automating security policies (compliance) with rudder
DESCRIPTION
Designing, applying and keeping track of security-oriented rules for your IT infrastructure can be time-consuming, costly and approximate job. Whether you're in charge of defining the policy, implementing it or checking for discrepencies, you'll be aware that all of this takes time, often out-of-hours time, that there is a lot of room for error and usually a considerable gap between ideals and reality - just how big a gap may or may not be shared with everyone involved. This talk will show how Rudder, an open source stack for automating configuration and auditing, can be used to ease and improve on several of these issues. Topics covered will include deploying identical settings everywhere, saving time for multiple changes, near real-time auditing of actual settings, gaining global overview to help analyze vulnerability impacts, and improved reactivity. I will include real-life examples and feedback from several companies where this has been put into action, including benefits (of course) and shortcomings (because there are always some). The aim of this session is to discuss methods and the approach of automation applied to this field, while demonstrating and giving feedback on some of the possibilities offered by Rudder. I hope to avoid being side-tracked into talking about detailed security recommendations, sticking to simple best practices for the sake of examples, thus focusing on the approach.TRANSCRIPT
Normation – CC-BY-SAnormation.com
Automating security Automating security policiespolicies
From deployment to auditing with RudderFrom deployment to auditing with Rudder
Jonathan CLARKE – [email protected]
Normation – CC-BY-SAnormation.com 2
Who am I ?
● Jonathan Clarke
● Job: Co-founder and CTO at Normation
● Line of work:
– Initially system administration, infrastructure management...
– Now a whole load of other stuff !
● Free software:
– Co-creator of Rudder
– Developer in several LDAP projects: LSC, LTB, OpenLDAP …
– Contributor to CFEngine
Contact infoEmail: [email protected]: @jooooooon42 (that's 7 'o's!)
Normation – CC-BY-SAnormation.com 5
Context
IT infrastructureAutomation
Motivations:
Build newhosts quickly
Scale outquickly
Rebuild hostsquickly
Avoidhuman error
Normation – CC-BY-SAnormation.com 8
What about compliance?
IT infrastructureCompliance?
Motivations:
Get a completeoverview
Provecompliance
Get anobjectiveoverview
Know aboutconfig drift
Normation – CC-BY-SAnormation.com 10
What about compliance?
IT infrastructureCompliance to what?
Industryregulations Best practices
CorporateregulationsLaws
Rules come from everywhere:
Normation – CC-BY-SAnormation.com 11
What about compliance?
IT infrastructureCompliance to what?
Passwordpolicy
Tripwire(disk contents)
Enforce someparametersin a service
MOTD“warning”
Practical examples
Normation – CC-BY-SAnormation.com 12
How is this different from “just” automation?
Automationvs
Compliance
How different is this technically?
Normation – CC-BY-SAnormation.com 13
How is this different from “just” automation?
Frequency
The more often you check, the more reliable your
compliance reporting is.
How can you reach this goal?
Lightweight, efficient agent
Run “slow” checks in the background(file copying
over network...)
Focus on the security checks
Reporting can be done later
Normation – CC-BY-SAnormation.com 14
How is this different from “just” automation?
All or nothing
Compliance matters on each and every system.
Not “most”. All of them.
How can you reach this goal?
Support all the {old,weird,buggy}
{OS,software,versions}
Make sure you know what
systems exist: rely on an
inventory DB
Two systems may be alike on paper,
they very rarely are in reality.
Normation – CC-BY-SAnormation.com 15
How is this different from “just” automation?
You cannot get it wrong.You cannot get it wrong.You cannot get it wrong.
If you care about compliance,“prod” is usually pretty real.
How can you reach this goal?
Fake ID + Prebook flight
to Cayman islands?
Normation – CC-BY-SAnormation.com 16
How is this different from “just” automation?
You cannot get it wrong.You cannot get it wrong.You cannot get it wrong.
If you care about compliance,“prod” is usually pretty real.
How can you reach this goal?
Don't touch stuff you don't need to.
Be specific.
(One line in a file?)
Start with no changes.Just check. Dry-run?
Cover full cycles(days, weeks, months...)
Classic quality control
(reviews...)
Normation – CC-BY-SAnormation.com 18
Introducing Rudder
Specifically designed forautomation & compliance
Multi-platform(packaged for each OS)
Open Source
Simplified user experiencevia a Web UI
Graphical reportingBased on CFEngine 3
http://rudder.cm/
Vagrant config to test:https://github.com/normation/rudder-vagrant/
Normation – CC-BY-SAnormation.com 20
Key points for security compliance
Continuous checkingEvery 5 minutes
Multi-platformLinux, Unix, Windows, Android...
Separate configuration from implementation
ReportingDone after the checks, separate process
High freqency, trust in compliance reporting
Reuse implementations, less bugs, shared code...Clear separation of roles
Cover as many systems as possible
Avoid bottleneckDifferent report types
Normation – CC-BY-SAnormation.com 21
Rudder - workflow
Management
Definesecurity policy
Changes(fixes, upgrades...)
c c
Community Expert
Sysadmins
Configureparameters
Configuration agent
Initial applicationContinuous verification
REP
OR
TIN
G
Technical abstraction(method vs parameters)
Normation – CC-BY-SAnormation.com 23
Final thoughts
It works but the tools can be improved:- detect changes (inotify?) - even 1 minute not always enough- dry-run iterations automatically?
Next steps?- Authorizations: who can change which parameters?
(law vs regulations vs policy...)- Correlate with monitoring data: determine root causes, cross effects...
Summary:- Security compliance is a very demanding type of automation- Possible today with open source tools- Main issue is about how you use them!
Normation – CC-BY-SAnormation.com
Questions?
Follow us on Twitter: @RudderProject
Jonathan CLARKE – [email protected]