WEBINAR, July 11th – CVE: speed up vulnerability remediation to secure your systems (in French)
Features
Centralised graphical management
Web management interface with drag & drop editor
As a Continuous Configuration solution, RUDDER embodies the fusion between infrastructure-as-code (infrastructure automation) and continuous audit. The operation of RUDDER is based on the definition of a reference target state for the systems. Anything that does not comply with this target state that you want to achieve or maintain will report alerts in real time, create drift reports, or trigger automatic remediation. An intelligent and autonomous tool, RUDDER is particularly well suited to meet the constraints of production infrastructure where the need for reliability is a permanent necessity. Technically, the RUDDER agent installed on each machine performs a complete check of its condition every 5 minutes against the target condition. This operation is possible thanks to an agent developed in C, lightweight (10 to 20 MB of RAM) and fast (it can apply a hundred rules on a machine in less than 10 seconds), as well as to the distributed architecture that unites the agents: the agents recover their configuration from the central server (or relay servers), to distribute the load, which allows a single RUDDER server to manage more than 10 000 agents. RUDER is thus able to operate on machines with limited resources without disrupting their operation.
UI customization (logo, color)
When RUDDER is deployed on a large infrastructure, it is common to have several RUDDER servers, each managing a different environment (production/QA/dev, different sites, etc.). To facilitate the daily life of administrators, but also and above all to avoid confusion between the different servers (which is all the more likely if they contain similar configurations), it is important to be able to distinguish them visually at a glance on the interface, regardless of the menu opened. The branding functionality, by adding coloured banners and a brief description to all pages, responds to this simple but not insignificant issue.
Security & compliance
Audit-mode
One of the main features of RUDDER is the ability to configure a server to only check the status of certain configuration rules. This configuration can be performed for a complete machine or for a configuration portion, or at the global level on all configuration rules and all machines. In short, RUDDER offers two management modes: Audit and Enforce, respectively to check the state without modifying it, and to modify the system to reach the target state.
Some possible use cases:
- pure audit tool; for example, for a verification of standards (PCI-DSS, ISO 27001, etc.). Unlike a dedicated tool, once the configuration is done, it can be used directly to configure;
- validation of changes before applying them; for example, a new configuration; this case can be seen as an equivalent of a classic dry-run mode, but potentially on the whole infrastructure and with a higher granularity (covering only some configuration points);
- validation after the installation of RUDDER on an existing infrastructure, to validate that it corresponds to the theoretical target configuration, before activating Enforce mode.
While the techniques (rules provided by default during installation) may be limited for audit purposes, the construction of audit rules is particularly simple and accessible using the Technique Editor, a web configuration editor.
Autonomous compliance maintenance
As a Continuous Configuration solution, RUDDER embodies the fusion between infrastructure-as-code (infrastructure automation) and continuous audit. The operation of RUDDER is based on the definition of a reference target state for the systems. Anything that does not comply with this target state that you want to achieve or maintain will report alerts in real time, create drift reports, or trigger automatic remediation. An intelligent and autonomous tool, RUDDER is particularly well suited to meet the constraints of production infrastructure where the need for reliability is a permanent necessity. Technically, the RUDDER agent installed on each machine performs a complete check of its condition every 5 minutes against the target condition. This operation is possible thanks to an agent developed in C, lightweight (10 to 20 MB of RAM) and fast (it can apply a hundred rules on a machine in less than 10 seconds), as well as to the distributed architecture that unites the agents: the agents recover their configuration from the central server (or relay servers), to distribute the load, which allows a single RUDDER server to manage more than 10 000 agents. RUDER is thus able to operate on machines with limited resources without disrupting their operation.
CIS security benchmarks
The CIS Benchmarks of the Center for Internet Security offer many best practices in cybersecurity.
You can import and apply these best practices into RUDDER, thus easing their tracking while matching your own specific needs. Continuously audited, you will have global and real-time visibility of the compliance and security (hardening) of your systems.
Continuous vulnerability management
This feature allows you to detect and track vulnerabilities affecting your systems in real time. Based on security vulnerability analysis tools, this plugin will help your teams to prioritize threats and fix them with RUDDER.
Advanced reporting
The basic compliance check in RUDDER allows the current application status of the configurations to be displayed at a time T.
The advanced reporting tool allows compliance data to be logged in order to consult their evolution over time via customized dashboards. Fully customizable, from the period over which to define the analysis, to the machine groups or configuration rules involved, these custom dashboards can be exported as PDF reports to prove compliance to an external auditor, a customer, or their hierarchy, without having to conduct a manual preparatory inspection.
