Security policies are increasingly complex and demanding on the operations teams must implement them. How can you be sure that your security policy is really correct everywhere, apart from an expensive yearly audit? How can you know that what was OK a few weeks ago is still OK? Rudder is open source IT compliance automation technology that comes from the DevOps world, where automatic configuration management is already the norm. With a focus on continuously checking configurations and centralizing real-time status data, Rudder can show a high-level summary (“ISO 27001 rules are at 100%!”) and break down noncompliance issues to a deep technical level (“Host prod-web-03: SSH server configuration allows root logins”). Jonathan Clarke offers an overview of Rudder and demonstrates how to input the technical rules of a security policy into Rudder, watch it check them every 5 minutes on each and every one of your servers, and report back a global summary to you, allowing you to drill down to any issues that need remediating. Jonathan also explains how a successfully deployed policy can be enforced by the same tool, moving one step further from automatic auditing to automatic remediation. Along the way, Jonathan shares lessons learned from companies that have gone from asking whether their security policy was really applied to receiving near real-time alerts about noncompliance issues as they arise. In particular, Jonathan explores the specific features in Rudder that have made it successful in compliance projects: - A simple framework allows you to extend the built-in rules to implement specific low-level configuration patterns, however complex they may be, using simple building blocks (“ensure package installed in version X,” “ensure file content,” “ensure line in file,” etc.). A graphical builder lowers the technical level required to use this. - Each policy can be independently set to be automatically checked or enforced on a policy or host level. In Enforce mode, each remediation action is recorded, showing the value of these invisible fixes. - Rudder works on almost every kind of device, so you’ll be managing physical and virtual servers in the data center, cloud instances, and embedded IoT devices in the same way. - Rudder is designed for critical environments where a security breach can mean more than a blip in the sales stats. Built-in features include change requests, audit logs, and strong authentication. - Rudder relies on an agent that needs to be installed on all hosts to audit. The agent is very lightweight (10 to 20 MB of RAM at peak) and blazingly fast (it’s written in C and takes less than 10 seconds to verify 100 rules). Installation is self-contained, via a single package, and can auto-update to limit agent management burden.

1. Jonathan CLARKE
Continuous auditing
for effective compliance
jcl@normation.com
@jooooooon42
Co-founder &
Chief Product Officer @

2. Normation – CC-BY-SA
normation.com 2
It’s a continuous world
Continuous *

3. Normation – CC-BY-SA
normation.com 3
It’s a continuous world
Integration Delivery
Improvement
(agile, devops)
Continuous *

4. Normation – CC-BY-SA
normation.com 4
It’s a continuous world
adjective
1. without interruption
2. progressive
Synonyms: sustained, round-the-clock, relentless
Continuous

5. Normation – CC-BY-SA
normation.com 5
Continuous everything
Continuous *

6. Normation – CC-BY-SA
normation.com
Continuous everything
Continuous
Growth
Continuous *

7. Normation – CC-BY-SA
normation.com
Continuous everything
Continuous
Growth
Continuously
Connected
Continuous *

8. Normation – CC-BY-SA
normation.com
Continuous everything
Continuous
Growth
Continuous
Threats
Continuously
Connected
Continuous *

9. Normation – CC-BY-SA
normation.com
Continuous everything
We need a continuous response
Continuous
Growth
Continuous
Threats
Continuously
Connected
Continuous *

10. Normation – CC-BY-SA
normation.com
Continuous auditing
for effective compliance

11. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Industry
regulations
Best
practices
Corporate
regulations
Laws
Rules come from different levels

12. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Industry
regulations
Best
practices
Corporate
regulations
Laws
Organisational
process
Technical
directives
Rules come from different levels

13. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Industry
regulations
Best
practices
Corporate
regulations
Laws
Rules come from different levels
Organisational
process
Technical
directives
We can’t automate
humans!

14. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Industry
regulations
Best
practices
Corporate
regulations
Laws
Organisational
process
Technical
directives
Rules come from different levels

15. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Examples of security technical directives
1. Auto logout after a
period of inactivity

16. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Examples of security technical directives
1. Auto logout after a
period of inactivity
2. Password policy
(strength, duration, ...)

17. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Examples of security technical directives
1. Auto logout after a
period of inactivity
2. Password policy
(strength, duration, ...)
3. No compilers on
production servers

18. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Examples of security technical directives
1. Auto logout after a
period of inactivity
2. Password policy
(strength, duration, ...)
3. No compilers on
production servers
4. Warning message on
server remote access

19. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Examples of security technical directives
1. Auto logout after a
period of inactivity
2. Password policy
(strength, duration, ...)
3. No compilers on
production servers
4. Warning message on
server remote access
5. Patch vulnerable
software package

20. Normation – CC-BY-SA
normation.com
Security policies: what and how?
Examples of security technical directives
1. Auto logout after a
period of inactivity
2. Password policy
(strength, duration, ...)
3. No compilers on
production servers
4. Warning message on
server remote access
5. Patch vulnerable
software package
GOAL
Harden access
Harden access
Avoid potential
exploits
Obey the law
Avoid known
exploits

21. Normation – CC-BY-SA
normation.com
Security policies: traditional lifecycle
Typical lifecycle of security policy
Policy Apply on
new servers
OK
Regular audits
(3-12 months)
REMEDIATION

22. Normation – CC-BY-SA
normation.com
Security policies: traditional lifecycle
Typical lifecycle of security policy
Policy Apply on
new servers
OK
Regular audits
(3-12 months)
?
REMEDIATION
DRIFT

23. Normation – CC-BY-SA
normation.com
Introducing Rudder
Rudder: noun
Piece used for steering a ship.
Used to correct heading when trajectory drifts off course.

