I think, honestly, the biggest pain in the arse was making Apache’s rewrite rules work the way I wanted them to. I still have the annvix.org domain, and moving the subversion viewvc and repo sub-domain is silly and painful (and neither require much effort on my part), so I’ve left them but still wanted to redirect http://annvix.org/foo to http://linsec.ca/Annvix:foo. Easy enough without cPanel getting in the way and .htaccess files and whatnot, so I finally got it working after much goatee tugging. For the interested, the pertinent bits of the .htaccess file I ended up using are below (criticism welcome!)

Options All -Indexes FollowSymLinks

RedirectMatch permanent ^/repo/$ http://repo.annvix.org/

RedirectMatch permanent ^Annvix:(.+)$ http://linsec.ca/Annvix:$1

RewriteEngine on

RewriteCond %{HTTP_HOST} !^repo\.annvix\.org [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ http://linsec.ca/Annvix:$1 [L,QSA]

The Apache mod_rewrite stuff always messes me up, so I’m sure there are prettier ways to do it, but at least this seems to work in all the cases that I want.

Apparently someone other than myself uses these scripts. =) AIDE+gpg is a set of scripts to make AIDE more like Tripwire in that the database is cryptographically signed (with gpg) so you can be alerted as to whether or not the AIDE database has been tampered with between runs. It also setups a cron job to check the database against the system daily to alert you of any changes. It is an add-on to AIDE that can be used on any Linux distribution (and probably distributions as well, although you may need to edit the scripts if the binary locations for gpg and aide differ from RHEL).

You can grab it from the project page.

I don’t know if anyone other than myself uses this, but it’s a set of scripts to make AIDE more like Tripwire in that the database is cryptographically signed (with gpg) so you can be alerted as to whether or not the AIDE database has been tampered with between runs. It also setups a cron job to check the database against the system daily to alert you of any changes. It is an add-on to AIDE that can be used on any Linux distribution (and probably distributions as well, although you may need to edit the scripts if the gpg binary location differs from RHEL).

Anyways, one of my favourite features in Annvix was being able to run the entire system out of runit (Annvix used runit in place of SysVinit). This gave us nicely supervised services using runit (much like DJB’s daemontools). Feeling crappy with the first day of a head cold, I spent some time today over lunch to get runit working with RHEL5. I had to re-tool the package since I don’t want it to replace SysVinit, but run under init and just supervise services (like sshd, exim, etc. — call me weird, but runit/daemontools makes a fantastic watchdog and with sshd running from tcpsvd, I get some nice ACLs to use as well).

At any rate, runit now installs and works properly. Sorry to anyone who wanted to use it (I’ve been meaning to do this for the last year, ever since I switched all of my servers over to CentOS). The runit package also comes with a bunch of run scripts; I’ve not tested them all yet so if you do end up using it and have issues, let me know. I did have to fix a few minor things in a few of them.

At any rate, I’ve chkconfig’d off a few services and have them running supervised now:

# srv --list|grep -v '-'

service                   status   pid      started
crond                     up       2737     04/07/2010 02:16:32 PM
crond/log                 up       2735     04/07/2010 02:16:32 PM
exim                      up       2747     04/07/2010 02:16:32 PM
exim/log                  up       2746     04/07/2010 02:16:32 PM
mdadm                     up       2738     04/07/2010 02:16:32 PM
mdadm/log                 up       2736     04/07/2010 02:16:32 PM
ntpd                      up       2733     04/07/2010 02:16:32 PM
ntpd/log                  up       2731     04/07/2010 02:16:32 PM
smartd                    up       2739     04/07/2010 02:16:32 PM
smartd/log                up       2734     04/07/2010 02:16:32 PM
sshd                      up       2732     04/07/2010 02:16:32 PM
sshd/log                  up       2730     04/07/2010 02:16:32 PM

One thing knocked off my TODO list. Replaced it with going to bed early tonight.

I have heard that msec now is much better, but have not had a chance to try it although I do try to keep up with the changes to msec related to reporting and fold those back into rsec.

Annvix is not coming back as an operating system like it used to be, but rather a repository of packages for RHEL/CentOS (currently just version 5). There is very little there right now: a new version of openssh and a new version of logwatch. It will increase as time permits. I do plan on “porting” some of the stuff I had done for Annvix to RHEL5; things like rsec, AIDE+GPG, runit, scripts to use with runit, etc. Essentially those things that were fun to deal with on Annvix, but without the pain of managing a whole OS.

If you feel like giving it a go, just execute:

# rpm -ivh http://repo.annvix.org/media/EL5/x86_64/annvix-release-1.0-2.el5.avx.x86_64.rpm

on your RHEL5 or CentOS5 install (change x86_64 to i386 if you’re using an x86 system). If you have the priority plugin setup on CentOS, make sure you edit /etc/yum.repos.d/annvix.repo and add:

priority = 1

or something suitable. The annvix.org web site will be updated at some point to reflect that Annvix is a repository add-on to RHEL5 now instead of a stand-alone OS.

It’s exciting to see the first review of something you’ve spent four years working on, especially when you’re not the one to write it. =)

If anyone has an account on fsdaily.com, I’d love it if you could vote for the story and help make it hit the frontpage (shouldn’t be too hard, looks like it’s a fairly new site, kinda like digg).

Just a heads up in case you wonder why a) a category was removed and b) why some entries seem to have disappeared.