
Quoting "James Harper" <james.harper@bendigoit.com.au>
I need something that can scan my network for Linux machines and then log in to anything it can find and check configs to make sure everything is set up correctly, e.g. things like that ssh settings are correct, smartd is configured and enabled (if physical machine), no blank passwords, permissions on sensitive config files, etc. This is more of an automatic check of the install process than a tripwire to check for malicious reconfiguration (I just found a machine with a failed hard disk on which I hadn't enabled smartd!)
What's out there? 'baseline config' is a term I'm more used to hearing in the Windows world, so maybe I'm googling on the wrong keywords...
Puppet was mentioned here. At the moment my "Unix universe" is quite uniform on the OS level (FreeBSD machines and jails, with only one Ubuntu VM for a Zimbra mail server). That gives me the ability to script configurations easily, so machines are uniform from the start. Most configs and admin scripts (e.g. for backup and system mirroring for failover) are symlinked against a directory tree that is under version control. Regular updates keep the scripts in sync. Installation includes defined package sets, including configuration scripts (the install script is a wrapper around the package installation which looks for post-install scripts adapting them to our environment). The repository used for "cloning" (including compiled base systems and packages) is distributed via ZFS (send/receive), so all installations are the same. In other work environments I used templates for virtual machines.

Don't run manual installs - you will always forget something, or things end up in different spots and are harder to maintain. I only use CDs or USB sticks for booting - everything else comes scripted from the network.

Then there is nagios. The systems all belong to pre-defined hostgroups, so they check what's expected from every container (e.g. response, update check for installed packages), physical machine (e.g. smartd) and services (e.g. HTTP(S) response).

I think of all of it as very basic, in fact I have been doing it in a similar way for 20 years by now - and I am still surprised how many admins are out there doing manual installs, and every system looks different and every time something pops up it's just: "oh, forgot to install this or that". My zoo isn't too big (ca. 30 systems) and I haven't had many unforeseen problems caused by configuration neglect for a while.

You can do "configuration distribution" in many ways. I use shell scripts, SVN, ZFS and nagios because it's easy for me, but there are others: Puppet as an example, or Capistrano written in Ruby (http://en.wikipedia.org/wiki/Capistrano). I am pretty sure there are more.

BTW: We are using nagios/nsclient for ca. 50 Windows machines as well; the machines have directories under version control too (Tortoise SVN) and it checks basic parameters (CPU, hard disk space etc.), installed programs, available updates, anti-virus protection etc. That reduces the frustration in that area as well. Just thinking of the TCO/admin work claim recently... Okay, most Windows admins don't seem to know much about scripting? So, in that case the Windows-man on my side (who actually wrote some Windows scripts triggered by NSClient) and the Unix admin seem to be the best you can have for a Windows network ;-)

Regards
Peter
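As an added illustration of the kind of post-install baseline check James asks about (this is not code from the thread or from any project named in it): a small POSIX shell script that audits an sshd_config for explicit settings, a shadow-style file for blank password fields and a sensitive file for world-readable mode. The checked directives, the sample entries and the temporary directory layout are assumptions constructed for this example so it runs offline.

```shell
#!/bin/sh
# Added example: minimal baseline check over constructed sample files.
# Each check prints one line per deviation; run_baseline prints them all.

# First uncommented occurrence of a keyword wins, which is how sshd resolves it.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Baseline: each directive must be set explicitly and match the expected value
# (an unset directive is reported rather than trusted to the compiled-in default).
check_sshd_config() {
    for pair in PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', expected '$want'"
        fi
    done
}

# An empty second field means no password at all; '*' or '!' mean locked, not blank.
check_blank_passwords() {
    awk -F: '$2 == "" { print "shadow: account " $1 " has a blank password" }' "$1"
}

# A sensitive file must not be readable by others; -perm -004 is POSIX find syntax.
check_not_world_readable() {
    if [ -n "$(find "$1" -perm -004 -print)" ]; then
        echo "perms: $1 is world-readable"
    fi
}

run_baseline() {
    check_sshd_config "$1/sshd_config"
    check_blank_passwords "$1/shadow"
    check_not_world_readable "$1/shadow"
}

# Constructed sample inputs (hypothetical, not from a real host): one wrong
# directive, one missing directive, one blank password, one loose file mode.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '# sshd_config' 'PermitRootLogin yes' 'PermitEmptyPasswords no' > "$dir/sshd_config"
    printf '%s\n' 'root:$6$saltsalt$hash:19000:0:99999:7:::' 'svc:!:19000:0:99999:7:::' \
        'guest::19000:0:99999:7:::' > "$dir/shadow"
    chmod 644 "$dir/shadow"
    echo "$dir"
}

dir=$(make_samples)
run_baseline "$dir"      # prints four findings for the constructed samples
rm -rf "$dir"
```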