A RUDDER walkthrough: manage your configurations through compliance

by Rudder

Slide 1

Slide 1 text

RUDDER WALKTHROUGH  1

Slide 2

Slide 2 text

RUDDER INTRODUCTION  2

Slide 3

Slide 3 text

Introduction The goal is to give you an idea of what it’s like to work with RUDDER • Start from the basics but quickly go to more interesting parts • Focus on new features for people who already know RUDDER •  3

Slide 4

Slide 4 text

What’s RUDDER? Configuration Management? • Yes, but automating configuration is not enough! • Built on configuration management abilities •  4

Slide 5

Slide 5 text

What’s RUDDER? RUDDER is a tool that allows: Configuring systems • Auditing systems • Maintaining security guidelines • Providing compliance reports •  5

Slide 6

Slide 6 text

Technically A central server containing: • A git repo with all configuration templates • A database of managed nodes with complete inventories • A database of reporting about whats happens on the managed systems • An agent on each managed system, that downloads and applies the policies •  6

Slide 7

Slide 7 text

Architecture  7

Slide 8

Slide 8 text

What’s RUDDER? A Rudder node is a machine managed by Rudder. In order to manage a machine with Rudder you need to: Install the Rudder agent on it • Configure the agent, to set its reference server (called its policy server) • Accept the machine on the server •  8

Slide 9

Slide 9 text

Our goal today Deploy and configure osquery on our infrastructure • Ensure our configuration complies with CIS guidelines • Provide eﬀicient compliance visualization •  9

Slide 10

Slide 10 text

POLICY DESIGN  10

Slide 11

Slide 11 text

General dev process Everything can be done from the same interface. Classify nodes with groups • Design the policy templates named techniques • Creates instances of the templates called directives • Apply policy instances to groups using rules • Check outcome • … Repeat! •  11

Slide 12

Slide 12 text

NODES AND GROUPS  12

Slide 13

Slide 13 text

Nodes A node is a computer with a Rudder agent • Includes inventory and configuration agent • Inventory is there for classification (and source of config data) •  13

Slide 14

Slide 14 text

Node properties Node properties are node data filled by the user Key- value store associated to each node, Values can be: Configurable from: String • JSON • Web interface • API • Third party plugins •  14

Slide 15

Slide 15 text

Node properties Usable in: Groups • Search • Configuration data •  15

Slide 16

Slide 16 text

Machines classiﬁcation - Groups The server has a very precise knowledge about the nodes • Hardware • So ware • Network •  16

Slide 17

Slide 17 text

Managed machines classiﬁcation - Groups Classification is done on server side: nodes only have access to what they have to apply • security • visibility • Group = search criteria over inventory data •  17

Slide 18

Slide 18 text

Design groups Group hierarchy by layers • By OS • By location: DC, cloud provider, etc. • By application • etc. • Group intersection •  18

Slide 19

Slide 19 text

Let’s build groups! Nothing more complicated than this! By OS • By site (using a property) •  19

Slide 20

Slide 20 text

Techniques Generic policy template • Configurable • Can embed files • (=playbook, modules, etc.) • Uses core system resources (file, services, packages, etc.) •  20

Slide 21

Slide 21 text

Types of techniques Standard techniques: built and editable with the technique editor • Pre-built techniques: part of base install or in a plugin • Ready to use • Not modifiable •  21

Slide 22

Slide 22 text

Pre-built techniques Let’s have a look at techniques coming with Rudder •  22

Slide 23

Slide 23 text

Techniques Now we’ll create a technique by ourselves. •  23

Slide 24

Slide 24 text

Generic methods A generic method is: a basic building block of techniques • an elementary state of the system • independent of the underlying system • a state, not an action (mostly) •  24

Slide 25

Slide 25 text

Generic methods Some generic methods do not define a state: Actions • service restart • command execution • Variable definition • from a file • from a command • Condition definition • see later •  25

Slide 26

Slide 26 text

Conditions A condition express when the generic method must be applied. Examples: We are on a Debian 9 system • The the ntp package is installed • The content of the configuration file has just been modified • etc. •  26

Slide 27

Slide 27 text

Conditions Condition can limit where a method must be applied : This enables writing policies compatible with diﬀerent operating systems. debian • debian_9 • centos • systemd •  27

Slide 28

Slide 28 text

Conditions Condition can limit when a method must be applied : This enables using actions (like service restart) by limiting them to a specific context package_present_ntp_repaired • file_content__etc_ntp_conf_repaired • Hr00.Min00_05 •  28

Slide 29

Slide 29 text

Conditions Every method will define a result condition that is one of the conditions displayed in method details: It can be: Success: When the state was already compliant • Repaired: When the state has been modified by the agent to become compliant • Error: When the expected state could not be reached •  29

Slide 30

Slide 30 text

Conditions Conditions can be combined using boolean operators: ! for not • | for or • . for and • ( and ) for grouping •  30

Slide 31

Slide 31 text

osquery technique We need to install osquery first • Let’s build a technique using the technique editor! • We need to keep two parameter configurable: tls_client_cert and tls_client_key • We want it to work on both CentOS and Ubuntu systems (at least) • Let’s do it •  31

Slide 32

Slide 32 text

Techniques resources Allow to encapsulate liked files • Automatically copied where the technique is applied • File browser • Special variable to access local file path •  32

