Configuration Management, Tracking and Reporting of Unix Machines using BCFG
Gene Rackow, Argonne National Laboratory
2007 DOE, OCIO Cyber Security Training Conference, Anaheim, California, May 2, 2007
Argonne National Laboratory IT Environment Challenges
Argonne is managed by UChicago Argonne LLC for the Department of Energy.
Diverse population:
• 2500 employees
• 10,000+ visitors annually
• Off-site computer users
• Foreign national employees, users, and collaborators
Diverse funding:
• Not every computer is a DOE computer.
• IT is funded in many ways.
• Every program is working in an increasingly distributed computing model.
Our goal: a consistent and comprehensively secure environment that supports the diversity of IT and requirements.
Emphasis on the Synergies of Multi-Program Science, Engineering & Applications
• Fundamental Physics
• Accelerator Research
• Infrastructure Analysis
• Computational Science
• Materials Characterization
• Catalysis Science
• Transportation Science
• Nuclear Fuel Cycle
• User Facilities
• Structural Biology
• ... and much more.
Systems Team Behind Bcfg
• Gene Rackow: Cyber Security Office
• Craig Stacey: Group Manager
• Narayan Desai: Primary developer
• Rick Bradshaw: HPC Cluster Support, Desktop Systems
• Sandra Bittner: Software Support and licensing
• Susan Coughlan: HPC Cluster Systems Manager
• Ti Leggett: HPC Clusters and Visualization
• Max Trefonides: Infrastructure and Desktop Systems
• Andrew Cherry: HPC Systems
• Cory Lueninghoener: HPC Cluster Systems
Added support now coming from the open-source community.
Why Bcfg?
• Complexity became unmanageable
• Maintaining many configurations became impossible
• Applying security updates uniformly
• Machines getting "left behind"
• Users wanted to know what changed since "last year"
Bcfg2 history. Config management is not new.
• Simple management: rsh/ssh to desktops
• Cfg, an early implementation of centralized config
• Bcfg-1: internal development only (wrong direction)
• Reset expectations, move forward: Bcfg2
Common Configuration Management Tools
Configuration done at build time:
• SystemImager
• KickStart
• JumpStart
• cfengine
• ...
Vendor-supplied updates:
• Ubuntu Update Manager
• RedHat Update
• Yum
• ...
Configuration as an "Event"
• New packages need to be added
• Commercial packages (Matlab, Mathematica, ...)
• Custom packages (GridFTP, Globus, ...)
• Security update
• Disabling SSH Version 1
• Changing TCP-Wrappers
• The auditors are coming.
• Hacker issue
How do these relate to the system installed on the last slide?
Installation Methods: Post Install
• Add new info to the install image and reinstall the world
• for i in `cat hostlist`; do ...
• PDSH
• Specialized startup files
Questions about Installed Systems
• How many machines have patch ____ applied?
• When did patch 6 go into production?
• How long before all machines are updated?
• How many "package" licenses are needed?
• How do you handle special cases?
• What about the machine that was turned off during the last update?
• What changed on the web server that is now causing errors in the app?
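These questions can only be answered if every client check-in is recorded centrally and queried afterwards. The following is an added example, not Bcfg2's own reporting code: it keeps a list of constructed check-in records (host name, run time, package versions the client observed on itself) and answers the first, second, third and sixth questions from them. The host names, package names and versions are invented sample data.

```python
"""Answering the "questions about installed systems" from per-client run
reports.

Added example, not Bcfg2's own reporting code: the REPORTS records below are
constructed sample data standing in for what a configuration-management
server records each time a client checks in.
"""
from datetime import datetime, timedelta

# Constructed sample: one record per client check-in, with the package
# versions the client observed on itself at that time.
REPORTS = [
    {"host": "web1",  "run": "2007-04-20T10:00:00",
     "packages": {"openssh": "4.3p2-2", "httpd": "2.2.3-7"}},
    {"host": "web1",  "run": "2007-04-27T10:00:00",
     "packages": {"openssh": "4.3p2-4", "httpd": "2.2.3-7"}},
    {"host": "node1", "run": "2007-04-26T02:00:00",
     "packages": {"openssh": "4.3p2-4"}},
    {"host": "node2", "run": "2007-04-28T02:00:00",
     "packages": {"openssh": "4.3p2-4"}},
    # lab3 was switched off during the update window and never checked in.
    {"host": "lab3",  "run": "2007-04-10T09:00:00",
     "packages": {"openssh": "4.3p2-2"}},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def latest_reports(reports):
    """Most recent check-in per host; a host's current state is its last report."""
    latest = {}
    for rec in reports:
        cur = latest.get(rec["host"])
        if cur is None or _parse(rec["run"]) > _parse(cur["run"]):
            latest[rec["host"]] = rec
    return latest


def hosts_with_patch(reports, package, version):
    """How many machines have patch ____ applied? Judged from each host's latest report."""
    return sorted(host for host, rec in latest_reports(reports).items()
                  if rec["packages"].get(package) == version)


def first_seen(reports, package, version):
    """When did the patch go into production? ISO timestamp of the first report carrying it."""
    times = [_parse(rec["run"]) for rec in reports
             if rec["packages"].get(package) == version]
    return min(times).isoformat() if times else None


def stale_hosts(reports, now, max_age_days):
    """Hosts that have not checked in within max_age_days as of `now` (ISO string)."""
    cutoff = _parse(now) - timedelta(days=max_age_days)
    return sorted(host for host, rec in latest_reports(reports).items()
                  if _parse(rec["run"]) < cutoff)


def rollout_status(reports, package, version, now, max_age_days=7):
    """One summary answering the slide's questions for a given patch."""
    latest = latest_reports(reports)
    applied = hosts_with_patch(reports, package, version)
    pending = sorted(set(latest) - set(applied))
    return {
        "applied": applied,
        "pending": pending,
        "stale": stale_hosts(reports, now, max_age_days),
        "first_seen": first_seen(reports, package, version),
        "fraction_done": len(applied) / len(latest),
    }


if __name__ == "__main__":
    print(rollout_status(REPORTS, "openssh", "4.3p2-4", "2007-05-01T00:00:00"))
```

The point of keeping every check-in rather than only the current state is that "when did the patch go into production" and "which machine missed the update" are historical questions; a host that never reports back shows up in both the pending and the stale lists, which is the signal that it was off during the update window.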
Bcfg Block Diagram (figure): Configuration Data and History Data feed the Bcfg Services, which serve the Client Nodes.
Getting Started (figure): Specification Data is read by the Config Generator on the Bcfg Server, which produces a config file (for example /etc/motd) for the client host and records Historical Data.
Common Tasks
• Adding a new configuration file
• Adding a new host
• Changing an existing config file
• Bringing an existing host into the flock
• Reconciling reality with expectations
• Creating a new machine to match an existing system
• Crash recovery
• Adding capacity
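The Getting Started diagram and the "reconciling reality with expectations" task fit together as a generate-then-compare loop: a specification assigns hosts to groups, a generator resolves each host's desired files and packages, and the result is compared against what the client actually has. The following is an added example of that loop, not Bcfg2's own specification format, generator or client; the group layout, file contents, package versions and the "observed" state of web1 are all constructed for illustration.

```python
"""Generating a host's configuration from a group-based specification and
reconciling it with the state actually observed on the host.

Added example, not Bcfg2's own generator or client. The specification,
host list and observed state below are constructed sample data.
"""

# Constructed specification: which groups each host belongs to. Later groups
# override earlier ones when they define the same file or package.
HOST_GROUPS = {
    "web1": ["base", "webserver"],
    "node1": ["base", "clusternode"],
    "lab3": ["base"],
}

# Config entries each group contributes. The sshd_config entry is the
# "Disabling SSH Version 1" change from the earlier slide.
GROUP_FILES = {
    "base": {
        "/etc/motd": "Authorized use only.\n",
        "/etc/ssh/sshd_config": "Protocol 2\n",
    },
    "webserver": {
        "/etc/motd": "Authorized use only.\nWeb tier: no interactive logins.\n",
    },
    "clusternode": {
        "/etc/hosts.allow": "sshd: 10.0.0.0/8\n",
    },
}

GROUP_PACKAGES = {
    "base": {"openssh": "4.3p2-4"},
    "webserver": {"httpd": "2.2.3-7"},
    "clusternode": {"pdsh": "2.11-1"},
}


def generate(host):
    """Resolve the desired files and packages for one host from its groups."""
    files, packages = {}, {}
    for group in HOST_GROUPS[host]:
        files.update(GROUP_FILES.get(group, {}))
        packages.update(GROUP_PACKAGES.get(group, {}))
    return {"files": files, "packages": packages}


def reconcile(desired, observed):
    """Compare desired state with what the client reports.

    Returns a list of (kind, name, expected, actual) drift entries. A missing
    item has actual=None; an item present on the host but absent from the
    specification has expected=None, so an administrator can decide whether
    to add it to the specification or remove it from the machine.
    """
    drift = []
    for kind in ("files", "packages"):
        want, have = desired[kind], observed.get(kind, {})
        for name, expected in want.items():
            if name not in have:
                drift.append((kind, name, expected, None))
            elif have[name] != expected:
                drift.append((kind, name, expected, have[name]))
        for name, actual in have.items():
            if name not in want:
                drift.append((kind, name, None, actual))
    return drift


# Constructed observed state of web1, as a client inventory would report it:
# sshd still allows protocol 1, openssh is behind, and telnet-server was
# installed by hand and is not in the specification.
OBSERVED_WEB1 = {
    "files": {
        "/etc/motd": "Authorized use only.\nWeb tier: no interactive logins.\n",
        "/etc/ssh/sshd_config": "Protocol 2,1\n",
    },
    "packages": {"openssh": "4.3p2-2", "httpd": "2.2.3-7", "telnet-server": "0.17-38"},
}


if __name__ == "__main__":
    for entry in reconcile(generate("web1"), OBSERVED_WEB1):
        print(entry)
```

Bringing an existing host into the flock is the same comparison run before enforcement: the "extra" entries tell you what the machine carries that the specification does not yet describe, and the mismatches tell you what enforcing the specification would change.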
Adding complexity (figure): the Bcfg Server's Config Generator draws on Specification Data held in a Revision Control System (Operating System Packages, 3rd Party Packages, Configuration Files, Generated Files) and serves Cluster Nodes, a Mail Server, a Web Server, Scientific Desktops, Generic Desktops and Admin Desktops; Historical Data feeds the Report Generators.
NIST 800-53
• AC-1 Access Control
• AC-2 Account Management
• AC-3 Access Enforcement
• AC-5 Separation of Duties
• AU-1 Audit and Accountability Policy and Procedure
• AU-2 Auditable Events
• AU-6 Audit Monitoring, Analysis and Reporting
• AU-7 Audit Reduction and Report Generation
• AU-8 Audit Log Time Stamps
• AU-9 Protection of Audit Logs
• AU-11 Audit Retention
NIST 800-53 (continued)
• CA-1 Certification, Accreditation, & Security Assessment Policies & Procedures
• CA-2 Security Assessments
• CA-7 Continuous Monitoring
• CM-1 Configuration Management Policy and Procedures
• CM-2 Baseline Configuration and System Component Inventory
• CM-3 Configuration Change Control
• CM-4 Monitoring Configuration Changes
• CM-6 Configuration Settings
• CP-1 Contingency Planning Policy and Procedures
• CP-2 Contingency Planning
• CP-5 Contingency Plan Update
• CP-9 Information System Backup
• CP-10 Information System Recovery and Reconstitution
NIST 800-53 (continued)
• IA-1 Identification and Authentication Policy and Procedures
• IA-2 User Identification and Authentication
• IA-3 Device Identification and Authentication
• IA-6 Authenticator Feedback
• MA-1 System Maintenance Policy and Procedure
• MA-2 Periodic Maintenance
• MA-3 Maintenance Tools
• MA-6 Timely Maintenance
• RA-1 Risk Assessment Policy and Procedures
• SA-5 Information System Documentation
• SA-6 Software Usage Restrictions
• SA-7 User Installed Software
• SI-1 System and Information Integrity
• SI-2 Flaw Remediation
• SI-4 Information System Monitoring Tools and Techniques
• SI-5 Security Alerts and Advisories
• SI-6 Security Functionality Verification
Supported Operating Systems
• RedHat
• Ubuntu
• CentOS
• Debian
• Solaris
• Partial support for Mac OS X and AIX
Conclusion/Contacts
• http://trac.mcs.anl.gov/projects/bcfg2
• http://www.bcfg2.org
• Mailing list: Bcfg-dev@mcs.anl.gov (subscribe via majordomo@mcs.anl.gov)
• Gene Rackow: Rackow@anl.gov
Any questions?