Access rights management
Using external data as node properties, more commonly referred to as “DataSources”, allows you to query external REST APIs automatically to retrieve business data for each node.
Change validation workflow
One of RUDDER’s main objectives has always been to combine greater accessibility with the power of the code-based infrastructure, in particular through functionalities such as the management interface, the ready-to-use rule library, the technique editor, or more simply the abstraction of implementation differences between the different operating systems supported by the agent.
However, this facility would not contribute to making IT more reliable if we did not want to complete this accessibility with change control functionalities. This is the case in particular with the Audit mode, which allows you to simulate changes without modifying the configurations, in order to anticipate their impact, or the validation workflow, which requires a second validation of the changes (regular pull request users on GitHub already know the benefits of peer review).
The validation workflow makes sense in the complex human environments for which it was designed, i.e. the multidisciplinary and multi-level teams that naturally form in large IT departments.External authentication
IT teams of well-established companies often use a directory-based user management system (AD, LDAP, etc.) to manage users. This feature dedicated to larger companies allows users to base their authentication on an external source such as LDAP or RADIUS, directly from the RUDDER web interface.
System automation
Abstraction of implementation differences
RUDDER runs on Linux, Windows, AIX, and other systems. With RUDDER, there is no need to create rules specific to each system. Indeed, the implementation differences between the different systems are managed by the agent who is responsible for translating the configuration rules according to the operation of each OS.
Included template library
RUDDER contains a library of predefined configurations that meet the basic management needs of the system (DNS configuration, user management, NTP, SSH key distribution, etc.), allowing to cover many common use cases. Thanks to this library, configurations can be easily applied from the first hours of use, allowing an almost immediate return on investment of the time invested in the tool. In addition, the learning curve of the solution is further shortened. The advantage of this limited library compared to a community forge is also the uniqueness of correspondence between a need and a module, thus avoiding the possible long hours of searching and testing templates often too specific to distant use cases.
Hierarchical variables
Configuration values depend on the context of your information system and can be applied at different levels: site, cluster, server, machine, etc. This contributes to the complexity of your infrastructure.
In RUDDER, the management of this information is essential. Therefore hierarchical variables allow you to easily transcribe the complexity of your information system in RUDDER. You thus keep a permanent visibility and control of your configuration data.
Nodes detailed inventory (extensible)
The RUDDER agent contains FusionInventory, an open source inventory tool that allows you to collect and view machine software and hardware characteristics (CPU, RAM, OS version, network, installed software, versions, etc.) directly from the RUDDER interface. The inventory information is very useful for defining groups of machines in order to apply certain configurations only to certain machines according to their characteristics.
This inventory is extensible by the implementation of scripts whose output (in JSON format) is added to the inventory. This makes it possible to complete the node properties, which are variables (scalar or hierarchical) associated with each managed machine, that can be used as classification criteria or directly in the configuration.Change history with rollback function (restoration of changes)
Relay servers can meet two main needs: scale-up on the one hand, and architecture segmentation on the other. Indeed, a relay server is a kind of proxy between the nodes managed by RUDDER and the main RUDDER server. The relays allow:
- to create bridges between different network areas;
- to isolate sets of nodes from each other;
- to prohibit direct access to the main RUDDER server;
- to distribute the load among several servers to manage more machines from a single root server.
Real state visualization
Thanks to its main dashboard and numerous graphics, RUDDER makes it possible to visualize the compliance status of the fleet, both on a global scale and with very fine granularity, in the detail of environment, group, machine, configuration rule, machine, file, line… It is easy for any member of the IT team (including managers) to ensure, for example, that the security policy is properly applied throughout the fleet.
Scale-out relay servers (for network zone isolation and scalability)
RUDDER tracks all changes made to the park in an audit log. Thanks to this change history, a rollback system allows you to return to a previous configuration state. This functionality, along with the audit mode and validation workflow, secures the use of RUDDER by junior administrators or IT team members further away from infrastructure management.
Integrations
REST API
The importance of the availability of REST-type APIs by applications is no longer to be demonstrated in solving the problems of automation and complex integration between IS services. Service-oriented or micro-service architectures are based on this prerequisite. RUDDER therefore naturally exposes all its functionalities via a REST API. This API can be operated directly via a command line (or the python library on which it is based), as well as from third-party scripts or programs.
External datasources
This feature allows to precisely limit, track and log RUDDER users’ access to the configuration (including via the API), and to finely restrict the rights given to system API tokens (not linked to a user) for better security and privilege separation. Indeed, RUDDER generates one API token per RUDDER user, thus allowing the management of precise ACLs on the system tokens (of the same type as the user rights, with limitation in reading or writing on the different items). All this can be configured from the web interface.
