Big Brother is a network and system monitoring tool. It monitors the connections to machines and checks disk space, CPU load, system error messages and processes. Information is gathered every 10 minutes on the client machines and sent to the server. The server checks the network connections every 10 minutes and creates web pages based on the information. You can view the Big Brother display here: http://jove.eng.yale.edu/bb/.
The Big Brother home directory is /usr/local/bb. You can read about the Big Brother installation and configuration here: http://wss.yale.edu/doco/BigBrother/. Keep in mind that this documentation was written for the Computer Science department, where the Big Brother home directory is different. The rest of the configuration should be identical as long as you substitute /usr/local/bb for the home directory.
The start/stop script for Big Brother is /etc/rc.d/init.d/bb
syssumm is a Perl script that summarizes the system resources. A cron job, /etc/cron.weekly/run-syssumm, runs once a week to gather the system resources. The home directory for syssumm is /usr/local/remote. The output from syssumm is sent to the Workstation Support server (wss.yale.edu) and stored there. In the Big Brother home directory, under /usr/local/bb/www/notes, there is a script for each of the client machines. These are just CGI scripts that read the information from the WSS server and create web pages. These pages are password protected. You can use the username "guest" and password "0nYoHa" (first character is a zero) to view the syssumm output from Big Brother. Simply click on the link to the host name from the Big Brother home page.
fixnode is a very powerful, but dangerous script. It is located in /root/fixnode. It has two functions: you can execute a command on EVERY client or copy a file to EVERY client. The client list is in /root/client_list. You can modify the client list by editing the /root/client_list file.
fixnode uses ssh1 and a /root/.shosts file on every client machine, so a password is not required. You also need to copy the ssh1 host keys of all the machines to every client; they are kept in /etc/ssh/ssh_known_hosts.
Be VERY careful when using fixnode. Once it is started it cannot be stopped, so make sure you are copying the correct file or executing the correct command.
sudo lets non-root users perform tasks as root. The database file that contains the list of users and privileges is /etc/sudoers. You should use "visudo" to modify this file.
The nice thing about sudo is that you don't have to remember or use the root password. It also logs to /var/log/messages whenever you use it.
ADSM is the backup service that is always running. Its home directory is /usr/adsm. Please read the section Backups: ADSM in this manual for more details.
AIDE, or Advanced Intrusion Detection Environment, is an intrusion detection system for checking the integrity of files. AIDE uses MD5 and other checksum algorithms to check the integrity of files. If files are changed, added or deleted, AIDE will tell you about it.
AIDE uses /etc/aide.conf as its configuration file. This file contains the lists of files and directories to check and which tests to run. The AIDE database is /etc/aide.db. There is an hourly cron job, /etc/cron.hourly/aidecheck.cron, which runs AIDE every hour. This cron job also sends its output to Big Brother.
You MUST be aware that if you make a change, addition or deletion in one of the operating system directories, AIDE will "catch" you! Of course, if someone else makes a change, addition or deletion, they will be "caught" as well, which is what you want AIDE to do.
If you make a change to an operating system file or directory, you need to update the AIDE database. There is a script in place to do this. Simply type the following:
at -f /local/scripts/update-aide now
There is also a sample "fixnode" line in the script if you wish to do an AIDE update on all the clients.
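The hourly cron job above feeds AIDE's result to Big Brother. The script below is an added example, not the site's aidecheck.cron, showing how an AIDE report can be turned into a Big Brother status; it assumes the bb client lives under /usr/local/bb/bin, the BB "status host.test color date text" message format, and the AIDE verdict strings quoted in the code, and it substitutes a constructed sample report when aide is not installed.

```shell
#!/bin/sh
# Added example (not the site's aidecheck.cron): turn an AIDE run into a
# Big Brother status. Assumptions: BB home /usr/local/bb (from this page),
# the BB "status host.test color date text" message format, and the AIDE
# verdict strings matched below. $BBDISP is the BB display host.
BBHOME=${BBHOME:-/usr/local/bb}
BBDISP=${BBDISP:-jove.eng.yale.edu}   # BB display host named on this page
TEST=aide

# Map AIDE's report text to a BB colour: green when the filesystem matches
# the database, red when differences were found, yellow for anything else
# (AIDE error, empty output), so a broken check is never reported as green.
aide_color() {
    case "$1" in
        *"AIDE found differences between database and filesystem"*) echo red ;;
        *"All files match AIDE database"*) echo green ;;
        *) echo yellow ;;
    esac
}

# Keep only what the on-call person needs at a glance: the verdict line and
# the added/removed/changed counts, not the full list of files.
aide_summary() {
    printf '%s\n' "$1" |
        grep -E -i 'found differences|match AIDE|^(Added|Removed|Changed) (files|entries)' |
        head -n 5
}

# Send "status <host>.<test> <color> <date> <text>" to the BB display.
# Prints the message instead when the bb client is not installed.
send_bb() {
    msg="status $(uname -n).$TEST $1 $(date) $2"
    if [ -x "$BBHOME/bin/bb" ]; then
        "$BBHOME/bin/bb" "$BBDISP" "$msg"
    else
        printf '%s\n' "$msg"
    fi
}

if command -v aide >/dev/null 2>&1; then
    out=$(aide --check 2>&1)
else
    # Constructed sample report so the script runs where aide is absent.
    out='AIDE found differences between database and filesystem!!
Added files: 0
Removed files: 0
Changed files: 2'
fi
send_bb "$(aide_color "$out")" "$(aide_summary "$out")"
```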
There is a firewall installed on all the client machines. This is accomplished by using ipchains. The start/stop/chkconfig script is /etc/rc.d/init.d/firewall. The script is self-documented, so please read it to see which services and ports are blocked. To bring down the firewall type:
/etc/rc.d/init.d/firewall stop
To bring the firewall back up, just type:
/etc/rc.d/init.d/firewall start