Gentoo Forums
Configuration Baseline - Sarbanes-Oxley
marly
n00b


Joined: 07 Aug 2003
Posts: 8

Posted: Thu Jun 16, 2005 2:26 am    Post subject: Configuration Baseline - Sarbanes-Oxley

I have a few Gentoo boxes that fall under Sarbanes-Oxley and I'm required to follow change management on those boxes. So in a nutshell, anything and everything that changes on the box needs to be recorded for what changed, when, and why.

What I need to do is have a baseline configuration documented which is fairly easy to do. I can just run a qpkg -I -v which will display the packages installed and their current version.

Then when I run emerge -av world it says for example, sys-apps/grep-2.5.1-r7 will be upgraded from 2.5.1-r6. This works out great again, because for evidence I will be required to say, "On such and such date, grep was upgraded from 2.5.1-r6 to 2.5.1-r7". (I love how under SarBox you're guilty until proven innocent, but anyway...) So I'm 90% there for change management.

Now that I have upgraded maybe 10 or 15 packages for whatever reason, there may be configuration changes in /etc/ or /etc/init.d for whatever reason. Maybe someone just wanted to change the copyright date or whatever, but it still falls under change management.

I was thinking of using some sort of CSV for this purpose, to track the file changes (I normally just leave a few backup versions for "just in case" but I need to keep these changes for pretty much ever). So for example say "/etc/issue.logo" changes I can say, "Well, on such and such date, /etc/issue.logo was this, and it changed to that, and then to this and so on".

Has anyone else run into a similar situation yet? There must be some type of good way to track changes on the system sort of automatically without me having to spend 90% of my time writing down the changes which no one will ever look at.

How do bigger companies handle changes to the system with more than one Admin running the system? I'm sure if there's five admins for a box they don't just make changes without telling anyone.

Any ideas or helpful pointers in the right direction would be helpful.

Thanks,
marly

PS.
I used files like “issue.logo” and “grep” to point out how stupid this is. :) I’m sure me changing my /etc/issue.logo will impact my company's financial statements in some way.

Thanks Enron!
adaptr
Watchman


Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

Posted: Thu Jun 16, 2005 7:41 pm    Post subject:

Quote:
There must be some type of good way to track changes on the system sort of automatically without me having to spend 90% of my time writing down the changes which no one will ever look at.

There is.
Code:
emerge rcs

and use dispatch-conf instead of etc-update in the future; this will do automatic versioning for everything in /etc, recoverable with rcs or any other tool that can handle its file format (normal diff AFAIK)
Check the main site on how to set this up.

Quote:
How do bigger companies handle changes to the system with more than one Admin running the system? I'm sure if there's five admins for a box they don't just make changes without telling anyone.

cfengine, but be warned - easy it ain't ;-)
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
marly
n00b


Joined: 07 Aug 2003
Posts: 8

Posted: Fri Jun 17, 2005 1:51 am    Post subject:

adaptr wrote:
Quote:
There must be some type of good way to track changes on the system sort of automatically without me having to spend 90% of my time writing down the changes which no one will ever look at.

There is.
Code:
emerge rcs

and use dispatch-conf instead of etc-update in the future; this will do automatic versioning for everything in /etc, recoverable with rcs or any other tool that can handle its file format (normal diff AFAIK)
Check the main site on how to set this up.

Quote:
How do bigger companies handle changes to the system with more than one Admin running the system? I'm sure if there's five admins for a box they don't just make changes without telling anyone.

cfengine, but be warned - easy it ain't ;-)


Thanks for your help, looks like dispatch-conf and rcs will work out great. cfengine looks very interesting. :)

If anyone has any other ideas, I'd be happy to hear them. :)
All times are GMT