A method and system to manage configuration drift and remediation
Disclosure Number: IPCOM000200136D
Publication Date: 2010-Sep-30
Document File: 7 page(s) / 51K
Publishing Venue: The Prior Art Database


The present publication discloses a system and a method for representing and assessing the compliance of configuration files based on a uniform representation of the file's content (and of the corresponding compliance rules) regardless of its actual format.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 22% of the total text.

Page 01 of 7

A method and system to manage configuration drift and remediation

Configuration drift is an important aspect of Data Center environments. In general terms, a configuration drift happens when hardware and/or software infrastructure configurations "drift" or become different in some way from a reference configuration.

Configuration drift is a natural condition in every data center environment due to the large number of ongoing hardware and software changes. Unidentified configuration drift exposes an organization to a high risk of data loss and extended outages. For this reason, configuration drift needs to be identified and corrected as soon as it happens in order to eliminate these risks.

In this disclosure we address the problem of assessing (and remediating) software configuration drift, specifically (though not exclusively) for configuration files.

Many heterogeneous applications are usually installed and run in a Data Center environment, with their configurations specified through files whose format varies from one application to another.

Products exist in the field (such as Altiris SecurityExpression, IBM Tivoli Policy Driven Software Distribution and IBM Tivoli Provisioning Manager, cited in the Reference section) that allow you to define policies for checking the compliance of a given computer against a set of defined rules. Such policies in general have a custom format for specifying the condition to check. In some cases you have to write your own custom script for checking a particular condition; in other cases you have a predefined set of operators that you can combine to build the final policy.

However, none of these products provides a consistent and flexible way of building policies for assessing the content of configuration files (and, optionally, for performing an automatic remediation in case of non-compliance). To perform such tasks you still have to write your own custom script or custom rule. Additionally, there is no consistent way to define a reference template to be used as the golden configuration against which a list of target systems is checked.

In this document we describe a system, and a method implementing it, for:
1. Representing configuration reference models
2. Assessing the compliance of a set of targets against the templates so defined
3. Automatically remediating any non-compliant rule

All the above points are devised in a way that does not suffer from the drawbacks highlighted above.

The main idea of this system is to provide a uniform representation of configuration reference models, regardless of the actual means (and format) used to store them, together with a generic assessment and remediation model.
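As an added illustration of the three functions listed above (reference model, assessment, remediation) working over one uniform representation, and not code from the disclosure or from any of the cited products: two constructed configuration files in different formats are normalized to key/value maps, checked against a common rule set, and repaired. The file formats, key names, rules and values are all assumptions made for the example.

```python
import configparser

# Constructed sample files in two different formats (invented for this example).
KEYWORD_STYLE = "PermitRootLogin yes\nMaxAuthTries 6\nProtocol 2\n"
INI_STYLE = "[security]\nssl = off\nmin_tls = 1.0\n"

def parse_keyword(text):
    """Uniform representation of a 'Keyword value' file: dict of key -> value."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return out

def parse_ini(text):
    """Uniform representation of an INI file: dict of 'section.key' -> value."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {f"{s}.{k}": v for s in cp.sections() for k, v in cp[s].items()}

# Reference model: each rule is (key, operator, expected value) over the uniform
# representation, so one rule engine serves every file format.
OPS = {
    "eq": lambda actual, exp: actual == exp,
    "le": lambda actual, exp: float(actual) <= float(exp),
    "ge": lambda actual, exp: float(actual) >= float(exp),
}
KEYWORD_RULES = [("PermitRootLogin", "eq", "no"), ("MaxAuthTries", "le", "3"),
                 ("Protocol", "eq", "2")]
INI_RULES = [("security.ssl", "eq", "on"), ("security.min_tls", "ge", "1.2")]

def assess(config, rules):
    """Return (key, actual, expected) for every rule that is not satisfied.
    A key missing from the file counts as drift (actual is None)."""
    drift = []
    for key, op, expected in rules:
        actual = config.get(key)
        if actual is None or not OPS[op](actual, expected):
            drift.append((key, actual, expected))
    return drift

def remediate(config, drift):
    """Apply the reference value for each drifted key; returns a repaired copy."""
    fixed = dict(config)
    for key, _actual, expected in drift:
        fixed[key] = expected
    return fixed
```

Re-running assess() on the output of remediate() yields an empty drift list, which is the check a remediation step should perform before reporting success.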

The picture below shows an architectural view of the main elements of a typical Data Center environment in which the system gets deployed:
1. The management server

It is the central point of control from which it is possible to manage the entire life cycle of a set of t...