automating security policies (compliance) with rudder

Normation – CC-BY-SAnormation.com

Automating security Automating security policiespolicies

From deployment to auditing with RudderFrom deployment to auditing with Rudder

Jonathan CLARKE – jcl@normation.com

Normation – CC-BY-SAnormation.com 2

Who am I ?

● Jonathan Clarke

● Job: Co-founder and CTO at Normation

● Line of work:

– Initially system administration, infrastructure management...

– Now a whole load of other stuff !

● Free software:

– Co-creator of Rudder

– Developer in several LDAP projects: LSC, LTB, OpenLDAP …

– Contributor to CFEngine

Contact infoEmail: jcl@normation.comTwitter: @jooooooon42 (that's 7 'o's!)

Normation – CC-BY-SAnormation.com 3

Context

IT infrastructure

Normation – CC-BY-SAnormation.com 4

Context

IT infrastructureAutomation

Normation – CC-BY-SAnormation.com 5

Context

IT infrastructureAutomation

Motivations:

Build newhosts quickly

Scale outquickly

Rebuild hostsquickly

Avoidhuman error

Normation – CC-BY-SAnormation.com 6

Context

IT infrastructureAutomation

Tools:

Normation – CC-BY-SAnormation.com 7

What about compliance?

IT infrastructureCompliance?

Normation – CC-BY-SAnormation.com 8

What about compliance?

IT infrastructureCompliance?

Motivations:

Get a completeoverview

Provecompliance

Get anobjectiveoverview

Know aboutconfig drift

Normation – CC-BY-SAnormation.com 9

What about compliance?

IT infrastructureCompliance to what?

Normation – CC-BY-SAnormation.com 10

What about compliance?

IT infrastructureCompliance to what?

Industryregulations Best practices

CorporateregulationsLaws

Rules come from everywhere:

Normation – CC-BY-SAnormation.com 11

What about compliance?

IT infrastructureCompliance to what?

Passwordpolicy

Tripwire(disk contents)

Enforce someparametersin a service

MOTD“warning”

Practical examples

Normation – CC-BY-SAnormation.com 12

How is this different from “just” automation?

Automationvs

Compliance

How different is this technically?

Normation – CC-BY-SAnormation.com 13

How is this different from “just” automation?

Frequency

The more often you check, the more reliable your

compliance reporting is.

How can you reach this goal?

Lightweight, efficient agent

Run “slow” checks in the background(file copying

over network...)

Focus on the security checks

Reporting can be done later

Normation – CC-BY-SAnormation.com 14

How is this different from “just” automation?

All or nothing

Compliance matters on each and every system.

Not “most”. All of them.

How can you reach this goal?

Support all the {old,weird,buggy}

{OS,software,versions}

Make sure you know what

systems exist: rely on an

inventory DB

Two systems may be alike on paper,

they very rarely are in reality.

Normation – CC-BY-SAnormation.com 15

How is this different from “just” automation?

You cannot get it wrong.You cannot get it wrong.You cannot get it wrong.

If you care about compliance,“prod” is usually pretty real.

How can you reach this goal?

Fake ID + Prebook flight

to Cayman islands?

Normation – CC-BY-SAnormation.com 16

How is this different from “just” automation?

You cannot get it wrong.You cannot get it wrong.You cannot get it wrong.

If you care about compliance,“prod” is usually pretty real.

How can you reach this goal?

Don't touch stuff you don't need to.

Be specific.

(One line in a file?)

Start with no changes.Just check. Dry-run?

Cover full cycles(days, weeks, months...)

Classic quality control

(reviews...)

Normation – CC-BY-SAnormation.com 17

So, what have we actually done?

Applied these principles in

Normation – CC-BY-SAnormation.com 18

Introducing Rudder

Specifically designed forautomation & compliance

Multi-platform(packaged for each OS)

Open Source

Simplified user experiencevia a Web UI

Graphical reportingBased on CFEngine 3

http://rudder.cm/

Vagrant config to test:https://github.com/normation/rudder-vagrant/

Normation – CC-BY-SAnormation.com 19

Introducing Rudder

Normation – CC-BY-SAnormation.com 20

Key points for security compliance

Continuous checkingEvery 5 minutes

Multi-platformLinux, Unix, Windows, Android...

Separate configuration from implementation

ReportingDone after the checks, separate process

High freqency, trust in compliance reporting

Reuse implementations, less bugs, shared code...Clear separation of roles

Cover as many systems as possible

Avoid bottleneckDifferent report types

Normation – CC-BY-SAnormation.com 21

Rudder - workflow

Management

Definesecurity policy

Changes(fixes, upgrades...)

c c

Community Expert

Sysadmins

Configureparameters

Configuration agent

Initial applicationContinuous verification

REP

OR

TIN

G

Technical abstraction(method vs parameters)

Normation – CC-BY-SAnormation.com 23

Final thoughts

It works but the tools can be improved:- detect changes (inotify?) - even 1 minute not always enough- dry-run iterations automatically?

Next steps?- Authorizations: who can change which parameters?

(law vs regulations vs policy...)- Correlate with monitoring data: determine root causes, cross effects...

Summary:- Security compliance is a very demanding type of automation- Possible today with open source tools- Main issue is about how you use them!

Normation – CC-BY-SAnormation.com

Questions?

Follow us on Twitter: @RudderProject

Jonathan CLARKE – jcl@normation.com