What’s new in RUDDER and future roadmap

Rudder
February 04, 2020

🎥 https://www.youtube.com/watch?v=SItG1ErWZpo
🧑 Alexandre Brianceau
📅 Configuration Management Camp 2020

In 2019, we released only one major version. After 5.0, we moved on to... 6.0!

What has happened in RUDDER since CfgMgmtCamp 2019? Let's discover this new version together, as well as all the new plugins: Ansible, OpenSCAP, Zabbix... And finally, let's discuss the next developments of RUDDER for 2020!

Transcript

  1. Alexandre BRIANCEAU
    Business Development Director
    What’s new in RUDDER? and future roadmap...
    CONTINUOUS AUDITING & CONFIGURATION

  2. So far so good...

  3. RUDDER 5.0
    RUDDER 5.0 is the current stable release
    Main focus in the last minor versions:
    ➔ Adding osquery as variable source
    ➔ Technique categories can be renamed
    ➔ Scalability and performance
    ➔ Bug fixes
    ➔ Plugin architecture stabilization
    Supported for Community users until March 9th, 2020
    Supported for Standard users until June 9th, 2020
    Supported for Premium users until September 9th, 2020

  4. Semantic versioning

  5. Semantic versioning
    We stabilize our versioning, inspired by https://semver.org/
    ▪ Major (example: 6.0.0)
    - Impactful new features, which may be unstable
    ▪ Minor (example: 6.1.0)
    - New features with low production environment risks
    ▪ Patch (example: 6.1.4)
    - Only bug & security fixes
    So please be careful with major new releases, and read the changelog before upgrading.

  6. RUDDER 6.0
    Enhanced communication protocol (aka Protocol v2)
    ➔ Syslog is no longer used in RUDDER. No more interference with local systems
    ➔ HTTPS protocol, with compression (TLS 1.2+ forced for all communications)
    ➔ Reports are signed and inserted in a single transaction
    ➔ More details and logs from the agent, for a better understanding of events on the Server (and easier debugging)
    WARNING: Currently (6.0) HTTP reporting is not compatible with “Change Only” node communication mode (but it will be added in the near future)
    Technique resources
    ➔ Adding versioned resources (files) to the Technique Editor
    ➔ Better traceability and coherence, no more shared files
    ➔ Only internal (private) API until it is stabilized

  7. RUDDER 6.0
    Technique resources

  8. RUDDER 6.0
    Node certificate
    ➔ Each node has its own certificate
    ◆ Reports are signed
    ◆ Unique ID for inventory (inventory signed with certificate key)
    ➔ You can use your own CA too
    ➔ New API to manage node certificates (e.g. renewal)
    RUDDER agent provisioning migrated to bootstrap
    ➔ Initial promises during agent provisioning caused a lot of issues; provisioning is now bootstrapped
    ➔ Lighter and quicker, with default parameters pulled from the server, immediate inventory on first run

  9. RUDDER 6.0
    Better performance for scalability
    ➔ HTTP reporting
    ◆ Less stress on database: one insert per node run
    ◆ More efficient network usage (compressed data)
    ➔ Architectural changes
    ◆ ZIO - allows for better composability and optimisation
    ➔ Tuning
    ◆ Options to set number of threads, which actions, etc.
    ➔ Tests are in progress to identify regressions or bottlenecks
    Relay API rewritten in Rust
    ➔ Better performance, more secure, more reliable for the future
    ➔ New API available (report management & inventory) that will be extended in the future
    ➔ Runs as non-root and read-only (except reports and inventory)

  10. RUDDER 6.0
    Enhanced Technique Editor interface

  11. RUDDER 6.0
    Per user filter added to Validation Workflow
    ➔ “I want to validate all my interns' changes in RUDDER before they are applied to production”
    AWS properties managed by Inventory Hook
    ➔ AWS properties as RUDDER Node properties
    All our services are now systemd units: RUDDER Agent & Server
    Graphical remote run
    ➔ Directly through the UI, but network flows need to be opened
    Python 3 used on server

  12. RUDDER 6.0
    For your information: Starting process to package Techniques
    ➔ We want to publish additional Rules and Techniques besides RUDDER “core” - they will be distributed through plugins
    ➔ These plugins are based on a public import/export techniques API from the Technique Editor
    ◆ This API is in Alpha, not stable at all
    ◆ This API is not documented until it is more stable
    ➔ This approach allows us to test a first real-life usage of the API through these plugins

  13. RUDDER 6.0
    New / updated Generic Methods are available
    ➔ Zypper patterns are now handled in the Technique “Package”
    ➔ osquery can now be used as variable source in the Technique Editor

  14. RUDDER 6.0
    New / updated plugins
    ➔ Creation node API
    ◆ Register nodes in RUDDER in advance
    ◆ Useful during automatic provisioning
    ➔ User management is updated
    ◆ Users can now be managed through the WebUI
    ◆ No restart needed anymore
    ➔ Ansible (run a playbook from a Generic Method)
    ➔ OpenSCAP (execute a policy and get the report in node details)
    ➔ Zabbix & Centreon (auto-registration, applying monitoring templates, monitor RUDDER services)

  15. RUDDER 6.0
    Focus on Ansible plugin

  16. RUDDER 6.0
    CIS plugin
    ➔ Distribution of ready-to-use CIS rules
    ➔ Only a subset of CIS currently (~70% from C2S)
    ➔ Focus on Red Hat and Debian (and soon Ubuntu)

  17. RUDDER 6.0
    Vulnerability Assessment (CVE) plugin
    ➔ Based on vendors' CVEs (from Vulners API)
    ➔ First version that lists nodes vulnerable to CVEs
    ➔ Filter on CVE severity
    ➔ Still in active development for vulnerability assessment logs and historization, and automatic remediation

  18. Next releases

  19. RUDDER 6.1
    ETA: 2020Q2
    Stabilize and enhance security plugins
    ➔ CIS rules
    ➔ CVE Assessment
    ➔ OpenSCAP
    Technique Editor and Technique Library enhancement
    ➔ Technique categories in the Technique Editor
    ➔ Techniques tags (to link a technique to a CIS chapter for example)
    Other plugin enhancements
    ➔ Scale out UI (promote a node to relay, node’s list)
    ➔ Branding can get your logo
    And probably more, but less visible, enhancements.

  20. And later?
    Maybe a 6.2, more probably a 7.0
    ➔ ETA 2020Q4
    General strategy for RUDDER
    ➔ Facilitate interactions between Security & Ops teams
    ◆ Enhance workflows and risk assessments
    ◆ Speed up risk mitigation (vulnerability scanners integration…)
    ◆ Better compliance (observability, historized data accessible through API, SIEM interactions…)
    ◆ Detecting illegitimate changes
    ➔ Strengthen large & strategic IT configuration management
    ◆ Roll out and ramp up
    ◆ Delegation rights
    ◆ RUDDER language for a better expert onboarding and a better configuration flexibility
    ◆ Performance and scalability

  22. Thank you!