24. Normation – CC-BY-SA
normation.com
Introducing Rudder
Define desired state
Target
Imperative Declarative Install package x
vs
Package x should be installed
Restart service z
vs
Service z should be running
Copy file template y.tpl
vs
File y should contain line abc=def

25. Normation – CC-BY-SA
normation.com
Introducing Rudder
Rudder’s lifecycle
Define
desired
state
Distribute to
agents
OK
NOK
Check state
locally
OS-Specific
Implementations
Report

26. Normation – CC-BY-SA
normation.com
Introducing Rudder
Rudder’s continuous lifecycle
Define
desired
state
Distribute to
agents
OK
NOK
Check state
locally
OS-Specific
Implementations
Report
REPEAT

27. Normation – CC-BY-SA
normation.com
Introducing Rudder
High-level overview

28. Normation – CC-BY-SA
normation.com
Introducing Rudder
Drill-down to each individual state
Compliant

29. Normation – CC-BY-SA
normation.com
Building blocks can be used to check anything
Examples of security technical directives
1. Auto logout after a
period of inactivity
2. Password policy
(strength, duration, ...)
3. No compilers on
production servers
4. Warning message on
server remote access
5. Patch vulnerable
software package
GOAL
Harden access
Harden access
Obey the law
Avoid potential
exploits
Avoid known
exploits

30. Normation – CC-BY-SA
normation.com
Building blocks can be used to check anything
Examples of security technical directives
1. Auto logout after a
period of inactivity
2. Password policy
(strength, duration, ...)
3. No compilers on
production servers
4. Warning message on
server remote access
5. Patch vulnerable
software packages
GOAL
Harden access
Harden access
Obey the law
IMPLEMENTATION
File/Registry
edit
File/Registry
edit
Package
remove
File/Registry
edit
Package
install/update
Avoid potential
exploits
Avoid known
exploits

31. Normation – CC-BY-SA
normation.com
Building blocks can be used to check anything
Photo CC BY-NC-SA 2.0 from https://www.flickr.com/photos/dillpixel/

32. Normation – CC-BY-SA
normation.com
Building blocks can be used to check anything

33. Normation – CC-BY-SA
normation.com
Building blocks can be used to check anything
Examples of security technical directives
1. Auto logout after a
period of inactivity
GOAL
Harden access
IMPLEMENTATION
File/Registry
edit

34. Normation – CC-BY-SA
normation.com
Avoid local
exploits
Package
remove
Building blocks can be used to check anything
Examples of security technical directives
3. No compilers on
production servers
GOAL IMPLEMENTATION

35. Normation – CC-BY-SA
normation.com
Building blocks in Rudder (aka generic methods)

36. Normation – CC-BY-SA
normation.com
Building blocks can be used to check anything
Package
absent
Package
absent
Security directive #2
File
enforce
Service
running
Security directive #3
Package
present
File
edit
Security directive #1

37. Normation – CC-BY-SA
normation.com
Building blocks can be used to check anything
Package
absent
Package
absent
Security directive #2
File
enforce
Service
running
Security directive #3
Package
present
File
edit
Security directive #1
RULERULE
Corporate security policy Security best practices

38. Normation – CC-BY-SA
normation.com
Building blocks can be used to check anything
Package
absent
Package
absent
Security directive #2
File
enforce
Service
running
Security directive #3
Package
present
File
edit
Security directive #1
Corporate security policy Security best practices
RULERULE

39. Normation – CC-BY-SA
normation.com
From continuous auditing to continuous remediation
Continuous auditing
Continuous remediation

40. Normation – CC-BY-SA
normation.com
From continuous auditing to continuous remediation
Rudder’s continuous lifecycle
Define
desired
state
Distribute to
agents
OK
NOK
Check state
locally
OS-Specific
Implementations
Report
REPEAT

41. Normation – CC-BY-SA
normation.com
From continuous auditing to continuous remediation
Node by node Policy by policy

42. Normation – CC-BY-SA
normation.com
From continuous auditing to continuous remediation
Rudder’s lifecycle with remediation
Define
desired
state
Distribute to
agents
OK
NOK
Check state
locally
OS-Specific
Implementations
Report
Remediate
REPEAT

43. Normation – CC-BY-SA
normation.com
Rudder
Open source
Automation & Compliance
www.rudder-project.org
@RudderProject

44. Normation – CC-BY-SA
normation.com
A bit more about Rudder
CloudServers
Desktop Embedded/IoT
Mobile
Any scale
Typical deployments
100s-1000s of servers.
Biggest known today is 7000.
2
→
> 10 000
Multi-platform
Metal, virtual, cloud, …
Multi-OS
C agent on UNIX/Linux,
DSC on Windows
Platform support

45. Normation – CC-BY-SA
normation.com
A bit more about Rudder
API
Automate new nodes, policy,
extract compliance
CLI / Code
Create new configuration templates,
everyday management tasks
Web
Use existing configuration
patterns, observe compliance
Separation of roles

46. Normation – CC-BY-SA
normation.com
Summary
Continuous IT
Continuous auditing
Continuous remediation

47. Normation – CC-BY-SA
normation.com
Summary
Fire & Forget
Worry about next thing
Continuous improvement

48. Thanks for listening!
Any questions?
This presentation is shared under a FLOSS licence, CC-BY-SA,
and available on http://www.slideshare.net/normation/.
Jonathan CLARKE
jcl@normation.com
@jooooooon42
Co-founder &
Chief Product Officer @