling on the wrong keywords...
I haven't heard of any such tool (but I'm not into system administration heavily). The practice that I have heard of is to use cfengine or puppet to configure all of the machines instead of doing so manually. As I understand it, you can write rules which ensure that certain packages are installed everywhere and (crucially for your scenario) that certain configuration options are set.

On Sun, Jun 16, 2013 at 11:20 AM, James Harper <james.harper@bendigoit.com.au> wrote:
I need something that can scan my network for Linux machines and then log in to anything it can find and check configs to make sure everything is set up correctly, e.g. things like that ssh settings are correct, smartd is configured and enabled (if physical machine), no blank passwords, permissions on sensitive config files, etc. This is more of an automatic check of the install process than a tripwire to check for malicious reconfiguration (I just found a machine with a failed hard disk on which I hadn't enabled smartd!)
Everything you've just described can be done with puppet. Bit of a learning curve, but will cover all the bases. / Brett

James Harper <james.harper@bendigoit.com.au> writes:
I need something that can scan my network for Linux machines and then log in to anything it can find and check configs to make sure everything is set up correctly, e.g. things like that ssh settings are correct, smartd is configured and enabled (if physical machine), no blank passwords, permissions on sensitive config files, etc. This is more of an automatic check of the install process than a tripwire to check for malicious reconfiguration (I just found a machine with a failed hard disk on which I hadn't enabled smartd!)
The problem domain you describe is called "configuration management". As others have said, puppet is probably the best-known at present. I'm not enthusiastic about any of them - haven't tried ansible yet. What I currently do is keep a BCP checklist (e.g. "install etckeeper") and go through it when I first deploy a host. If I add to the list after a host is deployed, that's generally just too bad for that host. :-(
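As an added illustration of the kind of check James asked for (this is not code from the thread or from any of the tools mentioned), here is a small POSIX shell audit of the items he listed, written as functions so it can run on a host directly or over ssh from the machine doing the scanning. The expected sshd values, file modes and the smartd unit name are assumptions for illustration; adjust them to your own baseline.

```shell
#!/bin/sh
# Added example: local baseline audit of sshd settings, blank passwords,
# sensitive file modes and smartd. Expected values below are assumptions.

# sshd_check <sshd_config> <Directive> <expected>
# sshd honours the FIRST occurrence of a keyword, so that is what is compared.
# Scanning stops at the first "Match" block (its directives are conditional).
# An absent directive fails: a baseline should set it explicitly, not rely on defaults.
sshd_check() {
    got=$(awk -v k="$2" 'tolower($1)=="match"{exit}
                         tolower($1)==tolower(k){print $2; exit}' "$1" 2>/dev/null)
    [ "$got" = "$3" ]
}

# no_blank_passwords <shadow-file>: prints each account whose password field
# is empty and returns non-zero if one was found (or the file is unreadable).
no_blank_passwords() {
    [ -r "$1" ] || return 1
    ! awk -F: '$2=="" {print "blank password: " $1; f=1} END {exit !f}' "$1"
}

# perm_check <file> <max-octal-mode>: fails if any mode bit outside the mask is set,
# e.g. perm_check /etc/shadow 640 rejects 644 (world-readable) but accepts 600.
perm_check() {
    mode=$(stat -c %a "$1") || return 1
    [ "$(( 0$mode & ~0$2 ))" -eq 0 ]
}

# Assumes systemd. The unit is "smartd" on most distros, "smartmontools" on some.
service_enabled() { systemctl is-enabled --quiet "$1" 2>/dev/null; }
# systemd-detect-virt exits 0 when it finds a hypervisor or container.
is_physical() { ! systemd-detect-virt --quiet 2>/dev/null; }

# Run every check on the local host; one FAIL line per problem, return 1 if any.
audit_host() {
    rc=0
    sshd_check /etc/ssh/sshd_config PermitRootLogin no        || { echo "FAIL sshd PermitRootLogin"; rc=1; }
    sshd_check /etc/ssh/sshd_config PasswordAuthentication no || { echo "FAIL sshd PasswordAuthentication"; rc=1; }
    no_blank_passwords /etc/shadow      || rc=1
    perm_check /etc/shadow 640          || { echo "FAIL /etc/shadow mode"; rc=1; }
    perm_check /etc/ssh/sshd_config 644 || { echo "FAIL sshd_config mode"; rc=1; }
    if is_physical; then
        service_enabled smartd || { echo "FAIL smartd not enabled on physical host"; rc=1; }
    fi
    return "$rc"
}

# Only audit when invoked as "sh baseline.sh --run", so the functions can also be sourced.
if [ "${1:-}" = --run ]; then audit_host; fi
```

The script needs root to read /etc/shadow; from the scanning machine it can be pushed to each discovered host with `ssh root@HOST sh -s -- --run < baseline.sh` and the exit status collected.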
participants (4): Brett Pemberton, James Harper, Jason White, trentbuck@gmail.com