WEBINAR, July 11th – CVE: speed up vulnerability remediation to secure your systems (in French)
Centralised graphical management
Web management interface with drag & drop editor
UI customization (logo, color)
Security & compliance
One of the main features of RUDDER is the ability to configure a server to only check the status of certain configuration rules. This configuration can be performed for a complete machine or for a configuration portion, or at the global level on all configuration rules and all machines. In short, RUDDER offers two management modes: Audit and Enforce, respectively to check the state without modifying it, and to modify the system to reach the target state.
Some possible use cases:
- pure audit tool; for example, for a verification of standards (PCI-DSS, ISO 27001, etc.). Unlike a dedicated tool, once the configuration is done, it can be used directly to configure;
- validation of changes before applying them; for example, a new configuration; this case can be seen as an equivalent of a classic dry-run mode, but potentially on the whole infrastructure and with a higher granularity (covering only some configuration points);
- validation after the installation of RUDDER on an existing infrastructure, to validate that it corresponds to the theoretical target configuration, before activating Enforce mode.
While the techniques (rules provided by default during installation) may be limited for audit purposes, the construction of audit rules is particularly simple and accessible using the Technique Editor, a web configuration editor.
Autonomous compliance maintenance
CIS security benchmarks
Continuous vulnerability management
Access rights management
Change validation workflow
One of RUDDER’s main objectives has always been to combine greater accessibility with the power of the code-based infrastructure, in particular through functionalities such as the management interface, the ready-to-use rule library, the technique editor, or more simply the abstraction of implementation differences between the different operating systems supported by the agent.
However, this facility would not contribute to making IT more reliable if we did not want to complete this accessibility with change control functionalities. This is the case in particular with the Audit mode, which allows you to simulate changes without modifying the configurations, in order to anticipate their impact, or the validation workflow, which requires a second validation of the changes (regular pull request users on GitHub already know the benefits of peer review).The validation workflow makes sense in the complex human environments for which it was designed, i.e. the multidisciplinary and multi-level teams that naturally form in large IT departments.
Abstraction of implementation differences
Included template library
Nodes detailed inventory (extensible)
The RUDDER agent contains FusionInventory, an open source inventory tool that allows you to collect and view machine software and hardware characteristics (CPU, RAM, OS version, network, installed software, versions, etc.) directly from the RUDDER interface. The inventory information is very useful for defining groups of machines in order to apply certain configurations only to certain machines according to their characteristics.This inventory is extensible by the implementation of scripts whose output (in JSON format) is added to the inventory. This makes it possible to complete the node properties, which are variables (scalar or hierarchical) associated with each managed machine, that can be used as classification criteria or directly in the configuration.
Change history with rollback function (restoration of changes)
- to create bridges between different network areas;
- to isolate sets of nodes from each other;
- to prohibit direct access to the main RUDDER server;
- to distribute the load among several servers to manage more machines from a single root server.
Real state visualization
Scale-out relay servers (for network zone isolation and scalability)
- Security audit – integration with OpenSCAP OpenSCAP is a security audit tool. Integrated with RUDDER, it allows you to track your security policies and standards on your infrastructure, such as PCI-DSS. Your reports are automatically generated and centralized within RUDDER
- Encryption data – integration with Hashicorp Vault Vault is a tool for storing and managing secrets (passwords, keys, etc.). Integrated with RUDDER, it facilitates the use of encrypted data from a Vault digital safe in RUDDER configurations. This avoids storing all data in RUDDER and gives you more security.
- Supervision – integration with Centreon and Zabbix (beta – available upon request) Supervision and configuration management are two key functions in maintaining an IS in operational condition. Centreon and Zabbix are commonly used free supervision tools. Integration with RUDDER allows machines to be automatically added to this type of solution as soon as they are accepted into RUDDER. In addition, configuration policies in RUDDER can include a new method that automatically associates the supervision model of a configured application with the machine.
- CMDB – integration with iTop and ServiceNow (beta – available upon request) iTop is a frequently used free CMDB. The integration between iTop and RUDDER allows data to be synchronized between CMDB and RUDDER. The latter allows you to synchronize configuration rules with the inventory of machines in iTop. Similar features are being finalized as part of the integration with ServiceNow.
- Deployment – integration with Ansible and Rundeck Ansible and Rundeck are infrastructure automation tools that are particularly complementary with RUDDER because they are specialized in a different dimension of IT automation. They complement RUDDER in the fields of orchestration and application deployment, where RUDDER specializes in the verification, visualization, and continuous reliability of system configurations. This feature allows interconnection with RUDDER in order to benefit from the functionalities of the different solutions together. One of the main advantages is to retrieve inventory information on machines from RUDDER for use in Ansible or Rundeck.
- Notification – integration with Slack RUDDER produces a flow of changes from the different agents connected to a server, centralizing all actions performed or errors encountered. This integration allows you to select events (belonging to a particular rule and/or group of machines), and generate corresponding messages by email or on the Slack instant messenger.
- Patrowl – available soon This integration allows you to directly integrate the main information from security audits performed on your nodes into the RUDDER interface for a unified devsecops view.
Main linux distributions support
- Debian 5 to 10
- Ubuntu 10.04 to 20.04
- Red Hat Entreprise Linux / CentOS 3 to 8
- SLES 10 to 15
- Slackware 14
Developed in partnership with Microsoft, the RUDDER Agent for Windows uses native DSC (Desired State Configuration) technology, which has been included in Windows since Powershell 4. It therefore allows to manage servers under Windows Server 2008R2, 2012, 2012, 2012 R2, 2016, 2019 and desktops under Windows 7, 8, 8, 8.1 and 10. The Windows agent provides the same management power as the Linux agent, so all the features of RUDDER under Linux are also available on Windows (except for the techniques specific to the Linux operating mode of course).
Raspberry Pi and ARM support
The RUDDER agent for macOS support allows you to manage all macOS systems.
- in audit and enforce (remediation) mode if the instances have persistent storage,
- in audit-only mode on read-only instances.