Friday, January 16, 2009

Damn that STiG looks ESXy!

Where I work, we are currently in the process of virtualizing two of our datacenters. Basically we're going to stand up our ESX hosts, and then P2V all of our production systems onto the new ESX hosts. Sounds simple (and actually it kind of is), but the tricky part is that we first have to lock down ESX according to the DISA STiGs, since our network is an accredited secure network. DISA provides you with a checklist of all the lockdown steps they require (which is great reading if you need a good nap, but if you're not inclined to do so I'll just tell you that they're quite extensive).

DISA usually provides you with a way to automate most of their lockdown procedures, but when it comes to ESX... no such luck. However, I am not alone in this conquest, and in fact there is a posting in the VMware Communities forums which discusses this topic. If you look at the posting you'll see a kind man by the name of Phillip Morrison has modified the given DISA Security Readiness Review Evaluation Script for Unix, wherever it is appropriate in regards to ESX (click here for more info). I want to give huge props to Phil and his colleague for putting their hard work into the shell script, as it really simplified much of this process. I basically followed his blog posting from here, although I also saw another posting of his where he mentioned that the ESX host has to be in maintenance mode before performing the secure lockdown (see here).

Wednesday, January 14, 2009

IntenseDebate added

I just installed IntenseDebate into this blog and intend on creating more posts this year than I did last year (which shouldn't be too hard). I am currently working on a project where I am trying to automate an ESX deployment in which all of the ESX hosts are locked down according to the DISA STiG, but more on that later.

Friday, October 17, 2008

Group Policy Manager 2.0

So where I work, we are in the process of completely rebuilding our Windows forest. Why, you may ask? Well, that's another story; let's just say we have had quite a few people come and go over the years and very little documentation of who did what and why throughout our Windows AD infrastructure. Anyways, one of my main tasks is organizing our current Group Policies, and then figuring out what gets migrated where. So I went looking at our policies and found that there were so many policies doing so many different things (something we sort of already knew), and found that we had over 149 group policies in the current domain. In the new domain we really want to simplify everything and implement change management so that we can easily see what we have at all times. So that said, ideally we would have only 5-10 policies in the new forest. So I am taking on the challenge of trying to figure out the best way to determine what we have, what's needed and where to put it. Needless to say, while it started off being pretty simple, I soon started to notice that the task was mundane and really pretty complex. I tried to think of the best way of documenting what we had so that we could figure out what to keep and what to throw away, and the idea I came up with was: how about a wiki? We already have Active Administrator from ScriptLogic, which is a great product, but for what I was trying to do it didn't really help. Next came the trusty old GPMC, which is also a great product (especially for being free), but it too didn't really have what I was looking for. It did, however, have a great COM library which I could tap into to pull information about our policies, like the GenerateReportToFile method.

Enter the Wiki
Well, I now had a way to get my information out of AD; now I just needed a way of managing what I had. I needed some sort of wiki site manager, and I decided to go with Dokuwiki, which I had previously installed for another documentation project I had. I really loved how simple it was to install and maintain, and thought that it was a great fit since there were tagging, discussion, and blogging modules, which is really what I wanted (another plus was the easy LDAP integration for the user login). So I exported all of the group policies in HTML format and started to input the information into the wiki, but I quickly found out that the process of exporting each one and then stripping out all the unnecessary info to then import into the wiki seemed to get crazy. So I decided to try to automate the process with a vbscript which parsed each of the HTM files, but quickly realized that this solution was getting crazy because the information in each of the files wasn't in the same place. I really wished Microsoft exported the information in XHTML format, but I guess that would be too much to ask. So I then decided to export each of the policies into an XML format instead, where it would be easier to then parse out the necessary information from each of the policies. The XML files ended up having a tremendous amount of namespace information included in each of the files, which made it almost impossible to parse anything out of them (at least when using XPath queries, which is all I know when it comes to XML). Luckily my good old friend Steve helped me out by showing me that I could remove this namespace stuff and then the XPath queries would work. I quickly wrote a vbscript function that opened each of the XML files and then rewrote them, stripping out all of the namespace information. Next I worked on a script which ran all of the XPath queries to export all of the necessary information into the dokuwiki syntax, where I could then easily copy and paste all of the info into the wiki. Once it was all posted I had a website which was completely searchable and taggable, and each policy had a discussion area where we could easily discuss its ultimate demise in the new forest.
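The namespace-stripping and export step described above, sketched in Python rather than the VBScript the post used. This is an added example, not the author's script; the sample report is a constructed, simplified stand-in for a GPMC XML export, and its element names and namespace URIs are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample in the general shape of a GPMC XML report
# (assumed layout; a real export carries many more namespaced sections).
SAMPLE_REPORT = """<?xml version="1.0" encoding="utf-8"?>
<GPO xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Workstation Baseline</Name>
  <Computer>
    <Enabled>true</Enabled>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security"
                 xsi:type="q1:SecuritySettings">
        <q1:Account>
          <q1:Name>MinimumPasswordLength</q1:Name>
          <q1:SettingNumber>14</q1:SettingNumber>
        </q1:Account>
        <q1:Account>
          <q1:Name>LockoutBadCount</q1:Name>
          <q1:SettingNumber>3</q1:SettingNumber>
        </q1:Account>
      </Extension>
    </ExtensionData>
  </Computer>
</GPO>"""

def strip_namespaces(xml_text):
    """Parse a report and drop namespace qualifiers from tags and attributes."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for elem in root.iter():
        elem.tag = elem.tag.split("}", 1)[-1]  # '{uri}Name' -> 'Name'
        for key in list(elem.attrib):
            elem.attrib[key.split("}", 1)[-1]] = elem.attrib.pop(key)
    return root

def to_dokuwiki(root):
    """Render the policy name and account settings in DokuWiki syntax."""
    lines = ["====== %s ======" % root.findtext("Name"),
             "Computer settings enabled: %s" % root.findtext("Computer/Enabled"),
             "^ Setting ^ Value ^"]
    for acct in root.findall(".//Account"):
        lines.append("| %s | %s |" % (acct.findtext("Name"),
                                       acct.findtext("SettingNumber")))
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_dokuwiki(strip_namespaces(SAMPLE_REPORT)))
```

Run against the unmodified tree, the same unqualified query `.//Account` matches nothing, which is the failure the post describes before the namespaces were removed.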

Enter another beta project

So while the end result that I have is pretty good, it definitely has room for improvement. The tagging feature in Dokuwiki is pretty ugly, and I really don't like the wiki syntax requirement. So I think I am going to end up creating my own wiki website which makes the process much cleaner and more refined. The proof of concept is complete; now I just have to create my own website using my own custom language for my purpose (sounds easy huh, yeah right). I will probably end up writing the code with a mix of ruby and vbscript, but ultimately I want the end result to be a site which automatically gets updated each time a policy is changed. I also want to add the ability to subscribe to certain policies so that I can be notified each time a policy is changed, what was changed, and who changed it. Since it will be a wiki it will definitely have revision control, where I can easily see its history, and the ability to roll back to any point in time in its history. What do you guys think?

I found this comparison website for GPMC and Active Administrator; for anyone interested, see here: http://www.amtsoftware.com/Active-Administrator/docs/GPMC-vs-Active-Administrator
Ultimately I want the end project to have most of the features found in Active Admin but with a more web 2.0 look and feel.

Monday, October 22, 2007

The beastly AD

The network that I work on is currently having some replication problems in its Active Directory. I'm not talking about the built-in Windows replication, but instead a custom replication that we make between two different forests where there happens to be no trust established. We know the problem is linked back to the fact that the amount of data is too much for the synchronization process, and as a result the replication crashes our application which triggers the process. We also know that this is caused by the fact that we are not paging our replication request, but while our developers are working on fixing it I have had to find a workaround. My workaround involves running a scheduled task which goes through all of our accounts (about 1000) and changes their permissions, allowing for a small number (150 users) of them to be viewable during a replication. Then I cycle through which users are viewable between each replication cycle. It may seem like an ugly process, but I am all ears if you have anything better in mind.

Thursday, September 27, 2007

Who am I