Control, etc

You will sometimes find yourself looking at a Linux system, wondering why it suddenly started misbehaving. Did someone change a configuration file?

If you have no backups and no history of your /etc directory, you may be able to look at file modification times with ls -l, but an mtime only tells you that a file changed, not what changed, who changed it, or why. Failing that, you can hope that whoever made the change left a comment. Both of those options are lacking.

A better way

Use git to version-control your /etc directory. Git records an author, a timestamp and the exact delta for every commit, which is precisely what you need when tracing a configuration change.

However, how can you guarantee that “someone” remembers to run git commit every time they make a change? When there’s an IT emergency and everything is blowing up, it’s easy to forget little details like this.

[Image: Trinity test detonation. Source: Wikimedia]

Your automation helper

To make the commits automatic, use etckeeper. Recent Linux distributions package it: apt install etckeeper or yum install etckeeper. Besides a daily commit (from cron or a systemd timer, depending on the package), etckeeper hooks the package manager: it commits any pending changes before a package is installed or removed and commits the result afterwards, which covers the most common source of /etc churn.

To be certain things are working, check the repository after you install etckeeper: as root, run git log in /etc to see the history, and git status to see anything not yet committed. If there is no history, the repository has not been initialised yet; run etckeeper init and then etckeeper commit to record the initial state. Keep in mind that the repository lives in /etc/.git and holds a copy of every secret in /etc (shadow, host and service keys), so it must stay readable by root only, and pushing it to a shared remote is a bad idea unless those files have been excluded first.

The next time something inexplicably goes wrong on this system, you can compare the time the problem started with the commit timestamps in git log and check whether a configuration change is the culprit.
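To turn that check into something repeatable, the following script (an added example, not part of the original post and not etckeeper's own code) parses the output of git log -p, as produced for instance by git -C /etc log -p --since='2 hours ago', into per-commit lists of added lines, summarises which files each commit touched, and flags legacy ciphers and MACs that a commit added to sshd_config. The embedded sample input is the git log output shown in the next section; the set of algorithms the script treats as legacy (CBC-mode ciphers, 3DES, Blowfish, CAST-128, arcfour, and MACs based on SHA-1, MD5, RIPEMD-160 or a 64-bit UMAC tag) is the example's own assumption, not something the post or OpenSSH defines.

```python
"""Triage an etckeeper (git) history of /etc for a suspect configuration change.

Added example, not code from the original post or from etckeeper. It parses
`git log -p` output of the kind shown on this page, e.g. from
    git -C /etc log -p --since='2 hours ago'
and flags legacy SSH algorithms that a commit added to sshd_config.
"""
import re
import sys
from dataclasses import dataclass, field

# Sample input: the git log output shown on this page, embedded so the script
# runs offline. Pipe real `git log -p` output on stdin instead.
SAMPLE_LOG = """\
commit 3bd9eceaa45fc8884a2555925d55dbbffa845b3d
Author: kyoder <kyoder@trinity.greenfly.io>
Date:   Fri May 15 16:59:54 2020 -0400

    Disable sshnuke

diff --git a/ssh/sshd_config b/ssh/sshd_config
index bcf3ac1..61021da 100644
--- a/ssh/sshd_config
+++ b/ssh/sshd_config
@@ -121,3 +121,6 @@ Subsystem   sftp    /usr/lib/openssh/sftp-server
 #      AllowTcpForwarding no
 #      PermitTTY no
 #      ForceCommand cvs server
+
+ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
+macs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
"""

# What this script treats as legacy (an assumption of the example): CBC-mode
# ciphers, 3DES, Blowfish, CAST-128 and arcfour; MACs built on SHA-1, MD5 or
# RIPEMD-160, and the 64-bit UMAC tag.
WEAK_CIPHER_RE = re.compile(r"-cbc(@|$)|^3des-|^blowfish-|^cast128-|^arcfour")
WEAK_MAC_RE = re.compile(r"^hmac-(sha1|md5|ripemd160)|^umac-64")
WEAK_BY_KEYWORD = {"ciphers": WEAK_CIPHER_RE, "macs": WEAK_MAC_RE}


@dataclass
class Commit:
    sha: str
    author: str = ""
    date: str = ""
    message: str = ""
    added: dict = field(default_factory=dict)  # file path -> added lines, '+' stripped


def parse_git_log_p(text):
    """Split `git log -p` output into Commit records with per-file added lines."""
    commits, current, current_file, in_diff = [], None, None, False
    for line in text.splitlines():
        if line.startswith("commit "):
            current = Commit(sha=line.split()[1])
            commits.append(current)
            current_file, in_diff = None, False
        elif current is None:
            continue  # anything before the first commit header
        elif line.startswith("diff --git "):
            # "diff --git a/ssh/sshd_config b/ssh/sshd_config" -> "ssh/sshd_config"
            current_file = line.split(" b/", 1)[1]
            current.added.setdefault(current_file, [])
            in_diff = True
        elif in_diff:
            if line.startswith("+") and not line.startswith("+++"):
                current.added[current_file].append(line[1:])
        elif line.startswith("Author:"):
            current.author = line[len("Author:"):].strip()
        elif line.startswith("Date:"):
            current.date = line[len("Date:"):].strip()
        elif line.startswith("    "):
            # the commit message body is indented by four spaces
            current.message = (current.message + "\n" + line[4:]).strip()
    return commits


def find_weak_ssh_settings(commits):
    """Return (short sha, path, keyword, algorithm) for every legacy cipher or MAC
    that a commit added to an sshd_config file."""
    findings = []
    for c in commits:
        for path, lines in c.added.items():
            if not path.endswith("sshd_config"):
                continue
            for line in lines:
                parts = line.strip().split(None, 1)
                if len(parts) != 2 or parts[0].startswith("#"):
                    continue
                # sshd_config keywords are case-insensitive; values are comma-separated
                pattern = WEAK_BY_KEYWORD.get(parts[0].lower())
                if pattern is None:
                    continue
                for algo in parts[1].split(","):
                    algo = algo.strip()
                    if pattern.search(algo):
                        findings.append((c.sha[:12], path, parts[0].lower(), algo))
    return findings


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    commits = parse_git_log_p(text)
    for c in commits:
        first_line = c.message.splitlines()[0] if c.message else "(no message)"
        print(f"{c.sha[:12]} {c.date}  {first_line}")
        for path, lines in c.added.items():
            print(f"    {path}: {len(lines)} line(s) added")
    for sha, path, keyword, algo in find_weak_ssh_settings(commits):
        print(f"LEGACY {keyword} entry '{algo}' added to {path} in {sha}")
```

Run it as git -C /etc log -p --since='2 hours ago' | python3 etc_triage.py (the file name is arbitrary); with no input on stdin it runs against the embedded sample. The first block of output is the plain "what changed, when, in which files" view you want during an incident; the LEGACY lines are the extra check that a config change which looks harmless in the commit message actually weakened sshd.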

For example

root@trinity:/etc# git log -p -1
commit 3bd9eceaa45fc8884a2555925d55dbbffa845b3d
Author: kyoder <kyoder@trinity.greenfly.io>
Date:   Fri May 15 16:59:54 2020 -0400

    Disable sshnuke

diff --git a/ssh/sshd_config b/ssh/sshd_config
index bcf3ac1..61021da 100644
--- a/ssh/sshd_config
+++ b/ssh/sshd_config
@@ -121,3 +121,6 @@ Subsystem   sftp    /usr/lib/openssh/sftp-server
 #      AllowTcpForwarding no
 #      PermitTTY no
 #      ForceCommand cvs server
+
+ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
+macs hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com
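Review bot: the two lines added at the end of this hunk enable legacy algorithms rather than removing any. The CBC-mode ciphers (aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, rijndael-cbc@lysator.liu.se) have been excluded from OpenSSH's default Ciphers since 6.7, hmac-ripemd160 is no longer in the default MACs, and hmac-sha1 and umac-64@openssh.com are the weakest entries OpenSSH still ships by default. If hardening is the goal, keep only the -ctr ciphers and the hmac-sha2-256,hmac-sha2-512 MACs from these lines, and note that an explicit Ciphers or MACs list replaces the defaults rather than adding to them, so every algorithm not named here (the AES-GCM and chacha20-poly1305 ciphers, the -etm MACs) is switched off for this server.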