RUDDER - Continuous Configuration (configuration management + continuous auditing) [English]
1 like2,447 views
The document discusses Rudder, a tool for continuous auditing and configuration management in IT environments, emphasizing the importance of a continuous approach to IT management. It outlines features, benefits, and key practices, including defining the desired state and automatic auditing. Additionally, it highlights the tool's cross-platform capabilities and its role in enhancing operational efficiency and compliance in IT systems.
RUDDER - Continuous Configuration (configuration management + continuous auditing) [English]
- 1. Rudder: non visible immersed part of the shipwheel, it is the boat part that actually lets you correct the course when the boat is drifting away. Continuous Auditing – Continuous Configuration
- 2. 2 Rudder devops♡ → Culture → Automate → Measure → Share → devops Conbination of « developer » and « operations » (= « system administrator »)
- 3. 3 Modern IT production service management
- 4. 4 Modern IT production service management Provisioning Installation Configuration Mise à jour Patch
- 5. 5 Modern IT production service management Automatisation Provisioning Installation Configuration Mise à jour Patch
- 6. 6 Installation Configuration Mise à jour Patch Open source brick for each level Provisioning Briques open source
- 7. 7 IT is becoming continuous Continuous growth Continuous threat Continuous availability Continuous *
- 8. 8 IT is becoming continuous IT management must become continuous Continuous growth Continuous threat Continuous availability Continuous Auditing – Continuous Configuration
- 9. 9 Continuous approach benefits Continuous auditing & configuration Reliable reporting Real-time and continuous analysis KPIs for your IT Time saved Deployment , maintenance, evolutions Management not impacted by park growth Ensured reliability Operational maintenance Controlled changes
- 10. 10 Overview Node-server communication Centralized management Local agents↔
- 11. 11 Key points (1/3) Good citizen Easy to insert in your chaintool : change requests, audit log AD/LDAP authentication , ... Vigilance Continuous checking to react fast and rely on accurate Information. Production ready Audit Enforce↔ Each configuration can be set in Audit mode, only checking its compliance, of in Enforce mode, to actually apply itself. Don't guess anymore. Know. Rapport Re- médiation
- 12. 12 Key points (2/3) CLI / Code Create new configuration templates. Trigger events. Web Use configuration templates. See compliance. A role-based solution API Automatically add new nodes. Integrate with third party tools.
- 13. 13 CloudServers Desktop Embedded/IoT Mobile Every scales Performance Relay components 2 → > 10 000 Multi-OS (Possible portage on almost every existing OS, except iOS) Cross-platform Physical, VM, cloud, mobile, embedded, … Key points (3/3) Universel
- 14. 14 The desired state concept Defining desired state Cible Imperative Declarative Update openssl package Package openssl always up-to-date Restart ntpd service Ntpd service must be running Copy sshd_config.template file sshd_config file must contain “PermitRootLogin no”
- 15. 15 Audit mode: hello Continuous Auditing! Rudder's lifecycle with continuous {auditing, configuration} Define desired state Distribute to agents OK NOK Check state locally OS-Specific Implementations Report Remediate ? REPEAT
- 16. 16 Features: defining configuration Techniques Ready to use configuration templates
- 17. 17 Features: defining configuration Techniques Ready to use configuration templates A few examples : 1. Users, groups, passwords 2. Software (deb/rpm/exe/MSI) 3. Configurations files (fulls, templates, per line, per section, ...) 4. Services management 5. Application configurations (OpenSSH, Apache HTTPd, IIS, NFS, ...) → For everything else, the Technique Editor
- 19. 19 Features: defining configuration Technical directive examples 1. Auto logout après inactivité 2. Passwords (force, durée de vie, ...) 3. No compilers in production 4. Alert following a distant connexion 5. Software vulnerability Patching GOAL Protect access Protect access Abide by the law IMPLEMENTATION File/register content File/register content Missing package File/register content Installed/up- to-date package Avoid potential exploitations Avoid known exploitations
- 20. 20 Feature: defining configuration Technique Editor (IDE) Create any configuration with primary blocks
- 21. 21 Features: defining configuration Technique Editor (IDE) Create any configuration with primary blocks Package absent Package absent Security directive #2 File enforce Service running Security directive #3 Package present File edit Security directive #1 Corporate security policy Security best practices RULERULE
- 22. 22 Reporting graphique pour analyser en détail un état Rapport agrégé de conformité Compliance report Features: Reporting Detailed reporting by configuration rule
- 23. 23 Features: Reporting Dashboard – overview
- 24. 24 Double validation / Change Requests Features: double validation
- 25. 25 Restauration automatique de la configuration précédente en cas de besoin Features: audit log + rollback Changes automatic tracking
- 26. 26 Network architecture Central server Node Node Node TCP communication (port 5309) File metadata File contents Authentification + encryption (TLS) TCP communication (ports 443 et 514) Protocols: HTTPS, syslog Node Node Node Isolated network zone Relay server Aggregated data Inventory + Reports Configuration policy
- 27. 27 Summary : key points Universal Cross-platform and multi-OS Smallest to biggest scales Lightweight and autonomous agent Production ready Vigilance Audit Enforce↔ Good citizen of the chaintool Key points Role based Interface web / API / CLI User friendly Fast learning curve Advanced extensibility Reporting Re- mediation 2 → > 10 000
- 28. 28 Summary : continuous approach Continuous auditing & configuration Reliable reporting Real-time and continuous analysis KPIs for your IT Time saved Deployment , maintenance, evolutions Management not impacted by park growth Ensured reliability Operational maintenance Controlled changes
- 29. 29 Rudder devops♡ → Culture → Automate → Measure → Share → devops Conbination of « developer » and « operations » (= « system administrator »)
- 30. Normation – 87 rue de Turbigo, 75003 PARIS, France –Normation – 87 rue de Turbigo, 75003 PARIS, France – contact@normation.comcontact@normation.com – +33.1.83.62.26.96 –– +33.1.83.62.26.96 – http://www.normation.com/http://www.normation.com/ Continuous Auditing Continuous Configuration Jonathan CLARKE Co-founder & Product jcl@normation.com