Configuration Best-Practices Auditor
I have seen a lot of ASG systems out there, which have use a insecure or not (possible) optimal configuration in ASG. Some other manufacturers will bring up while configuration already a warning, when a setting may affect system security.
It would be nice to have a possibility to start a basic system configuration checker, which will check the configuration against some "best practice" recommendations and generate a little audit report with found issues, a small explanation and a recommendation to make it better.
Issues could be (to list some...)
- inappropriate configured proxies with access from ANY networks
- Webadmin Access or SSH access from ANY Networks
- Packetfilter rules from internal networks to Internet with ANY Service allowed
- Exceptions that may affect Security Services as IPS or AFC (as exclude source internal networks from IPS...or similar)
- Anti Portscan not activated
- Insecure passwords for users
- no FQN name set for SMTP proxy
- no BATV secret set for SMTP proxy
and so on...
I like the way Microsoft picks up this issue: They have a so called Best Practice Analyzer for many products which check various configurations against rules. This rules are updated regularely and contain misconfigurations as well as performance problems.
david haman commented
From an IT Management and Security Director standpoint this makes the most sense to me. This would also give ASG a huge leg up on the competition out there.
david haman commented
i also think there should be better hardware compaibility for the asg user who wishes tio run on a spare pc, i currently run on an Intel pentioum D 3.4 W/ 2gb ram, but had many issues trying to run asg on any amd x2 chip set, installation failed on a sb740 chipset, aswell as a nvidia 6100 chipset mp-bios bug 8254
Bob Alfson commented
This is a great idea to mix with the one about being able to print out the configuration. What a great tool for tech support! My wife wrote a "sysinfo" script for IBM AIX boxes so she can get a quick look at what's happenning when people need help.
An Astaro "Auditor" program would be much better than the raw information one gets from 'Config dump'.
Practically speaking, there are some well-know mistakes that can be made, and some already receive warnings in WebAdmin. I suspect there are many more one could check for if one weren't concerned about mucking up the programming in the product.