Installation and operation of Rudder

Foreword

Our "friendship" began two years ago. I came to a new place of work, where the previous administrator easily left this software to me as a legacy. On the Internet, apart from the official documentation, nothing could be found. Even now, if you google “rudder”, in 99% of cases it returns ship helms and quadcopters. I managed to find an approach to it. Since the community around this software is negligible, I decided to share my experience and the pitfalls I hit. I think it will be useful to someone.

So Rudder

Rudder is an open source auditing and configuration management utility that helps automate system configuration. It works by installing an agent on each managed host. Through a user-friendly interface, we can observe how well our infrastructure complies with the specified policies.

Using

Below I will list what I use Rudder for.

  • File and config control: .ssh/authorized_keys; /etc/hosts; iptables (and wherever your imagination leads)

  • Control of installed packages: zabbix.agent or any other software

Server installation

The other day I upgraded from version 5 to 6.1, and everything went well. The commands below are for Debian/Ubuntu, but RHEL/CentOS and SLES are also supported.

I will hide the installation in spoilers so as not to distract you.

Dependencies

rudder-server requires at least Java RE version 8, which can be installed from the standard repository.

Check whether it is installed:

java -version

If the output is

-bash: java: command not found

then install it:

apt install default-jre

Server

Importing the key

wget --quiet -O- "https://repository.rudder.io/apt/rudder_apt_key.pub" | sudo apt-key add -

Here is the key fingerprint

pub  4096R/474A19E8 2011-12-15 Rudder Project (release key) <[email protected]>
      Key fingerprint = 7C16 9817 7904 212D D58C  B4D1 9322 C330 474A 19E8

Since we do not have a paid subscription, we add the following repository

echo "deb http://repository.rudder.io/apt/6.1/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/rudder.list

Update the list of repositories and install the server

apt update
apt install rudder-server-root

Create an admin user (replace the quoted placeholder, "Your Password" in Russian, with your own password)

rudder server create-user -u admin -p "Ваш Пароль"

In the future, we can manage users through the config.

That's it, the server is ready.

Server Tuning

Now you need to add the IP addresses of the agents, or an entire subnet, on the Rudder server, in line with your security policy.

Settings -> General

In the "Add a network" field, enter the address and mask in the format x.x.x.x/xx. To allow access from all addresses of the internal network (if, of course, this is a test network and you are behind NAT), enter: 0.0.0.0/0

Important: after adding the IP address, do not forget to click Save changes, otherwise nothing will be saved.

Ports

Open the following ports on the server

  • 443-tcp

  • 5309-tcp

  • 514-udp
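
The ports above only need to be reachable from the agents, and the 0.0.0.0/0 entry mentioned earlier is meant for test networks. As an added example (not from the original article), the script below prints iptables rules that open the three listed ports to the given agent networks only and refuses catch-all ranges; the function names, the /8 limit and the sample networks are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print iptables rules that open the Rudder server ports
# from the article to the agent networks only. Rules are printed for
# review, not applied.
RUDDER_PORTS="tcp/443 tcp/5309 udp/514"   # the three ports listed above
MIN_PREFIX=8   # assumption: refuse networks wider than a /8

# Accept a.b.c.d/len with octets 0..255 and MIN_PREFIX <= len <= 32,
# which rejects 0.0.0.0/0 and other catch-all ranges.
valid_agent_net() {
    printf '%s\n' "$1" | awk -F'[./]' -v min="$MIN_PREFIX" '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) exit 1
          for (i = 1; i <= 4; i++) if ($i + 0 > 255) exit 1
          if ($5 + 0 < min + 0 || $5 + 0 > 32) exit 1 }'
}

# Print one ACCEPT rule per network and port; print nothing if any
# network fails validation.
rudder_fw_rules() {
    for net in "$@"; do
        valid_agent_net "$net" || { echo "refusing network: $net" >&2; return 1; }
    done
    for net in "$@"; do
        for pp in $RUDDER_PORTS; do
            echo "iptables -A INPUT -p ${pp%/*} -s $net --dport ${pp#*/} -j ACCEPT"
        done
    done
}

# Constructed sample networks (documentation ranges).
rudder_fw_rules 192.0.2.0/24 198.51.100.16/28
```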

That covers the initial server setup.

Installing the Agent

Adding a Key

wget --quiet -O- "https://repository.rudder.io/apt/rudder_apt_key.pub" | sudo apt-key add -

Key fingerprint

pub  4096R/474A19E8 2011-12-15 Rudder Project (release key) <[email protected]>
      Key fingerprint = 7C16 9817 7904 212D D58C  B4D1 9322 C330 474A 19E8
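
In both the server and the agent installation, the key import pipes the download straight into apt-key, so the printed fingerprint is never actually compared with anything. As an added example (not part of the original article or of the Rudder documentation), the script below checks a key listing against the fingerprint quoted in the article before the key is trusted; it assumes GnuPG 2.2 or later for --show-keys, and the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the Rudder repository key with the fingerprint
# printed in the article before handing it to apt.
EXPECTED_FPR="7C16 9817 7904 212D D58C  B4D1 9322 C330 474A 19E8"

# Constructed sample of `gpg --with-colons` output for offline testing.
SAMPLE_LISTING='pub:-:4096:1:9322C330474A19E8:1323907200:::-:::scESC:
fpr:::::::::7C1698177904212DD58CB4D19322C330474A19E8:
uid:-::::1323907200::0::Rudder Project (release key):'

# Strip whitespace and upper-case, so both spellings compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin. Print the primary key fingerprint
# (field 10 of the first "fpr" record) only if the listing holds exactly
# one primary key: apt-key would import every key found in the file.
primary_fpr() {
    awk -F: '
        $1 == "pub" { npub++ }
        $1 == "fpr" && fpr == "" { fpr = $10 }
        END { if (npub == 1 && fpr != "") print fpr }'
}

# Succeed only if the listing on stdin matches the fingerprint in $1.
fpr_matches() {
    want=$(normalize_fpr "$1")
    got=$(normalize_fpr "$(primary_fpr)")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Check a downloaded key file (assumes GnuPG 2.2+ for --show-keys).
verify_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | fpr_matches "$EXPECTED_FPR"
}

# Self-check against the constructed sample.
if printf '%s\n' "$SAMPLE_LISTING" | fpr_matches "$EXPECTED_FPR"; then
    echo "sample listing: fingerprint matches"
fi

# On a real host (network and root needed):
#   wget --quiet -O rudder_apt_key.pub "https://repository.rudder.io/apt/rudder_apt_key.pub"
#   verify_key_file rudder_apt_key.pub && sudo apt-key add rudder_apt_key.pub
```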

Adding a repository

echo "deb http://repository.rudder.io/apt/6.1/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/rudder.list

Installing the agent

apt update
apt install rudder-agent

Agent setup

Tell the agent the IP address of the policy server

rudder agent policy-server <rudder server ip or hostname> # Without the angle brackets. A domain name can also be used

Running the following command sends a request to add a new agent to the server. In a couple of minutes it will appear in the list of new agents; I will explain how to add it in the next section.

rudder agent inventory

We can also force an agent run, and it will send the request immediately

rudder agent run

Our agent is set, let's move on.

Adding agents

Login

https://127.0.0.1/rudder/index.html

Your agent will appear in the "Accept new nodes" section; check the box and click Accept

It takes some time for the system to check the server for compliance

Create server groups

Let's create a group (that's quite an adventure). I have no idea why the developers made group creation such a pain, but as I understand it, there is no other way. Go to the Node management -> Groups section and click on Create, select a static group and give it a name.

Filter for the server we need by some attribute, for example by IP address, and save

The group is set up.

Setting up rules

Go to Configuration policy → Rules and create a new rule

Add the group prepared earlier (this can be done later)

And create a new directive

Let's create a directive for adding public keys to .ssh/authorized_keys. I use this when a new employee leaves, or as a safety net, for example, if someone accidentally removes my key.

Go to Configuration policy → Directives. On the left we see the “Directive library”. Find “Remote access → SSH authorized keys” and click Create Directive on the right.

We enter data about the user and add his key. Next, choose an application policy

  • Global - Default Policy

  • Enforce - Execute on selected servers

  • Audit - Conduct an audit and tell which clients have the key

Be sure to specify our rule

Then save and you're done.

Checking

Key added successfully

Extras

The agent gives complete information about the server: lists of installed packages, interfaces, open ports and much more, which you can see in the screenshot below

You can install and control software not only on Linux but also on Windows; I did not check the latter, as there was no need.

From the author

You must be asking: why reinvent the wheel if Ansible and Puppet were invented long ago?

I answer: Ansible has drawbacks. For example, we don’t see what state a given config is in right now. And everyone knows the situation when you start a role or playbook, errors start flying, and you end up climbing onto the server to see which package got updated where. And I simply haven’t worked with Puppet.

Are there any downsides to Rudder? A lot. Starting with agents falling off, so that you have to reinstall them or use the rudder reset command (by the way, I haven’t seen this in version 6 yet), and ending with an extremely complex setup and an illogical interface.

Are there any advantages? There are also a lot: unlike the well-known Ansible, we have a web interface in which we can see the compliance with the policies we applied. For example, whether ports are exposed to the world, what state the firewall is in, whether security agents or other odds and ends are installed.

This software is perfect for the information security department, since the state of the infrastructure will always be in front of your eyes, and if any of the rules lights up in red, that is a reason to visit the server. As I said, I have been using Rudder for 2 years already, and if you study it a little, life becomes better. The most difficult thing in a large infrastructure is that you don’t remember what state a server is in, whether a junior forgot to install security agents or configured iptables correctly; Rudder will help you keep abreast of all events. Forewarned is forearmed! )

P.S. It turned out much longer than I planned. I will not describe how to install packages; if there are requests, I will write a second part.

P.P.S. The article is for informational purposes; I decided to share it because there is very little information on the Internet. Maybe it will be of interest to someone. Have a nice day, dear friends.

Source: habr.com
