cfengine-android

Android devices are now everywhere. The tablet is the new laptop and everybody in your company has a smartphone. We also find Android in non-mobile environments like interactive kiosks, infotainment systems, ...

How can we identify, manage and configure those devices?

Even though Android uses a Linux kernel, it is very different from a GNU/Linux system: the C library is not fully POSIX, the filesystem hierarchy is not standard, and most of the configuration is done through a Java API and SQLite files.

However, those challenges can be solved. In this talk we will see how robust and well-known technologies like CFEngine and Rudder can help you manage those new devices.

This talk was given at cfgmgmtcamp.eu 2014.
Slides 1-29 contain the speaker notes.
Slides 30-58 are normal slides (download the file to see them correctly).

Cédric Cabessa

February 04, 2014


Transcript

  1. Android? I suppose you already know Android :-) You find it in many consumer devices like phones and tablets. It is an OS made by Google, open source (Apache licence). Many manufacturers build devices and customize the OS; Google makes sure that devices are “compatible” (CTS). Do you need configuration tools for your pocket device?
  2. Bring Your Own Device (BYOD). People bring their own devices to work (or work devices home). Those devices access corporate network resources and contain sensitive data => need to apply a security policy: localisation / wipe, tracking / inventory.
  3. Mobile devices that are NOT mobile. Android is used on every kind of device, e.g. a bus shelter in Paris: 3 Android screens, an interactive application for the city (tourist info, find a shop open at 11pm, ...). Those devices are connected by Ethernet, static IP, UPS, … => not mobile but more like a server => need to update the software and change configuration (ssh keys, fix a bug in libssl, ...).
  4. Internet of Things. Android is found on many types of embedded devices. Google has bought Nest => Android on the Internet of Things => security issue: how to update and patch those devices? Fridge sending spam (http://www.bbc.co.uk/news/technology-25780908). Bruce Schneier wrote an essay explaining that embedded devices are often shipped with old open source packages and no way for the user to update them (https://www.schneier.com/essay-468.html).
  5. Genymobile story: a bit of background. At Genymobile, we build customized Android versions for professional usage (e.g. bus shelter, professional tablet). We took the source code from Google (AOSP), customized it and added / removed features (Ethernet support, proxy, SNMP), made it possible to run a (legacy) binary as root, improved security, …. I am a software engineer, not a sysadmin :-) Customers asked us how to manage the ROM we provided; there is no real solution out of the box. How hard can it be? Android is just another Linux, just install your favorite configuration management tool. (Slide diagram keywords: AOSP, Customize, Add features, Genymobile Android, Management?, Dev Ops?)
  6. Android challenge: Android is not GNU/Linux. How is Android different? Let's see (quickly):
     * Linux kernel (patched)
     * libc: Bionic, not fully POSIX
     * Many open source components: SQLite, SSL, WebKit, …
     * Some are Google-made: X11 => SurfaceFlinger, GStreamer => media framework
     * It can run binaries, but all the OS / framework is written in Java: API oriented, with configuration stored in SQLite databases. Example: change the keyboard layout. GNU/Linux: edit xorg.conf / restart X. Android: API call, SQLite store + the framework sends messages to all applications.
  7. File system: not FHS! In /data an application can only see its own folder.
     * unpartitioned => kernel, ramfs (contains /)
     * / => init script + conf, cannot be modified
     * /system => RO, can be remounted RW (needs root access)
         bin => daemons + toolbox (less than BusyBox)
         lib => libssl.so, libsqlite.so
         framework => *.jar
     * /data => RW, application data + user configuration, accounts, … (needs root)
         /data/data/myapp => user application
  8. No package management for the system (you cannot update a lib); package management is for applications only (Play Store). To update the OS you need to use OTA:
     * download a zip file with the new OS or a binary patch
     * reboot in recovery mode, flash the zip
     * reboot with the new system
  9. What we do NOT have :-( No Python, no Ruby (at least not easily). Mobile devices: not much RAM, need to take care of CPU usage => battery. This limits the choice of tools.
  10. The choice :-) We can do native C or Java, with limitations (not POSIX, …).
  11. Configuration management for Android, Google: the Device Administrator API. Google targets the “mass market”: it makes money with ads and the Play Store, and Android drives users to Google products. No enterprise offer (unlike RIM). Android has a Device Administrator API. If you set an app to be your Device Administrator, it can do the following (http://developer.android.com/guide/topics/admin/device-admin.html): password management, remote wipe, force encryption.
  12. Configuration management for Android, manufacturers / solution providers. Some manufacturers have a private API to manage their devices => you buy the phone AND the MDM solution => classic tie-in. Others use various hacks + user help (popup if a forbidden app is installed).
  13. CFEngine + Rudder: porting CFEngine. Native code: light, efficient, written in C => good match for Android. Need to solve some compilation issues. Add support for Android (android:: class) + techniques ⇒ patches sent upstream (or in progress).
  14. CFEngine: native daemon, runs in the Linux / shell land. Configuration: managed by Android in the Java land.
  15. Bridging the two lands: JNI, Java helper, ROM helper. JNI: C code that calls Java functions. Java helper: launch a Java “command line tool” from Linux (see the am command on Android). ROM helper:
  16. Use the ROM! Create your own Android version:
     * permissions: CFEngine needs to run as root. You can root the device and install sudo to launch cfengine, but that is not a clean solution. Write your own ROM and create a clean daemon launched from the init script.
     * management: Android state can be exported as files, and CFEngine is good at managing files. This solves the communication issue (e.g. package whitelist / blacklist).
     * add the features you need and let CFEngine manage them (e.g. proxy).
     It can be scary, but it is the only way to master your device: you are free to update it and push security fixes if needed.
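An added example of what slides 14 to 16 describe (this is not code from the talk or from the Genymobile ROM): a CFEngine 3 bundle running as root from the ROM's init script that owns an exported state file under /data and calls the Java-land `settings` and `am` tools from the Linux land. The file path /data/etc/pkg_blacklist, the broadcast action com.example.CONFIG_CHANGED and the proxy value are assumptions made for the example; `settings get/put global http_proxy` assumes Android 4.2 or later, where the `settings` command and the global `http_proxy` key exist, and the standard library path assumes CFEngine 3.5+.

```cfengine
# Added example, not the talk's code. Assumes cf-agent runs as root from the
# ROM's init script and that the ROM exports package blacklisting as a plain
# file the framework re-reads on a broadcast (path and action are hypothetical).

body common control
{
  bundlesequence => { "android_policy" };
  inputs         => { "$(sys.libdir)/stdlib.cf" };   # insert_lines, mog, empty, if_repaired
}

bundle agent android_policy
{
  vars:
    "blacklist_file" string => "/data/etc/pkg_blacklist";             # assumption
    "blacklist"      slist  => { "com.example.game", "com.example.chat" };
    "proxy"          string => "proxy.corp.example:3128";             # assumption
    # Read the Java-land value through the settings tool (Android >= 4.2);
    # "null" comes back when no proxy is set, which also triggers the fix.
    "current_proxy"  string => execresult("/system/bin/settings get global http_proxy", "noshell");

  classes:
    "proxy_wrong" not => strcmp("$(current_proxy)", "$(proxy)");

  files:
    # Exported state: the framework reads this file, cf-agent owns its content.
    "$(blacklist_file)"
      create        => "true",
      perms         => mog("0644", "root", "root"),
      edit_defaults => empty,
      edit_line     => insert_lines("@(android_policy.blacklist)"),
      classes       => if_repaired("blacklist_changed");

  commands:
    proxy_wrong::
      # Java "command line tool" launched from the Linux side, like am
      "/system/bin/settings put global http_proxy $(proxy)"
        classes => if_repaired("proxy_changed");

    blacklist_changed::
      # Tell the framework to re-read the exported file (hypothetical action)
      "/system/bin/am broadcast -a com.example.CONFIG_CHANGED --es file $(blacklist_file)";

  reports:
    proxy_changed::     "Global HTTP proxy set to $(proxy)";
    blacklist_changed:: "Package blacklist rewritten: @(blacklist)";
}
```

The bundle is convergent: on a second run `settings get` already returns the wanted value, the file is byte-identical, and no command or broadcast fires. CFEngine's normal ordering (vars, classes, files, then commands) is what guarantees the file is rewritten before the broadcast that asks the framework to reload it.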
  17. Rudder. Rudder has two parts: the server is a web interface to manage all the nodes; the client is CFEngine + techniques + an inventory agent (FusionInventory or OCS Inventory). When an agent starts, it sends an inventory to the server. Then you can search for agents based on the inventory (hostname, MAC, operating system, processor type, …). The search result can be used to create groups of nodes.
  18. Create a directive, i.e. a “configuration element”. For example, this directive makes sure your node uses version 42 of the Android operating system. Directive templates are created to be easy to use: here you select only the version number, the server name, and the time to update. A non-expert operator can easily use the directive and change some parameters. The role of the expert team is to create the directive (in CFEngine 3 language).
  19. Finally you apply directives to groups of nodes: “I want every Android device in this group to be on this version of the system”. You can check compliance: whether your devices are responding to the directive.
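The "version 42" directive of slides 18 and 19, with the three parameters its template exposes (version, server, update time), combined with the OTA flow of slide 8, written directly as a CFEngine 3 bundle. This is an added example, not a Rudder technique from the talk. Assumptions for the example: the ROM stores its version in the `ro.build.version.incremental` property, the update zip is published on the policy server under /var/rudder/ota/ (a hypothetical path the server must grant access to), the recovery honours the standard AOSP /cache/recovery/command file, and the update window is the hard time class Hr02 (02:00 to 02:59 local time).

```cfengine
# Added example, not the talk's code. Runs as root from the ROM (slide 16).

body common control
{
  bundlesequence => { "android_ota" };
  inputs         => { "$(sys.libdir)/stdlib.cf" };   # remote_dcp, insert_lines, empty, if_ok
}

bundle agent android_ota
{
  vars:
    # The three parameters a non-expert operator fills in the directive
    "wanted_version"  string => "42";
    "server"          string => "rudder.corp.example";       # assumption
    "window"          string => "Hr02";                      # hard class for 02:00-02:59

    "update_zip"      string => "/cache/update-$(wanted_version).zip";
    # Where this ROM keeps its version (assumption for the example)
    "current_version" string => execresult("/system/bin/getprop ro.build.version.incremental", "noshell");

  classes:
    "up_to_date" expression => strcmp("$(current_version)", "$(wanted_version)");
    "in_window"  expression => "$(window)";

  files:
    !up_to_date::
      # Stage the OTA package ahead of the window; digest compare keeps it idempotent
      "$(update_zip)"
        copy_from => remote_dcp("/var/rudder/ota/update-$(wanted_version).zip", "$(server)"),
        classes   => if_ok("zip_staged");

    !up_to_date.zip_staged.in_window::
      # Standard AOSP recovery control file: one option per line
      "/cache/recovery/command"
        create        => "true",
        edit_defaults => empty,
        edit_line     => insert_lines("--update_package=$(update_zip)"),
        classes       => if_ok("recovery_armed");

  commands:
    recovery_armed::
      # Reboot into recovery, which flashes the zip and reboots (slide 8)
      "/system/bin/reboot recovery";

  reports:
    up_to_date::
      "Compliant: running version $(wanted_version)";
    !up_to_date.!in_window::
      "Version $(current_version) != $(wanted_version), staged, waiting for window $(window)";
}
```

Outside the window a non-compliant node only stages the zip and reports the drift, which is what the compliance view of slide 19 shows; inside the window it arms the recovery and reboots, and after the update the same bundle evaluates to `up_to_date` and reports compliance. Because the zip is fetched with a digest compare, a device that lost power mid-download simply resumes on the next agent run instead of flashing a truncated package.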
  20. Features: OTA update, package management, blacklist, geofencing, remote wipe, policy enforcement, OS behaviour. OS behaviour: add a proxy, bring up a VPN with geo data, ….
  21. Conclusion:
     * CFEngine is portable
     * you can build it with your ROM
     * it helps you manage your Android with your features
     Thank you for your time! Questions? Email: [email protected] G+: https://www.google.com/+CedricCabessa Slides: https://speakerdeck.com/cedriccabessa/cfengine-android Cédric Cabessa