How Configuration Management supports Systems Security

Published: 2008-05-04
Last Updated: 2008-05-04 23:31:20 UTC
by David Goldsmith (Version: 1)
1 comment(s)

How do you know if what is in various configuration files is what is supposed to be there? Did a hacker break in and add some entries? Did a system administrator accidentally change a file? Did a security administrator make a mistake when modifying multiple lines in a firewall policy? And how do you easily restore what should be there?

File integrity analysis tools, like AIDE, Samhain and Tripwire, can be configured to let you know that a file has changed, but they don't correct the change.

Version control systems, like RCS, CVS and SVN, give you the ability to see when changes were made to a file and what changes were made at those times. You can easily roll back to a prior version of a file if needed.

System configuration automation tools like cfengine and Puppet allow you to define configurations for specific servers, or classes of servers, and ensure that the related software and configuration files exist on the servers and are the correct versions. If someone manually edits a configuration file on one of the servers and changes it from the expected contents, cfengine and Puppet can detect the change and restore the correct file contents from an associated version control system repository.
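The detect, diff and restore cycle described in the three paragraphs above, as a small added example (not code from cfengine, Puppet or this diary). The `repo` directory stands in for a version-control checkout of approved files; the function names, file names and file contents are constructed for illustration.

```python
import difflib
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_and_restore(repo_dir: Path, live_dir: Path, restore: bool = True) -> dict:
    """Return {name: unified diff} for each live file that differs from the
    approved copy in repo_dir (a stand-in for a version-control checkout)."""
    drift = {}
    for approved in sorted(p for p in repo_dir.rglob("*") if p.is_file()):
        rel = approved.relative_to(repo_dir)
        live = live_dir / rel
        if live.is_file() and sha256(live) == sha256(approved):
            continue  # deployed file matches the approved version
        current = live.read_text().splitlines() if live.is_file() else []
        drift[str(rel)] = list(difflib.unified_diff(
            approved.read_text().splitlines(), current,
            fromfile=f"approved/{rel}", tofile=f"live/{rel}", lineterm=""))
        if restore:  # put the approved contents back, as the automation tools do
            live.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(approved, live)
    return drift


def demo():
    """Constructed sample data: one file hand-edited, one untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, live = Path(tmp, "repo"), Path(tmp, "live")
        repo.mkdir()
        live.mkdir()
        (repo / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (repo / "motd").write_text("Authorized use only\n")
        (live / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (live / "motd").write_text("Authorized use only\n")
        first = check_and_restore(repo, live)   # detects and repairs the edit
        second = check_and_restore(repo, live)  # second pass finds nothing
        return first, second, (live / "sshd_config").read_text()


if __name__ == "__main__":
    first, second, restored = demo()
    for name, diff in first.items():
        print(f"DRIFT {name}", *diff, sep="\n")
    print("after restore:", second or "no drift")
```

Calling `check_and_restore(..., restore=False)` gives the report-only behaviour of a file integrity tool; the diff it returns is the record of what was changed before the approved contents were put back.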

We use Kickstart to build all our new Linux servers, quickly and repeatedly with our standard minimal footprint, and then we use Puppet to install the specific software required for that server, be it a web server, database server, VPN gateway, or other.

The tools listed above are predominantly for Linux servers, and most are open-source; this happens to be the environment that I work in and am most familiar with.

What are other version control systems or system configuration automation tools that you use in your environments?  Send in answers and I'll update this diary with people's responses.

David Goldsmith
SANS / ISC Handler


Comments

We are exploring change detection products like Tripwire, and we've spoken to two other vendors who offer competing products: SolidCore and NetPro. We hope to choose one later this year from among those 3 (or more) vendors. Our initial motive was to detect unauthorized change to reinforce change management policies. But we are learning that there is overlap between change auditing tools available and Intrusion Detection Systems and Intrusion Prevention Systems. So we may expand the requirements of our search.
