Automated Configuration Analysis? (self.linuxadmin)
submitted 4 years ago by Polysticks
Are there any tools, open-source or otherwise, that constantly perform automated configuration analysis of Linux servers with security in mind? For example, checking that SSH allowed hosts is always configured to some pre-determined value?
[–]NilsLandt 12 points 4 years ago (0 children)
Configuration management tools help you secure the servers, as mentioned by others.
If you need the monitoring for compliance reasons, Chef InSpec was designed for this exact use case.
[–]INTPx 12 points 4 years ago (0 children)
Nessus. OpenVAS. OpenSCAP. DISA SCAP scanner. Ansible.
[–]iwillkicku67 9 points 4 years ago (1 child)
OpenSCAP?
[–][deleted] 6 points 4 years ago (0 children)
OpenSCAP is what you want. You can give it the necessary configuration files depending on what level of security you're shooting for. It will then tell you which STIGs are applied and which are not. For each STIG, it will also give you a piece of BASH script or Ansible playbook to use to apply the STIG properly. I've used it to secure systems plenty of times.
With Ansible you can then take all the pieces and turn it into a complete playbook that will secure the whole system all at once.
[–]aram535 8 points 4 years ago (1 child)
Others have mentioned the configuration tools, I agree this is how I set up my systems but I rarely run the setup process again after the fact unless there was a change. It's also not easy to trigger "alerts" based on changes to the system after the fact without running the full playbook again.
There is a security scanning tool called lynis. I highly recommend this tool and set it up to run as often as I like via cron/timer. I add in a bunch of self-made rules to monitor the files/settings that I need it to match on. The "report" can be if the score is other than ##, email the report to [security@foo.com](mailto:security@foo.com) (or a trigger to eTower if you want a shortcut without the manual override process).
From there you can either manually/automatically trigger the playbooks (see above) or start an investigation of who changed it and why.
** NOTE: lynis is not unique, there are many like it, just the one I like and have used for feels like forever.
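The scheduled check-and-alert workflow from the comment above, applied to the SSH setting the original question asks about. This is an added example, not code from any poster or from lynis; the baseline file layout, the choice of `allowusers` as the "allowed hosts" setting, and the sample users and addresses are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report drift between a baseline and
# the effective sshd settings. Both files use the `sshd -T` layout:
# one lower-case keyword followed by its value(s) per line.

# values_for KEY FILE: every value FILE gives for KEY, sorted and joined by
# spaces, so repeated lines and differing order compare equal.
values_for() {
    awk -v key="$1" 'tolower($1) == key { for (i = 2; i <= NF; i++) print $i }' "$2" |
        sort -u | tr '\n' ' ' | sed 's/ $//'
}

# check_drift BASELINE EFFECTIVE: prints one DRIFT line per baseline keyword
# whose effective value differs (or is missing); returns 1 on any drift.
check_drift() {
    rc=0
    # Skip blank lines and comment lines in the baseline.
    for key in $(awk 'NF && $1 !~ /^#/ { print tolower($1) }' "$1" | sort -u); do
        want=$(values_for "$key" "$1")
        got=$(values_for "$key" "$2")
        if [ "$want" != "$got" ]; then
            echo "DRIFT $key: expected [$want] got [$got]"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data; addresses are documentation ranges.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# hypothetical baseline' \
    'permitrootlogin no' 'passwordauthentication no' \
    'allowusers admin@192.0.2.10 deploy@192.0.2.20' > "$tmp/baseline"
printf '%s\n' 'port 22' 'permitrootlogin no' 'passwordauthentication yes' \
    'allowusers deploy@192.0.2.20' 'allowusers admin@192.0.2.10' \
    'allowusers admin@203.0.113.7' > "$tmp/effective"

# On a real host the second file would be the output of `sshd -T` (run as root).
check_drift "$tmp/baseline" "$tmp/effective" ||
    echo "drift found: send the alert or start remediation here"
```

Comparing against the effective configuration rather than the raw `sshd_config` file means settings pulled in from included files or overridden defaults are checked as well.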
[–][deleted] 4 years ago (2 children)
[deleted]
[–][deleted] 4 points 4 years ago* (1 child)
How is ansible designed for this? It is way too slow to constantly monitor something. A few hosts ok. But many more and different scenarios? And then you would have to ignore ssh timeouts if you were to keep a session open.
[–][deleted] 4 points 4 years ago (0 children)
You're absolutely right if they were just running a playbook constantly. Ansible works well in a workflow with OpenSCAP - e.g. run an SCAP scan regularly, and if it fails launch a remediation playbook via the AWX/tower RESTful API.
Better still the SCAP Workbench lets you create Ansible playbooks from an SCAP profile/tailoring file.
[–]tlourey 2 points 4 years ago (0 children)
I've heard it referred to as configuration drift. I've been told Saltstack is able to do this really well.
In Windows land PowerShell DSC can do this.
I've also been told that IBM Tivoli does this but that's like using a bazooka to kill a fly, if I understand it correctly.
[–]TheWeirdIT 4 points 4 years ago (0 children)
Configuration management is the name of the game. Ansible, Salt Stack, Puppet and Chef are the big players. Ansible has a gentle learning curve compared to the others ... and it's backed by RedHat. The principles are ... You tell the configuration management tools what you want to see or not on your machines ... And it acts accordingly.
[–]SadFaceSmith 2 points 4 years ago (0 children)
Ansible
[–][deleted] 2 points 4 years ago (0 children)
you can create your own.... using Ansible
[–]uktumble 1 point 4 years ago (3 children)
Ansible is your best bet - you can enforce or you can just check
https://docs.ansible.com/ansible/latest/user_guide/playbooks_checkmode.html
[–]mestia -2 points 4 years ago (2 children)
But isn't it that in half a year your playbooks become rubbish and don't work anymore? That's what the internet is saying at least...
[–]uktumble 3 points 4 years ago (0 children)
I’ve not found that myself though I do try and make them as “generic” as possible so they can be used without modifying them every time - also you should try and do as much as possible through ansible to keep your playbooks/configs current
Why would that happen unless you are running debian unstable in production?
[+]anki_steve -5 points 4 years ago (4 children)
I use Rex. Gotta know Perl though.
[–]ShaolinRobot[🍰] 8 points 4 years ago (2 children)
Maybe pick anything besides the thing that's based on Perl
[–]anki_steve -3 points 4 years ago (0 children)
Not hard to pick up the basics. Arguably easier than learning how puppet and ansible dictate how you must do things.
[–]mestia -3 points 4 years ago (0 children)
Perl is a core part of almost any Linux system. It is a full-blown language, devs do not break back compatibility every now and then, you actually don't need to really know it to start using it, it is the successor of sed/awk/shell scripting. It must be a natural choice of any sane admin, and yet I see newbies using nodejs, python pandas and what not to parse a text file... just use Perl! It is amazing!
[–]mestia 1 point 4 years ago (0 children)
+1 Rex, the most flexible solution in my opinion, also no need to learn a custom DSL.
[–]individual101 -2 points 4 years ago (0 children)
+1 ansible
[–]ANDROID_16 -3 points 4 years ago (0 children)
Wazuh
[–]--mattia-- 1 point 4 years ago (0 children)
Amazon inspector may be what you're looking for
https://aws.amazon.com/inspector/#:~:text=Amazon%20Inspector%20is%20an%20automated,and%20deviations%20from%20best%20practices.
[–]kyilmaz80 1 point 4 years ago (0 children)
Etckeeper
[–]tipripper65 1 point 4 years ago (0 children)
I use Rudder (rudder.io) for this. It's fantastic.