
Configuration Management, Tracking and Reporting of Unix Machines using BCFG

Gene Rackow

Argonne National Laboratory

2007 DOE, OCIO Cyber Security Training Conference

Anaheim, California

May 2, 2007

Argonne National Laboratory

Diverse population:

  • 2500 employees

  • 10,000+ visitors annually

  • Off-site computer users

  • Foreign national employees, users, and collaborators

Diverse funding:

  • Not every computer is a DOE computer.

  • IT is funded in many ways.

Every program is working in an increasingly distributed computing model.

Our goal: a consistent and comprehensively secure environment that supports the diversity of IT and requirements.

IT Environment Challenges

Argonne is managed by the UChicago Argonne LLC for the Department of Energy.

Emphasis on the Synergies of Multi-Program Science, Engineering & Applications

  • Catalysis Science

  • Nuclear Fuel Cycle

  • User Facilities

  • ... and much more.

Systems Team Behind Bcfg

  • Gene Rackow: Cyber Security Office

  • Craig Stacey: Group Manager

  • Narayan Desai: Primary developer

  • Rick Bradshaw: HPC Cluster Support, Desktop Systems

  • Sandra Bittner: Software Support and licensing

  • Susan Coughlan: HPC Cluster Systems Manager

  • Ti Leggett: HPC Clusters and Visualization

  • Max Trefonides: Infrastructure and Desktop Systems

  • Andrew Cherry: HPC Systems

  • Cory Lueninghoener: HPC Cluster Systems

Added support now coming from the OpenSource Community

Why Bcfg?

  • Complexity became unmanageable

    • Maintaining many configurations became impossible

    • Applying security updates uniformly

    • Machines getting “left behind”

  • Users wanted to know what changed since “last year”

  • Bcfg2 history. Config management is not new.

    • Simple management, rsh/ssh to desktops

    • Cfg, an early implementation of centralized config

    • Bcfg-1 internal development only (wrong direction)

    • Reset expectations and move forward: Bcfg2

Common Configuration Management Tools

  • Configuration done at build time

    • SystemImager

    • KickStart

    • JumpStart

    • cfengine

  • Vendor Supplied Updates

    • Ubuntu Update Manager

    • RedHat Update

    • Yum

Configuration as an “Event”

  • New packages need to be added

    • Commercial Packages (Matlab, Mathematica …)

    • Custom Packages (GridFTP, Globus, …)

  • Security Update

    • Disabling SSH Version 1

    • Changing TCP-Wrappers

  • The Auditors are coming.

  • Hacker Issue

    How do these relate to the system installed on the last slide?

Installation Methods Post Install

  • Add new info to Install Image and reinstall the world

  • for i in `cat hostlist`; do …

  • PDSH

  • Specialized startup files

Questions about Installed Systems

  • How many machines have patch ____ applied?

  • When did patch 6 go into production?

  • How long before all machines are updated?

  • How many “package” licenses are needed?

  • How do you handle special cases?

  • What about the machine that was turned off during the last update?

  • What changed on the web server that is now causing errors in the app?
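The questions above are the ones the reporting side of Bcfg exists to answer. The following is an added Python example, not code from the presentation or from Bcfg itself: it models a package specification and a set of per-host client reports (every host name, package, version and timestamp is constructed) and answers three of the questions, which hosts carry a given patch, which hosts are “dirty” because their last report deviates from the specification (including software installed that the specification never listed), and which hosts have not reported in, so their state is unknown rather than clean. It also covers the status, offline and “dirty” slides later in the deck.

```python
from datetime import datetime, timedelta

# Desired specification: package -> version every host should carry (constructed).
SPEC = {"openssh": "4.3p2-2", "tcp_wrappers": "7.6-40", "kernel": "2.6.18-8"}

# Last state each client reported (constructed sample data): installed versions
# and the time of that report. "rogue-tool" on node7 is not in the spec at all.
REPORTS = {
    "web1": {"seen": datetime(2007, 4, 30, 2, 0),
             "pkgs": {"openssh": "4.3p2-2", "tcp_wrappers": "7.6-40", "kernel": "2.6.18-8"}},
    "web2": {"seen": datetime(2007, 4, 30, 2, 5),
             "pkgs": {"openssh": "4.3p2-1", "tcp_wrappers": "7.6-40", "kernel": "2.6.18-8"}},
    "mail1": {"seen": datetime(2007, 4, 12, 3, 0),
              "pkgs": {"openssh": "4.3p2-1", "tcp_wrappers": "7.6-38", "kernel": "2.6.18-7"}},
    "node7": {"seen": datetime(2007, 4, 30, 1, 55),
              "pkgs": {"openssh": "4.3p2-2", "tcp_wrappers": "7.6-40",
                       "kernel": "2.6.18-8", "rogue-tool": "0.1"}},
}
NOW = datetime(2007, 5, 2)  # date the report is run (constructed)

def dirty_entries(host):
    """Entries on a host that differ from the spec: missing, wrong version,
    or installed but absent from the spec. Any of these makes the host "dirty"."""
    pkgs = REPORTS[host]["pkgs"]
    bad = {}
    for name, want in SPEC.items():
        have = pkgs.get(name)
        if have != want:
            bad[name] = ("missing" if have is None else "wrong version", have, want)
    for name, have in pkgs.items():
        if name not in SPEC:
            bad[name] = ("extra", have, None)
    return bad

def hosts_with(pkg, version):
    """How many machines have patch ____ applied? Returns the sorted host names."""
    return sorted(h for h, r in REPORTS.items() if r["pkgs"].get(pkg) == version)

def offline_hosts(now=NOW, max_age=timedelta(days=2)):
    """Hosts with no report inside max_age: their state is unknown, so they
    must not be counted as clean even if the last report looked fine."""
    return sorted(h for h, r in REPORTS.items() if now - r["seen"] > max_age)

def status_report(now=NOW):
    offline = offline_hosts(now)
    dirty = sorted(h for h in REPORTS if dirty_entries(h))  # last known state
    clean = sorted(h for h in REPORTS if h not in dirty and h not in offline)
    return {"clean": clean, "dirty": dirty, "offline": offline}
```

A host such as mail1 that is both stale and out of spec appears under both "dirty" and "offline", which is the case the “machine turned off during the last update” question is about.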

Bcfg Block Diagram

(Diagram; labels: Bcfg Services, Configuration Data, History Data.)

Getting Started

(Diagram; labels: Client host, Bcfg Server, Specification Data, Config Generator, Config file, Historical Data, Bcfg Services, Client Nodes, Configuration Data.)

Common Tasks

  • Adding new configuration file

  • Adding a new host

  • Change existing config file

  • Bring existing host into the flock

    • Reconciling Reality with Expectations

  • Creating a new machine to match existing system

    • Crash recovery

    • Adding capacity

Adding Complexity

(Diagram; labels: Bcfg Server, Specification Data, Config Generator, Historical Data, Report Generators, Revision Control System, Operating System Packages, 3rd Party, Configuration Files, Clusternode, Mail Server.)

Visualizing a Configuration

Visualizing what you have

Status Report

When a host is offline

What makes a system “dirty”

Charting Change Management

NIST 800-53

  • AC-1 Access Control

  • AC-2 Account Management

  • AC-3 Access Enforcement

  • AC-5 Separation of Duties

  • AU-1 Audit and Accountability Policy and Procedure

  • AU-2 Auditable Events

  • AU-6 Audit Monitoring, Analysis and Reporting

  • AU-7 Audit Reduction and Report Generation

  • AU-8 Audit Log Time Stamps

  • AU-9 Protection of Audit Logs

  • AU-11 Audit Retention

NIST 800-53 (continued)

  • CA-1 Certification, Accreditation, & Security Assessment Policies & Procedures

  • CA-2 Security Assessments

  • CA-7 Continuous Monitoring

  • CM-1 Configuration Management Policy and Procedures

  • CM-2 Baseline configuration and System Component Inventory

  • CM-3 Configuration Change Control

  • CM-4 Monitoring Configuration Changes

  • CM-6 Configuration Settings

  • CP-1 Contingency Planning Policy and Procedures

  • CP-2 Contingency Planning

  • CP-5 Contingency Plan Update

  • CP-9 Information System Backup

  • CP-10 Information System Recovery and Reconstitution

NIST 800-53 (continued)

  • IA-1 Identification and Authentication Policy and Procedures

  • IA-2 User Identification and Authentication

  • IA-3 Device Identification and Authentication

  • IA-6 Authenticator Feedback

  • MA-1 System Maintenance Policy and Procedure

  • MA-2 Periodic Maintenance

  • MA-3 Maintenance Tools

  • MA-6 Timely Maintenance

  • RA-1 Risk Assessment Policy and Procedures

  • SA-5 Information System Documentation

  • SA-6 Software Usage Restrictions

  • SA-7 User Installed Software

  • SI-1 System and Information Integrity

  • SI-2 Flaw Remediation

  • SI-4 Information System Monitoring Tools and Techniques

  • SI-5 Security Alerts and Advisories

  • SI-6 Security Functionality Verification

Supported Operating Systems

  • RedHat

  • Ubuntu

  • CentOS

  • Debian

  • Solaris

  • Partial support of MacOSX and AIX

Conclusion/Contacts

  • Mailing list

    • [email protected]

      • Subscribe via [email protected]

  • Gene Rackow

    • [email protected]

Any Questions?