
Configuration Management, Tracking and Reporting of Unix Machines using BCFG



Presentation Transcript


  1. Configuration Management, Tracking and Reporting of Unix Machines using BCFG. Gene Rackow, Argonne National Laboratory. 2007 DOE, OCIO Cyber Security Training Conference, Anaheim, California, May 2, 2007.

  2. Argonne National Laboratory IT Environment Challenges
  Argonne is managed by UChicago Argonne LLC for the Department of Energy.
  • Diverse population: 2500 employees, 10,000+ visitors annually, off-site computer users, foreign national employees, users, and collaborators
  • Diverse funding: not every computer is a DOE computer; IT is funded in many ways.
  • Every program is working in an increasingly distributed computing model.
  • Our goal: a consistent and comprehensively secure environment that supports the diversity of IT and requirements.

  3. Emphasis on the Synergies of Multi-Program Science, Engineering & Applications • Fundamental Physics • Accelerator Research • Infrastructure Analysis • Computational Science • Materials Characterization • Catalysis Science • Transportation Science • Nuclear Fuel Cycle • User Facilities • Structural Biology • … and much more.

  4. Systems Team Behind Bcfg
  • Gene Rackow, Cyber Security Office
  • Craig Stacey, Group Manager
  • Narayan Desai, Primary developer
  • Rick Bradshaw, HPC Cluster Support, Desktop Systems
  • Sandra Bittner, Software Support and licensing
  • Susan Coughlan, HPC Cluster Systems Manager
  • Ti Leggett, HPC Clusters and Visualization
  • Max Trefonides, Infrastructure and Desktop Systems
  • Andrew Cherry, HPC Systems
  • Cory Lueninghoener, HPC Cluster Systems
  Added support now coming from the open-source community.

  5. Why Bcfg? • Complexity became unmanageable • Maintaining many configurations became impossible • Applying security updates uniformly • Machines getting “left behind” • Users wanted to know what changed since “last year” • Bcfg2 history. Config management is not new. • Simple management: rsh/ssh to desktops • Cfg, an early implementation of centralized config • Bcfg-1, internal development only (wrong direction) • Reset expectations, move forward: Bcfg2

  6. Common Configuration Management Tools • Configuration done at build time • SystemImager • KickStart • JumpStart • cfengine • … • Vendor Supplied Updates • Ubuntu Update Manager • RedHat Update • Yum • …

  7. Configuration as an “Event” • New packages need to be added • Commercial Packages (Matlab, Mathematica …) • Custom Packages (GridFTP, Globus, …) • Security Update • Disabling SSH Version 1 • Changing TCP-Wrappers • The Auditors are coming. • Hacker Issue How do these relate to the system installed on the last slide?

  8. Installation Methods: Post Install • Add new info to the install image and reinstall the world • for i in `cat hostlist`; do … • PDSH • Specialized startup files

  9. Questions about Installed Systems • How many machines have patch ____ applied? • When did patch 6 go into production? • How long before all machines are updated? • How many “package” licenses are needed? • How do you handle special cases? • What about the machine that was turned off during the last update? • What changed on the web server that is now causing errors in the app?

  10. Bcfg Block Diagram (diagram; components shown: Configuration Data, History Data, Bcfg Services, Client Nodes)

  11. Getting Started (diagram; components shown: Bcfg Server with Specification Data, Config Generator and Historical Data; Bcfg Services; Configuration Data; Client host / Client Nodes receiving a config file, /etc/motd)

  12. Common Tasks • Adding new configuration file • Adding a new host • Change existing config file • Bring existing host into the flock • Reconciling Reality with Expectations • Creating a new machine to match existing system • Crash recovery • Adding capacity

  13. Adding complexity (diagram; components shown: Bcfg Server with Specification Data, Config Generator, Historical Data and Report Generators; Revision Control System; configuration sources: Operating System Packages, 3rd Party Packages, Generated Files, Configuration Files; client types: Clusternode (x2), Mail Server, WebServer, Scientific Desktop (x2), Generic Desktop, Admin Desktop)

  14. Visualizing a Configuration

  15. Visualizing what you have

  16. Status Report

  17. When a host is offline

  18. What makes a system “dirty”
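The questions on the “Questions about Installed Systems” slide and the three report slides above (status report, offline hosts, dirty systems) all reduce to the same comparison: a server-side specification of what each host should look like against what each client last reported and when. The following is an added example that models that comparison; it is not Bcfg2’s own code, data format or API. Host names, package versions, file contents and timestamps are constructed, and a “dirty” host is simply one whose last report differs from its specification.

```python
"""Reconciling a configuration specification with client reports.

Added example, not Bcfg2 code: a specification says what each host should
have, each client reports what it actually has and when, and the report
generator derives drift, patch coverage and offline hosts from the two.
All hosts, versions, file contents and timestamps below are constructed.
"""
from datetime import datetime, timedelta
from hashlib import sha256
from typing import Dict, List


def content_hash(text: str) -> str:
    """Hash of a managed file's content; clients report the hash of the installed copy."""
    return sha256(text.encode()).hexdigest()


SSHD_WANTED = "Protocol 2\nPermitRootLogin no\n"    # constructed: SSH v1 disabled
SSHD_STALE = "Protocol 2,1\nPermitRootLogin no\n"   # constructed: not yet updated

# Constructed specification: packages (name -> version) and managed files
# (path -> content hash) each host is supposed to have.
SPEC: Dict[str, dict] = {
    "web01":  {"packages": {"openssh-server": "4.3p2-8", "httpd": "2.2.3-6"},
               "files": {"/etc/ssh/sshd_config": content_hash(SSHD_WANTED)}},
    "node01": {"packages": {"openssh-server": "4.3p2-8"},
               "files": {"/etc/ssh/sshd_config": content_hash(SSHD_WANTED)}},
    "node02": {"packages": {"openssh-server": "4.3p2-8"},
               "files": {"/etc/ssh/sshd_config": content_hash(SSHD_WANTED)}},
}

NOW = datetime(2007, 5, 2, 9, 0)  # constructed "current time" for the report run

# Constructed client reports: node01 is up but has drifted; node02 was
# switched off during the last update and has not reported for three days.
REPORTS: Dict[str, dict] = {
    "web01":  {"reported_at": NOW - timedelta(hours=1),
               "packages": {"openssh-server": "4.3p2-8", "httpd": "2.2.3-6"},
               "files": {"/etc/ssh/sshd_config": content_hash(SSHD_WANTED)}},
    "node01": {"reported_at": NOW - timedelta(hours=2),
               "packages": {"openssh-server": "4.3p2-4"},
               "files": {"/etc/ssh/sshd_config": content_hash(SSHD_STALE)}},
    "node02": {"reported_at": NOW - timedelta(days=3),
               "packages": {"openssh-server": "4.3p2-4"},
               "files": {"/etc/ssh/sshd_config": content_hash(SSHD_WANTED)}},
}


def find_drift(spec_entry: dict, report: dict) -> List[str]:
    """Every way a host's reported state differs from its specification."""
    drift = []
    for pkg, want in spec_entry["packages"].items():
        have = report["packages"].get(pkg)
        if have is None:
            drift.append(f"package {pkg} missing (want {want})")
        elif have != want:
            drift.append(f"package {pkg} is {have}, want {want}")
    for path, want in spec_entry["files"].items():
        have = report["files"].get(path)
        if have is None:
            drift.append(f"file {path} missing")
        elif have != want:
            drift.append(f"file {path} differs from the specification")
    return drift


def is_dirty(host: str) -> bool:
    """A host is dirty when its last report shows any drift from the specification."""
    return bool(find_drift(SPEC[host], REPORTS[host]))


def offline_hosts(now: datetime, max_age: timedelta = timedelta(hours=24)) -> List[str]:
    """Hosts in the specification that have not reported within max_age."""
    return sorted(h for h in SPEC
                  if h not in REPORTS or now - REPORTS[h]["reported_at"] > max_age)


def patch_coverage(package: str, version: str) -> dict:
    """How far a package update has rolled out across the hosts that should have it."""
    wanted = [h for h, s in SPEC.items() if s["packages"].get(package) == version]
    applied = [h for h in wanted
               if h in REPORTS and REPORTS[h]["packages"].get(package) == version]
    return {"wanted": len(wanted), "applied": len(applied),
            "pending": sorted(set(wanted) - set(applied))}


def status_report(now: datetime) -> dict:
    """Clean / dirty / offline summary. Offline hosts are listed separately rather
    than as clean or dirty, because their last report no longer describes them."""
    offline = offline_hosts(now)
    report = {"clean": [], "dirty": {}, "offline": offline}
    for host in sorted(SPEC):
        if host in offline:
            continue
        drift = find_drift(SPEC[host], REPORTS[host])
        if drift:
            report["dirty"][host] = drift
        else:
            report["clean"].append(host)
    return report


if __name__ == "__main__":
    print(status_report(NOW))
    print(patch_coverage("openssh-server", "4.3p2-8"))
```

Run as a script it prints the status summary and the rollout count for the constructed openssh-server update: three hosts should have it, one does, and node01 and node02 are still pending. Note the design choice in `status_report`: a host that has not checked in is neither clean nor dirty, because the only thing the server knows about it is stale; reporting it under its own heading is what answers “what about the machine that was turned off during the last update?”.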

  19. Charting Change Management

  20. NIST 800-53 • AC-1 Access Control • AC-2 Account Management • AC-3 Access Enforcement • AC-5 Separation of Duties • AU-1 Audit and Accountability Policy and Procedure • AU-2 Auditable Events • AU-6 Audit Monitoring, Analysis and Reporting • AU-7 Audit Reduction and Report Generation • AU-8 Audit Log Time Stamps • AU-9 Protection of Audit Logs • AU-11 Audit Retention

  21. NIST 800-53 (continued) • CA-1 Certification, Accreditation, & Security Assessment Policies & Procedures • CA-2 Security Assessments • CA-7 Continuous Monitoring • CM-1 Configuration Management Policy and Procedures • CM-2 Baseline Configuration and System Component Inventory • CM-3 Configuration Change Control • CM-4 Monitoring Configuration Changes • CM-6 Configuration Settings • CP-1 Contingency Planning Policy and Procedures • CP-2 Contingency Planning • CP-5 Contingency Plan Update • CP-9 Information System Backup • CP-10 Information System Recovery and Reconstitution

  22. NIST 800-53 (continued) • IA-1 Identification and Authentication Policy and Procedures • IA-2 User Identification and Authentication • IA-3 Device Identification and Authentication • IA-6 Authenticator Feedback • MA-1 System Maintenance Policy and Procedure • MA-2 Periodic Maintenance • MA-3 Maintenance Tools • MA-6 Timely Maintenance • RA-1 Risk Assessment Policy and Procedures • SA-5 Information System Documentation • SA-6 Software Usage Restrictions • SA-7 User Installed Software • SI-1 System and Information Integrity • SI-2 Flaw Remediation • SI-4 Information System Monitoring Tools and Techniques • SI-5 Security Alerts and Advisories • SI-6 Security Functionality Verification

  23. Supported Operating Systems • RedHat • Ubuntu • CentOS • Debian • Solaris • Partial support of MacOSX and AIX

  24. Conclusion/Contacts • http://trac.mcs.anl.gov/projects/bcfg2 • http://www.bcfg2.org • Mailing list • Bcfg-dev@mcs.anl.gov • Subscribe via majordomo@mcs.anl.gov • Gene Rackow • Rackow@anl.gov Any Questions?
