backup app and security documentation/setup/app

[smithcferg]

Hi. Just posted below this one. Forgot to mention, I am just learning Linux, so can't really help with the development of any of my suggestions, sorry.

RE: Backup
I saw the Wiki on backups, and it was talking about either using the PBA built into AMAHI or a third party solution (such as Norton BESR or Vista's built in backup app). Is there really no file by file backup built in to AMAHI, or did I miss it?

Is RDIFF-backup a reliable app for packaging for AMAHI? Could an Amahi server initiate a server-side backup of all home computers using this? Is there an easy way to use it with the server?

RE: Security

1) I haven't seen much about security, in Amahi forums/wiki. This is a big concern for me, right up there with utterly reliable backups and filesharing. Our computers have been hacked before. How can I know it is secure out of the box? Saw a post about antivirus - clamvir or something like that - someone mentioned that it was not an important thing to include. Is it typical that a server supporting a number of computers wouldn't have antivirus software?

2) Those of us, like me, who have drunk Mother Window's milk for our computing lives need to know that the repository for all our house files are secure. Because we don't understand Linux security, we need to know in exacting yet simple terms 1) where the Amahi server is secure, out of the box, 2) what we shouldn't mess with, 3) What specific configuration steps need to be taken to ensure security, 4) What regular maintenance steps need to be taken to ensure security, 5) Steps to greater security and perhaps attendant potential side effects, 6) Ways to test Linux security.

It is difficult just to keep up with a familiar operating system. If an amahi-specific document has already been written that covers all aspects of hda security, please let me know where I could find it?

Thanks much for your help,

Craig

[moredruid]

regarding backup: pba makes a disk image (full, compressed if possible) of the host you're backing up. If you only want certain files to be backed up, you can back these up to a network (samba) share with either 3rd party software or software integrated in the OS of the client.

regarding security: this is as secure as the weakest part. Yes, that's an open door but very valid. That said, Linux is quite secure out of the box, and by choosing to enable/disable certain services (like not installing certain web-apps) you can mitigate a few risks. Amahi installs on top of Linux, and uses the permissions on the Linux level. Of course you will want to shield the system from the internet as much as you can, but this is also true for Windows systems. There is talk about including a virus scanner in the install, as far as I recall it wasn't marked as unimportant, but more something for a next release. The nice thing about Amahi is that you have the option to tinker with the Linux install (install extra software), mostly without affecting the Amahi settings. That means you could implement an antivirus solution (like ClamAV) yourself. If you feel bold, you might even want to package it as a web-app for the rest of the community to benefit as well.

regarding the repositories: well, that's based on trust. You need to trust your upstream provider (mirror), most of them can be validated by a GPG key. If a mirror is compromised this is usually detected real quick and countermeasures are taken. However: this is also true with Microsoft. You trust them to roll out patches that are well tested and have minimal impact as well as guaranteeing that they're not compromised. Due to the nature of Open Source you can validate the mirror and packages yourself (if you know what you're doing of course), while on the Microsoft platform you basically just need to trust whatever Microsoft publishes in a KB article and the description of the patch. You can subscribe to the fedora security mailing lists if you really want/need to be on top of everything.
Amahi settings: don't mess with the settings unless you know what you're doing. Want to fool around? Install a local version in a VM and test the changes thoroughly. When you're satisfied you can roll out to production.
the other security related stuff: configuration steps: most services are configured very conservative from the start. If you want to open your system more, you'll need to enable it. The only thing I've strengthened is the SSH config (which is secured up to a ridiculous point) but the default is pretty secure out of the box as long as you pick decent passwords for the users and don't give out the password for root to everyone. For security stuff you can read up on the sudo command, sudoers file and optionally SELinux, however due to the inner workings of SELinux I think it will interfere with the Amahi install. Regular maintenance is easy: just install the latest security patches (and only those) by default. Every now and then update your whole system. This is scriptable and can be scheduled. Again: test in a sandbox environment to see if a security patch doesn't break Amahi in any way before you roll out to production if you really need high availability. Steps for more security is simple: security is a process so treat it that way. Remember: you are never finished with security. There are lots of good forums and books (I recommend o'reilly books) to be found on linux security. Be sure to focus on the security on the points you _really really_ need, otherwise you can get overwhelmed quite easily. There are lots of ways to test your security, but one of them is making sure your system is clean and stays clean, monitor it (with tripwire for instance) and run a rootkit tester every now and then, as well as nmap scans from another (preferably secure, read-only live cd) host.

There is no security document for Amahi that I know of, but I think it's an interesting idea. Certain security guidelines for apps could be defined in such a document.