
You are reading Part 29 of the 57-part series: Harden and Secure Linux Servers. [Level 3]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation.

To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

Configuration drift occurs when system settings, security policies, or application configurations deviate from their intended secure baseline. These deviations can lead to:

Security vulnerabilities – Unintended changes may introduce exploitable weaknesses.
Compliance failures – Systems may no longer align with security policies (e.g., PCI-DSS, HIPAA).
Operational issues – Unauthorized changes can cause system instability or failures.

By automating configuration monitoring, you ensure your servers remain secure and compliant over time.

How to Monitor and Prevent Configuration Drift

1. Use Configuration Management Tools to Enforce Baselines

Tools like Ansible, Puppet, and Chef allow you to define and maintain a secure configuration state.

Ansible Example – Enforcing SSH Security Policies:

  1. Install Ansible:

    sudo apt install ansible -y  # Debian/Ubuntu
    sudo yum install ansible -y  # CentOS/RHEL
  2. Create a Playbook to Enforce SSH Security (save it as ssh_security.yml):

    - name: Enforce SSH Security
      hosts: all
      become: true
      tasks:
        - name: Disable root login
          lineinfile:
            path: /etc/ssh/sshd_config
            regexp: '^#?PermitRootLogin'
            line: 'PermitRootLogin no'
            validate: '/usr/sbin/sshd -t -f %s'   # reject the edit if sshd cannot parse it
          notify: Restart SSH service
      handlers:
        - name: Restart SSH service   # runs only when the file actually changed
          service:
            name: sshd   # the unit is called 'ssh' on Debian if 'sshd' is not recognised
            state: restarted
    
  3. Run the Playbook to apply and enforce settings:

    ansible-playbook ssh_security.yml
    
2. Detect Configuration Drift with Security Auditing Tools

Regularly audit system configurations to identify unauthorized changes.

Use Lynis to Detect Configuration Deviations:

  1. Install Lynis:

    sudo apt install lynis -y
    
  2. Run a system security audit:

    sudo lynis audit system
    
  3. Review security recommendations and drifts in system configurations.

Use diff to Compare Configuration Files:
Track changes in critical configuration files:

diff -u /etc/ssh/sshd_config /backup/sshd_config

(This checks if /etc/ssh/sshd_config has changed from its backed-up version.)

Automate Configuration Checks with a Cron Job:
Schedule periodic configuration integrity checks:

crontab -e

Add:

0 2 * * * diff -u /backup/sshd_config /etc/ssh/sshd_config > /tmp/sshd_drift.txt || mail -s "SSH Config Changes" admin@example.com < /tmp/sshd_drift.txt

(Runs every night at 2 AM. diff exits non-zero only when the files differ, so the report is mailed only when drift is found; piping diff straight into mail would send an empty message every night.)
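The same baseline-copy idea as the diff and cron steps above, extended to any number of files and to missing files, as an added example that is not part of the original post (the mirror directory and file names are hypothetical):

```sh
#!/bin/sh
# Added example, not from the original post. Keeps a baseline copy of each watched
# config file under a mirror directory (like /backup above, but one mirror for many
# files) and reports every file that changed or went missing, with a unified diff.
# Exit status 0 = no drift, 1 = drift found, so a cron job can mail the output only
# when drift is found. Directory and file names below are hypothetical.

# drift_baseline <mirror_dir> <file>...  snapshot the current files as the baseline
drift_baseline() {
    mirror="$1"; shift
    for f in "$@"; do
        mkdir -p "$mirror$(dirname "$f")"
        cp -p "$f" "$mirror$f"
    done
}

# drift_check <mirror_dir> <file>...  compare live files against the baseline copies
drift_check() {
    mirror="$1"; shift
    rc=0
    for f in "$@"; do
        if [ ! -f "$mirror$f" ]; then
            printf 'NO-BASELINE %s\n' "$f"; rc=1
        elif [ ! -f "$f" ]; then
            printf 'MISSING %s\n' "$f"; rc=1
        elif ! cmp -s "$mirror$f" "$f"; then
            printf 'CHANGED %s\n' "$f"
            diff -u "$mirror$f" "$f"   # '-' lines are the baseline, '+' lines are live
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed files in a temporary directory; no real system files are touched.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/etc"
    printf 'PermitRootLogin no\n' > "$work/etc/sshd_config"
    drift_baseline "$work/baseline" "$work/etc/sshd_config"
    printf 'PermitRootLogin yes\n' > "$work/etc/sshd_config"   # simulate drift
    drift_check "$work/baseline" "$work/etc/sshd_config"
    status=$?
    rm -rf "$work"
    return $status
}
```

Run demo to see a CHANGED report for the constructed file; from cron, a line such as drift_check /backup /etc/ssh/sshd_config /etc/sudoers followed by a mail on non-zero exit gives the same alert-only-on-drift behaviour for every watched file.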

3. Set Up File Integrity Monitoring (FIM) for Configuration Files

  1. Install AIDE (Advanced Intrusion Detection Environment):

    sudo apt install aide -y
    
  2. Initialize the AIDE database:

    sudo aideinit
    sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
    
  3. Run a configuration check manually:

    sudo aide --check
    
  4. Automate periodic integrity checks:

    sudo crontab -e

    Add:

    0 3 * * * /usr/bin/aide --check
    
Best Practices for Managing Configuration Drift

Maintain a "golden image" of secure configurations to compare against live systems.
Use Git or version control to track configuration changes (for example with etckeeper, which keeps /etc in a Git repository so that git diff /etc/ssh/sshd_config shows exactly what changed).
Log and monitor configuration changes (/var/log/audit.log).
Automate drift detection and alerting with tools like OSSEC, Wazuh, or Splunk.

By monitoring configuration drift, you detect unauthorized changes, enforce security policies, and ensure compliance—keeping your Linux servers secure and stable.
