Slide 1

Slide text: CFEngine on Android

Slide 2

Slide text: Summary
01 Android?
02 Android != GNU/Linux
03 Conf Management for Android?
04 CFEngine / Rudder

Slide 3

Slide text: 01 Android?

Slide 4

Slide text: Android?

Notes: I suppose you already know Android :-) You find it in many consumer devices like phones and tablets. It is an OS made by Google, open source (Apache licence). Many manufacturers build devices and customize the OS; Google makes sure that devices are "compatible" (CTS). Do you need configuration tools for your pocket device?

Slide 5

Slide text: Bring Your Own Device (BYOD) (Android?)

Notes: People bring their own devices to work (or work devices home). These devices access corporate network resources and contain sensitive data, so we need to apply a security policy: localisation / wipe, tracking / inventory.

Slide 6

Slide text: Mobile Devices NOT (Android?)

Notes: Android is used on every kind of device, e.g. a bus shelter in Paris: 3 Android screens running an interactive application for the city (tourist info, find a shop open at 11pm, ...). Those devices are connected by Ethernet, with a static IP, a UPS, ... so they are not mobile but more like servers. We need to update the software and change the configuration (ssh keys, fix a bug in libssl, ...).

Slide 7

Slide text: Internet of Things (Android?)

Notes: Android is found on many types of embedded devices. Google has bought Nest, so Android is coming to the Internet of Things. This is a security issue: how do you update and patch those devices? A fridge sending spam (http://www.bbc.co.uk/news/technology-25780908). Bruce Schneier wrote an essay explaining that embedded devices are often shipped with old open source packages and no way for the user to update them: https://www.schneier.com/essay-468.html

Slide 8

Slide text: NEED CONFIGURATION MANAGEMENT (Android?)

Slide 9

Slide text: Genymobile Story (Android?): AOSP -> Customize / Add features -> Genymobile -> Dev Ops? Management?

Notes: A bit of background story. At Genymobile, we build customized Android versions for professional usage (e.g. bus shelters, professional tablets). We take the source code from Google (AOSP), customize it and add / remove features (Ethernet support, proxy, SNMP), make it possible to run a (legacy) binary as root, improve security, ... I am a software engineer, not a sysadmin :-) Customers ask us how to manage the ROM we provide, and there is no real solution out of the box. How hard can it be? Android is just another Linux, just install your favourite configuration management tool.

Slide 10

Slide text: 02 Android is not GNU/Linux

Slide 11

Slide text: Android is not GNU/Linux (Android Challenge)

Notes: How is Android different? Let's see (quickly):
* Linux kernel (patched)
* libc: bionic, not fully POSIX
* Many open source components: sqlite, ssl, webkit, ...
* Some are Google made: X11 => SurfaceFlinger, GStreamer => media framework
* It can run binaries, but all the OS / framework is written in Java: API oriented, with configuration stored in an sqlite db. Example: change the keyboard layout
  * GNU/Linux: edit xorg.conf / restart X
  * Android: API call, sqlite store + the framework sends messages to all applications

Slide 12

Slide text: File System (Android is not GNU/Linux, Android Challenge)

Notes: Not FHS! In /data an application can only see its own folder.
* un-partitioned => kernel, ramfs (contains /)
* / => init script + conf, cannot be modified
* /system => RO, can be remounted RW (need root access)
  * /bin => daemons + toolbox (less than busybox)
  * /lib => libssl.so, libsqlite.so
  * /framework => *.jar
* /data => RW, application data + user configuration, accounts, ... (need root)
  * /data/data/myapp => user application

Slide 13

Slide text: Android is not GNU/Linux (Android Challenge)

Notes: No package management for the system (you cannot update a lib); the package manager is for applications only (Play Store). To update the OS you need to use an OTA:
* download a zip file with the new OS or a binary patch
* reboot in recovery mode, flash the zip
* reboot with the new system

Slide 14

Slide text: HAVE NOT -:( (Android is not GNU/Linux, Android Challenge)

Notes: No Python, no Ruby (at least not easily). Mobile devices: not much RAM, and CPU usage must be kept low => battery. This limits the choice of tools.

Slide 15

Slide text: CHOICE :-) (Android is not GNU/Linux, Android Challenge)

Notes: We can do native C, or Java with limitations (not POSIX, ...).

Slide 16

Slide text: 03 Conf Management for Android: what exists?

Slide 17

Slide text: Google: Device Administrator API (Conf Management for Android): Password Management, Remote Wipe, Force Encryption

Notes: Google targets the "mass market": it makes money with ads and the Play Store, and Android drives users to Google products. There is no enterprise offer (!= RIM). Android has a Device Administrator API. If you set an app to be your Device Administrator, it can do the following (http://developer.android.com/guide/topics/admin/device-admin.html): password management, remote wipe, force encryption.

Slide 18

Slide text: Manufacturer / Solution provider (Conf Management for Android): Private API, Hack

Notes: Some manufacturers have a private API to manage their devices => you buy the phone AND the MDM solution => classic tie-in. Others use various hacks + user help (a popup if a forbidden app is installed).

Slide 19

Slide text: 04 CFEngine + Rudder: can we do better with CFEngine?

Slide 20

Slide text: CFEngine (CFEngine + Rudder): Native code, Porting patches, Android Support

Notes: Native code: light, efficient, written in C => a good match for Android. We needed to solve some compilation issues. We added support for Android (the android:: class) + techniques => patches sent upstream (or in progress).

Slide 21

Slide text: CFEngine (CFEngine + Rudder)

Notes: CFEngine is a native daemon; it runs in the Linux / shell land. The configuration is managed by Android in the Java land.

Slide 22

Slide text: CFEngine (CFEngine + Rudder): JNI, Java Helper, ROM Helper

Notes: JNI: C code that calls Java functions. Java helper: launch a Java "command line tool" from Linux (see the am command on Android). ROM helper.

Slide 23

Slide text: Use The ROM! (CFEngine + Rudder, ROM)

Notes: Create your own Android version:
* Permission: CFEngine needs to run as root. You can root the device and install sudo to launch cfengine, but that is not a clean solution. Write your own ROM and create a clean daemon launched in the init script.
* Management: Android state can be exported as files, and CFEngine is good at managing files. That solves the communication issue (e.g. package whitelist / blacklist).
* Add the features you need and let CFEngine manage them (e.g. proxy).
It can be scary, but it is the only way to master your device: you are free to update it and push security fixes if needed.
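As an added example (not code from the talk), a hypothetical ROM helper in shell for the package whitelist case above: CFEngine manages the whitelist file, and the helper reconciles the installed apps against it and reports back through CFEngine's module protocol. The file path, the script name and the sample `pm` output are assumptions.

```shell
#!/system/bin/sh
# Hypothetical "ROM helper" for the package whitelist idea (added example,
# not code from the talk). CFEngine is assumed to manage the file
# /data/local/cfengine/pkg_whitelist (assumed path, one package name per
# line) and to run this script through its module protocol (usemodule).

# Constructed sample of `pm list packages -3` output, used for offline tests.
SAMPLE_PM_OUTPUT='package:com.example.crm
package:com.example.scanner
package:com.unknown.game'

# Print every package in the pm output that is not listed in the whitelist.
# Args: whitelist file, pm output as a string. Pure, so it is testable without pm.
disallowed_packages() {
    whitelist="$1"; pm_output="$2"
    printf '%s\n' "$pm_output" | sed -n 's/^package://p' | while read -r pkg; do
        # -F: literal match (dots in package names are not wildcards); -x: whole line
        grep -qxF "$pkg" "$whitelist" || printf '%s\n' "$pkg"
    done
}

# Reconcile the device with the whitelist. mode=audit only reports,
# mode=enforce also uninstalls. Output follows the CFEngine module protocol:
# '+class' defines a class and '=var=value' a variable for the calling policy.
enforce() {
    whitelist="$1"; mode="${2:-audit}"
    offenders=$(disallowed_packages "$whitelist" "$(pm list packages -3)")
    [ -n "$offenders" ] || return 0
    count=0
    for pkg in $offenders; do
        if [ "$mode" = enforce ]; then
            pm uninstall "$pkg"
        fi
        count=$((count + 1))
    done
    echo "+android_pkg_disallowed"
    echo "=android_pkg_offender_count=$count"
}

# Usage on the device: rom_pkg_helper.sh /data/local/cfengine/pkg_whitelist enforce
if [ $# -ge 1 ]; then
    enforce "$@"
fi
```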

Slide 24

Slide text: User Friendly (CFEngine + Rudder): Rudder, Inventory, Reporting

Slide 25

Slide text: Rudder (CFEngine + Rudder)

Notes: Rudder has two parts. The server is a web interface to manage all the nodes. The client is cfengine + techniques + an inventory agent (FusionInventory or OCSInventory). When an agent starts, it sends an inventory to the server. You can then search for agents based on the inventory (hostname, MAC, operating system, processor type, ...), and the search result can be used to create groups of nodes.

Slide 26

Slide text: Rudder (CFEngine + Rudder)

Notes: Create a directive, i.e. a "configuration element". For example, this directive makes sure your node uses version 42 of the Android operating system. Directive templates are created so that they are easy to use: here you only select the version number, the server name and the time to update. A non-expert operator can easily use the directive and change some parameters. The role of the expert team is to create the directive (in the cfengine3 language).
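Behind a directive like the one on this slide, and following the OTA steps and the ROM helper idea from the earlier slides, a shell helper of this shape can do the version check and hand the package to recovery. This is an added example, not the talk's code; the argument order, the server layout, the script name and the availability of curl and sha256sum on the ROM are assumptions.

```shell
#!/system/bin/sh
# Hypothetical "ROM helper" behind the "run version 42" directive (added example,
# not code from the talk). Assumptions: the CFEngine commands promise passes the
# wanted build number and the OTA server name; the server publishes
# /ota/<version>.zip and /ota/<version>.zip.sha256 (assumed layout); curl and
# sha256sum were added to the ROM, which you control when you build your own.

# Decide whether an update is needed by comparing the running build with the
# wanted one. Prints "ok" or "update"; pure, so it is testable off-device.
ota_decision() {
    if [ "$1" = "$2" ]; then echo ok; else echo update; fi
}

# The line recovery reads from /cache/recovery/command to know what to flash.
# The path must be reachable from recovery, hence /cache rather than /data/data.
recovery_command() {
    printf '%s\n' "--update_package=$1"
}

# Refuse to hand a package to recovery unless its SHA-256 matches the value
# published with it. Recovery also checks the zip's signature against the keys
# built into the ROM; this is an extra check on the download, not a replacement.
verify_zip() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

main() {
    wanted="$1"; server="$2"; zip="/cache/update.zip"
    current=$(getprop ro.build.version.incremental)
    [ "$(ota_decision "$current" "$wanted")" = update ] || exit 0
    curl -fsS -o "$zip" "https://$server/ota/$wanted.zip"
    expected=$(curl -fsS "https://$server/ota/$wanted.zip.sha256" | cut -d' ' -f1)
    if ! verify_zip "$zip" "$expected"; then
        rm -f "$zip"
        echo "+android_ota_checksum_failed"   # CFEngine module protocol class
        exit 1
    fi
    mkdir -p /cache/recovery
    recovery_command "$zip" > /cache/recovery/command
    reboot recovery   # recovery flashes /cache/update.zip, then reboots into it
}

# Usage from a commands promise: rom_ota_helper.sh 42 ota.example.com
if [ $# -eq 2 ]; then
    main "$@"
fi
```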

Slide 27

Slide text: Rudder (CFEngine + Rudder)

Notes: Finally you apply directives to groups of nodes: "I want every Android device in this group to be on this version of the system". You can then check compliance: whether your devices conform to the directive.

Slide 28

Slide text: Features (CFEngine + Rudder): OTA Update, Package Management, Blacklist, Geofencing, Remote Wipe, Policy enforcement, OS behaviour

Notes: OS behaviour: add a proxy, bring up a VPN with geo data, ...

Slide 29

Slide text:
* cfengine is portable
* you can build it with your ROM
* it helps you manage your Android with your features
Thank you for your time! Questions?
Email: [email protected]
G+: https://www.google.com/+CedricCabessa
Slides: https://speakerdeck.com/cedriccabessa/cfengine-android
Cédric Cabessa