Software integration
- Security audit – integration with OpenSCAP OpenSCAP is a security audit tool. Integrated with RUDDER, it allows you to track your security policies and standards on your infrastructure, such as PCI-DSS. Your reports are automatically generated and centralized within RUDDER
- Encryption data – integration with Hashicorp Vault Vault is a tool for storing and managing secrets (passwords, keys, etc.). Integrated with RUDDER, it facilitates the use of encrypted data from a Vault digital safe in RUDDER configurations. This avoids storing all data in RUDDER and gives you more security.
- Supervision – integration with Centreon and Zabbix (beta – available upon request) Supervision and configuration management are two key functions in maintaining an IS in operational condition. Centreon and Zabbix are commonly used free supervision tools. Integration with RUDDER allows machines to be automatically added to this type of solution as soon as they are accepted into RUDDER. In addition, configuration policies in RUDDER can include a new method that automatically associates the supervision model of a configured application with the machine.
- CMDB – integration with iTop and ServiceNow (beta – available upon request) iTop is a frequently used free CMDB. The integration between iTop and RUDDER allows data to be synchronized between CMDB and RUDDER. The latter allows you to synchronize configuration rules with the inventory of machines in iTop. Similar features are being finalized as part of the integration with ServiceNow.
- Deployment – integration with Ansible and Rundeck Ansible and Rundeck are infrastructure automation tools that are particularly complementary with RUDDER because they are specialized in a different dimension of IT automation. They complement RUDDER in the fields of orchestration and application deployment, where RUDDER specializes in the verification, visualization, and continuous reliability of system configurations. This feature allows interconnection with RUDDER in order to benefit from the functionalities of the different solutions together. One of the main advantages is to retrieve inventory information on machines from RUDDER for use in Ansible or Rundeck.
- Notification – integration with Slack RUDDER produces a flow of changes from the different agents connected to a server, centralizing all actions performed or errors encountered. This integration allows you to select events (belonging to a particular rule and/or group of machines), and generate corresponding messages by email or on the Slack instant messenger.
- Patrowl – available soon This integration allows you to directly integrate the main information from security audits performed on your nodes into the RUDDER interface for a unified devsecops view.
Supported system
Main linux distributions support
RUDDER manages Linux machines with the most common distributions:
- Debian 5 to 10
- Ubuntu 10.04 to 20.04
- Red Hat Entreprise Linux / CentOS 3 to 8
- SLES 10 to 15
- Slackware 14
Windows support
Developed in partnership with Microsoft, the RUDDER Agent for Windows uses native DSC (Desired State Configuration) technology, which has been included in Windows since Powershell 4. It therefore allows to manage servers under Windows Server 2008R2, 2012, 2012, 2012 R2, 2016, and desktops under Windows 7, 8, 8, 8.1 and 10. The Windows agent provides the same management power as the Linux agent, so all the features of RUDDER under Linux are also available on Windows (except for the techniques specific to the Linux operating mode of course).
AIX support
The RUDDER agent for AIX allows you to manage servers under IBM AIX 5, 6 and 7. The AIX agent allows the same management power as the Linux agent.
Raspberry Pi and ARM support
RUDDER works on machines equipped with ARM processors (including Raspberry Pi) and thus to manage embedded machines (with a Linux OS). Thanks to the lightness and performance of this agent, RUDDER is the tool of choice for IoT, defense, and digital city projects involving connected street furniture.
Solaris support
The RUDDER agent for Solaris support allows you to manage Solaris 11 systems.
MacOS support
The RUDDER agent for macOS support allows you to manage all macOS systems.
Docker support
The RUDDER agent can run in Docker containers in two different ways:
- in audit and enforce (remediation) mode if the instances have persistent storage,
- in audit-only mode on read-only instances.
In short
Web management interface
RUDDER is the only open source automation tool that provides a web management interface, through which a few clicks are enough to deploy configuration rules.
Ready-to-use configurations
No need to develop the code; a library of ready-to-use rules is included in the solution.
Drag-and-drop technique editor
With a graphical creation module for custom configuations directly included in the solution, you are free to create your own rules, still without code!
Continuous compliance
RUDDER does not just execute deployment commands, it verifies and maintains proactively the target state of your IT.
Keeping an eye on compliance
Through a comprehensive dashboard, overall compliance of the machines is available at a glance.
Scalability
RUDDER's agent is developed in C, which makes it highly scalable, and has low resource utilization so you can manage up to 100 000 machines with low impact.