Slide 33

Slide 33 text

Techniques design Think about parameters you need • A technique should not depend on anything external •  33

Slide 34

Slide 34 text

Techniques design Report component: Useful for: By default, uses the generic method name • Can be improved and customized • Documentation • Quick access (multiple editions on the same file) • Compliance •  34

Slide 35

Slide 35 text

Common problem in techniques Hardcode things • Rely on external data • Conditions when not necessary •  35

Slide 36

Slide 36 text

Directives Document et organize for the future with: Policy instances, appliable • = technique + parameters • Will bring the specificities • brings the data • Markdown description • Tags •  36

Slide 37

Slide 37 text

Let’s create one For our osquery installation and configuration • Provide values (cn be hardcoded or variables) • Provide a default value for … • Now overridable using node properties •  37

Slide 38

Slide 38 text

Quick search Access anything! • Small query syntax (similar to github) • in:node is:hostname •  38

Slide 39

Slide 39 text

Rules Business logic •  39

Slide 40

Slide 40 text

CIS rules We’ll use a plugin for this! It provides directly appliable policies. •  40

Slide 41

Slide 41 text

POLICY APPLICATION  41

Slide 42

Slide 42 text

Policy generation Then the node will download their policies, and apply them. Compute the policy to apply on each node • Asynchronous (compute everything, then distribute) • Based on all available information • Checks for undefined variables in directive parameters • Computes expected reports (to track missing reports) • You can trigger it from the server • Even automatically •  42

Slide 43

Slide 43 text

Policy generation Generating policies has several qualities: Nodes only have access to what they need • Checking for errors (inconsistent policies, undefined variables, etc.) on the server, and avoid breaking locally •  43

Slide 44

Slide 44 text

Local application The agent: You can run it with rudder agent run -u Downloads the policies • Applies them locally • Either in enforce • Or audit mode •  44

Slide 45

Slide 45 text

Local application Interesting local tracability features: rudder agent history • rudder agent log • rudder agent diff •  45

Slide 46

Slide 46 text

Debugging Compliance view • Technical logs • Remote run from Compliance tab • rudder agent run -i • rudder directive run -i/-v •  46

Slide 47

Slide 47 text

Reporting When the agent runs, it generates a run log, which contains what it did and the state of the diﬀerent checked components. This report is transmitted to the server which stores it. You can access these in: The server knows which reports are expected, and will indicate all discrepancies. ("No news is good news" is not enough for compliance) Explicit better than implicit Changes graphs by rule • Technical log by nodes •  47

Slide 48

Slide 48 text

Let’s add a new node! It’s an existing prod node • Should be already correct • Let’s check with audit mode • Then switch to enforce •  48

Slide 49

Slide 49 text

Acceptation Inventory: A new agent automatically sends its inventory to its server • The server will then treat it and display node as a pending node • You can then either accept • or refuse it. • Note: a Rudder ID is the node’s unique identifier in UUID format. • It looks like b409510a-c6b1-48fc-b8d4-e6be080a773a • You can see it in rudder agent info output •  49

Slide 50

Slide 50 text

Pending nodes Once your node is accepted: 1. Its policies will be computed 2. They will be made available to the node 3. The node will start applying them 4. The node will report to the server 5. The server will display compliance  50

Slide 51

Slide 51 text

Audit mode Avoid making any changes on a node • Because it is sensitive • Because of an update freeze • Test a directive before applying it everywhere • Set audit mode then change it to enforce • Audit configurations without enforcing them • Set audit mode permanently •  51

Slide 52

Slide 52 text

Audit mode Audit mode can be changed from • a global setting, used as a default value for other places • a node specific setting, that overrides the global setting • a directive specific setting, that overrides the global setting • If audit and enforce settings conflict, audit always wins! •  52

Slide 53

Slide 53 text

Compliance Computed from reports • Gives visibility •  53

Slide 54

Slide 54 text

COMPLIANCE & TRACABILITY  54

Slide 55

Slide 55 text

Event log All changes made to the applied configuration are stored (forever!) Everything is traced •  55

Slide 56

Slide 56 text

Imagine we want to know who created the osquery directive Let’s have a look! •  56

Slide 57

Slide 57 text

INTEGRATIONS  57

Slide 58

Slide 58 text

Integrations Plugins (come to Felix’s talk!) • Monitoring (Zabbix, Centreon) • Automation (Rundeck, Ansible) • Features (notification, etc.) • Full API (including policy definition) • For anything else! •  58

Slide 59

Slide 59 text

API Everything visible in the Web interface (and more!= is available through the API)  59

Slide 60

Slide 60 text

Let’s extract some compliance in a spreadsheet We want CIS compliance as a speadsheet file.  60

Slide 61

Slide 61 text

We can use a jq ﬁlter curl -k -H "X-API-Token: 26KVA5KASlyTyvgdTEtbSSK0xeepy77p" -X GET 'https://localhost/rudder/api/latest/compliance/rules' | jq '.data.rules[] | select(.name == "CIS - redhat7") | .compliance'  61

Slide 62

Slide 62 text

QUESTIONS?  62

Slide 63

Slide 63 text

Thank you! Workshop tomorrow with a more detailed introduction and hands-on • docs.rudder.io • chat.rudder.io (or #rudder on freenode!) •  63