How do you know if what is in various configuration files is what is supposed to be there?  Did a hacker break-in and add some entries?  Did a system administrator accidentally change a file?  Did a security administrator make a mistake when modifying multiple lines in a firewall policy?  And how do you easily restore what should be there?

File integrity analysis tools, like Aide, Samhain and Tripwire can be configured to let you know that a file has changed but they don't correct the change.

Version control systems, like RCS, CVS and SVN, give you the ability to see when changes where made to a file and what changes were made at those times.  You can easily rollback to a prior version of a file if needed.

System configuration automation tools like cfengine and Puppet allow you to define configurations for specific servers, or classes of servers, and ensure that the related software and configuration files exist on the servers and are the correct versions.  If someone edits a configuration file manually on one of the servers and changes it from the expected contents, cfengine and puppet can detect the change and restore the correct file contents from an associated version control system repository.

We use Kickstart to build all our new Linux servers, quickly and repeatedly with our standard minimal footprint and then we use Puppet to  install the specific software required for that server, be it a web server, database server, VPN gateway, or other.

The tools listed above are predominantly for Linux servers, and most are open-source; this happens to be the environment that I work in and am most familiar with.

What are other version control systems or system configuration automation tools that you use in your environments?  Send in answers and I'll update this diary with people's responses.

David Goldsmith
SANS / ISC Handler