AcmeBase Small Enterprise System
An Annotated Computer Repository for Digital Assets
The AcmeBase Small Enterprise System is a file repository intended to compliment cloud systems. It was originally designed for those who want to have physical possession of their digital assets.
AcmeBase is a system of several servers working together to provide:
- safe secured storage
- encrypted communications
- robust backups
- a knowledge base
- a web portal
There are two methods to access your files:
- Using file shares from the LAN.
- Using a portal website from the Internet, like DropBox or Box.
The AcmeBase system was assembled for a soft-goods manufacturer. A hundred people use the system on the LAN and over a dozen portals service their national and international contractors.
The AcmeBase system has been built with open source software. All programs are licensed under the Apache License, the MIT License, or where marked, the GNU GPL3. The system is implemented on Debian Linux servers.
There are no license fees. That is intentional. It greatly simplifies changes and preserves the longevity of a customizable system like the AcmeBase system.
The AcmeBase system was set up to be a secure repository. Issues addressed were:
- how to be resilient and repel attacks
- how to detect and contain an invasion
- how to minimize dangers and the time to recover compromised servers
AcmeBase uses virtual servers as the basic "security realm" for the different functions of an enterprise system.
Each server is a stripped down server which performs a singular task. It makes rogue programs easier to spot. It also simplifies server upgrades and makes them more reliable.
All network communications are encrypted end-to-end. That includes server-to-server, pc-to-server, and server-to-internet communications.
Servers are automatically upgraded weekly.
File servers storing user files are segregated into three categories:
- Public servers — everyone in the enterprise can read the files but one must be a member of the file's workgroup to change it.
- Workgroup servers — one must be a member of the workgroup to be able to read or write the files.
- Private servers — files can only be seen or changed by the user.
Categorizing the file servers as such simplifies the technologies needed to implement a system like this.
Servers in the AcmeBase system are independent and do not connect or have control over each other. There is a control server and there is a backup server. Those servers connect to all the other servers but no other server connects to them. This organization helps restrain lateral movement of malware if a server is infected.
There are two exceptions: 1) the portal server connects to the file servers using a novel technique intended to isolate invasions to just the web server, and 2) the file servers connect to special read-only shares on the backup server to provide the user's view of their time machine backups.
The control server has a messaging system so other servers can ask for it's help performing privileged tasks such as sending files to the archive server.
Servers are configured to have only the minimal software required to perform their functions. Consequently, each server must be controlled from the command line.
The control server has a centralized repository of scripts that are used to monitor and control the other servers. The scripts are sent to the other servers to be executed as needed.
To assist the sysadmin manage all the servers, the control server has a web console.
The web console helps educate the sysadmin which
bash commands are used to display the resulting information about the other servers.
Users and groups are added to the LDAP directory and setup through the console. However, user privileges and group memberships are managed through the portal by HR personnel instead of IT as we IT people are traditionally the last ones to learn that kind of stuff.
People do not like to delete files. To keep user workspaces lean and trim, most file servers in the AcmeBase system have associated archives servers. Files are sent to the archive servers from the portal.
Files on the archive servers are stored in the same folders as they are on the source file server. Files can be restored to the user workspace by copy-and-paste and they can be re-archived multiple times if needed.
Read-only archive servers are much easier to protect and maintain.
A search engine server indexes all the user files making them easy to locate.
There are four different automated backup systems:
- Daily backup of server files (backup_daily)
- Hourly rsnapshot backups of users files (zBackups-TimeMachine)
- Periodic snapshots of running servers (backup_snapshot)
- Off-site backups to usb drives (backup_to_usb)
Backups of user files are encrypted.
The Myra-pm portal software puts a "web interface" on folders located in the file shares, similar to DropBox or Box.
Myra is a file manager. It's also a photo gallery. You can create, move, rename, and remove files. And you can rotate and rearrange thumbnails or slides. You can upload and download files to and from your desktop simply by dragging and dropping them.
The portal software operates under one of three different security models:
- A read-only (normal) website managed by a webmaster.
- A website managed by a site-specific list of editors, each able to manage different branches of the website.
- A web portal for users whose read/write privileges are retrieved from a central LDAP directory.
The AcmeBase system uses the third model. The second model, using editors, is useful for third-party access such as contract companies.
HTML documents can be created and edited from the web, providing a built-in knowledge base.
The graphical appearance of web pages is determined by different themes.
The AcmeBase system includes a built in knowledge base. It was initially developed to manage IT documents which historically have had a couple of big problems:
- they cannot be found or accessed when needed
- they're always wrong as things change too fast
The AcmeBase knowledge base is comprised of simple HTML documents. They can be easily accessed on a phone or laptop. Their big advantage is they can be edited and corrected in place as they are being used.
Different templates can be used for different documents and all document revisions are tracked. The documents are easily searchable by the search engine server.
A pseudo company has been set up at acmebase.com to provide an implementation of all the servers and their operations. It provides a test environment for development and it provides a demonstration of the portal web site for the AcmeBase System.
I began experimenting and developing the AcmeBase system over fifteen years ago. The basic problem was how to provide long term access and storage of digital assets. My ideas evolved from working with a hosting company, university libraries, and with a manufacturing company having a history of saving every pattern they ever made.
The design of this system would not have been possible without the freedom and accessibility of open source software.