Re: [nycbug-talk] A couple of security related questions

Tillman Hodgson tillman
Tue Oct 5 15:57:28 EDT 2004


On Tue, Oct 05, 2004 at 01:15:08PM -0400, George Georgalis wrote:
> Which is a decent segue to my present issues.
> 
> first off I'm thinking to use CVSup and unison [1] to resolve.
> 
> Three problems,
> 1) for the purpose of NFS, sync /etc/passwd, group and mount points.
> 2) get "root read only" (and other ownership/perms) files from golden
>    box to production.

These two I can take a crack at with some pretty simple architecture,
not up to cfengine snuff but "good enough", assuming that "mount points"
means "/etc/fstab" ;-)

Use rcp and push the critical files from a golden master. No, seriously:
Kerberized rcp is secure, the data session is encrypted (with the '-x' switch),
and it can be easily automated from cron with the use of a keytab on the
golden master in place of a password (without needing to deal with the
mess of putting matching keys on all the client machines). Push is
better than pull in this sort of situation simply because failure
detection and resolution are centralized.

The script, running on the golden master, can contain all kinds of
safety checks and can email details of inconsistencies to your cell
phone or whatever you use for notifications. Heck, if you use something
like rt3 to track problems you can have the script create a trouble
ticket for you and dump details into the ticket automatically.

You can also use mtree to check ownership/permissions and reset them if
necessary. The mtree master file can be rcp'ed in from a golden master
(and should be, as a local copy is vulnerable to tampering).

On the golden master use RCS or non-networked Subversion (local
repository) to track changes to config files that are being pushed out.

Oh, ok, scp with rsa keys would also work. But key management is a pain,
and I'm a Kerberos nut ;-)

-T


-- 
"Waking a person unnecessarily should not be considered a capital crime.
 For a first offense, that is."
    -- Robert Heinlein
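The push architecture described above (keytab-based kinit from cron, Kerberized rcp with -x, pre-push safety checks, mtree verification with the spec pushed rather than kept locally), as an added example that is not code from the original post. All principals, paths and host names in it are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: push critical files from the
# golden master to each client with Kerberized rcp, then verify ownership
# and permissions on the client with mtree. All names below are assumed.
PRINCIPAL="push/golden.example.org"      # assumed service principal
KEYTAB="/var/db/golden/push.keytab"      # assumed keytab, root-readable only
SPEC="/var/db/golden/etc.mtree"          # assumed mtree spec built on the golden box
HOSTS="/var/db/golden/hosts"             # assumed: one client hostname per line
FILES="/etc/passwd /etc/group /etc/fstab"
ALERT_TO="root"

# Ticket from the keytab: cron needs no password, clients need no keys.
get_ticket() { kinit -k -t "$KEYTAB" "$PRINCIPAL"; }

# Safety check before a file leaves the golden master: it must be non-empty,
# and passwd must still have a root entry, so a truncated file is caught
# centrally instead of being pushed to every box.
precheck() {
    f="$1"
    [ -s "$f" ] || return 1
    case "$f" in
        */passwd) grep -q '^root:' "$f" || return 1 ;;
    esac
    return 0
}

# rcp -x encrypts the data session; -p preserves mode and timestamps.
push_file() { rcp -x -p "$1" "root@$2:$1"; }

# Push the spec too (a copy left on the client could be tampered with),
# then have mtree compare /etc against it; any output is a discrepancy.
verify_host() {
    rcp -x -p "$SPEC" "root@$1:/var/db/etc.mtree" &&
    rsh -x "$1" "mtree -f /var/db/etc.mtree -p /etc"
}

main() {
    get_ticket || { echo "kinit failed" | mail -s "push: no ticket" "$ALERT_TO"; exit 1; }
    for f in $FILES; do
        precheck "$f" || { echo "$f failed precheck, push aborted" |
            mail -s "push: precheck failed" "$ALERT_TO"; exit 1; }
    done
    while read -r host; do
        for f in $FILES; do push_file "$f" "$host"; done
        # mail -E (BSD mail) drops the message when mtree reports nothing.
        verify_host "$host" 2>&1 | mail -E -s "push: mtree drift on $host" "$ALERT_TO"
    done < "$HOSTS"
}

# Only push when invoked as "push.sh run"; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then main; fi
```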
