Designing, applying and keeping track of security-oriented rules for your IT infrastructure can be a time-consuming, costly and approximate job. Whether you're in charge of defining the policy, implementing it or checking for discrepancies, you'll be aware that all of this takes time, often out-of-hours time, that there is a lot of room for error and usually a considerable gap between ideals and reality - just how big a gap may or may not be shared with everyone involved.
This talk will show how Rudder, an open source stack for automating configuration and auditing, can be used to ease and improve on several of these issues. Topics covered will include deploying identical settings everywhere, saving time for multiple changes, near real-time auditing of actual settings, gaining global overview to help analyze vulnerability impacts, and improved reactivity. I will include real-life examples and feedback from several companies where this has been put into action, including benefits (of course) and shortcomings (because there are always some).
The aim of this session is to discuss methods and the approach of automation applied to this field, while demonstrating and giving feedback on some of the possibilities offered by Rudder. I hope to avoid being side-tracked into talking about detailed security recommendations, sticking to simple best practices for the sake of examples, thus focusing on the approach.
Automating security policies (compliance) with Rudder
1. Automating security policies
From deployment to auditing with Rudder
Jonathan CLARKE – jcl@normation.com Normation – CC-BY-SA
normation.com
2. Who am I?
● Jonathan Clarke
● Job: Co-founder and CTO at Normation
● Line of work:
– Initially system administration, infrastructure management...
– Now a whole load of other stuff!
● Free software:
– Co-creator of Rudder
– Developer in several LDAP projects: LSC, LTB, OpenLDAP …
– Contributor to CFEngine
Contact info
Email: jcl@normation.com
Twitter: @jooooooon42 (that's 7 'o's!)
3. Context
IT infrastructure
4. Context
Automation
5. Context
Motivations:
- Avoid human error
- Build new hosts quickly
- Rebuild hosts quickly
- Scale out quickly
7. What about compliance?
IT infrastructure
Compliance?
8. What about compliance?
Motivations:
- Get a complete overview
- Get an objective overview
- Know about config drift
- Prove compliance
9. What about compliance?
IT infrastructure
Compliance to what?
10. What about compliance?
Rules come from everywhere:
- Industry regulations
- Corporate regulations
- Laws
- Best practices
11. What about compliance?
Practical examples:
- MOTD “warning”
- Password policy
- Tripwire (disk contents)
- Enforce some parameters in a service
12. How is this different from “just” automation?
Automation vs Compliance
How different is this technically?
13. How is this different from “just” automation?
Frequency
The more often you check, the more reliable your compliance reporting is.
How can you reach this goal?
- Lightweight, efficient agent
- Run “slow” checks in the background (file copying over network...)
- Focus on the security checks; reporting can be done later
14. How is this different from “just” automation?
All or nothing
Compliance matters on each and every system. Not “most”. All of them.
How can you reach this goal?
- Make sure you know what systems exist: rely on an inventory DB
- Support all the {old,weird,buggy} {OS,software,versions}
- Two systems may be alike on paper; they very rarely are in reality.
15. How is this different from “just” automation?
You cannot get it wrong.
You cannot get it wrong.
You cannot get it wrong.
If you care about compliance, “prod” is usually pretty real.
How can you reach this goal?
Fake ID + prebook flight to Cayman Islands?
16. How is this different from “just” automation?
How can you reach this goal?
- Don't touch stuff you don't need to. Be specific. (One line in a file?)
- Start with no changes. Just check. Dry-run? Cover full cycles (days, weeks, months...)
- Classic quality control (reviews...)
17. So, what have we actually done?
Applied these principles in
18. Introducing Rudder
http://rudder.cm/
- Specifically designed for automation & compliance
- Based on CFEngine 3
- Multi-platform
- Open Source (packaged for each OS)
- Simplified user experience via a Web UI
- Graphical reporting
Vagrant config to test:
https://github.com/normation/rudder-vagrant/
20. Key points for security compliance
- Continuous checking (every 5 minutes): high frequency, trust in compliance reporting
- Separate configuration from implementation: reuse implementations, fewer bugs, shared code... Clear separation of roles
- Multi-platform (Linux, Unix, Windows, Android...): cover as many systems as possible
- Reporting done after the checks, as a separate process: avoid bottleneck, different report types
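To make the "method vs parameters", "just check, then enforce" and "report separately" points concrete, here is an added example (not Rudder's or CFEngine's code): a generic "key value line present in a file" method, parameterised with the file content and the wanted settings, run first in audit mode and then in enforce mode, with reporting as a separate step. The sshd_config fragment is constructed sample input.

```python
"""Added illustration of Rudder's approach, not its implementation:
one reusable method (ensure 'key value' lines), parameters supplied
separately, an audit-only dry run before any enforcement, and a
reporting step decoupled from the check itself."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Check:
    key: str        # configuration keyword, matched case-insensitively
    expected: str   # value the policy requires

def audit_or_enforce(text, checks, enforce=False):
    """Evaluate `checks` against `text` ('key value' lines, sshd_config style).
    Returns (new_text, results); results maps key -> one of
    'compliant', 'non-compliant' or 'repaired'. In audit mode the text
    is returned unchanged even when drift is found (the dry run)."""
    lines = text.splitlines()
    results = {}
    for c in checks:
        pattern = re.compile(rf"^\s*{re.escape(c.key)}\s+(\S+)", re.IGNORECASE)
        idx = next((i for i, l in enumerate(lines) if pattern.match(l)), None)
        actual = pattern.match(lines[idx]).group(1) if idx is not None else None
        if actual is not None and actual.lower() == c.expected.lower():
            results[c.key] = "compliant"
        elif enforce:
            wanted = f"{c.key} {c.expected}"
            if idx is None:
                lines.append(wanted)        # missing: add the line
            else:
                lines[idx] = wanted         # wrong value: rewrite in place
            results[c.key] = "repaired"
        else:
            results[c.key] = "non-compliant"  # audit mode: record, do not touch
    return "\n".join(lines) + "\n", results

def report(results):
    """Separate reporting step over collected results (no re-checking)."""
    total = len(results)
    ok = sum(1 for s in results.values() if s == "compliant")
    return {"total": total, "compliant": ok,
            "percent": round(100 * ok / total) if total else 100}

# Constructed sample sshd_config fragment and policy parameters
SAMPLE = "Port 22\nPermitRootLogin yes\nX11Forwarding no\n"
CHECKS = (Check("PermitRootLogin", "no"),
          Check("PasswordAuthentication", "no"),
          Check("X11Forwarding", "no"))

if __name__ == "__main__":
    _, audited = audit_or_enforce(SAMPLE, CHECKS)   # dry run: 1 of 3 compliant
    print(audited, report(audited))
    fixed, enforced = audit_or_enforce(SAMPLE, CHECKS, enforce=True)
    print(enforced, fixed)
```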
21. Rudder - workflow
[Workflow diagram] Management defines the security policy and handles changes (fixes, upgrades...). Community and Expert contributors provide the technical abstraction (method vs parameters). Sysadmins configure the parameters. The configuration agent performs the initial application and continuous verification, feeding REPORTING.
22. Final thoughts
Summary:
- Security compliance is a very demanding type of automation
- Possible today with open source tools
- Main issue is about how you use them!
Next steps?
- Authorizations: who can change which parameters?
(law vs regulations vs policy...)
- Correlate with monitoring data: determine root causes, cross effects...
It works but the tools can be improved:
- detect changes (inotify?) - even 1 minute not always enough
- dry-run iterations automatically?
23. Questions?
Follow us on Twitter:
@RudderProject