JP Vossen on 30 Mar 2008 13:35:45 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Compare servers


> Date: Sat, 29 Mar 2008 22:07:36 -0400
> From: "Mag Gam" <magawake@gmail.com>
> Subject: Re: [PLUG] Compare servers
> 
> Thanks for the response Dan. Yes, cluster as HA. I want to compare things
> such as passwd, groups, network settings, etc..etc..

Tripwire (or better yet, other, new clones) are a Good Idea in general, 
but may be overkill for this purpose.  Here are several possible solutions.

_Classic Shell Scripting_ (http://www.oreilly.com/catalog/shellsrptg/) 
"8.2 Automating Software Builds" pages 192-222 has an *excellent* 
treatment of this issue, albeit from the slightly different perspective 
of automating software builds on multiple machines.  See 
./sh/build-all.sh in 
http://examples.oreilly.com/shellsrptg/css-2005-06-11.zip.

http://www.stearns.org/fanout/	Run commands on remote machines 
simultaneously

http://sourceforge.net/projects/clusterssh/	ClusterSSH controls a number 
of xterm windows via a single graphical console window to allow commands 
to be interactively run on multiple servers over an ssh connection.

http://www.linux.com/articles/52131	Execute commands simultaneously on 
multiple servers (excerpted from Linux Server Hacks, Volume Two)
http://expect.nist.gov/example/multixterm.man.html	multixterm - drive 
multiple xterms separately or together

OR, you could just roll your own using a trivial script with SSH.  You'd 
need to set up SSH keys so the command could access the other machines 
without a password [1], then perhaps do something like:

# ssh root@server1 'md5sum /etc/passwd /etc/group; netstat -rn' \
    > /some/path/server1.new
ffbf549c354e2ca10077424946594683  /etc/passwd
8a536258fb9edcd2d9d0b6a1f59c4851  /etc/group
Kernel IP routing table
Destination  Gateway       Genmask        Flags  MSS Window  irtt Iface
192.168.99.0 0.0.0.0       255.255.255.0  U        0 0          0 eth0
0.0.0.0      192.168.99.1  0.0.0.0        UG       0 0          0 eth0

Add to the SSH command as needed.  Then you can diff "server1.new" 
against "server1.old" or against some known/desired values, or whatever. 
  Or possibly have some cron job on each machine that dumps the correct 
files and output--possibly with per machine tweaks as needed to 
normalize the data--someplace, then share it via NFS/http/SSH and 
analyze it on the master machine periodically.  Lots of possibilities... :-)


[1] The SSH book covers using SSH without a password, as do I in _bash 
Cookbook_ in "14.21 Using SSH without a Password" pages 308-216.  I use 
the SSH Agent with the "keychain" script and SSH keys.  It's tedious but 
not really difficult to set up and get working, but once you do it's 
pretty cool and about as secure as you're going to get right now.


> Also, is tripwire actively being developed?

IIRC, the free/open source version is not, though 
http://www.tripwire.com/products/enterprise/ost/compare.cfm is unclear 
on that point.

As mentioned there are lots of newer clones:

http://www.la-samhna.de/library/scanners.html	File Integrity Checker 
comparison
http://la-samhna.de/samhain/index.html	Open Source file integrity 
checker and HIDS
http://www.cs.tut.fi/~rammer/aide.html	GNU Tripwire clone (UNIX only)
http://integrit.sourceforge.net/	Simpler alternative to file integrity 
verification programs like tripwire and aide
http://osiris.shmoo.com/	A Tripwire clone for Windows or Unix (w/ 
Windows installer)
http://www.ossec.net/	OSSEC is an Open Source Host-based Intrusion 
Detection System. It performs log analysis, integrity checking, Windows 
registry monitoring, rootkit detection
http://www.pedestalsoftware.com/	Security products, SCM/KSA superset, 
others.  Cool!
http://www.freeveracity.org/	DISCONTINUED. A FREE, client/server 
integrity checker


Of related interest is this giant DB of hashes from "known" OS files:
http://www.nsrl.nist.gov/	NIST National Software Reference Library (NSRL)

I'd love to see this used as part of a malware detection tool.  I was 
toying with trying to write one in Perl, my my copious spare time (ha!) 
or for my next book.

Good luck,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug