Security policies are increasingly complex and demanding on the operations teams who must implement them. How can you be sure that your security policy is really correct everywhere, apart from an expensive yearly audit? How can you know that what was OK a few weeks ago is still OK?
Rudder is an open source IT compliance automation tool that comes from the DevOps world, where automated configuration management is already the norm. With a focus on continuously checking configurations and centralizing real-time status data, Rudder can show a high-level summary (“ISO 27001 rules are at 100%!”) and break noncompliance issues down to a deep technical level (“Host prod-web-03: SSH server configuration allows root logins”).
Jonathan Clarke offers an overview of Rudder and demonstrates how to input the technical rules of a security policy into Rudder, watch it check them every 5 minutes on each and every one of your servers, and report back a global summary to you, allowing you to drill down to any issues that need remediating. Jonathan also explains how a successfully deployed policy can be enforced by the same tool, moving one step further from automatic auditing to automatic remediation. Along the way, Jonathan shares lessons learned from companies that have gone from asking whether their security policy was really applied to receiving near real-time alerts about noncompliance issues as they arise.
In particular, Jonathan explores the specific features in Rudder that have made it successful in compliance projects:
- A simple framework allows you to extend the built-in rules to implement specific low-level configuration patterns, however complex they may be, using simple building blocks (“ensure package installed in version X,” “ensure file content,” “ensure line in file,” etc.). A graphical builder lowers the technical level required to use this.
- Each policy can be independently set to Audit (check only) or Enforce mode, at the policy or host level. In Enforce mode, each remediation action is recorded, making these otherwise invisible fixes visible.
- Rudder works on almost every kind of device, so you’ll be managing physical and virtual servers in the data center, cloud instances, and embedded IoT devices in the same way.
- Rudder is designed for critical environments where a security breach can mean more than a blip in the sales stats. Built-in features include change requests, audit logs, and strong authentication.
- Rudder relies on an agent that needs to be installed on every host to be audited. The agent is very lightweight (10 to 20 MB of RAM at peak) and fast (it is written in C and takes less than 10 seconds to verify 100 rules). Installation is self-contained, via a single package, and the agent can auto-update to limit the management burden.
12. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Rules come from different levels:
- Laws
- Industry regulations
- Corporate regulations
- Best practices
- Organisational process
- Technical directives
We can’t automate humans! Organisational process stays with people; the technical directives are what a tool can check.
16–20. Security policies: what and how?
Examples of security technical directives, and the goal each serves:
1. Auto logout after a period of inactivity: harden access
2. Password policy (strength, duration, ...): harden access
3. No compilers on production servers: avoid potential exploits
4. Warning message on server remote access: obey the law
5. Patch vulnerable software packages: avoid known exploits
21–22. Security policies: traditional lifecycle
Typical lifecycle of a security policy:
Policy → apply on new servers → OK
→ time passes, actual state becomes “?” (DRIFT)
→ regular audits (3-12 months) → REMEDIATION
24. Introducing Rudder
Define desired state (the target): imperative vs declarative
- Install package x  vs  Package x should be installed
- Restart service z  vs  Service z should be running
- Copy file template y.tpl  vs  File y should contain line abc=def
26. Introducing Rudder
Rudder’s continuous lifecycle:
Define desired state → Distribute to agents → Check state locally (OS-specific implementations) → Report OK / NOK → REPEAT
29–30. Building blocks can be used to check anything
Examples of security technical directives, with the goal of each and the building block that implements it:
1. Auto logout after a period of inactivity: harden access; File/Registry edit
2. Password policy (strength, duration, ...): harden access; File/Registry edit
3. No compilers on production servers: avoid potential (local) exploits; Package remove
4. Warning message on server remote access: obey the law; File/Registry edit
5. Patch vulnerable software packages: avoid known exploits; Package install/update
42. From continuous auditing to continuous remediation
Rudder’s lifecycle with remediation:
Define desired state → Distribute to agents → Check state locally (OS-specific implementations) → Report OK / NOK → Remediate (on NOK) → REPEAT
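As an added example (not code from the talk or from Rudder itself), the POSIX shell script below puts the pieces of the last few slides together: two of the building blocks named in the abstract (“ensure line in file”, “ensure file content”) written declaratively, each with an Audit and an Enforce mode; four of the directives from the table above (no SSH root login, password maximum age, auto logout via TMOUT, login banner) run against a constructed drifted host; one report line per directive for drill-down; and a summary line of the kind a dashboard shows. Running it in audit, then enforce, then audit again reproduces the lifecycle with remediation: drift is reported, repaired and recorded, and the re-audit comes back clean. The file names under the scratch directory, the directive names, the pattern/line pairs and the tab-separated report format are assumptions of this example, not Rudder’s own.

```shell
#!/bin/sh
# Added example, not Rudder's own code. Declarative building blocks with an
# Audit and an Enforce mode, plus per-directive report lines and a summary.
# Assumed: a scratch directory holds constructed copies of sshd_config,
# login.defs, profile and issue.net; directive names and the tab-separated
# report format are this example's own.
set -u

# report STATUS DIRECTIVE DETAIL: one tab-separated line per check.
# STATUS is compliant | noncompliant | repaired | error.
report() { printf '%s\t%s\t%s\n' "$1" "$2" "$3"; }

# ensure_line FILE PATTERN LINE MODE DIRECTIVE
# Desired state: the only line of FILE matching the ERE PATTERN is exactly LINE
# (appended if nothing matches). Make PATTERN also match the commented-out
# default ("#PermitRootLogin yes") so it gets replaced, not left beside the
# new setting; a second, conflicting match is reported as drift too.
# Exit status: 0 compliant, 1 drift (reported, or repaired in enforce), 2 error.
ensure_line() {
  file=$1 pattern=$2 line=$3 mode=$4 name=$5
  [ -f "$file" ] || { report error "$name" "$file is missing"; return 2; }
  if [ "$(grep -E "$pattern" "$file")" = "$line" ]; then
    report compliant "$name" "$file has '$line'"; return 0
  fi
  if [ "$mode" = audit ]; then
    report noncompliant "$name" "$file lacks '$line'"; return 1
  fi
  tmp=$(mktemp)
  if grep -qE "$pattern" "$file"; then
    # Replace the first match with LINE and drop any further matches.
    awk -v pat="$pattern" -v want="$line" \
      '$0 ~ pat { if (!done) { print want; done = 1 }; next } { print }' \
      "$file" >"$tmp"
  else
    cat "$file" >"$tmp"; printf '%s\n' "$line" >>"$tmp"
  fi
  cat "$tmp" >"$file"; rm -f "$tmp"
  # Enforce records the fix instead of silently applying it.
  report repaired "$name" "$file now has '$line'"; return 1
}

# ensure_file_content FILE CONTENT MODE DIRECTIVE: FILE is exactly CONTENT.
ensure_file_content() {
  file=$1 content=$2 mode=$3 name=$4
  if [ -f "$file" ] && [ "$(cat "$file")" = "$content" ]; then
    report compliant "$name" "$file content matches"; return 0
  fi
  if [ "$mode" = audit ]; then
    report noncompliant "$name" "$file content differs or file missing"; return 1
  fi
  printf '%s\n' "$content" >"$file"
  report repaired "$name" "$file rewritten"; return 1
}

# summarize: reads report lines on stdin, prints the dashboard line. Repaired
# counts as compliant (the state is now right) but is shown separately so the
# fixes stay visible.
summarize() {
  awk -F'\t' '{ n++ } $1 == "compliant" { ok++ } $1 == "repaired" { rep++ }
    END { printf "%d/%d compliant (%d%%), %d repaired\n",
          ok + rep, n, (n ? 100 * (ok + rep) / n : 0), rep }'
}

# run_policy DIR MODE: four directives from the table above, each checked
# independently (one failing check must not stop the others); the report is
# kept in DIR/report.MODE for drill-down and the summary is printed.
run_policy() {
  dir=$1 mode=$2
  {
    ensure_line "$dir/sshd_config" '^#?PermitRootLogin' 'PermitRootLogin no' "$mode" ssh-no-root-login || :
    ensure_line "$dir/login.defs" '^#?PASS_MAX_DAYS' 'PASS_MAX_DAYS 90' "$mode" password-max-age || :
    ensure_line "$dir/profile" '^#?TMOUT=' 'TMOUT=900' "$mode" auto-logout || :
    ensure_file_content "$dir/issue.net" 'Authorized access only. Activity is monitored.' "$mode" login-banner || :
  } | tee "$dir/report.$mode" | summarize
}

# make_fixture DIR: a constructed drifted host (commented-out default, weak
# value, missing setting, empty banner).
make_fixture() {
  printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' >"$1/sshd_config"
  printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_LEN 8\n' >"$1/login.defs"
  printf 'umask 022\n' >"$1/profile"
  : >"$1/issue.net"
}

work=$(mktemp -d)
make_fixture "$work"
echo "audit:";    run_policy "$work" audit      # 0/4 compliant (0%), 0 repaired
echo "enforce:";  run_policy "$work" enforce    # 4/4 compliant (100%), 4 repaired
echo "re-audit:"; run_policy "$work" audit      # 4/4 compliant (100%), 0 repaired
cat "$work/report.enforce"
rm -rf "$work"
```

The check compares the whole set of matching lines with the desired line, so a commented-out default sitting next to the correct setting, or two conflicting settings, is reported as drift rather than passed; Enforce collapses them to the single desired line. Keeping the “repaired” status distinct from “compliant” is what lets the enforce run show which hosts were silently fixed.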
44. A bit more about Rudder
Platform support:
- Device types: servers, cloud, desktop, embedded/IoT, mobile
- Any scale: 2 → > 10 000 nodes. Typical deployments are 100s-1000s of servers; the biggest known today is 7000.
- Multi-platform: metal, virtual, cloud, …
- Multi-OS: C agent on UNIX/Linux, DSC on Windows
45. A bit more about Rudder
Separation of roles:
- Web: use existing configuration patterns, observe compliance
- CLI / Code: create new configuration templates, everyday management tasks
- API: automate new nodes and policy, extract compliance
48. Thanks for listening! Any questions?
This presentation is shared under a FLOSS licence, CC-BY-SA, and available on http://www.slideshare.net/normation/.
Jonathan CLARKE, jcl@normation.com, @jooooooon42
Co-founder & Chief Product Officer @ Normation