553 research outputs found

    Configuration Tools: Working Together

    Since the LISA conferences began, the character of a typical "large installation" has changed greatly. Most large sites tended to consist of a comparatively small number of handcrafted "servers" supporting a larger number of very similar "clients" (which would usually be configured with the aid of some automatic tool). A modern large site involves a more complex mesh of services, often with demanding requirements for completely automatic reconfiguration of entire services to provide fault-tolerance. As these changes have happened however, the tools available to provide configuration management for a site have not evolved to keep pace with these new challenges. This paper looks at some of the reasons why configuration tools have failed to move forward, and presents some suggestions for enabling the state of the art to advance. Background and Motivation Configuration Tools have been an important theme at LISA for many years, and most conferences include one or more papers in this area. Despite increasing recognition of the importance of the configuratio

    A sustainable model for ICT capacity building in developing countries

    System administrators are often asked to apply their professional expertise in unusual situations, or under tight resource constraints. What happens, though, when the “situation” is a foreign country with only basic technical infrastructure, and the task is to build systems which are able to survive and grow in these over-constrained environments? In this paper we report on our experiences in two very different countries – Cuba and Ethiopia – where we ran a number of ICT projects. In those projects we assisted local universities to upgrade their ICT infrastructure and services. This included skills and process building for local system administrators. Based on our experiences we formulate a model for sustainable ICT capacity building. We hope this model will be useful for other organizations doing similar projects

    ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems

    We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%

    Toward Broad-Spectrum Autonomic Management


    A Review of the Literature on Configuration Management Tools

    Configuration management tools help administrators in defining and automating system configurations. With cloud computing, host numbers are likely to grow. IaaS (infrastructure as a service) offerings with pay-per-use pricing models make fast and effective deployment of applications necessary. Configuration management tools address both challenges. In this paper, the existing research on this topic is reviewed comprehensively. Readers are provided with a descriptive analysis of the published literature as well as with an analysis of the content of the respective research works. The paper serves as an overview for researchers who are new to the topic. Furthermore, it serves to identify work related to an intended research field and identifies research gaps. Practitioners are provided with a means to identify solutions to their organizational problems

    A potpourri of system configuration concepts

    For many reasons, large and small installations of computers can benefit from Automated Configuration Management tools. All the processes from installation, configuration, to maintenance and updating the computers can benefit from automation for the following reasons. * Consistency across all the machines. * Timeliness in maintenance and updates * Simplify the process through the use of declarative instructions. Meanwhile in software configuration management, they are examining the problems of identifying, controlling, monitoring and verifying changes in software development projects. To complicate matters, some of the reasons for software configuration management * Consistency in the source code. * Timeliness in updates to the project members so that they have what is needed. * A need to simplify documentation and development of complex projects. Subsequently, the purpose of this thesis is to understand how concepts from Software Configuration Management can aid the development of the field of System Configuration. To achieve this purpose, this thesis will start with an examination of the similarities between SCM and System configuration. This will be followed by an examination of different key concepts in System Configuration and the following three different tools that have taken different approaches to the problem. * Cfengine * ISconf * LSconf With an understanding of how System Configuration and SCM are similar and an understanding of many of the major concepts in System Configuration, the next step is to examine some of the differences between the two fields. From there, it should be possible to see how some concepts from SCM could be applied to System Configuration. It should also be possible to examine concepts from System Configuration that could be applied to SCM

    Towards a high-level machine configuration system

    This paper presents a machine configuration system which stores all configuration parameters in a central "database". The system is dynamic in the sense that machines reconfigure themselves to reflect any changes in the database whenever they are rebooted. The use of a central database allows configurations to be validated, and correct configurations to be automatically generated from policy rules and high-level descriptions of the network. A permanent record of every machine configuration is always available and the system is extensible to handle configuration of new subsystems in a modular way. The paper includes a review of previously published work and common techniques for cloning and configuring workstations

    Identifying Native Applications with High Assurance

    The work described in this paper investigates the problem of identifying and deterring stealthy malicious processes on a host. We point out the lack of strong application identification in mainstream operating systems. We solve the application identification problem by proposing a novel identification model in which user-level applications are required to present identification proofs at run time to be authenticated by the kernel using an embedded secret key. The secret key of an application is registered with a trusted kernel using a key registrar and is used to uniquely authenticate and authorize the application. We present a protocol for secure authentication of applications. Additionally, we develop a system call monitoring architecture that uses our model to verify the identity of applications when making critical system calls. Our system call monitoring can be integrated with existing policy specification frameworks to enforce application-level access rights. We implement and evaluate a prototype of our monitoring architecture in Linux as device drivers with nearly no modification of the kernel. The results from our extensive performance evaluation show that our prototype incurs low overhead, indicating the feasibility of our model