
What’s new in RUDDER and future roadmap

February 04, 2020


🎥 https://www.youtube.com/watch?v=SItG1ErWZpo
🧑 Alexandre Brianceau
📅 Configuration Management Camp 2020

In 2019, we released only one major version. After 5.0, we moved on to... 6.0!

What has happened in RUDDER since CfgMgmtCamp 2019? Let's discover this new version together, as well as all the new plugins: Ansible, OpenSCAP, Zabbix... And finally, let's discuss the next developments of RUDDER for 2020!




  1. RUDDER 5.0
    RUDDER 5.0 is the current stable release.
    Main focus in the last minor versions:
    ➔ Adding osquery as variable source
    ➔ Technique categories can be renamed
    ➔ Scalability and performance
    ➔ Bug fixes
    ➔ Plugin’s architecture stabilization
    Supported for Community users until March 9th, 2020
    Supported for Standard users until June 9th, 2020
    Supported for Premium users until September 9th, 2020
    - page 3
  2. Semantic versioning
    We stabilize our versioning, inspired by https://semver.org/
    ▪ Major (example: 6.0.0) - Impactful new features, which may be unstable
    ▪ Minor (example: 6.1.0) - New features with low production environment risks
    ▪ Patch (example: 6.1.4) - Only bug and security fixes
    So please be careful with major new releases, and read the changelog before upgrading.
    - page 5
  3. RUDDER 6.0
    Enhanced communication protocol (aka Protocol v2)
    ➔ Syslog is no longer used in RUDDER. No more interference with local systems
    ➔ HTTPS protocol, with compression (TLS 1.2+ forced for all communications)
    ➔ Reports are signed and inserted in a single transaction
    ➔ More details and logs from the agent, for a better understanding of events on the Server (and easier debugging)
    WARNING: Currently (6.0), HTTP reporting is not compatible with the “Change Only” node communication mode (but it will be added in the near future)
    Technique resources
    ➔ Adding versioned resources (files) to the Technique Editor
    ➔ Better traceability and coherence, no more shared files
    ➔ Only internal (private) API until it is stabilized
    - page 6
  4. RUDDER 6.0
    Node certificate
    ➔ Each node has its own certificate
      ◆ Reports are signed
      ◆ Unique ID for inventory (inventory signed with certificate key)
    ➔ You can use your own CA too
    ➔ New API to manage node’s certificate (e.g. renewal)
    RUDDER agent provisioning migrated to bootstrap
    ➔ Initial promises during agent provisioning bring a lot of issues, now the provisioning is bootstrapped
    ➔ Lighter and quicker, with default parameters pulled from the server, immediate inventory on first run
    - page 8
  5. RUDDER 6.0
    Better performance for scalability
    ➔ HTTP reporting
      ◆ Less stress on database: one insert per node run
      ◆ More efficient network usage (compressed data)
    ➔ Architectural changes
      ◆ ZIO - allows for better composability and optimisation
    ➔ Tuning
      ◆ Options to set number of threads, which actions, etc
    ➔ Tests are in progress to identify regressions or bottlenecks
    Relay API rewritten in Rust
    ➔ Better performance, more secure, more reliable for the future
    ➔ New API available (report management & inventory) that will be extended in the future
    ➔ Runs as non-root and read-only (except reports and inventory)
    - page 9
  6. RUDDER 6.0
    Per user filter added to Validation Workflow
    ➔ “I want to validate all my interns' changes in RUDDER before they are applied to production”
    AWS properties managed by Inventory Hook
    ➔ AWS properties as RUDDER Node properties
    All our services are now systemd units: RUDDER Agent & Server
    Graphical remote run
    ➔ Directly through the UI, but network flows need to be opened
    Python 3 used on server
    - page 11
  7. RUDDER 6.0
    For your information: Starting process to package Techniques
    ➔ We want to publish additional Rules and Techniques besides RUDDER “core” - they will be distributed through plugins
    ➔ These plugins are based on a public import/export techniques API from the Technique Editor
      ◆ This API is in Alpha, not stable at all
      ◆ This API will not be documented until it is more stable
    ➔ This approach allows us to test a first real-life usage of the API through these plugins
    - page 12
  8. RUDDER 6.0
    New / updated Generic Methods are available
    ➔ Zypper patterns are now handled in the Technique “Package”
    ➔ osquery can now be used as variable source in the Technique Editor
    - page 13
  9. RUDDER 6.0
    New / updated plugins
    ➔ Creation node API
      ◆ Register nodes in advance in RUDDER
      ◆ Useful during automatic provisioning
    ➔ User management is updated
      ◆ Users can now be managed through the WebUI
      ◆ No restart needed anymore
    ➔ Ansible (run a playbook from a Generic Method)
    ➔ OpenSCAP (execute a policy and get a report in node details)
    ➔ Zabbix & Centreon (auto-registration, applying monitoring templates, monitor RUDDER services)
    - page 14
  10. RUDDER 6.0
    CIS plugin
    ➔ Distribution of ready-to-use CIS rules
    ➔ Only a subset of CIS currently (~70% from C2S)
    ➔ Focus on Redhat and Debian (and soon Ubuntu)
    - page 16
  11. RUDDER 6.0
    Vulnerability Assessment (CVE) plugin
    ➔ Based on vendor’s CVE (from Vulners API)
    ➔ First version that lists nodes vulnerable to CVEs
    ➔ Filter on CVE severity
    ➔ Still in active development for vulnerability assessment logs and historization, and automatic remediation
    - page 17
  12. RUDDER 6.1
    ETA: 2020Q2
    Stabilize and enhance security plugins
    ➔ CIS rules
    ➔ CVE Assessment
    ➔ OpenSCAP
    Technique Editor and Technique Library enhancement
    ➔ Technique categories in the Technique Editor
    ➔ Technique tags (to link a technique to a CIS chapter, for example)
    Other plugins enhancement
    ➔ Scale out UI (promote a node to relay, node’s list)
    ➔ Branding can get your logo
    And probably more, but less visible, enhancements.
    - page 19
  13. And later?
    Maybe a 6.2, more probably a 7.0
    ➔ ETA 2020Q4
    General strategy for RUDDER
    ➔ Facilitate interactions between Security & Ops teams
      ◆ Enhance workflows and risk assessments
      ◆ Speed up risk mitigation (vulnerability scanners integration…)
      ◆ Better compliance (observability, historized data accessible through API, SIEM interactions…)
      ◆ Detecting illegitimate changes
    ➔ Strengthen large & strategic IT configuration management
      ◆ Roll out and ramp up
      ◆ Delegation rights
      ◆ RUDDER language for a better expert onboarding and a better configuration flexibility
      ◆ Performance and scalability
    - page 20