
Configuration Management, Tracking and Reporting of Unix Machines using BCFG

Gene Rackow

Argonne National Laboratory

2007 DOE, OCIO Cyber Security Training Conference

Anaheim, California

May 2, 2007

Argonne National Laboratory: IT Environment Challenges

Diverse population:
  • 2500 employees
  • 10,000+ visitors annually
  • Off-site computer users
  • Foreign national employees, users, and collaborators

Diverse funding:
  • Not every computer is a DOE computer.
  • IT is funded in many ways.

Every program is working in an increasingly distributed computing model.

Our goal: a consistent and comprehensively secure environment that supports the diversity of IT and requirements.

Argonne is managed by UChicago Argonne LLC for the Department of Energy.

Emphasis on the Synergies of Multi-Program Science, Engineering & Applications
  • Fundamental Physics
  • Accelerator Research
  • Infrastructure Analysis
  • Computational Science
  • Materials Characterization
  • Catalysis Science
  • Transportation Science
  • Nuclear Fuel Cycle
  • User Facilities
  • Structural Biology
  • ... and much more.

Systems Team Behind Bcfg
  • Gene Rackow, Cyber Security Office
  • Craig Stacey, Group Manager
  • Narayan Desai, Primary developer
  • Rick Bradshaw, HPC Cluster Support and Desktop Systems
  • Sandra Bittner, Software Support and licensing
  • Susan Coughlan, HPC Cluster Systems Manager
  • Ti Leggett, HPC Clusters and Visualization
  • Max Trefonides, Infrastructure and Desktop Systems
  • Andrew Cherry, HPC Systems
  • Cory Lueninghoener, HPC Cluster Systems

Added support now coming from the Open Source community.

Why Bcfg?
  • Complexity became unmanageable
    • Maintaining many configurations became impossible
    • Applying security updates uniformly
    • Machines getting “left behind”
  • Users wanted to know what changed since “last year”
  • Bcfg2 history. Config management is not new.
    • Simple management: rsh/ssh to desktops
    • Cfg, an early implementation of centralized config
    • Bcfg-1, internal development only (wrong direction)
    • Reset expectations, move forward: Bcfg2
Common Configuration Management Tools
  • Configuration done at build time
    • SystemImager
    • KickStart
    • JumpStart
    • cfengine
  • Vendor Supplied Updates
    • Ubuntu Update Manager
    • RedHat Update
    • Yum
Configuration as an “Event”
  • New packages need to be added
    • Commercial Packages (Matlab, Mathematica …)
    • Custom Packages (GridFTP, Globus, …)
  • Security Update
    • Disabling SSH Version 1
    • Changing TCP-Wrappers
  • The Auditors are coming.
  • Hacker Issue

How do these relate to the system installed on the last slide?
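Disabling SSH version 1 is the slide's example of a security update that has to land on every machine and then be verified, which is also the first of the "Questions about Installed Systems" on a later slide. The shell functions below are an added example, not code from the slides or from the Bcfg2 project: they classify sshd_config files by whether protocol 1 is still permitted and list the hosts that still need the change. The three configs and the host names are constructed for the example; the directory they are read from is an assumed collection point.

```shell
#!/bin/sh
# Added example (not from the slides or Bcfg2): has "disable SSH v1"
# actually landed on each host? Inputs are sshd_config files gathered
# per host; the three written by make_samples are constructed.
set -eu

# Classify one sshd_config as v1-enabled, v1-disabled or unspecified.
# sshd honours the first occurrence of a keyword, so the first
# uncommented Protocol line decides; comments and indentation are ignored.
ssh_protocol_state() {   # $1 = path to an sshd_config
  proto=$(sed -n 's/^[[:space:]]*[Pp]rotocol[[:space:]]\{1,\}\([0-9,[:space:]]*\).*/\1/p' "$1" \
          | head -n 1)
  case "$proto" in
    "")  echo unspecified ;;   # compiled-in default applies, and before
                               # OpenSSH 5.4 that default was 2,1: not fixed
    *1*) echo v1-enabled ;;    # "1" or "2,1"
    *)   echo v1-disabled ;;   # "2"
  esac
}

# Constructed sample configs, one per host, named <host>.sshd_config.
make_samples() {         # $1 = directory to write into
  mkdir -p "$1"
  printf '# from the 2005 image\nProtocol 2,1\nPermitRootLogin no\n' \
    > "$1/web01.sshd_config"
  printf 'Port 22\nProtocol 2\nPermitRootLogin no\n' \
    > "$1/db01.sshd_config"
  printf 'Port 22\n# Protocol 2\n' \
    > "$1/desk07.sshd_config"    # the change exists only as a comment
}

# One "host state" line per collected config.
fleet_report() {         # $1 = directory of <host>.sshd_config files
  for f in "$1"/*.sshd_config; do
    printf '%s %s\n' "$(basename "$f" .sshd_config)" "$(ssh_protocol_state "$f")"
  done
}

# Hosts still needing the change: anything not explicitly v1-disabled.
needs_change() { fleet_report "$1" | grep -v ' v1-disabled$' | cut -d' ' -f1; }

# Run over the constructed samples (assumed real location: a directory
# of configs pulled from each host, e.g. by the tooling the deck describes).
d=$(mktemp -d)
make_samples "$d"
fleet_report "$d"
echo "still need the change: $(needs_change "$d" | tr '\n' ' ')"
rm -rf "$d"
```

The report lists db01 as v1-disabled, desk07 as unspecified and web01 as v1-enabled, so two of three hosts still need the change. The "unspecified" class is the one a naive grep for "Protocol 2,1" misses: the host has no bad line, but also no good one.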

Installation Methods Post Install
  • Add new info to Install Image and reinstall the world
  • for i in `cat hostlist`; do …
  • PDSH
  • Specialized startup files
Questions about Installed Systems
  • How many machines have patch ____ applied?
  • When did patch 6 go into production?
  • How long before all machines are updated?
  • How many “package” licenses are needed?
  • How do you handle special cases?
  • What about the machine that was turned off during the last update?
  • What changed on the web server that is now causing errors in the app?
Bcfg Block Diagram

[Figure: Bcfg Services in the centre, connected to Configuration Data and History Data on the server side and to the Client Nodes on the other.]
Getting Started

[Figure: a Bcfg Server holds the Specification Data; its Config Generator turns that specification into a config file, /etc/motd in the example, delivered to a Client host, with Historical Data kept alongside. A second panel repeats the block diagram: Bcfg Services, Configuration Data, Historical Data, Client Nodes.]
Common Tasks
  • Adding new configuration file
  • Adding a new host
  • Change existing config file
  • Bring existing host into the flock
    • Reconciling Reality with Expectations
  • Creating a new machine to match existing system
    • Crash recovery
    • Adding capacity
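The "Getting Started" diagram above and the "Common Tasks" list are two halves of one loop: write a specification for a file, hand it to a host, then reconcile what the host actually has with what the specification says. The shell script below is an added example, not code from the slides or from the Bcfg2 project. It lays out a minimal repository in the standard Bcfg2 1.x layout (Metadata/, Bundler/, Cfg/) for the diagram's /etc/motd, then runs a small reconciliation check of its own over a constructed "reality" directory, standing in for what the real client reports on a dry run (bcfg2 -vqn). The repository path, the host name lab-desk01, the profile group desktop and the banner text are assumptions made for the example; ownership is not checked so the script runs unprivileged.

```shell
#!/bin/sh
# Added example (not Bcfg2's own code). Assumed names: host lab-desk01,
# profile group desktop, repository root chosen by the caller.
set -eu

# Lay out a minimal Bcfg2 repository that manages one file, /etc/motd.
make_bcfg2_repo() {   # $1 = repository root, e.g. /var/lib/bcfg2
  repo=$1
  mkdir -p "$repo/Metadata" "$repo/Bundler" "$repo/Cfg/etc/motd"
  # Metadata/groups.xml: a profile group and the bundles it receives.
  cat > "$repo/Metadata/groups.xml" <<'EOF'
<Groups>
  <Group name="desktop" profile="true">
    <Bundle name="motd"/>
  </Group>
</Groups>
EOF
  # Metadata/clients.xml: which profile each client host gets.
  cat > "$repo/Metadata/clients.xml" <<'EOF'
<Clients version="3.0">
  <Client name="lab-desk01" profile="desktop"/>
</Clients>
EOF
  # Bundler/motd.xml: the bundle names the entries it manages.
  cat > "$repo/Bundler/motd.xml" <<'EOF'
<Bundle name="motd">
  <Path name="/etc/motd"/>
</Bundle>
EOF
  # Cfg/etc/motd/motd: the literal content served for /etc/motd.
  printf 'Authorized use only. This system is monitored.\n' \
    > "$repo/Cfg/etc/motd/motd"
  # Cfg/etc/motd/info.xml: ownership and mode the client must enforce
  # (the attribute is perms in older releases, mode in newer ones).
  cat > "$repo/Cfg/etc/motd/info.xml" <<'EOF'
<FileInfo>
  <Info owner="root" group="root" perms="0644"/>
</FileInfo>
EOF
}

# --- reconciliation: this example's own check, not the bcfg2 client ---

# Normalise an octal mode string: "0644" and "644" both become "644".
norm_mode() { sed 's/^0*\([0-7]\)/\1/'; }

# Mode the specification demands for a managed path.
expected_mode() {     # $1 = repo, $2 = path such as /etc/motd
  sed -n -e 's/.*perms="\([0-7]*\)".*/\1/p' \
         -e 's/.*mode="\([0-7]*\)".*/\1/p' "$1/Cfg$2/info.xml" | norm_mode
}

# Mode a file on disk actually has (GNU stat, BSD stat fallback).
actual_mode() {       # $1 = file
  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; } | norm_mode
}

# Compare one managed path under host root $2 with the spec in $1.
# Prints "ok", "missing", "content" or "mode" plus the path; exit 0 only
# for ok. Ownership is left out so the example runs unprivileged.
check_path() {        # $1 = repo, $2 = root of the host tree, $3 = path
  spec="$1/Cfg$3/$(basename "$3")"
  real="$2$3"
  if [ ! -f "$real" ]; then echo "missing $3"; return 1; fi
  if ! cmp -s "$spec" "$real"; then echo "content $3"; return 1; fi
  if [ "$(actual_mode "$real")" != "$(expected_mode "$1" "$3")" ]; then
    echo "mode $3"; return 1
  fi
  echo "ok $3"
}

# Walk through the loop on a constructed host tree.
demo() {
  work=$(mktemp -d)
  make_bcfg2_repo "$work/repo"
  root=$work/root; mkdir -p "$root/etc"
  # Constructed "reality": a stale banner left over from an older image.
  printf 'Welcome to lab-desk01\n' > "$root/etc/motd"
  chmod 0644 "$root/etc/motd"
  check_path "$work/repo" "$root" /etc/motd || true    # content /etc/motd
  # Apply the specification (what a non-dry-run client does), re-check.
  cp "$work/repo/Cfg/etc/motd/motd" "$root/etc/motd"
  chmod 0644 "$root/etc/motd"
  check_path "$work/repo" "$root" /etc/motd             # ok /etc/motd
  rm -rf "$work"
}
demo
```

With the real tool, the same repository is served by bcfg2-server; `bcfg2-info buildfile /etc/motd lab-desk01` renders the entry on the server, and on the client `bcfg2 -vqn` reports the drift without changing anything, while `bcfg2 -vq` applies the specification. "Bring existing host into the flock" is exactly the first dry run: every "content" or "mode" line is a difference between reality and expectation that has to be resolved, either by fixing the host or by correcting the specification.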
Adding complexity

[Figure: the Bcfg Server now keeps its Specification Data in a Revision Control System. The specification draws on Operating System Packages, 3rd Party Packages, Generated Files and Configuration Files; the Config Generator serves several classes of client: Cluster nodes, a Mail Server, a Web Server, Scientific Desktops, a Generic Desktop and an Admin Desktop. Report Generators read the Historical Data.]
NIST 800-53
  • AC-1 Access Control
  • AC-2 Account Management
  • AC-3 Access Enforcement
  • AC-5 Separation of Duties
  • AU-1 Audit and Accountability Policy and Procedure
  • AU-2 Auditable Events
  • AU-6 Audit Monitoring, Analysis and Reporting
  • AU-7 Audit Reduction and Report Generation
  • AU-8 Audit Log Time Stamps
  • AU-9 Protection of Audit Logs
  • AU-11 Audit Retention
NIST 800-53 (continued)
  • CA-1 Certification, Accreditation, & Security Assessment Policies & Procedures
  • CA-2 Security Assessments
  • CA-7 Continuous Monitoring
  • CM-1 Configuration Management Policy and Procedures
  • CM-2 Baseline configuration and System Component Inventory
  • CM-3 Configuration Change Control
  • CM-4 Monitoring Configuration Changes
  • CM-6 Configuration Settings
  • CP-1 Contingency Planning Policy and Procedures
  • CP-2 Contingency Planning
  • CP-5 Contingency Plan Update
  • CP-9 Information System Backup
  • CP-10 Information System Recovery and Reconstitution
NIST 800-53 (continued)
  • IA-1 Identification and Authentication Policy and Procedures
  • IA-2 User Identification and Authentication
  • IA-3 Device Identification and Authentication
  • IA-6 Authenticator Feedback
  • MA-1 System Maintenance Policy and Procedure
  • MA-2 Periodic Maintenance
  • MA-3 Maintenance Tools
  • MA-6 Timely Maintenance
  • RA-1 Risk Assessment Policy and Procedures
  • SA-5 Information System Documentation
  • SA-6 Software Usage Restrictions
  • SA-7 User Installed Software
  • SI-1 System and Information Integrity
  • SI-2 Flaw Remediation
  • SI-4 Information System Monitoring Tools and Techniques
  • SI-5 Security Alerts and Advisories
  • SI-6 Security Functionality Verification
Supported Operating Systems
  • RedHat
  • Ubuntu
  • CentOS
  • Debian
  • Solaris
  • Partial support for Mac OS X and AIX
Conclusion/Contacts

Any Questions?
