
RUDDER - Continuous Configuration (configuration management + continuous auditing) [English]

RUDDER is an easy to use, web-driven, role-based solution for IT Infrastructure Automation and Compliance. With a focus on continuously checking configurations and centralising real-time status data, RUDDER can show a high-level summary (“ISO 27001 rules are at 100%!”) and break down noncompliance issues to a deep technical level (“Host prod-web-03: SSH server configuration allows root logins”).

A few things that make RUDDER stand out:
- A simple framework allows you to extend the built-in rules to implement specific low-level configuration patterns, however complex they may be, using simple building blocks (“ensure package installed in version X,” “ensure file content,” “ensure line in file,” etc.). A graphical builder lowers the technical level required to use this.
- Each policy can be independently set to be automatically checked or enforced on a policy or host level. In Enforce mode, each remediation action is recorded, showing the value of these invisible fixes.
- RUDDER works on almost every kind of device, so you’ll be managing physical and virtual servers in the data center, cloud instances, and embedded IoT devices in the same way.
- RUDDER is designed for critical environments where a security breach can mean more than a blip in the sales stats. Built-in features include change requests, audit logs, and strong authentication.
- RUDDER relies on an agent that needs to be installed on all hosts to audit. The agent is very lightweight (10 to 20 MB of RAM at peak) and blazingly fast (it’s written in C and takes less than 10 seconds to verify 100 rules). Installation is self-contained, via a single package, and can auto-update to limit agent management burden.
- RUDDER is a true and professional open source solution—the team behind RUDDER doesn’t believe in the dual-speed licensing approach that makes you reinstall everything and promotes open source as little more than a “demo version.”

RUDDER is an established project with several tens of thousands of nodes managed, in companies from small to biggest-in-their-field. Typical deployments manage hundreds to thousands of nodes. The biggest known deployment in 2016 is about 7000 nodes.

Published in: Software

  1. Rudder: the non-visible, immersed part of the ship's wheel. It is the part of the boat that actually lets you correct the course when the boat is drifting away. Continuous Auditing – Continuous Configuration
  2. Rudder ♡ devops → Culture → Automate → Measure → Share → devops: combination of « developer » and « operations » (= « system administrator »)
  3. Modern IT production service management
  4. Modern IT production service management: Provisioning, Installation, Configuration, Update, Patch
  5. Modern IT production service management: Automation. Provisioning, Installation, Configuration, Update, Patch
  6. Open source brick for each level: Provisioning, Installation, Configuration, Update, Patch
  7. IT is becoming continuous: Continuous growth, Continuous threat, Continuous availability, Continuous *
  8. IT is becoming continuous; IT management must become continuous. Continuous growth, Continuous threat, Continuous availability. Continuous Auditing – Continuous Configuration
  9. Continuous approach benefits. Continuous auditing & configuration. Reliable reporting: real-time and continuous analysis, KPIs for your IT. Time saved: deployment, maintenance, evolutions; management not impacted by fleet growth. Ensured reliability: operational maintenance, controlled changes.
  10. Overview: Node-server communication. Centralized management ↔ Local agents
  11. Key points (1/3). Good citizen: easy to insert in your toolchain (change requests, audit log, AD/LDAP authentication, ...). Vigilance: continuous checking to react fast and rely on accurate information. Production ready: Audit ↔ Enforce. Each configuration can be set in Audit mode, only checking its compliance, or in Enforce mode, to actually apply itself. Don't guess anymore. Know. Report, Remediation.
  12. Key points (2/3). A role-based solution. CLI / Code: create new configuration templates, trigger events. Web: use configuration templates, see compliance. API: automatically add new nodes, integrate with third party tools.
  13. Key points (3/3). Universal. Every scale: performance, relay components, 2 → > 10 000. Multi-OS (can be ported to almost every existing OS, except iOS). Cross-platform: physical, VM, cloud, mobile, embedded, … Cloud, Servers, Desktop, Embedded/IoT, Mobile.
  14. The desired state concept. Defining desired state (target). Imperative vs. declarative: "Update openssl package" vs. "Package openssl always up-to-date"; "Restart ntpd service" vs. "Ntpd service must be running"; "Copy sshd_config.template file" vs. "sshd_config file must contain 'PermitRootLogin no'"
  15. Audit mode: hello Continuous Auditing! Rudder's lifecycle with continuous {auditing, configuration}: Define desired state; Distribute to agents; Check state locally (OK / NOK); OS-specific implementations; Report; Remediate?; REPEAT
  16. Features: defining configuration. Techniques: ready to use configuration templates
  17. Features: defining configuration. Techniques: ready to use configuration templates. A few examples: 1. Users, groups, passwords 2. Software (deb/rpm/exe/MSI) 3. Configuration files (full, templates, per line, per section, ...) 4. Services management 5. Application configurations (OpenSSH, Apache HTTPd, IIS, NFS, ...) → For everything else, the Technique Editor
  18. Features: defining configuration
  19. Features: defining configuration. Technical directive examples: 1. Auto logout after inactivity 2. Passwords (strength, lifetime, ...) 3. No compilers in production 4. Alert following a remote connection 5. Software vulnerability patching. GOAL: Protect access; Protect access; Abide by the law; Avoid potential exploitations; Avoid known exploitations. IMPLEMENTATION: File/registry content; File/registry content; Missing package; File/registry content; Installed/up-to-date package.
  20. Features: defining configuration. Technique Editor (IDE): create any configuration with primary blocks
  21. Features: defining configuration. Technique Editor (IDE): create any configuration with primary blocks. Package absent, Package absent, Security directive #2, File enforce, Service running, Security directive #3, Package present, File edit, Security directive #1, Corporate security policy, Security best practices, RULE, RULE
  22. Features: Reporting. Detailed reporting by configuration rule. Graphical reporting to analyze a state in detail. Aggregated compliance report.
  23. Features: Reporting. Dashboard – overview
  24. Features: double validation. Double validation / Change Requests
  25. Features: audit log + rollback. Automatic tracking of changes. Automatic restoration of the previous configuration if needed.
  26. Network architecture: Central server; Node, Node, Node. TCP communication (port 5309): file metadata, file contents; authentication + encryption (TLS). TCP communication (ports 443 and 514); protocols: HTTPS, syslog. Node, Node, Node; Isolated network zone; Relay server; Aggregated data. Inventory + Reports; Configuration policy.
  27. Summary: key points. Universal: cross-platform and multi-OS; smallest to biggest scales (2 → > 10 000); lightweight and autonomous agent. Production ready: Vigilance; Audit ↔ Enforce; good citizen of the toolchain; Reporting; Remediation. Role based: web interface / API / CLI. User friendly: fast learning curve; advanced extensibility.
  28. Summary: continuous approach. Continuous auditing & configuration. Reliable reporting: real-time and continuous analysis, KPIs for your IT. Time saved: deployment, maintenance, evolutions; management not impacted by fleet growth. Ensured reliability: operational maintenance, controlled changes.
  29. Rudder ♡ devops → Culture → Automate → Measure → Share → devops: combination of « developer » and « operations » (= « system administrator »)
  30. Normation – 87 rue de Turbigo, 75003 PARIS, France – contact@normation.com – +33.1.83.62.26.96 – http://www.normation.com/ Continuous Auditing, Continuous Configuration. Jonathan CLARKE, Co-founder & Product, jcl@normation.com
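
Slides 14 and 15 describe a declared desired state that is checked locally and then either only reported (Audit) or also repaired (Enforce). The sketch below is an added example, not RUDDER code and not part of the presentation: it applies that loop to the slide's `PermitRootLogin no` case in plain Python. The function names and the sample file are hypothetical and constructed, and sshd_config parsing is simplified to whitespace-separated, unquoted keywords in the global section (the first occurrence before any `Match` block is the one in effect).

```python
import os, tempfile

def effective_value(lines, key):
    """Global value sshd would use: first occurrence before any Match block wins."""
    for line in lines:
        words = line.split(None, 1)
        if words and words[0].lower() == "match":
            break                            # conditional blocks are out of scope
        if len(words) == 2 and words[0].lower() == key.lower():
            return words[1].strip()
    return None

def ensure_directive(path, key, value, mode="audit"):
    """Return 'compliant', 'non_compliant' (audit) or 'repaired' (enforce)."""
    with open(path) as fh:
        lines = fh.readlines()
    if effective_value(lines, key) == value:
        return "compliant"                   # nothing to do in either mode
    if mode == "audit":
        return "non_compliant"               # report only, never touch the file
    kept, in_global = [], True
    for line in lines:
        words = line.split()
        if words and words[0].lower() == "match":
            in_global = False
        if in_global and words and words[0].lower() == key.lower():
            continue                         # drop conflicting global settings
        kept.append(line)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:           # temp file is created with mode 0600
        fh.writelines([f"{key} {value}\n"] + kept)
    os.replace(tmp, path)                    # atomic swap, no half-written config
    return "repaired"

SAMPLE = """# constructed sample, not a real host's configuration
Port 22
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
"""

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sshd_config")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        runs = [ensure_directive(path, "PermitRootLogin", "no", m)
                for m in ("audit", "enforce", "enforce")]
        with open(path) as fh:
            return runs, fh.read()
```

The second enforce run returns `compliant`, which is the idempotence a continuous check relies on: a repair is recorded only when the state had actually drifted.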